adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
80,872 Commits 27 Branches 1,043 Tags
0ba93b6ae317cbb7ff77b5ab1ae973542e80daab
Commit Graph

1023 Commits

Author SHA1 Message Date
msutovsky-r7 0976f88058 Land #20835, adds module unauthenticated command injection Eclipse Che machine-exec (CVE-2025-12548) 
Add Eclipse Che machine-exec unauthenticated RCE (CVE-2025-12548)
 2026-03-25 14:39:01 +01:00
Valentin Lobstein 8ad5924bf1 Fix: Use parent of fix commit (78178d1~1) for vulnerable Encoder checkout 2026-03-13 22:59:51 +01:00
Valentin Lobstein 8d44dcd1fb Fix: Lab setup documentation for first-time environments 
- Fix DB permissions (bind mount creates files as www-data instead of mysql)
- Force table creation (cli.php skips it when configuration.php already exists)
- Revert entire Encoder working tree, not just getImage.php (78178d1 patched multiple files)
- Run git checkout from inside the container to avoid safe.directory issues
 2026-03-13 22:55:23 +01:00
Valentin Lobstein 5150a4b68b Docs: Clarify that .compose/encoder is a clone of AVideo-Encoder repo 
The commit c9861e9c exists in WWBN/AVideo-Encoder (not WWBN/AVideo).
Add a note explaining that .compose/encoder is a git clone created by
the container entrypoint, with a link to the correct repository.
 2026-03-11 22:05:23 +01:00
Valentin Lobstein 38e74740f3 Fix: Use correct commit hash for vulnerable getImage.php in lab setup 
The previous commit (e0c2768) did not touch getImage.php. Use c9861e9c
which is the last commit before the security patch (78178d1) that
modifies the file.
 2026-03-11 21:23:27 +01:00
Valentin Lobstein dfe73bb4c5 Add exploit for AVideo Encoder getImage.php command injection (CVE-2026-29058) 
Unauthenticated OS command injection via the base64Url parameter in
getImage.php. The URL is interpolated into an ffmpeg shell command
without escapeshellarg(), and FILTER_VALIDATE_URL does not block
shell metacharacters in the URL path.
 2026-03-06 21:30:12 +01:00
msutovsky-r7 59a1992214 Land #21017, adds module for SSTI in Tactical RMM (CVE-2025-69516) 
Add Tactical RMM Jinja2 SSTI RCE module (CVE-2025-69516)
 2026-03-05 15:38:32 +01:00
msutovsky-r7 fae76b2961 Land #20978, adds module BeyondTrust unauth command injection (CVE-2026-1731) 
Add CVE-2026-1731 support and modernize targets for BeyondTrust PRA/R…
 2026-02-25 14:18:59 +01:00
msutovsky-r7 7dcc036b6d Land #21006, adds module for Ollama path traversal RCE (CVE-2024-37032) 
Add Ollama path traversal RCE module (CVE-2024-37032)
 2026-02-25 13:06:09 +01:00
msutovsky-r7 002daf8d7d Merge branch 'beyondtrust-rce-2026' into collab/exploit/beyondtrust/cve-2026-1731 2026-02-25 12:53:37 +01:00
msutovsky-r7 12e21e4c66 Fixes documentation 2026-02-24 12:23:26 -05:00
Valentin Lobstein 5aeff61b26 Fix: Address PR review feedback for Ollama RCE module 
Co-Authored-By: msutovsky-r7 <190406428+msutovsky-r7@users.noreply.github.com>
 2026-02-24 17:51:23 +01:00
msutovsky-r7 51af9d0ff1 Adds documentation 2026-02-24 10:25:49 -05:00
Valentin Lobstein bef9b7ad3b Feat: Add Tactical RMM Jinja2 SSTI RCE module (CVE-2025-69516) 2026-02-23 19:31:22 +01:00
Valentin Lobstein b17d227d28 Feat: Add Ollama path traversal RCE module (CVE-2024-37032) 2026-02-21 16:52:43 +01:00
gregd 36b29fb458 Add vulnerable environment setup guide to module documentation 
Step-by-step minikube-based setup for deploying a vulnerable
che-machine-exec instance for module verification.
 2026-02-19 11:27:27 +00:00
sfewer-r7 08efa9cd16 add in the Grandstream modules 2026-02-17 22:33:46 +00:00
sfewer-r7 f632cf34bf add in a module and docs fo rteh EPMM exploit 2026-02-05 12:26:38 +00:00
jheysel-r7 c47a74d0dd Merge pull request #20770 from vognik/Splunk_2022-43571_CVE-2024-36985 
Add Splunk RCE Exploits (CVE-2022-43571 & CVE-2024-36985)
 2026-01-20 12:36:51 -08:00
msutovsky-r7 7b092aeedb Land #20806, adds module for unauthenticated command injection in Control Web Panel API (CVE-2025-67888) 
Adds module for Control Web Panel API Command Injection (CVE-2025-67888)
 2026-01-14 15:44:25 +01:00
kali be9b2c9491 Add documentation for prison_management_rce 2026-01-06 12:33:49 +02:00
gregd c225256956 Add meterpreter scenario and redact IPs in documentation 2025-12-31 15:37:46 +00:00
gregd 475846ea2a Add Eclipse Che machine-exec unauthenticated RCE (CVE-2025-12548) 
This module exploits an unauthenticated RCE vulnerability in the
Eclipse Che machine-exec service. The service accepts WebSocket
connections without authentication on port 3333, allowing command
execution via JSON-RPC.

