b743296f48
Reapply "This adjusts module options that need a routable address"
...
This reverts commit 628275ef59
2026-03-26 14:43:31 -04:00
0976f88058
Land #20835 , adds module unauthenticated command injection Eclipse Che machine-exec (CVE-2025-12548)
...
Add Eclipse Che machine-exec unauthenticated RCE (CVE-2025-12548)
2026-03-25 14:39:01 +01:00
5b5d1dbfaa
Merge pull request #21076 from Chocapikk/avideo-encoder-getimage-cmd-injection
...
Add AVideo Encoder getImage.php command injection (CVE-2026-29058)
2026-03-18 18:46:32 -05:00
b3aa45fb09
Land #20719 , adds module for authenticated command injection in FreePBX filestore (CVE-2025-64328)
...
Add authenticated RCE module for FreePBX filestore (CVE-2025-64328)
2026-03-13 11:00:43 +01:00
510ec29a63
Merge pull request #21046 from msutovsky-r7/exploit/beyondtrust/updates_description
...
Updates description for BeyondTrust command injection
2026-03-13 00:23:40 +00:00
ccf56437da
Merge pull request #20960 from g0tmi1k/dhcp_server
...
dhcp_server: Add DHCPINTERFACE
2026-03-12 15:48:36 -04:00
b2f1e46c82
OptString -> OptAddress
2026-03-12 16:41:25 +00:00
c266e687c2
Add authenticated RCE module for FreePBX filestore (CVE-2025-64328)
2026-03-11 19:43:28 +01:00
1f55aa724a
Apply reviewer feedback: CheckCode::Appears, ARTIFACTS_ON_DISK, simplify connect
...
- Use CheckCode::Appears instead of CheckCode::Vulnerable per convention
- Add ARTIFACTS_ON_DISK to SideEffects for dropper target
- Simplify connect call by removing unnecessary uri argument
2026-03-10 13:07:03 +00:00
628275ef59
Revert "This adjusts module options that need a routable address"
2026-03-08 17:37:49 +00:00
dfe73bb4c5
Add exploit for AVideo Encoder getImage.php command injection (CVE-2026-29058)
...
Unauthenticated OS command injection via the base64Url parameter in
getImage.php. The URL is interpolated into an ffmpeg shell command
without escapeshellarg(), and FILTER_VALIDATE_URL does not block
shell metacharacters in the URL path.
2026-03-06 21:30:12 +01:00
1ec87b586a
Merge pull request #20989 from zeroSteiner/feat/lib/mod-address-opts
...
This adjusts module options that need a routable address
2026-03-05 11:46:52 -05:00
59a1992214
Land #21017 , adds module for SSTI in Tactical RMM (CVE-2025-69516)
...
Add Tactical RMM Jinja2 SSTI RCE module (CVE-2025-69516)
2026-03-05 15:38:32 +01:00
bf41455bca
Fix: Address review feedback - remove dead execute_command, fix dropper race condition
2026-03-05 14:01:12 +01:00
9c7264b48f
Updates description
2026-03-03 15:42:15 +01:00
1b39311784
Remove redundant definitions of SRVHOST
2026-03-03 09:37:27 -05:00
821e3c28f1
Replace old patterns with srvhost_addr
2026-03-03 09:37:27 -05:00
9df6879a95
Update modules to use srvhost method
2026-03-03 09:37:25 -05:00
758ac7f2f6
Apply rubocop changes
2026-03-03 09:34:49 -05:00
fc49421939
Replace checks for nonroutable addresses
...
This consolidates modules that check for a nonroutable SRVHOST value and
replaces it with OptAddressRoutable, defaulting to a reasonable address.
2026-03-03 09:34:49 -05:00
1a4ae7bfa3
Fix broken module url references
2026-03-02 14:35:48 +00:00
097a4700cb
Fix: check method returns CheckCode instead of fail_with on login failure
2026-02-26 17:13:57 +01:00
11806c983d
Update modules/exploits/linux/http/tacticalrmm_ssti_rce_cve_2025_69516.rb
...
Co-authored-by: msutovsky-r7 <martin_sutovsky@rapid7.com >
2026-02-26 17:12:42 +01:00
fae76b2961
Land #20978 , adds module BeyondTrust unauth command injection (CVE-2026-1731)
...
Add CVE-2026-1731 support and modernize targets for BeyondTrust PRA/R…
2026-02-25 14:18:59 +01:00
0c12becfcf
Separates modules
2026-02-25 13:56:13 +01:00
63c7bd4958
Temp rollback
2026-02-25 13:54:20 +01:00
7dcc036b6d
Land #21006 , adds module for Ollama path traversal RCE (CVE-2024-37032)
...
