adfoster-r7
20bb912515
Merge pull request #21023 from g0tmi1k/os_cmd_exec
...
Add: exploits/multi/http/os_cmd_exec
2026-03-27 16:38:03 +00:00
msutovsky-r7
0976f88058
Land #20835, adds module unauthenticated command injection Eclipse Che machine-exec (CVE-2025-12548)
...
Add Eclipse Che machine-exec unauthenticated RCE (CVE-2025-12548)
2026-03-25 14:39:01 +01:00
g0t mi1k
51f36982c7
Add: exploits/multi/http/os_cmd_exec
...
A lot of this was based on: exploits/unix/webapp/php_eval
2026-03-24 20:01:30 +00:00
jheysel-r7
81faae13ca
Merge pull request #21033 from Alpenlol/barracuda-esg-cve-2023-2868
...
Add exploit for CVE-2023-2868 Barracuda ESG command injection
2026-03-23 13:18:34 -07:00
Brendan
5b5d1dbfaa
Merge pull request #21076 from Chocapikk/avideo-encoder-getimage-cmd-injection
...
Add AVideo Encoder getImage.php command injection (CVE-2026-29058)
2026-03-18 18:46:32 -05:00
Valentin Lobstein
8ad5924bf1
Fix: Use parent of fix commit (78178d1~1) for vulnerable Encoder checkout
2026-03-13 22:59:51 +01:00
Valentin Lobstein
8d44dcd1fb
Fix: Lab setup documentation for first-time environments
...
- Fix DB permissions (bind mount creates files as www-data instead of mysql)
- Force table creation (cli.php skips it when configuration.php already exists)
- Revert entire Encoder working tree, not just getImage.php (78178d1 patched multiple files)
- Run git checkout from inside the container to avoid safe.directory issues
2026-03-13 22:55:23 +01:00
Curt Hyvarinen
63561130af
Address PR review feedback for CVE-2023-2868 module
2026-03-12 12:59:30 -07:00
Valentin Lobstein
5150a4b68b
Docs: Clarify that .compose/encoder is a clone of AVideo-Encoder repo
...
The commit c9861e9c exists in WWBN/AVideo-Encoder (not WWBN/AVideo).
Add a note explaining that .compose/encoder is a git clone created by
the container entrypoint, with a link to the correct repository.
2026-03-11 22:05:23 +01:00
Valentin Lobstein
38e74740f3
Fix: Use correct commit hash for vulnerable getImage.php in lab setup
...
The previous commit (e0c2768) did not touch getImage.php. Use c9861e9c
which is the last commit before the security patch (78178d1) that
modifies the file.
2026-03-11 21:23:27 +01:00
Valentin Lobstein
6467b7261d
Fix: Auto-provision admin user and fix filestore version downgrade in lab
2026-03-11 19:45:14 +01:00
Valentin Lobstein
c266e687c2
Add authenticated RCE module for FreePBX filestore (CVE-2025-64328)
2026-03-11 19:43:28 +01:00
msutovsky-r7
c6aabc1c75
Land #21001, adds module for SPIP Saisies plugin (CVE-2025-71243)
...
Add SPIP Saisies plugin RCE module (CVE-2025-71243)
2026-03-09 10:34:52 +01:00
Valentin Lobstein
dfe73bb4c5
Add exploit for AVideo Encoder getImage.php command injection (CVE-2026-29058)
...
Unauthenticated OS command injection via the base64Url parameter in
getImage.php. The URL is interpolated into an ffmpeg shell command
without escapeshellarg(), and FILTER_VALIDATE_URL does not block
shell metacharacters in the URL path.
2026-03-06 21:30:12 +01:00
msutovsky-r7
59a1992214
Land #21017, adds module for SSTI in Tactical RMM (CVE-2025-69516)
...
Add Tactical RMM Jinja2 SSTI RCE module (CVE-2025-69516)
2026-03-05 15:38:32 +01:00
Valentin Lobstein
3d38e9b27b
Fix: Fallback check to Detected when plugin version unavailable
...
- Use spip_version as fallback when spip_plugin_version fails
- Return Detected instead of Unknown so AutoCheck does not abort
- Fix lab healthcheck to wait for saisies form before reporting healthy
2026-03-05 14:13:05 +01:00
Diego Ledda
6f84c83135
Merge pull request #21000 from Chocapikk/add-modules-majordomo-rce
...
Add three MajorDoMo unauthenticated RCE modules
2026-03-02 05:20:22 -05:00
Curt Hyvarinen
782c1d5455
Add exploit for CVE-2023-2868 Barracuda ESG command injection
2026-02-27 23:29:56 -08:00
Valentin Lobstein
76d103e483
Fix: Bootstrap cycle tables and update lab documentation
...
Add cycle.php bootstrap request in cmd_injection module to create
missing MEMORY tables before starting the cycle_execs.php worker.
Update all three module docs with curl in Dockerfile, Docker gateway
instructions, Options sections, and verified scenario outputs.
2026-02-27 14:33:04 +01:00
Valentin Lobstein
402ed5d50b
Docs: Clarify 41086aaa is a pinned vulnerable commit on alpha branch
2026-02-26 17:18:22 +01:00
msutovsky-r7
45c058d6f1
Land #21005, adds gnu inetutils auth bypass module against a Synology NAS to documentation
...
add dsm target exploitation to gnu telnetd docs
2026-02-25 16:49:30 +01:00
msutovsky-r7
fae76b2961
Land #20978, adds module BeyondTrust unauth command injection (CVE-2026-1731)
...