Affects Red Hat OpenShift DevSpaces environments.
 2025-12-30 21:14:55 +00:00
JohannesLks 455275d087 add module for CVE-2025-67888 2025-12-23 19:21:34 -05:00
sfewer-r7 d40a35acdb the version logic changes, update the docs 2025-12-19 15:48:07 +00:00
sfewer-r7 a4dba96712 add in the HPE OneView exploit 2025-12-19 15:30:53 +00:00
vognik 8977538910 add docker lab deploy guide into docs 2025-12-13 12:28:55 -08:00
vognik da0dc35cb8 add documentation 2025-12-12 13:44:44 -08:00
sfewer-r7 795c38c524 Combine the 7.x and 6.x targets together, as Linux payloads work on 7.x also, so this target is Unix and Linux. This leaves the 8.x target Unix only due to IMA appraisal. 2025-11-28 10:12:02 +00:00
sfewer-r7 014312873c get both unix and linux payloads working on 6.x. Add a note to the docs about setting a gateway. 2025-11-27 20:28:44 +00:00
sfewer-r7 f5e8aa83be add in exploit support for FortiWeb versions 6.x which are vulnerable, but no longer under support from the vendor. 2025-11-27 12:43:19 +00:00
sfewer-r7 fa03ac8b66 on 7.4.8 the command nohup is not available. we must execute our payload in a new session, so we use a python stub to essentially call setsid. This has been tested to work on both 8.0.1 and 7.4.8. Teh payload cmd/unix/reverse_python isnot working as it previously was, so I am removing from the list of confirmed paylaods. The other two, cmd/unix/reverse_bash and cmd/unix/reverse_openssl work fine on both versions 2025-11-25 11:25:41 +00:00
sfewer-r7 aff76622fa add in the unauth RCE exploit module for CVE-2025-64446 + CVE-2025-58034 2025-11-21 12:22:25 +00:00
h00die b646e0e044 docs editing for consistency 2025-11-07 15:42:27 -05:00
h00die fb02ec4554 remove 4 space indents in options 2025-11-07 15:42:27 -05:00
h00die caa2873a14 more adjustments 2025-11-07 15:42:27 -05:00
h00die d8c73f6684 replace bold options with h3 2025-11-07 15:42:23 -05:00
Diego Ledda 110cb837aa Merge pull request #20672 from h00die-gr3y/centreon_auth_rce 
Centreon authenticated command injection leading to RCE via broker engine "reload" parameter [CVE-2025-5946]
 2025-11-05 16:29:29 +01:00
h00die-gr3y 408eceb2d9 small update documentation 2025-11-03 10:27:44 +00:00
h00die-gr3y 85b4233345 updated module based on review comments and added documentation 2025-11-03 10:21:31 +00:00
Brendan 91c0adb17f Merge pull request #20585 from vognik/CVE_2025_60787 
Add MotionEye Authenticated RCE (CVE-2025-60787)
 2025-10-09 13:50:25 -05:00
Vognik 267a26b763 code review changes from smcintyre-r7@ 2025-10-09 21:51:31 +04:00
Diego Ledda 1314f5d0bb Merge pull request #20455 from Chocapikk/aitemi_m300_time_rce 
Add unauthenticated RCE on Shenzhen Aitemi M300 MT02 (CVE-2025-34152)
 2025-09-10 10:12:41 +02:00
Brendan f1dffd3ad6 Merge pull request #20480 from msutovsky-r7/exploit/pretalx/file-rw 
Adds modules for Pretalx File Read/Limited File Write (CVE-2023-28459, CVE-2023-28458)
 2025-08-27 15:46:39 -05:00
Martin Sutovsky f43b141886 Fine-tunning docs 2025-08-27 21:18:03 +02:00
Martin Sutovsky 61a0d68d97 Fine-tuning docs 2025-08-27 19:22:46 +02:00
Martin Sutovsky 23f486dc53 Updates docs 2025-08-27 19:16:33 +02:00
Martin Sutovsky 7196786258 Clarifies docs 2025-08-27 18:12:54 +02:00
Martin Sutovsky d49870211b Adding exceptions to exploit module, bug fix for aux module, adds documentation for exploit module 2025-08-22 15:26:46 +02:00
Martin Sutovsky 72dcc5a301 Library fix 2025-08-21 07:21:56 +02:00