b743296f48
Reapply "This adjusts module options that need a routable address"
...
This reverts commit 628275ef59
2026-03-26 14:43:31 -04:00
0976f88058
Land #20835 , adds module unauthenticated command injection Eclipse Che machine-exec (CVE-2025-12548)
...
Add Eclipse Che machine-exec unauthenticated RCE (CVE-2025-12548)
2026-03-25 14:39:01 +01:00
81faae13ca
Merge pull request #21033 from Alpenlol/barracuda-esg-cve-2023-2868
...
Add exploit for CVE-2023-2868 Barracuda ESG command injection
2026-03-23 13:18:34 -07:00
f14b640de8
Fix rubocop spacing offenses in Author block
2026-03-23 12:40:48 -07:00
5d7a154b19
Credit cfielding-r7 as original PoC author
2026-03-23 10:45:41 -07:00
5b5d1dbfaa
Merge pull request #21076 from Chocapikk/avideo-encoder-getimage-cmd-injection
...
Add AVideo Encoder getImage.php command injection (CVE-2026-29058)
2026-03-18 18:46:32 -05:00
b3aa45fb09
Land #20719 , adds module for authenticated command injection in FreePBX filestore (CVE-2025-64328)
...
Add authenticated RCE module for FreePBX filestore (CVE-2025-64328)
2026-03-13 11:00:43 +01:00
510ec29a63
Merge pull request #21046 from msutovsky-r7/exploit/beyondtrust/updates_description
...
Updates description for BeyondTrust command injection
2026-03-13 00:23:40 +00:00
488cd0f9eb
remove test artifact
2026-03-12 13:41:50 -07:00
a56e0d0259
Remove require rubygems/package, use Rex::Tar::Writer for monkey-patch
2026-03-12 13:24:56 -07:00
63561130af
Address PR review feedback for CVE-2023-2868 module
2026-03-12 12:59:30 -07:00
ccf56437da
Merge pull request #20960 from g0tmi1k/dhcp_server
...
dhcp_server: Add DHCPINTERFACE
2026-03-12 15:48:36 -04:00
f7c4aac453
OptAddress -> OptAddressLocal
2026-03-12 16:41:25 +00:00
b2f1e46c82
OptString -> OptAddress
2026-03-12 16:41:25 +00:00
c266e687c2
Add authenticated RCE module for FreePBX filestore (CVE-2025-64328)
2026-03-11 19:43:28 +01:00
1f55aa724a
Apply reviewer feedback: CheckCode::Appears, ARTIFACTS_ON_DISK, simplify connect
...
- Use CheckCode::Appears instead of CheckCode::Vulnerable per convention
- Add ARTIFACTS_ON_DISK to SideEffects for dropper target
- Simplify connect call by removing unnecessary uri argument
2026-03-10 13:07:03 +00:00
628275ef59
Revert "This adjusts module options that need a routable address"
2026-03-08 17:37:49 +00:00
dfe73bb4c5
Add exploit for AVideo Encoder getImage.php command injection (CVE-2026-29058)
...
Unauthenticated OS command injection via the base64Url parameter in
getImage.php. The URL is interpolated into an ffmpeg shell command
without escapeshellarg(), and FILTER_VALIDATE_URL does not block
shell metacharacters in the URL path.
2026-03-06 21:30:12 +01:00
1ec87b586a
Merge pull request #20989 from zeroSteiner/feat/lib/mod-address-opts
...
This adjusts module options that need a routable address
2026-03-05 11:46:52 -05:00
59a1992214
Land #21017 , adds module for SSTI in Tactical RMM (CVE-2025-69516)
...
Add Tactical RMM Jinja2 SSTI RCE module (CVE-2025-69516)
2026-03-05 15:38:32 +01:00
bf41455bca
Fix: Address review feedback - remove dead execute_command, fix dropper race condition
2026-03-05 14:01:12 +01:00
9c7264b48f
Updates description
2026-03-03 15:42:15 +01:00
ea915acba3
Appease rubocop
2026-03-03 09:37:27 -05:00
1b39311784
Remove redundant definitions of SRVHOST
2026-03-03 09:37:27 -05:00
821e3c28f1
Replace old patterns with srvhost_addr
2026-03-03 09:37:27 -05:00
132ef661d3
Update usage within binding operations
2026-03-03 09:37:27 -05:00
9df6879a95
Update modules to use srvhost method
2026-03-03 09:37:25 -05:00
758ac7f2f6
Apply rubocop changes
2026-03-03 09:34:49 -05:00
fc49421939
Replace checks for nonroutable addresses
...
