9df6879a95
Update modules to use srvhost method
2026-03-03 09:37:25 -05:00
758ac7f2f6
Apply rubocop changes
2026-03-03 09:34:49 -05:00
fc49421939
Replace checks for nonroutable addresses
...
This consolidates modules that check for a nonroutable SRVHOST value and
replaces it with OptAddressRoutable, defaulting to a reasonable address.
2026-03-03 09:34:49 -05:00
1a4ae7bfa3
Fix broken module url references
2026-03-02 14:35:48 +00:00
fae76b2961
Land #20978 , adds module BeyondTrust unauth command injection (CVE-2026-1731)
...
Add CVE-2026-1731 support and modernize targets for BeyondTrust PRA/R…
2026-02-25 14:18:59 +01:00
0c12becfcf
Separates modules
2026-02-25 13:56:13 +01:00
63c7bd4958
Temp rollback
2026-02-25 13:54:20 +01:00
7dcc036b6d
Land #21006 , adds module for Ollama path traversal RCE (CVE-2024-37032)
...
Add Ollama path traversal RCE module (CVE-2024-37032)
2026-02-25 13:06:09 +01:00
c5303e2ac1
Apply suggestion from @msutovsky-r7
2026-02-25 12:54:17 +01:00
002daf8d7d
Merge branch 'beyondtrust-rce-2026' into collab/exploit/beyondtrust/cve-2026-1731
2026-02-25 12:53:37 +01:00
e77b1c00c6
Add CVE-2026-1731 support and modernize targets for BeyondTrust PRA/RS RCE
2026-02-25 10:12:23 +01:00
fd92207119
Fix BeyondTrust exploit failing on older instances (22.x)
...
The /get_mech_list?version=3 endpoint returns HTTP 500 on older
BeyondTrust versions that do not support the JSON API. Add a
fallback to version=2 which returns semicolon-separated key=value
pairs (e.g. "company=sewtest;product=ingredi").
Also remove the "Thank you for using BeyondTrust" check in the
BRDF validation, as PRA instances do not contain this string,
causing the check method to incorrectly report Unknown for PRA
targets.
2026-02-25 10:12:21 +01:00
4f2eafda09
Changed error wording to remove patch specifics and loosen wording to 'may indicate' as there could be other reasons for the websocket exiting unexpectedly, e.g. using the cmd/unix/generic payload results in the error, even when target is vulnerable and the exploit succeeds
2026-02-25 10:11:18 +01:00
0b78ab319e
improved version checking (i think)
2026-02-25 10:11:18 +01:00
b43b204060
Add CVE-2026-1731 support and modernize targets for BeyondTrust PRA/RS RCE
2026-02-25 10:11:15 +01:00
70dd190bc7
Fix: Inline shellcode via asm db instead of mmap RWX
...
Use Metasm's asm("db ...") to embed shellcode directly in .text section
which is executable by default. Removes mmap/memcpy/mprotect entirely,
avoiding RWX or W^X allocations that IDS may flag.
Parent process uses _exit(0) instead of return since the inlined
shellcode bytes follow the setsid() call in the instruction stream.
Co-Authored-By: jvoisin <325724+jvoisin@users.noreply.github.com >
2026-02-24 23:32:05 +01:00
d6d9180b7c
Fix: Clarify why fork+setsid is in the constructor
...
PrependFork operates at shellcode level, but fork must happen in the
.so constructor so the runner process returns immediately and is not
blocked by the payload execution.
Co-Authored-By: jvoisin <325724+jvoisin@users.noreply.github.com >
2026-02-24 23:29:25 +01:00
4031d7d950
Fix: Randomize chat trigger message content
...
Co-Authored-By: jvoisin <325724+jvoisin@users.noreply.github.com >
2026-02-24 23:29:13 +01:00
29a02274cf
Refactor: Remove redundant Platform/Arch from single target
2026-02-24 17:54:28 +01:00
5aeff61b26
Fix: Address PR review feedback for Ollama RCE module
...
Co-Authored-By: msutovsky-r7 <190406428+msutovsky-r7@users.noreply.github.com >
2026-02-24 17:51:23 +01:00
33d24cc85b
Update modules/exploits/linux/http/ollama_rce_cve_2024_37032.rb
...
Co-authored-by: msutovsky-r7 <martin_sutovsky@rapid7.com >
2026-02-24 17:47:51 +01:00
98b3357e2a
Adds beyondtrust lib, moves functionality into library, shares those functions to two modules
2026-02-24 16:16:05 +01:00
1ddee63f05
Merge pull request #20983 from sfewer-r7/0day-grandstream
...
