7545328be1
Linting
2026-03-02 15:02:56 +00:00
1a4ae7bfa3
Fix broken module url references
2026-03-02 14:35:48 +00:00
6f84c83135
Merge pull request #21000 from Chocapikk/add-modules-majordomo-rce
...
Add three MajorDoMo unauthenticated RCE modules
2026-03-02 05:20:22 -05:00
615ca34e29
Fix: Remove explicit timeouts from send_request_cgi calls
2026-02-27 14:42:00 +01:00
6923badeac
Fix: Use background thread for cycle.php bootstrap instead of timeout
2026-02-27 14:34:24 +01:00
76d103e483
Fix: Bootstrap cycle tables and update lab documentation
...
Add cycle.php bootstrap request in cmd_injection module to create
missing MEMORY tables before starting the cycle_execs.php worker.
Update all three module docs with curl in Dockerfile, Docker gateway
instructions, Options sections, and verified scenario outputs.
2026-02-27 14:33:04 +01:00
ccce3a7dca
Land #20951 , moves default payload into more consistent default options
...
Moves default payload into default options in Remote for Mac module
2026-02-25 17:06:30 +01:00
fae76b2961
Land #20978 , adds module BeyondTrust unauth command injection (CVE-2026-1731)
...
Add CVE-2026-1731 support and modernize targets for BeyondTrust PRA/R…
2026-02-25 14:18:59 +01:00
0c12becfcf
Separates modules
2026-02-25 13:56:13 +01:00
63c7bd4958
Temp rollback
2026-02-25 13:54:20 +01:00
7dcc036b6d
Land #21006 , adds module for Ollama path traversal RCE (CVE-2024-37032)
...
Add Ollama path traversal RCE module (CVE-2024-37032)
2026-02-25 13:06:09 +01:00
c5303e2ac1
Apply suggestion from @msutovsky-r7
2026-02-25 12:54:17 +01:00
002daf8d7d
Merge branch 'beyondtrust-rce-2026' into collab/exploit/beyondtrust/cve-2026-1731
2026-02-25 12:53:37 +01:00
e77b1c00c6
Add CVE-2026-1731 support and modernize targets for BeyondTrust PRA/RS RCE
2026-02-25 10:12:23 +01:00
fd92207119
Fix BeyondTrust exploit failing on older instances (22.x)
...
The /get_mech_list?version=3 endpoint returns HTTP 500 on older
BeyondTrust versions that do not support the JSON API. Add a
fallback to version=2 which returns semicolon-separated key=value
pairs (e.g. "company=sewtest;product=ingredi").
Also remove the "Thank you for using BeyondTrust" check in the
BRDF validation, as PRA instances do not contain this string,
causing the check method to incorrectly report Unknown for PRA
targets.
2026-02-25 10:12:21 +01:00
4f2eafda09
Changed error wording to remove patch specifics and loosen wording to 'may indicate' as there could be other reasons for the websocket exiting unexpectedly, e.g. using the cmd/unix/generic payload results in the error, even when target is vulnerable and the exploit succeeds
2026-02-25 10:11:18 +01:00
0b78ab319e
improved version checking (i think)
2026-02-25 10:11:18 +01:00
b43b204060
Add CVE-2026-1731 support and modernize targets for BeyondTrust PRA/RS RCE
2026-02-25 10:11:15 +01:00
70dd190bc7
Fix: Inline shellcode via asm db instead of mmap RWX
...
Use Metasm's asm("db ...") to embed shellcode directly in .text section
which is executable by default. Removes mmap/memcpy/mprotect entirely,
avoiding RWX or W^X allocations that IDS may flag.
Parent process uses _exit(0) instead of return since the inlined
shellcode bytes follow the setsid() call in the instruction stream.
Co-Authored-By: jvoisin <325724+jvoisin@users.noreply.github.com >
2026-02-24 23:32:05 +01:00
d6d9180b7c
Fix: Clarify why fork+setsid is in the constructor
...
PrependFork operates at shellcode level, but fork must happen in the
.so constructor so the runner process returns immediately and is not
blocked by the payload execution.
Co-Authored-By: jvoisin <325724+jvoisin@users.noreply.github.com >
2026-02-24 23:29:25 +01:00
4031d7d950
Fix: Randomize chat trigger message content
...
Co-Authored-By: jvoisin <325724+jvoisin@users.noreply.github.com >
2026-02-24 23:29:13 +01:00
29a02274cf
Refactor: Remove redundant Platform/Arch from single target
2026-02-24 17:54:28 +01:00
5aeff61b26
Fix: Address PR review feedback for Ollama RCE module
...