This consolidates modules that check for a nonroutable SRVHOST value and
replaces it with OptAddressRoutable, defaulting to a reasonable address.
2026-03-03 09:34:49 -05:00
1a4ae7bfa3
Fix broken module url references
2026-03-02 14:35:48 +00:00
782c1d5455
Add exploit for CVE-2023-2868 Barracuda ESG command injection
2026-02-27 23:29:56 -08:00
097a4700cb
Fix: check method returns CheckCode instead of fail_with on login failure
2026-02-26 17:13:57 +01:00
11806c983d
Update modules/exploits/linux/http/tacticalrmm_ssti_rce_cve_2025_69516.rb
...
Co-authored-by: msutovsky-r7 <martin_sutovsky@rapid7.com >
2026-02-26 17:12:42 +01:00
fae76b2961
Land #20978 , adds module BeyondTrust unauth command injection (CVE-2026-1731)
...
Add CVE-2026-1731 support and modernize targets for BeyondTrust PRA/R…
2026-02-25 14:18:59 +01:00
0c12becfcf
Separates modules
2026-02-25 13:56:13 +01:00
63c7bd4958
Temp rollback
2026-02-25 13:54:20 +01:00
7dcc036b6d
Land #21006 , adds module for Ollama path traversal RCE (CVE-2024-37032)
...
Add Ollama path traversal RCE module (CVE-2024-37032)
2026-02-25 13:06:09 +01:00
c5303e2ac1
Apply suggestion from @msutovsky-r7
2026-02-25 12:54:17 +01:00
002daf8d7d
Merge branch 'beyondtrust-rce-2026' into collab/exploit/beyondtrust/cve-2026-1731
2026-02-25 12:53:37 +01:00
e77b1c00c6
Add CVE-2026-1731 support and modernize targets for BeyondTrust PRA/RS RCE
2026-02-25 10:12:23 +01:00
fd92207119
Fix BeyondTrust exploit failing on older instances (22.x)
...
The /get_mech_list?version=3 endpoint returns HTTP 500 on older
BeyondTrust versions that do not support the JSON API. Add a
fallback to version=2 which returns semicolon-separated key=value
pairs (e.g. "company=sewtest;product=ingredi").
Also remove the "Thank you for using BeyondTrust" check in the
BRDF validation, as PRA instances do not contain this string,
causing the check method to incorrectly report Unknown for PRA
targets.
2026-02-25 10:12:21 +01:00
4f2eafda09
Changed error wording to remove patch specifics and loosen wording to 'may indicate' as there could be other reasons for the websocket exiting unexpectedly, e.g. using the cmd/unix/generic payload results in the error, even when target is vulnerable and the exploit succeeds
2026-02-25 10:11:18 +01:00
0b78ab319e
improved version checking (i think)
2026-02-25 10:11:18 +01:00
b43b204060
Add CVE-2026-1731 support and modernize targets for BeyondTrust PRA/RS RCE
2026-02-25 10:11:15 +01:00
70dd190bc7
Fix: Inline shellcode via asm db instead of mmap RWX
...
Use Metasm's asm("db ...") to embed shellcode directly in .text section
which is executable by default. Removes mmap/memcpy/mprotect entirely,
avoiding RWX or W^X allocations that IDS may flag.
Parent process uses _exit(0) instead of return since the inlined
shellcode bytes follow the setsid() call in the instruction stream.
Co-Authored-By: jvoisin <325724+jvoisin@users.noreply.github.com >
2026-02-24 23:32:05 +01:00
d6d9180b7c
Fix: Clarify why fork+setsid is in the constructor
...
PrependFork operates at shellcode level, but fork must happen in the
.so constructor so the runner process returns immediately and is not
blocked by the payload execution.
Co-Authored-By: jvoisin <325724+jvoisin@users.noreply.github.com >
2026-02-24 23:29:25 +01:00
4031d7d950
Fix: Randomize chat trigger message content
...
Co-Authored-By: jvoisin <325724+jvoisin@users.noreply.github.com >
2026-02-24 23:29:13 +01:00
29a02274cf
Refactor: Remove redundant Platform/Arch from single target
2026-02-24 17:54:28 +01:00
5aeff61b26
Fix: Address PR review feedback for Ollama RCE module
...
Co-Authored-By: msutovsky-r7 <190406428+msutovsky-r7@users.noreply.github.com >
2026-02-24 17:51:23 +01:00
33d24cc85b
Update modules/exploits/linux/http/ollama_rce_cve_2024_37032.rb
...
Co-authored-by: msutovsky-r7 <martin_sutovsky@rapid7.com >
2026-02-24 17:47:51 +01:00
Spencer McIntyre