Add Ollama path traversal RCE module (CVE-2024-37032)
2026-02-25 13:06:09 +01:00
c5303e2ac1
Apply suggestion from @msutovsky-r7
2026-02-25 12:54:17 +01:00
002daf8d7d
Merge branch 'beyondtrust-rce-2026' into collab/exploit/beyondtrust/cve-2026-1731
2026-02-25 12:53:37 +01:00
e77b1c00c6
Add CVE-2026-1731 support and modernize targets for BeyondTrust PRA/RS RCE
2026-02-25 10:12:23 +01:00
fd92207119
Fix BeyondTrust exploit failing on older instances (22.x)
...
The /get_mech_list?version=3 endpoint returns HTTP 500 on older
BeyondTrust versions that do not support the JSON API. Add a
fallback to version=2 which returns semicolon-separated key=value
pairs (e.g. "company=sewtest;product=ingredi").
Also remove the "Thank you for using BeyondTrust" check in the
BRDF validation, as PRA instances do not contain this string,
causing the check method to incorrectly report Unknown for PRA
targets.
2026-02-25 10:12:21 +01:00
4f2eafda09
Changed error wording to remove patch specifics and loosen wording to 'may indicate' as there could be other reasons for the websocket exiting unexpectedly, e.g. using the cmd/unix/generic payload results in the error, even when target is vulnerable and the exploit succeeds
2026-02-25 10:11:18 +01:00
0b78ab319e
improved version checking (i think)
2026-02-25 10:11:18 +01:00
b43b204060
Add CVE-2026-1731 support and modernize targets for BeyondTrust PRA/RS RCE
2026-02-25 10:11:15 +01:00
70dd190bc7
Fix: Inline shellcode via asm db instead of mmap RWX
...
Use Metasm's asm("db ...") to embed shellcode directly in .text section
which is executable by default. Removes mmap/memcpy/mprotect entirely,
avoiding RWX or W^X allocations that IDS may flag.
Parent process uses _exit(0) instead of return since the inlined
shellcode bytes follow the setsid() call in the instruction stream.
Co-Authored-By: jvoisin <325724+jvoisin@users.noreply.github.com >
2026-02-24 23:32:05 +01:00
d6d9180b7c
Fix: Clarify why fork+setsid is in the constructor
...
PrependFork operates at shellcode level, but fork must happen in the
.so constructor so the runner process returns immediately and is not
blocked by the payload execution.
Co-Authored-By: jvoisin <325724+jvoisin@users.noreply.github.com >
2026-02-24 23:29:25 +01:00
4031d7d950
Fix: Randomize chat trigger message content
...
Co-Authored-By: jvoisin <325724+jvoisin@users.noreply.github.com >
2026-02-24 23:29:13 +01:00
29a02274cf
Refactor: Remove redundant Platform/Arch from single target
2026-02-24 17:54:28 +01:00
5aeff61b26
Fix: Address PR review feedback for Ollama RCE module
...
Co-Authored-By: msutovsky-r7 <190406428+msutovsky-r7@users.noreply.github.com >
2026-02-24 17:51:23 +01:00
33d24cc85b
Update modules/exploits/linux/http/ollama_rce_cve_2024_37032.rb
...
Co-authored-by: msutovsky-r7 <martin_sutovsky@rapid7.com >
2026-02-24 17:47:51 +01:00
98b3357e2a
Adds beyondtrust lib, moves functionality into library, shares those functions to two modules
2026-02-24 16:16:05 +01:00
1ddee63f05
Merge pull request #20983 from sfewer-r7/0day-grandstream
...
Add exploit (CVE-2026-2329) and auxiliary modules for the Grandstream GXP1600 series
2026-02-24 08:50:42 -06:00
c390260291
Rubocopes
2026-02-24 13:12:37 +01:00
338804f028
Changed error wording to remove patch specifics and loosen wording to 'may indicate' as there could be other reasons for the websocket exiting unexpectedly, e.g. using the cmd/unix/generic payload results in the error, even when target is vulnerable and the exploit succeeds
2026-02-24 09:47:49 +01:00
fc3a6cd0fe
improved version checking (i think)
2026-02-24 09:47:48 +01:00
e0bc7c4533
Add CVE-2026-1731 support and modernize targets for BeyondTrust PRA/RS RCE
2026-02-24 09:47:45 +01:00
d934f2006c
Feat: Add default payloads per target
2026-02-23 19:36:49 +01:00
bef9b7ad3b
Feat: Add Tactical RMM Jinja2 SSTI RCE module (CVE-2025-69516)
2026-02-23 19:31:22 +01:00
1f5ad66248
comment gen_buffer to explain why this is needed
2026-02-23 13:04:42 +00:00
54f5b88baa
clarify the offsets used in patch_offset2cmd
2026-02-23 12:39:37 +00:00
Spencer McIntyre