Add exploit (CVE-2026-2329) and auxiliary modules for the Grandstream GXP1600 series
2026-02-24 08:50:42 -06:00
c390260291
Rubocopes
2026-02-24 13:12:37 +01:00
338804f028
Changed error wording to remove patch specifics and loosen wording to 'may indicate' as there could be other reasons for the websocket exiting unexpectedly, e.g. using the cmd/unix/generic payload results in the error, even when target is vulnerable and the exploit succeeds
2026-02-24 09:47:49 +01:00
fc3a6cd0fe
improved version checking (i think)
2026-02-24 09:47:48 +01:00
e0bc7c4533
Add CVE-2026-1731 support and modernize targets for BeyondTrust PRA/RS RCE
2026-02-24 09:47:45 +01:00
1f5ad66248
comment gen_buffer to explain why this is needed
2026-02-23 13:04:42 +00:00
54f5b88baa
clarify the offsets used in patch_offset2cmd
2026-02-23 12:39:37 +00:00
2c807a6d95
clarify the initial valud in our rop buffer and the function epilogue that reads them
2026-02-23 12:39:10 +00:00
8519bffeff
add a Check message for this and change from Safe to Unknown which is more accurate
2026-02-23 11:28:53 +00:00
cab7bf064e
Fix: Add email to Sagi Tzadik credit
2026-02-21 17:06:42 +01:00
22fb85f648
Fix: Correct vulnerability discovery credit to Sagi Tzadik (Wiz Research)
2026-02-21 17:05:58 +01:00
b17d227d28
Feat: Add Ollama path traversal RCE module (CVE-2024-37032)
2026-02-21 16:52:43 +01:00
cf497a8d6e
Merge pull request #20938 from Chocapikk/fix-beyondtrust-mech-list-fallback
...
Fix BeyondTrust PRA/RS exploit failing on older instances
2026-02-20 17:38:40 -06:00
08efa9cd16
add in the Grandstream modules
2026-02-17 22:33:46 +00:00
d330de16c8
Merge pull request #20932 from sfewer-r7/ivanti-epmm-rce
...
Add exploit module for Ivant EPMM/MobileIron (CVE-2026-1281)
2026-02-10 11:07:39 -06:00
3f6d228954
Update modules/exploits/linux/http/beyondtrust_pra_rs_unauth_rce.rb
...
Co-authored-by: Julien Voisin <jvoisin@users.noreply.github.com >
2026-02-10 18:06:20 +01:00
defeb14ef4
Update modules/exploits/linux/http/beyondtrust_pra_rs_unauth_rce.rb
...
Co-authored-by: Julien Voisin <jvoisin@users.noreply.github.com >
2026-02-10 18:02:22 +01:00
47d4cd7601
Update modules/exploits/linux/http/beyondtrust_pra_rs_unauth_rce.rb
...
Co-authored-by: Julien Voisin <jvoisin@users.noreply.github.com >
2026-02-10 18:02:12 +01:00
f41eda1128
Add GHSA and OSV reference type support
...
Add support for GHSA (GitHub Security Advisories) and OSV (Open Source
Vulnerabilities) as structured reference types in Metasploit modules.
Convert 49 hardcoded GHSA URLs to structured ['GHSA', 'GHSA-xxxx'] format
across existing modules, and add support for repository-specific GHSA
references with an optional third parameter ['GHSA', 'GHSA-xxxx', 'repo'].
Update reference validation, module validator, and info_fixups to handle
the new reference types correctly.
2026-02-09 15:17:23 +01:00
296cb5ff22
Fix BeyondTrust exploit failing on older instances (22.x)
...
The /get_mech_list?version=3 endpoint returns HTTP 500 on older
BeyondTrust versions that do not support the JSON API. Add a
fallback to version=2 which returns semicolon-separated key=value
pairs (e.g. "company=sewtest;product=ingredi").
Also remove the "Thank you for using BeyondTrust" check in the
BRDF validation, as PRA instances do not contain this string,
causing the check method to incorrectly report Unknown for PRA
targets.
2026-02-08 22:57:47 +01:00
51d2a18ade
remove the extra + operator. add a comment as to why we ljust the value.
2026-02-06 14:52:00 +00:00
95da6bd70d
use Rex::Stopwatch.elapsed_time to time this operation
2026-02-05 16:17:33 +00:00
22e5981a95
add back tick to BadChars
2026-02-05 16:16:57 +00:00
f632cf34bf
add in a module and docs fo rteh EPMM exploit
2026-02-05 12:26:38 +00:00
2f2fea7f6b
add CVE reference to Continuum exploit
2026-01-26 12:36:12 +01:00
c47a74d0dd
Merge pull request #20770 from vognik/Splunk_2022-43571_CVE-2024-36985
...
Add Splunk RCE Exploits (CVE-2022-43571 & CVE-2024-36985)
2026-01-20 12:36:51 -08:00
9e320dd168
add suggestions from @jheysel-r7
2026-01-19 18:45:01 -08:00
7b092aeedb
Land #20806 , adds module for unauthenticated command injection in Control Web Panel API (CVE-2025-67888)
...
Adds module for Control Web Panel API Command Injection (CVE-2025-67888)
2026-01-14 15:44:25 +01:00
adfoster-r7