Co-Authored-By: msutovsky-r7 <190406428+msutovsky-r7@users.noreply.github.com >
2026-02-24 17:51:23 +01:00
33d24cc85b
Update modules/exploits/linux/http/ollama_rce_cve_2024_37032.rb
...
Co-authored-by: msutovsky-r7 <martin_sutovsky@rapid7.com >
2026-02-24 17:47:51 +01:00
98b3357e2a
Adds beyondtrust lib, moves functionality into library, shares those functions to two modules
2026-02-24 16:16:05 +01:00
1e7b0083f7
Merge pull request #20952 from g0tmi1k/unreal_ircd_3281_backdoor
...
Unreal_ircd_3281_backdoor: Add checks & Targets
2026-02-24 09:13:52 -06:00
1ddee63f05
Merge pull request #20983 from sfewer-r7/0day-grandstream
...
Add exploit (CVE-2026-2329) and auxiliary modules for the Grandstream GXP1600 series
2026-02-24 08:50:42 -06:00
c390260291
Rubocopes
2026-02-24 13:12:37 +01:00
1e4c184512
Merge pull request #20988 from adfoster-r7/add-solarwinds-srvhost-defaults
...
Add solarwinds srvhost defaults
2026-02-24 04:41:23 -05:00
338804f028
Changed error wording to remove patch specifics and loosen wording to 'may indicate' as there could be other reasons for the websocket exiting unexpectedly, e.g. using the cmd/unix/generic payload results in the error, even when target is vulnerable and the exploit succeeds
2026-02-24 09:47:49 +01:00
fc3a6cd0fe
improved version checking (i think)
2026-02-24 09:47:48 +01:00
e0bc7c4533
Add CVE-2026-1731 support and modernize targets for BeyondTrust PRA/RS RCE
2026-02-24 09:47:45 +01:00
62a466cbed
Land #20819 , adds WSL startup folder persistence module
...
wsl startup folder persistence
2026-02-24 07:59:11 +01:00
ae65d5d9dc
linux wsl startup cleanup now with windows path
2026-02-23 18:29:22 -05:00
1f5ad66248
comment gen_buffer to explain why this is needed
2026-02-23 13:04:42 +00:00
54f5b88baa
clarify the offsets used in patch_offset2cmd
2026-02-23 12:39:37 +00:00
2c807a6d95
clarify the initial valud in our rop buffer and the function epilogue that reads them
2026-02-23 12:39:10 +00:00
8519bffeff
add a Check message for this and change from Safe to Unknown which is more accurate
2026-02-23 11:28:53 +00:00
ece2374532
target user for wsl_startup_folder
2026-02-21 21:04:40 -05:00
cab7bf064e
Fix: Add email to Sagi Tzadik credit
2026-02-21 17:06:42 +01:00
22fb85f648
Fix: Correct vulnerability discovery credit to Sagi Tzadik (Wiz Research)
2026-02-21 17:05:58 +01:00
b17d227d28
Feat: Add Ollama path traversal RCE module (CVE-2024-37032)
2026-02-21 16:52:43 +01:00
05c12bb033
Feat: Add three MajorDoMo unauthenticated RCE modules
...
- CVE-2026-27174: Console eval RCE via missing exit after redirect
- CVE-2026-27175: Command injection via rc/index.php + cycle_execs race condition
- CVE-2026-27180: Supply chain RCE via update URL poisoning in saverestore module
All three modules include documentation with Docker lab setup instructions.
2026-02-21 08:34:31 +01:00
d2ed326b16
Merge pull request #20950 from g0tmi1k/vsftpd_234_backdoor
...
vsftpd_234_backdoor: Add check & targets
2026-02-20 18:46:34 -06:00
cf497a8d6e
Merge pull request #20938 from Chocapikk/fix-beyondtrust-mech-list-fallback
...
Fix BeyondTrust PRA/RS exploit failing on older instances
2026-02-20 17:38:40 -06:00
2c7348ec50
Add solarwinds srvhost defaults
2026-02-20 18:23:41 +00:00
f2262a84cc
Land #20841 , adds persistence module for Windows feature active setup
...
active setup persistence
2026-02-20 10:46:45 +01:00
f65dca14c7
unreal_ircd: Clean up
...
This is based on MR feedback
2026-02-20 08:59:32 +00:00
63bead7de0
unreal_ircd: Drop loop for wfsDelay
2026-02-20 08:59:32 +00:00
3a8c6abd39
unreal_ircd: Add Linux fetch payload support
...
Fetch over CmdStager (& multiple targets)
2026-02-20 08:57:57 +00:00
adfoster-r7