1d5eae0f5b
Merge pull request #21034 from Chocapikk/add-module-opendcim-sqli-rce
...
Add openDCIM install.php SQLi to RCE module
2026-04-14 16:04:13 -04:00
5b6c2be9d1
Land #21003 , unifies Selenium Firefox and Chrome modules
...
Unified Selenium Grid/Selenoid RCE with Firefox + Chrome auto-detection
2026-04-14 16:32:06 +02:00
62e2c336d0
Remove old Selenium modules replaced by unified selenium_greed_rce
2026-04-14 12:32:51 +02:00
db0fe4aaef
Fixes Python payload delivery for Firefox profile
2026-04-14 10:17:04 +02:00
d84b09a16e
Fix: Wrap Python payload for Firefox profile handler
...
The Firefox exploit path delivers payloads via a MIME handler mapped to
/bin/sh. When using the default Python target, the raw Python payload
would fail to execute in /bin/sh. Wrap it with python3 -c so the shell
can invoke it correctly.
2026-04-13 17:57:48 +02:00
338db0cabd
Add RISC-V arch support to Linux local exploit modules
...
Add ARCH_RISCV64LE and ARCH_RISCV32LE to the supported architecture
lists of 9 Linux local privilege escalation modules that use generic
EXE payload dropping and are not dependent on pre-compiled
architecture-specific exploit binaries.
This allows these modules to be used on RISC-V targets with the
existing RISC-V payload set.
2026-04-05 02:15:16 +11:00
b743296f48
Reapply "This adjusts module options that need a routable address"
...
This reverts commit 628275ef59
2026-03-26 14:43:31 -04:00
0976f88058
Land #20835 , adds module unauthenticated command injection Eclipse Che machine-exec (CVE-2025-12548)
...
Add Eclipse Che machine-exec unauthenticated RCE (CVE-2025-12548)
2026-03-25 14:39:01 +01:00
81faae13ca
Merge pull request #21033 from Alpenlol/barracuda-esg-cve-2023-2868
...
Add exploit for CVE-2023-2868 Barracuda ESG command injection
2026-03-23 13:18:34 -07:00
f14b640de8
Fix rubocop spacing offenses in Author block
2026-03-23 12:40:48 -07:00
5d7a154b19
Credit cfielding-r7 as original PoC author
2026-03-23 10:45:41 -07:00
5b5d1dbfaa
Merge pull request #21076 from Chocapikk/avideo-encoder-getimage-cmd-injection
...
Add AVideo Encoder getImage.php command injection (CVE-2026-29058)
2026-03-18 18:46:32 -05:00
b3aa45fb09
Land #20719 , adds module for authenticated command injection in FreePBX filestore (CVE-2025-64328)
...
Add authenticated RCE module for FreePBX filestore (CVE-2025-64328)
2026-03-13 11:00:43 +01:00
510ec29a63
Merge pull request #21046 from msutovsky-r7/exploit/beyondtrust/updates_description
...
Updates description for BeyondTrust command injection
2026-03-13 00:23:40 +00:00
488cd0f9eb
remove test artifact
2026-03-12 13:41:50 -07:00
a56e0d0259
Remove require rubygems/package, use Rex::Tar::Writer for monkey-patch
2026-03-12 13:24:56 -07:00
63561130af
Address PR review feedback for CVE-2023-2868 module
2026-03-12 12:59:30 -07:00
ee2ee34b9e
Refactor: Extract shared logic in exploit method for openDCIM module
...
Factor out duplicated print_status and backup_config calls, extract
trigger_exec and cleanup_config helpers for readability.
2026-03-12 20:56:33 +01:00
ccf56437da
Merge pull request #20960 from g0tmi1k/dhcp_server
...
dhcp_server: Add DHCPINTERFACE
2026-03-12 15:48:36 -04:00
f34a0b5d31
Fix: Address PR review feedback for openDCIM module
...
Add ARTIFACTS_ON_DISK side effect and fetch payload note in docs.
2026-03-12 20:44:19 +01:00
f7c4aac453
OptAddress -> OptAddressLocal
2026-03-12 16:41:25 +00:00
b2f1e46c82
OptString -> OptAddress
2026-03-12 16:41:25 +00:00
c266e687c2
Add authenticated RCE module for FreePBX filestore (CVE-2025-64328)
2026-03-11 19:43:28 +01:00
1f55aa724a
Apply reviewer feedback: CheckCode::Appears, ARTIFACTS_ON_DISK, simplify connect
...
