tart0ru5
fd6df3fb81
Improve failure condition checks
The prior check silently passes when `res` is `nil` (e.g. request
timeout / host unreachable), because `nil != 403` evaluates to `true`
2026-05-06 11:58:50 +08:00
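The nil-comparison bug described in the commit above, as an added Ruby example (not code from the metasploit-framework commit). It models a `check` method whose HTTP response may be `nil` on timeout or an unreachable host and compares it against HTTP 403 with `!=`. `FakeResponse`, `buggy_check`, `fixed_check` and the sample responses are hypothetical stand-ins for a module's `send_request_cgi` result and its check logic.

```ruby
# Added example: models the failure-condition bug from the commit above.
# FakeResponse stands in for the object send_request_cgi returns; a nil
# value models a timeout or unreachable host (hypothetical names).
FakeResponse = Struct.new(:code, :body)

# Buggy pattern: `res&.code` is nil when res is nil, and `nil != 403` is
# true, so a missing response is reported as if the endpoint were exposed.
def buggy_check(res)
  return :appears if res&.code != 403
  :safe
end

# Fixed pattern: handle the missing response first and map it to an
# explicit Unknown, then branch on the actual status code.
def fixed_check(res)
  return :unknown if res.nil?          # no response: cannot judge the target
  return :safe if res.code == 403      # access denied: protected
  return :appears if res.code == 200   # endpoint answered: appears exposed
  :unknown                             # anything else (5xx, redirects, ...)
end

# Constructed sample results standing in for send_request_cgi return values.
SAMPLES = {
  timeout:   nil,
  forbidden: FakeResponse.new(403, 'Forbidden'),
  exposed:   FakeResponse.new(200, '{"status":"ok"}'),
  error:     FakeResponse.new(500, 'Internal Server Error')
}.freeze

# Run both checks over every sample so the divergence is visible at once.
def compare_checks
  SAMPLES.transform_values do |res|
    { buggy: buggy_check(res), fixed: fixed_check(res) }
  end
end

if __FILE__ == $PROGRAM_NAME
  compare_checks.each do |name, r|
    puts "#{name}: buggy=#{r[:buggy]} fixed=#{r[:fixed]}"
  end
end
```

The timeout and 5xx rows are the ones that matter: the buggy form reports `appears` for both, the fixed form reports `unknown`, which is the honest answer when the target never said anything useful.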
adfoster-r7
3bee31ff5e
Update checkcodes and bug fixes
2026-04-30 15:42:10 +01:00
cgranleese-r7
591dbdd821
Merge pull request #21350 from adfoster-r7/improve-checkcode-messages-3
Add human-readable descriptions to CheckCode returns in modules
2026-04-23 11:33:27 +01:00
adfoster-r7
c38f6b4858
Update checkcodes and bug fixes
2026-04-23 10:20:53 +01:00
adfoster-r7
2cbb3942b6
Add human-readable descriptions to CheckCode returns in linux/http exploit modules (A-M)
2026-04-22 13:08:59 +01:00
adfoster-r7
19d333df13
Add human-readable descriptions to CheckCode returns in linux/http exploit modules (N-Z)
2026-04-22 11:55:15 +01:00
Diego Ledda
1d5eae0f5b
Merge pull request #21034 from Chocapikk/add-module-opendcim-sqli-rce
Add openDCIM install.php SQLi to RCE module
2026-04-14 16:04:13 -04:00
msutovsky-r7
5b6c2be9d1
Land #21003, unifies Selenium Firefox and Chrome modules
Unified Selenium Grid/Selenoid RCE with Firefox + Chrome auto-detection
2026-04-14 16:32:06 +02:00
Chocapikk
62e2c336d0
Remove old Selenium modules replaced by unified selenium_greed_rce
2026-04-14 12:32:51 +02:00
Martin Sutovsky
db0fe4aaef
Fixes Python payload delivery for Firefox profile
2026-04-14 10:17:04 +02:00
Chocapikk
d84b09a16e
Fix: Wrap Python payload for Firefox profile handler
The Firefox exploit path delivers payloads via a MIME handler mapped to
/bin/sh. When using the default Python target, the raw Python payload
would fail to execute in /bin/sh. Wrap it with python3 -c so the shell
can invoke it correctly.
2026-04-13 17:57:48 +02:00
Spencer McIntyre
b743296f48
Reapply "This adjusts module options that need a routable address"
This reverts commit 628275ef59.
2026-03-26 14:43:31 -04:00
msutovsky-r7
0976f88058
Land #20835, adds module unauthenticated command injection Eclipse Che machine-exec (CVE-2025-12548)
Add Eclipse Che machine-exec unauthenticated RCE (CVE-2025-12548)
2026-03-25 14:39:01 +01:00
Brendan
5b5d1dbfaa
Merge pull request #21076 from Chocapikk/avideo-encoder-getimage-cmd-injection
Add AVideo Encoder getImage.php command injection (CVE-2026-29058)
2026-03-18 18:46:32 -05:00
msutovsky-r7
b3aa45fb09
Land #20719, adds module for authenticated command injection in FreePBX filestore (CVE-2025-64328)
Add authenticated RCE module for FreePBX filestore (CVE-2025-64328)
2026-03-13 11:00:43 +01:00
adfoster-r7
510ec29a63
Merge pull request #21046 from msutovsky-r7/exploit/beyondtrust/updates_description
Updates description for BeyondTrust command injection
2026-03-13 00:23:40 +00:00
Valentin Lobstein
ee2ee34b9e
Refactor: Extract shared logic in exploit method for openDCIM module
Factor out duplicated print_status and backup_config calls, extract
trigger_exec and cleanup_config helpers for readability.
2026-03-12 20:56:33 +01:00
Spencer McIntyre
ccf56437da
Merge pull request #20960 from g0tmi1k/dhcp_server
dhcp_server: Add DHCPINTERFACE
2026-03-12 15:48:36 -04:00
Valentin Lobstein
f34a0b5d31
Fix: Address PR review feedback for openDCIM module
Add ARTIFACTS_ON_DISK side effect and fetch payload note in docs.
2026-03-12 20:44:19 +01:00
g0t mi1k
b2f1e46c82
OptString -> OptAddress
2026-03-12 16:41:25 +00:00
Valentin Lobstein
c266e687c2
Add authenticated RCE module for FreePBX filestore (CVE-2025-64328)
2026-03-11 19:43:28 +01:00
gregd
1f55aa724a
Apply reviewer feedback: CheckCode::Appears, ARTIFACTS_ON_DISK, simplify connect
- Use CheckCode::Appears instead of CheckCode::Vulnerable per convention
- Add ARTIFACTS_ON_DISK to SideEffects for dropper target
- Simplify connect call by removing unnecessary uri argument
2026-03-10 13:07:03 +00:00
adfoster-r7
628275ef59
Revert "This adjusts module options that need a routable address"
2026-03-08 17:37:49 +00:00
Valentin Lobstein
dfe73bb4c5
Add exploit for AVideo Encoder getImage.php command injection (CVE-2026-29058)
Unauthenticated OS command injection via the base64Url parameter in
getImage.php. The URL is interpolated into an ffmpeg shell command
without escapeshellarg(), and FILTER_VALIDATE_URL does not block
shell metacharacters in the URL path.
2026-03-06 21:30:12 +01:00
Diego Ledda
1ec87b586a
Merge pull request #20989 from zeroSteiner/feat/lib/mod-address-opts
This adjusts module options that need a routable address
2026-03-05 11:46:52 -05:00
msutovsky-r7
59a1992214
Land #21017, adds module for SSTI in Tactical RMM (CVE-2025-69516)
Add Tactical RMM Jinja2 SSTI RCE module (CVE-2025-69516)
2026-03-05 15:38:32 +01:00
Valentin Lobstein
bf41455bca
Fix: Address review feedback - remove dead execute_command, fix dropper race condition
2026-03-05 14:01:12 +01:00
Martin Sutovsky
9c7264b48f
Updates description
2026-03-03 15:42:15 +01:00
Spencer McIntyre
1b39311784
Remove redundant definitions of SRVHOST
2026-03-03 09:37:27 -05:00
Spencer McIntyre
821e3c28f1
Replace old patterns with srvhost_addr
2026-03-03 09:37:27 -05:00
adfoster-r7
9df6879a95
Update modules to use srvhost method
2026-03-03 09:37:25 -05:00
Spencer McIntyre
758ac7f2f6
Apply rubocop changes
2026-03-03 09:34:49 -05:00
Spencer McIntyre
fc49421939
Replace checks for nonroutable addresses
This consolidates modules that check for a nonroutable SRVHOST value and
replaces it with OptAddressRoutable, defaulting to a reasonable address.
2026-03-03 09:34:49 -05:00
adfoster-r7
1a4ae7bfa3
Fix broken module url references
2026-03-02 14:35:48 +00:00
Valentin Lobstein
4aeacb7456
Fix: CmdStager compatibility with dash shell in openDCIM module
PHP exec() uses sh -c, which is dash on Ubuntu. Dash echo does not
support the -en flag, breaking the echo CmdStager flavor. Switch to
the printf (octal) and bourne (base64) flavors, which work in dash.
Also split backup_and_poison into backup_config and poison_dot so
CmdStager chunks don't overwrite the backup table, and escape
backslashes in SQL to preserve octal/hex sequences through MySQL.
2026-02-28 21:39:16 +01:00
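The backslash-escaping point in the commit above, as an added Ruby example (not the openDCIM module's code). A MySQL single-quoted string literal consumes backslash escapes, so a printf octal sequence such as `\101` injected through SQL without escaping is stored as `101` and reaches the shell broken. `mysql_unescape_literal` is a simplified model of MySQL's string-literal escape handling (a hypothetical helper, not a database client), `escape_for_mysql` is the hardening step, and the CmdStager-style chunk is constructed inline.

```ruby
# Added example: why a CmdStager chunk that travels through a MySQL string
# literal needs its backslashes doubled. All helpers are hypothetical models,
# not metasploit-framework or MySQL code.

# Backslash escapes MySQL recognises inside a string literal; any other
# "\x" pair drops the backslash and keeps x, so "\101" becomes "101".
MYSQL_ESCAPES = {
  '0' => "\0", "'" => "'", '"' => '"', 'b' => "\b", 'n' => "\n",
  'r' => "\r", 't' => "\t", 'Z' => "\x1A", '\\' => '\\',
  '%' => '\\%', '_' => '\\_'
}.freeze

# Model of what MySQL stores for the contents of a single-quoted literal.
def mysql_unescape_literal(literal)
  out = +''
  i = 0
  while i < literal.length
    ch = literal[i]
    if ch == '\\' && i + 1 < literal.length
      out << MYSQL_ESCAPES.fetch(literal[i + 1], literal[i + 1])
      i += 2
    else
      out << ch
      i += 1
    end
  end
  out
end

# Hardening step: double every backslash and escape single quotes so the
# stored value is byte-for-byte the command we intend to run.
def escape_for_mysql(str)
  str.gsub('\\') { '\\\\' }.gsub("'") { "\\'" }
end

# What ends up in the table for a given chunk, with or without hardening.
def stored_value(chunk, hardened:)
  literal = hardened ? escape_for_mysql(chunk) : chunk
  mysql_unescape_literal(literal)
end

# What /bin/sh printf would emit for an octal-escaped argument (the printf
# CmdStager flavor relies on exactly this expansion).
def printf_octal_decode(arg)
  arg.gsub(/\\([0-7]{1,3})/) { Regexp.last_match(1).to_i(8).chr }
end

# Constructed printf-flavor chunk writing the bytes "ABC" to a staging file.
CHUNK = "printf '\\101\\102\\103' >> /tmp/stage".freeze

if __FILE__ == $PROGRAM_NAME
  puts "intended: #{CHUNK}"
  puts "naive   : #{stored_value(CHUNK, hardened: false)}"
  puts "hardened: #{stored_value(CHUNK, hardened: true)}"
end
```

Without the escaping, the stored command is `printf '101102103' >> /tmp/stage`, which writes the literal digits rather than the intended bytes; with it, the round trip is exact. The same reasoning applies to the `\x` hex sequences the commit mentions.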
Valentin Lobstein
2d8c3d69ed
Feat: Add openDCIM install.php SQLi to RCE module
Exploits CVE-2026-28515, CVE-2026-28516, CVE-2026-28517 to chain
missing authorization, SQL injection, and command injection in
openDCIM's install.php for remote code execution.
2026-02-28 21:13:51 +01:00
Valentin Lobstein
097a4700cb
Fix: check method returns CheckCode instead of fail_with on login failure
2026-02-26 17:13:57 +01:00
Valentin Lobstein
11806c983d
Update modules/exploits/linux/http/tacticalrmm_ssti_rce_cve_2025_69516.rb
Co-authored-by: msutovsky-r7 <martin_sutovsky@rapid7.com>
2026-02-26 17:12:42 +01:00
msutovsky-r7
fae76b2961
Land #20978, adds module BeyondTrust unauth command injection (CVE-2026-1731)
Add CVE-2026-1731 support and modernize targets for BeyondTrust PRA/R…
2026-02-25 14:18:59 +01:00
Martin Sutovsky
0c12becfcf
Separates modules
2026-02-25 13:56:13 +01:00
Martin Sutovsky
63c7bd4958
Temp rollback
2026-02-25 13:54:20 +01:00
msutovsky-r7
7dcc036b6d
Land #21006, adds module for Ollama path traversal RCE (CVE-2024-37032)
Add Ollama path traversal RCE module (CVE-2024-37032)
2026-02-25 13:06:09 +01:00
msutovsky-r7
c5303e2ac1
Apply suggestion from @msutovsky-r7
2026-02-25 12:54:17 +01:00
msutovsky-r7
002daf8d7d
Merge branch 'beyondtrust-rce-2026' into collab/exploit/beyondtrust/cve-2026-1731
2026-02-25 12:53:37 +01:00
Jonah Burgess
e77b1c00c6
Add CVE-2026-1731 support and modernize targets for BeyondTrust PRA/RS RCE
2026-02-25 10:12:23 +01:00
Valentin Lobstein
fd92207119
Fix BeyondTrust exploit failing on older instances (22.x)
The /get_mech_list?version=3 endpoint returns HTTP 500 on older
BeyondTrust versions that do not support the JSON API. Add a
fallback to version=2 which returns semicolon-separated key=value
pairs (e.g. "company=sewtest;product=ingredi").
Also remove the "Thank you for using BeyondTrust" check in the
BRDF validation, as PRA instances do not contain this string,
causing the check method to incorrectly report Unknown for PRA
targets.
2026-02-25 10:12:21 +01:00
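The version fallback described in the commit above, as an added Ruby example (not the BeyondTrust module's code). It queries `/get_mech_list?version=3` for JSON first, falls back to `version=2` when the server answers HTTP 500, and parses the semicolon-separated `key=value` body of the older format. `Resp`, `mech_list` and the fetcher lambdas are hypothetical stand-ins for `send_request_cgi` and constructed server behaviour; the sample values are the ones quoted in the commit.

```ruby
require 'json'

# Added example: JSON-first mech_list retrieval with a version=2 fallback.
# Resp models the object send_request_cgi returns; nil models a timeout.
Resp = Struct.new(:code, :body)

# version=2 body format: "company=sewtest;product=ingredi"
def parse_v2_mech_list(body)
  body.to_s.split(';').each_with_object({}) do |pair, h|
    key, value = pair.split('=', 2)
    next if key.nil? || key.strip.empty?
    h[key.strip] = value.to_s.strip
  end
end

# fetcher.call(version) performs the request for that API version.
# Returns a Hash of mech_list fields, or nil when the target cannot be read.
def mech_list(fetcher)
  res = fetcher.call(3)
  if res && res.code == 200
    begin
      return JSON.parse(res.body)
    rescue JSON::ParserError
      return nil                      # 200 with junk: do not guess
    end
  end
  return nil unless res && res.code == 500   # timeout or other error: give up
  res = fetcher.call(2)                       # older instance: retry with v2
  return nil unless res && res.code == 200
  parse_v2_mech_list(res.body)
end

# Constructed server behaviours (not captured traffic).
MODERN  = ->(v) { v == 3 ? Resp.new(200, '{"company":"sewtest","product":"ingredi"}') : Resp.new(500, '') }
LEGACY  = ->(v) { v == 3 ? Resp.new(500, 'Internal Server Error') : Resp.new(200, 'company=sewtest;product=ingredi') }
OFFLINE = ->(_v) { nil }

if __FILE__ == $PROGRAM_NAME
  { modern: MODERN, legacy: LEGACY, offline: OFFLINE }.each do |name, f|
    puts "#{name}: #{mech_list(f).inspect}"
  end
end
```

Both server shapes yield the same hash, so the version-detection logic downstream needs only one code path; an unreachable host yields nil rather than a misleading partial result.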
Jonah Burgess
4f2eafda09
Changed error wording to remove patch specifics and loosen wording to 'may indicate', as there could be other reasons for the websocket exiting unexpectedly, e.g. using the cmd/unix/generic payload results in the error even when the target is vulnerable and the exploit succeeds
2026-02-25 10:11:18 +01:00
Jonah Burgess
0b78ab319e
Improved version checking (I think)
2026-02-25 10:11:18 +01:00
Jonah Burgess
b43b204060
Add CVE-2026-1731 support and modernize targets for BeyondTrust PRA/RS RCE
2026-02-25 10:11:15 +01:00
Valentin Lobstein
70dd190bc7
Fix: Inline shellcode via asm db instead of mmap RWX
Use Metasm's asm("db ...") to embed shellcode directly in .text section
which is executable by default. Removes mmap/memcpy/mprotect entirely,
avoiding RWX or W^X allocations that IDS may flag.
Parent process uses _exit(0) instead of return since the inlined
shellcode bytes follow the setsid() call in the instruction stream.
Co-Authored-By: jvoisin <325724+jvoisin@users.noreply.github.com>
2026-02-24 23:32:05 +01:00