Add CVE-2026-1731 support and modernize targets for BeyondTrust PRA/R…
2026-02-25 14:18:59 +01:00
msutovsky-r7
7dcc036b6d
Land #21006, adds module for Ollama path traversal RCE (CVE-2024-37032)
...
Add Ollama path traversal RCE module (CVE-2024-37032)
2026-02-25 13:06:09 +01:00
msutovsky-r7
002daf8d7d
Merge branch 'beyondtrust-rce-2026' into collab/exploit/beyondtrust/cve-2026-1731
2026-02-25 12:53:37 +01:00
msutovsky-r7
12e21e4c66
Fixes documentation
2026-02-24 12:23:26 -05:00
Valentin Lobstein
5aeff61b26
Fix: Address PR review feedback for Ollama RCE module
...
Co-Authored-By: msutovsky-r7 <190406428+msutovsky-r7@users.noreply.github.com>
2026-02-24 17:51:23 +01:00
msutovsky-r7
51af9d0ff1
Adds documentation
2026-02-24 10:25:49 -05:00
Brendan
1ddee63f05
Merge pull request #20983 from sfewer-r7/0day-grandstream
...
Add exploit (CVE-2026-2329) and auxiliary modules for the Grandstream GXP1600 series
2026-02-24 08:50:42 -06:00
msutovsky-r7
62a466cbed
Land #20819, adds WSL startup folder persistence module
...
wsl startup folder persistence
2026-02-24 07:59:11 +01:00
Valentin Lobstein
bef9b7ad3b
Feat: Add Tactical RMM Jinja2 SSTI RCE module (CVE-2025-69516)
2026-02-23 19:31:22 +01:00
h00die
ece2374532
target user for wsl_startup_folder
2026-02-21 21:04:40 -05:00
Valentin Lobstein
b17d227d28
Feat: Add Ollama path traversal RCE module (CVE-2024-37032)
2026-02-21 16:52:43 +01:00
h00die
a24f53f2b6
add dsm exploitation to telnetd docs
2026-02-21 10:27:47 -05:00
Valentin Lobstein
53652b3e3b
Fix: Update SPIP saisies doc with working lab setup
2026-02-21 09:50:50 +01:00
Valentin Lobstein
b904419f28
Fix: Update SPIP saisies doc with working lab setup
2026-02-21 09:50:02 +01:00
Valentin Lobstein
a8f66a23d9
Feat: Add SPIP Saisies plugin RCE module (CVE-2025-71243)
2026-02-21 09:32:53 +01:00
Valentin Lobstein
05c12bb033
Feat: Add three MajorDoMo unauthenticated RCE modules
...
- CVE-2026-27174: Console eval RCE via missing exit after redirect
- CVE-2026-27175: Command injection via rc/index.php + cycle_execs race condition
- CVE-2026-27180: Supply chain RCE via update URL poisoning in saverestore module
All three modules include documentation with Docker lab setup instructions.
2026-02-21 08:34:31 +01:00
Brendan
1f547f19fb
Merge pull request #20832 from DataExplorerX/doc-linux-samba-module
...
Add documentation for linux/samba/chain_reply module (CVE-2004-0883)
2026-02-20 18:12:05 -06:00
Brendan
7f8b18d7dc
Update documentation/modules/exploit/linux/samba/chain_reply.md
2026-02-20 17:45:14 -06:00
Brendan
fcb41a2275
Update documentation/modules/exploit/linux/samba/chain_reply.md
...
Update documentation to point to a specific wayback machine page since the original does not exist, and a few of the wayback machine links are also broken.
2026-02-20 17:42:34 -06:00
msutovsky-r7
f2262a84cc
Land #20841, adds persistence module for Windows feature active setup
...
active setup persistence
2026-02-20 10:46:45 +01:00
gregd
36b29fb458
Add vulnerable environment setup guide to module documentation
...
Step-by-step minikube-based setup for deploying a vulnerable
che-machine-exec instance for module verification.
2026-02-19 11:27:27 +00:00
msutovsky-r7
b6f37bef11
Land #20976, adds module for StoryChief WP plugin (CVE-2025-7441)
...
Add StoryChief WordPress 1.0.42 unauthenticated RCE module (CVE-2025-7441)
2026-02-19 10:06:25 +01:00
Diego Ledda
c6f7d03d03
Merge pull request #20919 from h00die/emacs
...
emacs extension persistence
2026-02-18 10:58:13 -05:00
Nayeraneru
a48129b640
Updated doc after checking msftidy_docs
2026-02-18 16:58:51 +02:00
Diego Ledda
8af82dc7eb
Merge pull request #20844 from 6a6f656c/userinit
...
Windows Userinit persistence
2026-02-18 06:05:04 -05:00
Diego Ledda
9f301549e8
Update documentation/modules/exploit/windows/persistence/registry_userinit.md
...
Co-authored-by: h00die <h00die@users.noreply.github.com>
2026-02-18 11:46:11 +01:00
sfewer-r7
08efa9cd16
add in the Grandstream modules
2026-02-17 22:33:46 +00:00
6a6f656c
7e50106cff
Apply suggestion from @dledda-r7
...
Co-authored-by: Diego Ledda <diego_ledda@rapid7.com>
2026-02-17 07:17:03 -05:00
Nayeraneru
8ee79fa524
Add StoryChief WordPress 1.0.42 unauthenticated RCE module
2026-02-16 00:44:20 +02:00