- Use CheckCode::Appears instead of CheckCode::Vulnerable per convention
- Add ARTIFACTS_ON_DISK to SideEffects for dropper target
- Simplify connect call by removing unnecessary uri argument
2026-03-10 13:07:03 +00:00
628275ef59
Revert "This adjusts module options that need a routable address"
2026-03-08 17:37:49 +00:00
dfe73bb4c5
Add exploit for AVideo Encoder getImage.php command injection (CVE-2026-29058)
...
Unauthenticated OS command injection via the base64Url parameter in
getImage.php. The URL is interpolated into an ffmpeg shell command
without escapeshellarg(), and FILTER_VALIDATE_URL does not block
shell metacharacters in the URL path.
2026-03-06 21:30:12 +01:00
1ec87b586a
Merge pull request #20989 from zeroSteiner/feat/lib/mod-address-opts
...
This adjusts module options that need a routable address
2026-03-05 11:46:52 -05:00
59a1992214
Land #21017 , adds module for SSTI in Tactical RMM (CVE-2025-69516)
...
Add Tactical RMM Jinja2 SSTI RCE module (CVE-2025-69516)
2026-03-05 15:38:32 +01:00
bf41455bca
Fix: Address review feedback - remove dead execute_command, fix dropper race condition
2026-03-05 14:01:12 +01:00
9c7264b48f
Updates description
2026-03-03 15:42:15 +01:00
ea915acba3
Appease rubocop
2026-03-03 09:37:27 -05:00
1b39311784
Remove redundant definitions of SRVHOST
2026-03-03 09:37:27 -05:00
821e3c28f1
Replace old patterns with srvhost_addr
2026-03-03 09:37:27 -05:00
132ef661d3
Update usage within binding operations
2026-03-03 09:37:27 -05:00
9df6879a95
Update modules to use srvhost method
2026-03-03 09:37:25 -05:00
758ac7f2f6
Apply rubocop changes
2026-03-03 09:34:49 -05:00
fc49421939
Replace checks for nonroutable addresses
...
This consolidates modules that check for a nonroutable SRVHOST value and
replaces it with OptAddressRoutable, defaulting to a reasonable address.
2026-03-03 09:34:49 -05:00
1a4ae7bfa3
Fix broken module url references
2026-03-02 14:35:48 +00:00
4aeacb7456
Fix: CmdStager compatibility with dash shell in openDCIM module
...
PHP exec() uses sh -c which is dash on Ubuntu. Dash echo does not
support -en flag, breaking the echo CmdStager flavor. Switch to
printf (octal) and bourne (base64) flavors which work in dash.
Also split backup_and_poison into backup_config and poison_dot so
CmdStager chunks don't overwrite the backup table, and escape
backslashes in SQL to preserve octal/hex sequences through MySQL.
2026-02-28 21:39:16 +01:00
2d8c3d69ed
Feat: Add openDCIM install.php SQLi to RCE module
...
Exploits CVE-2026-28515, CVE-2026-28516, CVE-2026-28517 to chain
missing authorization, SQL injection, and command injection in
openDCIM's install.php for remote code execution.
2026-02-28 21:13:51 +01:00
782c1d5455
Add exploit for CVE-2023-2868 Barracuda ESG command injection
2026-02-27 23:29:56 -08:00
097a4700cb
Fix: check method returns CheckCode instead of fail_with on login failure
2026-02-26 17:13:57 +01:00
11806c983d
Update modules/exploits/linux/http/tacticalrmm_ssti_rce_cve_2025_69516.rb
...
Co-authored-by: msutovsky-r7 <martin_sutovsky@rapid7.com >
2026-02-26 17:12:42 +01:00
fae76b2961
Land #20978 , adds module BeyondTrust unauth command injection (CVE-2026-1731)
...
Add CVE-2026-1731 support and modernize targets for BeyondTrust PRA/R…
2026-02-25 14:18:59 +01:00
0c12becfcf
Separates modules
2026-02-25 13:56:13 +01:00
63c7bd4958
Temp rollback
2026-02-25 13:54:20 +01:00
7dcc036b6d
Land #21006 , adds module for Ollama path traversal RCE (CVE-2024-37032)
...
Add Ollama path traversal RCE module (CVE-2024-37032)
2026-02-25 13:06:09 +01:00
c5303e2ac1
Apply suggestion from @msutovsky-r7
2026-02-25 12:54:17 +01:00
002daf8d7d
Merge branch 'beyondtrust-rce-2026' into collab/exploit/beyondtrust/cve-2026-1731
2026-02-25 12:53:37 +01:00
e77b1c00c6
Add CVE-2026-1731 support and modernize targets for BeyondTrust PRA/RS RCE
2026-02-25 10:12:23 +01:00
Diego Ledda